Commit Graph

667 Commits

Author SHA1 Message Date
Julien Moutinho
05d334cfe2 Revert "Revert "apparmor: fix and improve the service""
This reverts commit 420f89ceb2.
2021-04-23 07:17:55 +02:00
Robert Hensing
e0e241c219
Merge pull request #116369 from m1cr0man/master
nixos/acme: Fix webroot issues
2021-03-23 21:31:42 +01:00
Lucas Savva
920a3f5a9d nixos/acme: Fix webroot issues
With the UMask set to 0023, the
mkdir -p command which creates the webroot
could end up unreadable if the web server
changes, as surfaced by the test suite in #114751
On top of this, the following commands
to chown the webroot + subdirectories was
mostly unnecessary. I stripped it back to
only fix the deepest part of the directory,
resolving #115976, and reintroduced a
human readable error message.
2021-03-15 01:41:40 +00:00
Robert Hensing
f0e20e0975 acme: Determine offline whether renewal is due 2021-03-01 23:41:52 +01:00
Florian Klink
f3af2df658
Merge pull request #111635 from xaverdh/hide-pid-broken
nixos/hidepid: remove module, it's broken
2021-02-23 00:20:29 +01:00
Dominik Xaver Hörl
893d911b55 nixos/hidepid: drop the module as the hidepid mount option is broken
This has been in an unusable state since the switch to cgroups-v2.
See https://github.com/NixOS/nixpkgs/issues/73800 for details.
2021-02-21 13:51:37 +01:00
nicoo
39383a8494 nixos/rngd: Remove module entirely, leave an explaination
Per @shlevy's request on #96092.
2021-02-21 01:32:50 +01:00
Sandro
fccda5aae6
Merge pull request #108819 from SuperSandro2000/nginx-module 2021-01-30 21:46:35 +01:00
Florian Klink
dfb2bc857b nixos/acme: fix docs 2021-01-29 18:56:28 +01:00
Florian Klink
82102fc37d
Merge pull request #100356 from m1cr0man/docsupdate
nixos/acme: Docs, explain how to set permissions
2021-01-29 17:16:06 +01:00
Florian Klink
1030745555
Merge pull request #106857 from m1cr0man/master
nixos/acme: Fixes for account creation and remove tmpfiles usage
2021-01-27 17:52:16 +01:00
Jörg Thalheim
0998756db2
Merge pull request #109342 from Mic92/wrappers 2021-01-27 14:32:38 +00:00
Jörg Thalheim
dbd05a5289
Update nixos/modules/security/wrappers/wrapper.nix
Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
2021-01-14 09:00:34 +00:00
Jörg Thalheim
eadffd9154
nixos/wrappers: fix applying capabilities
With libcap 2.41 the output of cap_to_text changed, also the original
author of code hoped that this would never happen.
To counter this now the security-wrapper only relies on the syscall
ABI, which is more stable and robust than string parsing. If new
breakages occur this will be more obvious because version numbers will
be incremented.
Furthermore all errors no make execution explicitly fail instead of
hiding errors behind debug environment variables and the code style was
more consistent with no goto fail; goto fail; vulnerabilities (https://gotofail.com/)
2021-01-14 08:46:57 +01:00
Lucas Savva
514a0b6d8a nixos/acme: Fix bash issue, enable debug
I found a logical error in the bash script, but during
debugging I enabled command echoing and realised it
would be a good idea to have it enabled all the time for
ease of bug reporting.
2021-01-12 19:11:52 +00:00
Frederik Rietdijk
b209617ff0 plasma5Packages: alias to the libsForQt5 used to build the plasma5 desktop
For in NixOS it is beneficial if both plasma5 and pam use the same Qt5
version. Because the plasma5 desktop may use a different version as the
default Qt5 version, we introduce plasma5Packages.
2021-01-10 15:59:45 +01:00
Lucas Savva
5b4f9c4244 nixos/acme: Set up webroot as non-root user 2021-01-09 19:37:03 +00:00
Lucas Savva
a01df7dc46 nixos/acme: Incorporate review suggestions 2021-01-09 19:15:03 +00:00
Sandro Jäckel
a7e31c64d9
nixos/acme: Suggest directory used security.acme.certs.<name>.webroot 2021-01-09 02:20:49 +01:00
Milan Pässler
018072ea22 nixos/pam: use pam_faillock instead of pam_tally
Fixes #108313

