Joachim Fasting
a88a6bc676
nixos: additional hardening for dnscrypt-proxy
...
- Run as unprivileged user/group via systemd, obviating the need to
specify capabilities, etc.
- Run with private tmp and minimal device name space
2015-06-12 15:12:33 +02:00
Joachim Fasting
823bb5dd4d
nixos: implement socket-activation for dnscrypt-proxy
...
The socket definition is derived from upstream with the
exception that it does not depend on network.target, as
this creates a cycle between basic.target and sockets.target.
The apparmor profile has been updated to account for additional
runtime dependencies introduced by enabling systemd support.
2015-06-12 15:12:33 +02:00
Joachim Fasting
dfe20de782
nixos: permit dnscrypt-proxy service to read basic user/group info
...
If nscd is not running, dnscrypt-proxy crashes without read access
to /etc/{password,group,nsswitch.conf}.
2015-06-12 15:12:30 +02:00
William A. Kennington III
b79a5e812a
nixos/quassel: Use qt5 instead of qt4
...
This really speeds up building quassel daemon since qt5 can be built in
parallel while qt4 cannot.
2015-06-08 15:37:34 -07:00
Jaka Hudoklin
c9da002a07
nixos/consul: fix consul alerts enable
2015-06-08 13:41:43 +02:00
Jaka Hudoklin
23504e5bf2
Add skydns module
2015-06-08 13:36:05 +02:00
Timofey Lagutin
714377f8dc
bittorrentsync: fix storage_path.
...
If this path is a symlink, btsync won't be able to read it if it's not ending with "/".
As seen in f02d4ec9ed
Broken in 0539ed4771
2015-06-05 18:39:01 +03:00
Mateusz Kowalczyk
1113efec5e
Merge pull request #7559 from offlinehacker/openvswitch/ipsec
...
openvswitch: ipsec support
2015-05-26 11:26:02 +01:00
Mateusz Kowalczyk
a35e1ddfb2
Merge pull request #7566 from offlinehacker/nixos/node-docker-registry/module
...
nixos: add node docker registry server
2015-05-26 11:07:22 +01:00
lethalman
aff1c293ef
Merge pull request #7998 from dezgeg/pr-ddclient-ssl
...
ddclient: Set SSL_CERT_FILE environment variable
2015-05-26 10:25:47 +02:00
Tuomas Tynkkynen
2966068968
ddclient: Set SSL_CERT_FILE environment variable
...
Otherwise connection to SSL hosts fails like this:
May 26 06:44:05 kbuilder ddclient[17084]: WARNING: cannot connect to dynamicdns.park-your-domain.com:443 socket:
IO::Socket::IP configuration failed SSL connect attempt failed with unknown error
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2015-05-26 06:45:25 +03:00
Peter Simons
50fa9d8eea
Merge pull request #7941 from peti/allow-custom-ssh-moduli-file
...
nixos: add config.services.openssh.moduliFile option so that users can replace the default file from OpenSSH
2015-05-22 20:51:42 +02:00
Peter Simons
86d299bc6e
nixos: add config.services.openssh.moduliFile option so that users can replace the default file from OpenSSH
...
The man page for ssh-keygen(1) has a section "MODULI GENERATION" that describes
how to generate your own moduli file. The following script might also be helpful:
| #! /usr/bin/env bash
|
| moduliFiles=()
|
| generateModuli()
| {
| ssh-keygen -G "moduli-$1.candidates" -b "$1"
| ssh-keygen -T "moduli-$1" -f "moduli-$1.candidates"
| rm "moduli-$1.candidates"
| }
|
| for (( i=0 ; i <= 16 ; ++i )); do
| let bitSize="2048 + i * 128"
| generateModuli "$bitSize" &
| moduliFiles+=( "moduli-$bitSize" )
| done
| wait
|
| echo >moduli "# Time Type Tests Tries Size Generator Modulus"
| cat >>moduli "${moduliFiles[@]}"
| rm "${moduliFiles[@]}"
Note that generating moduli takes a long time, i.e. several hours on a fast
machine!
