Commit graph

21254 commits

Author SHA1 Message Date
ajs124
891a83d948 nixosTests.couchdb: clean up 2021-05-03 15:42:36 +02:00
ajs124
29bcaf04cb couchdb2: drop 2021-05-03 15:41:42 +02:00
Martin Weinelt
d67fc76603
Merge pull request #120536 from mweinelt/mosquitto 2021-05-03 00:41:21 +02:00
Martin Weinelt
fb5b00d2eb
Merge pull request #120526 from mweinelt/home-assistant 2021-05-03 00:35:50 +02:00
Martin Weinelt
f41349d30d
nixos/home-assistant: Restart systemd unit on restart service
Home-assistant through its `--runner` commandline flag supports sending
exit code 100 when the `homeassistant.restart` service is called.

With `RestartForceExitStatus` we can listen for that specific exit code
and restart the whole systemd unit, providing an actual clean restart
with fresh processes. Additional treat exit code 100 as a successful
termination.
2021-05-03 00:21:25 +02:00
Martin Weinelt
1dbb60f562
nixos/tests/home-assistant: update maintainership to home-assistant team 2021-05-03 00:21:25 +02:00
Martin Weinelt
8ab7fc1107
nixos/tests/home-assistant: test capability passing
Configures the emulated_hue component and expects CAP_NET_BIND_SERVICE
to be passed in order to be able to bind to 80/tcp.

Also print the systemd security analysis, so we can spot changes more
quickly.
2021-05-03 00:21:25 +02:00
Martin Weinelt
7d09d7f571
nixos/home-assistant: harden systemd service
This is what is still exposed, and it should still allow things to work
as usual.

✗ PrivateNetwork=                    Service has access to the host's …      0.5
✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc…      0.3
✗ DeviceAllow=                       Service has a device ACL with som…      0.1
✗ IPAddressDeny=                     Service does not define an IP add…      0.2
✗ PrivateDevices=                    Service potentially has access to…      0.2
✗ PrivateUsers=                      Service has access to other users       0.2
✗ SystemCallFilter=~@resources       System call allow list defined fo…      0.2
✗ RootDirectory=/RootImage=          Service runs within the host's ro…      0.1
✗ SupplementaryGroups=               Service runs with supplementary g…      0.1
✗ RestrictAddressFamilies=~AF_UNIX   Service may allocate local sockets      0.1

→ Overall exposure level for home-assistant.service: 1.6 OK :-)

This can grow to as much as ~1.9 if you use one of the bluetooth or nmap
trackers or the emulated_hue component, all of which required elevated
permisssions.
2021-05-03 00:21:24 +02:00
Martin Weinelt
d942d4473d neovim, neovimUtils, neovim-qt: drop python2 support
In 2a00e53bd pynvim support for python2 was disabled, this broke the
neovim build. I really think it is time to let go of python2 support in
neovim.
2021-05-02 22:43:53 +02:00
Maximilian Bosch
040f0acccd
Merge pull request #121299 from Ma27/gitea-umask
nixos/gitea: set umask for secret creation
2021-05-02 00:06:20 +02:00
Luke Granger-Brown
152fa5414c
Merge pull request #120209 from considerate/considerate/multiple-tags-buildkite-agents
services.buildkite-agents: support multi-tags
2021-05-01 19:07:56 +01:00
Martin Weinelt
a2d1d16af8
nixos/mosquitto: Migrate away from bind_address/port config keys
Fixes these two deprecation warnings, by moving away from these options
towards a simple listener configuration.

> The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.
> The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.

