Diffstat (limited to 'infra/libkookie/nixpkgs/nixos/modules/security')
6 files changed, 76 insertions, 8 deletions
diff --git a/infra/libkookie/nixpkgs/nixos/modules/security/acme.nix b/infra/libkookie/nixpkgs/nixos/modules/security/acme.nix index 5732620f2908..47f6bead7c3e 100644 --- a/infra/libkookie/nixpkgs/nixos/modules/security/acme.nix +++ b/infra/libkookie/nixpkgs/nixos/modules/security/acme.nix @@ -63,7 +63,7 @@ let script = with builtins; concatStringsSep "\n" (mapAttrsToList (cert: data: '' for fixpath in /var/lib/acme/${escapeShellArg cert} /var/lib/acme/.lego/${escapeShellArg cert}; do if [ -d "$fixpath" ]; then - chmod -R 750 "$fixpath" + chmod -R u=rwX,g=rX,o= "$fixpath" chown -R acme:${data.group} "$fixpath" fi done @@ -271,7 +271,7 @@ let mv domainhash.txt certificates/ chmod 640 certificates/* - chmod -R 700 accounts/* + chmod -R u=rwX,g=,o= accounts/* # Group might change between runs, re-apply it chown 'acme:${data.group}' certificates/* diff --git a/infra/libkookie/nixpkgs/nixos/modules/security/doas.nix b/infra/libkookie/nixpkgs/nixos/modules/security/doas.nix index b81f2d0c2d52..27f6870aaf37 100644 --- a/infra/libkookie/nixpkgs/nixos/modules/security/doas.nix +++ b/infra/libkookie/nixpkgs/nixos/modules/security/doas.nix @@ -12,6 +12,7 @@ let mkOpts = rule: concatStringsSep " " [ (optionalString rule.noPass "nopass") + (optionalString rule.noLog "nolog") (optionalString rule.persist "persist") (optionalString rule.keepEnv "keepenv") "setenv { SSH_AUTH_SOCK ${concatStringsSep " " rule.setEnv} }" @@ -118,6 +119,16 @@ in ''; }; + noLog = mkOption { + type = with types; bool; + default = false; + description = '' + If <code>true</code>, successful executions will not be logged + to + <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry>. + ''; + }; + persist = mkOption { type = with types; bool; default = false; diff --git a/infra/libkookie/nixpkgs/nixos/modules/security/hidepid.nix b/infra/libkookie/nixpkgs/nixos/modules/security/hidepid.nix index 55a48ea3c9c6..4953f517e93b 100644 
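Review bot: The fixup loop's `chmod -R u=rwX,g=rX,o= "$fixpath"` grants `${data.group}` read access to everything under `/var/lib/acme/.lego/<cert>`, while the second acme hunk (@@ -271) deliberately restricts `accounts/*` to the owner with `u=rwX,g=,o=`; if the `accounts/` directory that hunk touches lives inside that `.lego/<cert>` tree (the `mv domainhash.txt certificates/` in the same working directory suggests it does), the fixup pass re-exposes the account private key to the group on its next run. Consider tightening the account subtree after the recursive grant, e.g. `if [ -d "$fixpath/accounts" ]; then chmod -R u=rwX,g=,o= "$fixpath/accounts"; fi`, so both hunks agree on who may read account material. The `mapAttrsToList` string the loop sits in continues outside the hunk.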
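Review bot: The `noLog` description (doas hunk @@ -118) says what the flag does to syslog but not what a reviewer of the rules needs to know: it removes the only record of successful privilege elevation for matching rules, so a rule with `noLog = true` is invisible to log-based detection. Suggest appending to the description: `This removes the audit trail for successful elevations; failed attempts are still logged.` (the second half as doas.conf(5) describes `nolog`, worth confirming against the OpenDoas build in use). The `mkOpts` helper in the first doas hunk (@@ -12) is consistent with the existing `nopass`/`persist` handling and needs no change.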
--- a/infra/libkookie/nixpkgs/nixos/modules/security/hidepid.nix +++ b/infra/libkookie/nixpkgs/nixos/modules/security/hidepid.nix @@ -23,5 +23,9 @@ with lib; boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ]; systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ]; + + # Disable cgroupsv2, which doesn't work with hidepid. + # https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203 + systemd.enableUnifiedCgroupHierarchy = false; }; } diff --git a/infra/libkookie/nixpkgs/nixos/modules/security/pam.nix b/infra/libkookie/nixpkgs/nixos/modules/security/pam.nix index a20d0a243a8e..a428103eaa96 100644 --- a/infra/libkookie/nixpkgs/nixos/modules/security/pam.nix +++ b/infra/libkookie/nixpkgs/nixos/modules/security/pam.nix @@ -318,6 +318,42 @@ let ''; }; + gnupg = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, pam_gnupg will attempt to automatically unlock the + user's GPG keys with the login password via + <command>gpg-agent</command>. The keygrips of all keys to be + unlocked should be written to <filename>~/.pam-gnupg</filename>, + and can be queried with <command>gpg -K --with-keygrip</command>. + Presetting passphrases must be enabled by adding + <literal>allow-preset-passphrase</literal> in + <filename>~/.gnupg/gpg-agent.conf</filename>. + ''; + }; + + noAutostart = mkOption { + type = types.bool; + default = false; + description = '' + Don't start <command>gpg-agent</command> if it is not running. + Useful in conjunction with starting <command>gpg-agent</command> as + a systemd user service. + ''; + }; + + storeOnly = mkOption { + type = types.bool; + default = false; + description = '' + Don't send the password immediately after login, but store for PAM + <literal>session</literal>. + ''; + }; + }; + text = mkOption { type = types.nullOr types.lines; description = "Contents of the PAM service file."; 
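Review bot: `systemd.enableUnifiedCgroupHierarchy = false;` is set as a plain value inside the hidepid config block, so enabling `security.hideProcessInformation` now switches the whole system to the legacy cgroup hierarchy without any mention in the option's description, and any other definition setting it to `true` fails with a generic conflicting-definitions error that never names hidepid as the cause. The comment explains the why, but it lives at the assignment, not where a user reads before enabling the option. Suggest adding to the `security.hideProcessInformation` option description (defined earlier in this file, outside the hunk): `Enabling this also disables the unified cgroup hierarchy (cgroup v2), which is incompatible with hidepid.` The enclosing config attribute set starts before the hunk.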
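Review bot: The `storeOnly` and `noAutostart` descriptions in the pam.nix hunk (@@ -318) do not say that they have no effect unless `gnupg.enable` is also set, which is how the later hunks (@@ -397 and @@ -472) wire them up: both the `auth` and the `session` lines are wrapped in `optionalString cfg.gnupg.enable`. Suggest adding to each of the two descriptions: `Only has an effect when the <literal>gnupg.enable</literal> option of this service is set.` The `enable` description could also name the consequence of its mechanism in one clause, e.g. `The login password is handed to pam_gnupg and kept in memory until it is passed to gpg-agent.`, so that an administrator choosing this over a separate GPG passphrase knows what is being shared. The surrounding options attribute set begins outside the hunk.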
@@ -360,7 +396,7 @@ let ${optionalString cfg.logFailures "auth required pam_tally.so"} ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) - "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} + "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"} ${optionalString cfg.fprintAuth "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth @@ -386,6 +422,7 @@ let || cfg.enableKwallet || cfg.enableGnomeKeyring || cfg.googleAuthenticator.enable + || cfg.gnupg.enable || cfg.duoSecurity.enable)) '' auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth ${optionalString config.security.pam.enableEcryptfs @@ -397,6 +434,10 @@ let " kwalletd=${pkgs.kdeFrameworks.kwallet.bin}/bin/kwalletd5")} ${optionalString cfg.enableGnomeKeyring "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"} + ${optionalString cfg.gnupg.enable + "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + + optionalString cfg.gnupg.storeOnly " store-only" + } ${optionalString cfg.googleAuthenticator.enable "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"} ${optionalString cfg.duoSecurity.enable 
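Review bot: The `file=` argument is now derived from `config.services.openssh.authorizedKeysFiles`, which silently couples local agent authentication (sudo, login) to the sshd configuration: if that list is ever empty the module line ends in a bare `file=`, whose handling by pam_ssh_agent_auth (presumably its compiled-in default) is not stated here, and any path an administrator adds to the sshd list becomes a trust anchor for local authentication as well. Suggest documenting this on `security.pam.enableSSHAgentAuth` (defined outside the hunk) and guarding the empty case, e.g. `${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth && config.services.openssh.authorizedKeysFiles != [])`. It is also worth confirming that every token pattern the openssh option may carry (`%h`, `%u`) is one pam_ssh_agent_auth expands. The `''` string this line belongs to continues on both sides of the hunk.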
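Review bot: In the added `${optionalString cfg.gnupg.enable "auth optional …/pam_gnupg.so" + optionalString cfg.gnupg.storeOnly " store-only"}` (hunk @@ -397), function application binds tighter than `+`, so the expression parses as `(optionalString cfg.gnupg.enable "…") + (optionalString cfg.gnupg.storeOnly " store-only")`; with `gnupg.enable = false` and `gnupg.storeOnly = true` the generated PAM service file gets a line containing only `store-only`, which Linux-PAM treats as a malformed entry and, as far as I recall its parser, replaces with a failing handler for that stack. The same shape recurs in hunk @@ -472 with `noAutostart` on the `session` line. Parenthesize the inner concatenation in both places: `${optionalString cfg.gnupg.enable ("auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + optionalString cfg.gnupg.storeOnly " store-only")}`. The enclosing `''` string starts and ends outside the hunk.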
@@ -472,6 +513,10 @@ let " kwalletd=${pkgs.kdeFrameworks.kwallet.bin}/bin/kwalletd5")} ${optionalString (cfg.enableGnomeKeyring) "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} + ${optionalString cfg.gnupg.enable + "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" + + optionalString cfg.gnupg.noAutostart " no-autostart" + } ${optionalString (config.virtualisation.lxc.lxcfs.enable) "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"} ''); diff --git a/infra/libkookie/nixpkgs/nixos/modules/security/pam_mount.nix b/infra/libkookie/nixpkgs/nixos/modules/security/pam_mount.nix index 77e22a96b553..9a0143c155c5 100644 --- a/infra/libkookie/nixpkgs/nixos/modules/security/pam_mount.nix +++ b/infra/libkookie/nixpkgs/nixos/modules/security/pam_mount.nix @@ -39,8 +39,16 @@ in environment.etc."security/pam_mount.conf.xml" = { source = let - extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null) config.users.users; - userVolumeEntry = user: "<volume user=\"${user.name}\" path=\"${user.cryptHomeLuks}\" mountpoint=\"${user.home}\" />\n"; + extraUserVolumes = filterAttrs (n: u: u.cryptHomeLuks != null || u.pamMount != {}) config.users.users; + mkAttr = k: v: ''${k}="${v}"''; + userVolumeEntry = user: let + attrs = { + user = user.name; + path = user.cryptHomeLuks; + mountpoint = user.home; + } // user.pamMount; + in + "<volume ${concatStringsSep " " (mapAttrsToList mkAttr attrs)} />\n"; in pkgs.writeText "pam_mount.conf.xml" '' <?xml version="1.0" encoding="utf-8" ?> @@ -52,7 +60,7 @@ in <!-- if activated, requires ofl from hxtools to be present --> <logout wait="0" hup="no" term="no" kill="no" /> <!-- set PATH variable for pam_mount module --> - <path>${pkgs.utillinux}/bin</path> + <path>${pkgs.util-linux}/bin</path> <!-- create mount point if not present --> <mkmountpoint enable="1" remove="true" /> 
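Review bot: In the pam_mount.nix hunk (@@ -39), `mkAttr = k: v: ''${k}="${v}"'';` interpolates attribute values into XML without escaping, and the relaxed filter `u.cryptHomeLuks != null || u.pamMount != {}` means `path = user.cryptHomeLuks` can now be null: a user who sets `pamMount` without `cryptHomeLuks` and without a `path` override gets a Nix "cannot coerce null to a string" evaluation error that never names the option. Suggest dropping null attributes before rendering, `attrs = filterAttrs (_: v: v != null) ({ user = user.name; path = user.cryptHomeLuks; mountpoint = user.home; } // user.pamMount);`, and escaping the values, `mkAttr = k: v: ''${k}="${builtins.replaceStrings [ "&" "<" "\"" ] [ "&amp;" "&lt;" "&quot;" ] v}"'';`, assuming `pamMount` values are strings (the option's type is not visible here). The `writeText` string the entries are spliced into continues past the hunk.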
diff --git a/infra/libkookie/nixpkgs/nixos/modules/security/wrappers/default.nix b/infra/libkookie/nixpkgs/nixos/modules/security/wrappers/default.nix index 52de21bca9bf..de6213714ac3 100644 --- a/infra/libkookie/nixpkgs/nixos/modules/security/wrappers/default.nix +++ b/infra/libkookie/nixpkgs/nixos/modules/security/wrappers/default.nix @@ -163,8 +163,8 @@ in # These are mount related wrappers that require the +s permission. fusermount.source = "${pkgs.fuse}/bin/fusermount"; fusermount3.source = "${pkgs.fuse3}/bin/fusermount3"; - mount.source = "${lib.getBin pkgs.utillinux}/bin/mount"; - umount.source = "${lib.getBin pkgs.utillinux}/bin/umount"; + mount.source = "${lib.getBin pkgs.util-linux}/bin/mount"; + umount.source = "${lib.getBin pkgs.util-linux}/bin/umount"; }; boot.specialFileSystems.${parentWrapperDir} = { |