Commit Graph

399 Commits

Author SHA1 Message Date
Joachim Fasting
a88a6bc676 nixos: additional hardening for dnscrypt-proxy
- Run as unprivileged user/group via systemd, obviating the need to
  specify capabilities, etc.
- Run with private tmp and minimal device name space
2015-06-12 15:12:33 +02:00
Joachim Fasting
823bb5dd4d nixos: implement socket-activation for dnscrypt-proxy
The socket definition is derived from upstream with the
exception that it does not depend on network.target, as
this creates a cycle between basic.target and sockets.target.

The apparmor profile has been updated to account for additional
runtime dependencies introduced by enabling systemd support.
2015-06-12 15:12:33 +02:00
Joachim Fasting
dfe20de782 nixos: permit dnscrypt-proxy service to read basic user/group info
If nscd is not running, dnscrypt-proxy crashes without read access
to /etc/{password,group,nsswitch.conf}.
2015-06-12 15:12:30 +02:00
William A. Kennington III
b79a5e812a nixos/quassel: Use qt5 instead of qt4
This really speeds up building quassel daemon since qt5 can be built in
parallel while qt4 cannot.
2015-06-08 15:37:34 -07:00
Jaka Hudoklin
c9da002a07 nixos/consul: fix consul alerts enable 2015-06-08 13:41:43 +02:00
Jaka Hudoklin
23504e5bf2 Add skydns module 2015-06-08 13:36:05 +02:00
Timofey Lagutin
714377f8dc bittorrentsync: fix storage_path.
If this path is a symlink, btsync won't be able to read it if it's not ending with "/".

As seen in f02d4ec9ed
Broken in 0539ed4771
2015-06-05 18:39:01 +03:00
Mateusz Kowalczyk
1113efec5e Merge pull request #7559 from offlinehacker/openvswitch/ipsec
openvswitch: ipsec support
2015-05-26 11:26:02 +01:00
Mateusz Kowalczyk
a35e1ddfb2 Merge pull request #7566 from offlinehacker/nixos/node-docker-registry/module
nixos: add node docker registry server
2015-05-26 11:07:22 +01:00
lethalman
aff1c293ef Merge pull request #7998 from dezgeg/pr-ddclient-ssl
ddclient: Set SSL_CERT_FILE environment variable
2015-05-26 10:25:47 +02:00
Tuomas Tynkkynen
2966068968 ddclient: Set SSL_CERT_FILE environment variable
Otherwise connection to SSL hosts fails like this:

May 26 06:44:05 kbuilder ddclient[17084]: WARNING:  cannot connect to dynamicdns.park-your-domain.com:443 socket:
    IO::Socket::IP configuration failed SSL connect attempt failed with unknown error
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2015-05-26 06:45:25 +03:00
Peter Simons
50fa9d8eea Merge pull request #7941 from peti/allow-custom-ssh-moduli-file
nixos: add config.services.openssh.moduliFile option so that users can replace the default file from OpenSSH
2015-05-22 20:51:42 +02:00
Peter Simons
86d299bc6e nixos: add config.services.openssh.moduliFile option so that users can replace the default file from OpenSSH
The man page for ssh-keygen(1) has a section "MODULI GENERATION" that describes
how to generate your own moduli file. The following script might also be helpful:

 | #! /usr/bin/env bash
 |
 | moduliFiles=()
 |
 | generateModuli()
 | {
 |   ssh-keygen -G "moduli-$1.candidates" -b "$1"
 |   ssh-keygen -T "moduli-$1" -f "moduli-$1.candidates"
 |   rm "moduli-$1.candidates"
 | }
 |
 | for (( i=0 ; i <= 16 ; ++i )); do
 |   let bitSize="2048 + i * 128"
 |   generateModuli "$bitSize" &
 |   moduliFiles+=( "moduli-$bitSize" )
 | done
 | wait
 |
 | echo >moduli "# Time Type Tests Tries Size Generator Modulus"
 | cat >>moduli "${moduliFiles[@]}"
 | rm "${moduliFiles[@]}"

Note that generating moduli takes a long time, i.e. several hours on a fast
machine!

