diff options
Diffstat (limited to 'nixos/modules/services/security')
-rw-r--r-- | nixos/modules/services/security/bitwarden_rs/default.nix | 46 | ||||
-rw-r--r-- | nixos/modules/services/security/certmgr.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/security/clamav.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/security/fail2ban.nix | 308 | ||||
-rw-r--r-- | nixos/modules/services/security/fprot.nix | 21 | ||||
-rw-r--r-- | nixos/modules/services/security/oauth2_proxy.nix | 29 | ||||
-rw-r--r-- | nixos/modules/services/security/sshguard.nix | 13 | ||||
-rw-r--r-- | nixos/modules/services/security/tor.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/security/torify.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/security/torsocks.nix | 9 | ||||
-rw-r--r-- | nixos/modules/services/security/vault.nix | 1 |
11 files changed, 324 insertions, 129 deletions
diff --git a/nixos/modules/services/security/bitwarden_rs/default.nix b/nixos/modules/services/security/bitwarden_rs/default.nix index d1817db0755..903a5327037 100644 --- a/nixos/modules/services/security/bitwarden_rs/default.nix +++ b/nixos/modules/services/security/bitwarden_rs/default.nix @@ -18,15 +18,33 @@ let else key + toUpper x) "" parts; in if builtins.match "[A-Z0-9_]+" name != null then name else partsToEnvVar parts; - configFile = pkgs.writeText "bitwarden_rs.env" (concatMapStrings (s: s + "\n") ( - (concatLists (mapAttrsToList (name: value: - if value != null then [ "${nameToEnvVar name}=${if isBool value then boolToString value else toString value}" ] else [] - ) cfg.config)))); + # Due to the different naming schemes allowed for config keys, + # we can only check for values consistently after converting them to their corresponding environment variable name. + configEnv = + let + configEnv = listToAttrs (concatLists (mapAttrsToList (name: value: + if value != null then [ (nameValuePair (nameToEnvVar name) (if isBool value then boolToString value else toString value)) ] else [] + ) cfg.config)); + in { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") { + WEB_VAULT_FOLDER = "${pkgs.bitwarden_rs-vault}/share/bitwarden_rs/vault"; + } // configEnv; + + configFile = pkgs.writeText "bitwarden_rs.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv)); + + bitwarden_rs = pkgs.bitwarden_rs.override { inherit (cfg) dbBackend; }; in { options.services.bitwarden_rs = with types; { enable = mkEnableOption "bitwarden_rs"; + dbBackend = mkOption { + type = enum [ "sqlite" "mysql" "postgresql" ]; + default = "sqlite"; + description = '' + Which database backend bitwarden_rs will be using. + ''; + }; + backupDir = mkOption { type = nullOr str; default = null; @@ -40,7 +58,7 @@ in { default = {}; example = literalExample '' { - domain = https://bw.domain.tld:8443; + domain = "https://bw.domain.tld:8443"; signupsAllowed = true; rocketPort = 8222; rocketLog = "critical"; @@ -56,23 +74,20 @@ in { even though foo2 would have been converted to FOO_2. This allows working around any potential future conflicting naming conventions. - Based on the attributes passed to this config option a environment file will be generated + Based on the attributes passed to this config option an environment file will be generated that is passed to bitwarden_rs's systemd service. The available configuration options can be found in - <link xlink:href="https://github.com/dani-garcia/bitwarden_rs/blob/1.8.0/.env.template">the environment template file</link>. + <link xlink:href="https://github.com/dani-garcia/bitwarden_rs/blob/${bitwarden_rs.version}/.env.template">the environment template file</link>. ''; - apply = config: optionalAttrs config.webVaultEnabled { - webVaultFolder = "${pkgs.bitwarden_rs-vault}/share/bitwarden_rs/vault"; - } // config; }; }; config = mkIf cfg.enable { - services.bitwarden_rs.config = { - dataFolder = "/var/lib/bitwarden_rs"; - webVaultEnabled = mkDefault true; - }; + assertions = [ { + assertion = cfg.backupDir != null -> cfg.dbBackend == "sqlite"; + message = "Backups for database backends other than sqlite will