Commit graph

2480 commits

Author SHA1 Message Date
Daniel Nagy
e57465a617
nixos/monero: set port type to types.port 2021-05-30 14:38:20 +02:00
Daniel Nagy
65b32a0afe
nixos/syncserver: set port type to types.port 2021-05-30 14:38:19 +02:00
Daniel Nagy
048c45679f
nixos/gitDaemon: set port type to types.port 2021-05-30 14:38:19 +02:00
Marc 'risson' Schmitt
6b12cff0b5
nixos/unbound: fix define-tag option
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2021-05-29 18:00:44 +02:00
Niklas Hambüchen
d344dccf3d nixos/wireguard: Remove .path systemd unit for privkey. Fixes #123203
As per `man systemd.path`:

> When a service unit triggered by a path unit terminates
> (regardless whether it exited successfully or failed),
> monitored paths are checked immediately again,
> **and the service accordingly restarted instantly**.

Thus the existence of the path unit made it impossible to stop the
wireguard service using e.g.

    systemctl stop wireguard-wg0.service

Systemd path units are not intended for program inputs such
as private key files.
This commit simply removes this usage; the private key is still
generated by the `generateKeyServiceUnit`.
2021-05-28 17:44:19 -07:00
Martin Weinelt
fcd6d0bc14
Merge pull request #124263 from Lassulus/solanum3
solanum: remove obsolete BANDB settings/patches
2021-05-25 20:51:32 +02:00
Sandro Jäckel
140828ce38
nixos/kresd: tell resolveconf to use local resolver 2021-05-25 16:37:00 +02:00
Niklas Hambüchen
83a8acc392
Merge pull request #121331 from nh2/wireguard-dynamicEndpointRefreshSeconds
nixos/wireguard: Add `dynamicEndpointRefreshSeconds` option
2021-05-24 21:49:05 +02:00
lassulus
8eb5701aaf solanum: remove obsolete BANDB settings/patches 2021-05-24 15:49:57 +02:00
Guillaume Girol
8fe0143d88 nixos: add option to load wireless regulatory database as firmware
use it when networkmanager or wpa_supplicant is enabled.

fixes #57053
fixes "Direct firmware load for regulatory.db failed with error -2"
in dmesg

Note that all kernels on unstable are newer that 4.15, which is required
for this to work.
2021-05-23 19:49:05 +02:00
Martin Weinelt
71fb79ee6b
Merge pull request #123828 from Lassulus/solanum2
nixos/solanum: init
2021-05-21 23:23:01 +02:00
lassulus
48c16e48aa nixos/solanum: init 2021-05-21 23:06:38 +02:00
eyJhb
6000f420e8
nixos/znc: fixed chown not working after hardening (#123883) 2021-05-21 19:07:53 +02:00
ajs124
c455f3ccaf
Merge pull request #123084 from Yarny0/hylafax
hylafaxplus & nixos/hylafax: small improvements
2021-05-21 14:20:57 +02:00
Jonas Chevalier
30c021fa15
Merge pull request #123744 from hercules-ci/init-ghostunnel
ghostunnel: init
2021-05-20 20:58:41 +02:00
Robert Hensing
dc9cb63de4 nixos/ghostunnel: init 2021-05-20 10:41:52 +02:00
Paul Schyska
69202853ea
nixos/nsd: make nsd-checkconf work when configuration contains keys 2021-05-19 18:21:10 +02:00
Michele Guerini Rocco
376eabdac3
Merge pull request #123254 from rnhmjoj/ipsec
libreswan: 3.2 -> 4.4
2021-05-19 13:36:04 +02:00
Maciej Krüger
7458dcd956
Merge pull request #75242 from mkg20001/cjdns-fix
services.cjdns: add missing, optional login & peerName attribute
2021-05-18 18:22:29 +02:00
Robert Schütz
d189df235a
Merge pull request #122241 from dotlambda/znc-harden
nixos/znc: harden systemd unit
2021-05-18 17:44:14 +02:00
Maciej Krüger
7409f9bab3
services.cjdns: add missing, optional login & peerName attribute 2021-05-18 17:39:04 +02:00
rnhmjoj
1a4db01c84
nixos/libreswan: update for version 4.x
- Use upstream unit files
- Remove deprecated config options
- Add option to disable redirects
- Add option to configure policies
2021-05-18 08:13:36 +02:00
Jörg Thalheim
b900661f6e
Merge pull request #122825 from Izorkin/update-duplicates-systemcallfilters
treewide: remove duplicates SystemCallFilters
2021-05-17 12:06:06 +01:00
Sandro
700942d2a5
Merge pull request #121119 from SuperSandro2000/remove-gnidorah
treewide: remove gnidorah
2021-05-17 02:42:24 +02:00
Niklas Hambüchen
357cf46c8d wireguard module: Add dynamicEndpointRefreshSeconds option.
See for an intro:
https://wiki.archlinux.org/index.php/WireGuard#Endpoint_with_changing_IP
2021-05-16 20:11:51 +02:00
Yarny0
c2af1ff281 nixos/hylafax: enable ProtectKernelLogs for most services
Also document that `ProtectClock` blocks access to serial line.
I couldn't found out why this is the case,
but faxgetty complains about the device file
not being accessible with `ProtectClock=true`.
2021-05-14 22:55:50 +02:00
Robert Schütz
e611d663f4
Merge pull request #120440 from dotlambda/radicale-settings
nixos/radicale: add settings option
2021-05-14 15:37:26 +02:00
Yarny0
4415846d5c nixos/hylafax: use runtimeShell where possible
According to
https://github.com/NixOS/nixpkgs/pull/84556
this effort helps with cross-compilation.

