As a oneshot service, if the startup failed it would never be attempted again.
This is problematic when peer's addresses require DNS. DNS may not be reliably available at
the time wireguard starts. Converting this to a simple service with Restart
and RestartAfter directives allows the service to be reattempted, but at
the cost of losing the oneshot semantics.
Signed-off-by: Maximilian Bosch <maximilian@mbosch.me>
Passwords should not be stored in plain text by default. On existing
installations the next time a users user accounts will automatically
be upgraded from plain to hashed one-by-one as they log in.
With `sshd -t` config validation for SSH is possible. Until now, the
config generated by Nix was applied without any validation (which is
especially a problem for advanced config like `Match` blocks).
When deploying broken ssh config with nixops to a remote machine it gets
even harder to fix the problem due to the broken ssh that makes reverts
with nixops impossible.
This change performs the validation in a Nix build environment by
creating a store path with the config and generating a mocked host key
which seems to be needed for the validation. With a broken config, the
deployment already fails during the build of the derivation.
The original attempt was done in #56345 by adding a submodule for Match
groups to make it harder screwing that up, however that made the module
far more complex and config should be described in an easier way as
described in NixOS/rfcs#42.
I noticed xinetd process doesn't get exec'd on launch, exec here so the bash
process doesn't stick around.
Signed-off-by: William Casarin <jb55@jb55.com>
The type of ZNC's config option specifies that a configuration like
config.User.paul = null;
should be valid, which is useful for clearing/disabling property sets
like Users and Networks. However until now the config generator
implementation didn't actually cover null values, meaning you'd get an
error like
error: value is null while a set was expected, at /foo.nix:29:10
This fixes the implementation to correcly allow clearing of property
sets.
This allows configuring IP addresses on a tinc interface using
networking.interfaces."tinc.${n}".ipv[46].addresses.
Previously, this would fail with timeouts, because of the dependency
chain
tinc.${netname}.service
--after--> network.target
--after--> network-addresses-tinc.${n}.service (and network-link-…)
--after--> sys-subsystem-net-devices-tinc.${n}.device
But the network interface doesn't exist until tinc creates it! So
systemd waits in vain for the interface to appear, and by then the
network-addresses-* and network-link-* units have failed. This leads
to the network link not being brought up and the network addresses not
being assigned, which in turn stops tinc from actually working.
Ideally, private keys never leave the host they're generated on - like
SSH. Setting generatePrivateKeyFile to true causes the PK to be
generate automatically.
This is an implementation of wireguard support using wg-quick config
generation.
This seems preferrable to the existing wireguard support because
it handles many more routing and resolvconf edge cases than the
current wireguard support.
It also includes work-arounds to make key files work.
This has one quirk:
We need to set reverse path checking in the firewall to false because
it interferes with the way wg-quick sets up its routing.
Get these from upstream tox-node package instead.
This is likely to cause less maintenance overhead over time and
following upstream bootstrap node changes is automated.
Same problem as described in acbadcdbba.
When using multiple interfaces for wifi with `networking.wlanInterfaces`
and the interface for `hostapd` contains a dash, this will fail as
systemd escapes dashes in its device names.
The manpage claims that the "limit" in the setting::
<name>:[<limit>:]<regex>
is optional and defaults to zero, implying no limit.
However, tests confirmed that it actually isn't optional.
Without limit, the setting ``any:.*`` places
outbound jobs on infinite hold if no particular
modem was specified on the sendfax command line.
The new default value ``any:0:.*`` from
this commit uses any available modem to
send jobs if not modem was given to sendfax.
Before this change, only passwords not containing shell metacharacters could be
used, and because the password was passed as a command-line argument, local
users could (in a very small window of time) record the password and (in an
indefinity window of time) record the length of the password.
We also use the opportunity to add a call to `exec` in the systemd start
script, so that no shell needs to hang around waiting for iodine to stop.
Compatibility with other distributions/software and expectation
of users coming from other systems should have higher priority over consistency.
In particular this fixes#51375, where the NetworkManager-wait-online.service
broke as a result of this.
Systemd provides some functionality to escape strings that are supposed
to be part of a unit name[1]. This seems to be used for interface names
in `sys-subsystem-net-devices-{interface}.device` and breaks
wpa_supplicant if the wireless interface name has a dash which is
encoded to \x2d.
Such an interface name is rather rare, but used i.e. when configuring
multiple wireless interfaces with `networking.wlanInterfaces`[2] to have on
interface for `wpa_supplicant` and another one for `hostapd`.
