}
case "$(uname -s).$(uname -m)" in
- Linux.x86_64) system=x86_64-linux; hash=e43f6947d1f302b6193302889e7800f3e3dd4a650b6f929c668c894884a02701;;
- Linux.i?86) system=i686-linux; hash=e1c6fa89a0d55a56cddb5f26598a15e0f238115423ad884a3673a3e4815fd33b;;
- Linux.aarch64) system=aarch64-linux; hash=b31d50b34f2aeacdecbe97e56d5661b59b49ec84fa5ea3f8ddb022ab1bb5de56;;
- Darwin.x86_64) system=x86_64-darwin; hash=972ff28bf5786a079856cba6941a6001046e4bdbc99cb2f114e6fce31b9265ba;;
+ Linux.x86_64) system=x86_64-linux; hash=bd4cb069d16417ba4aadc5bb005fdb263823990352f9d37c5b763a0bd145394f;;
+ Linux.i?86) system=i686-linux; hash=79776189f9b7f6b4a54faf174912a57b272ffc4f6890e17e7ccc7f7d727e4478;;
+ Linux.aarch64) system=aarch64-linux; hash=e7bad8aae8f2e5ab101055dc14211465191d4eecf530a2a7c2721569410178fb;;
+ Darwin.x86_64) system=x86_64-darwin; hash=856cb6b62e32129c06b5ce7e3f3f22077c8fad8447cab5518c718b6f4107d8d7;;
*) oops "sorry, there is no binary distribution of Nix for your platform";;
esac
-url="https://nixos.org/releases/nix/nix-2.3/nix-2.3-$system.tar.xz"
+url="https://nixos.org/releases/nix/nix-2.3.2/nix-2.3.2-$system.tar.xz"
-tarball="$tmpDir/$(basename "$tmpDir/nix-2.3-$system.tar.xz")"
+tarball="$tmpDir/$(basename "$tmpDir/nix-2.3.2-$system.tar.xz")"
require_util curl "download the binary tarball"
require_util tar "unpack the binary tarball"
-echo "downloading Nix 2.3 binary tarball for $system from '$url' to '$tmpDir'..."
+echo "downloading Nix 2.3.2 binary tarball for $system from '$url' to '$tmpDir'..."
curl -L "$url" -o "$tarball" || oops "failed to download '$url'"
if command -v sha256sum > /dev/null 2>&1; then
--- /dev/null
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEtUHVUwEnDgvPFcpdgXC0cm1xmN4FAl4SOnUACgkQgXC0cm1x
+mN5KTwgAxYLEa2mE7vpqT7B9zOIkwV6qeX7Oy2P/EbHIHjE4IabaOi2vehh6RnaS
+a6OoLDRmw6OlPEj7oCuxJF9/CH+MFB1I0rvRt554ObjKbLEbftwXHOCtEUcuykgw
+AKYqbuCEveHajs1CP1Ou0qG+zoELK4HMpMO7TwUITOEeEqqQhARnC+07uetqq46U
+rHwpAt4GD4tyuUQvh79Lkr24im6T9FRhOOgFrFRbWVh10bDYLFlJ/rSE4Px2RNJM
+VTHZJQ2W95diB9DtP2Tfbl/pOBFEljqJjfXqlG2qFnwfSldspqvYNpe9MrivIKM2
+CxONUfzQlRf7H3cTLj0inTYzkRtOxQ==
+=6FAw
+-----END PGP SIGNATURE-----
+++ /dev/null
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEtUHVUwEnDgvPFcpdgXC0cm1xmN4FAl1wEiwACgkQgXC0cm1x
-mN4sqQf+Mnqghr47feJ0JXKc3WJRAkoGbn7AaIWqA1mY9Yxv9ejj8KMFK/WrW3Ez
-NdSByT9yvPQAGa3eaKmwv73AwUEE/HF9h5sfDfWccWMBs/jQHgRMpkE0eJ99f7eC
-8yKE8bOWxKf7c8JMTPoKOdUYBp4fVlmjj/Z15pWOCYWzLu5Eg0u6qbiGUdV6Exqd
-2ytBIBr+Z4jbktHBKXvmBvW5LNo7WfIYpCGuLFrkP4O9KYa0LGbBS7f/ZQSR//G0
-0cLgwUizSyOlov1i0vn4Erd+4tgG8WP3CvAAJJEx3JlxB710iRZAUxpBgruF7pW3
-koNfQ6giKNGoLEqdoLl9IlZolsgbcw==
-=v+JT
------END PGP SIGNATURE-----
-builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/b94c1c89f69563a9fc2ceee487b9bc19e5234d6a.tar.gz"; sha256="0gqk3dlkd03yj0vgp6hzaz8y62i5bccjnw657xij7cq3qypc28v5";}
+builtins.fetchTarball {url="https://github.com/NixOS/nixpkgs-channels/archive/ce961fad160d02fdbd78d95b7cd1985a622d110f.tar.gz"; sha256="1bqakqa07f4l1h536n0k69il93d57qymacpzwv9760qq7i8xhhlj";}
# udevadm test-builtin net_id /sys/class/net/*
{ pkgs, lib, config, ... }:
-let udevNetSetupLinkRules = pkgs.writeTextFile {
- name = "80-net-setup-link.rules";
- destination = "/etc/udev/rules.d/80-net-setup-link.rules";
- text = ''
- SUBSYSTEM!="net", GOTO="net_setup_link_end"
+let udevNetSetupLinkRules = pkgs.writeTextDir "etc/udev/rules.d/79-net-setup-link.rules" ''
+ SUBSYSTEM!="net", GOTO="net_setup_link_end"
- IMPORT{builtin}="path_id"
+ IMPORT{builtin}="path_id"
- ACTION!="add", GOTO="net_setup_link_end"
+ ACTION!="add", GOTO="net_setup_link_end"
- # Load net_setup_link to setup the ID_NET_NAME_* envvars
- IMPORT{builtin}="net_setup_link"
+ # Load net_setup_link to setup the ID_NET_NAME_* envvars
+ IMPORT{builtin}="net_setup_link"
- # Rename eth* using the "path" name policy (eg. enp1s0),
- # Note that in stage-1 the envvar ID_NET_NAME is not set,
- # hence not usable as in ''${pkgs.systemd}/lib/udev/rules.d/80-net-setup-link.rules
- # Because in stage-1 there is no /etc/systemd/network/*.link
- # nor **/systemd/network/99-default.link
- # to set NamePolicy= which is responsible to set ID_NET_NAME.
- # Not sure if ATTR{type}=="1" and KERNEL=="eth*" are equivalent or not.
- ATTR{type}=="1", KERNEL=="eth*", NAME="$env{ID_NET_NAME_PATH}"
+ # Rename eth* using the "path" name policy (eg. enp1s0),
+ # Note that in stage-1 the envvar ID_NET_NAME is not set,
+ # hence not usable as in ''${pkgs.systemd}/lib/udev/rules.d/80-net-setup-link.rules
+ # Because in stage-1 there is no /etc/systemd/network/*.link
+ # nor **/systemd/network/99-default.link
+ # to set NamePolicy= which is responsible to set ID_NET_NAME.
+ # Not sure if ATTR{type}=="1" and KERNEL=="eth*" are equivalent or not.
+ ATTR{type}=="1", KERNEL=="eth*", NAME="$env{ID_NET_NAME_PATH}"
- LABEL="net_setup_link_end"
- '';
- };
+ LABEL="net_setup_link_end"
+ '';
in
{
networking = {
boot.initrd = {
extraUdevRulesCommands = ''
- # Query hwdb to set some more ID_* in case someone need them for their rules.
- cp -v ${pkgs.systemd}/lib/udev/rules.d/75-net-description.rules $out/
-
- # The name set here in stage-1 by 80-net-setup-link.rules
+ # The name set here in stage-1 by 79-net-setup-link.rules
# will stay in stage-2 (at least until the device is removed/added).
- cp -v ${udevNetSetupLinkRules}/etc/udev/rules.d/80-net-setup-link.rules $out/
+ cp -v ${udevNetSetupLinkRules}/etc/udev/rules.d/79-net-setup-link.rules $out/
'';
};
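Review bot: The rules file is renumbered from 80- to 79-net-setup-link.rules and the copy of systemd's 75-net-description.rules is dropped, but neither the rule text nor the extraUdevRulesCommands comment says why. Presumably 79 is chosen so this file sorts before systemd's own 80-net-setup-link.rules; a one-line comment at the top of the rule text such as `# 79- so this file is applied before systemd's 80-net-setup-link.rules` would record that, and a sentence on why the hwdb query via 75-net-description.rules is no longer needed would help the next reader. The `networking = {` block opened in the hunk is not closed within it, so the enclosing module continues past the hunk.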
{
imports = [
modules/services/networking/domains.nix
- modules/services/networking/knot.nix
+ #modules/services/networking/knot.nix
modules/services/databases/openldap.nix
];
disabledModules = [
- "services/networking/knot.nix"
+ #"services/networking/knot.nix"
];
}
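Review bot: The knot module import and its disabledModules entry are commented out rather than removed, while the module file they reference appears to be deleted in this same commit (the `+++ /dev/null` section that follows holds the services.knot module), so the commented lines now point at a path that no longer exists. Prefer dropping the two lines, or, if they are kept as a reminder, add a comment such as `# knot.nix removed: <reason / upstream-PR placeholder>` so the next reader knows whether the upstream module is meant to replace it. The `disabledModules = [ ];` list left behind is empty and could go as well.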
+++ /dev/null
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- cfg = config.services.knot;
-
- configFile = pkgs.writeText "knot.conf" cfg.extraConfig;
- socketFile = "/run/knot/knot.sock";
-
- knotConfCheck = file: pkgs.runCommand "knot-config-checked"
- { buildInputs = [ cfg.package ]; } ''
- ln -s ${configFile} $out
- knotc --config=${configFile} conf-check
- '';
- keymgr = pkgs.writeShellScriptBin "keymgr" ''
- ${pkgs.systemd}/bin/systemd-run --pipe \
- --uid knot --working-directory="$PWD" \
- -p DynamicUser=yes -p StateDirectory=knot \
- ${cfg.package}/bin/keymgr --config=${configFile} "$@"
- '';
- knot-cli-wrappers = pkgs.stdenv.mkDerivation {
- name = "knot-cli-wrappers";
- buildInputs = [ pkgs.makeWrapper ];
- buildCommand = ''
- mkdir -p $out/bin
- makeWrapper ${cfg.package}/bin/knotc "$out/bin/knotc" \
- --add-flags "--config=${configFile}" \
- --add-flags "--socket=${socketFile}"
- for executable in kdig khost kjournalprint knsec3hash knsupdate kzonecheck
- do
- ln -s "${cfg.package}/bin/$executable" "$out/bin/$executable"
- done
- mkdir -p "$out/share"
- ln -s '${cfg.package}/share/man' "$out/share/"
- '';
- };
-in {
- options = {
- services.knot = {
- enable = mkEnableOption "Knot authoritative-only DNS server";
-
- extraArgs = mkOption {
- type = types.listOf types.str;
- default = [];
- description = ''
- List of additional command line paramters for knotd
- '';
- };
-
- extraConfig = mkOption {
- type = types.lines;
- default = "";
- description = ''
- Extra lines to be added verbatim to knot.conf
- '';
- };
-
- package = mkOption {
- type = types.package;
- default = pkgs.knot-dns;
- defaultText = "pkgs.knot-dns";
- description = ''
- Which Knot DNS package to use
- '';
- };
- };
- };
-
- config = mkIf config.services.knot.enable {
- systemd.services.knot = {
- unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
- description = cfg.package.meta.description;
- wantedBy = [ "multi-user.target" ];
- wants = [ "network.target" ];
- after = ["network.target" ];
-
- serviceConfig = {
- Type = "notify";
- ExecStart = "${cfg.package}/bin/knotd --config=${knotConfCheck configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
- ExecReload = "${knot-cli-wrappers}/bin/knotc reload";
- CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
- AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
- NoNewPrivileges = true;
- DynamicUser = "yes";
- RuntimeDirectory = "knot";
- StateDirectory = "knot";
- StateDirectoryMode = "0700";
- PrivateDevices = true;
- RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
- SystemCallArchitectures = "native";
- Restart = "on-abort";
- };
- };
-
- environment.systemPackages = [ knot-cli-wrappers keymgr ];
- };
-}
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-
- # If a client has a session ticket, it can present it to the server and re-negotiation is not necessary.
- ssl_session_tickets on;
'';
log = ''
access_log ${nginx.logDir}/access.log main buffer=32k;
url = "https://github.com/NixOS/nixpkgs/pull/80151.diff";
sha256 = "0jjw2gvp7b7v2n2m2d6yj0gw711j6p9lyjf5ywp2y9ql6905qf4b";
}
+ /*
{ meta.description = "shorewall: fix warnings due to types.loaOf being deprecated";
url = "https://github.com/NixOS/nixpkgs/pull/80154.diff";
sha256 = "0b216m1rib3jl6s3r5cbkd5h1bfhppikg4cz9ayr1fspsflr3bci";
url = "https://github.com/NixOS/nixpkgs/pull/81774.diff";
sha256 = "14drpym2mq9gq505psjzqq23gv0wkbwrrvh438h5jirzcym3467a";
}
+ */
];
localNixpkgsPatches = [
patches/direnv.diff
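Review bot: The `/* … */` added around the shorewall patch entries disables them without recording why, and the block-comment form keeps their url and sha256 pins as dead text. If the referenced pull requests have been merged into the pinned nixpkgs, delete the entries; otherwise add a line before the opening `/*` such as `# disabled: <reason>` so a later nixpkgs bump does not silently re-enable stale patches. As shown here the commented block spans two entries (pull/80154 and pull/81774) with a single visible `meta.description`, so check that the closing `*/` lands after the intended entry and not inside the second one.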