\#107185 removed pam_tally, in favor of pam_faillock (see release notes).
2021-01-03 15:54:23 +01:00
Lucas Savva
92a3a37153 nixos/acme: Remove all systemd-tmpfiles usage
- Added an ExecPostStart to acme-$cert.service when webroot is defined to create the acme-challenge
directory and fix required permissions. Lego always tries to create .well-known and acme-challenge,
thus if any permissions in that tree are wrong it will crash and break cert renewal.
- acme-fixperms now configured with acme User and Group, however the script still runs as root. This
ensures the StateDirectories are owned by the acme user.
- Switched to list syntax for systemd options where multiple values are specified.
2020-12-29 15:01:08 +00:00
Florian Klink
f71e439688 nixos/acme: fix typo in docs 2020-12-28 13:19:15 +01:00
Lucas Savva
e5913db0c9 nixos/acme: update documentation and release notes
The instructions on recreating the cert were missing --what=state.
Also added a note on ensuring the group of manual certs is correct.
2020-12-28 00:35:45 +00:00
Lucas Savva
f670e1dc23 nixos/acme: change service umask to 0023
Closes #106603
Some webservers (lighttpd) require that the
files they are serving are world readable. We
do our own chmods in the scripts anyway, and
lego has sensible permissions on its output
files, so this change is safe enough.
2020-12-28 00:35:20 +00:00
Lucas Savva
351065f970 nixos/acme: reduce dependency on tmpfiles
systemd-tmpfiles is no longer required for
most of the critical paths in the module. The
only one that remains is the webroot
acme-challenge directory since there's no
other good place for this to live and forcing
users to do the right thing alone will only
create more issues.
2020-12-28 00:35:20 +00:00
Lucas Savva
85769a8cd8 nixos/acme: prevent mass account creation
Closes #106565
When generating multiple certificates which all
share the same server + email, lego will attempt
to create an account multiple times. By adding an
account creation target certificates which share
an account will wait for one service (chosen at
config build time) to complete first.
2020-12-28 00:35:18 +00:00
Florian Klink
49853c69f5
Merge pull request #101482 from m1cr0man/jwsfix
nixos/acme: lego run when account is missing
2020-12-20 11:06:19 +01:00
Lucas Savva
e3120397a5 nixos/acme: Remove dependency on system version for hash
This means that all systems running from master will trigger
new certificate creation on next rebuild. Race conditions around
multiple account creation are fixed in #106857, not this commit.
2020-12-18 12:57:35 +00:00
Silvan Mosberger
6df56e1cb8
Merge pull request #103866 from cole-h/doas
doas: 6.6.1 -> 6.8
2020-11-30 19:02:55 +01:00
Frederik Rietdijk
b2a3891e12 Merge master into staging-next 2020-11-27 15:09:19 +01:00
Graham Christensen
d9c3f13df3
Merge pull request #104776 from grahamc/utillinux
utillinux: rename to util-linux
2020-11-24 15:14:36 -05:00
Graham Christensen
bc49a0815a
utillinux: rename to util-linux 2020-11-24 12:42:06 -05:00
adisbladis
ba1fa0c604
pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles
If a system administrator has explicitly configured key locations this
should be taken into account by `sudo`.
2020-11-24 02:47:07 +01:00
Florian Klink
d22b3ed4bc systemd: switch to unified cgroup hierarchy by default
See https://www.redhat.com/sysadmin/fedora-31-control-group-v2 for
details on why this is desirable, and how it impacts containers.

Users that need to keep using the old cgroup hierarchy can re-enable it
by setting `systemd.unifiedCgroupHierarchy` to `false`.

Well-known candidates not supporting that hierarchy, like docker and
hidepid=… will disable it automatically.

