In a critical setup of bird with many BGP sessions,
you want to control the exact time when configuration
changes are applied. Therefore, an option was added,
to disable automatic reloading the systemd unit,
when configuration changes are made. The administrator
how has the ability to control how changes are applied.
The ModemManager shipped fccUnlockScripts are using either qmicli or
mbimcli, to unlock wwan modems. These needs to be available for
ModemManager if you set the fccUnlockScripts link, so instead of having
every user than needs it pull it inn in different ways, we should just
provide the tools if we think they might be needed.
https://modemmanager.org/docs/modemmanager/fcc-unlock
In the past, we emitted `unicast_peer` block even with empty unicast peers list.
This now results in:
```
Keepalived_vrrp[392762]: A unicast keyword has been specified without any unicast peers. Defaulting to multicast. This usage is deprecated - please update your configuration.
```
We do not emit it anymore to avoid this warning.
This is a followup to commit bba808dbfa ("nixos/avahi-daemon:
resolve mdns only over enabled protocols, disable ipv6 by default",
2023-10-01, PR #258424). mdns occurs twice in /etc/nsswitch.conf but
that commit changed only the first one (mdns_minimal, before resolve).
This commits ensures that both occurrences are set consistently.
This is not only consistent with upstream example[1] but it also
fixes#118628 -- a longstanding issue with CUPS and printer detection.
[1] https://github.com/avahi/nss-mdns#activation
The output is expected to be a list [ hostname, port, optional ipv6 scope ], but the
current regex only outputs [ port ], when only a port is given as address.
Noticed that issue while reviewing #275633: when declaring
`ListenAddress host` without a port, all ports declared by
`Port`/`cfg.ports` will be used with `host` according to
`sshd_config(5)`.
However, if this is done and socket activation is used, only a socket
for port 22 is created instead of a sockets for each port from
`Port`/`cfg.ports`. This patch corrects that behavior.
Also added a regression test for this case.
Changed `services.zerotierone.localConf` default value to `null` and type to `nullOr attrs` per input.
Changed `systemd` preStart script to delete
`/var/lib/zerotier-one/local.conf` when it is a symlink, and rename when it is an actual file, then only create a symlink to the nix store when `services.zerotierone.localConf` is not null.
This reverts commit 413011ddf4.
Using separate lockfile directories prevents the different kea daemons
from using the interprocess sync lockfile.
Keeping the runtime directory around might be the better approach.
I saw this trace when building my system configuration this morning:
```
lazy-options.json> trace: warning: literalExample is deprecated, use literalExpression instead, or use literalMD for a non-Nix description.
```
This warning was introduced in https://github.com/NixOS/nixpkgs/pull/237557.
The option this commit changes was introduced in https://github.com/NixOS/nixpkgs/pull/137003.
#264753 mistakenly used the dataDir option to set the -data argument.
This broke existing configurations because -data used to be set to
configDir (implicitly, using the -home option, which is equivalent to
setting -config and -data to the same value).
Fix this by introducing a new databaseDir option sets -data and defaults
to configDir. This maintains the existing behavior by default while
still allowing users to specify separate config and database
directories.
ServerQuery actually listens on three separate addresses each
corresponding to its own protocol (raw/telnet, ssh, and http). By only
setting `query_addr` we only update what IP we listen on for the raw
protocol, not ssh and http protocols which end up listening on the
default wildcard address.
This change simply makes it so that setting `queryIP` sets the IP for
all three protocols by setting each corresponding option (`query_ip`,
`query_ssh_ip` and `query_http_ip`).
see https://github.com/lathiat/nss-mdns#:~:text=in%20such%20a%20situation%20causes%20long%20timeouts%20when%20resolving%20hosts
especially:
> libnss_mdns.so.2 resolves both IPv6 and IPv4 addresses, libnss_mdns4.so.2 only IPv4 addresses and
> libnss_mdns6.so.2 only IPv6 addresses. Due to the fact that most mDNS responders only register local IPv4
> addresses via mDNS, most people will want to use libnss_mdns4.so.2 exclusively. Using libnss_mdns.so.2
> or libnss_mdns6.so.2 in such a situation causes long timeouts when resolving hosts since most modern
> Unix/Linux applications check for IPv6 addresses first, followed by a lookup for IPv4.
The `services.vdirsyncer.jobs.<name>.config.statusPath` option was
making the appropriate changes to the systemd service options, but not
to the vdirsyncer config file.
The previous -home argument worked as such:
"Set common configuration and data directory. The default configuration directory is $HOME/.config/syncthing (Unix-like), $HOME/Library/Application Support/Syncthing (Mac) and %LOCALAPPDATA%\Syncthing (Windows)"
This resulted in syncthing not respecting different home and data dirs
declared in its config. The default behaviour will remain the same, as
we set the datadir default value to homeDir + .config/syncthing.
This fixes the case where users enable harmonia but also have allowed-users set.
Having extra-allowed-users is a no-op when nix.settings.allowed-users is set to "*" (the default)
This fixes the case where users enable nix-serve but also have allowed-users set.
Having extra-allowed-users is a no-op when nix.settings.allowed-users is set to "*" (the default)
I changed my nickname from Ninjatrappeur to Picnoir. My github id is
stable, it shouldn't break too much stuff.
I took advantage of this handle change to remove myself from the
hostapd maintainers: I don't use NixOS as a router anymore.
If username is set, then unbound will try to become that user using
`setusercontext`. But this is pointless since we are already instructing
systemd to launch unbound with that user.
So force username to be empty, which disables this behaviour in unbound.
This allows us to remove the capability granted, and also tighten the
syscall filter.
upstream is in the process of renaming to `hickory-dns`.
a consequence of this is that the main binary has been renamed from
`trust-dns` to `hickory-dns` and the repository has been moved (though
for the time being the old repo is still usable on account that it
redirects to the new one).
see: <https://bluejekyll.github.io/blog/posts/announcing-hickory-dns/>
This changes the syscall filter to match that of upstream. Note that
SystemCallFilter=~foo bar
is completely different from
SystemCallFilter=~foo
SystemCallFilter=bar
The former one means that foo and bar are forbidden, and the latter
one means foo is forbidden and bar is granted!
When using iproute2's ip binary, you can omit the dev parameter, e.g. ip link set up eth0 instead of ip link set up dev eth0.
This breaks if for some reason your device is named e.g. he, hel, … because it is interpreted as ip link set up help.
I just encountered this bug using networking.bridges trying to create an interface named he.
I used a grep on nixpkgs to try to find iproute2 invocations using variables without the dev keyword, and found a few, and fixed them by providing the dev keyword.
I merely fixed what I found, but the use of abbreviated commands makes it a bit hard to be sure everything has been found (e.g. ip l set … up instead of ip link set … up).
