Emily
4ed98d69ed
nixos/nginx: use Mozilla Intermediate TLS configuration
...
The configuration at https://ssl-config.mozilla.org/#server=nginx&config=intermediate
is reliably kept up-to-date in terms of security and compatible with a
wide range of clients. They've probably had more care and thought put
into them than our defaults, and will be easier to keep updated in
the future.
The only removed (rather than changed) configuration option here is
ssl_ecdh_curve, per https://github.com/mozilla/server-side-tls/issues/189 .
Resolves #80952 .
2020-03-06 13:08:56 +00:00
Silvan Mosberger
b38344b54c
Merge pull request #81708 from yegortimoshenko/acme-fullchain-force-symlink
...
nixos/acme: force symlink from fullchain.pem to cert.pem
2020-03-04 19:33:39 +01:00
Michele Guerini Rocco
481a4e938e
Merge pull request #81597 from thatsmydoing/multiport-nat
...
nixos/nat: fix multiple destination ports with loopback
2020-03-04 19:12:25 +01:00
Jörg Thalheim
bbbf224c7d
Merge pull request #81610 from Mic92/zfs
...
nixos/zfs: continue trimming also if one pool fails
2020-03-04 11:44:57 +00:00
Maximilian Bosch
7f9131f260
Merge pull request #81405 from NinjaTrappeur/nin-networkd-policy-rules
...
nixos/networkd: add RoutingPolicyRules-related options
2020-03-04 12:29:29 +01:00
Yegor Timoshenko
c32da2ed9c
nixos/acme: force symlink from fullchain.pem to cert.pem
...
Co-authored-by: emily <vcs@emily.moe>
2020-03-04 12:52:12 +03:00
Thomas Dy
97a61c8903
nixos/nat: fix multiple destination ports with loopback
2020-03-04 18:11:31 +09:00
Florian Klink
407be0a577
Merge pull request #81327 from flokli/add-cage
...
nixos/cage: init
2020-03-03 12:04:33 -08:00
Robert Hensing
6734e58da3
Merge pull request #81292 from hercules-ci/fix-service-runner-quotes
...
nixos/service-runner.nix: Allow quotes in commands + test
2020-03-03 14:31:00 +01:00
Jörg Thalheim
8f543ed80d
nixos/zfs: continue trimming also if one pool fails
...
fixes https://github.com/NixOS/nixpkgs/issues/81602
2020-03-03 11:22:07 +00:00
Yegor Timoshenko
c16f2218da
Merge pull request #80900 from emilazy/acme-must-staple
...
nixos/acme: Must-Staple and extra flags
2020-03-03 03:57:40 +03:00
Yegor Timoshenko
31aefc74c5
Merge pull request #80856 from emilazy/adjust-acme
...
nixos/acme: adjust renewal timer options
2020-03-03 03:49:33 +03:00
Matthew Bauer
e0e4d591cc
nixos/cage: init
...
Add a cage module to nixos. This can be used to make kiosk-style
systems that boot directly to a single application. The user (demo by
default) is automatically logged in by this service and the
program (xterm by default) is automatically started.
This is useful for some embedded, single-user systems where we want
automatic booting. To keep the system secure, the user should have
limited privileges.
Based on the service provided in the Cage wiki here:
https://github.com/Hjdskes/cage/wiki/Starting-Cage-on-boot-with-systemd
Co-Authored-By: Florian Klink <flokli@flokli.de>
2020-03-02 13:43:20 -08:00
WilliButz
eaef96093a
prometheus-nginx-exporter: 0.5.0 -> 0.6.0 ( #81285 )
...
* prometheus-nginx-exporter: 0.5.0 -> 0.6.0
* nixos/prometheus-nginx-exporter: update for 0.6.0
Added new option constLabels and updated virtualHost name in the
exporter's test.
2020-03-02 14:48:40 -05:00
Maximilian Bosch
70325e63d8
Merge pull request #79532 from NixOS/fix-predictable-ifnames-in-initrd
...
nixos/stage-1: fix predictable interface names in initrd
2020-03-02 17:14:06 +01:00
Andreas Rammhold
ca5048cba4
Merge pull request #79925 from mrkkrp/mk/add-nix-store-gcs-proxy-service
...
Add nix-store-gcs-proxy service
2020-03-02 16:04:16 +01:00
Mark Karpov
96b472e95d
module/nix-store-gcs-proxy: init
2020-03-02 16:01:14 +01:00
Félix Baylac-Jacqué
9897d83f58
nixos/networkd: test routingPolicyRules with a nixos vm test
2020-03-02 15:37:40 +01:00
Jörg Thalheim
2c5ffb5c7a
Merge pull request #81164 from Mic92/home-assistant
...
nixos/home-assistant: 0.104.3 -> 0.106.0
2020-03-02 10:55:35 +00:00
Benjamin Staffin
3a2790c342
services.mailman: RemainAfterExit so settings take effect properly
...
