public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
173,796 Commits 1 Branch 0 Tags
12446a80329ba0ff833ea94de22daf274e52ae2c
Commit Graph

423 Commits

Author SHA1 Message Date
Parnell Springmeyer
4aa0923009 Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00
Parnell Springmeyer
af3b9a3d46 More wibbles? 2017-01-29 01:41:39 -06:00
Parnell Springmeyer
48564d1ae5 Another wibble 2017-01-29 01:31:33 -06:00
Parnell Springmeyer
5077699605 Derp derp 2017-01-29 01:27:11 -06:00
Parnell Springmeyer
0707a3eaa2 Qualify with lib 2017-01-29 01:23:10 -06:00
Parnell Springmeyer
8e159b9d1e Qualify mkOption with lib 2017-01-29 01:22:47 -06:00
Parnell Springmeyer
70ec24093c Removing dead code 2017-01-29 01:22:19 -06:00
Parnell Springmeyer
82de4c0fad setcap-wrapper: Syntax wibble 2017-01-29 01:20:02 -06:00
Parnell Springmeyer
7680a40a37 setcap-wrapper: Syntax wibble 2017-01-29 01:16:04 -06:00
Parnell Springmeyer
2f113ee90a setcap-wrapper: Minor refactor 2017-01-29 01:08:36 -06:00
Parnell Springmeyer
3fe7b1a4c9 setcap-wrapper: Addressing more PR feedback, unifying drvs, and cleaning up a bit 2017-01-29 01:07:12 -06:00
Parnell Springmeyer
e92b8402b0 Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer
9de070e620 Setuid wrapper should not be constrained to a specific linux kernel version 2017-01-26 09:39:37 -08:00
Parnell Springmeyer
01e6b82f3f Removing dead code 2017-01-26 09:20:15 -08:00
Parnell Springmeyer
189a0c2579 Wrap with quotes as-per GCC's recommendation 2017-01-26 02:07:36 -08:00
Parnell Springmeyer
c30cf645f8 Make setting of the wrapper macros a compile-time error 2017-01-26 02:06:24 -08:00
Parnell Springmeyer
a26a796d5c Merging against master - updating smokingpig, rebase was going to be messy 2017-01-26 02:00:04 -08:00
Parnell Springmeyer
ad8fde5e5d Andddd more derp 2017-01-26 01:33:25 -08:00
Parnell Springmeyer
ce36b58e21 Derp 2017-01-26 01:31:49 -08:00
Parnell Springmeyer
f64b06a3e0 Hmmm 2017-01-26 01:13:19 -08:00
Parnell Springmeyer
fd974085bf It's clearly quite late 2017-01-26 01:04:12 -08:00
Parnell Springmeyer
61fe8de40c Silly, should just have one activation script 2017-01-26 01:03:18 -08:00
Parnell Springmeyer
48a0c5a3a7 More fixing 2017-01-26 01:00:46 -08:00
Parnell Springmeyer
21368c4c67 Hmm, unnecessary 2017-01-26 00:58:44 -08:00
Parnell Springmeyer
a4f905afc2 Enhhh I think compile time macros are gross 2017-01-26 00:41:00 -08:00
Parnell Springmeyer
785684f6c2 Ahhh, my compile-time macros confused me...of course they did... 2017-01-26 00:39:17 -08:00
Parnell Springmeyer
1ad541171e Hmm 2017-01-26 00:36:35 -08:00
Parnell Springmeyer
e8bec4c75f Implicit declared function... 2017-01-26 00:35:01 -08:00
Parnell Springmeyer
a20e65724b Fixing 2017-01-26 00:32:59 -08:00
Parnell Springmeyer
025555d7f1 More fixes and improvements 2017-01-26 00:05:40 -08:00
Parnell Springmeyer
bae00e8aa8 setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Franz Pletz
516760a6fb nixos/acme: add random delay to timer 
This way we behave like good citizens and won't overload Let's Encrypt
with lots of cert renewal requests at the same time.
 2017-01-25 19:15:04 +01:00
Jörg Thalheim
30a554acfb apparmor: support for lxc profiles 2017-01-10 23:01:03 +01:00
teh
a878365b77 nixos docs: update for Nginx + ACME (#21320) 
Closes #20698.
 2017-01-09 06:39:10 +01:00
Alexander Kahl
61d125b842 sssd: init at 1.14.2 
perlPackages.TextWrapI18N: init at 0.06
perlPackages.Po4a: init at 0.47
jade: init at 1.2.1
ding-libs: init at 0.6.0

