Commit Graph

1620 Commits

Author SHA1 Message Date
Bob van der Linden
1e48222cbe
nixos/ircd-hybrid: /var/run -> /run 2019-03-24 21:15:27 +01:00
Bob van der Linden
937e733c04
nixos/htpdate: /var/run -> /run 2019-03-24 21:15:26 +01:00
Bob van der Linden
1a567685b2
nixos/hostapd: /var/run -> /run 2019-03-24 21:15:26 +01:00
Bob van der Linden
82dee48ef2
nixos/bind: /var/run -> /run 2019-03-24 21:15:26 +01:00
Bob van der Linden
9afbe4c2bd
nixos/avahi-daemon: /var/run -> /run 2019-03-24 21:15:25 +01:00
Bob van der Linden
08558245a4
nixos/asterisk: /var/run -> /run 2019-03-24 21:13:19 +01:00
Francesco Gazzetta
58f682742e nixos/zeronet: add fileserverPort option
Without it, zeronet tried to write one to the read-only config file and
crashed
2019-03-23 17:58:57 +01:00
Wael M. Nasreddine
5af0780492
Merge remote-tracking branch 'origin/master' into staging
* origin/master: (693 commits)
  buildGoModule: use go_1_12 instead of go_1_11 (#58103)
  gitAndTools.lab: 0.15.2 -> 0.15.3 (#58091)
  signal-desktop: 1.22.0 -> 1.23.0
  added missing semicolon to documentation
  terminus_font_ttf: 4.46.0 -> 4.47.0
  buildGoModule: remove SSL env vars in favor of cacert in buildInputs (#58071)
  dav1d: init at 0.2.1
  dropbox-cli: 2018.11.28 -> 2019.02.14
  atlassian-confluence: 6.14.1 -> 6.14.2
  maintainers: update email for dywedir
  python.pkgs.hglib: use patch to specify hg path (#57926)
  chkrootkit: 0.52 -> 0.53
  radare2-cutter: 1.7.2 -> 1.8.0
  autorandr: 1.7 -> 1.8
  pythonPackages.pyhepmc: fix build
  llvm-polly/clang-polly: use latest llvm
  apulse: 0.1.11.1 -> 0.1.12, cleanup
  factorio: experimental 0.17.14 → 0.17.16 (#58000)
  sequeler: 0.6.7 -> 0.6.8
  nasc: 0.5.1 -> 0.5.2
  ...
2019-03-21 21:01:25 -07:00
Jörg Thalheim
b488c60cdb network-manager: rename systemd service back to match upstream
Compatibility with other distributions/software and the expectations
of users coming from other systems should take priority over consistency.
In particular this fixes #51375, where the NetworkManager-wait-online.service
broke as a result of this.
2019-03-19 23:48:08 +01:00
Martin Weinelt
a978d3dcd2
nixos/knot: init 2019-03-14 01:28:53 +01:00
Markus
7e71cd8292 nixos/flannel: Add iptables package to service path 2019-03-12 15:30:33 +00:00
Pierre Bourdon
18bc8203a1
nixos/firewall: canonicalize firewall ports lists
Fixes #56086.
2019-03-09 20:02:04 +01:00
Pierre Bourdon
843215ac1c
nixos/firewall: use types.port where appropriate 2019-03-09 19:45:11 +01:00
Bas van Dijk
e44e2455d3 strongswan-swanctl: fix module by setting the new SWANCTL_DIR envvar 2019-03-08 16:11:38 +01:00
Peter Hoeg
011fe4a246
Merge pull request #56571 from peterhoeg/u/mqtt
mosquitto: 1.5.5 -> 1.5.8
2019-03-04 12:23:45 +08:00
Peter Hoeg
0e40b7bfc2 mosquitto (nixos): notify systemd when started 2019-03-01 18:54:24 +08:00
David Duarte
b381c27b58 nixos/coredns: init (#54931) 2019-03-01 11:10:44 +02:00
Andreas Rammhold
64c60a813d nixos/gnunet: fix typo in PrivateTmp parameter (#56343)
Systemd expects `PrivateTmp` and not `PrivateTemp` in the service
configuration.

