Project import generated by Copybara.

GitOrigin-RevId: c04d5652cfa9742b1d519688f65d1bbccea9eb7e
This commit is contained in:
Default email 2024-09-19 17:19:46 +03:00
parent 5dca899b3a
commit 159e378cbb
10621 changed files with 671816 additions and 347606 deletions

View file

@ -154,5 +154,20 @@ bdfde18037f8d9f9b641a4016c8ada4dc4cbf856
# nixos/ollama: format with nixfmt-rfc-style (#329561)
246d1ee533810ac1946d863bbd9de9b525818d56
# steam: cleanup (#216972)
ad815aebfbfe1415ff6436521d545029c803c3fb
# nixos/nvidia: apply nixfmt-rfc-style (#313440)
fbdcdde04a7caa007e825a8b822c75fab9adb2d6
# step-cli: format package.nix with nixfmt (#331629)
fc7a83f8b62e90de5679e993d4d49ca014ea013d
# darwin.stdenv: format with nixfmt-rfc-style (#333962)
93c10ac9e561c6594d3baaeaff2341907390d9b8
# nrr: format with nixfmt-rfc-style (#334578)
cffc27daf06c77c0d76bc35d24b929cb9d68c3c9
# nixos/kanidm: inherit lib, nixfmt
8f18393d380079904d072007fb19dc64baef0a3a

View file

@ -14,9 +14,10 @@
# CI
/.github/workflows @NixOS/Security @Mic92 @zowoq
/.github/workflows/check-nix-format.yml @infinisil
/ci @infinisil @NixOS/Security
/.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
/ci @infinisil @philiptaron @NixOS/Security
# Develompent support
# Development support
/.editorconfig @Mic92 @zowoq
/shell.nix @infinisil @NixOS/Security
@ -43,9 +44,12 @@
/pkgs/top-level/stage.nix @Ericson2314
/pkgs/top-level/splice.nix @Ericson2314
/pkgs/top-level/release-cross.nix @Ericson2314
/pkgs/top-level/by-name-overlay.nix @infinisil @philiptaron
/pkgs/stdenv @philiptaron
/pkgs/stdenv/generic @Ericson2314
/pkgs/stdenv/generic/check-meta.nix @Ericson2314
/pkgs/stdenv/cross @Ericson2314
/pkgs/build-support @philiptaron
/pkgs/build-support/cc-wrapper @Ericson2314
/pkgs/build-support/bintools-wrapper @Ericson2314
/pkgs/build-support/setup-hooks @Ericson2314
@ -56,12 +60,6 @@
/pkgs/pkgs-lib/formats/libconfig @h7x4
/pkgs/pkgs-lib/formats/hocon @h7x4
# pkgs/by-name
/pkgs/test/check-by-name @infinisil
/pkgs/by-name/README.md @infinisil
/pkgs/top-level/by-name-overlay.nix @infinisil
/.github/workflows/check-by-name.yml @infinisil
# Nixpkgs build-support
/pkgs/build-support/writers @lassulus @Profpatsch
@ -73,8 +71,8 @@
# @raitobezarius is not "code owner", but is listed here to be notified of changes
# pertaining to the Nix package manager.
# i.e. no authority over those files.
pkgs/tools/package-management/nix/ @raitobezarius
nixos/modules/installer/tools/nix-fallback-paths.nix @raitobezarius
pkgs/tools/package-management/nix/ @NixOS/nix-team @raitobezarius
nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobezarius
# Nixpkgs documentation
/maintainers/scripts/db-to-md.sh @jtojnar @ryantm
@ -89,6 +87,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @raitobezarius
/doc/README.md @infinisil
/nixos/README.md @infinisil
/pkgs/README.md @infinisil
/pkgs/by-name/README.md @infinisil
/maintainers/README.md @infinisil
# User-facing development documentation
@ -109,7 +108,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @raitobezarius
/nixos/virtualisation/qemu-vm.nix @raitobezarius
# ACME
/nixos/modules/security/acme @arianvp @flokli @aanderse # no merge permission: @m1cr0man @emilazy
/nixos/modules/security/acme @arianvp @flokli @aanderse @emilazy # no merge permission: @m1cr0man
# Systemd
/nixos/modules/system/boot/systemd.nix @NixOS/systemd
@ -139,13 +138,13 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @raitobezarius
/pkgs/top-level/release-python.nix @natsukium
# Haskell
/doc/languages-frameworks/haskell.section.md @sternenseemann @maralorn @ncfavier
/maintainers/scripts/haskell @sternenseemann @maralorn @ncfavier
/pkgs/development/compilers/ghc @sternenseemann @maralorn @ncfavier
/pkgs/development/haskell-modules @sternenseemann @maralorn @ncfavier
/pkgs/test/haskell @sternenseemann @maralorn @ncfavier
/pkgs/top-level/release-haskell.nix @sternenseemann @maralorn @ncfavier
/pkgs/top-level/haskell-packages.nix @sternenseemann @maralorn @ncfavier
/doc/languages-frameworks/haskell.section.md @sternenseemann @maralorn
/maintainers/scripts/haskell @sternenseemann @maralorn
/pkgs/development/compilers/ghc @sternenseemann @maralorn
/pkgs/development/haskell-modules @sternenseemann @maralorn
/pkgs/test/haskell @sternenseemann @maralorn
/pkgs/top-level/release-haskell.nix @sternenseemann @maralorn
/pkgs/top-level/haskell-packages.nix @sternenseemann @maralorn
# Perl
/pkgs/development/interpreters/perl @stigtsp @zakame @marcusramberg
@ -252,6 +251,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
# Idris
/pkgs/development/idris-modules @Infinisil
/pkgs/development/compilers/idris2 @mattpolzin
# Bazel
/pkgs/development/tools/build-managers/bazel @Profpatsch
@ -267,6 +267,9 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/pkgs/applications/editors/emacs @adisbladis
/pkgs/top-level/emacs-packages.nix @adisbladis
# Kakoune
/pkgs/applications/editors/kakoune @philiptaron
# Neovim
/pkgs/applications/editors/neovim @figsoda @teto
@ -320,7 +323,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
# Forgejo
nixos/modules/services/misc/forgejo.nix @adamcstephens @bendlas @emilylange
pkgs/by-name/fo/forgejo/package.nix @adamcstephens @bendlas @emilylange
pkgs/by-name/fo/forgejo/ @adamcstephens @bendlas @emilylange
# Dotnet
/pkgs/build-support/dotnet @corngood
@ -364,16 +367,13 @@ nixos/modules/services/web-apps/pretalx.nix @mweinelt
nixos/tests/web-apps/pretix.nix @mweinelt
nixos/tests/web-apps/pretalx.nix @mweinelt
# incus/lxc/lxd
nixos/maintainers/scripts/lxd/ @adamcstephens
# incus/lxc
nixos/maintainers/scripts/incus/ @adamcstephens
nixos/modules/virtualisation/incus.nix @adamcstephens
nixos/modules/virtualisation/lxc* @adamcstephens
nixos/modules/virtualisation/lxd* @adamcstephens
nixos/tests/incus/ @adamcstephens
nixos/tests/lxd/ @adamcstephens
pkgs/by-name/in/incus/ @adamcstephens
pkgs/by-name/lx/lxc* @adamcstephens
pkgs/by-name/lx/lxd* @adamcstephens
# ExpidusOS, Flutter
/pkgs/development/compilers/flutter @RossComputerGuy
@ -387,3 +387,8 @@ pkgs/by-name/lx/lxd* @adamcstephens
/pkgs/os-specific/linux/checkpolicy @RossComputerGuy
/pkgs/os-specific/linux/libselinux @RossComputerGuy
/pkgs/os-specific/linux/libsepol @RossComputerGuy
# installShellFiles
/pkgs/by-name/in/installShellFiles/* @Ericson2314
/pkgs/test/install-shell-files/* @Ericson2314
/doc/hooks/installShellFiles.section.md @Ericson2314

View file

@ -21,7 +21,7 @@ For new packages please briefly describe the package or provide a link to its ho
- [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
- and/or [package tests](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests)
- or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test)
- made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
- made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
- [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [24.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) (or backporting [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) and [24.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) Release notes)

View file

@ -270,6 +270,12 @@
- changed-files:
- any-glob-to-any-file:
- .github/**/*
- CONTRIBUTING.md
- pkgs/README.md
- nixos/README.md
- maintainers/README.md
- lib/README.md
- doc/README.md
"6.topic: printing":
- any:

View file

@ -15,6 +15,7 @@ permissions:
jobs:
tests:
name: basic-eval-checks
runs-on: ubuntu-latest
# we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
steps:

View file

@ -1,123 +0,0 @@
# Checks pkgs/by-name (see pkgs/by-name/README.md)
# using the nixpkgs-check-by-name tool (see https://github.com/NixOS/nixpkgs-check-by-name)
#
# When you make changes to this workflow, also update pkgs/test/check-by-name/run-local.sh adequately
name: Check pkgs/by-name
on:
# Using pull_request_target instead of pull_request avoids having to approve first time contributors
pull_request_target:
# This workflow depends on the base branch of the PR,
# but changing the base branch is not included in the default trigger events,
# which would be `opened`, `synchronize` or `reopened`.
# Instead it causes an `edited` event, so we need to add it explicitly here
# While `edited` is also triggered when the PR title/body is changed,
# this PR action is fairly quick, and PR's don't get edited that often,
# so it shouldn't be a problem
# There is a feature request for adding a `base_changed` event:
# https://github.com/orgs/community/discussions/35058
types: [opened, synchronize, reopened, edited]
permissions: {}
# We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit
# trigger), and contributers would get notified on any canceled run.
# There is a feature request for supressing notifications on concurrency-canceled runs:
# https://github.com/orgs/community/discussions/13015
jobs:
check:
# This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases
runs-on: ubuntu-latest
# This should take 1 minute at most, but let's be generous.
# The default of 6 hours is definitely too long
timeout-minutes: 10
steps:
# This step has to be in this file,
# because it's needed to determine which revision of the repository to fetch,
# and we can only use other files from the repository once it's fetched.
- name: Resolving the merge commit
env:
GH_TOKEN: ${{ github.token }}
run: |
# This checks for mergeability of a pull request as recommended in
# https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests
# Retry the API query this many times
retryCount=5
# Start with 5 seconds, but double every retry
retryInterval=5
while true; do
echo "Checking whether the pull request can be merged"
prInfo=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/"$GITHUB_REPOSITORY"/pulls/${{ github.event.pull_request.number }})
mergeable=$(jq -r .mergeable <<< "$prInfo")
mergedSha=$(jq -r .merge_commit_sha <<< "$prInfo")
if [[ "$mergeable" == "null" ]]; then
if (( retryCount == 0 )); then
echo "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
exit 1
else
(( retryCount -= 1 )) || true
# null indicates that GitHub is still computing whether it's mergeable
# Wait a couple seconds before trying again
echo "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
sleep "$retryInterval"
(( retryInterval *= 2 )) || true
fi
else
break
fi
done
if [[ "$mergeable" == "true" ]]; then
echo "The PR can be merged, checking the merge commit $mergedSha"
echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
else
echo "The PR cannot be merged, it has a merge conflict, skipping the rest.."
fi
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
if: env.mergedSha
with:
# pull_request_target checks out the base branch by default
ref: ${{ env.mergedSha }}
# Fetches the merge commit and its parents
fetch-depth: 2
- name: Checking out base branch
if: env.mergedSha
run: |
base=$(mktemp -d)
git worktree add "$base" "$(git rev-parse HEAD^1)"
echo "base=$base" >> "$GITHUB_ENV"
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
if: env.mergedSha
- name: Fetching the pinned tool
if: env.mergedSha
# Update the pinned version using pkgs/test/check-by-name/update-pinned-tool.sh
run: |
# The pinned version of the tooling to use
toolVersion=$(<pkgs/test/check-by-name/pinned-version.txt)
# Fetch the x86_64-linux-specific release artifact containing the Gzipped NAR of the pre-built tool
toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-check-by-name/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
| gzip -cd | nix-store --import | tail -1)
# Adds a result symlink as a GC root
nix-store --realise "$toolPath" --add-root result
- name: Running nixpkgs-check-by-name
if: env.mergedSha
env:
# Force terminal colors to be enabled. The library that
# nixpkgs-check-by-name uses respects: https://bixense.com/clicolors/
CLICOLOR_FORCE: 1
run: |
if result/bin/nixpkgs-check-by-name --base "$base" .; then
exit 0
else
exitCode=$?
echo "To run locally: ./maintainers/scripts/check-by-name.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
exit "$exitCode"
fi

View file

@ -10,6 +10,7 @@ permissions: {}
jobs:
check:
name: cherry-pick-check
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:

View file

@ -9,6 +9,7 @@ permissions:
jobs:
nixos:
name: maintainer-list-check
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:

View file

@ -7,13 +7,14 @@ name: Check that Nix files are formatted
on:
pull_request_target:
# See the comment at the same location in ./check-by-name.yml
# See the comment at the same location in ./nixpkgs-vet.yml
types: [opened, synchronize, reopened, edited]
permissions:
contents: read
jobs:
nixos:
name: nixfmt-check
runs-on: ubuntu-latest
if: "!contains(github.event.pull_request.title, '[skip treewide]')"
steps:
@ -82,7 +83,8 @@ jobs:
if (( "${#unformattedFiles[@]}" > 0 )); then
echo "Some new/changed Nix files are not properly formatted"
echo "Please run the following in \`nix-shell\`:"
echo "Please go to the Nixpkgs root directory, run \`nix-shell\`, then:"
echo "nixfmt ${unformattedFiles[*]@Q}"
echo "If you're having trouble, please ping @NixOS/nix-formatting"
exit 1
fi

View file

@ -8,6 +8,7 @@ permissions:
jobs:
nixos:
name: exp-nixf-tidy-check
runs-on: ubuntu-latest
if: "!contains(github.event.pull_request.title, '[skip treewide]')"
steps:

View file

@ -7,6 +7,7 @@ permissions: {}
jobs:
x86_64-linux:
name: shell-check-x86_64-linux
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@ -18,6 +19,7 @@ jobs:
run: nix-build shell.nix
aarch64-darwin:
name: shell-check-aarch64-darwin
runs-on: macos-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

View file

@ -10,6 +10,7 @@ on:
jobs:
tests:
name: editorconfig-check
runs-on: ubuntu-latest
if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
steps:

View file

@ -15,6 +15,7 @@ permissions:
jobs:
labels:
name: label-pr
runs-on: ubuntu-latest
if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
steps:

View file

@ -11,6 +11,7 @@ on:
jobs:
nixos:
name: nixos-manual-build
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:

View file

@ -13,6 +13,7 @@ on:
jobs:
nixpkgs:
name: nixpkgs-manual-build
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:

View file

@ -10,6 +10,7 @@ on:
jobs:
tests:
name: nix-files-parseable-check
runs-on: ubuntu-latest
if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
steps:

View file

@ -0,0 +1,116 @@
# `nixpkgs-vet` is a tool to vet Nixpkgs: its architecture, package structure, and more.
# Among other checks, it makes sure that `pkgs/by-name` (see `../../pkgs/by-name/README.md`) follows the validity rules outlined in [RFC 140](https://github.com/NixOS/rfcs/pull/140).
# When you make changes to this workflow, please also update `ci/nixpkgs-vet.sh` to reflect the impact of your work to the CI.
# See https://github.com/NixOS/nixpkgs-vet for details on the tool and its checks.
name: Vet nixpkgs
on:
# Using pull_request_target instead of pull_request avoids having to approve first time contributors.
pull_request_target:
# This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
# Instead it causes an `edited` event, so we need to add it explicitly here.
# While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.
# There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058
types: [opened, synchronize, reopened, edited]
permissions: {}
# We don't use a concurrency group here, because the action is triggered quite often (due to the PR edit trigger), and contributors would get notified on any canceled run.
# There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015
jobs:
check:
name: nixpkgs-vet
# This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
runs-on: ubuntu-latest
# This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
timeout-minutes: 10
steps:
# This step has to be in this file, because it's needed to determine which revision of the repository to fetch, and we can only use other files from the repository once it's fetched.
- name: Resolving the merge commit
env:
GH_TOKEN: ${{ github.token }}
run: |
# This checks for mergeability of a pull request as recommended in
# https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests
# Retry the API query this many times
retryCount=5
# Start with 5 seconds, but double every retry
retryInterval=5
while true; do
echo "Checking whether the pull request can be merged"
prInfo=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/"$GITHUB_REPOSITORY"/pulls/${{ github.event.pull_request.number }})
mergeable=$(jq -r .mergeable <<< "$prInfo")
mergedSha=$(jq -r .merge_commit_sha <<< "$prInfo")
if [[ "$mergeable" == "null" ]]; then
if (( retryCount == 0 )); then
echo "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
exit 1
else
(( retryCount -= 1 )) || true
# null indicates that GitHub is still computing whether it's mergeable
# Wait a couple seconds before trying again
echo "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
sleep "$retryInterval"
(( retryInterval *= 2 )) || true
fi
else
break
fi
done
if [[ "$mergeable" == "true" ]]; then
echo "The PR can be merged, checking the merge commit $mergedSha"
echo "mergedSha=$mergedSha" >> "$GITHUB_ENV"
else
echo "The PR cannot be merged, it has a merge conflict, skipping the rest.."
fi
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
if: env.mergedSha
with:
# pull_request_target checks out the base branch by default
ref: ${{ env.mergedSha }}
# Fetches the merge commit and its parents
fetch-depth: 2
- name: Checking out base branch
if: env.mergedSha
run: |
base=$(mktemp -d)
git worktree add "$base" "$(git rev-parse HEAD^1)"
echo "base=$base" >> "$GITHUB_ENV"
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
if: env.mergedSha
- name: Fetching the pinned tool
if: env.mergedSha
# Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
run: |
# The pinned version of the tooling to use.
toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt)
# Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool.
toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
| gzip -cd | nix-store --import | tail -1)
# Adds a result symlink as a GC root.
nix-store --realise "$toolPath" --add-root result
- name: Running nixpkgs-vet
if: env.mergedSha
env:
# Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
CLICOLOR_FORCE: 1
run: |
if result/bin/nixpkgs-vet --base "$base" .; then
exit 0
else
exitCode=$?
echo "To run locally: ./ci/nixpkgs-vet.sh $GITHUB_BASE_REF https://github.com/$GITHUB_REPOSITORY.git"
echo "If you're having trouble, ping @NixOS/nixpkgs-vet"
exit "$exitCode"
fi

View file

@ -16,6 +16,7 @@ permissions:
jobs:
action:
name: set-ofborg-pending
if: github.repository_owner == 'NixOS'
permissions:
statuses: write

View file

@ -46,7 +46,7 @@ jobs:
run: |
git clean -f
- name: create PR
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 # v7.0.3
with:
body: |
Automatic update by [update-terraform-providers](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/update-terraform-providers.yml) action.

View file

@ -1,9 +1,13 @@
ajs124 <git@ajs124.de> <ajs124@users.noreply.github.com>
Anderson Torres <torres.anderson.85@protonmail.com>
Atemu <git@atemu.net> <atemu.main@gmail.com>
Daniel Løvbrøtte Olsen <me@dandellion.xyz> <daniel.olsen99@gmail.com>
Fabian Affolter <mail@fabian-affolter.ch> <fabian@affolter-engineering.ch>
goatastronaut0212 <goatastronaut0212@outlook.com> <goatastronaut0212@proton.me>
Janne Heß <janne@hess.ooo> <dasJ@users.noreply.github.com>
Jörg Thalheim <joerg@thalheim.io> <Mic92@users.noreply.github.com>
Lin Jian <me@linj.tech> <linj.dev@outlook.com>
Lin Jian <me@linj.tech> <75130626+jian-lin@users.noreply.github.com>
Martin Weinelt <hexa@darmstadt.ccc.de> <mweinelt@users.noreply.github.com>
R. RyanTM <ryantm-bot@ryantm.com>
Robert Hensing <robert@roberthensing.nl> <roberth@users.noreply.github.com>

View file

@ -315,6 +315,22 @@ When reviewing a pull request, please always be nice and polite. Controversial c
GitHub provides reactions as a simple and quick way to provide feedback to pull requests or any comments. The thumb-down reaction should be used with care and if possible accompanied with some explanation so the submitter has directions to improve their contribution.
When doing a review:
- Aim to drive the proposal to a timely conclusion.
- Focus on the proposed changes to keep the scope of the discussion narrow.
- Help the contributor prioritise their efforts towards getting their change merged.
If you find anything related that could be improved but is not immediately required for acceptance, consider
- Implementing the changes yourself in a follow-up pull request (and request review from the person who inspired you)
- Tracking your idea in an issue
- Offering the original contributor to review a follow-up pull request
- Making concrete [suggestions](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/incorporating-feedback-in-your-pull-request) in the same pull request.
For example, follow-up changes could involve refactoring code in the affected files.
But please remember not to make such additional considerations a blocker, and communicate that to the contributor, for example by following the [conventional comments](https://conventionalcomments.org/) pattern.
If the related change is essential for the contribution at hand, make clear why you think it is important to address that first.
Pull request reviews should include a list of what has been reviewed in a comment, so other reviewers and mergers can know the state of the review.
All the review template samples provided in this section are generic and meant as examples. Their usage is optional and the reviewer is free to adapt them to their liking.
@ -354,7 +370,7 @@ The following paragraphs about how to deal with unactive contributors is just a
Please note that contributors with commit rights unactive for more than three months will have their commit rights revoked.
-->
Please see the discussion in [GitHub nixpkgs issue #50105](https://github.com/NixOS/nixpkgs/issues/50105) for information on how to proceed to be granted this level of access.
Please see the discussion in [GitHub nixpkgs issue #321665](https://github.com/NixOS/nixpkgs/issues/321665) for information on how to proceed to be granted this level of access.
In a case a contributor definitively leaves the Nix community, they should create an issue or post on [Discourse](https://discourse.nixos.org) with references of packages and modules they maintain so the maintainership can be taken over by other contributors.

