most modules can be evaluated for their documentation in a very
restricted environment that doesn't include all of nixpkgs. this
evaluation can then be cached and reused for subsequent builds, merging
only documentation that has changed into the cached set. since nixos
ships with a large number of modules of which only a few are used in any
given config this can save evaluation a huge percentage of nixos
options available in any given config.
in tests of this caching, despite having to copy most of nixos/, saves
about 80% of the time needed to build the system manual, or about two
second on the machine used for testing. build time for a full system
config shrank from 9.4s to 7.4s, while turning documentation off
entirely shortened the build to 7.1s.
Sometimes it is preferable to configure forwarding only for bind
instead of relying on direct lookups.
This patch makes it possible to configure the forward setting to
either "first" (the default) or "only".
This commit introduces `services.adguardhome.settings` and
`services.adguardhome.mutableSettings`.
The first option allows declarative configuration of
AdGuard Home, while the second one controls whether changes
made in the web interface are kept between service restarts.
Co-authored-by: Aaron Andersen <aaron@fosslib.net>
Fix a typo in the kea-dhcp-ddns-server unit definition, and add a
KEA_LOCKFILE_DIR environment variable without which kea daemons try to
access a lockfile under /var/run/kea path, which is prevented by
systemd's ProtectSystem (or one of the other Protect*) mechanism.
kea-dhcp-ddns-server doesn't react to updates from dhcp4 server at all
without it.
- Added defaultText for all inheritable options.
- Add docs on using new defaults option to configure
DNS validation for all domains.
- Update DNS docs to show using a service to configure
rfc2136 instead of manual steps.
openFirewall is the much more common name for an option with this
effect. since the default was `true` all along, renaming it doesn't hurt
much and only improves consistency with other modules.
some options have default that are best described in prose, such as
defaults that depend on the system stateVersion, defaults that are
derivations specific to the surrounding context, or those where the
expression is much longer and harder to understand than a simple text
snippet.
escape interpolations in descriptions where possible, replace them with
sufficiently descriptive text elsewhere. also expand cfg.* paths in
descriptions.
This reverts commit 6af3d13bec.
Reported by @arcnmx
(https://github.com/NixOS/nixpkgs/pull/148179#issuecomment-987197656):
Does this not completely break the service? It doesn't change the
owner to the same as the ddclient server (which is somewhat difficult
due to it being a DynamicUser), so this now makes the service
completely unusable because the config is only readable by its owner,
root:
ddclient[871397]: WARNING: file /run/ddclient/ddclient.conf: Cannot open file '/run/ddclient/ddclient.conf'. (Permission denied)
Given that the RuntimeDirectory was only readable by the ddclient
service, the warning this PR fixes was spurious and not indicative of
an actual information leak. I'm not sure of what a quick fix would be
due to DynamicUser, but would at least request a revert of this so the
service can work again?
dhdpcd 9 support privilege separation with a dedicated user and seccomp
filtering. this has been enabled for a while in other distributions as
well.
if the dhcpcd module is not used and the _dhcpcd user/group isn't
definied otherwise dhcpcd will fall back to not using privsep.
by @erictapen:
- Removed note about testing and moved it to passthru.tests
- Removed patch, as it is probably the same as
56b2bb17d2ec67e1f93950944211f6cf8c40e0fb, wich landed in upstream.
other changes:
- changed PIDFile in the module, since dhcpcd 9 changed the location
this setting was added in 2016 in commit
bcdd81d9e1
the posibility to preferTempAddress was added to
nixos/network-interface in 2018 in commit
1fec496f38
preferTempAddress was renamed to tempAddress
in 2020 in commit 2485e6399e
therefore this setting is redundant since nm will use the sysctl option
nixos/network-interfaces: add default to sysctl so that the value for it
is set
networkmanager falls back to it
https://man.archlinux.org/man/NetworkManager.conf.5
Use service internal bind mounts instead of global ones.
This also moves the logs to /var/log/unifi on the host
and the run directory to /run/unifi.
Closes#61424
Details on https://github.com/NixOS/nixops/issues/1063#issuecomment-453253666.
`partOf` makes that if `smokeping.service` is stopped, `thttpd.service` will
be stopped as well.
(But not that `thttpd` will be started when `smokeping` is started).
Once `thttpd.service` is stopped that way, `Restart = always` will not apply.