I found this by chance while grepping through nixpkgs…
2019-02-25 15:53:36 +01:00
Nikita Uvarov
131e31cd1b
sshd: fix startWhenNeeded and listenAddresses combination
Previously, if startWhenNeeded was set, the listenAddresses option was
ignored and the daemon listened on all interfaces.
Fixes #56325.
2019-02-25 00:51:58 +01:00
Silvan Mosberger
c0318efe9a
Merge pull request #50504 from symphorien/local-closureInfo
nixos: add preferLocalBuild=true; on derivations for config files and closureInfo
2019-02-22 20:53:17 +01:00
Symphorien Gibol
a915b33315 nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
Jörg Thalheim
183919a0c0
Merge pull request #56004 from eskimor/add-nix-serve-help
nixos-nix-serve: Add some hints on how to get valid signing keys.
2019-02-21 09:43:50 +00:00
Johan Thomsen
7028fac35b
nixos/kubernetes: use system.path to handle dependency on flannel subnet.env
The current postStart step on flannel causes flannel.service to
sometimes hang, even when it's commanded to stop.
2019-02-20 21:08:56 +01:00
Robert Klotzner
9f3fe63b5f Add some hints on how to get valid signing keys. 2019-02-20 12:32:08 +01:00
Silvan Mosberger
ac953a4a6b
Merge pull request #55766 from Lucus16/bump-quassel
nixos/quassel: Add support for certificate file
2019-02-18 03:04:56 +01:00
Jaka Hudoklin
5ae048071d
Merge pull request #55649 from johanot/flannel-with-kubernetes-backend
nixos/flannel: add kubernetes as storage backend (and fix test)
2019-02-15 19:55:56 +01:00
Lars Jellema
85675c139f
nixos/quassel: Add support for certificate file 2019-02-14 14:36:21 +01:00
Johan Thomsen
94136fdc1b nixos/flannel: node name needs to be configured for flannel to work with kubernetes storage backend 2019-02-13 17:17:52 +01:00
Johan Thomsen
9522ca5ce9 nixos/flannel: add options to configure kubernetes as config backend for flannel 2019-02-12 18:26:39 +01:00
Robert Helgesson
488a3f09cd
nixos/wpa_supplicant: use <citerefentry>
Fixes #55505
2019-02-10 13:23:28 +01:00
Jörg Thalheim
6c28dd858b
teamspeak: ipv6 support
Unlike what the option descriptions state, the service was not listening on any
IPs because the address family was limited to ipv4.
2019-02-08 10:28:20 +00:00
Lily Ballard
b0e79359bd nixos/unifi: Update TCP ports
Fixes #55377
2019-02-07 13:18:57 -08:00
Ioannis Koutras
6642f3f213 nixos/syncthing: setup user only on system service 2019-02-06 20:23:13 +01:00
Franz Pletz
2746973061
ndppd: don't use weird upstream systemd service unit 2019-02-03 14:39:28 +01:00
elseym
4ce1c59389
ndppd module: refactor 2019-02-03 14:28:54 +01:00
Danylo Hlynskyi
30c312341f
Merge pull request #54637 from danbst/small-eval-optimization
module system: small eval optimization
2019-01-31 00:42:24 +02:00
danbst
27982b408e types.optionSet: deprecate and remove last usages 2019-01-31 00:41:10 +02:00
Robert Schütz
0525fa54e8
Merge pull request #54739 from Nadrieril/fix-ffsync
Fix firefox sync-server
2019-01-30 16:26:31 +01:00
Nadrieril
375020cf99 nixos/syncserver: mild cleanup 2019-01-30 15:59:01 +01:00
Nadrieril
63c7fe0819 nixos/syncserver: use gunicorn
As described in `syncserver`'s documentation.
Makes it possible to run behind a reverse proxy.
2019-01-30 15:59:00 +01:00
Nadrieril
957d0589ad pythonPackages.syncserver: move to all-packages.nix and fix dependencies 2019-01-30 15:59:00 +01:00
Silvan Mosberger
f2daf4295e
Merge pull request #54708 from erictapen/unifi-maintainer
unifi, nixos/unifi: add erictapen as maintainer
2019-01-27 19:02:40 +01:00
Justin Humm
38f23046a3
unifi, nixos/unifi: add erictapen as maintainer 2019-01-27 17:28:15 +01:00
Maximilian Bosch
acbadcdbba
nixos/wpa_supplicant: escape interface names to listen on
Systemd provides some functionality to escape strings that are supposed
to be part of a unit name[1]. This seems to be used for interface names
in `sys-subsystem-net-devices-{interface}.device` and breaks
wpa_supplicant if the wireless interface name has a dash which is
encoded to \x2d.

Such an interface name is rather rare, but used i.e. when configuring
multiple wireless interfaces with `networking.wlanInterfaces`[2] to have one
interface for `wpa_supplicant` and another one for `hostapd`.

[1] https://www.freedesktop.org/software/systemd/man/systemd-escape.html
[2] https://nixos.org/nixos/options.html#networking.wlaninterfaces
2019-01-27 11:59:18 +01:00
Milan Pässler
24d5e30b5f nixos/prosody: add ExecReload
Add an ExecReload command to the prosody service, to allow reloading
prosody by sending SIGHUP to the main process, for example to update
certificates without restarting the server. This is exactly how the
`prosodyctl` tool does it.

Note: Currently there is a bug which prevents mod_http from reloading the
certificates properly: https://issues.prosody.im/1216.
2019-01-26 03:12:09 +01:00
Robert Irelan
8844f09d53 xrdp: fix clipboard for non-ASCII characters
Without this line, attempting to copy and paste non-ASCII characters
will result in error messages like the following (and pasting from the
server to the client will not work):

```
CLIPBOARD  clipboard_send_data_response_for_text: 823 : ERROR: clipboard_send_data_response_for_text: bad string
```
2019-01-22 09:52:53 -08:00
aszlig
6446d9eee8
nixos/nsd: Improve checking for empty dnssec zones
While at it (see previous commit), using attrNames in combination with
length is a bit verbose for checking whether the filtered attribute set
is empty, so let's just compare it against an empty attribute set.

Signed-off-by: aszlig <aszlig@nix.build>
2019-01-04 01:59:28 +01:00
aszlig
751bdacc9b
nixos/nsd: Don't override bind via nixpkgs.config
When generating values for the services.nsd.zones attribute using values
from pkgs, we'll run into an infinite recursion because the nsd module
has a condition on the top-level definition of nixpkgs.config.

While it would work to push the definition a few levels down, it will
still only work if we don't use bind tools for generating zones.

As far as I could see, Python support for BIND seems to be only needed
for the dnssec-* tools, so instead of using nixpkgs.config, we now
directly override pkgs.bind instead of globally in nixpkgs.

To illustrate the problem with a small test case, instantiating the
following Nix expression from the nixpkgs source root will cause the
mentioned infinite recursion:

```nix
(import ./nixos {
  configuration = { lib, pkgs, ... }: {
    services.nsd.enable = true;
    services.nsd.zones = import (pkgs.writeText "foo.nix" ''
      { "foo.".data = "xyz";
        "foo.".dnssec = true;
      }
    '');
  };
}).vm
```

With this change, generating zones via import-from-derivation is now
possible again.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @pngwjpgh
2019-01-04 01:49:50 +01:00
ajs124
325e314aae
sshd: Add restartTrigger for sshd_config
Co-Authored-By: Franz Pletz <fpletz@fnordicwalking.de>
2019-01-02 20:11:01 +01:00
Franz Pletz
0ea65cd96c
shairport-sync service: fix default arguments 2019-01-02 19:17:22 +01:00
Silvan Mosberger
070254317e
Revert "nixos/ddclient: make RuntimeDirectory and configFile private" 2018-12-29 16:53:43 +01:00
Jeremy Apthorp
654c3124b2
shairport-sync: don't daemonize
This flag causes the shairport-sync server to attempt to daemonize, but it looks like systemd is already handling that. With the `-d` argument, shairport-sync immediately exits—it seems that something (systemd I'm guessing?) is sending it SIGINT or SIGTERM.

