When pdns-recursor is enabled it should ideally be the default resolver
for the host as well. This is probably good for 95% of the use-cases out
there, and the default for unbound and kresd, but also bind and dnsmasq.
- Now we check for database existence in the script.
- Nix ensures the script exists.
- The 126 error code check and retry is leftover from an old version.
The geoclue2 module recommends that the guest agent be disabled when the
desktop environment provides its own geoclue2 agent. But when a
desktop environment uses the demo agent directly, like COSMIC does, the
demo agent must be whitelisted. But disabling the demo agent also
removes it from the whitelisted agents.
This commit adds an option which holds a list of all whitelisted
geoclue2 agents. It allows for consumers like COSMIC to have the demo
agent disabled but still whitelisted for such use cases.
Make sure SSH_AUTH_SOCK is known by these sessions, which are not
systemd managed. It should not be a problem for users who know this
environment variable and use multiple desktop environments to
opt-out of this and I would prefer a more out-of-the-box experience
for those who don't.
There exist multiple issues with these options, for example they are not
introspectable, since the values are configured in the config part of the
module.
Also the keypair is always configured for both server and client usage,
which is really surprising. The postfix docs even advise against setting
up client certificates, if they aren't required. [1]
The replacements are the `smtpd_tls_chain_files` for server usage and
`smtp_tls_chain_files` for client usage, which are the preferred way to
configure keys and certificates since Postfix 3.4.0. [2]
[1] https://www.postfix.org/postconf.5.html#smtp_tls_cert_file
[2] https://www.postfix.org/postconf.5.html#smtpd_tls_cert_file
Resolution still fails when on VPN with no IPv6 DNS servers. We'll need
to investigate further why the fix doesn't help in this case.
This reverts commit f90236a8f2.
Signed-off-by: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
* pkgs.formats.yaml_1_2: init
Same as YAML 1.1 but relies on the unpinned remarshal version which emits
YAML 1.2.
* nixos/postfix-tlspol: init
MTA-STS and DANE/TLSA resolver and TLS policy socketmap server for
Postfix.
* nixos/tests/postfix-tlspol: init
Simple test if the service comes up and the CLI can interact with it and
gives reasonable results.