Commit Graph

1453 Commits

Author SHA1 Message Date
Martin Potier
ff562459cc nixos/libreswan: add missing runtime dependencies 2017-10-22 15:36:26 +02:00
Peter Hoeg
07bc859e9a Revert "ssh: deprecate use of old DSA keys"
This reverts commit 65b73d71cb.
2017-10-14 14:42:49 +08:00
Peter Hoeg
bdbba026f3 Revert "dnsmasq nixos: make sure it always runs"
This reverts commit 1917e69b54.
2017-10-14 14:42:49 +08:00
Peter Hoeg
8df1c9ac17 Revert "firewalld: init at 0.4.4.4"
This reverts commit 178a96f99b.
2017-10-14 14:42:48 +08:00
Peter Hoeg
ff3fd1027c Revert "networkmanager: dns and extraConfig"
This reverts commit 0dd25e585f.
2017-10-14 14:42:48 +08:00
Peter Hoeg
0dd25e585f networkmanager: dns and extraConfig 2017-10-14 14:38:04 +08:00
Peter Hoeg
178a96f99b firewalld: init at 0.4.4.4
Includes systemd module.
2017-10-14 14:38:04 +08:00
Peter Hoeg
1917e69b54 dnsmasq nixos: make sure it always runs
By default we only restart if the dnsmasq daemon fails but we introduce an
option to always keep it running.
2017-10-14 14:38:04 +08:00
Peter Hoeg
65b73d71cb ssh: deprecate use of old DSA keys
They are not safe and shouldn't be used.
2017-10-14 14:38:04 +08:00
Jörg Thalheim
b90f50862f Merge pull request #30324 from florianjacob/firewall-clarify-logging
nixos/firewall: Rename misleading rejected to refused in logging
2017-10-13 20:25:21 +01:00
Yegor Timoshenko
22505d8df4 connman: do not restart after suspend 2017-10-13 13:05:02 +02:00
Matt McHenry
bbec429f7a djbdns: fix root server list at build time
as suggested by @peterhoeg in
1b7e5eaa79 (commitcomment-24560631)

fixes #30379
2017-10-13 10:29:12 +01:00
Peter Hoeg
0034f9e52c dnsmasq nixos: make sure it always runs
By default we only restart if the dnsmasq daemon fails but we introduce an
option to always keep it running.
2017-10-12 12:55:12 +08:00
Florian Jacob
847beb558f nixos/firewall: Rename misleading rejected to refused in logging
as that's used as general term for rejected or dropped packets
in the rest of the config.
2017-10-11 20:12:58 +02:00
Yegor Timoshenko
274c9b7587 unbound: fix typo in systemd Before 2017-10-10 20:08:36 +00:00
Guillaume Maudoux
15b7e102b6 Safer defaults for immutable znc config (#30155)
* Safer defaults for immutable znc config

I just lost all the options I configured in ZNC, because the mutable config was overwritten.
I accept any suggestions on the way to implement this, but overwriting a mutable config by default seems weird. If we want to do this, we should ensure that ZNC does not allow to edit the config via the webmin when cfg.mutable is false.

* Do not backup old config files.

There seems to be little need for backups if mutable becomes a voluntary opt-out.

* fixup
2017-10-07 16:38:14 +01:00
Tim Steinbach
8840eaf223
keybase: Fix modules 2017-10-06 18:49:58 -04:00
Wei-Ming Yang
7e4e2667ae softether: 4.18 -> 4.20 2017-10-03 01:35:20 +08:00
volth
ddd13e1375 nixos/tinc: add "restartTriggers" back
Add "restartTriggers" back to restart the Tinc daemon when its peer is removed.
Reverted #27660
2017-09-27 23:16:02 +00:00
Niklas Hambüchen
f4c53f1940 consul service: Restart on failure.
Consul is a service you typically want to have running all the time;
it's not supposed to quit by itself.
2017-09-28 00:41:15 +02:00
Jörg Thalheim
2b8cba2ff5 Merge pull request #29874 from mbrgm/znc-fix
znc: fix openFirewall option
2017-09-27 23:08:51 +01:00
Franz Pletz
725dee203a
wpa_supplicant service: restart instead of stop & start
We now wait for dhcpcd to acquire a lease but dhcpcd is restarted on
system activation. As wpa_supplicant is stopped while dhcpcd is
restarting a significant delay is introduced on systems with wireless
network connections only. This changes the wpa_supplicant service to
also be restarted together with dhcpcd in case both services were
changed.
2017-09-27 23:38:03 +02:00
Marius Bergmann
dd50575d5a znc: fix openFirewall option
The current version is broken:
- there's no `openFirewall` attribute directly in the `cfg` set
- the `port` option is an attribute of the `confOptions` set

I used the proper attribute for the firewall port and moved the `openFirewall`
option directly up to the `services.znc` set, as it's rather a general option
for the whole service than a znc-specific option (which are located inside the
`confOptions` set).
2017-09-27 22:18:03 +02:00
Joerg Thalheim
75ba415fbc nixos/tinc: remove useless script argument
ExecStart is sufficient and more transparent to the user.
2017-09-27 17:57:39 +02:00
Joerg Thalheim
ad8cb0917f nixos/tinc: do not add Device= by default
tinc can figure this out based on DeviceType.
I also got `/dev/net/tun FD in bad state` after a particular upgrade.
2017-09-27 17:57:39 +02:00
Joerg Thalheim
194c4002b6 wireguard: fix function for adding routes 2017-09-25 20:42:03 +01:00
Jörg Thalheim
08b827ae8e Merge pull request #29753 from andir/wireguard-allowed-ips-as-route-optional
networking.wireguard: added `allowedIpsAsRoutes` boolean to control p…
2017-09-25 20:32:11 +01:00
Andreas Rammhold
846070e028
networking.wireguard: added allowedIpsAsRoutes boolean to control peer routes
Sometimes (especially in the default route case) it is required to NOT
add routes for all allowed IP ranges. One might run it's own custom
routing on-top of wireguard and only use the wireguard addresses to
exchange prefixes with the remote host.
2017-09-25 21:30:52 +02:00
Silvan Mosberger
a8c97ad23e nixos/radicale: fix default version (#29743) 2017-09-25 10:18:42 +00:00
Jörg Thalheim
975c7b2204 Merge pull request #29450 from jerith666/djb-1709
Add modules for tinydns and dnscache from djbdns
2017-09-24 15:39:29 +01:00
Joerg Thalheim
735b41c34f nixos/tinydns: default data to empty string
(not strictly required to start the service)
2017-09-24 15:38:25 +01:00
Robin Gloster
08b09fdc5c
fanctl, fan module: remove
This has been broken nearly all the time due to the patches needed to
iproute2 not being compatible with the newer versions we have been
shipping. As long as Ubuntu does not manage to upstream these changes
so they are maintained with iproute2 and we don't have a maintainer
updating these patches to new iproute2 versions it is not feasible to
have this available.
2017-09-23 17:55:33 +02:00
Peter Simons
99f759de1c Revert "nixos: add option for bind to not resolve local queries (#29503)"
This reverts commit 670b4e29adc16e0a29aa5b4c126703dcca56aeb6. The change
added in this commit was controversial when it was originally suggested
in https://github.com/NixOS/nixpkgs/pull/29205. Then that PR was closed
and a new one opened, https://github.com/NixOS/nixpkgs/pull/29503,
effectively circumventing the review process. I don't agree with this
modification. Adding an option 'resolveLocalQueries' to tell the locally
running name server that it should resolve local DNS queries feels
outright nuts. I agree that the current state is unsatisfactory and that
it should be improved, but this is not the right way.

(cherry picked from commit 23a021d12e8f939cd0bfddb1c7adeb125028c1e3)
2017-09-23 16:41:34 +02:00
Matt McHenry
1b7e5eaa79 nixos/dnscache: add module
with improvements suggested by Jörg Thalheim <joerg@thalheim.io>
2017-09-19 21:24:58 -04:00
Matt McHenry
ab851b63da nixos/tinydns: add module
with improvements suggested by Jörg Thalheim <joerg@thalheim.io>
2017-09-19 20:57:41 -04:00
Franz Pletz
406c7a0731 Merge pull request #29521 from aneeshusa/ease-radicale-upgrade
Ease radicale upgrade
2017-09-18 23:13:53 +02:00
gwitmond
bd52618c9d
nixos: add option for bind to not resolve local queries (#29503)
When the user specifies the networking.nameservers setting in the
configuration file, it must take precedence over automatically
derived settings.

The culprit was services.bind that made the resolver set to
127.0.0.1 and ignore the nameserver setting.

This patch adds a flag to services.bind to override the nameserver
to localhost. It defaults to true. Setting this to false prevents the
service.bind and dnsmasq.resolveLocalQueries settings from
overriding the users' settings.

Also, when the user specifies a domain to search, it must be set in
the resolver configuration, even if the user does not specify any
nameservers.

(cherry picked from commit 670b4e29adc16e0a29aa5b4c126703dcca56aeb6)

This commit was accidentally merged to 17.09 but was intended for
master. This is the cherry-pick to master.
2017-09-18 22:54:29 +02:00
Franz Pletz
dc08dcf6e7
ssh service: add sftpFlags option 2017-09-18 21:52:07 +02:00
Robert Klotzner
a9f60224f8 coturn service: Fix coturn to properly come up (#29415)
properly also in case dhcpcd being used.

Without network-online.target, coturn will fail to listen on addresses that
come up with dhcpcd.
2017-09-18 14:54:32 +02:00
Franz Pletz
b179908414
nixos/networking: network is online if default gw set
Previously services depending on network-online.target would wait until
dhcpcd times out if it was enabled and a static network address
configuration was used. Setting the default gateway statically is enough
for the networking to be considered online.

This also adjusts the relevant networking tests to wait for
network-online.target instead of just network.target.
2017-09-18 14:51:38 +02:00
Aneesh Agrawal
fcd590d116 radicale: Add extraArgs option to assist in data migration 2017-09-18 00:29:01 -07:00
Franz Pletz
275914323b Merge pull request #27256 from bachp/squid-service
squid service: initial service based on default config
2017-09-17 18:52:53 +02:00
Florian Jacob
8cea87c1eb nixos/tinc: Fix tinc cli wrapper for tinc 1.0.
tinc prior to 1.1 doesn't have the `tinc` executable,
and `tincd` isn't of any use while the daemon already runs.
2017-09-17 10:46:12 +02:00
Joachim F
c0616a3234 Merge pull request #28892 from ryantm/matterbridge2
matterbridge, modules/matterbridge: init at 1.1.0
2017-09-16 12:43:35 +00:00
Silvan Mosberger
fea9e081a9
namecoin service: fix typo 2017-09-15 23:08:53 +02:00
Bjørn Forsman
6b7a9376f1 nixos/wpa_supplicant: use literalExample
For various reasons, big Nix attrsets look ugly in the generated manual
page[1]. Use literalExample to fix it.

