Project import generated by Copybara.

GitOrigin-RevId: a7855f2235a1876f97473a76151fec2afa02b287
This commit is contained in:
Default email 2022-08-21 15:32:41 +02:00
parent bd37aaa161
commit 13da32182d
1831 changed files with 57456 additions and 17499 deletions

View file

@ -36,3 +36,6 @@ d08ede042b74b8199dc748323768227b88efcf7c
# fix indentation in mk-python-derivation.nix
d1c1a0c656ccd8bd3b25d3c4287f2d075faf3cf3
# fix indentation in meteor default.nix
f76b359e4a55267ddd4e9e149e7cc13ae5cad98a

View file

@ -108,9 +108,9 @@
/pkgs/top-level/haskell-packages.nix @cdepillabout @sternenseemann @maralorn
# Perl
/pkgs/development/interpreters/perl @stigtsp @zakame
/pkgs/top-level/perl-packages.nix @stigtsp @zakame
/pkgs/development/perl-modules @stigtsp @zakame
/pkgs/development/interpreters/perl @stigtsp @zakame @dasJ
/pkgs/top-level/perl-packages.nix @stigtsp @zakame @dasJ
/pkgs/development/perl-modules @stigtsp @zakame @dasJ
# R
/pkgs/applications/science/math/R @jbedo

View file

@ -62,25 +62,26 @@ many CODEOWNERS will be inadvertently requested for review. To achieve this,
rebasing should not be performed directly on the target branch, but on the merge
base between the current and target branch.
In the following example, we see a rebase from `master` onto the merge base
between `master` and `staging`, so that a change can eventually be retargeted to
`staging`. The example uses `upstream` as the remote for `NixOS/nixpkgs.git`
while the `origin` remote is used for the remote you are pushing to.
In the following example, we assume that the current branch, called `feature`,
is based on `master`, and we rebase it onto the merge base between
`master` and `staging` so that the PR can eventually be retargeted to
`staging` without causing a mess. The example uses `upstream` as the remote for `NixOS/nixpkgs.git`
while `origin` is the remote you are pushing to.
```console
# Find the common base between two branches
common=$(git merge-base upstream/master upstream/staging)
# Find the common base between your feature branch and master
commits=$(git merge-base $(git branch --show-current) upstream/master)
# Rebase all commits onto the common base
git rebase --onto=$common $commits
# Rebase your commits onto the common merge base
git rebase --onto upstream/staging... upstream/master
# Force push your changes
git push origin $(git branch --show-current) --force-with-lease
git push origin feature --force-with-lease
```
The syntax `upstream/staging...` is equivalent to `upstream/staging...HEAD` and
stands for the merge base between `upstream/staging` and `HEAD` (hence between
`upstream/staging` and `upstream/master`).
Then change the base branch in the GitHub PR using the *Edit* button in the upper
right corner, and switch from `master` to `staging`. After the PR has been
right corner, and switch from `master` to `staging`. *After* the PR has been
retargeted it might be necessary to do a final rebase onto the target branch, to
resolve any outstanding merge conflicts.
@ -90,7 +91,7 @@ git rebase upstream/staging
# Review and fixup possible conflicts
git status
# Force push your changes
git push origin $(git branch --show-current) --force-with-lease
git push origin feature --force-with-lease
```
## Backporting changes

View file

@ -91,7 +91,7 @@ Used with Git. Expects `url` to a Git repo, `rev`, and `sha256`. `rev` in this c
Additionally, the following optional arguments can be given: `fetchSubmodules = true` makes `fetchgit` also fetch the submodules of a repository. If `deepClone` is set to true, the entire repository is cloned as opposing to just creating a shallow clone. `deepClone = true` also implies `leaveDotGit = true` which means that the `.git` directory of the clone won't be removed after checkout.
If only parts of the repository are needed, `sparseCheckout` can be used. This will prevent git from fetching unnecessary blobs from server, see [git sparse-checkout](https://git-scm.com/docs/git-sparse-checkout) and [git clone --filter](https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---filterltfilter-specgt) for more information:
If only parts of the repository are needed, `sparseCheckout` can be used. This will prevent git from fetching unnecessary blobs from server, see [git sparse-checkout](https://git-scm.com/docs/git-sparse-checkout) for more information:
```nix
{ stdenv, fetchgit }:
@ -101,8 +101,8 @@ stdenv.mkDerivation {
src = fetchgit {
url = "https://...";
sparseCheckout = ''
path/to/be/included
another/path
directory/to/be/included
another/directory
'';
sha256 = "0000000000000000000000000000000000000000000000000000";
};

View file

@ -36,6 +36,9 @@ buildImage {
WorkingDir = "/data";
Volumes = { "/data" = { }; };
};
diskSize = 1024;
buildVMMemorySize = 512;
}
```
@ -59,6 +62,10 @@ The above example will build a Docker image `redis/latest` from the given base i
- `config` is used to specify the configuration of the containers that will be started off the built image in Docker. The available options are listed in the [Docker Image Specification v1.2.0](https://github.com/moby/moby/blob/master/image/spec/v1.2.md#image-json-field-descriptions).
- `diskSize` is used to specify the disk size of the VM used to build the image in megabytes. By default it's 1024 MiB.
- `buildVMMemorySize` is used to specify the memory size of the VM to build the image in megabytes. By default it's 512 MiB.
After the new layer has been created, its closure (to which `contents`, `config` and `runAsRoot` contribute) will be copied in the layer itself. Only new dependencies that are not already in the existing layers will be copied.
At the end of the process, only one new single layer will be produced and added to the resulting image.

View file

@ -871,12 +871,27 @@ Constructs a wrapper for a program with various possible arguments. It is define
# adds `FOOBAR=baz` to `$out/bin/foo`s environment
makeWrapper $out/bin/foo $wrapperfile --set FOOBAR baz
# prefixes the binary paths of `hello` and `git`
# Prefixes the binary paths of `hello` and `git`
# and suffixes the binary path of `xdg-utils`.
# Be advised that paths often should be patched in directly
# (via string replacements or in `configurePhase`).
makeWrapper $out/bin/foo $wrapperfile --prefix PATH : ${lib.makeBinPath [ hello git ]}
makeWrapper $out/bin/foo $wrapperfile \
--prefix PATH : ${lib.makeBinPath [ hello git ]} \
--suffix PATH : ${lib.makeBinPath [ xdg-utils ]}
```
Packages may expect or require other utilities to be available at runtime.
`makeWrapper` can be used to add packages to a `PATH` environment variable local to a wrapper.
Use `--prefix` to explicitly set dependencies in `PATH`.
:::{note}
`--prefix` essentially hard-codes dependencies into the wrapper.
They cannot be overridden without rebuilding the package.
:::
If dependencies should be resolved at runtime, use `--suffix` to append fallback values to `PATH`.
Theres many more kinds of arguments, they are documented in `nixpkgs/pkgs/build-support/setup-hooks/make-wrapper.sh` for the `makeWrapper` implementation and in `nixpkgs/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh` for the `makeBinaryWrapper` implementation.
`wrapProgram` is a convenience function you probably want to use most of the time, implemented by both `makeWrapper` and `makeBinaryWrapper`.

View file

@ -36,7 +36,7 @@ rec {
forEach = xs: f: map f xs;
/* right fold a binary function `op` between successive elements of
`list` with `nul' as the starting value, i.e.,
`list` with `nul` as the starting value, i.e.,
`foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))`.
Type: foldr :: (a -> b -> b) -> b -> [a] -> b

View file

@ -1359,6 +1359,12 @@
githubId = 9315;
name = "Zhong Jianxin";
};
a-kenji = {
email = "aks.kenji@protonmail.com";
github = "a-kenji";
githubId = 65275785;
name = "Alexander Kenji Berthold";
};
b4dm4n = {
email = "fabianm88@gmail.com";
github = "B4dM4n";
@ -1778,7 +1784,7 @@
};
booklearner = {
name = "booklearner";
email = "hey@booklearner.org";
email = "booklearner@proton.me";
matrix = "@booklearner:matrix.org";
github = "booklearner";
githubId = 103979114;
@ -3738,6 +3744,12 @@
githubId = 537775;
name = "Emery Hemingway";
};
eigengrau = {
email = "seb@schattenkopie.de";
name = "Sebastian Reuße";
github = "eigengrau";
githubId = 4939947;
};
eikek = {
email = "eike.kettner@posteo.de";
github = "eikek";
@ -4661,6 +4673,12 @@
githubId = 37017396;
name = "gbtb";
};
gdinh = {
email = "nix@contact.dinh.ai";
github = "gdinh";
githubId = 34658064;
name = "Grace Dinh";
};
gebner = {
email = "gebner@gebner.org";
github = "gebner";
@ -6337,6 +6355,16 @@
}];
name = "Ioannis Koutras";
};
jonaenz = {
name = "Jona Enzinger";
email = "5xt3zyy5l@mozmail.com";
matrix = "@jona:matrix.jonaenz.de";
github = "jonaenz";
githubId = 57130301;
keys = [{
fingerprint = "1CC5 B67C EB9A 13A5 EDF6 F10E 0B4A 3662 FC58 9202";
}];
};
jonafato = {
email = "jon@jonafato.com";
github = "jonafato";
@ -6783,6 +6811,12 @@
githubId = 2029444;
name = "James Kent";
};
kephasp = {
email = "pierre@nothos.net";
github = "kephas";
githubId = 762421;
name = "Pierre Thierry";
};
ketzacoatl = {
email = "ketzacoatl@protonmail.com";
github = "ketzacoatl";
@ -7250,7 +7284,7 @@
};
lassulus = {
email = "lassulus@gmail.com";
matrix = "@lassulus:nixos.dev";
matrix = "@lassulus:lassul.us";
github = "Lassulus";
githubId = 621759;
name = "Lassulus";
@ -7944,6 +7978,12 @@
githubId = 31056089;
name = "Tom Ho";
};
majewsky = {
email = "majewsky@gmx.net";
github = "majewsky";
githubId = 24696;
name = "Stefan Majewsky";
};
majiir = {
email = "majiir@nabaal.net";
github = "Majiir";
@ -8160,6 +8200,15 @@
githubId = 427866;
name = "Matthias Beyer";
};
MatthieuBarthel = {
email = "matthieu@imatt.ch";
name = "Matthieu Barthel";
github = "MatthieuBarthel";
githubId = 435534;
keys = [{
fingerprint = "80EB 0F2B 484A BB80 7BEF 4145 BA23 F10E AADC 2E26";
}];
};
matthuszagh = {
email = "huszaghmatt@gmail.com";
github = "matthuszagh";
@ -8466,6 +8515,15 @@
githubId = 9980864;
name = "Max Hofer";
};
miangraham = {
email = "miangraham@users.noreply.github.com";
github = "miangraham";
githubId = 704580;
name = "M. Ian Graham";
keys = [{
fingerprint = "8CE3 2906 516F C4D8 D373 308A E189 648A 55F5 9A9F";
}];
};
mic92 = {
email = "joerg@thalheim.io";
matrix = "@mic92:nixos.dev";
@ -8788,6 +8846,13 @@
fingerprint = "1248 D3E1 1D11 4A85 75C9 8934 6794 D45A 488C 2EDE";
}];
};
monaaraj = {
name = "Mon Aaraj";
email = "owo69uwu69@gmail.com";
matrix = "@mon:tchncs.de";
github = "MonAaraj";
githubId = 46468162;
};
monsieurp = {
email = "monsieurp@gentoo.org";
github = "monsieurp";
@ -10141,6 +10206,16 @@
fingerprint = "5D69 CF04 B7BC 2BC1 A567 9267 00BC F29B 3208 0700";
}];
};
phfroidmont = {
name = "Paul-Henri Froidmont";
email = "nix.contact-j9dw4d@froidmont.org";
github = "phfroidmont";
githubId = 8150907;
keys = [{
fingerprint = "3AC6 F170 F011 33CE 393B CD94 BE94 8AFD 7E78 73BE";
}];
};
philandstuff = {
email = "philip.g.potter@gmail.com";
github = "philandstuff";
@ -13451,6 +13526,15 @@
githubId = 619015;
name = "Svintsov Dmitry";
};
urandom = {
email = "colin@urandom.co.uk";
github = "arnottcr";
githubId = 2526260;
keys = [{
fingerprint = "04A3 A2C6 0042 784A AEA7 D051 0447 A663 F7F3 E236";
}];
name = "Colin Arnott";
};
urbas = {
email = "matej.urbas@gmail.com";
github = "urbas";
@ -13662,6 +13746,12 @@
githubId = 118959;
name = "VinyMeuh";
};
virchau13 = {
email = "virchau13@hexular.net";
github = "virchau13";
githubId = 16955157;
name = "Vir Chaudhury";
};
viraptor = {
email = "nix@viraptor.info";
github = "viraptor";
@ -13813,6 +13903,12 @@
github = "wamserma";
githubId = 60148;
};
water-sucks = {
email = "varun@cvte.org";
name = "Varun Narravula";
github = "water-sucks";
githubId = 68445574;
};
waynr = {
name = "Wayne Warren";
email = "wayne.warren.s@gmail.com";
@ -14015,6 +14111,15 @@
github = "wr0belj";
githubId = 40501814;
};
wrmilling = {
name = "Winston R. Milling";
email = "Winston@Milli.ng";
github = "WRMilling";
githubId = 6162814;
keys = [{
fingerprint = "21E1 6B8D 2EE8 7530 6A6C 9968 D830 77B9 9F8C 6643";
}];
};
wscott = {
email = "wsc9tt@gmail.com";
github = "wscott";

View file

@ -35,7 +35,7 @@ toRemove=()
cleanup() {
rm -rf "${toRemove[@]}"
}
trap cleanup EXIT SIGINT SIGQUIT ERR
trap cleanup EXIT
MKTEMP='mktemp --tmpdir nix-rebuild-amount-XXXXXXXX'

View file

@ -177,17 +177,17 @@ OK
the boot partition.
</para>
<programlisting>
# parted /dev/sda -- mkpart primary 512MiB -8GiB
# parted /dev/sda -- mkpart primary 512MB -8GB
</programlisting>
</listitem>
<listitem>
<para>
Next, add a <emphasis>swap</emphasis> partition. The size
required will vary according to needs, here a 8GiB one is
required will vary according to needs, here a 8GB one is
created.
</para>
<programlisting>
# parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
# parted /dev/sda -- mkpart primary linux-swap -8GB 100%
</programlisting>
<note>
<para>
@ -204,7 +204,7 @@ OK
reserved 512MiB at the start of the disk.
</para>
<programlisting>
# parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB
# parted /dev/sda -- mkpart ESP fat32 1MB 512MB
# parted /dev/sda -- set 3 esp on
</programlisting>
</listitem>
@ -242,7 +242,7 @@ OK
live.
</para>
<programlisting>
# parted /dev/sda -- mkpart primary 1MiB -8GiB
# parted /dev/sda -- mkpart primary 1MB -8GB
</programlisting>
</listitem>
<listitem>
@ -252,7 +252,7 @@ OK
created.
</para>
<programlisting>
# parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
# parted /dev/sda -- mkpart primary linux-swap -8GB 100%
</programlisting>
<note>
<para>

View file

@ -2130,6 +2130,13 @@ sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
</programlisting>
</listitem>
<listitem>
<para>
Added the <literal>keter</literal> NixOS module. Keter reverse
proxies requests to your loaded application based on virtual
hostnames.
</para>
</listitem>
<listitem>
<para>
If you are using Wayland you can choose to use the Ozone

