Treat it the same as IPv4 (I'm tempted to disable IPv4 by default);
this is the only option I still need to set manually to enjoy IPv6-only
networks including printer discovery!
The `curve25519-sha256` key exchange method is defined in RFC 8731 that
is identical to curve25519-sha256@libssh.org. OpenSSH supports the
method since version 7.4, released on 2016-12-19. It is literally a
violation of the "both in Secure Secure Shell and Mozilla guidelines"
rule, but it provides essentially the same but a future-proof default.
Also, links to the Mozilla OpenSSH guidelines are updated to refer to
the current place.
Signed-off-by: Masanori Ogino <167209+omasanori@users.noreply.github.com>
Secrets are injected from the environment into the rendered
configuration before each startup using envsubst.
The test now makes use of this feature for the server password.
powerDownCommands is supposed to run before shutdown, but the current
implementation only runs before-sleep, thus not enabling wakeonlan on
devices when powering off even if the hardware supports it.
Taking into consideration the possibility of unexpected shutdown, it is
preferable to move the commands to powerUpCommands instead which is
executed at boot time as well as after resume - that should cover all
use cases for wakeonlan.
Fixes #91352
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests
I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.
I encountered some problems ensuring that the reload took place
without accidently triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.
- Fix duplicate systemd rules on reload services
Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
There are circumstances where running secondary DHCP servers in
non-authoritative mode is advantageous. Retain the previous
authoritative behavior as a default.
This is necessary for VPNs where some of the nodes run pre-1.1 versions.
Most of Linux distros [0] and even the nixpkgs.tinc attribute run on that
version, so it might be useful to have that option.
[0] https://repology.org/project/tinc/versions
The resilio module places the directoryRoot configuration in the webui
section. However, the generated configuration fails on the current
version of Resilio Sync with:
Invalid key context: 'directory_root' must be in global config section
This change places this key in the global configuration section to
solve this error.
Build error introduced in fe7053f75a912197f312d890740dd3bdde0ed994:
parser error : Opening and ending tag mismatch: commmand line 6139 and command
escription><para>Base64 preshared key generated by <commmand>wg genpsk</command>
^
Writing "command" with only two "m" fixes building the NixOS manual.
Signed-off-by: aszlig <aszlig@nix.build>
This reverts commit d3a26a5ecd.
Using ServiceConfig.ExecStart instead of script lead to the content not
being executed in a shell anymore, which broke the secrets being read
from a file and passed as a command line parameter.
Currently the service doesn't detect if on of the packages is updated
and doesn't restart.
By manually adding a trigger we make sure the service restarts if any of
the involved packages update.
We remove the configFile build flag override in the NixOS module.
Instead of embedding the conf file link to the binaries, we symlink it
to /etc/nsd/nsd.nix, the hardcoded config file location for the
various CLI nsd utilities.
This config file build option override is triggerring a nsd rebuild
for each configuration change. This prevent us to use the nixos cache
in many cases.
Co-authored-by: Erjo <erjo@cocoba.work>
services.networking.firewall might have existed during import of this
module in 2016, but it is unknown as of today.
Point to the proper boolean knob to avoid confusion.