The [upstream systemd unit](https://github.com/mikebrady/shairport-sync/blob/master/scripts/shairport-sync.service.in#L10) doesn't pass `-d`.
2018-12-19 22:37:25 -08:00
Satoshi Shishiku
5a93f6149a
prosody service: set cafile
Fix s2s_secure_auth.
2018-12-17 01:01:41 +01:00
Rickard Nilsson
b20fcce195 nixos/nm-setup-hostsdir: RemainAfterExist -> RemainAfterExit 2018-12-15 08:33:28 +01:00
Renaud
0eb2f4b5f5
Merge pull request #50809 from sorki/wireguard_containers_wont_modprobe
wireguard: don't modprobe if boot.isContainer is set
2018-12-07 11:06:28 +01:00
Austin Seipp
4594b18070 nixos/chrony: fix misplaced ConditionCapability= directive
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-12-02 20:32:47 -06:00
Austin Seipp
ee14496ae2 nixos/dhcpcd: (try to) restart chrony in the exitHook
As the comment notes, restarts/exits of dhcpcd generally require
restarting the NTP service since, if name resolution fails for a pool of
servers, the service might break itself. To be on the safe side, try
restarting Chrony in these instances, too.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-11-30 18:50:33 -06:00
Austin Seipp
7b8d9700e1 nixos/chrony: don't emit initstepslew when servers is empty
Setting the server list to be empty is useful e.g. for hardware-only
or virtualized reference clocks that are passed through to the system
directly. In this case, initstepslew has no effect, so don't emit it.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-11-30 18:50:32 -06:00
Brandon Black
dacbd5a61a nixos/ntp: use upstream default restrictions to avoid DDoS (#50762)
Fixes #50732
2018-11-28 10:15:25 +00:00
Renaud
6a5fff3741
Merge pull request #51001 from c0bw3b/cleanup/more-https
Treewide: use more HTTPS-enabled sources
2018-11-25 16:22:34 +01:00
Franz Pletz
c1d760f0bf
Merge pull request #50469 from mguentner/mxisd
mxisd: init at 1.2.0 plus service with test
2018-11-25 13:26:05 +00:00
Maximilian Güntner
efae5d43ef
modules: add mxisd with test 2018-11-25 14:24:10 +01:00
Craig Younkins
eff461c8ef treewide: systemd timeout arguments to use infinity instead of 0 (#50934)
Fixes https://github.com/NixOS/nixpkgs/issues/49700
2018-11-25 13:33:22 +01:00
c0bw3b
c615b0504b nixos/flashpolicyd: fix url and use https 2018-11-24 23:13:09 +01:00
Jörg Thalheim
d3aeed389c
Merge pull request #50641 from blaxill/firewallMerge
nixos/firewall: Always use global firewall.allowed rules
2018-11-23 11:42:16 +00:00
Ben Blaxill
308ab4ea25 Rename back to default and better release notes 2018-11-22 19:24:23 -05:00
Ben Blaxill
32779b4c74 Refactor out the set operations 2018-11-20 21:29:33 -05:00
Samuel Dionne-Riel
a041dc8ab7
Merge pull request #50499 from delroth/syncthing-relay
syncthing-relay module: init
2018-11-20 01:40:23 +00:00
Richard Marko
3ffda36356 wireguard: don't modprobe if boot.isContainer is set 2018-11-20 01:17:04 +01:00
Ben Blaxill
551d2f7ed2 nixos/firewall: Always use global firewall.allowed rules
Apply global firewall.allowed* rules separately from the
interface specific rules.
2018-11-18 22:50:01 -05:00
Pierre Bourdon
08f24cadaa syncthing-relay module: init 2018-11-19 01:09:54 +01:00
Renaud
7f84561cc3
Merge pull request #49631 from janikrabe/master
oidentd: 2.2.2 -> 2.3.1
2018-11-19 00:31:02 +01:00
Silvan Mosberger
e468a1091b
Merge pull request #48687 from danielrutz/port-type
Add port type
2018-11-10 15:12:07 +01:00
Janik Rabe
49e97f8f88 oidentd: 2.2.2 -> 2.3.1
* Added license: GPLv2.
* Updated homepage and description.
* CFLAGS are no longer necessary as of version 2.2.0.
* Option '-a ::' is no longer necessary as of version 2.2.0.
2018-11-07 14:51:45 +02:00
Niklas Hambüchen
2cb7f5fb1e consul: 0.9.3 -> 1.3.0.
Removes the old UI build tooling; it is no longer necessary
because as of 1.2.0 it's bundled into the server binary.
It doesn't even need to have JS built, because it's bundled into
the release commit's source tree (see #48714).

The UI is enabled by default, so the NixOS service is
updated to directly use `ui = webUi;` now.

Fixes #48714.
Fixes #44192.
Fixes #41243.
Fixes #35602.

Signed-off-by: Niklas Hambüchen <mail@nh2.me>
2018-11-03 18:39:46 +01:00
Austin Seipp
93aa285376 nixos: fix #48917 by setting SYSTEMD_TIMEDATED_NTP_SERVICES
Setting this variable in the environment of systemd-timedated allows
'timedatectl' to tell if an NTP service is running.

