3p/nixpkgs: remove old PR patches
This commit is contained in:
parent
11f8adeb43
commit
6f81c9d464
4 changed files with 0 additions and 711 deletions
251
third_party/nixpkgs/patches/pr163673.patch
vendored
251
third_party/nixpkgs/patches/pr163673.patch
vendored
|
@ -1,251 +0,0 @@
|
|||
From 860cc90fec86ea49d1f73ac5f5920f11afaba28d Mon Sep 17 00:00:00 2001
|
||||
From: Luke Granger-Brown <git@lukegb.com>
|
||||
Date: Fri, 11 Mar 2022 13:54:14 +0000
|
||||
Subject: [PATCH 1/4] pomerium: 0.15.7 -> 0.17.0
|
||||
|
||||
---
|
||||
pkgs/servers/http/pomerium/default.nix | 8 +++-----
|
||||
1 file changed, 3 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
|
||||
index cbf2fe1943542..4a8381bccc996 100644
|
||||
--- a/pkgs/servers/http/pomerium/default.nix
|
||||
+++ b/pkgs/servers/http/pomerium/default.nix
|
||||
@@ -11,18 +11,17 @@ let
|
||||
in
|
||||
buildGoModule rec {
|
||||
pname = "pomerium";
|
||||
- version = "0.15.7";
|
||||
+ version = "0.17.0";
|
||||
src = fetchFromGitHub {
|
||||
owner = "pomerium";
|
||||
repo = "pomerium";
|
||||
rev = "v${version}";
|
||||
- hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
|
||||
+ hash = "sha256:1hv76i6k9f0kp527nxlxqhklsvkh2cmfnqlszmlk2hxij31qnf8q";
|
||||
};
|
||||
|
||||
- vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
|
||||
+ vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
|
||||
subPackages = [
|
||||
"cmd/pomerium"
|
||||
- "cmd/pomerium-cli"
|
||||
];
|
||||
|
||||
ldflags = let
|
||||
@@ -74,7 +73,6 @@ buildGoModule rec {
|
||||
|
||||
installPhase = ''
|
||||
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
|
||||
- install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
|
||||
'';
|
||||
|
||||
passthru.tests = {
|
||||
|
||||
From 6659ba52480b2881c89c104370c2e7528fb34a0e Mon Sep 17 00:00:00 2001
|
||||
From: Luke Granger-Brown <git@lukegb.com>
|
||||
Date: Fri, 11 Mar 2022 14:01:27 +0000
|
||||
Subject: [PATCH 2/4] pomerium-cli: init at 0.17.0
|
||||
|
||||
---
|
||||
pkgs/servers/http/pomerium/default.nix | 2 +
|
||||
pkgs/tools/security/pomerium-cli/default.nix | 58 ++++++++++++++++++++
|
||||
pkgs/top-level/all-packages.nix | 1 +
|
||||
3 files changed, 61 insertions(+)
|
||||
create mode 100644 pkgs/tools/security/pomerium-cli/default.nix
|
||||
|
||||
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
|
||||
index 4a8381bccc996..8a5580d5d0dba 100644
|
||||
--- a/pkgs/servers/http/pomerium/default.nix
|
||||
+++ b/pkgs/servers/http/pomerium/default.nix
|
||||
@@ -4,6 +4,7 @@
|
||||
, envoy
|
||||
, zip
|
||||
, nixosTests
|
||||
+, pomerium-cli
|
||||
}:
|
||||
|
||||
let
|
||||
@@ -77,6 +78,7 @@ buildGoModule rec {
|
||||
|
||||
passthru.tests = {
|
||||
inherit (nixosTests) pomerium;
|
||||
+ inherit pomerium-cli;
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
diff --git a/pkgs/tools/security/pomerium-cli/default.nix b/pkgs/tools/security/pomerium-cli/default.nix
|
||||
new file mode 100644
|
||||
index 0000000000000..7dc7e3a7a903c
|
||||
--- /dev/null
|
||||
+++ b/pkgs/tools/security/pomerium-cli/default.nix
|
||||
@@ -0,0 +1,58 @@
|
||||
+{ buildGoModule
|
||||
+, fetchFromGitHub
|
||||
+, lib
|
||||
+, pomerium
|
||||
+}:
|
||||
+
|
||||
+let
|
||||
+ inherit (lib) concatStringsSep concatMap id mapAttrsToList;
|
||||
+in
|
||||
+buildGoModule rec {
|
||||
+ pname = "pomerium-cli";
|
||||
+ version = pomerium.version;
|
||||
+ src = fetchFromGitHub {
|
||||
+ owner = "pomerium";
|
||||
+ repo = "cli";
|
||||
+ rev = "v${version}";
|
||||
+ hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1";
|
||||
+ };
|
||||
+
|
||||
+ vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b";
|
||||
+ subPackages = [
|
||||
+ "cmd/pomerium-cli"
|
||||
+ ];
|
||||
+
|
||||
+ ldflags = let
|
||||
+ # Set a variety of useful meta variables for stamping the build with.