When the smokeping config options are changed, NixOS's `switch-configuration.pl`
will stop `smokeping` (whit shuts down thttpd due to `partOf`), and then restart
smokeping; but this does not start thttpd.
As a result, thttpd will be off after changing the config, which isn't desired.
This commit fixes it by removing the `partOf`, which makes `Restart` work
as expected.
This avoids a common problem:
Until now, port forwarding to multiple hosts running smokeping did not work;
they all show the data of the first smokeping instance.
That ws because the image URLs generated by smokeping are absolute
(`imgurl` setting).
Consequently, if you ran
ssh node-1 -L 8081:localhost:8081
ssh node-2 -L 8081:localhost:8082
ssh node-3 -L 8081:localhost:8083
and try to open http://localhost:8081, http://localhost:8082 and
http://localhost:8083, they all would show the images of node-1!
Using a relative `imgurl` fixes that.
As per smokeping docs on `imgurl`:
> Either an absolute URL to the `imgcache` directory or one relative to the
> directory where you keep the SmokePing cgi.
This module was written by @puckipedia for nixcon-video-infra 2020.
Minor changes made by @cleeyv for compat with existing jibri package.
Co-authored-by: Puck Meerburg <puck@puck.moe>
This option enables a jibri service on the same host that is running
jitsi-meet. It was written, along with the jibri module, by @puckipedia
for nixcon-video-infra 2020.
Co-authored-by: Puck Meerburg <puck@puck.moe>
during the rewrite the checkPasswords=false feature of the old module
was lost. restore it, and with it systems that allow any client to use
any username.
mosquitto needs a lot of attention concerning its config because it doesn't
parse it very well, often ignoring trailing parts of lines, duplicated config
keys, or just looking back way further in the file to associated config keys
with previously defined items than might be expected.
this replaces the mosquitto module completely. we now have a hierarchical config
that flattens out to the mosquitto format (hopefully) without introducing spooky
action at a distance.
unifi does not shut down properly when stopped via systemd (it always exits with
SIGTERM exit status) because systemd wants stop commands to not exit before the
main command is gone and unifi does not comply. the easiest way around this is
to have systemd send an ignored signal after the stop command has exited.
unifi may still throw exceptions during shutdown, but it *does* exit cleanly as
far as systemd is concerned now.
In case of a power loss shortly after first boot,
the host keys gernerated by ssh-keygen could exist
in the file system but have zero size, preventing
sshd from starting up.
This commit changes the behaviour to generate host
keys if the file either does not exist or has zero
size, fixing the problem on the next boot.
Thanks to @SuperSandro2000 for figuring this out.
The multipath-tools package had existed in Nixpkgs for some time but
without a nixos module to configure/drive it. This module provides
attributes to drive the majority of multipath configuration options
and is being successfully used in stage-1 and stage-2 boot to mount
/nix from a multipath-serviced iSCSI volume.
Credit goes to @grahamc for early contributions to the module and
authoring the NixOS module test.
The service can run unprivileged -- by using capabilities -- and the
uid/gid can be dynamically allocated since there are only a handful of
state files.
This change improves the overall security of the service by leveraging
systemd's hardening and getting rids of `nogroup` and the initial root
permissions (before the daemon drop privileges).
After recent change `services.smokeping.enable = true;` system
started failing the build as:
```
nixpkgs-master $ nix build --no-link -f nixos system --keep-going
...
Checking that Nix store paths of all wrapped programs exist... FAIL
The path /nix/store/kr2sr80g9ny74im6m6dyh9v44hnzm261-fping-5.0/bin/fping6 does not exist!
Please, check the value of `security.wrappers."fping6".source`.
```
`fping` does not provide `fping6` binary for a while. Let's just remove it.
Closes: https://github.com/NixOS/nixpkgs/issues/138581
- Detailed initial config generation process.
- Detailed Nginx Configuration.
- Detailed private/public conf split.
docs: Improved documentation of Pleroma service
Secrets are only in the private file, and in a draft format for avoiding GitHub
complaints.
Fixed Nginx configuration.
docs: Improved the Nginx reverse proxy settings of Pleroma service
I noticed this minor grammar mistake when running update.nix, and then
while grepping to find the source I noticed we had it a few times in
Nixpkgs. Just as easy to fix treewide as it was to fix the one
occurrence I noticed.
