3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

13299 commits

Author SHA1 Message Date
Emily 4ed98d69ed nixos/nginx: use Mozilla Intermediate TLS configuration
The configuration at https://ssl-config.mozilla.org/#server=nginx&config=intermediate
is reliably kept up-to-date in terms of security and compatible with a
wide range of clients. They've probably had more care and thought put
into them than our defaults, and will be easier to keep updated in
the future.

The only removed (rather than changed) configuration option here is
ssl_ecdh_curve, per https://github.com/mozilla/server-side-tls/issues/189.

Resolves #80952.
2020-03-06 13:08:56 +00:00
Silvan Mosberger b38344b54c
Merge pull request #81708 from yegortimoshenko/acme-fullchain-force-symlink
nixos/acme: force symlink from fullchain.pem to cert.pem
2020-03-04 19:33:39 +01:00
Michele Guerini Rocco 481a4e938e
Merge pull request #81597 from thatsmydoing/multiport-nat
nixos/nat: fix multiple destination ports with loopback
2020-03-04 19:12:25 +01:00
Jörg Thalheim bbbf224c7d
Merge pull request #81610 from Mic92/zfs
nixos/zfs: continue trimming also if one pool fails
2020-03-04 11:44:57 +00:00
Maximilian Bosch 7f9131f260
Merge pull request #81405 from NinjaTrappeur/nin-networkd-policy-rules
nixos/networkd: add RoutingPolicyRules-related options
2020-03-04 12:29:29 +01:00
Yegor Timoshenko c32da2ed9c nixos/acme: force symlink from fullchain.pem to cert.pem
Co-authored-by: emily <vcs@emily.moe>
2020-03-04 12:52:12 +03:00
Thomas Dy 97a61c8903 nixos/nat: fix multiple destination ports with loopback 2020-03-04 18:11:31 +09:00
Florian Klink 407be0a577
Merge pull request #81327 from flokli/add-cage
nixos/cage: init
2020-03-03 12:04:33 -08:00
Robert Hensing 6734e58da3
Merge pull request #81292 from hercules-ci/fix-service-runner-quotes
nixos/service-runner.nix: Allow quotes in commands + test
2020-03-03 14:31:00 +01:00
Jörg Thalheim 8f543ed80d
nixos/zfs: continue trimming also if one pool fails
fixes https://github.com/NixOS/nixpkgs/issues/81602
2020-03-03 11:22:07 +00:00
Yegor Timoshenko c16f2218da
Merge pull request #80900 from emilazy/acme-must-staple
nixos/acme: Must-Staple and extra flags
2020-03-03 03:57:40 +03:00
Yegor Timoshenko 31aefc74c5
Merge pull request #80856 from emilazy/adjust-acme
nixos/acme: adjust renewal timer options
2020-03-03 03:49:33 +03:00
Matthew Bauer e0e4d591cc nixos/cage: init
Add a cage module to nixos. This can be used to make kiosk-style
systems that boot directly to a single application. The user (demo by
default) is automatically logged in by this service and the
program (xterm by default) is automatically started.

This is useful for some embedded, single-user systems where we want
automatic booting. To keep the system secure, the user should have
limited privileges.

Based on the service provided in the Cage wiki here:

https://github.com/Hjdskes/cage/wiki/Starting-Cage-on-boot-with-systemd

Co-Authored-By: Florian Klink <flokli@flokli.de>
2020-03-02 13:43:20 -08:00
WilliButz eaef96093a
prometheus-nginx-exporter: 0.5.0 -> 0.6.0 (#81285)
* prometheus-nginx-exporter: 0.5.0 -> 0.6.0

* nixos/prometheus-nginx-exporter: update for 0.6.0

Added new option constLabels and updated virtualHost name in the
exporter's test.
2020-03-02 14:48:40 -05:00
Maximilian Bosch 70325e63d8
Merge pull request #79532 from NixOS/fix-predictable-ifnames-in-initrd
nixos/stage-1: fix predictable interface names in initrd
2020-03-02 17:14:06 +01:00
Andreas Rammhold ca5048cba4
Merge pull request #79925 from mrkkrp/mk/add-nix-store-gcs-proxy-service
Add nix-store-gcs-proxy service
2020-03-02 16:04:16 +01:00
Mark Karpov 96b472e95d
module/nix-store-gcs-proxy: init 2020-03-02 16:01:14 +01:00
Félix Baylac-Jacqué 9897d83f58 nixos/networkd: test routingPolicyRules with a nixos vm test 2020-03-02 15:37:40 +01:00
Jörg Thalheim 2c5ffb5c7a
Merge pull request #81164 from Mic92/home-assistant
nixos/home-assistant: 0.104.3 -> 0.106.0
2020-03-02 10:55:35 +00:00
Benjamin Staffin 3a2790c342 services.mailman: RemainAfterExit so settings take effect properly
Prior to this fix, changes to certain settings would not be applied
automatically and users would have to know to manually restart the
affected service.  A prime example of this is
`services.mailman.hyperkitty.baseUrl`, or various things that affect
`mailman3/settings.py`
2020-03-02 02:25:20 +00:00
obadz c31958449f
Merge pull request #77405 from danielfullmer/zerotier-mac-fix
nixos/zerotierone: prevent systemd from changing MAC address
2020-03-01 18:49:00 -07:00
Félix Baylac-Jacqué 611d765b76 nixos/networkd: Add the RoutingPolicyRule-related options 2020-03-01 14:52:36 -08:00
José Romildo Malaquias 74f5358f13
Merge pull request #66601 from eadwu/nvidia/prime-render-offload
nvidia: prime render offload
2020-03-01 14:28:57 -03:00
worldofpeace 0bbada3a07
Merge pull request #80451 from worldofpeace/pantheon-doc
nixos/pantheon: add docs
2020-03-01 16:56:55 +00:00
worldofpeace 21c971a732
Merge pull request #81118 from tilpner/gitdaemon-usercreation
nixos/git-daemon: only create git user if it will be used
2020-03-01 13:40:57 +00:00
Yegor Timoshenko 98cbc40570
Merge pull request #81371 from mweinelt/pr/acme-autostart
nixos/acme: renew after rebuild and on boot
2020-03-01 15:46:31 +03:00
Jörg Thalheim 1b92a08a71
Merge pull request #81297 from Mic92/sslh
nixos/sslh: don't run as nogroup
2020-03-01 12:18:09 +00:00
worldofpeace e906014d4b
Merge pull request #80920 from worldofpeace/rngd-cleanup-shutdown
nixos/rngd: fix clean shutdown
2020-03-01 11:44:22 +00:00
Emily ffb7b984b2 nixos/acme: add extraLegoRenewFlags option 2020-02-29 16:44:04 +00:00
Emily b522aeda5a nixos/acme: add ocspMustStaple option 2020-02-29 16:44:04 +00:00
Emily 7b14bbd734 nixos/acme: adjust renewal timer options
The current weekly setting causes every NixOS server to try to renew
its certificate at midnight on the dot on Monday. This contributes to
the general problem of periodic load spikes for Let's Encrypt; NixOS
is probably not a major contributor to that problem, but we can lead by
example by picking good defaults here.