[1] https://www.freedesktop.org/software/systemd/man/systemd-escape.html
[2] https://nixos.org/nixos/options.html#networking.wlaninterfaces
Add an ExecReload command to the prosody service, to allow reloading
prosody by sending SIGHUP to the main process, for example to update
certificates without restarting the server. This is exactly how the
`prosodyctl` tool does it.
Note: Currently there is a bug which prevents mod_http from reloading the
certificates properly: https://issues.prosody.im/1216.
Without this line, attempting to copy and paste non-ASCII characters
will result in error messages like the following (and pasting from the
server to the client will not work):
```
CLIPBOARD clipboard_send_data_response_for_text: 823 : ERROR: clipboard_send_data_response_for_text: bad string
```
While at it (see previous commit), using attrNames in combination with
length is a bit verbose for checking whether the filtered attribute set
is empty, so let's just compare it against an empty attribute set.
Signed-off-by: aszlig <aszlig@nix.build>
When generating values for the services.nsd.zones attribute using values
from pkgs, we'll run into an infinite recursion because the nsd module
has a condition on the top-level definition of nixpkgs.config.
While it would work to push the definition a few levels down, it will
still only work if we don't use bind tools for generating zones.
As far as I could see, Python support for BIND seems to be only needed
for the dnssec-* tools, so instead of using nixpkgs.config, we now
directly override pkgs.bind instead of globally in nixpkgs.
To illustrate the problem with a small test case, instantiating the
following Nix expression from the nixpkgs source root will cause the
mentioned infinite recursion:
(import ./nixos {
configuration = { lib, pkgs, ... }: {
services.nsd.enable = true;
services.nsd.zones = import (pkgs.writeText "foo.nix" ''
{ "foo.".data = "xyz";
"foo.".dnssec = true;
}
'');
};
}).vm
With this change, generating zones via import-from-derivation is now
possible again.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @pngwjpgh
This flag causes the shairport-sync server to attempt to daemonize, but it looks like systemd is already handling that. With the `-d` argument, shairport-sync immediately exits—it seems that something (systemd I'm guessing?) is sending it SIGINT or SIGTERM.
The [upstream systemd unit](https://github.com/mikebrady/shairport-sync/blob/master/scripts/shairport-sync.service.in#L10) doesn't pass `-d`.
As the comment notes, restarts/exits of dhcpcd generally require
restarting the NTP service since, if name resolution fails for a pool of
servers, the service might break itself. To be on the safe side, try
restarting Chrony in these instances, too.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Setting the server list to be empty is useful e.g. for hardware-only
or virtualized reference clocks that are passed through to the system
directly. In this case, initstepslew has no effect, so don't emit it.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
* Added license: GPLv2.
* Updated homepage and description.
* CFLAGS are no longer necessary as of version 2.2.0.
* Option '-a ::' is no longer necessary as of version 2.2.0.
Removes the old UI build tooling; it is no longer necessary
because as of 1.2.0 it's bundled into the server binary.
It doesn't even need to have JS built, because it's bundled into
the release commit's source tree (see #48714).
The UI is enabled by default, so the NixOS service is
updated to directly use `ui = webUi;` now.
Fixes#48714.
Fixes#44192.
Fixes#41243.
Fixes#35602.
Signed-off-by: Niklas Hambüchen <mail@nh2.me>
Setting this variable in the environment of systemd-timedated allows
'timedatectl' to tell if an NTP service is running.
Closes#48917.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
The changes were found by executing the following in the strongswan
repo (https://github.com/strongswan/strongswan):
git diff 5.6.3..5.7.1 src/swanctl/swanctl.opt
This was overlooked on a rebase of mine on master, when I didn't realize
that in the time of me writing the znc changes this new option got
introduced.
This breaks with networking backends enabled and
also creates large delays on boot when some services depends
on the network target. It is also not really required
because tinc does create those interfaces itself.
fixes#27070
* nat/bind/dhcp.service:
Remove. Those services have nothing to do with a link-level service.
* sys-subsystem-net-devices-${if}.device:
Add as BindsTo dependency as this will make hostapd stop when the
device is unplugged.
* network-link-${if}.service:
Add hostapd as dependency for this service via requiredBy clause,
so that the network link is only considered to be established
only after hostapd has started.