Closes #48917.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-11-02 09:10:15 -05:00
Joachim F
2dc0fc6516
Merge pull request #47526 from rnhmjoj/syncthing
nixos/syncthing: move configuration to configDir
2018-11-02 12:02:51 +00:00
obadz
c8c1ed2c78 nixos/zerotier: binds to network-online.target to avoid the 1m30s timeout before kill on shutdown 2018-11-01 23:00:25 +00:00
Léo Gaspard
b9faae955c
redsocks module: add self as maintainer 2018-10-31 01:06:14 +09:00
Lassulus
334dd6f964 nixos/bitlbee: use purple-2 as purple_plugin_path (#49440) 2018-10-30 15:37:41 +01:00
Bas van Dijk
0b381dd9ca
Merge pull request #49197 from LumiGuide/strongswan-swanctl-5.7.1
strongswan-swanctl: adapt options to strongswan-5.7.1
2018-10-27 09:34:53 +01:00
Silvan Mosberger
f374addc10
Merge pull request #48844 from c0bw3b/svc/ddclient
nixos/ddclient: make RuntimeDirectory and configFile private
2018-10-27 00:29:18 +02:00
Bas van Dijk
ca655e8b14 strongswan-swanctl: adapt options to strongswan-5.7.1
The changes were found by executing the following in the strongswan
repo (https://github.com/strongswan/strongswan):

```
git diff 5.6.3..5.7.1 src/swanctl/swanctl.opt
```
2018-10-26 23:46:02 +02:00
Maximilian Bosch
5dc1748043
Merge pull request #48728 from qolii/eternal-terminal-module
nixos/eternal-terminal: init new module.
2018-10-25 14:51:22 +02:00
qolii
c0d90b57d6 Address more review feedback. 2018-10-24 17:57:33 -07:00
Renaud
ab5380ec82
nixos/ddclient: make configFile private
/run/ddclient/ddclient.conf should be installed in mode 660 (readable and writeable only by ddclient.service user and group)
2018-10-23 00:43:41 +02:00
Renaud
f76a9eb526
nixos/ddclient: make RuntimeDirectory private
ddclient will raise a warning if /run/ddclient/ is world-readable
2018-10-22 23:58:12 +02:00
qolii
ee0444576f Address review feedback. 2018-10-20 13:52:43 -07:00
qolii
af1a285017 nixos/eternal-terminal: init new module. 2018-10-20 13:52:12 -07:00
Silvan Mosberger
1fa1bcbab0
nixos/znc: Fix confOptions.uriPrefix not being applied
This was overlooked on a rebase of mine on master, when I didn't realize
that in the time of me writing the znc changes this new option got
introduced.
2018-10-20 20:56:30 +02:00
Silvan Mosberger
039fc37f9c
nixos/znc: Fix confOptions.extraZncConf being applied to wrong section
This bug was introduced in https://github.com/NixOS/nixpkgs/pull/41467
2018-10-20 20:36:18 +02:00
Daniel Rutz
c98a7bf8f2 nixos/sshd: Use port type instead of int
This change leads to an additional check of the port number at build time, making invalid port values impossible.
2018-10-18 23:42:20 +02:00
Jörg Thalheim
5a1f0f9aa3
tinc: remove unnecessary networking.interfaces
This breaks with networking backends enabled and
also creates large delays on boot when some services depend
on the network target. It is also not really required
because tinc creates those interfaces itself.

fixes #27070
2018-10-18 21:37:56 +01:00
clefru
725fcdef3f Fix hostapd's place in systemd dependency tree. (#45464)
* nat/bind/dhcp.service:
  Remove. Those services have nothing to do with a link-level service.

* sys-subsystem-net-devices-${if}.device:
  Add as BindsTo dependency as this will make hostapd stop when the
  device is unplugged.

* network-link-${if}.service:
  Add hostapd as dependency for this service via requiredBy clause,
  so that the network link is only considered to be established
  after hostapd has started.

* network.target:
  Remove this from wantedBy clause as this is already implied from
  dependencies stacked above hostapd. And if it's not implied then
  starting hostapd is not required for this particular network
  configuration.
2018-10-17 09:18:52 +02:00
Silvan Mosberger
e443bbf6fd
Merge pull request #45470 from Infinisil/znc-config
nixos/znc: More flexible module, cleanups
2018-10-17 03:01:30 +02:00
rnhmjoj
16f67637ba
nixos/syncthing: move configuration to configDir
fixes #47513 following the upstream recommended settings:
https://github.com/syncthing/syncthing/issues/3434#issuecomment-235401876
2018-10-15 20:34:50 +02:00
Silvan Mosberger
81c3ae9492
nixos/znc: add config option
This option represents the ZNC configuration as a Nix value. It will be
converted to a syntactically valid file. This provides:
- Flexibility: Any ZNC option can be used
- Modularity: These values can be set from any NixOS module and will be
  merged correctly
- Overridability: Default values can be overridden

