| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
bind_interface is the mosquitto way of trying to bind to all addresses
on an interface, but it is unreliable (trying to bind to link-local v6
addresses *sometimes* but not always) and just prone to failure in
general for reasons we have yet to discover.
since this kind of automatic behavior isn't particularly necessary in a
declarative system we may as well skip it.
|
|
the non-networkd backend does not wait for slaac to finish (ie, ipv6
addresses coming out of tentative state), and that breaks the mosquitto
bind_interface test slightly. if slaac takes too long the test will run
into mosquitto restart limits and fail.
|
|
looks like stricter typing checks broke this one?
|
|
we expose it under settings instead of at the listener toplevel because
mosquitto seems to pick the addresses it will listen on
nondeterministically from the set of addresses configured on the
interface being bound to. encouraging its use by putting it into the
toplevel options for a listener seems inadvisable.
|
|
during the rewrite the checkPasswords=false feature of the old module
was lost. restore it, and with it systems that allow any client to use
any username.
|
|
|
|
expand the test to check all four forms of passwords, tls certificates (both
server and client), and that acl files are formatted properly.
|
|
mosquitto needs a lot of attention concerning its config because it doesn't
parse it very well, often ignoring trailing parts of lines, duplicated config
keys, or just looking back way further in the file to associated config keys
with previously defined items than might be expected.
this replaces the mosquitto module completely. we now have a hierarchical config
that flattens out to the mosquitto format (hopefully) without introducing spooky
action at a distance.
|
|
It can still network, it can only access the ssl related files if ssl is
enabled.
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ DeviceAllow= Service has a device ACL with some special devices 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
|
|
The library does not depend on stdenv, that `stdenv` exposes `lib` is
an artifact of the ancient origins of nixpkgs.
|
|
|
|
|
|
|
|
|
|
|
|
|