Fixes: #120860
2021-05-01 19:46:48 +02:00
Martin Weinelt
33e867620e
nixos/mosquitto: harden systemd unit
It can still network, it can only access the ssl related files if ssl is
enabled.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                  0.1

→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
2021-05-01 19:46:48 +02:00
Jan Tojnar
1733bade1a
Merge pull request #121226 from zhaofengli/librem-take2
phosh: init at 0.10.2
2021-05-01 18:41:50 +02:00
Luke Granger-Brown
be598f3980
Merge pull request #120541 from pennae/fail2ban
nixos/fail2ban: add maxretry/extraPackages options
2021-05-01 15:09:24 +01:00
Sandro
ac72d9acfe
Merge pull request #91955 from c00w/expand
sd-image: Add option to control sd image expansion on boot.
2021-05-01 14:52:07 +02:00
Luke Granger-Brown
d76b075e3c
Merge pull request #121246 from thblt/master
nixos/pcscd: ensure polkit rules are loaded (fix #121121)
2021-05-01 13:30:45 +01:00
Zhaofeng Li
31a32eeed3 nixos/phosh: init
Co-authored-by: Blaž Hrastnik <blaz@mxxn.io>
Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
Co-authored-by: Jordi Masip <jordi@masip.cat>
2021-05-01 06:55:02 +00:00
Zhaofeng Li
3086335f04 nixos/feedbackd: init 2021-05-01 06:52:35 +00:00
lewo
85aef7706e
Merge pull request #120620 from mweinelt/empty-capability-bounding-sets
nixos/{opendkim,rspamd}: Fix CapabilityBoundingSet option
2021-05-01 08:17:19 +02:00
Luke Granger-Brown
c58f60b41b
Merge pull request #121352 from lukegb/debug-hydra
amazonImage: make statically sized again
2021-05-01 04:06:34 +01:00
Luke Granger-Brown
733d682cc3 nixos/release: add amazonImageAutomaticSize
This allows us to continue to have the automatically sized image attempt
to build on Hydra, which should give us a good indication of when we've
got this fixed.
2021-05-01 02:43:45 +00:00
Luke Granger-Brown
87c3b7e767 amazonImage: make statically sized again
For reasons we haven't been able to work out, the aarch64 EC2 image now
regularly exceeds the output image size on hydra.nixos.org. As a
workaround, set this back to being statically sized again.

The other images do seem to build - it's just a case of the EC2 image
now being too large (occasionally non-determinstically).
2021-05-01 02:19:42 +00:00
Colin L Rice
bef4bda8dd sd-image: Add option to control sd image expansion on boot.
This is supeer useful to allow the normal sd-image code to be used by
someone who wants to setup multiple partitions with a sd-image.

Currently I'm manually copying the sd-image file and modifying it
instead.
2021-04-30 22:12:07 -04:00
Martin Weinelt
326f86d8cd
Merge pull request #121222 from mweinelt/nginx
nixos/nginx: update hardening settings
2021-05-01 00:36:16 +02:00
Martin Weinelt
efb30a191e
Merge pull request #120529 from mweinelt/zigbee2mqtt 2021-04-30 21:59:22 +02:00
Maximilian Bosch
02c3bd2187
nixos/gitea: set umask for secret creation
This ensures that newly created secrets will have the permissions
`0640`. With this change it's ensured that no sensitive information will
be word-readable at any time.

Related to #121293.

Strictly speaking this is a breaking change since each new directory
(including data-files) aren't world-readable anymore, but actually these
shouldn't be, unless there's a good reason for it.
2021-04-30 21:39:11 +02:00
Florian Klink
44a0debca7
Merge pull request #121021 from pennae/container-sigterm
nixos/nix-containers: use SIGTERM to stop containers
2021-04-30 21:35:16 +02:00
lunik1
248a57d61a
nixos/adguardhome: init (#120568) 2021-04-30 20:55:31 +02:00
Martin Weinelt
62de527dc3
nixos/zigbee2mqtt: start maintaing the module 2021-04-30 20:40:04 +02:00
Martin Weinelt
2b61d9ea01
nixos/zigbee2mqtt: create migration path from config to settings 2021-04-30 20:39:21 +02:00
Martin Weinelt
f1e7183f69
nixos/tests/zigbee2mqtt: relax DevicePolicy and log systemd-analye security 2021-04-30 19:42:26 +02:00
Martin Weinelt
a691549f7e
nixos/zigbee2mqtt: harden systemd unit
This is what is still exposed, and it allows me to control my lamps from
within home-assistant.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                  0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                              0.1
✗ MemoryDenyWriteExecute=                                     Service may create writable executable memory mappings                              0.1