* network.target:
Remove this from wantedBy clause as this is already implied from
dependencies stacked above hostapd. And if it's not implied than
starting hostapd is not required for this particular network
configuration.
This option represents the ZNC configuration as a Nix value. It will be
converted to a syntactically valid file. This provides:
- Flexibility: Any ZNC option can be used
- Modularity: These values can be set from any NixOS module and will be
merged correctly
- Overridability: Default values can be overridden
Also done:
Remove unused/unneeded options, mkRemovedOptionModule unfortunately doesn't work
inside submodules (yet). The options userName and modulePackages were never used
to begin with
Several service definitions used `mkEnableOption` with text starting
with "Whether to", which produced funny option descriptions like
"Whether to enable Whether to run the rspamd daemon..".
This commit corrects this, and adds short descriptions of services
to affected service definitions.
Most importantly, this sets PrivateTmp, ProtectHome, and ProtectSystem
so that Chrony flaws are mitigated, should they occur.
Moving to ProtectSystem=full however, requires moving the chrony key
files under /var/lib/chrony -- which should be fine, anyway.
This also ensures ConditionCapability=CAP_SYS_TIME is set, ensuring
that chronyd will only be launched in an environment where such a
capability can be granted.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This commit adds the following
* the uucp user
* options for HylaFAX server to control startup and modems
* systemd services for HylaFAX server processes
including faxgettys for modems
* systemd services to maintain the HylaFAX spool area,
including cleanup with faxcron and faxqclean
* default configuration for all server processes
for a minimal working configuration
Some notes:
* HylaFAX configuration cannot be initialized with faxsetup
(as it would be common on other Linux distributions).
The hylafaxplus package contains a template spool area.
* Modems are controlled by faxgetty.
Send-only configuration (modems controlled by faxq)
is not supported by this configuration setup.
* To enable the service, one or more modems must be defined with
config.services.hylafax.modems .
* Sending mail *should* work:
HylaFAX will use whatever is in
config.services.mail.sendmailSetuidWrapper.program
unless overridden with the sendmailPath option.
* The admin has to create a hosts.hfaxd file somewhere
(e.g. in /etc) before enabling HylaFAX.
This file controls access to the server (see hosts.hfaxd(5) ).
Sadly, HylaFAX does not permit account-based access
control as is accepts connections via TCP only.
* Active fax polling should work; I can't test it.
* Passive fax polling is not supported by HylaFAX.
* Pager transmissions (with sendpage) are disabled by default.
I have never tested or used these.
* Incoming data/voice/"extern"al calls
won't be handled by default.
I have never tested or used these.
Matthew Bauer
lassulus
Aaron Andersen
Maximilian Bosch
sjau
Florian Klink
Nikolay Amiantov
Milan Pässler
Franz Pletz
Carl Dong
Ingolf Wanger
William Casarin
Robin Gloster
Maximilian Güntner
Linus Heckemann
Will Dietz
Renaud
Hsiang-Cheng Yang
Silvan Mosberger
Daniel Schaefer
Lassulus
Graham Christensen
pacien
ajs124
Reno Reckling
adisbladis
Сухарик
Yarny0
Matthieu Coudron
Frederik Rietdijk
Ingo Blechschmidt
Aneesh Agrawal
Jan Tojnar
John Ericson
Bob van der Linden
Francesco Gazzetta
Wael M. Nasreddine
Jörg Thalheim
Martin Weinelt
Markus
Pierre Bourdon
Bas van Dijk
Peter Hoeg
David Duarte
Andreas Rammhold
Nikita Uvarov
Symphorien Gibol
Jörg Thalheim
Johan Thomsen
Robert Klotzner
Jaka Hudoklin
Lars Jellema
Robert Helgesson
Lily Ballard
Ioannis Koutras
elseym
Danylo Hlynskyi
Robert Schütz
Nadrieril
Justin Humm
Robert Irelan
aszlig
Jeremy Apthorp
Satoshi Shishiku
Rickard Nilsson
Austin Seipp
Brandon Black
Craig Younkins
Ben Blaxill
Samuel Dionne-Riel
Richard Marko
Janik Rabe
Niklas Hambüchen
Joachim F
obadz
Léo Gaspard
qolii
Daniel Rutz
clefru
rnhmjoj
Ingolf Wagner
Timo Kaufmann
Pavel Goran
Sarah Brofeldt
Vladyslav Mykhailichenko
Edward Tjörnhammar
Okina Matara
Tad Fisher
Janne Heß