View file

@ -1,7 +1,7 @@
# CI support files
This directory contains files to support CI, such as [GitHub Actions](https://github.com/NixOS/nixpkgs/tree/master/.github/workflows) and [Ofborg](https://github.com/nixos/ofborg).
This is in contrast with [`maintainers/scripts`](`../maintainers/scripts`) which is for human use instead.
This is in contrast with [`maintainers/scripts`](../maintainers/scripts) which is for human use instead.
## Pinned Nixpkgs
@ -10,3 +10,34 @@ In order to ensure that the needed packages are generally available without buil
[`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra.
Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it.
## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]`
Runs the [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) on the HEAD commit, closely matching what CI does. This can't do exactly the same as CI, because CI needs to rely on GitHub's server-side Git history to compute the mergeability of PRs before the check can be started.
In turn, when contributors are running this tool locally, we don't want to have to push commits to test them, and we can also rely on the local Git history to do the mergeability check.
Arguments:
- `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05
- `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.
## `ci/nixpkgs-vet`
This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules.
See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml).
## `ci/nixpkgs-vet/update-pinned-tool.sh`
Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases).
Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI.
This script currently needs to be called manually when the CI tooling needs to be updated.
Why not just build the tooling right from the PRs Nixpkgs version?
- Because it allows CI to check all PRs, even if they would break the CI tooling.
- Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
- Because it improves security, since we don't have to build potentially untrusted code from PRs.
The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).

71
third_party/nixpkgs/ci/nixpkgs-vet.sh vendored Executable file
View file

@ -0,0 +1,71 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p jq
set -o pipefail -o errexit -o nounset
trace() { echo >&2 "$@"; }
tmp=$(mktemp -d)
cleanup() {
# Don't exit early if anything fails to cleanup
set +o errexit
trace -n "Cleaning up.. "
[[ -e "$tmp/base" ]] && git worktree remove --force "$tmp/base"
[[ -e "$tmp/merged" ]] && git worktree remove --force "$tmp/merged"
rm -rf "$tmp"
trace "Done"
}
trap cleanup exit
repo=https://github.com/NixOS/nixpkgs.git
if (( $# != 0 )); then
baseBranch=$1
shift
else
trace "Usage: $0 BASE_BRANCH [REPOSITORY]"
trace "BASE_BRANCH: The base branch to use, e.g. master or release-23.11"
trace "REPOSITORY: The repository to fetch the base branch from, defaults to $repo"
exit 1
fi
if (( $# != 0 )); then
repo=$1
shift
fi
if [[ -n "$(git status --porcelain)" ]]; then
trace -e "\e[33mWarning: Dirty tree, uncommitted changes won't be taken into account\e[0m"
fi
headSha=$(git rev-parse HEAD)
trace -e "Using HEAD commit \e[34m$headSha\e[0m"
trace -n "Creating Git worktree for the HEAD commit in $tmp/merged.. "
git worktree add --detach -q "$tmp/merged" HEAD
trace "Done"
trace -n "Fetching base branch $baseBranch to compare against.. "
git fetch -q "$repo" refs/heads/"$baseBranch"
baseSha=$(git rev-parse FETCH_HEAD)
trace -e "\e[34m$baseSha\e[0m"
trace -n "Creating Git worktree for the base branch in $tmp/base.. "
git worktree add -q "$tmp/base" "$baseSha"
trace "Done"
trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
git -C "$tmp/merged" merge -q --no-edit "$baseSha"
trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"
trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
trace -e "\e[34m$toolVersion\e[0m"
trace -n "Building tool.. "
nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build
trace "Running nixpkgs-vet.."
"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"

View file

@ -0,0 +1 @@
0.1.4

View file

@ -7,7 +7,7 @@ trace() { echo >&2 "$@"; }
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
repository=NixOS/nixpkgs-check-by-name
repository=NixOS/nixpkgs-vet
pin_file=$SCRIPT_DIR/pinned-version.txt
trace -n "Fetching latest release of $repository.. "

View file

@ -1,4 +1,4 @@
{
"rev": "521d48afa9ae596930a95325529df27fa7135ff5",
"sha256": "0a1pa5azw990narsfipdli1wng4nc3vhvrp00hb8v1qfchcq7dc9"
"rev": "4de4818c1ffa76d57787af936e8a23648bda6be4",
"sha256": "0l3b9jr5ydzqgvd10j12imc9jqb6jv5v2bdi1gyy5cwkwplfay67"
}

View file

@ -251,25 +251,42 @@ You, as the writer of documentation, are still in charge of its content.
For example:
```markdown
# pkgs.coolFunction
# pkgs.coolFunction {#pkgs.coolFunction}
Description of what `coolFunction` does.
`pkgs.coolFunction` *`name`* *`config`*
## Inputs
Description of what `callPackage` does.
`coolFunction` expects a single argument which should be an attribute set, with the following possible attributes:
`name` (String)
## Inputs {#pkgs-coolFunction-inputs}
If something's special about `coolFunction`'s general argument handling, you can say so here.
Otherwise, just describe the single argument or start the arguments' definition list without introduction.
*`name`* (String)
: The name of the resulting image.
`tag` (String; _optional_)
*`config`* (Attribute set)
: Tag of the generated image.
: Introduce the parameter. Maybe you have a test to make sure `{ }` is a sensible default; then you can say: these attributes are optional; `{ }` is a valid argument.
_Default:_ the output path's hash.
`outputHash` (String; _optional_)
: A brief explanation including when and when not to pass this attribute.
: _Default:_ the output path's hash.
```
Checklist:
- Start with a synopsis, to show the order of positional arguments.
- Metavariables are in emphasized code spans: ``` *`arg1`* ```. Metavariables are placeholders where users may write arbitrary expressions. This includes positional arguments.
- Attribute names are regular code spans: ``` `attr1` ```. These identifiers can _not_ be picked freely by users, so they are _not_ metavariables.
- _optional_ attributes have a _`Default:`_ if it's easily described as a value.
- _optional_ attributes have a _`Default behavior:`_ if it's not easily described using a value.
- Nix types aren't in code spans, because they are not code
- Nix types are capitalized, to distinguish them from the camelCase Module System types, which _are_ code and behave like functions.
#### Examples
To define a referenceable figure use the following fencing:

View file

@ -157,6 +157,12 @@ Here are security considerations for this scenario:
In more concrete terms, if you use any other hash, the [`--insecure` flag](https://curl.se/docs/manpage.html#-k) will be passed to the underlying call to `curl` when downloading content.
## Proxy usage {#sec-pkgs-fetchers-proxy}
Nixpkgs fetchers can make use of a http(s) proxy. Each fetcher will automatically inherit proxy-related environment variables (`http_proxy`, `https_proxy`, etc) via [impureEnvVars](https://nixos.org/manual/nix/stable/language/advanced-attributes#adv-attr-impureEnvVars).
The environment variable `NIX_SSL_CERT_FILE` is also inherited in fetchers, and can be used to provide a custom certificate bundle to fetchers. This is usually required for a https proxy to work without certificate validation errors.
[]{#fetchurl}
## `fetchurl` {#sec-pkgs-fetchers-fetchurl}

View file

@ -64,7 +64,7 @@ let
src = fetchurl {
url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
sha256 = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
};
in appimageTools.wrapType2 {
inherit pname version src;
@ -100,7 +100,7 @@ let
src = fetchurl {
url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
sha256 = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
};
appimageContents = appimageTools.extract {
@ -141,7 +141,7 @@ let
src = fetchurl {
url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
sha256 = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
};
appimageContents = appimageTools.extract {

View file

@ -50,6 +50,10 @@ Similarly, if you encounter errors similar to `Error_Protocol ("certificate has
If specified, the layer created by `buildImage` will be appended to the layers defined in the base image, resulting in an image with at least two layers (one or more layers from the base image, and the layer created by `buildImage`).
Otherwise, the resulting image with contain the single layer created by `buildImage`.
:::{.note}
Only **Env** configuration is inherited from the base image.
:::
_Default value:_ `null`.
`fromImageName` (String or Null; _optional_)

View file

@ -339,6 +339,41 @@ once to get a derivation hash, and again to produce the final fixed output deriv
:::
## `runCommand` {#tester-runCommand}
`runCommand :: { name, script, stdenv ? stdenvNoCC, hash ? "...", ... } -> Derivation`
This is a wrapper around `pkgs.runCommandWith`, which
- produces a fixed-output derivation, enabling the command(s) to access the network ;
- salts the derivation's name based on its inputs, ensuring the command is re-run whenever the inputs changes.
It accepts the following attributes:
- the derivation's `name` ;
- the `script` to be executed ;
- `stdenv`, the environment to use, defaulting to `stdenvNoCC` ;
- the derivation's output `hash`, defaulting to the empty file's.
The derivation's `outputHashMode` is set by default to recursive, so the `script` can output a directory as well.
All other attributes are passed through to [`mkDerivation`](#sec-using-stdenv),
including `nativeBuildInputs` to specify dependencies available to the `script`.
:::{.example #ex-tester-runCommand-nix}
# Run a command with network access
```nix
testers.runCommand {
name = "access-the-internet";
command = ''
curl -o /dev/null https://example.com
touch $out
'';
nativeBuildInputs = with pkgs; [ cacert curl ];
}
```
:::
## `runNixOSTest` {#tester-runNixOSTest}
A helper function that behaves exactly like the NixOS `runTest`, except it also assigns this Nixpkgs package set as the `pkgs` of the test and makes the `nixpkgs.*` options read-only.

View file

@ -3,32 +3,122 @@
Nixpkgs provides a variety of wrapper functions that help build commonly useful derivations.
Like [`stdenv.mkDerivation`](#sec-using-stdenv), each of these build helpers creates a derivation, but the arguments passed are different (usually simpler) from those required by `stdenv.mkDerivation`.
## `runCommand` {#trivial-builder-runCommand}
`runCommand :: String -> AttrSet -> String -> Derivation`
## `runCommandWith` {#trivial-builder-runCommandWith}
The result of `runCommand name drvAttrs buildCommand` is a derivation that is built by running the specified shell commands.
The function `runCommandWith` returns a derivation built using the specified command(s), in a specified environment.
By default `runCommand` runs in a stdenv with no compiler environment, whereas [`runCommandCC`](#trivial-builder-runCommandCC) uses the default stdenv, `pkgs.stdenv`.
It is the underlying base function of all [`runCommand*` variants].
The general behavior is controlled via a single attribute set passed
as the first argument, and allows specifying `stdenv` freely.
`name :: String`
: The name that Nix will append to the store path in the same way that `stdenv.mkDerivation` uses its `name` attribute.
The following [`runCommand*` variants] exist: `runCommand`, `runCommandCC`, and `runCommandLocal`.
`drvAttr :: AttrSet`
: Attributes to pass to the underlying call to [`stdenv.mkDerivation`](#chap-stdenv).
[`runCommand*` variants]: #trivial-builder-runCommand
`buildCommand :: String`
### Type {#trivial-builder-runCommandWith-Type}
```
runCommandWith :: {
name :: name;
stdenv? :: Derivation;
runLocal? :: Bool;
derivationArgs? :: { ... };
} -> String -> Derivation
```
### Inputs {#trivial-builder-runCommandWith-Inputs}
`name` (String)
: The derivation's name, which Nix will append to the store path; see [`mkDerivation`](#sec-using-stdenv).
`runLocal` (Boolean)
: If set to `true` this forces the derivation to be built locally, not using [substitutes] nor remote builds.
This is intended for very cheap commands (<1s execution time) which can be sped up by avoiding the network round-trip(s).
Its effect is to set [`preferLocalBuild = true`][preferLocalBuild] and [`allowSubstitutes = false`][allowSubstitutes].
::: {.note}
This prevents the use of [substituters][substituter], so only set `runLocal` (or use `runCommandLocal`) when certain the user will
always have a builder for the `system` of the derivation. This should be true for most trivial use cases
(e.g., just copying some files to a different location or adding symlinks) because there the `system`
is usually the same as `builtins.currentSystem`.
:::
`stdenv` (Derivation)
: The [standard environment](#chap-stdenv) to use, defaulting to `pkgs.stdenv`
`derivationArgs` (Attribute set)
: Additional arguments for [`mkDerivation`](#sec-using-stdenv).
`buildCommand` (String)
: Shell commands to run in the derivation builder.
::: {.note}
You have to create a file or directory `$out` for Nix to be able to run the builder successfully.
:::
[allowSubstitutes]: https://nixos.org/nix/manual/#adv-attr-allowSubstitutes
[preferLocalBuild]: https://nixos.org/nix/manual/#adv-attr-preferLocalBuild
[substituter]: https://nix.dev/manual/nix/latest/glossary#gloss-substituter
[substitutes]: https://nix.dev/manual/nix/2.23/glossary#gloss-substitute
::: {.example #ex-runcommandwith}
# Invocation of `runCommandWith`
```nix
runCommandWith {
name = "example";
derivationArgs.nativeBuildInputs = [ cowsay ];
} ''
cowsay > $out <<EOMOO
'runCommandWith' is a bit cumbersome,
so we have more ergonomic wrappers.
EOMOO
''
```
:::
## `runCommand` and `runCommandCC` {#trivial-builder-runCommand}
The function `runCommand` returns a derivation built using the specified command(s), in the `stdenvNoCC` environment.
`runCommandCC` is similar but uses the default compiler environment. To minimize dependencies, `runCommandCC`
should only be used when the build command needs a C compiler.
`runCommandLocal` is also similar to `runCommand`, but forces the derivation to be built locally.
See the note on [`runCommandWith`] about `runLocal`.
[`runCommandWith`]: #trivial-builder-runCommandWith
### Type {#trivial-builder-runCommand-Type}
```
runCommand :: String -> AttrSet -> String -> Derivation
runCommandCC :: String -> AttrSet -> String -> Derivation
runCommandLocal :: String -> AttrSet -> String -> Derivation
```
### Input {#trivial-builder-runCommand-Input}
While the type signature(s) differ from [`runCommandWith`], individual arguments with the same name will have the same type and meaning:
`name` (String)
: The derivation's name
`derivationArgs` (Attribute set)
: Additional parameters passed to [`mkDerivation`]
`buildCommand` (String)
: The command(s) run to build the derivation.
::: {.example #ex-runcommand-simple}
# Invocation of `runCommand`
```nix
(import <nixpkgs> {}).runCommand "my-example" {} ''
runCommand "my-example" {} ''
echo My example command is running
mkdir $out
@ -49,18 +139,24 @@ By default `runCommand` runs in a stdenv with no compiler environment, whereas [
```
:::
## `runCommandCC` {#trivial-builder-runCommandCC}
This works just like `runCommand`. The only difference is that it also provides a C compiler in `buildCommand`'s environment. To minimize your dependencies, you should only use this if you are sure you will need a C compiler as part of running your command.
## `runCommandLocal` {#trivial-builder-runCommandLocal}
Variant of `runCommand` that forces the derivation to be built locally, it is not substituted. This is intended for very cheap commands (<1s execution time). It saves on the network round-trip and can speed up a build.
::: {.note}
This sets [`allowSubstitutes` to `false`](https://nixos.org/nix/manual/#adv-attr-allowSubstitutes), so only use `runCommandLocal` if you are certain the user will always have a builder for the `system` of the derivation. This should be true for most trivial use cases (e.g., just copying some files to a different location or adding symlinks) because there the `system` is usually the same as `builtins.currentSystem`.
`runCommand name derivationArgs buildCommand` is equivalent to
```nix
runCommandWith {
inherit name derivationArgs;
stdenv = stdenvNoCC;
} buildCommand
```
Likewise, `runCommandCC name derivationArgs buildCommand` is equivalent to
```nix
runCommandWith {
inherit name derivationArgs;
} buildCommand
```
:::
## Writing text files {#trivial-builder-text-writing}
Nixpkgs provides the following functions for producing derivations which write text files or executable scripts into the Nix store.
@ -437,7 +533,6 @@ writeScript "my-file"
Contents of File
''
```
:::
This is equivalent to:
@ -450,6 +545,7 @@ writeTextFile {
executable = true;
}
```
:::
### `writeScriptBin` {#trivial-builder-writeScriptBin}

View file

@ -106,6 +106,7 @@ stdenvNoCC.mkDerivation {
--arg nixpkgsPath "./." \
--argstr revision ${nixpkgs.rev or "master"} \
--argstr libsetsJSON ${lib.escapeShellArg (builtins.toJSON libsets)} \
--store $(mktemp -d) \
> locations.json
function docgen {

View file

@ -0,0 +1,3 @@
# CERNLIB {#cernlib-hook}
This hook sets the `CERN`, `CERN_LEVEL`, and `CERN_ROOT` environment variables. They are part of [CERNLIB's build system](https://cernlib.web.cern.ch/install/install.html), and are are needed for some programs to compile correctly.

View file

@ -0,0 +1,29 @@
# `haredo` {#haredo-hook}
This hook uses [the `haredo` command runner](https://sr.ht/~autumnull/haredo/) to build, check, and install the package. It overrides `buildPhase`, `checkPhase`, and `installPhase` by default.
The hook builds its targets in parallel if [`config.enableParallelBuilding`](#var-stdenv-enableParallelBuilding) is set to `true`.
## `buildPhase` {#haredo-hook-buildPhase}
This phase attempts to build the default target.
[]{#haredo-hook-haredoBuildTargets} Targets can be explicitly set by adding a string to the `haredoBuildTargets` list.
[]{#haredo-hook-dontUseHaredoBuild} This behavior can be disabled by setting `dontUseHaredoBuild` to `true`.
## `checkPhase` {#haredo-hook-checkPhase}
This phase searches for the `check.do` or `test.do` targets, running them if they exist.
[]{#haredo-hook-haredoCheckTargets} Targets can be explicitly set by adding a string to the `haredoCheckTargets` list.
[]{#haredo-hook-dontUseHaredoCheck} This behavior can be disabled by setting `dontUseHaredoCheck` to `true`.
## `installPhase` {#haredo-hook-installPhase}
This phase attempts to build the `install.do` target, if it exists.
[]{#haredo-hook-haredoInstallTargets} Targets can be explicitly set by adding a string to the `haredoInstallTargets` list.
[]{#haredo-hook-dontUseHaredoInstall} This behavior can be disabled by setting `dontUseHaredoInstall` to `true`.