|
||||
+ setVars = {
|
||||
+ "github.com/pomerium/cli/version" = {
|
||||
+ Version = "v${version}";
|
||||
+ BuildMeta = "nixpkgs";
|
||||
+ ProjectName = "pomerium-cli";
|
||||
+ ProjectURL = "github.com/pomerium/cli";
|
||||
+ };
|
||||
+ };
|
||||
+ concatStringsSpace = list: concatStringsSep " " list;
|
||||
+ mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
|
||||
+ varFlags = concatStringsSpace (
|
||||
+ mapAttrsToFlatList (package: packageVars:
|
||||
+ mapAttrsToList (variable: value:
|
||||
+ "-X ${package}.${variable}=${value}"
|
||||
+ ) packageVars
|
||||
+ ) setVars);
|
||||
+ in [
|
||||
+ "${varFlags}"
|
||||
+ ];
|
||||
+
|
||||
+ installPhase = ''
|
||||
+ install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
|
||||
+ '';
|
||||
+
|
||||
+ meta = with lib; {
|
||||
+ homepage = "https://pomerium.io";
|
||||
+ description = "Client-side helper for Pomerium authenticating reverse proxy";
|
||||
+ license = licenses.asl20;
|
||||
+ maintainers = with maintainers; [ lukegb ];
|
||||
+ platforms = platforms.unix;
|
||||
+ };
|
||||
+}
|
||||
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
|
||||
index a2880d70e6457..7b01dfe3fe72d 100644
|
||||
--- a/pkgs/top-level/all-packages.nix
|
||||
+++ b/pkgs/top-level/all-packages.nix
|
||||
@@ -21613,6 +21613,7 @@ with pkgs;
|
||||
pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
|
||||
|
||||
pomerium = callPackage ../servers/http/pomerium { };
|
||||
+ pomerium-cli = callPackage ../tools/security/pomerium-cli { };
|
||||
|
||||
postgrey = callPackage ../servers/mail/postgrey { };
|
||||
|
||||
|
||||
From 3004e58f6a0817080f40db34dc96fdf4d5da6c18 Mon Sep 17 00:00:00 2001
|
||||
From: Luke Granger-Brown <git@lukegb.com>
|
||||
Date: Fri, 11 Mar 2022 14:03:22 +0000
|
||||
Subject: [PATCH 3/4] nixos/pomerium: avoid blocking when renewing ACME
|
||||
certificates
|
||||
|
||||
---
|
||||
nixos/modules/services/web-servers/pomerium.nix | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
|
||||
index 2bc7d01c7c287..0b460755f50ef 100644
|
||||
--- a/nixos/modules/services/web-servers/pomerium.nix
|
||||
+++ b/nixos/modules/services/web-servers/pomerium.nix
|
||||
@@ -69,11 +69,16 @@ in
|
||||
CERTIFICATE_KEY_FILE = "key.pem";
|
||||
};
|
||||
startLimitIntervalSec = 60;
|
||||
+ script = ''
|
||||
+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
|
||||
+ cd "$CREDENTIALS_DIRECTORY"
|
||||
+ fi
|
||||
+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
|
||||
+ '';
|
||||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
StateDirectory = [ "pomerium" ];
|
||||
- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
|
||||
|
||||
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
|
||||
MemoryDenyWriteExecute = false; # breaks LuaJIT
|
||||
@@ -99,7 +104,6 @@ in
|
||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||||
|
||||
- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
|
||||