need customization"; + } ]; users.users.bitwarden_rs = { inherit group; @@ -87,7 +102,7 @@ in { User = user; Group = group; EnvironmentFile = configFile; - ExecStart = "${pkgs.bitwarden_rs}/bin/bitwarden_rs"; + ExecStart = "${bitwarden_rs}/bin/bitwarden_rs"; LimitNOFILE = "1048576"; LimitNPROC = "64"; PrivateTmp = "true"; @@ -109,6 +124,7 @@ in { path = with pkgs; [ sqlite ]; serviceConfig = { SyslogIdentifier = "backup-bitwarden_rs"; + Type = "oneshot"; User = mkDefault user; Group = mkDefault group; ExecStart = "${pkgs.bash}/bin/bash ${./backup.sh}"; diff --git a/nixos/modules/services/security/certmgr.nix b/nixos/modules/services/security/certmgr.nix index e89078883eb..94c0ba14117 100644 --- a/nixos/modules/services/security/certmgr.nix +++ b/nixos/modules/services/security/certmgr.nix @@ -113,7 +113,7 @@ in otherCert = "/var/certmgr/specs/other-cert.json"; } ''; - type = with types; attrsOf (either (submodule { + type = with types; attrsOf (either path (submodule { options = { service = mkOption { type = nullOr str; @@ -148,7 +148,7 @@ in description = "certmgr spec request object."; }; }; - }) path); + })); description = '' Certificate specs as described by: <link xlink:href="https://github.com/cloudflare/certmgr#certificate-specs" /> diff --git a/nixos/modules/services/security/clamav.nix b/nixos/modules/services/security/clamav.nix index 04b433f8f2b..aaf6fb0479b 100644 --- a/nixos/modules/services/security/clamav.nix +++ b/nixos/modules/services/security/clamav.nix @@ -30,6 +30,10 @@ let ''; in { + imports = [ + (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ]) + ]; + options = { services.clamav = { daemon = { @@ -79,18 +83,15 @@ in config = mkIf (cfg.updater.enable || cfg.daemon.enable) { environment.systemPackages = [ pkg ]; - users.users = singleton { - name = clamavUser; + users.users.${clamavUser} = { uid = config.ids.uids.clamav; group = clamavGroup; description = "ClamAV daemon user"; home = stateDir; }; - users.groups = singleton { - name = clamavGroup; - gid = config.ids.gids.clamav; - }; + users.groups.${clamavGroup} = + { gid = config.ids.gids.clamav; }; environment.etc."clamav/freshclam.conf".source = freshclamConfigFile; environment.etc."clamav/clamd.conf".source = clamdConfigFile; diff --git a/nixos/modules/services/security/fail2ban.nix b/nixos/modules/services/security/fail2ban.nix index 716ae7a2d2f..3f84f9c2560 100644 --- a/nixos/modules/services/security/fail2ban.nix +++ b/nixos/modules/services/security/fail2ban.nix @@ -6,15 +6,32 @@ let cfg = config.services.fail2ban; - fail2banConf = pkgs.writeText "fail2ban.conf" cfg.daemonConfig; + fail2banConf = pkgs.writeText "fail2ban.local" cfg.daemonConfig; - jailConf = pkgs.writeText "jail.conf" - (concatStringsSep "\n" (attrValues (flip mapAttrs cfg.jails (name: def: + jailConf = pkgs.writeText "jail.local" '' + [INCLUDES] + + before = paths-nixos.conf + + ${concatStringsSep "\n" (attrValues (flip mapAttrs cfg.jails (name: def: optionalString (def != "") '' [${name}] ${def} - '')))); + '')))} + ''; + + pathsConf = pkgs.writeText "paths-nixos.conf" '' + # NixOS + + [INCLUDES] + + before = paths-common.conf + + after = paths-overrides.local + + [DEFAULT] + ''; in @@ -31,21 +48,135 @@ in description = "Whether to enable the fail2ban service."; }; + package = mkOption { + default = pkgs.fail2ban; + type = types.package; + example = "pkgs.fail2ban_0_11"; + description = "The fail2ban package to use for running the fail2ban service."; + }; + + packageFirewall = mkOption { + default = pkgs.iptables; + type = types.package; + example = "pkgs.nftables"; + description = "The firewall package used by fail2ban service."; + }; + + banaction = mkOption { + default = "iptables-multiport"; + type = types.str; + example = "nftables-multiport"; + description = '' + Default banning action (e.g. iptables, iptables-new, iptables-multiport, + shorewall, etc) It is used to define action_* variables. Can be overridden + globally or per section within jail.local file + ''; + }; + + banaction-allports = mkOption { + default = "iptables-allport"; + type = types.str; + example = "nftables-allport"; + description = '' + Default banning action (e.g. iptables, iptables-new, iptables-multiport, + shorewall, etc) It is used to define action_* variables. Can be overridden + globally or per section within jail.local file + ''; + }; + + bantime-increment.enable = mkOption { + default = false; + type = types.bool; + description = '' + Allows to use database for searching of previously banned ip's to increase + a default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... + ''; + }; + + bantime-increment.rndtime = mkOption { + default = "4m"; + type = types.str; + example = "8m"; + description = '' + "bantime-increment.rndtime" is the max number of seconds using for mixing with random time + to prevent "clever" botnets calculate exact time IP can be unbanned again + ''; + }; + + bantime-increment.maxtime = mkOption { + default = "10h"; + type = types.str; + example = "48h"; + description = '' + "bantime-increment.maxtime" is the max number of seconds using the ban time can reach (don't grows further) + ''; + }; + + bantime-increment.factor = mkOption { + default = "1"; + type = types.str; + example = "4"; + description = '' + "bantime-increment.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, + default value of factor is 1 and with default value of formula, the ban time grows by 1, 2, 4, 8, 16 ... + ''; + }; + + bantime-increment.formula = mkOption { + default = "ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor"; + type = types.str; + example = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; + description = '' + "bantime-increment.formula" used by default to calculate next value of ban time, default value bellow, + the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32... + ''; + }; + + bantime-increment.multipliers = mkOption { + default = "1 2 4 8 16 32 64"; + type = types.str; + example = "2 4 16 128"; + description = '' + "bantime-increment.multipliers" used to calculate next value of ban time instead of formula, coresponding + previously ban count and given "bantime.factor" (for multipliers default is 1); + following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, + always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours + ''; + }; + + bantime-increment.overalljails = mkOption { + default = false; + type = types.bool; + example = true; + description = '' + "bantime-increment.overalljails" (if true) specifies the search of IP in the database will be executed + cross over all jails, if false (dafault), only current jail of the ban IP will be searched + ''; + }; + + ignoreIP = mkOption { + default = [ ]; + type = types.listOf types.str; + example = [ "192.168.0.0/16" "2001:DB8::42" ]; + description = '' + "ignoreIP" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban will not ban a host which + matches an address in this list. Several addresses can be defined using space (and/or comma) separator. + ''; + }; + daemonConfig = mkOption { - default = - '' - [Definition] - loglevel = INFO - logtarget = SYSLOG - socket = /run/fail2ban/fail2ban.sock - pidfile = /run/fail2ban/fail2ban.pid - ''; + default = '' + [Definition] + logtarget = SYSLOG + socket = /run/fail2ban/fail2ban.sock + pidfile = /run/fail2ban/fail2ban.pid + dbfile = /var/lib/fail2ban/fail2ban.sqlite3 + ''; type = types.lines; - description = - '' - The contents of Fail2ban's main configuration file. It's - generally not necessary to change it. - ''; + description = '' + The contents of Fail2ban's main configuration file. It's + generally not necessary to change it. + ''; }; jails = mkOption { @@ -65,88 +196,111 @@ in } ''; type = types.attrsOf types.lines; - description = - '' - The configuration of each Fail2ban “jail”. A jail - consists of an action (such as blocking a port using - <command>iptables</command>) that is triggered when a - filter applied to a log file triggers more than a certain - number of times in a certain time period. Actions are - defined in <filename>/etc/fail2ban/action.d</filename>, - while filters are defined