→ Overall exposure level for zigbee2mqtt.service: 1.3 OK 🙂
2021-04-30 19:42:26 +02:00
Martin Weinelt
e0f1e1f7bf
nixos/zigbee2mqtt: convert to rfc42 style settings 2021-04-30 19:42:26 +02:00
Martin Weinelt
506bc7ba02
nixos/nginx: update hardening settings
- Set an explicit umask that allows u+rwx and g+r.
- Adds `ProtectControlGroups` and `ProtectKernelLogs`, there should be
  no need to access either.
- Adds `ProtectClock` to prevent write-access to the system clock.
- `ProtectProc` hides processes from other users within the /proc
  filesystem and `ProcSubSet` hides all files/directories unrelated to
  the process management of the units process.
- Sets `RemoveIPC`, as there is no SysV or POSIX IPC within nginx that I
  know of.
- Restricts the creation of arbitrary namespaces
- Adds a reasonable `SystemCallFilter` preventing calls to @privileged,
  @obsolete and others.

And finally applies some sorting based on the order these options appear
in systemd.exec(5).
2021-04-30 18:49:43 +02:00
Kim Lindberger
fdd6ca8fce
Merge pull request #118898 from talyz/gitlab-memory-bloat
nixos/gitlab: Add options to tame GitLab's memory usage somewhat
2021-04-30 16:58:30 +02:00
Michael Weiss
28b8cff301
nixos/tests/cage: Fix the test with wlroots 0.13
See #119615 for more details. The aarch64-linux test failed with
"qemu-system-aarch64: Virtio VGA not available" so I've restricted the
test to x86_64-linux (the virtio paravirtualized 3D graphics driver is
likely only available on very few platforms).
2021-04-30 15:57:04 +02:00
pennae
317a2c9f26 nixos/nix-containers: add tests for early/no-machined container stop 2021-04-30 15:43:27 +02:00
Sandro
a73342b7ce
Merge pull request #120637 from andreisergiu98/ombi-update 2021-04-30 12:57:15 +02:00
Thibault Polge
71d9291742
nixos/pcscd: Correctly install pcsclite (fix #121121)
This makes sure that the polkit policies for pcsclite are correcly loaded.
2021-04-30 10:33:03 +02:00
Peter Hoeg
82c31a83b8 nixos/module: example referenced old ffmpeg 2021-04-30 09:43:18 +08:00
Michael Weiss
af99194379
nixos/tests/cage: Increase the xterm font size to fix the test
The result still looks far from ideal but at least it gets recognized
now. "-fa Monospace" is required to switch to a font from the FreeType
library so that "-fs 24" works.

Note: Using linuxPackages_latest is not required anymore.
2021-04-29 21:08:10 +02:00
Lassulus
addfd88117
Merge pull request #117072 from em0lar/keycloak-module-dbuser
nixos/keycloak: use db username in db init scripts
2021-04-29 20:15:19 +02:00
Leo Maroni
d9e18f4e7f
nixos/keycloak: use db username in db init scripts 2021-04-29 19:36:29 +02:00
Kim Lindberger
abecdfea73
Merge pull request #120833 from talyz/pipewire-0.3.26
pipewire: 0.3.25 -> 0.3.26
2021-04-29 18:46:35 +02:00
Florian Klink
7f9a5ad257
cage: drop maintainership (#121174)
I cannot currently maintain this, as I don't have access to the hardware
running it anymore.
2021-04-29 18:07:13 +02:00
WilliButz
674cea17a7
Merge pull request #120492 from SuperSandro2000/prometheus-unbound-exporter
Prometheus unbound exporter
2021-04-29 10:54:22 +02:00
Vladimír Čunát
5b0871bd97
Merge #120493: nixos/kresd: allow package to be configured 2021-04-29 10:41:12 +02:00
Andrei Pampu
e88bf5f13b
nixos/ombi: set ombi as system user 2021-04-29 10:52:02 +03:00
Sandro Jäckel
d3fe53a8a6
nixos/tests/prometheus-exporters: nixpkgs-fmt 2021-04-29 06:19:31 +02:00