This commit also renames a substituted variable `hylafax`
to `hylafaxplus` to permit substitution with `inherit`.
2021-05-14 05:42:18 +02:00
Yarny0
89df33f882 nixos/hylafax: replace a nested expression with lib.pipe
This avoids a tripple-nested function call,
and it looks slightly simpler (at least to me).
2021-05-14 05:42:18 +02:00
Yarny0
449647daf5 nixos/hylafax: use lib.types.ints.positive
I haven't realized earlier that there is
already an option type for postive integers.
2021-05-14 05:42:17 +02:00
Izorkin
feebe402f5
treewide: remove duplicates SystemCallFilters 2021-05-13 15:44:56 +03:00
Sandro
f0bb4f066a
Merge pull request #95050 from paumr/bind-fmt 2021-05-10 19:06:00 +02:00
Michele Guerini Rocco
d0cbcce8d4
Merge pull request #121395 from bjornfor/nixos-wpa-supplicant
nixos/wpa_supplicant: prefer 'install' over 'touch/chmod/mkdir/chgrp'
2021-05-10 08:16:39 +02:00
paumr
5390d4b946 nixos/bind: formatted with nixpkgs-fmt 2021-05-08 23:13:58 +02:00
Robert Schütz
314a64a026 nixos/znc: fix example 2021-05-08 22:54:19 +02:00
Robert Schütz
5986f233a6 nixos/znc: remove trailing slash from dataDir 2021-05-08 22:54:19 +02:00
Robert Schütz
4400ee83ec nixos/znc: harden systemd unit 2021-05-08 22:54:15 +02:00
Robert Hensing
4433ba90aa
Merge pull request #121927 from rissson/nixos-unbound-fix-top-level-include
nixos/unbound: allow list of strings in top-level settings option type
2021-05-08 22:00:57 +02:00
Marc 'risson' Schmitt
0340cd2abe
nixos/unbound: allow list of strings in top-level settings option type
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2021-05-08 19:55:17 +02:00
Aaron Andersen
9254b82706
Merge pull request #121746 from j0hax/monero-options
nixos/monero: add dataDir option
2021-05-08 11:43:49 -04:00
Gemini Lasswell
28f51d7757 nixos/yggdrasil: set directory permissions before writing keys
Remove the opportunity for someone to read the keys in between when
they are written and when the chmod is done.  Addresses #121293.
2021-05-08 09:49:19 +02:00
Johannes Arnold
c0853b6e2c nixos/monero: use isSystemUser = true 2021-05-08 02:13:25 +02:00
Maximilian Bosch
a50b9e6c23
Merge pull request #113716 from Ma27/wpa_multiple
wpa_supplicant: allow both imperative and declarative networks
2021-05-06 11:01:35 +02:00
Johannes Arnold
ff65166f44 nixos/monero: fix typo 2021-05-04 21:57:21 +00:00
Johannes Arnold
7cf3ffbddd nixos/monero: add dataDir option 2021-05-04 21:56:45 +00:00
Robert Schütz
762be5c86d nixos/radicale: harden systemd unit 2021-05-04 17:43:26 +02:00
Michele Guerini Rocco
93c5837be5
Merge pull request #121512 from rnhmjoj/searx
searx: set settings.yml permissions using umask
2021-05-04 11:43:12 +02:00
Robert Schütz
022c5b0922 nixos/radicale: add settings option
The radicale version is no longer chosen automatically based on
system.stateVersion because that gave the impression that old versions
are still supported.
2021-05-04 10:22:05 +02:00
Andreas Rammhold
3ec6977d30
Merge pull request #89572 from rissson/nixos/unbound
nixos/unbound: add settings option, deprecate extraConfig
2021-05-03 21:49:24 +02:00
Marc 'risson' Schmitt
52f6733203
nixos/unbound: deprecate extraConfig in favor of settings
Follow RFC 42 by having a settings option that is
then converted into an unbound configuration file
instead of having an extraConfig option.

Existing options have been renamed or kept if
possible.

An enableRemoteAccess has been added. It sets remote-control setting to
true in unbound.conf which in turn enables the new wrapping of
unbound-control to access the server locally.  Also includes options
'remoteAccessInterfaces' and 'remoteAccessPort' for remote access.