Dash `echo` interprets backslash escapes. This causes two consecutive backslashes in JSON to turn into a single one before the string is passed to jq, resulting in a parsing error.
This is useful for situations in which you might want to reset certain
things using `--reset-database` or `--reset-deltas` or debug certain
things using any of the debug options like `--debug-perf-stats`.
Signed-off-by: Jakub Sokołowski <jakub@status.im>
This sets up a different systemd service for each interface. This way
each wpa_supplicant instance waits for his inteface to become ready
using the respective device unit, and that only. The configuration file
is still shared between all instances, though.
This closes a longstanding "fixme" from cbfba81.
- Add an option to automatically launch a scan when the
signal of the current network is low
- Enable 802.11r (fast access point transition) by default for all
protected networks
I may have finally found a clean solution to the issues[1][2][3] with
the automatic discovery of wireless network interfaces.
[1]: https://github.com/NixOS/nixpkgs/issues/101963
[2]: https://github.com/NixOS/nixpkgs/issues/23196
[3]: https://github.com/NixOS/nixpkgs/pull/125917#issuecomment-856000426
Currently the start script fails right away if no interface is available
by the time it's running, possibly leaving the system without network.
This happens when running a little early in the boot. A solution is to
instead wait for at least one interface to appear before scanning the
/sys/class/net/ directory. This is done here by listening for the right
udev events (from the net/wlan subsystem) using the `udevadm monitor`
command and grep to match its output.
This methods guarantees the availability of at least one interface to
wpa_supplicant, but won't add additional interfaces once it has started.
However, if the current interface is lost, say unplugged, the service is
automatically stopped and will be restarted as soon as a one (not
necessarily the same) is detected. It would be possible make this fully
dynamic by running another service that continously listen for udev
events and manages the main wpa_supplicant daemon, but this is probably
overkill.
I tested the following cases:
- one interface, starting at boot, w/o predictable naming scheme
- two interfaces, starting at boot (intel wireless and a usb adapter),
w/o predictable naming scheme
- one interface after the system booted, w/o predictable naming scheme
- two interfaces after the system booted, w/o predictable naming scheme
- unplugging and plugging back the current interface
The pppd daemon starting with version 2.4.9 uses rtnetlink to configure
the ipv6 peer address on the ppp interface. It therefore requires
allowing AF_NETLINK sockets.
The kernel before version 5.7 required CAP_SYS_ADMIN to conduct BPF
operations. After that a separate capability CAP_BPF was created, which
should be sufficient in this scenario and will further tighten the
sandbox around our pppd service.
Tested on my personal DSL line.
- The order of NSS (host) modules has been brought in line with upstream
recommendations:
- The `myhostname` module is placed before the `resolve` (optional) and `dns`
entries, but after `file` (to allow overriding via `/etc/hosts` /
`networking.extraHosts`, and prevent ISPs with catchall-DNS resolvers from
hijacking `.localhost` domains)
- The `mymachines` module, which provides hostname resolution for local
containers (registered with `systemd-machined`) is placed to the front, to
make sure its mappings are preferred over other resolvers.
- If systemd-networkd is enabled, the `resolve` module is placed before
`files` and `myhostname`, as it provides the same logic internally, with
caching.
- The `mdns(_minimal)` module has been updated to the new priorities.
If you use your own NSS host modules, make sure to update your priorities
according to these rules:
- NSS modules which should be queried before `resolved` DNS resolution should
use mkBefore.
- NSS modules which should be queried after `resolved`, `files` and
`myhostname`, but before `dns` should use the default priority
- NSS modules which should come after `dns` should use mkAfter.
This allows users of the bind module to specify an alternate BIND
package. For example, by overriding the source attribute to use a
different version of BIND.
Since the default value for `services.bind.package` is `pkgs.bind`,
this change is completely backwards compatible with the current
module.
The previous justification for using "VERBOSE" is incorrect,
because OpenSSH does use level INFO to log "which key was used
to log in" for sccessful logins, see:
6247812c76/auth.c (L323-L328)
Also update description to the wording of the sshd_config man page.
`fail2ban` needs, sshd to be "VERBOSE" to work well, thus
the `fail2ban` module sets it to "VERBOSE" if enabled.
The docs are updated accordingly.
Reload only works with a static configuration path as there is no way to
pass the dynamically generated config path to a running solanum
instance, therefore we symlink the configuration to
/etc/solanum/ircd.conf.