in - <filename>/etc/fail2ban/filter.d</filename>. - ''; + description = '' + The configuration of each Fail2ban “jail”. A jail + consists of an action (such as blocking a port using + <command>iptables</command>) that is triggered when a + filter applied to a log file triggers more than a certain + number of times in a certain time period. Actions are + defined in <filename>/etc/fail2ban/action.d</filename>, + while filters are defined in + <filename>/etc/fail2ban/filter.d</filename>. + ''; }; }; }; - ###### implementation config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.fail2ban ]; + warnings = mkIf (config.networking.firewall.enable == false && config.networking.nftables.enable == false) [ + "fail2ban can not be used without a firewall" + ]; - environment.etc."fail2ban/fail2ban.conf".source = fail2banConf; - environment.etc."fail2ban/jail.conf".source = jailConf; - environment.etc."fail2ban/action.d".source = "${pkgs.fail2ban}/etc/fail2ban/action.d/*.conf"; - environment.etc."fail2ban/filter.d".source = "${pkgs.fail2ban}/etc/fail2ban/filter.d/*.conf"; + environment.systemPackages = [ cfg.package ]; - systemd.services.fail2ban = - { description = "Fail2ban Intrusion Prevention System"; + environment.etc = { + "fail2ban/fail2ban.local".source = fail2banConf; + "fail2ban/jail.local".source = jailConf; + "fail2ban/fail2ban.conf".source = "${cfg.package}/etc/fail2ban/fail2ban.conf"; + "fail2ban/jail.conf".source = "${cfg.package}/etc/fail2ban/jail.conf"; + "fail2ban/paths-common.conf".source = "${cfg.package}/etc/fail2ban/paths-common.conf"; + "fail2ban/paths-nixos.conf".source = pathsConf; + "fail2ban/action.d".source = "${cfg.package}/etc/fail2ban/action.d/*.conf"; + "fail2ban/filter.d".source = "${cfg.package}/etc/fail2ban/filter.d/*.conf"; + }; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - partOf = optional config.networking.firewall.enable "firewall.service"; + systemd.services.fail2ban = { + description = "Fail2ban Intrusion Prevention System"; - restartTriggers = [ fail2banConf jailConf ]; - path = [ pkgs.fail2ban pkgs.iptables pkgs.iproute ]; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + partOf = optional config.networking.firewall.enable "firewall.service"; - preStart = - '' - mkdir -p /var/lib/fail2ban - ''; + restartTriggers = [ fail2banConf jailConf pathsConf ]; + reloadIfChanged = true; - unitConfig.Documentation = "man:fail2ban(1)"; + path = [ cfg.package cfg.packageFirewall pkgs.iproute ]; - serviceConfig = - { Type = "forking"; - ExecStart = "${pkgs.fail2ban}/bin/fail2ban-client -x start"; - ExecStop = "${pkgs.fail2ban}/bin/fail2ban-client stop"; - ExecReload = "${pkgs.fail2ban}/bin/fail2ban-client reload"; - PIDFile = "/run/fail2ban/fail2ban.pid"; - Restart = "always"; + unitConfig.Documentation = "man:fail2ban(1)"; - ReadOnlyDirectories = "/"; - ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib"; - PrivateTmp = "true"; - RuntimeDirectory = "fail2ban"; - CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; - }; + serviceConfig = { + ExecStart = "${cfg.package}/bin/fail2ban-server -xf start"; + ExecStop = "${cfg.package}/bin/fail2ban-server stop"; + ExecReload = "${cfg.package}/bin/fail2ban-server reload"; + Type = "simple"; + Restart = "on-failure"; + PIDFile = "/run/fail2ban/fail2ban.pid"; + # Capabilities + CapabilityBoundingSet = [ "CAP_AUDIT_READ" "CAP_DAC_READ_SEARCH" "CAP_NET_ADMIN" "CAP_NET_RAW" ]; + # Security + NoNewPrivileges = true; + # Directory + RuntimeDirectory = "fail2ban"; + RuntimeDirectoryMode = "0750"; + StateDirectory = "fail2ban"; + StateDirectoryMode = "0750"; + LogsDirectory = "fail2ban"; + LogsDirectoryMode = "0750"; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; }; + }; # Add some reasonable default jails. The special "DEFAULT" jail # sets default values for all other jails. - services.fail2ban.jails.DEFAULT = - '' - ignoreip = 127.0.0.1/8 - bantime = 600 - findtime = 600 - maxretry = 3 - backend = systemd - enabled = true - ''; - + services.fail2ban.jails.DEFAULT = '' + ${optionalString cfg.bantime-increment.enable '' + # Bantime incremental + bantime.increment = ${if cfg.bantime-increment.enable then "true" else "false"} + bantime.maxtime = ${cfg.bantime-increment.maxtime} + bantime.factor = ${cfg.bantime-increment.factor} + bantime.formula = ${cfg.bantime-increment.formula} + bantime.multipliers = ${cfg.bantime-increment.multipliers} + bantime.overalljails = ${if cfg.bantime-increment.overalljails then "true" else "false"} + ''} + # Miscellaneous options + ignoreip = 127.0.0.1/8 ${optionalString config.networking.enableIPv6 "::1"} ${concatStringsSep " " cfg.ignoreIP} + maxretry = 3 + backend = systemd + # Actions + banaction = ${cfg.banaction} + banaction_allports = ${cfg.banaction-allports} + ''; # Block SSH if there are too many failing connection attempts. - services.fail2ban.jails.ssh-iptables = - '' - filter = sshd - action = iptables-multiport[name=SSH, port="${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}", protocol=tcp] - maxretry = 5 - ''; - + services.fail2ban.jails.sshd = mkDefault '' + enabled = true + port = ${concatMapStringsSep "," (p: toString p) config.services.openssh.ports} + ''; }; - } diff --git a/nixos/modules/services/security/fprot.nix b/nixos/modules/services/security/fprot.nix index 47449039146..3a0b08b3c6d 100644 --- a/nixos/modules/services/security/fprot.nix +++ b/nixos/modules/services/security/fprot.nix @@ -10,12 +10,7 @@ in { services.fprot = { updater = { - enable = mkOption { - default = false; - description = '' - Whether to enable automatic F-Prot virus definitions database updates. - ''; - }; + enable = mkEnableOption "automatic F-Prot virus definitions database updates"; productData = mkOption { description = '' @@ -48,22 +43,18 @@ in { services.fprot.updater.licenseKeyfile = mkDefault "${pkgs.fprot}/opt/f-prot/license.key"; environment.systemPackages = [ pkgs.fprot ]; - environment.etc = singleton { + environment.etc."f-prot.conf" = { source = "${pkgs.fprot}/opt/f-prot/f-prot.conf"; - target = "f-prot.conf"; }; - users.users = singleton - { name = fprotUser; - uid = config.ids.uids.fprot; + users.users.${fprotUser} = + { uid = config.ids.uids.fprot; description = "F-Prot daemon user"; home = stateDir; }; - users.groups = singleton - { name = fprotGroup; - gid = config.ids.gids.fprot; - }; + users.groups.${fprotGroup} = + { gid = config.ids.gids.fprot; }; services.cron.systemCronJobs = [ "*/${toString cfg.updater.frequency} * * * * root start fprot-updater" ]; diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index 2abb9ec32ac..46caadee204 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -12,7 +12,7 @@ let # command-line to launch oauth2_proxy. providerSpecificOptions = { azure = cfg: { - azure.tenant = cfg.azure.tenant; + azure-tenant = cfg.azure.tenant; resource = cfg.azure.resource; }; @@ -44,6 +44,7 @@ let pass-access-token = passAccessToken; pass-basic-auth = passBasicAuth; pass-host-header = passHostHeader; + reverse-proxy = reverseProxy; proxy-prefix = proxyPrefix; profile-url = profileURL; redeem-url = redeemURL; @@ -65,8 +66,8 @@ let } // lib.optionalAttrs (cfg.htpasswd.file != null) { display-htpasswd-file = cfg.htpasswd.displayForm; } // lib.optionalAttrs tls.enable { - tls-cert = tls.certificate; - tls-key = tls.key; + tls-cert-file = tls.certificate; + tls-key-file = tls.key; https-address = tls.httpsAddress; } // (getProviderOptions cfg cfg.provider) // cfg.extraConfig; @@ -98,14 +99,21 @@ in ############################################## # PROVIDER configuration + # Taken from: https://github.com/pusher/oauth2_proxy/blob/master/providers/providers.go provider = mkOption { type = types.enum [ "google" - "github" "azure" + "facebook" + "github" + "keycloak" "gitlab" "linkedin" - "myusa" + "login.gov" + "bitbucket" + "nextcloud" + "digitalocean" + "oidc" ]; default = "google"; description = '' @@ -433,6 +441,17 @@ in ''; }; + reverseProxy = mkOption { + type = types.bool; + default = false; + description = '' + In case when running behind a reverse proxy, controls whether headers + like <literal>X-Real-Ip</literal> are accepted. Usage