1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-25 03:17:13 +00:00
Commit graph

2232 commits

Author SHA1 Message Date
Maximilian Bosch 84670bf681
wpa_supplicant: review fixes 2021-04-16 13:28:26 +02:00
Maximilian Bosch 08ced9d67f
nixos/wpa_supplicant: make new behavior opt-in 2021-04-16 13:18:46 +02:00
Maximilian Bosch de0a39166b
wpa_supplicant: allow both imperative and declarative networks
For a while now it's possible to specify an additional config file in
`wpa_supplicant`[1]. In contrast to the file specified via `-c` this was
supposed to be used for immutable settings and not e.g. additional
networks.

However I'm a little bit unhappy about the fact that one has to choose
between a fully imperative setup and a fully declarative one where the
one would have to write credentials for e.g. WPA2-enterprise networks
into the store.

The primary problem with the current state of `wpa_supplicant` is that
if the `SAVE_CONFIG` command is invoked (e.g. via `wpa_cli`), all known
networks will be written to `/etc/wpa_supplicant.conf` and thus all
declarative networks would get out of sync with the declarative
settings.

To work around this, I had to change the following things:

* The `networking.wireless`-module now uses `-I` for declarative config,
  so the user-controlled mode can be used along with the
  `networks`-option.

* I added an `ro`-field to the `ssid`-struct in the
  `wpa_supplicant`-sources. This will be set to `1` for each network
  specified in the config passed via `-I`.

  Whenever config is written to the disk, those networks will be
  skipped, so changes to declarative networks are only temporary.

[1] https://w1.fi/cgit/hostap/commit/wpa_supplicant?id=e6304cad47251e88d073553042f1ea7805a858d1
2021-04-16 13:18:25 +02:00
Guillaume Girol f1a2ab6818
Merge pull request #115332 from symphorien/usertype
nixos/users: require one of users.users.name.{isSystemUser,isNormalUser}
2021-04-14 19:38:26 +00:00
Symphorien Gibol 7a87973b4c nixos/users: require one of users.users.name.{isSystemUser,isNormalUser}
As the only consequence of isSystemUser is that if the uid is null then
it's allocated below 500, if a user has uid = something below 500 then
we don't require isSystemUser to be set.

Motivation: https://github.com/NixOS/nixpkgs/issues/112647
2021-04-14 20:40:00 +02:00
Martin Weinelt 8e1e78a735
nixos/babeld: allow AF_INET communication required for netlink socket
This broke after seccomp was updated from 2.5.0 to 2.5.1 in 22148780.
2021-04-13 02:41:54 +02:00
Sandro 000af0d8bf
Merge pull request #118658 from rhoriguchi/networkmanager
nixos/networkmanager: add missing kernel module for wpa authentication
2021-04-12 20:18:32 +02:00
Sandro 0c1d21dfa8
Merge pull request #117905 from yoctocell/privoxy-module-fix-forward-socks5
nixos/privoxy: add missing "/" to "forward-socks5" option
2021-04-12 16:49:29 +02:00
sternenseemann 9c989f2fd9 spacecookie: add top-level attribute for haskellPackages.spacecookie
The haskellPackages.spacecookie derivation also includes a library and
thus a lot of propagated haskell dependencies. The top-level attribute
uses haskell.lib.justStaticExecutables and therefore only the
executable. This should reduce the runtime closure users have to
download considerably if they only want the server.
2021-04-10 15:44:19 +02:00
sternenseemann d51edbe17e nixos/spacecookie: reflect changes for spacecookie 1.0.0.0
* New log options
* The old port option has been deprecated in favor of listen -> port

https://github.com/sternenseemann/spacecookie/blob/master/CHANGELOG.md#1000
2021-04-10 15:44:19 +02:00
sternenseemann 76583ee81a nixos/spacecookie: convert into settings-style freeform configuration
* Move `hostname` and `root` into a settings submodule with a freeform
  type, allowing users to also use options not known to the NixOS
  service. Compatibility with a warning for the renamed options is also
  trivial to achieve.
* `port` stays where it is as we don't actually use the `port` option of
  spacecookie to set up the socket, but only to inform spacecookie about
  the port we have set in the `systemd.socket` file, this makes more
  sense. Additionally the configuration of the listening port and
  address change in the next spacecookie release — we can dodge this
  issue altogether by doing our own thing, but I'm interested to hear
  opinions on this.
  To ensure that this is not misconfigured, we add an assertion for
  the port option.
* Add an assertion for `user` in settings which has no effect the way
  we are starting spacecookie as it wouldn't be able to call setuid.
  The message also explains how a specific user can be used with
  spacecookie if desired.
2021-04-10 15:44:19 +02:00
sternenseemann b74821f31b nixos/spacecookie: add address option customizing listen address
This configuration option reflects a new feature from the unreleased
spacecookie version allowing to customize the address spacecookie will
listen on (e. g. "::1" to bind on link-local addresses only). We will
not use this feature in the future, since the configuration option of
spacecookie naturally only has an effect if we don't use socket
activation (and spacecookie sets up its own socket), but having the same
functionality in the service seems like a good idea.

