Commit Graph

2811 Commits

Author SHA1 Message Date
Arseniy Seroka
fd5566da41 Merge pull request #5080 from joachifm/dnscrypt-refactor
dnscrypt-proxy: minor superficial improvements
2014-11-24 15:48:47 +03:00
William A. Kennington III
8309aa04b2 unifi: Actually remove webapps at shutdown 2014-11-24 02:30:04 -08:00
William A. Kennington III
8f0d65e2df unifi: Clean all of webapps at start and stop 2014-11-24 00:22:24 -08:00
William A. Kennington III
3f7b2bc70d unifi: Fix typo 2014-11-24 00:06:42 -08:00
Joachim Fasting
119d93e223 dnscrypt-proxy: minor superficial improvements
- Use upstream description and explicitly set platforms = all
- Coding conventions fix
2014-11-22 16:19:06 +01:00
William A. Kennington III
826f5468ab nixos/unifi: Remove old ROOT.war links before relinking 2014-11-14 11:45:38 -08:00
William A. Kennington III
d0e15cc575 Merge pull request #4983 from bosu/fw-stop-fix
firewall: clear rpfilter on stop
2014-11-14 00:14:27 -08:00
Boris Sukholitko
53b24d0c95 firewall: clear rpfilter on stop 2014-11-14 09:07:18 +02:00
Moritz Ulrich
e884dc32c5 Add local-fs.target to minidlna.
Minidlna fails to start if it wants to access a filesystem which isn't
mounted (yet).
2014-11-12 23:20:47 +01:00
Joachim Fasting
52f0553209 Add dnscrypt-proxy service
The dnscrypt-proxy service relays regular DNS queries to
a DNSCrypt enabled upstream resolver.
The traffic between the client and the upstream resolver is
encrypted and authenticated, which may mitigate the risk of
MITM attacks and third-party snooping (assuming a trustworthy
upstream).

Though dnscrypt-proxy can run as a standalone DNS client,
the recommended setup is to use it as a forwarder for a
caching DNS client.
To use dnscrypt-proxy as a forwarder for dnsmasq, do

```nix
{
  # ...

  networking.nameservers = [ "127.0.0.1" ];
  networking.dhcpcd.extraConfig = "nohook resolv.conf";

  services.dnscrypt-proxy.enable = true;
  services.dnscrypt-proxy.localAddress = "127.0.0.1";
  services.dnscrypt-proxy.port = 40;

  services.dnsmasq.enable = true;
  services.dnsmasq.extraConfig = ''
    no-resolv
    server=127.0.0.1#40
    listen-address=127.0.0.1
  '';

  # ...
}
```
2014-11-11 22:47:19 +01:00
Edward Tjörnhammar
c329e5bbd9 i2pd: added package, service 2014-11-09 09:55:35 +01:00
Emery Hemingway
67a2a58314 cjdns: service tweaks, new NixOS test 2014-11-08 23:39:02 +01:00
Aristid Breitkreuz
8b50383c45 Merge pull request #4859 from abbradar/git-daemon
nixos/git-daemon: fix a bug and add 'user' and 'group' options
2014-11-08 19:33:24 +01:00
Aristid Breitkreuz
cf4a976ced quassel: make a proper systemd unit (also properly works in containers now) 2014-11-08 14:59:25 +01:00
Nikolay Amiantov
46b866cf63 nixos/git-daemon: fix 'exportAll' option 2014-11-07 15:50:01 +03:00
Nikolay Amiantov
af1d09879b nixos/git-daemon: add 'user' and 'group' options 2014-11-07 15:49:45 +03:00
Nikolay Amiantov
4b2e43865a nixos/git-daemon: add types 2014-11-07 15:49:03 +03:00
William A. Kennington III
ba53392bce nixos/nat: Fix override so that sysctls are properly preserved 2014-10-31 16:50:25 -07:00
Domen Kožar
3b133beb7a Merge pull request #4553 from ehmry/polipo
drop permission prestart from polipo service module
2014-10-23 12:51:36 +02:00
Emery Hemingway
a3338abcfe cjdns: add peer hostnames to extraHosts, option for external config 2014-10-21 13:16:04 -04:00
Emery Hemingway
32d6ae7ed9 drop permission prestart from polipo service module
chowning the cache directory can timeout the service, permissions
on this directory should never change without user intervention
2014-10-16 10:57:16 -04:00
Joachim Schiele
13298fcbb9 Merge pull request #4535 from flosse/lua-bitop
lua-packages: added lua-bitop to add websocket support for prosody
2014-10-15 09:41:32 +02:00
Markus Kohlhase
5308d3284b prosody: added websocket support 2014-10-15 03:57:00 +02:00
Matej Cotman
561d3b3860 seeks: nixos module 2014-10-13 13:10:49 +02:00
Markus Kohlhase
d86c2c30c5 prosody: packaged as a service
Conflicts:
	nixos/modules/misc/ids.nix
2014-10-11 18:53:43 +02:00
Shea Levy
f5aaefbb6c More pkgs.lib -> lib fixes 2014-09-29 09:45:59 -04:00
Jaka Hudoklin
ff8f23ab26 Merge pull request #4280 from wkennington/master.consul
nixos/consul: Add module
2014-09-27 07:00:39 +02:00
William A. Kennington III
36f9b9c284 nixos/consul: Add module 2014-09-26 03:25:14 -07:00
Matej Cotman
5e18182a30 mailpile: add module 2014-09-26 10:49:09 +02:00
Emery Hemingway
61f0d9b251 cjdns: update from 20140919 to 20140922
package installs to .../bin
fix service module to look in .../bin