LoadCredential = optionals (cfg.useACMEHost != null) [
|
||||
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
|
||||
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
|
||||
@@ -124,7 +128,7 @@ in
|
||||
Type = "oneshot";
|
||||
TimeoutSec = 60;
|
||||
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
|
||||
- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
|
||||
+ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
|
||||
};
|
||||
};
|
||||
});
|
||||
|
||||
From c19e76b29f7bd0d225ab89feb0a3726676f915c8 Mon Sep 17 00:00:00 2001
|
||||
From: Luke Granger-Brown <git@lukegb.com>
|
||||
Date: Fri, 11 Mar 2022 14:07:12 +0000
|
||||
Subject: [PATCH 4/4] pomerium: note changes in packaging in 22.05 release
|
||||
notes
|
||||
|
||||
---
|
||||
.../manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++
|
||||
nixos/doc/manual/release-notes/rl-2205.section.md | 5 +++++
|
||||
2 files changed, 15 insertions(+)
|
||||
|
||||
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
|
||||
index 9cf27e56827a1..333994c0957d6 100644
|
||||
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
|
||||
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
|
||||
@@ -1322,6 +1322,16 @@
|
||||
warning.
|
||||
</para>
|
||||
</listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ The <literal>pomerium-cli</literal> command has been moved out
|
||||
+ of the <literal>pomerium</literal> package into the
|
||||
+ <literal>pomerium-cli</literal> package, following upstream’s
|
||||
+ repository split. If you are using the
|
||||
+ <literal>pomerium-cli</literal> command, you should now
|
||||
+ install the <literal>pomerium-cli</literal> package.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The option
|
||||
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
|
||||
index 58a1b23d17bf6..222c101a2842d 100644
|
||||
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
|
||||
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
|
||||
@@ -479,6 +479,11 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
Reason is that the old name has been deprecated upstream.
|
||||
Using the old option name will still work, but produce a warning.
|
||||
|
||||
+- The `pomerium-cli` command has been moved out of the `pomerium` package into
|
||||
+ the `pomerium-cli` package, following upstream's repository split. If you are
|
||||
+ using the `pomerium-cli` command, you should now install the `pomerium-cli`
|
||||
+ package.
|
||||
+
|
||||
- The option
|
||||
[services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)
|
||||
was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager
|
24
third_party/nixpkgs/patches/pr163678.patch
vendored
24
third_party/nixpkgs/patches/pr163678.patch
vendored
|
@ -1,24 +0,0 @@
|
|||
From f491e8c3326f102c0ef45f6b0abe0868d6df5bbd Mon Sep 17 00:00:00 2001
|
||||
From: Luke Granger-Brown <git@lukegb.com>
|
||||
Date: Fri, 11 Mar 2022 15:42:05 +0000
|
||||
Subject: [PATCH] mercurial: disable all non-essential phases in withExtensions
