Commit graph

1033 commits

Author SHA1 Message Date
Frederik Rietdijk
31ba3649ec Merge pull request #28189 from Nadrieril/ffsync-non-root
firefox syncserver service: run as non-root user by default
2017-08-24 20:47:52 +02:00
Peter Hoeg
4ce76d9e1a ddclient nixos module: follow best practice for running daemons
Couple of changes:

 - move home to /var/lib/ddclient so we can enable ProtectSystem=full
 - do not stick binary into systemPackages as it will only run as a daemon
 - run as dedicated user/group
 - document why we cannot run as type=forking (output is swallowed)
 - secure things by running with ProtectSystem and PrivateTmp
 - .pid file goes into /run/ddclient
 - let nix create the home directory instead of handling it manually
 - make the interval configurable
2017-08-13 21:56:48 +08:00
Nadrieril
69a4836df5 firefox syncserver service: run as non-root user by default 2017-08-12 14:42:50 +01:00
Frederik Rietdijk
c06fb4a269 Merge pull request #28188 from Nadrieril/ffsync-fix-pythonpath
firefox syncserver service: fix PYTHONPATH
2017-08-12 15:11:53 +02:00
Nadrieril
d6c1d2f793 firefox syncserver service: fix PYTHONPATH 2017-08-12 14:08:25 +01:00
Jörg Thalheim
c2e7b0e0b4 Merge pull request #27997 from richardlarocque/mosquitto_hashed_pass_docs
nixos/mosquitto: Fix instructions for password gen
2017-08-12 09:07:22 +01:00
Franz Pletz
61d133c1ee Merge pull request #27939 from evujumenuk/wireguard-rt_tables
wireguard: add per-peer routing table option
2017-08-11 16:27:07 +02:00
Joachim F
793523d7bc Merge pull request #28089 from volth/patch-9
nixos/tinc: do not tell systemd where is pidfile
2017-08-11 13:31:57 +00:00
Joachim Fasting
767b2ae327
nixos/dnscrypt-proxy: default to random upstream resolver 2017-08-10 01:19:17 +02:00
volth
b32b18631e nixos/tinc: do not tell systemd where is pidfile
```Tinc```'s pid file has more info than just a pid

```
# cat /run/tinc.dmz.pid
12209 7BD4A657B4A04364D268D188A0F4AA972A05247D802149246BBE1F1E689CABA1 127.0.0.1 port 656
```
so ```systemd``` fails to parse it.
It results in long (re)start times when ```systemd``` waits for a correct pid file to appear.
2017-08-09 22:35:20 +00:00
volth
7e5332c868 tinc: allow the daemon to write to files in /etc/tinc/${network}/hosts
Follow up https://github.com/NixOS/nixpkgs/pull/27756: tinc daemon may also create new files in ```/etc/tinc/$network/hosts```
2017-08-10 00:09:45 +02:00
Michael Raskin
29c3ea0cf0 Merge pull request #27925 from adisbladis/networkmanager_unbound
networkmanager service: use unbound if enabled
2017-08-08 12:13:42 +02:00
evujumenuk
eaab02b94f wireguard: convert "table" to an interface option
Do the right thing, and use multiple interfaces for policy routing. For example, WireGuard interfaces do not allow multiple routes for the same CIDR range.
2017-08-08 01:45:19 +02:00
Richard Larocque
b27d8c5d0a nixos/mosquitto: Fix instructions for password gen
Fixes https://github.com/NixOS/nixpkgs/issues/27996.

Updates instructions for generating hashes passwords for use in a
Mosquitto password file.  Using `mosquitto_passwd` to generate these
hashes is a little less convenient, but the results are more likely to
be compatible with the mosquitto daemon.

As far as I can tell, the hashes generated with `mkpassd` did not work
as intended.  But this may have been hidden by another bug:
https://github.com/NixOS/nixpkgs/issues/27130.
2017-08-06 15:54:36 -07:00
evujumenuk
6070d91e93 wireguard: remove "table" option from example
Most users will be served well by the default "table" setting ("main").
2017-08-04 21:00:45 +02:00
evujumenuk
e355f7044d wireguard: add per-peer routing table option
This adds a convenient per-peer option to set the routing table that associated routes are added to. This functionality is very useful for isolating interfaces from the kernel's global routing and forcing all traffic of a virtual interface (or a group of processes, via e.g. "ip rule add uidrange 10000-10009 lookup 42") through Wireguard.
2017-08-04 18:30:53 +02:00
Phil
4f277bd920 nixos/networking/nat: add option for protocol
This commit adds an option to allow udp port forwarding (see #24894).
2017-08-04 17:03:05 +02:00
adisbladis
da7755b75c
networkmanager service: use unbound if enabled 2017-08-04 13:50:06 +08:00
Robin Gloster
a4647bc33f
tlsdate: remove
Dead and does not build with openssl 1.1.
Debian has removed it, too.
2017-08-04 02:24:03 +02:00
Simon Lackerbauer
1075919413
unifi: add options to control JVM heap size
Our controller was acting very sluggish at times and increasing
available RAM for the JVM fixes this.
2017-08-04 02:12:31 +02:00
Franz Pletz
3b472d78a8
avahi-daemon service: add cacheEntriesMax option 2017-08-04 02:10:11 +02:00
Markus Mueller
53d2f0980d
nat: always flush nixos nat rules on firewall start/reload
Fixes #27510
2017-08-03 21:16:14 +02:00
Franz Pletz
c217f48c35
searx: 0.11.0 -> 0.12.0 2017-08-01 06:16:03 +02:00
Volth
3b82d7db82 tinc: allow the daemon to write to files in /etc/tinc/${network}/hosts 2017-07-30 00:25:04 +00:00
volth
eaa2d27b90 nixos/tinc: remove restartTriggers
```restartTriggers``` pointed to the constant files in ```/nix/store/``` and had to effect.
2017-07-29 21:32:28 +02:00
Volth
688dc4e4c3 tinc_pre: avoid infinite loop with EBADFD on network restart 2017-07-27 18:04:33 +02:00
Volth
00512470ec tinc service: add CLI tools to the $PATH
Now user can execute e.g. "sudo tinc.netname dump nodes"
2017-07-25 23:13:58 +02:00
Aristid Breitkreuz
63190540a8 wireguard: sometimes module tries to re-add the default route, which fails - use replace to make it succeed 2017-07-23 23:08:39 +02:00
Joachim F
1a768eba2a Merge pull request #26632 from jazmit/nixpkgs
coturn: allow use of ports < 1024
2017-07-23 12:56:05 +01:00
Aristid Breitkreuz
9b0ff955fd wireguard: allow not storing private keys in world-readable /nix/store (#27433)
* wireguard: allow not storing private keys in world-readable /nix/store
2017-07-17 23:55:31 +02:00
Falco Peijnenburg
b09d036342 Strongswan after network-online instead of network
The systemd service file shipped with strongswan has strongswan started after `network-online`. It turns out that this is for good reason: failure to connect on boot otherwise. 

