This allows one to add rules which change a packet's routing table:
iptables -t raw -I PREROUTING 1 -m set --match-set myset src -j MARK --set-mark 2
ip rule add fwmark 2 table 1 priority 1000
ip route add default dev wg0 table 1
to the beginning of raw table PREROUTING chain, and still have rpfilter.
This allows the user to add `wpa_supplicant` config options not yet supported by Nix without having to write the entire `wpa_supplicant.conf` file manually.
First change is to override the nm-dispatcher systemd service so that
it puts coreutils (wc/env/...) and iproute in PATH.
Second change is to make sure userscripts have the execute bit.
This reverts a change applied in PR #18491. When interfaces are
configured by DHCP (typical in a cloud environment), ordering after
network.target cause trouble to applications expecting some network to
be present on boot (for example, cloud-init is quite brittle when
network hasn't been configured for `cloud-init.service`) and on
shutdown (for example, collectd needs to flush metrics on shutdown).
When ordering after network.target, we ensure applications relying on
network.target won't have any network reachability on boot and
potentially on shutdown.
Therefore, I think ordering before network.target is better.
`ocserv` is a VPN server which follows the openconnect protocol
(https://github.com/openconnect/protocol). The packaging is slightly
inspired by the AUR version
(https://aur.archlinux.org/packages/ocserv/).
This patch initializes the package written in C, the man pages and a
module for a simple systemd unit to run the VPN server. The package
supports the following authentication methods for the server:
* `plain` (mostly username/password)
* `pam`
The third method (`radius`) is currently not supported since `nixpkgs`
misses a packaged client.
The module can be used like this:
``` nix
{
services.ocserv = {
enable = true;
config = ''
...
'';
};
}
```
The option `services.ocserv.config` is required on purpose to
ensure that nobody just enables the service and experiences unexpected
side-effects on the system. For a full reference, please refer to the
man pages, the online docs or the example value.
The docs recommend to simply use `nobody` as user, so no extra user has
been added to the internal user list. Instead a configuration like
this can be used:
```
run-as-user = nobody
run-as-group = nogroup
```
/cc @tenten8401
Fixes#42594
This reverts commit 095fe5b43d.
Pointless renames considered harmful. All they do is force people to
spend extra work updating their configs for no benefit, and hindering
the ability to switch between unstable and stable versions of NixOS.
Like, what was the value of having the "nixos." there? I mean, by
definition anything in a NixOS module has something to do with NixOS...
Having socket-activated epmd means that there always be only a single
instance managed centrally. Because Erlang also starts it
automatically if not available, and in worst case scenario 'epmd' can
be started by some Erlang application running under systemd. And then
restarting this application unit will cause complete loss of names in
'epmd' (if other Erlang system are also installed on this host).
E.g. see at which lengths RabbitMQ goes to recover from such
situations:
7741b37b1e/src/rabbit_epmd_monitor.erl (L36)
Having the only one socket-activated epmd completely solves this
problem.
This allows non-privileged users to configure local DNS
entries by editing hosts files read by NetworkManager's dnsmasq
instance.
Cherry-picked from e6c3d5a507909c4e0c0a5013040684cce89c35ce and
5a566004a2b12c3d91bf0acdb704f1b40770c28f.
The deep merge caused all the options to be unset when generating docs, unless quagga was enabled.
Using imports, instead, properly allows the documentation to be generated.
Rather than special-casing the dns options in networkmanager.nix, use
the module system to let unbound and systemd-resolved contribute to
the newtorkmanager config.
Commit 401370287a introduced a small error
where the closing tag of <literal/> was an opening tag instead.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @basvandijk, @xeji
Peviously only the timesyncd systemd unit was disabled. This meant
that when you activate a system that has chronyd enabled the following
strange startup behaviour takes place:
systemd[1]: Starting chrony NTP daemon...
systemd[1]: Stopping Network Time Synchronization...
systemd[1]: Stopped chrony NTP daemon.
systemd[1]: Starting Network Time Synchronization...
[x] Support transparent proxying. This means services behind sslh (Apache, sshd and so on) will see the external IP and ports as if the external world connected directly to them.
[x] Run sslh daemon as unprivileged user instead of root (it is not only for security, transparent proxying requires it)
[x] Removed pidFile support (it is not compatible with running sslh daemon as unprivileged user)
[x] listenAddress default changed from "config.networking.hostName" (which resolves to meaningless "127.0.0.1" as with current /etc/hosts production) to "0.0.0.0" (all addresses)
BIND doesn't allow the options section (or any section I'd guess) to be
defined more than once, so whenever you want to set an additional option
you're stuck using weird hacks like this:
services.bind.forwarders = lib.mkForce [ "}; empty-zones-enable no; #" ];
This basically exploits the fact that values coming from the module
options aren't escaped and thus works in a similar vain to how SQL
injection works.
Another option would be to just set configFile to a file that includes
all the options, including zones. That obviously makes the configuration
way less extensible and more awkward to use with the module system.
To make sure this change does work correctly I added a small test just
for that. The test could use some improvements, but better to have a
test rather than none at all. For a future improvement the test could be
merged with the NSD test, because both use the same zone file format.