View file

@ -70,6 +70,34 @@
with any supported NixOS release.
</para>
</listitem>
<listitem>
<para>
<literal>emacs</literal> enables native compilation which
means:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
emacs packages from nixpkgs, builtin or not, will do
native compilation ahead of time so you can enjoy the
benefit of native compilation without compiling them on
you machine;
</para>
</listitem>
<listitem>
<para>
emacs packages from somewhere else, e.g.
<literal>package-install</literal>, will do asynchronously
deferred native compilation. If you do not want this,
maybe to avoid CPU consumption for compilation, you can
use
<literal>(setq native-comp-deferred-compilation nil)</literal>
to disable it while still enjoy the benefit of native
compilation for packages from nixpkgs.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
<literal>nixos-generate-config</literal> now generates
@ -97,7 +125,9 @@
</listitem>
<listitem>
<para>
Cinnamon has been updated to 5.4.
Cinnamon has been updated to 5.4. While at it, the cinnamon
module now defaults to blueman as bluetooth manager and
slick-greeter as lightdm greeter to match upstream.
</para>
</listitem>
<listitem>
@ -138,6 +168,13 @@
<link linkend="opt-services.dragonflydb.enable">services.dragonflydb</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://komga.org/">Komga</link>, a free and
open source comics/mangas media server. Available as
<link linkend="opt-services.komga.enable">services.komga</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://hbase.apache.org/">HBase
@ -191,6 +228,14 @@
<link linkend="opt-services.tempo.enable">services.tempo</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/zalando/patroni">Patroni</link>,
a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
Available as
<link xlink:href="options.html#opt-services.patroni.enable">services.patroni</link>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.11-incompatibilities">
@ -251,6 +296,18 @@
<literal>(with foo; isPower &amp;&amp; is32bit &amp;&amp; isBigEndian)</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>fetchgit</literal> fetcher now uses
<link xlink:href="https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalscone_mode_handling">cone
mode</link> by default for sparse checkouts.
<link xlink:href="https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalsnon_cone_problems">Non-cone
mode</link> can be enabled by passing
<literal>nonConeMode = true</literal>, but note that non-cone
mode is deprecated and this option may be removed alongside a
future Git update without notice.
</para>
</listitem>
<listitem>
<para>
<literal>bsp-layout</literal> no longer uses the command
@ -357,6 +414,16 @@
release notes</link> for more details.
</para>
</listitem>
<listitem>
<para>
<literal>github-runner</literal> gained support for ephemeral
runners and registrations using a personal access token (PAT)
instead of a registration token. See
<literal>services.github-runner.ephemeral</literal> and
<literal>services.github-runner.tokenFile</literal> for
details.
</para>
</listitem>
<listitem>
<para>
A new module was added for the Saleae Logic device family,
@ -372,6 +439,13 @@
instead of using the Redis default.
</para>
</listitem>
<listitem>
<para>
Neo4j was updated from version 3 to version 4. See this
<link xlink:href="https://neo4j.com/docs/upgrade-migration-guide/current/">migration
guide</link> on how to migrate your Neo4j instance.
</para>
</listitem>
<listitem>
<para>
Matrix Synapse now requires entries in the
@ -450,6 +524,12 @@
dbus service.
</para>
</listitem>
<listitem>
<para>
The <literal>nomad</literal> package now defaults to 1.3,
which no longer has a downgrade path to releases 1.2 or older.
</para>
</listitem>
</itemizedlist>
</section>
</section>

View file

@ -133,14 +133,14 @@ update /etc/fstab.
which will be used by the boot partition.
```ShellSession
# parted /dev/sda -- mkpart primary 512MiB -8GiB
# parted /dev/sda -- mkpart primary 512MB -8GB
```
3. Next, add a *swap* partition. The size required will vary according
to needs, here a 8GiB one is created.
to needs, here a 8GB one is created.
```ShellSession
# parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
# parted /dev/sda -- mkpart primary linux-swap -8GB 100%
```
::: {.note}
@ -153,7 +153,7 @@ update /etc/fstab.
reserved 512MiB at the start of the disk.
```ShellSession
# parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB
# parted /dev/sda -- mkpart ESP fat32 1MB 512MB
# parted /dev/sda -- set 3 esp on
```
@ -180,14 +180,14 @@ update /etc/fstab.
end part, where the swap will live.
```ShellSession
# parted /dev/sda -- mkpart primary 1MiB -8GiB
# parted /dev/sda -- mkpart primary 1MB -8GB
```
3. Finally, add a *swap* partition. The size required will vary
according to needs, here a 8GiB one is created.
```ShellSession
# parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
# parted /dev/sda -- mkpart primary linux-swap -8GB 100%
```
::: {.note}

