- Start after network-online as ncps requires all upstreams to be online
and reachable when starting
- Remove a bad assertion causing failures at eval time when using
secrets management systems
We recently upgraded to cloudflare-dyndns 5.3:
24f9910708,
so we can now use this new `CLOUDFLARE_API_TOKEN_FILE` feature that
landed in v5.2: 1d563d2752
Use vwifi to write a proper test for Kismet. This test demonstrates how
to simulate wireless networks in NixOS tests, and extract meaningful
data by putting an interface in monitor mode using Kismet.
Initial implementation of the GoDNS service module. This module allows users to enable and configure the GoDNS service on their NixOS system. It includes options for specifying the GoDNS package and the path to the configuration file.
The manpage of dhcpcd says:
>If any interface reports a working carrier then dhcpcd will try to
>obtain a lease before forking to the background, otherwise it will fork
>right away.
- Change `folder.devices` type into `oneOf [(listOf str) (attrsOf
(submodule { ... }))]`.
- Expose `encryptionPassord` within the attrSet of the devices option.
This allows the user to set the encrpyption password use to share the
folder's data with. We do this by file path, as opposed to string
literal, because we do not want to embed the encrpyption password into
the nix store.
Rewrite the syncthing config update script to embed secrets into the
json request. Specifically, we handle the `encryptionPassword` secret.
With this code, the user can embed path to the encrpyption password for
a given device the folder is shared with, and have it loaded in, without
touching the nix store.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
This reverts commit a8b8f8f8c7.
It introduced a failure in the syncthing service, where it hangs at the
curl step, repeatedly printing this:
l3ijkvb20h5nnffg5q25i4nmcsbf7glx-merge-syncthing-config[1458]: curl: (22) The requested URL returned error: 404
l3ijkvb20h5nnffg5q25i4nmcsbf7glx-merge-syncthing-config[1458]: curl: (22) The requested URL returned error: 404
l3ijkvb20h5nnffg5q25i4nmcsbf7glx-merge-syncthing-config[1458]: curl: (22) The requested URL returned error: 404
[...]
This is unfortunately not detected by `nix-build -A syncthing.tests`.
Ref https://github.com/NixOS/nixpkgs/pull/390742
Add the options:
- lighthouse.serve_dns
- lighthouse.dns.host
- lighthouse.dns.port
Improve systemd capabilities handling:
- do not give CAP_NET_ADMIN when tunnel interface is disabled
- give CAP_NET_BIND_SERVICE when DNS is enabled
Add self as maintainer: I'm using Nebula on NixOS in prod.
Signed-off-by: Sirio Balmelli <sirio@b-ad.ch>
This is needed since clatd will use networkctl to attempt to obtain the
PLAT prefix, and networkctl uses UNIX domain sockets to communicate with
the systemd-networkd daemon over DBus.
Previously, this option was supposed to be a file of the form
`CLOUDFLARE_API_TOKEN=...`, which has a few problems:
- That's not an api token. It's an env file fit for passing to systemd's
`EnvironmentFile` option. The user could typo the variable name, or
intentionally/unintentionally include unrelated environment variables.
- It's not how secret files usually work in NixOS. Secret files are
usually just the secret, and don't leak details about how the secret
is passed to the service.
- This increases friction for people switching between cloudflare dyndns
services, such as `services.cloudflare-dyndns` and
`services.cfdyndns`, which both have a `apiToken` option, but (before
this change) with different semantics.
In afeb76d628, sshd.service and
sshd@.service were switched to Type=notify. This apparently works for
sshd.service, but not for sshd@.service. Given that the reason for
this working with sshd.service isn't exactly clear, let's revert it
for both of them for now, and revisit Type=notify later.
While it is probably a mistake in configuration to have declarative
routes configured but no certificate file, it is not always necessary to
have a working set up, so the assertion was removed.
The documentation for the certificateFile setting was reworked to
describe this.
Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:
- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`
Co-authored-by: Shelvacu <git@shelvacu.com>
Make the cloudflared tunnel service use systemd credentials and dynamic
users, removing the services.cloudflared.user and .group option.
Also add an option to provide the cert.pem file, without which tunnels
defined declaratively would not work.
Additionally, add an assertion checking that the certificate file is
provided if there are declarative routes defined.
`mlkem768x25519-sha256` and the vendor-neutral `sntrup761x25519-sha512`
name are new in OpenSSH 9.9 <https://www.openssh.com/txt/release-9.9>
Co-authored-by: Mynacol <Mynacol@users.noreply.github.com>
This is done in view of the Release of the new v3 of Bird.
Switch to the bird3 package for the `services.bird.package` option.
Switch the `bird` package alias to bird3.
...and `escapeShellArgs` for spool area program command lines.