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2021-05-03 21:27:15 +02:00
Silvan Mosberger
a221e6c330
Merge pull request #121172 from eyJhb/bind-list-to-attrs
nixos/bind: refactor zones from a list to attrset
2021-05-03 21:21:22 +02:00
eyjhb
757a455dde
nixos/bind: refactor zones from a list to attrset
This commit uses coercedTo to make zones a attrset instead of list.
Makes it easier to access/change zones in multiple places.
2021-05-03 20:04:42 +02:00
Silvan Mosberger
3e930b7e4a
Merge pull request #121294 from nh2/issue-121288-wireguard-fix-chmod-race
wireguard module: generatePrivateKeyFile: Fix chmod security race
2021-05-03 16:24:42 +02:00
Luke Granger-Brown
4b42da3d85
Merge pull request #120791 from mweinelt/babeld
babeld: 1.9.2 -> 1.10
2021-05-03 10:00:12 +01:00
rnhmjoj
9ea6c1979c
nixos/searx: set settings.yml permissions using umask
This should solve a leakage of secrets as suggested in #121293
2021-05-03 09:53:50 +02:00
Martin Weinelt
a2d1d16af8
nixos/mosquitto: Migrate away from bind_address/port config keys
Fixes these two deprecation warnings, by moving away from these options
towards a simple listener configuration.

> The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.
> The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.

Fixes: #120860
2021-05-01 19:46:48 +02:00
Martin Weinelt
33e867620e
nixos/mosquitto: harden systemd unit
It can still network, it can only access the ssl related files if ssl is
enabled.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                  0.1

→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
2021-05-01 19:46:48 +02:00
Bjørn Forsman
5d47dc750f nixos/wpa_supplicant: prefer 'install' over 'touch/chmod/mkdir/chgrp'
Ref #121293.
2021-05-01 15:34:04 +02:00
Niklas Hambüchen
aaffc6447d wireguard module: Quote all command line arguments correctly.
Standard best-practice shell quoting, which can prevent the most
horrible production accidents.

Note that we cannot use `+ optionalString someBool '' someString''`
because Nix's multi-line ''double-quoted'' strings remove leading
whitespace.
2021-04-30 23:05:10 +02:00
lunik1
248a57d61a
nixos/adguardhome: init (#120568) 2021-04-30 20:55:31 +02:00
Niklas Hambüchen
0dc08b4138 wireguard module: generatePrivateKeyFile: Fix chmod security race. Fixes #121288
Until now, the `touch + chmod 600 + write` approach made it possible for
an unprivileged local user read the private key file, by opening
the file after the touch, before the read permissions are restricted.

This was only the case if `generatePrivateKeyFile = true` and the parent
directory of `privateKeyFile` already existed and was readable.

This commit fixes it by using `umask`, which ensures kernel-side that
the `touch` creates the file with the correct permissions atomically.

This commit also:

* Removes `mkdir --mode 0644 -p "${dirOf values.privateKeyFile}"`
  because setting permissions `drw-r--r--` ("nobody can enter that dir")
  is awkward. `drwx------` would perhaps make sense, like for `.ssh`.
  However, setting the permissions on the private key file is enough,
  and likely better, because `privateKeyFile` is about that file
  specifically and no docs suggest that there's something special
  about its parent dir.
* Removes the `chmod 0400 "${values.privateKeyFile}"`
  because there isn't really a point in removing write access from
  the owner of the private key.
2021-04-30 18:55:38 +02:00
Sandro Jäckel
ae02415ee8
treewide: remove gnidorah
due to github account removal/deletion and not other mean of contact.
2021-04-30 01:48:19 +02:00
Vladimír Čunát
5b0871bd97
Merge #120493: nixos/kresd: allow package to be configured 2021-04-29 10:41:12 +02:00
Vladimír Čunát
a4749b11d4
nixos/kresd.package: improve the generated docs 2021-04-27 21:38:30 +02:00
Martin Weinelt
4e66e9aea5
nixos/babeld: start maintaining the module 2021-04-27 14:12:07 +02:00
github-actions[bot]
a956f62ea4
Merge master into staging-next 2021-04-25 06:05:34 +00:00
Martin Weinelt
e8988f7a30 nixos/babeld: run as DynamicUser
The last bits to prevent babeld from running unprivileged was its
kernel_setup_interface routine, that wants to set per interface
rp_filter. This behaviour has been disabled in a patch that has been
submitted upstream at https://github.com/jech/babeld/pull/68 and reuses
the skip-kernel-setup config option.

→ Overall exposure level for babeld.service: 1.7 OK 🙂
2021-04-25 00:54:52 +02:00
Sandro Jäckel
8ee00e6ca2
nixos/kresd: allow package to be configured 2021-04-24 09:18:45 +02:00
github-actions[bot]
b95da5efb6
Merge master into staging-next 2021-04-22 18:14:27 +00:00
github-actions[bot]
120744d620
Merge master into staging-next 2021-04-22 12:06:24 +00:00
Jörg Thalheim
40945d399d
quagga: remove
Upstream repositories do no longer exists. There has been no release in
a while. - Not a good combination for a network daemon running as root
in C that parses network packets...
2021-04-22 12:48:48 +02:00
Michael Weiss
3e01d42024
maintainers: remove tavyc
Their last commit was dcc84d8 from 2017.
Thank you for your contributions.
2021-04-22 11:34:25 +02:00
github-actions[bot]
9b3e698b14
Merge master into staging-next 2021-04-21 12:06:23 +00:00
Oleksii Filonenko
c2900f685f
Merge pull request #111518 from Jaculabilis/nebula
nixos/nebula: add basic module
2021-04-21 11:17:30 +03:00
github-actions[bot]
6ef7c23763
Merge master into staging-next 2021-04-19 18:11:51 +00:00
Lorenz Leutgeb
0b0cd3f6aa
mxisd: remove (#119372)
* mxisd: remove