behind a reverse + proxy will require this flag to be set to avoid logging the reverse + proxy IP address. + ''; + }; + proxyPrefix = mkOption { type = types.str; default = "/oauth2"; diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix index 4a174564dd2..e7a9cefdef3 100644 --- a/nixos/modules/services/security/sshguard.nix +++ b/nixos/modules/services/security/sshguard.nix @@ -92,8 +92,11 @@ in { "-o cat" "-n1" ] ++ (map (name: "-t ${escapeShellArg name}") cfg.services)); + backend = if config.networking.nftables.enable + then "sshg-fw-nft-sets" + else "sshg-fw-ipset"; in '' - BACKEND="${pkgs.sshguard}/libexec/sshg-fw-ipset" + BACKEND="${pkgs.sshguard}/libexec/${backend}" LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}" ''; @@ -104,7 +107,9 @@ in { after = [ "network.target" ]; partOf = optional config.networking.firewall.enable "firewall.service"; - path = with pkgs; [ iptables ipset iproute systemd ]; + path = with pkgs; if config.networking.nftables.enable + then [ nftables iproute systemd ] + else [ iptables ipset iproute systemd ]; # The sshguard ipsets must exist before we invoke # iptables. sshguard creates the ipsets after startup if @@ -112,14 +117,14 @@ in { # the iptables rules because postStart races with the creation # of the ipsets. So instead, we create both the ipsets and # firewall rules before sshguard starts. - preStart = '' + preStart = optionalString config.networking.firewall.enable '' ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6 ${pkgs.iptables}/bin/iptables -I INPUT -m set --match-set sshguard4 src -j DROP ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP ''; - postStop = '' + postStop = optionalString config.networking.firewall.enable '' ${pkgs.iptables}/bin/iptables -D INPUT -m set --match-set sshguard4 src -j DROP ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4 diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index ed862387cce..18c105b2f57 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -106,6 +106,12 @@ let in { + imports = [ + (mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ]) + (mkRemovedOptionModule [ "services" "tor" "relay" "isBridge" ] "Use services.tor.relay.role instead.") + (mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.") + ]; + options = { services.tor = { enable = mkOption { diff --git a/nixos/modules/services/security/torify.nix b/nixos/modules/services/security/torify.nix index 08da726437e..39551190dd3 100644 --- a/nixos/modules/services/security/torify.nix +++ b/nixos/modules/services/security/torify.nix @@ -25,6 +25,7 @@ in services.tor.tsocks = { enable = mkOption { + type = types.bool; default = false; description = '' Whether to build tsocks wrapper script to relay application traffic via Tor. @@ -40,6 +41,7 @@ in }; server = mkOption { + type = types.str; default = "localhost:9050"; example = "192.168.0.20"; description = '' @@ -48,6 +50,7 @@ in }; config = mkOption { + type = types.lines; default = ""; description = '' Extra configuration. Contents will be added verbatim to TSocks diff --git a/nixos/modules/services/security/torsocks.nix b/nixos/modules/services/security/torsocks.nix index c60c745443b..47ac95c4626 100644 --- a/nixos/modules/services/security/torsocks.nix +++ b/nixos/modules/services/security/torsocks.nix @@ -112,10 +112,9 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ]; - environment.etc = - [ { source = pkgs.writeText "torsocks.conf" (configFile cfg.server); - target = "tor/torsocks.conf"; - } - ]; + environment.etc."tor/torsocks.conf" = + { + source = pkgs.writeText "torsocks.conf" (configFile cfg.server); + }; }; } diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix index b0ab8fadcbe..6a8a3a93327 100644 --- a/nixos/modules/services/security/vault.nix +++ b/nixos/modules/services/security/vault.nix @@ -135,6 +135,7 @@ in User = "vault"; Group = "vault"; ExecStart = "${cfg.package}/bin/vault server -config ${configFile}"; + ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; PrivateDevices = true; PrivateTmp = true; ProtectSystem = "full"; |