Closes #4240
2014-09-23 22:30:53 +01:00
Ben Ford
06818c5cb2 Change service to systemd 2014-09-22 12:09:53 +01:00
Domen Kožar
2247f3a8d3 Merge pull request #4168 from lostdj/ltp/master/btsyncfix
bittorrentsync: fix storage_path
2014-09-20 10:53:57 +02:00
lostdj
f02d4ec9ed bittorrentsync: fix storage_path.
If this path is a symlink, btsync won't be able to read it if it's not ending with "/".
2014-09-19 18:19:04 +04:00
William A. Kennington III
ae195727b7 nixos/nat: Don't flush tables, create subchains for autogenerated rules 2014-09-18 11:28:58 -07:00
William A. Kennington III
ec9c4143a7 nixos/firewall: Cleanup in case reload fails 2014-09-16 15:51:57 -07:00
William A. Kennington III
1321fd175d nixos/nat: Leverage firewall module 2014-09-15 21:31:27 -07:00
William A. Kennington III
6a43d51291 nixos/firewall: Support extraStopCommands 2014-09-15 21:31:26 -07:00
William A. Kennington III
fd7b9b4291 nixos/firewall: Don't allow traffic during reload 2014-09-15 20:40:16 -07:00
Jaka Hudoklin
f7ba3d833f nixos/znc: fix module, createUser option does not exist anymore 2014-09-13 02:20:32 +02:00
William A. Kennington III
bab5efd237 nixos/ssh: Allow user to configure the package that provides ssh/sshd 2014-09-11 22:07:39 -07:00
Aristid Breitkreuz
c3fe942a57 start dhcpcd after network-interfaces 2014-09-06 13:52:09 +02:00
aszlig
e8c4fde22d nixos/nsd: Improve support for journald/systemd.
Don't fork into the background and just log to stderr.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-09-05 02:54:39 +02:00
aszlig
6386df1645 nixos/nsd: Fix indentation/coding style.
For Nix, we indent using two spaces, but in this module somehow 4 spaces
were snuck in. Other than that, remoteControl and ratelimit are just
nested attribute sets, so we don't need to make another submodule type
for no particular reason.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-09-05 02:54:39 +02:00
Luca Bruno
2ba523df24 nixos nat: add description to forwardPorts 2014-09-04 11:33:08 +02:00
Luca Bruno
e6ab680cbf nixos nat: add type for sourcePort and destination of forwardPorts 2014-09-04 10:26:33 +02:00
Michael Raskin
4155121069 Merge pull request #3926 from lethalman/fwdports
nixos/nat: add forwardPorts for external->internal DNAT
2014-09-03 21:54:37 +04:00
Michael Raskin
3e841ef642 Fixing comment case 2014-09-03 20:03:15 +04:00
Michael Raskin
d1ae15b680 Merge pull request #3804 from ehmry/unbound
unbound: run in chroot
2014-09-03 11:45:20 +04:00
Nathan Bijnens
33a3f76ee4 Copy.com: client #3617 2014-09-03 11:31:51 +04:00
William A. Kennington III
9659d0f4fb nixos/dnsmasq: Fix regressions during the systemd update 2014-09-02 17:23:55 -07:00
Vladimir Still
13bbce96c3 sshd: Fix typo in assertion. 2014-09-02 10:06:04 +02:00
Vladimir Still
a2394f09c7 sshd: Add note about listening on port 22 to listenAddresses. 2014-09-01 22:56:35 +02:00
Vladimir Still
ac39d839c3 sshd: Add note about firewall and listenAddresses. 2014-09-01 22:56:35 +02:00
Vladimir Still
e12337156c sshd: Allow to specify ListenAddress. 2014-09-01 22:56:35 +02:00
Michael Raskin
a6dfb4dc28 Merge pull request #3241 from ehmry/cjdns
cjdns declarative configuration
2014-09-02 00:53:18 +04:00
Luca Bruno
b21ac60290 nixos/nat: add forwardPorts for external->internal DNAT 2014-09-01 22:31:56 +02:00
Luca Bruno
31b7cae018 nixos/znc: fix immutable config.
Fix references to coreutils echo and rm.
Make config writable even if immutable because of
https://github.com/znc/znc/blob/master/src/znc.cpp#L964 .
2014-09-01 16:21:12 +02:00
aszlig
29f4642284 nixos: Add new service for OpenNTPd.
This conflicts with the existing reference NTP daemon, so we're using
services.ntp.enable = mkForce false here to make sure both services
aren't enabled in par.