But that will prevent reloads of the ircd, because the systemd unit
wouldn't change when the configuration changes. That is why we add the
actual location of the config file to restartTriggers and enable
reloadIfChanged, so changes will not restart, but reload on changes.
tailscale allows to specify the interface name.
The upstream systemd unit does not expose it directly however, only
via the `FLAGS` environment variable.
I can’t be 100% sure that the escaping is correct, but this is as good
as we can do for now, unless upstream changes their unit file.
Adds the `networking.networkmanager.connectionConfig` option which allows setting arbitrary settings inside the `[connection]` section.
This also reworked the underlying representation significantly to be less string-pasting and more semantic. In a future step it probably makes sense to provide raw access to other sections to users rather than replying on `extraConfig`. However I decided to defer this primarily because ordering of sections can matter. (Although IIUC this is only true for different `[connection]` sections). I think in the future we could expose an object where users can define/edit all sections and map the current configuration onto those. For now however only `[connection]` is exposed and the rest are just used internally.
Currently tailscaled expects `sysctl` (from package procps) to be present
in the path when running on Linux. It can function without the `sysctl`
command present but it prints an error about it. This fixes that error.
Warning: couldn't check net.ipv4.ip_forward (exec: "sysctl":
executable file not found in $PATH).
Signed-off-by: Christine Dodrill <me@christine.website>
As per `man systemd.path`:
> When a service unit triggered by a path unit terminates
> (regardless whether it exited successfully or failed),
> monitored paths are checked immediately again,
> **and the service accordingly restarted instantly**.
Thus the existence of the path unit made it impossible to stop the
wireguard service using e.g.
systemctl stop wireguard-wg0.service
Systemd path units are not intended for program inputs such
as private key files.
This commit simply removes this usage; the private key is still
generated by the `generateKeyServiceUnit`.
use it when networkmanager or wpa_supplicant is enabled.
fixes#57053
fixes "Direct firmware load for regulatory.db failed with error -2"
in dmesg
Note that all kernels on unstable are newer that 4.15, which is required
for this to work.
Also document that `ProtectClock` blocks access to serial line.
I couldn't found out why this is the case,
but faxgetty complains about the device file
not being accessible with `ProtectClock=true`.
According to
https://github.com/NixOS/nixpkgs/pull/84556
this effort helps with cross-compilation.
This commit also renames a substituted variable `hylafax`
to `hylafaxplus` to permit substitution with `inherit`.
The radicale version is no longer chosen automatically based on
system.stateVersion because that gave the impression that old versions
are still supported.
Follow RFC 42 by having a settings option that is
then converted into an unbound configuration file
instead of having an extraConfig option.
Existing options have been renamed or kept if
possible.
An enableRemoteAccess has been added. It sets remote-control setting to
true in unbound.conf which in turn enables the new wrapping of
unbound-control to access the server locally. Also includes options
'remoteAccessInterfaces' and 'remoteAccessPort' for remote access.
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Fixes these two deprecation warnings, by moving away from these options
towards a simple listener configuration.
> The 'bind_address' option is now deprecated and will be removed in a future version. The behaviour will default to true.
> The 'port' option is now deprecated and will be removed in a future version. Please use 'listener' instead.
Fixes: #120860
It can still network, it can only access the ssl related files if ssl is
enabled.
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ DeviceAllow= Service has a device ACL with some special devices 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
Standard best-practice shell quoting, which can prevent the most
horrible production accidents.
Note that we cannot use `+ optionalString someBool '' someString''`
because Nix's multi-line ''double-quoted'' strings remove leading
whitespace.
Until now, the `touch + chmod 600 + write` approach made it possible for
an unprivileged local user read the private key file, by opening
the file after the touch, before the read permissions are restricted.
This was only the case if `generatePrivateKeyFile = true` and the parent
directory of `privateKeyFile` already existed and was readable.
This commit fixes it by using `umask`, which ensures kernel-side that
the `touch` creates the file with the correct permissions atomically.
This commit also:
* Removes `mkdir --mode 0644 -p "${dirOf values.privateKeyFile}"`
because setting permissions `drw-r--r--` ("nobody can enter that dir")
is awkward. `drwx------` would perhaps make sense, like for `.ssh`.
However, setting the permissions on the private key file is enough,
and likely better, because `privateKeyFile` is about that file
specifically and no docs suggest that there's something special
about its parent dir.