[1] Quotes around attribute names are lost, newlines inside multi-line
strings are shown as '\n' and attrs written on multiple lines are joined
into one.
2017-09-15 20:27:48 +02:00
Jörg Thalheim
13edd9765a Merge pull request #29125 from geistesk/firehol-3.1.4
firehol: init at 3.1.4, iprange: init at 1.0.3
2017-09-13 18:10:22 +01:00
Edward Tjörnhammar
847ce53ab1
nixos, i2pd: nat option, default true 2017-09-12 10:13:29 +02:00
Ryan Mulligan
9c786d82f2 matterbridge, modules/matterbridge: init at 1.1.0 2017-09-10 08:57:28 -07:00
Jörg Thalheim
7641d0e335 Merge pull request #29171 from vaibhavsagar/znc-open-firewall
znc: open firewall with configured port
2017-09-10 14:34:29 +01:00
Vaibhav Sagar
c7dd5e146b znc: add openFirewall configuration option 2017-09-10 18:41:39 +08:00
Vaibhav Sagar
83d89e9b22 znc: open firewall with configured port
The configuration doesn't currently open the configured port, which is
less convenient than opening it.
2017-09-10 11:30:46 +08:00
Vaibhav Sagar
405050b2cb znc: fix network example configuration
s/ssl/useSSL/
2017-09-10 11:25:29 +08:00
Pascal Bach
2ed89eddf3 squid service: intial service based on default config 2017-09-09 12:44:46 +02:00
geistesk
2316f16ac0 nixos/fireqos: add service 2017-09-09 00:29:46 +02:00
Jörg Thalheim
6f0b538044 nixos/mfi: remove 2017-09-07 10:24:03 +01:00
makefu
ca54a86162
dnscrypt-wrapper module: fix permissions and options
When keys get refreshed a folder with the permissions of the root user
get created in the home directory of the user dnscrypt-wrapper. This
prevents the service from restarting.

In addition to that the parameters of dnscrypt-wrapper have
changed in upstream and in the newly packaged software.
2017-09-06 15:27:05 +02:00
Symphorien Gibol
bd54589233 networkmanager_iodine: init at 1.2.0 2017-08-30 02:58:29 +02:00
Franz Pletz
7d1d019650 Merge pull request #27826 from Infinisil/radicale
radicale: update to version 2
2017-08-30 02:17:34 +02:00
Franz Pletz
951106c650
lldpd: 0.9.7 -> 0.9.8
Now uses the upstream systemd unit which adds lots of hardening flags.
2017-08-27 02:33:32 +02:00
Joachim F
227697bc67 Merge pull request #28562 from oxij/nixos/i2pd
nixos: i2pd: bits and pieces
2017-08-26 10:07:35 +00:00
Jan Malakhovski
27aa99753b nixos: i2pd: fix indent 2017-08-25 12:49:10 +00:00
Jan Malakhovski
3594c4eec6 nixos: i2pd: tiny fix in a description 2017-08-25 12:49:10 +00:00
SLNOS
fd872c9b71 nixos: i2pd: enable ElGamal precomputation by default 2017-08-25 12:49:10 +00:00
SLNOS
af5de701b7 nixos: i2pd: add logLevel 2017-08-25 12:49:10 +00:00
SLNOS
042329be5e nixos: i2pd: one fork less, one process less 2017-08-25 12:49:10 +00:00
SLNOS
b42a107bc6 nixos: i2pd: rename extIp -> address to harmonize with tor 2017-08-25 12:49:10 +00:00
SLNOS
c21d434d1b nixos: i2pd: change httpproxy port to its default value 2017-08-25 12:49:10 +00:00
Frederik Rietdijk
31ba3649ec Merge pull request #28189 from Nadrieril/ffsync-non-root
firefox syncserver service: run as non-root user by default
2017-08-24 20:47:52 +02:00
Silvan Mosberger
e16a0988bc
radicale: 1.1.4 -> 2.1.2
This commit readds and updates the 1.x package from 1.1.4 to 1.1.6 which
also includes the needed command for migrating to 2.x

The module is adjusted to the version change, defaulting to radicale2 if
stateVersion >= 17.09 and radicale1 otherwise. It also now uses
ExecStart instead of the script service attribute. Some missing dots at
the end of sentences were also added.

I added a paragraph in the release notes on how to update to a newer
version.
2017-08-13 17:23:43 +02:00
Peter Hoeg
4ce76d9e1a ddclient nixos module: follow best practice for running daemons
Couple of changes:

 - move home to /var/lib/ddclient so we can enable ProtectSystem=full
 - do not stick binary into systemPackages as it will only run as a daemon
 - run as dedicated user/group
 - document why we cannot run as type=forking (output is swallowed)
 - secure things by running with ProtectSystem and PrivateTmp
 - .pid file goes into /run/ddclient
 - let nix create the home directory instead of handling it manually
 - make the interval configurable
2017-08-13 21:56:48 +08:00
Nadrieril
69a4836df5 firefox syncserver service: run as non-root user by default 2017-08-12 14:42:50 +01:00
Frederik Rietdijk
c06fb4a269 Merge pull request #28188 from Nadrieril/ffsync-fix-pythonpath
firefox syncserver service: fix PYTHONPATH
2017-08-12 15:11:53 +02:00
Nadrieril
d6c1d2f793 firefox syncserver service: fix PYTHONPATH 2017-08-12 14:08:25 +01:00
Jörg Thalheim
c2e7b0e0b4 Merge pull request #27997 from richardlarocque/mosquitto_hashed_pass_docs
nixos/mosquitto: Fix instructions for password gen
2017-08-12 09:07:22 +01:00
Franz Pletz
61d133c1ee Merge pull request #27939 from evujumenuk/wireguard-rt_tables
wireguard: add per-peer routing table option
2017-08-11 16:27:07 +02:00
Joachim F
793523d7bc Merge pull request #28089 from volth/patch-9
nixos/tinc: do not tell systemd where is pidfile
2017-08-11 13:31:57 +00:00
Joachim Fasting
767b2ae327
nixos/dnscrypt-proxy: default to random upstream resolver 2017-08-10 01:19:17 +02:00
volth
b32b18631e nixos/tinc: do not tell systemd where is pidfile
```Tinc```'s pid file has more info than just a pid

```
# cat /run/tinc.dmz.pid
12209 7BD4A657B4A04364D268D188A0F4AA972A05247D802149246BBE1F1E689CABA1 127.0.0.1 port 656
```
so ```systemd``` fails to parse it.
It results in long (re)start times when ```systemd``` waits for a correct pid file to appear.
2017-08-09 22:35:20 +00:00
volth
7e5332c868 tinc: allow the daemon to write to files in /etc/tinc/${network}/hosts
Follow up https://github.com/NixOS/nixpkgs/pull/27756: tinc daemon may also create new files in ```/etc/tinc/$network/hosts```
2017-08-10 00:09:45 +02:00
Michael Raskin
29c3ea0cf0 Merge pull request #27925 from adisbladis/networkmanager_unbound
networkmanager service: use unbound if enabled
2017-08-08 12:13:42 +02:00
evujumenuk
eaab02b94f wireguard: convert "table" to an interface option
Do the right thing, and use multiple interfaces for policy routing. For example, WireGuard interfaces do not allow multiple routes for the same CIDR range.
2017-08-08 01:45:19 +02:00
Richard Larocque
b27d8c5d0a nixos/mosquitto: Fix instructions for password gen
Fixes https://github.com/NixOS/nixpkgs/issues/27996.

Updates instructions for generating hashes passwords for use in a
Mosquitto password file.  Using `mosquitto_passwd` to generate these
hashes is a little less convenient, but the results are more likely to
be compatible with the mosquitto daemon.

As far as I can tell, the hashes generated with `mkpassd` did not work
as intended.  But this may have been hidden by another bug:
https://github.com/NixOS/nixpkgs/issues/27130.
2017-08-06 15:54:36 -07:00
Richard Larocque
66b07e41e6 nixos/mosquitto: Add checkPasswords option
Related to https://github.com/NixOS/nixpkgs/issues/27130.

Adds an option to NixOS configuration option to have Mosquitto use the
password file that it generates.  When this option is false the
Mosquitto server will accept login attempts with any username and any
password.  This option defaults to false because this matches the
behavior of the service prior to the introduction of this option.

When the `services.mosquitto.checkPasswords` is true, the server will
only accept valid usernames and passwords.
2017-08-06 15:31:37 -07:00
evujumenuk
6070d91e93 wireguard: remove "table" option from example
Most users will be served well by the default "table" setting ("main").
2017-08-04 21:00:45 +02:00
evujumenuk
e355f7044d wireguard: add per-peer routing table option
This adds a convenient per-peer option to set the routing table that associated routes are added to. This functionality is very useful for isolating interfaces from the kernel's global routing and forcing all traffic of a virtual interface (or a group of processes, via e.g. "ip rule add uidrange 10000-10009 lookup 42") through Wireguard.
2017-08-04 18:30:53 +02:00
Phil
4f277bd920 nixos/networking/nat: add option for protocol
This commit adds an option to allow udp port forwarding (see #24894).
2017-08-04 17:03:05 +02:00
adisbladis
da7755b75c
networkmanager service: use unbound if enabled 2017-08-04 13:50:06 +08:00
Robin Gloster
a4647bc33f
tlsdate: remove
Dead and does not build with openssl 1.1.
Debian has removed it, too.
2017-08-04 02:24:03 +02:00
Simon Lackerbauer
1075919413
unifi: add options to control JVM heap size
Our controller was acting very sluggish at times and increasing
available RAM for the JVM fixes this.
2017-08-04 02:12:31 +02:00
Franz Pletz
3b472d78a8
avahi-daemon service: add cacheEntriesMax option 2017-08-04 02:10:11 +02:00
Markus Mueller
53d2f0980d
nat: always flush nixos nat rules on firewall start/reload
Fixes #27510
2017-08-03 21:16:14 +02:00
Franz Pletz
c217f48c35
searx: 0.11.0 -> 0.12.0 2017-08-01 06:16:03 +02:00
Volth
3b82d7db82 tinc: allow the daemon to write to files in /etc/tinc/${network}/hosts 2017-07-30 00:25:04 +00:00
volth
eaa2d27b90 nixos/tinc: remove restartTriggers
```restartTriggers``` pointed to the constant files in ```/nix/store/``` and had to effect.
2017-07-29 21:32:28 +02:00
Volth
688dc4e4c3 tinc_pre: avoid infinite loop with EBADFD on network restart 2017-07-27 18:04:33 +02:00
Volth
00512470ec tinc service: add CLI tools to the $PATH
Now user can execute e.g. "sudo tinc.netname dump nodes"
2017-07-25 23:13:58 +02:00
Aristid Breitkreuz
63190540a8 wireguard: sometimes module tries to re-add the default route, which fails - use replace to make it succeed 2017-07-23 23:08:39 +02:00
Joachim F
1a768eba2a Merge pull request #26632 from jazmit/nixpkgs
coturn: allow use of ports < 1024
2017-07-23 12:56:05 +01:00
Aristid Breitkreuz
9b0ff955fd wireguard: allow not storing private keys in world-readable /nix/store (#27433)
* wireguard: allow not storing private keys in world-readable /nix/store
2017-07-17 23:55:31 +02:00
Falco Peijnenburg
b09d036342 Strongswan after network-online instead of network
The systemd service file shipped with strongswan has strongswan started after `network-online`. It turns out that this is for good reason: failure to connect on boot otherwise. 