I was already trying to merge the module with services.ntp, but it would
have been quite a mess with a bunch of conditions on the package name.
They both have a bit in common if it comes to the configuration files,
but differ in handling of the state dir (for example, OpenNTPd doesn't
allow it to be owned by anything other than root).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-09-01 16:07:28 +02:00
Michael Raskin
9e3d1b1a8f Merge pull request #3908 from wkennington/master.ip
Reapply the multi-ip code
2014-09-01 10:28:54 +04:00
Jan Malakhovski
8c9b6d932a nixos: add dhcpcd.persistent option 2014-09-01 10:33:48 +04:00
Jan Malakhovski
99243a5c51 nixos: add atftpd service 2014-09-01 10:33:48 +04:00
Emery Hemingway
f60ac82cac cjdns: new declarative service expression
systemd service wants network-interfaces.target rather than network.target
assertion on config.networking.enableIPv6
2014-08-31 18:14:16 -04:00
William A. Kennington III
3d037ebb94 Revert "Revert "Merge pull request #3182 from wkennington/master.ipv6""
This reverts commit ea8910652f.
2014-08-31 09:46:16 -07:00
Rob Vermaas
ea8910652f Revert "Merge pull request #3182 from wkennington/master.ipv6"
This reverts commit b23fd65854, reversing
changes made to 43654cba2c.
2014-08-31 10:58:54 +02:00
Nicolas B. Pierron
a5d6219897 Merge pull request #3864 from nbp/useless-submodules
Remove useless use of undocumented submodules.
2014-08-30 18:21:17 +02:00
William A. Kennington III
4d8390be60 nixos/network-interfaces: Support the old ip configuration convention 2014-08-30 08:05:00 -07:00
William A. Kennington III
098c8f4c77 nixos/network-interfaces: Add support for multiple ipv4 / ipv6 addresses 2014-08-30 07:33:38 -07:00
Michael Raskin
8937b70d07 Merge pull request #3344 from ehmry/privoxy
privoxy: upstart to systemd conversion, actions file editing
2014-08-30 14:19:57 +04:00
Nicolas Pierron
8c19690d99 Remove useless use of optionSet. 2014-08-29 18:43:03 +02:00
Nicolas Pierron
43e52ef001 Remove useless use of undocumented submodules. 2014-08-29 18:28:34 +02:00
Michael Raskin
844fd2553e Merge pull request #3745 from wkennington/master.dnsmasq
dnsmasq: Update and enable dbus support
2014-08-29 01:43:41 +04:00
Michael Raskin
c42e7dfc0c Merge pull request #3200 from wkennington/master.dhcpcd
nixos/dhcpcd: Add an explicit interfaces option
2014-08-29 01:09:22 +04:00
Paul Colomiets
adbb9ff796 dnsmasq: upgrade to 2.71, fixed dnsmasq module
* The module now has systemd config

* Add resolveLocalQueries option which sets up it as a dns server for
  local host (including reasonable setup of resolvconf)

* Add "dnsmasq" user for running daemon

* Enabled dbus and dnssec support for the package

Conflicts:
	nixos/modules/misc/ids.nix
2014-08-28 11:39:03 -07:00
aszlig
8a56a55bb4 nixos/manual: Use literalExample when feasible.
Should bring most of the examples into a better consistency regarding
syntactic representation in the manual.