View file

@ -10,11 +10,14 @@ automake.section.md
autopatchelf.section.md
bmake.section.md
breakpoint.section.md
cernlib.section.md
cmake.section.md
gdk-pixbuf.section.md
ghc.section.md
gnome.section.md
haredo.section.md
installShellFiles.section.md
just.section.md
libiconv.section.md
libxml2.section.md
meson.section.md
@ -24,6 +27,7 @@ patch-rc-path-hooks.section.md
perl.section.md
pkg-config.section.md
postgresql-test-hook.section.md
premake.section.md
python.section.md
scons.section.md
tetex-tex-live.section.md

View file

@ -1,16 +1,79 @@
# `installShellFiles` {#installshellfiles}
This hook helps with installing manpages and shell completion files. It exposes 2 shell functions `installManPage` and `installShellCompletion` that can be used from your `postInstall` hook.
This hook adds helpers that install artifacts like executable files, manpages
and shell completions.
The `installManPage` function takes one or more paths to manpages to install. The manpages must have a section suffix, and may optionally be compressed (with `.gz` suffix). This function will place them into the correct `share/man/man<section>/` directory, in [`outputMan`](#outputman).
It exposes the following functions that can be used from your `postInstall`
hook:
The `installShellCompletion` function takes one or more paths to shell completion files. By default it will autodetect the shell type from the completion file extension, but you may also specify it by passing one of `--bash`, `--fish`, or `--zsh`. These flags apply to all paths listed after them (up until another shell flag is given). Each path may also have a custom installation name provided by providing a flag `--name NAME` before the path. If this flag is not provided, zsh completions will be renamed automatically such that `foobar.zsh` becomes `_foobar`. A root name may be provided for all paths using the flag `--cmd NAME`; this synthesizes the appropriate name depending on the shell (e.g. `--cmd foo` will synthesize the name `foo.bash` for bash and `_foo` for zsh).
## `installBin` {#installshellfiles-installbin}
The `installBin` function takes one or more paths to files to install as
executable files.
This function will place them into [`outputBin`](#outputbin).
### Example Usage {#installshellfiles-installbin-exampleusage}
```nix
{
nativeBuildInputs = [ installShellFiles ];
# Sometimes the file has an undersirable name. It should be renamed before
# being installed via installBin
postInstall = ''
mv a.out delmar
installBin foobar delmar
'';
}
```
## `installManPage` {#installshellfiles-installmanpage}
The `installManPage` function takes one or more paths to manpages to install.
The manpages must have a section suffix, and may optionally be compressed (with
`.gz` suffix). This function will place them into the correct
`share/man/man<section>/` directory in [`outputMan`](#outputman).
### Example Usage {#installshellfiles-installmanpage-exampleusage}
```nix
{
nativeBuildInputs = [ installShellFiles ];
# Sometimes the manpage file has an undersirable name; e.g. it conflicts with
# another software with an equal name. It should be renamed before being
# installed via installManPage
postInstall = ''
mv fromsea.3 delmar.3
installManPage foobar.1 delmar.3
'';
}
```
## `installShellCompletion` {#installshellfiles-installshellcompletion}
The `installShellCompletion` function takes one or more paths to shell
completion files.
By default it will autodetect the shell type from the completion file extension,
but you may also specify it by passing one of `--bash`, `--fish`, or
`--zsh`. These flags apply to all paths listed after them (up until another
shell flag is given). Each path may also have a custom installation name
provided by providing a flag `--name NAME` before the path. If this flag is not
provided, zsh completions will be renamed automatically such that `foobar.zsh`
becomes `_foobar`. A root name may be provided for all paths using the flag
`--cmd NAME`; this synthesizes the appropriate name depending on the shell
(e.g. `--cmd foo` will synthesize the name `foo.bash` for bash and `_foo` for
zsh).
### Example Usage {#installshellfiles-installshellcompletion-exampleusage}
```nix
{
nativeBuildInputs = [ installShellFiles ];
postInstall = ''
installManPage doc/foobar.1 doc/barfoo.3
# explicit behavior
installShellCompletion --bash --name foobar.bash share/completions.bash
installShellCompletion --fish --name foobar.fish share/completions.fish
@ -21,9 +84,17 @@ The `installShellCompletion` function takes one or more paths to shell completio
}
```
The path may also be a fifo or named fd (such as produced by `<(cmd)`), in which case the shell and name must be provided (see below).
The path may also be a fifo or named fd (such as produced by `<(cmd)`), in which
case the shell and name must be provided (see below).
If the destination shell completion file is not actually present or consists of zero bytes after calling `installShellCompletion` this is treated as a build failure. In particular, if completion files are not vendored but are generated by running an executable, this is likely to fail in cross compilation scenarios. The result will be a zero byte completion file and hence a build failure. To prevent this, guard the completion commands against this, e.g.
If the destination shell completion file is not actually present or consists of
zero bytes after calling `installShellCompletion` this is treated as a build
failure. In particular, if completion files are not vendored but are generated
by running an executable, this is likely to fail in cross compilation
scenarios. The result will be a zero byte completion file and hence a build
failure. To prevent this, guard the completion generation commands.
### Example Usage {#installshellfiles-installshellcompletion-exampleusage-guarded}
```nix
{

View file

@ -0,0 +1,23 @@
# `just` {#just-hook}
This setup hook attempts to use [the `just` command runner](https://just.systems/man/en/) to build, check, and install the package. The hook overrides `buildPhase`, `checkPhase`, and `installPhase` by default.
[]{#just-hook-justFlags} The `justFlags` variable can be set to a list of strings to add additional flags passed to all invocations of `just`.
## `buildPhase` {#just-hook-buildPhase}
This phase attempts to invoke `just` with [the default recipe](https://just.systems/man/en/chapter_23.html).
[]{#just-hook-dontUseJustBuild} This behavior can be disabled by setting `dontUseJustBuild` to `true`.
## `checkPhase` {#just-hook-checkPhase}
This phase attempts to invoke the `just test` recipe, if it is available. This can be overrided by setting `checkTarget` to a string.
[]{#just-hook-dontUseJustCheck} This behavior can be disabled by setting `dontUseJustCheck` to `true`.
## `installPhase` {#just-hook-installPhase}
This phase attempts to invoke the `just install` recipe.
[]{#just-hook-dontUseJustInstall} This behavior can be disabled by setting `dontUseJustInstall` to `true`.

View file

@ -0,0 +1,7 @@
# Premake {#premake-hook}
This setup hook attempts to configure the package using [the Premake build configuration system](https://premake.github.io/). It overrides the `configurePhase` by default, if none exists.
[]{#premake-hook-premakefile} The Premakefile to use can be specified by setting `premakefile` in the derivation.
[]{#premake-hook-premakeFlagsArray} The flags passed to Premake can be configured by adding strings to the `premakeFlags` list.

View file

@ -23,7 +23,7 @@ The recommended way of defining a derivation for a Coq library, is to use the `c
* if it is a string of the form `owner:branch` then it tries to download the `branch` of owner `owner` for a project of the same name using the same vcs, and the `version` attribute of the resulting derivation is set to `"dev"`, additionally if the owner is not provided (i.e. if the `owner:` prefix is missing), it defaults to the original owner of the package (see below),
* if it is a string of the form `"#N"`, and the domain is github, then it tries to download the current head of the pull request `#N` from github,
* `defaultVersion` (optional). Coq libraries may be compatible with some specific versions of Coq only. The `defaultVersion` attribute is used when no `version` is provided (or if `version = null`) to select the version of the library to use by default, depending on the context. This selection will mainly depend on a `coq` version number but also possibly on other packages versions (e.g. `mathcomp`). If its value ends up to be `null`, the package is marked for removal in end-user `coqPackages` attribute set.
* `release` (optional, defaults to `{}`), lists all the known releases of the library and for each of them provides an attribute set with at least a `sha256` attribute (you may put the empty string `""` in order to automatically insert a fake sha256, this will trigger an error which will allow you to find the correct sha256), each attribute set of the list of releases also takes optional overloading arguments for the fetcher as below (i.e.`domain`, `owner`, `repo`, `rev` assuming the default fetcher is used) and optional overrides for the result of the fetcher (i.e. `version` and `src`).
* `release` (optional, defaults to `{}`), lists all the known releases of the library and for each of them provides an attribute set with at least a `hash` attribute (you may put the empty string `""` in order to automatically insert a fake hash, this will trigger an error which will allow you to find the correct hash), each attribute set of the list of releases also takes optional overloading arguments for the fetcher as below (i.e.`domain`, `owner`, `repo`, `rev` assuming the default fetcher is used) and optional overrides for the result of the fetcher (i.e. `version` and `src`).
* `fetcher` (optional, defaults to a generic fetching mechanism supporting github or gitlab based infrastructures), is a function that takes at least an `owner`, a `repo`, a `rev`, and a `hash` and returns an attribute set with a `version` and `src`.
* `repo` (optional, defaults to the value of `pname`),
* `owner` (optional, defaults to `"coq-community"`).
@ -69,15 +69,15 @@ mkCoqDerivation {
{ cases = [ (isEq "8.6") (range "1.6" "1.7") ]; out = "1.1"; }
] null;
release = {
"1.5.2".sha256 = "15aspf3jfykp1xgsxf8knqkxv8aav2p39c2fyirw7pwsfbsv2c4s";
"1.5.1".sha256 = "13nlfm2wqripaq671gakz5mn4r0xwm0646araxv0nh455p9ndjs3";
"1.5.0".sha256 = "064rvc0x5g7y1a0nip6ic91vzmq52alf6in2bc2dmss6dmzv90hw";
"1.5.2".hash = "sha256-mjCx9XKa38Nz9E6wNK7YSqHdJ7YTua5fD3d6J4e7WpU=";
"1.5.1".hash = "sha256-Q8tm0y2FQAt2V1kZYkDlHWRia/lTvXAMVjdmzEV11I4=";
"1.5.0".hash = "sha256-HIK0f21G69oEW8JG46gSBde/Q2LR3GiBCv680gHbmRg=";
"1.5.0".rev = "1.5";
"1.4".sha256 = "0vnkirs8iqsv8s59yx1fvg1nkwnzydl42z3scya1xp1b48qkgn0p";
"1.3".sha256 = "0l3vi5n094nx3qmy66hsv867fnqm196r8v605kpk24gl0aa57wh4";
"1.2".sha256 = "1mh1w339dslgv4f810xr1b8v2w7rpx6fgk9pz96q0fyq49fw2xcq";
"1.1".sha256 = "1q8alsm89wkc0lhcvxlyn0pd8rbl2nnxg81zyrabpz610qqjqc3s";
"1.0".sha256 = "1qmbxp1h81cy3imh627pznmng0kvv37k4hrwi2faa101s6bcx55m";
"1.4".hash = "sha256-F9g3MSIr3B6UZ3p8QWjz3/Jpw9sudJ+KRlvjiHSO024=";
"1.3".hash = "sha256-BPJTlAL0ETHvLMBslE0KFVt3DNoaGuMrHt2SBGyJe1A=";
"1.2".hash = "sha256-mHXBXSLYO4BN+jfN50y/+XCx0Qq5g4Ac2Y/qlsbgAdY=";
"1.1".hash = "sha256-ejAsMQbB/LtU9j+g160VdGXULrCe9s0gBWzyhKqmCuE=";
"1.0".hash = "sha256-tZTOltEBBKWciDxDMs/Ye4Jnq/33CANrHJ4FBMPtq+I=";
};
propagatedBuildInputs =
@ -126,7 +126,7 @@ For example, here is how you could locally add a new release of the `multinomial
coqPackages.lib.overrideCoqDerivation
{
defaultVersion = "2.0";
release."2.0".sha256 = "1lq8x86vd3vqqh2yq6hvyagpnhfq5wmk5pg2z0xq7b7dbbbhyfkk";
release."2.0".hash = "sha256-czoP11rtrIM7+OLdMisv2EF7n/IbGuwFxHiPtg3qCNM=";
}
coqPackages.multinomials
```

View file

@ -93,18 +93,18 @@ The `dotnetCorePackages.sdk` contains both a runtime and the full sdk of a given
To package Dotnet applications, you can use `buildDotnetModule`. This has similar arguments to `stdenv.mkDerivation`, with the following additions:
* `projectFile` is used for specifying the dotnet project file, relative to the source root. These have `.sln` (entire solution) or `.csproj` (single project) file extensions. This can be a list of multiple projects as well. When omitted, will attempt to find and build the solution (`.sln`). If running into problems, make sure to set it to a file (or a list of files) with the `.csproj` extension - building applications as entire solutions is not fully supported by the .NET CLI.
* `nugetDeps` takes either a path to a `deps.nix` file, or a derivation. The `deps.nix` file can be generated using the script attached to `passthru.fetch-deps`. If the argument is a derivation, it will be used directly and assume it has the same output as `mkNugetDeps`.
* `nugetDeps` takes either a path to a `deps.nix` file, or a derivation. The `deps.nix` file can be generated using the script attached to `passthru.fetch-deps`. For compatibility, if the argument is a list of derivations, they will be added to `buildInputs`.
::: {.note}
For more detail about managing the `deps.nix` file, see [Generating and updating NuGet dependencies](#generating-and-updating-nuget-dependencies)
:::
* `packNupkg` is used to pack project as a `nupkg`, and installs it to `$out/share`. If set to `true`, the derivation can be used as a dependency for another dotnet project by adding it to `projectReferences`.
* `projectReferences` can be used to resolve `ProjectReference` project items. Referenced projects can be packed with `buildDotnetModule` by setting the `packNupkg = true` attribute and passing a list of derivations to `projectReferences`. Since we are sharing referenced projects as NuGets they must be added to csproj/fsproj files as `PackageReference` as well.
* `packNupkg` is used to pack project as a `nupkg`, and installs it to `$out/share`. If set to `true`, the derivation can be used as a dependency for another dotnet project by adding it to `buildInputs`.
* `buildInputs` can be used to resolve `ProjectReference` project items. Referenced projects can be packed with `buildDotnetModule` by setting the `packNupkg = true` attribute and passing a list of derivations to `buildInputs`. Since we are sharing referenced projects as NuGets they must be added to csproj/fsproj files as `PackageReference` as well.
For example, your project has a local dependency:
```xml
<ProjectReference Include="../foo/bar.fsproj" />
```
To enable discovery through `projectReferences` you would need to add:
To enable discovery through `buildInputs` you would need to add:
```xml
<ProjectReference Include="../foo/bar.fsproj" />
<PackageReference Include="bar" Version="*" Condition=" '$(ContinuousIntegrationBuild)'=='true' "/>
@ -118,6 +118,7 @@ For more detail about managing the `deps.nix` file, see [Generating and updating
* `dotnet-sdk` is useful in cases where you need to change what dotnet SDK is being used. You can also set this to the result of `dotnetSdkPackages.combinePackages`, if the project uses multiple SDKs to build.
* `dotnet-runtime` is useful in cases where you need to change what dotnet runtime is being used. This can be either a regular dotnet runtime, or an aspnetcore.
* `testProjectFile` is useful in cases where the regular project file does not contain the unit tests. It gets restored and build, but not installed. You may need to regenerate your nuget lockfile after setting this. Note that if set, only tests from this project are executed.
* `testFilters` is used to disable running unit tests based on various [filters](https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-test#filter-option-details). This gets passed as: `dotnet test --filter "{}"`, with each filter being concatenated using `"&"`.
* `disabledTests` is used to disable running specific unit tests. This gets passed as: `dotnet test --filter "FullyQualifiedName!={}"`, to ensure compatibility with all unit test frameworks.
* `dotnetRestoreFlags` can be used to pass flags to `dotnet restore`.
* `dotnetBuildFlags` can be used to pass flags to `dotnet build`.
@ -143,7 +144,7 @@ in buildDotnetModule rec {
projectFile = "src/project.sln";
nugetDeps = ./deps.nix; # see "Generating and updating NuGet dependencies" section for details
projectReferences = [ referencedProject ]; # `referencedProject` must contain `nupkg` in the folder structure.
buildInputs = [ referencedProject ]; # `referencedProject` must contain `nupkg` in the folder structure.
dotnet-sdk = dotnetCorePackages.sdk_6_0;
dotnet-runtime = dotnetCorePackages.runtime_6_0;
@ -218,7 +219,7 @@ buildDotnetGlobalTool {
## Generating and updating NuGet dependencies {#generating-and-updating-nuget-dependencies}
When writing a new expression, you can use the generated `fetch-deps` script to initialise the lockfile.
After creating a blank `deps.nix` and pointing `nugetDeps` to it,
After setting `nugetDeps` to the desired location of the lockfile (e.g. `./deps.nix`),
build the script with `nix-build -A package.fetch-deps` and then run the result.
(When the root attr is your package, it's simply `nix-build -A fetch-deps`.)

View file

@ -62,6 +62,65 @@ The following is an example expression using `buildGoModule`:
}
```
### Obtaining and overriding `vendorHash` for `buildGoModule` {#buildGoModule-vendorHash}
We can use `nix-prefetch` to obtain the actual hash. The following command gets the value of `vendorHash` for package `pet`:
```sh
cd path/to/nixpkgs
nix-prefetch -E "{ sha256 }: ((import ./. { }).my-package.overrideAttrs { vendorHash = sha256; }).goModules"
```
To obtain the hash without external tools, set `vendorHash = lib.fakeHash;` and run the build. ([more details here](#sec-source-hashes)).
`vendorHash` can be overridden with `overrideAttrs`. Override the above example like this:
```nix
{
pet_0_4_0 = pet.overrideAttrs (
finalAttrs: previousAttrs: {
version = "0.4.0";
src = fetchFromGitHub {
inherit (previousAttrs.src) owner repo;
rev = "v${finalAttrs.version}";
hash = "sha256-gVTpzmXekQxGMucDKskGi+e+34nJwwsXwvQTjRO6Gdg=";
};
vendorHash = "sha256-dUvp7FEW09V0xMuhewPGw3TuAic/sD7xyXEYviZ2Ivs=";
}
);
}
```
### Overriding `goModules` {#buildGoModule-goModules-override}
Overriding `<pkg>.goModules` by calling `goModules.overrideAttrs` is unsupported. Still, it is possible to override the `vendorHash` (`goModules`'s `outputHash`) and the `pre`/`post` hooks for both the build and patch phases of the primary and `goModules` derivation. Alternatively, the primary derivation provides an overridable `passthru.overrideModAttrs` function to store the attribute overlay implicitly taken by `goModules.overrideAttrs`. Here's an example usage of `overrideModAttrs`:
```nix
{
pet-overridden = pet.overrideAttrs (
finalAttrs: previousAttrs: {
passthru = previousAttrs.passthru // {
# If the original package has an `overrideModAttrs` attribute set, you'd
# want to extend it, and not replace it. Hence we use
# `lib.composeExtensions`. If you are sure the `overrideModAttrs` of the
# original package trivially does nothing, you can safely replace it
# with your own by not using `lib.composeExtensions`.
overrideModAttrs = lib.composeExtensions previousAttrs.passthru.overrideModAttrs (
finalModAttrs: previousModAttrs: {
# goModules-specific overriding goes here
postBuild = ''
# Here you have access to the `vendor` directory.
substituteInPlace vendor/github.com/example/repo/file.go \
--replace-fail "panic(err)" ""
'';
}
);
};
}
);
}
```
## `buildGoPackage` (legacy) {#ssec-go-legacy}
The function `buildGoPackage` builds legacy Go programs, not supporting Go modules.

View file

@ -67,6 +67,7 @@ dotnet.section.md
emscripten.section.md
gnome.section.md
go.section.md
gradle.section.md
hare.section.md
haskell.section.md
hy.section.md