* Removes the `chmod 0400 "${values.privateKeyFile}"`
because there isn't really a point in removing write access from
the owner of the private key.
The last bits to prevent babeld from running unprivileged was its
kernel_setup_interface routine, that wants to set per interface
rp_filter. This behaviour has been disabled in a patch that has been
submitted upstream at https://github.com/jech/babeld/pull/68 and reuses
the skip-kernel-setup config option.
→ Overall exposure level for babeld.service: 1.7 OK 🙂
Upstream repositories do no longer exists. There has been no release in
a while. - Not a good combination for a network daemon running as root
in C that parses network packets...
For a while now it's possible to specify an additional config file in
`wpa_supplicant`[1]. In contrast to the file specified via `-c` this was
supposed to be used for immutable settings and not e.g. additional
networks.
However I'm a little bit unhappy about the fact that one has to choose
between a fully imperative setup and a fully declarative one where the
one would have to write credentials for e.g. WPA2-enterprise networks
into the store.
The primary problem with the current state of `wpa_supplicant` is that
if the `SAVE_CONFIG` command is invoked (e.g. via `wpa_cli`), all known
networks will be written to `/etc/wpa_supplicant.conf` and thus all
declarative networks would get out of sync with the declarative
settings.
To work around this, I had to change the following things:
* The `networking.wireless`-module now uses `-I` for declarative config,
so the user-controlled mode can be used along with the
`networks`-option.
* I added an `ro`-field to the `ssid`-struct in the
`wpa_supplicant`-sources. This will be set to `1` for each network
specified in the config passed via `-I`.
Whenever config is written to the disk, those networks will be
skipped, so changes to declarative networks are only temporary.
[1] https://w1.fi/cgit/hostap/commit/wpa_supplicant?id=e6304cad47251e88d073553042f1ea7805a858d1
As the only consequence of isSystemUser is that if the uid is null then
it's allocated below 500, if a user has uid = something below 500 then
we don't require isSystemUser to be set.
Motivation: https://github.com/NixOS/nixpkgs/issues/112647
The haskellPackages.spacecookie derivation also includes a library and
thus a lot of propagated haskell dependencies. The top-level attribute
uses haskell.lib.justStaticExecutables and therefore only the
executable. This should reduce the runtime closure users have to
download considerably if they only want the server.
* Move `hostname` and `root` into a settings submodule with a freeform
type, allowing users to also use options not known to the NixOS
service. Compatibility with a warning for the renamed options is also
trivial to achieve.
* `port` stays where it is as we don't actually use the `port` option of
spacecookie to set up the socket, but only to inform spacecookie about
the port we have set in the `systemd.socket` file, this makes more
sense. Additionally the configuration of the listening port and
address change in the next spacecookie release — we can dodge this
issue altogether by doing our own thing, but I'm interested to hear
opinions on this.
To ensure that this is not misconfigured, we add an assertion for
the port option.
* Add an assertion for `user` in settings which has no effect the way
we are starting spacecookie as it wouldn't be able to call setuid.
The message also explains how a specific user can be used with
spacecookie if desired.
This configuration option reflects a new feature from the unreleased
spacecookie version allowing to customize the address spacecookie will
listen on (e. g. "::1" to bind on link-local addresses only). We will
not use this feature in the future, since the configuration option of
spacecookie naturally only has an effect if we don't use socket
activation (and spacecookie sets up its own socket), but having the same
functionality in the service seems like a good idea.
We can luckily emulate this behavior with socket activation as well.
This allows to change the derivation to use for the spacecookie server
binary. We probably should also use justStaticExecutables by default to
reduce the runtime closure of the service.
Maximum password length per cjdns code is somehwhere less than that, see
ecd01e7681/client/AdminClient.c (L80)
Currently we generate 96 char long passwords that don't work
This changes it so password length is just 32 chars long
This is useful when the config doesn't entirely live in the Nix store,
but is configured to include mutable config files written at runtime.
Co-Authored-By: Puck Meerburg <puck@puck.moe>
This is a major rewrite of the Privoxy module:
- As per RFC0042, remove privoxy.extraConfig and replace it
with a privoxy.settings option, which maps a NixOS freeform
submodule to the Privoxy configuration format.
- Move all top-level options that mirrored a setting to
the real ones in privoxy.settings. This still keeps the
type-checking, default values and examples in places.