The new function `mkSpoolCmd` adds the `-q` option
by default as it is needed by all such programs.
This adds a simple hardened systemd-based module for g3proxy, a generic
purpose forward proxy.
Change-Id: I8c6e5d2cc8a9faa2aea8c5df3af56756ffed542d
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Co-authored-by: Elias Coppens <elias.coppens@ens.fr>
When I initially tested this, the upstream seemed a good idea and worked
as expected but it no longer does and disconnects clients every 60
seconds indicated by the following line in tailscaled on the client:
magicsock: [0xc00444a640] derp.Recv(derp-901): derp.Recv: EOF
By connecting directly things work more reliable and there are no
connection resets every 60 seconds anymore.
It enables passing a sops-nix secret as a `settingsFile`
@see https://github.com/Mic92/sops-nix/issues/198.
By default sops-nix secrets are accessible by only root. We can change owner to another user, but the xray service is defined with `dynamicUser=true`, which means, there is no user in the compile time.
Systemd `loadCredential` passes the secret file to the service, which is exactly what we need here.
server_url check [has been loosened upstream][1] and backported to
NixOS[2]. The new, much looser check, is not practical to be implemented
in Nix (you are welcome to give it a try; I've implemented the original
one).
Since the surface area is much smaller now (and the scenario much less
common), I think we can remove this assertion altogether.
[1]: https://github.com/juanfont/headscale/pull/2248
[2]: https://github.com/NixOS/nixpkgs/pull/358255
radicale tries to connect to the systemd unix socket for logging. This
currently fails because it is not allowed to open sockets, then it falls
back to logging to stdout (printing a warning).
Allow radical to open unix sockets to fix this. This gives slightly
better logging experience (e.g. errors are marked red when sent through
the systemd log socket).
Fix the regression between NixOS 24.05 and 24.11 where using dhcpcd
(e.g. networking.useDHCP) and systemd-resolved
(services.resolved.enable) result in no "search" entry getting added to
/etc/resolv.conf, and dhcpcd logging the following error:
$ systemctl status dhcpcd
[...] dhcpcd[2896]: Failed to set DNS configuration: Interactive authentication required.
Fix it by adding a polkit rule that gives the required permissions to
the 'dhcpcd' user to manipulate resolved. The rule was made by using
polkit logging and allowing each action.id until the above error went
away, and /etc/resolv.conf got the correct search entry.
Due to undetermined hardening changes logging to syslog does not work
anymore, but we don't need it. We're running in a systemd unit so allow
logging to stdout instead.
KeepAlived: Support pkg override without overlaying
Co-authored-by: Antoine 'Toinux' Lesieur <toinux@nixos.local>
Co-authored-by: Arne Keller <arne.keller@posteo.de>
Merge conflict in `pkgs/by-name/en/envision/package.nix` between efb2d2b815fe9f7d12f4aab42c83e759db5ec716 (staging) and b9d59c4515ea7cd4595d342c9d87877b544e6dbd+de7a60960219b303cc44ad446f9e7ddaf23b9944 (staging-next).
It's hard to put the sourcing of ./.attrs.sh into all builder
consistently - mistakes will happen. Thus, load structured attrs once in
make-derivation and then source the remaining builder on top.
This should fix quite a few builders with structured attributes in
principle. Most importantly it helps substitute / substituteAll, which
are required for bootstrap on some platforms.
This patch fixes loading issues for pre shared keys for
peers without custom names. In this case the peer's public
key would be used in the name for the corresponding pre
shared key credential, causing a loading error.
The networking.wireguard base module already escapes some
base64 characters of the public key with escape sequences
starting with a backslash. This backslash is now replaced
with an underscore for use in the credential names.
This patch fixes an oversight in the initial implementation
of using systemd credentials in 6bc8dcc630
that would cause a warning to be logged about a missing credential
when presharedKeyFile wasn't set.
When obtaining the IP address from an interface iproute2 is missing:
"Unable to obtain information for 'bond-wan' -- missing ip or ifconfig command"
The prefix check to include iproute2 is incorrect for "usev4" and "usev6".
Currently the NixOS module checks for the "if" prefix. This prefix is
not valid with "usev4" and "usev6":
"Invalid Value for keyword 'usev4' = 'if'"
"ifv4" must be used with "usev4", and "ifv6" with "usev6".
I updated the nixos module to check for the correct prefix with "usev4"
and "usev6", and include iproute2 as necessary.
This fixes "frequency file /var/lib/ntp/ntp.drift.TEMP: Permission denied".
Creating a directory via StateDirectory makes that directory /var/lib/ntp owned by root:root.
However, when running ntpd we change to user ntp (see ntpFlags), so the process cannot
actually use that directory.