Fixes #73800
2020-11-19 16:56:46 +01:00
Cole Helbling
19c0927d30
nixos/doas: add noLog option 2020-11-14 19:16:56 -08:00
Linus Heckemann
2b06415ca1
Merge pull request #101370 from m1cr0man/ssl-test-certs
nixos/acme: Permissions and tests fixes
2020-10-28 17:21:57 +01:00
Nick Hu
921287e7f0
Merge pull request #97726 from NickHu/pam_gnupg
pam: add support for pam_gnupg
2020-10-26 15:27:13 +00:00
Lucas Savva
79ecf069f5
nixos/acme: Add data.email to othersHash in nixos > 20.09 2020-10-24 20:40:02 +01:00
Lucas Savva
76401c9a3b
nixos/acme: lego run whenen account is missing 2020-10-23 18:52:42 +01:00
Lucas Savva
89d134b3fd
nixos/acme: Use more secure chmods
Previous settings would make files executable in
the certs directories.
2020-10-22 14:04:31 +01:00
David Reiss
49a749c729 nixos/pam_mount: add pamMount attribute to users
This attribute is a generalized version of cryptHomeLuks for creating an
entry in /etc/security/pam_mount.conf.xml. It lets the configuration
control all the attributes of the <volume> entry, instead of just the
path. The default path remains the value of cryptHomeLuks, for
compatibility.
2020-10-14 22:55:55 -07:00
Dominique Martinet
f8d78b9f67
confinement: fix assert for serviceConfig.ProtectSystem
serviceConfig.ProtectSystem is usually a string so if set, the assert
itself would error out leaving no useable trace:

  # nixos-rebuild switch --show-trace
  building Nix...
  building the system configuration...
  error: while evaluating the attribute 'config.system.build.toplevel' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:293:5:
  while evaluating 'foldr' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:52:20, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:128:12:
  while evaluating 'fold'' at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:55:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/lib/lists.nix:59:8:
  while evaluating anonymous function at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/system/activation/top-level.nix:121:50, called from undefined position:
  while evaluating the attribute 'assertion' at /nix/var/nix/profiles/per-user/root/channels/nixos/nixos/modules/security/systemd-confinement.nix:163:7:
  value is a string while a Boolean was expected

Fix the check to give a sensible assert message instead; the attribute
should either be not set or false bool to pass.

Closes: #99000
2020-10-14 11:56:18 +02:00
Lucas Savva
d95f020a53
nixos/acme: Docs, explain how to set permissions
As of 20.09 the /var/lib/acme/.challenges permissions will
not automatically be correct. Add instructions on how to
set them correctly.
2020-10-12 19:26:00 +01:00
Nick Hu
948e05bb28
pam: add support for pam_gnupg 2020-10-12 13:29:40 +01:00
Florian Klink
a1cb02148b
Merge pull request #99912 from m1cr0man/ocspfix
nixos/acme: Fix ocspMustStaple option and add test
2020-10-11 23:44:33 +02:00
zowoq
f9bb39e294 nixos/pam: remove trailing whitespace 2020-10-09 18:31:20 +10:00
Miles Breslin
8e628f8eea
nixos/pam: Add option to set pam-u2f appid (#73591) 2020-10-08 14:37:40 -04:00
Jeroen Simonetti
cc3ce9a13a nixos/security/acme: Add DNS resolver option
When using the ACME DNS-01 challenge, there is a possibility of a
failure to resolve the challenge if the record is not propagated
fast enough. To circumvent this generic DNS problem, this adds
a setting to explicitly tell the ACME provider to use a certain DNS
resolver to lookup the challenge.

Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
2020-10-07 13:01:08 +02:00
Vladimír Čunát
420f89ceb2
Revert "apparmor: fix and improve the service"
This reverts commit fb6d63f3fd.

I really hope this finally fixes #99236: evaluation on Hydra.
This time I really did check basically the same commit on Hydra:
https://hydra.nixos.org/eval/1618011

Right now I don't have energy to find what exactly is wrong in the
commit, and it doesn't seem important in comparison to nixos-unstable
channel being stuck on a commit over one week old.
2020-10-07 12:22:18 +02:00
Lucas Savva
1edd91ca09
nixos/acme: Fix ocspMustStaple option and add test
Some of the testing setup for OCSP checking was wrong and
has been fixed too.
2020-10-07 00:18:13 +01:00
Andreas Rammhold
2c0ee52d91
nixos/security/acme: order after nss-lookup.target
This should hopefully solve races with DNS servers (such as unbound)
during the activation of a new generation. Previously unbound could
still be unavailable and thus the acme script would fail.
2020-10-06 22:52:55 +02:00
Tim Steinbach
9646ae97c8
pam: Fix interaction with samba
9544c6078e / #96672 removed the samba option
`syncPasswordsByPam`.
Need to remove this option from the pam module, otherwise it will cause build errors
2020-10-05 09:13:16 -04:00
Doron Behar
9544c6078e
Merge pull request #96672 from doronbehar/module/samba
nixos/samba: remove upstream deprecated syncPasswordsByPam option
2020-10-04 11:29:56 +03:00
Maximilian Bosch
d2dc0ae203
nixos/sudo: add package option
The `package`-option is always useful if modifying a package in an
overlay would mean that a lot of other packages need to be rebuilt as
well.