Thanks to @devhell for reporting.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-08-27 23:41:15 +02:00
Emery Hemingway
e7597b12b8 privoxy: upstart to systemd conversion, actions file editing
fix missing actions and filters
2014-08-27 11:34:10 -04:00
Emery Hemingway
aedbfdff84 unbound: run in chroot 2014-08-26 21:24:09 -04:00
William A. Kennington III
aa77fe0fb0 nixos/radvd: Convert to a systemd unit
Additionally, remove the automatic initialization of the ipv6 forwarding
sysctl as this should be handled by the end user. This really should not
be an issue as most people running radvd are likely forwarding ipv6
packets.
2014-08-24 03:12:55 -07:00
William A. Kennington III
bc6979f7e1 nixos/dhcpcd: Don't configure sit devices 2014-08-14 14:06:56 -05:00
William A. Kennington III
a269acf480 nixos/dhcpcd: Use null instead of empty list to disable allowInterfaces 2014-08-14 14:05:55 -05:00
William A. Kennington III
320a82dd7f nixos/dhcpcd: Add an explicit interfaces option 2014-08-14 14:05:55 -05:00
William A. Kennington III
d0c0c2f9ba nixos/dhcpd: Wait until network interfaces are configured to start 2014-08-13 15:08:43 -05:00
William A. Kennington III
b3ddcfabd9 nixos/dhcpd: Convert to systemd from upstart 2014-08-13 15:08:43 -05:00
William A. Kennington III
24368beed8 nixos/dhcpd: Use dhcp user instead of nobody 2014-08-13 15:08:43 -05:00
William A. Kennington III
4fbf120e84 nixos/dhcpd: Add the ability to drop privileges 2014-08-13 15:08:08 -05:00
William A. Kennington III
56228e5614 nixos/dhcp: Modernize ddns-update-style 2014-08-13 15:08:08 -05:00
Jaka Hudoklin
675d76b00c nixos/znc: add option to add module packages to znc
Besides that add option for extra znc config and fix a lot of stuff
2014-08-09 19:35:59 +02:00
Eelco Dolstra
4668f37444 Fix NixOS evaluation on i686-linux 2014-08-09 17:19:09 +02:00
Peter Simons
9226fbf56a Merge remote-tracking branch 'origin/master' into staging. 2014-08-08 09:51:01 +02:00
William A. Kennington III
377454ff0e nixos/unifi: Explain and simplify the bind mount configuration 2014-08-05 23:15:49 -05:00
William A. Kennington III
12ad29226c nixos/unifi: Fix ordering of mount rules 2014-08-05 22:09:15 -05:00
William A. Kennington III
dfb596b49b nixos/unifi: Add service module 2014-08-05 21:40:47 -05:00
Eelco Dolstra
f64d84698e Merge remote-tracking branch 'origin/master' into staging
Conflicts:
	pkgs/applications/audio/espeak/edit.nix
	pkgs/applications/audio/lmms/default.nix
	pkgs/desktops/e18/enlightenment.nix
	pkgs/games/exult/default.nix
	pkgs/os-specific/linux/alsa-plugins/default.nix
2014-07-28 11:30:49 +02:00
lethalman
de59b6d7cd Merge pull request #3262 from bjornfor/znc-module-types
nixos/znc-service: don't use types.string (it's deprecated)
2014-07-26 12:41:25 +02:00
Eelco Dolstra
7f410ef923 Merge remote-tracking branch 'origin/master' into staging
Conflicts:
	pkgs/misc/vim-plugins/default.nix
2014-07-22 11:00:00 +02:00
Emery Hemingway
e5988bf4dd polipo: new service expression 2014-07-16 11:29:40 -04:00
Bjørn Forsman
3a4498ab07 nixos/znc-service: don't use types.string (it's deprecated)
Apart from s/types.string/types.str/ (or types.lines where appropriate):

* port is changed from string to int.

* extraFlags is changed from types.string (with unfortunate merge
  semantics) into a list of strings. A list of strings merge better:
  one space is added between elements.
2014-07-13 20:33:15 +02:00
Eelco Dolstra
95b828de42 Merge remote-tracking branch 'origin/master' into staging 2014-07-07 13:16:26 +02:00
Alex Berg
7b768ba2f5 Merge remote-tracking branch 'nixos/master' into feature/add-znc-module
Conflicts:
	nixos/modules/misc/ids.nix
2014-07-03 11:30:11 -05:00
Shea Levy
b3cfb9084b Get all lib functions from lib, not pkgs.lib, in modules 2014-07-02 12:28:18 -04:00
Eelco Dolstra
06fc1ec34d Merge remote-tracking branch 'origin/master' into staging
Conflicts:
	pkgs/servers/serfdom/default.nix
2014-07-01 11:25:41 +02:00
Eelco Dolstra
40f7b0f9df Another attempt to eradicate ensureDir
See c556a6ea46.
2014-06-30 14:56:10 +02:00
Michael Raskin
b403893aa2 Merge pull request #2778 from edwtjo/radicale
Adding Radicale package and service
2014-06-30 10:11:23 +04:00
aszlig
da32f052b1 Revert "nixos/sshd: drop mode from auth keys file".
This reverts commit a3331eb87b.

See https://github.com/NixOS/nixpkgs/issues/2559#issuecomment-47313334
for a description why this is not a good idea.

I guess it's better to implement a sane way to remove all files in
authorized_keys.d, especially because it is also backwards-compatible.

