Commit Graph

21 Commits

Author SHA1 Message Date
rnhmjoj
fedd7cd690
nixos: explicitely set security.wrappers ownership
This is slightly more verbose and inconvenient, but it forces you
to think about what the wrapper ownership and permissions will be.
2021-09-13 13:48:13 +02:00
Thibaut Marty
4a0beed5c0 treewide: fix modules options types where the default is null
They can be caught with `nixos-option -r` on an empty ({...}:{}) NixOS
configuration.
2020-04-28 19:13:59 +02:00
Aaron Andersen
6f0c1cdbd9 nixos/duosec: rename ikey option to integrationKey 2020-03-22 20:25:11 -04:00
Aaron Andersen
b9dca769f1 nixos/duosec: replace insecure skey option with secure secretKeyFile option 2020-03-22 20:23:55 -04:00
Aaron Andersen
4f9cea70bd nixos/duosec: fix indentation 2020-03-21 10:34:12 -04:00
Aaron Andersen
28c815e34b nixos/duosec: fix configuration issue with "groups" option 2020-01-30 14:16:17 -05:00
rnhmjoj
1d61efb7f1 treewide: use attrs instead of list for types.loaOf options 2020-01-06 10:39:18 -05:00
Alex Guzman
0c34b9fcf8
nixos/security: make duo support secure failure correctly
seems that this got broken when the config option was made to use enums. "secure" got replaced with "enum", which isn't a valid option for the failure mode.
2019-03-17 18:25:20 -07:00
Scott Dier
a3273e85e3 nixos/security: Fix pam configuration file generation. 2019-02-24 22:49:01 +00:00
Scott Dier
4e9ac79ef5 nixos/security: Allow configuration of pam for duosec. 2019-02-24 22:49:01 +00:00
Geoffrey Huntley
a88ec5e8a5 duosec: use root uid as sshd uid has been retired (#33597)
* fix: use root uid as sshd uid has been retired

fixes https://github.com/NixOS/nixpkgs/issues/10088
related PR (abandoned) at https://github.com/NixOS/nixpkgs/pull/15391

* must use "sshd" user otherwise duosec does not work in multi user mode

see https://github.com/duosecurity/duo_unix/issues/89#issuecomment-272062632
2018-03-21 18:46:35 -05:00
Parnell Springmeyer
628e6a83d0
More derp 2017-01-29 05:33:56 -06:00
Parnell Springmeyer
e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer
bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Eric Sagnes
9513ab45aa duosec module: use enum 2016-11-16 22:36:05 +09:00
Parnell Springmeyer
98c058a1ee Adapting everything for the merged permissions wrappers work. 2016-09-01 19:21:06 -05:00
Parnell Springmeyer
390ab0b3ef everything?: Updating every package that depended on the old setuidPrograms configuration. 2016-09-01 19:17:43 -05:00
Tobias Geerinckx-Rice
c64257b8e5 Fix user-facing typos (mainly in descriptions) 2014-12-30 03:31:03 +01:00
Austin Seipp
e31f212f6b nixos/duosec: Add an option to allow TCP forwarding
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-20 02:42:38 -05:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Austin Seipp
29d46452dd nixos: add Duo Security module
This module adds the security.duosec attributes, which you can use to
enable simple two-factor authentication for NixOS logins.

The module currently provides PAM and SSH support, although the PAM unix
system configuration isn't automatically dealt with (although the
configuration is automatically built).

Enabling it is as easy as saying:

  security.duosec.ssh.enable = true;
  security.duosec.ikey       = "XXXXXXXX...";
  security.duosec.skey       = "XXXXXXXX...";
  security.duosec.host       = "api-XXXXXXX.duosecurity.com";
  security.duosec.group      = "duosec";

which will enforce two-factor authentication for SSH logins for users in
the 'duosec' group.

This requires uid/gid support in the environment.etc module.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-16 07:11:50 -05:00