JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
99,705 Commits 1 Branch 0 Tags 12 GiB
af3b9a3d46
Commit Graph

271 Commits

Author SHA1 Message Date
Parnell Springmeyer
af3b9a3d46
More wibbles? 2017-01-29 01:41:39 -06:00
Parnell Springmeyer
48564d1ae5
Another wibble 2017-01-29 01:31:33 -06:00
Parnell Springmeyer
5077699605
Derp derp 2017-01-29 01:27:11 -06:00
Parnell Springmeyer
0707a3eaa2
Qualify with lib 2017-01-29 01:23:10 -06:00
Parnell Springmeyer
8e159b9d1e
Qualify mkOption with lib 2017-01-29 01:22:47 -06:00
Parnell Springmeyer
70ec24093c
Removing dead code 2017-01-29 01:22:19 -06:00
Parnell Springmeyer
82de4c0fad
setcap-wrapper: Syntax wibble 2017-01-29 01:20:02 -06:00
Parnell Springmeyer
7680a40a37
setcap-wrapper: Syntax wibble 2017-01-29 01:16:04 -06:00
Parnell Springmeyer
2f113ee90a
setcap-wrapper: Minor refactor 2017-01-29 01:08:36 -06:00
Parnell Springmeyer
3fe7b1a4c9
setcap-wrapper: Addressing more PR feedback, unifying drvs, and cleaning up a bit 2017-01-29 01:07:12 -06:00
Parnell Springmeyer
e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer
9de070e620
Setuid wrapper should not be constrained to a specific linux kernel version 2017-01-26 09:39:37 -08:00
Parnell Springmeyer
01e6b82f3f
Removing dead code 2017-01-26 09:20:15 -08:00
Parnell Springmeyer
189a0c2579
Wrap with quotes as-per GCC's recommendation 2017-01-26 02:07:36 -08:00
Parnell Springmeyer
c30cf645f8
Make setting of the wrapper macros a compile-time error 2017-01-26 02:06:24 -08:00
Parnell Springmeyer
a26a796d5c
Merging against master - updating smokingpig, rebase was going to be messy 2017-01-26 02:00:04 -08:00
Parnell Springmeyer
ad8fde5e5d
Andddd more derp 2017-01-26 01:33:25 -08:00
Parnell Springmeyer
ce36b58e21
Derp 2017-01-26 01:31:49 -08:00
Parnell Springmeyer
f64b06a3e0
Hmmm 2017-01-26 01:13:19 -08:00
Parnell Springmeyer
fd974085bf
It's clearly quite late 2017-01-26 01:04:12 -08:00
Parnell Springmeyer
61fe8de40c
Silly, should just have one activation script 2017-01-26 01:03:18 -08:00
Parnell Springmeyer
48a0c5a3a7
More fixing 2017-01-26 01:00:46 -08:00
Parnell Springmeyer
21368c4c67
Hmm, unnecessary 2017-01-26 00:58:44 -08:00
Parnell Springmeyer
a4f905afc2
Enhhh I think compile time macros are gross 2017-01-26 00:41:00 -08:00
Parnell Springmeyer
785684f6c2
Ahhh, my compile-time macros confused me...of course they did... 2017-01-26 00:39:17 -08:00
Parnell Springmeyer
1ad541171e
Hmm 2017-01-26 00:36:35 -08:00
Parnell Springmeyer
e8bec4c75f
Implicit declared function... 2017-01-26 00:35:01 -08:00
Parnell Springmeyer
a20e65724b
Fixing 2017-01-26 00:32:59 -08:00
Parnell Springmeyer
025555d7f1
More fixes and improvements 2017-01-26 00:05:40 -08:00
Parnell Springmeyer
bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Franz Pletz
516760a6fb
nixos/acme: add random delay to timer 
This way we behave like good citizens and won't overload Let's Encrypt
with lots of cert renewal requests at the same time.
 2017-01-25 19:15:04 +01:00
Jörg Thalheim
30a554acfb
apparmor: support for lxc profiles 2017-01-10 23:01:03 +01:00
teh
a878365b77 nixos docs: update for Nginx + ACME (#21320) 
Closes #20698.
 2017-01-09 06:39:10 +01:00
Alexander Kahl
61d125b842 sssd: init at 1.14.2 
perlPackages.TextWrapI18N: init at 0.06
perlPackages.Po4a: init at 0.47
jade: init at 1.2.1
ding-libs: init at 0.6.0

Switch nscd to no-caching mode if SSSD is enabled.

abbradar: disable jade parallel building.