View file

@ -778,6 +778,7 @@ In addition to numerous new and upgraded packages, this release has the followin
sudo mkdir /var/lib/redis-peertube
sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
```
- Added the `keter` NixOS module. Keter reverse proxies requests to your loaded application based on virtual hostnames.
- If you are using Wayland you can choose to use the Ozone Wayland support
in Chrome and several Electron apps by setting the environment variable

View file

@ -35,6 +35,10 @@ In addition to numerous new and upgraded packages, this release has the followin
for a transition period so that in time the ecosystem can switch without
breaking compatibility with any supported NixOS release.
- `emacs` enables native compilation which means:
- emacs packages from nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine;
- emacs packages from somewhere else, e.g. `package-install`, will do asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still enjoy the benefit of native compilation for packages from nixpkgs.
- `nixos-generate-config` now generates configurations that can be built in pure
mode. This is achieved by setting the new `nixpkgs.hostPlatform` option.
@ -46,7 +50,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- PHP now defaults to PHP 8.1, updated from 8.0.
- Cinnamon has been updated to 5.4.
- Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to
blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream.
- `hardware.nvidia` has a new option `open` that can be used to opt in the opensource version of NVIDIA kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [NVIDIA Releases Open-Source GPU Kernel Modules](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for the official announcement.
@ -59,6 +64,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable).
- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable).
- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).
- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
@ -75,6 +82,9 @@ In addition to numerous new and upgraded packages, this release has the followin
- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).
- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
Available as [services.patroni](options.html#opt-services.patroni.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
@ -97,6 +107,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `isPowerPC` predicate, found on `platform` attrsets (`hostPlatform`, `buildPlatform`, `targetPlatform`, etc) has been removed in order to reduce confusion. The predicate was was defined such that it matches only the 32-bit big-endian members of the POWER/PowerPC family, despite having a name which would imply a broader set of systems. If you were using this predicate, you can replace `foo.isPowerPC` with `(with foo; isPower && is32bit && isBigEndian)`.
- The `fetchgit` fetcher now uses [cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalscone_mode_handling) by default for sparse checkouts. [Non-cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalsnon_cone_problems) can be enabled by passing `nonConeMode = true`, but note that non-cone mode is deprecated and this option may be removed alongside a future Git update without notice.
- `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`.
- The Barco ClickShare driver/client package `pkgs.clickshare-csc1` and the option `programs.clickshare-csc1.enable` have been removed,
@ -135,10 +147,14 @@ Use `configure.packages` instead.
- The `xplr` package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the [upstream release notes](https://github.com/sayanarijit/xplr/releases/tag/v0.19.0) for more details.
- `github-runner` gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See `services.github-runner.ephemeral` and `services.github-runner.tokenFile` for details.
- A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
- The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default.
- Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance.
- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
- `dockerTools.buildImage` deprecates the misunderstood `contents` parameter, in favor of `copyToRoot`.
@ -159,4 +175,6 @@ Use `configure.packages` instead.
- There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service.
- The `nomad` package now defaults to 1.3, which no longer has a downgrade path to releases 1.2 or older.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

View file

@ -123,7 +123,7 @@ in rec {
inherit self;
includeSiteCustomize = true;
});
in self.withPackages (p: [ p.mistune_2_0 ]))
in self.withPackages (p: [ p.mistune ]))
];
options = builtins.toFile "options.json"
(builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix));

View file

@ -285,6 +285,8 @@ in rec {
Documentation = toString config.documentation; }
// optionalAttrs (config.onFailure != []) {
OnFailure = toString config.onFailure; }
// optionalAttrs (config.onSuccess != []) {
OnSuccess = toString config.onSuccess; }
// optionalAttrs (options.startLimitIntervalSec.isDefined) {
StartLimitIntervalSec = toString config.startLimitIntervalSec;
} // optionalAttrs (options.startLimitBurst.isDefined) {

View file

@ -206,6 +206,15 @@ in rec {
'';
};
onSuccess = mkOption {
default = [];
type = types.listOf unitNameType;
description = ''
A list of one or more units that are activated when
this unit enters the "inactive" state.
'';
};
startLimitBurst = mkOption {
type = types.int;
description = ''

View file

@ -204,11 +204,11 @@ in {
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
'';
description = ''
These lines go to the end of <literal>krb5.conf</literal> verbatim.
<literal>krb5.conf</literal> may include any of the relations that are
valid for <literal>kdc.conf</literal> (see <literal>man
kdc.conf</literal>), but it is not a recommended practice.
description = lib.mdDoc ''
These lines go to the end of `krb5.conf` verbatim.
`krb5.conf` may include any of the relations that are
valid for `kdc.conf` (see `man kdc.conf`),
but it is not a recommended practice.
'';
};

View file

@ -186,16 +186,16 @@ in
policy = mkOption {
default = "hard_open";
type = types.enum [ "hard_open" "hard_init" "soft" ];
description = ''
description = lib.mdDoc ''
Specifies the policy to use for reconnecting to an unavailable
LDAP server. The default is <literal>hard_open</literal>, which
LDAP server. The default is `hard_open`, which
reconnects if opening the connection to the directory server
failed. By contrast, <literal>hard_init</literal> reconnects if
failed. By contrast, `hard_init` reconnects if
initializing the connection failed. Initializing may not
actually contact the directory server, and it is possible that
a malformed configuration file will trigger reconnection. If
<literal>soft</literal> is specified, then
<package>nss_ldap</package> will return immediately on server
`soft` is specified, then
`nss_ldap` will return immediately on server
failure. All hard reconnect policies block with exponential
backoff before retrying.
'';

View file

@ -0,0 +1,519 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.users.mysql;
in
{
options = {
users.mysql = {
enable = mkEnableOption "Authentication against a MySQL/MariaDB database";
host = mkOption {
type = types.str;
example = "localhost";
description = "The hostname of the MySQL/MariaDB server";
};
database = mkOption {
type = types.str;
example = "auth";
description = "The name of the database containing the users";
};
user = mkOption {
type = types.str;
example = "nss-user";
description = "The username to use when connecting to the database";
};
passwordFile = mkOption {
type = types.path;
example = "/run/secrets/mysql-auth-db-passwd";
description = "The path to the file containing the password for the user";
};
pam = mkOption {
description = "Settings for <literal>pam_mysql</literal>";
type = types.submodule {
options = {
table = mkOption {
type = types.str;
example = "users";
description = "The name of table that maps unique login names to the passwords.";
};
updateTable = mkOption {
type = types.nullOr types.str;
default = null;
example = "users_updates";
description = ''
The name of the table used for password alteration. If not defined, the value
of the <literal>table</literal> option will be used instead.
'';
};
userColumn = mkOption {
type = types.str;
example = "username";
description = "The name of the column that contains a unix login name.";
};
passwordColumn = mkOption {
type = types.str;
example = "password";
description = "The name of the column that contains a (encrypted) password string.";
};
statusColumn = mkOption {
type = types.nullOr types.str;
default = null;
example = "status";
description = ''
The name of the column or an SQL expression that indicates the status of
the user. The status is expressed by the combination of two bitfields
shown below:
<itemizedlist>
<listitem>
<para>
<literal>bit 0 (0x01)</literal>:
if flagged, <literal>pam_mysql</literal> deems the account to be expired and
returns <literal>PAM_ACCT_EXPIRED</literal>. That is, the account is supposed
to no longer be available. Note this doesn't mean that <literal>pam_mysql</literal>
rejects further authentication operations.
</para>
</listitem>
<listitem>
<para>
<literal>bit 1 (0x02)</literal>:
if flagged, <literal>pam_mysql</literal> deems the authentication token
(password) to be expired and returns <literal>PAM_NEW_AUTHTOK_REQD</literal>.
This ends up requiring that the user enter a new password.
</para>
</listitem>
</itemizedlist>
'';
};
passwordCrypt = mkOption {
example = "2";
type = types.enum [
"0" "plain"
"1" "Y"
"2" "mysql"
"3" "md5"
"4" "sha1"
"5" "drupal7"
"6" "joomla15"
"7" "ssha"
"8" "sha512"
"9" "sha256"
];
description = ''
The method to encrypt the user's password:
<itemizedlist>
<listitem>
<para>
<literal>0</literal> (or <literal>"plain"</literal>):
No encryption. Passwords are stored in plaintext. HIGHLY DISCOURAGED.
</para>
</listitem>
<listitem>
<para>
<literal>1</literal> (or <literal>"Y"</literal>):
Use crypt(3) function.
</para>
</listitem>
<listitem>
<para>
<literal>2</literal> (or <literal>"mysql"</literal>):
Use the MySQL PASSWORD() function. It is possible that the encryption function used
by <literal>pam_mysql</literal> is different from that of the MySQL server, as
<literal>pam_mysql</literal> uses the function defined in MySQL's C-client API
instead of using PASSWORD() SQL function in the query.
</para>
</listitem>
<listitem>
<para>
<literal>3</literal> (or <literal>"md5"</literal>):
Use plain hex MD5.
</para>
</listitem>
<listitem>
<para>
<literal>4</literal> (or <literal>"sha1"</literal>):
Use plain hex SHA1.
</para>
</listitem>
<listitem>
<para>
<literal>5</literal> (or <literal>"drupal7"</literal>):
Use Drupal7 salted passwords.
</para>
</listitem>
<listitem>
<para>
<literal>6</literal> (or <literal>"joomla15"</literal>):
Use Joomla15 salted passwords.
</para>
</listitem>
<listitem>
<para>
<literal>7</literal> (or <literal>"ssha"</literal>):
Use ssha hashed passwords.
</para>
</listitem>
<listitem>
<para>
<literal>8</literal> (or <literal>"sha512"</literal>):
Use sha512 hashed passwords.
</para>
</listitem>
<listitem>
<para>
<literal>9</literal> (or <literal>"sha256"</literal>):
Use sha256 hashed passwords.
</para>
</listitem>
</itemizedlist>
'';
};
cryptDefault = mkOption {
type = types.nullOr (types.enum [ "md5" "sha256" "sha512" "blowfish" ]);
default = null;
example = "blowfish";
description = "The default encryption method to use for <literal>passwordCrypt = 1</literal>.";
};
where = mkOption {
type = types.nullOr types.str;
default = null;
example = "host.name='web' AND user.active=1";
description = "Additional criteria for the query.";
};
verbose = mkOption {
type = types.bool;
default = false;
description = ''
If enabled, produces logs with detailed messages that describes what
<literal>pam_mysql</literal> is doing. May be useful for debugging.
'';
};
disconnectEveryOperation = mkOption {
type = types.bool;
default = false;
description = ''
By default, <literal>pam_mysql</literal> keeps the connection to the MySQL
database until the session is closed. If this option is set to true it
disconnects every time the PAM operation has finished. This option may
be useful in case the session lasts quite long.
'';
};
logging = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enables logging of authentication attempts in the MySQL database.";
};
table = mkOption {
type = types.str;
example = "logs";
description = "The name of the table to which logs are written.";
};
msgColumn = mkOption {
type = types.str;
example = "msg";
description = ''
The name of the column in the log table to which the description
of the performed operation is stored.
'';
};
userColumn = mkOption {
type = types.str;
example = "user";
description = ''
The name of the column in the log table to which the name of the
user being authenticated is stored.
'';
};
pidColumn = mkOption {
type = types.str;
example = "pid";
description = ''
The name of the column in the log table to which the pid of the
process utilising the <literal>pam_mysql's</literal> authentication
service is stored.
'';
};
hostColumn = mkOption {
type = types.str;
example = "host";
description = ''
The name of the column in the log table to which the name of the user
being authenticated is stored.
'';
};
rHostColumn = mkOption {
type = types.str;
example = "rhost";
description = ''
The name of the column in the log table to which the name of the remote
host that initiates the session is stored. The value is supposed to be
set by the PAM-aware application with <literal>pam_set_item(PAM_RHOST)
</literal>.
'';
};
timeColumn = mkOption {
type = types.str;
example = "timestamp";
description = ''
The name of the column in the log table to which the timestamp of the
log entry is stored.
'';
};
};
};
};
};
nss = mkOption {
description = ''
Settings for <literal>libnss-mysql</literal>.
All examples are from the <link xlink:href="https://github.com/saknopper/libnss-mysql/tree/master/sample/minimal">minimal example</link>
of <literal>libnss-mysql</literal>, but they are modified with NixOS paths for bash.
'';
type = types.submodule {
options = {
getpwnam = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' \
FROM users \
WHERE username='%1$s' \
LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getpwnam.3.html">getpwnam</link>
syscall.
'';
};
getpwuid = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' \
FROM users \
WHERE uid='%1$u' \
LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getpwuid.3.html">getpwuid</link>
syscall.
'';
};
getspnam = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,password,'1','0','99999','0','0','-1','0' \
FROM users \
WHERE username='%1$s' \
LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getspnam.3.html">getspnam</link>
syscall.
'';
};
getpwent = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' FROM users
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getpwent.3.html">getpwent</link>
syscall.
'';
};
getspent = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username,password,'1','0','99999','0','0','-1','0' FROM users
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getspent.3.html">getspent</link>
syscall.
'';
};
getgrnam = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT name,password,gid FROM groups WHERE name='%1$s' LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getgrnam.3.html">getgrnam</link>
syscall.
'';
};
getgrgid = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT name,password,gid FROM groups WHERE gid='%1$u' LIMIT 1
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getgrgid.3.html">getgrgid</link>
syscall.
'';
};
getgrent = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT name,password,gid FROM groups
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/getgrent.3.html">getgrent</link>
syscall.
'';
};
memsbygid = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT username FROM grouplist WHERE gid='%1$u'
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/memsbygid.3.html">memsbygid</link>
syscall.
'';
};
gidsbymem = mkOption {
type = types.nullOr types.str;
default = null;
example = literalExpression ''
SELECT gid FROM grouplist WHERE username='%1$s'
'';
description = ''
SQL query for the <link
xlink:href="https://man7.org/linux/man-pages/man3/gidsbymem.3.html">gidsbymem</link>
syscall.
'';
};
};
};
};
};
};
config = mkIf cfg.enable {
system.nssModules = [ pkgs.libnss-mysql ];
system.nssDatabases.shadow = [ "mysql" ];
system.nssDatabases.group = [ "mysql" ];
system.nssDatabases.passwd = [ "mysql" ];
environment.etc."security/pam_mysql.conf" = {
user = "root";
group = "root";
mode = "0600";
# password will be added from password file in activation script
text = ''
users.host=${cfg.host}
users.db_user=${cfg.user}
users.database=${cfg.database}
users.table=${cfg.pam.table}
users.user_column=${cfg.pam.userColumn}
users.password_column=${cfg.pam.passwordColumn}
users.password_crypt=${cfg.pam.passwordCrypt}
users.disconnect_every_operation=${if cfg.pam.disconnectEveryOperation then "1" else "0"}
verbose=${if cfg.pam.verbose then "1" else "0"}
'' + optionalString (cfg.pam.cryptDefault != null) ''
users.use_${cfg.pam.cryptDefault}=1
'' + optionalString (cfg.pam.where != null) ''
users.where_clause=${cfg.pam.where}
'' + optionalString (cfg.pam.statusColumn != null) ''
users.status_column=${cfg.pam.statusColumn}
'' + optionalString (cfg.pam.updateTable != null) ''
users.update_table=${cfg.pam.updateTable}
'' + optionalString cfg.pam.logging.enable ''
log.enabled=true
log.table=${cfg.pam.logging.table}
log.message_column=${cfg.pam.logging.msgColumn}
log.pid_column=${cfg.pam.logging.pidColumn}
log.user_column=${cfg.pam.logging.userColumn}
log.host_column=${cfg.pam.logging.hostColumn}
log.rhost_column=${cfg.pam.logging.rHostColumn}
log.time_column=${cfg.pam.logging.timeColumn}
'';
};
environment.etc."libnss-mysql.cfg" = {
mode = "0600";
user = config.services.nscd.user;
group = config.services.nscd.group;
text = optionalString (cfg.nss.getpwnam != null) ''
getpwnam ${cfg.nss.getpwnam}
'' + optionalString (cfg.nss.getpwuid != null) ''
getpwuid ${cfg.nss.getpwuid}
'' + optionalString (cfg.nss.getspnam != null) ''
getspnam ${cfg.nss.getspnam}
'' + optionalString (cfg.nss.getpwent != null) ''
getpwent ${cfg.nss.getpwent}
'' + optionalString (cfg.nss.getspent != null) ''
getspent ${cfg.nss.getspent}
'' + optionalString (cfg.nss.getgrnam != null) ''
getgrnam ${cfg.nss.getgrnam}
'' + optionalString (cfg.nss.getgrgid != null) ''
getgrgid ${cfg.nss.getgrgid}
'' + optionalString (cfg.nss.getgrent != null) ''
getgrent ${cfg.nss.getgrent}
'' + optionalString (cfg.nss.memsbygid != null) ''
memsbygid ${cfg.nss.memsbygid}
'' + optionalString (cfg.nss.gidsbymem != null) ''
gidsbymem ${cfg.nss.gidsbymem}
