Commit graph

12103 commits

Author SHA1 Message Date
Martin Weinelt
eb51af35ad
Merge pull request #152311 from arachnist/kea-fixes 2021-12-27 22:01:32 +01:00
Nikolay Amiantov
9027a59f7a influxdb2 service: don't use dynamic user
It breaks something inside of influxdb2, which results in flurry of errors like these:

> ts=2021-12-21T18:19:35.513910Z lvl=info msg="Write failed" log_id=0YZYwvV0000 service=storage-engine service=write shard=50 error="[shard 50] unlinkat ./L1-00000055.tsi: read-only file system"

I believe this is somehow caused by a mount namespace that systemd creates for
the service, but I didn't investigate this deeper.
2021-12-27 20:31:27 +03:00
Michele Guerini Rocco
3a7d97bff2
Merge pull request #139873 from rnhmjoj/dhcpd
nixos/dhcpd: switch to DynamicUser
2021-12-27 18:07:16 +01:00
Martin Weinelt
99e8065d4c
Merge pull request #147784 from m1cr0man/acme 2021-12-27 17:37:39 +01:00
Bobby Rong
c2b7c98814
Merge pull request #151678 from kouyk/thinkfan-typo
thinkfan: fix typo in level
2021-12-27 17:35:59 +08:00
Robert Gerus
6faa7ad3fc nixos/kea: fixes for the systemd units
Fix a typo in the kea-dhcp-ddns-server unit definition, and add a
KEA_LOCKFILE_DIR environment variable without which kea daemons try to
access a lockfile under /var/run/kea path, which is prevented by
systemd's ProtectSystem (or one of the other Protect*) mechanism.
kea-dhcp-ddns-server doesn't react to updates from dhcp4 server at all
without it.
2021-12-27 04:41:20 +01:00
Bernardo Meurer
2d7fc66c79
nixos/gvfs: fix libmtp udev package path
As pointed out by @sigprof[1] my bump of libmtp silently broke this, as I
moved the udev files out of the bin output of the pkg.

[1]: https://github.com/NixOS/nixpkgs/pull/144290#discussion_r775266642
2021-12-26 20:05:14 -03:00
Lucas Savva
8d01b0862d
nixos/acme: Update documentation
- Added defaultText for all inheritable options.
- Add docs on using new defaults option to configure
  DNS validation for all domains.
- Update DNS docs to show using a service to configure
  rfc2136 instead of manual steps.
2021-12-26 16:49:55 +00:00
Lucas Savva
377c6bcefc
nixos/acme: Add defaults and inheritDefaults option
Allows configuring many default settings for certificates,
all of which can still be overridden on a per-cert basis.
Some options have been moved into .defaults from security.acme,
namely email, server, validMinDays and renewInterval. These
changes will not break existing configurations thanks to
mkChangedOptionModule.

With this, it is also now possible to configure DNS-01 with
web servers whose virtualHosts utilise enableACME. The only
requirement is you set `acmeRoot = null` for each vhost.

The test suite has been revamped to cover these additions
and also to generally make it easier to maintain. Test config
for apache and nginx has been fully standardised, and it
is now much easier to add a new web server if it follows
the same configuration patterns as those two. I have also
optimised the use of switch-to-configuration which should
speed up testing.
2021-12-26 16:44:10 +00:00
Aaron Andersen
9ec14cd78d
Merge pull request #151255 from aanderse/nixos/mysql-cleanup
nixos/mysql: module cleanup
2021-12-25 17:04:35 -05:00
Aaron Andersen
baa0e61569
Merge pull request #147973 from aanderse/nixos/caddy
nixos/caddy: introduce several new options
2021-12-25 17:01:54 -05:00
Emery Hemingway
02cb654a4d nixos/stubby: reduce to a settings-style configuration
Extract the example configuration from the package to provide a
working example.

