If it runs before the main service itself, the sqlite command may create an
empty database, causing the main service to not run the initial database setup.
- 0.53.0+ relicensed the server components
- as a result, split into per-component packages
- adds the 2 missing upload & relay components
- the tested behavior has changed
The RFC requires that we don't allow access to non-global v4 addresses
using the well-known 64:ff9b:: prefix, but there are some deployments
where it's convenient to permit this.
To make this work in tests, disable wkpf-strictness via the config
option introduced in bc18503e2ff1ee48ac472a67ba982dae76a5c2d3.
Tayga added 100.64.0.0 to the set of WKPF in
4dff17ef61821f5bc1996ce687a3dc317fd4fa50.
The previous setup caused all renewal units to be triggered upon
ever so slight changes in config. In larger setups (100+ certificates)
adding a new certificate caused high system load and/or large memory
consumption issues. The memory issues are already alleviated with
the locking mechanism. However, this then causes long delays upwards
of multiple minutes depending on individual runs and also causes
superfluous activations.
In this change we streamline the overall setup of units:
1. The unit that other services can depend upon is 'acme-{cert}.service'.
We call this the 'base unit'. As this one has `RemainAfterExit` set,
the `acme-finished-{cert}` targets are not required any longer.
2. We now always generate initial self-signed certificates to simplify
the dependency structure. This deprecates the `preliminarySelfsigned`
option.
3. The `acme-order-renew-{cert}` service gets activated after the base
unit and services using certificates have started and performs all acme
interactions. When it finishes, other services (like web servers) will
be notified through the `reloadServices` option, or they can use
`wantedBy` and `after` dependencies if they implement their own reload
units.
The renewal timer also triggers this unit.
4. The timer unit is explicitly blocked from being started by s-t-c.
5. Permission management has been cleaned up a bit: there was an
inconsistency between having the .lego files set to 600 vs 640
on the exposed side. This is unified to 640 now.
6. Exempt the account target from being restarted by s-t-c. This will
happen automatically if something relevant to the account changes.
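The unit layout described above, as an added configuration example that is not part of the commit: nginx is reloaded through `reloadServices` after each order/renewal, while a second service implements its own reload unit hooked onto `acme-order-renew-{cert}`. `example.com`, `my-app` and `my-app-reload` are placeholders.

```nix
# Added example, not from the commit. Assumes the NixOS acme and nginx modules.
{ config, pkgs, ... }:
{
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin@example.com";  # placeholder

  # nginx gets reloaded by acme-order-renew-example.com.service after
  # every successful ACME interaction (no acme-finished target needed).
  security.acme.certs."example.com".reloadServices = [ "nginx.service" ];

  services.nginx = {
    enable = true;
    virtualHosts."example.com" = {
      enableACME = true;
      forceSSL = true;
    };
  };

  # A service that only needs the key files to exist: order it after the
  # base unit acme-example.com.service, which has RemainAfterExit set.
  systemd.services.my-app = {
    wantedBy = [ "multi-user.target" ];
    wants = [ "acme-example.com.service" ];
    after = [ "acme-example.com.service" ];
    serviceConfig.ExecStart = "${pkgs.my-app}/bin/my-app";  # placeholder
  };

  # Its own reload unit: pulled in by, and ordered after, the renew unit,
  # so it runs once per order/renewal instead of on every config change.
  systemd.services.my-app-reload = {
    wantedBy = [ "acme-order-renew-example.com.service" ];
    after = [ "acme-order-renew-example.com.service" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.systemd}/bin/systemctl reload my-app.service";
    };
  };
}
```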
In some situations, the dynamic refresh can fail to bring up the
wireguard interface. If that happens, all subsequent refresh attempts
will fail because the 'ip link delete' command fails with "Cannot find
device". If this happens, we now proceed with the networkctl reload
anyway.
We could in theory just re-use the upstream one, but it sets User=root
which I'm not entirely comfortable with. Instead, add the settings we
were missing from that file here. Sadly, upstream doesn't configure a
syscall filter or similar.
This makes it easier to replace an asset by just setting the Nginx
virtual host's `locations."= robots.txt".alias`. Previously you had to
either replace the extraConfig with mkForce or clear it and use the
`alias` option.
Before this change, setting services.syncthing.enable to true would
enable Syncthing, but it wouldn’t add Syncthing’s man page to your
system. This change ensures that the man page is available.
I tested this change using this Nix expression:
```nix
let
  nixpkgsRepo = /path/to/nixpkgs/repo;
  pkgs = import nixpkgsRepo { };
in pkgs.testers.runNixOSTest {
  name = "syncthing-man-page-test";
  nodes.machine = {
    services.syncthing.enable = true;
  };
  testScript = ''
    start_all()
    machine.succeed("man syncthing > log.txt")
    machine.copy_from_vm("log.txt", ".")
  '';
}
```
Before this change, the syncthing module used two potentially different
packages for Syncthing. Sometimes, it would use cfg.package and
sometimes it would use pkgs.syncthing. This change makes the syncthing
module more consistent by making it always use cfg.package.
The reference to pkgs.syncthing was added in
1026bebee6. I looked through that commit
message and the thread for the pull request that it came from [1], and I
couldn’t find anything that explained why pkgs.syncthing was used over
cfg.package. I’m guessing that using pkgs.syncthing over cfg.package was
a mistake, but I’m not sure.
[1]: <https://github.com/NixOS/nixpkgs/pull/18973>
It is unclear where this list originated, but it doesn't make sense to
ship it with all networkmanager installations. The most excessive plugin
is openconnect, that ships a 250 MB closure including webkitgtk.
Instead users now have to specify the plugins they want explicitly. I
updated the option to give hints on how to find them as best as I can.
There is no point in having a special option to enable strongswan, when
we can just parse the intent from the plugin list instead.
Also pick up relevant runtime dependency information from the plugin
package instead of providing additional options or hardcoding them.
Bird configuration errors only print the line number without context.
Printing the configuration file with line numbers helps to identify the
faulty expression.
This avoids restarting the postgresql server, when only ensureDatabases
or ensureUsers have been changed. It will also allow to properly wait
for recovery to finish later.
To wait for "postgresql is ready" in other services, we now provide a
postgresql.target.
Resolves #400018
Co-authored-by: Marcel <me@m4rc3l.de>
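How a dependent service would consume the new target, as an added configuration example that is not part of the commit. It assumes the NixOS postgresql module and the `postgresql.target` unit name from the message; `myapp` and its package are placeholders.

```nix
# Added example, not from the commit.
{ config, pkgs, ... }:
{
  services.postgresql = {
    enable = true;
    # Changing only these no longer restarts the postgresql server.
    ensureDatabases = [ "myapp" ];
    ensureUsers = [
      { name = "myapp"; ensureDBOwnership = true; }
    ];
  };

  systemd.services.myapp = {
    wantedBy = [ "multi-user.target" ];
    # Wait for "postgresql is ready" via the target rather than
    # postgresql.service, so ensureDatabases/ensureUsers (and, later,
    # recovery) have completed before the application starts.
    requires = [ "postgresql.target" ];
    after = [ "postgresql.target" ];
    serviceConfig = {
      # DynamicUser yields OS user "myapp", matching the DB role for peer auth.
      DynamicUser = true;
      ExecStart = "${pkgs.myapp}/bin/myapp";  # placeholder package
    };
  };
}
```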
By being in sync with the pname, it makes it easier to walk back from
the pname that shows in the /nix/store back to the attribute.
This change should not cause any rebuild.
These are the necessary changes for updating to 0.12, which supports dispatcherless operation by foregoing the dispatcher's unix socket in favour of UDP
When pdns-recursor is enabled it should ideally be the default resolver
for the host as well. This is probably good for 95% of the use-cases out
there, and is the default for unbound and kresd, as well as bind and dnsmasq.
Source: https://mozilla-services.readthedocs.io/en/latest/howtos/run-sync-1.5.html#howto-run-sync15
Quotation:
```
Firefox for Android (“Daylight”, versions 79 and later) does support using a non-Mozilla-hosted Sync server. Before logging in, go to App Menu > Settings > About Firefox and click the logo 5 times. You should see a “debug menu enabled” notification. Go back to the main menu and you will see two options for a custom account server and a custom Sync server. Set the Sync server to the URL given above and then log in.
To configure Android Firefox 44 up to 78 to talk to your new Sync server, just set the “identity.sync.tokenserver.uri” exactly as above before signing in to Mozilla accounts and Sync on your Android device.
Important: after creating the Android account, changes to “identity.sync.tokenserver.uri” will be ignored. (If you need to change the URI, delete the Android account using the Settings > Sync > Disconnect… menu item, update the pref, and sign in again.) Non-default TokenServer URLs are displayed in the Settings > Sync panel in Firefox for Android, so you should be able to verify your URL there.
```
The /token/ prefix is experimentally wrong.
The nixos `sshd.nix` module contains a
mechanism to generate ssh host keys prior to
starting sshd if those host keys are missing.
The option `services.openssh.hostKeys` is used to
configure which host keys should exist or be created.
It also declares the key type and other key-related options.
One of those options is `rounds`.
That one is then forwarded to the
`ssh-keygen` program with the `-a` option.
It defines how many rounds of a key derivation function
are to be used on the key's passphrase before the result
is used to en-/decrypt the private key; cf. ssh-keygen(1).
ssh host keys are passwordless;
they are solely protected by filesystem access modes.
Hence, the `-a` option is irrelevant
and silently ignored by `ssh-keygen`.
The commit at hand therefore removes this option from
the host key generation script and the option examples.
Add a module for pihole-ftl, which allows declaratively defining the
pihole.toml config file.
Also provide options for adlists to use, which can be added through the pihole
script (packaged as "pihole"). Other state such as clients and groups require
complex database operations, which is normally performed by the pihole
webapp (packaged as "pihole-web").
Extend the dnsmasq module to avoid duplication, since pihole-ftl is a soft-fork
of dnsmasq which maintains compatibility.
Provide the pihole script in `environment.systemPackages` so pihole-ftl can be
easily administrated.