Age | Commit message | Author | Files | Lines |
|
|
|
1G apparently isn't sufficient anymore, at least in swraid case:
https://hydra.nixos.org/build/126561574
|
|
This is the last planned iteration before forking 20.09.
|
|
Instead of always using the default port of one exporter for its default
firewall filter, the port from the current service configuration is used.
|
|
This reverts commit 02590c96209d374d7f720293fcb8337e17104bc9.
https://github.com/NixOS/nixpkgs/commit/02590c96209d374d7f720293fcb8337e17104bc9#commitcomment-42078853
|
|
No need to fiddle around with `flatpak` to get `vorta`, a graphical
desktop-client for `borgbackup` running as it's available in `nixpkgs`.
|
|
services.openssh: add banner item
|
|
Add the possibility to set up a banner.
Co-authored-by: Silvan Mosberger <github@infinisil.com>
|
|
nixos/tests/sssd-ldap: init
|
|
Restructure acme module
|
|
nixos/phpfpm: always restart service on failure
|
|
nixos/gitlab: Support incoming mail
|
|
nixos/cachefilesd: don't set up manually
|
|
This reverts commit 8425726f86a2f4a38d0022f3d5cb1d2001da6999.
This should have been reverted in https://github.com/NixOS/nixpkgs/pull/95358
but I forgot about it.
|
|
- Allow for key reuse when domains are the only thing that
was changed.
- Fixed systemd service failure when preliminarySelfsigned
was set to false
|
|
* nixos/terraria: allow dataDir to be configured
add dataDir option to terraria module
* Update nixos/modules/services/games/terraria.nix
Co-authored-by: WORLDofPEACE <worldofpeace@protonmail.ch>
Co-authored-by: WORLDofPEACE <worldofpeace@protonmail.ch>
|
|
nixos/syncthing: add ignoreDelete folder option
|
|
nixos-install: add support for flakes
|
|
We apparently didn't fit anymore. I don't think this test is meant
to (also) check closure size.
Note: as of this commit, the test is blocked by a fontconfig problem,
so I tested with that merge temporarily reverted.
|
|
This isn't used anymore as per
https://github.com/NixOS/nixpkgs/pull/72354#discussion_r451031449.
|
|
nixos/opendkim: systemd sandbox
|
|
|
|
This goes through a recent example of 19.09 (because the workflow
should be ever-changing, so our example needs to be recent).
Lots of changes, just read idk.
|
|
cryptsetup, lvm2, systemd: Break cyclic dependency at a different point
|
|
treewide: use URN for fontconfig DTD
|
|
Use our available infrastructure instead of manually handling setup.
|
|
Attempting to reuse keys on a basis different to the cert (AKA,
storing the key in a directory with a hashed name different to
the cert it is associated with) was ineffective since when
"lego run" is used it will ALWAYS generate a new key. This causes
issues when you revert changes since your "reused" key will not
be the one associated with the old cert. As such, I tore out the
whole keyDir implementation.
As for the race condition, checking the mtime of the cert file
was not sufficient to detect changes. In testing, selfsigned
and full certs could be generated/installed within 1 second of
each other. cmp is now used instead.
Also, I removed the nginx/httpd reload waiters in favour of
simple retry logic for the curl-based tests.
|
|
The cyclic dependency of systemd → cryptsetup → lvm2 → udev=systemd
needs to be broken somewhere. The previous strategy of building
cryptsetup with an lvm2 built without udev (#66856) caused the
installer.luksroot test to fail. Instead, build lvm2 with a udev built
without cryptsetup.
Fixes #96479.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
|
|
When not using apply, other modules can use $PATH as a list instead of
getting a colon-separated list to each /bin directory.
|
|
To match upstream change:
https://gitlab.freedesktop.org/fontconfig/fontconfig/commit/9c46ef4aac87c42d013d0e7380b6aeb03e1a9949
|
|
nixos/gpaste: return sessionPath
|
|
Testing of certs failed randomly when the web server was still
returning old certs even after the reload was "complete". This was
because the reload commands send process signals and do not wait
for the worker processes to restart. This commit adds log watchers
which wait for the worker processes to be restarted.
|
|
- Use an acme user and group, allow group override only
- Use hashes to determine when certs actually need to regenerate
- Avoid running lego more than necessary
- Harden permissions
- Support "systemctl clean" for cert regeneration
- Support reuse of keys between some configuration changes
- Permissions fix services solves for previously root owned certs
- Add a note about multiple account creation and emails
- Migrate extraDomains to a list
- Deprecate user option
- Use minica for self-signed certs
- Rewrite all tests
I thought of a few more cases where things may go wrong,
and added tests to cover them. In particular, the web server
reload services were depending on the target - which stays alive,
meaning that the renewal timer wouldn't be triggering a reload
and old certs would stay on the web servers.
I encountered some problems ensuring that the reload took place
without accidentally triggering it as part of the test. The sync
commands I added ended up being essential and I'm not sure why,
it seems like either node.succeed ends too early or there's an
oddity of the vm's filesystem I'm not aware of.
- Fix duplicate systemd rules on reload services
Since useACMEHost is not unique to every vhost, if one cert
was reused many times it would create duplicate entries in
${server}-config-reload.service for wants, before and
ConditionPathExists
|
|
nixos/biboumi: init
|
|
strigi: drop
|