public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge release-21.05 into staging-next-21.05

This commit is contained in:
github-actions[bot] 2021-08-09 18:02:12 +00:00 committed by GitHub
parent 7d8133e751 b09c989b82
commit ab6e8b0faa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 157 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
nixos/modules/security/acme.nix
View File

@ -46,6 +46,7 @@ let
serviceConfig = commonServiceConfig // { serviceConfig = commonServiceConfig // {
StateDirectory = "acme/.minica"; StateDirectory = "acme/.minica";
BindPaths = "/var/lib/acme/.minica:/tmp/ca"; BindPaths = "/var/lib/acme/.minica:/tmp/ca";
UMask = 0077;
}; };
# Working directory will be /tmp # Working directory will be /tmp
@ -54,8 +55,6 @@ let
--ca-key ca/key.pem \ --ca-key ca/key.pem \
--ca-cert ca/cert.pem \ --ca-cert ca/cert.pem \
--domains selfsigned.local --domains selfsigned.local
chmod 600 ca/*
''; '';
}; };
@ -196,6 +195,7 @@ let
serviceConfig = commonServiceConfig // { serviceConfig = commonServiceConfig // {
Group = data.group; Group = data.group;
UMask = 0027;
StateDirectory = "acme/${cert}"; StateDirectory = "acme/${cert}";
@ -220,10 +220,12 @@ let
cat cert.pem chain.pem > fullchain.pem cat cert.pem chain.pem > fullchain.pem
cat key.pem fullchain.pem > full.pem cat key.pem fullchain.pem > full.pem
chmod 640 *
# Group might change between runs, re-apply it # Group might change between runs, re-apply it
chown 'acme:${data.group}' * chown 'acme:${data.group}' *
# Default permissions make the files unreadable by group + anon
# Need to be readable by group
chmod 640 *
''; '';
}; };
@ -340,8 +342,6 @@ let
fi fi
mv domainhash.txt certificates/ mv domainhash.txt certificates/
chmod 640 certificates/*
chmod -R u=rwX,g=,o= accounts/*
# Group might change between runs, re-apply it # Group might change between runs, re-apply it
chown 'acme:${data.group}' certificates/* chown 'acme:${data.group}' certificates/*
@ -357,6 +357,10 @@ let
ln -sf fullchain.pem out/cert.pem ln -sf fullchain.pem out/cert.pem
cat out/key.pem out/fullchain.pem > out/full.pem cat out/key.pem out/fullchain.pem > out/full.pem
fi fi
# By default group will have no access to the cert files.
# This chmod will fix that.
chmod 640 out/*
''; '';
}; };
}; };

24
nixos/tests/acme.nix
View File

@ -330,30 +330,38 @@ in import ./make-test-python.nix ({ lib, ... }: {
with subtest("Can request certificate with HTTPS-01 challenge"): with subtest("Can request certificate with HTTPS-01 challenge"):
webserver.wait_for_unit("acme-finished-a.example.test.target") webserver.wait_for_unit("acme-finished-a.example.test.target")
check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "pebble")
check_connection(client, "a.example.test")
with subtest("Certificates and accounts have safe + valid permissions"): with subtest("Certificates and accounts have safe + valid permissions"):
group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}" group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}"
webserver.succeed( webserver.succeed(
f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
) )
webserver.succeed( webserver.succeed(
f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/.lego/a.example.test/**/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" f"test $(stat -L -c '%a %U %G' /var/lib/acme/.lego/a.example.test/**/a.example.test* | tee /dev/stderr | grep '600 acme {group}' | wc -l) -eq 4"
) )
webserver.succeed( webserver.succeed(
f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1" f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1"
) )
webserver.succeed( webserver.succeed(
f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c \"%a %U %G\" {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0" f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c '%a %U %G' {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"
) )
with subtest("Certs are accepted by web server"):
webserver.succeed("systemctl start nginx.service")
check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "pebble")
check_connection(client, "a.example.test")
# Selfsigned certs tests happen late so we aren't fighting the system init triggering cert renewal
with subtest("Can generate valid selfsigned certs"): with subtest("Can generate valid selfsigned certs"):
webserver.succeed("systemctl clean acme-a.example.test.service --what=state") webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
webserver.succeed("systemctl start acme-selfsigned-a.example.test.service") webserver.succeed("systemctl start acme-selfsigned-a.example.test.service")
check_fullchain(webserver, "a.example.test") check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "minica") check_issuer(webserver, "a.example.test", "minica")
# Check selfsigned permissions
webserver.succeed(
f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
)
# Will succeed if nginx can load the certs # Will succeed if nginx can load the certs
webserver.succeed("systemctl start nginx-config-reload.service") webserver.succeed("systemctl start nginx-config-reload.service")
@ -376,6 +384,8 @@ in import ./make-test-python.nix ({ lib, ... }: {
webserver.wait_for_unit("acme-finished-a.example.test.target") webserver.wait_for_unit("acme-finished-a.example.test.target")
check_connection_key_bits(client, "a.example.test", "384") check_connection_key_bits(client, "a.example.test", "384")
webserver.succeed("grep testing /var/lib/acme/a.example.test/test") webserver.succeed("grep testing /var/lib/acme/a.example.test/test")
# Clean to remove the testing file (and anything else messy we did)
webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
with subtest("Correctly implements OCSP stapling"): with subtest("Correctly implements OCSP stapling"):
switch_to(webserver, "ocsp-stapling") switch_to(webserver, "ocsp-stapling")

