3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

2829 commits

Author SHA1 Message Date
Sandro 7fa8d8b2e2
Merge pull request #153481 from Tchekda/submit/bird-lg 2022-05-25 18:20:58 +02:00
pennae 023e25264c
Merge pull request #172983 from pennae/mosquitto-bind-interface
nixos/mosquitto: add bind_interface listener option, fix assertion messages
2022-05-23 10:53:08 +00:00
Martin Weinelt 05232d19b6
Merge pull request #163220 from fleaz/init-r53_ddns 2022-05-22 17:08:55 +02:00
Francesco Gazzetta 6bb9d0ce3b nixos/zeronet: fix systemd after 2022-05-21 17:46:28 -04:00
Francesco Gazzetta 183e391256 nixos/zeronet: add package option 2022-05-21 17:46:28 -04:00
David Tchekachev 0f63bd3ba8
nixos/bird-lg: init 2022-05-20 15:44:00 +03:00
Jörg Thalheim e56ae50ed9
Merge pull request #173109 from Mic92/upterm
nixos/upterm: additional hardening
2022-05-19 20:16:13 +01:00
Niklas Hambüchen 23aee34b6f
Merge pull request #171264 from NixOS/nebula-always-restart
nixos/nebula: Always restart
2022-05-19 14:05:49 +02:00
Anillc 6958412083
nixos/frr: add extraOptions option
Support passing options to daemons. For example, bgpd needs '-M rpki' to
enable rpki functions.
2022-05-19 16:02:47 +08:00
Silvan Mosberger 26ab617a10
Merge pull request #172393 from mweinelt/openssh/sntrup761x25519-sha512-kexmethod
nixos/openssh: Add sntrup761x25519-sha512 kexAlgo
2022-05-18 12:03:00 +02:00
Lassulus a976121d57
Merge pull request #165474 from jian-lin/fix-wireguard-systemd-unit-dependency
nixos/wireguard: fix dependencies on network-related targets
2022-05-18 11:16:25 +02:00
Robert Schütz ae758a85d7 nixos/radicale: give access to /dev/urandom
A git command was failing in the test with

    error: unable to get random bytes for temporary file: Operation not permitted
    error: unable to create temporary file: Operation not permitted
    error: .Radicale.lock: failed to insert into database
    error: unable to index file '.Radicale.lock'
2022-05-17 22:23:57 +02:00
github-actions[bot] f10256fb7a
Merge master into staging-next 2022-05-16 12:02:51 +00:00
Sandro 6c0dc6d621
nixos/ddclient: turn verbose off by default
verbose is a debugging setting one step noisier than debug and should only be turned on when debugging because it leaks quite some credentials and tokens in the journalctl.
2022-05-16 01:49:08 +02:00
pennae c1115d37ff nixos/mosquitto: fix attribute path display in assertions 2022-05-15 10:33:38 +02:00
pennae 2145dbc4fc nixos/mosquitto: add missing listener option bind_interface
we expose it under settings instead of at the listener toplevel because
mosquitto seems to pick the addresses it will listen on
nondeterministically from the set of addresses configured on the
interface being bound to. encouraging its use by putting it into the
toplevel options for a listener seems inadvisable.
2022-05-15 10:33:38 +02:00
Jörg Thalheim eefafb54ef
nixos/upterm: additional hardening
Before:
$ ps aux | grep upterm
root     2575046  0.0  0.0 1085080 6968 ?        Ssl  07:03   0:00 /nix/store/ci97r1lqx4128w75k7dcsw82j5bl0n3g-upterm-0.8.2/bin/uptermd --ssh-addr [::]:2323 --private-key ssh_host_ed25519_key

After
$ ps aux | grep upterm
uptermd  2832993  0.4  0.0 1158812 6856 ?        Ssl  07:08   0:00 /nix/store/ci97r1lqx4128w75k7dcsw82j5bl0n3g-upterm-0.8.2/bin/uptermd --ssh-addr [::]:2323 --private-key ssh_host_ed25519_key
2022-05-15 09:57:52 +02:00
github-actions[bot] bcb22e9a7b
Merge master into staging-next 2022-05-13 18:01:23 +00:00
Georg Haas 18ffb9690c
nixos/uptermd: init 2022-05-13 17:44:44 +02:00
Martin Weinelt fa7ce6bc7f
nixos/openssh: Add sntrup761x25519-sha512 kexAlgo
Introduced in OpenSSH 9.0 it became the part of the default kexAlgorithm
selection, visibile in sshd_config(5).