This change has been reviewed in #40053 and after not getting any
opposition, I'm hereby adding this to master.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @peti, @edolstra
Closes: #40053
Wireguard is now split into two pretty much independent packages:
`wireguard` (Linux-specific kernel module) and `wireguard-tools`,
which is cross-platform.
* networking/stubby.nix: implementing systemd service module for stubby
This change implements stubby, the DNS-over-TLS stub resolver daemon.
The motivation for this change was the desire to use stubby's
DNS-over-TLS funcitonality in tandem with unbound, which requires
passing certain configuration parameters. This module implements those
config parameters by exposing them for use in configuration.nix.
* networking/stubby.nix: merging back module list
re-merging the module list to remove unecessary changes.
* networking/stubby.nix: removing unecessary capabilities flag
This change removes the unecessary flag for toggling the capabilities
which allows the daemon to bind to low ports.
* networking/stubby.nix: adding debug level logging bool
Adding the option to turn on debug logging.
* networking/stubby.nix: clarifying idleTimeout and adding systemd target
Improving docs to note that idleTimeout is expressed in ms. Adding the
nss-lookup `before' target to the systemd service definition.
* networking/stubby.nix: Restrict options with types.enum
This change restricts fallbackProtocol and authenticationMode to accept
only valid options instead of any list or str types (respectively). This
change also fixes typo in the CapabilityBoundingSet systemd setting.
* networking/stubby.nix: cleaning up documentation
Cleaning up docs, adding literal tags to settings, and removing
whitespace.
* networking/stubby.nix: fixing missing linebreak in comments
* networking/stubby.nix: cleaning errant comments
after seeing
`adjtime failed: Invalid argument` in my syslog, I tried using
`ntpd -s` but it would trigger
`/etc/ntpd.conf: No such file or directory`
see https://github.com/NixOS/nixpkgs/issues/31885
Instead of running the daemon with a specific config file, use the
standard file so that user are able to use the ntp executable without
having to look for the current config file.
Tracking scripts in particular, cannot be included in extraOpts, because script declaration has to be above script usage in keepalived.conf.
Changes are fully backward compatible.
When trying to run NSD to serve the root zone, one gets the following
error message:
error: illegal name: '.'
This is because the name of the zone is used as the derivation name for
building the zone file. However, Nix doesn't allow derivation names
starting with a period.
So whenever the zone is "." now, the file name generated is "root"
instead of ".".
I also added an assertion that makes sure the user sets
services.nsd.rootServer, otherwise NSD will fail at runtime because it
prevents serving the root zone without an explicit compile-time option.
Tested this by adding a root zone to the "nsd" NixOS VM test.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @hrdinka, @qknight
Ubiquiti has both a LTS and current version of their Unifi controller software.
The latter adds new features, but may drop support for some devices.
This adds the capability to use either for the unifi module but defaults
to the LTS version, which was the previous behavior.
This is more in line with what other services do; also looks cleaner.
It changes configuration entries for pre-and post-hooks type to lines from
lists of strings which are more logical for them; coersion is provided for
backwards compatibility.
Finally, add several steps to improve robustness:
1. Load kernel module on start if not loaded;
2. Don't remove wireguard interface on start; it is removed on service stop. If
it's not something is wrong.
Do cleanup of user-created additional rules.
Of course it'd be much better to just use iptables-{save,restore} for
declarative management, but as it's still not there...
a) Some providers can update multiple domains - support that.
b) Make "zone" and "script" configurable. Some providers require these.
c) Instead of leaving the ddclient daemon running all the time, use a systemd
timer to kick it off.
d) Don't use a predefined user - run everything via DynamicUser
e) Add documentation
Currently broken on NixOS due to hardcoded modprobe binary path (see
bug #30756 from Oct 2017), no activity on a proposed fix for months.
As the protocol is terribly broken anyways, let's better remove it
completely, and not talk about anymore ;-)
Closes#30756.
Resolved the following conflicts (by carefully applying patches from the both
branches since the fork point):
pkgs/development/libraries/epoxy/default.nix
pkgs/development/libraries/gtk+/3.x.nix
pkgs/development/python-modules/asgiref/default.nix
pkgs/development/python-modules/daphne/default.nix
pkgs/os-specific/linux/systemd/default.nix
I determined which options got changed by executing the following
commands in the strongswan repository:
git diff -U20 5.6.0..5.6.1 src/swanctl/swanctl.opt
git diff -U20 5.6.0..5.6.1 conf
The strongswan-swanctl systemd service starts charon-systemd. This implements a IKE daemon
very similar to charon, but it's specifically designed for use with systemd. It uses the
systemd libraries for a native integration.
Instead of using starter and an ipsec.conf based configuration, the daemon is directly
managed by systemd and configured with the swanctl configuration backend.
See: https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd
Note that the strongswan.conf and swantctl.conf configuration files are automatically
generated based on NixOS options under services.strongswan-swanctl.strongswan and
services.strongswan-swanctl.swanctl respectively.