View file

@ -258,26 +258,39 @@ It returns a derivation with all `package-lock.json` dependencies downloaded int
#### importNpmLock {#javascript-buildNpmPackage-importNpmLock}
`importNpmLock` is a Nix function that requires the following optional arguments:
This function replaces the npm dependency references in `package.json` and `package-lock.json` with paths to the Nix store.
How each dependency is fetched can be customized with the `fetcherOpts` argument.
- `npmRoot`: Path to package directory containing the source tree
This is a simpler and more convenient alternative to [`fetchNpmDeps`](#javascript-buildNpmPackage-fetchNpmDeps) for managing npm dependencies in Nixpkgs.
There is no need to specify a `hash`, since it relies entirely on the integrity hashes already present in the `package-lock.json` file.
##### Inputs {#javascript-buildNpmPackage-inputs}
- `npmRoot`: Path to package directory containing the source tree.
If this is omitted, the `package` and `packageLock` arguments must be specified instead.
- `package`: Parsed contents of `package.json`
- `packageLock`: Parsed contents of `package-lock.json`
- `pname`: Package name
- `version`: Package version
- `fetcherOpts`: An attribute set of arguments forwarded to the underlying fetcher.
It returns a derivation with a patched `package.json` & `package-lock.json` with all dependencies resolved to Nix store paths.
This function is analogous to using `fetchNpmDeps`, but instead of specifying `hash` it uses metadata from `package.json` & `package-lock.json`.
:::{.note}
`npmHooks.npmConfigHook` cannot be used with `importNpmLock`.
Use `importNpmLock.npmConfigHook` instead.
:::
Note that `npmHooks.npmConfigHook` cannot be used with `importNpmLock`. You will instead need to use `importNpmLock.npmConfigHook`:
:::{.example}
##### `pkgs.importNpmLock` usage example {#javascript-buildNpmPackage-example}
```nix
{ buildNpmPackage, importNpmLock }:
buildNpmPackage {
pname = "hello";
version = "0.1.0";
src = ./.;
npmDeps = importNpmLock {
npmRoot = ./.;
@ -286,6 +299,75 @@ buildNpmPackage {
npmConfigHook = importNpmLock.npmConfigHook;
}
```
:::
:::{.example}
##### `pkgs.importNpmLock` usage example with `fetcherOpts` {#javascript-buildNpmPackage-example-fetcherOpts}
`importNpmLock` uses the following fetchers:
- `pkgs.fetchurl` for `http(s)` dependencies
- `builtins.fetchGit` for `git` dependencies
It is possible to provide additional arguments to individual fetchers as needed:
```nix
{ buildNpmPackage, importNpmLock }:
buildNpmPackage {
pname = "hello";
version = "0.1.0";
src = ./.;
npmDeps = importNpmLock {
npmRoot = ./.;
fetcherOpts = {
# Pass 'curlOptsList' to 'pkgs.fetchurl' while fetching 'axios'
{ "node_modules/axios" = { curlOptsList = [ "--verbose" ]; }; }
};
};
npmConfigHook = importNpmLock.npmConfigHook;
}
```
:::
#### importNpmLock.buildNodeModules {#javascript-buildNpmPackage-importNpmLock.buildNodeModules}
`importNpmLock.buildNodeModules` returns a derivation with a pre-built `node_modules` directory, as imported by `importNpmLock`.
This is to be used together with `importNpmLock.hooks.linkNodeModulesHook` to facilitate `nix-shell`/`nix develop` based development workflows.
It accepts an argument with the following attributes:
`npmRoot` (Path; optional)
: Path to package directory containing the source tree. If not specified, the `package` and `packageLock` arguments must both be specified.
`package` (Attrset; optional)
: Parsed contents of `package.json`, as returned by `lib.importJSON ./my-package.json`. If not specified, the `package.json` in `npmRoot` is used.
`packageLock` (Attrset; optional)
: Parsed contents of `package-lock.json`, as returned `lib.importJSON ./my-package-lock.json`. If not specified, the `package-lock.json` in `npmRoot` is used.
`derivationArgs` (`mkDerivation` attrset; optional)
: Arguments passed to `stdenv.mkDerivation`
For example:
```nix
pkgs.mkShell {
packages = [
importNpmLock.hooks.linkNodeModulesHook
nodejs
];
npmDeps = importNpmLock.buildNodeModules {
npmRoot = ./.;
inherit nodejs;
};
}
```
will create a development shell where a `node_modules` directory is created & packages symlinked to the Nix store when activated.
### corepack {#javascript-corepack}
@ -346,11 +428,11 @@ NOTE: It is highly recommended to use a pinned version of pnpm (i.e. `pnpm_8` or
In case you are patching `package.json` or `pnpm-lock.yaml`, make sure to pass `finalAttrs.patches` to the function as well (i.e. `inherit (finalAttrs) patches`.
`pnpm.configHook` supports adding additional `pnpm install` flags via `pnpmInstallFlags` which can be set to a Nix string array.
#### Dealing with `sourceRoot` {#javascript-pnpm-sourceRoot}
NOTE: Nixpkgs pnpm tooling doesn't support building projects with a `pnpm-workspace.yaml`, or building monorepos. It maybe possible to use `pnpm.fetchDeps` for these projects, but it may be hard or impossible to produce a binary from such projects ([an example attempt](https://github.com/NixOS/nixpkgs/pull/290715#issuecomment-2144543728)).
If the pnpm project is in a subdirectory, you can just define `sourceRoot` or `setSourceRoot` for `fetchDeps`. Note, that projects using `pnpm-workspace.yaml` are currently not supported, and will probably not work using this approach.
If the pnpm project is in a subdirectory, you can just define `sourceRoot` or `setSourceRoot` for `fetchDeps`.
If `sourceRoot` is different between the parent derivation and `fetchDeps`, you will have to set `pnpmRoot` to effectively be the same location as it is in `fetchDeps`.
Assuming the following directory structure, we can define `sourceRoot` and `pnpmRoot` as follows:
@ -375,12 +457,62 @@ Assuming the following directory structure, we can define `sourceRoot` and `pnpm
pnpmRoot = "frontend";
```
#### PNPM Workspaces {#javascript-pnpm-workspaces}
If you need to use a PNPM workspace for your project, then set `pnpmWorkspace = "<workspace project name>"` in your `pnpm.fetchDeps` call,
which will make PNPM only install dependencies for that workspace package.
For example:
```nix
...
pnpmWorkspace = "@astrojs/language-server";
pnpmDeps = pnpm.fetchDeps {
inherit (finalAttrs) pnpmWorkspace;
...
}
```
The above would make `pnpm.fetchDeps` call only install dependencies for the `@astrojs/language-server` workspace package.
Note that you do not need to set `sourceRoot` to make this work.
Usually in such cases, you'd want to use `pnpm --filter=$pnpmWorkspace build` to build your project, as `npmHooks.npmBuildHook` probably won't work. A `buildPhase` based on the following example will probably fit most workspace projects:
```nix
buildPhase = ''
runHook preBuild
pnpm --filter=@astrojs/language-server build
runHook postBuild
'';
```
#### Additional PNPM Commands and settings {#javascript-pnpm-extraCommands}
If you require setting an additional PNPM configuration setting (such as `dedupe-peer-dependents` or similar),
set `prePnpmInstall` to the right commands to run. For example:
```nix
prePnpmInstall = ''
pnpm config set dedupe-peer-dependants false
'';
pnpmDeps = pnpm.fetchDeps {
inherit (finalAttrs) prePnpmInstall;
...
};
```
In this example, `prePnpmInstall` will be run by both `pnpm.configHook` and by the `pnpm.fetchDeps` builder.
### Yarn {#javascript-yarn}
Yarn based projects use a `yarn.lock` file instead of a `package-lock.json` to pin dependencies. Nixpkgs provides the Nix function `fetchYarnDeps` which fetches an offline cache suitable for running `yarn install` before building the project. In addition, Nixpkgs provides the hooks:
- `yarnConfigHook`: Fetches the dependencies from the offline cache and installs them into `node_modules`.
- `yarnBuildHook`: Runs `yarn build` or a specified `yarn` command that builds the project.
- `yarnInstallHook`: Runs `yarn install --production` to prune dependencies and installs the project into `$out`.
An example usage of the above attributes is:
@ -415,9 +547,9 @@ stdenv.mkDerivation (finalAttrs: {
nativeBuildInputs = [
yarnConfigHook
yarnBuildHook
yarnInstallHook
# Needed for executing package.json scripts
nodejs
npmHooks.npmInstallHook
];
meta = {
@ -426,8 +558,6 @@ stdenv.mkDerivation (finalAttrs: {
})
```
Note that there is no setup hook for installing yarn based packages - `npmHooks.npmInstallHook` should fit most cases, but sometimes you may need to override the `installPhase` completely.
#### `yarnConfigHook` arguments {#javascript-yarnconfighook}
By default, `yarnConfigHook` relies upon the attribute `${yarnOfflineCache}` (or `${offlineCache}` if the former is not set) to find the location of the offline cache produced by `fetchYarnDeps`. To disable this phase, you can set `dontYarnInstallDeps = true` or override the `configurePhase`.
@ -439,9 +569,15 @@ This script by default runs `yarn --offline build`, and it relies upon the proje
- `yarnBuildScript`: Sets a different `yarn --offline` subcommand (defaults to `build`).
- `yarnBuildFlags`: Single string list of additional flags to pass the above command, or a Nix list of such additional flags.
#### `yarnInstallHook` arguments {#javascript-yarninstallhook}
To install the package `yarnInstallHook` uses both `npm` and `yarn` to cleanup project files and dependencies. To disable this phase, you can set `dontYarnInstall = true` or override the `installPhase`. Below is a list of additional `mkDerivation` arguments read by this hook:
- `yarnKeepDevDeps`: Disables the removal of devDependencies from `node_modules` before installation.
### yarn2nix {#javascript-yarn2nix}
WARNING: The `yarn2nix` functions have been deprecated in favor of the new `yarnConfigHook` and `yarnBuildHook`. Documentation for them still appears here for the sake of the packages that still use them. See also a tracking issue [#324246](https://github.com/NixOS/nixpkgs/issues/324246).
WARNING: The `yarn2nix` functions have been deprecated in favor of the new `yarnConfigHook`, `yarnBuildHook` and `yarnInstallHook`. Documentation for them still appears here for the sake of the packages that still use them. See also a tracking issue [#324246](https://github.com/NixOS/nixpkgs/issues/324246).
#### Preparation {#javascript-yarn2nix-preparation}

View file

@ -219,10 +219,10 @@ stdenv.mkDerivation {
# don't do any fixup
dontFixup = true;
outputHashAlgo = "sha256";
outputHashAlgo = null;
outputHashMode = "recursive";
# replace this with the correct SHA256
outputHash = lib.fakeSha256;
outputHash = lib.fakeHash;
}
```

View file

@ -55,13 +55,19 @@ sets are
* `pkgs.python311Packages`
* `pkgs.python312Packages`
* `pkgs.python313Packages`
* `pkgs.pypyPackages`
* `pkgs.pypy27Packages`
* `pkgs.pypy39Packages`
* `pkgs.pypy310Packages`
and the aliases
* `pkgs.python2Packages` pointing to `pkgs.python27Packages`
* `pkgs.python3Packages` pointing to `pkgs.python311Packages`
* `pkgs.python3Packages` pointing to `pkgs.python312Packages`
* `pkgs.pythonPackages` pointing to `pkgs.python2Packages`
* `pkgs.pypy2Packages` pointing to `pkgs.pypy27Packages`
* `pkgs.pypy3Packages` pointing to `pkgs.pypy39Packages`
* `pkgs.pypyPackages` pointing to `pkgs.pypy2Packages`
#### `buildPythonPackage` function {#buildpythonpackage-function}
@ -208,9 +214,6 @@ because their behaviour is different:
paths included in this list. Items listed in `install_requires` go here.
* `optional-dependencies ? { }`: Optional feature flagged dependencies. Items listed in `extras_requires` go here.
Aside from propagating dependencies,
`buildPythonPackage` also injects code into and wraps executables with the
paths included in this list. Items listed in `extras_requires` go here.
##### Overriding Python packages {#overriding-python-packages}
@ -310,13 +313,7 @@ python3Packages.buildPythonApplication rec {
}
```
This is then added to `all-packages.nix` just as any other application would be.
```nix
{
luigi = callPackage ../applications/networking/cluster/luigi { };
}
```
This is then added to `pkgs/by-name` just as any other application would be.
Since the package is an application, a consumer doesn't need to care about
Python versions or modules, which is why they don't go in `python3Packages`.
@ -325,25 +322,27 @@ Python versions or modules, which is why they don't go in `python3Packages`.
A distinction is made between applications and libraries, however, sometimes a
package is used as both. In this case the package is added as a library to
`python-packages.nix` and as an application to `all-packages.nix`. To reduce
`python-packages.nix` and as an application to `pkgs/by-name`. To reduce
duplication the `toPythonApplication` can be used to convert a library to an
application.
The Nix expression shall use [`buildPythonPackage`](#buildpythonpackage-function) and be called from
`python-packages.nix`. A reference shall be created from `all-packages.nix` to
`python-packages.nix`. A reference shall be created from `pkgs/by-name` to
the attribute in `python-packages.nix`, and the `toPythonApplication` shall be
applied to the reference:
```nix
{
youtube-dl = with python3Packages; toPythonApplication youtube-dl;
}
python3Packages,
}:
python3Packages.toPythonApplication python3Packages.youtube-dl
```
#### `toPythonModule` function {#topythonmodule-function}
In some cases, such as bindings, a package is created using
[`stdenv.mkDerivation`](#sec-using-stdenv) and added as attribute in `all-packages.nix`. The Python
[`stdenv.mkDerivation`](#sec-using-stdenv) and added as attribute in `pkgs/by-name` or in `all-packages.nix`. The Python
bindings should be made available from `python-packages.nix`. The
`toPythonModule` function takes a derivation and makes certain Python-specific
modifications.
@ -359,6 +358,66 @@ modifications.
Do pay attention to passing in the right Python version!
#### `mkPythonMetaPackage` function {#mkpythonmetapackage-function}
This will create a meta package containing [metadata files](https://packaging.python.org/en/latest/specifications/recording-installed-packages/) to satisfy a dependency on a package, without it actually having been installed into the environment.
In nixpkgs this is used to package Python packages with split binary/source distributions such as [psycopg2](https://pypi.org/project/psycopg2/)/[psycopg2-binary](https://pypi.org/project/psycopg2-binary/).
```nix
mkPythonMetaPackage {
pname = "psycopg2-binary";
inherit (psycopg2) optional-dependencies version;
dependencies = [ psycopg2 ];
meta = {
inherit (psycopg2.meta) description homepage;
};
}
```
#### `mkPythonEditablePackage` function {#mkpythoneditablepackage-function}
When developing Python packages it's common to install packages in [editable mode](https://setuptools.pypa.io/en/latest/userguide/development_mode.html).
Like `mkPythonMetaPackage` this function exists to create an otherwise empty package, but also containing a pointer to an impure location outside the Nix store that can be changed without rebuilding.
The editable root is passed as a string. Normally `.pth` files contains absolute paths to the mutable location. This isn't always ergonomic with Nix, so environment variables are expanded at runtime.
This means that a shell hook setting up something like a `$REPO_ROOT` variable can be used as the relative package root.
As an implementation detail, the [PEP-518](https://peps.python.org/pep-0518/) `build-system` specified won't be used, but instead the editable package will be built using [hatchling](https://pypi.org/project/hatchling/).
The `build-system`'s provided will instead become runtime dependencies of the editable package.
Note that overriding packages deeper in the dependency graph _can_ work, but it's not the primary use case and overriding existing packages can make others break in unexpected ways.
``` nix
{ pkgs ? import <nixpkgs> { } }:
let
pyproject = pkgs.lib.importTOML ./pyproject.toml;
myPython = pkgs.python.override {
self = myPython;
packageOverrides = pyfinal: pyprev: {
# An editable package with a script that loads our mutable location
my-editable = pyfinal.mkPythonEditablePackage {
# Inherit project metadata from pyproject.toml
pname = pyproject.project.name;
inherit (pyproject.project) version;
# The editable root passed as a string
root = "$REPO_ROOT/src"; # Use environment variable expansion at runtime
# Inject a script (other PEP-621 entrypoints are also accepted)
inherit (pyproject.project) scripts;
};
};
};
pythonEnv = testPython.withPackages (ps: [ ps.my-editable ]);
in pkgs.mkShell {
packages = [ pythonEnv ];
}
```
#### `python.buildEnv` function {#python.buildenv-function}
Python environments can be created using the low-level `pkgs.buildEnv` function.
@ -475,7 +534,6 @@ are used in [`buildPythonPackage`](#buildpythonpackage-function).
See [example usage](#using-pythonrelaxdepshook).
- `pythonRemoveBinBytecode` to remove bytecode from the `/bin` folder.
- `setuptoolsBuildHook` to build a wheel using `setuptools`.
- `setuptoolsCheckHook` to run tests with `python setup.py test`.
- `sphinxHook` to build documentation and manpages using Sphinx.
- `venvShellHook` to source a Python 3 `venv` at the `venvDir` location. A
`venv` is created if it does not yet exist. `postVenvCreation` can be used to
@ -1365,6 +1423,10 @@ those specified in `build-system`. If a package requires incompatible build
time dependencies, they should be removed in `postPatch` through
`substituteInPlace` or similar.
For ease of use, both `buildPythonPackage` and `buildPythonApplication` will
automatically add `pythonRelaxDepsHook` if either `pythonRelaxDeps` or
`pythonRemoveDeps` is specified.
#### Using unittestCheckHook {#using-unittestcheckhook}
`unittestCheckHook` is a hook which will set up (or configure) a [`checkPhase`](#ssec-check-phase) to run `python -m unittest discover`:
@ -2028,8 +2090,8 @@ no maintainer, so maintenance falls back to the package set maintainers.
### Updating packages in bulk {#python-package-bulk-updates}
There is a tool to update alot of python libraries in bulk, it exists at
`maintainers/scripts/update-python-libraries` with this repository.
A tool to bulk-update numerous Python libraries is available in the
repository at `maintainers/scripts/update-python-libraries`.
It can quickly update minor or major versions for all packages selected
and create update commits, and supports the `fetchPypi`, `fetchurl` and

View file

@ -104,24 +104,27 @@ directory and executed as follows:
```bash
nix-shell generate-shell.nix
Rscript generate-r-packages.R cran > cran-packages.nix.new
mv cran-packages.nix.new cran-packages.nix
Rscript generate-r-packages.R cran > cran-packages.json.new
mv cran-packages.json.new cran-packages.json
Rscript generate-r-packages.R bioc > bioc-packages.nix.new
mv bioc-packages.nix.new bioc-packages.nix
Rscript generate-r-packages.R bioc > bioc-packages.json.new
mv bioc-packages.json.new bioc-packages.json
Rscript generate-r-packages.R bioc-annotation > bioc-annotation-packages.nix.new
mv bioc-annotation-packages.nix.new bioc-annotation-packages.nix
Rscript generate-r-packages.R bioc-annotation > bioc-annotation-packages.json.new
mv bioc-annotation-packages.json.new bioc-annotation-packages.json
Rscript generate-r-packages.R bioc-experiment > bioc-experiment-packages.nix.new
mv bioc-experiment-packages.nix.new bioc-experiment-packages.nix
Rscript generate-r-packages.R bioc-experiment > bioc-experiment-packages.json.new
mv bioc-experiment-packages.json.new bioc-experiment-packages.json
```
`generate-r-packages.R <repo>` reads `<repo>-packages.nix`, therefore
`generate-r-packages.R <repo>` reads `<repo>-packages.json`, therefore
the renaming.
The contents of a generated `*-packages.json` file will be used to
create a package derivation for each R package listed in the file.
Some packages require overrides to specify external dependencies or other
patches and special requirements. These overrides are specified in the
`pkgs/development/r-modules/default.nix` file. As the `*-packages.nix`
`pkgs/development/r-modules/default.nix` file. As the `*-packages.json`
contents are automatically generated it should not be edited and broken
builds should be addressed using overrides.

View file

@ -2,7 +2,7 @@
## Using Ruby {#using-ruby}
Several versions of Ruby interpreters are available on Nix, as well as over 250 gems and many applications written in Ruby. The attribute `ruby` refers to the default Ruby interpreter, which is currently MRI 3.1. It's also possible to refer to specific versions, e.g. `ruby_3_y`, `jruby`, or `mruby`.
Several versions of Ruby interpreters are available on Nix, as well as over 250 gems and many applications written in Ruby. The attribute `ruby` refers to the default Ruby interpreter, which is currently MRI 3.3. It's also possible to refer to specific versions, e.g. `ruby_3_y`, `jruby`, or `mruby`.
In the Nixpkgs tree, Ruby packages can be found throughout, depending on what they do, and are called from the main package set. Ruby gems, however are separate sets, and there's one default set for each interpreter (currently MRI only).
@ -154,7 +154,7 @@ let
defaultGemConfig = pkgs.defaultGemConfig // {
pg = attrs: {
buildFlags =
[ "--with-pg-config=${pkgs."postgresql_${pg_version}"}/bin/pg_config" ];
[ "--with-pg-config=${lib.getDev pkgs."postgresql_${pg_version}"}/bin/pg_config" ];
};
};
};
@ -172,7 +172,7 @@ let
gemConfig = pkgs.defaultGemConfig // {
pg = attrs: {
buildFlags =
[ "--with-pg-config=${pkgs."postgresql_${pg_version}"}/bin/pg_config" ];
[ "--with-pg-config=${lib.getDev pkgs."postgresql_${pg_version}"}/bin/pg_config" ];
};
};
};
@ -190,9 +190,7 @@ let
defaultGemConfig = super.defaultGemConfig // {
pg = attrs: {
buildFlags = [
"--with-pg-config=${
pkgs."postgresql_${pg_version}"
}/bin/pg_config"
"--with-pg-config=${lib.getDev pkgs."postgresql_${pg_version}"}/bin/pg_config"
];
};
};

View file

@ -567,8 +567,7 @@ buildPythonPackage rec {
};
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src sourceRoot;
name = "${pname}-${version}";
inherit pname version src sourceRoot;
hash = "sha256-miW//pnOmww2i6SOGbkrAIdc/JMDT4FJLqdMFojZeoY=";
};
@ -611,9 +610,8 @@ buildPythonPackage rec {
};
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
inherit pname version src;
sourceRoot = "${pname}-${version}/${cargoRoot}";
name = "${pname}-${version}";
hash = "sha256-PS562W4L1NimqDV2H0jl5vYhL08H9est/pbIxSdYVfo=";
};
@ -652,8 +650,7 @@ buildPythonPackage rec {
};
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
name = "${pname}-${version}";
inherit pname version src;
hash = "sha256-heOBK8qi2nuc/Ib+I/vLzZ1fUUD/G/KTw9d7M4Hz5O0=";
};
@ -697,8 +694,7 @@ stdenv.mkDerivation rec {
};
cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
name = "${pname}-${version}";
inherit pname version src;
hash = "sha256-8fa3fa+sFi5H+49B5sr2vYPkp9C9s6CcE0zv4xB8gww=";
};

View file

@ -232,6 +232,14 @@ To add a new plugin, run `nix-shell -p vimPluginsUpdater --run 'vim-plugins-upda
Finally, there are some plugins that are also packaged in nodePackages because they have Javascript-related build steps, such as running webpack. Those plugins are not listed in `vim-plugin-names` or managed by `vimPluginsUpdater` at all, and are included separately in `overrides.nix`. Currently, all these plugins are related to the `coc.nvim` ecosystem of the Language Server Protocol integration with Vim/Neovim.
### Plugin optional configuration {#vim-plugin-required-snippet}
Some plugins require specific configuration to work. We choose not to
patch those plugins but expose the necessary configuration under
`PLUGIN.passthru.initLua` for neovim plugins. For instance, the `unicode-vim` plugin
needs the path towards a unicode database so we expose the following snippet `vim.g.Unicode_data_directory="${self.unicode-vim}/autoload/unicode"` under `vimPlugins.unicode-vim.passthru.initLua`.
## Updating plugins in nixpkgs {#updating-plugins-in-nixpkgs}
Run the update script with a GitHub API token that has at least `public_repo` access. Running the script without the token is likely to result in rate-limiting (429 errors). For steps on creating an API token, please refer to [GitHub's token documentation](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token).