This patch resolves https://github.com/NixOS/nixpkgs/pull/5870.
2015-05-22 16:28:45 +02:00
William A. Kennington III
31a273cb14 nixos/tinc: users are system users 2015-05-21 20:11:13 -07:00
William A. Kennington III
4ed8cdc3d4 nixos/bird: Fix doc compilation 2015-05-20 18:53:54 -07:00
lassulus
9d07c54fa1 nixos: add bird module
patch bird to look in /var/run for birc.ctl
2015-05-19 15:42:24 +02:00
Arseniy Seroka
946e7dca61 Merge pull request #7842 from dezgeg/pr-nix-serve
nix-serve: Add nixos module
2015-05-14 22:44:43 +03:00
Tuomas Tynkkynen
fd8cb1ff2d nix-serve: Add nixos module
This allows sharing the Nix store of the machine as a binary cache
simply by setting 'services.nix-serve.enable = true'.
2015-05-14 12:27:28 +03:00
Eelco Dolstra
fc8011ad8d Ensure that nscd, sshd are created as system users
c0f70b4694 removed the fixed uid
assignment, but then it becomes necessary to set isSystemUser.

http://hydra.nixos.org/build/22182588
2015-05-13 16:23:36 +02:00
William A. Kennington III
2806491cc4 nixos/consul: Add shell for health checks 2015-05-11 17:44:07 -07:00
William A. Kennington III
b6e26aa8df nixos/consul: Support a config directory for health checks 2015-05-11 16:45:04 -07:00
William A. Kennington III
1938dc9b54 nixos/consul: Remove the joinNodes and joinRetries options as they are now built in consul options 2015-05-11 16:27:53 -07:00
Arseniy Seroka
c0727fb751 Merge pull request #7788 from Lassulus/charybdis
add charybdis nixos module
2015-05-11 12:57:58 +03:00
lassulus
304cab2b46 add charybdis nixos module 2015-05-11 11:38:53 +02:00
William A. Kennington III
074c4a7f78 Merge remote-tracking branch 'upstream/master' into staging 2015-05-07 01:44:49 -07:00
Stephen Weinberg
a6ebccfbb8 Sane default configuration for sabnzbd module
Added option to set user. Use unpriviledged user by default. Add sane
default for configuration location.
2015-05-05 00:18:22 -04:00
Vladimír Čunát
30f31c9afc Merge 'master' into staging
(relatively simple conflicts)
2015-04-26 22:52:08 +02:00
Jaka Hudoklin
ff095f5002 nixos: add node docker registry server 2015-04-25 16:16:34 +02:00
Emery Hemingway
34f1c39fe0 nixos: fix cjdns json config
filter extraneous attributes from config modules
2015-04-25 09:40:44 -04:00
Jaka Hudoklin
b5114de4ac nixos: add racoon ipsec IKE deamon 2015-04-25 15:31:27 +02:00
Luca Bruno
db3b86560f GNOME 3.16.1, closes #7357 2015-04-25 12:02:33 +02:00
Edward Tjörnhammar
4ea47155af Merge pull request #7498 from k0ral/sslh
sslh: argument to -F can no longer be separated from the option by a space
2015-04-23 21:35:46 +02:00
Oliver Matthews
a498b28322 wait for filesystem before starting btsync; bump to latest package version 2015-04-23 13:09:34 +00:00
koral
88ce17b6e1 sslh: argument to -F can no longer be separated from the option by a space 2015-04-21 16:29:25 +00:00
Nicolas B. Pierron
7585d42d2b Fix #7354 - Accept _module attributes added to every submodule. 2015-04-20 23:58:32 +02:00
Nikolay Amiantov
0f5d5f9d12 lambdabot: add named pipe for incoming commands 2015-04-20 18:56:48 +03:00
Eelco Dolstra
c0f70b4694 Remove fixed uids for nscd, sshd
These services don't create files on disk, let alone on a network
filesystem, so they don't really need a fixed uid. And this also gets
rid of a warning coming from <= 14.12 systems.
2015-04-19 22:06:45 +02:00
Tobias Geerinckx-Rice
1f513c21f9 Merge pull request #7461 from dezgeg/pr-ddclient-unit-type
ddclient: Fix capitalization of systemd unit keys
2015-04-19 15:27:21 +02:00
Tuomas Tynkkynen
e7843efe12 ddclient: Fix incorrectly capitalized systemd unit key
This avoids the following warning:

Apr 19 10:53:48 xen systemd[1]: [/nix/store/...-unit-ddclient.service/ddclient.service:19] Unknown lvalue 'type' in section 'Service'

As `Type=simple` is the default in systemd, the assignment to the
service type can be simply dropped.
2015-04-19 15:58:34 +03:00
Jonathan Glines
cdb174c18d Added NixOS module for Asterisk server 2015-04-16 17:41:37 -06:00
Eelco Dolstra
a0f69df10e dnsmasq: Add some types 2015-04-16 19:13:26 +02:00
Nikolay Amiantov
1d6723c085 lambdabot: add nixos service 2015-04-16 13:33:40 +03:00
Joel Moberg
5b075eb400 i2p: add nixos service 2015-04-15 12:52:06 +02:00
Nicolas B. Pierron
3eef61a6eb NixOS Manual: Do not use unfree packages as default value. 2015-04-08 23:14:19 +02:00
Arseniy Seroka
e52e160190 Merge pull request #7215 from cwoac/btsync2
Add support for btsync 2.x branch
2015-04-06 18:50:05 +03:00
Oliver Matthews
0539ed4771 Add support for btsync 2.x branch 2015-04-06 15:31:40 +00:00
William A. Kennington III
b3c423757e nixos/rdnssd: Major refactoring
This updates rdnssd to the following:
* Using the systemd interfaces directly
* Using the rdnssd user instead of the root user
* Integrating with resolvconf instead of writing directly to /etc/resolv.conf
2015-04-04 21:20:07 -07:00
Nikolay Amiantov
16f047a60f nixos/networkmanager: support l2tp 2015-03-29 13:09:02 +03:00
Jan Malakhovski
5c6d86540b nixos: use types.enum instead of ad-hoc check in sshd service 2015-03-26 12:43:42 +00:00
Arseniy Seroka
ff22e19fc4 Merge pull request #6893 from hrdinka/nsd-config-options
nsd: Fix automatic config options
2015-03-23 13:19:29 +03:00
Edward Tjörnhammar
664592561d nixos: added aiccu service 2015-03-20 22:01:35 +01:00
Christoph Hrdinka
d3a2edb8ce nsd: Fix automatic config options 2015-03-19 12:10:55 +01:00
Christoph Hrdinka
6db8155e37 nsd: Update from 4.1.0 -> 4.1.1 2015-03-18 21:01:35 +01:00
lethalman
359bc60ec8 Merge pull request #6448 from eduarrrd/ddclient
ddclient module: fix module
2015-03-17 12:38:12 +01:00
lethalman
fe79bf34a5 Merge pull request #6512 from bjornfor/nixos-haproxy-cleanup
nixos/haproxy: remove broken default 'config'
2015-03-11 16:29:06 +01:00
Eelco Dolstra
d31202fba2 sshd: Enable seccomp sandboxing 2015-03-09 11:27:19 +01:00
Nikita Mikhailov
579159c72b Add dispatcher configuration options to NetworkManager module 2015-03-08 20:24:53 +01:00
William A. Kennington III
9ce0c1cb71 nixos/consul: Fix timeout bugs and json formatting 2015-02-25 15:42:43 -08:00
William A. Kennington III
f27fa79aa9 nixos/dnsmasq: Fix service name typo 2015-02-25 09:22:16 -08:00
Eduard Bachmakov
4bf66ba89c ddclient module: fix module
* rewrite to systemd.services
* disable forking to give systemd better control
* verifiably run as ddclient user
* expose ssl option
* unset default value for dyndns server
* rename option "web" to "use" to be consistent with ddclient docs
* add descriptions
* add types to options
* clean up formatting
2015-02-23 22:37:20 -05:00
Eelco Dolstra
b70bd0879b sshd: Generate a ed25519 host key 2015-02-23 17:00:07 +01:00
Bjørn Forsman
ffb4797dd3 nixos/haproxy: remove broken default 'config'
HAProxy fails to start with the default 'config'. Better disable it and
assert that the user provides a suitable 'config'. (AFAICS, there cannot
really be a default config file for HAProxy.)
2015-02-22 12:30:14 +01:00
Bjørn Forsman
419a4166a7 nixos/haproxy: small cleanup
* Add option types
* Rewrite option descriptions
* /var/run/haproxy.pid => /run/haproxy.pid (canonical location)
2015-02-22 12:29:34 +01:00
aszlig
030895f075
nixos/dhcpcd: Only run resume commands if enabled.
The networkd implementation sets systemd.services.dhcpcd.enable to
false in nixos/modules/tasks/network-interfaces-systemd.nix. So we need
to respect that in the dhcpcd module.