In case of `sudo` this is actually the case: when having an override for
it (e.g. for `withInsults = true;`), you'd have to rebuild e.g. `zfs`
and `grub` although that's not strictly needed.
2020-10-01 13:00:52 +02:00
Andreas Rammhold
9630d5c07f
nixos/security/wrapper: ensure the tmpfs is not world writeable
The /run/wrapper directory is a tmpfs. Unfortunately, it's mounted with
its root directory has the standard (for tmpfs) mode: 1777 (world writeable,
sticky -- the standard mode of shared temporary directories). This means that
every user can create new files and subdirectories there, but can't
move/delete/rename files that belong to other users.
2020-09-28 22:55:20 +02:00
Michael Raskin
31a4e2e28b
Merge pull request #93457 from ju1m/apparmor
apparmor: fix and improve the service
2020-09-27 13:07:38 +00:00
Florian Klink
303078d9ca
Merge pull request #97303 from martinetd/systemd-confinement-list
systemd-confinement: handle ExecStarts etc being lists
2020-09-10 21:17:17 +02:00
nicoo
e64d3f60fb nixos/modules/security/rngd: Disable by default
`rngd` seems to be the root cause for slow boot issues, and its functionality is
redundant since kernel v3.17 (2014), which introduced a `krngd` task (in kernel
space) that takes care of pulling in data from hardware RNGs:

> commit be4000bc4644d027c519b6361f5ae3bbfc52c347
> Author: Torsten Duwe <duwe@lst.de>
> Date:   Sat Jun 14 23:46:03 2014 -0400
>
>     hwrng: create filler thread
>
>     This can be viewed as the in-kernel equivalent of hwrngd;
>     like FUSE it is a good thing to have a mechanism in user land,
>     but for some reasons (simplicity, secrecy, integrity, speed)
>     it may be better to have it in kernel space.
>
>     This patch creates a thread once a hwrng registers, and uses
>     the previously established add_hwgenerator_randomness() to feed
>     its data to the input pool as long as needed. A derating factor
>     is used to bias the entropy estimation and to disable this
>     mechanism entirely when set to zero.

Closes: #96067
2020-09-09 21:51:25 -04:00
Thomas Tuegel
053b05d14d
Remove Qt 5.15 from Plasma closure 2020-09-08 08:47:34 -05:00
Dominique Martinet
fd196452f0 systemd-confinement: handle ExecStarts etc being lists
systemd-confinement's automatic package extraction does not work correctly
if ExecStarts ExecReload etc are lists.

Add an extra flatten to make things smooth.

Fixes #96840.
2020-09-06 18:55:10 +02:00
Florian Klink
d7046947e5
Merge pull request #91121 from m1cr0man/master
Restructure acme module
2020-09-06 18:26:22 +02:00
Julien Moutinho
fb6d63f3fd apparmor: fix and improve the service 2020-09-06 07:43:03 +02:00
Lucas Savva
34b5c5c1a4
nixos/acme: More features and fixes
- Allow for key reuse when domains are the only thing that
  were changed.
- Fixed systemd service failure when preliminarySelfsigned
  was set to false
2020-09-06 01:28:19 +01:00
Lucas Savva
f57824c915
nixos/acme: Update docs, use assert more effectively 2020-09-05 01:06:29 +01:00
Julien Moutinho
539ae5c932 Revert "apparmor: add apparmor_parser config file"
This reverts commit 2259fbdf4b.
2020-09-05 01:46:12 +02:00
Lucas Savva
67a5d660cb
nixos/acme: Run postRun script as root 2020-09-04 19:34:10 +01:00
Lucas Savva
1b6cfd9796
nixos/acme: Fix race condition, dont be smart with keys
Attempting to reuse keys on a basis different to the cert (AKA,
storing the key in a directory with a hashed name different to
the cert it is associated with) was ineffective since when
"lego run" is used it will ALWAYS generate a new key. This causes
issues when you revert changes since your "reused" key will not
be the one associated with the old cert. As such, I tore out the
whole keyDir implementation.