It is also enabled by default in the OpenSSH client, as can be seen from

$ ssh -Q KexAlgorithms

Also clarifies that we use the referenced documents as the lower bound,
given that they haven't been updated for 5-7y.
2022-05-10 23:20:54 +02:00
github-actions[bot] 27575e98ee
Merge staging-next into staging 2022-05-09 12:08:45 +00:00
Janne Heß e6fb1e63d1
Merge pull request #171650 from helsinki-systems/feat/config-systemd-package
treewide: pkgs.systemd -> config.systemd.package
2022-05-09 10:23:04 +02:00
github-actions[bot] 31938a3f5c
Merge staging-next into staging 2022-05-09 00:03:28 +00:00
Ivan Kozik 9db1d1782b nixos/tinc: unbreak the service
The user is actually tinc.${network}, as Mic92 points out in
https://github.com/NixOS/nixpkgs/pull/171703#discussion_r867506032

Sorry, I broke this in https://github.com/NixOS/nixpkgs/pull/171703 earlier.

coreutils 9.1 chown does not complain in this case with a valid dotted user.
2022-05-08 16:04:20 +00:00
github-actions[bot] 00e5877c2f
Merge staging-next into staging 2022-05-07 00:02:47 +00:00
Sandro d21ebc62bf
Merge pull request #170851 from danderson/danderson/ts-warn-rpf
nixos/tailscale: warn if strict reverse path filtering is in use.
2022-05-06 23:21:50 +02:00
github-actions[bot] ad713fb84e
Merge staging-next into staging 2022-05-06 12:02:39 +00:00
Yureka 96aaf29234
Revert "Merge pull request #164398 from NinjaTrappeur/nin/pleroma-wrappers"
This reverts commit 05417a66e7, reversing
changes made to 53e4f8d237.
2022-05-06 12:38:28 +02:00
github-actions[bot] 4c4d0d6bc3
Merge staging-next into staging 2022-05-06 06:02:20 +00:00
Rick van Schijndel 32bebf42ea
Merge pull request #171703 from ivan/chown-colon
treewide: chown user:group instead of user.group to fix warnings from coreutils 9.1
2022-05-06 07:20:40 +02:00
David Anderson 3fdac0f981 nixos/tailscale: warn if strict reverse path filtering is in use.
Tailscale uses policy routing to enable certain traffic to bypass
routes that lead into the Tailscale mesh. NixOS's reverse path
filtering setup doesn't understand the policy routing at play,
and so incorrectly interprets some of this traffic as spoofed.

Since this only breaks some features of Tailscale, merely warn
users about it, rather than make it a hard error.

Updates tailscale/tailscale#4432

Signed-off-by: David Anderson <dave@natulte.net>
2022-05-05 18:28:48 -07:00
Sandro b9e7f61c72
Merge pull request #171747 from danderson/danderson/tailscale-getent
nixos/tailscale: add glibc to PATH.
2022-05-06 03:10:00 +02:00
Sandro e5e30371bc
Merge pull request #170210 from danderson/danderson/restart-tailscaled
nixos/tailscale: use systemctl restart during activation.
2022-05-06 03:09:01 +02:00
David Anderson 67b1fac192 nixos/tailscale: add glibc to PATH.
For some features, tailscaled uses getent(1) to get the shell
of OS users. getent(1) is in the glibc derivation. Without this
derivation in the path, tailscale falls back to /bin/sh for all
users.

Signed-off-by: David Anderson <dave@natulte.net>
2022-05-05 17:09:27 -07:00
Ivan Kozik 59a76614f3 treewide: chown user:group instead of user.group to fix warnings from coreutils 9.1 2022-05-05 22:05:18 +00:00
Janne Heß 57cd07f3a9
treewide: pkgs.systemd -> config.systemd.package
This ensures there is only one systemd package when e.g. testing the
next systemd version.
2022-05-05 20:00:31 +02:00
LuoChen e4b942eccf wg-quick: fix postUp always generated issue 2022-05-05 16:08:46 +08:00
Daniel Fullmer ad38a2a646 nixos/ssh: remove empty host key files before generating new ones
In a previous PR [1], the conditional to generate a new host key file
was changed to also include the case when the file exists, but has zero
size. This could occur when the system is uncleanly powered off shortly
after first boot.