View file

@ -0,0 +1,102 @@
# Build Support {#sec-build-support}
## `pkgs.substitute` {#pkgs-substitute}
`pkgs.substitute` is a wrapper around [the `substitute` Bash function](#fun-substitute) in the standard environment.
It replaces strings in `src` as specified by the `substitutions` argument.
:::{.example #ex-pkgs-substitute}
# Usage of `pkgs.substitute`
In a build script, the line:
```bash
substitute $infile $outfile --replace-fail @foo@ ${foopkg}/bin/foo
```
is equivalent to:
```nix
{ substitute, foopkg }:
substitute {
src = ./sourcefile.txt;
substitutions = [
"--replace"
"@foo@"
"${foopkg}/bin/foo"
];
}
```
:::
## `pkgs.substituteAll` {#pkgs-substituteall}
`pkgs.substituteAll` substitutes all instances of `@varName@` (`@`s included) in file `src` with the value of the corresponding environment variable.
As this uses the [`substituteAll`] (#fun-substitute) function, its limitations regarding variable names that will or will not be replaced also apply here.
:::{.example #ex-pkgs-substituteAll}
# Usage of `pkgs.substituteAll`
If `say-goodbye.sh` contains the following:
```bash
#! @bash@/bin/bash
echo @unchanged@
@hello@/bin/hello --greeting @greeting@
```
the following derivation will make substitutions to `@bash@`, `@hello@`, and `@greeting@`:
```nix
{
substituteAll,
bash,
hello,
}:
substituteAll {
src = ./say-goodbye.sh;
env = {
inherit bash hello;
greeting = "goodbye";
};
}
```
such that `$out` will result in something like the following:
```
#! /nix/store/s30jrpgav677fpc9yvkqsib70xfmx7xi-bash-5.2p26/bin/bash
echo @unchanged@
/nix/store/566f5isbvw014h7knmzmxa5l6hshx43k-hello-2.12.1/bin/hello --greeting goodbye
```
:::
## `pkgs.substituteAllFiles` {#pkgs-substituteallfiles}
`pkgs.substituteAllFiles` replaces `@varName@` with the value of the environment variable `varName`.
It expects `src` to be a directory and requires a `files` argument that specifies which files will be subject to replacements; only these files will be placed in `$out`.
As it also uses the `substituteAll` function, it is subject to the same limitations on environment variables as discussed in [pkgs.substituteAll](#pkgs-substituteall).
:::{.example #ex-pkgs-substitute-all-files}
# Usage of `pkgs.substituteAllFiles`
If the current directory contains `{foo,bar,baz}.txt` and the following `default.nix`
```nix
{ substituteAllFiles }:
substituteAllFiles {
src = ./.;
files = [
"foo.txt"
"bar.txt"
];
hello = "there";
}
```
in the resulting derivation, every instance of `@hello@` will be replaced with `there` in `$out/foo.txt` and` `$out/bar.txt`; `baz.txt` will not be processed nor will it appear in `$out`.
:::

View file

@ -0,0 +1,15 @@
# Geant4 {#geant4}
[Geant4](https://www.geant4.org/) is a toolkit for simulating how particles pass through matter. It is available through the `geant4` package.
## Setup hook {#geant4-hook}
The setup hook included in the package applies the environment variables set by the [`geant4.sh` script](https://github.com/Geant4/geant4/blob/master/cmake/Modules/G4ConfigureGNUMakeHelpers.cmake#L4-L55), which is typically necessary for compiling `make`-based programs that depend on Geant4.
## Datasets {#geant4-datasets}
All of [the Geant4 datasets provided by CERN](https://geant4.web.cern.ch/support/download) are available through the `geant4.data` attrset.
### Setup hook {#geant4-datasets-hook}
The hook provided by the packages in `geant4.data` will set an appropriate environment variable in the form of `G4[...]DATA`. For example, for the `G4RadioactiveDecay` dataset, the `G4RADIOACTIVEDATA` environment variable is set to the value expected by Geant4.

View file

@ -12,10 +12,12 @@ emacs.section.md
firefox.section.md
fish.section.md
fuse.section.md
geant4.section.md
ibus.section.md
kakoune.section.md
krita.section.md
linux.section.md
lhapdf.section.md
locales.section.md
etc-files.section.md
nginx.section.md
@ -27,4 +29,5 @@ urxvt.section.md
vcpkg.section.md
weechat.section.md
xorg.section.md
build-support.md
```

View file

@ -0,0 +1,11 @@
# LHAPDF {#lhapdf}
[LHAPDF](https://lhapdf.hepforge.org/) is a tool for evaluating parton distribution functions (PDFs) in high-energy physics. LHAPDF is available in the `lhapdf` package.
## PDF sets {#lhapdf-sets}
All of [the PDF sets made available by the LHAPDF project](https://lhapdf.hepforge.org/pdfsets.html) are available through the `lhapdf.pdf_sets` attrset.
### Setup hook {#lhapdf-sets-hook}
Each package provided in the `lhapdf.pdf_sets` attrset contains a setup hook which adds itself to [the `LHAPDF_DATA_PATH` environment variable](https://lhapdf.hepforge.org/#sets).

View file

@ -52,7 +52,7 @@ pkgs.linuxPackages_custom {
version = "6.1.55";
src = pkgs.fetchurl {
url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
hash = "sha256:1h0mzx52q9pvdv7rhnvb8g68i7bnlc9rf8gy9qn4alsxq4g28zm8";
hash = "sha256-qH4kHsFdU0UsTv4hlxOjdp2IzENrW5jPbvsmLEr/FcA=";
};
configfile = ./path_to_config_file;
}
@ -67,7 +67,7 @@ pkgs.linuxPackages_custom {
modDirVersion = "6.1.55";
src = pkgs.fetchurl {
url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${modDirVersion}.tar.xz";
hash = "sha256:1h0mzx52q9pvdv7rhnvb8g68i7bnlc9rf8gy9qn4alsxq4g28zm8";
hash = "sha256-qH4kHsFdU0UsTv4hlxOjdp2IzENrW5jPbvsmLEr/FcA=";
};
configfile = ./path_to_config_file;
}

View file

@ -580,7 +580,7 @@ After unpacking all of `src` and `srcs`, if neither of `sourceRoot` and `setSour
If `unpackPhase` produces multiple source directories, you should set `sourceRoot` to the name of the intended directory.
You can also set `sourceRoot = ".";` if you want to control it yourself in a later phase.
For example, if your want your build to start in a sub-directory inside your sources, and you are using `fetchzip`-derived `src` (like `fetchFromGitHub` or similar), you need to set `sourceRoot = "${src.name}/my-sub-directory"`.
For example, if you want your build to start in a sub-directory inside your sources, and you are using `fetchzip`-derived `src` (like `fetchFromGitHub` or similar), you need to set `sourceRoot = "${src.name}/my-sub-directory"`.
##### `setSourceRoot` {#var-stdenv-setSourceRoot}
@ -1136,6 +1136,12 @@ Example removing all references to the compiler in the output:
}
```
### `runHook` \<hook\> {#fun-runHook}
Execute \<hook\> and the values in the array associated with it. The array's name is determined by removing `Hook` from the end of \<hook\> and appending `Hooks`.
For example, `runHook postHook` would run the hook `postHook` and all of the values contained in the `postHooks` array, if it exists.
### `substitute` \<infile\> \<outfile\> \<subs\> {#fun-substitute}
Performs string substitution on the contents of \<infile\>, writing the result to \<outfile\>. The substitutions in \<subs\> are of the following form:
@ -1538,6 +1544,16 @@ Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Execut
Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.
#### `shadowstack` {#shadowstack}
Adds the `-fcf-protection=return` compiler option. This enables the Shadow Stack feature supported by some newer processors, which maintains a user-inaccessible copy of the program's stack containing only return-addresses. When returning from a function, the processor compares the return-address value on the two stacks and throws an error if they do not match, considering it a sign of corruption and possible tampering. This should significantly increase the difficulty of ROP attacks.
For the Shadow Stack to be enabled at runtime, all code linked into a process must be built with Shadow Stack enabled, so this is probably only useful to enable on a wide scale, so that all of a packages dependencies also have the feature enabled.
This is currently only supported on some newer Intel and AMD processors as part of the Intel CET set of features. However, the generated code should continue to work on older processors which will simply omit any of this checking.
This breaks some code that does advanced stack management or exception handling. If enabling this hardening flag it is important to test the result on a system that has known working and enabled CET support, so that any such breakage can be discovered.
#### `trivialautovarinit` {#trivialautovarinit}
Adds the `-ftrivial-auto-var-init=pattern` compiler option. This causes "trivially-initializable" uninitialized stack variables to be forcibly initialized with a nonzero value that is likely to cause a crash (and therefore be noticed). Uninitialized variables generally take on their values based on fragments of previous program state, and attackers can carefully manipulate that state to craft malicious initial values for these variables.
@ -1554,6 +1570,14 @@ sorry, unimplemented: __builtin_clear_padding not supported for variable length
This flag adds the `-fstack-clash-protection` compiler option, which causes growth of a program's stack to access each successive page in order. This should force the guard page to be accessed and cause an attempt to "jump over" this guard page to crash.
#### `pacret` {#pacret}
This flag adds the `-mbranch-protection=pac-ret` compiler option on aarch64-linux targets. This uses ARM v8.3's Pointer Authentication feature to sign function return pointers before adding them to the stack. The pointer's authenticity is then validated before returning to its destination. This dramatically increases the difficulty of ROP exploitation techniques.
This may cause problems with code that does advanced stack manipulation, and debugging/stack-unwinding tools need to be pac-ret aware to work correctly when these features are in operation.
Pre-ARM v8.3 processors will ignore Pointer Authentication instructions, so code built with this flag will continue to work on older processors, though without any of the intended protections. If enabling this flag, it is recommended to ensure the resultant packages are tested against an ARM v8.3+ linux system with known-working Pointer Authentication support so that any breakage caused by this feature is actually detected.
[^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation.
[^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`.
[^footnote-stdenv-propagated-dependencies]: Nix itself already takes a packages transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like [setup hooks](#ssec-setup-hooks) also are run as if it were a propagated dependency.

View file

@ -40,6 +40,13 @@ import pkgs.path { overlays = [ (self: super: {
In the first example, `pkgs.foo` is the result of a function call with some default arguments, usually a derivation. Using `pkgs.foo.override` will call the same function with the given new arguments.
Many packages, like the `foo` example above, provide package options with default values in their arguments, to facilitate overriding.
Because it's not usually feasible to test that packages build with all combinations of options, you might find that a package doesn't build if you override options to non-default values.
Package maintainers are not expected to fix arbitrary combinations of options.
If you find that something doesn't work, please submit a fix, ideally with a regression test.
If you want to ensure that things keep working, consider [becoming a maintainer](https://github.com/NixOS/nixpkgs/tree/master/maintainers) for the package.
## &lt;pkg&gt;.overrideAttrs {#sec-pkg-overrideAttrs}
The function `overrideAttrs` allows overriding the attribute set passed to a `stdenv.mkDerivation` call, producing a new derivation based on the original one. This function is available on all derivations produced by the `stdenv.mkDerivation` function, which is most packages in the nixpkgs expression `pkgs`.

View file

@ -77,6 +77,10 @@
}).nixos.manual;
};
devShells = forAllSystems (system: {
default = import ./shell.nix { inherit system; };
});
# The "legacy" in `legacyPackages` doesn't imply that the packages exposed
# through this attribute are "legacy" packages. Instead, `legacyPackages`
# is used here as a substitute attribute name for `packages`. The problem

View file

@ -455,7 +455,7 @@ rec {
1. Takes a function `p`, or a path to a Nix file that contains a function `p`, which takes an attribute set and returns value of arbitrary type `a`,
2. Takes an attribute set `args` with explicit attributes to pass to `p`,
3. Calls `f` with attributes from the original attribute set `attrs` passed to `newScope` updated with `args, i.e. `attrs // args`, if they match the attributes in the argument of `p`.
3. Calls `f` with attributes from the original attribute set `attrs` passed to `newScope` updated with `args`, i.e. `attrs // args`, if they match the attributes in the argument of `p`.
All such functions `p` will be called with the same value for `attrs`.

View file

@ -79,7 +79,8 @@ let
fromHexString toHexString toBaseDigits inPureEvalMode isBool isInt pathExists
genericClosure readFile;
inherit (self.fixedPoints) fix fix' converge extends composeExtensions
composeManyExtensions makeExtensible makeExtensibleWithCustomName;
composeManyExtensions makeExtensible makeExtensibleWithCustomName
toExtension;
inherit (self.attrsets) attrByPath hasAttrByPath setAttrByPath
getAttrFromPath attrVals attrNames attrValues getAttrs catAttrs filterAttrs
filterAttrsRecursive foldlAttrs foldAttrs collect nameValuePair mapAttrs
@ -123,7 +124,8 @@ let
inherit (self.derivations) lazyDerivation optionalDrvAttr;
inherit (self.meta) addMetaAttrs dontDistribute setName updateName
appendToName mapDerivationAttrset setPrio lowPrio lowPrioSet hiPrio
hiPrioSet getLicenseFromSpdxId getLicenseFromSpdxIdOr getExe getExe';
hiPrioSet licensesSpdx getLicenseFromSpdxId getLicenseFromSpdxIdOr
getExe getExe';
inherit (self.filesystem) pathType pathIsDirectory pathIsRegularFile
packagesFromDirectoryRecursive;
inherit (self.sources) cleanSourceFilter

View file

@ -1,6 +1,17 @@
# snippets that can be shared by multiple fetchers (pkgs/build-support)
{ lib }:
{
let
commonH = hashTypes: rec {
hashNames = [ "hash" ] ++ hashTypes;
hashSet = lib.genAttrs hashNames (lib.const {});
};
fakeH = {
hash = lib.fakeHash;
sha256 = lib.fakeSha256;
sha512 = lib.fakeSha512;
};
in rec {
proxyImpureEnvVars = [
# We borrow these environment variables from the caller to allow
@ -9,6 +20,170 @@
# by definition pure.
"http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy"
"HTTP_PROXY" "HTTPS_PROXY" "FTP_PROXY" "ALL_PROXY" "NO_PROXY"
# https proxies typically need to inject custom root CAs too
"NIX_SSL_CERT_FILE"
];
/**
Converts an attrset containing one of `hash`, `sha256` or `sha512`,
into one containing `outputHash{,Algo}` as accepted by `mkDerivation`.
An appropriate fake hash is substituted when the hash value is `""`,
as is the [convention for fetchers](#sec-pkgs-fetchers-updating-source-hashes-fakehash-method).
All other attributes in the set remain as-is.
# Example
```nix
normalizeHash { } { hash = ""; foo = "bar"; }
=>
{
outputHash = lib.fakeHash;
outputHashAlgo = null;
foo = "bar";
}
```
```nix
normalizeHash { } { sha256 = lib.fakeSha256; }
=>
{
outputHash = lib.fakeSha256;
outputHashAlgo = "sha256";
}
```
```nix
normalizeHash { } { sha512 = lib.fakeSha512; }
=>
{
outputHash = lib.fakeSha512;
outputHashAlgo = "sha512";
}
```
# Type
```
normalizeHash :: { hashTypes :: List String, required :: Bool } -> AttrSet -> AttrSet
```
# Arguments
hashTypes
: the set of attribute names accepted as hash inputs, in addition to `hash`
required
: whether to throw if no hash was present in the input; otherwise returns the original input, unmodified
*/
normalizeHash = {
hashTypes ? [ "sha256" ],
required ? true,
}:
let
inherit (lib) concatMapStringsSep head tail throwIf;
inherit (lib.attrsets) attrsToList intersectAttrs removeAttrs optionalAttrs;
inherit (commonH hashTypes) hashNames hashSet;
in
args:
if args ? "outputHash" then
args
else
let
# The argument hash, as a {name, value} pair
h =
# All hashes passed in arguments (possibly 0 or >1) as a list of {name, value} pairs
let hashesAsNVPairs = attrsToList (intersectAttrs hashSet args); in
if hashesAsNVPairs == [] then
throwIf required "fetcher called without `hash`" null
else if tail hashesAsNVPairs != [] then
throw "fetcher called with mutually-incompatible arguments: ${concatMapStringsSep ", " (a: a.name) hashesAsNVPairs}"
else
head hashesAsNVPairs
;
in
removeAttrs args hashNames // (optionalAttrs (h != null) {
outputHashAlgo = if h.name == "hash" then null else h.name;
outputHash =
if h.value == "" then
fakeH.${h.name} or (throw "no fake hash defined for ${h.name}")
else
h.value;
})
;
/**
Wraps a function which accepts `outputHash{,Algo}` into one which accepts `hash` or `sha{256,512}`
# Example
```nix
withNormalizedHash { hashTypes = [ "sha256" "sha512" ]; } (
{ outputHash, outputHashAlgo, ... }:
...
)
```
is a function which accepts one of `hash`, `sha256`, or `sha512` (or the original's `outputHash` and `outputHashAlgo`).
Its `functionArgs` metadata only lists `hash` as a parameter, optional iff. `outputHash` was an optional parameter of
the original function. `sha256`, `sha512`, `outputHash`, or `outputHashAlgo` are not mentioned in the `functionArgs`
metadata.
# Type
```
withNormalizedHash :: { hashTypes :: List String } -> (AttrSet -> T) -> (AttrSet -> T)
```
# Arguments
hashTypes
: the set of attribute names accepted as hash inputs, in addition to `hash`
: they must correspond to a valid value for `outputHashAlgo`, currently one of: `md5`, `sha1`, `sha256`, or `sha512`.
f
: the function to be wrapped
::: {.note}
In nixpkgs, `mkDerivation` rejects MD5 `outputHash`es, and SHA-1 is being deprecated.
As such, there is no reason to add `md5` to `hashTypes`, and
`sha1` should only ever be included for backwards compatibility.
:::
# Output
`withNormalizedHash { inherit hashTypes; } f` is functionally equivalent to
```nix
args: f (normalizeHash {
inherit hashTypes;
required = !(lib.functionArgs f).outputHash;
} args)
```
However, `withNormalizedHash` preserves `functionArgs` metadata insofar as possible,
and is implemented somewhat more efficiently.
*/
withNormalizedHash = {
hashTypes ? [ "sha256" ]
}: fetcher:
let
inherit (lib.attrsets) genAttrs intersectAttrs removeAttrs;
inherit (lib.trivial) const functionArgs setFunctionArgs;
inherit (commonH hashTypes) hashSet;
fArgs = functionArgs fetcher;
normalize = normalizeHash {
inherit hashTypes;
required = !fArgs.outputHash;
};
in
# The o.g. fetcher must *only* accept outputHash and outputHashAlgo
assert fArgs ? outputHash && fArgs ? outputHashAlgo;
assert intersectAttrs fArgs hashSet == {};
setFunctionArgs
(args: fetcher (normalize args))
(removeAttrs fArgs [ "outputHash" "outputHashAlgo" ] // { hash = fArgs.outputHash; });
}

