The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets;
see https://github.com/NixOS/nixpkgs/issues/64965
In order for this to continue working if the strongswan module is
enabled, we use `"ipsec.secrets".text` instead of `.source` so that the
configurations of both modules are concatenated.
The inclusion of the "meta ipsec" rule in the default reverse path
filtering breaks systems not built with specific XFRM kernel config
options. Specifically CONFIG_XFRM must be set, which gets selected
by CONFIG_NFT_XFRM, which is hidden behind CONFIG_XFRM_USER.
These options are not selected by default in most defconfig's provided
by the kernel with the exception of some device-specific defconfigs.
These options are not set by the nix kernel common_config, and I would
argue that IPSec support does not belong in a minimal kernel as that
elevates its support status above other in-kernel VPN interfaces.
The contributor of this feature does not seem interested in working
towards a solution that does not break systems running kernels built
with "autoModules = false" while supporting this feature, and as this
silently breaks firewalls into an insecure state and poses an immediate
security issue I propose this be reverted until a solution that does not
break such systems is proposed.
https://github.com/NixOS/nixpkgs/pull/310857#discussion_r1742834970
Devices used as firewalls, if they do not have the required kernel
config, will fail to load the new firewall rules and will upon boot pass
traffic without any filtering into the internal network.
Devices exposed directly to the internet, after reboot, will boot
without filtering potentially exposing services not intended to be
exposed to the internet, such as databases.
The following platforms in nixpkgs appear to be impacted:
- pc_simplekernel
- pogoplug4
- sheevaplug
- zero-gravitas
- zero-sugar
- utilite
- guruplug
- beaglebone
- fuloong2f_n32
References to hardware without autoModules can be found in
nixos-hardware, as well as in active third-party repos on github.
I suspect there are other users impacted that do not have their configurations
public, as autoModules = true leads to long compile times when targeting
kernels to less standard hardware or hardware with quirks that require
patches that cannot be upstreamed.
This reverts commit 3c12ef3f21.
Exposes all currently available command-line arguments that were
missing, including some that were impossible to use with the catch-all
option `extraArgs` alone, requiring changes to other parts of the
system.
Those are now all self-contained in the module.
The service now uses systemd's `DynamicUsers`.
Previously, if this service started before the backend is up,
`StatusText` would be empty leading to the service trying to run
`tailscale up` even if this device is already logged in.
- ensures that everything in /var/lib/smokeping belongs to the service
- add nginx user to smokeping group, instead of allowing world to cd
into somkeping homedir
This links the generated configuration to /etc/wpa_supplicant.conf
unless `allowAuxiliaryImperativeNetworks`. In the latter case the
file in /etc should be writable and the generated one remains only
in the Nix store.
The cgitrc file allows list of values to be set for some keys as
multiple definition lines.
This allows setting multiple "css" files to include or multiple
"readme" branch and file lookup paths to be set.
This replaces the current implementation (splicing the secrets into the
configuration file using environment variables) with the new built-in
mechanism ext_password_backend.
With some minor syntax changes, it works exactly as before, except the
heavy lifting is done by wpa_supplicant and probably less error-prone.
This option is already present in the wireguard module, but missing from
the wg-quick module. This is very annoying, because it means you can't
easily get a safe and valid configuration on first boot when using
wg-quick.
This change adds the same option with the same description text and the
same script, but instead of generating an entire systemd unit dedicated
to creating the key file, it adds the script as a PreUp script, which
is a much simpler solution.
I've tested this in my own configuration, and it does indeed work.
wg-quick allows multiple PreUp scripts, which are run in order, and
all PreUp scripts are run before the private key is read from disk,
see `man wg-quick`.
This adds migration instructions for the removed global shared instance
configuration of fcgiwrap.
Adding those explicit messages to the previous options requires moving
the newly defined options from `services.fcgiwrap.*` to
`services.fcgiwrap.instances.*` due to an option namespace clash.
`mkRenamedOptionModule` was not used because the previous options do
not directly map to the new ones. In particular, `user` and `group`
were described as setting the socket's permission, but were actually
setting the process' running user.
Co-authored-by: Minijackson <minijackson@riseup.net>
Adds a module for rathole package. The package itself
and this module is very similar to frp, so the options
and tests are not very far off from those for frp.
Done using `grep -rP 'description\s+=\s+"[^"]+[ ]";' | cut -d ':' -f 1 |
xargs -i nvim {}` and sorting the opened files by hand, avoiding
generated packages list
Storing the SCION path sqlite databases persistently on disk is a valid
setup that improves performance, but may have outstanding bugs that need
to be investigated, so this makes persisent storage optional, off by
default.
deconz doesn't handle SIGTERM and terminates with code 143 (128 + 15
(SIGTERM) instead of 0. This results in systemd marking the service as
failed when a user stops it (with `systemctl stop deconz`). Fix it by
treating code 143 as success.
Previously, the blocky package was hardcoded to the one in pkgs. This
change allows to set it, so the user can configure the blocky service to
run blocky from nixpkgs-unstable, for example.
* Syncthing: implemented folder type
* Syncthing: fix syntax (via @johnhamelink )
This commit should be rebased/squashed into the previous one if ofborg cleares it!
Co-authored-by: John Hamelink <me@johnhame.link>
---------
Co-authored-by: John Hamelink <me@johnhame.link>
I guess my time has come as well...
With this commit, I'm not just dropping my maintainer entry, but I'm also
resigning from my duties as a board observer and NixCon project lead.
I also terminated my Summer of Nix contract today.
I'll also stop hosting the local NixOS meetup.
The only "project" I'll finish under the NixOS Foundation umbrella is
Google Summer of Code because the mentees aren't even remotely
responsible for why I'm leaving, and it would be unfair to leave them
hanging.
I'm grateful for all the things I was able to learn, for all the experiences
I could gather, and for all the friends I made along the way.
NixOS is what makes computers bearable for me, so I'll go and work on
some fork (*something something* you always meet twice in life).
It was wrong to use StateDirectory to keep the scion-control and
scion-router runtime databases on disk for the next run. I observed that
doing this means a reboot, or power outage can corrupt the temporary
runtime databases for the next service start, leading scion ping and
other functionality to stop working permanently, since those files are
not managed in an atomic manner by the golang code.
The GIT_PROJECT_ROOT directory is now created at runtime instead of
being assembled at build time.
This fixes ownership issues which prevented those repositories to be
read by users other than root. This also avoids creating symlinks in
the nix store pointing to the outside.