We can luckily emulate this behavior with socket activation as well.
2021-04-10 15:44:19 +02:00
sternenseemann d1f57cbaf0 nixos/spacecookie: add openFirewall option
Convenience shortcut which automatically configures the firewall to open
the port which is also configured for the spacecookie service.
2021-04-10 15:44:19 +02:00
sternenseemann 58be28d7ce nixos/spacecookie: add package option
This allows to change the derivation to use for the spacecookie server
binary. We probably should also use justStaticExecutables by default to
reduce the runtime closure of the service.
2021-04-10 15:44:19 +02:00
sternenseemann 6b577f46b4 nixos/spacecookie: use nix style strings for description 2021-04-10 15:44:19 +02:00
Martin Weinelt f882b057be
Merge pull request #111316 from higebu/add-gobgpd 2021-04-09 17:17:07 +02:00
Yuya Kusakabe 45cffe7985
nixos/gobpgd: init 2021-04-09 14:57:11 +00:00
Sandro 26f16c1cef
Merge pull request #91318 from stephank/pkg-doh-proxy-rust 2021-04-08 22:32:12 +02:00
ajs124 c6d4dae35d treewide: fix eval without aliases after 9378fdf87e 2021-04-08 13:33:09 +02:00
Frederik Rietdijk b9ef51a84b services.tailscale: add openresolv to path
Without openresolv, magic dns is not very usable.
2021-04-07 18:40:04 +02:00
Stéphan Kochen 20481bd027 doh-proxy-rust: init at 0.3.8 2021-04-07 14:23:55 +02:00
Ryan Horiguchi 5171c5c2ee
nixos/networkmanager: add missing kernel module for wpa authenticaion 2021-04-06 13:50:51 +02:00
Sandro Jäckel 9378fdf87e
iproute: deprecate alias 2021-04-04 01:43:46 +02:00
Doron Behar c2b66f2702
Merge pull request #98734 from ju1m/zerobin 2021-03-29 17:18:29 +00:00
Xinglu Chen 273f5c38a3
nixos/privoxy: add missing "/" to "forward-socks5" option
Without this, Privoxy will silently fail, meaning that no traffic
would be routed through Tor, giving users a false sense of privacy.
2021-03-28 21:16:55 +02:00
Vladimír Čunát 56f308bb2f
nixos/kresd: trivial cleanup 2021-03-28 21:01:50 +02:00
Vladimír Čunát 6e562fd6a7
Merge #101043: nixos/kresd: Listen on IPv4 wildcard, too
This makes sense to me.  I can't see any reference (incl. PR #78628)
why that commit of mine (ae74a0e27c) used 127.0.0.1 instead of 0.0.0.0
2021-03-28 20:53:33 +02:00
Vladimír Čunát 0032a3fc81
Merge #100592: nixos/kresd: Fix unportable regex 2021-03-28 20:27:49 +02:00
Maciej Krüger c8d2f4a3a8 cjdns: reduce password length to 32
Maximum password length per cjdns code is somehwhere less than that, see
ecd01e7681/client/AdminClient.c (L80)

Currently we generate 96 char long passwords that don't work

This changes it so password length is just 32 chars long
2021-03-26 11:35:09 +01:00
Florian Klink f3fa3a38a9
Merge pull request #116743 from flokli/bird-check-config-disable
nixos/bird*: enable config files outside the store, propagate reload errors to systemd
2021-03-25 23:01:09 +01:00
Maximilian Bosch 0ad1d526dc
Merge pull request #117454 from dotlambda/wireguard-noalias
nixos/wireguard: don't use alias
2021-03-24 11:43:13 +01:00
Robert Schütz 683f374529 nixos/wireguard: don't use alias 2021-03-24 11:27:36 +01:00
sternenseemann 76d9fe7629 !fixup add myself as maintainer for the module 2021-03-22 15:19:49 +01:00
sternenseemann 4048b39fc1 nixos/modules/inspircd: add simplistic module and nixos test 2021-03-22 14:38:57 +01:00
Florian Klink 2b03d3a1cf nixos/bird: check config during reload
`birdc configure` seems to not return a nonzero exit code if the reload
failed.