View file

@ -63,7 +63,6 @@ rec {
See [`extends`](#function-library-lib.fixedPoints.extends) for an example use case.
There `self` is also often called `final`.
# Inputs
`f`
@ -90,7 +89,12 @@ rec {
:::
*/
fix = f: let x = f x; in x;
fix =
f:
let
x = f x;
in
x;
/**
A variant of `fix` that records the original recursive attribute set in the
@ -99,14 +103,20 @@ rec {
This is useful in combination with the `extends` function to
implement deep overriding.
# Inputs
`f`
: 1\. Function argument
*/
fix' = f: let x = f x // { __unfix__ = f; }; in x;
fix' =
f:
let
x = f x // {
__unfix__ = f;
};
in
x;
/**
Return the fixpoint that `f` converges to when called iteratively, starting
@ -117,7 +127,6 @@ rec {
0
```
# Inputs
`f`
@ -134,13 +143,12 @@ rec {
(a -> a) -> a -> a
```
*/
converge = f: x:
converge =
f: x:
let
x' = f x;
in
if x' == x
then x
else converge f x';
if x' == x then x else converge f x';
/**
Extend a function using an overlay.
@ -149,7 +157,6 @@ rec {
A fixed-point function is a function which is intended to be evaluated by passing the result of itself as the argument.
This is possible due to Nix's lazy evaluation.
A fixed-point function returning an attribute set has the form
```nix
@ -257,7 +264,6 @@ rec {
```
:::
# Inputs
`overlay`
@ -299,8 +305,7 @@ rec {
:::
*/
extends =
overlay:
f:
overlay: f:
# The result should be thought of as a function, the argument of that function is not an argument to `extends` itself
(
final:
@ -311,63 +316,98 @@ rec {
);
/**
Compose two extending functions of the type expected by 'extends'
into one where changes made in the first are available in the
'super' of the second
# Inputs
`f`
: 1\. Function argument
`g`
: 2\. Function argument
`final`
: 3\. Function argument
`prev`
: 4\. Function argument
Compose two overlay functions and return a single overlay function that combines them.
For more details see: [composeManyExtensions](#function-library-lib.fixedPoints.composeManyExtensions).
*/
composeExtensions =
f: g: final: prev:
let fApplied = f final prev;
let
fApplied = f final prev;
prev' = prev // fApplied;
in fApplied // g final prev';
in
fApplied // g final prev';
/**
Compose several extending functions of the type expected by 'extends' into
one where changes made in preceding functions are made available to
subsequent ones.
Composes a list of [`overlays`](#chap-overlays) and returns a single overlay function that combines them.
:::{.note}
The result is produced by using the update operator `//`.
This means nested values of previous overlays are not merged recursively.
In other words, previously defined attributes are replaced, ignoring the previous value, unless referenced by the overlay; for example `final: prev: { foo = final.foo + 1; }`.
:::
# Inputs
`extensions`
: A list of overlay functions
:::{.note}
The order of the overlays in the list is important.
:::
: Each overlay function takes two arguments, by convention `final` and `prev`, and returns an attribute set.
- `final` is the result of the fixed-point function, with all overlays applied.
- `prev` is the result of the previous overlay function(s).
# Type
```
composeManyExtensions : [packageSet -> packageSet -> packageSet] -> packageSet -> packageSet -> packageSet
^final ^prev ^overrides ^final ^prev ^overrides
# Pseudo code
let
# final prev
# ↓ ↓
OverlayFn = { ... } -> { ... } -> { ... };
in
composeManyExtensions :: ListOf OverlayFn -> OverlayFn
```
# Examples
:::{.example}
## `lib.fixedPoints.composeManyExtensions` usage example
```nix
let
# The "original function" that is extended by the overlays.
# Note that it doesn't have prev: as argument since no overlay function precedes it.
original = final: { a = 1; };
# Each overlay function has 'final' and 'prev' as arguments.
overlayA = final: prev: { b = final.c; c = 3; };
overlayB = final: prev: { c = 10; x = prev.c or 5; };
extensions = composeManyExtensions [ overlayA overlayB ];
# Caluculate the fixed point of all composed overlays.
fixedpoint = lib.fix (lib.extends extensions original );
in fixedpoint
=>
{
a = 1;
b = 10;
c = 10;
x = 3;
}
```
:::
*/
composeManyExtensions =
lib.foldr (x: y: composeExtensions x y) (final: prev: {});
composeManyExtensions = lib.foldr (x: y: composeExtensions x y) (final: prev: { });
/**
Create an overridable, recursive attribute set. For example:
```
nix-repl> obj = makeExtensible (self: { })
nix-repl> obj = makeExtensible (final: { })
nix-repl> obj
{ __unfix__ = «lambda»; extend = «lambda»; }
nix-repl> obj = obj.extend (self: super: { foo = "foo"; })
nix-repl> obj = obj.extend (final: prev: { foo = "foo"; })
nix-repl> obj
{ __unfix__ = «lambda»; extend = «lambda»; foo = "foo"; }
nix-repl> obj = obj.extend (self: super: { foo = super.foo + " + "; bar = "bar"; foobar = self.foo + self.bar; })
nix-repl> obj = obj.extend (final: prev: { foo = prev.foo + " + "; bar = "bar"; foobar = final.foo + final.bar; })
nix-repl> obj
{ __unfix__ = «lambda»; bar = "bar"; extend = «lambda»; foo = "foo + "; foobar = "foo + bar"; }
@ -379,7 +419,6 @@ rec {
Same as `makeExtensible` but the name of the extending attribute is
customized.
# Inputs
`extenderName`
@ -390,8 +429,85 @@ rec {
: 2\. Function argument
*/
makeExtensibleWithCustomName = extenderName: rattrs:
fix' (self: (rattrs self) // {
makeExtensibleWithCustomName =
extenderName: rattrs:
fix' (
self:
(rattrs self)
// {
${extenderName} = f: makeExtensibleWithCustomName extenderName (extends f rattrs);
});
}
);
/**
Convert to an extending function (overlay).
`toExtension` is the `toFunction` for extending functions (a.k.a. extensions or overlays).
It converts a non-function or a single-argument function to an extending function,
while returning a two-argument function as-is.
That is, it takes a value of the shape `x`, `prev: x`, or `final: prev: x`,
and returns `final: prev: x`, assuming `x` is not a function.
This function takes care of the input to `stdenv.mkDerivation`'s
`overrideAttrs` function.
It bridges the gap between `<pkg>.overrideAttrs`
before and after the overlay-style support.
# Inputs
`f`
: The function or value to convert to an extending function.
# Type
```
toExtension ::
b' -> Any -> Any -> b'
or
toExtension ::
(a -> b') -> Any -> a -> b'
or
toExtension ::
(a -> a -> b) -> a -> a -> b
where b' = ! Callable
Set a = b = b' = AttrSet & ! Callable to make toExtension return an extending function.
```
# Examples
:::{.example}
## `lib.fixedPoints.toExtension` usage example
```nix
fix (final: { a = 0; c = final.a; })
=> { a = 0; c = 0; };
fix (extends (toExtension { a = 1; b = 2; }) (final: { a = 0; c = final.a; }))
=> { a = 1; b = 2; c = 1; };
fix (extends (toExtension (prev: { a = 1; b = prev.a; })) (final: { a = 0; c = final.a; }))
=> { a = 1; b = 0; c = 1; };
fix (extends (toExtension (final: prev: { a = 1; b = prev.a; c = final.a + 1 })) (final: { a = 0; c = final.a; }))
=> { a = 1; b = 0; c = 2; };
```
:::
*/
toExtension =
f:
if lib.isFunction f then
final: prev:
let
fPrev = f prev;
in
if lib.isFunction fPrev then
# f is (final: prev: { ... })
f final prev
else
# f is (prev: { ... })
fPrev
else
# f is not a function; probably { ... }
final: prev: f;
}

View file

@ -229,6 +229,7 @@ lib.mapAttrs mkLicense ({
};
bsl11 = {
spdxId = "BUSL-1.1";
fullName = "Business Source License 1.1";
url = "https://mariadb.com/bsl11";
free = false;
@ -403,6 +404,12 @@ lib.mapAttrs mkLicense ({
fullName = "CeCILL-C Free Software License Agreement";
};
cockroachdb-community-license = {
fullName = "CockroachDB Community License Agreement";
url = "https://www.cockroachlabs.com/cockroachdb-community-license/";
free = false;
};
cpal10 = {
spdxId = "CPAL-1.0";
fullName = "Common Public Attribution License 1.0";
@ -547,6 +554,13 @@ lib.mapAttrs mkLicense ({
redistributable = true;
};
fsl11Asl20 = {
fullName = "Functional Source License, Version 1.1, Apache 2.0 Future License";
url = "https://fsl.software/FSL-1.1-Apache-2.0.template.md";
free = false;
redistributable = true;
};
ftl = {
spdxId = "FTL";
fullName = "Freetype Project License";
@ -714,10 +728,9 @@ lib.mapAttrs mkLicense ({
fullName = "ISC License";
};
# Proprietary binaries; free to redistribute without modification.
databricks = {
fullName = "Databricks Proprietary License";
url = "https://pypi.org/project/databricks-connect";
fullName = "Databricks License";
url = "https://www.databricks.com/legal/db-license";
free = false;
};
@ -728,6 +741,12 @@ lib.mapAttrs mkLicense ({
redistributable = false;
};
databricks-license = {
fullName = "Databricks License";
url = "https://www.databricks.com/legal/db-license";
free = false;
};
fair = {
fullName = "Fair License";
spdxId = "Fair";
@ -820,11 +839,6 @@ lib.mapAttrs mkLicense ({
fullName = "PNG Reference Library version 2";
};
libssh2 = {
fullName = "libssh2 License";
url = "https://www.libssh2.org/license.html";
};
libtiff = {
spdxId = "libtiff";
fullName = "libtiff License";
@ -866,8 +880,6 @@ lib.mapAttrs mkLicense ({
url = "https://opensource.org/licenses/MirOS";
};
# spdx.org does not (yet) differentiate between the X11 and Expat versions
# for details see https://en.wikipedia.org/wiki/MIT_License#Various_versions
mit = {
spdxId = "MIT";
fullName = "MIT License";
@ -878,6 +890,12 @@ lib.mapAttrs mkLicense ({
fullName = "feh License";
};
mit-modern = {
# Also known as Zsh license
spdxId = "MIT-Modern-Variant";
fullName = "MIT License Modern Variant";
};
mitAdvertising = {
spdxId = "MIT-advertising";
fullName = "Enlightenment License (e16)";
@ -1099,6 +1117,11 @@ lib.mapAttrs mkLicense ({
url = "https://qwt.sourceforge.io/qwtlicense.html";
};
radiance = {
fullName = "The Radiance Software License, Version 2.0";
url = "https://github.com/LBNL-ETA/Radiance/blob/master/License.txt";
};
ruby = {
spdxId = "Ruby";
fullName = "Ruby License";
@ -1305,11 +1328,6 @@ lib.mapAttrs mkLicense ({
fullName = "zlib License";
};
zsh = {
url = "https://github.com/zsh-users/zsh/blob/master/LICENCE";
fullName = "Zsh License";
};
zpl20 = {
spdxId = "ZPL-2.0";
fullName = "Zope Public License 2.0";

View file

@ -7,6 +7,7 @@
let
inherit (lib) matchAttrs any all isDerivation getBin assertMsg;
inherit (lib.attrsets) mapAttrs' filterAttrs;
inherit (builtins) isString match typeOf;
in
@ -132,12 +133,17 @@ rec {
mapDerivationAttrset = f: set: lib.mapAttrs (name: pkg: if lib.isDerivation pkg then (f pkg) else pkg) set;
/**
Set the nix-env priority of the package.
The default priority of packages in Nix. See `defaultPriority` in [`src/nix/profile.cc`](https://github.com/NixOS/nix/blob/master/src/nix/profile.cc#L47).
*/
defaultPriority = 5;
/**
Set the nix-env priority of the package. Note that higher values are lower priority, and vice versa.
# Inputs
`priority`
: 1\. Function argument
: 1\. The priority to set.
`drv`
: 2\. Function argument
@ -158,8 +164,7 @@ rec {
lowPrio = setPrio 10;
/**
Apply lowPrio to an attrset with derivations
Apply lowPrio to an attrset with derivations.
# Inputs
@ -183,8 +188,7 @@ rec {
hiPrio = setPrio (-10);
/**
Apply hiPrio to an attrset with derivations
Apply hiPrio to an attrset with derivations.
# Inputs
@ -286,11 +290,39 @@ rec {
((!pkg?meta.platforms) || any (platformMatch platform) pkg.meta.platforms) &&
all (elem: !platformMatch platform elem) (pkg.meta.badPlatforms or []);
/**
Mapping of SPDX ID to the attributes in lib.licenses.
For SPDX IDs, see https://spdx.org/licenses.
Note that some SPDX licenses might be missing.
# Examples
:::{.example}
## `lib.meta.licensesSpdx` usage example
```nix
lib.licensesSpdx.MIT == lib.licenses.mit
=> true
lib.licensesSpdx."MY LICENSE"
=> error: attribute 'MY LICENSE' missing
```
:::
*/
licensesSpdx =
mapAttrs'
(_key: license: {
name = license.spdxId;
value = license;
})
(filterAttrs (_key: license: license ? spdxId) lib.licenses);
/**
Get the corresponding attribute in lib.licenses from the SPDX ID
or warn and fallback to `{ shortName = <license string>; }`.
For SPDX IDs, see https://spdx.org/licenses
For SPDX IDs, see https://spdx.org/licenses.
Note that some SPDX licenses might be missing.
# Type
@ -325,7 +357,8 @@ rec {
Get the corresponding attribute in lib.licenses from the SPDX ID
or fallback to the given default value.
For SPDX IDs, see https://spdx.org/licenses
For SPDX IDs, see https://spdx.org/licenses.
Note that some SPDX licenses might be missing.
# Inputs
@ -361,10 +394,12 @@ rec {
*/
getLicenseFromSpdxIdOr =
let
spdxLicenses = lib.mapAttrs (id: ls: assert lib.length ls == 1; builtins.head ls)
(lib.groupBy (l: lib.toLower l.spdxId) (lib.filter (l: l ? spdxId) (lib.attrValues lib.licenses)));
lowercaseLicenses = lib.mapAttrs' (name: value: {
name = lib.toLower name;
inherit value;
}) licensesSpdx;
in licstr: default:
spdxLicenses.${ lib.toLower licstr } or default;
lowercaseLicenses.${ lib.toLower licstr } or default;
/**
Get the path to the main program of a package based on meta.mainProgram

View file

@ -861,7 +861,7 @@ let
else
# (nixos-option detects this specific error message and gives it special
# handling. If changed here, please change it there too.)
throw "The option `${showOption loc}' is used but not defined.";
throw "The option `${showOption loc}' was accessed but has no value defined. Try setting the option.";
isDefined = defsFinal != [];
@ -1366,6 +1366,58 @@ let
]);
};
/**
`importApply file arg :: Path -> a -> Module`, where `import file :: a -> Module`
`importApply` imports a Nix expression file much like the module system would,
after passing an extra positional argument to the function in the file.
This function should be used when declaring a module in a file that refers to
values from a different scope, such as that in a flake.
It solves the problems of alternative solutions:
- While `importApply file arg` is _mostly_ equivalent to
`import file arg`, the latter returns a module without a location,
as `import` only returns the contained expression. This leads to worse
error messages.
- Using `specialArgs` to provide arguments to all modules. This effectively
creates an incomplete module, and requires the user of the module to
manually pass the `specialArgs` to the configuration, which is error-prone,
verbose, and unnecessary.
The nix file must contain a function that returns a module.
A module may itself be a function, so the file is often a function with two
positional arguments instead of one. See the example below.
This function does not add support for deduplication and `disabledModules`,
although that could be achieved by wrapping the returned module and setting
the `_key` module attribute.
The reason for this omission is that the file path is not guaranteed to be
a unique identifier for the module, as two instances of the module may
reference different `arg`s in their closures.
Example
# lib.nix
imports = [
(lib.modules.importApply ./module.nix { bar = bar; })
];
# module.nix
{ bar }:
{ lib, config, ... }:
{
options = ...;
config = ... bar ...;
}
*/
importApply =
modulePath: staticArg:
lib.setDefaultModuleLocation modulePath (import modulePath staticArg);
/* Use this function to import a JSON file as NixOS configuration.
modules.importJSON :: path -> attrs
@ -1415,6 +1467,7 @@ private //
filterOverrides'
fixMergeModules
fixupOptionType # should be private?
importApply
importJSON
importTOML
mergeDefinitions

View file

@ -408,7 +408,6 @@ rec {
start ? false,
end ? false,
}:
s:
let
# Define our own whitespace character class instead of using
# `[:space:]`, which is not well-defined.
@ -425,7 +424,9 @@ rec {
"(.*[^${chars}])[${chars}]*"
else
"(.*)";
in
s:
let
# If the string was empty or entirely whitespace,
# then the regex may not match and `res` will be `null`.
res = match regex s;
@ -1026,7 +1027,8 @@ rec {
replaceStrings (builtins.attrNames toEscape) (lib.mapAttrsToList (_: c: "%${fixedWidthString 2 "0" (lib.toHexString c)}") toEscape);
/**
Quote `string` to be used safely within the Bourne shell.
Quote `string` to be used safely within the Bourne shell if it has any
special characters.
# Inputs
@ -1051,10 +1053,17 @@ rec {
:::
*/
escapeShellArg = arg: "'${replaceStrings ["'"] ["'\\''"] (toString arg)}'";
escapeShellArg = arg:
let
string = toString arg;
in
if match "[[:alnum:],._+:@%/-]+" string == null
then "'${replaceStrings ["'"] ["'\\''"] string}'"
else string;
/**
Quote all arguments to be safely passed to the Bourne shell.
Quote all arguments that have special characters to be safely passed to the
Bourne shell.
# Inputs
@ -1073,7 +1082,7 @@ rec {
```nix
escapeShellArgs ["one" "two three" "four'five"]
=> "'one' 'two three' 'four'\\''five'"
=> "one 'two three' 'four'\\''five'"
```
:::

View file

@ -179,7 +179,7 @@ let
hasSharedLibraries = with final;
(isAndroid || isGnu || isMusl # Linux (allows multiple libcs)
|| isDarwin || isSunOS || isOpenBSD || isFreeBSD || isNetBSD # BSDs
|| isCygwin || isMinGW # Windows
|| isCygwin || isMinGW || isWindows # Windows
|| isWasm # WASM
) && !isStatic;
@ -257,6 +257,22 @@ let
if final.isMacOS then "MACOSX_DEPLOYMENT_TARGET"
else if final.isiOS then "IPHONEOS_DEPLOYMENT_TARGET"
else null;
# Remove before 25.05
androidSdkVersion =
if (args ? sdkVer && !args ? androidSdkVersion) then
throw "For android `sdkVer` has been renamed to `androidSdkVersion`"
else if (args ? androidSdkVersion) then
args.androidSdkVersion
else
null;
androidNdkVersion =
if (args ? ndkVer && !args ? androidNdkVersion) then
throw "For android `ndkVer` has been renamed to `androidNdkVersion`"
else if (args ? androidSdkVersion) then
args.androidNdkVersion
else
null;
} // (
let
selectEmulator = pkgs:
@ -282,8 +298,11 @@ let
};
wine = (pkgs.winePackagesFor "wine${toString final.parsed.cpu.bits}").minimal;
in
# Note: we guarantee that the return value is either `null` or a path
# to an emulator program. That is, if an emulator requires additional
# arguments, a wrapper should be used.
if pkgs.stdenv.hostPlatform.canExecute final
then "${pkgs.runtimeShell} -c '\"$@\"' --"
then "${pkgs.execline}/bin/exec"
else if final.isWindows
then "${wine}/bin/wine${optionalString (final.parsed.cpu.bits == 64) "64"}"
else if final.isLinux && pkgs.stdenv.hostPlatform.isLinux && final.qemuArch != null
@ -360,6 +379,7 @@ let
"armv7l" = "armv7";
"armv6l" = "arm";
"armv5tel" = "armv5te";
"riscv32" = "riscv32gc";
"riscv64" = "riscv64gc";
}.${cpu.name} or cpu.name;
vendor_ = final.rust.platform.vendor;

View file

@ -69,6 +69,7 @@ in {
arm = filterDoubles predicates.isAarch32;
armv7 = filterDoubles predicates.isArmv7;
aarch = filterDoubles predicates.isAarch;
aarch64 = filterDoubles predicates.isAarch64;
x86 = filterDoubles predicates.isx86;
i686 = filterDoubles predicates.isi686;
@ -114,6 +115,4 @@ in {
genode = filterDoubles predicates.isGenode;
embedded = filterDoubles predicates.isNone;
mesaPlatforms = ["i686-linux" "x86_64-linux" "x86_64-darwin" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "armv7a-linux" "aarch64-linux" "powerpc64-linux" "powerpc64le-linux" "aarch64-darwin" "riscv64-linux"];
}

View file

@ -60,23 +60,23 @@ rec {
armv7a-android-prebuilt = {
config = "armv7a-unknown-linux-androideabi";
rust.rustcTarget = "armv7-linux-androideabi";
sdkVer = "33";
ndkVer = "26";
androidSdkVersion = "33";
androidNdkVersion = "26";
useAndroidPrebuilt = true;
} // platforms.armv7a-android;
aarch64-android-prebuilt = {
config = "aarch64-unknown-linux-android";