112
pkgs/applications/networking/cluster/nomad-autoscaler/default.nix Normal file
View File

@ -0,0 +1,112 @@
{ lib, fetchFromGitHub, buildGoModule, go, removeReferencesTo, buildEnv }:
let
package = buildGoModule rec {
pname = "nomad-autoscaler";
version = "0.3.3";
outputs = [
"out"
"bin"
"aws_asg"
"azure_vmss"
"datadog"
"fixed_value"
"gce_mig"
"nomad_apm"
"nomad_target"
"pass_through"
"prometheus"
"target_value"
"threshold"
];
src = fetchFromGitHub {
owner = "hashicorp";
repo = "nomad-autoscaler";
rev = "v${version}";
sha256 = "sha256-bN/U6aCf33B88ouQwTGG8CqARzWmIvXNr5JPr3l8cVI=";
};
vendorSha256 = "sha256-Ls8gkfLyxfQD8krvxjAPnZhf1r1s2MhtQfMMfp8hJII=";
subPackages = [ "." ];
nativeBuildInputs = [ removeReferencesTo ];
# buildGoModule overrides normal buildPhase, can't use makeTargets
postBuild = ''
make build plugins
'';
# tries to pull tests from network, and fails silently anyway
doCheck = false;
postInstall = ''
mkdir -p $bin/bin
mv $out/bin/nomad-autoscaler $bin/bin/nomad-autoscaler
ln -s $bin/bin/nomad-autoscaler $out/bin/nomad-autoscaler
for d in $outputs; do
mkdir -p ''${!d}/share
done
rmdir $bin/share
# have out contain all of the plugins
for plugin in bin/plugins/*; do
remove-references-to -t ${go} "$plugin"
cp "$plugin" $out/share/
done
# populate the outputs as individual plugins
# can't think of a more generic way to handle this
# bash doesn't allow for dashes '-' to be in a variable name
# this means that the output names will need to differ slightly from the binary
mv bin/plugins/aws-asg $aws_asg/share/
mv bin/plugins/azure-vmss $azure_vmss/share/
mv bin/plugins/datadog $datadog/share/
mv bin/plugins/fixed-value $fixed_value/share/
mv bin/plugins/gce-mig $gce_mig/share/
mv bin/plugins/nomad-apm $nomad_apm/share/
mv bin/plugins/nomad-target $nomad_target/share/
mv bin/plugins/pass-through $pass_through/share/
mv bin/plugins/prometheus $prometheus/share/
mv bin/plugins/target-value $target_value/share/
mv bin/plugins/threshold $threshold/share/
'';
# make toggle-able, so that overrided versions can disable this check if
# they want newer versions of the plugins without having to modify
# the output logic
doInstallCheck = true;
installCheckPhase = ''
rmdir bin/plugins || {
echo "Not all plugins were extracted"
echo "Please move the following to their related output: $(ls bin/plugins)"
exit 1
}
'';
passthru = {
inherit plugins withPlugins;
};
meta = with lib; {
description = "Autoscaling daemon for Nomad";
homepage = "https://github.com/hashicorp/nomad-autoscaler";
license = licenses.mpl20;
maintainers = with maintainers; [ jonringer ];
};
};
plugins = let
plugins = builtins.filter (n: !(lib.elem n [ "out" "bin" ])) package.outputs;
in lib.genAttrs plugins (output: package.${output});
# Intended to be used as: (nomad-autoscaler.withPlugins (ps: [ ps.aws_asg ps.nomad_target ])
withPlugins = f: buildEnv {
name = "nomad-autoscaler-env";
paths = [ package.bin ] ++ f plugins;
};
in
package

