nixpkgs/nixos/modules/services
Martin Weinelt d1d8dd3e55
nixos/knot: add support for XDP setups
The Express Data Path (XDP) is a way to circumvent the traditional Linux
networking stack and instead run an eBPF program on your NIC that makes
the decision to provide Knot with certain packets. This is way faster
and more scalable but comes at the cost of reduced introspection.

Unfortunately, the `knotc conf-check` command fails hard with missing
interfaces or IP addresses configured in `xdp.listen`, so we disable it
for now once the `xdp` config section is set. We also promote the config
check condition to a proper option, so our conditions become public
documentation, and we allow users to deal with corner cases that we have
not thought of yet.

We follow the prerequisites documented in the Knot 3.3 manual, and set
up the required capabilities and allow the AF_XDP address family.

But on top of that, due to our strict hardening, we found two more
requirements that were communicated upstream while debugging this.

- There is a requirement on AF_NETLINK, likely to query for and configure
  the relevant network interface
- Running eBPF programs requires access to the `bpf` syscall, which we
  deny through the `~@privileged` configuration.

In summary, we now conditionally loosen the hardening of the unit once we
detect that an XDP configuration is wanted. And since we cannot
introspect arbitrary files from the `settingsFiles` option, we expose XDP
support through the `enableXDP` toggle option on the module.
2024-02-13 13:44:31 +01:00
admin pgadmin: 8.1 -> 8.2 2024-01-13 09:54:32 +01:00
amqp nixos/rabbitmq: Rename cookie -> unsafeCookie 2024-02-04 21:41:29 +01:00
audio Merge pull request #255707 from micahsoftdotexe/update-navidrome 2024-01-28 00:08:18 +01:00
backup Merge pull request #275621 from Yarny0/tsm-client-update 2024-02-06 17:17:40 +01:00
blockchain/ethereum treewide: replace mkPackageOptionMD with mkPackageOption 2023-11-30 19:03:14 +01:00
cluster nixos/kubernetes: use correct -o option with bash install when copying certs in cfssl prestart script 2024-02-10 01:46:00 -08:00
computing Merge pull request #261702 from h7x4/replace-mkoption-with-mkpackageoption 2023-11-30 02:49:30 +01:00
continuous-integration nixos/github-runners: add a group option to set the executing group 2024-02-09 16:58:09 +01:00
databases Merge pull request #279268 from superherointj/etcd-fix-firewall-startup 2024-02-05 00:37:09 +01:00
desktops nixos: fix a bunch of services missing dep on network-online.target 2024-01-19 00:11:34 -08:00
development livebook: Set KillMode=mixed 2024-01-26 20:19:49 +01:00
display-managers Merge pull request #268497 from katexochen/greetd/tuigreet-dir 2023-12-07 10:04:09 +01:00
editors nixos/emacs: drop custom emacsclient desktop file 2024-01-20 08:21:08 +08:00
finance treewide: use mkPackageOption 2023-11-27 01:28:36 +01:00
games nixos/archisteamfarm: allow bots.*.passwordFile to be null (#284978) 2024-02-05 01:18:23 +01:00
hardware nixos/fwupd: make test option internal, be explicit about removal 2024-02-11 20:27:02 +01:00
home-automation nixos/home-assistant: always add dependencies for default integrations 2024-02-11 04:09:52 +01:00
logging nixos: fix a bunch of services missing dep on network-online.target 2024-01-19 00:11:34 -08:00
mail nixos/dovecot: fix sieve script config generation 2024-01-29 19:42:55 +01:00
matrix nixos/matrix-synapse: fix recursive filtering of null values 2024-02-09 16:05:05 +01:00
misc Merge pull request #277220 from nu-nu-ko/nixos-jellyfin-dirs 2024-02-12 14:06:46 +01:00
monitoring nixos/rustdesk-server: add extra args options for hbbr and hbbs 2024-02-12 13:41:08 +01:00
network-filesystems Merge pull request #280373 from h7x4/treewide-use-new-tmpfiles-api 2024-01-26 10:47:18 +01:00
networking nixos/knot: add support for XDP setups 2024-02-13 13:44:31 +01:00
printing nixos/cupsd: allow cups package override 2023-12-28 08:58:01 -08:00
scheduling
search nixos/hound: adopt, rework, cleanup (#268983) 2023-12-05 15:59:26 +01:00
security kanidm: 1.1.0-rc.15 -> 1.1.0-rc.16 2024-02-07 14:14:39 +01:00
system nixos/systemd-lock-handler: init 2024-01-27 11:55:46 +02:00
torrent treewide: use new tmpfiles api 2024-01-24 05:13:17 +01:00
tracing
ttys
video frigate: 0.12.1 -> 0.13.1 2024-02-06 22:54:22 +01:00
wayland
web-apps Merge pull request #282971 from wegank/restya-board-drop 2024-02-10 17:28:05 +01:00
web-servers nixos/nginx: turn auth_request off for ACME challenge 2024-02-05 00:33:33 -08:00
x11 Merge pull request #232528 from SuperSandro2000/chromium-kde 2024-02-10 17:15:14 +01:00