This avoids restarting the postgresql server, when only ensureDatabases
or ensureUsers have been changed. It will also allow to properly wait
for recovery to finish later.
To wait for "postgresql is ready" in other services, we now provide a
postgresql.target.
Resolves#400018
Co-authored-by: Marcel <me@m4rc3l.de>
By being in sync with the pname, it makes it easier to walk back from
the pname that shows in the /nix/store back to the attribute.
This change should not cause any rebuild.
These are the necessary changes for updating to 0.12, which supports dispatcherless operation by foregoing the dispatcher's unix socket in favour of UDP
When pdns-recursor is enabled it should ideally be the default resolver
for the host as well. This is probably good for 95% of the use-cases out
there, and the default for unbound and kresd, but also bind and dnsmasq.
source https://mozilla-services.readthedocs.io/en/latest/howtos/run-sync-1.5.html#howto-run-sync15
Quotation:
```
Firefox for Android (“Daylight”, versions 79 and later) does support using a non-Mozilla-hosted Sync server. Before logging in, go to App Menu > Settings > About Firefox and click the logo 5 times. You should see a “debug menu enabled” notification. Go back to the main menu and you will see two options for a custom account server and a custom Sync server. Set the Sync server to the URL given above and then log in.
To configure Android Firefox 44 up to 78 to talk to your new Sync server, just set the “identity.sync.tokenserver.uri” exactly as above before signing in to Mozilla accounts and Sync on your Android device.
Important: after creating the Android account, changes to “identity.sync.tokenserver.uri” will be ignored. (If you need to change the URI, delete the Android account using the Settings > Sync > Disconnect… menu item, update the pref, and sign in again.) Non-default TokenServer URLs are displayed in the Settings > Sync panel in Firefox for Android, so you should be able to verify your URL there.
```
the /token/ prefix is experimentally wrong.
The nixos `sshd.nix` module contains a
mechanism to generate ssh host keys prior to
starting sshd if those host keys are missing.
The option `services.openssh.hostKeys` is used to
configure which host keys should exist or be created.
It also declares the key type and other key-related options.
One of those options is `rounds`.
That one is then forwarded to the
`ssh-keygen` program with the `-a` option.
It defines how many rounds of a key derivation function
are to be used on the key's passphrase before the result
is used to en-/decrypt the private key; cf. ssh-keygen(1).
ssh host keys are passwordless;
they are solely protected by filesystem access modes.
Hence, the `-a` option is irrelevant
and silently ignored by `ssh-keygen`.
The commit at hand therefore removes this option from
the host key generation script and the option examples.
Add a module for pihole-ftl, which allows declaratively defining the
pihole.toml config file.
Also provide options for adlists to use, which can be added through the pihole
script (packaged as "pihole"). Other state such as clients and groups require
complex database operations, which is normally performed by the pihole
webapp (packaged as "pihole-web").
Extend the dnsmasq module to avoid duplication, since pihole-ftl is a soft-fork
of dnsmasq which maintains compatibility.
Provide the pihole script in `environment.systemPackages` so pihole-ftl can be
easily administrated.
null is the default, but setting it explicitly rather than relying on
the default results in collisions if users want to set their own gid.
Requiring mkForce here shouldn't be necessary when the module doesn't
specifically rely on the auto-allocation behaviour.
Change-Id: Ia541ac4e9c4d85b240386049b9947c607674a2f5
The options part of "services.headscale.settings" get rendered directly
into a JSON file. As such, any declared values need to match the actual
config key that upstream uses or they are ineffective.
One such key is "derp.auto_update_enable", which controls whether or not
auto-updates for the DERP map are enabled. This key is misspellt though:
the config is called "derp.auto_update_enabled", and that has always
been the case since the config has been introduced in 57f46ded (Split
derp into its own config struct, 2021-10-22). Any unknown key is simply
ignored by Headscale, and as such the setting is ineffective.
Fix this by renaming the option.
The new implementation of `mapAttrsToList` is simpler than the previous one, avoiding an extra string conversion. Benchmarking shows a slight performance improvement. See the discussion here: https://discourse.nixos.org/t/another-implementation-of-mapattrstolist
Additionally, I searched nixpkgs for expressions equivalent to the old `mapAttrsToList` and replaced them with direct calls to the new implementation.
- Start after network-online as ncps requires all upstreams to be online
and reachable when starting
- Remove a bad assertion causing failures at eval time when using
secrets management systems
We recently upgraded to cloudflare-dyndns 5.3:
24f9910708,
so we can now use this new `CLOUDFLARE_API_TOKEN_FILE` feature that
landed in v5.2: 1d563d2752
Use vwifi to write a proper test for Kismet. This test demonstrates how
to simulate wireless networks in NixOS tests, and extract meaningful
data by putting an interface in monitor mode using Kismet.