Prior to this fix, changes to certain settings would not be applied
automatically and users would have to know to manually restart the
affected service. A prime example of this is
`services.mailman.hyperkitty.baseUrl`, or various things that affect
`mailman3/settings.py`
2020-03-02 02:25:20 +00:00
obadz
c31958449f
Merge pull request #77405 from danielfullmer/zerotier-mac-fix
...
nixos/zerotierone: prevent systemd from changing MAC address
2020-03-01 18:49:00 -07:00
Félix Baylac-Jacqué
611d765b76
nixos/networkd: Add the RoutingPolicyRule-related options
2020-03-01 14:52:36 -08:00
José Romildo Malaquias
74f5358f13
Merge pull request #66601 from eadwu/nvidia/prime-render-offload
...
nvidia: prime render offload
2020-03-01 14:28:57 -03:00
worldofpeace
0bbada3a07
Merge pull request #80451 from worldofpeace/pantheon-doc
...
nixos/pantheon: add docs
2020-03-01 16:56:55 +00:00
worldofpeace
21c971a732
Merge pull request #81118 from tilpner/gitdaemon-usercreation
...
nixos/git-daemon: only create git user if it will be used
2020-03-01 13:40:57 +00:00
Yegor Timoshenko
98cbc40570
Merge pull request #81371 from mweinelt/pr/acme-autostart
...
nixos/acme: renew after rebuild and on boot
2020-03-01 15:46:31 +03:00
Jörg Thalheim
1b92a08a71
Merge pull request #81297 from Mic92/sslh
...
nixos/sslh: don't run as nogroup
2020-03-01 12:18:09 +00:00
worldofpeace
e906014d4b
Merge pull request #80920 from worldofpeace/rngd-cleanup-shutdown
...
nixos/rngd: fix clean shutdown
2020-03-01 11:44:22 +00:00
Emily
ffb7b984b2
nixos/acme: add extraLegoRenewFlags option
2020-02-29 16:44:04 +00:00
Emily
b522aeda5a
nixos/acme: add ocspMustStaple option
2020-02-29 16:44:04 +00:00
Emily
7b14bbd734
nixos/acme: adjust renewal timer options
...
The current weekly setting causes every NixOS server to try to renew
its certificate at midnight on the dot on Monday. This contributes to
the general problem of periodic load spikes for Let's Encrypt; NixOS
is probably not a major contributor to that problem, but we can lead by
example by picking good defaults here.
The values here were chosen after consulting with @yuriks, an SRE at
Let's Encrypt:
* Randomize the time certificates are renewed within a 24 hour period.
* Check for renewal every 24 hours, to ensure the certificate is always
renewed before an expiry notice is sent out.
* Increase the AccuracySec (thus lowering the accuracy(!)), so that
systemd can coalesce the renewal with other timers being run.
(You might be worried that this would defeat the purpose of the time
skewing, but systemd is documented as avoiding this by picking a
random time.)
2020-02-29 14:03:36 +00:00
Martin Weinelt
5ff9441471
nixos/acme: renew after rebuild and on boot
...
Fixes #81069
2020-02-29 14:40:34 +01:00
worldofpeace
3be04570e0
nixos/pantheon: add docs
2020-02-28 19:43:18 -05:00
Jörg Thalheim
9218a58964
nixos/sslh: don't run as nogroup
...
See #55370
2020-02-28 15:32:36 +00:00
Jörg Thalheim
ee2ea82a68
nixos/home-assistant: make config deep mergeable
...
This make it possible to split the home-assistant configuration
across multiple files and nix will merge the option in an intuitive
way.
2020-02-28 15:32:03 +00:00
WilliButz
68410b08be
nixos/codimd: update useCDN default to false
2020-02-28 14:36:46 +01:00
Robert Hensing
43521ac965
nixos/service-runner.nix: Allow quotes in commands + test
2020-02-28 14:26:29 +01:00
worldofpeace
76f4f6b95d
Merge pull request #81087 from lovesegfault/tlp-1.3.1
...
tlp: 1.2.2 -> 1.3.1
2020-02-27 19:43:14 +00:00
Bernardo Meurer
ee7becd918
nixos/tlp: revamp
2020-02-27 09:58:51 -08:00
Thomas Tuegel
d3e3cc1225
nixos/plasma5: Fix activation script when XDG_CONFIG_HOME is unset
...
Fixes #80713
2020-02-27 09:48:58 -06:00
Daniel Schaefer
39ed5ff74c
Merge pull request #80329 from mmilata/hunspell-pathstolink
...
nixos: add /share/hunspell to environment.pathsToLink
2020-02-27 09:23:08 +01:00
Aaron Andersen
4d67db3101
Merge pull request #80849 from BBBSnowball/pull-load-imagick-once
...
nixos/nextcloud: avoid loading imagick extension more than once
2020-02-26 17:17:55 -05:00
Franz Pletz
2dff70f0f3
Merge pull request #80981 from bachp/nextcloud-x-frame-warning
...
nixos/nextcloud: prevent warning about missing X-Frame-Option
2020-02-26 17:37:38 +00:00
Vladimír Čunát
5f881209f9
nixos/kresd: never force extraFeatures = false
...
Fixes #81109 . Regressed in PR #78392 (26858063
).
2020-02-26 15:10:53 +01:00
tilpner
6df119a6ec
nixos/git-daemon: only create git user if it will be used
2020-02-26 15:04:36 +01:00
Silvan Mosberger
5f37069888
Merge pull request #80861 from emilazy/acme-fullchain
...
nixos/acme: move the crt to fullchain.pem
2020-02-26 00:48:53 +01:00
Martin Milata
9b0a9577f7
nixos/parsoid: enable systemd sandboxing
2020-02-25 01:32:31 +01:00
Martin Milata
3b27f4d945
nixos/parsoid: fix package name
...
Original package was removed in 2b8cde0ce2
.
2020-02-25 01:32:30 +01:00
Pascal Bach
119a7aae50
nixos/nextcloud: prevent warning about missing X-Frame-Option
2020-02-24 22:07:24 +01:00
Jörg Thalheim
ee08bd8dec
Merge pull request #80831 from Mic92/netdata
...
netdata: 1.19.0 -> 1.20.0
2020-02-24 17:24:19 +00:00