| Commit message (Collapse) | Author | Age |
They contain no useful information and increase the length of the
autogenerated options documentation.
See discussion in #18816.
|
Otherwise, the service unit just fails for no discernable
reason. Verification failure is bad so it ought to be easily
discoverable.
|
The list has disappeared from its ordinary location at
download.dnscrypt.org.
|
This option was initially added to make it easier to use an
up-to-date list, but now that we always use an up-to-date list
from upstream, there's no point to the option.
From now on, you can either use a resolver listed by dnscrypt
upstream or a custom resolver.
|
Removes tcpOnly and ephemeralKeys: reifying them as nixos
options adds little beyond improved discoverability. Until
17.09 we'll automatically translate these options into extraArgs
for convenience.
Unless reifying an option is necessary for conditional
computation or greatly simplifies configuration/reduces risk of
misconfiguration, it should go into extraArgs instead.
|
Newer versions of DNSCrypt proxy *can* cache lookups (via
plugin); make the wording more neutral wrt. why one might want
to run the proxy in a forwarding setup.
|
In an effort to make the module more self-contained.
|
It is the canonical example domain after all.
|
Make it easier for the user to tell when the list is updated
and, at their option, see what changed.
|
It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available. We
filter mount syscalls to prevent the process from undoing the fs
isolation.
|
Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.
We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...
|
Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...). Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.
|
Primarily to fix rendering of default values/examples but also
to avoid unnecessary work.
|
Set `networking.networkmanager.wifi.macAddress` or `networking.networkmanager.ethernet.macAddress`
to one of these values to change your macAddress.
* "XX:XX:XX:XX:XX:XX": set the MAC address of the interface.
* "permanent": use the permanent MAC address of the device.
* "preserve": don’t change the MAC address of the device upon activation.
* "random": generate a randomized value upon each connect.
* "stable": generate a stable, hashed MAC address.
See https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/ for more information
|
The default value already gives a good example of what values to
put here.
|
reason:
- We currently have an open discussion regarding a more modular
firewall (https://github.com/NixOS/nixpkgs/issues/23181) and
leaving null makes future extension easier.
- the current default might not cover all use cases (different ssh port)
and might break setups, if applied blindly
|
fixes #18842
|
When dhcpcd instead of networkd is used, the network-online.target behaved
the same as network.target, resulting in broken services that need a working
network connectivity when being started.
This commit makes dhcpcd wait for a lease and makes it wanted by
network-online.target. In turn, network-online.target is now wanted by
multi-user.target, so it will be activated at every boot.
|
Starting `ntpd` with the `-d` option spams the systemd journal.
Instead, let the server fork.
|
Use attrsOf in place of loaOf when relevant
|
Excluding modules/programs/environment.nix for PATH and QT_PLUGIN_PATH to allow the programs to continue running.
|
The user should be able to specify a patched version of searx.
|
Recent versions of libreswan seem to omit this file, but it may be added/changed in the future. It is silly to have the service fail because a file is missing that only enriches the environment.
|
Redsocks
|
redsocks module: use separate user for redsocks daemon
|
It's deprecated and no longer used.
|
This fixes an issue where `nixops deploy` wouldn't restart the chrony
service when the chrony configuration changed, because it wouldn't
detect that `/etc/chrony.conf` was a dependency of the chrony service.
|
The service can run certain components with reduced privileges, but for
that it needs the setuid capability.
|
20e81f7c0d56e0b179115ca72a85b81ff637d909 prevented key generation in
`preStart`, leaving the service broken for the case where the user has
no pre-existing key.
Eventually, we ought to store the state elsewhere so that `/etc` can be
read-only but for now we fix this the easy way.
|
Closes https://github.com/NixOS/nixpkgs/pull/22041
|
NFS improvements
|