path: root/nixos/modules/services/networking
Commit message [Author, Age]
* Merge pull request #2790 from ehmry/unbound [Peter Simons, 2014-05-30]
|\
| |   unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd
| * unbound: update from 1.4.21 to 1.4.22, service from Upstart to systemd [Emery Hemingway, 2014-05-29]
| |
* | Add TeamSpeak 3 server & service module (close #2056) [Alexei Robyn, 2014-05-27]
|/
|   Conflicts (trivial):
|       lib/maintainers.nix
|       nixos/modules/misc/ids.nix
* Merge pull request #2424 from wkennington/cache.sshKey [Michael Raskin, 2014-05-27]
|\
| |   ssh: Support knownHost public keys as strings
| * sshd: Fix typing for options which take paths [William A. Kennington III, 2014-05-01]
| |
| * ssh: Support knownHost public keys as strings [William A. Kennington III, 2014-05-01]
| |
* | notbit: Add additional options to the daemon [William A. Kennington III, 2014-05-13]
| |
* | notbit: Don't include unnecessary notbit binaries in the environment [William A. Kennington III, 2014-05-13]
| |
* | notbit: Use the correct default port [William A. Kennington III, 2014-05-13]
| |
* | dhcpcd: Allow adding hook code [Wout Mertens, 2014-05-12]
| |
* | Containers: Use systemd-nspawn's --network-veth flag [Eelco Dolstra, 2014-05-07]
| |   Note that this causes the name of the host-side interface to change
| |   from c-<name> to ve-<name>.
* | btsync: Default to no login/password for the Web UI [Austin Seipp, 2014-05-02]
| |   Signed-off-by: Austin Seipp <aseipp@pobox.com>
* | btsync: remove unneeded assertion [Austin Seipp, 2014-05-01]
|/
|   Signed-off-by: Austin Seipp <aseipp@pobox.com>
* wpa_supplicant: Restart when wlan devices (dis)appear [Eelco Dolstra, 2014-04-28]
|
* nixos: only enable spipe when user specifies [Austin Seipp, 2014-04-25]
|   Signed-off-by: Austin Seipp <aseipp@pobox.com>
* Remove outdated remark [Eelco Dolstra, 2014-04-24]
|
* dhcpcd: Fix segfaults [Eelco Dolstra, 2014-04-24]
|   This fixes several problems in the dhcpcd service:
|
|   * A segfault during startup, due to a race with udev (dhcpcd would get
|     an ADD event from udev, causing it to re-add an interface that it
|     already had, leading to a segfault later on).
|
|   * A hang/segfault processing "dhcpcd rebind" (which NixOS calls after
|     waking up from suspend).
|
|   Also, add "lo" to the list of ignored interfaces. It usually ignores
|   "lo", but apparently not when it gets an ADD event from udev.
* Remove some dead code [Eelco Dolstra, 2014-04-24]
|
* sshd: Add support for socket activation [Eelco Dolstra, 2014-04-22]
|   By enabling ‘services.openssh.startWhenNeeded’, sshd is started
|   on-demand by systemd using socket activation. This is particularly
|   useful if you have a zillion containers and don't want to have sshd
|   running permanently. Note that socket activation is not noticeably
|   slower, contrary to what the manpage for ‘sshd -i’ says, so we might
|   want to make this the default one day.
* sshd: Always start a session [Eelco Dolstra, 2014-04-22]
|   Partially reverts 70a4c7b1dfdb238d3729c3f71127538943a43afd. Whether to
|   start a session is independent of whether we're running in a container.
* openvpn: Add systemd startup notification [Eelco Dolstra, 2014-04-22]
|   This causes OpenVPN services to reach the "active" state when the VPN
|   connection is up (i.e., after OpenVPN prints "Initialization Sequence
|   Completed"). This allows units to be ordered correctly after openvpn-*
|   units, and makes systemctl present a password prompt:
|
|     $ start openvpn-foo
|     Enter Private Key Password: *************
|
|   (I first tried to implement this by calling "systemd-notify --ready"
|   from the "up" script, but systemd-notify is not reliable.)
* Firewall: Only start if we have CAP_NET_ADMIN [Eelco Dolstra, 2014-04-19]
|
* Set $LOCALE_ARCHIVE in all systemd units [Eelco Dolstra, 2014-04-18]
|   This variable used to be inherited implicitly from the stage-2 script,
|   but systemd now clears the environment. So we need to set it explicitly.
* Remove dhcpcd_without_udev attribute [Eelco Dolstra, 2014-04-18]
|
* Work around apparent dhcpcd bug [Eelco Dolstra, 2014-04-18]
|
* Slight test speedup [Eelco Dolstra, 2014-04-18]
|   Don't do a pointless ARP check in dhcpcd.