'' + ''
host ${cfg.host}
database ${cfg.database}
'';
};
environment.etc."libnss-mysql-root.cfg" = {
mode = "0600";
user = config.services.nscd.user;
group = config.services.nscd.group;
# password will be added from password file in activation script
text = ''
username ${cfg.user}
'';
};
# Activation script to append the password from the password file
# to the configuration files. It also fixes the owner of the
# libnss-mysql-root.cfg because it is changed to root after the
# password is appended.
system.activationScripts.mysql-auth-passwords = ''
if [[ -r ${cfg.passwordFile} ]]; then
org_umask=$(umask)
umask 0077
conf_nss="$(mktemp)"
cp /etc/libnss-mysql-root.cfg $conf_nss
printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
conf_pam="$(mktemp)"
cp /etc/security/pam_mysql.conf $conf_pam
printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
mv -fT "$conf_pam" /etc/security/pam_mysql.conf
umask $org_umask
fi
'';
};
}

View file

@ -91,7 +91,7 @@ in
systemd.services.post-resume =
{ description = "Post-Resume Actions";
after = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" ];
after = [ "suspend.target" "hibernate.target" "hybrid-sleep.target" "suspend-then-hibernate.target" ];
script =
''
/run/current-system/systemd/bin/systemctl try-restart post-resume.target

View file

@ -26,13 +26,12 @@ in
{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }
'';
type = types.attrsOf sysctlOption;
description = ''
description = lib.mdDoc ''
Runtime parameters of the Linux kernel, as set by
<citerefentry><refentrytitle>sysctl</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>. Note that sysctl
{manpage}`sysctl(8)`. Note that sysctl
parameters names must be enclosed in quotes
(e.g. <literal>"vm.swappiness"</literal> instead of
<literal>vm.swappiness</literal>). The value of each
(e.g. `"vm.swappiness"` instead of
`vm.swappiness`). The value of each
parameter may be a string, integer, boolean, or null
(signifying the option will not appear at all).
'';

View file

@ -39,26 +39,23 @@ in
environment.profileRelativeSessionVariables = mkOption {
type = types.attrsOf (types.listOf types.str);
example = { PATH = [ "/bin" ]; MANPATH = [ "/man" "/share/man" ]; };
description = ''
description = lib.mdDoc ''
Attribute set of environment variable used in the global
environment. These variables will be set by PAM early in the
login process.
Variable substitution is available as described in
<citerefentry>
<refentrytitle>pam_env.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>.
{manpage}`pam_env.conf(5)`.
Each attribute maps to a list of relative paths. Each relative
path is appended to the each profile of
<option>environment.profiles</option> to form the content of
{option}`environment.profiles` to form the content of
the corresponding environment variable.
Also, these variables are merged into
<xref linkend="opt-environment.profileRelativeEnvVars"/> and it is
[](#opt-environment.profileRelativeEnvVars) and it is
therefore not possible to use PAM style variables such as
<literal>@{HOME}</literal>.
`@{HOME}`.
'';
};

View file

@ -84,19 +84,19 @@ in
<programlisting>${defaultPackagesText}</programlisting>
'';
example = [];
description = ''
description = lib.mdDoc ''
Set of default packages that aren't strictly necessary
for a running system, entries can be removed for a more
minimal NixOS installation.
Note: If <package>pkgs.nano</package> is removed from this list,
Note: If `pkgs.nano` is removed from this list,
make sure another editor is installed and the
<literal>EDITOR</literal> environment variable is set to it.
`EDITOR` environment variable is set to it.
Environment variables can be set using
<option>environment.variables</option>.
{option}`environment.variables`.
Like with systemPackages, packages are installed to
<filename>/run/current-system/sw</filename>. They are
{file}`/run/current-system/sw`. They are
automatically available to all users, and are
automatically updated every time you rebuild the system
configuration.

View file

@ -40,12 +40,12 @@ in
extraPortals = mkOption {
type = types.listOf types.package;
default = [ ];
description = ''
description = lib.mdDoc ''
List of additional portals to add to path. Portals allow interaction
with system, like choosing files or taking screenshots. At minimum,
a desktop portal implementation should be listed. GNOME and KDE already
adds <package>xdg-desktop-portal-gtk</package>; and
<package>xdg-desktop-portal-kde</package> respectively. On other desktop
adds `xdg-desktop-portal-gtk`; and
`xdg-desktop-portal-kde` respectively. On other desktop
environments you probably want to add them yourself.
'';
};

View file

@ -15,7 +15,7 @@ in
enable = mkEnableOption ''
the desktop portal for the LXQt desktop environment.
This will add the <package>lxqt.xdg-desktop-portal-lxqt</package>
This will add the <literal>lxqt.xdg-desktop-portal-lxqt</literal>
package (with the extra Qt styles) into the
<option>xdg.portal.extraPortals</option> option
'';
@ -29,9 +29,9 @@ in
pkgs.qtcurve
];
'';
description = ''
description = lib.mdDoc ''
Extra Qt styles that will be available to the
<package>lxqt.xdg-desktop-portal-lxqt</package>.
`lxqt.xdg-desktop-portal-lxqt`.
'';
};
};

View file

@ -17,16 +17,16 @@ in
enable = mkEnableOption ''
desktop portal for wlroots-based desktops
This will add the <package>xdg-desktop-portal-wlr</package> package into
This will add the <literal>xdg-desktop-portal-wlr</literal> package into
the <option>xdg.portal.extraPortals</option> option, and provide the
configuration file
'';
settings = mkOption {
description = ''
Configuration for <package>xdg-desktop-portal-wlr</package>.
description = lib.mdDoc ''
Configuration for `xdg-desktop-portal-wlr`.
See <literal>xdg-desktop-portal-wlr(5)</literal> for supported
See `xdg-desktop-portal-wlr(5)` for supported
values.
'';

View file

@ -103,12 +103,12 @@ in
default = "zstd";
example = "lz4";
type = with types; either (enum [ "lzo" "lz4" "zstd" ]) str;
description = ''
Compression algorithm. <literal>lzo</literal> has good compression,
but is slow. <literal>lz4</literal> has bad compression, but is fast.
<literal>zstd</literal> is both good compression and fast, but requires newer kernel.
description = lib.mdDoc ''
Compression algorithm. `lzo` has good compression,
but is slow. `lz4` has bad compression, but is fast.
`zstd` is both good compression and fast, but requires newer kernel.
You can check what other algorithms are supported by your zram device with
<programlisting>cat /sys/class/block/zram*/comp_algorithm</programlisting>
{command}`cat /sys/class/block/zram*/comp_algorithm`
'';
};
};

View file

@ -20,7 +20,7 @@ in
type = types.str;
default = "0xfffd7fff";
example = "0xffffffff";
description = ''
description = lib.mdDoc ''
Sets the `amdgpu.ppfeaturemask` kernel option.
In particular, it is used here to set the overdrive bit.
Default is `0xfffd7fff` as it is less likely to cause flicker issues.

View file

@ -8,17 +8,17 @@ in
options.hardware.cpu.amd.sev = {
enable = mkEnableOption "access to the AMD SEV device";
user = mkOption {
description = "Owner to assign to the SEV device.";
description = lib.mdDoc "Owner to assign to the SEV device.";
type = types.str;
default = "root";
};
group = mkOption {
description = "Group to assign to the SEV device.";
description = lib.mdDoc "Group to assign to the SEV device.";
type = types.str;
default = defaultGroup;
};
mode = mkOption {
description = "Mode to set for the SEV device.";
description = lib.mdDoc "Mode to set for the SEV device.";
type = types.str;
default = "0660";
};

View file

@ -56,23 +56,6 @@ let
};
};
# this requires kernel package
dtbsWithSymbols = pkgs.stdenv.mkDerivation {
name = "dtbs-with-symbols";
inherit (cfg.kernelPackage) src nativeBuildInputs depsBuildBuild;
patches = map (patch: patch.patch) cfg.kernelPackage.kernelPatches;
buildPhase = ''
patchShebangs scripts/*
substituteInPlace scripts/Makefile.lib \
--replace 'DTC_FLAGS += $(DTC_FLAGS_$(basetarget))' 'DTC_FLAGS += $(DTC_FLAGS_$(basetarget)) -@'
make ${pkgs.stdenv.hostPlatform.linux-kernel.baseConfig} ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
make dtbs ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
'';
installPhase = ''
make dtbs_install INSTALL_DTBS_PATH=$out/dtbs ARCH="${pkgs.stdenv.hostPlatform.linuxArch}"
'';
};
filterDTBs = src: if isNull cfg.filter
then "${src}/dtbs"
else
@ -83,6 +66,8 @@ let
| xargs -0 cp -v --no-preserve=mode --target-directory $out --parents
'';
filteredDTBs = filterDTBs cfg.kernelPackage;
# Compile single Device Tree overlay source
# file (.dts) into its compiled variant (.dtbo)
compileDTS = name: f: pkgs.callPackage({ stdenv, dtc }: stdenv.mkDerivation {
@ -197,7 +182,7 @@ in
};
hardware.deviceTree.package = if (cfg.overlays != [])
then pkgs.deviceTree.applyOverlays (filterDTBs dtbsWithSymbols) (withDTBOs cfg.overlays)
else (filterDTBs cfg.kernelPackage);
then pkgs.deviceTree.applyOverlays filteredDTBs (withDTBOs cfg.overlays)
else filteredDTBs;
};
}

View file

@ -11,6 +11,14 @@ with lib;
console.earlySetup = mkDefault true;
boot.loader.systemd-boot.consoleMode = mkDefault "1";
# Grayscale anti-aliasing for fonts
fonts.fontconfig.antialias = mkDefault true;
fonts.fontconfig.subpixel = {
rgba = mkDefault "none";
lcdfilter = mkDefault "none";
};
# TODO Find reasonable defaults X11 & wayland
};
}

View file

@ -454,23 +454,23 @@ in
isoImage.isoName = mkOption {
default = "${config.isoImage.isoBaseName}.iso";
description = ''
description = lib.mdDoc ''
Name of the generated ISO image file.
'';
};
isoImage.isoBaseName = mkOption {
default = "nixos";
description = ''
description = lib.mdDoc ''
Prefix of the name of the generated ISO image file.
'';
};
isoImage.compressImage = mkOption {
default = false;
description = ''
description = lib.mdDoc ''
Whether the ISO image should be compressed using
<command>zstd</command>.
{command}`zstd`.
'';
};
@ -481,7 +481,7 @@ in
+ lib.optionalString isAarch "-Xbcj arm"
+ lib.optionalString (isPower && is32bit && isBigEndian) "-Xbcj powerpc"
+ lib.optionalString (isSparc) "-Xbcj sparc";
description = ''
description = lib.mdDoc ''
Compression settings to use for the squashfs nix store.
'';
example = "zstd -Xcompression-level 6";
@ -489,7 +489,7 @@ in
isoImage.edition = mkOption {
default = "";
description = ''
description = lib.mdDoc ''
Specifies which edition string to use in the volume ID of the generated
ISO image.
'';
@ -498,7 +498,7 @@ in
isoImage.volumeID = mkOption {
# nixos-$EDITION-$RELEASE-$ARCH
default = "nixos${optionalString (config.isoImage.edition != "") "-${config.isoImage.edition}"}-${config.system.nixos.release}-${pkgs.stdenv.hostPlatform.uname.processor}";
description = ''
description = lib.mdDoc ''
Specifies the label or volume ID of the generated ISO image.
Note that the label is used by stage 1 of the boot process to
mount the CD, so it should be reasonably distinctive.
@ -512,7 +512,7 @@ in
}
]
'';
description = ''
description = lib.mdDoc ''
This option lists files to be copied to fixed locations in the
generated ISO image.
'';
@ -520,7 +520,7 @@ in
isoImage.storeContents = mkOption {
example = literalExpression "[ pkgs.stdenv ]";
description = ''
description = lib.mdDoc ''
This option lists additional derivations to be included in the
Nix store in the generated ISO image.
'';
@ -528,7 +528,7 @@ in
isoImage.includeSystemBuildDependencies = mkOption {
default = false;
description = ''
description = lib.mdDoc ''
Set this option to include all the needed sources etc in the
image. It significantly increases image size. Use that when
you want to be able to keep all the sources needed to build your
@ -539,14 +539,14 @@ in
isoImage.makeEfiBootable = mkOption {
default = false;
description = ''
description = lib.mdDoc ''
Whether the ISO image should be an efi-bootable volume.
'';
};
isoImage.makeUsbBootable = mkOption {
default = false;
description = ''
description = lib.mdDoc ''
Whether the ISO image should be bootable from CD as well as USB.
'';
};
@ -556,7 +556,7 @@ in
url = "https://raw.githubusercontent.com/NixOS/nixos-artwork/a9e05d7deb38a8e005a2b52575a3f59a63a4dba0/bootloader/efi-background.png";
sha256 = "18lfwmp8yq923322nlb9gxrh5qikj1wsk6g5qvdh31c4h5b1538x";
};
description = ''
description = lib.mdDoc ''
The splash image to use in the EFI bootloader.
'';
};
@ -566,7 +566,7 @@ in
url = "https://raw.githubusercontent.com/NixOS/nixos-artwork/a9e05d7deb38a8e005a2b52575a3f59a63a4dba0/bootloader/isolinux/bios-boot.png";
sha256 = "1wp822zrhbg4fgfbwkr7cbkr4labx477209agzc0hr6k62fr6rxd";
};
description = ''
description = lib.mdDoc ''
The splash image to use in the legacy-boot bootloader.
'';
};
@ -574,7 +574,7 @@ in
isoImage.grubTheme = mkOption {
default = pkgs.nixos-grub2-theme;
type = types.nullOr (types.either types.path types.package);
description = ''
description = lib.mdDoc ''
The grub2 theme used for UEFI boot.
'';
};
@ -605,7 +605,7 @@ in
MENU COLOR SEL 7;37;40 #FFFFFFFF #FF5277C3 std
'';
type = types.str;
description = ''
description = lib.mdDoc ''
The syslinux theme used for BIOS boot.
'';
};
@ -613,12 +613,12 @@ in
isoImage.appendToMenuLabel = mkOption {
default = " Installer";
example = " Live System";
description = ''
description = lib.mdDoc ''
The string to append after the menu label for the NixOS system.
This will be directly appended (without whitespace) to the NixOS version
string, like for example if it is set to <literal>XXX</literal>:
string, like for example if it is set to `XXX`:
<literal>NixOS 99.99-pre666XXX</literal>
`NixOS 99.99-pre666XXX`
'';
};

View file

@ -10,7 +10,7 @@ with lib;
netboot.storeContents = mkOption {
example = literalExpression "[ pkgs.stdenv ]";
description = ''
description = lib.mdDoc ''
This option lists additional derivations to be included in the
Nix store in the generated netboot image.
'';

View file

@ -35,14 +35,14 @@ in
options.sdImage = {
imageName = mkOption {
default = "${config.sdImage.imageBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.img";
description = ''
description = lib.mdDoc ''
Name of the generated image file.
'';
};
imageBaseName = mkOption {
default = "nixos-sd-image";
description = ''
description = lib.mdDoc ''
Prefix of the name of the generated image file.
'';
};
@ -50,7 +50,7 @@ in
storePaths = mkOption {
type = with types; listOf package;
example = literalExpression "[ pkgs.stdenv ]";
description = ''
description = lib.mdDoc ''
Derivations to be included in the Nix store in the generated SD image.
'';
};
@ -74,7 +74,7 @@ in
firmwarePartitionID = mkOption {
type = types.str;
default = "0x2178694e";
description = ''
description = lib.mdDoc ''
Volume ID for the /boot/firmware partition on the SD card. This value
must be a 32-bit hexadecimal number.
'';
@ -83,7 +83,7 @@ in
firmwarePartitionName = mkOption {
type = types.str;
default = "FIRMWARE";
description = ''
description = lib.mdDoc ''
Name of the filesystem which holds the boot firmware.
'';
};
@ -92,7 +92,7 @@ in
type = types.nullOr types.str;
default = null;
example = "14e19a7b-0ae0-484d-9d54-43bd6fdc20c7";
description = ''
description = lib.mdDoc ''
UUID for the filesystem on the main NixOS partition on the SD card.
'';
};
@ -101,14 +101,14 @@ in
type = types.int;
# As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB
default = 30;
description = ''
description = lib.mdDoc ''
Size of the /boot/firmware partition, in megabytes.
'';
};
populateFirmwareCommands = mkOption {
example = literalExpression "'' cp \${pkgs.myBootLoader}/u-boot.bin firmware/ ''";
description = ''
description = lib.mdDoc ''
Shell commands to populate the ./firmware directory.
All files in that directory are copied to the
/boot/firmware partition on the SD image.
@ -117,7 +117,7 @@ in
populateRootCommands = mkOption {
example = literalExpression "''\${config.boot.loader.generic-extlinux-compatible.populateCmd} -c \${config.system.build.toplevel} -d ./files/boot''";
description = ''
description = lib.mdDoc ''
Shell commands to populate the ./files directory.
All files in that directory are copied to the
root (/) partition on the SD image. Use this to
@ -128,7 +128,7 @@ in
postBuildCommands = mkOption {
example = literalExpression "'' dd if=\${pkgs.myBootLoader}/SPL of=$img bs=1024 seek=1 conv=notrunc ''";
default = "";
description = ''
description = lib.mdDoc ''
Shell commands to run after the image is built.
Can be used for boards requiring to dd u-boot SPL before actual partitions.
'';
@ -137,16 +137,16 @@ in
compressImage = mkOption {
type = types.bool;
default = true;
description = ''
description = lib.mdDoc ''
Whether the SD image should be compressed using
<command>zstd</command>.
{command}`zstd`.
'';
};
expandOnBoot = mkOption {
type = types.bool;
default = true;
description = ''
description = lib.mdDoc ''
Whether to configure the sd image to expand it's partition on boot.
'';
};

View file

@ -160,9 +160,9 @@ in
enable = mkOption {
type = types.bool;
default = true;
description = ''
description = lib.mdDoc ''
Whether to install documentation of packages from
<option>environment.systemPackages</option> into the generated system path.
{option}`environment.systemPackages` into the generated system path.
See "Multiple-output packages" chapter in the nixpkgs manual for more info.
'';
@ -172,9 +172,9 @@ in
man.enable = mkOption {
type = types.bool;
default = true;
description = ''
description = lib.mdDoc ''
Whether to install manual pages.
This also includes <literal>man</literal> outputs.
This also includes `man` outputs.
'';
};
@ -193,8 +193,8 @@ in
info.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to install info pages and the <command>info</command> command.
description = lib.mdDoc ''
Whether to install info pages and the {command}`info` command.
This also includes "info" outputs.
'';
};
@ -202,8 +202,8 @@ in
doc.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to install documentation distributed in packages' <literal>/share/doc</literal>.
description = lib.mdDoc ''
Whether to install documentation distributed in packages' `/share/doc`.
Usually plain text and/or HTML.
This also includes "doc" outputs.
'';
@ -230,8 +230,7 @@ in
Whether to install NixOS's own documentation.
<itemizedlist>
<listitem><para>This includes man pages like
<citerefentry><refentrytitle>configuration.nix</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> if <option>documentation.man.enable</option> is
<citerefentry><refentrytitle>configuration.nix</refentrytitle><manvolnum>5</manvolnum></citerefentry> if <option>documentation.man.enable</option> is
set.</para></listitem>
<listitem><para>This includes the HTML manual and the <command>nixos-help</command> command if
<option>documentation.doc.enable</option> is set.</para></listitem>
@ -242,7 +241,7 @@ in
nixos.extraModules = mkOption {
type = types.listOf types.raw;
