Set "networking.tcpcrypt.enable = true;" to enable opportunistic TCP encryption
based on the user-space tools available from <http://tcpcrypt.org>.
Network attackers come in two varieties: passive and active (man-in-the-middle).
Passive attacks are much simpler to execute because they just require listening
on the network. Active attacks are much harder as they require listening and
modifying network traffic, often requiring very precise timing that can make
some attacks impractical.
Opportunistic encryption cannot protect against active attackers, but it *does*
protect against passive attackers. Furthermore, Tcpcrypt is powerful enough to
stop active attacks, too, if the application using it performs authentication.
A complete description of the protocol extension can be found at
<http://tools.ietf.org/html/draft-bittau-tcp-crypt-00>.
I.e., modules that use "require = [options]". Nowadays that should be
written as
{
options = { ... };
config = { ... };
};
Also, use "imports" instead of "require" in places where we actually
import another module.
Previously, the zfs binaries were put in $out/sbin where the stage-1
patchelf wouldn't fix them up. This would fail the allowedReferences
test.
Move the zfs binaries to $out/bin.
The NixOS config need not be $NIXOS_CONFIG, it can also be set through
-I nixos-config=... or not exist in a separate file at all (e.g. in a
NixOps deployment).
Issue #212.
dramatically speeds up my boot time because it was the last
service (for me) that depended on udev-settle.service
udev-settle isn't needed for modern system initialization but some
oldschool services (mdadm/lvm/cryptsetup) depend on it so they can
just enumerate devices instead of having to react to changes
dynamically. In NixOS these things are usually already taken care of
during stage 1 (early ramdisk) if you use them.
The option services.openssh.hostKeys now allows specifying multiple
host keys. The default value enables both a DSA and ECDSA key.
(Clients by default will use the ECDSA key, unless known_hosts already
has a DSA key for that host.) To use only an ECDSA key, you can say:
services.openssh.hostKeys =
[ { path = "/etc/ssh/ssh_host_ecdsa_key";
type = "ecdsa";
bits = 521;
}
];
If the option is enabled, the DNS servers from networking.nameservers
will be inserted in /etc/resolv.conf after the DNS servers that
NetworkManager receieves by DHCP, or that is configured manually
in the connection settings.
NixOS and Fedora uses .../ca-bundle.crt. Ubuntu uses
.../ca-certificates.crt. Add .../ca-certificates.crt symlink to be
compatible with Ubuntu.
Example use case: Bob has a ~/.msmtprc file that he brings over from
Ubuntu. It also works on NixOS.
If the option is enabled, the DNS servers from networking.nameservers
will be inserted in /etc/resolv.con and override any DNS servers that
NetworkManager receieves by DHCP, or that is configured manually
in the connection settings.
Currently only root has access. But with this patch all users in
"libvirtd" group will have access. This is similar to how it's done on
Ubuntu.
Also, add virtualisation.libvirtd.extraConfig option for further
customization of libvirtd.conf.
With this it's now possible to directly embed a configuration file
using `services.xserver.windowManager.i3.configFile = path`, which then
will be used instead of the one in the users home directory.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Note that since the configuration produced by nixos-hardware-scan
includes not-detected.nix, you get all firmware when following the
regular installation procedure.
Issue #87.