From 116ae00e73d78e723b813b8872553c68cbcb1dac Mon Sep 17 00:00:00 2001 From: Moritz Hedtke Date: Wed, 15 Dec 2021 20:27:18 +0100 Subject: nixos/step-ca: create a step-ca user This allows you to create the certificate files owned by that user so the service can read them. --- nixos/modules/services/security/step-ca.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'nixos/modules/services/security') diff --git a/nixos/modules/services/security/step-ca.nix b/nixos/modules/services/security/step-ca.nix index 27b2ceed1a4..bfb29fbc6c1 100644 --- a/nixos/modules/services/security/step-ca.nix +++ b/nixos/modules/services/security/step-ca.nix @@ -108,6 +108,9 @@ in ConditionFileNotEmpty = ""; # override upstream }; serviceConfig = { + User = "step-ca"; + Group = "step-ca"; + UMask = "0077"; Environment = "HOME=%S/step-ca"; WorkingDirectory = ""; # override upstream ReadWriteDirectories = ""; # override upstream @@ -129,6 +132,14 @@ in }; }; + users.users.step-ca = { + home = "/var/lib/step-ca"; + group = "step-ca"; + isSystemUser = true; + }; + + users.groups.step-ca = {}; + networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; }; -- cgit 1.4.1 From 9d5aba4ac9facddfeefbcf809f124f2791294cee Mon Sep 17 00:00:00 2001 From: Moritz Hedtke Date: Sun, 13 Feb 2022 00:49:27 +0100 Subject: nixos/step-ca: Remove unnecessary passthru.tests --- nixos/modules/services/security/step-ca.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'nixos/modules/services/security') diff --git a/nixos/modules/services/security/step-ca.nix b/nixos/modules/services/security/step-ca.nix index 27b2ceed1a4..db7f81acd2a 100644 --- a/nixos/modules/services/security/step-ca.nix +++ b/nixos/modules/services/security/step-ca.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, nixosTests, ... }: +{ config, lib, pkgs, ... }: let cfg = config.services.step-ca; settingsFormat = (pkgs.formats.json { }); 
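Review bot: Switching the unit from root to the new `step-ca` user leaves any state the service already wrote under `/var/lib/step-ca` while it ran as root (database, issued certificates, and the key files the commit message refers to) root-owned and unreadable once `User = "step-ca";` takes effect, and neither this hunk nor the `users.users.step-ca` hunk further down adjusts ownership. A comment next to `User = "step-ca";` such as `# runs unprivileged: %S/step-ca and the CA key/cert files must be owned by (or readable to) step-ca` plus a migration hint in the release notes would make that explicit. If `cfg.port` may be a privileged port, the unprivileged user would also need `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];`; the rest of `serviceConfig` is outside the hunk, so I cannot tell whether that is already handled.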
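Review bot: The second vaultwarden hunk aliases the timer unit `systemd.timers.backup-vaultwarden` as `backup-bitwarden_rs.service`, but a systemd alias has to carry the same unit suffix as the unit it names, so for a timer it should read `aliases = [ "backup-bitwarden_rs.timer" ];`. The `.service` suffix added in the first hunk, on the service unit, is correct. With the mismatched suffix the old timer name may not resolve, and systemd may reject or ignore the alias symlink.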
@@ -82,8 +82,6 @@ in }); in { - passthru.tests.step-ca = nixosTests.step-ca; - assertions = [ { -- cgit 1.4.1 From eb0dda98dc24e6aa51e41321321ae2c264b5bd44 Mon Sep 17 00:00:00 2001 From: Vladyslav M Date: Sun, 20 Feb 2022 14:37:20 +0200 Subject: nixos/vaultwarden: fix evaluation --- nixos/modules/services/security/vaultwarden/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nixos/modules/services/security') diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix index fd459f70ccd..8277f493639 100644 --- a/nixos/modules/services/security/vaultwarden/default.nix +++ b/nixos/modules/services/security/vaultwarden/default.nix @@ -151,7 +151,7 @@ in { }; systemd.services.backup-vaultwarden = mkIf (cfg.backupDir != null) { - aliases = [ "backup-bitwarden_rs" ]; + aliases = [ "backup-bitwarden_rs.service" ]; description = "Backup vaultwarden"; environment = { DATA_FOLDER = "/var/lib/bitwarden_rs"; @@ -169,7 +169,7 @@ in { }; systemd.timers.backup-vaultwarden = mkIf (cfg.backupDir != null) { - aliases = [ "backup-bitwarden_rs" ]; + aliases = [ "backup-bitwarden_rs.service" ]; description = "Backup vaultwarden on time"; timerConfig = { OnCalendar = mkDefault "23:00"; -- cgit 1.4.1 From 317ca6bb4e8a0be5d7ab150ef896da6a0ab58843 Mon Sep 17 00:00:00 2001 From: Solene Rapenne Date: Sun, 16 Jan 2022 13:20:08 +0100 Subject: clamav: remove freshclam service dependency --- nixos/modules/services/security/clamav.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'nixos/modules/services/security') diff --git a/nixos/modules/services/security/clamav.nix b/nixos/modules/services/security/clamav.nix index 340cbbf02fb..95a0ad8770e 100644 --- a/nixos/modules/services/security/clamav.nix +++ b/nixos/modules/services/security/clamav.nix 
@@ -9,7 +9,7 @@ let pkg = pkgs.clamav; toKeyValue = generators.toKeyValue { - mkKeyValue = generators.mkKeyValueDefault {} " "; + mkKeyValue = generators.mkKeyValueDefault { } " "; listsAsDuplicateKeys = true; }; @@ -30,7 +30,7 @@ in settings = mkOption { type = with types; attrsOf (oneOf [ bool int str (listOf str) ]); - default = {}; + default = { }; description = '' ClamAV configuration. Refer to , for details on supported values. @@ -59,7 +59,7 @@ in settings = mkOption { type = with types; attrsOf (oneOf [ bool int str (listOf str) ]); - default = {}; + default = { }; description = '' freshclam configuration. Refer to , for details on supported values. @@ -104,7 +104,6 @@ in systemd.services.clamav-daemon = mkIf cfg.daemon.enable { description = "ClamAV daemon (clamd)"; after = optional cfg.updater.enable "clamav-freshclam.service"; - requires = optional cfg.updater.enable "clamav-freshclam.service"; wantedBy = [ "multi-user.target" ]; restartTriggers = [ clamdConfigFile ]; @@ -134,7 +133,7 @@ in systemd.services.clamav-freshclam = mkIf cfg.updater.enable { description = "ClamAV virus database updater (freshclam)"; restartTriggers = [ freshclamConfigFile ]; - + after = [ "network-online.target" ]; preStart = '' mkdir -m 0755 -p ${stateDir} chown ${clamavUser}:${clamavGroup} ${stateDir} -- cgit 1.4.1 From 671a068a0166a5474e51b4d151b64250f8feaec8 Mon Sep 17 00:00:00 2001 
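Review bot: The new `after = [ "network-online.target" ];` on the clamav-freshclam unit only orders it but does not pull the target in; without a matching `wants = [ "network-online.target" ];` the target may never be activated and freshclam can still run before the network is up, so the `wants` line should be added next to `after`. Dropping `requires` on the daemon side (hunk @@ -104) is intentional per the commit message, but a short comment there, e.g. `# freshclam is only ordered, not required: clamd must still start when the updater fails`, would keep the next reader from re-adding it. The freshclam unit body continues outside the hunk.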
From: Renaud Date: Wed, 2 Mar 2022 20:51:47 +0100 Subject: Remove F-PROT package and service module (EoL) (#160372) --- .../from_md/release-notes/rl-2205.section.xml | 7 ++ nixos/doc/manual/release-notes/rl-2205.section.md | 3 + nixos/modules/misc/ids.nix | 4 +- nixos/modules/module-list.nix | 1 - nixos/modules/rename.nix | 1 + nixos/modules/services/security/fprot.nix | 82 ---------------------- pkgs/tools/security/fprot/default.nix | 42 ----------- pkgs/top-level/all-packages.nix | 2 - 8 files changed, 13 insertions(+), 129 deletions(-) delete mode 100644 nixos/modules/services/security/fprot.nix delete mode 100644 pkgs/tools/security/fprot/default.nix (limited to 'nixos/modules/services/security') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index a6bd453b35d..4acf8195a8d 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -553,6 +553,13 @@ tilp2 was removed together with its module + + + The F-PROT antivirus (fprot package) and + its service module were removed because it reached + end-of-life. + + bird1 and its modules diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 8f5b4789a42..366f0552589 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -180,6 +180,9 @@ In addition to numerous new and upgraded packages, this release has the followin - `tilp2` was removed together with its module +- The F-PROT antivirus (`fprot` package) and its service module were removed because it + reached [end-of-life](https://kb.cyren.com/av-support/index.php?/Knowledgebase/Article/View/434/0/end-of-sale--end-of-life-for-f-prot-and-csam). + - `bird1` and its modules `services.bird` as well as `services.bird6` have been removed. Upgrade to `services.bird2`. - The options `networking.interfaces..ipv4.routes` and `networking.interfaces..ipv6.routes` are no longer ignored when using networkd instead of the default scripted network backend by setting `networking.useNetworkd` to `true`. diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 1b4105c676d..7d1faa50f4b 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -89,7 +89,7 @@ in prayer = 49; mpd = 50; clamav = 51; - fprot = 52; + #fprot = 52; # unused # bind = 53; #dynamically allocated as of 2021-09-03 wwwrun = 54; #adm = 55; # unused @@ -412,7 +412,7 @@ in prayer = 49; mpd = 50; clamav = 51; - fprot = 52; + #fprot = 52; # unused #bind = 53; # unused wwwrun = 54; adm = 55; diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index fd6bd087fb7..c102f4c97ee 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -951,7 +951,6 @@ ./services/security/clamav.nix ./services/security/fail2ban.nix ./services/security/fprintd.nix - ./services/security/fprot.nix ./services/security/haka.nix ./services/security/haveged.nix ./services/security/hockeypuck.nix diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index d72ff1c6f17..195cf87e6a8 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix 
@@ -50,6 +50,7 @@ with lib; (mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.") (mkRemovedOptionModule [ "services" "fourStore" ] "The fourStore module has been removed") (mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed") + (mkRemovedOptionModule [ "services" "fprot" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "frab" ] "The frab module has been removed") (mkRemovedOptionModule [ "services" "kippo" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "mailpile" ] "The corresponding package was removed from nixpkgs.") diff --git a/nixos/modules/services/security/fprot.nix b/nixos/modules/services/security/fprot.nix deleted file mode 100644 index df60d553e85..00000000000 --- a/nixos/modules/services/security/fprot.nix +++ /dev/null 
@@ -1,82 +0,0 @@ -{ config, lib, pkgs, ... }: -with lib; -let - fprotUser = "fprot"; - stateDir = "/var/lib/fprot"; - fprotGroup = fprotUser; - cfg = config.services.fprot; -in { - options = { - - services.fprot = { - updater = { - enable = mkEnableOption "automatic F-Prot virus definitions database updates"; - - productData = mkOption { - description = '' - product.data file. Defaults to the one supplied with installation package. - ''; - type = types.path; - }; - - frequency = mkOption { - default = 30; - type = types.int; - description = '' - Update virus definitions every X minutes. - ''; - }; - - licenseKeyfile = mkOption { - type = types.path; - description = '' - License keyfile. Defaults to the one supplied with installation package. - ''; - }; - - }; - }; - }; - - ###### implementation - - config = mkIf cfg.updater.enable { - - services.fprot.updater.productData = mkDefault "${pkgs.fprot}/opt/f-prot/product.data"; - services.fprot.updater.licenseKeyfile = mkDefault "${pkgs.fprot}/opt/f-prot/license.key"; - - environment.systemPackages = [ pkgs.fprot ]; - environment.etc."f-prot.conf" = { - source = "${pkgs.fprot}/opt/f-prot/f-prot.conf"; - }; - - users.users.${fprotUser} = - { uid = config.ids.uids.fprot; - description = "F-Prot daemon user"; - home = stateDir; - }; - - users.groups.${fprotGroup} = - { gid = config.ids.gids.fprot; }; - - services.cron.systemCronJobs = [ "*/${toString cfg.updater.frequency} * * * * root start fprot-updater" ]; - - systemd.services.fprot-updater = { - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = false; - }; - wantedBy = [ "multi-user.target" ]; - - # have to copy fpupdate executable because it insists on storing the virus database in the same dir - preStart = '' - mkdir -m 0755 -p ${stateDir} - chown ${fprotUser}:${fprotGroup} ${stateDir} - cp ${pkgs.fprot}/opt/f-prot/fpupdate ${stateDir} - ln -sf ${cfg.updater.productData} ${stateDir}/product.data - ''; - - script = "/var/lib/fprot/fpupdate --keyfile 
${cfg.updater.licenseKeyfile}"; - }; - }; -} diff --git a/pkgs/tools/security/fprot/default.nix b/pkgs/tools/security/fprot/default.nix deleted file mode 100644 index 6b930adcc26..00000000000 --- a/pkgs/tools/security/fprot/default.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ lib, stdenv, fetchurl }: - -stdenv.mkDerivation { - - pname = "f-prot"; - version = "6.2.1"; - - src = fetchurl { - url = "http://files.f-prot.com/files/unix-trial/fp-Linux.x86.32-ws.tar.gz"; - sha256 = "0qlsrkanf0inplwv1i6hqbimdg91syf5ggd1vahsm9lhivmnr0v5"; - }; - - installPhase = '' - mkdir -p $out/bin - cp fpscan $out/bin - - mkdir -p $out/opt/f-prot - cp fpupdate $out/opt/f-prot - cp product.data.default $out/opt/f-prot/product.data - cp license.key $out/opt/f-prot/ - cp f-prot.conf.default $out/opt/f-prot/f-prot.conf - ln -s $out/opt/f-prot/fpupdate $out/bin/fpupdate - - patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" $out/opt/f-prot/fpupdate - - mkdir -p $out/share/man/ - mkdir -p $out/share/man/man1 - cp doc/man/fpscan.1 $out/share/man/man1 - mkdir -p $out/share/man/man5 - cp doc/man/f-prot.conf.5 $out/share/man/man5 - mkdir -p $out/share/man/man8 - cp doc/man/fpupdate.8 $out/share/man/man8 - ''; - - meta = with lib; { - homepage = "http://www.f-prot.com"; - description = "A popular proprietary antivirus program"; - license = licenses.unfree; - maintainers = [ ]; - platforms = platforms.linux; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 1de42284b3e..5359a2ef981 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5555,8 +5555,6 @@ with pkgs; fpm = callPackage ../tools/package-management/fpm { }; - fprot = callPackage ../tools/security/fprot { }; - fprintd = callPackage ../tools/security/fprintd { }; fprintd-tod = callPackage ../tools/security/fprintd/tod.nix { }; -- cgit 1.4.1 From 764670261a559e0e2e89dcce487fb9bd3ae19f9e Mon Sep 17 00:00:00 2001 
From: Jonas Heinrich Date: Wed, 23 Feb 2022 11:08:49 +0100 Subject: nixos/opensnitch: Add options to configure daemon --- nixos/modules/services/security/opensnitch.nix | 103 ++++++++++++++++++++++++- pkgs/tools/networking/opensnitch/daemon.nix | 7 +- 2 files changed, 108 insertions(+), 2 deletions(-) (limited to 'nixos/modules/services/security') diff --git a/nixos/modules/services/security/opensnitch.nix b/nixos/modules/services/security/opensnitch.nix index 919346cf2bb..f9b4985e199 100644 --- a/nixos/modules/services/security/opensnitch.nix +++ b/nixos/modules/services/security/opensnitch.nix 
@@ -3,22 +3,123 @@ with lib; let - name = "opensnitch"; cfg = config.services.opensnitch; + format = pkgs.formats.json {}; in { options = { services.opensnitch = { enable = mkEnableOption "Opensnitch application firewall"; + settings = mkOption { + type = types.submodule { + freeformType = format.type; + + options = { + Server = { + + Address = mkOption { + type = types.str; + description = '' + Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is + mandatory) or TCP socket (192.168.1.100:50051). + ''; + }; + + LogFile = mkOption { + type = types.path; + description = '' + File to write logs to (use /dev/stdout to write logs to standard + output). + ''; + }; + + }; + + DefaultAction = mkOption { + type = types.enum [ "allow" "deny" ]; + description = '' + Default action whether to block or allow application internet + access. + ''; + }; + + DefaultDuration = mkOption { + type = types.enum [ + "once" "always" "until restart" "30s" "5m" "15m" "30m" "1h" + ]; + description = '' + Default duration of firewall rule. + ''; + }; + + InterceptUnknown = mkOption { + type = types.bool; + description = '' + Wheter to intercept spare connections. + ''; + }; + + ProcMonitorMethod = mkOption { + type = types.enum [ "ebpf" "proc" "ftrace" "audit" ]; + description = '' + Which process monitoring method to use. + ''; + }; + + LogLevel = mkOption { + type = types.enum [ 0 1 2 3 4 ]; + description = '' + Default log level from 0 to 4 (debug, info, important, warning, + error). + ''; + }; + + Firewall = mkOption { + type = types.enum [ "iptables" "nftables" ]; + description = '' + Which firewall backend to use. + ''; + }; + + Stats = { + + MaxEvents = mkOption { + type = types.int; + description = '' + Max events to send to the GUI. + ''; + }; + + MaxStats = mkOption { + type = types.int; + description = '' + Max stats per item to keep in backlog. + ''; + }; + + }; + }; + }; + description = '' + opensnitchd configuration. Refer to + + for details on supported values. 
+ ''; + }; }; }; config = mkIf cfg.enable { + # pkg.opensnitch is referred to elsewhere in the module so we don't need to worry about it being garbage collected + services.opensnitch.settings = mapAttrs (_: v: mkDefault v) (builtins.fromJSON (builtins.unsafeDiscardStringContext (builtins.readFile "${pkgs.opensnitch}/etc/default-config.json"))); + systemd = { packages = [ pkgs.opensnitch ]; services.opensnitchd.wantedBy = [ "multi-user.target" ]; }; + environment.etc."opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings; + }; } diff --git a/pkgs/tools/networking/opensnitch/daemon.nix b/pkgs/tools/networking/opensnitch/daemon.nix index e636950cd98..25b42066419 100644 --- a/pkgs/tools/networking/opensnitch/daemon.nix +++ b/pkgs/tools/networking/opensnitch/daemon.nix @@ -48,7 +48,12 @@ buildGoModule rec { postBuild = '' mv $GOPATH/bin/daemon $GOPATH/bin/opensnitchd - mkdir -p $out/lib/systemd/system + mkdir -p $out/etc/opensnitchd $out/lib/systemd/system + cp system-fw.json $out/etc/opensnitchd/ + substitute default-config.json $out/etc/default-config.json \ + --replace "/var/log/opensnitchd.log" "/dev/stdout" \ + --replace "iptables" "nftables" \ + --replace "ebpf" "proc" substitute opensnitchd.service $out/lib/systemd/system/opensnitchd.service \ --replace "/usr/local/bin/opensnitchd" "$out/bin/opensnitchd" \ --replace "/etc/opensnitchd/rules" "/var/lib/opensnitch/rules" \ -- cgit 1.4.1 From 236a731da065014c4fb314566d31bf96da4ae759 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 9 Mar 2022 14:47:20 +0100 Subject: nixos/tor: admit newlines in secret key --- nixos/modules/services/security/tor.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nixos/modules/services/security') diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index cafb44e1242..3bf70c4aa4f 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix 
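Review bot: The default for `services.opensnitch.settings` is built with `builtins.readFile "${pkgs.opensnitch}/etc/default-config.json"`, which is import-from-derivation: evaluating any configuration with `services.opensnitch.enable = true` now requires `pkgs.opensnitch` to be built or substituted before evaluation can finish, and `builtins.unsafeDiscardStringContext` hides that dependency from store-path tracking; the comment above that line should state this, e.g. `# IFD: the option defaults are read from the built package at evaluation time`, so it reads as a deliberate trade-off. Two smaller points in the option definitions: the `InterceptUnknown` description has a typo (`Wheter` should be `Whether`), and `Server.Address` presents a TCP listener as an alternative to the Unix socket without saying that a TCP address exposes the daemon/GUI channel to anything that can reach that address, so the description should recommend the Unix socket unless the network is trusted. `Server.Address` and `Server.LogFile` also carry no `default`; the effective values come from the package via the freeform assignment, so the rendered option documentation does not show what they are.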
@@ -962,7 +962,7 @@ in '') onion.authorizedClients ++ optional (onion.secretKey != null) '' install -d -o tor -g tor -m 0700 ${escapeShellArg onion.path} - key="$(cut -f1 -d: ${escapeShellArg onion.secretKey})" + key="$(cut -f1 -d: ${escapeShellArg onion.secretKey} | head -1)" case "$key" in ("== ed25519v"*"-secret") install -o tor -g tor -m 0400 ${escapeShellArg onion.secretKey} ${escapeShellArg onion.path}/hs_ed25519_secret_key;; -- cgit 1.4.1 From 3c63da7cf87473423a8138a82fbec59b9684d1c6 Mon Sep 17 00:00:00 2001 From: Luflosi Date: Wed, 23 Feb 2022 21:57:05 +0100 Subject: nixos/tor: allow tor to read resolv.conf when using resolved When `services.resolved.enable` is set to true, the file /etc/resolv.conf becomes a symlink to /etc/static/resolv.conf, which is a symlink to /run/systemd/resolve/stub-resolv.conf. Without this commit, tor does not have access to this file thanks to systemd confinement. This results in the following warning when tor starts: ``` [warn] Unable to stat resolver configuration in '/etc/resolv.conf': No such file or directory [warn] Could not read your DNS config from '/etc/resolv.conf' - please investigate your DNS configuration. This is possibly a problem. Meanwhile, falling back to local DNS at 127.0.0.1. ``` To fix this, simply allow read-only access to the file when resolved is in use. According to https://github.com/NixOS/nixpkgs/pull/161818#discussion_r824820462, the symlink may also point to /run/systemd/resolve/resolv.conf, so allow that as well. --- nixos/modules/services/security/tor.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'nixos/modules/services/security') diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 3bf70c4aa4f..ddd216ca7fd 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix 
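Review bot: `head -1` is the obsolescent form; POSIX specifies `head -n 1`, so the line would be `key="$(cut -f1 -d: ${escapeShellArg onion.secretKey} | head -n 1)"`. Placing `head -n 1` before `cut` would also avoid piping the whole key file through `cut`, although only the first field of the first line ends up in `$key` either way. The `case` that consumes `$key` continues outside the hunk.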
@@ -1008,7 +1008,11 @@ in #InaccessiblePaths = [ "-+${runDir}/root" ]; UMask = "0066"; BindPaths = [ stateDir ]; - BindReadOnlyPaths = [ storeDir "/etc" ]; + BindReadOnlyPaths = [ storeDir "/etc" ] ++ + optionals config.services.resolved.enable [ + "/run/systemd/resolve/stub-resolv.conf" + "/run/systemd/resolve/resolv.conf" + ]; AmbientCapabilities = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE"; CapabilityBoundingSet = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE"; # ProtectClock= adds DeviceAllow=char-rtc r -- cgit 1.4.1 From 1b34039b5f1c3bfa6a9b1f7bd78ab3adecbe2a75 Mon Sep 17 00:00:00 2001 From: Luflosi Date: Sat, 5 Mar 2022 13:25:02 +0100 Subject: nixos/tor: fix services.tor.client.enable = false not working If `services.tor.client.enable` is set to false (the default), the `SOCKSPort` option is not added to the torrc file but since Tor defaults to listening on port 9050 when the option is not specified, the tor client is not actually disabled. To fix this, simply set `SOCKSPort` to 0, which disables the client. Use `mkForce` to prevent potentially two different `SOCKSPort` options in the torrc file, with one of them being 0 as this would cause Tor to fail to start. When `services.tor.client.enable` is set to false, this should always be disabled. --- nixos/doc/manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++ nixos/doc/manual/release-notes/rl-2205.section.md | 2 ++ nixos/modules/services/security/tor.nix | 5 +++++ 3 files changed, 17 insertions(+) (limited to 'nixos/modules/services/security') diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 396de8cd77c..ae9067c923e 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
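Review bot: The two resolved paths are added to `BindReadOnlyPaths` without the `-` prefix, so if `/run/systemd/resolve/stub-resolv.conf` or `/run/systemd/resolve/resolv.conf` does not exist when tor starts (resolved not yet up, or the stub file absent), systemd fails the mount namespace setup and the unit does not start. Prefixing them as `"-/run/systemd/resolve/stub-resolv.conf"` and `"-/run/systemd/resolve/resolv.conf"` makes a missing file non-fatal. Ordering the unit `after = [ "systemd-resolved.service" ];` would also be worth checking if it is not already done elsewhere in the module; the unit definition continues outside the hunk.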
@@ -792,6 +792,16 @@ systemd.nspawn.<name>.execConfig.PrivateUsers = false + + + The Tor SOCKS proxy is now actually disabled if + services.tor.client.enable is set to + false (the default). If you are using this + functionality but didn’t change the setting or set it to + false, you now need to set it to + true. + + The terraform 0.12 compatibility has been removed and the diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 2f730de737c..ad9020f1544 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -307,6 +307,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `systemd-nspawn@.service` settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to set `systemd.nspawn..execConfig.PrivateUsers = false` +- The Tor SOCKS proxy is now actually disabled if `services.tor.client.enable` is set to `false` (the default). If you are using this functionality but didn't change the setting or set it to `false`, you now need to set it to `true`. + - The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under `$out/libexec/terraform-providers/////_/terraform-provider-_v` (which mkProvider does). diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index ddd216ca7fd..a5822c02794 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix 
@@ -910,6 +910,11 @@ in ORPort = mkForce []; PublishServerDescriptor = mkForce false; }) + (mkIf (!cfg.client.enable) { + # Make sure application connections via SOCKS are disabled + # when services.tor.client.enable is false + SOCKSPort = mkForce [ 0 ]; + }) (mkIf cfg.client.enable ( { SOCKSPort = [ cfg.client.socksListenAddress ]; } // optionalAttrs cfg.client.transparentProxy.enable { -- cgit 1.4.1 From 81b63b6ef6f2e7e2d9adea64d744d1975e6b8860 Mon Sep 17 00:00:00 2001 From: Benjamin Staffin Date: Sun, 20 Mar 2022 13:31:43 -0400 Subject: nixos/oauth2_proxy: add missing oidc providers (#164632) - Add adfs and keycloak-oidc providrs - Sort the list alphabetically --- nixos/modules/services/security/oauth2_proxy.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'nixos/modules/services/security') diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix index 4d356242417..ce295bd4ba3 100644 --- a/nixos/modules/services/security/oauth2_proxy.nix +++ b/nixos/modules/services/security/oauth2_proxy.nix @@ -102,17 +102,19 @@ in # Taken from: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/providers/providers.go provider = mkOption { type = types.enum [ - "google" + "adfs" "azure" + "bitbucket" + "digitalocean" "facebook" "github" - "keycloak" "gitlab" + "google" + "keycloak" + "keycloak-oidc" "linkedin" "login.gov" - "bitbucket" "nextcloud" - "digitalocean" "oidc" ]; default = "google"; -- cgit 1.4.1
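Review bot: `SOCKSPort = mkForce [ 0 ];` silently discards any `SOCKSPort` a user set through the settings option while `services.tor.client.enable` is false; that is the intended behaviour per the commit message, but it is only visible in the release note. A module-level warning when a user-provided `SOCKSPort` is being overridden would make the interaction discoverable at evaluation time; I cannot see from the hunk how the settings attrset is named, so I am not quoting code. The existing comment could additionally say that the override is deliberate and that enabling the client is the supported way to get a SOCKS listener.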