See EOL notice at https://github.com/kamax-matrix/mxisd/blob/master/EOL.md#end-of-life-notice

* mxisd: Add throwing EOL notice
2021-04-19 11:26:08 -04:00
github-actions[bot]
b57b2b362c
Merge master into staging-next 2021-04-18 18:10:37 +00:00
Johannes Schleifenbaum
dc282fc3f3
nixos/dnsdist: dndist.conf -> dnsdist.conf 2021-04-18 13:34:28 +02:00
Morgan Jones
064e0af80b nixos/nebula: Add enable option defaulting to true to Nebula networks 2021-04-16 19:57:02 -07:00
Maximilian Bosch
84670bf681
wpa_supplicant: review fixes 2021-04-16 13:28:26 +02:00
Maximilian Bosch
08ced9d67f
nixos/wpa_supplicant: make new behavior opt-in 2021-04-16 13:18:46 +02:00
Maximilian Bosch
de0a39166b
wpa_supplicant: allow both imperative and declarative networks
For a while now it's possible to specify an additional config file in
`wpa_supplicant`[1]. In contrast to the file specified via `-c` this was
supposed to be used for immutable settings and not e.g. additional
networks.

However I'm a little bit unhappy about the fact that one has to choose
between a fully imperative setup and a fully declarative one where the
one would have to write credentials for e.g. WPA2-enterprise networks
into the store.

The primary problem with the current state of `wpa_supplicant` is that
if the `SAVE_CONFIG` command is invoked (e.g. via `wpa_cli`), all known
networks will be written to `/etc/wpa_supplicant.conf` and thus all
declarative networks would get out of sync with the declarative
settings.

To work around this, I had to change the following things:

* The `networking.wireless`-module now uses `-I` for declarative config,
  so the user-controlled mode can be used along with the
  `networks`-option.

* I added an `ro`-field to the `ssid`-struct in the
  `wpa_supplicant`-sources. This will be set to `1` for each network
  specified in the config passed via `-I`.

  Whenever config is written to the disk, those networks will be
  skipped, so changes to declarative networks are only temporary.

[1] https://w1.fi/cgit/hostap/commit/wpa_supplicant?id=e6304cad47251e88d073553042f1ea7805a858d1
2021-04-16 13:18:25 +02:00
Martin Weinelt
7cf67850c0
Merge branch 'master' into staging-next 2021-04-15 01:01:26 +02:00
Guillaume Girol
f1a2ab6818
Merge pull request #115332 from symphorien/usertype
nixos/users: require one of users.users.name.{isSystemUser,isNormalUser}
2021-04-14 19:38:26 +00:00
Symphorien Gibol
7a87973b4c nixos/users: require one of users.users.name.{isSystemUser,isNormalUser}
As the only consequence of isSystemUser is that if the uid is null then
it's allocated below 500, if a user has uid = something below 500 then
we don't require isSystemUser to be set.

Motivation: https://github.com/NixOS/nixpkgs/issues/112647
2021-04-14 20:40:00 +02:00
Vladimír Čunát
d2eb7a7887
Merge branch 'staging' into staging-next
A few conflicts but relatively clear ones (I think).
2021-04-14 10:08:25 +02:00
Graham Christensen
d72a60a59f
Merge pull request #115590 from grahamc/iscsi
NixOS: services.{openiscsi, target}, boot.iscsi-initiator: init
2021-04-13 13:19:34 -04:00
Martin Weinelt
8e1e78a735
nixos/babeld: allow AF_INET communication required for netlink socket
This broke after seccomp was updated from 2.5.0 to 2.5.1 in 22148780.
2021-04-13 02:41:54 +02:00
Sandro
000af0d8bf
Merge pull request #118658 from rhoriguchi/networkmanager
nixos/networkmanager: add missing kernel module for wpa authentication
2021-04-12 20:18:32 +02:00
Sandro
0c1d21dfa8
Merge pull request #117905 from yoctocell/privoxy-module-fix-forward-socks5
nixos/privoxy: add missing "/" to "forward-socks5" option
2021-04-12 16:49:29 +02:00
sternenseemann
9c989f2fd9 spacecookie: add top-level attribute for haskellPackages.spacecookie
The haskellPackages.spacecookie derivation also includes a library and
thus a lot of propagated haskell dependencies. The top-level attribute
uses haskell.lib.justStaticExecutables and therefore only the
executable. This should reduce the runtime closure users have to
download considerably if they only want the server.
2021-04-10 15:44:19 +02:00
sternenseemann
d51edbe17e nixos/spacecookie: reflect changes for spacecookie 1.0.0.0
* New log options
* The old port option has been deprecated in favor of listen -> port