As for the race condition, checking the mtime of the cert file
was not sufficient to detect changes. In testing, selfsigned
and full certs could be generated/installed within 1 second of
each other. cmp is now used instead.

Also, I removed the nginx/httpd reload waiters in favour of
simple retry logic for the curl-based tests
2020-09-04 01:09:43 +01:00
Lucas Savva
982c5a1f0e
nixos/acme: Restructure module
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests

I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.

I encountered some problems ensuring that the reload took place
without accidently triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.

- Fix duplicate systemd rules on reload services

Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
2020-09-02 19:22:43 +01:00
WORLDofPEACE
18348c7829
Merge pull request #96042 from rnhmjoj/loaOf
treewide: completely remove types.loaOf
2020-09-02 08:45:37 -04:00
rnhmjoj
20d491a317
treewide: completely remove types.loaOf 2020-09-02 00:42:50 +02:00
Doron Behar
8cd4d59a32 nixos/samba: remove upstream deprecated syncPasswordsByPam option 2020-08-30 14:29:13 +03:00
Joachim F
18c52dadfe
Merge pull request #96034 from saschagrunert/apparmor
apparmor: add apparmor_parser config file
2020-08-28 08:08:25 +00:00
Lassulus
e453860b8f
Merge pull request #86236 from ThibautMarty/fix-nullOr-types
treewide: fix modules options types where the default is null
2020-08-26 18:21:29 +02:00
Izorkin
e21e5a9483 nixos/security/misc: add option unprivilegedUsernsClone 2020-08-25 14:18:24 +03:00
Sascha Grunert
2259fbdf4b
apparmor: add apparmor_parser config file
If the config does not exist, then apparmor_parser will throw a warning.
To avoid that and make the parser configurable, we now add a new option
to it.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
2020-08-22 22:59:26 +02:00
Lassulus
8a141825a3
Merge pull request #89779 from jktr/acme-extra-flags
nixos/acme: extra lego flags
2020-08-22 14:29:39 +02:00
Doron Behar
a854b77b08 nixos/wrappers: make (u)mount have the +s bit.
See
https://discourse.nixos.org/t/how-to-make-a-derivations-executables-have-the-s-permission/8555
and:
https://www.linuxquestions.org/questions/slackware-14/must-be-superuser-to-use-mount-fstab-is-correct-however-144932/
2020-08-15 21:57:16 +03:00
Florian Klink
962e15aebc nixos: remove StandardOutput=syslog, StandardError=syslog lines
Since systemd 243, docs were already steering users towards using
`journal`:

eedaf7f322

systemd 246 will go one step further, it shows warnings for these units
during bootup, and will [automatically convert these occurences to
`journal`](f3dc6af20f):

> [    6.955976] systemd[1]: /nix/store/hwyfgbwg804vmr92fxc1vkmqfq2k9s17-unit-display-manager.service/display-manager.service:27: Standard output type syslog is obsolete, automatically updating to journal. Please update│······················
 your unit file, and consider removing the setting altogether.

So there's no point of keeping `syslog` here, and it's probably a better
idea to just not set it, due to:

> This setting defaults to the value set with DefaultStandardOutput= in
> systemd-system.conf(5), which defaults to journal.
2020-08-13 18:49:15 +02:00
Sebastien Bourdeauducq
ecafef0dd8 pam_p11: add 2020-07-25 09:37:48 +02:00
Mario Rodas
af5765b0dc
Merge pull request #85681 from Beskhue/improve-descriptions
nixos/acme: improve some descriptions
2020-07-23 00:03:05 -05:00
datafoo
cc37d7edd7 nixos/acme: execute a single lego command
Stop trying to execute `lego renew` if that is not necessary.