See this thread on the mailing list, which my colleague initiated after finding that our NixOS strongswan config wouldn't connect on boot:
https://lists.strongswan.org/pipermail/users/2017-January/010359.html

Tested on a local config (which has the strongswan service config overridden).
2017-07-17 20:17:58 +02:00
Jörg Thalheim
04c944cdb4 Merge pull request #27057 from Nadrieril/bitlbee-libpurple
bitlbee service: Add option to load libpurple plugins into bitlbee
2017-07-17 18:07:43 +01:00
Nadrieril
8669fb1f96 tinc service: BindToAddress and ListenAddress are different options, they should not be mistaken 2017-07-17 13:07:49 +02:00
Nadrieril
65e38b7c52 bitlbee service: Add option to load libpurple plugins into bitlbee 2017-07-16 14:19:39 +01:00
Michael Raskin
0d2d5e2147 Merge pull request #27143 from florianjacob/networkmanager-support-resolved
networkmanager service: use resolved if enabled
2017-07-08 22:34:09 +02:00
zimbatm
4d545297d8 lib: introduce imap0, imap1 (#25543)
* lib: introduce imap0, imap1

For historical reasons, imap starts counting at 1 and it's not
consistent with the rest of the lib.

So for now we split imap into imap0 that starts counting at zero and
imap1 that starts counting at 1. And imap is marked as deprecated.

See c71e2d4235 (commitcomment-21873221)

* replace uses of lib.imap

* lib: move imap to deprecated.nix
2017-07-04 23:29:23 +01:00
Florian Jacob
12f54a5746 networkmanager service: use resolved if enabled 2017-07-04 23:50:56 +02:00
Rickard Nilsson
a6cf6367e2 network-manager: hostname option is deprecated
From log:
<warn>  [1498639184.8965] keyfile: 'hostname' option is deprecated and has no effect
2017-06-28 10:56:31 +02:00
michael bishop
bb16bced36
toxvpn: 20161230 -> 2017-06-25 2017-06-25 20:17:20 -03:00
Joachim Schiele
3d52203ab2 sshd.nix: Added nixops usage warning of openssh.authorizedKeys.keys usage 2017-06-22 11:50:09 +02:00
James
c9fdf3f4db coturn: allow use of ports < 1024 2017-06-20 09:17:24 +01:00
Jörg Thalheim
96eaad8fd4 Merge pull request #26697 from kirelagin/nsd-stderr
nsd: Send stderr to /dev/null
2017-06-18 16:53:36 +01:00
Jörg Thalheim
f36cdf1171 Merge pull request #26675 from kirelagin/bind-rndc
bind: Use rndc to control the daemon
2017-06-18 16:30:02 +01:00
Kirill Elagin
13d026e219 bind: Use rndc to control the daemon 2017-06-18 17:29:29 +03:00
Kirill Elagin
e66d2753f3 nsd: Send stderr to /dev/null
nsd by default logs _both_ to syslog and to standard error which results
in all the messages ending up in the journal twice, the ones from stderr
with an ugly timestamp sticked in front of them.
2017-06-18 15:31:34 +03:00
Pascal Bach
c9802321c1 cntlm service: cleanup non working config options (#26578)
- extraConfig was not working
- add possibility to add cntlm.conf in verbatime form
- create cntlm user as system user
- add no proxy option
2017-06-15 12:11:48 +02:00
Edward Tjörnhammar
3dcecf09fc
Remove aiccu package and service due to sunsetting.
https://www.sixxs.net/main/
2017-06-15 06:58:08 +02:00
Joachim Schiele
ca17f3b8ef hostapd dependency fix for https://github.com/nixos/nixpkgs/issues/16090 (#26573) 2017-06-14 16:44:46 +02:00
David Tulig
bb6cf349ff bind service: add listen-on options (#26430)
This adds configuration options for the bind package so that the
interfaces that bind listens on can be configured rather than just
hardcoded as any. The default values preserve the old behavior to be
backwards compatible.
2017-06-10 12:19:07 +02:00
rnhmjoj
2606d395fc
dnschain: allow different bind and external addresses 2017-06-03 12:24:04 +02:00
Jörg Thalheim
3d17573cd4
resilio: remove systemd user service
this used to be part of the upstream btsync package

fixes #26303
2017-06-02 21:25:21 +01:00
Jörg Thalheim
c611d03842
resilio: generate configuration with toJSON 2017-06-02 21:25:07 +01:00
Kjartan Ovmilk
919b39bb7c
resilio service: replaces btsync service, which is no longer supported upstream. 2017-06-02 21:24:49 +01:00
Peter Hoeg
a087081ebb network-manager: add support for internal DHCP 2017-06-02 19:21:46 +08:00
Zetok Zalbavar
92b923b378
i2pd: correct docs about bandwidth setting 2017-06-02 06:31:39 +02:00
Franz Pletz
a49c2366ef
nixos/firewall: clean up rpfilter rules properly
The rpfilter rules wouldn't be removed if it was previously enabled
but disabled in a new generation.
2017-05-29 17:26:34 +02:00
Niklas Hambüchen
19c298e973 tinc: Mention in docs that the host name may not be used verbatim. (#26157)
* tinc: Mention in docs that the host name may not be used verbatim.

Source:

  5c344f2976/src/net_setup.c (L341)

* tinc: also replaces non-alphanumeric characters.
2017-05-27 16:31:25 +01:00
Jörg Thalheim
6ab7038d27 Merge pull request #26081 from nocoolnametom/update-znc
znc module: Fix error with bitlbee channel closing tag missing a newline
2017-05-26 07:43:10 +01:00
Sebastian Hagen
b3b2431932 charybdis service: add option to configure MOTD (#25512)
Read MOTD files from /etc/charybdis.
2017-05-25 23:28:50 +02:00
Tom Doggett
2505203d7b
znc module: Fix error with bitlbee channel closing tag missing a newline. 2017-05-24 22:09:43 -07:00
Jörg Thalheim
0e9e777508
znc: document password generation better
cc @rtjre
2017-05-23 21:22:28 +01:00
Arseniy Seroka
c734781158 Merge pull request #25958 from Mic92/iwd
iwd: init at unstable-2017-04-21
2017-05-22 20:04:04 +03:00
Calum MacRae
abe0da425b kbfs service: init (#25610)
* kbfs service: init
2017-05-22 08:14:12 +08:00
Jörg Thalheim
a527a47cd3
iwd: init at unstable-2017-04-21 2017-05-21 11:05:35 +01:00
Franz Pletz
b411968774
lldpd: init at 0.9.7 2017-05-21 01:16:42 +02:00
Jörg Thalheim
376fe51da2 Merge pull request #25877 from nocoolnametom/update-znc
znc service: refactor config generation
2017-05-20 09:49:26 +01:00
Stefan Lau
a3696aa090 networkmanager_fortisslvpn: init at 1.2.4 2017-05-19 19:18:30 +02:00
Jascha Geerds
d4e2cbd5c9 miredo: Improve service description 2017-05-18 15:57:26 +02:00
Tom Doggett
e28203fd48
Adding options to enable bitlbee and slack gateways in znc config. 2017-05-17 16:13:18 -07:00
Jörg Thalheim
64acaa1e2d Merge pull request #25646 from zx2c4/wg-psk-change
wireguard: 0.0.20170421 -> 0.0.20170517
2017-05-17 23:58:51 +01:00
Joachim Schiele
d5e18499d9 on error, add a reference to the configuration file (#25825)
error now adds the zone file in the output which makes 'reasonable' debugging possible!

