path: root/nixos/modules/services/security
Commit message | Author | Age

* nixos/oauth2_proxy_nginx: add nginx config only if oauth2_proxy is enabled. (Jean-Baptiste Giraudeau, 2021-05-03)

* Merge pull request #120541 from pennae/fail2ban (Luke Granger-Brown, 2021-05-01)
  nixos/fail2ban: add maxretry/extraPackages options

  * nixos/fail2ban: add extraPackages option (pennae, 2021-04-24)
    some ban actions need additional packages (eg ipset). since actions can be provided by the user we need something general that's easy to configure. we could also enable ipset regardless of the actual configuration of the system if the iptables firewall is in use (like sshguard does), but that seems very clumsy and wouldn't easily solve the binary-not-found problems other actions may also have.

  * nixos/fail2ban: add maxretry option (pennae, 2021-04-24)
    it's not possible to set a different default maxretry value in the DEFAULT jail because the module already does so. expose the maxretry option to the configuration to remedy this. (we can't really remove it entirely because fail2ban defaults to 5)

* Merge pull request #120324 from pennae/restart-sshguard (Aaron Andersen, 2021-04-23)
  nixos/sshguard: restart sshguard when services/backend changes

  * nixos/sshguard: restart sshguard when services/backend changes (pennae, 2021-04-23)
    backends changing shouldn't be very likely, but services may well change. we should restart sshguard from nixos-rebuild instead of merely plopping down a new config file and waiting for the user to restart sshguard.

* nixos/oauth2_proxy: fix package name in nixos module (Yorick van Pelt, 2021-04-18)

* Merge pull request #117928 from ymatsiuk/fprintd-tod (Graham Christensen, 2021-04-15)
  nixos/fprintd: add TOD support

  * nixos/fprintd: add TOD support (Yurii Matsiuk, 2021-04-15)
    Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
    Signed-off-by: Yurii Matsiuk <ymatsiuk@users.noreply.github.com>

* nixos/users: require one of users.users.name.{isSystemUser,isNormalUser} (Symphorien Gibol, 2021-04-14)
  As the only consequence of isSystemUser is that if the uid is null then it's allocated below 500, if a user has uid = something below 500 then we don't require isSystemUser to be set. Motivation: https://github.com/NixOS/nixpkgs/issues/112647

* Merge pull request #112322 from mohe2015/module/declarative-step-ca (Sandro, 2021-04-12)

  * Add mohe2015 as maintainer to step-ca and nixos/step-ca (Hedtke, Moritz, 2021-04-09)

  * nixos/step-ca: Add declarative step-ca service (Hedtke, Moritz, 2021-04-09)
    Co-authored-by: midchildan <git@midchildan.org>

* iproute: deprecate alias (Sandro Jäckel, 2021-04-04)

* nixos/privacyidea: use envsubst to avoid leaking secrets to the store (Maximilian Bosch, 2021-03-31)

* Merge pull request #106698 from aanderse/nixos/clamav (Aaron Andersen, 2021-02-24)
  nixos/clamav: add settings options to replace extraConfig options

  * nixos/clamav: add settings options to replace extraConfig options (Aaron Andersen, 2020-12-11)
* nixos/oauth2_proxy_nginx: specify hostname in X-Auth-Request-Redirect (Zhenya Vinogradov, 2021-02-08)
  Fixes redirection after signing in when you use a single oauth2_proxy instance for multiple domains. X-Auth-Request-Redirect header is used to decide which URL to redirect to after signing in. Specifying `request_uri` is enough in case you need to redirect to the same domain that serves oauth2 callback endpoint, but with multiple domains you should include the scheme and the host.
* nixos/oauth2_proxy: add extraConfig type (Scriptkiddi, 2021-02-03)

* nixos/fprot: add type (Scriptkiddi, 2021-01-28)

* treewide: fix double quoted strings in meta.description (volth, 2021-01-24)
  Signed-off-by: Ben Siraphob <bensiraphob@gmail.com>

* Merge pull request #108411 from hercules-ci/vault-multiple-config-files (Robert Hensing, 2021-01-24)
  vault: Support multiple config files (no secrets in store)

  * nixos/vault: extraConfigPaths -> extraSettingsPaths (Robert Hensing, 2021-01-19)
    Align with RFC42 language, even if in advance of the actual settings attribute.

  * nixos/vault: Allow multiple config files (Robert Hensing, 2021-01-04)

* nixos/tor: fix openFirewall when ORPort isInt (Julien Moutinho, 2021-01-12)

* fprintd: Use cfg.package instead of pkgs.fprintd (Griffin Smith, 2021-01-10)
  Use the configured package for fprintd in services.dbus.packages and environment.systemPackages rather than hardcoding pkgs.fprintd.