|
||||
|
||||
---
|
||||
pkgs/applications/version-management/mercurial/default.nix | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/pkgs/applications/version-management/mercurial/default.nix b/pkgs/applications/version-management/mercurial/default.nix
|
||||
index 17d21f30e3b24..0124cf0646e5e 100644
|
||||
--- a/pkgs/applications/version-management/mercurial/default.nix
|
||||
+++ b/pkgs/applications/version-management/mercurial/default.nix
|
||||
@@ -181,6 +181,10 @@ in
|
||||
nativeBuildInputs = self.nativeBuildInputs;
|
||||
|
||||
dontUnpack = true;
|
||||
+ dontPatch = true;
|
||||
+ dontConfigure = true;
|
||||
+ dontBuild = true;
|
||||
+ doCheck = false;
|
||||
|
||||
installPhase = ''
|
||||
runHook preInstall
|
433
third_party/nixpkgs/patches/pr164025.patch
vendored
433
third_party/nixpkgs/patches/pr164025.patch
vendored
|
@ -1,433 +0,0 @@
|
|||
From f63d93bc3d0ad73b24b2cf9c0ee0381161071395 Mon Sep 17 00:00:00 2001
|
||||
From: Luke Granger-Brown <git@lukegb.com>
|
||||
Date: Sun, 13 Mar 2022 17:20:16 +0000
|
||||
Subject: [PATCH 1/2] pam_ussh: init at unstable-20210615
|
||||
|
||||
---
|
||||
pkgs/os-specific/linux/pam_ussh/default.nix | 64 +++++++++++++++++++++
|
||||
pkgs/os-specific/linux/pam_ussh/go.mod | 15 +++++
|
||||
pkgs/top-level/all-packages.nix | 2 +
|
||||
3 files changed, 81 insertions(+)
|
||||
create mode 100644 pkgs/os-specific/linux/pam_ussh/default.nix
|
||||
create mode 100644 pkgs/os-specific/linux/pam_ussh/go.mod
|
||||
|
||||
diff --git a/pkgs/os-specific/linux/pam_ussh/default.nix b/pkgs/os-specific/linux/pam_ussh/default.nix
|
||||
new file mode 100644
|
||||
index 0000000000000..499239500acce
|
||||
--- /dev/null
|
||||
+++ b/pkgs/os-specific/linux/pam_ussh/default.nix
|
||||
@@ -0,0 +1,64 @@
|
||||
+{ buildGoModule
|
||||
+, fetchFromGitHub
|
||||
+, pam
|
||||
+, lib
|
||||
+}:
|
||||
+
|
||||
+buildGoModule rec {
|
||||
+ pname = "pam_ussh";
|
||||
+ version = "unstable-20210615";
|
||||
+
|
||||
+ src = fetchFromGitHub {
|
||||
+ owner = "uber";
|
||||
+ repo = "pam-ussh";
|
||||
+ rev = "e9524bda90ba19d3b9eb24f49cb63a6a56a19193"; # HEAD as of 2022-03-13
|
||||
+ sha256 = "0nb9hpqbghgi3zvq41kabydzyc6ffaaw9b4jkc5jrwn1klpw1xk8";
|
||||
+ };
|
||||
+
|
||||
+ prePatch = ''
|
||||
+ cp ${./go.mod} go.mod
|
||||
+ '';
|
||||
+ overrideModAttrs = (_: {
|
||||
+ inherit prePatch;
|
||||
+ });
|
||||
+
|
||||
+ vendorSha256 = "0hjifc3kbwmx7kjn858vi05cwwra6q19cqjfd94k726pwhk37qkw";
|
||||
+
|
||||
+ buildInputs = [
|
||||
+ pam
|
||||
+ ];
|
||||
+
|
||||
+ buildPhase = ''
|
||||
+ runHook preBuild
|
||||
+
|
||||
+ if [ -z "$enableParallelBuilding" ]; then
|
||||
+ export NIX_BUILD_CORES=1
|
||||
+ fi
|
||||
+ go build -buildmode=c-shared -o pam_ussh.so -v -p $NIX_BUILD_CORES .
|
||||
+
|
||||
+ runHook postBuild
|
||||
+ '';
|
||||
+ checkPhase = ''
|
||||
+ runHook preCheck
|
||||
+
|
||||
+ go test -v -p $NIX_BUILD_CORES .