default = [];
description = ''
description = lib.mdDoc ''
Modules for which to show options even when not imported.
'';
};
@ -250,7 +249,7 @@ in
nixos.options.splitBuild = mkOption {
type = types.bool;
default = true;
description = ''
description = lib.mdDoc ''
Whether to split the option docs build into a cacheable and an uncacheable part.
Splitting the build can substantially decrease the amount of time needed to build
the manual, but some user modules may be incompatible with this splitting.
@ -260,7 +259,7 @@ in
nixos.options.warningsAreErrors = mkOption {
type = types.bool;
default = true;
description = ''
description = lib.mdDoc ''
Treat warning emitted during the option documentation build (eg for missing option
descriptions) as errors.
'';
@ -269,18 +268,18 @@ in
nixos.includeAllModules = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Whether the generated NixOS's documentation should include documentation for all
the options from all the NixOS modules included in the current
<literal>configuration.nix</literal>. Disabling this will make the manual
generator to ignore options defined outside of <literal>baseModules</literal>.
`configuration.nix`. Disabling this will make the manual
generator to ignore options defined outside of `baseModules`.
'';
};
nixos.extraModuleSources = mkOption {
type = types.listOf (types.either types.path types.str);
default = [ ];
description = ''
description = lib.mdDoc ''
Which extra NixOS module paths the generated NixOS's documentation should strip
from options.
'';

View file

@ -354,6 +354,7 @@ in
webdav = 322;
pipewire = 323;
rstudio-server = 324;
localtimed = 325;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -662,6 +663,7 @@ in
webdav = 322;
pipewire = 323;
rstudio-server = 324;
localtimed = 325;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

View file

@ -39,16 +39,15 @@ in
type = str;
default = "02:15";
example = "hourly";
description = ''
description = lib.mdDoc ''
Update the locate database at this interval. Updates by
default at 2:15 AM every day.
The format is described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
{manpage}`systemd.time(7)`.
To disable automatic updates, set to <literal>"never"</literal>
and run <command>updatedb</command> manually.
To disable automatic updates, set to `"never"`
and run {command}`updatedb` manually.
'';
};

View file

@ -117,13 +117,13 @@ in
'';
type = pkgsType;
example = literalExpression "import <nixpkgs> {}";
description = ''
description = lib.mdDoc ''
If set, the pkgs argument to all NixOS modules is the value of
this option, extended with <literal>nixpkgs.overlays</literal>, if
that is also set. Either <literal>nixpkgs.crossSystem</literal> or
<literal>nixpkgs.localSystem</literal> will be used in an assertion
this option, extended with `nixpkgs.overlays`, if
that is also set. Either `nixpkgs.crossSystem` or
`nixpkgs.localSystem` will be used in an assertion
to check that the NixOS and Nixpkgs architectures match. Any
other options in <literal>nixpkgs.*</literal>, notably <literal>config</literal>,
other options in `nixpkgs.*`, notably `config`,
will be ignored.
If unset, the pkgs argument to all NixOS modules is determined
@ -132,18 +132,18 @@ in
The default value imports the Nixpkgs source files
relative to the location of this NixOS module, because
NixOS and Nixpkgs are distributed together for consistency,
so the <literal>nixos</literal> in the default value is in fact a
relative path. The <literal>config</literal>, <literal>overlays</literal>,
<literal>localSystem</literal>, and <literal>crossSystem</literal> come
so the `nixos` in the default value is in fact a
relative path. The `config`, `overlays`,
`localSystem`, and `crossSystem` come
from this option's siblings.
This option can be used by applications like NixOps to increase
the performance of evaluation, or to create packages that depend
on a container that should be built with the exact same evaluation
of Nixpkgs, for example. Applications like this should set
their default value using <literal>lib.mkDefault</literal>, so
their default value using `lib.mkDefault`, so
user-provided configuration can override it without using
<literal>lib</literal>.
`lib`.
Note that using a distinct version of Nixpkgs with NixOS may
be an unexpected source of problems. Use this option with care.
@ -157,12 +157,12 @@ in
{ allowBroken = true; allowUnfree = true; }
'';
type = configType;
description = ''
description = lib.mdDoc ''
The configuration of the Nix Packages collection. (For
details, see the Nixpkgs documentation.) It allows you to set
package configuration options.
Ignored when <literal>nixpkgs.pkgs</literal> is set.
Ignored when `nixpkgs.pkgs` is set.
'';
};
@ -180,17 +180,17 @@ in
]
'';
type = types.listOf overlayType;
description = ''
description = lib.mdDoc ''
List of overlays to use with the Nix Packages collection.
(For details, see the Nixpkgs documentation.) It allows
you to override packages globally. Each function in the list
takes as an argument the <emphasis>original</emphasis> Nixpkgs.
takes as an argument the *original* Nixpkgs.
The first argument should be used for finding dependencies, and
the second should be used for overriding recipes.
If <literal>nixpkgs.pkgs</literal> is set, overlays specified here
If `nixpkgs.pkgs` is set, overlays specified here
will be applied after the overlays that were already present
in <literal>nixpkgs.pkgs</literal>.
in `nixpkgs.pkgs`.
'';
};
@ -202,12 +202,12 @@ in
apply = lib.systems.elaborate;
defaultText = literalExpression
''(import "''${nixos}/../lib").lib.systems.examples.aarch64-multiplatform'';
description = ''
description = lib.mdDoc ''
Specifies the platform where the NixOS configuration will run.
To cross-compile, set also <literal>nixpkgs.buildPlatform</literal>.
To cross-compile, set also `nixpkgs.buildPlatform`.
Ignored when <literal>nixpkgs.pkgs</literal> is set.
Ignored when `nixpkgs.pkgs` is set.
'';
};
@ -220,7 +220,7 @@ in
apply = lib.systems.elaborate;
defaultText = literalExpression
''config.nixpkgs.hostPlatform'';
description = ''
description = lib.mdDoc ''
Specifies the platform on which NixOS should be built.
By default, NixOS is built on the system where it runs, but you can
change where it's built. Setting this option will cause NixOS to be
@ -230,7 +230,7 @@ in
or if you're building machines, you can set this to match your
development system and/or build farm.
Ignored when <literal>nixpkgs.pkgs</literal> is set.
Ignored when `nixpkgs.pkgs` is set.
'';
};
@ -243,25 +243,25 @@ in
apply = lib.systems.elaborate;
defaultText = literalExpression
''(import "''${nixos}/../lib").lib.systems.examples.aarch64-multiplatform'';
description = ''
Systems with a recently generated <literal>hardware-configuration.nix</literal>
description = lib.mdDoc ''
Systems with a recently generated `hardware-configuration.nix`
do not need to specify this option, unless cross-compiling, in which case
you should set <emphasis>only</emphasis> <option>nixpkgs.buildPlatform</option>.
you should set *only* {option}`nixpkgs.buildPlatform`.
If this is somehow not feasible, you may fall back to removing the
<option>nixpkgs.hostPlatform</option> line from the generated config and
{option}`nixpkgs.hostPlatform` line from the generated config and
use the old options.
Specifies the platform on which NixOS should be built. When
<literal>nixpkgs.crossSystem</literal> is unset, it also specifies
the platform <emphasis>for</emphasis> which NixOS should be
`nixpkgs.crossSystem` is unset, it also specifies
the platform *for* which NixOS should be
built. If this option is unset, it defaults to the platform
type of the machine where evaluation happens. Specifying this
option is useful when doing distributed multi-platform
deployment, or when building virtual machines. See its
description in the Nixpkgs manual for more details.
Ignored when <literal>nixpkgs.pkgs</literal> or <literal>hostPlatform</literal> is set.
Ignored when `nixpkgs.pkgs` or `hostPlatform` is set.
'';
};
@ -272,20 +272,20 @@ in
type = types.nullOr types.attrs; # TODO utilize lib.systems.parsedPlatform
default = null;
example = { system = "aarch64-linux"; config = "aarch64-unknown-linux-gnu"; };
description = ''
Systems with a recently generated <literal>hardware-configuration.nix</literal>
may instead specify <emphasis>only</emphasis> <option>nixpkgs.buildPlatform</option>,
or fall back to removing the <option>nixpkgs.hostPlatform</option> line from the generated config.
description = lib.mdDoc ''
Systems with a recently generated `hardware-configuration.nix`
may instead specify *only* {option}`nixpkgs.buildPlatform`,
or fall back to removing the {option}`nixpkgs.hostPlatform` line from the generated config.
Specifies the platform for which NixOS should be
built. Specify this only if it is different from
<literal>nixpkgs.localSystem</literal>, the platform
<emphasis>on</emphasis> which NixOS should be built. In other
`nixpkgs.localSystem`, the platform
*on* which NixOS should be built. In other
words, specify this to cross-compile NixOS. Otherwise it
should be set as null, the default. See its description in the
Nixpkgs manual for more details.
Ignored when <literal>nixpkgs.pkgs</literal> or <literal>hostPlatform</literal> is set.
Ignored when `nixpkgs.pkgs` or `hostPlatform` is set.
'';
};

View file

@ -23,7 +23,7 @@ in
}
'';
description = ''
description = lib.mdDoc ''
A set with the key names being the environment variable you'd like to
set and the values being a list of paths to text documents containing
lists of words. The various files will be merged, sorted, duplicates

View file

@ -22,6 +22,7 @@
./config/ldap.nix
./config/locale.nix
./config/malloc.nix
./config/mysql.nix
./config/networking.nix
./config/no-x-libs.nix
./config/nsswitch.nix
@ -329,6 +330,7 @@
./services/cluster/kubernetes/proxy.nix
./services/cluster/kubernetes/scheduler.nix
./services/cluster/pacemaker/default.nix
./services/cluster/patroni/default.nix
./services/cluster/spark/default.nix
./services/computing/boinc/client.nix
./services/computing/foldingathome/client.nix
@ -618,6 +620,7 @@
./services/misc/plikd.nix
./services/misc/podgrab.nix
./services/misc/polaris.nix
./services/misc/portunus.nix
./services/misc/prowlarr.nix
./services/misc/tautulli.nix
./services/misc/pinnwand.nix
@ -637,6 +640,7 @@
./services/misc/sonarr.nix
./services/misc/sourcehut
./services/misc/spice-vdagentd.nix
./services/misc/spice-webdavd.nix
./services/misc/ssm-agent.nix
./services/misc/sssd.nix
./services/misc/subsonic.nix
@ -1023,7 +1027,7 @@
./services/system/cloud-init.nix
./services/system/dbus.nix
./services/system/earlyoom.nix
./services/system/localtime.nix
./services/system/localtimed.nix
./services/system/kerberos/default.nix
./services/system/nscd.nix
./services/system/saslauthd.nix
@ -1074,6 +1078,7 @@
./services/web-apps/jirafeau.nix
./services/web-apps/jitsi-meet.nix
./services/web-apps/keycloak.nix
./services/web-apps/komga.nix
./services/web-apps/lemmy.nix
./services/web-apps/invidious.nix
./services/web-apps/invoiceplane.nix
@ -1134,6 +1139,7 @@
./services/web-servers/pomerium.nix
./services/web-servers/unit/default.nix
./services/web-servers/tomcat.nix
./services/web-servers/keter
./services/web-servers/traefik.nix
./services/web-servers/trafficserver/default.nix
./services/web-servers/ttyd.nix

View file

@ -61,7 +61,7 @@ in
installer.cloneConfig = mkOption {
default = true;
description = ''
description = lib.mdDoc ''
Try to clone the installation-device configuration by re-using it's
profile from the list of imported modules.
'';
@ -70,14 +70,14 @@ in
installer.cloneConfigIncludes = mkOption {
default = [];
example = [ "./nixos/modules/hardware/network/rt73.nix" ];
description = ''
description = lib.mdDoc ''
List of modules used to re-build this installation device profile.
'';
};
installer.cloneConfigExtra = mkOption {
default = "";
description = ''
description = lib.mdDoc ''
Extra text to include in the cloned configuration.nix included in this
installer.
'';

View file

@ -85,9 +85,9 @@ in
bindInterface = mkOption {
default = true;
type = types.bool;
description = ''
Binds <package>captive-browser</package> to the network interface declared in
<literal>cfg.interface</literal>. This can be used to avoid collisions
description = lib.mdDoc ''
Binds `captive-browser` to the network interface declared in
`cfg.interface`. This can be used to avoid collisions
with private subnets.
'';
};

View file

@ -76,10 +76,10 @@ in
extraOpts = mkOption {
type = types.attrs;
description = ''
description = lib.mdDoc ''
Extra chromium policy options. A list of available policies
can be found in the Chrome Enterprise documentation:
<link xlink:href="https://cloud.google.com/docs/chrome-enterprise/policies/">https://cloud.google.com/docs/chrome-enterprise/policies/</link>
<https://cloud.google.com/docs/chrome-enterprise/policies/>
Make sure the selected policy is supported on Linux and your browser version.
'';
default = {};

View file

@ -8,15 +8,15 @@ with lib;
enable = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Whether to enable k3b, the KDE disk burning application.
Additionally to installing <package>k3b</package> enabling this will
add <literal>setuid</literal> wrappers in <literal>/run/wrappers/bin</literal>
for both <package>cdrdao</package> and <package>cdrecord</package>. On first
run you must manually configure the path of <package>cdrdae</package> and
<package>cdrecord</package> to correspond to the appropriate paths under
<literal>/run/wrappers/bin</literal> in the "Setup External Programs" menu.
Additionally to installing `k3b` enabling this will
add `setuid` wrappers in `/run/wrappers/bin`
for both `cdrdao` and `cdrecord`. On first
run you must manually configure the path of `cdrdae` and
`cdrecord` to correspond to the appropriate paths under
`/run/wrappers/bin` in the "Setup External Programs" menu.
'';
};
};

View file

@ -17,7 +17,7 @@ in
type = lib.types.bool;
};
withUtempter = mkOption {
description = ''
description = lib.mdDoc ''
Whether to enable libutempter for mosh.
This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions).
Note, this will add a guid wrapper for the group utmp!

View file

@ -45,7 +45,7 @@ in {
passwordeval = "cat /secrets/password.txt";
};
};
description = ''
description = lib.mdDoc ''
Named accounts and their respective configurations.
The special name "default" allows a default account to be defined.
See msmtp(1) for the available options.

View file

@ -93,10 +93,10 @@ in
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra configuration text prepended to <filename>ssh_config</filename>. Other generated
options will be added after a <literal>Host *</literal> pattern.
See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>
description = lib.mdDoc ''
Extra configuration text prepended to {file}`ssh_config`. Other generated
options will be added after a `Host *` pattern.
See {manpage}`ssh_config(5)`
for help.
'';
};

View file

@ -22,7 +22,7 @@ in
default = "fuck";
type = types.str;
description = ''
description = lib.mdDoc ''
`thefuck` needs an alias to be configured.
The default value is `fuck`, but you can use anything else as well.
'';

View file

@ -95,13 +95,13 @@ let
exclude.dir /nix/store
include.encrypt /home/.../*
'';
description = ''
<literal>include.*</literal> and
<literal>exclude.*</literal> directives to be
description = lib.mdDoc ''
`include.*` and
`exclude.*` directives to be
used when sending files to the IBM TSM server.
The lines will be written into a file that the
<literal>inclexcl</literal>
directive in <filename>dsm.sys</filename> points to.
`inclexcl`
directive in {file}`dsm.sys` points to.
'';
};
options.extraConfig = mkOption {

View file

@ -62,7 +62,7 @@ in
to use `yabar-unstable'.
'';
description = ''
description = lib.mdDoc ''
The package which contains the `yabar` binary.
Nixpkgs provides the `yabar` and `yabar-unstable`

View file

@ -49,7 +49,7 @@ in
package = mkOption {
default = pkgs.oh-my-zsh;
defaultText = literalExpression "pkgs.oh-my-zsh";
description = ''
description = lib.mdDoc ''
Package to install for `oh-my-zsh` usage.
'';
@ -67,7 +67,7 @@ in
custom = mkOption {
default = null;
type = with types; nullOr str;
description = ''
description = lib.mdDoc ''
Path to a custom oh-my-zsh package to override config of oh-my-zsh.
(Can't be used along with `customPkgs`).
'';
@ -76,7 +76,7 @@ in
customPkgs = mkOption {
default = [];
type = types.listOf types.package;
description = ''
description = lib.mdDoc ''
List of custom packages that should be loaded into `oh-my-zsh`.
'';
};
@ -92,7 +92,7 @@ in
cacheDir = mkOption {
default = "$HOME/.cache/oh-my-zsh";
type = types.str;
description = ''
description = lib.mdDoc ''
Cache directory to be used by `oh-my-zsh`.
Without this option it would default to the read-only nix store.
'';

View file

@ -11,7 +11,7 @@ in {
package = mkOption {
default = pkgs.zsh-autoenv;
defaultText = literalExpression "pkgs.zsh-autoenv";
description = ''
description = lib.mdDoc ''
Package to install for `zsh-autoenv` usage.
'';

View file

@ -24,7 +24,7 @@ in
strategy = mkOption {
type = types.listOf (types.enum [ "history" "completion" "match_prev_cmd" ]);
default = [ "history" ];
description = ''
description = lib.mdDoc ''
`ZSH_AUTOSUGGEST_STRATEGY` is an array that specifies how suggestions should be generated.
The strategies in the array are tried successively until a suggestion is found.
There are currently three built-in strategies to choose from:

View file

@ -451,10 +451,9 @@ let
renewInterval = mkOption {
type = types.str;
inherit (defaultAndText "renewInterval" "daily") default defaultText;
description = ''
description = lib.mdDoc ''
Systemd calendar expression when to check for renewal. See
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
{manpage}`systemd.time(7)`.
'';
};
@ -677,7 +676,7 @@ let
inheritDefaults = mkOption {
default = true;
example = true;
description = "Whether to inherit values set in `security.acme.defaults` or not.";
description = lib.mdDoc "Whether to inherit values set in `security.acme.defaults` or not.";
type = lib.types.bool;
};
};

View file

@ -81,8 +81,8 @@ services.nginx = {
};
# We can also add a different vhost and reuse the same certificate
# but we have to append extraDomainNames manually.
<link linkend="opt-security.acme.certs._name_.extraDomainNames">security.acme.certs."foo.example.com".extraDomainNames</link> = [ "baz.example.com" ];
# but we have to append extraDomainNames manually beforehand:
# <link linkend="opt-security.acme.certs._name_.extraDomainNames">security.acme.certs."foo.example.com".extraDomainNames</link> = [ "baz.example.com" ];
"baz.example.com" = {
<link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