[root@nixdoc:~/nixpkgs_nsd]# nixos-rebuild -I nixpkgs=. switch
building Nix...
building the system configuration...
these derivations will be built:
  /nix/store/318a7mhwlz1x0cy4hl1259n8x9z0jacy-nsd-env.drv
  /nix/store/fnbhk8grwk7vfdk3gby49bv6kml8hjcc-unit-script.drv
  /nix/store/xf80mq1f1c3pm37fci0vi5ixy4gb1rcp-unit-nsd.service.drv
  /nix/store/bfmkkykqksmvkhvh3ppl36k86lbw9v4i-system-units.drv
  /nix/store/ja97mwl2r0wdrxccl82dx8jln7jlmnyb-etc.drv
  /nix/store/yh8m6b3j8vapz2r1wzffq8zq09j56q8p-nixos-system-nixdoc.io-17.09.git.0afb6d7.drv
building path(s) ‘/nix/store/sg7w3k6qg2yr02a0sbrgbv5yiqn9pzcq-nsd-env’
created 2 symlinks in user environment
checking zone files
|- checking zone '/nix/store/sg7w3k6qg2yr02a0sbrgbv5yiqn9pzcq-nsd-env/zones/lastlog.de.'
[2017-05-16 10:30:34.628] nsd-checkzone[27696]: error: lastlog.de.:17: syntax error
[2017-05-16 10:30:34.628] nsd-checkzone[27696]: error: lastlog.de.:17: unrecognized RR type 'lastlog'
zone lastlog.de. file lastlog.de. has 2 errors
builder for ‘/nix/store/318a7mhwlz1x0cy4hl1259n8x9z0jacy-nsd-env.drv’ failed with exit code 1
cannot build derivation ‘/nix/store/xf80mq1f1c3pm37fci0vi5ixy4gb1rcp-unit-nsd.service.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/bfmkkykqksmvkhvh3ppl36k86lbw9v4i-system-units.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/ja97mwl2r0wdrxccl82dx8jln7jlmnyb-etc.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/yh8m6b3j8vapz2r1wzffq8zq09j56q8p-nixos-system-nixdoc.io-17.09.git.0afb6d7.drv’: 1 dependencies couldn't be built
error: build of ‘/nix/store/yh8m6b3j8vapz2r1wzffq8zq09j56q8p-nixos-system-nixdoc.io-17.09.git.0afb6d7.drv’ failed
2017-05-16 12:40:09 +02:00
Jason A. Donenfeld
6e50243d98 wireguard: preshared-key is now an attribute of the peer
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-09 16:58:39 +02:00
Volth
9bce416637 xrdp: environment.pathsToLink from xserver.nix 2017-05-02 21:08:07 +00:00
Volth
830669ca05 xrdp: do not restart xrdp-sesman on nixos-rebuild 2017-05-02 21:08:07 +00:00
Michael Raskin
1c8d388201 Merge pull request #23865 from volth/xrdp-tests
xrdp: init at 0.9.2
2017-04-30 22:35:48 +02:00
Michael Raskin
929ae39dbe Merge pull request #22683 from aneeshusa/add-nixos-test-for-radicale
Add nixos test for radicale
2017-04-30 18:51:46 +02:00
Benjamin Staffin
9827d5f95c
nixos: optional NetworkManager dnsmasq integration 2017-04-30 00:44:19 -07:00
Volth
5e8ad49de8 do not create non-deterministic file (rsakeys.ini) in nixstore 2017-04-29 17:23:35 +00:00
volth
dad760061e xrdp: init at 0.9.1 2017-04-29 17:23:35 +00:00
Kirill
64a7be7f3c Merge branch 'master' into aria2.service 2017-04-27 17:50:13 +03:00
Kirill
31c4498a47 Fix indentation. Fix openPorts option default to false. 2017-04-27 17:13:27 +03:00
Graham Christensen
bdd89faebb
Revert "openvpn service: source up/down scripts"
This reverts commit 50ad243f78.
2017-04-26 12:32:59 -04:00
Tristan Helmich
50ad243f78
openvpn service: source up/down scripts
source the up/down scripts instead of executing them to avoid loosing
access to special variables like $1
2017-04-25 13:18:54 -04:00
Franz Pletz
e74ea4282a
avahi service: add reflector option 2017-04-24 21:06:42 +02:00
Edward Tjörnhammar
0277345265
nixos, i2pd: remove, no longer needed, extip hack 2017-04-24 20:49:13 +02:00
Kirill
7a6738fefc Implement aria2 service for controlling a daemon via rpc. 2017-04-24 18:50:40 +03:00
Marius Bergmann
6572f5e81b keepalived service: init (#22755) 2017-04-20 12:50:59 +01:00
Christian Kögler
d2e46b9f70 dhcpcd service: clear exit code of exitHook (#24909)
* dhcpcd: clear exit code of exitHook

* dhcpcd: restart ntp server in oneshot in exit-hook
2017-04-16 20:10:44 +02:00
Thomas Tuegel
48b5b77bb7 Merge pull request #24813 from benley/nm-openvpn
nixos: Add nm-openvpn to the networkmanager group
2017-04-14 05:44:01 -05:00
Vladimír Čunát
5b3f807597
Merge #24179: openssh: 7.4p1 -> 7.5p1 2017-04-14 12:16:26 +02:00
Vladimír Čunát
da20d0e488
murmur service: fix typos from #24830 2017-04-14 11:05:42 +02:00
Daniel Peebles
09a9a472ee Merge pull request #24830 from mayflower/refactor/boolToString
treewide: use boolToString function
2017-04-13 09:45:31 -04:00
Tristan Helmich
13e9cc15f1 smokeping service: restart on-failure 2017-04-12 15:23:19 +02:00
Franz Pletz
3ab45f4b36
treewide: use boolToString function 2017-04-11 18:18:53 +02:00
Benjamin Staffin
47a5f9acee
nixos: Add nm-openvpn to the networkmanager group
This is to satisfy the polkit restriction limiting
org.freedesktop.NetworkManager.* dbus messages to members of that
group.

Should help with #24806
2017-04-10 22:41:55 -04:00
Aneesh Agrawal
8f4d778509 radicale: Add aneeshusa as maintainer 2017-04-10 20:04:17 -04:00
Aneesh Agrawal
769b991be6 openssh: 7.4p1 -> 7.5p1
Release notes are available at https://www.openssh.com/txt/release-7.5.
Mostly a bugfix release, no major backwards-incompatible changes.

Remove deprecated `UsePrivilegeSeparation` option,
which is now mandatory.
2017-04-10 19:39:22 -04:00
pngwjpgh
773c456ef4 networkmanager: fix dispatcher scripts (#24507)
networkmanager used `source` to mean `text` and wrote dispatcher scripts with the default mode (0666), which means networkmanager wouldn't call them.
2017-04-09 13:14:04 +01:00
Bas van Dijk
01a8de97eb avahi-daemon: refactored using some abstraction 2017-04-09 11:18:53 +02:00
Peter Simons
67d735e8df Merge pull request #23409 from florianjacob/avahi-point-to-point-interfaces
avahi-daemon service: Add option to enable point-to-point interfaces.
2017-04-07 12:35:05 +02:00
Profpatsch
a1e6176cbf modules/searx: fix configFile type 2017-04-04 20:40:31 +02:00
Eelco Dolstra
80b40fdf03
sshd.nix: Alternative fix for #19589
AFAICT, this issue only occurs when sshd is socket-activated. It turns
out that the preStart script's stdout and stderr are connected to the
socket, not just the main command's. So explicitly connect stderr to
the journal and redirect stdout to stderr.
2017-03-31 16:18:58 +02:00
Eelco Dolstra
4e79b0b075
Revert "sshd: separate key generation into another service"
This reverts commit 1a74eedd07. It
breaks NixOps, which expects that

  rm -f /etc/ssh/ssh_host_ed25519_key*
  systemctl restart sshd
  cat /etc/ssh/ssh_host_ed25519_key.pub

works.
2017-03-31 16:18:58 +02:00
Richard Zetterberg
dc10688edb nftables: adds information regarding nftables and Docker (#24326) 2017-03-25 16:34:02 +01:00
Joachim Fasting
f815a7697e
dnscrypt-proxy service: systemd notification under apparmor 2017-03-24 14:37:44 +01:00
Michael Walker
b29bc8d41c vsftpd: Expose the no_anon_password flag. 2017-03-19 01:53:29 +00:00
Franz Pletz
9536169074
nixos/treewide: remove boolean examples for options
They contain no useful information and increase the length of the
autogenerated options documentation.

See discussion in #18816.
2017-03-17 23:36:19 +01:00
Joachim Fasting
f122f0147b
nixos/dnscrypt-proxy: log resolver list verification failure
Otherwise, the service unit just fails for no discernable
reason.  Verifcation failure is bad so it ought to be easily
discoverable.
2017-03-15 01:13:08 +01:00
Joachim Fasting
de15e7894b
nixos/dnscrypt-proxy: get resolver list from github
The list has disappeared from its ordinary location at
download.dnscrypt.org.
2017-03-15 01:12:46 +01:00
Joachim Fasting
472002f216
nixos/dnscrypt-proxy: remove the resolverList option
This option was initially added to make it easier to use an
up-to-date list, but now that we always use an up-to-date list
from upstream, there's no point to the option.

From now on, you can either use a resolver listed by dnscrypt
upstream or a custom resolver.
2017-03-15 01:12:43 +01:00
Joachim Fasting
540740598e
nixos/dnscrypt-proxy: add example of how to use the cache plugin 2017-03-15 01:12:39 +01:00
Joachim Fasting
719813caf6
nixos/dnscrypt-proxy: replace unimportant options with extraArgs
Removes tcpOnly and ephemeralKeys: reifying them as nixos
options adds little beyond improved discoverability.  Until
17.09 we'll automatically translate these options into extraArgs
for convenience.

Unless reifying an option is necessary for conditional
computation or greatly simplifies configuration/reduces risk of
misconfiguration, it should go into extraArgs instead.
2017-03-15 01:12:37 +01:00
Joachim Fasting
9325c3a616
nixos/dnscrypt-proxy: simplify module logic related to apparmor 2017-03-15 01:12:35 +01:00
Joachim Fasting
83052ef9db
nixos/dnscrypt-proxy: support reload 2017-03-15 01:12:29 +01:00
Joachim Fasting
bb6361b81a
nixos/dnscrypt-proxy: grant daemon access to load plugins 2017-03-10 18:54:54 +01:00
Joachim Fasting
5279ec111f
nixos/dnscrypt-proxy docs: reword section on forwarding
Newer versions of DNSCrypt proxy *can* cache lookups (via
plugin); make the wording more neutral wrt. why one might want
to run the proxy in a forwarding setup.
2017-03-10 18:54:52 +01:00
Joachim Fasting
c0a8a9205b
nixos/dnscrypt-proxy: inline option renamings
In an effort to make the module more self-contained.
2017-03-10 18:54:51 +01:00
Joachim Fasting
563c8e1496
nixos/dnscrypt-proxy: inline top-level binding (cleanup) 2017-03-10 18:54:50 +01:00
Joachim Fasting
c6da2c7c2b
nixos/dnscrypt-proxy: use example.com in example values
It is the canonical example domain after all.
2017-03-10 18:54:44 +01:00
Joachim Fasting
06520c7fb7
nixos/dnscrypt-proxy: indicate update status
Make it easier for the user to tell when the list is updated
and, at their option, see what changed.
2017-03-08 19:07:53 +01:00
Joachim Fasting
5f27abec23
nixos/dnscrypt-proxy: more fs isolation for the updater
It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available.  We
filter mount syscalls to prevent the process from undoing the fs
isolation.
2017-03-08 19:07:51 +01:00
Joachim Fasting
e72aaa73ea
nixos/dnscrypt-proxy: support updating before nss is up
Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.