This patch resolves https://github.com/NixOS/nixpkgs/pull/5870 .
2015-05-22 16:28:45 +02:00
William A. Kennington III
31a273cb14
nixos/tinc: users are system users
2015-05-21 20:11:13 -07:00
William A. Kennington III
4ed8cdc3d4
nixos/bird: Fix doc compilation
2015-05-20 18:53:54 -07:00
lassulus
9d07c54fa1
nixos: add bird module
...
patch bird to look in /var/run for birc.ctl
2015-05-19 15:42:24 +02:00
Arseniy Seroka
946e7dca61
Merge pull request #7842 from dezgeg/pr-nix-serve
...
nix-serve: Add nixos module
2015-05-14 22:44:43 +03:00
Tuomas Tynkkynen
fd8cb1ff2d
nix-serve: Add nixos module
...
This allows sharing the Nix store of the machine as a binary cache
simply by setting 'services.nix-serve.enable = true'.
2015-05-14 12:27:28 +03:00
Eelco Dolstra
fc8011ad8d
Ensure that nscd, sshd are created as system users
...
c0f70b4694
removed the fixed uid
assignment, but then it becomes necessary to set isSystemUser.
http://hydra.nixos.org/build/22182588
2015-05-13 16:23:36 +02:00
William A. Kennington III
2806491cc4
nixos/consul: Add shell for health checks
2015-05-11 17:44:07 -07:00
William A. Kennington III
b6e26aa8df
nixos/consul: Support a config directory for health checks
2015-05-11 16:45:04 -07:00
William A. Kennington III
1938dc9b54
nixos/consul: Remove the joinNodes and joinRetries options as they are now built in consul options
2015-05-11 16:27:53 -07:00
Arseniy Seroka
c0727fb751
Merge pull request #7788 from Lassulus/charybdis
...
add charybdis nixos module
2015-05-11 12:57:58 +03:00
lassulus
304cab2b46
add charybdis nixos module
2015-05-11 11:38:53 +02:00
William A. Kennington III
074c4a7f78
Merge remote-tracking branch 'upstream/master' into staging
2015-05-07 01:44:49 -07:00
Stephen Weinberg
a6ebccfbb8
Sane default configuration for sabnzbd module
...
Added option to set user. Use unpriviledged user by default. Add sane
default for configuration location.
2015-05-05 00:18:22 -04:00
Vladimír Čunát
30f31c9afc
Merge 'master' into staging
...
(relatively simple conflicts)
2015-04-26 22:52:08 +02:00
Jaka Hudoklin
ff095f5002
nixos: add node docker registry server
2015-04-25 16:16:34 +02:00
Emery Hemingway
34f1c39fe0
nixos: fix cjdns json config
...
filter extraneous attributes from config modules
2015-04-25 09:40:44 -04:00
Jaka Hudoklin
b5114de4ac
nixos: add racoon ipsec IKE deamon
2015-04-25 15:31:27 +02:00
Luca Bruno
db3b86560f
GNOME 3.16.1, closes #7357
2015-04-25 12:02:33 +02:00
Edward Tjörnhammar
4ea47155af
Merge pull request #7498 from k0ral/sslh
...
sslh: argument to -F can no longer be separated from the option by a space
2015-04-23 21:35:46 +02:00
Oliver Matthews
a498b28322
wait for filesystem before starting btsync; bump to latest package version
2015-04-23 13:09:34 +00:00
koral
88ce17b6e1
sslh: argument to -F can no longer be separated from the option by a space
2015-04-21 16:29:25 +00:00
Nicolas B. Pierron
7585d42d2b
Fix #7354 - Accept _module attributes added to every submodule.
2015-04-20 23:58:32 +02:00
Nikolay Amiantov
0f5d5f9d12
lambdabot: add named pipe for incoming commands
2015-04-20 18:56:48 +03:00
Eelco Dolstra
c0f70b4694
Remove fixed uids for nscd, sshd
...
These services don't create files on disk, let alone on a network
filesystem, so they don't really need a fixed uid. And this also gets
rid of a warning coming from <= 14.12 systems.
