Commit graph

148 commits

Author SHA1 Message Date
Matthijs Steen
ef1a43030b nixos/bitwarden_rs: init 2019-04-23 23:46:57 +02:00
Aaron Andersen
a1c48c3f63 nixos/vault: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:01:01 -04:00
Aaron Andersen
7808202b38 nixos/munge: replace deprecated usage of PermissionsStartOnly
see https://github.com/NixOS/nixpkgs/issues/53852
2019-04-13 07:00:56 -04:00
Bob van der Linden
60481ba3fd
nixos/hologram-agent: /var/run -> /run 2019-03-24 21:15:30 +01:00
Chris Ostrouchov
5a5def3753
munge: fix module munge.key permissions from 0700 -> 0400 readonly 2019-01-30 12:53:54 -05:00
Franz Pletz
72f324dbc7
Merge pull request #45567 from johanot/certmgr-rootca-patch
certmgr: Add patch for optional trust of self-signed certificates at remote cfssl apiserver
2019-01-30 17:37:42 +00:00
Pierre Bourdon
43fcfc274d
nixos: add nginx-sso service 2019-01-29 19:54:14 +01:00
Silvan Mosberger
f73df1862c
Merge pull request #54495 from peterhoeg/f/sshguard
nixos/sshguard: fix syslog identifiers and pid file
2019-01-29 09:35:36 +01:00
Elis Hirwing
ab5dcc7068
nixos/sks: Add option to configure database settings
This can be used for options to tweak the behavior around the database.
2019-01-28 11:14:37 +01:00
Peter Hoeg
ee472e4521 nixos/sshguard: fix syslog ids, no more pid file, cleanups
1. Allow syslog identifiers with special characters
2. Do not write a pid file as we are running in foreground anyway
3. Clean up the module for readability

Without this, when deploying using nixops, restarting sshguard would make
nixops show an error about restarting the service although the service is
actually being restarted.
2019-01-28 11:36:29 +08:00
Franz Pletz
4602b43a33
certmgr service: add package option 2019-01-24 12:11:15 +01:00
Jonas Nick
5640aa2814 nixos/tor: add HiddenServiceVersion option 2018-11-23 20:53:02 +00:00
Markus Kowalewski
e3a86019d6
nixos/munge: do not create unnecessary log dir
/var/log/munge is not used. All log messages go to syslog
2018-10-21 20:46:09 +02:00
Jean-Paul Calderone
4a71e2942c nixos/tor: better support non-anonymous services
Tor requires ``SOCKSPort 0`` when non-anonymous hidden services are
enabled.  If the configuration doesn't enable Tor client features,
generate a configuration file that explicitly includes this disabling
to allow such non-anonymous hidden services to be created (note that
doing so still requires additional configuration).  See #48622.
2018-10-17 08:56:59 -04:00
Franz Pletz
11ba2f270f
nixos/clamav: fix freshclam service if db up to date 2018-10-02 00:26:38 +02:00
Franz Pletz
f8d681a91f
nixos/clamav: fix daemon/updater services toggling 2018-10-02 00:26:38 +02:00
Jean-Paul Calderone
57834da7fc nixos/tor: Correct "transparent" typo 2018-09-17 16:13:11 +02:00
Michael Weiss
53ef5441bb nixos/sks: Make the webroot option optional
That way the built-in web server is usable by default but users can use
$HOME/web directly (instead of having to use a symlink), if they want to
customize the webpage.
2018-09-08 17:01:35 +02:00
Michael Weiss
eb0050ca45 nixos/sks: Use a group and don't add sks to systemPackages
Without a group the gid will default to 65534 (2^16 - 2) which maps to
"nogroup". IMO it makes more sense to explicitly set a valid group.