rust.rustcTarget = "aarch64-linux-android";
sdkVer = "33";
ndkVer = "26";
androidSdkVersion = "33";
androidNdkVersion = "26";
useAndroidPrebuilt = true;
};
aarch64-android = {
config = "aarch64-unknown-linux-android";
sdkVer = "33";
ndkVer = "26";
androidSdkVersion = "33";
androidNdkVersion = "26";
libc = "bionic";
useAndroidPrebuilt = false;
useLLVM = true;

View file

@ -201,8 +201,9 @@ rec {
target = "zImage";
};
gcc = {
arch = "armv6";
fpu = "vfp";
# https://en.wikipedia.org/wiki/Raspberry_Pi#Specifications
arch = "armv6kz";
fpu = "vfpv2";
};
};

View file

@ -0,0 +1,165 @@
let
lib = import ./..;
inherit (lib)
fakeHash
fakeSha256
fakeSha512
flip
functionArgs
runTests
;
inherit (lib.fetchers) normalizeHash withNormalizedHash;
testingThrow = expr: {
expr = with builtins; tryEval (seq expr "didn't throw");
expected = {
success = false;
value = false;
};
};
# hashes of empty
sri256 = "sha256-d6xi4mKdjkX2JFicDIv5niSzpyI0m/Hnm8GGAIU04kY=";
sri512 = "sha512-AXFyVo7jiZ5we10fxZ5E9qfPjSfqkizY2apCzORKFVYZaNhCIVbooY+J4cYST00ztLf0EjivIBPPdtIYFUMfzQ==";
unionOfDisjoints = lib.foldl lib.attrsets.unionOfDisjoint { };
genTests = n: f: {
"test${n}AlreadyNormalized" = {
expr = f { } {
outputHash = "";
outputHashAlgo = "md42";
};
expected = {
outputHash = "";
outputHashAlgo = "md42";
};
};
"test${n}EmptySha256" = {
expr = f { } { sha256 = ""; };
expected = {
outputHash = fakeSha256;
outputHashAlgo = "sha256";
};
};
"test${n}EmptySha512" = {
expr = f { hashTypes = [ "sha512" ]; } { sha512 = ""; };
expected = {
outputHash = fakeSha512;
outputHashAlgo = "sha512";
};
};
"test${n}EmptyHash" = {
expr = f { } { hash = ""; };
expected = {
outputHash = fakeHash;
outputHashAlgo = null;
};
};
"test${n}Sri256" = {
expr = f { } { hash = sri256; };
expected = {
outputHash = sri256;
outputHashAlgo = null;
};
};
"test${n}Sri512" = {
expr = f { } { hash = sri512; };
expected = {
outputHash = sri512;
outputHashAlgo = null;
};
};
"test${n}PreservesAttrs" = {
expr = f { } {
hash = "aaaa";
destination = "Earth";
};
expected = {
outputHash = "aaaa";
outputHashAlgo = null;
destination = "Earth";
};
};
"test${n}RejectsSha1ByDefault" = testingThrow (f { } { sha1 = ""; });
"test${n}RejectsSha512ByDefault" = testingThrow (f { } { sha512 = ""; });
"test${n}ThrowsOnMissing" = testingThrow (f { } { gibi = false; });
};
in
runTests (unionOfDisjoints [
(genTests "NormalizeHash" normalizeHash)
(genTests "WithNormalized" (
flip withNormalizedHash ({ outputHash, outputHashAlgo, ... }@args: args)
))
{
testNormalizeNotRequiredEquivalent = {
expr = normalizeHash { required = false; } {
hash = "";
prof = "shadoko";
};
expected = normalizeHash { } {
hash = "";
prof = "shadoko";
};
};
testNormalizeNotRequiredPassthru = {
expr = normalizeHash { required = false; } { "ga bu" = "zo meu"; };
expected."ga bu" = "zo meu";
};
testOptionalArg = {
expr = withNormalizedHash { } (
{
outputHash ? "",
outputHashAlgo ? null,
...
}@args:
args
) { author = "Jacques Rouxel"; };
expected.author = "Jacques Rouxel";
};
testOptionalArgMetadata = {
expr = functionArgs (
withNormalizedHash { } (
{
outputHash ? "",
outputHashAlgo ? null,
}:
{ }
)
);
expected.hash = true;
};
testPreservesArgsMetadata = {
expr = functionArgs (
withNormalizedHash { } (
{
outputHash,
outputHashAlgo,
pumping ? true,
}:
{ }
)
);
expected = {
hash = false;
pumping = true;
};
};
testRejectsMissingHashArg = testingThrow (withNormalizedHash { } ({ outputHashAlgo }: { }));
testRejectsMissingAlgoArg = testingThrow (withNormalizedHash { } ({ outputHash }: { }));
}
])

View file

@ -45,6 +45,7 @@ let
const
escapeXML
evalModules
extends
filter
fix
fold
@ -102,6 +103,7 @@ let
take
testAllTrue
toBaseDigits
toExtension
toHexString
fromHexString
toInt
@ -233,11 +235,6 @@ runTests {
];
};
testFix = {
expr = fix (x: {a = if x ? a then "a" else "b";});
expected = {a = "a";};
};
testComposeExtensions = {
expr = let obj = makeExtensible (self: { foo = self.bar; });
f = self: super: { bar = false; baz = true; };
@ -470,6 +467,26 @@ runTests {
expected = [ "A" "B" ];
};
testEscapeShellArg = {
expr = strings.escapeShellArg "esc'ape\nme";
expected = "'esc'\\''ape\nme'";
};
testEscapeShellArgEmpty = {
expr = strings.escapeShellArg "";
expected = "''";
};
testEscapeShellArgs = {
expr = strings.escapeShellArgs ["one" "two three" "four'five"];
expected = "one 'two three' 'four'\\''five'";
};
testEscapeShellArgsUnicode = {
expr = strings.escapeShellArg "á";
expected = "'á'";
};
testSplitStringsDerivation = {
expr = take 3 (strings.splitString "/" (derivation {
name = "name";
@ -569,12 +586,12 @@ runTests {
'';
expected = ''
STRing01='just a '\'''string'\''''
declare -a _array_=('with' 'more strings')
declare -a _array_=(with 'more strings')
declare -A assoc=(['with some']='strings
possibly newlines
')
drv='/drv'
path='/path'
drv=/drv
path=/path
stringable='hello toString'
'';
};
@ -1217,6 +1234,28 @@ runTests {
attrsToList { someFunc= a: a + 1;}
);
# FIXED-POINTS
testFix = {
expr = fix (x: {a = if x ? a then "a" else "b";});
expected = {a = "a";};
};
testToExtension = {
expr = [
(fix (final: { a = 0; c = final.a; }))
(fix (extends (toExtension { a = 1; b = 2; }) (final: { a = 0; c = final.a; })))
(fix (extends (toExtension (prev: { a = 1; b = prev.a; })) (final: { a = 0; c = final.a; })))
(fix (extends (toExtension (final: prev: { a = 1; b = prev.a; c = final.a + 1; })) (final: { a = 0; c = final.a; })))
];
expected = [
{ a = 0; c = 0; }
{ a = 1; b = 2; c = 1; }
{ a = 1; b = 0; c = 1; }
{ a = 1; b = 0; c = 2; }
];
};
# GENERATORS
# these tests assume attributes are converted to lists
# in alphabetical order
@ -1754,7 +1793,7 @@ runTests {
verbose = true;
};
expected = "'-X' 'PUT' '--data' '{\"id\":0}' '--retry' '3' '--url' 'https://example.com/foo' '--url' 'https://example.com/bar' '--verbose'";
expected = "-X PUT --data '{\"id\":0}' --retry 3 --url https://example.com/foo --url https://example.com/bar --verbose";
};
testSanitizeDerivationNameLeadingDots = testSanitizeDerivationName {

View file

@ -13,13 +13,44 @@ set -o errexit -o noclobber -o nounset -o pipefail
shopt -s failglob inherit_errexit
# https://stackoverflow.com/a/246128/6605742
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
cd "$DIR"/modules
pass=0
fail=0
# loc
# prints the location of the call of to the function that calls it
# loc n
# prints the location n levels up the call stack
loc() {
local caller depth
depth=1
if [[ $# -gt 0 ]]; then
depth=$1
fi
# ( lineno fnname file ) of the caller
caller=( $(caller $depth) )
echo "${caller[2]}:${caller[0]}"
}
line() {
echo "----------------------------------------"
}
logStartFailure() {
line
}
logEndFailure() {
line
echo
}
logFailure() {
# bold red
printf '\033[1;31mTEST FAILED\033[0m at %s\n' "$(loc 2)"
}
evalConfig() {
local attr=$1
shift
@ -31,7 +62,7 @@ reportFailure() {
local attr=$1
shift
local script="import ./default.nix { modules = [ $* ];}"
echo 2>&1 "$ nix-instantiate -E '$script' -A '$attr' --eval-only --json"
echo "$ nix-instantiate -E '$script' -A '$attr' --eval-only --json"
evalConfig "$attr" "$@" || true
((++fail))
}
@ -42,8 +73,12 @@ checkConfigOutput() {
if evalConfig "$@" 2>/dev/null | grep -E --silent "$outputContains" ; then
((++pass))
else
echo 2>&1 "error: Expected result matching '$outputContains', while evaluating"
logStartFailure
echo "ACTUAL:"
reportFailure "$@"
echo "EXPECTED: result matching '$outputContains'"
logFailure
logEndFailure
fi
}
@ -52,14 +87,22 @@ checkConfigError() {
local err=""
shift
if err="$(evalConfig "$@" 2>&1 >/dev/null)"; then
echo 2>&1 "error: Expected error code, got exit code 0, while evaluating"
logStartFailure
echo "ACTUAL: exit code 0, output:"
reportFailure "$@"
echo "EXPECTED: non-zero exit code"
logFailure
logEndFailure
else
if echo "$err" | grep -zP --silent "$errorContains" ; then
((++pass))
else
echo 2>&1 "error: Expected error matching '$errorContains', while evaluating"
logStartFailure
echo "ACTUAL:"
reportFailure "$@"
echo "EXPECTED: error matching '$errorContains'"
logFailure
logEndFailure
fi
fi
}
@ -204,6 +247,14 @@ checkConfigOutput '^true$' "$@" ./define-enable.nix ./define-attrsOfSub-if-foo-e
checkConfigOutput '^true$' "$@" ./define-enable.nix ./define-attrsOfSub-foo-if-enable.nix
checkConfigOutput '^true$' "$@" ./define-enable.nix ./define-attrsOfSub-foo-enable-if.nix
# Check importApply
checkConfigOutput '"abc"' config.value ./importApply.nix
# importApply does not set a key.
# Disabling the function file is not sufficient, because importApply can't reasonably assume that the key is unique.
# e.g. user may call it multiple times with different arguments and expect each of the module to apply.
# While this is excusable for the disabledModules aspect, it is not for the deduplication of modules.
checkConfigOutput '"abc"' config.value ./importApply-disabling.nix
# Check disabledModules with config definitions and option declarations.
set -- config.enable ./define-enable.nix ./declare-enable.nix
checkConfigOutput '^true$' "$@"
@ -243,6 +294,9 @@ checkConfigOutput '^"42"$' config.value ./declare-coerced-value.nix
checkConfigOutput '^"24"$' config.value ./declare-coerced-value.nix ./define-value-string.nix
checkConfigError 'A definition for option .* is not.*string or signed integer convertible to it.*. Definition values:\n\s*- In .*: \[ \]' config.value ./declare-coerced-value.nix ./define-value-list.nix
# Check coerced option merging.
checkConfigError 'The option .value. in .*/declare-coerced-value.nix. is already declared in .*/declare-coerced-value-no-default.nix.' config.value ./declare-coerced-value.nix ./declare-coerced-value-no-default.nix
# Check coerced value with unsound coercion
checkConfigOutput '^12$' config.value ./declare-coerced-value-unsound.nix
checkConfigError 'A definition for option .* is not of type .*. Definition values:\n\s*- In .*: "1000"' config.value ./declare-coerced-value-unsound.nix ./define-value-string-bigint.nix
@ -261,7 +315,7 @@ checkConfigOutput '^".*Hello.*"$' options.namedPackage.description ./declare-mkP
checkConfigOutput '^"hello"$' config.pathPackage.pname ./declare-mkPackageOption.nix
checkConfigOutput '^"pkgs\.hello\.override \{ stdenv = pkgs\.clangStdenv; \}"$' options.packageWithExample.example.text ./declare-mkPackageOption.nix
checkConfigOutput '^".*Example extra description\..*"$' options.packageWithExtraDescription.description ./declare-mkPackageOption.nix
checkConfigError 'The option .undefinedPackage. is used but not defined' config.undefinedPackage ./declare-mkPackageOption.nix
checkConfigError 'The option .undefinedPackage. was accessed but has no value defined. Try setting the option.' config.undefinedPackage ./declare-mkPackageOption.nix
checkConfigOutput '^null$' config.nullablePackage ./declare-mkPackageOption.nix
checkConfigOutput '^"null or package"$' options.nullablePackageWithDefault.type.description ./declare-mkPackageOption.nix
checkConfigOutput '^"myPkgs\.hello"$' options.packageWithPkgsText.defaultText.text ./declare-mkPackageOption.nix
@ -359,7 +413,7 @@ checkConfigOutput '^null$' config.foo ./freeform-attrsOf.nix ./freeform-str-dep-
checkConfigOutput '^"24"$' config.foo ./freeform-attrsOf.nix ./freeform-str-dep-unstr.nix ./define-value-string.nix
# Check whether an freeform-typed value can depend on a declared option, this can only work with lazyAttrsOf
checkConfigError 'infinite recursion encountered' config.foo ./freeform-attrsOf.nix ./freeform-unstr-dep-str.nix
checkConfigError 'The option .* is used but not defined' config.foo ./freeform-lazyAttrsOf.nix ./freeform-unstr-dep-str.nix
checkConfigError 'The option .* was accessed but has no value defined. Try setting the option.' config.foo ./freeform-lazyAttrsOf.nix ./freeform-unstr-dep-str.nix
checkConfigOutput '^"24"$' config.foo ./freeform-lazyAttrsOf.nix ./freeform-unstr-dep-str.nix ./define-value-string.nix
# submodules in freeformTypes should have their locations annotated
checkConfigOutput '/freeform-submodules.nix"$' config.fooDeclarations.0 ./freeform-submodules.nix
@ -375,8 +429,8 @@ checkConfigOutput '^null$' config.value.l1.l2.foo ./types-anything/nested-attrs.
checkConfigOutput '^null$' config.value.l1.l2.l3.foo ./types-anything/nested-attrs.nix
# Attribute sets that are coercible to strings shouldn't be recursed into
checkConfigOutput '^"foo"$' config.value.outPath ./types-anything/attrs-coercible.nix
# Multiple lists aren't concatenated together
checkConfigError 'The option .* has conflicting definitions' config.value ./types-anything/lists.nix
# Multiple lists aren't concatenated together if their definitions are not equal
checkConfigError 'The option .* has conflicting definition values' config.value ./types-anything/lists.nix
# Check that all equalizable atoms can be used as long as all definitions are equal
checkConfigOutput '^0$' config.value.int ./types-anything/equal-atoms.nix
checkConfigOutput '^false$' config.value.bool ./types-anything/equal-atoms.nix
@ -384,6 +438,7 @@ checkConfigOutput '^""$' config.value.string ./types-anything/equal-atoms.nix
checkConfigOutput '^"/[^"]+"$' config.value.path ./types-anything/equal-atoms.nix
checkConfigOutput '^null$' config.value.null ./types-anything/equal-atoms.nix
checkConfigOutput '^0.1$' config.value.float ./types-anything/equal-atoms.nix
checkConfigOutput '^\[1,"a",{"x":null}\]$' config.value.list ./types-anything/equal-atoms.nix
# Functions can't be merged together
checkConfigError "The option .value.multiple-lambdas.<function body>. has conflicting option types" config.applied.multiple-lambdas ./types-anything/functions.nix
checkConfigOutput '^true$' config.valueIsFunction.single-lambda ./types-anything/functions.nix
@ -418,8 +473,8 @@ checkConfigOutput "{}" config.attrs.a ./emptyValues.nix
checkConfigOutput "null" config.null.a ./emptyValues.nix
checkConfigOutput "{}" config.submodule.a ./emptyValues.nix
# These types don't have empty values
checkConfigError 'The option .int.a. is used but not defined' config.int.a ./emptyValues.nix
checkConfigError 'The option .nonEmptyList.a. is used but not defined' config.nonEmptyList.a ./emptyValues.nix
checkConfigError 'The option .int.a. was accessed but has no value defined. Try setting the option.' config.int.a ./emptyValues.nix
checkConfigError 'The option .nonEmptyList.a. was accessed but has no value defined. Try setting the option.' config.nonEmptyList.a ./emptyValues.nix
# types.unique
# requires a single definition
@ -499,21 +554,21 @@ checkConfigOutput '^"pear\\npear"$' config.twice.raw ./merge-module-with-key.nix
# Declaration positions
# Line should be present for direct options
checkConfigOutput '^10$' options.imported.line10.declarationPositions.0.line ./declaration-positions.nix
checkConfigOutput '/declaration-positions.nix"$' options.imported.line10.declarationPositions.0.file ./declaration-positions.nix
checkConfigOutput '^14$' options.imported.line14.declarationPositions.0.line ./declaration-positions.nix
checkConfigOutput '/declaration-positions.nix"$' options.imported.line14.declarationPositions.0.file ./declaration-positions.nix
# Generated options may not have line numbers but they will at least get the
# right file
checkConfigOutput '/declaration-positions.nix"$' options.generated.line18.declarationPositions.0.file ./declaration-positions.nix
checkConfigOutput '^null$' options.generated.line18.declarationPositions.0.line ./declaration-positions.nix
checkConfigOutput '/declaration-positions.nix"$' options.generated.line22.declarationPositions.0.file ./declaration-positions.nix
checkConfigOutput '^null$' options.generated.line22.declarationPositions.0.line ./declaration-positions.nix
# Submodules don't break it
checkConfigOutput '^39$' config.submoduleLine34.submodDeclLine39.0.line ./declaration-positions.nix
checkConfigOutput '/declaration-positions.nix"$' config.submoduleLine34.submodDeclLine39.0.file ./declaration-positions.nix
checkConfigOutput '^45$' config.submoduleLine38.submodDeclLine45.0.line ./declaration-positions.nix
checkConfigOutput '/declaration-positions.nix"$' config.submoduleLine38.submodDeclLine45.0.file ./declaration-positions.nix
# New options under freeform submodules get collected into the parent submodule
# (consistent with .declarations behaviour, but weird; notably appears in system.build)
checkConfigOutput '^34|23$' options.submoduleLine34.declarationPositions.0.line ./declaration-positions.nix
checkConfigOutput '^34|23$' options.submoduleLine34.declarationPositions.1.line ./declaration-positions.nix
checkConfigOutput '^38|27$' options.submoduleLine38.declarationPositions.0.line ./declaration-positions.nix
checkConfigOutput '^38|27$' options.submoduleLine38.declarationPositions.1.line ./declaration-positions.nix
# nested options work
checkConfigOutput '^30$' options.nested.nestedLine30.declarationPositions.0.line ./declaration-positions.nix
checkConfigOutput '^34$' options.nested.nestedLine34.declarationPositions.0.line ./declaration-positions.nix
cat <<EOF
====== module tests ======

View file

@ -1,13 +1,17 @@
{ lib, options, ... }:
let discardPositions = lib.mapAttrs (k: v: v);
let
discardPositions = lib.mapAttrs (k: v: v);
in
# unsafeGetAttrPos is unspecified best-effort behavior, so we only want to consider this test on an evaluator that satisfies some basic assumptions about this function.
assert builtins.unsafeGetAttrPos "a" { a = true; } != null;
assert builtins.unsafeGetAttrPos "a" (discardPositions { a = true; }) == null;
assert
builtins.unsafeGetAttrPos "a" (discardPositions {
a = true;
}) == null;
{
imports = [
{
options.imported.line10 = lib.mkOption {
options.imported.line14 = lib.mkOption {
type = lib.types.int;
};
@ -15,35 +19,39 @@ assert builtins.unsafeGetAttrPos "a" (discardPositions { a = true; }) == null;
# programs.firefox.nativeMessagingHosts.ff2mpv. We don't expect to get
# line numbers for these, but we can fall back on knowing the file.
options.generated = discardPositions {
line18 = lib.mkOption {
line22 = lib.mkOption {
type = lib.types.int;
};
};
options.submoduleLine34.extraOptLine23 = lib.mkOption {
options.submoduleLine38.extraOptLine27 = lib.mkOption {
default = 1;
type = lib.types.int;
};
}
];
options.nested.nestedLine30 = lib.mkOption {
options.nested.nestedLine34 = lib.mkOption {
type = lib.types.int;
};
options.submoduleLine34 = lib.mkOption {
options.submoduleLine38 = lib.mkOption {
default = { };
type = lib.types.submoduleWith {
modules = [
({ options, ... }: {
options.submodDeclLine39 = lib.mkOption { };
})
(
{ options, ... }:
{
options.submodDeclLine45 = lib.mkOption { };
}
)
{ freeformType = with lib.types; lazyAttrsOf (uniq unspecified); }
];
};
};
config = {
submoduleLine34.submodDeclLine39 = (options.submoduleLine34.type.getSubOptions [ ]).submodDeclLine39.declarationPositions;
submoduleLine38.submodDeclLine45 =
(options.submoduleLine38.type.getSubOptions [ ]).submodDeclLine45.declarationPositions;
};
}

View file

@ -0,0 +1,9 @@
{ lib, ... }:
{
options = {
value = lib.mkOption {
type = lib.types.coercedTo lib.types.int builtins.toString lib.types.str;
};
};
}

View file

@ -0,0 +1,4 @@
{
imports = [ ./importApply.nix ];
disabledModules = [ ./importApply-function.nix ];
}

View file

@ -0,0 +1,5 @@
{ foo }:
{ lib, config, ... }:
{
value = foo;
}

View file

@ -0,0 +1,5 @@
{ lib, ... }:
{