We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...
2017-03-08 19:07:50 +01:00
Joachim Fasting
adf044e1fb
nixos/dnscrypt-proxy: refactoring
Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...).  Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.
2017-03-08 19:07:44 +01:00
Daniel Ehlers
0bd211d84f
ddclient: Make verbose logging deactivatable. 2017-03-07 22:03:22 +01:00
Joachim Fasting
15da23d5c1
nixos/modules: use defaultText/literalExample where applicable
Primarily to fix rendering of default values/examples but also
to avoid unnecessary work.
2017-03-07 14:06:08 +01:00
Joachim Fasting
540163e4a4
search module: add missing types 2017-03-07 14:06:02 +01:00
Tom
9a7bad2c17 networkmanager service: support changing the mac-address (#23464)
Set `networking.networkmanager.wifi.macAddress` or `networking.networkmanager.ethernet.macAddress`
to one of these values to change your macAddress.

* "XX:XX:XX:XX:XX:XX": set the MAC address of the interface.
* "permanent": use the permanent MAC address of the device.
* "preserve": don’t change the MAC address of the device upon activation.
* "random": generate a randomized value upon each connect.
* "stable": generate a stable, hashed MAC address.

See https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/ for more information
2017-03-07 03:50:37 +01:00
Joachim Fasting
f278793fdb
btsync module: remove redundant example
The default value already gives a good example of what values to
put here.
2017-03-06 15:59:23 +01:00
Florian Jacob
518e5c09a8 avahi-daemon service: Add option to enable point-to-point interfaces. 2017-03-02 23:52:08 +01:00
Edward Tjörnhammar
fa367c2d02
nixos, dhcpd: make machines assignable 2017-02-27 10:52:21 +01:00
Jörg Thalheim
6c36d9fa20
nftables: make default configuration null
reason:
 - We currently have an open discussion regarding a more modular
   firewall (https://github.com/NixOS/nixpkgs/issues/23181) and
   leaving null makes future extension easier.
 - the current default might not cover all use cases (different ssh port)
   and might break setups, if applied blindly
2017-02-26 16:24:20 +01:00
Jookia
e2c95b46e5
nftables module: Add new module for nftables firewall settings
fixes #18842
2017-02-26 13:41:14 +01:00
Franz Pletz
4905c1c54f
prosody service: needs working network connectivity 2017-02-23 16:07:41 +01:00
Franz Pletz
66f553974b
dhcpcd service: fix network-online.target integration
When dhcpcd instead of networkd is used, the network-online.target behaved
the same as network.target, resulting in broken services that need a working
network connectivity when being started.

This commit makes dhcpcd wait for a lease and makes it wanted by
network-online.target. In turn, network-online.target is now wanted by
multi-user.target, so it will be activated at every boot.
2017-02-23 16:07:40 +01:00
Ricardo M. Correia
d9ae886946 nixos.openntpd: don't spam systemd journal
Starting `ntpd` with the `-d` option spams the systemd journal.
Instead, let the server fork.
2017-02-20 22:35:51 +01:00
Joachim F
6dbe55ca68 Merge pull request #20456 from ericsagnes/feat/loaf-dep-1
Use attrsOf in place of loaOf when relevant
2017-02-19 15:49:25 +01:00
Kier Davis
5e3a26e07b
Fix typo introduced by #22677 2017-02-15 23:44:11 +00:00
Parnell Springmeyer
9e36a58649
Merging against upstream master 2017-02-13 17:16:28 -06:00
Graham Christensen
b1a05a0865
nixos: drop references to kde4
Excluding modules/programs/environment.nix for PATHand QT_PLUGIN_PATH to allow the programs to continue running.
2017-02-11 14:01:13 -05:00
Profpatsch
ed8a0d8e5e modules/searx: add package option (#22636)
The user should be able to specify a patched version of searx.
2017-02-10 22:44:10 +01:00
afranchuk
a5e041ac08 libreswan service: make EnvironmentFile optional (#22591)
Recent versions of libreswan seem to omit this file, but it may be added/changed in the future. It is silly to have the service fail because a file is missing that only enriches the environment.
2017-02-10 00:53:44 +01:00
Joachim F
ca8fb930b1 Merge pull request #22356 from Ekleog/redsocks
Redsocks
2017-02-09 22:39:43 +01:00
Léo Gaspard
7a32b96697 redsocks module: initialize
redsocks module: use separate user for redsocks daemon
2017-02-09 18:01:14 +01:00
Ricardo M. Correia
9293f86bf2 nixos.chrony: remove generatecommandkey option
It's deprecated and no longer used.
2017-02-07 18:01:58 +01:00
Ricardo M. Correia
e3fce56047 nixos.chrony: add extraFlags config option 2017-02-07 18:01:57 +01:00
Ricardo M. Correia
af4e6f155e nixos.chrony: pass config file directly to daemon
This fixes an issue where `nixops deploy` wouldn't restart the chrony
service when the chrony configuration changed, because it wouldn't
detect that `/etc/chrony.conf` was a dependency of the chrony service.
2017-02-07 13:48:58 +01:00
Shea Levy
714fdb425a firewall: Fix check for rpfilter on manual-config kernels 2017-02-06 16:43:23 -05:00
Shea Levy
67ef18d01a supplicant nixos module: Allow not specifying the configFile path 2017-02-05 06:50:20 -05:00
Joachim Fasting
2628597e76
cjdns service: allow daemon to drop privileges
The service can run certain components with reduced privileges, but for
that it needs the setuid capability.
2017-02-05 04:54:26 +01:00
Joachim Fasting
a0338afe5f
cjdns service: allow writing keys to /etc
20e81f7c0d prevented key generation in
`preStart`, leaving the service broken for the case where the user has
no pre-existing key.

Eventually, we ought to store the state elsewhere so that `/etc` can be
read-only but for now we fix this the easy way.
2017-02-05 04:54:18 +01:00
rnhmjoj
a3ff62d48c namecoind: refactor nixos module 2017-02-03 20:06:45 +01:00
rnhmjoj
f7d49037a4
dnschain service: overhaul option interface & implementation
Closes https://github.com/NixOS/nixpkgs/pull/22041
2017-02-03 19:49:16 +01:00
Nikolay Amiantov
230c97c944 Merge pull request #22303 from abbradar/nfs4
NFS improvements
2017-02-03 20:04:25 +03:00
Yorick van Pelt
1b47bc9477 service.asterisk: add package option 2017-02-02 15:16:00 +01:00
Nikolay Amiantov
876a6d7f03 rpcbind service: use upstream systemd unit 2017-02-01 02:45:19 +03:00
Edward Tjörnhammar
b08524bf01
nixos: nylon, use named instances 2017-01-30 20:32:06 +01:00
Edward Tjörnhammar
e324c02aa5
nixos: i2pd, follow redirect 2017-01-29 18:00:58 +01:00
Parnell Springmeyer
628e6a83d0
More derp 2017-01-29 05:33:56 -06:00
Parnell Springmeyer
4aa0923009
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00
Parnell Springmeyer
a8cb2afa98
Fixing a bunch of issues 2017-01-29 01:58:12 -06:00
Parnell Springmeyer
e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer
a26a796d5c
Merging against master - updating smokingpig, rebase was going to be messy 2017-01-26 02:00:04 -08:00
Parnell Springmeyer
025555d7f1
More fixes and improvements 2017-01-26 00:05:40 -08:00
Parnell Springmeyer
bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Vladimír Čunát
278bbe3b33
add kresd service with basic options
Still celebrating today's 1.2.0 release!
2017-01-25 18:46:28 +01:00
Franz Pletz
8322a12ef2
firewall: disable conntrack helper autoloading by default
This was disabled in the Linux kernel since 4.7 and poses a security risk
if not configured properly.

https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
2017-01-25 01:14:04 +01:00
Franz Pletz
403fdd737e
linux: remove canDisableNetfilterConntrackHelpers feature
This feature is available in all kernels in nixpkgs.
2017-01-25 00:28:55 +01:00
Michael Raskin
7516dbe35e Merge pull request #22045 from rnhmjoj/recursor
PowerDNS Recursor: add package and service
2017-01-24 17:54:47 +00:00
Tristan Helmich
b3b300b6ff smokeping: setuid for fping6 2017-01-24 12:40:21 +01:00
rnhmjoj
6bcf89f217
pdns-recursor: add service 2017-01-23 17:57:48 +01:00
Jaka Hudoklin
90e0ed32ef Merge pull request #22043 from rnhmjoj/dnscrypt-wrapper
dnscrypt-wrapper: add service
2017-01-23 11:23:28 +01:00
rnhmjoj
9f2bb2ed42
dnscrypt-wrapper: add service 2017-01-23 07:06:07 +01:00
Robert Helgesson
cd9f709582
flannel service: fix enable expression
Need to surround the equality check in parentheses.
2017-01-22 21:58:39 +01:00
Franz Pletz
df0301f59b
nixos/networkmanager: trigger assertion instead of error 2017-01-22 20:32:24 +01:00
Michael Weiss
460b43dbfe firewall: Improve the comments (documentation) (#21862)
* Fix the FW names

FW_REFUSE was removed and nixos-fw-input was renamed to nixos-fw.

* Update the comment (documentation) at the top

Order the chains of the main table alphabetically (like in the rest of
the file) and add nixos-fw-rpfilter (from the raw table) and nixos-drop
(used while reloading the firewall).

* Refactor the module (mainly comments)

- Move some attributes to the top for better visibility (that should
  hopefully make it easier to read and understand this module without
  jumping around too much).
- Add some missing examples and improve some descriptions.
- Reorder the mkOption attributes for consistency.
- Wrap lines at 72 characters.
- Use two spaces between sentences.
2017-01-18 17:18:11 +01:00
Svein Ove Aas
fec95a40f1
ddclient: Don't include blank server= lines. 2017-01-16 18:54:49 +01:00
Nikolay Amiantov
70a6628848 Merge pull request #21882 from abbradar/dhcp6
DHCPv6 improvements
2017-01-15 19:53:33 +03:00
Nikolay Amiantov
820b4cd067 firewall service: allow DHCPv6 client traffic 2017-01-15 19:38:54 +03:00
Nikolay Amiantov
1158eda66a dhcpd service: add DHCPv6 support 2017-01-15 19:38:53 +03:00
Volth
ac0b6b9a2c miredo: do not run miredo-checkconf 2017-01-12 14:30:58 +00:00
Svein Ove Aas
a4fca56897
ddclient: Write /etc/ddclient.conf when requested
Fixes #20101

From PR #21417
2017-01-09 06:29:15 +01:00
Valentin Shirokov
e138d3afdf Added option networking.wireless.networks.*.priority
It is literal 'priority' option of wpa_supplicant.conf
2017-01-07 20:23:12 +08:00
Franz Pletz
e6708cea37
bind: fix collision of binaries in outputs
Using outputsToInstall the intended behaviour of including host and dnsutils
when bind is installed can be implemented instead of using symlinks to fix
installing all outputs individually with nix-env.

