Merge #224806: staging-next 2023-04-05
vcunat committed Apr 12, 2023
2 parents 9308394 + d0bb9ed commit 2a32918
Showing 326 changed files with 3,782 additions and 2,528 deletions.
6 changes: 5 additions & 1 deletion nixos/doc/manual/release-notes/rl-2305.section.md
Expand Up @@ -16,8 +16,12 @@ In addition to numerous new and upgraded packages, this release has the followin
It's recommended to use `nixos-rebuild boot` and `reboot`, rather than `nixos-rebuild switch` - since in some rare cases
the switch of a live system might fail.

- glibc: 2.35 -\> 2.37

- Cinnamon has been updated to 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what is changed.

- GNOME has been upgraded to version 44. Please see the [release notes](https://release.gnome.org/44/) for details.

- KDE Plasma has been updated to v5.27, see [the release notes](https://kde.org/announcements/plasma/5/5.27.0/) for what is changed.

- `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands.
Expand Down Expand Up @@ -232,7 +236,7 @@ In addition to numerous new and upgraded packages, this release has the followin

- `vim_configurable` has been renamed to `vim-full` to avoid confusion: `vim-full`'s build-time features are configurable, but both `vim` and `vim-full` are _customizable_ (in the sense of user configuration, like vimrc).

- Pantheon now defaults to Mutter 42 and GNOME settings daemon 42, all Pantheon packages are now tracking elementary OS 7 updates.
- Pantheon now defaults to Mutter 43 and GNOME settings daemon 43, all Pantheon packages are now tracking elementary OS 7 updates.

- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)

1 change: 1 addition & 0 deletions nixos/modules/module-list.nix
Expand Up @@ -279,6 +279,7 @@
./security/doas.nix
./security/duosec.nix
./security/google_oslogin.nix
./security/ipa.nix
./security/lock-kernel-modules.nix
./security/misc.nix
./security/oath.nix
258 changes: 258 additions & 0 deletions nixos/modules/security/ipa.nix
@@ -0,0 +1,258 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.security.ipa;
pyBool = x:
if x
then "True"
else "False";

ldapConf = pkgs.writeText "ldap.conf" ''
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
URI ldaps://${cfg.server}
BASE ${cfg.basedn}
TLS_CACERT /etc/ipa/ca.crt
'';
nssDb =
pkgs.runCommand "ipa-nssdb"
{
nativeBuildInputs = [pkgs.nss.tools];
} ''
mkdir -p $out
certutil -d $out -N --empty-password
certutil -d $out -A --empty-password -n "${cfg.realm} IPA CA" -t CT,C,C -i ${cfg.certificate}
'';
in {
options = {
security.ipa = {
enable = mkEnableOption (lib.mdDoc "FreeIPA domain integration");

certificate = mkOption {
type = types.package;
description = lib.mdDoc ''
IPA server CA certificate.
Use `nix-prefetch-url http://$server/ipa/config/ca.crt` to
obtain the file and the hash.
'';
example = literalExpression ''
pkgs.fetchurl {
url = http://ipa.example.com/ipa/config/ca.crt;
sha256 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
};
'';
};

domain = mkOption {
type = types.str;
example = "example.com";
description = lib.mdDoc "Domain of the IPA server.";
};

realm = mkOption {
type = types.str;
example = "EXAMPLE.COM";
description = lib.mdDoc "Kerberos realm.";
};

server = mkOption {
type = types.str;
example = "ipa.example.com";
description = lib.mdDoc "IPA Server hostname.";
};

basedn = mkOption {
type = types.str;
example = "dc=example,dc=com";
description = lib.mdDoc "Base DN to use when performing LDAP operations.";
};

offlinePasswords = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Whether to store offline passwords when the server is down.";
};

cacheCredentials = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Whether to cache credentials.";
};

ifpAllowedUids = mkOption {
type = types.listOf types.string;
default = ["root"];
description = lib.mdDoc "A list of users allowed to access the ifp dbus interface.";
};

dyndns = {
enable = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Whether to enable FreeIPA automatic hostname updates.";
};

interface = mkOption {
type = types.str;
example = "eth0";
default = "*";
description = lib.mdDoc "Network interface to perform hostname updates through.";
};
};

chromiumSupport = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Whether to whitelist the FreeIPA domain in Chromium.";
};
};
};

config = mkIf cfg.enable {
assertions = [
{
assertion = !config.krb5.enable;
message = "krb5 must be disabled through `krb5.enable` for FreeIPA integration to work.";
}
{
assertion = !config.users.ldap.enable;
message = "ldap must be disabled through `users.ldap.enable` for FreeIPA integration to work.";
}
];

environment.systemPackages = with pkgs; [krb5Full freeipa];

environment.etc = {
"ipa/default.conf".text = ''
[global]
basedn = ${cfg.basedn}
realm = ${cfg.realm}
domain = ${cfg.domain}
server = ${cfg.server}
host = ${config.networking.hostName}
xmlrpc_uri = https://${cfg.server}/ipa/xml
enable_ra = True
'';

"ipa/nssdb".source = nssDb;

"krb5.conf".text = ''
[libdefaults]
default_realm = ${cfg.realm}
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
[realms]
${cfg.realm} = {
kdc = ${cfg.server}:88
master_kdc = ${cfg.server}:88
admin_server = ${cfg.server}:749
default_domain = ${cfg.domain}
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.${cfg.domain} = ${cfg.realm}
${cfg.domain} = ${cfg.realm}
${cfg.server} = ${cfg.realm}
[dbmodules]
${cfg.realm} = {
db_library = ${pkgs.freeipa}/lib/krb5/plugins/kdb/ipadb.so
}
'';

"openldap/ldap.conf".source = ldapConf;
};

environment.etc."chromium/policies/managed/freeipa.json" = mkIf cfg.chromiumSupport {
text = ''
{ "AuthServerWhitelist": "*.${cfg.domain}" }
'';
};

system.activationScripts.ipa = stringAfter ["etc"] ''
# libcurl requires a hard copy of the certificate
if ! ${pkgs.diffutils}/bin/diff ${cfg.certificate} /etc/ipa/ca.crt > /dev/null 2>&1; then
rm -f /etc/ipa/ca.crt
cp ${cfg.certificate} /etc/ipa/ca.crt
fi
if [ ! -f /etc/krb5.keytab ]; then
cat <<EOF
In order to complete FreeIPA integration, please join the domain by completing the following steps:
1. Authenticate as an IPA user authorized to join new hosts, e.g. kinit admin@${cfg.realm}
2. Join the domain and obtain the keytab file: ipa-join
3. Install the keytab file: sudo install -m 600 krb5.keytab /etc/
4. Restart sssd systemd service: sudo systemctl restart sssd
EOF
fi
'';

services.sssd.config = ''
[domain/${cfg.domain}]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = ${cfg.domain}
ipa_server = _srv_, ${cfg.server}
ipa_hostname = ${config.networking.hostName}.${cfg.domain}
cache_credentials = ${pyBool cfg.cacheCredentials}
krb5_store_password_if_offline = ${pyBool cfg.offlinePasswords}
${optionalString ((toLower cfg.domain) != (toLower cfg.realm))
"krb5_realm = ${cfg.realm}"}
dyndns_update = ${pyBool cfg.dyndns.enable}
dyndns_iface = ${cfg.dyndns.interface}
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber, lock:nsaccountlock
[sssd]
debug_level = 65510
services = nss, sudo, pam, ssh, ifp
domains = ${cfg.domain}
[nss]
homedir_substring = /home
[pam]
pam_pwd_expiration_warning = 3
pam_verbosity = 3
[sudo]
debug_level = 65510
[autofs]
[ssh]
[pac]
[ifp]
user_attributes = +mail, +telephoneNumber, +givenname, +sn, +lock
allowed_uids = ${concatStringsSep ", " cfg.ifpAllowedUids}
'';

services.ntp.servers = singleton cfg.server;
services.sssd.enable = true;
services.ntp.enable = true;

security.pki.certificateFiles = singleton cfg.certificate;
};
}
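Review bot: `ifpAllowedUids` is declared as `type = types.listOf types.string;`, and `types.string` is deprecated in nixpkgs (it quietly concatenates values) while every other string option in this module already uses `types.str`; change it to `type = types.listOf types.str;`. The sssd configuration hard-codes `debug_level = 65510` in both the `[sssd]` and `[sudo]` sections, which puts the daemon near its most verbose logging on every host that enables the module; consider removing it or exposing it as an option with a quieter default, since sssd debug logs can carry account names and LDAP queries. The Chromium policy file writes `AuthServerWhitelist`; newer Chromium releases renamed this policy to `AuthServerAllowlist` and may no longer honour the old key, so it is worth checking against the Chromium version shipped before relying on it. `services.ntp.enable = true` and `services.ntp.servers = singleton cfg.server;` are set unconditionally rather than with `mkDefault`, so a host that already runs chrony or timesyncd cannot override them without disabling the module.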
4 changes: 3 additions & 1 deletion nixos/release-small.nix
Expand Up @@ -85,7 +85,8 @@ in rec {
stdenv
subversion
tarball
vim;
vim
tests-stdenv-gcc-stageCompare;
};

tested = let
Expand Down Expand Up @@ -135,6 +136,7 @@ in rec {
"nixos.tests.proxy"
"nixos.tests.simple"
"nixpkgs.jdk"
"nixpkgs.tests-stdenv-gcc-stageCompare"
])
];
};
19 changes: 11 additions & 8 deletions nixos/tests/gnome-xorg.nix
Expand Up @@ -24,7 +24,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
services.xserver.desktopManager.gnome.enable = true;
services.xserver.desktopManager.gnome.debug = true;
services.xserver.displayManager.defaultSession = "gnome-xorg";
programs.gnome-terminal.enable = true;

systemd.user.services = {
"org.gnome.Shell@x11" = {
Expand Down Expand Up @@ -61,10 +60,10 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
# False when startup is done
startingUp = su "${gdbus} ${eval} Main.layoutManager._startingUp";

# Start gnome-terminal
gnomeTerminalCommand = su "gnome-terminal";
# Start Console
launchConsole = su "${bus} gapplication launch org.gnome.Console";

# Hopefully gnome-terminal's wm class
# Hopefully Console's wm class
wmClass = su "${gdbus} ${eval} global.display.focus_window.wm_class";
in ''
with subtest("Login to GNOME Xorg with GDM"):
Expand All @@ -82,13 +81,17 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
"${startingUp} | grep -q 'true,..false'"
)
with subtest("Open Gnome Terminal"):
with subtest("Open Console"):
# Close the Activities view so that Shell can correctly track the focused window.
machine.send_key("esc")
machine.succeed(
"${gnomeTerminalCommand}"
"${launchConsole}"
)
# correct output should be (true, '"Gnome-terminal"')
# correct output should be (true, '"kgx"')
# For some reason, this deviates from Wayland.
machine.wait_until_succeeds(
"${wmClass} | grep -q 'true,...Gnome-terminal'"
"${wmClass} | grep -q 'true,...kgx'"
)
machine.sleep(20)
machine.screenshot("screen")
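Review bot: The comment `# For some reason, this deviates from Wayland.` above the `wmClass` check leaves the reader guessing why this test greps for `kgx` while nixos/tests/gnome.nix greps for `org.gnome.Console` in the same place. The difference appears to be that under X11 `global.display.focus_window.wm_class` reports the window's WM_CLASS (Console's executable name, kgx) whereas on Wayland it reports the application id, so I would replace the comment with `# Under X11 wm_class is the window's WM_CLASS ("kgx"), not the app-id "org.gnome.Console" that the Wayland test matches.` The test script continues outside the hunk.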
26 changes: 12 additions & 14 deletions nixos/tests/gnome.nix
Expand Up @@ -22,14 +22,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {

services.xserver.desktopManager.gnome.enable = true;
services.xserver.desktopManager.gnome.debug = true;
programs.gnome-terminal.enable = true;

environment.systemPackages = [
(pkgs.makeAutostartItem {
name = "org.gnome.Terminal";
package = pkgs.gnome.gnome-terminal;
})
];

systemd.user.services = {
"org.gnome.Shell@wayland" = {
Expand Down Expand Up @@ -64,10 +56,10 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
# False when startup is done
startingUp = su "${gdbus} ${eval} Main.layoutManager._startingUp";

# Start gnome-terminal
gnomeTerminalCommand = su "${bus} gnome-terminal";
# Start Console
launchConsole = su "${bus} gapplication launch org.gnome.Console";

# Hopefully gnome-terminal's wm class
# Hopefully Console's wm class
wmClass = su "${gdbus} ${eval} global.display.focus_window.wm_class";
in ''
with subtest("Login to GNOME with GDM"):
Expand All @@ -86,10 +78,16 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
"${startingUp} | grep -q 'true,..false'"
)
with subtest("Open Gnome Terminal"):
# correct output should be (true, '"gnome-terminal-server"')
with subtest("Open Console"):
# Close the Activities view so that Shell can correctly track the focused window.
machine.send_key("esc")
machine.succeed(
"${launchConsole}"
)
# correct output should be (true, '"org.gnome.Console"')
machine.wait_until_succeeds(
"${wmClass} | grep -q 'gnome-terminal-server'"
"${wmClass} | grep -q 'true,...org.gnome.Console'"
)
machine.sleep(20)
machine.screenshot("screen")