Unverified Commit 037c0663 authored by github-actions[bot]'s avatar github-actions[bot] Committed by GitHub

Merge master into staging-next

parents 7ac1647a 1d67e14d
+17 −2
@@ -9,8 +9,23 @@ let
    graphene-hardened = {
      libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so";
      description = ''
        An allocator designed to mitigate memory corruption attacks, such as
        those caused by use-after-free bugs.
        Hardened memory allocator coming from GrapheneOS project.
        The default configuration template has all normal optional security
        features enabled and is quite aggressive in terms of sacrificing
        performance and memory usage for security.
      '';
    };

    graphene-hardened-light = {
      libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc-light.so";
      description = ''
        Hardened memory allocator coming from GrapheneOS project.
        The light configuration template disables the slab quarantines,
        write after free check, slot randomization and raises the guard
        slab interval from 1 to 8 but leaves zero-on-free and slab canaries enabled.
        The light configuration has solid performance and memory usage while still
        being far more secure than mainstream allocators with much better security
        properties.
      '';
    };

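Review bot: The closing sentence of the graphene-hardened-light description, `being far more secure than mainstream allocators with much better security` / `properties.`, says the same thing twice, since "with much better security properties" restates "far more secure"; ending at `being far more secure than mainstream allocators.` reads cleaner. The same text would benefit from `write-after-free check` to match the hyphenation used for `zero-on-free` two lines later. If the lines `An allocator designed to mitigate memory corruption attacks, ...` and `Hardened memory allocator coming from GrapheneOS project.` both survive in the graphene-hardened description (the rendering does not show which side each is on), the entry now has two openers and one of them could be dropped.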
+19 −15
{ config, lib, pkgs, ... }:

with lib;

{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.programs.wshowkeys;
in {
  meta.maintainers = with maintainers; [ primeos ];

in
{
  options = {
    programs.wshowkeys = {
      enable = mkEnableOption ''
      enable = lib.mkEnableOption ''
        wshowkeys (displays keypresses on screen on supported Wayland
        compositors). It requires root permissions to read input events, but
        these permissions are dropped after startup'';
      package = lib.mkPackageOption pkgs "wshowkeys" { };
    };
  };

  config = mkIf cfg.enable {
    security.wrappers.wshowkeys =
      { setuid = true;
  config = lib.mkIf cfg.enable {
    security.wrappers.wshowkeys = {
      setuid = true;
      owner = "root";
      group = "root";
        source = "${pkgs.wshowkeys}/bin/wshowkeys";
      source = lib.getExe cfg.package;
    };
  };

  meta.maintainers = with lib.maintainers; [ primeos ];
}
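Review bot: `source = lib.getExe cfg.package;` on the new side makes the setuid-root wrapper point at whatever `programs.wshowkeys.package` resolves to, but neither the wrapper block nor the new `package` option says so, and the only hint is the enable option's text about permissions being dropped after startup. A comment above `setuid = true;` such as `# setuid-root wrapper: the binary selected via programs.wshowkeys.package starts with root privileges, so overriding the package changes what runs as root` would make the consequence of overriding the package visible to whoever sets it. It would also be reasonable to repeat that point in the `package` option's help text, assuming `lib.mkPackageOption` accepts extra description text in its attribute argument.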
+46 −6
@@ -25,10 +25,41 @@ in
    };

    virtualHosts = mkOption {
      type = types.listOf types.str;
      default = [];
      type = let
        vhostSubmodule = types.submodule {
          options = {
            allowed_groups = mkOption {
              type = types.nullOr (types.listOf types.str);
              description = "List of groups to allow access to this vhost, or null to allow all.";
              default = null;
            };
            allowed_emails = mkOption {
              type = types.nullOr (types.listOf types.str);
              description = "List of emails to allow access to this vhost, or null to allow all.";
              default = null;
            };
            allowed_email_domains = mkOption {
              type = types.nullOr (types.listOf types.str);
              description = "List of email domains to allow access to this vhost, or null to allow all.";
              default = null;
            };
          };
        };
        oldType = types.listOf types.str;
        convertFunc = x:
          lib.warn "services.oauth2_proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}"
          lib.genAttrs x (_: {});
        newType = types.attrsOf vhostSubmodule;
      in types.coercedTo oldType convertFunc newType;
      default = {};
      example = {
        "protected.foo.com" = {
          allowed_groups = ["admins"];
          allowed_emails = ["boss@foo.com"];
        };
      };
      description = ''
        A list of nginx virtual hosts to put behind the oauth2 proxy.
        Nginx virtual hosts to put behind the oauth2 proxy.
        You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting.
      '';
    };
@@ -50,11 +81,20 @@ in
    }
  ] ++ optional (cfg.virtualHosts != []) {
    recommendedProxySettings = true; # needed because duplicate headers
  } ++ (map (vhost: {
  } ++ (lib.mapAttrsToList (vhost: conf: {
    virtualHosts.${vhost} = {
      locations = {
        "/oauth2/auth" = {
          proxyPass = cfg.proxy;
        "/oauth2/auth" = let
          maybeQueryArg = name: value:
            if value == null then null
            else "${name}=${lib.concatStringsSep "," value}";
          allArgs = lib.mapAttrsToList maybeQueryArg conf;
          cleanArgs = builtins.map lib.escapeURL (builtins.filter (x: x != null) allArgs);
          cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
        in {
          # nginx doesn't support passing query string arguments to auth_request,
          # so pass them here instead
          proxyPass = "${cfg.proxy}/oauth2/auth?${cleanArgsStr}";
          extraConfig = ''
            auth_request off;
            proxy_set_header X-Scheme         $scheme;
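Review bot: `cleanArgs = builtins.map lib.escapeURL (builtins.filter (x: x != null) allArgs);` percent-encodes the already joined `name=value` strings, and because `=` and `,` are not unreserved characters, `allowed_groups=admins,ops` becomes `allowed_groups%3Dadmins%2Cops`; a query parser that decodes this sees a key named `allowed_groups=admins,ops` with an empty value, so the per-vhost restriction taken from `conf` may never reach the `/oauth2/auth` endpoint and the vhost would silently fall back to admitting every authenticated user (worth confirming against how oauth2-proxy treats unknown query parameters). Escape the pieces instead of the joined string: in `maybeQueryArg` use `else "${lib.escapeURL name}=${lib.concatStringsSep "," (map lib.escapeURL value)}";` and reduce the next step to `cleanArgs = builtins.filter (x: x != null) allArgs;`. A one-line comment next to it, `# encode name and each value separately so '=' and ',' remain separators`, would keep the next editor from reintroducing the whole-string escape. The `"/oauth2/auth" = let … in { … }` attribute and the enclosing `lib.mapAttrsToList` lambda continue past the end of the hunk.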
+1 −0
@@ -782,6 +782,7 @@ in {
  rasdaemon = handleTest ./rasdaemon.nix {};
  readarr = handleTest ./readarr.nix {};
  redis = handleTest ./redis.nix {};
  redlib = handleTest ./redlib.nix {};
  redmine = handleTest ./redmine.nix {};
  restartByActivationScript = handleTest ./restart-by-activation-script.nix {};
  restic-rest-server = handleTest ./restic-rest-server.nix {};
+160 −160