|
||||
+
|
||||
+ runHook postCheck
|
||||
+ '';
|
||||
+ installPhase = ''
|
||||
+ runHook preInstall
|
||||
+
|
||||
+ mkdir -p $out/lib/security
|
||||
+ cp pam_ussh.so $out/lib/security
|
||||
+
|
||||
+ runHook postInstall
|
||||
+ '';
|
||||
+
|
||||
+ meta = with lib; {
|
||||
+ homepage = "https://github.com/uber/pam-ussh";
|
||||
+ description = "PAM module to authenticate using SSH certificates";
|
||||
+ license = licenses.mit;
|
||||
+ platforms = platforms.linux;
|
||||
+ maintainers = with maintainers; [ lukegb ];
|
||||
+ };
|
||||
+}
|
||||
diff --git a/pkgs/os-specific/linux/pam_ussh/go.mod b/pkgs/os-specific/linux/pam_ussh/go.mod
|
||||
new file mode 100644
|
||||
index 0000000000000..9adc453560a43
|
||||
--- /dev/null
|
||||
+++ b/pkgs/os-specific/linux/pam_ussh/go.mod
|
||||
@@ -0,0 +1,15 @@
|
||||
+module github.com/uber/pam-ussh
|
||||
+
|
||||
+go 1.17
|
||||
+
|
||||
+require (
|
||||
+ github.com/stretchr/testify v1.7.0
|
||||
+ golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000
|
||||
+)
|
||||
+
|
||||
+require (
|
||||
+ github.com/davecgh/go-spew v1.1.0 // indirect
|
||||
+ github.com/pmezard/go-difflib v1.0.0 // indirect
|
||||
+ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
|
||||
+ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
|
||||
+)
|
||||
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
|
||||
index 6c6832ae05475..539ecd4ec481b 100644
|
||||
--- a/pkgs/top-level/all-packages.nix
|
||||
+++ b/pkgs/top-level/all-packages.nix
|
||||
@@ -23052,6 +23052,8 @@ with pkgs;
|
||||
|
||||
pam_usb = callPackage ../os-specific/linux/pam_usb { };
|
||||
|
||||
+ pam_ussh = callPackage ../os-specific/linux/pam_ussh { };
|
||||
+
|
||||
paxctl = callPackage ../os-specific/linux/paxctl { };
|
||||
|
||||
paxtest = callPackage ../os-specific/linux/paxtest { };
|
||||
|
||||
From 1853015550a78acbc3e9d090d174120796c4b784 Mon Sep 17 00:00:00 2001
|
||||
From: Luke Granger-Brown <git@lukegb.com>
|
||||
Date: Sun, 13 Mar 2022 17:20:23 +0000
|
||||
Subject: [PATCH 2/2] nixos/pam: add support for pam-ussh
|
||||
|
||||
pam-ussh allows authorizing using an SSH certificate stored in your
|
||||
SSH agent, in a similar manner to pam-ssh-agent-auth, but for
|
||||
certificates rather than raw public keys.
|
||||
---
|
||||
.../from_md/release-notes/rl-2205.section.xml | 9 ++
|
||||
.../manual/release-notes/rl-2205.section.md | 2 +
|
||||
nixos/modules/security/pam.nix | 109 ++++++++++++++++++
|
||||
nixos/modules/security/sudo.nix | 2 +-
|
||||
nixos/tests/all-tests.nix | 1 +
|
||||
nixos/tests/pam/pam-ussh.nix | 70 +++++++++++
|
||||
pkgs/os-specific/linux/pam_ussh/default.nix | 3 +
|
||||
7 files changed, 195 insertions(+), 1 deletion(-)
|
||||
create mode 100644 nixos/tests/pam/pam-ussh.nix
|
||||
|
||||
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
|
||||
index 9cf27e56827a1..ede0e10e03466 100644
|
||||
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
|
||||
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
|
||||
@@ -1286,6 +1286,15 @@
|
||||
been added by default.
|
||||
</para>
|
||||
</listitem>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ <literal>security.pam.ussh</literal> has been added, which
|
||||
+ allows authorizing PAM sessions based on SSH
|
||||
+ <emphasis>certificates</emphasis> held within an SSH agent,
|
||||
+ using
|
||||
+ <link xlink:href="https://github.com/uber/pam-ussh">pam-ussh</link>.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>zrepl</literal> package has been updated from
|
||||
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
|
||||
index 58a1b23d17bf6..90ac7e90e7295 100644
|
||||
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
|
||||
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
|
||||
@@ -470,6 +470,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
- `services.logrotate.enable` now defaults to true if any rotate path has
|
||||
been defined, and some paths have been added by default.
|
||||
|
||||
+- `security.pam.ussh` has been added, which allows authorizing PAM sessions based on SSH _certificates_ held within an SSH agent, using [pam-ussh](https://github.com/uber/pam-ussh).
|
||||
+
|
||||
- The `zrepl` package has been updated from 0.4.0 to 0.5:
|
||||
|
||||
- The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume.