Also done:
Remove unused/unneeded options; mkRemovedOptionModule unfortunately doesn't work
inside submodules (yet). The options userName and modulePackages were never used
to begin with.
2018-10-14 20:39:42 +02:00
Peter Hoeg
abe0e22e20
Merge pull request #48119 from mrVanDalo/update_syncthing
nixos/modules: services.syncthing add guiAddress parameter
2018-10-14 18:47:51 +08:00
Ingolf Wagner
d2e1dd7fc7
nixos/modules: services.syncthing use types.str instead of types.string
As Infinisil mentioned in https://github.com/NixOS/nixpkgs/pull/48119#discussion_r224974201
2018-10-14 06:46:42 +02:00
Ingolf Wagner
fa6c8ec2a7
nixos/modules: services.syncthing add guiAddress parameter 2018-10-14 00:52:25 +02:00
Silvan Mosberger
4eee2cd0e0
nixos/znc: move to own folder
Move legacy options to separate file
2018-10-13 15:04:53 +02:00
Silvan Mosberger
c881a04a5d
Merge pull request #47902 from pvgoran/correct-mkEnableOption-uses
nixos: correct improper uses of mkEnableOption, clarify service descr…
2018-10-11 21:31:32 +02:00
Timo Kaufmann
a88dad2684
Merge pull request #48039 from lheckemann/murmur-mention-mumble
murmur: mention mumble in description
2018-10-08 21:46:38 +02:00
Linus Heckemann
68a2fceed5 nixos/murmur: mention mumble in description
This makes the option easier to find with the options search or in the
manpage.
2018-10-08 13:33:36 +02:00
lassulus
99c8dc4a11 charybdis service: bin/charybdis-ircd -> bin/charybdis 2018-10-07 13:10:50 +02:00
Matthew Bauer
33d24042d4
Merge pull request #46443 from bobvanderlinden/pr-test-upnp
Miniupnpd and bittorrent improvements
2018-10-05 22:48:24 -05:00
Pavel Goran
858b263bf0 nixos: correct improper uses of mkEnableOption, clarify service descriptions
Several service definitions used `mkEnableOption` with text starting
with "Whether to", which produced funny option descriptions like
"Whether to enable Whether to run the rspamd daemon..".

This commit corrects this, and adds short descriptions of services
to affected service definitions.
2018-10-05 13:14:45 +07:00
Jörg Thalheim
d334c1c1d0 nixos/bitlbee: option to use pam 2018-10-01 18:25:11 +01:00
Graham Christensen
8413f22bb3
docs: format 2018-09-29 20:51:11 -04:00
Franz Pletz
e7ca9af4cc
shairport-sync: fix pulseaudio support & default arguments 2018-09-26 18:12:02 +02:00
Austin Seipp
0ce90d58cc nixos/chrony: clean up, rework to be a little closer to upstream
Most importantly, this sets PrivateTmp, ProtectHome, and ProtectSystem
so that Chrony flaws are mitigated, should they occur.

Moving to ProtectSystem=full however, requires moving the chrony key
files under /var/lib/chrony -- which should be fine, anyway.

This also ensures ConditionCapability=CAP_SYS_TIME is set, ensuring
that chronyd will only be launched in an environment where such a
capability can be granted.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2018-09-24 15:42:44 -05:00
Sarah Brofeldt
7fb0194d41
Merge pull request #45161 from Gerschtli/update/ts3
teamspeak_server: 3.0.13.6 -> 3.3.0
2018-09-23 20:24:48 +02:00
Vladyslav Mykhailichenko
3b7ecaa798 iwd: 0.7 -> 0.8 2018-09-23 15:26:55 +03:00
Peter Hoeg
3904016a3d
Merge pull request #43812 from binarin/epmd-systemd-pr
epmd: Introduce erlang port mapper daemon service
2018-09-17 11:33:09 +08:00
Jörg Thalheim
fc41ea8c8e
Merge pull request #46144 from dasJ/nullidentdmod-module
nixos/nullidentdmod: Init
2018-09-16 22:06:59 +01:00
Bob van der Linden
d3eff01076
nixos: miniupnpd: use iptables scripts 2018-09-15 23:10:24 +02:00
Joachim F
e02575b906
Merge pull request #46381 from Chiiruno/dev/zeronet
nixos/zeronet: Fix TOR permissions, add torAlways option
2018-09-11 10:28:32 +00:00
Jörg Thalheim
1bdba70b71
Merge pull request #44496 from Yarny0/hylafaxplus
Hylafaxplus
2018-09-11 10:48:19 +01:00
Jörg Thalheim
c8ccc433df
nixos/hylafax: show correct option in warning message. 2018-09-11 10:38:04 +01:00
Edward Tjörnhammar
9dc661aa72
nixos/i2pd: Update options to encompass recent additions to the daemon
Also:
  * switch to flat sysdir
  * remove nixos default reseeds, rely on program defaults
  * refactor config expressions
2018-09-09 18:48:51 +02:00
Okina Matara
9c97f37761 nixos/zeronet: Fix TOR permissions, add torAlways option 2018-09-08 12:12:11 -05:00
Yarny0
12fa95f2d6 modules: HylaFAX server configuration
This commit adds the following
* the uucp user
* options for HylaFAX server to control startup and modems
* systemd services for HylaFAX server processes
  including faxgettys for modems
* systemd services to maintain the HylaFAX spool area,
  including cleanup with faxcron and faxqclean
* default configuration for all server processes
  for a minimal working configuration

Some notes:

* HylaFAX configuration cannot be initialized with faxsetup
  (as is common on other Linux distributions).
  The hylafaxplus package contains a template spool area.
* Modems are controlled by faxgetty.
  Send-only configuration (modems controlled by faxq)
  is not supported by this configuration setup.
* To enable the service, one or more modems must be defined with
  config.services.hylafax.modems .
* Sending mail *should* work:
  HylaFAX will use whatever is in
  config.services.mail.sendmailSetuidWrapper.program
  unless overridden with the sendmailPath option.
* The admin has to create a hosts.hfaxd file somewhere
  (e.g. in /etc) before enabling HylaFAX.
  This file controls access to the server (see hosts.hfaxd(5) ).
  Sadly, HylaFAX does not permit account-based access
  control as it accepts connections via TCP only.
* Active fax polling should work; I can't test it.
* Passive fax polling is not supported by HylaFAX.
* Pager transmissions (with sendpage) are disabled by default.
  I have never tested or used these.
* Incoming data/voice/"extern"al calls
  won't be handled by default.
  I have never tested or used these.
2018-09-08 14:21:40 +02:00
Tad Fisher
56b3c5b2dd nixos/networkmanager: fix VPN plugin service definition targets (#46201) 2018-09-08 14:10:51 +02:00
Janne Heß
32a2d08b23 nixos/nullidentdmod: Init 2018-09-06 16:31:20 +02:00
Janne Heß
9e25ebc03a nixos/iperf: Init the module 2018-09-06 12:38:30 +02:00
Yorick
1ee3ad6732 wireguard: change preStop to postStop, require network.target (#45569)
* wireguard: change preStop to postStop, require network.target