options.value = lib.mkOption { default = 1; };
imports = [ (lib.modules.importApply ./importApply-function.nix { foo = "abc"; }) ];
}

View file

@ -12,6 +12,7 @@
value.path = ./.;
value.null = null;
value.float = 0.1;
value.list = [1 "a" {x=null;}];
}
{
value.int = 0;
@ -20,6 +21,7 @@
value.path = ./.;
value.null = null;
value.float = 0.1;
value.list = [1 "a" {x=null;}];
}
];

View file

@ -6,10 +6,10 @@
config = lib.mkMerge [
{
value = [ null ];
value = [ "a value" ];
}
{
value = [ null ];
value = [ "another value" ];
}
];

View file

@ -17,6 +17,7 @@
pkgs.runCommand "nixpkgs-lib-tests-nix-${nix.version}" {
buildInputs = [
(import ./check-eval.nix)
(import ./fetchers.nix)
(import ./maintainers.nix {
inherit pkgs;
lib = import ../.;

View file

@ -219,7 +219,7 @@ rec {
else "(${t.description})";
# When adding new types don't forget to document them in
# nixos/doc/manual/development/option-types.xml!
# nixos/doc/manual/development/option-types.section.md!
types = rec {
raw = mkOptionType {
@ -253,12 +253,6 @@ rec {
mergeFunction = {
# Recursively merge attribute sets
set = (attrsOf anything).merge;
# Safe and deterministic behavior for lists is to only accept one definition
# listOf only used to apply mkIf and co.
list =
if length defs > 1
then throw "The option `${showOption loc}' has conflicting definitions, in ${showFiles (getFiles defs)}."
else (listOf anything).merge;
# This is the type of packages, only accept a single definition
stringCoercibleSet = mergeOneOption;
lambda = loc: defs: arg: anything.merge
@ -1035,7 +1029,7 @@ rec {
getSubOptions = finalType.getSubOptions;
getSubModules = finalType.getSubModules;
substSubModules = m: coercedTo coercedType coerceFunc (finalType.substSubModules m);
typeMerge = t1: t2: null;
typeMerge = t: null;
functor = (defaultFunctor name) // { wrapped = finalType; };
nestedTypes.coercedType = coercedType;
nestedTypes.finalType = finalType;

File diff suppressed because it is too large Load diff

View file

@ -9,10 +9,6 @@ What follows is a (very incomplete) overview of available scripts.
## Metadata
### `check-by-name.sh`
An alias for `pkgs/test/check-by-name/run-local.sh`, see [documentation](../../pkgs/test/check-by-name/README.md).
### `get-maintainer.sh`
`get-maintainer.sh [selector] value` returns a JSON object describing
@ -60,3 +56,16 @@ The maintainer is designated by a `selector` which must be one of:
see [`maintainer-list.nix`] for the fields' definition.
[`maintainer-list.nix`]: ../maintainer-list.nix
## Conventions
### `sha-to-sri.py`
`sha-to-sri.py path ...` (atomically) rewrites hash attributes (named `hash` or `sha(1|256|512)`)
into the SRI format: `hash = "{hash name}-{base64 encoded value}"`.
`path` must point to either a nix file, or a directory which will be automatically traversed.
`sha-to-sri.py` automatically skips files whose first non-empty line contains `generated by` or `do not edit`.
Moreover, when walking a directory tree, the script will skip files whose name is `yarn.nix` or contains `generated`.

View file

@ -95,6 +95,7 @@ CROSS_TARGETS=(
powerpc64-unknown-linux-gnuabielfv2
powerpc64le-unknown-linux-gnu
riscv64-unknown-linux-gnu
s390x-unknown-linux-gnu
x86_64-unknown-freebsd
)

View file

@ -12,7 +12,27 @@
# nix-build build.nix --argstr maintainer <yourname> --argstr system aarch64-linux
let
pkgs = import ./../../default.nix (removeAttrs args [ "maintainer" ]);
# This avoids a common situation for maintainers, where due to Git's behavior of not tracking
# directories, they have an empty directory somewhere in `pkgs/by-name`. Because that directory
# exists, `pkgs/top-level/by-name-overlay.nix` picks it up and attempts to read `package.nix` out
# of it... which doesn't exist, since it's empty.
#
# We don't want to run the code below on every instantiation of `nixpkgs`, as the `pkgs/by-name`
# eval machinery is quite performance sensitive. So we use the internals of the `by-name` overlay
# to implement our own way to avoid an evaluation failure for this script.
#
# See <https://github.com/NixOS/nixpkgs/issues/338227> for more motivation for this code block.
overlay = self: super: {
_internalCallByNamePackageFile =
file: if builtins.pathExists file then super._internalCallByNamePackageFile file else null;
};
nixpkgsArgs = removeAttrs args [ "maintainer" "overlays" ] // {
overlays = args.overlays or [] ++ [ overlay ];
};
pkgs = import ./../../default.nix nixpkgsArgs;
maintainer_ = pkgs.lib.maintainers.${maintainer};
packagesWith = cond: return: set:
(pkgs.lib.flatten

View file

@ -61,13 +61,11 @@ trace "Done"
trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
git -C "$tmp/merged" merge -q --no-edit "$baseSha"
trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"
trace -n "Reading pinned nixpkgs-check-by-name version from pinned-version.txt.. "
toolVersion=$(<"$tmp/merged/pkgs/test/check-by-name/pinned-version.txt")
trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
trace -e "\e[34m$toolVersion\e[0m"
trace -n "Building tool.. "
nix-build https://github.com/NixOS/nixpkgs-check-by-name/tarball/"$toolVersion" -o "$tmp/tool" -A build
trace "Running nixpkgs-check-by-name.."
"$tmp/tool/bin/nixpkgs-check-by-name" --base "$tmp/base" "$tmp/merged"
nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build
trace "Running nixpkgs-vet.."
"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"

View file

@ -1,6 +1,6 @@
#! /usr/bin/env nix-shell
#! nix-shell -p "haskellPackages.ghcWithPackages (p: [p.aeson p.req])"
#! nix-shell -p hydra-unstable
#! nix-shell -p hydra
#! nix-shell -i runhaskell
{-

View file

@ -63,6 +63,7 @@ sed -r \
-e '/ language-nix /d' \
-e '/ hackage-db /d' \
-e '/ cabal-install /d' \
-e '/ cabal-install-solver /d' \
-e '/ lsp /d' \
-e '/ lsp-types /d' \
-e '/ lsp-test /d' \

View file

@ -73,6 +73,9 @@ OK_MISSING_BY_PACKAGE = {
"kwin": {
"display-info", # newer versions identify as libdisplay-info
},
"libksysguard": {
"Libcap", # used to call setcap at build time and nothing else
},
"mlt": {
"Qt5", # intentionally disabled
"SWIG",
@ -88,6 +91,9 @@ OK_MISSING_BY_PACKAGE = {
"powerdevil": {
"DDCUtil", # cursed, intentionally disabled
},
"print-manager": {
"PackageKitQt6", # used for auto-installing drivers which does not work for obvious reasons
},
"pulseaudio-qt": {
"Qt6Qml", # tests only
"Qt6Quick",

View file

@ -75,7 +75,7 @@ def main(set: str, version: str, nixpkgs: pathlib.Path, sources_url: Optional[st
"gear": "releases",
"plasma": "plasma",
}[set]
sources_url = f"https://kde.org/info/sources/source-{set_url}-{version}.html"
sources_url = f"https://kde.org/info/sources/source-{set_url}-{version}/"
sources = httpx.get(sources_url)
sources.raise_for_status()

View file

@ -45,6 +45,7 @@ lpeglabel,,,,1.6.0,,
lrexlib-gnu,,,,,,
lrexlib-pcre,,,,,,vyp
lrexlib-posix,,,,,,
lsp-progress.nvim,,,,,,gepbird
lua-cjson,,,,,,
lua-cmsgpack,,,,,,
lua-curl,,,,,,
@ -84,6 +85,7 @@ luarepl,,,,,,
luarocks,,,,,,mrcjkb teto
luarocks-build-rust-mlua,,,,,,mrcjkb
luarocks-build-treesitter-parser,,,,,,mrcjkb
luarocks-build-treesitter-parser-cpp,,,,,,mrcjkb
luasec,,,,,,flosse
luasnip,,,,,,
luasocket,,,,,,
@ -103,6 +105,8 @@ luv,,,,1.48.0-2,,
lush.nvim,,,https://luarocks.org/dev,,,teto
lyaml,,,,,,lblasc
lz.n,,,,,,mrcjkb
lze,,,,,,birdee
lzn-auto-require,,,,,,mrcjkb
magick,,,,,5.1,donovanglover
markdown,,,,,,
mediator_lua,,,,,,

1 name rockspec ref server version luaversion maintainers
45 lrexlib-gnu
46 lrexlib-pcre vyp
47 lrexlib-posix
48 lsp-progress.nvim gepbird
49 lua-cjson
50 lua-cmsgpack
51 lua-curl
85 luarocks mrcjkb teto
86 luarocks-build-rust-mlua mrcjkb
87 luarocks-build-treesitter-parser mrcjkb
88 luarocks-build-treesitter-parser-cpp mrcjkb
89 luasec flosse
90 luasnip
91 luasocket
105 lush.nvim https://luarocks.org/dev teto
106 lyaml lblasc
107 lz.n mrcjkb
108 lze birdee
109 lzn-auto-require mrcjkb
110 magick 5.1 donovanglover
111 markdown
112 mediator_lua

View file

@ -791,6 +791,11 @@ def update_plugins(editor: Editor, args):
All input arguments are grouped in the `Editor`."""
log.info("Start updating plugins")
if args.proc > 1 and args.github_token == None:
log.warning("You have enabled parallel updates but haven't set a github token.\n"
"You may be hit with `HTTP Error 429: too many requests` as a consequence."
"Either set --proc=1 or --github-token=YOUR_TOKEN. ")
fetch_config = FetchConfig(args.proc, args.github_token)
update = editor.get_update(args.input_file, args.outfile, fetch_config)

View file

@ -1,13 +1,13 @@
#!/usr/bin/env nix-shell
#! nix-shell -i "python3 -I" -p "python3.withPackages(p: with p; [ rich structlog ])"
from abc import ABC, abstractclassmethod, abstractmethod
from abc import ABC, abstractmethod
from contextlib import contextmanager
from pathlib import Path
from structlog.contextvars import bound_contextvars as log_context
from typing import ClassVar, List, Tuple
import hashlib, re, structlog
import hashlib, logging, re, structlog
logger = structlog.getLogger("sha-to-SRI")
@ -26,10 +26,11 @@ class Encoding(ABC):
assert len(digest) == self.n
from base64 import b64encode
return f"{self.hashName}-{b64encode(digest).decode()}"
@classmethod
def all(cls, h) -> 'List[Encoding]':
def all(cls, h) -> "List[Encoding]":
return [c(h) for c in cls.__subclasses__()]
def __init__(self, h):
@ -38,16 +39,14 @@ class Encoding(ABC):
@property
@abstractmethod
def length(self) -> int:
...
def length(self) -> int: ...
@property
def regex(self) -> str:
return f"[{self.alphabet}]{{{self.length}}}"
@abstractmethod
def decode(self, s: str) -> bytes:
...
def decode(self, s: str) -> bytes: ...
class Nix32(Encoding):
@ -57,15 +56,15 @@ class Nix32(Encoding):
@property
def length(self):
return 1 + (8 * self.n) // 5
def decode(self, s: str):
assert len(s) == self.length
out = [ 0 for _ in range(self.n) ]
# TODO: Do better than a list of byte-sized ints
out = bytearray(self.n)
for n, c in enumerate(reversed(s)):
digit = self.inverted[c]
i, j = divmod(5 * n, 8)
out[i] = out[i] | (digit << j) & 0xff
out[i] = out[i] | (digit << j) & 0xFF
rem = digit >> (8 - j)
if rem == 0:
continue
@ -76,16 +75,20 @@ class Nix32(Encoding):
return bytes(out)
class Hex(Encoding):
alphabet = "0-9A-Fa-f"
@property
def length(self):
return 2 * self.n
def decode(self, s: str):
from binascii import unhexlify
return unhexlify(s)
class Base64(Encoding):
alphabet = "A-Za-z0-9+/"
@ -94,36 +97,39 @@ class Base64(Encoding):
"""Number of characters in data and padding."""
i, k = divmod(self.n, 3)
return 4 * i + (0 if k == 0 else k + 1), (3 - k) % 3
@property
def length(self):
return sum(self.format)
@property
def regex(self):
data, padding = self.format
return f"[{self.alphabet}]{{{data}}}={{{padding}}}"
def decode(self, s):
from base64 import b64decode
return b64decode(s, validate = True)
_HASHES = (hashlib.new(n) for n in ('SHA-256', 'SHA-512'))
ENCODINGS = {
h.name: Encoding.all(h)
for h in _HASHES
}
_HASHES = (hashlib.new(n) for n in ("SHA-256", "SHA-512"))
ENCODINGS = {h.name: Encoding.all(h) for h in _HASHES}
RE = {
h: "|".join(
(f"({h}-)?" if e.name == 'base64' else '') +
f"(?P<{h}_{e.name}>{e.regex})"
(f"({h}-)?" if e.name == "base64" else "") + f"(?P<{h}_{e.name}>{e.regex})"
for e in encodings
) for h, encodings in ENCODINGS.items()
)
for h, encodings in ENCODINGS.items()
}
_DEF_RE = re.compile("|".join(
_DEF_RE = re.compile(
"|".join(
f"(?P<{h}>{h} = (?P<{h}_quote>['\"])({re})(?P={h}_quote);)"
for h, re in RE.items()
))
)
)
def defToSRI(s: str) -> str:
@ -153,7 +159,7 @@ def defToSRI(s: str) -> str:
@contextmanager
def atomicFileUpdate(target: Path):
'''Atomically replace the contents of a file.
"""Atomically replace the contents of a file.
Guarantees that no temporary files are left behind, and `target` is either
left untouched, or overwritten with new content if no exception was raised.
@ -164,18 +170,20 @@ def atomicFileUpdate(target: Path):
Upon exiting the context, the files are closed; if no exception was
raised, `new` (atomically) replaces the `target`, otherwise it is deleted.
'''
"""
# That's mostly copied from noto-emoji.py, should DRY it out
from tempfile import mkstemp
fd, _p = mkstemp(
dir = target.parent,
prefix = target.name,
)
tmpPath = Path(_p)
from tempfile import NamedTemporaryFile
try:
with target.open() as original:
with tmpPath.open('w') as new:
with NamedTemporaryFile(
dir = target.parent,
prefix = target.stem,
suffix = target.suffix,
delete = False,
mode="w", # otherwise the file would be opened in binary mode by default
) as new:
tmpPath = Path(new.name)
yield (original, new)
tmpPath.replace(target)
@ -192,33 +200,31 @@ def fileToSRI(p: Path):
new.write(defToSRI(line))
_SKIP_RE = re.compile(
"(generated by)|(do not edit)",
re.IGNORECASE
)
_SKIP_RE = re.compile("(generated by)|(do not edit)", re.IGNORECASE)
_IGNORE = frozenset({
"gemset.nix",
"yarn.nix",
})
if __name__ == "__main__":
from sys import argv, stderr
from sys import argv
logger.info("Starting!")
for arg in argv[1:]:
p = Path(arg)
with log_context(path=str(p)):
def handleFile(p: Path, skipLevel = logging.INFO):
with log_context(file = str(p)):
try:
if p.name == "yarn.nix" or p.name.find("generated") != -1:
logger.warning("File looks autogenerated, skipping!")
continue
with p.open() as f:
for line in f:
if line.strip():
break
if _SKIP_RE.search(line):
logger.warning("File looks autogenerated, skipping!")
continue
logger.log(skipLevel, "File looks autogenerated, skipping!")
return
fileToSRI(p)
except Exception as exn:
logger.error(
"Unhandled exception, skipping file!",
@ -226,3 +232,19 @@ if __name__ == "__main__":
)
else:
logger.info("Finished processing file")
for arg in argv[1:]:
p = Path(arg)
with log_context(arg = arg):
if p.is_file():
handleFile(p, skipLevel = logging.WARNING)
elif p.is_dir():
logger.info("Recursing into directory")
for q in p.glob("**/*.nix"):
if q.is_file():
if q.name in _IGNORE or q.name.find("generated") != -1:
logger.info("File looks autogenerated, skipping!")
continue
handleFile(q)

View file

@ -9,15 +9,15 @@
infrastructure. Regular updates should be done through the individual packages
update scripts.
*/
{ startWith ? null }:
let
pkgs = import ../.. {};
pkgs = import ../.. { config.allowAliases = false; };
inherit (pkgs) lib;
packagesWith = cond: pkgs:
let
packagesWithInner = attrs:
lib.unique (
lib.concatLists (
lib.mapAttrsToList (name: elem:
let
@ -33,12 +33,16 @@ let
if lib.isAttrs value && (value.recurseForDerivations or false || value.recurseForRelease or false) then
packagesWithInner value
else []
else []) attrs));
else []) attrs);
in
packagesWithInner pkgs;
packages =
packagesWith (pkgs: pkgs ? fetch-deps) pkgs;
packages = lib.unique
(lib.filter (p:
(builtins.tryEval p.outPath).success ||
builtins.trace "warning: skipping ${p.name} because it failed to evaluate" false)
((pkgs: (lib.drop (lib.lists.findFirstIndex (p: p.name == startWith) 0 pkgs) pkgs))
(packagesWith (p: p ? fetch-deps) pkgs)));
helpText = ''
Please run:

0
third_party/nixpkgs/maintainers/scripts/update.nix vendored Executable file → Normal file
View file

View file

@ -183,6 +183,16 @@ with lib.maintainers;
githubTeams = [ "cuda-maintainers" ];
};
cyberus = {
# Verify additions by approval of an already existing member of the team.
members = [
xanderio
blitz
];
scope = "Team for Cyberus Technology employees who collectively maintain packages.";
shortName = "Cyberus Technology employees";
};
darwin = {
members = [ toonn ];
githubTeams = [ "darwin-maintainers" ];
@ -315,6 +325,7 @@ with lib.maintainers;
leona
osnyx
ma27
laalsaas
];
scope = "Team for Flying Circus employees who collectively maintain packages.";
shortName = "Flying Circus employees";
@ -504,10 +515,10 @@ with lib.maintainers;
githubTeams = [ "k3s" ];
members = [
euank
frederictobiasc
marcusramberg
mic92
rorosen
superherointj
wrmilling
yajo
];
@ -752,6 +763,7 @@ with lib.maintainers;
members = [
SuperSandro2000
anthonyroussel
vinetos
];
scope = "Maintain the ecosystem around OpenStack";
shortName = "OpenStack";
@ -780,7 +792,11 @@ with lib.maintainers;
};
perl = {
members = [ sgo ];
members = [
sgo
marcusramberg
zakame
];
scope = "Maintain the Perl interpreter and Perl packages.";
shortName = "Perl";
enableFeatureFreezePing = true;
@ -936,7 +952,6 @@ with lib.maintainers;
steam = {
members = [
atemu
eclairevoyant
k900
mkg20001
];
@ -947,7 +962,6 @@ with lib.maintainers;
stridtech = {
# Verify additions by approval of an already existing member of the team
members = [
superherointj
ulrikstrid
];
scope = "Group registration for Strid Tech AB team members who collectively maintain packages";

View file

@ -1,11 +1,5 @@
# Perlless {#sec-perlless}
::: {.warning}
If you enable this profile, you will NOT be able to switch to a new
configuration and thus you will not be able to rebuild your system with
nixos-rebuild!
:::
Render your system completely perlless (i.e. without the perl interpreter). This
includes a mechanism so that your build fails if it contains a Nix store path
that references the string "perl".

View file

@ -12,12 +12,12 @@ By default, root logins using a password are disallowed. They can be
disabled entirely by setting
[](#opt-services.openssh.settings.PermitRootLogin) to `"no"`.
You can declaratively specify authorised RSA/DSA public keys for a user
You can declaratively specify authorised public keys for a user
as follows:
```nix
{
users.users.alice.openssh.authorizedKeys.keys =
[ "ssh-dss AAAAB3NzaC1kc3MAAACBAPIkGWVEt4..." ];
[ "ssh-ed25519 AAAAB3NzaC1kc3MAAACBAPIkGWVEt4..." ];
}
```

View file

@ -100,6 +100,9 @@ modified using `usermod`. Unix groups can be managed using `groupadd`,
::: {.note}
This is experimental.
Please consider using [Userborn](#sec-userborn) over systemd-sysusers as it's
more feature complete.
:::
Instead of using a custom perl script to create users and groups, you can use
@ -112,3 +115,43 @@ systemd-sysusers:
```
The primary benefit of this is to remove a dependency on perl.
## Manage users and groups with `userborn` {#sec-userborn}
::: {.note}
This is experimental.
:::
Like systemd-sysusers, Userborn adoesn't depend on Perl but offers some more
advantages over systemd-sysusers:
1. It can create "normal" users (with a GID >= 1000).
2. It can update some information about users. Most notably it can update their
passwords.
3. It will warn when users use an insecure or unsupported password hashing
scheme.
Userborn is the recommended way to manage users if you don't want to rely on
the Perl script. It aims to eventually replace the Perl script by default.
You can enable Userborn via:
```nix
services.userborn.enable = true;
```
You can configure Userborn to store the password files
(`/etc/{group,passwd,shadow}`) outside of `/etc` and symlink them from this
location to `/etc`:
```nix
services.userborn.passwordFilesLocation = "/persistent/etc";
```
This is useful when you store `/etc` on a `tmpfs` or if `/etc` is immutable
(e.g. when using `system.etc.overlay.mutable = false;`). In the latter case the
original files are by default stored in `/var/lib/nixos`.
Userborn implements immutable users by re-mounting the password files
read-only. This means that unlike when using the Perl script, trying to add a
new user (e.g. via `useradd`) will fail right away.

Some files were not shown because too many files have changed in this diff Show more