<link linkend="opt-services.nginx.virtualHosts._name_.useACMEHost">useACMEHost</link> = "foo.example.com";

View file

@ -42,7 +42,7 @@ in
if you want this service to do such killing
by sending a <literal>SIGTERM</literal> to those running processes'';
policies = mkOption {
description = ''
description = lib.mdDoc ''
AppArmor policies.
'';
type = types.attrsOf (types.submodule ({ name, config, ... }: {
@ -50,7 +50,7 @@ in
enable = mkDisableOption "loading of the profile into the kernel";
enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
profile = mkOption {
description = "The policy of the profile.";
description = lib.mdDoc "The policy of the profile.";
type = types.lines;
apply = pkgs.writeText name;
};
@ -61,16 +61,16 @@ in
includes = mkOption {
type = types.attrsOf types.lines;
default = {};
description = ''
description = lib.mdDoc ''
List of paths to be added to AppArmor's searched paths
when resolving <literal>include</literal> directives.
when resolving `include` directives.
'';
apply = mapAttrs pkgs.writeText;
};
packages = mkOption {
type = types.listOf types.package;
default = [];
description = "List of packages to be added to AppArmor's include path";
description = lib.mdDoc "List of packages to be added to AppArmor's include path";
};
enableCache = mkEnableOption ''
caching of AppArmor policies

View file

@ -94,7 +94,7 @@ in {
<note><para>If this is <literal>false</literal> the resulting store
path will be non-deterministic and will be rebuilt every time the
<package>openssl</package> package changes.</para></note>
<literal>openssl</literal> package changes.</para></note>
'';
};

View file

@ -142,6 +142,16 @@ let
'';
};
mysqlAuth = mkOption {
default = config.users.mysql.enable;
defaultText = literalExpression "config.users.mysql.enable";
type = types.bool;
description = ''
If set, the <literal>pam_mysql</literal> module will be used to
authenticate users against a MySQL/MariaDB database.
'';
};
fprintAuth = mkOption {
default = config.services.fprintd.enable;
defaultText = literalExpression "config.services.fprintd.enable";
@ -310,12 +320,10 @@ let
limits = mkOption {
default = [];
type = limitsType;
description = ''
description = lib.mdDoc ''
Attribute set describing resource limits. Defaults to the
value of <option>security.pam.loginLimits</option>.
The meaning of the values is explained in <citerefentry>
<refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
value of {option}`security.pam.loginLimits`.
The meaning of the values is explained in {manpage}`limits.conf(5)`.
'';
};
@ -442,11 +450,13 @@ let
(
''
# Account management.
account required pam_unix.so
'' +
optionalString use_ldap ''
account sufficient ${pam_ldap}/lib/security/pam_ldap.so
'' +
optionalString cfg.mysqlAuth ''
account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
'' +
@ -460,7 +470,11 @@ let
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
'' +
# The required pam_unix.so module has to come after all the sufficient modules
# because otherwise, the account lookup will fail if the user does not exist
# locally, for example with MySQL- or LDAP-auth.
''
account required pam_unix.so
# Authentication management.
'' +
@ -476,6 +490,9 @@ let
optionalString cfg.logFailures ''
auth required pam_faillock.so
'' +
optionalString cfg.mysqlAuth ''
auth sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) ''
auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}
'' +
@ -573,6 +590,9 @@ let
optionalString use_ldap ''
password sufficient ${pam_ldap}/lib/security/pam_ldap.so
'' +
optionalString cfg.mysqlAuth ''
password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString config.services.sssd.enable ''
password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
'' +
@ -616,6 +636,9 @@ let
optionalString use_ldap ''
session optional ${pam_ldap}/lib/security/pam_ldap.so
'' +
optionalString cfg.mysqlAuth ''
session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
'' +
optionalString config.services.sssd.enable ''
session optional ${pkgs.sssd}/lib/security/pam_sss.so
'' +
@ -750,14 +773,13 @@ in
}
];
description =
'' Define resource limits that should apply to users or groups.
description = ''
Define resource limits that should apply to users or groups.
Each item in the list should be an attribute set with a
<varname>domain</varname>, <varname>type</varname>,
<varname>item</varname>, and <varname>value</varname>
attribute. The syntax and semantics of these attributes
must be that described in <citerefentry><refentrytitle>limits.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>.
must be that described in <citerefentry><refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
Note that these limits do not apply to systemd services,
whose limits can be changed via <option>systemd.extraConfig</option>
@ -838,17 +860,14 @@ in
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
description = lib.mdDoc ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use the PKCS#11 device instead of the regular password,
use "sufficient".
Read
<citerefentry>
<refentrytitle>pam.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
{manpage}`pam.conf(5)`
for better understanding of this option.
'';
};
@ -929,16 +948,13 @@ in
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
description = lib.mdDoc ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use U2F device instead of regular password, use "sufficient".
Read
<citerefentry>
<refentrytitle>pam.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
{manpage}`pam.conf(5)`
for better understanding of this option.
'';
};
@ -1047,17 +1063,14 @@ in
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
description = lib.mdDoc ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use the SSH certificate instead of the regular password,
use "sufficient".
Read
<citerefentry>
<refentrytitle>pam.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
{manpage}`pam.conf(5)`
for better understanding of this option.
'';
};
@ -1082,16 +1095,13 @@ in
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
description = lib.mdDoc ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use Yubikey instead of regular password, use "sufficient".
Read
<citerefentry>
<refentrytitle>pam.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
{manpage}`pam.conf(5)`
for better understanding of this option.
'';
};
@ -1250,6 +1260,9 @@ in
optionalString (isEnabled (cfg: cfg.oathAuth)) ''
"mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so,
'' +
optionalString (isEnabled (cfg: cfg.mysqlAuth)) ''
mr ${pkgs.pam_mysql}/lib/security/pam_mysql.so,
'' +
optionalString (isEnabled (cfg: cfg.yubicoAuth)) ''
mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,
'' +

View file

@ -46,7 +46,7 @@ in
type = types.package;
default = pkgs.sudo;
defaultText = literalExpression "pkgs.sudo";
description = ''
description = lib.mdDoc ''
Which package to use for `sudo`.
'';
};

View file

@ -10,12 +10,10 @@ in {
options.confinement.enable = lib.mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
If set, all the required runtime store paths for this service are
bind-mounted into a <literal>tmpfs</literal>-based <citerefentry>
<refentrytitle>chroot</refentrytitle>
<manvolnum>2</manvolnum>
</citerefentry>.
bind-mounted into a `tmpfs`-based
{manpage}`chroot(2)`.
'';
};
@ -63,16 +61,13 @@ in {
default = toplevelConfig.environment.binsh;
defaultText = lib.literalExpression "config.environment.binsh";
example = lib.literalExpression ''"''${pkgs.dash}/bin/dash"'';
description = ''
The program to make available as <filename>/bin/sh</filename> inside
the chroot. If this is set to <literal>null</literal>, no
<filename>/bin/sh</filename> is provided at all.
description = lib.mdDoc ''
The program to make available as {file}`/bin/sh` inside
the chroot. If this is set to `null`, no
{file}`/bin/sh` is provided at all.
This is useful for some applications, which for example use the
<citerefentry>
<refentrytitle>system</refentrytitle>
<manvolnum>3</manvolnum>
</citerefentry> library function to execute commands.
{manpage}`system(3)` library function to execute commands.
'';
};
@ -88,10 +83,8 @@ in {
name space.
If this is set to <literal>chroot-only</literal>, only the file
system name space is set up along with the call to <citerefentry>
<refentrytitle>chroot</refentrytitle>
<manvolnum>2</manvolnum>
</citerefentry>.
system name space is set up along with the call to
<citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>.
<note><para>This doesn't cover network namespaces and is solely for
file system level isolation.</para></note>

View file

@ -54,10 +54,7 @@ let
description = ''
A comma-separated list of capabilities to be given to the wrapper
program. For capabilities supported by the system check the
<citerefentry>
<refentrytitle>capabilities</refentrytitle>
<manvolnum>7</manvolnum>
</citerefentry>
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
manual page.
<note><para>
@ -188,6 +185,16 @@ in
'';
};
security.wrapperDirSize = lib.mkOption {
default = "50%";
example = "10G";
type = lib.types.str;
description = ''
Size limit for the /run/wrappers tmpfs. Look at mount(8), tmpfs size option,
for the accepted syntax. WARNING: don't set to less than 64MB.
'';
};
security.wrapperDir = lib.mkOption {
type = lib.types.path;
default = "/run/wrappers/bin";
@ -230,7 +237,7 @@ in
boot.specialFileSystems.${parentWrapperDir} = {
fsType = "tmpfs";
options = [ "nodev" "mode=755" ];
options = [ "nodev" "mode=755" "size=${config.security.wrapperDirSize}" ];
};
# Make sure our wrapperDir exports to the PATH env variable when

View file

@ -23,12 +23,10 @@ let
on_exit()
{
exitStatus=$?
# Reset the EXIT handler, or else we're called again on 'exit' below
trap - EXIT
${cfg.postHook}
exit $exitStatus
}
trap 'on_exit' INT TERM QUIT EXIT
trap on_exit EXIT
archiveName="${if cfg.archiveBaseName == null then "" else cfg.archiveBaseName + "-"}$(date ${cfg.dateFormat})"
archiveSuffix="${optionalString cfg.appendFailedSuffix ".failed"}"
@ -320,13 +318,12 @@ in {
startAt = mkOption {
type = with types; either str (listOf str);
default = "daily";
description = ''
description = lib.mdDoc ''
When or how often the backup should run.
Must be in the format described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
{manpage}`systemd.time(7)`.
If you do not want the backup to start
automatically, use <literal>[ ]</literal>.
automatically, use `[ ]`.
It will generate a systemd service borgbackup-job-NAME.
You may trigger it manually via systemctl restart borgbackup-job-NAME.
'';
@ -336,10 +333,9 @@ in {
default = false;
type = types.bool;
example = true;
description = ''
Set the <literal>persistentTimer</literal> option for the
<citerefentry><refentrytitle>systemd.timer</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>
description = lib.mdDoc ''
Set the `persistentTimer` option for the
{manpage}`systemd.timer(5)`
which triggers the backup immediately if the last trigger
was missed (e.g. if the system was powered down).
'';

View file

@ -27,30 +27,27 @@ in
type = types.listOf types.str;
default = [ ];
example = [ "/home" ];
description = ''
description = lib.mdDoc ''
List of paths to include into the backups. See the FILE SELECTION
section in <citerefentry><refentrytitle>duplicity</refentrytitle>
<manvolnum>1</manvolnum></citerefentry> for details on the syntax.
section in {manpage}`duplicity(1)` for details on the syntax.
'';
};
exclude = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
description = lib.mdDoc ''
List of paths to exclude from backups. See the FILE SELECTION section in
<citerefentry><refentrytitle>duplicity</refentrytitle>
<manvolnum>1</manvolnum></citerefentry> for details on the syntax.
{manpage}`duplicity(1)` for details on the syntax.
'';
};
targetUrl = mkOption {
type = types.str;
example = "s3://host:port/prefix";
description = ''
description = lib.mdDoc ''
Target url to backup to. See the URL FORMAT section in
<citerefentry><refentrytitle>duplicity</refentrytitle>
<manvolnum>1</manvolnum></citerefentry> for supported urls.
{manpage}`duplicity(1)` for supported urls.
'';
};
@ -60,8 +57,7 @@ in
description = ''
Path of a file containing secrets (gpg passphrase, access key...) in
the format of EnvironmentFile as described by
<citerefentry><refentrytitle>systemd.exec</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>. For example:
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. For example:
<programlisting>
PASSPHRASE=«...»
AWS_ACCESS_KEY_ID=«...»
@ -73,10 +69,9 @@ in
frequency = mkOption {
type = types.nullOr types.str;
default = "daily";
description = ''
description = lib.mdDoc ''
Run duplicity with the given frequency (see
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> for the format).
{manpage}`systemd.time(7)` for the format).
If null, do not run automatically.
'';
};
@ -85,10 +80,9 @@ in
type = types.listOf types.str;
default = [ ];
example = [ "--backend-retry-delay" "100" ];
description = ''
description = lib.mdDoc ''
Extra command-line flags passed to duplicity. See
<citerefentry><refentrytitle>duplicity</refentrytitle>
<manvolnum>1</manvolnum></citerefentry>.
{manpage}`duplicity(1)`.
'';
};

View file

@ -118,12 +118,11 @@ in
type = types.str;
default = "hourly";
example = "daily";
description = ''
description = lib.mdDoc ''
Run sanoid at this interval. The default is to run hourly.
The format is described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
{manpage}`systemd.time(7)`.
'';
};

View file

@ -16,11 +16,11 @@ let
lib.concatMapStrings (s: if lib.isList s then "-" else s)
(builtins.split "[^a-zA-Z0-9_.\\-]+" name);
# Function to build "zfs allow" commands for the filesystems we've
# delegated permissions to. It also checks if the target dataset
# exists before delegating permissions, if it doesn't exist we
# delegate it to the parent dataset. This should solve the case of
# provisoning new datasets.
# Function to build "zfs allow" commands for the filesystems we've delegated
# permissions to. It also checks if the target dataset exists before
# delegating permissions, if it doesn't exist we delegate it to the parent
# dataset (if it exists). This should solve the case of provisoning new
# datasets.
buildAllowCommand = permissions: dataset: (
"-+${pkgs.writeShellScript "zfs-allow-${dataset}" ''
# Here we explicitly use the booted system to guarantee the stable API needed by ZFS
@ -38,6 +38,7 @@ let
(concatStringsSep "," permissions)
dataset
]}
${lib.optionalString ((builtins.dirOf dataset) != ".") ''
else
${lib.escapeShellArgs [
"/run/booted-system/sw/bin/zfs"
@ -47,6 +48,7 @@ let
# Remove the last part of the path
(builtins.dirOf dataset)
]}
''}
fi
''}"
);
@ -67,14 +69,14 @@ let
(concatStringsSep "," permissions)
dataset
]}
${lib.escapeShellArgs [
${lib.optionalString ((builtins.dirOf dataset) != ".") (lib.escapeShellArgs [
"/run/booted-system/sw/bin/zfs"
"unallow"
cfg.user
(concatStringsSep "," permissions)
# Remove the last part of the path
(builtins.dirOf dataset)
]}
])}
''}"
);
in
@ -89,12 +91,11 @@ in
type = types.str;
default = "hourly";
example = "*-*-* *:15:00";
description = ''
description = lib.mdDoc ''
Run syncoid at this interval. The default is to run hourly.
The format is described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
{manpage}`systemd.time(7)`.
'';
};

View file

@ -140,12 +140,11 @@ in
type = types.str;
default = "01:15";
example = "hourly";
description = ''
description = lib.mdDoc ''
Create archive at this interval.
The format is described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>.
{manpage}`systemd.time(7)`.
'';
};

View file

@ -16,9 +16,9 @@ with lib;
"fs.defaultFS" = "hdfs://localhost";
}
'';
description = ''
description = lib.mdDoc ''
Hadoop core-site.xml definition
<link xlink:href="https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/core-default.xml"/>
<https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/core-default.xml>
'';
};
coreSiteInternal = mkOption {
@ -38,7 +38,7 @@ with lib;
"dfs.namenode.http-bind-host" = "0.0.0.0";
};
type = types.attrsOf types.anything;
description = ''
description = lib.mdDoc ''
Default options for hdfs-site.xml
'';
};
@ -50,9 +50,9 @@ with lib;
"dfs.nameservices" = "namenode1";
}
'';
description = ''
description = lib.mdDoc ''
Additional options and overrides for hdfs-site.xml
<link xlink:href="https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/hdfs-default.xml"/>
<https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/hdfs-default.xml>
'';
};
hdfsSiteInternal = mkOption {
@ -80,7 +80,7 @@ with lib;
}
'';
type = types.attrsOf types.anything;
description = ''
description = lib.mdDoc ''
Default options for mapred-site.xml
'';
};
@ -92,9 +92,9 @@ with lib;
"mapreduce.map.java.opts" = "-Xmx900m -XX:+UseParallelGC";
}
'';
description = ''
description = lib.mdDoc ''
Additional options and overrides for mapred-site.xml
<link xlink:href="https://hadoop.apache.org/docs/current/hadoop-mapreduce-client/hadoop-mapreduce-client-core/mapred-default.xml"/>
<https://hadoop.apache.org/docs/current/hadoop-mapreduce-client/hadoop-mapreduce-client-core/mapred-default.xml>
'';
};
@ -113,7 +113,7 @@ with lib;
"yarn.resourcemanager.scheduler.class" = "org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler";
};
type = types.attrsOf types.anything;
description = ''
description = lib.mdDoc ''
Default options for yarn-site.xml
'';
};
@ -125,9 +125,9 @@ with lib;
"yarn.resourcemanager.hostname" = "''${config.networking.hostName}";
}
'';
description = ''
description = lib.mdDoc ''
Additional options and overrides for yarn-site.xml
<link xlink:href="https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-common/yarn-default.xml"/>
<https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-common/yarn-default.xml>
'';
};
yarnSiteInternal = mkOption {
@ -147,9 +147,9 @@ with lib;
"hadoop.http.max.threads" = 500;
}
'';
description = ''
description = lib.mdDoc ''
Hadoop httpfs-site.xml definition
<link xlink:href="https://hadoop.apache.org/docs/current/hadoop-hdfs-httpfs/httpfs-default.html"/>
<https://hadoop.apache.org/docs/current/hadoop-hdfs-httpfs/httpfs-default.html>
'';
};
@ -162,7 +162,7 @@ with lib;
example = literalExpression ''
"''${pkgs.hadoop}/lib/''${pkgs.hadoop.untarDir}/etc/hadoop/log4j.properties";
'';
description = "log4j.properties file added to HADOOP_CONF_DIR";
description = lib.mdDoc "log4j.properties file added to HADOOP_CONF_DIR";
};
containerExecutorCfg = mkOption {
@ -179,9 +179,9 @@ with lib;
"feature.terminal.enabled" = 0;
}
'';
description = ''
description = lib.mdDoc ''
Yarn container-executor.cfg definition
<link xlink:href="https://hadoop.apache.org/docs/r2.7.2/hadoop-yarn/hadoop-yarn-site/SecureContainer.html"/>
<https://hadoop.apache.org/docs/r2.7.2/hadoop-yarn/hadoop-yarn-site/SecureContainer.html>
'';
};
@ -194,7 +194,7 @@ with lib;