https://github.com/sternenseemann/spacecookie/blob/master/CHANGELOG.md#1000
2021-04-10 15:44:19 +02:00
sternenseemann
76583ee81a nixos/spacecookie: convert into settings-style freeform configuration
* Move `hostname` and `root` into a settings submodule with a freeform
  type, allowing users to also use options not known to the NixOS
  service. Compatibility with a warning for the renamed options is also
  trivial to achieve.
* `port` stays where it is as we don't actually use the `port` option of
  spacecookie to set up the socket, but only to inform spacecookie about
  the port we have set in the `systemd.socket` file, this makes more
  sense. Additionally the configuration of the listening port and
  address change in the next spacecookie release — we can dodge this
  issue altogether by doing our own thing, but I'm interested to hear
  opinions on this.
  To ensure that this is not misconfigured, we add an assertion for
  the port option.
* Add an assertion for `user` in settings which has no effect the way
  we are starting spacecookie as it wouldn't be able to call setuid.
  The message also explains how a specific user can be used with
  spacecookie if desired.
2021-04-10 15:44:19 +02:00
sternenseemann
b74821f31b nixos/spacecookie: add address option customizing listen address
This configuration option reflects a new feature from the unreleased
spacecookie version allowing to customize the address spacecookie will
listen on (e. g. "::1" to bind on link-local addresses only). We will
not use this feature in the future, since the configuration option of
spacecookie naturally only has an effect if we don't use socket
activation (and spacecookie sets up its own socket), but having the same
functionality in the service seems like a good idea.

We can luckily emulate this behavior with socket activation as well.
2021-04-10 15:44:19 +02:00
sternenseemann
d1f57cbaf0 nixos/spacecookie: add openFirewall option
Convenience shortcut which automatically configures the firewall to open
the port which is also configured for the spacecookie service.
2021-04-10 15:44:19 +02:00
sternenseemann
58be28d7ce nixos/spacecookie: add package option
This allows to change the derivation to use for the spacecookie server
binary. We probably should also use justStaticExecutables by default to
reduce the runtime closure of the service.
2021-04-10 15:44:19 +02:00
sternenseemann
6b577f46b4 nixos/spacecookie: use nix style strings for description 2021-04-10 15:44:19 +02:00
Martin Weinelt
f882b057be
Merge pull request #111316 from higebu/add-gobgpd 2021-04-09 17:17:07 +02:00
Yuya Kusakabe
45cffe7985
nixos/gobpgd: init 2021-04-09 14:57:11 +00:00
Sandro
26f16c1cef
Merge pull request #91318 from stephank/pkg-doh-proxy-rust 2021-04-08 22:32:12 +02:00
ajs124
c6d4dae35d treewide: fix eval without aliases after 9378fdf87e 2021-04-08 13:33:09 +02:00
Frederik Rietdijk
b9ef51a84b services.tailscale: add openresolv to path
Without openresolv, magic dns is not very usable.
2021-04-07 18:40:04 +02:00
Stéphan Kochen
20481bd027 doh-proxy-rust: init at 0.3.8 2021-04-07 14:23:55 +02:00
ajs124
47598c476a nixos/iscsi/root-initiator: init
Co-authored-by: Graham Christensen <graham@floxdev.com>
2021-04-06 18:34:32 +00:00
ajs124
39b5040a4b nixos/iscsi/initiator: init
Co-authored-by: Graham Christensen <graham@floxdev.com>
2021-04-06 18:34:25 +00:00
ajs124
c2da1d7b53 nixos: iscsi/target: init module
Co-authored-by: Graham Christensen <graham@floxdev.com>
2021-04-06 18:33:50 +00:00
Ryan Horiguchi
5171c5c2ee
nixos/networkmanager: add missing kernel module for wpa authenticaion 2021-04-06 13:50:51 +02:00
Sandro Jäckel
9378fdf87e
iproute: deprecate alias 2021-04-04 01:43:46 +02:00
Doron Behar
c2b66f2702
Merge pull request #98734 from ju1m/zerobin 2021-03-29 17:18:29 +00:00
Xinglu Chen
273f5c38a3
nixos/privoxy: add missing "/" to "forward-socks5" option
Without this, Privoxy will silently fail, meaning that no traffic
would be routed through Tor, giving users a false sense of privacy.
2021-03-28 21:16:55 +02:00
Vladimír Čunát
56f308bb2f
nixos/kresd: trivial cleanup 2021-03-28 21:01:50 +02:00
Vladimír Čunát
6e562fd6a7
Merge #101043: nixos/kresd: Listen on IPv4 wildcard, too
This makes sense to me.  I can't see any reference (incl. PR #78628)
why that commit of mine (ae74a0e27c) used 127.0.0.1 instead of 0.0.0.0
2021-03-28 20:53:33 +02:00
Vladimír Čunát
0032a3fc81
Merge #100592: nixos/kresd: Fix unportable regex 2021-03-28 20:27:49 +02:00
Maciej Krüger
c8d2f4a3a8 cjdns: reduce password length to 32
Maximum password length per cjdns code is somehwhere less than that, see
ecd01e7681/client/AdminClient.c (L80)