See this thread on the mailing list, which my colleague initiated after finding that our NixOS strongswan config wouldn't connect on boot:
https://lists.strongswan.org/pipermail/users/2017-January/010359.html

Tested on a local config (which has the strongswan service config overridden).
2017-07-17 20:17:58 +02:00
Jörg Thalheim
04c944cdb4 Merge pull request #27057 from Nadrieril/bitlbee-libpurple
bitlbee service: Add option to load libpurple plugins into bitlbee
2017-07-17 18:07:43 +01:00
Nadrieril
8669fb1f96 tinc service: BindToAddress and ListenAddress are different options, they should not be mistaken 2017-07-17 13:07:49 +02:00
Nadrieril
65e38b7c52 bitlbee service: Add option to load libpurple plugins into bitlbee 2017-07-16 14:19:39 +01:00
Michael Raskin
0d2d5e2147 Merge pull request #27143 from florianjacob/networkmanager-support-resolved
networkmanager service: use resolved if enabled
2017-07-08 22:34:09 +02:00
zimbatm
4d545297d8 lib: introduce imap0, imap1 (#25543)
* lib: introduce imap0, imap1

For historical reasons, imap starts counting at 1 and it's not
consistent with the rest of the lib.

So for now we split imap into imap0 that starts counting at zero and
imap1 that starts counting at 1. And imap is marked as deprecated.

See c71e2d4235 (commitcomment-21873221)

* replace uses of lib.imap

* lib: move imap to deprecated.nix
2017-07-04 23:29:23 +01:00
Florian Jacob
12f54a5746 networkmanager service: use resolved if enabled 2017-07-04 23:50:56 +02:00
Rickard Nilsson
a6cf6367e2 network-manager: hostname option is deprecated
From log:
<warn>  [1498639184.8965] keyfile: 'hostname' option is deprecated and has no effect
2017-06-28 10:56:31 +02:00
michael bishop
bb16bced36
toxvpn: 20161230 -> 2017-06-25 2017-06-25 20:17:20 -03:00
Joachim Schiele
3d52203ab2 sshd.nix: Added nixops usage warning of openssh.authorizedKeys.keys usage 2017-06-22 11:50:09 +02:00
James
c9fdf3f4db coturn: allow use of ports < 1024 2017-06-20 09:17:24 +01:00
Jörg Thalheim
96eaad8fd4 Merge pull request #26697 from kirelagin/nsd-stderr
nsd: Send stderr to /dev/null
2017-06-18 16:53:36 +01:00
Jörg Thalheim
f36cdf1171 Merge pull request #26675 from kirelagin/bind-rndc
bind: Use rndc to control the daemon
2017-06-18 16:30:02 +01:00
Kirill Elagin
13d026e219 bind: Use rndc to control the daemon 2017-06-18 17:29:29 +03:00
Kirill Elagin
e66d2753f3 nsd: Send stderr to /dev/null
nsd by default logs _both_ to syslog and to standard error which results
in all the messages ending up in the journal twice, the ones from stderr
with an ugly timestamp sticked in front of them.
2017-06-18 15:31:34 +03:00
Pascal Bach
c9802321c1 cntlm service: cleanup non working config options (#26578)
- extraConfig was not working
- add possibility to add cntlm.conf in verbatime form
- create cntlm user as system user
- add no proxy option
2017-06-15 12:11:48 +02:00
Edward Tjörnhammar
3dcecf09fc
Remove aiccu package and service due to sunsetting.
https://www.sixxs.net/main/
2017-06-15 06:58:08 +02:00
Joachim Schiele
ca17f3b8ef hostapd dependency fix for https://github.com/nixos/nixpkgs/issues/16090 (#26573) 2017-06-14 16:44:46 +02:00
David Tulig
bb6cf349ff bind service: add listen-on options (#26430)
This adds configuration options for the bind package so that the
interfaces that bind listens on can be configured rather than just
hardcoded as any. The default values preserve the old behavior to be
backwards compatible.
2017-06-10 12:19:07 +02:00
rnhmjoj
2606d395fc
dnschain: allow different bind and external addresses 2017-06-03 12:24:04 +02:00