Commit graph

1122 commits

Author SHA1 Message Date
Franz Pletz
a59864c3c5
Merge pull request #31839 from bluescreen303/fix-rpfilter
firewall: fix rpfilter blocking dhcp offers when no ip was bound yet
2017-11-24 09:39:05 +01:00
Tim Steinbach
48252b15b9
sshd: Remove ripemd160 MACs
They are invalid for our OpenSSH
2017-11-21 09:36:51 -05:00
Mathijs Kwik
05761e9504 firewall: fix rpfilter blocking dhcp offers when no ip was bound yet 2017-11-19 22:24:56 +01:00
jeaye
2a8bd9e2a1
nixos/ssh: Harden config defaults 2017-11-16 20:25:37 -08:00
jeaye
ec80c92825
nixos/ssh: Remove support for old host keys 2017-11-16 20:25:22 -08:00
Parnell Springmeyer
cb11bf73a5 nixos/nghttpx: add module for the nghttpx proxy server (#31680)
* nghttpx: Add a new NixOS module for the nghttpx proxy server

This change also adds a global `uid` and `gid` for a `nghttpx` user
and group as well as an integration test.

* nixos/nghttpx: fix building manual
2017-11-16 18:21:02 +00:00
Franz Pletz
06d0ba1ee9
Merge pull request #31477 from andir/fix-babeld-config
Fix babeld config
2017-11-14 12:12:59 +01:00
rnhmjoj
2918f6a3f0
nixos/wireless: add manual network configuration 2017-11-11 23:11:46 +01:00
Andreas Rammhold
5feed06535
babeld module: updated example config
Previosuly the example config did feature the deprecated `wired`
paramter. Wired can now be configured using the `type` parameter.
2017-11-10 11:54:21 +01:00
Andreas Rammhold
5d9073747a
babeld module: support non-boolean default arguments
Previosuly only boolean values would be rendered properly. All other
values would cause an error. Even the example configuration did fail.
2017-11-10 11:54:15 +01:00
Andreas Rammhold
236a7c5452
babeld module: separate default options by space
In the previous version multiple default values would generate an
invalid babeld config file since all options would be concatenated
without any separator.
2017-11-10 11:54:08 +01:00
Orivej Desh
30bd994724
Merge pull request #31161 from nocent/master
networkmanager: add power saving and mac address randomization options for wifi devices
2017-11-06 06:17:16 +00:00
Markus Mueller
4874862732
babeld module: init 2017-11-05 21:15:23 +01:00
Franz Pletz
711303952e
wireguard module: add device name environment var
This makes the interface name available as an environment variable for
the pre/post hooks.
2017-11-05 16:42:25 +01:00
Benjamin Staffin
600f393bc7
keybase service: Turn off debug logging
Keybase is _extremely_ verbose with its debug output when run with -d.
2017-11-03 14:45:08 -04:00
Joerg Thalheim
2e6daff704 nixos/unbound: correct indented interface/access lists 2017-11-03 08:37:02 +00:00
nocent
af13b05dda networkmanager: add power saving and mac address randomization options for wifi devices 2017-11-02 21:57:25 +00:00
Andrew Dunham
7f921735e7
strongswan: allow configuring enabled plugins 2017-11-02 14:39:14 +01:00
rnhmjoj
ea8714ecb1
nixos/dnschain: use nodePackages.dnschain 2017-10-31 22:03:38 +01:00
Franz Pletz
fd9ae9226d Merge pull request #30319 from peterhoeg/f/dnsmasq
dnsmasq nixos: make sure it always runs
2017-10-25 04:07:27 +02:00
Martin Potier
ff562459cc nixos/libreswan: add missing runtime dependencies 2017-10-22 15:36:26 +02:00
Peter Hoeg
07bc859e9a Revert "ssh: deprecate use of old DSA keys"
This reverts commit 65b73d71cb.
2017-10-14 14:42:49 +08:00
Peter Hoeg
bdbba026f3 Revert "dnsmasq nixos: make sure it always runs"
This reverts commit 1917e69b54.
2017-10-14 14:42:49 +08:00
Peter Hoeg
8df1c9ac17 Revert "firewalld: init at 0.4.4.4"
This reverts commit 178a96f99b.
2017-10-14 14:42:48 +08:00
Peter Hoeg
ff3fd1027c Revert "networkmanager: dns and extraConfig"
This reverts commit 0dd25e585f.
2017-10-14 14:42:48 +08:00
Peter Hoeg
0dd25e585f networkmanager: dns and extraConfig 2017-10-14 14:38:04 +08:00
Peter Hoeg
178a96f99b firewalld: init at 0.4.4.4
Includes systemd module.
2017-10-14 14:38:04 +08:00
Peter Hoeg
1917e69b54 dnsmasq nixos: make sure it always runs
By default we only restart if the dnsmasq daemon fails but we introduce an
option to always keep it running.
2017-10-14 14:38:04 +08:00
Peter Hoeg
65b73d71cb ssh: deprecate use of old DSA keys
They are not safe and shouldn't be used.
2017-10-14 14:38:04 +08:00
Jörg Thalheim
b90f50862f Merge pull request #30324 from florianjacob/firewall-clarify-logging
nixos/firewall: Rename misleading rejected to refused in logging
2017-10-13 20:25:21 +01:00
Yegor Timoshenko
22505d8df4 connman: do not restart after suspend 2017-10-13 13:05:02 +02:00
Matt McHenry
bbec429f7a djbdns: fix root server list at build time
as suggested by @peterhoeg in
1b7e5eaa79 (commitcomment-24560631)