If we don't, the resumeCommand is set nevertheless, which causes the
post-resume.service to fail after resuming:

Failed to reload dhcpcd.service: Unit dhcpcd.service is masked.
post-resume.service: main process exited, code=exited, status=1/FAILURE
Failed to start Post-Resume Actions.
Dependency failed for Post-Resume Actions.
Unit post-resume.service entered failed state.
post-resume.service failed.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-02-22 08:09:04 +01:00
Sou Bunnbu
f8dbd6f9ae Merge pull request #6427 from grwlf/vsftpd-port
vsftpd.nix: add 'portPromiscuous' option
2015-02-18 19:18:34 +08:00
Sergey Mironov
ac65a757f0 vsftpd.nix: add 'portPromiscuous' option 2015-02-18 11:51:43 +03:00
Mathijs Kwik
2fe44b95d0 nixos/wpa_supplicant: fix conflicting documentation
fixes #6298
2015-02-17 22:16:20 +01:00
James Cook
33550b6efe Merge pull request #5665 from joachifm/dnscrypt-proxy-apparmor-updates
dnscrypt-proxy service: update AppArmor profile
2015-02-14 22:02:31 -08:00
lethalman
51a7277fac Merge pull request #6312 from k0ral/sslh
sslh: added libwrap support + improved nixos module.
2015-02-13 10:03:48 +01:00
Jaka Hudoklin
a17f5c8c9b nixos/consul: add consul-alerts service 2015-02-12 19:16:50 +01:00
koral
cb153cfca3 sslh: added libwrap support + improved nixos module. 2015-02-12 13:21:36 +01:00
lethalman
93ebaafabe Merge pull request #6170 from k0ral/sslh
New sslh module
2015-02-10 11:17:56 +01:00
William A. Kennington III
9792b12e53 nixos/openntpd: Don't start until we have networking
This attempts to fix an issues where ntp is unable to resolve hostnames
because it came up before local nameservers or networking.
2015-02-06 14:45:47 -08:00
William A. Kennington III
3e280f2089 nixos/tinc: Fix key generation behavior and use tinc 1.1 by default 2015-02-05 23:37:20 -08:00
koral
1439e72147 New sslh module. 2015-02-05 13:30:39 +01:00
Edward Tjörnhammar
83925c33f6 i2pd: 0.6.0 -> 0.7.0
nixos: i2pd.service, fix string escaping
2015-02-05 12:09:59 +01:00
William A. Kennington III
9ddb6c9cc9 nixos/tinc: Add daemon configuration 2015-02-04 18:19:04 -08:00
William A. Kennington III
bae5faa82d nixos/dhcpd: Also try restarting openntpd as it suffers the same dns resolution problem 2015-02-04 17:33:14 -08:00
William A. Kennington III
43d8b1ef3c openntpd: Fixes 2015-02-04 17:30:22 -08:00
William A. Kennington III
a9f1329d2d nixos/openntpd: Add openntpd to the environment for ntpctl 2015-02-04 17:27:03 -08:00
lethalman
49b67bb9cb Merge pull request #6078 from boothead/sabnzbd
sabnzbd Change service to systemd
2015-02-03 13:32:59 +01:00
Shea Levy
c45372f038 Merge commit 'cfb29ab882323d379aba20a95020c7c24f883eae'
Partial staging merge, including cc-wrapper fixes