* wireguard service: network.target -> network-online.target
2018-09-02 17:07:55 +02:00
Florian Klink
953b77f07b bird: set reloadIfChanged to true (#45924)
This will trigger the reload instead of restart command if a definition
changes, which is much more desirable for a routing daemon.
2018-09-02 06:51:32 +02:00
Samuel Dionne-Riel
ca47cc90c2
Merge pull request #39142 from teto/nm_dispatchers
[RDY] networkmanager: enrich dispatcher PATH
2018-09-01 23:26:36 -04:00
Graham Christensen
34d2ec7c09
nixos docs: give IDs to things 2018-09-01 16:20:49 -04:00
John Ericson
2c4a75e9ef
Merge pull request #45820 from obsidiansystems/dont-use-obsolete-platform-aliases
treewide: Dont use obsolete platform aliases
2018-08-31 09:56:10 -04:00
チルノ
17564e0ed9 nixos/zeronet: init (#44842) 2018-08-31 11:40:23 +01:00
John Ericson
2c2f1e37d4 treewide: Purge all uses of stdenv.system and top-level system
It is deprecated and will be removed after 18.09.
2018-08-30 17:20:32 -04:00
Jan Tojnar
8a8056c302
Merge pull request #45058 from michaelpj/imp/freedesktop-modules
freedesktop modules: init
2018-08-30 16:14:35 +01:00
Nikolay Amiantov
69407cb013 firewall service: respect marks in rpfilter (#39054)
This allows one to add rules which change a packet's routing table:

```sh
iptables -t raw -I PREROUTING 1 -m set --match-set myset src -j MARK --set-mark 2
ip rule add fwmark 2 table 1 priority 1000
ip route add default dev wg0 table 1
```

to the beginning of raw table PREROUTING chain, and still have rpfilter.
2018-08-29 20:50:53 +02:00
Vladyslav Mykhailichenko
d73fd69952 iwd: 0.4 -> 0.7 2018-08-25 15:26:52 +03:00
Sarah Brofeldt
4c6171c173 nixos/dhcpcd: Wait for devices to settle 2018-08-22 00:20:28 +02:00
Tobias Happ
ca3e9a7096 teamspeak_server: 3.0.13.6 -> 3.3.0 2018-08-17 00:25:31 +02:00
Michael Peyton Jones
13e2e19158
xdg: add modules for supporting various XDG specs 2018-08-16 21:23:34 +01:00
Franz Pletz
0371570807
Merge pull request #44524 from vincentbernat/fix/dhcpcd-systemd
dhcpcd service: order before network target
2018-08-13 20:24:22 +00:00
Franz Pletz
f167e88794
Merge pull request #44658 from dlahoti/patch-2
add `extraConfig` section to `networking.wireless`
2018-08-10 09:38:23 +00:00
Deven Lahoti
8d6128208d nixos/wireless: add extraConfig section to networking.wireless
This allows the user to add `wpa_supplicant` config options not yet supported by Nix without having to write the entire `wpa_supplicant.conf` file manually.
2018-08-09 15:20:44 -05:00
Silvan Mosberger
565479374b
Merge pull request #42469 from ghuntley/patch-4
zerotier: added option to customise the port used
2018-08-08 17:02:25 +02:00
Geoffrey Huntley
5b66ddb943 nixos/zerotier: added option to customise the port used 2018-08-09 00:00:12 +10:00
Matthieu Coudron
f0980c40c1 networkmanager: make hooks easier to use
First change is to override the nm-dispatcher systemd service so that
it puts coreutils (wc/env/...) and iproute in PATH.
Second change is to make sure userscripts have the execute bit.
2018-08-07 17:53:56 +09:00
Vincent Bernat
48f7778d99 dhcpcd service: order before network target
This reverts a change applied in PR #18491. When interfaces are
configured by DHCP (typical in a cloud environment), ordering after
network.target causes trouble for applications expecting some network to
be present on boot (for example, cloud-init is quite brittle when
network hasn't been configured for `cloud-init.service`) and on
shutdown (for example, collectd needs to flush metrics on shutdown).

When ordering after network.target, we ensure applications relying on
network.target won't have any network reachability on boot and
potentially on shutdown.

Therefore, I think ordering before network.target is better.
2018-08-05 23:07:54 +02:00
Maximilian Bosch
cd5e01edd9 ocserv: init at 0.12.1 (#42871)
`ocserv` is a VPN server which follows the openconnect protocol
(https://github.com/openconnect/protocol). The packaging is slightly
inspired by the AUR version
(https://aur.archlinux.org/packages/ocserv/).

This patch initializes the package written in C, the man pages and a
module for a simple systemd unit to run the VPN server. The package
supports the following authentication methods for the server:

* `plain` (mostly username/password)
* `pam`

The third method (`radius`) is currently not supported since `nixpkgs`
misses a packaged client.

The module can be used like this:

``` nix
{
  services.ocserv = {
    enable = true;
    config = ''
      ...
    '';
  };
}
```

The option `services.ocserv.config` is required on purpose to
ensure that nobody just enables the service and experiences unexpected
side-effects on the system. For a full reference, please refer to the
man pages, the online docs or the example value.

The docs recommend simply using `nobody` as user, so no extra user has
been added to the internal user list. Instead a configuration like
this can be used:

```
run-as-user = nobody
run-as-group = nogroup
```

/cc @tenten8401
Fixes #42594
2018-08-01 21:39:09 +02:00
Silvan Mosberger
c3f00f7c16
Merge pull request #44061 from ljani/avahi-extraconfig
nixos/avahi: add support for extraConfig
2018-07-29 20:07:11 +02:00
Jani
d17770d0d5 nixos/avahi: add support for extraConfig 2018-07-28 12:48:08 +03:00
Tuomas Tynkkynen
96190535e5 Revert "nixos: rename system.{stateVersion,defaultChannel} -> system.nixos.\1"
This reverts commit 095fe5b43d.