Fix #86184.
2020-06-19 14:56:17 +02:00
Cole Helbling
13e2c75c93
nixos/sudo: default rule should be first
In /etc/sudoers, the last-matched rule will override all
previously-matched rules. Thus, make the default rule show up first (but
still allow some wiggle room for a user to `mkBefore` it), before any
user-defined rules.
2020-06-17 17:48:51 -07:00
J. Konrad Tegtmeier-Rottach
1719353619 nixos/acme: add extraLegoRunFlags option 2020-06-08 02:18:31 +02:00
J. Konrad Tegtmeier-Rottach
a0189a4c49 nixos/acme: add extraLegoFlags option 2020-06-08 02:17:55 +02:00
Peter Hoeg
66e040eaac nixos/pam: mount encrypted home earlier
This patch was done by curro:

The generated /etc/pam.d/* service files invoke the pam_systemd.so
session module before pam_mount.so, if both are enabled (e.g. via
security.pam.services.foo.startSession and
security.pam.services.foo.pamMount respectively).

This doesn't work in the most common scenario where the user's home
directory is stored in a pam-mounted encrypted volume (because systemd
will fail to access the user's systemd configuration).
2020-06-04 13:14:30 +08:00
Florian Klink
4a85559ffc
Merge pull request #87016 from flokli/nsswitch-cleanup
nixos/nsswitch cleanup nss modules
2020-05-14 14:55:43 +02:00
Timmy Xiao
fd13ca9f84 pam: fix spelling mistake in configuration 2020-05-12 15:56:37 -04:00
adisbladis
30236aceaf
Merge pull request #87581 from cole-h/doas
nixos/doas: default rule should be first
2020-05-12 18:38:51 +02:00
Florian Klink
2297508783 nixos/google-oslogin: add to system.nssDatabases.group too
nixos/modules/config/nsswitch.nix uses `passwdArray` for both `passwd`
and `group`, but when moving this into the google-oslogin module in
4b71b6f8fa, it didn't get split
appropriately.
2020-05-11 16:14:50 +02:00
Cole Helbling
01b645e872
nixos/doas: default rule should be first
In /etc/doas.conf, the last-matched rule will override all
previously-matched rules. Thus, make the default rule show up first (but
still allow some wiggle room for a user to `mkBefore` it), before any
user-defined rules.
2020-05-10 22:14:16 -07:00
Dominique Martinet
4c81174f4c
nixos/confinement: add conflict for ProtectSystem service option
Systemd ProtectSystem is incompatible with the chroot we make
for confinement. The options is redundant with what we do anyway
so warn if it had been set and advise to disable it.

Merges: https://github.com/NixOS/nixpkgs/pull/87420
2020-05-10 19:25:41 +02:00
Cole Helbling
446fb0097a
nixos/doas: init
`doas` is a lighter alternative to `sudo` that "provide[s] 95% of the
features of `sudo` with a fraction of the codebase" [1]. I prefer it to
`sudo`, so I figured I would add a NixOS module in order for it to be
easier to use. The module is based off of the existing `sudo` module.

[1] https://github.com/Duncaen/OpenDoas
2020-05-04 15:56:06 -07:00
Florian Klink
7457c78989
Merge pull request #86347 from m1cr0man/dnsdocs
nixos/acme: update documentation
2020-05-04 14:11:28 +02:00
Yegor Timoshenko
235f4c4a91
Merge pull request #83121 from emilazy/acme-use-ec256
nixos/acme: change default keyType to ec256
2020-05-03 12:41:23 +03:00
Lucas Savva
037ef70d5c
nixos/acme: fix incorrect example 2020-05-02 00:07:50 +01:00
Lucas Savva
c9f6e5f161
nixos/acme: indicate support for other providers 2020-05-01 18:23:16 +01:00
Florian Klink
4b71b6f8fa nixos/google-oslogin: Move nsswitch config into the module
Motivation: #86350
2020-04-30 17:51:13 +02:00
Lucas Savva
47da7aafdf
nixos/acme: update documentation 2020-04-29 20:31:17 +01:00
worldofpeace
10bf212b4f
Merge pull request #85589 from emilazy/add-acme-maintainers-team
Add ACME maintainers team
2020-04-28 18:38:12 -04:00
worldofpeace
a0ebabf60a
Merge pull request #80896 from clkamp/pam-unix-add-nodelay
nixos/security/pam: Add nodelay option
2020-04-28 17:50:42 -04:00