Remove pkgs.stubby from `environment.systemPackages`.
2021-12-25 12:07:06 +01:00
7c6f434c
b0f154fd44
Merge pull request #147027 from Izorkin/update-nginx-ktls
nginxMainline: enable ktls support
2021-12-24 10:23:17 +00:00
Maximilian Bosch
3d91acc39a
Merge pull request #151481 from Ma27/privacyidea-uwsgi-buffer-size
nixos/privacyidea: increase buffer-size of uwsgi from 4096 to 8192
2021-12-24 10:21:24 +01:00
Bobby Rong
7378b39d1d
Merge pull request #149704 from squalus/nginx-prometheus-exporter-fix
nixos/prometheus-nginx-exporter: fix argument syntax
2021-12-23 10:27:16 +08:00
Guillaume Girol
d96a3994cc nixos/collectd: validate config file syntax at build time 2021-12-23 00:08:43 +01:00
Aaron Andersen
d621ad09a8 nixos/mysql: minor cleanup and formatting 2021-12-22 08:57:18 -05:00
Aaron Andersen
a96f6ef187 nixos/mysql: remove services.mysql.bind and services.mysql.port in favor of services.mysql.settings 2021-12-22 08:57:14 -05:00
Steven Kou
73050d70fc
thinkfan: fix typo in level
One of the valid values for the fan speed is "level disengaged",
however, it is represented as "level disengage" and does not match
what thinkfan expects.
2021-12-22 04:00:19 +08:00
Aaron Andersen
81a67a3353 nixos/caddy: introduce several new options 2021-12-20 20:00:42 -05:00
Maximilian Bosch
8f9f754271
nixos/privacyidea: increase buffer-size of uwsgi from 4096 to 8192
When accessing the Audit log, I get an HTTP 502 when the frontend
requests `/audit` and I get the following error in my `nginx`-log:

    Dec 20 22:12:48 ldap nginx[336]: 2021/12/20 22:12:48 [error] 336#336: *8421 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.237.0.1, server: _, request: "GET /audit/?action=**&action_detail=**&administrator=**&client=**&date=**&duration=**&info=**&page=1&page_size=10&policies=**&privacyidea_server=**&realm=**&resolver=**&serial=**&sortorder=desc&startdate=**&success=**&tokentype=**&user=** HTTP/1.1", upstream: "uwsgi://unix:/run/privacyidea/socket:", host: "ldap.ist.nicht-so.sexy", referrer: "https://ldap.ist.nicht-so.sexy/"

This is because of an "invalid request block size"-error according to
`journalctl -u privacyidea.service`:

    Dec 20 22:12:48 ldap uwsgi[10721]: invalid request block size: 4245 (max 4096)...skip

Increasing the buffer to 8192 fixes the problem for me.
2021-12-21 00:51:45 +01:00
Graham Christensen
3907d19260 services.prometheus.exporters.fastly: add a smoke test 2021-12-20 10:57:31 -05:00
Graham Christensen
1753f97e13 services.prometheus.exporters.fastly: fixup broken module config 2021-12-20 10:29:13 -05:00
Franz Pletz
d5b0e12d9b
Merge pull request #147516 from pennae/dhcpcd
dhcpcd: 8.1.4 -> 9.4.1, module updates, enable privsep
2021-12-20 14:44:58 +01:00
pennae
971adf24eb nixos/dhcpcd: set RuntimeDirectory 2021-12-20 10:53:13 +01:00
Aaron Andersen
76457da532 nixos/mysql: remove services.mysql.extraOptions in favor of services.mysql.settings 2021-12-18 21:01:48 -05:00
Aaron Andersen
f1d1d319ae nixos/mysql: update user and group descriptions 2021-12-18 21:01:48 -05:00
Aaron Andersen
c7cac1bdc0 nixos/mysql: use systemd StateDirectory to provision the data directory 2021-12-18 21:01:42 -05:00
0x4A6F
0b738b87db
Merge pull request #151145 from zhaofengli/unifi5-log4j-new-mitigation
unifi5: Follow new mitigation guidelines
2021-12-18 13:00:28 +01:00
Bobby Rong
c9ec5a228d
Merge pull request #151153 from bobby285271/pantheon
Pantheon updates 2021-12-17
2021-12-18 14:01:54 +08:00
Bobby Rong
62103c4e41
pantheon.xdg-desktop-portal-pantheon: move to pkgs/desktop/pantheon
Only used by Pantheon AFAIK.
2021-12-18 11:35:55 +08:00
Aaron Andersen
eeef6e1341
Merge pull request #151144 from Sohalt/spacenavd-syslog
nixos/spacenavd: remove syslog.target
2021-12-17 21:47:23 -05:00
sohalt
9718fc1211 nixos/spacenavd: remove syslog.target 2021-12-18 00:59:48 +01:00
Zhaofeng Li
a4bcad541e unifi5: Follow new mitigation guidelines
Simply disabling lookups isn't enough, and the JndiLookup class must be
removed:

https://web.archive.org/web/20211217085954/https://logging.apache.org/log4j/2.x/security.html
2021-12-17 15:55:13 -08:00
pennae
64bbe28843 nixos/unifi: rename openPorts to openFirewall
openFirewall is the much more common name for an option with this
effect. since the default was `true` all along, renaming it doesn't hurt
much and only improves consistency with other modules.
2021-12-17 21:30:52 +01:00
pennae
2000a1edcd nixos/unifi: add deprecation warning for openPorts
modules are discouraged from opening ports in the firewall unless
explicitly told to do so. add a deprecation notice for this in unifi.
2021-12-17 21:30:52 +01:00
ajs124
e6188c00f0
Merge pull request #149387 from sumnerevans/matrix-synapse-1.49
matrix-synapse: 1.48.0 -> 1.49.0
2021-12-17 19:51:34 +00:00
Franz Pletz
0cb8669638
dhcpcd: use dhcpcd as privsep user 2021-12-17 19:23:00 +01:00
Graham Christensen
06edb74413
Merge pull request #148785 from pennae/more-option-doc-staticizing
treewide: more defaultText for options
2021-12-17 11:14:08 -05:00
Flakebi
368b22d09b powerdns-admin: fix and add module
- Add the migrations directory to the package
- Add postgres support to the package
- Add a service for powerdns-admin

Co-authored-by: Zhaofeng Li <hello@zhaofeng.li>
2021-12-17 10:33:40 +01:00
Bobby Rong
94144484c2
Merge pull request #148164 from veehaitch/nixos-github-runner-148024-v2
nixos/github-runner: refactor tokens handling
2021-12-17 16:28:21 +08:00
Alyssa Ross
de27156be0 nixos/cage: log to journal
Previously, cage would log to the TTY it was running on top of, so log
messages were basically lost.
2021-12-16 23:55:15 +00:00
Nikolay Amiantov
fe97584f15
Merge pull request #147679 from danderson/danderson/influx-update
influxdb2: 2.0.8 -> 2.1.1
2021-12-17 02:41:41 +03:00
Martin Weinelt
8086f8658e
Merge pull request #151029 from andir/snapcast-bind 2021-12-16 23:52:05 +01:00
Andreas Rammhold
c9c93b0add
nixos/snapserver: use the correct bind address arguments
Snapserver expects the arguments `--tcp.bind_to_address` and
`--http.bind_to_address` instead of the `--tcp.address` (and http
equivalent) versions.

This caused the process to listen on `0.0.0.0` (for TCP and HTTP
sockets) regardless of the configuration value. It also never listend on
the IPv6 address `::` as our module system made the user believe.

This commit fixes the above issue and ensures that (at least for the TCP
socket) that our default `::` does indeed allow connections via IPv6
(to localhost aka ::1).
2021-12-16 23:27:56 +01:00
David Anderson
492f791f9d influxdb2: use the new server derivation in the nixos module. 2021-12-16 12:10:09 -08:00
Kim Lindberger
ebaa226853
elk7: 7.11.1 -> 7.16.1, 6.8.3 -> 6.8.21 + add filebeat module and tests (#150879)
* elk7: 7.11.1 -> 7.16.1

* nixosTests.elk: Improve reliability and compatibility with ELK 7.x

- Use comparisons in jq instead of grepping
- Match for `.hits.total.value` if version >= 7, otherwise it always
  passes
- Make curl fail if requests fails

* nixos/filebeat: Add initial module and test

Filebeat is an open source file harvester, mostly used to fetch logs
files and feed them into logstash.

This module can be used instead of journalbeat if used with
`filebeat7` and configured with the `journald` input.

* python3Packages.parsedmarc.tests: Fix breakage

- Don't use the deprecated elasticsearch7-oss package
- Improve jq query robustness and add tracing

* rl-2205: Note the addition of the filebeat service

* elk6: 6.8.3 -> 6.8.21

The latest version includes a fix for CVE-2021-44228.

* nixos/journalbeat: Add a loose dependency on elasticsearch

Avoid unnecssary back-off when elasticsearch is running on the same
host.
2021-12-17 00:20:52 +09:00
Nikolay Amiantov
759f4afc65
tarsnap service: fix escaping (#150802) 2021-12-16 16:53:59 +03:00
Nikolay Amiantov
497d334c14 youtrack service: restart on failure 2021-12-15 01:40:00 +03:00
Sumner Evans
c0a6554847
matrix-synapse: 1.48.0 -> 1.49.0 2021-12-14 10:34:41 -07:00