Do the right thing, and use multiple interfaces for policy routing. For example, WireGuard interfaces do not allow multiple routes for the same CIDR range.
Fixes https://github.com/NixOS/nixpkgs/issues/27996.
Updates instructions for generating hashes passwords for use in a
Mosquitto password file. Using `mosquitto_passwd` to generate these
hashes is a little less convenient, but the results are more likely to
be compatible with the mosquitto daemon.
As far as I can tell, the hashes generated with `mkpassd` did not work
as intended. But this may have been hidden by another bug:
https://github.com/NixOS/nixpkgs/issues/27130.
This adds a convenient per-peer option to set the routing table that associated routes are added to. This functionality is very useful for isolating interfaces from the kernel's global routing and forcing all traffic of a virtual interface (or a group of processes, via e.g. "ip rule add uidrange 10000-10009 lookup 42") through Wireguard.
In order for DynamicUser = true to work in services, we need the
nss-systemd module to be able to resolve the user and group names
generated dynamically.
The piwki setup documentation as it stands has two issues:
- the `ALTER USER root` line does not work with MariaDB or MySQL 5.5
- the auth plugin details vary between MariaDB and MySQL
auditd creates an ordering cycle by adding wantedBy = [ "basic.target" ],
because of this the job job systemd-update-utmp.service/start is deleted.
Adding unitConfig.DefaultDependencies = false; to the auditd service unbreaks the cycle.
See also #11864
Evaluation error introduced in a0d464033c.
If the value for timeZone is null it shouldn't be even tried to coerce
it into a string.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @lheckemann, @joachifm
enableUpstreamMimeTypes controls whether to include the list of mime
types bundled with lighttpd (upstream). This option is enabled by
default and gives a much more complete mime type list than we currently
have. If you disable this, no mime types will be added by NixOS and you
will have to add your own mime types in services.lighttpd.extraConfig.
* mod_dirlisting is auto-loaded by lighttpd and should not be explicitly
loaded in the configuration file.
* The rest comes from looking at "ls -1 $lighttpd/lib/*.so" when
lighttpd is built with "enableMagnet" and "enableMysql".
Exhibitor tests the auto-manage-instances config value to see if it's a
non-zero integer, rather than a true/false string, which was getting
put into the config before. This now causes autoManageInstances to
behave correctly.
Checking the keyboard layout has been a long set of hurdles so far, with
several attempts. Originally, the checking was introduced by @lheckemann
in #23709.
The initial implementation just was trying to check whether the symbols/
directory contained the layout name.
Unfortunately, that wasn't enough and keyboard variants weren't
recognized, so if you set layout to eg. "dvorak" it will fail with an
error (#25526).
So my improvement on that was to use sed to filter rules/base.lst and
match the layout against that. I fucked up twice with this, first
because layout can be a comma-separated list which I didn't account for
and second because I ran into a Nix issue (NixOS/nix#1426).
After fixing this, it still wasn't enough (and this is btw. what
localectl also does), because we were *only* matching rules but not
symbols, so using "eu" as a layout won't work either.
I decided now it's the time to actually use libxkbcommon to try
compiling the keyboard options and see whether it succeeds. This comes
in the form of a helper tool called xkbvalidate.
IMHO this approach is a lot less error-prone and we can be sure that we
don't forget about anything because that's what the X server itself uses
to compile the keymap.
Another advantage of this is that we now validate the full set of XKB
options rather than just the layout.
Tested this against a variety of wrong and correct keyboard
configurations and against the "keymap" NixOS VM tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @lheckemann, @peti, @7c6f434c, @tohl, @vcunat, @lluchs
Fixes: #27597
Creating and then erasing the key relies on the disk erasing data
correctly, and otherwise allows attackers to simply decrypt swap just
using "secretkey". We don't actually need a LUKS header, so we can save
ourselves some pointless disk writes and identifiability.
In addition, I wouldn't have made the awful mistake of backing up my swap partition's LUKS header instead of my zpool's. May my data rest in peace.
- Remove useless escape of question mark
- Fix and quoting
- Add some '&&s' for correctness
- Add escapeShellArg
- Remove &&s in preStart
Edited by grahamc: fixed the ${} typo on line 246