|
||||
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
|
||||
index c0ef8b5f30bd4..f9697d61f1b27 100644
|
||||
--- a/nixos/modules/security/pam.nix
|
||||
+++ b/nixos/modules/security/pam.nix
|
||||
@@ -61,6 +61,19 @@ let
|
||||
'';
|
||||
};
|
||||
|
||||
+ usshAuth = mkOption {
|
||||
+ default = false;
|
||||
+ type = types.bool;
|
||||
+ description = ''
|
||||
+ If set, users with an SSH certificate containing an authorized principal
|
||||
+ in their SSH agent are able to log in. Specific options are controlled
|
||||
+ using the <option>security.pam.ussh</option> options.
|
||||
+
|
||||
+ Note that the <option>security.pam.ussh.enable</option> must also be
|
||||
+ set for this option to take effect.
|
||||
+ '';
|
||||
+ };
|
||||
+
|
||||
yubicoAuth = mkOption {
|
||||
default = config.security.pam.yubico.enable;
|
||||
defaultText = literalExpression "config.security.pam.yubico.enable";
|
||||
@@ -475,6 +488,9 @@ let
|
||||
optionalString cfg.usbAuth ''
|
||||
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
|
||||
'' +
|
||||
+ (let ussh = config.security.pam.ussh; in optionalString (config.security.pam.ussh.enable && cfg.usshAuth) ''
|
||||
+ auth ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"}
|
||||
+ '') +
|
||||
(let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
|
||||
auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
|
||||
'') +
|
||||
@@ -926,6 +942,96 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
+ security.pam.ussh = {
|
||||
+ enable = mkOption {
|
||||
+ default = false;
|
||||
+ type = types.bool;
|
||||
+ description = ''
|
||||
+ Enables Uber's USSH PAM (<literal>pam-ussh</literal>) module.
|
||||
+
|
||||
+ This is similar to <literal>pam-ssh-agent</literal>, except that
|
||||
+ the presence of a CA-signed SSH key with a valid principal is checked
|
||||
+ instead.
|
||||
+
|
||||
+ Note that this module must both be enabled using this option and on a
|
||||
+ per-PAM-service level as well (using <literal>usshAuth</literal>).
|
||||
+
|
||||
+ More information can be found <link
|
||||
+ xlink:href="https://github.com/uber/pam-ussh">here</link>.
|
||||
+ '';
|
||||
+ };
|
||||
+
|
||||
+ caFile = mkOption {
|
||||
+ default = null;
|
||||
+ type = with types; nullOr path;
|
||||
+ description = ''
|
||||
+ By default <literal>pam-ussh</literal> reads the trusted user CA keys
|
||||
+ from <filename>/etc/ssh/trusted_user_ca</filename>.
|
||||
+
|
||||
+ This should be set the same as your <literal>TrustedUserCAKeys</literal>
|
||||
+ option for sshd.
|
||||
+ '';
|
||||
+ };
|
||||
+
|
||||
+ authorizedPrincipals = mkOption {
|
||||
+ default = null;
|
||||
+ type = with types; nullOr commas;
|
||||
+ description = ''
|
||||
+ Comma-separated list of authorized principals to permit; if the user
|
||||
+ presents a certificate with one of these principals, then they will be
|
||||
+ authorized.
|
||||
+
|
||||
+ Note that <literal>pam-ussh</literal> also requires that the certificate
|
||||
+ contain a principal matching the user's username. The principals from
|
||||
+ this list are in addition to those principals.
|
||||
+
|
||||
+ Mutually exclusive with <literal>authorizedPrincipalsFile</literal>.
|
||||
+ '';
|
||||
+ };
|
||||
+
|
||||
+ authorizedPrincipalsFile = mkOption {
|
||||
+ default = null;
|
||||
+ type = with types; nullOr path;
|
||||
+ description = ''
|
||||
+ Path to a list of principals; if the user presents a certificate with
|
||||
+ one of these principals, then they will be authorized.
|
||||
+
|
||||
+ Note that <literal>pam-ussh</literal> also requires that the certificate
|
||||
+ contain a principal matching the user's username. The principals from
|
||||
+ this file are in addition to those principals.