Currently we generate 96 char long passwords that don't work

This changes it so password length is just 32 chars long
2021-03-26 11:35:09 +01:00
Florian Klink
f3fa3a38a9
Merge pull request #116743 from flokli/bird-check-config-disable
nixos/bird*: enable config files outside the store, propagate reload errors to systemd
2021-03-25 23:01:09 +01:00
Maximilian Bosch
0ad1d526dc
Merge pull request #117454 from dotlambda/wireguard-noalias
nixos/wireguard: don't use alias
2021-03-24 11:43:13 +01:00
Robert Schütz
683f374529 nixos/wireguard: don't use alias 2021-03-24 11:27:36 +01:00
sternenseemann
76d9fe7629 !fixup add myself as maintainer for the module 2021-03-22 15:19:49 +01:00
sternenseemann
4048b39fc1 nixos/modules/inspircd: add simplistic module and nixos test 2021-03-22 14:38:57 +01:00
Florian Klink
2b03d3a1cf nixos/bird: check config during reload
`birdc configure` seems to not return a nonzero exit code if the reload
failed.

Context: https://bird.network.cz/pipermail/bird-users/2018-January/011858.html

Co-Authored-By: Puck Meerburg <puck@puck.moe>
2021-03-18 14:25:44 +01:00
Florian Klink
7d266264ce nixos/bird: add services.bird*.checkConfig option
This is useful when the config doesn't entirely live in the Nix store,
but is configured to include mutable config files written at runtime.

Co-Authored-By: Puck Meerburg <puck@puck.moe>
2021-03-18 14:24:55 +01:00
Julien Moutinho
a9ce4c4a0e zerobin: 20160108 -> 1.0.5 2021-03-13 13:06:06 +01:00
Aaron Andersen
47c5175f0c
Merge pull request #93629 from ju1m/croc
nixos/croc: init
2021-03-12 20:34:33 -05:00
rnhmjoj
7962df46fe
nixos/privoxy: make certificate-directory optional
The tmpfiles.d rule should only be added if inspectHttps is enabled.
2021-03-11 08:17:50 +01:00
rnhmjoj
df6d7f3142
nixos/privoxy: document repeated settings 2021-03-09 17:59:12 +01:00
rnhmjoj
8e21a1c51b
nixos/privoxy: set temporary directory
This is needed for working external filters, otherwise privoxy will fail
without a clear error message.
2021-03-09 11:02:59 +01:00
rnhmjoj
3673ded392
nixos/privoxy: add https and settings options
This is a major rewrite of the Privoxy module:

- As per RFC0042, remove privoxy.extraConfig and replace it
  with a privoxy.settings option, which maps a NixOS freeform
  submodule to the Privoxy configuration format.

- Move all top-level options that mirrored a setting to
  the real ones in privoxy.settings. This still keeps the
  type-checking, default values and examples in places.

- Add two convenience options: userActions and userFilters, which
  simplify the operation of creating a file with pkgs.writeText,
  converting it to a string and adding it to the actionsfile/
  filterfile list.

- Add a privoxy.inspectHttps option to automagically setup TLS
  decryption support. I don't know how long have been waiting
  for this feature: can't believe it has just happened.

- Also add a privoxy.certsLifetime to control the periodical
  cleanup of the temporary certificates generate by Privoxy.
2021-03-09 11:02:59 +01:00
Julien Moutinho
be6463cd9d nixos/croc: init 2021-03-08 01:34:32 +01:00
Johan Thomsen
7b5c38e973 nixos/kubernetes: docker -> containerd
also, nixos/containerd: module init
2021-03-07 12:51:14 +10:00
Tim Van Baak
002fe4f19d nixos/nebula: Add final newline to module and test 2021-03-04 21:39:04 -08:00
Tim Van Baak
e3f113abc2 nixos/nebula: Update systemd service to be more like the source repo's 2021-03-04 21:36:05 -08:00
taku0
61706fc470
Merge pull request #114853 from lourkeur/fix-string-escaping
nixos/kresd, nixos/dokuwiki, tests/fpm, build-bazel-package, libcutl: fix string escaping
2021-03-03 19:35:16 +09:00
Tim Van Baak
17430ea40a nixos/nebula: Remove default punch option in favor of setting it through the settings option 2021-03-01 20:21:27 -08:00
Tim Van Baak
511465ade0 nixos/nebula: Remove unnecessary package from service user 2021-02-28 18:35:16 -08:00
Tim Van Baak
9f1ebd0c10 nixos/nebula: Refactor module to allow for multiple nebula services on the same machine 2021-02-28 18:31:42 -08:00
Julien Moutinho
862481560c nixos/dnscrypt-proxy2: reallow @sync syscalls 2021-02-21 14:53:54 +01:00
rnhmjoj
15d6eacb15
nixos/{networkd,dhcpcd}: remove udev-settle hack
systemd-udev-settle is a terrible hack[1] and should never[2] ever[3]
used, seriously it's very bad. It was used as a stop-gap solution for
issue #39069, but thanks to PR #79532 it can be removed now.