Switch nscd to no-caching mode if SSSD is enabled.

abbradar: disable jade parallel building.

Closes #21150
 2017-01-04 03:07:20 +03:00
Joachim Fasting
f39d13cd3e grsecurity doc: describe work-around for gitlab 
Fixes https://github.com/NixOS/nixpkgs/issues/20959
 2016-12-08 11:59:57 +01:00
Joachim Fasting
984d9ebb56 hidepid: polkit and systemd-logind compatibility 
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.

systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.

Fixes https://github.com/NixOS/nixpkgs/issues/20948
 2016-12-07 01:12:05 +01:00
Joachim Fasting
0e765c72e5 grsecurity: enable module hardening 2016-12-06 01:23:58 +01:00
Joachim Fasting
31d79afbe5 grsecurity docs: note that pax_sanitize_slab defaults to fast 2016-12-06 01:23:51 +01:00
Joachim Fasting
071fbcda24 grsecurity: enable optional sysfs restrictions 
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
 2016-12-06 01:23:36 +01:00
Joachim Fasting
8c1f5afdf3 grsecurity: delay toggling of sysctls until system is up 
We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
 2016-12-06 01:22:53 +01:00
Domen Kožar
75f131da02 acme: ensure nginx challenges directory is writeable 2016-11-29 15:56:01 +01:00
Joachim Fasting
e99228db30 grsecurity module: force a known good kernel package set 
Previously, we would only set a default value, on the theory that
`boot.kernelPackages` could be used to sanely configure a custom grsec
kernel.  Regrettably, this is not the case and users who expect e.g.,
`boot.kernelPackages = pkgs.linuxPackages_latest` to work will end up
with a non-grsec kernel (this problem has come up twice on the bug
tracker recently).

With this patch, `security.grsecurity.enable = true` implies
`boot.kernelPackages = linuxPackages_grsec_nixos` and any customization
must be done via package override or by eschewing the module.
 2016-11-28 12:11:04 +01:00
Joachim Fasting
2eb6ec1bc4 grsecurity module: remove code pertaining to zfs 
I don't know if it still the case that zfs fails to boot; either way,
that's the user's responsibility to contend with.
 2016-11-20 23:01:22 +01:00
Joachim Fasting
98935c7103 grsecurity module: remove requiredKernelConfig 
Using a custom package set with the NixOS module is no longer
something I wish to support.  It's still *possible* but not
advertised.  Secondly, the requiredKernelConfig didn't really
do anything (setting kernelPackages to a non-grsec kernel would
just silently let the user boot into a non-grsec setup ...).
 2016-11-20 23:00:41 +01:00
Joachim Fasting
5ad8a56d16 grsecurity module: remove use of mkEnableOption 2016-11-20 23:00:24 +01:00
Eric Sagnes
9513ab45aa duosec module: use enum 2016-11-16 22:36:05 +09:00
Eric Sagnes
e5b7975fe3 acme module: certs option loaOf -> attrsOf 2016-11-16 16:28:27 +09:00
Timofei Kushnir
faa6f9b6b3 grsecurity: fix 'isYes' and 'isNo' 2016-10-29 14:26:06 +03:00
Domen Kožar
41c490b75e acme: we do want to support ipv4 afterall 2016-10-21 13:25:11 +02:00