Initial implementation of the GoDNS service module. This module allows users to enable and configure the GoDNS service on their NixOS system. It includes options for specifying the GoDNS package and the path to the configuration file.
The manpage of dhcpcd says:
>If any interface reports a working carrier then dhcpcd will try to
>obtain a lease before forking to the background, otherwise it will fork
>right away.
- Change `folder.devices` type into `oneOf [(listOf str) (attrsOf
(submodule { ... }))]`.
- Expose `encryptionPassord` within the attrSet of the devices option.
This allows the user to set the encrpyption password use to share the
folder's data with. We do this by file path, as opposed to string
literal, because we do not want to embed the encrpyption password into
the nix store.
Rewrite the syncthing config update script to embed secrets into the
json request. Specifically, we handle the `encryptionPassword` secret.
With this code, the user can embed path to the encrpyption password for
a given device the folder is shared with, and have it loaded in, without
touching the nix store.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
This reverts commit a8b8f8f8c7.
It introduced a failure in the syncthing service, where it hangs at the
curl step, repeatedly printing this:
l3ijkvb20h5nnffg5q25i4nmcsbf7glx-merge-syncthing-config[1458]: curl: (22) The requested URL returned error: 404
l3ijkvb20h5nnffg5q25i4nmcsbf7glx-merge-syncthing-config[1458]: curl: (22) The requested URL returned error: 404
l3ijkvb20h5nnffg5q25i4nmcsbf7glx-merge-syncthing-config[1458]: curl: (22) The requested URL returned error: 404
[...]
This is unfortunately not detected by `nix-build -A syncthing.tests`.
Ref https://github.com/NixOS/nixpkgs/pull/390742
Add the options:
- lighthouse.serve_dns
- lighthouse.dns.host
- lighthouse.dns.port
Improve systemd capabilities handling:
- do not give CAP_NET_ADMIN when tunnel interface is disabled
- give CAP_NET_BIND_SERVICE when DNS is enabled
Add self as maintainer: I'm using Nebula on NixOS in prod.
Signed-off-by: Sirio Balmelli <sirio@b-ad.ch>
This is needed since clatd will use networkctl to attempt to obtain the
PLAT prefix, and networkctl uses UNIX domain sockets to communicate with
the systemd-networkd daemon over DBus.
Previously, this option was supposed to be a file of the form
`CLOUDFLARE_API_TOKEN=...`, which has a few problems:
- That's not an api token. It's an env file fit for passing to systemd's
`EnvironmentFile` option. The user could typo the variable name, or
intentionally/unintentionally include unrelated environment variables.
- It's not how secret files usually work in NixOS. Secret files are
usually just the secret, and don't leak details about how the secret
is passed to the service.
- This increases friction for people switching between cloudflare dyndns
services, such as `services.cloudflare-dyndns` and
`services.cfdyndns`, which both have a `apiToken` option, but (before
this change) with different semantics.
In afeb76d628, sshd.service and
sshd@.service were switched to Type=notify. This apparently works for
sshd.service, but not for sshd@.service. Given that the reason for
this working with sshd.service isn't exactly clear, let's revert it
for both of them for now, and revisit Type=notify later.
While it is probably a mistake in configuration to have declarative
routes configured but no certificate file, it is not always necessary to
have a working set up, so the assertion was removed.
The documentation for the certificateFile setting was reworked to
describe this.
Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:
- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`
Co-authored-by: Shelvacu <git@shelvacu.com>
Make the cloudflared tunnel service use systemd credentials and dynamic
users, removing the services.cloudflared.user and .group option.
Also add an option to provide the cert.pem file, without which tunnels
defined declaratively would not work.
Additionally, add an assertion checking that the certificate file is
provided if there are declarative routes defined.
`mlkem768x25519-sha256` and the vendor-neutral `sntrup761x25519-sha512`
name are new in OpenSSH 9.9 <https://www.openssh.com/txt/release-9.9>
Co-authored-by: Mynacol <Mynacol@users.noreply.github.com>
This is done in view of the Release of the new v3 of Bird.
Switch to the bird3 package for the `services.bird.package` option.
Switch the `bird` package alias to bird3.
...and `escapeShellArgs` for spool area program command lines.
The new function `mkSpoolCmd` adds the `-q` option
by default as it is needed by all such programs.
This adds a simple hardened systemd-based module for g3proxy, a generic
purpose forward proxy.
