Systemd 250:
> DHCPv4 client support in systemd-networkd learnt a new Label= option
> for configuring the address label to apply to configure IPv4
> addresses.
> The [IPv6AcceptRA] section of .network files gained support for a new
> UseMTU= setting that may be used to control whether to apply the
> announced MTU settings to the local interface.
> The [DHCPv4] section in .network file gained a new Use6RD= boolean
> setting to control whether the DHCPv4 client request and process the
> DHCP 6RD option.
> The [DHCPv6] section in .network file gained a new setting
> UseDelegatedPrefix= to control whether the delegated prefixes will be
> propagated to the downstream interfaces.
> The [IPv6AcceptRA] section of .network files now understands two new
> settings UseGateway=/UseRoutePrefix= for explicitly configuring
> whether to use the relevant fields from the IPv6 Router Advertisement
> records.
> The [RoutingPolicyRule] section of .network file gained a new
> SuppressInterfaceGroup= setting.
> The IgnoreCarrierLoss= setting in the [Network] section of .network
> files now allows a duration to be specified, controlling how long to
> wait before reacting to carrier loss.
Systemd 246:
> systemd-networkd's [DHCPv4] section gained a new setting UseGateway=
> which may be used to turn off use of the gateway information provided
> by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be
> used to configure how to process leases that lack a lifetime option.
> The IPv6Token= section in the [Network] section is deprecated, and
>> the [IPv6AcceptRA] section gained the Token= setting for its
>> replacement. The [IPv6Prefix] section also gained the Token= setting.
>> The Token= setting gained 'eui64' mode to explicitly configure an
>> address with the EUI64 algorithm based on the interface MAC address.
>> The 'prefixstable' mode can now optionally take a secret key. The
>> Token= setting in the [DHCPPrefixDelegation] section now supports all
>> algorithms supported by the same settings in the other sections.
* Remove `ForceDHCPv6PDOtherInformation=`
* Add a missing `WithoutRA=` option
Systemd 250:
> The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section
> has been removed. Please use the WithoutRA= and UseDelegatedPrefix=
> settings in the [DHCPv6] section and the DHCPv6Client= setting in the
> [IPv6AcceptRA] section to control when the DHCPv6 client is started
> and how the delegated prefixes are handled by the DHCPv6 client.
Adapt to changes introduced in Systemd 250:
> The [DHCPv6PrefixDelegation] section in .network file is renamed to
> [DHCPPrefixDelegation], as now the prefix delegation is also
> supported with DHCPv4 protocol by enabling the Use6RD= setting.
Replaces the `dhcpV6PrefixDelegationConfig` with
`dhcpPrefixDelegationConfig` and throws an error if the old option is
used.
Also adapt the respective IPv6 prefix delegation test.
This commit fixes two bugs:
1) When starting a github-runner for the very first time, the
unconfigure script did not copy the `tokenFile` to the state
directory. This case just was not handled so far. As a result, the
runner could not configure. The unit did, however, fail even before
as the state token file is configured as inaccessible for the service
through `InaccessiblePaths=`. As the given path did not exist in the
described case, setting up the unit's namespacing failed.
2) Similarly, the `tokenFile` is also marked as not accessible to the
service user. There are, however, cases where other namespacing
options make the files inaccessible even before `InaccessiblePaths=`
kicks in; thus, they appear as non existing and cause the namespacing
to fail yet again. Prefixing the entry with a `-` causes Systemd to
ignore the entry if it cannot find it. This is the behavior we want.
I also took fixing those bugs as a chance to refactor the unconfigure
script to make it easier to follow.
Before this patch, the entry match condition always fails, causing all
entries being removed. The error is not noticed because later they are
re-generated.
Before this patch, the gen_number found by regex contains
"-specialisation-foo" if specialisation is used. As a result, applying
int() to gen_number raises ValueError, causing entries containing
a specialisation part not being removed.
Lego has a built-in mechanism for sleeping for a random amount
of time before renewing a certificate. In our environment this
is not only unnecessary (as our systemd timer takes care of it)
but also unwanted since it slows down the execution of the
systemd service encompassing it, thus also slowing down the
start up of any services its depending on.
Also added FixedRandomDelay to the timer for more predictability.
Fixes#190493
Check if an actual key file exists. This does not
completely cover the work accountHash does to ensure
that a new account is registered when account
related options are changed.
Fixes#191794
Lego threw a permission denied error binding to port 80.
AmbientCapabilities with CAP_NET_BIND_SERVICE was required.
Also added a test for this.
`privacyidea-token-janitor`[1] is a tool which helps to automate
maintenance of tokens. This is helpful to identify e.g. orphaned tokens,
i.e. tokens of users that were removed or tokens that were unused for a
longer period of time and apply actions to them (e.g. `disable` or
`delete`).
