This reverts commit a8b8f8f8c7.
It introduced a failure in the syncthing service, where it hangs at the
curl step, repeatedly printing this:
l3ijkvb20h5nnffg5q25i4nmcsbf7glx-merge-syncthing-config[1458]: curl: (22) The requested URL returned error: 404
l3ijkvb20h5nnffg5q25i4nmcsbf7glx-merge-syncthing-config[1458]: curl: (22) The requested URL returned error: 404
l3ijkvb20h5nnffg5q25i4nmcsbf7glx-merge-syncthing-config[1458]: curl: (22) The requested URL returned error: 404
[...]
This is unfortunately not detected by `nix-build -A syncthing.tests`.
Ref https://github.com/NixOS/nixpkgs/pull/390742
This is needed since clatd will use networkctl to attempt to obtain the
PLAT prefix, and networkctl uses UNIX domain sockets to communicate with
the systemd-networkd daemon over DBus.
Previously, this option was supposed to be a file of the form
`CLOUDFLARE_API_TOKEN=...`, which has a few problems:
- That's not an api token. It's an env file fit for passing to systemd's
`EnvironmentFile` option. The user could typo the variable name, or
intentionally/unintentionally include unrelated environment variables.
- It's not how secret files usually work in NixOS. Secret files are
usually just the secret, and don't leak details about how the secret
is passed to the service.
- This increases friction for people switching between cloudflare dyndns
services, such as `services.cloudflare-dyndns` and
`services.cfdyndns`, which both have a `apiToken` option, but (before
this change) with different semantics.
While it is probably a mistake in configuration to have declarative
routes configured but no certificate file, it is not always necessary to
have a working set up, so the assertion was removed.
The documentation for the certificateFile setting was reworked to
describe this.
Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:
- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`
Co-authored-by: Shelvacu <git@shelvacu.com>
Make the cloudflared tunnel service use systemd credentials and dynamic
users, removing the services.cloudflared.user and .group option.
Also add an option to provide the cert.pem file, without which tunnels
defined declaratively would not work.
Additionally, add an assertion checking that the certificate file is
provided if there are declarative routes defined.