The values here were chosen after consulting with @yuriks, an SRE at
Let's Encrypt:

* Randomize the time certificates are renewed within a 24 hour period.

* Check for renewal every 24 hours, to ensure the certificate is always
  renewed before an expiry notice is sent out.

* Increase the AccuracySec (thus lowering the accuracy(!)), so that
  systemd can coalesce the renewal with other timers being run.

  (You might be worried that this would defeat the purpose of the time
  skewing, but systemd is documented as avoiding this by picking a
  random time.)
2020-02-29 14:03:36 +00:00
Martin Weinelt 5ff9441471
nixos/acme: renew after rebuild and on boot
Fixes #81069
2020-02-29 14:40:34 +01:00
worldofpeace 3be04570e0 nixos/pantheon: add docs 2020-02-28 19:43:18 -05:00
Jörg Thalheim 9218a58964
nixos/sslh: don't run as nogroup
See #55370
2020-02-28 15:32:36 +00:00
Jörg Thalheim ee2ea82a68
nixos/home-assistant: make config deep mergeable
This make it possible to split the home-assistant configuration
across multiple files and nix will merge the option in an intuitive
way.
2020-02-28 15:32:03 +00:00
WilliButz 68410b08be
nixos/codimd: update useCDN default to false 2020-02-28 14:36:46 +01:00
Robert Hensing 43521ac965 nixos/service-runner.nix: Allow quotes in commands + test 2020-02-28 14:26:29 +01:00
worldofpeace 76f4f6b95d
Merge pull request #81087 from lovesegfault/tlp-1.3.1
tlp: 1.2.2 -> 1.3.1
2020-02-27 19:43:14 +00:00
Bernardo Meurer ee7becd918
nixos/tlp: revamp 2020-02-27 09:58:51 -08:00
Thomas Tuegel d3e3cc1225
nixos/plasma5: Fix activation script when XDG_CONFIG_HOME is unset
Fixes #80713
2020-02-27 09:48:58 -06:00
Daniel Schaefer 39ed5ff74c
Merge pull request #80329 from mmilata/hunspell-pathstolink
nixos: add /share/hunspell to environment.pathsToLink
2020-02-27 09:23:08 +01:00
Aaron Andersen 4d67db3101
Merge pull request #80849 from BBBSnowball/pull-load-imagick-once
nixos/nextcloud: avoid loading imagick extension more than once
2020-02-26 17:17:55 -05:00
Franz Pletz 2dff70f0f3
Merge pull request #80981 from bachp/nextcloud-x-frame-warning
nixos/nextcloud: prevent warning about missing X-Frame-Option
2020-02-26 17:37:38 +00:00
Vladimír Čunát 5f881209f9
nixos/kresd: never force extraFeatures = false
Fixes #81109.  Regressed in PR #78392 (26858063).
2020-02-26 15:10:53 +01:00
tilpner 6df119a6ec
nixos/git-daemon: only create git user if it will be used 2020-02-26 15:04:36 +01:00
Silvan Mosberger 5f37069888
Merge pull request #80861 from emilazy/acme-fullchain
nixos/acme: move the crt to fullchain.pem
2020-02-26 00:48:53 +01:00
Martin Milata 9b0a9577f7 nixos/parsoid: enable systemd sandboxing 2020-02-25 01:32:31 +01:00
Martin Milata 3b27f4d945 nixos/parsoid: fix package name
Original package was removed in 2b8cde0ce2.
2020-02-25 01:32:30 +01:00
Pascal Bach 119a7aae50 nixos/nextcloud: prevent warning about missing X-Frame-Option 2020-02-24 22:07:24 +01:00
Jörg Thalheim ee08bd8dec
Merge pull request #80831 from Mic92/netdata
netdata: 1.19.0 -> 1.20.0
2020-02-24 17:24:19 +00:00