./extraYARNConfs
]
'';
description = "Directories containing additional config files to be added to HADOOP_CONF_DIR";
description = lib.mdDoc "Directories containing additional config files to be added to HADOOP_CONF_DIR";
};
gatewayRole.enable = mkEnableOption "gateway role for deploying hadoop configs";

View file

@ -21,7 +21,7 @@ in
"hbase.cluster.distributed" = "true";
};
type = types.attrsOf types.anything;
description = ''
description = lib.mdDoc ''
Default options for hbase-site.xml
'';
};
@ -30,9 +30,9 @@ in
type = with types; attrsOf anything;
example = literalExpression ''
'';
description = ''
description = lib.mdDoc ''
Additional options and overrides for hbase-site.xml
<link xlink:href="https://github.com/apache/hbase/blob/rel/2.4.11/hbase-common/src/main/resources/hbase-default.xml"/>
<https://github.com/apache/hbase/blob/rel/2.4.11/hbase-common/src/main/resources/hbase-default.xml>
'';
};
hbaseSiteInternal = mkOption {
@ -50,11 +50,11 @@ in
type = types.package;
default = pkgs.hbase;
defaultText = literalExpression "pkgs.hbase";
description = "HBase package";
description = lib.mdDoc "HBase package";
};
rootdir = mkOption {
description = ''
description = lib.mdDoc ''
This option will set "hbase.rootdir" in hbase-site.xml and determine
the directory shared by region servers and into which HBase persists.
The URL should be 'fully-qualified' to include the filesystem scheme.
@ -68,7 +68,7 @@ in
default = "/hbase";
};
zookeeperQuorum = mkOption {
description = ''
description = lib.mdDoc ''
This option will set "hbase.zookeeper.quorum" in hbase-site.xml.
Comma separated list of servers in the ZooKeeper ensemble.
'';
@ -83,7 +83,7 @@ in
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Open firewall ports for HBase master.
'';
};
@ -94,7 +94,7 @@ in
overrideHosts = mkOption {
type = types.bool;
default = true;
description = ''
description = lib.mdDoc ''
Remove /etc/hosts entries for "127.0.0.2" and "::1" defined in nixos/modules/config/networking.nix
Regionservers must be able to resolve their hostnames to their IP addresses, through PTR records
or /etc/hosts entries.
@ -105,7 +105,7 @@ in
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Open firewall ports for HBase master.
'';
};

View file

@ -0,0 +1,268 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.patroni;
defaultUser = "patroni";
defaultGroup = "patroni";
format = pkgs.formats.yaml { };
#boto doesn't support python 3.10 yet
patroni = pkgs.patroni.override { pythonPackages = pkgs.python39Packages; };
configFileName = "patroni-${cfg.scope}-${cfg.name}.yaml";
configFile = format.generate configFileName cfg.settings;
in
{
options.services.patroni = {
enable = mkEnableOption "Patroni";
postgresqlPackage = mkOption {
type = types.package;
example = literalExpression "pkgs.postgresql_14";
description = mdDoc ''
PostgreSQL package to use.
Plugins can be enabled like this `pkgs.postgresql_14.withPackages (p: [ p.pg_safeupdate p.postgis ])`.
'';
};
postgresqlDataDir = mkOption {
type = types.path;
defaultText = literalExpression ''"/var/lib/postgresql/''${config.services.patroni.postgresqlPackage.psqlSchema}"'';
example = "/var/lib/postgresql/14";
default = "/var/lib/postgresql/${cfg.postgresqlPackage.psqlSchema}";
description = mdDoc ''
The data directory for PostgreSQL. If left as the default value
this directory will automatically be created before the PostgreSQL server starts, otherwise
the sysadmin is responsible for ensuring the directory exists with appropriate ownership
and permissions.
'';
};
postgresqlPort = mkOption {
type = types.port;
default = 5432;
description = mdDoc ''
The port on which PostgreSQL listens.
'';
};
user = mkOption {
type = types.str;
default = defaultUser;
example = "postgres";
description = mdDoc ''
The user for the service. If left as the default value this user will automatically be created,
otherwise the sysadmin is responsible for ensuring the user exists.
'';
};
group = mkOption {
type = types.str;
default = defaultGroup;
example = "postgres";
description = mdDoc ''
The group for the service. If left as the default value this group will automatically be created,
otherwise the sysadmin is responsible for ensuring the group exists.
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/patroni";
description = mdDoc ''
Folder where Patroni data will be written, used by Raft as well if enabled.
'';
};
scope = mkOption {
type = types.str;
example = "cluster1";
description = mdDoc ''
Cluster name.
'';
};
name = mkOption {
type = types.str;
example = "node1";
description = mdDoc ''
The name of the host. Must be unique for the cluster.
'';
};
namespace = mkOption {
type = types.str;
default = "/service";
description = mdDoc ''
Path within the configuration store where Patroni will keep information about the cluster.
'';
};
nodeIp = mkOption {
type = types.str;
example = "192.168.1.1";
description = mdDoc ''
IP address of this node.
'';
};
otherNodesIps = mkOption {
type = types.listOf types.string;
example = [ "192.168.1.2" "192.168.1.3" ];
description = mdDoc ''
IP addresses of the other nodes.
'';
};
restApiPort = mkOption {
type = types.port;
default = 8008;
description = mdDoc ''
The port on Patroni's REST api listens.
'';
};
raft = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
This will configure Patroni to use its own RAFT implementation instead of using a dedicated DCS.
'';
};
raftPort = mkOption {
type = types.port;
default = 5010;
description = mdDoc ''
The port on which RAFT listens.
'';
};
softwareWatchdog = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
This will configure Patroni to use the software watchdog built into the Linux kernel
as described in the [documentation](https://patroni.readthedocs.io/en/latest/watchdog.html#setting-up-software-watchdog-on-linux).
'';
};
settings = mkOption {
type = format.type;
default = { };
description = mdDoc ''
The primary patroni configuration. See the [documentation](https://patroni.readthedocs.io/en/latest/SETTINGS.html)
for possible values.
Secrets should be passed in by using the `environmentFiles` option.
'';
};
environmentFiles = mkOption {
type = with types; attrsOf (nullOr (oneOf [ str path package ]));
default = { };
example = {
PATRONI_REPLICATION_PASSWORD = "/secret/file";
PATRONI_SUPERUSER_PASSWORD = "/secret/file";
};
description = mdDoc "Environment variables made available to Patroni as files content, useful for providing secrets from files.";
};
};
config = mkIf cfg.enable {
services.patroni.settings = {
scope = cfg.scope;
name = cfg.name;
namespace = cfg.namespace;
restapi = {
listen = "${cfg.nodeIp}:${toString cfg.restApiPort}";
connect_address = "${cfg.nodeIp}:${toString cfg.restApiPort}";
};
raft = mkIf cfg.raft {
data_dir = "${cfg.dataDir}/raft";
self_addr = "${cfg.nodeIp}:5010";
partner_addrs = map (ip: ip + ":5010") cfg.otherNodesIps;
};
postgresql = {
listen = "${cfg.nodeIp}:${toString cfg.postgresqlPort}";
connect_address = "${cfg.nodeIp}:${toString cfg.postgresqlPort}";
data_dir = cfg.postgresqlDataDir;
bin_dir = "${cfg.postgresqlPackage}/bin";
pgpass = "${cfg.dataDir}/pgpass";
};
watchdog = mkIf cfg.softwareWatchdog {
mode = "required";
device = "/dev/watchdog";
safety_margin = 5;
};
};
users = {
users = mkIf (cfg.user == defaultUser) {
patroni = {
group = cfg.group;
isSystemUser = true;
};
};
groups = mkIf (cfg.group == defaultGroup) {
patroni = { };
};
};
systemd.services = {
patroni = {
description = "Runners to orchestrate a high-availability PostgreSQL";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
script = ''
${concatStringsSep "\n" (attrValues (mapAttrs (name: path: ''export ${name}="$(< ${escapeShellArg path})"'') cfg.environmentFiles))}
exec ${patroni}/bin/patroni ${configFile}
'';
serviceConfig = mkMerge [
{
User = cfg.user;
Group = cfg.group;
Type = "simple";
Restart = "on-failure";
TimeoutSec = 30;
ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
KillMode = "process";
}
(mkIf (cfg.postgresqlDataDir == "/var/lib/postgresql/${cfg.postgresqlPackage.psqlSchema}" && cfg.dataDir == "/var/lib/patroni") {
StateDirectory = "patroni patroni/raft postgresql postgresql/${cfg.postgresqlPackage.psqlSchema}";
StateDirectoryMode = "0750";
})
];
};
};
boot.kernelModules = mkIf cfg.softwareWatchdog [ "softdog" ];
services.udev.extraRules = mkIf cfg.softwareWatchdog ''
KERNEL=="watchdog", OWNER="${cfg.user}", GROUP="${cfg.group}", MODE="0600"
'';
environment.systemPackages = [
patroni
cfg.postgresqlPackage
(mkIf cfg.raft pkgs.python310Packages.pysyncobj)
];
environment.etc."${configFileName}".source = configFile;
environment.sessionVariables = {
PATRONICTL_CONFIG_FILE = "/etc/${configFileName}";
};
};
meta.maintainers = [ maintainers.phfroidmont ];
}

View file

@ -109,10 +109,9 @@ in
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra configuration for <literal>slurmdbd.conf</literal> See also:
<citerefentry><refentrytitle>slurmdbd.conf</refentrytitle>
<manvolnum>8</manvolnum></citerefentry>.
description = lib.mdDoc ''
Extra configuration for `slurmdbd.conf` See also:
{manpage}`slurmdbd.conf(8)`.
'';
};
};

View file

@ -121,10 +121,10 @@ in {
keepalive = mkOption {
default = 600;
type = types.int;
description = "
description = lib.mdDoc ''
This is a number that indicates how frequently keepalive messages should be sent
from the worker to the buildmaster, expressed in seconds.
";
'';
};
package = mkOption {

View file

@ -193,7 +193,7 @@ in
options.services.buildkite-agents = mkOption {
type = types.attrsOf (types.submodule buildkiteOptions);
default = {};
description = ''
description = lib.mdDoc ''
Attribute set of buildkite agents.
The attribute key is combined with the hostname and a unique integer to
create the final agent name. This can be overridden by setting the `name`

View file

@ -48,9 +48,14 @@ in
tokenFile = mkOption {
type = types.path;
description = lib.mdDoc ''
The full path to a file which contains the runner registration token.
The full path to a file which contains either a runner registration token or a
personal access token (PAT).
The file should contain exactly one line with the token without any newline.
The token can be used to re-register a runner of the same name but is time-limited.
If a registration token is given, it can be used to re-register a runner of the same
name but is time-limited. If the file contains a PAT, the service creates a new
registration token on startup as needed. Make sure the PAT has a scope of
`admin:org` for organization-wide registrations or a scope of
`repo` for a single repository.
Changing this option or the file's content triggers a new runner registration.
'';
@ -117,6 +122,24 @@ in
default = pkgs.github-runner;
defaultText = literalExpression "pkgs.github-runner";
};
ephemeral = mkOption {
type = types.bool;
description = lib.mdDoc ''
If enabled, causes the following behavior:
- Passes the `--ephemeral` flag to the runner configuration script
- De-registers and stops the runner with GitHub after it has processed one job
- On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option)
- Restarts the service after its successful exit
- On start, wipes the state directory and configures a new runner
You should only enable this option if `tokenFile` points to a file which contains a
personal access token (PAT). If you're using the option with a registration token, restarting the
service will fail as soon as the registration token expired.
'';
default = false;
};
};
config = mkIf cfg.enable {
@ -136,7 +159,7 @@ in
environment = {
HOME = runtimeDir;
RUNNER_ROOT = runtimeDir;
RUNNER_ROOT = stateDir;
};
path = (with pkgs; [
@ -150,7 +173,7 @@ in
] ++ cfg.extraPackages;
serviceConfig = rec {
ExecStart = "${cfg.package}/bin/runsvc.sh";
ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
# Does the following, sequentially:
# - If the module configuration or the token has changed, purge the state directory,
@ -178,7 +201,7 @@ in
${lines}
'';
currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" ] cfg;
runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" ] cfg;
newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
newConfigTokenFilename = ".new-token";
runnerCredFiles = [
@ -188,6 +211,9 @@ in
];
unconfigureRunner = writeScript "unconfigure" ''
differs=
if [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
# State directory is not empty
# Set `differs = 1` if current and new runner config differ or if `currentConfigPath` does not exist
${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 || differs=1
# Also trigger a registration if the token content changed
@ -195,10 +221,14 @@ in
"$STATE_DIRECTORY"/${currentConfigTokenFilename} \
${escapeShellArg cfg.tokenFile} \
>/dev/null 2>&1 || differs=1
# If .credentials does not exist, assume a previous run de-registered the runner on stop (ephemeral mode)
[[ ! -f "$STATE_DIRECTORY/.credentials" ]] && differs=1
fi
if [[ -n "$differs" ]]; then
echo "Config has changed, removing old runner state."
echo "The old runner will still appear in the GitHub Actions UI." \
# In ephemeral mode, the runner deletes the `.credentials` file after de-registering it with GitHub
[[ -f "$STATE_DIRECTORY/.credentials" ]] && echo "The old runner will still appear in the GitHub Actions UI." \
"You have to remove it manually."
find "$STATE_DIRECTORY/" -mindepth 1 -delete
@ -212,17 +242,28 @@ in
if [[ -e "$STATE_DIRECTORY/${newConfigTokenFilename}" ]]; then
echo "Configuring GitHub Actions Runner"
token=$(< "$STATE_DIRECTORY"/${newConfigTokenFilename})
RUNNER_ROOT="$STATE_DIRECTORY" ${cfg.package}/bin/config.sh \
--unattended \
--disableupdate \
--work "$RUNTIME_DIRECTORY" \
--url ${escapeShellArg cfg.url} \
--token "$token" \
--labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)} \
--name ${escapeShellArg cfg.name} \
${optionalString cfg.replace "--replace"} \
args=(
--unattended
--disableupdate
--work "$RUNTIME_DIRECTORY"
--url ${escapeShellArg cfg.url}
--labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
--name ${escapeShellArg cfg.name}
${optionalString cfg.replace "--replace"}
${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
${optionalString cfg.ephemeral "--ephemeral"}
)
# If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option,
# if it is not a PAT, we assume it contains a registration token and use the --token option
token=$(<"$STATE_DIRECTORY/${newConfigTokenFilename}")
if [[ "$token" =~ ^ghp_* ]]; then
args+=(--pat "$token")
else
args+=(--token "$token")
fi
${cfg.package}/bin/config.sh "''${args[@]}"
# Move the automatically created _diag dir to the logs dir
mkdir -p "$STATE_DIRECTORY/_diag"
@ -250,6 +291,10 @@ in
setupRuntimeDir
];
# If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
# to trigger a fresh registration.
Restart = if cfg.ephemeral then "on-success" else "no";
# Contains _diag
LogsDirectory = [ systemdDir ];
# Default RUNNER_ROOT which contains ephemeral Runner data
@ -269,8 +314,7 @@ in
# By default, use a dynamically allocated user
DynamicUser = true;
KillMode = "process";
KillSignal = "SIGTERM";
KillSignal = "SIGINT";
# Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing:

View file

@ -103,15 +103,15 @@ let
defaultText = literalExpression ''baseDirectory + "/secrets"'';
};
clusterJoinTokenPath = mkOption {
description = ''
description = lib.mdDoc ''
Location of the cluster-join-token.key file.
You can retrieve the contents of the file when creating a new agent via
<link xlink:href="https://hercules-ci.com/dashboard">https://hercules-ci.com/dashboard</link>.
<https://hercules-ci.com/dashboard>.
As this value is confidential, it should not be in the store, but
installed using other means, such as agenix, NixOps
<literal>deployment.keys</literal>, or manual installation.
`deployment.keys`, or manual installation.
The contents of the file are used for authentication between the agent and the API.
'';
@ -120,29 +120,28 @@ let
defaultText = literalExpression ''staticSecretsDirectory + "/cluster-join-token.key"'';
};
binaryCachesPath = mkOption {
description = ''
description = lib.mdDoc ''
Path to a JSON file containing binary cache secret keys.
As these values are confidential, they should not be in the store, but
copied over using other means, such as agenix, NixOps
<literal>deployment.keys</literal>, or manual installation.
`deployment.keys`, or manual installation.
The format is described on <link xlink:href="https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/">https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/</link>.
The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/>.
'';
type = types.path;
default = config.staticSecretsDirectory + "/binary-caches.json";
defaultText = literalExpression ''staticSecretsDirectory + "/binary-caches.json"'';
};
secretsJsonPath = mkOption {
description = ''
description = lib.mdDoc ''
Path to a JSON file containing secrets for effects.
As these values are confidential, they should not be in the store, but
copied over using other means, such as agenix, NixOps
<literal>deployment.keys</literal>, or manual installation.
The format is described on <link xlink:href="https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/">https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/</link>.
`deployment.keys`, or manual installation.
The format is described on <https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/>.
'';
type = types.path;
default = config.staticSecretsDirectory + "/secrets.json";

View file

@ -87,7 +87,7 @@ in
type = types.str;
default = localDB;
example = "dbi:Pg:dbname=hydra;host=postgres.example.org;user=foo;";
description = ''
description = lib.mdDoc ''
The DBI string for Hydra database connection.
NOTE: Attempts to set `application_name` will be overridden by
@ -115,8 +115,8 @@ in
type = types.str;
default = "*";
example = "localhost";
description = ''
The hostname or address to listen on or <literal>*</literal> to listen
description = lib.mdDoc ''
The hostname or address to listen on or `*` to listen
on all interfaces.
'';
};

View file

@ -97,9 +97,9 @@ in
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Open the firewall ports corresponding to FoundationDB processes and coordinators
using <option>config.networking.firewall.*</option>.
using {option}`config.networking.firewall.*`.
'';
};

View file

@ -35,9 +35,9 @@ in
default = pkgs.mongodb;
defaultText = literalExpression "pkgs.mongodb";
type = types.package;
description = "
description = lib.mdDoc ''
Which MongoDB derivation to use.
";
'';
};
user = mkOption {

View file

@ -36,9 +36,9 @@ in
package = mkOption {
type = types.package;
example = literalExpression "pkgs.mariadb";
description = "
description = lib.mdDoc ''
Which MySQL derivation to use. MariaDB packages are supported too.
";
'';
};
user = mkOption {

View file

@ -36,48 +36,43 @@ let