Change-Id: I8c6e5d2cc8a9faa2aea8c5df3af56756ffed542d
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Co-authored-by: Elias Coppens <elias.coppens@ens.fr>
When I initially tested this, the upstream seemed a good idea and worked
as expected but it no longer does and disconnects clients every 60
seconds indicated by the following line in tailscaled on the client:
magicsock: [0xc00444a640] derp.Recv(derp-901): derp.Recv: EOF
By connecting directly things work more reliable and there are no
connection resets every 60 seconds anymore.
It enables passing a sops-nix secret as a `settingsFile`
@see https://github.com/Mic92/sops-nix/issues/198.
By default sops-nix secrets are accessible by only root. We can change owner to another user, but the xray service is defined with `dynamicUser=true`, which means, there is no user in the compile time.
Systemd `loadCredential` passes the secret file to the service, which is exactly what we need here.
server_url check [has been loosened upstream][1] and backported to
NixOS[2]. The new, much looser check, is not practical to be implemented
in Nix (you are welcome to give it a try; I've implemented the original
one).
Since the surface area is much smaller now (and the scenario much less
common), I think we can remove this assertion altogether.
[1]: https://github.com/juanfont/headscale/pull/2248
[2]: https://github.com/NixOS/nixpkgs/pull/358255
radicale tries to connect to the systemd unix socket for logging. This
currently fails because it is not allowed to open sockets, then it falls
back to logging to stdout (printing a warning).
Allow radical to open unix sockets to fix this. This gives slightly
better logging experience (e.g. errors are marked red when sent through
the systemd log socket).
Fix the regression between NixOS 24.05 and 24.11 where using dhcpcd
(e.g. networking.useDHCP) and systemd-resolved
(services.resolved.enable) result in no "search" entry getting added to
/etc/resolv.conf, and dhcpcd logging the following error:
$ systemctl status dhcpcd
[...] dhcpcd[2896]: Failed to set DNS configuration: Interactive authentication required.
Fix it by adding a polkit rule that gives the required permissions to
the 'dhcpcd' user to manipulate resolved. The rule was made by using
polkit logging and allowing each action.id until the above error went
away, and /etc/resolv.conf got the correct search entry.
Due to undetermined hardening changes logging to syslog does not work
anymore, but we don't need it. We're running in a systemd unit so allow
logging to stdout instead.
KeepAlived: Support pkg override without overlaying
Co-authored-by: Antoine 'Toinux' Lesieur <toinux@nixos.local>
Co-authored-by: Arne Keller <arne.keller@posteo.de>
Merge conflict in `pkgs/by-name/en/envision/package.nix` between efb2d2b815fe9f7d12f4aab42c83e759db5ec716 (staging) and b9d59c4515ea7cd4595d342c9d87877b544e6dbd+de7a60960219b303cc44ad446f9e7ddaf23b9944 (staging-next).
It's hard to put the sourcing of ./.attrs.sh into all builder
consistently - mistakes will happen. Thus, load structured attrs once in
make-derivation and then source the remaining builder on top.
This should fix quite a few builders with structured attributes in
principle. Most importantly it helps substitute / substituteAll, which
are required for bootstrap on some platforms.
This patch fixes loading issues for pre shared keys for
peers without custom names. In this case the peer's public
key would be used in the name for the corresponding pre
shared key credential, causing a loading error.
The networking.wireguard base module already escapes some
base64 characters of the public key with escape sequences
starting with a backslash. This backslash is now replaced
with an underscore for use in the credential names.
This patch fixes an oversight in the initial implementation
of using systemd credentials in 6bc8dcc630
that would cause a warning to be logged about a missing credential
when presharedKeyFile wasn't set.
When obtaining the IP address from an interface iproute2 is missing:
"Unable to obtain information for 'bond-wan' -- missing ip or ifconfig command"
The prefix check to include iproute2 is incorrect for "usev4" and "usev6".
Currently the NixOS module checks for the "if" prefix. This prefix is
not valid with "usev4" and "usev6":
"Invalid Value for keyword 'usev4' = 'if'"
"ifv4" must be used with "usev4", and "ifv6" with "usev6".
I updated the nixos module to check for the correct prefix with "usev4"
and "usev6", and include iproute2 as necessary.
This fixes "frequency file /var/lib/ntp/ntp.drift.TEMP: Permission denied".
Creating a directory via StateDirectory makes that directory /var/lib/ntp owned by root:root.
However, when running ntpd we change to user ntp (see ntpFlags), so the process cannot
actually use that directory.
Actually creating a home directory for the user at that location solves that problem.
many of these plugins are expensive to build (e.g. they embed webkitgtk
for captive portals) or don't even build for some platform
(`pkgsCross...`), so it's nice to give an easy way to disable them.
