zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg/nix-config:36a2a424c523066ae1670343f04a6e4e6be9435a
Branches Tags
zuckerberg/nix-config:master zuckerberg/nix-config:stage zuckerberg/nix-config:hyprland zuckerberg/nix-config:pia-vpn-v2 zuckerberg/nix-config:kexec_luks2
...
compare: zuckerberg/nix-config:stage
Branches Tags
zuckerberg/nix-config:stage zuckerberg/nix-config:master zuckerberg/nix-config:hyprland zuckerberg/nix-config:pia-vpn-v2 zuckerberg/nix-config:kexec_luks2

2 Commits
36a2a424c5 ... stage

Author SHA1 Message Date
zuckerberg 87082709e0 Keep dhcpcd from running on container/virtual interfaces
Check Flake / check-flake (push) Successful in 2h44m20s
Details
2026-05-31 09:29:38 -07:00
zuckerberg 78852c6b0a nginx: 1.30.1 security fix via overlay
Check Flake / check-flake (push) Has been cancelled
Details 
nixos-unstable (the channel branch this flake tracks) does not yet
contain nginx 1.30.1. Pull the fix forward from nixpkgs master
(PR #519893, merged 2026-05-14) with a scoped nginxStable overlay
override. Remove once nixos-unstable advances past 2026-05-14.
 2026-05-15 15:34:51 -07:00
2 changed files with 34 additions and 4 deletions
Expand all files Collapse all files
common/network/default.nix
+21 -4
View File
@@ -14,8 +14,25 @@ in
options.networking.ip_forward = mkEnableOption "Enable ip forwarding";
config = mkIf cfg.ip_forward {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
};
config = mkMerge [
(mkIf cfg.ip_forward {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
})
# Keep dhcpcd away from container/virtual interfaces. dhcpcd runs as a single
# daemon over every interface not on its deny list, and the nixpkgs default
# omits these. When containers create/tear down podman0/veth*, dhcpcd reacts
# to the link events with a full reconfigure and can drop the primary
# interface's DHCP default route, leaving the host unreachable.
{
networking.dhcpcd.denyInterfaces = [
"podman*"
"veth*"
"cni*"
"docker*"
"br-*"
];
}
];
}
overlays/default.nix
+13
View File
@@ -32,6 +32,19 @@ in
];
});
# nginx 1.30.0 -> 1.30.1: critical security fix. Pulled forward from
# nixpkgs master (PR #519893, merged 2026-05-14) because the
# nixos-unstable channel branch we track does not have it yet.
# Remove once nixos-unstable advances past 2026-05-14.
nginxStable = prev.nginxStable.overrideAttrs (old: rec {
version = "1.30.1";
src = prev.fetchurl {
url = "https://nginx.org/download/nginx-${version}.tar.gz";
hash = "sha256-mXZQANl0iWsxyliC2MJ5zj/n729cb58Kln7X/TQH+cw=";
};
});
nginx = final.nginxStable;
# Plasma Bigscreen: TV-optimized KDE shell (not yet packaged in nixpkgs)
plasma-bigscreen = import ./plasma-bigscreen.nix {
inherit (prev.kdePackages)