Switch from slim to lightdm as the display-manager.
If plasma5 is used as desktop-manager use sdddm.
If gnome3 is used as desktop-manager use gdm.
Based on #12516
The recommended TLS configuration comes with `ssl_stapling on` and
`ssl_stapling_verify on`. However, this last directive also requires
the use of `ssl_trusted_certificate` to verify the received answer.
When using `enableACME` or similar, we can help the user by providing
the correct value for the directive.
The result can be tested with:
openssl s_client -connect web.example.com:443 -status 2> /dev/null
Without OCSP stapling, we get:
OCSP response: no response sent
After this change, we get:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Aug 30 20:46:00 2018 GMT
This allows one to add rules which change a packet's routing table:
iptables -t raw -I PREROUTING 1 -m set --match-set myset src -j MARK --set-mark 2
ip rule add fwmark 2 table 1 priority 1000
ip route add default dev wg0 table 1
to the beginning of raw table PREROUTING chain, and still have rpfilter.
The wallpaper used is *structurally compatible* with the other one,
meaning that the logo is at the same location, and not bigger.
It has one drawback: the logo is brighter, which clashes with the grub
usage. This is to be fixed with new options in grub.
The additions are:
- image/svg+xml for SVG images
- application/atom+xml for Atom feeds
These types are also present in mime.types. For better readability,
the list is sorted and formatted with one type per line.
This prevents issues when gitea adds new locales etc. And if they
change locale values in future versions. Or if you rollback to a
previous version of gitea it might be a good idea to use the previous
locale files.
thermald has two modes: zero-config and manual. Sometimes it is useful
to manually configure thermald to achieve better thermal results or to give
thermald a hand when detecting possible cooling options.
This allows the user to add `wpa_supplicant` config options not yet supported by Nix without having to write the entire `wpa_supplicant.conf` file manually.
Introduces an option `services.datadog-agent.extraIntegrations` that
can be set to include additional Datadog agent integrations from the
integrations-core repository.
Documentation and an example is provided with the change.
Relates to NixOS/nixpkgs#40399
Refactors the datadog-agent (i.e. V6) module to let users configure
arbitrary checks, not just a limited set, without having to resort to
linking the files manually and updating the systemd unit.
Checks are now configured via a `services.datadog-agent.checks` option
which takes an attribute set in which the keys refer directly to
Datadog check names, and the values are attribute sets representing
Datadog's configuration structure.
With this mechanism users can configure arbitrary integrations, for
example for the `ntp`-check, simply by saying:
services.datadog-agent.checks.ntp = {
init_config = null;
# ... other check configuration options as per Datadog
# documentation
};
The previous check-specific configuration options for non-default
checks have been removed. Disk & network check configuration options
have been kept rather than making them a `default`-value of the
`checks`-option because they will be overridden by user-configurations
in that case.
Relates to NixOS/nixpkgs#40399.
Some modules of cloud-init can cope with a network not immediately
available (notably, the EC2 module), but some others won't retry if
network is not available (notably, the Cloudstack module).
network.target doesn't give much guarantee about the network
availability. Applications not able to start without a fully
configured network should be ordered after network-online.target.
Also see #44573 and #44524.
We override the ESP mount point in the config file /etc/fwupd/uefi.conf
(available since version 1.0.6), as it is set to a path in the nix store
during build time.
Tests are disabled as it needs /etc/os-release, which is not available
when building with sandboxing enabled.
First change is to override the nm-dispatcher systemd service so that
it puts coreutils (wc/env/...) and iproute in PATH.
Second change is to make sure userscripts have the execute bit.
This reverts a change applied in PR #18491. When interfaces are
configured by DHCP (typical in a cloud environment), ordering after
network.target cause trouble to applications expecting some network to
be present on boot (for example, cloud-init is quite brittle when
network hasn't been configured for `cloud-init.service`) and on
shutdown (for example, collectd needs to flush metrics on shutdown).
When ordering after network.target, we ensure applications relying on
network.target won't have any network reachability on boot and
potentially on shutdown.
Therefore, I think ordering before network.target is better.
The web_access.patch would no longer apply.
It disabled a check that required the static files
for the web UI to be owned by the user the daemon runs as
(not root, so it doesn't work well with nix).
Besides updating netdata, this commit removes that patch,
changes the netdata service config to set the "web files owner/group"
option to "root" and adds a test that checks that the web UI is being served.
This allows the web files to be owned by root without patching.
Broke evaluation of the nixos options.
The option `services.dysnomia' defined in `.../nixos/modules/rename.nix' does not exist.
This reverts commit 5c897b4eff.
Use nixos-fw chain instead of INPUT so that the rules don't keep
stacking everytime the firewall is reloaded.
This also adds a comment to each rule about the associated exporter.
- based on module originally written by @srhb
- complies with available options in cfssl v1.3.2
- uid and gid 299 reserved in ids.nix
- added simple nixos test case
Fixes#30891
* Upgrade `graphite-web`, `carbon` and `whisper` from 1.0.2 -> 1.1.3.
* Replaced the deprecated `pythonPackages.graphite_influxdb` with
`pythonPackages.influxgraph.`
* Renamed `pythonPackages.graphite_web` to `pythonPackages.graphite-web`
to be consistent with the Python package name.
* Replaced the unmaintained `pythonPackages.graphite_pager` with
`pythonPackages.graphitepager`
* Moved all new packages from `python-packages.nix` to
`pkgs/development/python-modules`
`ocserv` is a VPN server which follows the openconnect protocol
(https://github.com/openconnect/protocol). The packaging is slightly
inspired by the AUR version
(https://aur.archlinux.org/packages/ocserv/).
This patch initializes the package written in C, the man pages and a
module for a simple systemd unit to run the VPN server. The package
supports the following authentication methods for the server:
* `plain` (mostly username/password)
* `pam`
The third method (`radius`) is currently not supported since `nixpkgs`
misses a packaged client.
The module can be used like this:
``` nix
{
services.ocserv = {
enable = true;
config = ''
...
'';
};
}
```
The option `services.ocserv.config` is required on purpose to
ensure that nobody just enables the service and experiences unexpected
side-effects on the system. For a full reference, please refer to the
man pages, the online docs or the example value.
The docs recommend to simply use `nobody` as user, so no extra user has
been added to the internal user list. Instead a configuration like
this can be used:
```
run-as-user = nobody
run-as-group = nogroup
```
/cc @tenten8401
Fixes#42594
The default session might be found in `extraSessionFilePackages`, but it's not
viable to detect at evaluation time, so emit a warning.
In LightDM instead of checking `defaultSessionName` against
`displayManager.session.names` we rely on the assertions in
`desktopManager` and `windowMananger` and just check that there's at least one
default set. The second assertion could never actually be triggered.