2015-04-19 22:06:45 +02:00
Tobias Geerinckx-Rice
1f513c21f9
Merge pull request #7461 from dezgeg/pr-ddclient-unit-type
...
ddclient: Fix capitalization of systemd unit keys
2015-04-19 15:27:21 +02:00
Tuomas Tynkkynen
e7843efe12
ddclient: Fix incorrectly capitalized systemd unit key
...
This avoids the following warning:
Apr 19 10:53:48 xen systemd[1]: [/nix/store/...-unit-ddclient.service/ddclient.service:19] Unknown lvalue 'type' in section 'Service'
As `Type=simple` is the default in systemd, the assignment to the
service type can be simply dropped.
2015-04-19 15:58:34 +03:00
Jonathan Glines
cdb174c18d
Added NixOS module for Asterisk server
2015-04-16 17:41:37 -06:00
Eelco Dolstra
a0f69df10e
dnsmasq: Add some types
2015-04-16 19:13:26 +02:00
Nikolay Amiantov
1d6723c085
lambdabot: add nixos service
2015-04-16 13:33:40 +03:00
Joel Moberg
5b075eb400
i2p: add nixos service
2015-04-15 12:52:06 +02:00
Nicolas B. Pierron
3eef61a6eb
NixOS Manual: Do not use unfree packages as default value.
2015-04-08 23:14:19 +02:00
Arseniy Seroka
e52e160190
Merge pull request #7215 from cwoac/btsync2
...
Add support for btsync 2.x branch
2015-04-06 18:50:05 +03:00
Oliver Matthews
0539ed4771
Add support for btsync 2.x branch
2015-04-06 15:31:40 +00:00
William A. Kennington III
b3c423757e
nixos/rdnssd: Major refactoring
...
This updates rdnssd to the following:
* Using the systemd interfaces directly
* Using the rdnssd user instead of the root user
* Integrating with resolvconf instead of writing directly to /etc/resolv.conf
2015-04-04 21:20:07 -07:00
Nikolay Amiantov
16f047a60f
nixos/networkmanager: support l2tp
2015-03-29 13:09:02 +03:00
Jan Malakhovski
5c6d86540b
nixos: use types.enum instead of ad-hoc check in sshd service
2015-03-26 12:43:42 +00:00
Arseniy Seroka
ff22e19fc4
Merge pull request #6893 from hrdinka/nsd-config-options
...
nsd: Fix automatic config options
2015-03-23 13:19:29 +03:00
Edward Tjörnhammar
664592561d
nixos: added aiccu service
2015-03-20 22:01:35 +01:00
Christoph Hrdinka
d3a2edb8ce
nsd: Fix automatic config options
2015-03-19 12:10:55 +01:00
Christoph Hrdinka
6db8155e37
nsd: Update from 4.1.0 -> 4.1.1
2015-03-18 21:01:35 +01:00
lethalman
359bc60ec8
Merge pull request #6448 from eduarrrd/ddclient
...
ddclient module: fix module
2015-03-17 12:38:12 +01:00
lethalman
fe79bf34a5
Merge pull request #6512 from bjornfor/nixos-haproxy-cleanup
...
nixos/haproxy: remove broken default 'config'
2015-03-11 16:29:06 +01:00
Eelco Dolstra
d31202fba2
sshd: Enable seccomp sandboxing
2015-03-09 11:27:19 +01:00
Nikita Mikhailov
579159c72b
Add dispatcher configuration options to NetworkManager module
2015-03-08 20:24:53 +01:00
William A. Kennington III
9ce0c1cb71
nixos/consul: Fix timeout bugs and json formatting
2015-02-25 15:42:43 -08:00
William A. Kennington III
f27fa79aa9
nixos/dnsmasq: Fix service name typo
2015-02-25 09:22:16 -08:00
Eduard Bachmakov
4bf66ba89c
ddclient module: fix module
...