|
||||
+
|
||||
+ Mutually exclusive with <literal>authorizedPrincipals</literal>.
|
||||
+ '';
|
||||
+ };
|
||||
+
|
||||
+ group = mkOption {
|
||||
+ default = null;
|
||||
+ type = with types; nullOr str;
|
||||
+ description = ''
|
||||
+ If set, then the authenticating user must be a member of this group
|
||||
+ to use this module.
|
||||
+ '';
|
||||
+ };
|
||||
+
|
||||
+ control = mkOption {
|
||||
+ default = "sufficient";
|
||||
+ type = types.enum [ "required" "requisite" "sufficient" "optional" ];
|
||||
+ description = ''
|
||||
+ This option sets pam "control".
|
||||
+ If you want to have multi factor authentication, use "required".
|
||||
+ If you want to use the SSH certificate instead of the regular password,
|
||||
+ use "sufficient".
|
||||
+
|
||||
+ Read
|
||||
+ <citerefentry>
|
||||
+ <refentrytitle>pam.conf</refentrytitle>
|
||||
+ <manvolnum>5</manvolnum>
|
||||
+ </citerefentry>
|
||||
+ for better understanding of this option.
|
||||
+ '';
|
||||
+ };
|
||||
+ };
|
||||
+
|
||||
security.pam.yubico = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
@@ -1110,6 +1216,9 @@ in
|
||||
optionalString (isEnabled (cfg: cfg.usbAuth)) ''
|
||||
mr ${pkgs.pam_usb}/lib/security/pam_usb.so,
|
||||
'' +
|
||||
+ optionalString (isEnabled (cfg: cfg.usshAuth)) ''
|
||||
+ mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so,
|
||||
+ '' +
|
||||
optionalString (isEnabled (cfg: cfg.oathAuth)) ''
|
||||
"mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,
|
||||
'' +
|
||||
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
|
||||
index 99e578f8adae6..4bf239fca8f90 100644
|
||||
--- a/nixos/modules/security/sudo.nix
|
||||
+++ b/nixos/modules/security/sudo.nix
|
||||
@@ -245,7 +245,7 @@ in
|
||||
|
||||
environment.systemPackages = [ sudo ];
|
||||
|
||||
- security.pam.services.sudo = { sshAgentAuth = true; };
|
||||
+ security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
|
||||
|
||||
environment.etc.sudoers =
|
||||
{ source =
|
||||
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
|
||||
index 043d8a56d0c63..1ed12c54c5752 100644
|
||||
--- a/nixos/tests/all-tests.nix
|
||||
+++ b/nixos/tests/all-tests.nix
|
||||
@@ -388,6 +388,7 @@ in
|
||||
pam-file-contents = handleTest ./pam/pam-file-contents.nix {};
|
||||
pam-oath-login = handleTest ./pam/pam-oath-login.nix {};
|
||||
pam-u2f = handleTest ./pam/pam-u2f.nix {};
|
||||
+ pam-ussh = handleTest ./pam/pam-ussh.nix {};
|
||||
pantalaimon = handleTest ./matrix/pantalaimon.nix {};
|
||||
pantheon = handleTest ./pantheon.nix {};
|
||||
paperless-ng = handleTest ./paperless-ng.nix {};
|
||||
diff --git a/nixos/tests/pam/pam-ussh.nix b/nixos/tests/pam/pam-ussh.nix
|
||||
new file mode 100644
|
||||
index 0000000000000..ba0570dbf97d2
|
||||
--- /dev/null
|
||||
+++ b/nixos/tests/pam/pam-ussh.nix
|
||||
@@ -0,0 +1,70 @@
|
||||
+import ../make-test-python.nix ({ pkgs, lib, ... }:
|
||||
+
|
||||
+let
|
||||
+ testOnlySSHCredentials = pkgs.runCommand "pam-ussh-test-ca" {
|
||||
+ nativeBuildInputs = [ pkgs.openssh ];