Fixes #19761.
2017-01-07 02:44:54 +01:00
Franz Pletz
cdbffaa86e Merge pull request #21625 from mayflower/smokeping
smokeping: Allow customization of cgiurl and imgurl
2017-01-04 21:56:12 +01:00
Joachim F
9e0dc9fa7c Merge pull request #21592 from joachifm/cjdns-optional-extraHosts
cjdns service: optional extraHosts
2017-01-04 18:54:09 +01:00
Tristan Helmich
f808502aba smokeping: cleanup (option ordering) 2017-01-03 23:10:59 +01:00
Tristan Helmich
b5703eaa80 smokeping: Allow full override of imgurl + cgiurl 2017-01-03 23:10:54 +01:00
volth
c737809465 miredo-fix-kill-path 2017-01-03 10:10:34 +00:00
Tomas Hlavaty
bdb9cd1e17 cjdns service: optionally add cjdns hosts to networking.extraHosts
Enabling this incurs a heavy eval-time cost, but it's a nice usability
enhancement; satisfy both concerns by making it optional (default
false).
2017-01-02 19:31:37 +01:00
Joachim Fasting
237af1853a
Revert "nixos/cjdns: do not ammend /etc/hosts"
This reverts commit 60ded3f363.

We want to make this optional instead.
2017-01-02 19:31:11 +01:00
volth
06b372f24f miredo: init at 1.2.6 2016-12-31 21:03:27 +01:00
Joachim Fasting
d8659f24e6
dnscrypt-proxy service: order before nss-lookup.target 2016-12-30 20:27:05 +01:00
Alexey Lebedeff
59361a2a81 i2pd module: fix typo (#21525) 2016-12-30 15:14:05 +01:00
Graham Christensen
8ed4c8b73b
openssh: 7.4p1 no longer backgrounds when systemd is starting it. 2016-12-29 17:04:46 -05:00
Tim Digel
81d8a457ed Fix asterisk & asterisk: 13.6.0 -> 14.1.2 (#20788)
* fix/asterisk-module: use unix-group for asterisk-files
* fix/asterisk-module: add configOption to use some default config-files
* fix/asterisk-module: correction of skel copy
* fix/asterisk-module: use /etc/asterisk as configDir
* fix/asterisk-module: add reload; do not restart unit
* asterisk: 13.6.0 -> 14.1.2
* fix/asterisk: compile with lua, pjsip, format_mp3
* fix/asterisk: fix indentation
* fix/asterisk: remove broken flag
2016-12-28 23:04:58 +01:00
Franz Pletz
7ae2d221cd
bird service: add bird to systemPackages
For the tool birdc to monitor and configure bird.
2016-12-28 06:35:31 +01:00
Jörg Thalheim
1590461887 ntp: make timesyncd the new default
- most nixos user only require time synchronisation,
  while ntpd implements a battery-included ntp server (1,215 LOCs of C-Code vs 64,302)
- timesyncd support ntp server per interface (if configured through dhcp for instance)
- timesyncd is already included in the systemd package, switching to it would
  save a little disk space (1,5M)
2016-12-17 00:00:45 +01:00
michael bishop
e5cefadef7 fix indentation in several nixos option descriptions 2016-12-16 18:29:25 +01:00
Jörg Thalheim
cc864af928 bird: refactor module
- syntax check before deploying configuration
- remove static unnessary static uid/gid (configuration is opened as root)
- add service hardening
2016-12-15 11:38:45 +01:00
Jörg Thalheim
ebd85b632a
ferm: reload rules on updates instead of restart 2016-12-14 16:09:11 +01:00
Joachim Fasting
4697f83984
openfire service: more informative assertion failure message
Explain why the assertion fails; the user already knows that it *has*
failed.
2016-12-10 20:35:43 +01:00
Joachim Fasting
2a4902dd80
dante service: fix config option type
The type was simply str but the default is null, thus resulting in a
conversion error if the user fails to declare a value.
2016-12-10 20:35:41 +01:00
Joachim Fasting
3dcdc2d2b0
privoxy service: remove static uid
The service owns no data, having a static uid serves no purpose.

This frees up uid/gid 32
2016-12-05 13:37:08 +01:00
Joachim Fasting
ad88f1040e
privoxy service: additional isolation 2016-12-05 13:21:31 +01:00
lbonn
288e75c5f9 wireguard: remove dependency on ip-up.target
It was deprecated and removed from all modules in the tree by #18319.

The wireguard module PR (#17933) was still in the review at the time and
the deprecated usage managed to slip inside.
2016-12-01 00:11:16 +01:00
Sophie Taylor
016fa06c71
cjdns: Improving systemd unit description 2016-11-27 22:07:51 -05:00
Franz Pletz
e394c305a8 Merge pull request #20620 from rnhmjoj/fakeroute
fakeroute: init at 0.3
2016-11-28 03:01:15 +01:00
rnhmjoj
7eb9a03221
fakeroute: add service 2016-11-23 15:23:10 +01:00
Franz Pletz
d94e93ccdf Merge pull request #19588 from Shados/add-dante
Add dante package & accompanying service module
2016-11-22 15:10:46 +01:00
Alexei Robyn
49d679d7a8 dante service: init 2016-11-22 21:33:54 +11:00
Joachim Fasting
f9f354faad
nixos/modules: use defaultText where applicable
Primarily to fix rendering of these default values in the manual but
it's also nice to avoid having to eval these things just to build the
manual.
2016-11-21 16:35:15 +01:00
Eelco Dolstra
d69dce080d
Fix setting programs.ssh.setXAuthLocation
The configuration { services.openssh.enable = true;
services.openssh.forwardX11 = false; } caused
programs.ssh.setXAuthLocation to be set to false, which was not the
intent. The intent is that programs.ssh.setXAuthLocation should be
automatically enabled if needed or if xauth is already available.
2016-11-21 16:19:51 +01:00
Emery Hemingway
60ded3f363 nixos/cjdns: do not ammend /etc/hosts
Generating IPv6 addresses at eval time required building cjdns.

Fix #20422
2016-11-18 18:41:50 +01:00
Eric Sagnes
15d25df698 nsd module: use enum 2016-11-16 22:37:14 +09:00
Eric Sagnes
5259fb2181 nntp-proxy module: use enum 2016-11-16 22:36:53 +09:00
Eric Sagnes
fb26d561ed hostapd module: use enum 2016-11-16 22:36:26 +09:00
Eric Sagnes
57c4d6f380 znc module: networks option loaOf -> attrsOf 2016-11-16 16:33:06 +09:00
Eric Sagnes
b4d1d37b22 tinc module: networks, hosts option loaOf -> attrsOf 2016-11-16 16:32:02 +09:00
Pascal Bach
c1dca9e40b etcd: make all service using etc go to 127.0.0.1:2379 by default
The old etcd port 4001 is no longer enabled by default in etcd 3.
The new port is 2379 and is officially assigned by IANA.

There were still some services left that expect etcd on port 4001 by default.
This changes the default to 2379 everywhere.

It should not cause problems for users as the etcd by nix does listen on the new port only by default anyway.
2016-11-11 23:11:54 +01:00
Gregor Kleen
54199414e3 nsd service: fix typo
Closes #20343.
2016-11-11 14:06:07 +01:00
Edward Tjörnhammar
4009dbe543
nixos: i2pd, update config options 2016-11-06 08:13:04 +01:00
Joachim F
32715b8314 Merge pull request #17445 from joachifm/dnscrypt-proxy-update-list
dnscrypt-proxy service: auto-updated resolver list
2016-11-05 18:23:48 +01:00
Joachim Fasting
2f912bf0a3
dnscrypt-proxy service: auto-update upstream resolver list
By default, we use the list of public DNSCrypt resolvers provided by
dnscrypt-proxy upstream. The list is updated at regular intervals.
2016-11-05 17:44:51 +01:00
Joachim F
2c567dbd4d Merge pull request #20144 from ericsagnes/feat/module-enums
modules: use enum when relevant
2016-11-05 12:18:04 +01:00
Sophie Taylor
20e81f7c0d nixos/cjdns: tightened permissions via systemd, added caps 2016-11-04 17:00:23 +01:00
uwap
d9134ddb5d Add a package option for quassel (#20159) 2016-11-04 16:33:47 +01:00
Joachim Fasting
222cfd3233
cjdns module: fix typo 2016-11-04 13:44:48 +01:00
Eric Sagnes
8f8184ece1 tinc module: use enum 2016-11-04 13:04:17 +09:00
Eric Sagnes
5a3c2e3db0 bitlbee module: use enum 2016-11-04 13:03:53 +09:00
Marius Bergmann
51652ac3aa smokeping service: Use setuid-wrapped fping binary
The current default probe config uses the unwrapped fping binary, which
leads to an error because fping must be executed with elevated
permissions.

I fixed this by changing the path to the default binary to the
setuid-wrapped version.
2016-11-03 09:44:21 +01:00
Peter J. Jones
d19967bf48 vsftpd service: add extraConfig option, set anon_root (#20069)
This commit includes two changes:

  1. A new `extraConfig` option to allow administrators to set any
     vsftpd configuration option that isn't directly supported by this
     derivation.

  2. Correctly set the `anon_root` vsftpd option to `anonymousUserHome`
2016-11-03 05:06:47 +01:00
Eric Sagnes
7fd38dc8b3 znc module: optionSet -> submodule (#20096) 2016-11-03 05:02:14 +01:00
Marius Bergmann
248bf519c9 smokeping service: Fix permissions in $smokepingHome
In the prestart config of the smokeping service, smokeping is executed
initially. This happens as the user root and writes some files to
$smokepingHome, which can't be overwritten by the smokeping user. This
gives an error message.