* rewrite to systemd.services
* disable forking to give systemd better control
* verifiably run as ddclient user
* expose ssl option
* unset default value for dyndns server
* rename option "web" to "use" to be consistent with ddclient docs
* add descriptions
* add types to options
* clean up formatting
2015-02-23 22:37:20 -05:00
Eelco Dolstra
b70bd0879b
sshd: Generate a ed25519 host key
2015-02-23 17:00:07 +01:00
Bjørn Forsman
ffb4797dd3
nixos/haproxy: remove broken default 'config'
...
HAProxy fails to start with the default 'config'. Better disable it and
assert that the user provides a suitable 'config'. (AFAICS, there cannot
really be a default config file for HAProxy.)
2015-02-22 12:30:14 +01:00
Bjørn Forsman
419a4166a7
nixos/haproxy: small cleanup
...
* Add option types
* Rewrite option descriptions
* /var/run/haproxy.pid => /run/haproxy.pid (canonical location)
2015-02-22 12:29:34 +01:00
aszlig
030895f075
nixos/dhcpcd: Only run resume commands if enabled.
...
The networkd implementation sets systemd.services.dhcpcd.enable to
false in nixos/modules/tasks/network-interfaces-systemd.nix. So we need
to respect that in the dhcpcd module.
If we don't, the resumeCommand is set nevertheless, which causes the
post-resume.service to fail after resuming:
Failed to reload dhcpcd.service: Unit dhcpcd.service is masked.
post-resume.service: main process exited, code=exited, status=1/FAILURE
Failed to start Post-Resume Actions.
Dependency failed for Post-Resume Actions.
Unit post-resume.service entered failed state.
post-resume.service failed.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2015-02-22 08:09:04 +01:00
Sou Bunnbu
f8dbd6f9ae
Merge pull request #6427 from grwlf/vsftpd-port
...
vsftpd.nix: add 'portPromiscuous' option
2015-02-18 19:18:34 +08:00
Sergey Mironov
ac65a757f0
vsftpd.nix: add 'portPromiscuous' option
2015-02-18 11:51:43 +03:00
Mathijs Kwik
2fe44b95d0
nixos/wpa_supplicant: fix conflicting documentation
...
fixes #6298
2015-02-17 22:16:20 +01:00
James Cook
33550b6efe
Merge pull request #5665 from joachifm/dnscrypt-proxy-apparmor-updates
...
dnscrypt-proxy service: update AppArmor profile
2015-02-14 22:02:31 -08:00
lethalman
51a7277fac
Merge pull request #6312 from k0ral/sslh
...
sslh: added libwrap support + improved nixos module.
2015-02-13 10:03:48 +01:00
Jaka Hudoklin
a17f5c8c9b
nixos/consul: add consul-alerts service
2015-02-12 19:16:50 +01:00
koral
cb153cfca3
sslh: added libwrap support + improved nixos module.
2015-02-12 13:21:36 +01:00
lethalman
93ebaafabe
Merge pull request #6170 from k0ral/sslh
...
New sslh module
2015-02-10 11:17:56 +01:00
William A. Kennington III
9792b12e53
nixos/openntpd: Don't start until we have networking
...
This attempts to fix an issues where ntp is unable to resolve hostnames
because it came up before local nameservers or networking.
2015-02-06 14:45:47 -08:00
William A. Kennington III
3e280f2089
nixos/tinc: Fix key generation behavior and use tinc 1.1 by default
2015-02-05 23:37:20 -08:00
koral
1439e72147
New sslh module.
2015-02-05 13:30:39 +01:00
Edward Tjörnhammar
83925c33f6
i2pd: 0.6.0 -> 0.7.0
...
nixos: i2pd.service, fix string escaping
2015-02-05 12:09:59 +01:00
William A. Kennington III
9ddb6c9cc9
nixos/tinc: Add daemon configuration
2015-02-04 18:19:04 -08:00
William A. Kennington III
bae5faa82d
nixos/dhcpd: Also try restarting openntpd as it suffers the same dns resolution problem
2015-02-04 17:33:14 -08:00
William A. Kennington III
43d8b1ef3c
openntpd: Fixes
2015-02-04 17:30:22 -08:00
William A. Kennington III
a9f1329d2d
nixos/openntpd: Add openntpd to the environment for ntpctl
2015-02-04 17:27:03 -08:00
lethalman
49b67bb9cb
Merge pull request #6078 from boothead/sabnzbd
...
sabnzbd Change service to systemd
2015-02-03 13:32:59 +01:00
Shea Levy
c45372f038
Merge commit 'cfb29ab882323d379aba20a95020c7c24f883eae'
...