|
||||
+ } ''
|
||||
+ mkdir $out
|
||||
+ ssh-keygen -t ed25519 -N "" -f $out/ca
|
||||
+
|
||||
+ ssh-keygen -t ed25519 -N "" -f $out/alice
|
||||
+ ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub
|
||||
+
|
||||
+ ssh-keygen -t ed25519 -N "" -f $out/bob
|
||||
+ ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub
|
||||
+ '';
|
||||
+ makeTestScript = user: pkgs.writeShellScript "pam-ussh-${user}-test-script" ''
|
||||
+ set -euo pipefail
|
||||
+
|
||||
+ eval $(${pkgs.openssh}/bin/ssh-agent)
|
||||
+
|
||||
+ mkdir -p $HOME/.ssh
|
||||
+ chmod 700 $HOME/.ssh
|
||||
+ cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh
|
||||
+ chmod 600 $HOME/.ssh/${user}
|
||||
+ chmod 644 $HOME/.ssh/${user}{,-cert}.pub
|
||||
+
|
||||
+ set -x
|
||||
+
|
||||
+ ${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user}
|
||||
+ ${pkgs.openssh}/bin/ssh-add -l &>2
|
||||
+
|
||||
+ exec sudo id -u -n
|
||||
+ '';
|
||||
+in {
|
||||
+ name = "pam-ussh";
|
||||
+ meta.maintainers = with lib.maintainers; [ lukegb ];
|
||||
+
|
||||
+ machine =
|
||||
+ { ... }:
|
||||
+ {
|
||||
+ users.users.alice = { isNormalUser = true; extraGroups = [ "wheel" ]; };
|
||||
+ users.users.bob = { isNormalUser = true; extraGroups = [ "wheel" ]; };
|
||||
+
|
||||
+ security.pam.ussh = {
|
||||
+ enable = true;
|
||||
+ authorizedPrincipals = "root";
|
||||
+ caFile = "${testOnlySSHCredentials}/ca.pub";
|
||||
+ };
|
||||
+
|
||||
+ security.sudo = {
|
||||
+ enable = true;
|
||||
+ extraConfig = ''
|
||||
+ Defaults lecture="never"
|
||||
+ '';
|
||||
+ };
|
||||
+ };
|
||||
+
|
||||
+ testScript =
|
||||
+ ''
|
||||
+ with subtest("alice should be allowed to escalate to root"):
|
||||
+ machine.succeed(
|
||||
+ 'su -c "${makeTestScript "alice"}" -l alice | grep root'
|
||||
+ )
|
||||
+
|
||||
+ with subtest("bob should not be allowed to escalate to root"):
|
||||
+ machine.fail(
|
||||
+ 'su -c "${makeTestScript "bob"}" -l bob | grep root'
|
||||
+ )
|
||||
+ '';
|
||||
+})
|
||||
diff --git a/pkgs/os-specific/linux/pam_ussh/default.nix b/pkgs/os-specific/linux/pam_ussh/default.nix
|
||||
index 499239500acce..889c8bc6f57cf 100644
|
||||
--- a/pkgs/os-specific/linux/pam_ussh/default.nix
|
||||
+++ b/pkgs/os-specific/linux/pam_ussh/default.nix
|
||||
@@ -2,6 +2,7 @@
|
||||
, fetchFromGitHub
|
||||
, pam
|
||||
, lib
|
||||
+, nixosTests
|
||||
}:
|
||||
|
||||
buildGoModule rec {
|
||||
@@ -54,6 +55,8 @@ buildGoModule rec {
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
+ passthru.tests = { inherit (nixosTests) pam-ussh; };
|
||||
+
|
||||
meta = with lib; {
|
||||
homepage = "https://github.com/uber/pam-ussh";
|
||||
description = "PAM module to authenticate using SSH certificates";
|
3
third_party/nixpkgs/patches/series
vendored
3
third_party/nixpkgs/patches/series
vendored
|
@ -1,7 +1,4 @@
|
|||
nvidia-sideband-socket.patch
|
||||
pr163673.patch
|
||||
pr163678.patch
|
||||
pr164025.patch
|
||||
pr167221.patch
|
||||
networkd-support-more-wg-options.patch
|
||||
networkd-global-options.patch
|
||||
|
|