I fixed this by moving the chown step after the initial smokeping runs,
so that it also affects the generated files.
2016-11-02 13:18:57 +01:00
Joachim Fasting
420cf50838
dnscrypt-proxy module: minor config example tweaks
- Indentation
- unbound automatically handles local forward addresses
2016-10-29 03:04:00 +02:00
Joachim Fasting
d198e474a8
dnscrypt-proxy service: remove use of mkEnableOption 2016-10-29 03:03:50 +02:00
Joachim F
1da6dd3eee Merge pull request #19875 from joachifm/cjdns-for-upstream
Cjdns module enhancments
2016-10-28 13:01:58 +02:00
Joachim Fasting
8180922d23 cjdns service: refactor cjdns hosts builder
The old version would export two lists to a bash builder and do pairwise
processing on the bash side.  In the new version we instead generate a
logic free builder on the Nix side. This is not only conceptually
simpler but reduces the amount of code and intermediate values.
2016-10-27 14:15:54 +02:00
Joachim Fasting
9654e09b5a cjdns service: ensure that generated passwd has requested length
`head -cNUM ... | tr -dc SET` might generate output containing fewer
than NUM characters.  Given the limited alphabet, this could result in a
fairly weak passphrase. The construction `tr </dev/urandom | head
-cNUM`, however, is sure to give us the full `NUM`.
2016-10-27 14:15:53 +02:00
Joachim Fasting
e94bd6f31d cjdns service: protect /home and /tmp 2016-10-27 14:15:52 +02:00
Joachim Fasting
5fba586650 cjdns service: better types
- types.string -> str, string is deprecated
- change type of confFile option to nullOr path, makes more sense
2016-10-27 14:15:52 +02:00
Joachim Fasting
afe67f28a3 cjdns service: use cfg.enable shortcut 2016-10-27 14:15:51 +02:00
Joachim Fasting
79d216b8f4 cjdns service: whitespace cleanup 2016-10-27 14:15:51 +02:00
Frederik Rietdijk
7077a270bf Merge remote-tracking branch 'upstream/master' into HEAD 2016-10-26 13:06:43 +02:00
Bjørn Forsman
cd1b09af5d nixos/tftpd: change default dir from /home/tftp to /srv/tftp
/home is for real users. /srv is recommended by FHS (although there is
no consensus for what to name subdirs under /srv).
2016-10-25 17:20:52 +02:00
Bjørn Forsman
d03dbfcbb8 nixos/tftpd: mention that it runs as an xinetd service 2016-10-25 17:20:52 +02:00
Domen Kožar
1622a21c68 Merge pull request #19453 from ryantrinkle/openfire-fix
openfire: fix service expression
2016-10-24 11:35:16 +02:00
Emery Hemingway
b675619391 nixos: use types.lines for extraConfig 2016-10-23 19:41:43 +02:00
Jörg Thalheim
fba9d231b4 Merge pull request #17394 from schneefux/znc-module
ZNC: 1.6.2 -> 1.6.3, push 2015-12-07 -> 2016-07-28, module refactor
2016-10-22 19:58:24 +02:00
Jörg Thalheim
fafe3ec40a Merge pull request #19624 from bjornfor/improve-atftpd-service
nixos/atftpd: various improvements
2016-10-22 18:08:53 +02:00
Frederik Rietdijk
e56832d730 Merge remote-tracking branch 'upstream/master' into HEAD 2016-10-22 17:23:24 +02:00
schneefux
ee42e000dd
znc module: refactor 2016-10-22 13:52:20 +02:00
Anmol Sethi
1a74eedd07 sshd: separate key generation into another service
Fixes #19589
2016-10-20 23:14:37 -04:00
Alexander Ried
57d9c69c6a supplicant: fix wants and wantedBy 2016-10-20 20:17:17 +02:00
Peter Hoeg
1026bebee6
syncthing: use service files from upstream
Currently only for the user services as NixOS handles the named system
instances slightly differently.

syncthing and syncthing-inotify are done the same way.

There are 4 parts to this:

 1) Copy in the upstream unit files
 2) Make the nixos module use the definition from upstream
 3) Enable restarting of all instances (system and user) on resume
 4) Allow the traffic in the firewall on default ports if wanted

fixes #18973
2016-10-19 21:20:57 +02:00
Ryan Trinkle
928341132e openfire: fix service expression
openfire is not in scope
2016-10-19 11:06:07 -04:00
Bjørn Forsman
f3876cbba0 nixos/atftpd: various improvements
* Add extraOptions option, to pass arbitrary command line options to
  atftp. Especially useful to specify which address to bind to
  (--bind-addres ...).
* Improve descriptions (fix a typo, document default bind address,
  don't repeat service name in systemd description + capitalize)
* Change default server directory from /var/empty to /srv/tftp, and
  change types.str to types.path.
2016-10-17 16:20:24 +02:00
Benno Fünfstück
796264a708 nixos/avahi: use more upstream-like systemd units
The new units mirror the upstream systemd units as closely as possible.
I could not find a reason why the service would need to be restarted on
resuming from suspend, and the upstream units also do not contain such a
restriction, so I removed the `partOf = [ "post-resume.target"]`.
This fixes #19525.
2016-10-15 22:51:39 +02:00
Alexander Ried
4094d63dea NetworkManager-strongswan: init at 1.4.0 2016-10-15 20:32:16 +02:00
Profpatsch
bef6bef0d2
stdenv/stripHash: print to stdout, not to variable
`stripHash` documentation states that it prints out the stripped name to
the stdout, but the function stored the value in `strippedName`
instead.

Basically all usages did something like
`$(stripHash $foo | echo $strippedName)` which is just braindamaged.
Fixed the implementation and all invocations.
2016-10-11 18:34:36 +02:00
Joachim F
1997761725 Merge pull request #19367 from cransom/smokeping-fix
smokeping module: fix missing js, broken alerts
2016-10-10 16:06:39 +02:00
Franz Pletz
03c2b449f8
dhcpd service: Add extraFlags option 2016-10-09 11:38:34 +02:00
Casey Ransom
74558c88fb smokeping module: fix missing js, broken alerts
The initial commit accidentally left in some commented code and if you were
using alerts, they simply didn't work.

Smokeping also includes some JS code for the webui allowing you to zoom into
graphs and it was not passed into the homedir. Additionally, generate
static html pages for other webservers to serve the cache directory.

Add additional options to specify sendmail path or mailhost and verify that both
are not set.

Add one extra config hook that allows you to bypass all of the invidual config
stanzas and just hand it a string.
2016-10-08 20:52:45 -04:00
Jaka Hudoklin
afbe339e7d firewall service: add support for loose reverse path filter check (#19122) 2016-10-08 14:26:52 +02:00
Moritz Ulrich
c475234827 services.kippo: Add missing '}' 2016-10-06 13:39:21 +02:00
Frederik Rietdijk
6f836eb0d4 Kippo: move pythonPackages.twisted_11 to kippo expression 2016-10-06 12:59:05 +02:00
Eric Sagnes
0bd263ecc3
wireguard: add module
fixes #17933
2016-10-06 09:41:38 +02:00
Joachim F
0906a0f197 Merge pull request #18491 from groxxda/network-interfaces
Replace Network-interfaces.target
2016-10-02 16:34:37 +02:00
Jörg Thalheim
cd673d3c26 Merge pull request #19138 from nhooyr/openssh
openssh: support prohibit-password for permitRootLogin
2016-10-02 15:26:21 +02:00
Anmol Sethi
6891bb1c59
openssh: support prohibit-password for permitRootLogin
See 1dc8d93ce6

I also made it the default.
2016-10-01 13:23:56 -04:00
Jörg Thalheim
7d3143990f Merge pull request #19136 from nhooyr/powerdns
powerdns: removed PrivateTmp=true in serviceConfig
2016-10-01 18:28:34 +02:00
Anmol Sethi
489ca7e5c0
powerdns: removed PrivateTmp=true in serviceConfig
As discussed in #18718 PrivateTmp is unnecessary because powerdns is
chrooted to /var/lib/powerdns.

I also added myself as co-maintainer.
2016-10-01 12:27:23 -04:00
Joachim F
7e80c42b0e Merge pull request #18511 from ericsagnes/feat/remove-optionSet
modules: optionSet -> submodule
2016-10-01 17:57:45 +02:00
Jaka Hudoklin
98a8146428 Merge pull request #19016 from offlinehacker/pkgs/flannel/update/0.6.2
flannel: update, add nixos module, add tests
2016-10-01 17:22:34 +02:00
Jaka Hudoklin
feb9fc3aff flannel service: init 2016-10-01 17:08:48 +02:00
Robert Helgesson
db3579c332
ddclient service: minor spelling fix 2016-09-30 19:26:21 +02:00
Thomas Bereknyei
5bca9297ff
ddclient: add configFile option
ddclient: improve documentation

Adopted @joachifm's suggestions.

ddclient additional refinement
2016-09-30 19:13:56 +02:00
Shea Levy
b692e06686 supplicant: Make the device pull in the supplicant service.
The udev rule should do this. Not sure why it doesn't.

Fixes #19029.
2016-09-30 09:22:49 -04:00
Christoph Hrdinka
553a3295c1 nsd: 4.1.9 -> 4.1.12
4.1.12
======

Bugfixes
--------

Fix malformed edns query assertion failure, reported by Michal Kepien (NASK).

4.1.11
======

Features
--------

* When tcp is more than half full, use short timeout for tcp session.
* Patch for {max,min}-{refresh,retry}-time from YAMAGUCHI Takanori.
* Fix #790: size-limit-xfr can stop NSD from downloading infinite zone transfer data size, from Toshifumi Sakaguchi. Fixes CVE-2016-6173 JVN#63359718 JPCERT#91251865.

Bugfixes
--------

* Fix build without IPv6, patch from Zdenek Kaspar.
* Fix #783: Trying to run a root server without having configured it silently gives wrong answers.
* Fix #782: Serve DS record but parent zone has no NS record.
* Fix nsec3 missing for nsec3 signed parent and child for DS at zonecut.

4.1.10
======

Features
--------

* ip-freebind: yesno option in nsd.conf sets IP_FREEBIND socket option for Linux, binds to interfaces and addresses that are down.
* NSD includes AAAA before A for queries over IPV6 (in delegations). And TC is set if no glue can be provided with a delegation because of packet size.
* print notice that nsd is starting before taking off.

Bugfixes
--------

* Fix for openssl 1.1.0, HMAC_CTX size not exported from openssl.
* Fix #751: NSD fails to occlude names below a DNAME.
* If set without nsd.db print "" as the default in the man pages.
* Fix #755: NSD spins after a zone update and a lot of TCP queries.
* Fix for NSEC3 with zone signed without exact match for empty nonterminals, the answer for that domain gets closest encloser.
* #772 Document that recvmmsg has IPv6 problems on some linux kernels.