Reopens #2559.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-06-27 09:22:07 +02:00
John Wiegley
8eedf968eb Merge pull request #3093 from lethalman/sshkeys
nixos/sshd: drop mode from auth keys file. Closes #2559
2014-06-26 10:26:47 -07:00
Luca Bruno
a3331eb87b nixos/sshd: drop mode from auth keys file. Closes #2559 2014-06-26 10:15:34 +02:00
Alex Berg
9af1e2ab51 Add ZNC module. Has zncConfOptions or specify full conf file. 2014-06-26 05:44:32 +02:00
Christoph Hrdinka
8daaa28ac8 nsd-service: add service module for nsd 2014-06-12 11:20:43 +02:00
Peter Simons
ce7be7584f Merge pull request #2790 from ehmry/unbound
unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
2014-05-30 14:46:29 +02:00
Emery Hemingway
0ddce8db12 unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd 2014-05-29 09:59:55 -04:00
Edward Tjörnhammar
d1277ddcc2 Adding Radicale package and service 2014-05-28 20:41:39 +02:00
Alexei Robyn
4fa4518875 Add TeamSpeak 3 server & service module (close #2056)
Conflicts (trivial):
	lib/maintainers.nix
	nixos/modules/misc/ids.nix
2014-05-27 17:30:26 +02:00
Michael Raskin
2e5e49c306 Merge pull request #2424 from wkennington/cache.sshKey
ssh: Support knownHost public keys as strings
2014-05-27 01:46:12 -07:00
William A. Kennington III
08467c14de notbit: Add additional options to the daemon 2014-05-13 20:20:19 -05:00
William A. Kennington III
042273e528 notbit: Don't include unnecessary notbit binaries in the environment 2014-05-13 20:19:57 -05:00
William A. Kennington III
8915390bab notbit: Use the correct default port 2014-05-13 20:19:27 -05:00
Wout Mertens
c927cee2c3 dhcpcd: Allow adding hook code 2014-05-12 15:03:42 +02:00
Eelco Dolstra
6f7aaf10a5 Containers: Use systemd-nspawn's --network-veth flag
Note that this causes the name of the host-side interface to change
from c-<name> to ve-<name>.
2014-05-07 17:53:57 +02:00
Austin Seipp
b553d11616 btsync: Default to no login/password for the Web UI
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-02 00:41:47 -05:00
Austin Seipp
8946e91fad btsync: remove unneeded assertion
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-01 17:00:49 -05:00
William A. Kennington III
1396f624f4 sshd: Fix typing for options which take paths 2014-05-01 16:33:44 -05:00
William A. Kennington III
78c33177ce ssh: Support knownHost public keys as strings 2014-05-01 16:21:25 -05:00
Eelco Dolstra
cbfba813fe wpa_supplicant: Restart when wlan devices (dis)appear 2014-04-28 20:12:06 +02:00
Austin Seipp
b470c93c1e nixos: only enable spipe when user specifies
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-25 05:42:00 -05:00
Eelco Dolstra
2c70276d96 Remove outdated remark 2014-04-24 23:18:15 +02:00
Eelco Dolstra
2d8c0d24f2 dhcpcd: Fix segfaults
This fixes several problems in the dhcpcd service:

* A segfault during startup, due to a race with udev (dhcpcd would get
  an ADD event from udev, causing it to re-add an interface that it
  already had, leading to a segfault later on).

* A hang/segfault processing "dhcpcd rebind" (which NixOS calls after
  waking up from suspend).

Also, add "lo" to the list of ignored interfaces. It usually ignores
"lo", but apparently not when it gets an ADD event from udev.
2014-04-24 15:19:26 +02:00
Eelco Dolstra
25af3671f9 Remove some dead code 2014-04-24 15:19:26 +02:00
Eelco Dolstra
03d9e5cda0 sshd: Add support for socket activation
By enabling ‘services.openssh.startWhenNeeded’, sshd is started
on-demand by systemd using socket activation. This is particularly
useful if you have a zillion containers and don't want to have sshd
running permanently. Note that socket activation is not noticeably
slower, contrary to what the manpage for ‘sshd -i’ says, so we might
want to make this the default one day.
2014-04-22 17:38:54 +02:00
Eelco Dolstra
baffee02b8 sshd: Always start a session
Partially reverts 70a4c7b1df. Whether to
start a session is independent of whether we're running in a
container.
2014-04-22 17:38:53 +02:00
Eelco Dolstra
27a8cada79 openvpn: Add systemd startup notification
This causes OpenVPN services to reach the "active" state when the VPN
connection is up (i.e., after OpenVPN prints "Initialization Sequence
Completed"). This allows units to be ordered correctly after openvpn-*
units, and makes systemctl present a password prompt:

  $ start openvpn-foo
  Enter Private Key Password: *************

(I first tried to implement this by calling "systemd-notify --ready"
from the "up" script, but systemd-notify is not reliable.)
2014-04-22 13:14:58 +02:00
Eelco Dolstra
0a256cc0ee Firewall: Only start if we have CAP_NET_ADMIN 2014-04-19 23:02:59 +02:00
Eelco Dolstra
465d6ff572 Set $LOCALE_ARCHIVE in all systemd units
This variable used to be inherited implicitly from the stage-2 script,
but systemd now clears the environment. So we need to set it
explicitly.
2014-04-18 19:04:45 +02:00
Eelco Dolstra
da774bced5 Remove dhcpcd_without_udev attribute 2014-04-18 15:36:06 +02:00
Eelco Dolstra
d43b536ab6 Work around apparent dhcpcd bug 2014-04-18 02:43:00 +02:00
Eelco Dolstra
f7d28f7cd6 Slight test speedup
Don't do a pointless ARP check in dhcpcd.
2014-04-18 02:40:01 +02:00
Eelco Dolstra
8dcf76480c firewall: Order after systemd-modules-load.service
This ensures that connection tracking modules are loaded on time.
2014-04-17 18:10:20 +02:00
Austin Seipp
ae207efc07 nixos: add spiped service module
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-15 03:33:47 -05:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Eelco Dolstra
13185280fe Fix tests broken due to the firewall being enabled by default 2014-04-11 17:16:44 +02:00
Eelco Dolstra
017408e048 Use iptables' ‘-w’ flag
This prevents errors like "Another app is currently holding the
xtables lock" if the firewall and NAT services are starting in
parallel.  (Longer term, we should probably move to a single service
for managing the iptables rules.)
2014-04-11 17:16:44 +02:00
Eelco Dolstra
b9281e6a2d Fix NAT module 2014-04-11 17:16:44 +02:00
Eelco Dolstra
d2155649af Merge branch 'containers'
Fixes #2105.
2014-04-10 15:55:51 +02:00
Eelco Dolstra
a34bfbab4c Add option networking.nat.internalInterfaces
This allows applying NAT to an interface, rather than an IP range.
2014-04-10 15:07:29 +02:00
Peter Simons
0e147530ef Merge pull request #2199 from offlinehacker/nixos/ntp/containers_fix
nixos: disable ntp on containers by default
2014-04-10 12:33:35 +02:00
Jaka Hudoklin
0b170187e3 nixos: disable ntp on containers by default 2014-04-10 12:30:03 +02:00
Emery Hemingway
316e809ff8 cjdns: update to 20130303
build system is now nodejs based
new nixos module to start cjdns
2014-04-09 10:30:57 -04:00
Eelco Dolstra
694cc6172a Enable the firewall by default
Fixes #2135.
2014-04-08 09:44:01 +02:00
Shea Levy
a46d2e3150 Merge branch 'murmur' of git://github.com/thoughtpolice/nixpkgs
nixos: add Murmur module (Mumble chat)

Conflicts:
	nixos/modules/misc/ids.nix
2014-04-05 15:18:14 -04:00
Domen Kožar
f530ead0ba syncthing: add preStart script to create dataDir 2014-04-04 10:46:30 +02:00
Matej Cotman
7df1ce5088 syncthing: new package and nixos module 2014-04-04 10:46:29 +02:00
Austin Seipp
f61110d65d nixos: murmur service
Murmur is the headless server component of the Mumble chat system.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-02 00:11:00 -05:00
Shea Levy
701cb6b099 Merge branch 'nixos/containers/fix1' of git://github.com/offlinehacker/nixpkgs
nixos: fix linux containers (systemd-nspawn, lxc, lxc-libvirt)
2014-03-28 23:39:01 -04:00
Jaka Hudoklin
70a4c7b1df nixos: fix linux containers (systemd-nspawn, lxc, lxc-libvirt)
- Make dhcp work, use dhcpcd without udev in container
- Make login shell work, patch getty to not wait for /dev/tty0
- Make ssh work, sshd/pam do not start session
2014-03-24 23:59:50 +01:00
Austin Seipp
6e415d2b58 nixos: add BitTorrent Sync service module
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-03-20 12:24:28 -05:00
Shea Levy
78e6d0143d Add ngircd module 2014-03-19 22:04:35 -04:00
Eelco Dolstra
895bcdd1cb Add support for running a container with a private network interface
For example, the following sets up a container named ‘foo’.  The
container will have a single network interface eth0, with IP address
10.231.136.2.  The host will have an interface c-foo with IP address
10.231.136.1.

  systemd.containers.foo =
    { privateNetwork = true;
      hostAddress = "10.231.136.1";
      localAddress = "10.231.136.2";
      config =
        { services.openssh.enable = true; };
    };

With ‘privateNetwork = true’, the container has the CAP_NET_ADMIN
capability, allowing it to do arbitrary network configuration, such as
setting up firewall rules.  This is secure because it cannot touch the
interfaces of the host.

