The RFC requires that we don't allow access to non-global v4 addresses
using the well-known 64:ff9b:: prefix, but there are some deployments
where it's convenient to permit this.
To make this work in tests, disable wkpf-strictness via the config
option introduced in bc18503e2ff1ee48ac472a67ba982dae76a5c2d3.
Tayga added 100.64.0.0 to the set of WKPF in
4dff17ef61821f5bc1996ce687a3dc317fd4fa50.
PR #431115 changed extraStructuredConfig to structuredExtraConfig to
follow the deprecation warning about `extraConfig`. However,
`extraStructuredConfig` was mentioned in several places in the docs that
weren't addressed. Also, using this would silently fail since the code
in question would still accept the old key.
This patch updates the docs accordingly and throws an error if the
code-path is reached and `extraStructuredConfig` is being used.
Makes the audit module responsible for setting up the audit subsystem of
the kernel. The auditd module is now only responsible for setting up the
daemon.
Enable the audit subsystem early via kernelParams.
Increase the default audit backlog limit so that it works out of the box
for a normal system.
Remove a superfluous and pointless test case.
Ever since fb49d81b25 we set
CONFIG_PSTORE=y in the config because we set CONFIG_ACPI_APEI=y in the
kernel. This means we always have pstore built right into the kernel.
systemd thus always mounts `/sys/fs/pstore` which makes our custom unit
superfluous and redundant.
The previous setup caused all renewal units to be triggered upon
ever so slight changes in config. In larger setups (100+ certificates)
adding a new certificate caused high system load and/or large memory
consumption issues. The memory issues are already alleviated with
the locking mechanism. However, this then causes long delays upwards
of multiple minutes depending on individual runs and also caused
superfluous activations.
In this change we streamline the overall setup of units:
1. The unit that other services can depend upon is 'acme-{cert}.service'.
We call this the 'base unit'. As this one has `RemainAfterExit` set,
the `acme-finished-{cert}` targets are not required any longer.
2. We now always generate initial self-signed certificates to simplify
the dependency structure. This deprecates the `preliminarySelfsigned`
option.
3. The `acme-order-renew-{cert}` service gets activated after the base
unit and services using certificates have started and performs all acme
interactions. When it finishes, other services (like web servers) will
be notified through the `reloadServices` option or they can use
`wantedBy` and `after` dependencies if they implement their own reload
units.
The renewal timer also triggers this unit.
4. The timer unit is explicitly blocked from being started by s-t-c.
5. Permission management has been cleaned up a bit: there was an
inconsistency between having the .lego files set to 600 vs 640
on the exposed side. This is unified to 640 now.
6. Exempt the account target from being restarted by s-t-c. This will
happen automatically if something relevant to the account changes.
An HCL config can be represented as JSON in different ways and we forced
users to use a list of attrsets for `cfg.settings.template` prior to
this change.
Similarly, a user may opt to use `vault-agent` exclusively as auth-proxy
without any templates, which would result in `null` ending up in the
resulting JSON configuration and prevent `vault-agent` from starting.
A lot of NixOS modules opt to recursively filter out any `null` values
when hitting this, either by defining a function in `apply =` in
`cfg.settings` or in the `format.generate` call, but that comes with its
own set of downsides.
While I personally can't think of a use-case involving `consul-template`
without templates, it does manage to start without one just fine and
`consul-template` is equally affected by our opinionated JSON
representation forced onto the user.
As such, we decided in favor of removing the option entirely in the
discussion leading up to this.
This is one of the 3 suggested implementations from issue 420208.
You can see the other 2 there too, if you are curious.
tl;dr: Non-breaking bug fix to allow using `vault-agent` without
templates and no longer forcing our opinionated JSON representation onto
the user.
Render documentation for modular services.
https://nixos.org/manual/nixos/unstable/#modular-services
This is admittedly not a great solution, but it is a rather simple
solution that we can use until we develop a proper one.
Flaws:
- These are rendered in the NixOS documentation, but modular services
are not meant to be exclusive to NixOS.
- They are rendered as NixOS options, but should be imported into
service submodules.
Benefits:
- Simple
- search.nixos.org integration for free
A basic NixOS system shouldn’t require `stdenv` to install, and
it adds something like 45 MiB of build tools to the installer
closure. This doesn’t really help much at present since
WebKitGTK(?!) has a dodgy reference to GCC, but it’s a step in the
right direction.
In some situations, the dynamic refresh can fail to bring up the
wireguard interface. If that happens, all subsequent refresh attempts
will fail because the 'ip link delete' command fails with "Cannot find
device". If this happens, we now proceed with the networkctl reload
anyway.