15
pkgs/development/libraries/wolfssl/default.nix
View File

@ -1,4 +1,4 @@
{ lib, stdenv, fetchFromGitHub, autoreconfHook }: { lib, stdenv, fetchFromGitHub, fetchpatch, autoreconfHook }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "wolfssl"; pname = "wolfssl";
@ -11,6 +11,19 @@ stdenv.mkDerivation rec {
sha256 = "1aa51j0xnhi49izc8djya68l70jkjv25559pgybfb9sa4fa4gz97"; sha256 = "1aa51j0xnhi49izc8djya68l70jkjv25559pgybfb9sa4fa4gz97";
}; };
patches = [
(fetchpatch {
name = "CVE-2021-37155.part-1.patch";
url = "https://github.com/wolfSSL/wolfssl/commit/73076940af8904f98eee085994c176fe1876b95a.patch";
sha256 = "1fdg6c49njhxn6yljpqrhrv2s6ci6hyw01xjs42s09ly3xvf2fcx";
})
(fetchpatch {
name = "CVE-2021-37155.part-2.patch";
url = "https://github.com/wolfSSL/wolfssl/commit/822aa92fccf77558e250131c1c6e9bb84d07afe8.patch";
sha256 = "1n7774hy9ybbxmg8dldqnhw279k7fkxwvw1s2mjjhkzra9w5x2zy";
})
];
# almost same as Debian but for now using --enable-all --enable-reproducible-build instead of --enable-distro to ensure options.h gets installed # almost same as Debian but for now using --enable-all --enable-reproducible-build instead of --enable-distro to ensure options.h gets installed
configureFlags = [ "--enable-all" "--enable-reproducible-build" "--enable-pkcs11" "--enable-tls13" "--enable-base64encode" ]; configureFlags = [ "--enable-all" "--enable-reproducible-build" "--enable-pkcs11" "--enable-tls13" "--enable-base64encode" ];

4
pkgs/tools/security/tor/default.nix
View File

@ -30,11 +30,11 @@ let
in in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "tor"; pname = "tor";
version = "0.4.5.7"; version = "0.4.5.9";
src = fetchurl { src = fetchurl {
url = "https://dist.torproject.org/${pname}-${version}.tar.gz"; url = "https://dist.torproject.org/${pname}-${version}.tar.gz";
sha256 = "0x7hhl0svfc4yh9xvq7kkzgmwjcw1ak9i0794wjg4biy2fmclzs4"; sha256 = "0mh8yz6l7sl6kh9max76nk6rhlsq2lhwwvpiwlwnrlif21bf817k";
}; };
outputs = [ "out" "geoip" ]; outputs = [ "out" "geoip" ];

2
pkgs/top-level/all-packages.nix
View File

@ -7130,6 +7130,8 @@ in
nvidiaGpuSupport = config.cudaSupport or false; nvidiaGpuSupport = config.cudaSupport or false;
}; };
nomad-autoscaler = callPackage ../applications/networking/cluster/nomad-autoscaler { };
nomad-driver-podman = callPackage ../applications/networking/cluster/nomad-driver-podman { }; nomad-driver-podman = callPackage ../applications/networking/cluster/nomad-driver-podman { };
notable = callPackage ../applications/misc/notable { }; notable = callPackage ../applications/misc/notable { };