| Age | Commit message (Collapse) | Author |
|---|
|
nixos/sourcehut: updates, fixes, hardening
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
qt5ct: move to qt5-packages
|
|
|
|
Rootless Docker service
|
|
It breaks something inside of influxdb2, which results in flurry of errors like these:
> ts=2021-12-21T18:19:35.513910Z lvl=info msg="Write failed" log_id=0YZYwvV0000 service=storage-engine service=write shard=50 error="[shard 50] unlinkat ./L1-00000055.tsi: read-only file system"
I believe this is somehow caused by a mount namespace that systemd creates for
the service, but I didn't investigate this deeper.
|
|
nixos/dhcpd: switch to DynamicUser
|
|
|
|
|
|
|
|
thinkfan: fix typo in level
|
|
Fix a typo in the kea-dhcp-ddns-server unit definition, and add a
KEA_LOCKFILE_DIR environment variable without which kea daemons try to
access a lockfile under /var/run/kea path, which is prevented by
systemd's ProtectSystem (or one of the other Protect*) mechanism.
kea-dhcp-ddns-server doesn't react to updates from dhcp4 server at all
without it.
|
|
nixos/gvfs: fix libmtp udev package path
|
|
|
|
autorestic: 1.3.0 -> 1.5.0
|
|
As pointed out by @sigprof[1] my bump of libmtp silently broke this, as I
moved the udev files out of the bin output of the pkg.
[1]: https://github.com/NixOS/nixpkgs/pull/144290#discussion_r775266642
|
|
This test is technically broken since reloading caddy
does not seem to load new certs. This needs to be fixed
in caddy.
|
|
In the process I also found that the CapabilityBoundingSet
was restricting the service from listening on port 80, and
the AmbientCapabilities was ineffective. Fixed appropriately.
|
|
|
|
|
|
- Added defaultText for all inheritable options.
- Add docs on using new defaults option to configure
DNS validation for all domains.
- Update DNS docs to show using a service to configure
rfc2136 instead of manual steps.
|
|
|
|
Allows configuring many default settings for certificates,
all of which can still be overridden on a per-cert basis.
Some options have been moved into .defaults from security.acme,
namely email, server, validMinDays and renewInterval. These
changes will not break existing configurations thanks to
mkChangedOptionModule.
With this, it is also now possible to configure DNS-01 with
web servers whose virtualHosts utilise enableACME. The only
requirement is you set `acmeRoot = null` for each vhost.
The test suite has been revamped to cover these additions
and also to generally make it easier to maintain. Test config
for apache and nginx has been fully standardised, and it
is now much easier to add a new web server if it follows
the same configuration patterns as those two. I have also
optimised the use of switch-to-configuration which should
speed up testing.
|
|
Closes #129838
It is possible for the CA to revoke a cert that has not yet
expired. We must run lego to validate this before expiration,
but we must still ignore failures on unexpired certs to retain
compatibility with #85794
Also changed domainHash logic such that a renewal will only
be attempted at all if domains are unchanged, and do a full
run otherwises. Resolves #147540 but will be partially
reverted when go-acme/lego#1532 is resolved + available.
|
|
Closes NixOS/nixpkgs#108237
When a user first adds an ACME cert to their configuration,
it's likely to fail to renew due to DNS misconfig. This is
non-fatal for other services since selfsigned certs are
(usually) put in place to let dependant services start.
Tell the user about this in the logs, and exit 2 for
differentiation purposes.
|
|
selfsignedDeps is already appended to the after and wants
of a cert's renewal service, making these redundant.
You can see this if you run the following command:
systemctl list-dependencies --all --reverse acme-selfsigned-mydomain.com.service
|
|
nixos/mysql: module cleanup
|
|
nixos/caddy: introduce several new options
|
|
virtualisation: implement kubevirt config
|
|
|
|
Extract the example configuration from the package to provide a
working example.
Remove pkgs.stubby from `environment.systemPackages`.
|
|
nginxMainline: enable ktls support
|
|
nixos/privacyidea: increase buffer-size of uwsgi from 4096 to 8192
|
|
nixos/prometheus-nginx-exporter: fix argument syntax
|
|
|
|
|
|
|
|
services.mysql.settings
|
|
|
|
nixos/systemd: set TZDIR for PID 1
|
|
See:
https://github.com/NixOS/nixpkgs/pull/126614
|
|
One of the valid values for the fan speed is "level disengaged",
however, it is represented as "level disengage" and does not match
what thinkfan expects.
|
|
KubeVirt[1] allows for VMs to be run and managed as pods inside of
Kubernetes clusters. Information about the guests can be exposed through
qemu-guest-agent[2] as well as startup scripts can be injected through
cloud-init[3].
This config has been duplicated and modified from the `cloudstack`
config/script.
To test this out, deploy KubeVirt locally with KinD[4], build the disk
image, then package it into a container image (or upload to CDI[5]) and
provision a VirtualMachine.
[1]: https://kubevirt.io/user-guide/
[2]: https://kubevirt.io/user-guide/virtual_machines/guest_agent_information/
[3]: https://kubevirt.io/user-guide/virtual_machines/startup_scripts/#cloud-init-examples
[4]: https://kubevirt.io/quickstart_kind/
[5]: https://kubevirt.io/user-guide/operations/containerized_data_importer/#containerized-data-importer
Signed-off-by: jbpratt <jbpratt78@gmail.com>
|