This patch adds two new things:
* A wrapper for `privacyidea-token-janitor` to make sure it's executable
from CLI. To achieve this, it does a `sudo(8)` into the
`privacyidea`-user and sets up the environment to make sure the
configuration file can be found. With that, administrators can
directly invoke it from the CLI without additional steps.
* An optional service is added which performs automatic cleanups of
orphaned and/or unassigned tokens. Yes, the tool can do way more
stuff, but I figured it's reasonable to have an automatic way to clean
up tokens of users who were removed from the PI instance. Additional
automation steps should probably be implemented in additional
services (and are perhaps too custom to add them to this module).
[1] https://privacyidea.readthedocs.io/en/v3.7/workflows_and_tools/tools/index.html
Within #193485 (and the previous changes) the internal structure of the
testing driver was changed. Since then, `makeTest` returns the
attributes for the VM test(s) (including `driverInteractive`) inside a
sub-attribute called `test`, so without this change running
`nixos-build-vms` would fail like this:
error: attribute 'driverInteractive' missing
Move already implemented functionality to the upper level so
it could be used in a more generic way.
Signed-off-by: Ivan Nikolaenko <ivan.nikolaenko@unikie.com>
Some networks can only transfer packets with a lower than normal maximum
transfer unit size. In these cases, it is necessary to set a MTU that
works for the given upstream network.
Wireguard can tag its packets with a firewall mark. This can be used for
firewalls or policy routing. This is very useful in some setups where
all traffic should go through a wireguard interface. The wireguard
packets cannot go through the wireguard interface and must be routed
differently, which can be done via the Firewall Mark.
The nixos option `config.networking.wireguard.interface.<name>.fwMark`
is of type `types.str` and not `types.int` to allow for specifying the
mark as a hexadecimal value.
This will clean up the module slightly and bring it more in line with Pantheon & Cinnamon.
While at it do some other refactoring inspired by those modules:
- Correct a typo in light background attribute name.
- Rename the attribute name.
- Quote arguments.
- Extract the overridden package list and override text into variables.
- Avoid having separate copy commands for overrides from packages.
- Avoid `with` statements.
- Use `concatMapStringsSep`.
This allows for easier interop with Moonraker, as well as giving an
ability to store klipper configuration files in /var/lib/klipper, thus not
littering /etc with all the backups SAVE_CONFIG does.
- Added `configFile` as an alternative way to specify configuration
- Added `isMutableConfig` and `mutableConfigPath`
Co-authored-by: @lovesegfault <bernardo@meurer.org>
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
Co-authored-by: Bernardo Meurer <bernardo@meurer.org>
`unpaper` requires syscall 238 (`set_mempolicy`).
Add this by un-blocking the systemd syscall filter set `@resources`
which is safe in the context of paperless.
Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: a-kenji <aks.kenji@protonmail.com>
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: Ctem <c@ctem.me>
Co-authored-by: a-kenji <aks.kenji@protonmail.com>
Co-authored-by: Brian Leung <leungbk@posteo.net>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: Ctem <c@ctem.me>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
Co-authored-by: a-kenji <aks.kenji@protonmail.com>
Co-authored-by: Ctem <c@ctem.me>
Co-authored-by: Brian Leung <leungbk@posteo.net>
Co-authored-by: Shahar Dawn Or <mightyiampresence@gmail.com>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
Before this change, the description for
security.wrappers.<name>.capabilities made it seem like you could just
string together the names of capabilities like this:
capabilities = "CAP_SETUID,CAP_SETGID";
In reality, each item in the list must be a full-on capability clause:
capabilities = "CAP_SETUID=ep,CAP_SETGID+i";
This attribute set isn't passed through the NixOS config resolution
mechanism, which means that we can't use lib.mkDefault here.
Instead, just put it before any user overrides so that if the user
specifies this environment variable it'll just override it anyway.
Optional functionality of AusweisApp2 requires an UDP port to be opened.
The module allows for convenient configuration and serves as documentation.
See also https://github.com/NixOS/nixpkgs/issues/136269
deprecate literalDocBook by adding a warning (that will not fire yet) to
its uses and other docbook literal strings by adding optional warning
message to mergeJSON.
This reverts commit 05958b228b.
Issue https://github.com/NixOS/nixpkgs/issues/188998 is concerns quite a
few NixOS users with full disk encryption and custom keymap.
Since there hasn't been a proper fix agreed upon and merged, I am
reverting this.
The changes can be applied again, when it is ensured that they do not
break custom keymaps in initrd.
Summary: fix errors with example code in the manual that shows how to set up DNS-01 verification via the acme protocol, e.g. for those who want to get wildcard certificates from Let's Encrypt.
Fix syntax error in nix arrays (there should not be commas.)
Fix permissions on /var/lib/secrets so it can be read by bind daemon. Without this fix bind won't start.
Add the missing feature: put the generated secret into certs.secret
In order to be able to use the unixd service with the `verify_ca` and
`verify_hostnames` set to `true` it needs to be able to read the
certificate store. This change bind mounts the cacert paths for the
unixd service.