Partial staging merge, including cc-wrapper fixes
Conflicts:
pkgs/applications/audio/spotify/default.nix
pkgs/build-support/cc-wrapper/default.nix
pkgs/development/compilers/cryptol/1.8.x.nix
2015-02-02 21:14:28 -05:00
Bjørn Forsman
ee52a61e3a
nixos/tftpd: add option types and fixup descriptions
...
The first description is a (incorrect) copy/paste from the 'vsftpd'
module, and the second option lacks a 'dot' at the end.
2015-02-01 15:57:28 +01:00
Shea Levy
52d4b9d982
Merge branch 'tlsdate' of git://github.com/4z3/nixpkgs
2015-01-30 01:07:59 -05:00
Eelco Dolstra
b61d4ac6a5
ntpd: Fork into the background
...
With -n, ntpd will write log messages to both syslog and stderr, which
is ugly.
2015-01-28 15:34:42 +01:00
Eelco Dolstra
11a0344e13
Merge pull request #5918 from robberer/openntpd
...
openntpd: add extraConfig and extraOptions
2015-01-23 16:43:15 +01:00
Longrin Wischnewski
4fa5d1f626
openntpd: add extraConfig and extraOptions
2015-01-23 16:15:20 +01:00
tv
3fdd925063
nixos: Add tlsdated service
2015-01-21 05:09:47 +01:00
Joachim Fasting
7023e03d77
firewall service: fix pingLimit example value
...
The example uses single dashes, whereas iptables requires double dashes.
2015-01-20 08:47:11 +01:00
Peter Simons
ec6b82a0c2
Merge branch 'master' into staging.
2015-01-19 18:41:17 +01:00
William A. Kennington III
130f66b683
nixos/sync-server: Respect the enable option
2015-01-18 14:21:40 -08:00
Domen Kožar
3b174a4024
Merge pull request #5301 from nbp/syncserver
...
Add Firefox Sync service
2015-01-18 17:47:51 +01:00
Nicolas B. Pierron
8196727fad
Improve the documentation of the syncserver module.
2015-01-18 12:21:23 +01:00
Nicolas B. Pierron
0d13ea0131
Change default syncserver listen.port to a safer one.
2015-01-18 12:20:44 +01:00
Eric Seidel
88eae46455
rename occurrences of gcc.gcc to gcc.cc
2015-01-14 20:47:49 -08:00
Edward Tjörnhammar
837cfbb9ea
nixos: adding nylon service with uid,gid
2015-01-14 22:08:47 +01:00
Vladimír Čunát
72d2d59cd4
/etc/ssh/ssh_known_hosts: refactor and fix #5612
...
Generating the file was refactored to be completely in nix.
Functionally it should create the same content as before,
only adding the newlines.
CC recent updaters: @aszlig, @rickynils.
2015-01-11 22:14:25 +01:00
Joachim Fasting
97bac259d0
dnscrypt-proxy service: update AppArmor profile
...
This patch fixes the AppArmor profile path clause and adds
(currently ignored) network rules.
The AppArmor profile used to be defined for the path sbin/dnscrypt-proxy,
but the real path is bin/dnscrypt-proxy (due to sbin now being a symlink
to bin), which permitted the service to run unconfined.
Adding the network rules has no effect other than improving correctness,
as the version of AppArmor in the NixOS kernel fails to enforce network
rules.
2015-01-09 15:08:07 +01:00
William A. Kennington III
9a7766e054
nixos/network-interfaces: Add mstpd support for bridges
2015-01-07 14:49:24 -08:00
William A. Kennington III
8627110091
icedtea: Make major version nonspecific attrs
2015-01-02 00:24:49 -08:00