- Add two convenience options: userActions and userFilters, which
simplify the operation of creating a file with pkgs.writeText,
converting it to a string and adding it to the actionsfile/
filterfile list.
- Add a privoxy.inspectHttps option to automagically setup TLS
decryption support. I don't know how long have been waiting
for this feature: can't believe it has just happened.
- Also add a privoxy.certsLifetime to control the periodical
cleanup of the temporary certificates generate by Privoxy.
The `--apis=` command line parameter passed to Jitsi Videobridge is
required to monitor a Jitsi Meet instance for example via the prometheus
exporter [jitsiexporter](https://git.xsfx.dev/prometheus/jitsiexporter).
The NixOS 21.03 release has been delayed to 21.05. See NixOS/rfcs#80.
There are two instances of 21.03 which have been left as is, since they
are in stateVersion comparisons. This will ensure that existing user
configurations which refer to 21.03 will continue to work.
Without this patch merging options like
services.xserver.windowManager.xmonad.extraPackages
results in the evaluation error:
error: value is a list while a set was expected, at nixpkgs/lib/options.nix:77:23
With this patch we get the desired merging behaviour that just concatenates the
resulting package lists.
(cherry picked from commit 6e99f9fdec)
Co-Authored-By: Silvan Mosberger <contact@infinisil.com>
Since version 5.2.0 there's non-empty stop phase:
ExecStopPost=/usr/bin/env rm -f "/run/knot-resolver/control/%i"
but it's perfectly OK to run that from a different version
(and typically it's no-op anyway). Real-life example where this helps:
https://github.com/NixOS/nixpkgs/issues/49528#issuecomment-747723198
This reverts commit 8f177612b1.
Attempting to start any service from udev when systemd-udev-settle is
used at all hangs the boot for 2min. See issue #107341.
It's very surprising that services.tor.client.enable would set
services.privoxy.enable. This violates the principle of least
astonishment, because it's Privoxy that can integrate with Tor, rather
than the other way around.
So this patch moves the Privoxy Tor integration to the Privoxy module,
and it also disables it by default. This change is documented in the
release notes.
Reported-by: V <v@anomalous.eu>
Dnscrypt-proxy needs some options to be set before it can do anything useful.
Currently, we only apply what the user configured which, by default, is nothing.
This leads to the dnscrypt-proxy2 service failing to start when you only set
`enable = true;` which is not a great user experience.
This patch makes the module take the example config from the upstream repo as a
base on top of which the user-specified settings are applied (it contains sane
defaults).
An option has been added to restore the old behaviour.
Unbound throws the following error:
--8<---------------cut here---------------start------------->8---
error: failed to list interfaces: getifaddrs: Address family not supported by protocol
fatal error: could not open ports
--8<---------------cut here---------------end--------------->8---
The solution is pulled from upstream:
https://github.com/NLnetLabs/unbound/pull/351
This simplifies testing changes to the tailscale service on a local
machine. You can use this as such:
```nix
let
tailscale_patched = magic {};
in {
services.tailscale = {
enable = true;
package = tailscale_patched;
};
};
```
Signed-off-by: Christine Dodrill <me@christine.website>
This resolves issue #101963.
When the service is started and no interface is ready yet, wpa_supplicant
is being exec'd with no `-i` flags, thus failing. Once the interfaces
are ready, the udev rule would fire but wouldn't restart the unit because
it wasn't currently running (see systemctl(1) try-restart).
The solution is to exit (with a clear error message) but always restart
wpa_supplicant when the interfaces are modified.
Other units depend on nss-lookup.target and expect the DNS resolution to
work once that target is reached. The previous version
`wants=nss-lookup.target` made this unit require the nss-lookup.target
to be reached before this was started.
Another change that we can probalby do is drop the before relationship
with the nss-lookup.target. That might just be implied with the current
version.
This option allows users to specify a local UNIX control socket to
"remote control" the daemon. System users, that should be permitted to
access the daemon, must be in the `unbound` group in order to access the
socket. When a socket path is configured we are also creating the
required group.
Currently this only supports the UNIX socket mode while unbound actually
supports more advanced types. Users are still able to configure more
complex scenarios via the `extraConfig` attribute.
When this option is set to `null` (the default) it doesn't affect the
system configuration at all. The unbound defaults for control sockets
apply and no additional groups are created.