serverConfig = pkgs.writeText "neo4j.conf" ''
# General
dbms.allow_upgrade=${boolToString cfg.allowUpgrade}
dbms.connectors.default_listen_address=${cfg.defaultListenAddress}
dbms.read_only=${boolToString cfg.readOnly}
dbms.default_listen_address=${cfg.defaultListenAddress}
dbms.databases.default_to_read_only=${boolToString cfg.readOnly}
${optionalString (cfg.workerCount > 0) ''
dbms.threads.worker_count=${toString cfg.workerCount}
''}
# Directories
# Directories (readonly)
dbms.directories.certificates=${cfg.directories.certificates}
dbms.directories.data=${cfg.directories.data}
dbms.directories.logs=${cfg.directories.home}/logs
dbms.directories.plugins=${cfg.directories.plugins}
dbms.directories.lib=${cfg.package}/share/neo4j/lib
${optionalString (cfg.constrainLoadCsv) ''
dbms.directories.import=${cfg.directories.imports}
''}
# Directories (read and write)
dbms.directories.data=${cfg.directories.data}
dbms.directories.logs=${cfg.directories.home}/logs
dbms.directories.run=${cfg.directories.home}/run
# HTTP Connector
${optionalString (cfg.http.enable) ''
dbms.connector.http.enabled=${boolToString cfg.http.enable}
dbms.connector.http.listen_address=${cfg.http.listenAddress}
''}
${optionalString (!cfg.http.enable) ''
# It is not possible to disable the HTTP connector. To fully prevent
# clients from connecting to HTTP, block the HTTP port (7474 by default)
# via firewall. listen_address is set to the loopback interface to
# prevent remote clients from connecting.
dbms.connector.http.listen_address=127.0.0.1
dbms.connector.http.advertised_address=${cfg.http.listenAddress}
''}
# HTTPS Connector
dbms.connector.https.enabled=${boolToString cfg.https.enable}
dbms.connector.https.listen_address=${cfg.https.listenAddress}
https.ssl_policy=${cfg.https.sslPolicy}
dbms.connector.https.advertised_address=${cfg.https.listenAddress}
# BOLT Connector
dbms.connector.bolt.enabled=${boolToString cfg.bolt.enable}
dbms.connector.bolt.listen_address=${cfg.bolt.listenAddress}
bolt.ssl_policy=${cfg.bolt.sslPolicy}
dbms.connector.bolt.advertised_address=${cfg.bolt.listenAddress}
dbms.connector.bolt.tls_level=${cfg.bolt.tlsLevel}
# neo4j-shell
dbms.shell.enabled=${boolToString cfg.shell.enable}
# SSL Policies
${concatStringsSep "\n" sslPolicies}
@ -95,8 +90,10 @@ let
dbms.jvm.additional=-Djdk.tls.rejectClientInitiatedRenegotiation=true
dbms.jvm.additional=-Dunsupported.dbms.udc.source=tarball
# Usage Data Collector
dbms.udc.enabled=${boolToString cfg.udc.enable}
#dbms.memory.heap.initial_size=12000m
#dbms.memory.heap.max_size=12000m
#dbms.memory.pagecache.size=4g
#dbms.tx_state.max_off_heap_memory=8000m
# Extra Configuration
${cfg.extraServerConfig}
@ -114,6 +111,8 @@ in {
(mkRemovedOptionModule [ "services" "neo4j" "port" ] "Use services.neo4j.http.listenAddress instead.")
(mkRemovedOptionModule [ "services" "neo4j" "boltPort" ] "Use services.neo4j.bolt.listenAddress instead.")
(mkRemovedOptionModule [ "services" "neo4j" "httpsPort" ] "Use services.neo4j.https.listenAddress instead.")
(mkRemovedOptionModule [ "services" "neo4j" "shell" "enabled" ] "shell.enabled was removed upstream")
(mkRemovedOptionModule [ "services" "neo4j" "udc" "enabled" ] "udc.enabled was removed upstream")
];
###### interface
@ -334,13 +333,10 @@ in {
enable = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
The HTTP connector is required for Neo4j, and cannot be disabled.
Setting this option to `false` will force the HTTP
connector's {option}`listenAddress` to the loopback
interface to prevent connection of remote clients. To prevent all
clients from connecting, block the HTTP port (7474 by default) by
firewall.
description = ''
Enable the HTTP connector for Neo4j. Setting this option to
<literal>false</literal> will stop Neo4j from listening for incoming
connections on the HTTPS port (7474 by default).
'';
};
@ -568,19 +564,6 @@ in {
'';
};
udc = {
enable = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Enable the Usage Data Collector which Neo4j uses to collect usage
data. Refer to the operations manual section on the
[Usage Data Collector](https://neo4j.com/docs/operations-manual/current/configuration/usage-data-collector/)
for more information.
'';
};
};
};
###### implementation
@ -612,7 +595,7 @@ in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment = {
NEO4J_HOME = "${cfg.package}/share/neo4j";
NEO4J_HOME = "${cfg.directories.home}";
NEO4J_CONF = "${cfg.directories.home}/conf";
};
serviceConfig = {
@ -653,6 +636,6 @@ in {
};
meta = {
maintainers = with lib.maintainers; [ patternspandemic ];
maintainers = with lib.maintainers; [ patternspandemic jonringer erictapen ];
};
}

View file

@ -79,15 +79,15 @@ in
authentication = mkOption {
type = types.lines;
default = "";
description = ''
description = lib.mdDoc ''
Defines how users authenticate themselves to the server. See the
<link xlink:href="https://www.postgresql.org/docs/current/auth-pg-hba-conf.html">PostgreSQL documentation for pg_hba.conf</link>
[PostgreSQL documentation for pg_hba.conf](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html)
for details on the expected format of this option. By default,
peer based authentication will be used for users connecting
via the Unix socket, and md5 password authentication will be
used for users connecting via TCP. Any added rules will be
inserted above the default rules. If you'd like to replace the
default rules entirely, you can use <function>lib.mkForce</function> in your
default rules entirely, you can use `lib.mkForce` in your
module.
'';
};

View file

@ -24,22 +24,22 @@ in
user = mkOption {
default = "rethinkdb";
description = "User account under which RethinkDB runs.";
description = lib.mdDoc "User account under which RethinkDB runs.";
};
group = mkOption {
default = "rethinkdb";
description = "Group which rethinkdb user belongs to.";
description = lib.mdDoc "Group which rethinkdb user belongs to.";
};
dbpath = mkOption {
default = "/var/db/rethinkdb";
description = "Location where RethinkDB stores its data, 1 data directory per instance.";
description = lib.mdDoc "Location where RethinkDB stores its data, 1 data directory per instance.";
};
pidpath = mkOption {
default = "/run/rethinkdb";
description = "Location where each instance's pid file is located.";
description = lib.mdDoc "Location where each instance's pid file is located.";
};
#cfgpath = mkOption {

View file

@ -10,6 +10,7 @@
},
"context.spa-libs": {
"audio.convert.*": "audioconvert/libspa-audioconvert",
"avb.*": "avb/libspa-avb",
"api.alsa.*": "alsa/libspa-alsa",
"api.v4l2.*": "v4l2/libspa-v4l2",
"api.libcamera.*": "libcamera/libspa-libcamera",

View file

@ -39,14 +39,14 @@ in {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable the deprecated example Pipewire session manager";
description = lib.mdDoc "Whether to enable the deprecated example Pipewire session manager";
};
package = mkOption {
type = types.package;
default = pkgs.pipewire-media-session;
defaultText = literalExpression "pkgs.pipewire-media-session";
description = ''
description = lib.mdDoc ''
The pipewire-media-session derivation to use.
'';
};
@ -54,7 +54,7 @@ in {
config = {
media-session = mkOption {
type = json.type;
description = ''
description = lib.mdDoc ''
Configuration for the media session core. For details see
https://gitlab.freedesktop.org/pipewire/media-session/-/blob/${cfg.package.version}/src/daemon/media-session.d/media-session.conf
'';
@ -63,7 +63,7 @@ in {
alsa-monitor = mkOption {
type = json.type;
description = ''
description = lib.mdDoc ''
Configuration for the alsa monitor. For details see
https://gitlab.freedesktop.org/pipewire/media-session/-/blob/${cfg.package.version}/src/daemon/media-session.d/alsa-monitor.conf
'';
@ -72,7 +72,7 @@ in {
bluez-monitor = mkOption {
type = json.type;
description = ''
description = lib.mdDoc ''
Configuration for the bluez5 monitor. For details see
https://gitlab.freedesktop.org/pipewire/media-session/-/blob/${cfg.package.version}/src/daemon/media-session.d/bluez-monitor.conf
'';
@ -81,7 +81,7 @@ in {
v4l2-monitor = mkOption {
type = json.type;
description = ''
description = lib.mdDoc ''
Configuration for the V4L2 monitor. For details see
https://gitlab.freedesktop.org/pipewire/media-session/-/blob/${cfg.package.version}/src/daemon/media-session.d/v4l2-monitor.conf
'';

View file

@ -34,7 +34,8 @@ with lib;
];
# for $out/bin/install-printer-driver
services.packagekit.enable = true;
# TODO: Enable once #177946 is resolved
# services.packagekit.enable = true;
};

View file

@ -29,7 +29,7 @@ in {
ip = mkOption {
type = types.str;
default = "localhost";
description = ''
description = lib.mdDoc ''
IP address Jupyter will be listening on.
'';
};
@ -41,7 +41,7 @@ in {
# saving a rebuild.
default = pkgs.python3.pkgs.notebook;
defaultText = literalExpression "pkgs.python3.pkgs.notebook";
description = ''
description = lib.mdDoc ''
Jupyter package to use.
'';
};
@ -50,7 +50,7 @@ in {
type = types.str;
default = "jupyter-notebook";
example = "jupyter-lab";
description = ''
description = lib.mdDoc ''
Which command the service runs. Note that not all jupyter packages
have all commands, e.g. jupyter-lab isn't present in the default package.
'';
@ -59,7 +59,7 @@ in {
port = mkOption {
type = types.int;
default = 8888;
description = ''
description = lib.mdDoc ''
Port number Jupyter will be listening on.
'';
};
@ -67,7 +67,7 @@ in {
notebookDir = mkOption {
type = types.str;
default = "~/";
description = ''
description = lib.mdDoc ''
Root directory for notebooks.
'';
};
@ -75,7 +75,7 @@ in {
user = mkOption {
type = types.str;
default = "jupyter";
description = ''
description = lib.mdDoc ''
Name of the user used to run the jupyter service.
For security reason, jupyter should really not be run as root.
If not set (jupyter), the service will create a jupyter user with appropriate settings.
@ -86,7 +86,7 @@ in {
group = mkOption {
type = types.str;
default = "jupyter";
description = ''
description = lib.mdDoc ''
Name of the group used to run the jupyter service.
Use this if you want to create a group of users that are able to view the notebook directory's content.
'';
@ -95,7 +95,7 @@ in {
password = mkOption {
type = types.str;
description = ''
description = lib.mdDoc ''
Password to use with notebook.
Can be generated using:
In [1]: from notebook.auth import passwd
@ -112,7 +112,7 @@ in {
notebookConfig = mkOption {
type = types.lines;
default = "";
description = ''
description = lib.mdDoc ''
Raw jupyter config.
'';
};
@ -149,13 +149,14 @@ in {
};
}
'';
description = "Declarative kernel config
description = lib.mdDoc ''
Declarative kernel config.
Kernels can be declared in any language that supports and has the required
dependencies to communicate with a jupyter server.
In python's case, it means that ipykernel package must always be included in
the list of packages of the targeted environment.
";
'';
};
};

View file

@ -13,7 +13,7 @@ with lib;
"Python 3"
"Python 3 for Data Science"
'';
description = ''
description = lib.mdDoc ''
Name that will be shown to the user.
'';
};
@ -27,7 +27,7 @@ with lib;
"-f"
"{connection_file}"
];
description = ''
description = lib.mdDoc ''
Command and arguments to start the kernel.
'';
};
@ -35,7 +35,7 @@ with lib;
language = mkOption {
type = types.str;
example = "python";
description = ''
description = lib.mdDoc ''
Language of the environment. Typically the name of the binary.
'';
};
@ -44,7 +44,7 @@ with lib;
type = types.nullOr types.path;
default = null;
example = literalExpression ''"''${env.sitePackages}/ipykernel/resources/logo-32x32.png"'';
description = ''
description = lib.mdDoc ''
Path to 32x32 logo png.
'';
};
@ -52,7 +52,7 @@ with lib;
type = types.nullOr types.path;
default = null;
example = literalExpression ''"''${env.sitePackages}/ipykernel/resources/logo-64x64.png"'';
description = ''
description = lib.mdDoc ''
Path to 64x64 logo png.
'';
};
@ -61,7 +61,7 @@ with lib;
type = types.attrsOf types.path;
default = { };
example = literalExpression ''"{ examples = ''${env.sitePack}/IRkernel/kernelspec/kernel.js"; }'';
description = ''
description = lib.mdDoc ''
Extra paths to link in kernel directory
'';
};

View file

@ -35,7 +35,7 @@ in {
authentication = mkOption {
type = types.str;
default = "jupyterhub.auth.PAMAuthenticator";
description = ''
description = lib.mdDoc ''
Jupyterhub authentication to use
There are many authenticators available including: oauth, pam,
@ -46,7 +46,7 @@ in {
spawner = mkOption {
type = types.str;
default = "systemdspawner.SystemdSpawner";
description = ''
description = lib.mdDoc ''
Jupyterhub spawner to use
There are many spawners available including: local process,
@ -57,7 +57,7 @@ in {
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
description = lib.mdDoc ''
Extra contents appended to the jupyterhub configuration
Jupyterhub configuration is a normal python file using
@ -84,7 +84,7 @@ in {
jupyterhub-systemdspawner
])
'';
description = ''
description = lib.mdDoc ''
Python environment to run jupyterhub
Customizing will affect the packages available in the hub and
@ -106,7 +106,7 @@ in {
jupyterlab
])
'';
description = ''
description = lib.mdDoc ''
Python environment to run jupyterlab
Customizing will affect the packages available in the
@ -146,7 +146,7 @@ in {
};
}
'';
description = ''
description = lib.mdDoc ''
Declarative kernel config
Kernels can be declared in any language that supports and has
@ -159,7 +159,7 @@ in {
port = mkOption {
type = types.port;
default = 8000;
description = ''
description = lib.mdDoc ''
Port number Jupyterhub will be listening on
'';
};
@ -167,7 +167,7 @@ in {
host = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
description = lib.mdDoc ''
Bind IP JupyterHub will be listening on
'';
};
@ -175,7 +175,7 @@ in {
stateDirectory = mkOption {
type = types.str;
default = "jupyterhub";
description = ''
description = lib.mdDoc ''
Directory for jupyterhub state (token + database)
'';
};

View file

@ -9,7 +9,7 @@ in {
enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
description = lib.mdDoc ''
Enables the daemon for `lorri`, a nix-shell replacement for project
development. The socket-activated daemon starts on the first request
issued by the `lorri` command.

View file

@ -36,7 +36,7 @@ in {
certificateChain = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
description = lib.mdDoc ''
Chain of CA-certificates to which our `certificateFile` is relative.
Optional for TLS.
'';

View file

@ -81,11 +81,11 @@ in
settings = mkOption {
type = format.type;
description = ''
The ASF.json file, all the options are documented <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config">here</link>.
description = lib.mdDoc ''
The ASF.json file, all the options are documented [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config).
Do note that `AutoRestart` and `UpdateChannel` is always to `false` respectively `0` because NixOS takes care of updating everything.
`Headless` is also always set to `true` because there is no way to provide inputs via a systemd service.
You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod">here</link>.
You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined [here](https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod).
'';
example = {
Statistics = false;

View file

@ -41,7 +41,7 @@ in {
stateDir = mkOption {
type = types.str;
default = "/var/lib/crossfire";
description = ''
description = lib.mdDoc ''
Where to store runtime data (save files, persistent items, etc).
If left at the default, this will be automatically created on server
@ -61,7 +61,7 @@ in {
configFiles = mkOption {
type = types.attrsOf types.str;
description = ''
description = lib.mdDoc ''
Text to append to the corresponding configuration files. Note that the
files given in the example are *not* the complete set of files available
to customize; look in /etc/crossfire after enabling the server to see

View file

@ -41,7 +41,7 @@ in {
stateDir = mkOption {
type = types.str;
default = "/var/lib/deliantra";
description = ''
description = lib.mdDoc ''
Where to store runtime data (save files, persistent items, etc).
If left at the default, this will be automatically created on server

View file

@ -25,7 +25,7 @@ in
gameId = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
description = lib.mdDoc ''
Id of the game to use. To list available games run
`minetestserver --gameid list`.
@ -36,7 +36,7 @@ in
world = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
description = lib.mdDoc ''
Name of the world to use. To list available worlds run
`minetestserver --world list`.
@ -47,7 +47,7 @@ in
configPath = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
description = lib.mdDoc ''
Path to the config to use.
If set to null, the config of the running user will be used:

View file

@ -15,9 +15,9 @@ let
DisabledPlugins=${lib.concatStringsSep ";" cfg.disabledPlugins}
'';
};
"fwupd/uefi.conf" = {
source = pkgs.writeText "uefi.conf" ''
[uefi]
"fwupd/uefi_capsule.conf" = {
source = pkgs.writeText "uefi_capsule.conf" ''
[uefi_capsule]
OverrideESPMountPoint=${config.boot.loader.efi.efiSysMountPoint}
'';
};

View file

@ -35,11 +35,10 @@ in
LIBPATH /path/to/serial_reader.so
CHANNELID 1
'';
description = ''
description = lib.mdDoc ''
Configuration for devices that aren't hotpluggable.
See <citerefentry><refentrytitle>reader.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for valid options.
See {manpage}`reader.conf(5)` for valid options.
'';
};
};

View file

@ -126,10 +126,10 @@ in {
psycopg2
];
'';
description = ''
description = lib.mdDoc ''
List of packages to add to propagatedBuildInputs.
A popular example is <package>python3Packages.psycopg2</package>
A popular example is `python3Packages.psycopg2`
for PostgreSQL support in the recorder component.
'';
};

View file

@ -121,11 +121,9 @@ in
type = types.nullOr types.str;
default = null;
example = "hourly";
description = ''
description = lib.mdDoc ''
Specification of the time at which awstats will get updated.
(in the format described by <citerefentry>
<refentrytitle>systemd.time</refentrytitle>
<manvolnum>7</manvolnum></citerefentry>)
(in the format described by {manpage}`systemd.time(7)`)
'';
};
};

View file

@ -79,7 +79,7 @@ let
priority = mkOption {
type = types.int;
default = 1000;
description = ''
description = lib.mdDoc ''
Order of this logrotate block in relation to the others. The semantics are
the same as with `lib.mkOrder`. Smaller values have a greater priority.
'';
@ -260,7 +260,7 @@ in
priority = mkOption {
type = types.int;
default = 1000;
description = ''
description = lib.mdDoc ''
Order of this logrotate block in relation to the others. The semantics are
the same as with `lib.mkOrder`. Smaller values are inserted first.
'';

Some files were not shown because too many files have changed in this diff Show more