Actually creating a home directory for the user at that location solves that problem.
many of these plugins are expensive to build (e.g. they embed webkitgtk
for captive portals) or don't even build for some platform
(`pkgsCross...`), so it's nice to give an easy way to disable them.
this should not result in any observable change by default, the
motivation is to make working on either one of these components in
isolation of the other a bit easier.
nm-file-secret agent is a small agent that can supply secrets of
connection profiles to NetworkManager by reading the contents of
preconfigured files.
These files could be supplied e.g. by nixos-sops or any other mechanism.
This patch fixes systemd credential loading for wireguard
with networkd not working when specifying more than one
credential per interface by properly flattening the resulting
multidimensional list instead of falling back on string concat
with a space.
Resolves#365402
Enabling networking.wireguard.useNetworkd currently requires users to
modify the permissions of their private key files. Since that is a bad
upgrade experience, the module should be disabled by default for now.
Once systemd credential support is added to the module, it should be
safe to once again enable it by default for networkd users.
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build a08b3a4d19.tar.gz \
--argstr baseRev b32a094368
result/bin/apply-formatting $NIXPKGS_PATH
like the toplevel hickory-dns.settings, options here are handled by the
hickory-dns binary: users should be able to specify options that the
nixos module has overlooked.
The current default configuration, automatic channel selection with
the HT40- capability, is explicitly disallowed by an assertion in this
module.
This is a result of recent change to default to automatic channel
selection in 1047f0a6bf.
FRR intends for non-root users to connect to the VTY sockets if they
are members of the frrvty group, however this is not possible if
non-root/non-frr users cannot access the runtime directory. The
sockets used by the FRR daemons for internal IPC are also created in
the runtime directory, however these are created with appropriately
restrictive permissions to prevent interference.
services.bind.cacheNetworks should only apply to recursive queryies, as
per the option documentation:
> Note that this is for recursive queries – all networks are allowed to
> query zones configured with the zones option by default [...].
This would correspond to the `allow-query-cache` option in named.conf,
as per the BIND docs[1]:
> Specifies which hosts (an IP address list) can access this server’s
> cache and thus effectively controls recursion.
And not `allow-query`, which restricts all requests (including requests
where the server has authority) [2]:
> Specifies which hosts (an IP address list) are allowed to send queries
> to this resolver.
> [...]
> Note:
> `allow-query-cache` is used to specify access to the cache.
[1]: https://bind9.readthedocs.io/en/v9.20.0/reference.html#namedconf-statement-allow-query-cache
[2]: https://bind9.readthedocs.io/en/v9.20.0/reference.html#namedconf-statement-allow-query
The `saePasswordsFile` option mentions that lines beginning with `#` are
ignored, however the current regexp ignores all lines with `#` located
anywhere in the line. In order to better fit the documentation, the
regexp has been changed to only allow `#` at the beginning of the line,
with optional whitespace.
If dhcpcd receives a secondary IPv4 address from the DHCP server it
tries to enable automatic promotion from secondary to primary by writing
`1` to /proc/sys/net/ipv4/conf/%s/promote_secondaries.
`wpa_supplicant` refuses to start when `configFile.path == null` because this
omits the `-c` (‘Configuration file’) option, which it requires even if the
`-I` (‘additional configuration file’) option is provided. If `configFile.path
== null`, pass `extraConfFile` with `-c` instead of `-I` to prevent this.
Group only needs limited access, while other users don't need access at
all. So set the UMask to 027.
Signed-off-by: Felix Singer <felixsinger@posteo.net>
It was breaking knot-dns.tests.knot
New knotd uses fchown to cover cases where user changes during startup.
In typical Linux cases the user is kept the same and there are
capabilities instead, but the syscall still happens and got caught here.
systemd requires paths in `ReadWritePaths=` to exist before setting up
the service sandbox, so dhcpcd should be ordered after resolvconf.
Making resolvconf a oneshot service ensure `After=resolvconf.service`
works correctly.
We cannot use `mkRenamedOptionModule` or `mkRemovedOptionModule` inside
a freeform option. Thus we have to manually assert these deprecated
options aren't used rather than aliasing them to their replacement.
Some users would like to customize it.
Also, in current versions of fedimint p2p port in the URL
must be set, due to some bug, so update the example value
to reflect that.
- use upstream service and scripts
- switch to integrated-vtysh-config, abandon per-daemon config
- use always daemon names in options (e.g. ospf -> ospfd)
- zebra, mgmtd and staticd are always enabled
- abandon vtyListenAddress, vtyListenPort options; use
just "extraOptions" or "options" instead, respectively
- extend test to test staticd
- update release-notes
- pkgs.servers.frr: fix sbindir and remove FHS PATH
- introduce services.frr.openFilesLimit option
