Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption
based on the user-space tools available from <http://tcpcrypt.org>.
Network attackers come in two varieties: passive and active (man-in-the-middle).
Passive attacks are much simpler to execute because they just require listening
on the network. Active attacks are much harder as they require listening and
modifying network traffic, often requiring very precise timing that can make
some attacks impractical.
Opportunistic encryption cannot protect against active attackers, but it *does*
protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to
stop active attacks, too, if the application using it performs authentication.
A complete description of the protocol extension can be found at
<http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>.
I.e., modules that use "require = [options]". Nowadays that should be
written as
{
options = { ... };
config = { ... };
};
Also, use "imports" instead of "require" in places where we actually
import another module.
apcupsd is a daemon for controlling APC UPSes. It is very simple to
configure. If you have an USB based UPS, the default settings should be
useable without further adjustments:
services.apcupsd.enable = true;
This will give you autodetection of USB UPSes, network access limited to
localhost (for security) and the shutdown sequence will be started when
the system when the battery level is below 50 percent, or when the UPS
has calculated that it has 5 minutes or less of remaining power-on time.
You can provide your own configuration file contents with this option:
services.apcupsd.configText = "contents of apcupsd.conf";
Bug/annoyance 1: When apcupsd calls "wall" (on powerfail etc. events),
it prints an error message because stdout is not connected to a tty (it
is connected to the journal):
wall: cannot get tty name: Inappropriate ioctl for device
The message still gets through though, to ctrl-alt-f[1-6] terminals.
Bug/annoyance 2: apcupsd tries to call "mail" (on powerfail etc.
events), and that fails because I'm not passing in any mail program at
the moment (because that would require more configuration options). A
solution to this would be to simply let the user fully configure the
apcupsd event handling logic in nix.
(cgit is "a hyperfast web frontend for git repositories written in C")
cgit is enabled like this (assuming lighttpd is already enabled):
services.lighttpd.cgit.enable = true;
and configured verbatim like this (contents of the cgitrc file):
services.lighttpd.cgit.configText = ''
cache-size=1000
scan-path=/srv/git
'';
cgit will be available from this URL: http://yourserver/cgit
In lighttpd, I've ensured that the cache dir for cgit is created if cgit
is enabled.
Now you can access gitweb at http://yourserver/gitweb by simply adding
this to configuration.nix (assuming services.lighttpd.enable = true);
services.lighttpd.gitweb.enable = true;
The path to all bare repositories served by gitweb can be set with this
option (default value below):
services.lighttpd.gitweb.projectroot = "/srv/git";
Based on patch contributed by Bjørn Forsman.
More specifically, this removes services.pulseaudio and adds the option
hardware.pulseaudio.systemWide which defaults to false but can be used to turn
on the system-wide PulseAudio server (previously defined in
services.pulseaudio). Since the two PulseAudio modes are mutually exclusive
anyway (maybe not strictly true, but I don't think is a good idea combining
them) its nicer to be able to reuse server and ALSA configuration between them.
Also the system-wide PulseAudio service has been adjusted to systemd, and a few
things has been fixed (there was no alsa.conf before, for example).
The bottomline is that people that was using hardware.pulseaudio before should
be able to keep doing it in exactly the same way, and people that used
services.pulseaudio must switch over to hardware.pulseaudio.systemWide instead.
Enable it with
services.transmission.enable = true;
and optionally configure it
services.transmission.settings =
{
download-dir = "/srv/torrents/";
incomplete-dir = "/srv/torrents/.incomplete/";
incomplete-dir-enabled = true;
rpc-whitelist = "127.0.0.1,192.168.*.*";
# for users in group "transmission" to have access to torrents
umask = 2;
};
The above settings are written/merged into settings.json each time the
service is about to start.
Adding support for the kind of bootloader in raspberrypi. Disable grub,
disable generationsDir, enable boot.loader.raspberrypi.
Usual layout expected: /boot being the first vfat the board reads blobs from.
If the user tries to run a program that doesn't exist from Bash, the
program name is looked up in a database that maps to Nix package
names. If it is found, we print out a message like:
$ pdflatex
The program ‘pdflatex’ is currently not installed. It is provided by
several packages. You can install it by typing one of the following:
nix-env -i tetex
nix-env -i texlive-core
If the environment variable $NIX_AUTO_INSTALL is set, the command is
installed and executed automatically:
$ hello --version
The program ‘hello’ is currently not installed. It is provided by
the package ‘hello’, which I will now install for you.
installing `hello-2.8'
hello (GNU hello) 2.8
Copyright (C) 2011 Free Software Foundation, Inc. ...
To use this, you must currently manually put the SQLite programs
database in /var/lib/nixos/programs.sqlite. In the future, this file
should be provided as part of the NixOS channel so it gets updated
automatically. To get a test version:
$ curl http://nixos.org/~eelco/programs.sqlite.xz | xz -d > /var/lib/nixos/programs.sqlite