Adding pkgs.sks to environment.systemPackages is not required (IIRC we
want to avoid bloating environment.systemPackages). Instead it seems
like a better idea to make the relevant binaries available to the user
sks and enable useDefaultShell so that "su -l sks" can be used for
manual interaction (that way the files will always have the correct
owner).
2018-09-08 16:24:05 +02:00
Michael Weiss
a0d3d098ff nixos/sks: Add a webroot option
The module will now, by default, serve a simple webpage via the built-in
web server (instead of displaying an error message).
2018-09-08 16:24:05 +02:00
Michael Weiss
6764d41ecc nixos/sks: Update the descriptions and add meta.maintainers
TODO: Merge this module with https://github.com/NixOS/nixpkgs/pull/24516
2018-09-08 13:44:11 +02:00
Michael Weiss
a0d7b88911 nixos/sks: Add a dataDir option 2018-09-08 13:44:08 +02:00
Nadrieril
9b9ba8405b nixos/usbguard: ensure the audit log file can be created
Since version 0.7.3, usbguard-daemon won't start if the file cannot be opened.
2018-08-30 21:54:22 +01:00
Nadrieril
08148a746a nixos/usbguard: disable debug output 2018-08-30 21:54:22 +01:00
Ben Wolsieffer
c6191c8abf nixos/cfssl: don't create user/group unless service is enabled 2018-08-21 16:24:31 -04:00
Silvan Mosberger
1a3b9e1bd2
Merge pull request #44556 from johanot/certmgr-module-init
nixos/certmgr: init
2018-08-10 15:11:26 +02:00
Johan Thomsen
004e7fb6fd nixos/certmgr: init 2018-08-10 09:56:25 +02:00
Daiderd Jordan
d113c02563
services-vault: make package configurable and add extraConfig option 2018-08-09 23:22:53 +02:00
Johan Thomsen
7d7c36f8be nixos/cfssl: init
- based on module originally written by @srhb
- complies with available options in cfssl v1.3.2
- uid and gid 299 reserved in ids.nix
- added simple nixos test case
2018-08-03 09:40:32 +02:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
Yegor Timoshenko
1bb95d8409
Merge pull request #42775 from mkaito/oauth2_proxy-virtualHosts
oauth2_proxy: add nginx vhost module
2018-07-05 22:15:50 +03:00
Florian Klink
fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Michishige Kaito
2fec848254 fixup! oauth2_proxy: add nginx vhost module 2018-06-29 16:23:24 +01:00
Michishige Kaito
4a72999c75 oauth2_proxy: add nginx vhost module 2018-06-29 15:36:03 +01:00
Yegor Timoshenko
5e5bdfa6ad
Merge pull request #41098 from mkaito/oauth2_proxy
oauth2_proxy: Handle attributes being derivations
2018-06-18 20:47:55 +03:00
Joachim Fasting
c449f0b55c
nixos/tor: grammer fix, advise -> advice
Seems to me that the noun form is more appropriate here.
2018-06-18 12:40:09 +02:00
SLNOS
adab27a352 nixos/tor: use ControlPort for controlSocket for simplicity 2018-06-11 15:52:24 +00:00
SLNOS
2de3c4bd78 nixos/tor: add tor-init service to fix directory ownerships, fix hardenings
This reverts a part of 5bd12c694b.

Apparently there's no way to specify user for RuntimeDirectory in systemd
service file (it's always root) but tor won't create control socket if the dir
is owned by anybody except the tor user.

These hardenings were adopted from the upstream service file, checked
against systemd.service(5) and systemd.exec(5) manuals, and tested to
actually work with all the options enabled.

`PrivateDevices` implies `DevicePolicy=closed` according to systemd.exec(5),
removed.

`--RunAsDaemon 0` is the default value according to tor(5), removed.
2018-06-11 15:52:24 +00:00
markuskowa
96af022af5 nixos/munge: run munge as user munge instead of root. (#41509)
* Added a note in release notes (incompatibilities)
* Adapt slurm test
* Change user to munge in service.munge
2018-06-09 00:50:28 +02:00
Michishige Kaito
170223fe64 Handle attributes being derivations 2018-05-26 12:05:04 +01:00
bricewge
21b926003d sshguard: service creates /var/lib/sshguard 2018-05-05 00:29:44 -05:00
Yegor Timoshenko
e71c36369f
Merge pull request #39002 from serokell/oauth2_proxy_mod
oauth2_proxy: refactor service
2018-04-27 22:15:50 +03:00
Yorick van Pelt
048c991eb0
oauth2_proxy: use explicit upstream default for setXauthrequest 2018-04-27 16:45:38 +02:00
Robert Schütz
5bd12c694b
nixos/tor: use RuntimeDirectory, StateDirectory (#39083) 2018-04-18 09:42:45 +02:00
Yorick van Pelt
a037cbd46b
oauth2_proxy: add keyFile, make some options optional 2018-04-16 14:06:22 +02:00
Yorick van Pelt
b901c40a8e
oauth2_proxy: update module for extraConfig support 2018-04-16 13:10:31 +02:00
Joachim F
1c889be474
Merge pull request #37827 from oxij/pull/28938-tor-control-port
nixos/tor: expose control socket
2018-03-26 13:05:27 +00:00
Jaka Hudoklin
cb9c1c63c9 nixos/tor: expose control socket 2018-03-26 00:41:10 +00:00
Dan Peebles
6fa9d9cdbd hologram-server module: add cache timeout option
The version of hologram we're using has supported this option for a
while, but we didn't expose it through the NixOS module
2018-03-21 12:58:25 -04:00
Joel Thompson
fe2e4d6fb9 hologram: Enable configuring LDAP authorization
In AdRoll/hologram#62 support was added to hologram to configure
LDAP-based authorization of which roles a user was allowed to get
credentials for. This adds the ability to configure that.

Additionally, AdRoll/hologram/#94 added support to customize the LDAP
group query, so this also feeds that configuration through.

fixes #37393
2018-03-20 07:36:23 +00:00