* nixos/tor: fix client.dns.automapHostsSuffixes renaming (Julien Moutinho, 2021-01-05)

* nixos/tor: improve type-checking and hardening (Julien Moutinho, 2021-01-04)
  Fixes #77395. Fixes #82790.
* nixos/tor: don't do privoxy stuff by default (Alyssa Ross, 2020-12-16)
  It's very surprising that services.tor.client.enable would set services.privoxy.enable. This violates the principle of least astonishment, because it's Privoxy that can integrate with Tor, rather than the other way around. So this patch moves the Privoxy Tor integration to the Privoxy module, and it also disables it by default. This change is documented in the release notes.
  Reported-by: V <v@anomalous.eu>

* nixos/sshguard: do not do IPv6 setup/teardown unconditionally (Peter Hoeg, 2020-12-11)

* nixos/*: fix indentation (zowoq, 2020-11-23)

* nixos/modules: fix systemd start rate-limits (lf-, 2020-10-31)
  These were broken since 2016: https://github.com/systemd/systemd/commit/f0367da7d1a61ad698a55d17b5c28ddce0dc265a since StartLimitIntervalSec got moved into [Unit] from [Service]. StartLimitBurst has also been moved accordingly, so let's fix that one too. NixOS systems have been producing logs such as:
  /nix/store/wf98r55aszi1bkmln1lvdbp7znsfr70i-unit-caddy.service/caddy.service:31: Unknown key name 'StartLimitIntervalSec' in section 'Service', ignoring.
  I have also removed some unnecessary duplication in units disabling rate limiting since setting either interval or burst to zero disables it (https://github.com/systemd/systemd/blob/ad16158c10dfc3258831a9ff2f1a988214f51653/src/basic/ratelimit.c#L16)

* treewide: De-inline uses of lib.boolToString (Malte Brandy, 2020-10-14)
  This commit should not change eval results

* nixos/bitwarden_rs: add environmentFile option (WilliButz, 2020-09-07)
  Add the option `environmentFile` to allow passing secrets to the service without adding them to the Nix store, while keeping the current configuration via the existing environment file intact.

* Merge pull request #96042 from rnhmjoj/loaOf (WORLDofPEACE, 2020-09-02)
  treewide: completely remove types.loaOf

  * treewide: completely remove types.loaOf (rnhmjoj, 2020-09-02)

* Merge pull request #96686 from nixy/add/tor-package-option (Silvan Mosberger, 2020-08-30)
  tor: Add option to tor service for package

  * Add option to tor service for package (Andrew R. M, 2020-08-30)

* Merge pull request #85963 from seqizz/g_physlock_message (Lassulus, 2020-08-27)
  physlock: add optional lock message

  * physlock: add optional lock message (Gürkan Gür, 2020-04-24)
* nixos: remove StandardOutput=syslog, StandardError=syslog lines (Florian Klink, 2020-08-13)
  Since systemd 243, docs were already steering users towards using `journal`: https://github.com/systemd/systemd/commit/eedaf7f322a850c5d9f49346d43420423fc6f593
  systemd 246 will go one step further, it shows warnings for these units during bootup, and will [automatically convert these occurrences to `journal`](https://github.com/systemd/systemd/commit/f3dc6af20f410702beb8e45ddf77e92289fc90c7):
  > [ 6.955976] systemd[1]: /nix/store/hwyfgbwg804vmr92fxc1vkmqfq2k9s17-unit-display-manager.service/display-manager.service:27: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
  So there's no point of keeping `syslog` here, and it's probably a better idea to just not set it, due to:
  > This setting defaults to the value set with DefaultStandardOutput= in systemd-system.conf(5), which defaults to journal.
* nixos/usbguard: rework (Philipp Bartsch, 2020-08-08)
  Use StateDirectory to create necessary directories and hardcode some paths. Also drop file based audit logs, they can be found in the journal. And add module option deprecation messages.

* nixos/modules: remove trailing whitespace (Jörg Thalheim, 2020-08-07)
  This leads to ci failure otherwise if the file gets changed. git-blame can ignore whitespace changes.
* nixos/yubikey-agent: add missing mkIf (Florian Klink, 2020-07-26)
  This accidentally added pkgs.yubikey-agent to environment.systemPackages unconditionally.
* Merge pull request #92936 from philandstuff/add-yubikey-agent (Florian Klink, 2020-07-23)
  yubikey-agent: init at 0.1.3
  * yubikey-agent: init at 0.1.3 (Philip Potter, 2020-07-16)
    This adds yubikey-agent as a package and a nixos module. On macOS, we use `wrapProgram` to set pinentry_mac as default in PATH; on Linux we rely on the user to set their preferred pinentry in PATH. In particular, we use a systemd override to prefix PATH to select a chosen pinentry program if specified. On Linux, we need libnotify to provide the notify-send utility for desktop notifications (such as "Waiting for Yubikey touch..."). This might work on other flavors of unix, but I haven't tested. We reuse the programs.gnupg.agent.pinentryFlavor option for yubikey-agent, but in doing so I hit a problem: pinentryFlavor's default value is specified in a mkDefault, but only conditionally. We ought to be able to pick up the pinentryFlavor whether or not gpg-agent is running. As a result, this commit moves the default value to the definition of programs.gnupg.agent.enable.
* oauth2_proxy: 5.1.1 -> 6.0.0 (#93121) (Nikola Knežević, 2020-07-19)
  The new release fixes one of the outstanding CVEs against oauth2_proxy: https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5m6c-jp6f-2vcv. In addition, rename the owner and the project name to reflect the changes upstream (it now belongs to the oauth2-proxy organization, and the name is oauth2-proxy)

* Merge pull request #77557 from c0deaddict/feature/nginx-sso-package-option (Benjamin Hipple, 2020-07-05)
  nixos/nginx.sso: add package option

  * nixos/nginx.sso: add package option (Jos van Bakel, 2020-01-12)

* nixos/*: wheter -> whether (Samuel Gräfenstein, 2020-07-04)