Pointless renames considered harmful. All they do is force people to
spend extra work updating their configs for no benefit, and hindering
the ability to switch between unstable and stable versions of NixOS.

Like, what was the value of having the "nixos." there? I mean, by
definition anything in a NixOS module has something to do with NixOS...
2018-07-28 00:12:55 +03:00
Jörg Thalheim
e9ff0f9448
Merge pull request #43863 from volth/unused4
[bot] nixos/*: remove unused arguments in lambdas
2018-07-21 16:39:08 +01:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
volth
6d2857a311 [bot] treewide: remove unused 'inherit' in let blocks 2018-07-20 19:38:19 +00:00
Frederik Rietdijk
1a6af9f88e
Merge pull request #43857 from volth/unused
[bot] treewide: remove unreferenced code
2018-07-20 21:06:32 +02:00
volth
87f5930c3f [bot]: remove unreferenced code 2018-07-20 18:48:37 +00:00
Erik Arvstedt
aecf24a0eb openvpn: document how to import an external config 2018-07-20 10:51:52 +02:00
Alexey Lebedeff
c00d17aae3 epmd: Introduce erlang port mapper daemon service
Having socket-activated epmd means that there will always be only a single
instance managed centrally. Erlang also starts it automatically if not
available, and in the worst case 'epmd' can be started by some Erlang
application running under systemd. And then restarting this application
unit will cause complete loss of names in 'epmd' (if other Erlang systems
are also installed on this host).

E.g. see at which lengths RabbitMQ goes to recover from such
situations:
7741b37b1e/src/rabbit_epmd_monitor.erl (L36)

Having only one socket-activated epmd completely solves this
problem.
2018-07-19 17:32:29 +02:00
Franz Pletz
ea9078b76b
Merge pull request #41745 from rvolosatovs/fix/sshd
nixos: Add more ssh-keygen params
2018-07-14 16:29:46 +00:00
xeji
51d0309651
Merge pull request #38324 from rvl/znc-uri-prefix
znc: add uriPrefix option
2018-07-10 09:38:50 +02:00
Rickard Nilsson
d80292dbd2 nixos: Add option networking.networkmanager.dynamicHosts
This allows non-privileged users to configure local DNS
entries by editing hosts files read by NetworkManager's dnsmasq
instance.

Cherry-picked from e6c3d5a507909c4e0c0a5013040684cce89c35ce and
5a566004a2b12c3d91bf0acdb704f1b40770c28f.
2018-07-07 17:15:35 +02:00
Graham Christensen
078925c954
quagga module: Use a deep merge via imports instead of the shallow merge
The deep merge caused all the options to be unset when generating docs, unless quagga was enabled.

Using imports, instead, properly allows the documentation to be generated.
2018-07-05 22:11:29 -04:00
Ingo Blechschmidt
c97b1a44d1 supplicant: Fix tiny typo in the documentation 2018-07-04 00:14:45 +02:00
Silvan Mosberger
bdac6ac4b2
Merge pull request #42860 from ldesgoui/fix-murmur-service
murmur service: prevent silent launch failure by waiting until network is available
2018-07-03 17:34:07 +02:00
Silvan Mosberger
59dd0e6c69
Merge pull request #41222 from gnidorah/firewall
nixos/firewall: per-interface port options
2018-07-03 17:21:55 +02:00
Michael Raskin
b43c4d8b75
Merge pull request #42798 from flokli/users-users
tree-wide: users.extraUsers -> users.users, users.extraGroups -> users.groups
2018-07-02 11:23:10 +00:00
ldesgoui
16a46139d3 murmur: prevent silent launch failure 2018-07-02 05:30:43 +02:00
Jörg Thalheim
6e54e9253a iwd: set statedir to /var/lib/iwd 2018-07-01 10:59:35 +01:00
adisbladis
dd608f80db
Merge pull request #42709 from jollheef/master
hostapd: use WPA2 instead of WPA1 by default
2018-06-30 21:44:19 +08:00
Mikhail Klementev
d8f6ca1afa hostapd: use WPA2 instead of WPA1 by default 2018-06-30 11:33:11 +00:00
Florian Klink
fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Benjamin Staffin
dca7e24a11
networkmanager: Expand dns description, integrate with other services (#41898)
Rather than special-casing the dns options in networkmanager.nix, use
the module system to let unbound and systemd-resolved contribute to
the networkmanager config.
2018-06-29 13:41:46 -04:00
Jesper Geertsen Jonsson
1327218d8a zerotier: interface names changed; fix no dhcp
Since ZT v1.2.8:
ZT interface names are no longer named zt<sequence number>.
Instead they are by default named zt<network hash>.

https://www.zerotier.com/blog/2018-05-04-128.shtml
2018-06-27 15:43:55 +02:00
aszlig
a346f153b5
nixos/strongswan-swanctl: Fix build of manual
Commit 401370287a introduced a small error
where the closing tag of <literal/> was an opening tag instead.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @basvandijk, @xeji
2018-06-26 10:02:07 +02:00
xeji
7e77094f39
Merge pull request #42518 from LumiGuide/strongswan-swanctl-5.6.3
strongswan-swanctl: adapt options to strongswan-5.6.3
2018-06-25 15:01:56 +02:00
gnidorah
c60c8aa759 nixos/firewall: per-interface port options 2018-06-24 16:49:10 +03:00
Bas van Dijk
401370287a strongswan-swanctl: adapt options to strongswan-5.6.3
This time there was only one change between 5.6.2..5.6.3:

2c7a4b0704
2018-06-24 11:32:10 +02:00
Bas van Dijk
56ef106848 chrony: disable the whole timesyncd module when chronyd is enabled
Previously only the timesyncd systemd unit was disabled. This meant
that when you activate a system that has chronyd enabled the following
strange startup behaviour takes place:

  systemd[1]: Starting chrony NTP daemon...
  systemd[1]: Stopping Network Time Synchronization...
  systemd[1]: Stopped chrony NTP daemon.
  systemd[1]: Starting Network Time Synchronization...
2018-06-22 12:02:35 +02:00
Matthew Justin Bauer
3925077548
Merge pull request #41485 from teto/owamp
[RDY] Owamp : Get one way (network) latencies between synchronized computers
2018-06-20 21:45:36 -04:00
Yegor Timoshenko
b5d6a49085
nixos/networkmanager: add extraConfig 2018-06-18 22:21:27 +08:00
volth
baa1098a4a
nixos/xrdp: add fonts.enableDefaultFonts 2018-06-17 11:23:30 +00:00
xeji
bffc59badd
Merge pull request #37289 from disassembler/dnsdist
nixos/dnsdist: init module
2018-06-13 13:56:53 +02:00
volth
3ae018592d
nixos/tinc: minor fixes 2018-06-12 23:27:52 +00:00
Roman Volosatovs
1846a85b77
sshd: Add issue references to services.openssh.authorizedKeysFiles 2018-06-12 18:30:53 +02:00
Roman Volosatovs
9953edaf75
sshd: Support more ssh-keygen parameters 2018-06-12 18:26:20 +02:00
volth
d79a5057d3 nixos/nat: optional networking.nat.externalInterface (#41864)
to prevent "cannot coerce null to string" from being raised before the assertions are checked
2018-06-12 15:14:15 +02:00
volth
b25a2c9614 nixos/unbound: add restart (#41885) 2018-06-12 14:29:25 +02:00
volth
d4daddad75 nixos/nat: optional networking.nat.externalInterface (#41758) 2018-06-10 18:29:32 +02:00
Izorkin
9ef30fd56a sshd: change location of config file (#41744)
create symlink /etc/ssh/sshd_config
2018-06-10 01:39:06 +02:00
volth
2874e56c05 nixos/sslh: add transparent proxying support (#41412)
[x] Support transparent proxying. This means services behind sslh (Apache, sshd and so on) will see the external IP and ports as if the external world connected directly to them.
[x] Run sslh daemon as unprivileged user instead of root (it is not only for security, transparent proxying requires it)
[x] Removed pidFile support (it is not compatible with running sslh daemon as unprivileged user)
[x] listenAddress default changed from "config.networking.hostName" (which resolves to meaningless "127.0.0.1" as with current /etc/hosts production) to "0.0.0.0" (all addresses)
2018-06-09 00:38:51 +02:00
Matthieu Coudron
358296c05a owamp: adding module
You can retrieve the one-way latency between your client and the remote
host via owping.
2018-06-05 22:15:28 +09:00
Joachim F
ae512f2d8e
Merge pull request #34886 from leenaars/mortyproxy
morty: init -> 0.2.0
2018-06-02 10:26:09 +00:00
Matthew Justin Bauer
20ca7af00f
Merge pull request #40171 from teto/ntp
[RDY] openntpd: make -s flag work
2018-06-01 23:16:20 -04:00
Matthew Justin Bauer
76d0d7ceb5
Merge pull request #40692 from Izorkin/sshd
sshd: add custom options
2018-06-01 23:08:28 -04:00
coretemp
2d3db84ddb dnscrypt-proxy: make man 8 dnscrypt-proxy work (#41039) 2018-05-31 23:15:19 +02:00
Michiel Leenaars
e9ff80d24a morty: init as service 2018-05-30 18:13:53 +02:00
aszlig
94bc38e6c1
nixos/bind: Allow to set extra options
BIND doesn't allow the options section (or any section I'd guess) to be
defined more than once, so whenever you want to set an additional option
you're stuck using weird hacks like this:

services.bind.forwarders = lib.mkForce [ "}; empty-zones-enable no; #" ];

This basically exploits the fact that values coming from the module
options aren't escaped and thus works in a similar vein to how SQL
injection works.

Another option would be to just set configFile to a file that includes
all the options, including zones. That obviously makes the configuration
way less extensible and more awkward to use with the module system.

To make sure this change does work correctly I added a small test just
for that. The test could use some improvements, but better to have a
test rather than none at all. For a future improvement the test could be
merged with the NSD test, because both use the same zone file format.

This change has been reviewed in #40053 and after not getting any
opposition, I'm hereby adding this to master.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @peti, @edolstra
Closes: #40053
2018-05-30 05:07:39 +02:00
Samuel Leathers
fef6b9ac0c
Merge pull request #40801 from xeji/test/dnscrypt-proxy
nixos/dnscrypt-proxy: fix apparmor profile and test
2018-05-19 21:11:17 -04:00
Uli Baum
8dbd8f4d69 nixos/dnscrypt-proxy: fix apparmor profile and test
Test failed because of an incomplete apparmor profile.
- fix apparmor profile
- improve test timing, prevent non-deterministic failure
2018-05-20 02:25:42 +02:00
xeji
f4ec18aaac
nixos/cjdns: fix service for i686 (#40740)
service failed to start because of MemoryDenyWriteExecute = true,
which seems not to work on i686
2018-05-20 01:01:42 +02:00
Izorkin
ad11b960e9 sshd: add custom options 2018-05-19 11:52:00 +03:00
Kirill Elagin
865abfa609
wireguard: Enable tools on other platforms
Wireguard is now split into two pretty much independent packages:
`wireguard` (Linux-specific kernel module) and `wireguard-tools`,
which is cross-platform.
2018-05-19 01:17:26 +03:00