4.1.9
=====

Bugfixes
--------

* Change the nsd.db file version because of nanosecond precision fix.
2016-09-27 00:14:24 +02:00
Frederik Rietdijk
4020035513 Merge pull request #18935 from rycee/pullout/radicale
radicale: break into own package
2016-09-26 22:14:42 +02:00
aszlig
2af7051197
nixos/offlineimap: Move to services/mail
The services/networking directory is already quite polluted and the
first point where I was looking for the offlineimap module was in
services/mail and didn't find it there.

Offlineimap already has IMAP in its name and clearly belongs to the
"mail" category so let's move it there.

Tested by evaluating a configuration with services.offlineimap enabled.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @DamienCassou
2016-09-26 21:18:06 +02:00
aszlig
603b73f1e1
nixos/offlineimap: Don't build the package on eval
Coercing the derivation to string causes the package to be built during
evaluation rather than during actual realization which is completely
unnecessary because we don't need additional Nix expression information
for the package (nor do we need it for the service).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @DamienCassou
Cc: @Profpatsch (stumbled on this because of him)
2016-09-26 21:07:06 +02:00
Robert Helgesson
9d2a831497
radicale: break into own package
Since this is an application it is not suitable for pythonPackages,
which is more appropriate for Python modules.
2016-09-25 22:15:19 +02:00
Michele Guerini Rocco
ec8d5945ce connman: disable connman-vpn by default (#18323) 2016-09-25 08:02:29 +02:00
Wei-Ming Yang
e330807e1f
murmur service: welcome -> welcometext
fixed incorrect option name `welcome` to `welcometext`.

joachifm added a rename for backwards compat.

Closes https://github.com/NixOS/nixpkgs/pull/18570
2016-09-23 16:08:14 +02:00
Jookia
e23cc550b3 nixos: add htpdate module 2016-09-23 02:02:20 +10:00
Alexey Shmalko
60cfc558be Merge pull request #18718 from Mic92/powerdns
powerdns: init at 4.0.1
2016-09-20 11:07:51 +03:00
Jörg Thalheim
b0a1c0b343
powerdns: init at 4.0.1
fixes #18703
2016-09-18 14:52:44 +02:00
Joachim Fasting
22d6c97855
unbound service: extend isLocalAddress to handle ipv6 2016-09-16 09:47:36 +02:00
Joachim Fasting
5dc60051fa
unbound service: some pre-chroot isolation
While entering the chroot should provide the same amount of isolation,
the preStart script will run with full root privileges and so would
benefit from some isolation as well (in particular due to
unbound-anchor, which can perform network I/O).
2016-09-15 15:37:20 +02:00
Joachim Fasting
39f5182a30
unbound service: use auto-generated uid
1. The preStart script ensures consistent ownership, even if the unbound
   user's uid has changed
2. The unbound daemon does not generate data that needs to be private to
   it, so it would not matter that a different service would end up
   owning its data (as long as unbound remains enabled, it should reclaim
   ownership soon enough anyway).

Thus, there's no clear benefit to allocate a dedicated uid for the
unbound service.  This releases uid/gid 48.

Also, because the preStart script creates the data directory, there's no
need to specify a homedir or ask for its creation.
2016-09-15 15:37:19 +02:00
Joachim Fasting
0759e77dfd
unbound service: add reference to man:unbound.conf(8) 2016-09-15 15:37:19 +02:00
Joachim Fasting
52432ee63d
unbound service: non-blocking random in chroot
/dev/random is an exhaustible resource. Presumably, unbound will not be
used to generate long-term encryption keys and so allowing it to use
/dev/random only increases the risk of entropy exhaustion for no
benefit.
2016-09-15 15:37:19 +02:00
Joachim Fasting
7980523e00
unbound service: convenient handling of local forward addresses
do-not-query-localhost defaults to yes; with this patch, unbound is
configured to query localhost if any of the forward addresses are local.
2016-09-15 15:37:19 +02:00
Alexander Ried
8524df1259 networking.nat: replace network-interfaces.target
We can replace this safely with network-pre because iptables does not
care whether the interfaces exist or not.
2016-09-13 11:19:22 +02:00
Alexander Ried
60430b140c lshd service: remove use of network-interfaces.target 2016-09-13 11:19:22 +02:00
Alexander Ried
d43b2b9c85 openvpn service: network-interfaces.target -> network.target 2016-09-13 11:19:22 +02:00
Alexander Ried
97416eaeef gpve service: network-interfaces.target -> network.target 2016-09-13 11:19:22 +02:00
Alexander Ried
fbf0abf4af softether: improve service dependencies 2016-09-13 11:19:22 +02:00
Alexander Ried
9819cdc71a wicd: get closer to upstream service definition
taken from
http://bazaar.launchpad.net/~wicd-devel/wicd/experimental/view/head:/other/wicd.service
2016-09-13 11:19:22 +02:00
Alexander Ried
3ada966bd5 treewide: minor format / style / documentation fixes 2016-09-13 11:19:22 +02:00
Alexander Ried
bc7710468d networking.dhcpcd: use upstream targets 2016-09-13 11:19:22 +02:00
Joachim Fasting
5a2a3510b9 zerobin service: remove use of network-interfaces.target 2016-09-13 11:19:22 +02:00
Joachim Fasting
c7ed675fe3 xinetd service: remove use of network-interfaces.target 2016-09-13 11:19:22 +02:00
Joachim Fasting
cda9af6eb8 wpa-supplicant service: remove use of network-interfaces.target 2016-09-13 11:19:22 +02:00
Joachim Fasting
768b333dc1 tinc service: remove use of network-interfaces.target 2016-09-13 11:19:22 +02:00
Joachim Fasting
795defaae0 tcpcrypt service: remove use of network-interfaces.target 2016-09-13 11:19:22 +02:00
Joachim Fasting
67d9369e5d radicale service: network-interfaces.target -> network{,-online}.target 2016-09-13 11:19:22 +02:00
Joachim Fasting
652e0b4b8a oidentd service: network-interfaces.target -> network.target 2016-09-13 11:19:22 +02:00
Joachim Fasting
ae71667451 cjdns service: network-interfaces.target -> network.target 2016-09-13 11:19:22 +02:00
Joachim Fasting
69e15b7ba5 bind service: network-interfaces.target -> network.target 2016-09-13 11:19:22 +02:00
Alexander Ried
06b2897c40 networking.dhcpcd: Don't add to system closure when using networkd (#18436) 2016-09-13 07:55:17 +02:00
Eric Sagnes
7e5a24c23a i2pd module: optionSet -> submodule 2016-09-13 12:53:12 +09:00
Eric Sagnes
b73ca0df27 tinc module: optionSet -> submodule 2016-09-13 12:53:12 +09:00
Eric Sagnes
8d58771b94 openvpn module: optionSet -> submodule 2016-09-13 12:53:11 +09:00
Eric Sagnes
775d98acbc xinet module: optionSet -> submodule 2016-09-13 12:53:11 +09:00
Eric Sagnes
819524a0d3 supplicant module: optionSet -> submodule 2016-09-13 12:53:11 +09:00
Eric Sagnes
48d6fa933c sshd module: optionSet -> submodule 2016-09-13 12:53:11 +09:00
Eric Sagnes
d89a718baf prosody module: optionSet -> submodule 2016-09-13 12:53:11 +09:00
Eric Sagnes
c3bdee3c39 nat module: optionSet -> submodule 2016-09-13 12:53:10 +09:00
Franz Pletz
5c38882f38
toxvpn service: doesn't require online network
Tested that it detects network changes quickly.
2016-09-11 08:16:55 +02:00
Franz Pletz
c58654e2b7
treewide: fix fallout of ip-up deprecation
See #18319 for details. Starting network-online.target manually does not
work as it hangs indefinitely.

Additionally, don't treat avahi and dhcpcd special and sync their systemd units
with the respective upstream suggestion.
2016-09-11 08:13:04 +02:00
Alexander Ried
27bc34f1e4 treewide: deprecate ip-up.target (#18319)
Systemd upstream provides targets for networking. This also includes a target network-online.target.

In this PR I remove / replace most occurrences since some of them were even wrong and could delay startup.
2016-09-10 18:03:59 +02:00
Domen Kožar
fed3501b07 Remove docker-registry as it's deprecated #18209 2016-09-09 18:50:42 +02:00
Robert Helgesson
bf371a8b06 radicale service: use "simple" service type (#18406)
Radicale can run as a foreground service and will then emits logging and
errors on the standard output. This helps the logging end up in the
systemd journal.
2016-09-08 12:34:22 +02:00
aszlig
fb46df8a9a
nixos: Fix ordering of firewall.service
Follow-up to the following commits:

  abdc5961c3: Fix starting the firewall
  e090701e2d: Order before sysinit

Solely use sysinit.target here instead of multi-user.target because we
want to make sure that the iptables rules are applied *before* any
socket units are started.

The reason I've dropped the wantedBy on multi-user.target is that
sysinit.target is already a part of the dependency chain of
multi-user.target.

To make sure that this holds true, I've added a small test case to
ensure that during switch of the configuration the firewall.service is
considered as well.

Tested using the firewall NixOS test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
2016-09-07 15:11:24 +02:00
Eelco Dolstra
e090701e2d firewall: Order before sysinit
Suggested by @aszlig.
2016-09-07 14:42:30 +02:00
Eelco Dolstra
abdc5961c3 Fix starting the firewall
Probably as a result of 992c514a20, it
was not being started anymore.

My understanding of systemd.special(7) (section "Special passive
system units") is that the firewall should want network-pre.target,
rather than the other way around (not very intuitive...). This in
itself does not cause the firewall to be wanted, which is why the
wanted-by relationship with multi-user.target is necessary.

http://hydra.nixos.org/build/39965589
2016-09-07 14:30:11 +02:00
Alexey Shmalko
b7237abc08 avahi-daemon: remove default browse-domains
These domains are not actually default but examples. See
https://github.com/lathiat/avahi/blob/master/avahi-daemon/avahi-daemon.conf#L24
for default config.
2016-09-07 13:58:21 +02:00
Eelco Dolstra
520cb14f16 Fix infinite recursion introduced by f3c32cb2c1 2016-09-05 18:17:22 +02:00
Eelco Dolstra
f3c32cb2c1 Let services.openssh.forwardX11 imply programs.ssh.setXAuthLocation 2016-09-05 15:38:42 +02:00