fixes #30379
2017-10-13 10:29:12 +01:00
Peter Hoeg
0034f9e52c dnsmasq nixos: make sure it always runs
By default we only restart if the dnsmasq daemon fails but we introduce an
option to always keep it running.
2017-10-12 12:55:12 +08:00
Florian Jacob
847beb558f nixos/firewall: Rename misleading rejected to refused in logging
as that's used as general term for rejected or dropped packets
in the rest of the config.
2017-10-11 20:12:58 +02:00
Yegor Timoshenko
274c9b7587 unbound: fix typo in systemd Before 2017-10-10 20:08:36 +00:00
Guillaume Maudoux
15b7e102b6 Safer defaults for immutable znc config (#30155)
* Safer defaults for immutable znc config

I just lost all the options I configured in ZNC, because the mutable config was overwritten.
I accept any suggestions on the way to implement this, but overwriting a mutable config by default seems weird. If we want to do this, we should ensure that ZNC does not allow to edit the config via the webmin when cfg.mutable is false.

* Do not backup old config files.

There seems to be little need for backups if mutable becomes a voluntary opt-out.

* fixup
2017-10-07 16:38:14 +01:00
Tim Steinbach
8840eaf223
keybase: Fix modules 2017-10-06 18:49:58 -04:00
Wei-Ming Yang
7e4e2667ae softether: 4.18 -> 4.20 2017-10-03 01:35:20 +08:00
volth
ddd13e1375 nixos/tinc: add "restartTriggers" back
Add "restartTriggers" back to restart the Tinc daemon when its peer is removed.
Reverted #27660
2017-09-27 23:16:02 +00:00
Niklas Hambüchen
f4c53f1940 consul service: Restart on failure.
Consul is a service you typically want to have running all the time;
it's not supposed to quit by itself.
2017-09-28 00:41:15 +02:00
Jörg Thalheim
2b8cba2ff5 Merge pull request #29874 from mbrgm/znc-fix
znc: fix openFirewall option
2017-09-27 23:08:51 +01:00
Franz Pletz
725dee203a
wpa_supplicant service: restart instead of stop & start
We now wait for dhcpcd to acquire a lease but dhcpcd is restarted on
system activation. As wpa_supplicant is stopped while dhcpcd is
restarting a significant delay is introduced on systems with wireless
network connections only. This changes the wpa_supplicant service to
also be restarted together with dhcpcd in case both services were
changed.
2017-09-27 23:38:03 +02:00
Marius Bergmann
dd50575d5a znc: fix openFirewall option
The current version is broken:
- there's no `openFirewall` attribute directly in the `cfg` set
- the `port` option is an attribute of the `confOptions` set

I used the proper attribute for the firewall port and moved the `openFirewall`
option directly up to the `services.znc` set, as it's rather a general option
for the whole service than a znc-specific option (which are located inside the
`confOptions` set).
2017-09-27 22:18:03 +02:00
Joerg Thalheim
75ba415fbc nixos/tinc: remove useless script argument
ExecStart is sufficient and more transparent to the user.
2017-09-27 17:57:39 +02:00
Joerg Thalheim
ad8cb0917f nixos/tinc: do not add Device= by default
tinc can figure this out based on DeviceType.
I also got `/dev/net/tun FD in bad state` after a particular upgrade.
2017-09-27 17:57:39 +02:00
Joerg Thalheim
194c4002b6 wireguard: fix function for adding routes 2017-09-25 20:42:03 +01:00
Jörg Thalheim
08b827ae8e Merge pull request #29753 from andir/wireguard-allowed-ips-as-route-optional
networking.wireguard: added `allowedIpsAsRoutes` boolean to control p…
2017-09-25 20:32:11 +01:00
Andreas Rammhold
846070e028
networking.wireguard: added allowedIpsAsRoutes boolean to control peer routes
Sometimes (especially in the default route case) it is required to NOT
add routes for all allowed IP ranges. One might run it's own custom
routing on-top of wireguard and only use the wireguard addresses to
exchange prefixes with the remote host.
2017-09-25 21:30:52 +02:00
Silvan Mosberger
a8c97ad23e nixos/radicale: fix default version (#29743) 2017-09-25 10:18:42 +00:00
Jörg Thalheim
975c7b2204 Merge pull request #29450 from jerith666/djb-1709
Add modules for tinydns and dnscache from djbdns
2017-09-24 15:39:29 +01:00