The helper program ‘run-in-netns’ is needed at the moment because ‘ip
netns exec’ doesn't quite do the right thing (it remounts /sys without
bind-mounting the original /sys/fs/cgroups).
2014-03-18 10:49:25 +01:00
William A. Kennington III
a42e1d5494 notbit: Add systemd service for a system daemon 2014-03-15 04:36:15 -05:00
Shea Levy
a0d574f19b firewall: Allow setting rate limits for pings 2014-03-14 14:55:30 -04:00
Thomas Bereknyei
a2353866a8 UID/GID fix for kippo 2014-03-12 03:32:56 -04:00
Domen Kozar
f0b34fe8ff searx: refactor a bit 2014-03-09 18:57:17 +01:00
Matej Cotman
7e932ca4e2 searx: add module 2014-03-09 17:33:56 +01:00
Gergely Risko
322b7124a8 Allow ntpq locally 2014-03-06 11:54:02 +01:00
Austin Seipp
fc9022bea1 firewall: add support for TCP/UDP port ranges
This is useful for packages like mosh, which use a wide UDP port range
by default for incoming connections.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-02-22 18:19:22 +01:00
Rickard Nilsson
fc90a739ba networkmanager module: No need to start ModemManager explicitly, done by NM 2014-02-13 18:05:04 +01:00
Oliver Charles
625b42838a NetworkManager: Fix aliases and dependencies
There are two fixes in this commit.

Firstly, I am creating proper symlinks for the Alias= definitions in the
.service files. This achieves the same result as `systemctl enable`, and
I think is preferred over `mv`.

Secondly, `networkmanager-init` now wants `NetworkManager.service`,
along with `ModemManager.service`. ModemManager does not depend on
NetworkManager (according to `systemctl list-dependencies ModemManager`),
thus NetworkManager never got started on boot.
2014-02-12 11:32:49 +00:00
Michael Raskin
4c9c7f6ba4 Add an option to change vsftpd anonymous write umask. 2014-02-11 01:34:19 +04:00
Domen Kožar
b17edbac57 ModemManager: 0.5.4.0 -> 0.7.991 2014-02-08 20:17:00 +01:00
Eelco Dolstra
9e7fe29e41 ntpd: Don't answer status queries
Workaround for CVE-2013-5211:

http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
2014-02-03 23:44:11 +01:00
Eelco Dolstra
559f5be07d dhcpcd: Update to 6.2.1
Dhcpcd now has integration with udev, so it should no longer be a
problem if udev renames an interface while dhcpcd is running.
2014-02-02 11:28:45 +01:00
Arvin Moezzi
0602ef22de git-daemon service: fix typo in option (close #1659) 2014-02-01 11:56:56 +01:00
Thomas Tuegel
7b743fcaab networkmanager: load modules required for PPTP 2014-01-24 09:22:59 -06:00
Thomas Bereknyei
57e3feda74 Adds kippo SSH honeypot 2014-01-14 10:32:26 +00:00
Rok Garbas
e1f363350a connman-vpn and connman-vpn dbus service should start after connman service 2014-01-11 21:17:17 +01:00
Matej Cotman
7d4d3536f7 connman: new packages ConnMan v1.20 and connman-ui 2014-01-11 20:22:53 +01:00
Thomas Tuegel
6f768bf47c networkmanager: register PPTP service 2014-01-02 11:02:29 -06:00
William A. Kennington III
38bc05158d network-interfaces: Add the ability to create bond devices
This patch adds support for the creations of new bond devices, aggregate
pipes of physical devices for extra throughput or failover.

Additionally, add better correction at the startup of a bridge
of vlan interface (delete old, stale interfaces).
2013-12-31 09:28:52 -06:00
Peter Simons
6bc4007e60 nixos: don't white-list port 8200 in the firewall when minidlna is enabled
If you want minidlna to accept connections from the rest of the world, please
add

    networking.firewall.allowedTCPPorts = [ 8200 ];
    networking.firewall.allowedUDPPorts = [ 1900 ];

to /etc/nixos/configuration.nix.

See <http://lists.science.uu.nl/pipermail/nix-dev/2013-November/011997.html>
for the discussion that led to this.
2013-12-23 21:32:13 +01:00
Michael Raskin
997778c820 Make Ejabberd service work 2013-12-20 18:16:56 +04:00
Michael Raskin
654627fe4c Merge pull request #1362 from tomberek/ddclient_correction
Correct web-skip value to match behavior of checkip.dyndns.com
2013-12-14 22:51:44 -08:00
Thomas Bereknyei
6129be5a7a Correct web-skip value to match behavior of checkip.dyndns.com 2013-12-11 23:22:43 -05:00
Bjørn Forsman
9474fbae65 nixos: add ntopng service
ntopng is a high-speed web-based traffic analysis and flow collection
tool. Enable it by adding this to configuration.nix:

  services.ntopng.enable = true;