Conflicts:
	pkgs/applications/audio/spotify/default.nix
	pkgs/build-support/cc-wrapper/default.nix
	pkgs/development/compilers/cryptol/1.8.x.nix
2015-02-02 21:14:28 -05:00
Bjørn Forsman
ee52a61e3a nixos/tftpd: add option types and fixup descriptions
The first description is a (incorrect) copy/paste from the 'vsftpd'
module, and the second option lacks a 'dot' at the end.
2015-02-01 15:57:28 +01:00
Shea Levy
52d4b9d982 Merge branch 'tlsdate' of git://github.com/4z3/nixpkgs 2015-01-30 01:07:59 -05:00
Eelco Dolstra
b61d4ac6a5 ntpd: Fork into the background
With -n, ntpd will write log messages to both syslog and stderr, which
is ugly.
2015-01-28 15:34:42 +01:00
Eelco Dolstra
11a0344e13 Merge pull request #5918 from robberer/openntpd
openntpd: add extraConfig and extraOptions
2015-01-23 16:43:15 +01:00
Longrin Wischnewski
4fa5d1f626 openntpd: add extraConfig and extraOptions 2015-01-23 16:15:20 +01:00
tv
3fdd925063 nixos: Add tlsdated service 2015-01-21 05:09:47 +01:00
Joachim Fasting
7023e03d77 firewall service: fix pingLimit example value
The example uses single dashes, whereas iptables requires double dashes.
2015-01-20 08:47:11 +01:00
Peter Simons
ec6b82a0c2 Merge branch 'master' into staging. 2015-01-19 18:41:17 +01:00
William A. Kennington III
130f66b683 nixos/sync-server: Respect the enable option 2015-01-18 14:21:40 -08:00
Domen Kožar
3b174a4024 Merge pull request #5301 from nbp/syncserver
Add Firefox Sync service
2015-01-18 17:47:51 +01:00
Nicolas B. Pierron
8196727fad Improve the documentation of the syncserver module. 2015-01-18 12:21:23 +01:00
Nicolas B. Pierron
0d13ea0131 Change default syncserver listen.port to a safer one. 2015-01-18 12:20:44 +01:00
Eric Seidel
88eae46455 rename occurrences of gcc.gcc to gcc.cc 2015-01-14 20:47:49 -08:00
Edward Tjörnhammar
837cfbb9ea nixos: adding nylon service with uid,gid 2015-01-14 22:08:47 +01:00
Vladimír Čunát
72d2d59cd4 /etc/ssh/ssh_known_hosts: refactor and fix #5612
Generating the file was refactored to be completely in nix.
Functionally it should create the same content as before,
only adding the newlines.

CC recent updaters: @aszlig, @rickynils.
2015-01-11 22:14:25 +01:00
Joachim Fasting
97bac259d0 dnscrypt-proxy service: update AppArmor profile
This patch fixes the AppArmor profile path clause and adds
(currently ignored) network rules.

The AppArmor profile used to be defined for the path sbin/dnscrypt-proxy,
but the real path is bin/dnscrypt-proxy (due to sbin now being a symlink
to bin), which permitted the service to run unconfined.

Adding the network rules has no effect other than improving correctness,
as the version of AppArmor in the NixOS kernel fails to enforce network
rules.
2015-01-09 15:08:07 +01:00
William A. Kennington III
9a7766e054 nixos/network-interfaces: Add mstpd support for bridges 2015-01-07 14:49:24 -08:00
William A. Kennington III
8627110091 icedtea: Make major version nonspecific attrs 2015-01-02 00:24:49 -08:00