[1]: https://github.com/systemd/systemd/issues/7293#issuecomment-592941764
[2]: https://github.com/NixOS/nixpkgs/issues/73095
[3]: https://github.com/NixOS/nixpkgs/issues/107341
2021-02-18 22:07:00 +01:00
Milan
3b77e7c967
nixos/jitsi-videobridge: add apis option (#112960)
The `--apis=` command line parameter passed to Jitsi Videobridge is
required to monitor a Jitsi Meet instance for example via the prometheus
exporter [jitsiexporter](https://git.xsfx.dev/prometheus/jitsiexporter).
2021-02-13 15:04:58 +01:00
Luke Granger-Brown
cfed3b8b22 treewide: update 21.03 to 21.05
The NixOS 21.03 release has been delayed to 21.05. See NixOS/rfcs#80.

There are two instances of 21.03 which have been left as is, since they
are in stateVersion comparisons. This will ensure that existing user
configurations which refer to 21.03 will continue to work.
2021-02-12 14:12:48 -08:00
Aaron Andersen
9f9e7c181c nixos/nebula: conditionally provision the nebula user 2021-02-09 20:48:23 -05:00
Aaron Andersen
b52a8f67dd nixos/nebula: simply service user logic 2021-02-09 20:45:17 -05:00
Aaron Andersen
e8eaea9627 nixos/nebula: replace extraConfig option with a settings option 2021-02-09 20:42:33 -05:00
Bernardo Meurer
c83a3d6fa7
Merge pull request #112335 from lovesegfault/firefox-no-flash
treewide: cleanup Adobe Flash Player
2021-02-09 01:35:24 +00:00
Guillaume Girol
2630a2df91
Merge pull request #108238 from snicket2100/more-dnscrypt-proxy-hardening
nixos/dnscrypt-proxy2: more service hardening
2021-02-08 19:22:44 +00:00
Bernardo Meurer
ecaefda84a
nixos.flashpolicyd: drop 2021-02-08 09:38:48 -08:00
Eric Bailey
35056b3b61 maintainers/teams: add beam team 2021-02-07 13:01:11 -06:00
Fritz Otlinghaus
d7ee2a16bd nixos/resilio: add sharedFolders type 2021-02-03 16:17:37 -08:00
Ben Wolsieffer
6f4e6cd819 nixos/chrony: split the initstepslew attrset into options
Add explicit options for initstepslew.enabled and initstepslew.threshold, rather
than using an attrset.
2021-02-02 19:26:47 -05:00
Sandro
449b698a0b
Merge pull request #111435 from helsinki-systems/sabnzbd
nixos/sabnzbd: add types
2021-02-01 20:07:39 +01:00
Attila Lendvai
c61c0cc04f nixos/bee-clef: init at 0.4.7 2021-02-01 10:56:04 +01:00
Attila Lendvai
35a9d23b82 nixos/bee: init at 0.4.2 2021-02-01 10:56:04 +01:00
Tim Van Baak
35d79e894c nixos/nebula: add basic module 2021-01-31 18:42:57 -08:00
Sandro
4bb7e4fb63
Merge pull request #111470 from helsinki-systems/bind2
nixos/bind: update zone file type
2021-01-31 15:14:02 +01:00
Sandro
75281960c0
Merge pull request #111436 from helsinki-systems/shairport
nixos/shairport-sync: add types
2021-01-31 15:13:33 +01:00
Sandro
1b77b735ea
Merge pull request #111428 from helsinki-systems/prayer
nixos/prayer: Add port type
2021-01-31 15:05:59 +01:00
Sandro
49f5e8799b
Merge pull request #111420 from helsinki-systems/mailpile
nixos/mailpile add types switch port to port type
2021-01-31 15:04:01 +01:00
Sandro
60b597ad3b
Merge pull request #111419 from helsinki-systems/lshd
nixos/lshd: add types
2021-01-31 15:03:45 +01:00
Sandro
af78f11035
Merge pull request #111417 from helsinki-systems/ircd-hybrid
nixos/ircd-hybrid: add types
2021-01-31 15:02:07 +01:00
Fritz Otlinghaus
58ab3a3249
nixos/bind: update zone file type 2021-01-31 14:59:54 +01:00
Fritz Otlinghaus
54e7528009
nixos/radvd: add type (#111430) 2021-01-31 13:54:30 +01:00
Fritz Otlinghaus
821f19a975
nixos/quassel: add types (#111429) 2021-01-31 13:46:29 +01:00
Lassulus
4c181d179b
Merge pull request #110131 from helsinki-systems/bind_types
bind: Add types for options
2021-01-31 13:44:14 +01:00
Fritz Otlinghaus
087011cc68
nixos/wakeonlan: add types 2021-01-31 13:26:12 +01:00
Fritz Otlinghaus
a94c7ef24e
nixos/shairport-sync: add types 2021-01-31 12:14:01 +01:00
Fritz Otlinghaus
14a8446dc1
nixos/sabnzbd: add types 2021-01-31 12:12:59 +01:00
Fritz Otlinghaus
f0932a6c41
nixos/prayer: Add port type 2021-01-31 12:01:41 +01:00
Fritz Otlinghaus
295de63e90
nixos/lshd: add types 2021-01-31 11:27:20 +01:00
Fritz Otlinghaus
f50a26d257
nixos/mailpile add types switch port to port type 2021-01-31 11:26:07 +01:00
Fritz Otlinghaus
adacfb44cc
nixos/ircd-hybrid: add types 2021-01-31 11:17:03 +01:00
Sandro
532dd98cdb
Merge pull request #111155 from helsinki-systems/hostapd
nixos/hostapd: add interface type
2021-01-29 17:47:39 +01:00
Scriptkiddi
679e369ba2
nixos/hostapd: add interface type 2021-01-29 13:04:50 +01:00
Sandro
1f730f2918
Merge pull request #111126 from helsinki-systems/gogoclient
nixos/gogoclient: add types
2021-01-29 09:52:35 +01:00
Scriptkiddi
5f40e68c9c nixos/consul: add types 2021-01-29 00:32:32 -08:00
Scriptkiddi
f2764e1f71
nixos/gogoclient: add types 2021-01-29 08:39:51 +01:00
Scriptkiddi
103ea99b99 nixos/gvpe: add types 2021-01-28 13:58:33 -08:00
Scriptkiddi
f2ce0f543d nixos/flashpolicyd: add types 2021-01-27 11:44:15 -08:00
Ninjatrappeur
ab224b550c
Merge pull request #103138 from NinjaTrappeur/nin-pleroma 2021-01-27 13:28:44 +01:00
Robert Hensing
d2a41be2f3
Merge pull request #110707 from Infinisil/functionTo
Bring back `types.functionTo`
2021-01-27 10:50:13 +01:00
Scriptkiddi
26c4dcf8fa nixos/babeld: add type extraConfig 2021-01-26 20:06:29 -08:00
Scriptkiddi
5f472181f2 nixos/cntlm: add types 2021-01-26 13:17:19 -08:00
Félix Baylac-Jacqué
231c5a576a
nixos/pleroma: init
Adding a new pleroma NixOS module and its associated documentation.