Open a browser at http://localhost:3000 and login with the default
username/password: admin/admin.
2013-12-09 21:35:01 +01:00
Bjørn Forsman
ca26e75a73 nixos/avahi-service: small documentation update 2013-12-07 12:03:50 +01:00
Eelco Dolstra
2b1f212494 Disable various services when running inside a container 2013-11-26 18:19:45 +01:00
Rickard Nilsson
26d7598d46 networkmanager NixOS service: Make it possible to append or insert name servers in /etc/resolv.conf 2013-11-13 01:52:57 +01:00
Eelco Dolstra
785eaf2cea Add some primops to lib 2013-11-12 13:48:30 +01:00
Vladimír Čunát
619a1f5614 changes proposed for 13-10 update
One feature change: polkit update 8d14c7ba
2013-11-09 18:41:42 +01:00
Vladimír Čunát
8d14c7baa6 polkit: major update 0.105 -> 0.112
- It now uses JavaScript for configuration (only),
  so I had to "convert" config for NetworkManager.
- I tested suspend/restart/(un)mount on KDE/Xfce,
  Phreedom tested NetworkManager config conversion.
2013-11-09 16:29:18 +01:00
Eelco Dolstra
cc65b1015d vsftpd: Disable seccomp filtering on 64-bit
It worked on Linux 3.4 but fails with "500 OOPS: priv_sock_get_cmd"
since we updated the default kernel to 3.10.

http://hydra.nixos.org/build/6715359

https://bugzilla.redhat.com/show_bug.cgi?id=845980
https://bugzilla.novell.com/show_bug.cgi?id=786024
2013-11-07 16:38:57 +01:00
Eelco Dolstra
000962c3fb vsftpd: Run in the background and log to syslog (i.e. journal) 2013-11-07 16:38:57 +01:00
Eelco Dolstra
10e31f6de7 Clean up the vsftpd module a bit 2013-11-07 16:38:57 +01:00
Eelco Dolstra
444a4fb793 Loosen the type of SSH key files 2013-11-01 00:34:31 +01:00
Eelco Dolstra
c1159edc65 Remove remaining references to Upstart 2013-10-31 13:26:06 +01:00
Eelco Dolstra
244cf195c8 Use the "assertions" option instead of mkAssert 2013-10-30 18:47:44 +01:00
Eelco Dolstra
408b8b5725 Add lots of missing option types 2013-10-30 18:47:43 +01:00
Eelco Dolstra
be5d3a59dd Clean up some option examples 2013-10-30 18:47:43 +01:00
Eelco Dolstra
70a2c54527 Strictly check the arguments to mkOption
And fix various instances of bad arguments.
2013-10-30 15:35:09 +01:00
Eelco Dolstra
862e3dd977 Substitute "types.uniq types.string" -> "types.str" 2013-10-30 14:57:42 +01:00
Eelco Dolstra
1d104c792b Remove the dhclient module
It's no longer used by NixOS (replaced by dhcpcd).
2013-10-29 17:39:32 +01:00
Eelco Dolstra
0695b68c8c Manual: Render multi-line strings properly 2013-10-29 17:39:31 +01:00
Rok Garbas
562b453b93 nixos: haproxy module 2013-10-29 15:55:25 +01:00
Eelco Dolstra
f0b7b0af12 wpa_supplicant.nix: Add option types 2013-10-29 13:14:30 +01:00
Eelco Dolstra
d5047faede Remove uses of the "merge" option attribute
It's redundant because you can (and should) specify an option type, or
an apply function.
2013-10-28 22:45:56 +01:00
Eelco Dolstra
2cc37c17d9 openvpn.nix: Improve types 2013-10-28 22:45:55 +01:00
Michael Raskin
3022fff7db Adding Quantum Minigolf game 2013-10-28 00:09:46 +04:00
Eelco Dolstra
a3777ba4f9 Remove dependencies on the Nixpkgs location 2013-10-23 20:08:23 +02:00
Michael Raskin
f88aa22706 Allow non-SSL connections to vsftpd by default to let tests not specify certificate 2013-10-20 21:16:12 +04:00
Michael Raskin
a0bbc3e838 Add apparently missing option to vsftpd configuration 2013-10-20 20:39:37 +04:00
Michael Raskin
9b6f7c14ec Merge pull request #1060 from MarcWeber/submit/vsftpd
small vsftpd improvements
2013-10-20 08:58:21 -07:00
Eelco Dolstra
ae74b0ae58 sshd: Remove the usePAM option
Sshd *must* use PAM because we depend on it for proper session
management.  The original goal of this option (disabling password
logins) can also be implemented by removing pam_auth authentication
from sshd's PAM service.
2013-10-15 15:05:49 +02:00
Eelco Dolstra
a2c820c678 Turn security.pam.services into an attribute set
That is, you can say

  security.pam.services.sshd = { options... };

instead of

  security.pam.services = [ { name = "sshd"; options... } ];

making it easier to override PAM settings from other modules.
2013-10-15 14:47:51 +02:00
Marc Weber
4683774277 experimental/vsftpd
vsftpd improvements:
- introduce one declarative list of options
- make documentation strings more understandable and add missing options
  such as SSL/TLS support
- Use environment.etc."vsftpd".text because I can't think about any
  reason why a shell script should be used.
  That code was written in 2009.
2013-10-12 01:05:13 +02:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00