A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
As part of the networking.* name space cleanup, connman should be moved
to services.connman. The same will happen for example with
networkmanager in a separate PR.
The new description should give more clear understanding of when to
edit the option.
I used NixOS to set up a DNS server that is authoritative for certain
zones. The description of the `cacheNetworks` option made me think I
needed to set it to `"any"` to allow people to query the zone I set
up. Reading the source of the module would have clarified my
understanding, but at the time I just read the description and thought
little of it. Later I discovered I was getting tons of DNS requests
and presumably being used for a DNS amplification attack or similar.
I have fixed the problem now, but I would like the option to have a
clearer description so others don't make the same mistake I did.
Add a virtual user system based around pam and a Berkeley
user database.
Adding the:
- localRoot
- userDbPath
- allowWriteableChroot
- virtualUseLocalPrivs
Vsftpd options.
Ever since setting up bonding the `wpa_supplicant-unit-start` script has
been failing. This is because the file `bonding_masters` in
`/sys/class/net/` is *not* a directory containing `uevent`.
Adding a test to verify the `uevent` path to be sourced exists resolves
the problem.
The two new options make it possible to create the interface in one namespace
and move it to a different one, as explained at https://www.wireguard.com/netns/.
In cases where you boot up really quickly (like in the VM test on a
non-busy host), tinydns might want to bind before the loopback interface
is fully up. Order tinydns after network.target to fix that.
Incorrect merging of modules resulted in dhcpcd being enabled causing flaky network connection.
https://github.com/NixOS/nixpkgs/pull/64364
Fixing it uncovered an infinite recursion from the same commit, previously masked by the incorrect merge.
We can just drop the `mkDefault` for `networking.wireless.enable` as it is already `false` by default.
Closes: https://github.com/NixOS/nixpkgs/issues/72416
This is a good example of a package/module that should be distributed
externally (e.g. as a flake [1]): it's not stable yet so anybody who
seriously wants to use it will want to use the upstream repo. Also,
it's highly specialized so NixOS is not really the right place at the
moment (every NixOS module slows down NixOS evaluation for everybody).
[1] https://github.com/edolstra/jormungandr/tree/flake
It seems that dnsdist doesn't actually request CAP_NET_BIND_SERVICE, which is why normally it's executed and root and setuids to another, unprivileged, user. This means that as it is, dnsdist will be unable to bind to any port under 1024 and will fail with access denied.
Removing CAP_SETGID and CAP_SETUID is also related to this as we don't actually change the uid or gid after the fact as we use DynamicUser. (That part isn't strictly NEEDED but there's no reason to have those capabilities if we don't use them).
There are also some additional sandboxing we can remove from the service definition as they are assumed true or strict by DynamicUser: specifically PrivateTmp and ProtectSystem respectively.
ProtectHome is still there, despite being assumed read-only as setting it to true means they are seen as empty. I don't think it really matters as I don't know if systemd will ignore it or not, but I didn't see any reason to go hunting for excuses to make it a bigger change.