Closes #21150
 2017-01-04 03:07:20 +03:00
Joachim Fasting
f39d13cd3e
grsecurity doc: describe work-around for gitlab 
Fixes https://github.com/NixOS/nixpkgs/issues/20959
 2016-12-08 11:59:57 +01:00
Joachim Fasting
984d9ebb56
hidepid: polkit and systemd-logind compatibility 
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.

systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.

Fixes https://github.com/NixOS/nixpkgs/issues/20948
 2016-12-07 01:12:05 +01:00
Joachim Fasting
0e765c72e5
grsecurity: enable module hardening 2016-12-06 01:23:58 +01:00
Joachim Fasting
31d79afbe5
grsecurity docs: note that pax_sanitize_slab defaults to fast 2016-12-06 01:23:51 +01:00
Joachim Fasting
071fbcda24
grsecurity: enable optional sysfs restrictions 
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
 2016-12-06 01:23:36 +01:00
Joachim Fasting
8c1f5afdf3
grsecurity: delay toggling of sysctls until system is up 
We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
 2016-12-06 01:22:53 +01:00
Domen Kožar
75f131da02 acme: ensure nginx challenges directory is writeable 2016-11-29 15:56:01 +01:00
Joachim Fasting
e99228db30
grsecurity module: force a known good kernel package set 
Previously, we would only set a default value, on the theory that
`boot.kernelPackages` could be used to sanely configure a custom grsec
kernel.  Regrettably, this is not the case and users who expect e.g.,
`boot.kernelPackages = pkgs.linuxPackages_latest` to work will end up
with a non-grsec kernel (this problem has come up twice on the bug
tracker recently).

With this patch, `security.grsecurity.enable = true` implies
`boot.kernelPackages = linuxPackages_grsec_nixos` and any customization
must be done via package override or by eschewing the module.
 2016-11-28 12:11:04 +01:00
Joachim Fasting
2eb6ec1bc4
grsecurity module: remove code pertaining to zfs 
I don't know if it still the case that zfs fails to boot; either way,
that's the user's responsibility to contend with.
 2016-11-20 23:01:22 +01:00
Joachim Fasting
98935c7103
grsecurity module: remove requiredKernelConfig 
Using a custom package set with the NixOS module is no longer
something I wish to support.  It's still *possible* but not
advertised.  Secondly, the requiredKernelConfig didn't really
do anything (setting kernelPackages to a non-grsec kernel would
just silently let the user boot into a non-grsec setup ...).
 2016-11-20 23:00:41 +01:00
Joachim Fasting
5ad8a56d16
grsecurity module: remove use of mkEnableOption 2016-11-20 23:00:24 +01:00
Eric Sagnes
9513ab45aa duosec module: use enum 2016-11-16 22:36:05 +09:00
Timofei Kushnir
faa6f9b6b3 grsecurity: fix 'isYes' and 'isNo' 2016-10-29 14:26:06 +03:00
Domen Kožar
41c490b75e acme: we do want to support ipv4 afterall 2016-10-21 13:25:11 +02:00
Domen Kožar
d8f21b3ca3 acme: provide full nginx example 
(cherry picked from commit 2af7382f76a6523f1220637b3ec49ad25a02b040)
Signed-off-by: Domen Kožar <domen@dev.si>
 2016-10-21 13:19:04 +02:00
Alexander Ried
d91365d714 audit module: only enable service if kernel has audit (#19569) 2016-10-15 16:03:41 +02:00