author | Weijia Wang <9713184+wegank@users.noreply.github.com> | 2023-11-06 14:33:18 +0100 |
committer | Weijia Wang <9713184+wegank@users.noreply.github.com> | 2023-11-06 14:33:18 +0100 |
commit | 32da89a1a1dfb314f614213cdd0f574baf873156 (patch) | |
tree | 312e552d4df4f142cf08fba1c5f3d45f61e82575 /nixos | |
parent | 2ee2d62dce74178c62736fe4a8c784ef40476465 (diff) | |
parent | 250c07f960eaefd781df539ee0d877b13da17b97 (diff) | |
Merge branch 'master' into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/backup/syncoid.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/hostapd.nix | 30 | ||||
-rw-r--r-- | nixos/modules/virtualisation/qemu-vm.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/vagrant-guest.nix | 1 |
4 files changed, 5 insertions, 30 deletions
diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix index 0f375455e7e..1a1df38617b 100644 --- a/nixos/modules/services/backup/syncoid.nix +++ b/nixos/modules/services/backup/syncoid.nix @@ -369,7 +369,7 @@ in PrivateDevices = true; PrivateMounts = true; PrivateNetwork = mkDefault false; - PrivateUsers = true; + PrivateUsers = false; # Enabling this breaks on zfs-2.2.0 ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix index ffb15446305..5bd8e1d4d7a 100644 --- a/nixos/modules/services/networking/hostapd.nix +++ b/nixos/modules/services/networking/hostapd.nix @@ -899,25 +899,6 @@ in { ''; }; }; - - managementFrameProtection = mkOption { - default = "required"; - type = types.enum ["disabled" "optional" "required"]; - apply = x: - getAttr x { - "disabled" = 0; - "optional" = 1; - "required" = 2; - }; - description = mdDoc '' - Management frame protection (MFP) authenticates management frames - to prevent deauthentication (or related) attacks. - - - {var}`"disabled"`: No management frame protection - - {var}`"optional"`: Use MFP if a connection allows it - - {var}`"required"`: Force MFP for all clients - ''; - }; }; config = let @@ -943,7 +924,8 @@ in { # IEEE 802.11i (authentication) related configuration # Encrypt management frames to protect against deauthentication and similar attacks - ieee80211w = bssCfg.managementFrameProtection; + ieee80211w = mkDefault 1; + sae_require_mfp = mkDefault 1; # Only allow WPA by default and disable insecure WEP auth_algs = mkDefault 1; 
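Review bot: The syncoid hunk hard-codes `PrivateUsers = false;` while the line directly above it uses `PrivateNetwork = mkDefault false;`, so a user whose ZFS version does not exhibit the breakage cannot restore user-namespace isolation for the service without `mkForce`. Writing it as `PrivateUsers = mkDefault false; # Enabling this breaks on zfs-2.2.0` keeps the sibling convention and leaves the hardening opt-in rather than unreachable. The comment would also help later cleanup if it named the tracking issue, e.g. `# see <TRACKING-ISSUE placeholder>`, so the sandbox setting can be re-enabled once the underlying ZFS problem is resolved. The serviceConfig attribute set continues outside the hunk.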
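Review bot: The hostapd `@@ -943` hunk lowers the default security posture without saying so: the `managementFrameProtection` option removed in the `@@ -899` hunk defaulted to `"required"` (ieee80211w = 2), whereas `ieee80211w = mkDefault 1;` makes MFP optional, so non-SAE clients that lack MFP support can now associate with unprotected management frames; `sae_require_mfp = mkDefault 1;` only covers SAE associations. The comment left in place above the line, `# Encrypt management frames to protect against deauthentication and similar attacks`, therefore overstates the default and should read something like `# MFP is optional by default (SAE clients must use it via sae_require_mfp); set ieee80211w = 2 to enforce it for all clients`. The option itself is dropped without a `lib.mkRemovedOptionModule` entry, so existing configurations that set `managementFrameProtection` will fail with a generic undeclared-option error instead of a message naming the replacement (presumably the raw `ieee80211w` setting — confirm the intended override path). Given that the assertions removed in the later `@@ -1185` hunk used to enforce MFP for `wpa3-sae`, consider defaulting to 2 when the auth mode is pure WPA3-SAE. The enclosing bss settings attribute set continues outside the hunk.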
@@ -1185,14 +1167,6 @@ in {
 message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.'';
 }
 {
- assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2;
- message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"'';
- }
- {
- assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0;
- message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"'';
- }
- {
 assertion = countWpaPasswordDefinitions <= 1;
 message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)'';
 }
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix
index e625c6322d9..6f275baf60d 100644
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@@ -997,7 +997,7 @@ in
 virtualisation.memorySize is above 2047, but qemu is only able to allocate 2047MB RAM on 32bit max.
 '';
 }
- { assertion = cfg.directBoot.initrd != options.virtualisation.directBoot.initrd.default -> cfg.directBoot.enable;
+ { assertion = cfg.directBoot.enable || cfg.directBoot.initrd == options.virtualisation.directBoot.initrd.default;
 message = ''
 You changed the default of `virtualisation.directBoot.initrd` but you are not
diff --git a/nixos/modules/virtualisation/vagrant-guest.nix b/nixos/modules/virtualisation/vagrant-guest.nix
index 263b1ebca08..2fad376086e 100644
--- a/nixos/modules/virtualisation/vagrant-guest.nix
+++ b/nixos/modules/virtualisation/vagrant-guest.nix
@@ -55,4 +55,5 @@ in
 };
 security.sudo.wheelNeedsPassword = false;
+ security.sudo-rs.wheelNeedsPassword = false;
 } |
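Review bot: The qemu-vm hunk rewrites the assertion as `cfg.directBoot.enable || cfg.directBoot.initrd == options.virtualisation.directBoot.initrd.default`, which is logically equivalent to the removed `!= … -> …` form, so without a recorded reason the change reads as a no-op and loses the "if you changed X you must enable Y" shape that the message below depends on. A one-line comment above the assertion, `# changing directBoot.initrd is only meaningful when directBoot is enabled`, would keep that intent visible. If the rewrite was motivated by operator precedence or by how `->` evaluates, that is worth stating in the same comment. The assertion's message string continues outside the hunk.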
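Review bot: The vagrant-guest hunk adds `security.sudo-rs.wheelNeedsPassword = false;` beside the existing sudo line with no comment, so a reader cannot tell whether passwordless wheel sudo is something the guest image needs or an existing relaxation being mirrored into the second implementation. A comment such as `# Vagrant provisioning presumably expects passwordless sudo for the guest user; keep both sudo implementations in step` (confirm the actual requirement) would record the intent and make it clear that the two lines must stay consistent. The setting is applied unconditionally rather than only when sudo-rs is enabled, which appears harmless but is worth a word in that comment.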