co-authored-by: duponin <duponin@locahlo.st>
2021-01-26 18:11:38 +01:00
Ben Siraphob
1c2a2b0a08 treewide: fold -> foldr 2021-01-26 10:57:07 +07:00
Florian Klink
b2f3bd4d79
Merge pull request #100155 from primeos/nixos-add-fqdn-option
nixos/networking: Add a read-only option for the FQDN
2021-01-25 16:45:45 +01:00
Bernardo Meurer
105b9eb1b8
Merge pull request #109768 from cpcloud/nomad-datadir-cleanup
nixos/nomad: enforce specific data_dir semantics
2021-01-24 18:20:08 +00:00
Bas van Dijk
8ac4b251c8
nixos: use functionTo to prevent evaluation errors while merging
Without this patch merging options like
services.xserver.windowManager.xmonad.extraPackages
results in the evaluation error:

  error: value is a list while a set was expected, at nixpkgs/lib/options.nix:77:23

With this patch we get the desired merging behaviour that just concatenates the
resulting package lists.

(cherry picked from commit 6e99f9fdecb1f28308c8e0aed0fc851737354864)

Co-Authored-By: Silvan Mosberger <contact@infinisil.com>
2021-01-24 17:18:37 +01:00
Sandro
81e3b9d15b
Merge pull request #110670 from siraben/double-quotes-fix
treewide: fix double quoted strings in one-liners
2021-01-24 16:17:14 +01:00
Sandro
0dd579a3e6
Merge pull request #110686 from helsinki-systems/chrony_types
nixos/chrony: add types
2021-01-24 14:18:51 +01:00
volth
bc0d605cf1 treewide: fix double quoted strings in meta.description
Signed-off-by: Ben Siraphob <bensiraphob@gmail.com>
2021-01-24 19:56:59 +07:00
Fritz Otlinghaus
31345193f0
nixos/chrony: add types 2021-01-24 13:50:35 +01:00
Fritz Otlinghaus
6054aa2bc1
nixos/amuled: add types 2021-01-24 13:37:09 +01:00
Phillip Cloud
c7c3b9e4ae nixos/nomad: remove User setting entirely 2021-01-23 19:44:37 -05:00
Phillip Cloud
2a3cb407b0 nixos/nomad: only set User if privileges are dropped 2021-01-23 19:44:37 -05:00
Phillip Cloud
5ce4ce6174 nixos/nomad: make formatting consistent in mkMerge call 2021-01-23 19:44:37 -05:00
Phillip Cloud
12b9249cf3 nixos/nomad: unconditionally set user to nomad 2021-01-23 19:44:37 -05:00
Phillip Cloud
5d0b3b7228 nixos/nomad: fix markup and remove suggestion 2021-01-23 19:44:37 -05:00
Phillip Cloud
bddb7ac406 nixos/nomad: fix typo and spell out ExecStartPre usage 2021-01-23 19:44:37 -05:00
Phillip Cloud
b72a46713f nixos/nomad: reformat SupplementaryGroups expression 2021-01-23 19:44:37 -05:00
Phillip Cloud
b80c454459 nixos/nomad: add mkIf for StateDirectory 2021-01-23 19:44:37 -05:00
Phillip Cloud
58fe45936e nixos/nomad: move serviceConfig into mkMerge and mkIf for docker SupplementaryGroups 2021-01-23 19:44:37 -05:00
Phillip Cloud
f3aa71b7ec nixos/nomad: describe the nomad cluster manager responsibilities 2021-01-23 19:44:37 -05:00