* firewall: Order after systemd-modules-load.service [Eelco Dolstra, 2014-04-17]
|   This ensures that connection tracking modules are loaded on time.
* nixos: add spiped service module [Austin Seipp, 2014-04-15]
|   Signed-off-by: Austin Seipp <aseipp@pobox.com>
* Rewrite ‘with pkgs.lib’ -> ‘with lib’ [Eelco Dolstra, 2014-04-14]
|   Using pkgs.lib on the spine of module evaluation is problematic because
|   the pkgs argument depends on the result of module evaluation. To prevent
|   an infinite recursion, pkgs and some of the modules are evaluated twice,
|   which is inefficient. Using ‘with lib’ prevents this problem.
* Fix tests broken due to the firewall being enabled by default [Eelco Dolstra, 2014-04-11]
|
* Use iptables' ‘-w’ flag [Eelco Dolstra, 2014-04-11]
|   This prevents errors like "Another app is currently holding the xtables
|   lock" if the firewall and NAT services are starting in parallel. (Longer
|   term, we should probably move to a single service for managing the
|   iptables rules.)
* Fix NAT module [Eelco Dolstra, 2014-04-11]
|
* Merge branch 'containers' [Eelco Dolstra, 2014-04-10]
|\
| |   Fixes #2105.
| * Add option networking.nat.internalInterfaces [Eelco Dolstra, 2014-04-10]
| |   This allows applying NAT to an interface, rather than an IP range.
| * Add support for running a container with a private network interface [Eelco Dolstra, 2014-03-18]
| |   For example, the following sets up a container named ‘foo’. The
| |   container will have a single network interface eth0, with IP address
| |   10.231.136.2. The host will have an interface c-foo with IP address
| |   10.231.136.1.
| |
| |     systemd.containers.foo = {
| |       privateNetwork = true;
| |       hostAddress = "10.231.136.1";
| |       localAddress = "10.231.136.2";
| |       config = {
| |         services.openssh.enable = true;
| |       };
| |     };
| |
| |   With ‘privateNetwork = true’, the container has the CAP_NET_ADMIN
| |   capability, allowing it to do arbitrary network configuration, such as
| |   setting up firewall rules. This is secure because it cannot touch the
| |   interfaces of the host.
| |
| |   The helper program ‘run-in-netns’ is needed at the moment because ‘ip
| |   netns exec’ doesn't quite do the right thing (it remounts /sys without
| |   bind-mounting the original /sys/fs/cgroups).
* | Merge pull request #2199 from offlinehacker/nixos/ntp/containers_fix [Peter Simons, 2014-04-10]
|\ \
| | |   nixos: disable ntp on containers by default
| * | nixos: disable ntp on containers by default [Jaka Hudoklin, 2014-04-10]
| | |
* | | cjdns: update to 20130303 [Emery Hemingway, 2014-04-09]
|/ /
| |   build system is now nodejs based
| |   new nixos module to start cjdns
* | Enable the firewall by default [Eelco Dolstra, 2014-04-08]
| |   Fixes #2135.
* | Merge branch 'murmur' of git://github.com/thoughtpolice/nixpkgs [Shea Levy, 2014-04-05]
|\ \
| | |   nixos: add Murmur module (Mumble chat)
| | |
| | |   Conflicts:
| | |       nixos/modules/misc/ids.nix
| * | nixos: murmur service [Austin Seipp, 2014-04-02]
| | |   Murmur is the headless server component of the Mumble chat system.
| | |
| | |   Signed-off-by: Austin Seipp <aseipp@pobox.com>
* | | syncthing: add preStart script to create dataDir [Domen Kožar, 2014-04-04]
| | |
* | | syncthing: new package and nixos module [Matej Cotman, 2014-04-04]
|/ /
* | Merge branch 'nixos/containers/fix1' of git://github.com/offlinehacker/nixpkgs [Shea Levy, 2014-03-28]
|\ \
| | |   nixos: fix linux containers (systemd-nspawn, lxc, lxc-libvirt)
| * | nixos: fix linux containers (systemd-nspawn, lxc, lxc-libvirt) [Jaka Hudoklin, 2014-03-24]
| |/
| |   - Make dhcp work, use dhcpcd without udev in container
| |   - Make login shell work, patch getty to not wait for /dev/tty0
| |   - Make ssh work, sshd/pam do not start session
* | nixos: add BitTorrent Sync service module [Austin Seipp, 2014-03-20]
| |   Signed-off-by: Austin Seipp <aseipp@pobox.com>
* | Add ngircd module [Shea Levy, 2014-03-19]
|/
* notbit: Add systemd service for a system daemon [William A. Kennington III, 2014-03-15]
|
* firewall: Allow setting rate limits for pings [Shea Levy, 2014-03-14]
|
* UID/GID fix for kippo [Thomas Bereknyei, 2014-03-12]
|