However, ssh-keygen prompts the user before overwriting a file. For
example:

$ touch hi
$ ssh-keygen -f hi
Generating public/private rsa key pair.
hi already exists.
Overwrite (y/n)?

So, lets just try to remove the empty file (if it exists) before running
ssh-keygen.

[1] https://github.com/NixOS/nixpkgs/pull/141258
2022-05-03 22:09:43 -07:00
fleaz 8b250ec5af
nixos/r53-ddns: init 2022-05-04 00:16:18 +02:00
Matthieu Coudron 5114d91cd8
Merge pull request #169802 from NinjaTrappeur/nin/prosody012 2022-05-03 11:04:17 +02:00
Niklas Hambüchen 73135fb85d
nixos/nebula: Always restart
Without this, if the network goes down for a while, systemd will give up after 5 restarts:

    Scheduled restart job, restart counter is at 5.
    Stopped Nebula VPN service for myvpn.
    nebula@myvpn.service: Start request repeated too quickly.
    Failed with result 'exit-code'.
    Failed to start Nebula VPN service for myvpn.

Most network services need this, but for VPNs it's extra important.
2022-05-02 16:45:44 +02:00
Félix Baylac-Jacqué 20693a1e73
prosody: 0.11.13 -> 0.12.0
See https://blog.prosody.im/prosody-0.12.0-released for more
informations.

We remove the various lua wrappers introduced by
6799a91843 and
16d0b4a69f. It seems like we don't need
them anymore. I'm not brave enough to dig into the Lua machinery to
see what resolved that. Sorry, you'll have to trust me on that one.

We should probably think about the migration from http_upload to
http_file_share for the NixOS module. It's not trivial, we need to
make sure we don't break the already uploaded URLs.
2022-05-02 12:43:19 +02:00
Lara 917be9fa32 asterisk: Create symlinks for each config individually
This commit refactors the way how configuration files are deployed to
the `/etc/asterisk` directory.

The current solution builds a Nix derivation containing all config files
and symlinks it to `/etc/asterisk`. The problem with that approach is
that it is not possible to provide additional configuration that should
not be written to the Nix store, i.e. files containing credentials.

The proposed solution changes the creation of configuration files so
that each configuration file gets symlinked to `/etc/asterisk`
individually so that it becomes possible to provide additional config
files to `/etc/asterisk` as well.
2022-05-02 10:32:34 +00:00
Bernardo Meurer ecfb5500f7
nixos/cloudflare-dyndns: init 2022-05-01 16:50:31 -07:00
Arnout Engelen 2b85441bb0
Merge pull request #146241 from rgrunbla/wpa_supplicant-fix-writable
wpa_supplicant: prevent writing non-writable configuration
2022-04-27 11:35:49 +02:00
David Anderson c9a1647ade nixos/tailscale: use systemctl restart during activation.
This avoids the scenario where you activate a new config over Tailscale,
and a long delay between the "stop services" and "start services" phases
of the activation script lead to your terminal freezing for tens of
seconds, until tailscaled finally gets started again and the session
recovers.

Per the documentation of stopIfChanged, this is only safe to do if the
service definition is robust to stopping the old process using the new
service definition. As the maintainer of the upstream systemd unit, I
can confirm that Tailscale is robust to this scenario: it has to be
in order to work right on several other distros that just do
unpack-then-restart, rather than the more complex stop-unpack-start
dance.

Signed-off-by: David Anderson <dave@natulte.net>
2022-04-24 23:31:35 -07:00
Jonas Heinrich 24b53785cc nixos/create_ap: add module 2022-04-23 07:17:44 -04:00
Jörg Thalheim aa446f8d3c
Merge pull request #169437 from Mic92/consul
nixos/consul: allow ipv6-only
2022-04-21 07:22:02 +01:00
Lassulus b424ce3fd2
Merge pull request #161587 from helsinki-systems/feat/bird2-reload-trigger
nixos/bird: reloadIfChanged -> reloadTriggers
2022-04-20 18:24:05 +01:00
Jörg Thalheim 325a525467
nixos/consul: allow ipv6-only 2022-04-20 17:32:06 +02:00