Context: https://bird.network.cz/pipermail/bird-users/2018-January/011858.html

Co-Authored-By: Puck Meerburg <puck@puck.moe>
2021-03-18 14:25:44 +01:00
Florian Klink 7d266264ce nixos/bird: add services.bird*.checkConfig option
This is useful when the config doesn't entirely live in the Nix store,
but is configured to include mutable config files written at runtime.

Co-Authored-By: Puck Meerburg <puck@puck.moe>
2021-03-18 14:24:55 +01:00
Julien Moutinho a9ce4c4a0e zerobin: 20160108 -> 1.0.5 2021-03-13 13:06:06 +01:00
Aaron Andersen 47c5175f0c
Merge pull request #93629 from ju1m/croc
nixos/croc: init
2021-03-12 20:34:33 -05:00
rnhmjoj 7962df46fe
nixos/privoxy: make certificate-directory optional
The tmpfiles.d rule should only be added if inspectHttps is enabled.
2021-03-11 08:17:50 +01:00
rnhmjoj df6d7f3142
nixos/privoxy: document repeated settings 2021-03-09 17:59:12 +01:00
rnhmjoj 8e21a1c51b
nixos/privoxy: set temporary directory
This is needed for working external filters, otherwise privoxy will fail
without a clear error message.
2021-03-09 11:02:59 +01:00
rnhmjoj 3673ded392
nixos/privoxy: add https and settings options
This is a major rewrite of the Privoxy module:

- As per RFC0042, remove privoxy.extraConfig and replace it
  with a privoxy.settings option, which maps a NixOS freeform
  submodule to the Privoxy configuration format.

- Move all top-level options that mirrored a setting to
  the real ones in privoxy.settings. This still keeps the
  type-checking, default values and examples in places.

- Add two convenience options: userActions and userFilters, which
  simplify the operation of creating a file with pkgs.writeText,
  converting it to a string and adding it to the actionsfile/
  filterfile list.

- Add a privoxy.inspectHttps option to automagically setup TLS
  decryption support. I don't know how long have been waiting
  for this feature: can't believe it has just happened.

- Also add a privoxy.certsLifetime to control the periodical
  cleanup of the temporary certificates generate by Privoxy.
2021-03-09 11:02:59 +01:00
Julien Moutinho be6463cd9d nixos/croc: init 2021-03-08 01:34:32 +01:00
Johan Thomsen 7b5c38e973 nixos/kubernetes: docker -> containerd
also, nixos/containerd: module init
2021-03-07 12:51:14 +10:00
taku0 61706fc470
Merge pull request #114853 from lourkeur/fix-string-escaping
nixos/kresd, nixos/dokuwiki, tests/fpm, build-bazel-package, libcutl: fix string escaping
2021-03-03 19:35:16 +09:00
Julien Moutinho 862481560c nixos/dnscrypt-proxy2: reallow @sync syscalls 2021-02-21 14:53:54 +01:00
rnhmjoj 15d6eacb15
nixos/{networkd,dhcpcd}: remove udev-settle hack
systemd-udev-settle is a terrible hack[1] and should never[2] ever[3]
used, seriously it's very bad. It was used as a stop-gap solution for
issue #39069, but thanks to PR #79532 it can be removed now.

[1]: https://github.com/systemd/systemd/issues/7293#issuecomment-592941764
[2]: https://github.com/NixOS/nixpkgs/issues/73095
[3]: https://github.com/NixOS/nixpkgs/issues/107341
2021-02-18 22:07:00 +01:00
Milan 3b77e7c967
nixos/jitsi-videobridge: add apis option (#112960)
The `--apis=` command line parameter passed to Jitsi Videobridge is
required to monitor a Jitsi Meet instance for example via the prometheus
exporter [jitsiexporter](https://git.xsfx.dev/prometheus/jitsiexporter).
2021-02-13 15:04:58 +01:00
Luke Granger-Brown cfed3b8b22 treewide: update 21.03 to 21.05
The NixOS 21.03 release has been delayed to 21.05. See NixOS/rfcs#80.

There are two instances of 21.03 which have been left as is, since they
are in stateVersion comparisons. This will ensure that existing user
configurations which refer to 21.03 will continue to work.
2021-02-12 14:12:48 -08:00
Bernardo Meurer c83a3d6fa7
Merge pull request #112335 from lovesegfault/firefox-no-flash
treewide: cleanup Adobe Flash Player
2021-02-09 01:35:24 +00:00