Project import generated by Copybara.

GitOrigin-RevId: 23cd13167a1432550e48734079c2ffeeb441fb96
Default email 2021-07-15 00:03:04 +02:00
parent 1557066375
commit 3b21d1e521
1044 changed files with 38066 additions and 10869 deletions

View file

@ -3,7 +3,7 @@
- Thanks for your contribution! - Thanks for your contribution!
- To remove the stale label, just leave a new comment. - To remove the stale label, just leave a new comment.
- _How to find the right people to ping?_ → [`git blame`](https://git-scm.com/docs/git-blame) to the rescue! (or GitHub's history and blame buttons.) - _How to find the right people to ping?_ → [`git blame`](https://git-scm.com/docs/git-blame) to the rescue! (or GitHub's history and blame buttons.)
- You can always ask for help on [our Discourse Forum](https://discourse.nixos.org/) or on the [#nixos IRC channel](https://webchat.freenode.net/#nixos). - You can always ask for help on [our Discourse Forum](https://discourse.nixos.org/), [our Matrix room](https://matrix.to/#/#nix:nixos.org), or on the [#nixos IRC channel](https://web.libera.chat/#nixos).
## Suggestions for PRs ## Suggestions for PRs

View file

@ -0,0 +1,20 @@
name: Basic evaluation checks
on:
pull_request:
branches:
- master
- release-**
push:
branches:
- master
- release-**
jobs:
tests:
runs-on: ubuntu-latest
# we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
steps:
- uses: actions/checkout@v2
- uses: cachix/install-nix-action@v13
# explicit list of supportedSystems is needed until aarch64-darwin becomes part of the trunk jobset
- run: nix-build pkgs/top-level/release.nix -A tarball.nixpkgs-basic-release-checks --arg supportedSystems '[ "aarch64-darwin" "aarch64-linux" "x86_64-linux" "x86_64-darwin" ]'
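
Review bot: Both `uses:` steps reference third-party actions by mutable tag (`actions/checkout@v2`, `cachix/install-nix-action@v13`), and the workflow declares no `permissions:` block, so `push` runs get the repository's default `GITHUB_TOKEN` scope while evaluating Nix code. Pin each action to a full commit SHA and add a top-level `permissions:` with `contents: read`, since the job only checks out and evaluates.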

View file

@ -41,7 +41,7 @@ weechat.override {
configure = { availablePlugins, ... }: { configure = { availablePlugins, ... }: {
init = '' init = ''
/set foo bar /set foo bar
/server add freenode chat.freenode.org /server add libera irc.libera.chat
''; '';
}; };
} }
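
Review bot: The replacement `/server add libera irc.libera.chat` line in the `init` example still sets up a plaintext connection with no port given. This is the snippet users will copy, so consider showing the TLS endpoint (port 6697 with TLS enabled) instead.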

View file

@ -1125,9 +1125,13 @@ There are flags available to harden packages at compile or link-time. These can
Both parameters take a list of flags as strings. The special `"all"` flag can be passed to `hardeningDisable` to turn off all hardening. These flags can also be used as environment variables for testing or development purposes. Both parameters take a list of flags as strings. The special `"all"` flag can be passed to `hardeningDisable` to turn off all hardening. These flags can also be used as environment variables for testing or development purposes.
For more in-depth information on these hardening flags and hardening in general, refer to the [Debian Wiki](https://wiki.debian.org/Hardening), [Ubuntu Wiki](https://wiki.ubuntu.com/Security/Features), [Gentoo Wiki](https://wiki.gentoo.org/wiki/Project:Hardened), and the [Arch Wiki](https://wiki.archlinux.org/title/Security).
### Hardening flags enabled by default {#sec-hardening-flags-enabled-by-default}
The following flags are enabled by default and might require disabling with `hardeningDisable` if the program to package is incompatible. The following flags are enabled by default and might require disabling with `hardeningDisable` if the program to package is incompatible.
### `format` {#format} #### `format` {#format}
Adds the `-Wformat -Wformat-security -Werror=format-security` compiler options. At present, this warns about calls to `printf` and `scanf` functions where the format string is not a string literal and there are no format arguments, as in `printf(foo);`. This may be a security hole if the format string came from untrusted input and contains `%n`. Adds the `-Wformat -Wformat-security -Werror=format-security` compiler options. At present, this warns about calls to `printf` and `scanf` functions where the format string is not a string literal and there are no format arguments, as in `printf(foo);`. This may be a security hole if the format string came from untrusted input and contains `%n`.
@ -1140,7 +1144,7 @@ This needs to be turned off or fixed for errors similar to:
cc1plus: some warnings being treated as errors cc1plus: some warnings being treated as errors
``` ```
### `stackprotector` {#stackprotector} #### `stackprotector` {#stackprotector}
Adds the `-fstack-protector-strong --param ssp-buffer-size=4` compiler options. This adds safety checks against stack overwrites rendering many potential code injection attacks into aborting situations. In the best case this turns code injection vulnerabilities into denial of service or into non-issues (depending on the application). Adds the `-fstack-protector-strong --param ssp-buffer-size=4` compiler options. This adds safety checks against stack overwrites rendering many potential code injection attacks into aborting situations. In the best case this turns code injection vulnerabilities into denial of service or into non-issues (depending on the application).
@ -1151,7 +1155,7 @@ bin/blib.a(bios_console.o): In function `bios_handle_cup':
/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail' /tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'
``` ```
### `fortify` {#fortify} #### `fortify` {#fortify}
Adds the `-O2 -D_FORTIFY_SOURCE=2` compiler options. During code generation the compiler knows a great deal of information about buffer sizes (where possible), and attempts to replace insecure unlimited length buffer function calls with length-limited ones. This is especially useful for old, crufty code. Additionally, format strings in writable memory that contain `%n` are blocked. If an application depends on such a format string, it will need to be worked around. Adds the `-O2 -D_FORTIFY_SOURCE=2` compiler options. During code generation the compiler knows a great deal of information about buffer sizes (where possible), and attempts to replace insecure unlimited length buffer function calls with length-limited ones. This is especially useful for old, crufty code. Additionally, format strings in writable memory that contain `%n` are blocked. If an application depends on such a format string, it will need to be worked around.
@ -1172,7 +1176,7 @@ installwatch.c:3751:5: error: conflicting types for '__open_2'
fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
``` ```
### `pic` {#pic} #### `pic` {#pic}
Adds the `-fPIC` compiler options. This options adds support for position independent code in shared libraries and thus making ASLR possible. Adds the `-fPIC` compiler options. This options adds support for position independent code in shared libraries and thus making ASLR possible.
@ -1185,19 +1189,19 @@ ccbLfRgg.s: Assembler messages:
ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF' ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF'
``` ```
### `strictoverflow` {#strictoverflow} #### `strictoverflow` {#strictoverflow}
Signed integer overflow is undefined behaviour according to the C standard. If it happens, it is an error in the program as it should check for overflow before it can happen, not afterwards. GCC provides built-in functions to perform arithmetic with overflow checking, which are correct and faster than any custom implementation. As a workaround, the option `-fno-strict-overflow` makes gcc behave as if signed integer overflows were defined. Signed integer overflow is undefined behaviour according to the C standard. If it happens, it is an error in the program as it should check for overflow before it can happen, not afterwards. GCC provides built-in functions to perform arithmetic with overflow checking, which are correct and faster than any custom implementation. As a workaround, the option `-fno-strict-overflow` makes gcc behave as if signed integer overflows were defined.
This flag should not trigger any build or runtime errors. This flag should not trigger any build or runtime errors.
### `relro` {#relro} #### `relro` {#relro}
Adds the `-z relro` linker option. During program load, several ELF memory sections need to be written to by the linker, but can be turned read-only before turning over control to the program. This prevents some GOT (and .dtors) overwrite attacks, but at least the part of the GOT used by the dynamic linker (.got.plt) is still vulnerable. Adds the `-z relro` linker option. During program load, several ELF memory sections need to be written to by the linker, but can be turned read-only before turning over control to the program. This prevents some GOT (and .dtors) overwrite attacks, but at least the part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.
This flag can break dynamic shared object loading. For instance, the module systems of Xorg and OpenCV are incompatible with this flag. In almost all cases the `bindnow` flag must also be disabled and incompatible programs typically fail with similar errors at runtime. This flag can break dynamic shared object loading. For instance, the module systems of Xorg and OpenCV are incompatible with this flag. In almost all cases the `bindnow` flag must also be disabled and incompatible programs typically fail with similar errors at runtime.
### `bindnow` {#bindnow} #### `bindnow` {#bindnow}
Adds the `-z bindnow` linker option. During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to `relro`). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldnt be an issue for daemons. Adds the `-z bindnow` linker option. During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to `relro`). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldnt be an issue for daemons.
@ -1207,13 +1211,18 @@ This flag can break dynamic shared object loading. For instance, the module syst
intel_drv.so: undefined symbol: vgaHWFreeHWRec intel_drv.so: undefined symbol: vgaHWFreeHWRec
``` ```
### Hardening flags disabled by default {#sec-hardening-flags-disabled-by-default}
The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services. The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services.
### `pie` {#pie} #### `pie` {#pie}
This flag is disabled by default for normal `glibc` based NixOS package builds, but enabled by default for `musl` based package builds.
Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by modern kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this with the `pic` flag, so they gain ASLR automatically, but binary .text regions need to be build with `pie` to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack. Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by modern kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this with the `pic` flag, so they gain ASLR automatically, but binary .text regions need to be build with `pie` to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.
For more in-depth information on these hardening flags and hardening in general, refer to the [Debian Wiki](https://wiki.debian.org/Hardening), [Ubuntu Wiki](https://wiki.ubuntu.com/Security/Features), [Gentoo Wiki](https://wiki.gentoo.org/wiki/Project:Hardened), and the [Arch Wiki](https://wiki.archlinux.org/index.php/DeveloperWiki:Security). Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.
[^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation. [^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation.
[^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`. [^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`.
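
Review bot: The sentence added under `pie` says the flag is enabled by default for `musl` builds, which contradicts the unchanged section intro just above it ("The following flags are disabled by default"); qualify the intro or the new section heading as applying to `glibc` builds. The new static-library paragraph also quotes the linker error only as `recompile with -fPIE`, whereas the other flags in this file show the full error text in a fenced block, which is easier to search for.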

View file

@ -47,8 +47,20 @@
}) })
]; ];
})).config; })).config;
moduleDeclarationFile =
(builtins.unsafeGetAttrPos "modules" args).file;
# Add the invoking file as error message location for modules
# that don't have their own locations; presumably inline modules.
addModuleDeclarationFile =
m: {
_file = moduleDeclarationFile;
imports = [ m ];
};
in in
modules ++ [ map addModuleDeclarationFile modules ++ [
{ {
system.nixos.versionSuffix = system.nixos.versionSuffix =
".${final.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}.${self.shortRev or "dirty"}"; ".${final.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}.${self.shortRev or "dirty"}";
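
Review bot: `(builtins.unsafeGetAttrPos "modules" args).file` assumes a position is always available, but `unsafeGetAttrPos` returns `null` when the evaluator has no position for the attribute (for example when `args` is built with `builtins.listToAttrs`), and selecting `.file` from `null` fails as soon as `_file` is forced. Bind the result and use `if pos == null then null else pos.file`, and only wrap the modules with `_file` when it is non-null.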

View file

@ -116,7 +116,7 @@ let
pushDownProperties dischargeProperties filterOverrides pushDownProperties dischargeProperties filterOverrides
sortProperties fixupOptionType mkIf mkAssert mkMerge mkOverride sortProperties fixupOptionType mkIf mkAssert mkMerge mkOverride
mkOptionDefault mkDefault mkForce mkVMOverride mkOptionDefault mkDefault mkForce mkVMOverride
mkOrder mkBefore mkAfter mkAliasDefinitions mkFixStrictness mkOrder mkBefore mkAfter mkAliasDefinitions
mkAliasAndWrapDefinitions fixMergeModules mkRemovedOptionModule mkAliasAndWrapDefinitions fixMergeModules mkRemovedOptionModule
mkRenamedOptionModule mkMergedOptionModule mkChangedOptionModule mkRenamedOptionModule mkMergedOptionModule mkChangedOptionModule
mkAliasOptionModule doRename; mkAliasOptionModule doRename;

View file

@ -713,6 +713,8 @@ rec {
mkForce = mkOverride 50; mkForce = mkOverride 50;
mkVMOverride = mkOverride 10; # used by nixos-rebuild build-vm mkVMOverride = mkOverride 10; # used by nixos-rebuild build-vm
mkFixStrictness = lib.warn "lib.mkFixStrictness has no effect and will be removed. It returns its argument unmodified, so you can just remove any calls." id;
mkOrder = priority: content: mkOrder = priority: content:
{ _type = "order"; { _type = "order";
inherit priority content; inherit priority content;
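
Review bot: The warning text on the added `mkFixStrictness` line tells users that `lib.mkFixStrictness` "will be removed", but the previous hunk in this commit already drops `mkFixStrictness` from the list of inherited module helpers. If that list is what exposes the name under `lib`, callers get an undefined-attribute error and never see the warning; keep the name in the list until the definition itself is deleted.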

View file

@ -95,7 +95,7 @@ rec {
result with the specified separator interspersed between result with the specified separator interspersed between
elements. elements.
Type: concatMapStringsSep :: string -> (string -> string) -> [string] -> string Type: concatMapStringsSep :: string -> (a -> string) -> [a] -> string
Example: Example:
concatMapStringsSep "-" (x: toUpper x) ["foo" "bar" "baz"] concatMapStringsSep "-" (x: toUpper x) ["foo" "bar" "baz"]
@ -112,7 +112,7 @@ rec {
/* Same as `concatMapStringsSep`, but the mapping function /* Same as `concatMapStringsSep`, but the mapping function
additionally receives the position of its argument. additionally receives the position of its argument.
Type: concatIMapStringsSep :: string -> (int -> string -> string) -> [string] -> string Type: concatIMapStringsSep :: string -> (int -> a -> string) -> [a] -> string
Example: Example:
concatImapStringsSep "-" (pos: x: toString (x / pos)) [ 6 6 6 ] concatImapStringsSep "-" (pos: x: toString (x / pos)) [ 6 6 6 ]
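
Review bot: The `Type:` line edited in the second hunk names the function `concatIMapStringsSep`, while the example directly below it calls `concatImapStringsSep`. Since the signature line is being touched anyway, fix the casing so the documented name matches the one users have to type.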

View file

@ -680,6 +680,12 @@
githubId = 11699655; githubId = 11699655;
name = "Stanislas Lange"; name = "Stanislas Lange";
}; };
angustrau = {
name = "Angus Trau";
email = "nix@angus.ws";
github = "angustrau";
githubId = 13267947;
};
anhdle14 = { anhdle14 = {
name = "Le Anh Duc"; name = "Le Anh Duc";
email = "anhdle14@icloud.com"; email = "anhdle14@icloud.com";
@ -1731,6 +1737,12 @@
githubId = 977929; githubId = 977929;
name = "Cody Allen"; name = "Cody Allen";
}; };
centromere = {
email = "nix@centromere.net";
github = "centromere";
githubId = 543423;
name = "Alex Wied";
};
cfouche = { cfouche = {
email = "chaddai.fouche@gmail.com"; email = "chaddai.fouche@gmail.com";
github = "Chaddai"; github = "Chaddai";
@ -1915,6 +1927,16 @@
githubId = 3956062; githubId = 3956062;
name = "Simon Lackerbauer"; name = "Simon Lackerbauer";
}; };
citadelcore = {
email = "alex@arctarus.co.uk";
github = "citadelcore";
githubId = 5567402;
name = "Alex Zero";
keys = [{
longkeyid = "rsa4096/0xA51550EDB450302C";
fingerprint = "A0AA 4646 B8F6 9D45 4553 5A88 A515 50ED B450 302C";
}];
};
cizra = { cizra = {
email = "todurov+nix@gmail.com"; email = "todurov+nix@gmail.com";
github = "cizra"; github = "cizra";
@ -2549,6 +2571,12 @@
githubId = 4708206; githubId = 4708206;
name = "Daniel Fox Franke"; name = "Daniel Fox Franke";
}; };
dgliwka = {
email = "dawid.gliwka@gmail.com";
github = "dgliwka";
githubId = 33262214;
name = "Dawid Gliwka";
};
dgonyeo = { dgonyeo = {
email = "derek@gonyeo.com"; email = "derek@gonyeo.com";
github = "dgonyeo"; github = "dgonyeo";
@ -3093,6 +3121,12 @@
githubId = 57923898; githubId = 57923898;
name = "Elyhaka"; name = "Elyhaka";
}; };
em0lar = {
email = "nix@em0lar.dev";
github = "em0lar";
githubId = 11006031;
name = "Leo Maroni";
};
emmanuelrosa = { emmanuelrosa = {
email = "emmanuel_rosa@aol.com"; email = "emmanuel_rosa@aol.com";
github = "emmanuelrosa"; github = "emmanuelrosa";
@ -4627,6 +4661,12 @@
githubId = 6874204; githubId = 6874204;
name = "Jason Carr"; name = "Jason Carr";
}; };
j-brn = {
email = "me@bricker.io";
github = "j-brn";
githubId = 40566146;
name = "Jonas Braun";
};
j-keck = { j-keck = {
email = "jhyphenkeck@gmail.com"; email = "jhyphenkeck@gmail.com";
github = "j-keck"; github = "j-keck";
@ -5428,6 +5468,16 @@
githubId = 788813; githubId = 788813;
name = "Bryan Gardiner"; name = "Bryan Gardiner";
}; };
khushraj = {
email = "khushraj.rathod@gmail.com";
github = "KhushrajRathod";
githubId = 44947946;
name = "Khushraj Rathod";
keys = [{
longkeyid = "rsa2048/0xB77B2A40E7702F19";
fingerprint = "1988 3FD8 EA2E B4EC 0A93 1E22 B77B 2A40 E770 2F19";
}];
};
KibaFox = { KibaFox = {
email = "kiba.fox@foxypossibilities.com"; email = "kiba.fox@foxypossibilities.com";
github = "KibaFox"; github = "KibaFox";
@ -5639,6 +5689,12 @@
githubId = 735008; githubId = 735008;
name = "Louis Taylor"; name = "Louis Taylor";
}; };
kranzes = {
email = "personal@ilanjoselevich.com";
github = "Kranzes";
githubId = 56614642;
name = "Ilan Joselevich";
};
krav = { krav = {
email = "kristoffer@microdisko.no"; email = "kristoffer@microdisko.no";
github = "krav"; github = "krav";
@ -7474,6 +7530,12 @@
githubId = 1665818; githubId = 1665818;
name = "Philipp Eder"; name = "Philipp Eder";
}; };
nickcao = {
name = "Nick Cao";
email = "nickcao@nichi.co";
github = "NickCao";
githubId = 15247171;
};
nickhu = { nickhu = {
email = "me@nickhu.co.uk"; email = "me@nickhu.co.uk";
github = "nickhu"; github = "nickhu";
@ -7542,6 +7604,16 @@
githubId = 3159451; githubId = 3159451;
name = "Nicolas Schneider"; name = "Nicolas Schneider";
}; };
nkje = {
name = "Niels Kristian Lyshøj Jensen";
email = "n@nk.je";
github = "NKJe";
githubId = 1102306;
keys = [{
longkeyid = "nistp256/0xDE3BADFECD31A89D";
fingerprint = "B956 C6A4 22AF 86A0 8F77 A8CA DE3B ADFE CD31 A89D";
}];
};
nkpvk = { nkpvk = {
email = "niko.pavlinek@gmail.com"; email = "niko.pavlinek@gmail.com";
github = "nkpvk"; github = "nkpvk";
@ -8198,6 +8270,12 @@
githubId = 1179566; githubId = 1179566;
name = "Nicolas B. Pierron"; name = "Nicolas B. Pierron";
}; };
pimeys = {
email = "julius@nauk.io";
github = "pimeys";
githubId = 34967;
name = "Julius de Bruijn";
};
pingiun = { pingiun = {
email = "nixos@pingiun.com"; email = "nixos@pingiun.com";
github = "pingiun"; github = "pingiun";
@ -8470,7 +8548,7 @@
email = "sibi@psibi.in"; email = "sibi@psibi.in";
github = "psibi"; github = "psibi";
githubId = 737477; githubId = 737477;
name = "Sibi"; name = "Sibi Prabakaran";
}; };
pstn = { pstn = {
email = "philipp@xndr.de"; email = "philipp@xndr.de";
@ -9080,6 +9158,12 @@
githubId = 1387224; githubId = 1387224;
name = "Richard Szibele"; name = "Richard Szibele";
}; };
rsynnest = {
email = "contact@rsynnest.com";
github = "rsynnest";
githubId = 4392850;
name = "Roland Synnestvedt";
};
rtburns-jpl = { rtburns-jpl = {
email = "rtburns@jpl.nasa.gov"; email = "rtburns@jpl.nasa.gov";
github = "rtburns-jpl"; github = "rtburns-jpl";
@ -9588,6 +9672,16 @@
githubId = 819413; githubId = 819413;
name = "Benedict Aas"; name = "Benedict Aas";
}; };
shreerammodi = {
name = "Shreeram Modi";
email = "shreerammodi10@gmail.com";
github = "Shrimpram";
githubId = 67710369;
keys = [{
longkeyid = "rsa4096/0x163B16EE76ED24CE";
fingerprint = "EA88 EA07 26E9 6CBF 6365 3966 163B 16EE 76ED 24CE";
}];
};
shyim = { shyim = {
email = "s.sayakci@gmail.com"; email = "s.sayakci@gmail.com";
github = "shyim"; github = "shyim";
@ -9634,6 +9728,12 @@
githubId = 11135311; githubId = 11135311;
name = "Simon Chatterjee"; name = "Simon Chatterjee";
}; };
simonkampe = {
email = "simon.kampe+nix@gmail.com";
github = "simonkampe";
githubId = 254799;
name = "Simon Kämpe";
};
simonvandel = { simonvandel = {
email = "simon.vandel@gmail.com"; email = "simon.vandel@gmail.com";
github = "simonvandel"; github = "simonvandel";
@ -10806,6 +10906,16 @@
githubId = 1607770; githubId = 1607770;
name = "Ulrik Strid"; name = "Ulrik Strid";
}; };
unclechu = {
name = "Viacheslav Lotsmanov";
email = "lotsmanov89@gmail.com";
github = "unclechu";
githubId = 799353;
keys = [{
longkeyid = "rsa4096/0xD276FF7467007335";
fingerprint = "EE59 5E29 BB5B F2B3 5ED2 3F1C D276 FF74 6700 7335";
}];
};
unode = { unode = {
email = "alves.rjc@gmail.com"; email = "alves.rjc@gmail.com";
github = "unode"; github = "unode";
@ -10866,12 +10976,6 @@
github = "deviant"; github = "deviant";
githubId = 68829907; githubId = 68829907;
}; };
va1entin = {
email = "github@valentinsblog.com";
github = "va1entin";
githubId = 31535155;
name = "Valentin Heidelberger";
};
vaibhavsagar = { vaibhavsagar = {
email = "vaibhavsagar@gmail.com"; email = "vaibhavsagar@gmail.com";
github = "vaibhavsagar"; github = "vaibhavsagar";
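
Review bot: Deleting the `va1entin` entry in the last hunk breaks evaluation of any package whose `meta.maintainers` still references `va1entin`, and no such cleanup is visible in this part of the commit. Confirm those references are removed in the same change, or keep the entry.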

View file

@ -133,7 +133,6 @@ with lib.maintainers; {
jitsi = { jitsi = {
members = [ members = [
mmilata
petabyteboy petabyteboy
ryantm ryantm
yuka yuka

View file

@ -20,6 +20,12 @@
PHP now defaults to PHP 8.0, updated from 7.4. PHP now defaults to PHP 8.0, updated from 7.4.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
kOps now defaults to 1.21.0, which uses containerd as the
default runtime.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section xml:id="sec-release-21.11-new-services"> <section xml:id="sec-release-21.11-new-services">
@ -65,6 +71,20 @@
be able to access programmers supported by flashrom. be able to access programmers supported by flashrom.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<link xlink:href="https://vikunja.io">vikunja</link>, a to-do
list app. Available as
<link linkend="opt-services.vikunja.enable">services.vikunja</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://www.snapraid.it/">snapraid</link>, a
backup program for disk arrays. Available as
<link linkend="opt-snapraid.enable">snapraid</link>.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section xml:id="sec-release-21.11-incompatibilities"> <section xml:id="sec-release-21.11-incompatibilities">
@ -342,6 +362,13 @@
release instead of the old 2.7.7 version. release instead of the old 2.7.7 version.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <literal>pulseeffects</literal> package updated to
<link xlink:href="https://github.com/wwmm/easyeffects/releases/tag/v6.0.0">version
4.x</link> and renamed to <literal>easyeffects</literal>.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The <literal>libwnck</literal> package now defaults to the 3.x The <literal>libwnck</literal> package now defaults to the 3.x
@ -459,6 +486,16 @@
</itemizedlist> </itemizedlist>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>yggdrasil</literal> was upgraded to a new major
release with breaking changes, see
<link xlink:href="https://github.com/yggdrasil-network/yggdrasil-go/releases/tag/v0.4.0">upstream
changelog</link>.
</para>
</listitem>
</itemizedlist>
</section> </section>
<section xml:id="sec-release-21.11-notable-changes"> <section xml:id="sec-release-21.11-notable-changes">
<title>Other Notable Changes</title> <title>Other Notable Changes</title>
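
Review bot: The `yggdrasil` entry is added as its own `<itemizedlist spacing="compact">` after the section's existing list has closed, rather than as a `<listitem>` inside that list, so it renders as a separate list. If this file is generated, the likely cause is the bullet marker in the Markdown source (`-` for this entry versus `*` on neighbouring entries); use one marker consistently.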
@ -493,6 +530,14 @@
<literal>rxvt-unicode</literal> explicitly. <literal>rxvt-unicode</literal> explicitly.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <literal>claws-mail</literal> package now references the
new GTK+ 3 release branch, major version 4. To use the GTK+ 2
releases, one can install the
<literal>claws-mail-gtk2</literal> package.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
</section> </section>

View file

@ -446,8 +446,8 @@
password for the <literal>root</literal> user, e.g. password for the <literal>root</literal> user, e.g.
<screen> <screen>
setting root password... setting root password...
Enter new UNIX password: *** New password: ***
Retype new UNIX password: ***</screen> Retype new password: ***</screen>
<note> <note>
<para> <para>
For unattended installations, it is possible to use For unattended installations, it is possible to use

View file

@ -108,7 +108,23 @@
</arg> </arg>
</group> <replaceable>name</replaceable> </group> <replaceable>name</replaceable>
</arg> </arg>
<sbr /> <sbr />
<arg>
<option>--build-host</option> <replaceable>host</replaceable>
</arg>
<arg>
<option>--target-host</option> <replaceable>host</replaceable>
</arg>
<arg>
<option>--use-remote-sudo</option>
</arg>
<sbr />
<arg> <arg>
<option>--show-trace</option> <option>--show-trace</option>
</arg> </arg>

View file

@ -18,12 +18,13 @@
<para> <para>
If you encounter problems, please report them on the If you encounter problems, please report them on the
<literal <literal
xlink:href="https://discourse.nixos.org">Discourse</literal> or xlink:href="https://discourse.nixos.org">Discourse</literal>,
on the <link the <link
xlink:href="irc://irc.freenode.net/#nixos"> xlink:href="https://matrix.to/#nix:nixos.org">Matrix room</link>,
<literal>#nixos</literal> channel on Freenode</link>, or or on the <link
consider xlink:href="irc://irc.libera.chat/#nixos">
<link <literal>#nixos</literal> channel on Libera.Chat</link>.
Alternatively, consider <link
xlink:href="#chap-contributing"> xlink:href="#chap-contributing">
contributing to this manual</link>. Bugs should be contributing to this manual</link>. Bugs should be
reported in reported in
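
Review bot: The new Matrix link uses `https://matrix.to/#nix:nixos.org`, while the stale-bot text changed earlier in this commit uses `https://matrix.to/#/#nix:nixos.org`. matrix.to expects the `#/` prefix before the room alias, so use the second form here as well.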

View file

@ -7,6 +7,7 @@ In addition to numerous new and upgraded packages, this release has the followin
## Highlights {#sec-release-21.11-highlights} ## Highlights {#sec-release-21.11-highlights}
- PHP now defaults to PHP 8.0, updated from 7.4. - PHP now defaults to PHP 8.0, updated from 7.4.
- kOps now defaults to 1.21.0, which uses containerd as the default runtime.
## New Services {#sec-release-21.11-new-services} ## New Services {#sec-release-21.11-new-services}
@ -20,6 +21,12 @@ In addition to numerous new and upgraded packages, this release has the followin
- Users of flashrom should migrate to [programs.flashrom.enable](options.html#opt-programs.flashrom.enable) and add themselves to the `flashrom` group to be able to access programmers supported by flashrom. - Users of flashrom should migrate to [programs.flashrom.enable](options.html#opt-programs.flashrom.enable) and add themselves to the `flashrom` group to be able to access programmers supported by flashrom.
- [vikunja](https://vikunja.io), a to-do list app. Available as [services.vikunja](#opt-services.vikunja.enable).
- [snapraid](https://www.snapraid.it/), a backup program for disk arrays.
Available as [snapraid](#opt-snapraid.enable).
## Backward Incompatibilities {#sec-release-21.11-incompatibilities} ## Backward Incompatibilities {#sec-release-21.11-incompatibilities}
- The `staticjinja` package has been upgraded from 1.0.4 to 3.0.1 - The `staticjinja` package has been upgraded from 1.0.4 to 3.0.1
@ -84,6 +91,8 @@ In addition to numerous new and upgraded packages, this release has the followin
* The `antlr` package now defaults to the 4.x release instead of the * The `antlr` package now defaults to the 4.x release instead of the
old 2.7.7 version. old 2.7.7 version.
* The `pulseeffects` package updated to [version 4.x](https://github.com/wwmm/easyeffects/releases/tag/v6.0.0) and renamed to `easyeffects`.
* The `libwnck` package now defaults to the 3.x release instead of the * The `libwnck` package now defaults to the 3.x release instead of the
old 2.31.0 version. old 2.31.0 version.
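
Review bot: The added `pulseeffects` entry says "version 4.x" but its link target is the easyeffects `v6.0.0` release tag, so the text and the URL disagree. Correct the version in the link text (the DocBook hunk in this commit carries the same wording) and write "has been updated" to match the neighbouring entries.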
@ -113,6 +122,8 @@ In addition to numerous new and upgraded packages, this release has the followin
* The data directory remains located at `/var/lib/bitwarden_rs`, for backwards compatibility. * The data directory remains located at `/var/lib/bitwarden_rs`, for backwards compatibility.
- `yggdrasil` was upgraded to a new major release with breaking changes, see [upstream changelog](https://github.com/yggdrasil-network/yggdrasil-go/releases/tag/v0.4.0).
## Other Notable Changes {#sec-release-21.11-notable-changes} ## Other Notable Changes {#sec-release-21.11-notable-changes}
- The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets. - The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.
@ -120,3 +131,5 @@ In addition to numerous new and upgraded packages, this release has the followin
However, if [`services.fail2ban.enable`](options.html#opt-services.fail2ban.enable) is `true`, the `fail2ban` will override the verbosity to `"VERBOSE"`, so that `fail2ban` can observe the failed login attempts from the SSH logs. However, if [`services.fail2ban.enable`](options.html#opt-services.fail2ban.enable) is `true`, the `fail2ban` will override the verbosity to `"VERBOSE"`, so that `fail2ban` can observe the failed login attempts from the SSH logs.
- Sway: The terminal emulator `rxvt-unicode` is no longer installed by default via `programs.sway.extraPackages`. The current default configuration uses `alacritty` (and soon `foot`) so this is only an issue when using a customized configuration and not installing `rxvt-unicode` explicitly. - Sway: The terminal emulator `rxvt-unicode` is no longer installed by default via `programs.sway.extraPackages`. The current default configuration uses `alacritty` (and soon `foot`) so this is only an issue when using a customized configuration and not installing `rxvt-unicode` explicitly.
- The `claws-mail` package now references the new GTK+ 3 release branch, major version 4. To use the GTK+ 2 releases, one can install the `claws-mail-gtk2` package.

View file

@ -292,7 +292,12 @@ class Machine:
net_frontend += "," + args["netFrontendArgs"] net_frontend += "," + args["netFrontendArgs"]
start_command = ( start_command = (
"qemu-kvm -m 384 " + net_backend + " " + net_frontend + " $QEMU_OPTS " args.get("qemuBinary", "qemu-kvm")
+ " -m 384 "
+ net_backend
+ " "
+ net_frontend
+ " $QEMU_OPTS "
) )
if "hda" in args: if "hda" in args:
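Review bot: `args.get("qemuBinary", "qemu-kvm")` is concatenated unquoted into a command string that also carries `$QEMU_OPTS`, so the string is evidently meant for a shell, and a binary path containing spaces or shell metacharacters will be split or interpreted. Quote the value (for example with `shlex.quote`) before concatenating it.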

View file

@ -1,11 +1 @@
{lib, stdenv, boost, cmake, pkg-config, nix, ... }: { pkgs, ... }: pkgs.nixos-option
stdenv.mkDerivation rec {
name = "nixos-option";
src = ./.;
nativeBuildInputs = [ cmake pkg-config ];
buildInputs = [ boost nix ];
meta = with lib; {
license = licenses.lgpl2Plus;
maintainers = with maintainers; [ chkno ];
};
}

View file

@ -42,7 +42,7 @@ let
nixos-option = nixos-option =
if lib.versionAtLeast (lib.getVersion config.nix.package) "2.4pre" if lib.versionAtLeast (lib.getVersion config.nix.package) "2.4pre"
then null then null
else pkgs.callPackage ./nixos-option { }; else pkgs.nixos-option;
nixos-version = makeProg { nixos-version = makeProg {
name = "nixos-version"; name = "nixos-version";

View file

@ -388,6 +388,7 @@
./services/hardware/bluetooth.nix ./services/hardware/bluetooth.nix
./services/hardware/bolt.nix ./services/hardware/bolt.nix
./services/hardware/brltty.nix ./services/hardware/brltty.nix
./services/hardware/ddccontrol.nix
./services/hardware/fancontrol.nix ./services/hardware/fancontrol.nix
./services/hardware/freefall.nix ./services/hardware/freefall.nix
./services/hardware/fwupd.nix ./services/hardware/fwupd.nix
@ -847,6 +848,7 @@
./services/networking/ucarp.nix ./services/networking/ucarp.nix
./services/networking/unbound.nix ./services/networking/unbound.nix
./services/networking/unifi.nix ./services/networking/unifi.nix
./services/video/unifi-video.nix
./services/networking/v2ray.nix ./services/networking/v2ray.nix
./services/networking/vsftpd.nix ./services/networking/vsftpd.nix
./services/networking/wakeonlan.nix ./services/networking/wakeonlan.nix
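Review bot: `./services/video/unifi-video.nix` is inserted between `./services/networking/unifi.nix` and `./services/networking/v2ray.nix`, which breaks the path ordering the rest of this list follows. Move it to the `./services/video/` group so that later additions and merges stay predictable.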
@ -968,6 +970,7 @@
./services/web-apps/trilium.nix ./services/web-apps/trilium.nix
./services/web-apps/selfoss.nix ./services/web-apps/selfoss.nix
./services/web-apps/shiori.nix ./services/web-apps/shiori.nix
./services/web-apps/vikunja.nix
./services/web-apps/virtlyst.nix ./services/web-apps/virtlyst.nix
./services/web-apps/wiki-js.nix ./services/web-apps/wiki-js.nix
./services/web-apps/whitebophir.nix ./services/web-apps/whitebophir.nix
@ -1101,6 +1104,7 @@
./tasks/network-interfaces-systemd.nix ./tasks/network-interfaces-systemd.nix
./tasks/network-interfaces-scripted.nix ./tasks/network-interfaces-scripted.nix
./tasks/scsi-link-power-management.nix ./tasks/scsi-link-power-management.nix
./tasks/snapraid.nix
./tasks/swraid.nix ./tasks/swraid.nix
./tasks/trackpoint.nix ./tasks/trackpoint.nix
./tasks/powertop.nix ./tasks/powertop.nix

View file

@ -6,7 +6,7 @@ with lib;
meta.maintainers = pkgs.hamster.meta.maintainers; meta.maintainers = pkgs.hamster.meta.maintainers;
options.programs.hamster.enable = options.programs.hamster.enable =
mkEnableOption "Whether to enable hamster time tracking."; mkEnableOption "hamster, a time tracking program";
config = lib.mkIf config.programs.hamster.enable { config = lib.mkIf config.programs.hamster.enable {
environment.systemPackages = [ pkgs.hamster ]; environment.systemPackages = [ pkgs.hamster ];

View file

@ -124,7 +124,8 @@ in
example = "/run/keys/ssmtp-authpass"; example = "/run/keys/ssmtp-authpass";
description = '' description = ''
Path to a file that contains the password used for SMTP auth. The file Path to a file that contains the password used for SMTP auth. The file
should not contain a trailing newline, if the password does not contain one. should not contain a trailing newline, if the password does not contain one
(e.g. use <command>echo -n "password" > file</command>).
This file should be readable by the users that need to execute ssmtp. This file should be readable by the users that need to execute ssmtp.
''; '';
}; };
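Review bot: the added example `echo -n "password" > file` puts the password on a command line, where it ends up in shell history, and creates the file with whatever umask the calling shell happens to have. Prefer an example that does not take the secret as an argument, and mention setting the file's owner and mode, since the next sentence already depends on who can read it.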

View file

@ -46,6 +46,7 @@ let
serviceConfig = commonServiceConfig // { serviceConfig = commonServiceConfig // {
StateDirectory = "acme/.minica"; StateDirectory = "acme/.minica";
BindPaths = "/var/lib/acme/.minica:/tmp/ca"; BindPaths = "/var/lib/acme/.minica:/tmp/ca";
UMask = 0077;
}; };
# Working directory will be /tmp # Working directory will be /tmp
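Review bot: `UMask = 0077;` is a bare Nix integer literal rather than a string, so what reaches the unit file depends on how that integer is rendered rather than on the text written here. Write it as `UMask = "0077";` to make the octal intent explicit. The same applies to `UMask = 0027;` in the hunk at line 196.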
@ -54,8 +55,6 @@ let
--ca-key ca/key.pem \ --ca-key ca/key.pem \
--ca-cert ca/cert.pem \ --ca-cert ca/cert.pem \
--domains selfsigned.local --domains selfsigned.local
chmod 600 ca/*
''; '';
}; };
@ -196,6 +195,7 @@ let
serviceConfig = commonServiceConfig // { serviceConfig = commonServiceConfig // {
Group = data.group; Group = data.group;
UMask = 0027;
StateDirectory = "acme/${cert}"; StateDirectory = "acme/${cert}";
@ -220,10 +220,12 @@ let
cat cert.pem chain.pem > fullchain.pem cat cert.pem chain.pem > fullchain.pem
cat key.pem fullchain.pem > full.pem cat key.pem fullchain.pem > full.pem
chmod 640 *
# Group might change between runs, re-apply it # Group might change between runs, re-apply it
chown 'acme:${data.group}' * chown 'acme:${data.group}' *
# Default permissions make the files unreadable by group + anon
# Need to be readable by group
chmod 640 *
''; '';
}; };
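Review bot: the new comment says default permissions leave the files unreadable by the group, but if this script runs under the `serviceConfig` that now sets `UMask = 0027`, newly created files keep group read. If the comment refers to files the certificate tool creates with its own restrictive mode, say that; otherwise the comment and the umask disagree. `chmod 640 *` also makes `key.pem` and `full.pem` group-readable along with the public material, which is worth stating as intended in the comment.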
@ -340,8 +342,6 @@ let
fi fi
mv domainhash.txt certificates/ mv domainhash.txt certificates/
chmod 640 certificates/*
chmod -R u=rwX,g=,o= accounts/*
# Group might change between runs, re-apply it # Group might change between runs, re-apply it
chown 'acme:${data.group}' certificates/* chown 'acme:${data.group}' certificates/*
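Review bot: removing `chmod -R u=rwX,g=,o= accounts/*` means the account directory is no longer re-tightened on each run, so its protection now rests entirely on the umask of the service that runs this script, and the visible hunks add `UMask` only to the `serviceConfig` blocks at lines 46 and 196. Confirm this unit also runs with a restrictive umask, and consider keeping the explicit chmod so that files left behind by earlier versions or restored from a backup are corrected.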
@ -357,6 +357,10 @@ let
ln -sf fullchain.pem out/cert.pem ln -sf fullchain.pem out/cert.pem
cat out/key.pem out/fullchain.pem > out/full.pem cat out/key.pem out/fullchain.pem > out/full.pem
fi fi
# By default group will have no access to the cert files.
# This chmod will fix that.
chmod 640 out/*
''; '';
}; };
}; };

View file

@ -57,7 +57,7 @@ in {
description = '' description = ''
Port on which RabbitMQ will listen for AMQP connections. Port on which RabbitMQ will listen for AMQP connections.
''; '';
type = types.int; type = types.port;
}; };
dataDir = mkOption { dataDir = mkOption {

View file

@ -14,15 +14,21 @@ let
requires = [ "postgresql.service" ]; requires = [ "postgresql.service" ];
path = [ pkgs.coreutils pkgs.gzip config.services.postgresql.package ];
script = '' script = ''
set -e -o pipefail
umask 0077 # ensure backup is only readable by postgres user umask 0077 # ensure backup is only readable by postgres user
if [ -e ${cfg.location}/${db}.sql.gz ]; then if [ -e ${cfg.location}/${db}.sql.gz ]; then
${pkgs.coreutils}/bin/mv ${cfg.location}/${db}.sql.gz ${cfg.location}/${db}.prev.sql.gz mv ${cfg.location}/${db}.sql.gz ${cfg.location}/${db}.prev.sql.gz
fi fi
${dumpCmd} | \ ${dumpCmd} | \
${pkgs.gzip}/bin/gzip -c > ${cfg.location}/${db}.sql.gz gzip -c > ${cfg.location}/${db}.in-progress.sql.gz
mv ${cfg.location}/${db}.in-progress.sql.gz ${cfg.location}/${db}.sql.gz
''; '';
serviceConfig = { serviceConfig = {
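Review bot: the rotation of `${db}.sql.gz` to `${db}.prev.sql.gz` still runs before the dump, so with `set -e -o pipefail` a failed dump now exits leaving no `${db}.sql.gz` at all and the last good backup only under the `.prev` name. Move the rotation to just before the final `mv` of the in-progress file, so that a failure leaves the existing backups untouched. The `${cfg.location}/${db}` paths are also unquoted in every command of the script.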
@ -113,12 +119,12 @@ in {
}) })
(mkIf (cfg.enable && cfg.backupAll) { (mkIf (cfg.enable && cfg.backupAll) {
systemd.services.postgresqlBackup = systemd.services.postgresqlBackup =
postgresqlBackupService "all" "${config.services.postgresql.package}/bin/pg_dumpall"; postgresqlBackupService "all" "pg_dumpall";
}) })
(mkIf (cfg.enable && !cfg.backupAll) { (mkIf (cfg.enable && !cfg.backupAll) {
systemd.services = listToAttrs (map (db: systemd.services = listToAttrs (map (db:
let let
cmd = "${config.services.postgresql.package}/bin/pg_dump ${cfg.pgdumpOptions} ${db}"; cmd = "pg_dump ${cfg.pgdumpOptions} ${db}";
in { in {
name = "postgresqlBackup-${db}"; name = "postgresqlBackup-${db}";
value = postgresqlBackupService db cmd; value = postgresqlBackupService db cmd;

View file

@ -2,6 +2,7 @@
with lib; with lib;
let let
cfg = config.services.jenkins; cfg = config.services.jenkins;
jenkinsUrl = "http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix}";
in { in {
options = { options = {
services.jenkins = { services.jenkins = {
@ -141,14 +142,34 @@ in {
Additional command line arguments to pass to the Java run time (as opposed to Jenkins). Additional command line arguments to pass to the Java run time (as opposed to Jenkins).
''; '';
}; };
withCLI = mkOption {
type = types.bool;
default = false;
description = ''
Whether to make the CLI available.
More info about the CLI available at
<link xlink:href="https://www.jenkins.io/doc/book/managing/cli">
https://www.jenkins.io/doc/book/managing/cli</link> .
'';
};
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment = {
# server references the dejavu fonts # server references the dejavu fonts
environment.systemPackages = [ systemPackages = [
pkgs.dejavu_fonts pkgs.dejavu_fonts
]; ] ++ optional cfg.withCLI cfg.package;
variables = {}
// optionalAttrs cfg.withCLI {
# Make it more convenient to use the `jenkins-cli`.
JENKINS_URL = jenkinsUrl;
};
};
users.groups = optionalAttrs (cfg.group == "jenkins") { users.groups = optionalAttrs (cfg.group == "jenkins") {
jenkins.gid = config.ids.gids.jenkins; jenkins.gid = config.ids.gids.jenkins;
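Review bot: `JENKINS_URL` is exported system-wide from `jenkinsUrl`, which is built from `cfg.listenAddress` with a fixed `http://` scheme; when the service listens on a wildcard address such as `0.0.0.0`, the resulting URL is not a useful client target. Either add a separate option for the CLI URL or document in `withCLI` that `listenAddress` must be a connectable address. The `variables = {} // optionalAttrs cfg.withCLI { ... }` expression can be reduced to the `optionalAttrs` call alone.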
@ -215,7 +236,7 @@ in {
''; '';
postStart = '' postStart = ''
until [[ $(${pkgs.curl.bin}/bin/curl -L -s --head -w '\n%{http_code}' http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} | tail -n1) =~ ^(200|403)$ ]]; do until [[ $(${pkgs.curl.bin}/bin/curl -L -s --head -w '\n%{http_code}' ${jenkinsUrl} | tail -n1) =~ ^(200|403)$ ]]; do
sleep 1 sleep 1
done done
''; '';

View file

@ -48,7 +48,7 @@ in
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 3306; default = 3306;
description = "Port of MySQL."; description = "Port of MySQL.";
}; };

View file

@ -0,0 +1,197 @@
{
"bluez5.features.device": [
{
"name": "Air 1 Plus",
"no-features": [
"hw-volume-mic"
]
},
{
"name": "AirPods",
"no-features": [
"msbc-alt1",
"msbc-alt1-rtl"
]
},
{
"name": "AirPods Pro",
"no-features": [
"msbc-alt1",
"msbc-alt1-rtl"
]
},
{
"name": "AXLOIE Goin",
"no-features": [
"msbc-alt1",
"msbc-alt1-rtl"
]
},
{
"name": "JBL Endurance RUN BT",
"no-features": [
"msbc-alt1",
"msbc-alt1-rtl",
"sbc-xq"
]
},
{
"name": "JBL LIVE650BTNC"
},
{
"name": "Soundcore Life P2-L",
"no-features": [
"msbc-alt1",
"msbc-alt1-rtl"
]
},
{
"name": "Urbanista Stockholm Plus",
"no-features": [
"msbc-alt1",
"msbc-alt1-rtl"
]
},
{
"address": "~^94:16:25:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^9c:64:8b:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^a0:e9:db:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^0c:a6:94:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^00:14:02:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^44:5e:f3:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^d4:9c:28:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^00:18:6b:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^b8:ad:3e:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^a0:e9:db:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^00:24:1c:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^00:11:b1:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^a4:15:66:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^00:14:f1:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^00:26:7e:",
"no-features": [
"hw-volume"
]
},
{
"address": "~^90:03:b7:",
"no-features": [
"hw-volume"
]
}
],
"bluez5.features.adapter": [
{
"bus-type": "usb",
"vendor-id": "usb:0bda"
},
{
"bus-type": "usb",
"no-features": [
"msbc-alt1-rtl"
]
},
{
"no-features": [
"msbc-alt1-rtl"
]
}
],
"bluez5.features.kernel": [
{
"sysname": "Linux",
"release": "~^[0-4]\\.",
"no-features": [
"msbc-alt1",
"msbc-alt1-rtl"
]
},
{
"sysname": "Linux",
"release": "~^5\\.[1-7]\\.",
"no-features": [
"msbc-alt1",
"msbc-alt1-rtl"
]
},
{
"sysname": "Linux",
"release": "~^5\\.(8|9|10)\\.",
"no-features": [
"msbc-alt1"
]
},
{
"no-features": []
}
]
}
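Review bot: the `"address": "~^a0:e9:db:"` entry appears twice in `bluez5.features.device` with the same `no-features` list; drop the duplicate. The file also carries no indication of where this quirk list comes from, and JSON cannot hold a comment, so record the source in the module that reads it to make later updates traceable.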

View file

@ -7,7 +7,7 @@
}, },
"context.modules": [ "context.modules": [
{ {
"name": "libpipewire-module-rtkit", "name": "libpipewire-module-rt",
"args": {}, "args": {},
"flags": [ "flags": [
"ifexists", "ifexists",

View file

@ -15,6 +15,7 @@ let
defaults = { defaults = {
alsa-monitor = (builtins.fromJSON (builtins.readFile ./alsa-monitor.conf.json)); alsa-monitor = (builtins.fromJSON (builtins.readFile ./alsa-monitor.conf.json));
bluez-monitor = (builtins.fromJSON (builtins.readFile ./bluez-monitor.conf.json)); bluez-monitor = (builtins.fromJSON (builtins.readFile ./bluez-monitor.conf.json));
bluez-hardware = (builtins.fromJSON (builtins.readFile ./bluez-hardware.conf.json));
media-session = (builtins.fromJSON (builtins.readFile ./media-session.conf.json)); media-session = (builtins.fromJSON (builtins.readFile ./media-session.conf.json));
v4l2-monitor = (builtins.fromJSON (builtins.readFile ./v4l2-monitor.conf.json)); v4l2-monitor = (builtins.fromJSON (builtins.readFile ./v4l2-monitor.conf.json));
}; };
@ -22,6 +23,7 @@ let
configs = { configs = {
alsa-monitor = recursiveUpdate defaults.alsa-monitor cfg.config.alsa-monitor; alsa-monitor = recursiveUpdate defaults.alsa-monitor cfg.config.alsa-monitor;
bluez-monitor = recursiveUpdate defaults.bluez-monitor cfg.config.bluez-monitor; bluez-monitor = recursiveUpdate defaults.bluez-monitor cfg.config.bluez-monitor;
bluez-hardware = defaults.bluez-hardware;
media-session = recursiveUpdate defaults.media-session cfg.config.media-session; media-session = recursiveUpdate defaults.media-session cfg.config.media-session;
v4l2-monitor = recursiveUpdate defaults.v4l2-monitor cfg.config.v4l2-monitor; v4l2-monitor = recursiveUpdate defaults.v4l2-monitor cfg.config.v4l2-monitor;
}; };
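Review bot: `bluez-hardware = defaults.bluez-hardware;` is the only entry in `configs` that is not passed through `recursiveUpdate` with a `cfg.config.*` value, so users cannot adjust the quirk list the way they can the other four files. If that is deliberate, add a comment saying so; otherwise add the matching `cfg.config.bluez-hardware` option.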
@ -120,6 +122,10 @@ in {
mkIf config.services.pipewire.pulse.enable { mkIf config.services.pipewire.pulse.enable {
source = json.generate "bluez-monitor.conf" configs.bluez-monitor; source = json.generate "bluez-monitor.conf" configs.bluez-monitor;
}; };
environment.etc."pipewire/media-session.d/bluez-hardware.conf" =
mkIf config.services.pipewire.pulse.enable {
source = json.generate "bluez-hardware.conf" configs.bluez-hardware;
};
environment.etc."pipewire/media-session.d/with-jack" = environment.etc."pipewire/media-session.d/with-jack" =
mkIf config.services.pipewire.jack.enable { mkIf config.services.pipewire.jack.enable {

View file

@ -51,7 +51,7 @@ in {
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 6523; default = 6523;
description = '' description = ''
Port to listen on Port to listen on

View file

@ -0,0 +1,36 @@
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.services.ddccontrol;
in
{
###### interface
options = {
services.ddccontrol = {
enable = lib.mkEnableOption "ddccontrol for controlling displays";
};
};
###### implementation
config = lib.mkIf cfg.enable {
# Give users access to the "gddccontrol" tool
environment.systemPackages = [
pkgs.ddccontrol
];
services.dbus.packages = [
pkgs.ddccontrol
];
systemd.packages = [
pkgs.ddccontrol
];
};
}

View file

@ -58,7 +58,7 @@ in {
port = mkOption { port = mkOption {
description = "Docker registry port to bind to."; description = "Docker registry port to bind to.";
default = 5000; default = 5000;
type = types.int; type = types.port;
}; };
storagePath = mkOption { storagePath = mkOption {

View file

@ -82,7 +82,7 @@ in
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = (if !usePostgresql then 3306 else pg.port); default = (if !usePostgresql then 3306 else pg.port);
description = "Database host port."; description = "Database host port.";
}; };

View file

@ -140,6 +140,14 @@ let
port = 3807; port = 3807;
}; };
}; };
registry = lib.optionalAttrs cfg.registry.enable {
enabled = true;
host = cfg.registry.externalAddress;
port = cfg.registry.externalPort;
key = cfg.registry.keyFile;
api_url = "http://${config.services.dockerRegistry.listenAddress}:${toString config.services.dockerRegistry.port}/";
issuer = "gitlab-issuer";
};
extra = {}; extra = {};
uploads.storage_path = cfg.statePath; uploads.storage_path = cfg.statePath;
}; };
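Review bot: `issuer = "gitlab-issuer";` is hardcoded in this block, while the registry side of this commit is configured from `cfg.registry.issuer`, so changing that option makes the two sides disagree on the token issuer. Use `issuer = cfg.registry.issuer;`. `api_url` is also fixed to `http://`, and `cfg.registry.host` and `cfg.registry.port` are declared in this commit while this block reads only `externalAddress` and `externalPort`.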
@ -156,7 +164,7 @@ let
prometheus_multiproc_dir = "/run/gitlab"; prometheus_multiproc_dir = "/run/gitlab";
RAILS_ENV = "production"; RAILS_ENV = "production";
MALLOC_ARENA_MAX = "2"; MALLOC_ARENA_MAX = "2";
}; } // cfg.extraEnv;
gitlab-rake = pkgs.stdenv.mkDerivation { gitlab-rake = pkgs.stdenv.mkDerivation {
name = "gitlab-rake"; name = "gitlab-rake";
@ -277,6 +285,14 @@ in {
''; '';
}; };
extraEnv = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
Additional environment variables for the GitLab environment.
'';
};
backup.startAt = mkOption { backup.startAt = mkOption {
type = with types; either str (listOf str); type = with types; either str (listOf str);
default = []; default = [];
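Review bot: the `extraEnv` description should state that these values are merged last via `// cfg.extraEnv`, so they can override `RAILS_ENV` and the other defaults set in that attribute set, and that as ordinary module values they are not a place for secrets. An `example` would also help, since the option has none.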
@ -508,6 +524,58 @@ in {
''; '';
}; };
registry = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable GitLab container registry.";
};
host = mkOption {
type = types.str;
default = config.services.gitlab.host;
description = "GitLab container registry host name.";
};
port = mkOption {
type = types.int;
default = 4567;
description = "GitLab container registry port.";
};
certFile = mkOption {
type = types.path;
default = null;
description = "Path to GitLab container registry certificate.";
};
keyFile = mkOption {
type = types.path;
default = null;
description = "Path to GitLab container registry certificate-key.";
};
defaultForProjects = mkOption {
type = types.bool;
default = cfg.registry.enable;
description = "If GitLab container registry should be enabled by default for projects.";
};
issuer = mkOption {
type = types.str;
default = "gitlab-issuer";
description = "GitLab container registry issuer.";
};
serviceName = mkOption {
type = types.str;
default = "container_registry";
description = "GitLab container registry service name.";
};
externalAddress = mkOption {
type = types.str;
default = "";
description = "External address used to access registry from the internet";
};
externalPort = mkOption {
type = types.int;
description = "External port used to access registry from the internet";
};
};
smtp = { smtp = {
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
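Review bot: `certFile` and `keyFile` are declared as `types.path` with `default = null`, which does not type-check if the default is ever used; either drop the default or use `types.nullOr types.path`. `port` and `externalPort` use `types.int` while the rest of this commit moves port options to `types.port`, and `externalPort` has no default, so enabling the registry without setting it fails at evaluation.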
@ -843,7 +911,7 @@ in {
} }
{ {
assertion = versionAtLeast postgresqlPackage.version "12.0.0"; assertion = versionAtLeast postgresqlPackage.version "12.0.0";
message = "PostgreSQL >=12 is required to run GitLab 14."; message = "PostgreSQL >=12 is required to run GitLab 14. Follow the instructions in the manual section for upgrading PostgreSQL here: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading";
} }
]; ];
@ -905,6 +973,44 @@ in {
}; };
}; };
systemd.services.gitlab-registry-cert = optionalAttrs cfg.registry.enable {
path = with pkgs; [ openssl ];
script = ''
mkdir -p $(dirname ${cfg.registry.keyFile})
mkdir -p $(dirname ${cfg.registry.certFile})
openssl req -nodes -newkey rsa:4096 -keyout ${cfg.registry.keyFile} -out /tmp/registry-auth.csr -subj "/CN=${cfg.registry.issuer}"
openssl x509 -in /tmp/registry-auth.csr -out ${cfg.registry.certFile} -req -signkey ${cfg.registry.keyFile} -days 3650
chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.keyFile})
chown ${cfg.user}:${cfg.group} $(dirname ${cfg.registry.certFile})
chown ${cfg.user}:${cfg.group} ${cfg.registry.keyFile}
chown ${cfg.user}:${cfg.group} ${cfg.registry.certFile}
'';
serviceConfig = {
ConditionPathExists = "!${cfg.registry.certFile}";
};
};
# Ensure Docker Registry launches after the certificate generation job
systemd.services.docker-registry = optionalAttrs cfg.registry.enable {
wants = [ "gitlab-registry-cert.service" ];
};
# Enable Docker Registry, if GitLab-Container Registry is enabled
services.dockerRegistry = optionalAttrs cfg.registry.enable {
enable = true;
enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly
extraConfig = {
auth.token = {
realm = "http${if cfg.https == true then "s" else ""}://${cfg.host}/jwt/auth";
service = cfg.registry.serviceName;
issuer = cfg.registry.issuer;
rootcertbundle = cfg.registry.certFile;
};
};
};
# Use postfix to send out mails. # Use postfix to send out mails.
services.postfix.enable = mkDefault (cfg.smtp.enable && cfg.smtp.address == "localhost"); services.postfix.enable = mkDefault (cfg.smtp.enable && cfg.smtp.address == "localhost");
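Review bot: `openssl req -nodes ... -keyout ${cfg.registry.keyFile}` writes an unencrypted private key with no `umask` or `chmod` anywhere in the script, so the key's mode is whatever the service default gives; set a restrictive `UMask` on the unit or chmod the key explicitly. The CSR is written to the fixed path `/tmp/registry-auth.csr`, which should be a private temporary directory or a `mktemp` file instead. `ConditionPathExists` is a unit-level setting and belongs in `unitConfig`, not `serviceConfig`, and `docker-registry` only `wants` the cert unit, so without a matching `after` the ordering promised by the comment is not enforced.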

View file

@ -62,7 +62,7 @@ in
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 2947; default = 2947;
description = '' description = ''
The port where to listen for TCP connections. The port where to listen for TCP connections.

View file

@ -11,7 +11,7 @@ in
services.leaps = { services.leaps = {
enable = mkEnableOption "leaps"; enable = mkEnableOption "leaps";
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 8080; default = 8080;
description = "A port where leaps listens for incoming http requests"; description = "A port where leaps listens for incoming http requests";
}; };

View file

@ -34,7 +34,7 @@ in
port = mkOption { port = mkOption {
default = 8899; default = 8899;
type = types.int; type = types.port;
description = "Specify port to listen on."; description = "Specify port to listen on.";
}; # nserve.port }; # nserve.port
@ -68,7 +68,7 @@ in
port = mkOption { port = mkOption {
default = 14311; default = 14311;
type = types.int; type = types.port;
description = "Specify port to listen on."; description = "Specify port to listen on.";
}; # qserve.port }; # qserve.port
@ -137,7 +137,7 @@ in
port = mkOption { port = mkOption {
default = 8898; default = 8898;
type = types.int; type = types.port;
description = "Port to listen to when serving files from cache."; description = "Port to listen to when serving files from cache.";
}; # nslave.http.port }; # nslave.http.port

View file

@ -40,7 +40,7 @@ in
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 5000; default = 5000;
description = '' description = ''
Port to bind OctoPrint to. Port to bind OctoPrint to.

View file

@ -67,7 +67,7 @@ in
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 28981; default = 28981;
description = "Server port to listen on."; description = "Server port to listen on.";
}; };

View file

@ -71,7 +71,7 @@ in
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 3000; default = 3000;
description = "Port on which Redmine is ran."; description = "Port on which Redmine is ran.";
}; };

View file

@ -28,7 +28,7 @@ let cfg = config.services.subsonic; in {
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 4040; default = 4040;
description = '' description = ''
The port on which Subsonic will listen for The port on which Subsonic will listen for
@ -37,7 +37,7 @@ let cfg = config.services.subsonic; in {
}; };
httpsPort = mkOption { httpsPort = mkOption {
type = types.int; type = types.port;
default = 0; default = 0;
description = '' description = ''
The port on which Subsonic will listen for The port on which Subsonic will listen for

View file

@ -292,7 +292,7 @@ in {
port = mkOption { port = mkOption {
description = "Listening port."; description = "Listening port.";
default = 3000; default = 3000;
type = types.int; type = types.port;
}; };
socket = mkOption { socket = mkOption {

View file

@ -323,15 +323,13 @@ let
HTTP username HTTP username
''; '';
}; };
password = mkOption { password = mkOpt types.str "HTTP password";
type = types.str; password_file = mkOpt types.str "HTTP password file";
description = ''
HTTP password
'';
};
}; };
}) '' }) ''
Optional http login credentials for metrics scraping. Sets the `Authorization` header on every scrape request with the
configured username and password.
password and password_file are mutually exclusive.
''; '';
bearer_token = mkOpt types.str '' bearer_token = mkOpt types.str ''

View file

@ -6,6 +6,8 @@ let
cfg = config.services.bind; cfg = config.services.bind;
bindPkg = config.services.bind.package;
bindUser = "named"; bindUser = "named";
bindZoneCoerce = list: builtins.listToAttrs (lib.forEach list (zone: { name = zone.name; value = zone; })); bindZoneCoerce = list: builtins.listToAttrs (lib.forEach list (zone: { name = zone.name; value = zone; }));
@ -104,6 +106,14 @@ in
enable = mkEnableOption "BIND domain name server"; enable = mkEnableOption "BIND domain name server";
package = mkOption {
type = types.package;
default = pkgs.bind;
defaultText = "pkgs.bind";
description = "The BIND package to use.";
};
cacheNetworks = mkOption { cacheNetworks = mkOption {
default = [ "127.0.0.0/24" ]; default = [ "127.0.0.0/24" ];
type = types.listOf types.str; type = types.listOf types.str;
@ -225,7 +235,7 @@ in
preStart = '' preStart = ''
mkdir -m 0755 -p /etc/bind mkdir -m 0755 -p /etc/bind
if ! [ -f "/etc/bind/rndc.key" ]; then if ! [ -f "/etc/bind/rndc.key" ]; then
${pkgs.bind.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null ${bindPkg.out}/sbin/rndc-confgen -c /etc/bind/rndc.key -u ${bindUser} -a -A hmac-sha256 2>/dev/null
fi fi
${pkgs.coreutils}/bin/mkdir -p /run/named ${pkgs.coreutils}/bin/mkdir -p /run/named
@ -233,9 +243,9 @@ in
''; '';
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.bind.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f"; ExecStart = "${bindPkg.out}/sbin/named -u ${bindUser} ${optionalString cfg.ipv4Only "-4"} -c ${cfg.configFile} -f";
ExecReload = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' reload"; ExecReload = "${bindPkg.out}/sbin/rndc -k '/etc/bind/rndc.key' reload";
ExecStop = "${pkgs.bind.out}/sbin/rndc -k '/etc/bind/rndc.key' stop"; ExecStop = "${bindPkg.out}/sbin/rndc -k '/etc/bind/rndc.key' stop";
}; };
unitConfig.Documentation = "man:named(8)"; unitConfig.Documentation = "man:named(8)";

View file

@ -18,6 +18,7 @@ let
${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"} ${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"}
ssl=${boolToStr cfg.ssl} ssl=${boolToStr cfg.ssl}
wildcard=YES wildcard=YES
ipv6=${boolToStr cfg.ipv6}
quiet=${boolToStr cfg.quiet} quiet=${boolToStr cfg.quiet}
verbose=${boolToStr cfg.verbose} verbose=${boolToStr cfg.verbose}
${cfg.extraConfig} ${cfg.extraConfig}
@ -116,7 +117,15 @@ with lib;
default = true; default = true;
type = bool; type = bool;
description = '' description = ''
Whether to use to use SSL/TLS to connect to dynamic DNS provider. Whether to use SSL/TLS to connect to dynamic DNS provider.
'';
};
ipv6 = mkOption {
default = false;
type = bool;
description = ''
Whether to use IPv6.
''; '';
}; };

View file

@ -38,8 +38,8 @@ in
# Use services.matterbridge.configPath instead. # Use services.matterbridge.configPath instead.
[irc] [irc]
[irc.freenode] [irc.libera]
Server="irc.freenode.net:6667" Server="irc.libera.chat:6667"
Nick="matterbot" Nick="matterbot"
[mattermost] [mattermost]
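Review bot: the updated example keeps the plaintext port in `Server="irc.libera.chat:6667"`, while the ZNC examples changed in this same commit use `+6697` and `useSSL = true`. Since the line is being touched anyway, switch the example to the TLS port with the bridge's TLS setting enabled, so that configurations copied from it do not send the bot's traffic in the clear.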
@ -55,7 +55,7 @@ in
name="gateway1" name="gateway1"
enable=true enable=true
[[gateway.inout]] [[gateway.inout]]
account="irc.freenode" account="irc.libera"
channel="#testing" channel="#testing"
[[gateway.inout]] [[gateway.inout]]

View file

@ -98,7 +98,7 @@ in
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 64738; default = 64738;
description = "Ports to bind to (UDP and TCP)."; description = "Ports to bind to (UDP and TCP).";
}; };

View file

@ -105,7 +105,7 @@ in
}; };
rpc.port = mkOption { rpc.port = mkOption {
type = types.int; type = types.port;
default = 8332; default = 8332;
description = '' description = ''
Port the RPC server will bind to. Port the RPC server will bind to.

View file

@ -13,7 +13,7 @@ in
enable = mkEnableOption "Serve NAR file contents via HTTP"; enable = mkEnableOption "Serve NAR file contents via HTTP";
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 8383; default = 8383;
description = '' description = ''
Port number where nar-serve will listen on. Port number where nar-serve will listen on.

View file

@ -11,7 +11,7 @@ in
enable = mkEnableOption "nix-serve, the standalone Nix binary cache server"; enable = mkEnableOption "nix-serve, the standalone Nix binary cache server";
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 5000; default = 5000;
description = '' description = ''
Port number where nix-serve will listen on. Port number where nix-serve will listen on.

View file

@ -54,6 +54,7 @@ in {
systemd.packages = [ pkgs.smartdns ]; systemd.packages = [ pkgs.smartdns ];
systemd.services.smartdns.wantedBy = [ "multi-user.target" ]; systemd.services.smartdns.wantedBy = [ "multi-user.target" ];
systemd.services.smartdns.restartTriggers = [ confFile ];
environment.etc."smartdns/smartdns.conf".source = confFile; environment.etc."smartdns/smartdns.conf".source = confFile;
environment.etc."default/smartdns".source = environment.etc."default/smartdns".source =
"${pkgs.smartdns}/etc/default/smartdns"; "${pkgs.smartdns}/etc/default/smartdns";

View file

@ -133,8 +133,8 @@ in
Nick = "paul"; Nick = "paul";
AltNick = "paul1"; AltNick = "paul1";
LoadModule = [ "chansaver" "controlpanel" ]; LoadModule = [ "chansaver" "controlpanel" ];
Network.freenode = { Network.libera = {
Server = "chat.freenode.net +6697"; Server = "irc.libera.chat +6697";
LoadModule = [ "simple_away" ]; LoadModule = [ "simple_away" ];
Chan = { Chan = {
"#nixos" = { Detached = false; }; "#nixos" = { Detached = false; };

View file

@ -11,7 +11,7 @@ let
server = mkOption { server = mkOption {
type = types.str; type = types.str;
example = "chat.freenode.net"; example = "irc.libera.chat";
description = '' description = ''
IRC server address. IRC server address.
''; '';
@ -150,8 +150,8 @@ in
''; '';
example = literalExample '' example = literalExample ''
{ {
"freenode" = { "libera" = {
server = "chat.freenode.net"; server = "irc.libera.chat";
port = 6697; port = 6697;
useSSL = true; useSSL = true;
modules = [ "simple_away" ]; modules = [ "simple_away" ];

View file

@ -26,12 +26,12 @@ let
if value != null then [ (nameValuePair (nameToEnvVar name) (if isBool value then boolToString value else toString value)) ] else [] if value != null then [ (nameValuePair (nameToEnvVar name) (if isBool value then boolToString value else toString value)) ] else []
) cfg.config)); ) cfg.config));
in { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") { in { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
WEB_VAULT_FOLDER = "${pkgs.vaultwarden-vault}/share/vaultwarden/vault"; WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
} // configEnv; } // configEnv;
configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv)); configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv));
vaultwarden = pkgs.vaultwarden.override { inherit (cfg) dbBackend; }; vaultwarden = cfg.package.override { inherit (cfg) dbBackend; };
in { in {
imports = [ imports = [
@ -102,6 +102,20 @@ in {
<literal>vaultwarden</literal> is running. <literal>vaultwarden</literal> is running.
''; '';
}; };
package = mkOption {
type = package;
default = pkgs.vaultwarden;
defaultText = "pkgs.vaultwarden";
description = "Vaultwarden package to use.";
};
webVaultPackage = mkOption {
type = package;
default = pkgs.vaultwarden-vault;
defaultText = "pkgs.vaultwarden-vault";
description = "Web vault package to use.";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {

View file

@ -0,0 +1,265 @@
{ config, lib, pkgs, utils, ... }:
with lib;
let
cfg = config.services.unifi-video;
mainClass = "com.ubnt.airvision.Main";
cmd = ''
${pkgs.jsvc}/bin/jsvc \
-cwd ${stateDir} \
-debug \
-verbose:class \
-nodetach \
-user unifi-video \
-home ${cfg.jrePackage}/lib/openjdk \
-cp ${pkgs.commonsDaemon}/share/java/commons-daemon-1.2.4.jar:${stateDir}/lib/airvision.jar \
-pidfile ${cfg.pidFile} \
-procname unifi-video \
-Djava.security.egd=file:/dev/./urandom \
-Xmx${cfg.maximumJavaHeapSize}M \
-Xss512K \
-XX:+UseG1GC \
-XX:+UseStringDeduplication \
-XX:MaxMetaspaceSize=768M \
-Djava.library.path=${stateDir}/lib \
-Djava.awt.headless=true \
-Djavax.net.ssl.trustStore=${stateDir}/etc/ufv-truststore \
-Dfile.encoding=UTF-8 \
-Dav.tempdir=/var/cache/unifi-video
'';
mongoConf = pkgs.writeTextFile {
name = "mongo.conf";
executable = false;
text = ''
# for documentation of all options, see http://docs.mongodb.org/manual/reference/configuration-options/
storage:
dbPath: ${cfg.dataDir}/db
journal:
enabled: true
syncPeriodSecs: 60
systemLog:
destination: file
logAppend: true
path: ${stateDir}/logs/mongod.log
net:
port: 7441
bindIp: 127.0.0.1
http:
enabled: false
operationProfiling:
slowOpThresholdMs: 500
mode: off
'';
};
mongoWtConf = pkgs.writeTextFile {
name = "mongowt.conf";
executable = false;
text = ''
# for documentation of all options, see:
# http://docs.mongodb.org/manual/reference/configuration-options/
storage:
dbPath: ${cfg.dataDir}/db-wt
journal:
enabled: true
wiredTiger:
engineConfig:
cacheSizeGB: 1
systemLog:
destination: file
logAppend: true
path: logs/mongod.log
net:
port: 7441
bindIp: 127.0.0.1
operationProfiling:
slowOpThresholdMs: 500
mode: off
'';
};
stateDir = "/var/lib/unifi-video";
in
{
options.services.unifi-video = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether or not to enable the unifi-video service.
'';
};
jrePackage = mkOption {
type = types.package;
default = pkgs.jre8;
defaultText = "pkgs.jre8";
description = ''
The JRE package to use. Check the release notes to ensure it is supported.
'';
};
unifiVideoPackage = mkOption {
type = types.package;
default = pkgs.unifi-video;
defaultText = "pkgs.unifi-video";
description = ''
The unifi-video package to use.
'';
};
mongodbPackage = mkOption {
type = types.package;
default = pkgs.mongodb-4_0;
defaultText = "pkgs.mongodb";
description = ''
The mongodb package to use.
'';
};
logDir = mkOption {
type = types.str;
default = "${stateDir}/logs";
description = ''
Where to store the logs.
'';
};
dataDir = mkOption {
type = types.str;
default = "${stateDir}/data";
description = ''
Where to store the database and other data.
'';
};
openPorts = mkOption {
type = types.bool;
default = true;
description = ''
Whether or not to open the required ports on the firewall.
'';
};
maximumJavaHeapSize = mkOption {
type = types.nullOr types.int;
default = 1024;
example = 4096;
description = ''
Set the maximimum heap size for the JVM in MB.
'';
};
pidFile = mkOption {
type = types.path;
default = "${cfg.dataDir}/unifi-video.pid";
description = "Location of unifi-video pid file.";
};
};
config = mkIf cfg.enable {
users = {
users.unifi-video = {
description = "UniFi Video controller daemon user";
home = stateDir;
group = "unifi-video";
isSystemUser = true;
};
groups.unifi-video = {};
};
networking.firewall = mkIf cfg.openPorts {
# https://help.ui.com/hc/en-us/articles/217875218-UniFi-Video-Ports-Used
allowedTCPPorts = [
7080 # HTTP portal
7443 # HTTPS portal
7445 # Video over HTTP (mobile app)
7446 # Video over HTTPS (mobile app)
7447 # RTSP via the controller
7442 # Camera management from cameras to NVR over WAN
];
allowedUDPPorts = [
6666 # Inbound camera streams sent over WAN
];
};
systemd.tmpfiles.rules = [
"d '${stateDir}' 0700 unifi-video unifi-video - -"
"d '/var/cache/unifi-video' 0700 unifi-video unifi-video - -"
"d '${stateDir}/logs' 0700 unifi-video unifi-video - -"
"C '${stateDir}/etc' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/etc"
"C '${stateDir}/webapps' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/webapps"
"C '${stateDir}/email' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/email"
"C '${stateDir}/fw' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/fw"
"C '${stateDir}/lib' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/lib"
"d '${stateDir}/data' 0700 unifi-video unifi-video - -"
"d '${stateDir}/data/db' 0700 unifi-video unifi-video - -"
"C '${stateDir}/data/system.properties' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/etc/system.properties"
"d '${stateDir}/bin' 0700 unifi-video unifi-video - -"
"f '${stateDir}/bin/evostreamms' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/bin/evostreamms"
"f '${stateDir}/bin/libavcodec.so.54' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/bin/libavcodec.so.54"
"f '${stateDir}/bin/libavformat.so.54' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/bin/libavformat.so.54"
"f '${stateDir}/bin/libavutil.so.52' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/bin/libavutil.so.52"
"f '${stateDir}/bin/ubnt.avtool' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/bin/ubnt.avtool"
"f '${stateDir}/bin/ubnt.updater' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/bin/ubnt.updater"
"C '${stateDir}/bin/mongo' 0700 unifi-video unifi-video - ${cfg.mongodbPackage}/bin/mongo"
"C '${stateDir}/bin/mongod' 0700 unifi-video unifi-video - ${cfg.mongodbPackage}/bin/mongod"
"C '${stateDir}/bin/mongoperf' 0700 unifi-video unifi-video - ${cfg.mongodbPackage}/bin/mongoperf"
"C '${stateDir}/bin/mongos' 0700 unifi-video unifi-video - ${cfg.mongodbPackage}/bin/mongos"
"d '${stateDir}/conf' 0700 unifi-video unifi-video - -"
"C '${stateDir}/conf/evostream' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/evostream"
"Z '${stateDir}/conf/evostream' 0700 unifi-video unifi-video - -"
"L+ '${stateDir}/conf/mongodv3.0+.conf' 0700 unifi-video unifi-video - ${mongoConf}"
"L+ '${stateDir}/conf/mongodv3.6+.conf' 0700 unifi-video unifi-video - ${mongoConf}"
"L+ '${stateDir}/conf/mongod-wt.conf' 0700 unifi-video unifi-video - ${mongoWtConf}"
"L+ '${stateDir}/conf/catalina.policy' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/catalina.policy"
"L+ '${stateDir}/conf/catalina.properties' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/catalina.properties"
"L+ '${stateDir}/conf/context.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/context.xml"
"L+ '${stateDir}/conf/logging.properties' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/logging.properties"
"L+ '${stateDir}/conf/server.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/server.xml"
"L+ '${stateDir}/conf/tomcat-users.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/tomcat-users.xml"
"L+ '${stateDir}/conf/web.xml' 0700 unifi-video unifi-video - ${pkgs.unifi-video}/lib/unifi-video/conf/web.xml"
];
systemd.services.unifi-video = {
description = "UniFi Video NVR daemon";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ] ;
unitConfig.RequiresMountsFor = stateDir;
# Make sure package upgrades trigger a service restart
restartTriggers = [ cfg.unifiVideoPackage cfg.mongodbPackage ];
path = with pkgs; [ gawk coreutils busybox which jre8 lsb-release libcap util-linux ];
serviceConfig = {
Type = "simple";
ExecStart = "${(removeSuffix "\n" cmd)} ${mainClass} start";
ExecStop = "${(removeSuffix "\n" cmd)} stop ${mainClass} stop";
Restart = "on-failure";
UMask = "0077";
User = "unifi-video";
WorkingDirectory = "${stateDir}";
};
};
};
meta = {
maintainers = with lib.maintainers; [ rsynnest ];
};
}
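Review bot: `openPorts` defaults to `true`, so enabling the service opens six TCP ports and UDP 6666 on the firewall, including the plain-HTTP portal on 7080, without the operator asking for it; consider defaulting it to `false` or documenting the exposure in the option description. Separately, `-Xmx${cfg.maximumJavaHeapSize}M` interpolates a value typed `types.nullOr types.int` without `toString` and has no handling for `null`, so either drop `nullOr` or build the flag conditionally. The tmpfiles rules and `path` hard-code `pkgs.unifi-video` and `jre8`, which means setting `unifiVideoPackage` or `jrePackage` only partly takes effect, and `logDir` is declared but never used. The `-debug` and `-verbose:class` flags look like development leftovers for a default command line, and "maximimum" in the heap size description is a typo.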

View file

@ -92,7 +92,7 @@ in {
package = mkOption { package = mkOption {
type = types.package; type = types.package;
description = "Which package to use for the Nextcloud instance."; description = "Which package to use for the Nextcloud instance.";
relatedPackages = [ "nextcloud19" "nextcloud20" "nextcloud21" ]; relatedPackages = [ "nextcloud20" "nextcloud21" "nextcloud22" ];
}; };
maxUploadSize = mkOption { maxUploadSize = mkOption {
@ -385,7 +385,7 @@ in {
]; ];
warnings = let warnings = let
latest = 21; latest = 22;
upgradeWarning = major: nixos: upgradeWarning = major: nixos:
'' ''
A legacy Nextcloud install (from before NixOS ${nixos}) may be installed. A legacy Nextcloud install (from before NixOS ${nixos}) may be installed.
@ -403,9 +403,9 @@ in {
Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release. Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release.
Please migrate your configuration to config.services.nextcloud.poolSettings. Please migrate your configuration to config.services.nextcloud.poolSettings.
'') '')
++ (optional (versionOlder cfg.package.version "19") (upgradeWarning 18 "20.09"))
++ (optional (versionOlder cfg.package.version "20") (upgradeWarning 19 "21.05")) ++ (optional (versionOlder cfg.package.version "20") (upgradeWarning 19 "21.05"))
++ (optional (versionOlder cfg.package.version "21") (upgradeWarning 20 "21.05")); ++ (optional (versionOlder cfg.package.version "21") (upgradeWarning 20 "21.05"))
++ (optional (versionOlder cfg.package.version "22") (upgradeWarning 21 "21.11"));
services.nextcloud.package = with pkgs; services.nextcloud.package = with pkgs;
mkDefault ( mkDefault (
@ -415,13 +415,13 @@ in {
nextcloud defined in an overlay, please set `services.nextcloud.package` to nextcloud defined in an overlay, please set `services.nextcloud.package` to
`pkgs.nextcloud`. `pkgs.nextcloud`.
'' ''
else if versionOlder stateVersion "20.09" then nextcloud18
# 21.03 will not be an official release - it was instead 21.05. # 21.03 will not be an official release - it was instead 21.05.
# This versionOlder statement remains set to 21.03 for backwards compatibility. # This versionOlder statement remains set to 21.03 for backwards compatibility.
# See https://github.com/NixOS/nixpkgs/pull/108899 and # See https://github.com/NixOS/nixpkgs/pull/108899 and
# https://github.com/NixOS/rfcs/blob/master/rfcs/0080-nixos-release-schedule.md. # https://github.com/NixOS/rfcs/blob/master/rfcs/0080-nixos-release-schedule.md.
else if versionOlder stateVersion "21.03" then nextcloud19 else if versionOlder stateVersion "21.03" then nextcloud19
else nextcloud21 else if versionOlder stateVersion "21.11" then nextcloud21
else nextcloud22
); );
} }
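Review bot: removing the `versionOlder stateVersion "20.09"` branch means hosts with a stateVersion before 20.09 now fall through to `nextcloud19` as the default package instead of `nextcloud18`, so the default major version changes for them on the next rebuild; please confirm that is intended and mention it in the release notes. This branch also still selects `nextcloud19` while the first hunk drops it from `relatedPackages`, so check that the attribute still exists and that the documentation list and the defaulting logic agree.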
@ -616,9 +616,7 @@ in {
services.nginx.enable = mkDefault true; services.nginx.enable = mkDefault true;
services.nginx.virtualHosts.${cfg.hostName} = let services.nginx.virtualHosts.${cfg.hostName} = {
major = toInt (versions.major cfg.package.version);
in {
root = cfg.package; root = cfg.package;
locations = { locations = {
"= /robots.txt" = { "= /robots.txt" = {

View file

@ -11,7 +11,7 @@
desktop client is packaged at <literal>pkgs.nextcloud-client</literal>. desktop client is packaged at <literal>pkgs.nextcloud-client</literal>.
</para> </para>
<para> <para>
The current default by NixOS is <package>nextcloud21</package> which is also the latest The current default by NixOS is <package>nextcloud22</package> which is also the latest
major version available. major version available.
</para> </para>
<section xml:id="module-services-nextcloud-basic-usage"> <section xml:id="module-services-nextcloud-basic-usage">

View file

@ -0,0 +1,145 @@
{ pkgs, lib, config, ... }:
with lib;
let
cfg = config.services.vikunja;
format = pkgs.formats.yaml {};
configFile = format.generate "config.yaml" cfg.settings;
useMysql = cfg.database.type == "mysql";
usePostgresql = cfg.database.type == "postgres";
in {
options.services.vikunja = with lib; {
enable = mkEnableOption "vikunja service";
package-api = mkOption {
default = pkgs.vikunja-api;
type = types.package;
defaultText = "pkgs.vikunja-api";
description = "vikunja-api derivation to use.";
};
package-frontend = mkOption {
default = pkgs.vikunja-frontend;
type = types.package;
defaultText = "pkgs.vikunja-frontend";
description = "vikunja-frontend derivation to use.";
};
environmentFiles = mkOption {
type = types.listOf types.path;
default = [ ];
description = ''
List of environment files set in the vikunja systemd service.
For example passwords should be set in one of these files.
'';
};
setupNginx = mkOption {
type = types.bool;
default = config.services.nginx.enable;
defaultText = "config.services.nginx.enable";
description = ''
Whether to setup NGINX.
Further nginx configuration can be done by changing
<option>services.nginx.virtualHosts.&lt;frontendHostname&gt;</option>.
This does not enable TLS or ACME by default. To enable this, set the
<option>services.nginx.virtualHosts.&lt;frontendHostname&gt;.enableACME</option> to
<literal>true</literal> and if appropriate do the same for
<option>services.nginx.virtualHosts.&lt;frontendHostname&gt;.forceSSL</option>.
'';
};
frontendScheme = mkOption {
type = types.enum [ "http" "https" ];
description = ''
Whether the site is available via http or https.
This does not configure https or ACME in nginx!
'';
};
frontendHostname = mkOption {
type = types.str;
description = "The Hostname under which the frontend is running.";
};
settings = mkOption {
type = format.type;
default = {};
description = ''
Vikunja configuration. Refer to
<link xlink:href="https://vikunja.io/docs/config-options/"/>
for details on supported values.
'';
};
database = {
type = mkOption {
type = types.enum [ "sqlite" "mysql" "postgres" ];
example = "postgres";
default = "sqlite";
description = "Database engine to use.";
};
host = mkOption {
type = types.str;
default = "localhost";
description = "Database host address. Can also be a socket.";
};
user = mkOption {
type = types.str;
default = "vikunja";
description = "Database user.";
};
database = mkOption {
type = types.str;
default = "vikunja";
description = "Database name.";
};
path = mkOption {
type = types.str;
default = "/var/lib/vikunja/vikunja.db";
description = "Path to the sqlite3 database file.";
};
};
};
config = lib.mkIf cfg.enable {
services.vikunja.settings = {
database = {
inherit (cfg.database) type host user database path;
};
service = {
frontendurl = "${cfg.frontendScheme}://${cfg.frontendHostname}/";
};
files = {
basepath = "/var/lib/vikunja/files";
};
};
systemd.services.vikunja-api = {
description = "vikunja-api";
after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service";
wantedBy = [ "multi-user.target" ];
path = [ cfg.package-api ];
restartTriggers = [ configFile ];
serviceConfig = {
Type = "simple";
DynamicUser = true;
StateDirectory = "vikunja";
ExecStart = "${cfg.package-api}/bin/vikunja";
Restart = "always";
EnvironmentFile = cfg.environmentFiles;
};
};
services.nginx.virtualHosts."${cfg.frontendHostname}" = mkIf cfg.setupNginx {
locations = {
"/" = {
root = cfg.package-frontend;
tryFiles = "try_files $uri $uri/ /";
};
"~* ^/(api|dav|\\.well-known)/" = {
proxyPass = "http://localhost:3456";
extraConfig = ''
client_max_body_size 20M;
'';
};
};
};
environment.etc."vikunja/config.yaml".source = configFile;
};
}
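Review bot: `settings` is rendered with `format.generate` and exposed through `environment.etc."vikunja/config.yaml"`, so anything placed there ends up in a world-readable file, yet only the `environmentFiles` description mentions secrets; the `settings` description should state that passwords and similar secrets must not be set there and belong in `environmentFiles`. Two smaller points: `proxyPass` hard-codes `http://localhost:3456` while `settings` is free-form, so a changed listen address in `settings` would silently break the proxy, and `tryFiles = "try_files $uri $uri/ /";` repeats the directive name inside the value, which is worth checking against how the nginx module renders `tryFiles`. `frontendScheme` has no default and only feeds `frontendurl`, so choosing "https" without also configuring TLS on the virtual host produces a frontend URL that does not match what nginx serves.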

View file

@ -33,7 +33,7 @@ in
enable = mkEnableOption "ttyd daemon"; enable = mkEnableOption "ttyd daemon";
port = mkOption { port = mkOption {
type = types.int; type = types.port;
default = 7681; default = 7681;
description = "Port to listen on (use 0 for random port)"; description = "Port to listen on (use 0 for random port)";
}; };

View file

@ -755,7 +755,7 @@ in
default = []; default = [];
example = [ "d /tmp 1777 root root 10d" ]; example = [ "d /tmp 1777 root root 10d" ];
description = '' description = ''
Rules for creating and cleaning up temporary files Rules for creation, deletion and cleaning of volatile and temporary files
automatically. See automatically. See
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for the exact format. for the exact format.

View file

@ -55,7 +55,16 @@ in
(mkIf enableBtrfs { (mkIf enableBtrfs {
system.fsPackages = [ pkgs.btrfs-progs ]; system.fsPackages = [ pkgs.btrfs-progs ];
boot.initrd.kernelModules = mkIf inInitrd [ "btrfs" "crc32c" ]; boot.initrd.kernelModules = mkIf inInitrd [ "btrfs" ];
boot.initrd.availableKernelModules = mkIf inInitrd (
[ "crc32c" ]
++ optionals (config.boot.kernelPackages.kernel.kernelAtLeast "5.5") [
# Needed for mounting filesystems with new checksums
"xxhash_generic"
"blake2b_generic"
"sha256_generic" # Should be baked into our kernel, just to be sure
]
);
boot.initrd.extraUtilsCommands = mkIf inInitrd boot.initrd.extraUtilsCommands = mkIf inInitrd
'' ''

View file

@ -0,0 +1,230 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.snapraid;
in
{
options.snapraid = with types; {
enable = mkEnableOption "SnapRAID";
dataDisks = mkOption {
default = { };
example = {
d1 = "/mnt/disk1/";
d2 = "/mnt/disk2/";
d3 = "/mnt/disk3/";
};
description = "SnapRAID data disks.";
type = attrsOf str;
};
parityFiles = mkOption {
default = [ ];
example = [
"/mnt/diskp/snapraid.parity"
"/mnt/diskq/snapraid.2-parity"
"/mnt/diskr/snapraid.3-parity"
"/mnt/disks/snapraid.4-parity"
"/mnt/diskt/snapraid.5-parity"
"/mnt/disku/snapraid.6-parity"
];
description = "SnapRAID parity files.";
type = listOf str;
};
contentFiles = mkOption {
default = [ ];
example = [
"/var/snapraid.content"
"/mnt/disk1/snapraid.content"
"/mnt/disk2/snapraid.content"
];
description = "SnapRAID content list files.";
type = listOf str;
};
exclude = mkOption {
default = [ ];
example = [ "*.unrecoverable" "/tmp/" "/lost+found/" ];
description = "SnapRAID exclude directives.";
type = listOf str;
};
touchBeforeSync = mkOption {
default = true;
example = false;
description =
"Whether <command>snapraid touch</command> should be run before <command>snapraid sync</command>.";
type = bool;
};
sync.interval = mkOption {
default = "01:00";
example = "daily";
description = "How often to run <command>snapraid sync</command>.";
type = str;
};
scrub = {
interval = mkOption {
default = "Mon *-*-* 02:00:00";
example = "weekly";
description = "How often to run <command>snapraid scrub</command>.";
type = str;
};
plan = mkOption {
default = 8;
example = 5;
description =
"Percent of the array that should be checked by <command>snapraid scrub</command>.";
type = int;
};
olderThan = mkOption {
default = 10;
example = 20;
description =
"Number of days since data was last scrubbed before it can be scrubbed again.";
type = int;
};
};
extraConfig = mkOption {
default = "";
example = ''
nohidden
blocksize 256
hashsize 16
autosave 500
pool /pool
'';
description = "Extra config options for SnapRAID.";
type = lines;
};
};
config =
let
nParity = builtins.length cfg.parityFiles;
mkPrepend = pre: s: pre + s;
in
mkIf cfg.enable {
assertions = [
{
assertion = nParity <= 6;
message = "You can have no more than six SnapRAID parity files.";
}
{
assertion = builtins.length cfg.contentFiles >= nParity + 1;
message =
"There must be at least one SnapRAID content file for each SnapRAID parity file plus one.";
}
];
environment = {
systemPackages = with pkgs; [ snapraid ];
etc."snapraid.conf" = {
text = with cfg;
let
prependData = mkPrepend "data ";
prependContent = mkPrepend "content ";
prependExclude = mkPrepend "exclude ";
in
concatStringsSep "\n"
(map prependData
((mapAttrsToList (name: value: name + " " + value)) dataDisks)
++ zipListsWith (a: b: a + b)
([ "parity " ] ++ map (i: toString i + "-parity ") (range 2 6))
parityFiles ++ map prependContent contentFiles
++ map prependExclude exclude) + "\n" + extraConfig;
};
};
systemd.services = with cfg; {
snapraid-scrub = {
description = "Scrub the SnapRAID array";
startAt = scrub.interval;
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.snapraid}/bin/snapraid scrub -p ${
toString scrub.plan
} -o ${toString scrub.olderThan}";
Nice = 19;
IOSchedulingPriority = 7;
CPUSchedulingPolicy = "batch";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = "none";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
CapabilityBoundingSet = "CAP_DAC_OVERRIDE";
ProtectSystem = "strict";
ProtectHome = "read-only";
ReadWritePaths =
# scrub requires access to directories containing content files
# to remove them if they are stale
let
contentDirs = map dirOf contentFiles;
in
unique (
attrValues dataDisks ++ contentDirs
);
};
unitConfig.After = "snapraid-sync.service";
};
snapraid-sync = {
description = "Synchronize the state of the SnapRAID array";
startAt = sync.interval;
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.snapraid}/bin/snapraid sync";
Nice = 19;
IOSchedulingPriority = 7;
CPUSchedulingPolicy = "batch";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = "none";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
CapabilityBoundingSet = "CAP_DAC_OVERRIDE";
ProtectSystem = "strict";
ProtectHome = "read-only";
ReadWritePaths =
# sync requires access to directories containing content files
# to remove them if they are stale
let
contentDirs = map dirOf contentFiles;
in
unique (
attrValues dataDisks ++ parityFiles ++ contentDirs
);
} // optionalAttrs touchBeforeSync {
ExecStartPre = "${pkgs.snapraid}/bin/snapraid touch";
};
};
};
};
}
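Review bot: in `snapraid-scrub`, `ReadWritePaths` grants write access to every data disk via `attrValues dataDisks`, but the comment above it only justifies the content file directories; if scrub does not need to write to the data disks, restrict it to `contentDirs` so `ProtectSystem = "strict"` actually protects them. The same comment is copied into `snapraid-sync` and does not explain why the parity files and data disks are listed there. Both units also keep `CAP_DAC_OVERRIDE` and set no `User`, so they run as root with permission checks bypassed; a short comment saying why that capability is required would help future reviewers. The two `serviceConfig` blocks repeat the same hardening settings line for line and could share one attribute set, and `dataDisks`, `parityFiles` and `contentFiles` are typed `str` although they are written verbatim into `snapraid.conf` and `ReadWritePaths`.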

View file

@ -31,6 +31,30 @@ let
example = literalExample "pkgs.dockerTools.buildDockerImage {...};"; example = literalExample "pkgs.dockerTools.buildDockerImage {...};";
}; };
login = {
username = mkOption {
type = with types; nullOr str;
default = null;
description = "Username for login.";
};
passwordFile = mkOption {
type = with types; nullOr str;
default = null;
description = "Path to file containing password.";
example = "/etc/nixos/dockerhub-password.txt";
};
registry = mkOption {
type = with types; nullOr str;
default = null;
description = "Registry where to login to.";
example = "https://docker.pkg.github.com";
};
};
cmd = mkOption { cmd = mkOption {
type = with types; listOf str; type = with types; listOf str;
default = []; default = [];
@ -220,6 +244,8 @@ let
}; };
}; };
isValidLogin = login: login.username != null && login.passwordFile != null && login.registry != null;
mkService = name: container: let mkService = name: container: let
dependsOn = map (x: "${cfg.backend}-${x}.service") container.dependsOn; dependsOn = map (x: "${cfg.backend}-${x}.service") container.dependsOn;
in { in {
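Review bot: `isValidLogin` returns false when only some of `username`, `passwordFile` and `registry` are set, so a partially filled `login` block is silently ignored and the container is pulled without authentication. Add an assertion that the three options are either all null or all set, so a misconfiguration fails at evaluation time instead of showing up later as a pull error.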
@ -235,6 +261,13 @@ let
preStart = '' preStart = ''
${cfg.backend} rm -f ${name} || true ${cfg.backend} rm -f ${name} || true
${optionalString (isValidLogin container.login) ''
cat ${container.login.passwordFile} | \
${cfg.backend} login \
${container.login.registry} \
--username ${container.login.username} \
--password-stdin
''}
${optionalString (container.imageFile != null) '' ${optionalString (container.imageFile != null) ''
${cfg.backend} load -i ${container.imageFile} ${cfg.backend} load -i ${container.imageFile}
''} ''}
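Review bot: `container.login.passwordFile`, `container.login.registry` and `container.login.username` are interpolated into the `preStart` shell script unquoted, so a value containing spaces or shell metacharacters changes the command that runs as the service user. Wrap each in `escapeShellArg`, and feed the file with `--password-stdin < file` rather than `cat file |`. It would also help if the `passwordFile` description said the file must live outside the Nix store and be readable only by the user running the unit.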
@ -262,9 +295,6 @@ let
postStop = "${cfg.backend} rm -f ${name} || true"; postStop = "${cfg.backend} rm -f ${name} || true";
serviceConfig = { serviceConfig = {
StandardOutput = "null";
StandardError = "null";
### There is no generalized way of supporting `reload` for docker ### There is no generalized way of supporting `reload` for docker
### containers. Some containers may respond well to SIGHUP sent to their ### containers. Some containers may respond well to SIGHUP sent to their
### init process, but it is not guaranteed; some apps have other reload ### init process, but it is not guaranteed; some apps have other reload

View file

@ -56,5 +56,7 @@ in
${open-vm-tools}/bin/vmware-user-suid-wrapper ${open-vm-tools}/bin/vmware-user-suid-wrapper
''; '';
}; };
services.udev.packages = [ open-vm-tools ];
}; };
} }

View file

@ -330,30 +330,38 @@ in import ./make-test-python.nix ({ lib, ... }: {
with subtest("Can request certificate with HTTPS-01 challenge"): with subtest("Can request certificate with HTTPS-01 challenge"):
webserver.wait_for_unit("acme-finished-a.example.test.target") webserver.wait_for_unit("acme-finished-a.example.test.target")
check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "pebble")
check_connection(client, "a.example.test")
with subtest("Certificates and accounts have safe + valid permissions"): with subtest("Certificates and accounts have safe + valid permissions"):
group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}" group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}"
webserver.succeed( webserver.succeed(
f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
) )
webserver.succeed( webserver.succeed(
f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/.lego/a.example.test/**/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" f"test $(stat -L -c '%a %U %G' /var/lib/acme/.lego/a.example.test/**/a.example.test* | tee /dev/stderr | grep '600 acme {group}' | wc -l) -eq 4"
) )
webserver.succeed( webserver.succeed(
f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1" f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1"
) )
webserver.succeed( webserver.succeed(
f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c \"%a %U %G\" {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0" f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c '%a %U %G' {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0"
) )
with subtest("Certs are accepted by web server"):
webserver.succeed("systemctl start nginx.service")
check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "pebble")
check_connection(client, "a.example.test")
# Selfsigned certs tests happen late so we aren't fighting the system init triggering cert renewal
with subtest("Can generate valid selfsigned certs"): with subtest("Can generate valid selfsigned certs"):
webserver.succeed("systemctl clean acme-a.example.test.service --what=state") webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
webserver.succeed("systemctl start acme-selfsigned-a.example.test.service") webserver.succeed("systemctl start acme-selfsigned-a.example.test.service")
check_fullchain(webserver, "a.example.test") check_fullchain(webserver, "a.example.test")
check_issuer(webserver, "a.example.test", "minica") check_issuer(webserver, "a.example.test", "minica")
# Check selfsigned permissions
webserver.succeed(
f"test $(stat -L -c '%a %U %G' /var/lib/acme/a.example.test/*.pem | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5"
)
# Will succeed if nginx can load the certs # Will succeed if nginx can load the certs
webserver.succeed("systemctl start nginx-config-reload.service") webserver.succeed("systemctl start nginx-config-reload.service")
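Review bot: the permission checks for the certificate and `.lego` directories count files that match the expected mode (`grep '640 acme {group}' | wc -l` with `-eq 5`, and `'600 acme {group}'` with `-eq 4`), which passes as long as that many files are correct and says nothing about an extra file with looser permissions, especially now that the globs are narrowed to `*.pem` and `a.example.test*`. The accounts check in the same subtest uses the stronger form, `grep -v ... | wc -l` with `-eq 0`; using that form here as well would fail on any file that is not exactly the expected mode and owner, and would remove the hard-coded file counts. The `**` in the `.lego` path only matches one directory level unless globstar is enabled in the test shell, so a plain `*` would state the intent more clearly.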
@ -376,6 +384,8 @@ in import ./make-test-python.nix ({ lib, ... }: {
webserver.wait_for_unit("acme-finished-a.example.test.target") webserver.wait_for_unit("acme-finished-a.example.test.target")
check_connection_key_bits(client, "a.example.test", "384") check_connection_key_bits(client, "a.example.test", "384")
webserver.succeed("grep testing /var/lib/acme/a.example.test/test") webserver.succeed("grep testing /var/lib/acme/a.example.test/test")
# Clean to remove the testing file (and anything else messy we did)
webserver.succeed("systemctl clean acme-a.example.test.service --what=state")
with subtest("Correctly implements OCSP stapling"): with subtest("Correctly implements OCSP stapling"):
switch_to(webserver, "ocsp-stapling") switch_to(webserver, "ocsp-stapling")

View file

@ -43,7 +43,7 @@ in
bitcoind = handleTest ./bitcoind.nix {}; bitcoind = handleTest ./bitcoind.nix {};
bittorrent = handleTest ./bittorrent.nix {}; bittorrent = handleTest ./bittorrent.nix {};
blockbook-frontend = handleTest ./blockbook-frontend.nix {}; blockbook-frontend = handleTest ./blockbook-frontend.nix {};
boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64 boot = handleTestOn ["x86_64-linux" "aarch64-linux"] ./boot.nix {};
boot-stage1 = handleTest ./boot-stage1.nix {}; boot-stage1 = handleTest ./boot-stage1.nix {};
borgbackup = handleTest ./borgbackup.nix {}; borgbackup = handleTest ./borgbackup.nix {};
botamusique = handleTest ./botamusique.nix {}; botamusique = handleTest ./botamusique.nix {};
@ -450,6 +450,7 @@ in
vaultwarden = handleTest ./vaultwarden.nix {}; vaultwarden = handleTest ./vaultwarden.nix {};
vector = handleTest ./vector.nix {}; vector = handleTest ./vector.nix {};
victoriametrics = handleTest ./victoriametrics.nix {}; victoriametrics = handleTest ./victoriametrics.nix {};
vikunja = handleTest ./vikunja.nix {};
virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {}; virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
vscodium = handleTest ./vscodium.nix {}; vscodium = handleTest ./vscodium.nix {};
wasabibackend = handleTest ./wasabibackend.nix {}; wasabibackend = handleTest ./wasabibackend.nix {};

View file

@ -4,6 +4,7 @@
}: }:
with import ../lib/testing-python.nix { inherit system pkgs; }; with import ../lib/testing-python.nix { inherit system pkgs; };
with import ../lib/qemu-flags.nix { inherit pkgs; };
with pkgs.lib; with pkgs.lib;
let let
@ -21,7 +22,10 @@ let
makeBootTest = name: extraConfig: makeBootTest = name: extraConfig:
let let
machineConfig = pythonDict ({ qemuFlags = "-m 768"; } // extraConfig); machineConfig = pythonDict ({
qemuBinary = qemuBinary pkgs.qemu_test;
qemuFlags = "-m 768";
} // extraConfig);
in in
makeTest { makeTest {
inherit iso; inherit iso;
@ -61,6 +65,7 @@ let
]; ];
}; };
machineConfig = pythonDict ({ machineConfig = pythonDict ({
qemuBinary = qemuBinary pkgs.qemu_test;
qemuFlags = "-boot order=n -m 2000"; qemuFlags = "-boot order=n -m 2000";
netBackendArgs = "tftp=${ipxeBootDir},bootfile=netboot.ipxe"; netBackendArgs = "tftp=${ipxeBootDir},bootfile=netboot.ipxe";
} // extraConfig); } // extraConfig);
@ -75,8 +80,27 @@ let
machine.shutdown() machine.shutdown()
''; '';
}; };
uefiBinary = {
x86_64-linux = "${pkgs.OVMF.fd}/FV/OVMF.fd";
aarch64-linux = "${pkgs.OVMF.fd}/FV/QEMU_EFI.fd";
}.${pkgs.stdenv.hostPlatform.system};
in { in {
uefiCdrom = makeBootTest "uefi-cdrom" {
cdrom = "${iso}/iso/${iso.isoName}";
bios = uefiBinary;
};
uefiUsb = makeBootTest "uefi-usb" {
usb = "${iso}/iso/${iso.isoName}";
bios = uefiBinary;
};
uefiNetboot = makeNetbootTest "uefi" {
bios = uefiBinary;
# Custom ROM is needed for EFI PXE boot. I failed to understand exactly why, because QEMU should still use iPXE for EFI.
netFrontendArgs = "romfile=${pkgs.ipxe}/ipxe.efirom";
};
} // optionalAttrs (pkgs.stdenv.hostPlatform.system == "x86_64-linux") {
biosCdrom = makeBootTest "bios-cdrom" { biosCdrom = makeBootTest "bios-cdrom" {
cdrom = "${iso}/iso/${iso.isoName}"; cdrom = "${iso}/iso/${iso.isoName}";
}; };
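Review bot: The `uefiBinary` lookup ends in `.${pkgs.stdenv.hostPlatform.system}` over an attribute set with only `x86_64-linux` and `aarch64-linux`, and the UEFI tests now sit outside the `optionalAttrs` guard. On any other system this fails at evaluation with a missing-attribute error instead of a readable message. Consider adding a fallback such as `or (throw "unsupported system for UEFI boot tests")`, or guarding the UEFI attributes the same way the BIOS ones are guarded.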
@ -85,21 +109,5 @@ in {
usb = "${iso}/iso/${iso.isoName}"; usb = "${iso}/iso/${iso.isoName}";
}; };
uefiCdrom = makeBootTest "uefi-cdrom" {
cdrom = "${iso}/iso/${iso.isoName}";
bios = "${pkgs.OVMF.fd}/FV/OVMF.fd";
};
uefiUsb = makeBootTest "uefi-usb" {
usb = "${iso}/iso/${iso.isoName}";
bios = "${pkgs.OVMF.fd}/FV/OVMF.fd";
};
biosNetboot = makeNetbootTest "bios" {}; biosNetboot = makeNetbootTest "bios" {};
uefiNetboot = makeNetbootTest "uefi" {
bios = "${pkgs.OVMF.fd}/FV/OVMF.fd";
# Custom ROM is needed for EFI PXE boot. I failed to understand exactly why, because QEMU should still use iPXE for EFI.
netFrontendArgs = "romfile=${pkgs.ipxe}/ipxe.efirom";
};
} }

View file

@ -30,7 +30,10 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
machine.imports = [ ./common/user-account.nix ./common/x11.nix ]; machine.imports = [ ./common/user-account.nix ./common/x11.nix ];
machine.virtualisation.memorySize = 2047; machine.virtualisation.memorySize = 2047;
machine.test-support.displayManager.auto.user = user; machine.test-support.displayManager.auto.user = user;
machine.environment.systemPackages = [ chromiumPkg ]; machine.environment = {
systemPackages = [ chromiumPkg ];
variables."XAUTHORITY" = "/home/alice/.Xauthority";
};
startupHTML = pkgs.writeText "chromium-startup.html" '' startupHTML = pkgs.writeText "chromium-startup.html" ''
<!DOCTYPE html> <!DOCTYPE html>
@ -63,17 +66,32 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
return "su - ${user} -c " + shlex.quote(cmd) return "su - ${user} -c " + shlex.quote(cmd)
def get_browser_binary(): def launch_browser():
"""Returns the name of the browser binary.""" """Launches the web browser with the correct options."""
# Determine the name of the binary:
pname = "${getName chromiumPkg.name}" pname = "${getName chromiumPkg.name}"
if pname.find("chromium") != -1: if pname.find("chromium") != -1:
return "chromium" # Same name for all channels and ungoogled-chromium binary = "chromium" # Same name for all channels and ungoogled-chromium
if pname == "google-chrome": elif pname == "google-chrome":
return "google-chrome-stable" binary = "google-chrome-stable"
if pname == "google-chrome-dev": elif pname == "google-chrome-dev":
return "google-chrome-unstable" binary = "google-chrome-unstable"
# For google-chrome-beta and as fallback: else: # For google-chrome-beta and as fallback:
return pname binary = pname
# Add optional CLI options:
options = []
major_version = "${versions.major (getVersion chromiumPkg.name)}"
if major_version > "91":
# To avoid a GPU crash:
options += ["--use-gl=angle", "--use-angle=swiftshader"]
options.append("file://${startupHTML}")
# Launch the process:
machine.succeed(ru(f'ulimit -c unlimited; {binary} {shlex.join(options)} & disown'))
if binary.startswith("google-chrome"):
# Need to click away the first window:
machine.wait_for_text("Make Google Chrome the default browser")
machine.screenshot("google_chrome_default_browser_prompt")
machine.send_key("ret")
def create_new_win(): def create_new_win():
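Review bot: `if major_version > "91":` compares two strings, so the ordering is lexicographic. It gives the intended answer for two-digit versions, but `"100" > "91"` is false, so the `--use-gl=angle --use-angle=swiftshader` workaround would be silently dropped once the major version reaches three digits. Compare integers instead, for example `int(major_version) > 91`.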
@ -124,24 +142,32 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
@contextmanager @contextmanager
def test_new_win(description): def test_new_win(description, url, window_name):
create_new_win() create_new_win()
machine.wait_for_window("New Tab")
machine.send_chars(f"{url}\n")
machine.wait_for_window(window_name)
machine.screenshot(description)
machine.succeed(
ru(
"${xdo "copy-all" ''
key --delay 1000 Ctrl+a Ctrl+c
''}"
)
)
clipboard = machine.succeed(
ru("${pkgs.xclip}/bin/xclip -o")
)
print(f"{description} window content:\n{clipboard}")
with machine.nested(description): with machine.nested(description):
yield yield clipboard
# Close the newly created window: # Close the newly created window:
machine.send_key("ctrl-w") machine.send_key("ctrl-w")
machine.wait_for_x() machine.wait_for_x()
url = "file://${startupHTML}" launch_browser()
machine.succeed(ru(f'ulimit -c unlimited; "{get_browser_binary()}" "{url}" & disown'))
if get_browser_binary().startswith("google-chrome"):
# Need to click away the first window:
machine.wait_for_text("Make Google Chrome the default browser")
machine.screenshot("google_chrome_default_browser_prompt")
machine.send_key("ret")
machine.wait_for_text("startup done") machine.wait_for_text("startup done")
machine.wait_until_succeeds( machine.wait_until_succeeds(
@ -164,49 +190,7 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
machine.screenshot("startup_done") machine.screenshot("startup_done")
with test_new_win("check sandbox"): with test_new_win("sandbox_info", "chrome://sandbox", "Sandbox Status") as clipboard:
machine.succeed(
ru(
"${xdo "type-url" ''
search --sync --onlyvisible --name "New Tab"
windowfocus --sync
type --delay 1000 "chrome://sandbox"
''}"
)
)
machine.succeed(
ru(
"${xdo "submit-url" ''
search --sync --onlyvisible --name "New Tab"
windowfocus --sync
key --delay 1000 Return
''}"
)
)
machine.screenshot("sandbox_info")
machine.succeed(
ru(
"${xdo "find-window" ''
search --sync --onlyvisible --name "Sandbox Status"
windowfocus --sync
''}"
)
)
machine.succeed(
ru(
"${xdo "copy-sandbox-info" ''
key --delay 1000 Ctrl+a Ctrl+c
''}"
)
)
clipboard = machine.succeed(
ru("${pkgs.xclip}/bin/xclip -o")
)
filters = [ filters = [
"layer 1 sandbox.*namespace", "layer 1 sandbox.*namespace",
"pid namespaces.*yes", "pid namespaces.*yes",
@ -253,6 +237,11 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
machine.screenshot("after_copy_from_chromium") machine.screenshot("after_copy_from_chromium")
with test_new_win("gpu_info", "chrome://gpu", "chrome://gpu"):
pass
machine.shutdown() machine.shutdown()
''; '';
}) channelMap }) channelMap

View file

@ -0,0 +1,30 @@
import ./make-test-python.nix ({ pkgs, ...} : rec {
name = "jenkins-cli";
meta = with pkgs.lib.maintainers; {
maintainers = [ pamplemousse ];
};
nodes = {
machine =
{ ... }:
{
services.jenkins = {
enable = true;
withCLI = true;
};
};
};
testScript = ''
start_all()
machine.wait_for_unit("jenkins")
assert "JENKINS_URL" in machine.succeed("env")
assert "http://0.0.0.0:8080" in machine.succeed("echo $JENKINS_URL")
machine.succeed(
"jenkins-cli -auth admin:$(cat /var/lib/jenkins/secrets/initialAdminPassword)"
)
'';
})
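Review bot: The final `machine.succeed` runs `jenkins-cli -auth admin:$(cat /var/lib/jenkins/secrets/initialAdminPassword)` with no subcommand after the credentials, so it is unclear what the assertion proves beyond the wrapper being on PATH and exiting zero. Appending a command that needs an authenticated session, such as `who-am-i`, and asserting on its output would show that the CLI actually reaches the server with the admin password. The check for `http://0.0.0.0:8080` in `JENKINS_URL` also pins the wildcard listen address as the client URL; a short comment saying whether that is intended would help.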

View file

@ -98,7 +98,7 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
}]; }];
services.mysql.settings = { services.mysql.settings = {
mysqld = { mysqld = {
plugin-load-add = [ "ha_rocksdb.so" ]; plugin-load-add = [ "ha_mroonga.so" "ha_rocksdb.so" ];
}; };
}; };
services.mysql.package = pkgs.mariadb; services.mysql.package = pkgs.mariadb;
@ -172,6 +172,20 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
"echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 42" "echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 42"
) )
# Check if Mroonga plugin works
mariadb.succeed(
"echo 'use testdb; create table mroongadb (test_id INT, PRIMARY KEY (test_id)) ENGINE = Mroonga;' | sudo -u testuser mysql -u testuser"
)
mariadb.succeed(
"echo 'use testdb; insert into mroongadb values (25);' | sudo -u testuser mysql -u testuser"
)
mariadb.succeed(
"echo 'use testdb; select test_id from mroongadb;' | sudo -u testuser mysql -u testuser -N | grep 25"
)
mariadb.succeed(
"echo 'use testdb; drop table mroongadb;' | sudo -u testuser mysql -u testuser"
)
# Check if RocksDB plugin works # Check if RocksDB plugin works
mariadb.succeed( mariadb.succeed(
"echo 'use testdb; create table rocksdb (test_id INT, PRIMARY KEY (test_id)) ENGINE = RocksDB;' | sudo -u testuser mysql -u testuser" "echo 'use testdb; create table rocksdb (test_id INT, PRIMARY KEY (test_id)) ENGINE = RocksDB;' | sudo -u testuser mysql -u testuser"

View file

@ -29,5 +29,5 @@ builtins.listToAttrs (
}; };
} }
) )
[ "nginxStable" "nginxMainline" "nginxShibboleth" "openresty" "tengine" ] [ "nginxStable" "nginxMainline" "nginxQuic" "nginxShibboleth" "openresty" "tengine" ]
) )

View file

@ -73,8 +73,30 @@ let
machine.succeed( machine.succeed(
"systemctl start ${backupService}.service", "systemctl start ${backupService}.service",
"zcat /var/backup/postgresql/${backupName}.sql.gz | grep '<test>ok</test>'", "zcat /var/backup/postgresql/${backupName}.sql.gz | grep '<test>ok</test>'",
"ls -hal /var/backup/postgresql/ >/dev/console",
"stat -c '%a' /var/backup/postgresql/${backupName}.sql.gz | grep 600", "stat -c '%a' /var/backup/postgresql/${backupName}.sql.gz | grep 600",
) )
with subtest("Backup service fails gracefully"):
# Sabotage the backup process
machine.succeed("rm /run/postgresql/.s.PGSQL.5432")
machine.fail(
"systemctl start ${backupService}.service",
)
machine.succeed(
"ls -hal /var/backup/postgresql/ >/dev/console",
"zcat /var/backup/postgresql/${backupName}.prev.sql.gz | grep '<test>ok</test>'",
"stat /var/backup/postgresql/${backupName}.in-progress.sql.gz",
)
# In a previous version, the second run would overwrite prev.sql.gz,
# so we test a second run as well.
machine.fail(
"systemctl start ${backupService}.service",
)
machine.succeed(
"stat /var/backup/postgresql/${backupName}.in-progress.sql.gz",
"zcat /var/backup/postgresql/${backupName}.prev.sql.gz | grep '<test>ok</test>'",
)
with subtest("Initdb works"): with subtest("Initdb works"):
machine.succeed("sudo -u postgres initdb -D /tmp/testpostgres2") machine.succeed("sudo -u postgres initdb -D /tmp/testpostgres2")
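Review bot: In the "Backup service fails gracefully" subtest the leftover `${backupName}.in-progress.sql.gz` is only checked for existence with `stat`, while the completed dump is asserted to be mode 600. A partial dump can hold the same database contents, so the in-progress and `.prev.sql.gz` files deserve the same `stat -c '%a' ... | grep 600` assertion. It would also be worth noting in a comment that the socket removed by `rm /run/postgresql/.s.PGSQL.5432` is not restored before the later subtests run.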

View file

@ -454,15 +454,21 @@ let
enable = true; enable = true;
lndTlsPath = "/var/lib/lnd/tls.cert"; lndTlsPath = "/var/lib/lnd/tls.cert";
lndMacaroonDir = "/var/lib/lnd"; lndMacaroonDir = "/var/lib/lnd";
extraFlags = [ "--lnd.network=regtest" ];
}; };
metricProvider = { metricProvider = {
systemd.services.prometheus-lnd-exporter.serviceConfig.DynamicUser = false; virtualisation.memorySize = 1024;
services.bitcoind.main.enable = true; systemd.services.prometheus-lnd-exporter.serviceConfig.RestartSec = 15;
services.bitcoind.main.extraConfig = '' systemd.services.prometheus-lnd-exporter.after = [ "lnd.service" ];
services.bitcoind.regtest = {
enable = true;
extraConfig = ''
rpcauth=bitcoinrpc:e8fe33f797e698ac258c16c8d7aadfbe$872bdb8f4d787367c26bcfd75e6c23c4f19d44a69f5d1ad329e5adf3f82710f7 rpcauth=bitcoinrpc:e8fe33f797e698ac258c16c8d7aadfbe$872bdb8f4d787367c26bcfd75e6c23c4f19d44a69f5d1ad329e5adf3f82710f7
bitcoind.zmqpubrawblock=tcp://127.0.0.1:28332 zmqpubrawblock=tcp://127.0.0.1:28332
bitcoind.zmqpubrawtx=tcp://127.0.0.1:28333 zmqpubrawtx=tcp://127.0.0.1:28333
''; '';
extraCmdlineOptions = [ "-regtest" ];
};
systemd.services.lnd = { systemd.services.lnd = {
serviceConfig.ExecStart = '' serviceConfig.ExecStart = ''
${pkgs.lnd}/bin/lnd \ ${pkgs.lnd}/bin/lnd \
@ -471,7 +477,7 @@ let
--tlskeypath=/var/lib/lnd/tls.key \ --tlskeypath=/var/lib/lnd/tls.key \
--logdir=/var/log/lnd \ --logdir=/var/log/lnd \
--bitcoin.active \ --bitcoin.active \
--bitcoin.mainnet \ --bitcoin.regtest \
--bitcoin.node=bitcoind \ --bitcoin.node=bitcoind \
--bitcoind.rpcuser=bitcoinrpc \ --bitcoind.rpcuser=bitcoinrpc \
--bitcoind.rpcpass=hunter2 \ --bitcoind.rpcpass=hunter2 \
@ -483,13 +489,31 @@ let
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
}; };
# initialize wallet, creates macaroon needed by exporter
systemd.services.lnd.postStart = ''
${pkgs.curl}/bin/curl \
--retry 20 \
--retry-delay 1 \
--retry-connrefused \
--cacert /var/lib/lnd/tls.cert \
-X GET \
https://localhost:8080/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > /tmp/seed
${pkgs.curl}/bin/curl \
--retry 20 \
--retry-delay 1 \
--retry-connrefused \
--cacert /var/lib/lnd/tls.cert \
-X POST \
-d "{\"wallet_password\": \"asdfasdfasdf\", \"cipher_seed_mnemonic\": $(cat /tmp/seed | tr -d '\n')}" \
https://localhost:8080/v1/initwallet
'';
}; };
exporterTest = '' exporterTest = ''
wait_for_unit("lnd.service") wait_for_unit("lnd.service")
wait_for_open_port(10009) wait_for_open_port(10009)
wait_for_unit("prometheus-lnd-exporter.service") wait_for_unit("prometheus-lnd-exporter.service")
wait_for_open_port(9092) wait_for_open_port(9092)
succeed("curl -sSf localhost:9092/metrics | grep '^promhttp_metric_handler'") succeed("curl -sSf localhost:9092/metrics | grep '^lnd_peer_count'")
''; '';
}; };
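Review bot: The new `systemd.services.lnd.postStart` writes the wallet seed mnemonic to the fixed path `/tmp/seed` and leaves it there after `initwallet` returns. Even for a regtest wallet in a test VM, a predictable file in a shared temporary directory is a pattern that gets copied into real configurations. Prefer piping the `genseed` output straight into the second request, or writing it under `/var/lib/lnd` (or a `mktemp` file) and deleting it afterwards. A comment marking `asdfasdfasdf` as a throwaway test password would also help.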

View file

@ -104,6 +104,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
ats.wait_for_open_port(80) ats.wait_for_open_port(80)
httpbin.wait_for_unit("httpbin") httpbin.wait_for_unit("httpbin")
httpbin.wait_for_open_port(80) httpbin.wait_for_open_port(80)
client.wait_for_unit("network-online.target")
with subtest("Traffic Server is running"): with subtest("Traffic Server is running"):
out = ats.succeed("traffic_ctl server status") out = ats.succeed("traffic_ctl server status")

View file

@ -0,0 +1,65 @@
import ./make-test-python.nix ({ pkgs, lib, ... }: {
name = "vikunja";
meta = with lib.maintainers; {
maintainers = [ em0lar ];
};
nodes = {
vikunjaSqlite = { ... }: {
services.vikunja = {
enable = true;
database = {
type = "sqlite";
};
frontendScheme = "http";
frontendHostname = "localhost";
};
services.nginx.enable = true;
};
vikunjaPostgresql = { pkgs, ... }: {
services.vikunja = {
enable = true;
database = {
type = "postgres";
user = "vikunja-api";
database = "vikunja-api";
host = "/run/postgresql";
};
frontendScheme = "http";
frontendHostname = "localhost";
};
services.postgresql = {
enable = true;
ensureDatabases = [ "vikunja-api" ];
ensureUsers = [
{ name = "vikunja-api";
ensurePermissions = { "DATABASE \"vikunja-api\"" = "ALL PRIVILEGES"; };
}
];
};
services.nginx.enable = true;
};
};
testScript =
''
vikunjaSqlite.wait_for_unit("vikunja-api.service")
vikunjaSqlite.wait_for_open_port(3456)
vikunjaSqlite.succeed("curl --fail http://localhost:3456/api/v1/info")
vikunjaSqlite.wait_for_unit("nginx.service")
vikunjaSqlite.wait_for_open_port(80)
vikunjaSqlite.succeed("curl --fail http://localhost/api/v1/info")
vikunjaSqlite.succeed("curl --fail http://localhost")
vikunjaPostgresql.wait_for_unit("vikunja-api.service")
vikunjaPostgresql.wait_for_open_port(3456)
vikunjaPostgresql.succeed("curl --fail http://localhost:3456/api/v1/info")
vikunjaPostgresql.wait_for_unit("nginx.service")
vikunjaPostgresql.wait_for_open_port(80)
vikunjaPostgresql.succeed("curl --fail http://localhost/api/v1/info")
vikunjaPostgresql.succeed("curl --fail http://localhost")
'';
})

View file

@ -1,23 +1,19 @@
let let
aliceIp6 = "200:3b91:b2d8:e708:fbf3:f06:fdd5:90d0"; aliceIp6 = "202:b70:9b0b:cf34:f93c:8f18:bbfd:7034";
aliceKeys = { aliceKeys = {
EncryptionPublicKey = "13e23986fe76bc3966b42453f479bc563348b7ff76633b7efcb76e185ec7652f"; PublicKey = "3e91ec9e861960d86e1ce88051f97c435bdf2859640ab681dfa906eb45ad5182";
EncryptionPrivateKey = "9f86947b15e86f9badac095517a1982e39a2db37ca726357f95987b898d82208"; PrivateKey = "a867f9e078e4ce58d310cf5acd4622d759e2a21df07e1d6fc380a2a26489480d3e91ec9e861960d86e1ce88051f97c435bdf2859640ab681dfa906eb45ad5182";
SigningPublicKey = "e2c43349083bc1e998e4ec4535b4c6a8f44ca9a5a8e07336561267253b2be5f4";
SigningPrivateKey = "fe3add8da35316c05f6d90d3ca79bd2801e6ccab6d37e5339fef4152589398abe2c43349083bc1e998e4ec4535b4c6a8f44ca9a5a8e07336561267253b2be5f4";
}; };
bobIp6 = "201:ebbd:bde9:f138:c302:4afa:1fb6:a19a"; bobIp6 = "202:a483:73a4:9f2d:a559:4a19:bc9:8458";
bobPrefix = "301:ebbd:bde9:f138"; bobPrefix = "302:a483:73a4:9f2d";
bobConfig = { bobConfig = {
InterfacePeers = { InterfacePeers = {
eth1 = [ "tcp://192.168.1.200:12345" ]; eth1 = [ "tcp://192.168.1.200:12345" ];
}; };
MulticastInterfaces = [ "eth1" ]; MulticastInterfaces = [ "eth1" ];
LinkLocalTCPPort = 54321; LinkLocalTCPPort = 54321;
EncryptionPublicKey = "c99d6830111e12d1b004c52fe9e5a2eef0f6aefca167aca14589a370b7373279"; PublicKey = "2b6f918b6c1a4b54d6bcde86cf74e074fb32ead4ee439b7930df2aa60c825186";
EncryptionPrivateKey = "2e698a53d3fdce5962d2ff37de0fe77742a5c8b56cd8259f5da6aa792f6e8ba3"; PrivateKey = "0c4a24acd3402722ce9277ed179f4a04b895b49586493c25fbaed60653d857d62b6f918b6c1a4b54d6bcde86cf74e074fb32ead4ee439b7930df2aa60c825186";
SigningPublicKey = "de111da0ec781e45bf6c63ecb45a78c24d7d4655abfaeea83b26c36eb5c0fd5b";
SigningPrivateKey = "2a6c21550f3fca0331df50668ffab66b6dce8237bcd5728e571e8033b363e247de111da0ec781e45bf6c63ecb45a78c24d7d4655abfaeea83b26c36eb5c0fd5b";
}; };
danIp6 = bobPrefix + "::2"; danIp6 = bobPrefix + "::2";
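Review bot: The replaced `PrivateKey` values for alice and bob are committed in clear text with nothing marking them as fixtures. A one-line comment above `aliceKeys` and `bobConfig` saying these keys were generated only for this test and must not be reused would make that explicit for readers and for anyone triaging secret-scanner hits on this file.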

View file

@ -18,14 +18,14 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "squeekboard"; pname = "squeekboard";
version = "1.13.0"; version = "1.14.0";
src = fetchFromGitLab { src = fetchFromGitLab {
domain = "source.puri.sm"; domain = "source.puri.sm";
owner = "Librem5"; owner = "Librem5";
repo = pname; repo = pname;
rev = "v${version}"; rev = "v${version}";
sha256 = "0xyd6ickbaqvrr8a7ak6j1ziqjk05jlnganjrdv43p74nnjyqr8y"; sha256 = "1ayap40pgzcpmfydk5pbf3gwhh26m3cmbk6lyly4jihr9qw7dgb0";
}; };
cargoDeps = rustPlatform.fetchCargoTarball { cargoDeps = rustPlatform.fetchCargoTarball {
@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
cat Cargo.toml.in Cargo.deps > Cargo.toml cat Cargo.toml.in Cargo.deps > Cargo.toml
''; '';
name = "${pname}-${version}"; name = "${pname}-${version}";
sha256 = "096skk7vmr93axcf0qj7kyr8hm1faj0nkmd349g8mnzwd68a9npz"; sha256 = "0148ynzmapxfrlccikf20ikmi0ssbkn9fl5wi6nh6azflv50pzzn";
}; };
nativeBuildInputs = [ nativeBuildInputs = [

View file

@ -62,6 +62,13 @@ let
in in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "audacity"; pname = "audacity";
# nixpkgs-update: no auto update
# Humans too! Let's wait to see how the situation with
# https://github.com/audacity/audacity/issues/1213 develops before
# pulling any updates that are subject to this privacy policy. We
# may wish to switch to a fork, but at the time of writing
# (2021-07-05) it's too early to tell how well any of the forks will
# be maintained.
version = "3.0.2"; version = "3.0.2";
src = fetchFromGitHub { src = fetchFromGitHub {

View file

@ -0,0 +1,107 @@
{ lib
, stdenv
, desktop-file-utils
, fetchFromGitHub
, calf
, fftwFloat
, glib
, glibmm
, gtk4
, gtkmm4
, itstool
, libbs2b
, libebur128
, libsamplerate
, libsndfile
, lilv
, lsp-plugins
, lv2
, meson
, ninja
, nlohmann_json
, pipewire
, pkg-config
, python3
, rnnoise
, rubberband
, speexdsp
, wrapGAppsHook
, zam-plugins
, zita-convolver
}:
stdenv.mkDerivation rec {
pname = "easyeffects";
version = "6.0.0";
src = fetchFromGitHub {
owner = "wwmm";
repo = "easyeffects";
rev = "v${version}";
hash = "sha256:1m3jamnhgpx3z51nfc8xg7adhf5x7dirvw0wf129hzxx4fjl7rch";
};
nativeBuildInputs = [
desktop-file-utils
itstool
meson
ninja
pkg-config
python3
wrapGAppsHook
];
buildInputs = [
fftwFloat
glib
glibmm
gtk4
gtkmm4
libbs2b
libebur128
libsamplerate
libsndfile
lilv
lv2
nlohmann_json
pipewire
rnnoise
rubberband
speexdsp
zita-convolver
];
postPatch = ''
chmod +x meson_post_install.py
patchShebangs meson_post_install.py
'';
preFixup =
let
lv2Plugins = [
calf # limiter, compressor exciter, bass enhancer and others
lsp-plugins # delay
];
ladspaPlugins = [
rubberband # pitch shifting
zam-plugins # maximizer
];
in
''
gappsWrapperArgs+=(
--set LV2_PATH "${lib.makeSearchPath "lib/lv2" lv2Plugins}"
--set LADSPA_PATH "${lib.makeSearchPath "lib/ladspa" ladspaPlugins}"
)
'';
separateDebugInfo = true;
meta = with lib; {
description = "Audio effects for PipeWire applications.";
homepage = "https://github.com/wwmm/easyeffects";
license = licenses.gpl3Plus;
maintainers = with maintainers; [ jtojnar ];
platforms = platforms.linux;
badPlatforms = [ "aarch64-linux" ];
};
}
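Review bot: Two style points in the new expression. `description = "Audio effects for PipeWire applications.";` ends with a period, which the nixpkgs convention for `meta.description` asks to leave off. The source hash is written as `hash = "sha256:1m3j..."` while the other packages touched in this commit use either `sha256 = "..."` or the SRI form `sha256-...`; picking one of those keeps the tree consistent.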

View file

@ -1,7 +1,6 @@
{ lib { lib
, python3 , python3
, fetchFromGitHub , fetchFromGitHub
, fetchpatch
, appstream-glib , appstream-glib
, desktop-file-utils , desktop-file-utils
, gettext , gettext
@ -19,7 +18,7 @@
python3.pkgs.buildPythonApplication rec { python3.pkgs.buildPythonApplication rec {
pname = "mousai"; pname = "mousai";
version = "0.4.1"; version = "0.4.2";
format = "other"; format = "other";
@ -27,17 +26,9 @@ python3.pkgs.buildPythonApplication rec {
owner = "SeaDve"; owner = "SeaDve";
repo = "Mousai"; repo = "Mousai";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-AfR5n1dIm9X5OoPiikQEhHBFQq0rmQH4h7cCJ2yXoXI="; sha256 = "sha256-zH++GGFIz3oxkKOYB4zhY6yL3vENEXxtrv8mZZ+41kU=";
}; };
patches = [
(fetchpatch {
name = "fix-ABI-breakage-from-libadwaita.patch";
url = "https://github.com/SeaDve/Mousai/commit/e3db2d9d1949300f49399209b56d667746e539df.patch";
sha256 = "078kvmyhw4jd1m2npai0yl00lwh47jys2n03pkgxp6jf873y83vs";
})
];
postPatch = '' postPatch = ''
patchShebangs build-aux/meson patchShebangs build-aux/meson
''; '';

View file

@ -3,11 +3,11 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "openmpt123"; pname = "openmpt123";
version = "0.5.9"; version = "0.5.10";
src = fetchurl { src = fetchurl {
url = "https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-${version}+release.autotools.tar.gz"; url = "https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-${version}+release.autotools.tar.gz";
sha256 = "0h86p8mnpm98vc4v6jbvrmm02fch7dnn332i26fg3a2s1738m04d"; sha256 = "sha256-Waj6KNi432nLf6WXK9+TEIHatOHhFWxpoaU7ZcK+n/o=";
}; };
enableParallelBuilding = true; enableParallelBuilding = true;

View file

@ -0,0 +1,200 @@
{ lib, stdenv, curl, gnugrep, jq, xorg, alsa-lib, freetype, p7zip, autoPatchelfHook, writeShellScript, zlib, libjack2, makeWrapper }:
let
versionForFile = v: builtins.replaceStrings ["."] [""] v;
mkPianoteq = { name, src, version, archdir, ... }:
stdenv.mkDerivation rec {
inherit src version;
pname = "pianoteq-${name}";
unpackPhase = ''
${p7zip}/bin/7z x $src
'';
nativeBuildInputs = [
autoPatchelfHook
makeWrapper
];
buildInputs = [
stdenv.cc.cc.lib
xorg.libX11 # libX11.so.6
xorg.libXext # libXext.so.6
alsa-lib # libasound.so.2
freetype # libfreetype.so.6
];
installPhase = ''
mkdir -p $out/bin
mv -t $out/bin Pianoteq*/${archdir}/*
for f in $out/bin/Pianoteq*; do
if [ -x "$f" ] && [ -f "$f" ]; then
wrapProgram "$f" --prefix LD_LIBRARY_PATH : ${
lib.makeLibraryPath (buildInputs ++ [
xorg.libXcursor
xorg.libXinerama
xorg.libXrandr
libjack2
zlib
])
}
fi
done
'';
meta = with lib; {
homepage = "https://www.modartt.com/pianoteq";
description = "Software synthesizer that features real-time MIDI-control of digital physically modeled pianos and related instruments";
license = licenses.unfree;
platforms = [ "x86_64-linux" ]; # TODO extract binary according to each platform?
maintainers = [ maintainers.mausch ];
};
};
fetchWithCurlScript = { name, sha256, script, impureEnvVars ? [] }:
stdenv.mkDerivation {
inherit name;
builder = writeShellScript "builder.sh" ''
source $stdenv/setup
curlVersion=$(${curl}/bin/curl -V | head -1 | cut -d' ' -f2)
# Curl flags to handle redirects, not use EPSV, handle cookies for
# servers to need them during redirects, and work on SSL without a
# certificate (this isn't a security problem because we check the
# cryptographic hash of the output anyway).
curl=(
${curl}/bin/curl
--location
--max-redirs 20
--retry 3
--disable-epsv
--cookie-jar cookies
--insecure
--user-agent "curl/$curlVersion Nixpkgs/${lib.trivial.release}"
$NIX_CURL_FLAGS
)
${script}
'';
nativeBuildInputs = [ curl ];
outputHashAlgo = "sha256";
outputHash = sha256;
impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ impureEnvVars ++ [
# This variable allows the user to pass additional options to curl
"NIX_CURL_FLAGS"
];
};
fetchPianoteqTrial = { name, sha256 }:
fetchWithCurlScript {
inherit name sha256;
script = ''
"''${curl[@]}" --silent --request POST \
--cookie cookies \
--header "modartt-json: request" \
--header "origin: https://www.modartt.com" \
--header "content-type: application/json; charset=UTF-8" \
--header "accept: application/json, text/javascript, */*" \
--data-raw '{"file": "${name}", "get": "url"}' \
https://www.modartt.com/json/download -o /dev/null
json=$(
"''${curl[@]}" --silent --request POST \
--cookie cookies \
--header "modartt-json: request" \
--header "origin: https://www.modartt.com" \
--header "content-type: application/json; charset=UTF-8" \
--header "accept: application/json, text/javascript, */*" \
--data-raw '{"file": "${name}", "get": "url"}' \
https://www.modartt.com/json/download
)
url=$(echo $json | ${jq}/bin/jq -r .url)
"''${curl[@]}" --progress-bar --cookie cookies -o $out "$url"
'';
};
fetchPianoteqWithLogin = { name, sha256 }:
fetchWithCurlScript {
inherit name sha256;
impureEnvVars = [ "NIX_MODARTT_USERNAME" "NIX_MODARTT_PASSWORD" ];
script = ''
if [ -z "''${NIX_MODARTT_USERNAME}" -o -z "''${NIX_MODARTT_PASSWORD}" ]; then
echo "Error: Downloading a personal Pianoteq instance requires the nix building process (nix-daemon in multi user mode) to have the NIX_MODARTT_USERNAME and NIX_MODARTT_PASSWORD env vars set." >&2
exit 1
fi
"''${curl[@]}" -s -o /dev/null "https://www.modartt.com/user_area"
${jq}/bin/jq -n "{connect: 1, login: \"''${NIX_MODARTT_USERNAME}\", password: \"''${NIX_MODARTT_PASSWORD}\"}" > login.json
"''${curl[@]}" --silent --request POST \
--cookie cookies \
--referer "https://www.modartt.com/user_area" \
--header "modartt-json: request" \
--header "origin: https://www.modartt.com" \
--header "content-type: application/json; charset=UTF-8" \
--header "accept: application/json, text/javascript, */*" \
--data @login.json \
https://www.modartt.com/json/session
json=$(
"''${curl[@]}" --silent --request POST \
--cookie cookies \
--header "modartt-json: request" \
--header "origin: https://www.modartt.com" \
--header "content-type: application/json; charset=UTF-8" \
--header "accept: application/json, text/javascript, */*" \
--data-raw '{"file": "${name}", "get": "url"}' \
https://www.modartt.com/json/download
)
url=$(echo $json | ${jq}/bin/jq -r .url)
"''${curl[@]}" --progress-bar --cookie cookies -o $out "$url"
'';
};
in {
# TODO currently can't install more than one because `lame` clashes
stage-trial = mkPianoteq rec {
name = "stage-trial";
version = "7.4.1";
archdir = "x86-64bit";
src = fetchPianoteqTrial {
name = "pianoteq_stage_linux_trial_v${versionForFile version}.7z";
sha256 = "14mbaz6i1rxqayrjjkck9yx8iijkm4q1qz29ymkd7sz2gpk7fcpa";
};
};
standard-trial = mkPianoteq rec {
name = "standard-trial";
version = "7.4.1";
archdir = "x86-64bit";
src = fetchPianoteqTrial {
name = "pianoteq_linux_trial_v${versionForFile version}.7z";
sha256 = "01xh4n0h7dd3xqhm0bx0a62mqmfvxvmr5cm5r2g249c9wqg5i32a";
};
};
stage-6 = mkPianoteq rec {
name = "stage-6";
version = "6.7.3";
archdir = "amd64";
src = fetchPianoteqWithLogin {
name = "pianoteq_stage_linux_v${versionForFile version}.7z";
sha256 = "0jy0hkdynhwv0zhrqkby0hdphgmcc09wxmy74rhg9afm1pzl91jy";
};
};
stage-7 = mkPianoteq rec {
name = "stage-7";
version = "7.3.0";
archdir = "x86-64bit";
src = fetchPianoteqWithLogin {
name = "pianoteq_stage_linux_v${versionForFile version}.7z";
sha256 = "05w7sv9v38r6ljz9xai816w5z2qqwx88hcfjm241fvgbs54125hx";
};
};
# TODO other paid binaries, I don't own that so I don't know their hash.
}
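Review bot: The shared `curl` array in `fetchWithCurlScript` includes `--insecure`, and the comment justifying it ("this isn't a security problem because we check the cryptographic hash of the output anyway") only covers the downloaded file. `fetchPianoteqWithLogin` reuses the same array to POST `login.json`, which contains `NIX_MODARTT_USERNAME` and `NIX_MODARTT_PASSWORD`, to `https://www.modartt.com/json/session`, so the account password is sent over a connection with certificate verification disabled and the output hash does nothing to protect it. Drop `--insecure` at least for the login path and pass a CA bundle to curl instead. Separately, `fetchPianoteqTrial` issues the same `json/download` POST twice, the first time with `-o /dev/null`; if the first call exists only to obtain a cookie, a comment saying so would save the next reader from removing it.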

View file

@ -2,13 +2,13 @@
let let
pname = "plexamp"; pname = "plexamp";
version = "3.4.7"; version = "3.5.0";
name = "${pname}-${version}"; name = "${pname}-${version}";
src = fetchurl { src = fetchurl {
url = "https://plexamp.plex.tv/plexamp.plex.tv/desktop/Plexamp-${version}.AppImage"; url = "https://plexamp.plex.tv/plexamp.plex.tv/desktop/Plexamp-${version}.AppImage";
name="${pname}-${version}.AppImage"; name="${pname}-${version}.AppImage";
sha512 = "+jmx4X9KiK1Tv2Cjb/445MY9G2b7pLdKxFtBFMaQwRhqTItA33MfHqKBwmytmbEhxhy0LDTU2woJvEMPQCmnvg=="; sha512 = "NjhrtGQsIbNDmGPEDmEbaHSfvUTFb1e7yPorF/BzWTfwVoFZEJiNzP/1k+zTJ4Yfd4mG0W0GYx0jh8m/micWIg==";
}; };
appimageContents = appimageTools.extractType2 { appimageContents = appimageTools.extractType2 {
@ -34,7 +34,7 @@ in appimageTools.wrapType2 {
meta = with lib; { meta = with lib; {
description = "A beautiful Plex music player for audiophiles, curators, and hipsters"; description = "A beautiful Plex music player for audiophiles, curators, and hipsters";
homepage = "https://plexamp.com/"; homepage = "https://plexamp.com/";
changelog = "https://forums.plex.tv/t/plexamp-release-notes/221280/29"; changelog = "https://forums.plex.tv/t/plexamp-release-notes/221280/30";
license = licenses.unfree; license = licenses.unfree;
maintainers = with maintainers; [ killercup synthetica ]; maintainers = with maintainers; [ killercup synthetica ];
platforms = [ "x86_64-linux" ]; platforms = [ "x86_64-linux" ];

View file

@ -1,30 +1,34 @@
{ lib, stdenv, fetchurl, alsa-lib, gtk2, pkg-config }: { lib, stdenv, fetchFromGitHub, pkg-config, wrapGAppsHook, alsa-lib, gtk3, libpulseaudio }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "praat"; pname = "praat";
version = "6.0.43"; version = "6.1.50";
src = fetchurl { src = fetchFromGitHub {
url = "https://github.com/praat/praat/archive/v${version}.tar.gz"; owner = "praat";
sha256 = "1l13bvnl7sv8v6s5z63201bhzavnj6bnqcj446akippsam13z4sf"; repo = "praat";
rev = "v${version}";
sha256 = "11cw4292pml71hdnfy8y91blwyh45dyam1ywr09355zk44c5njpq";
}; };
configurePhase = '' configurePhase = ''
cp makefiles/makefile.defs.linux.alsa makefile.defs cp makefiles/makefile.defs.linux.pulse makefile.defs
''; '';
installPhase = '' installPhase = ''
mkdir -p $out/bin install -Dt $out/bin praat
cp praat $out/bin
''; '';
nativeBuildInputs = [ pkg-config ]; nativeBuildInputs = [ pkg-config wrapGAppsHook ];
buildInputs = [ alsa-lib gtk2 ]; buildInputs = [ alsa-lib gtk3 libpulseaudio ];
meta = { enableParallelBuilding = true;
meta = with lib; {
description = "Doing phonetics by computer"; description = "Doing phonetics by computer";
homepage = "https://www.fon.hum.uva.nl/praat/"; homepage = "https://www.fon.hum.uva.nl/praat/";
license = lib.licenses.gpl2Plus; # Has some 3rd-party code in it though license = licenses.gpl2Plus; # Has some 3rd-party code in it though
platforms = lib.platforms.linux; maintainers = with maintainers; [ orivej ];
platforms = platforms.linux;
}; };
} }

View file

@ -1,127 +0,0 @@
{ lib, stdenv
, fetchFromGitHub
, fetchpatch
, meson
, ninja
, pkg-config
, itstool
, python3
, libxml2
, desktop-file-utils
, wrapGAppsHook
, gst_all_1
, pipewire
, gtk3
, glib
, glibmm
, gtkmm3
, lilv
, lv2
, serd
, sord
, sratom
, libbs2b
, libsamplerate
, libsndfile
, libebur128
, rnnoise
, boost
, dbus
, fftwFloat
, calf
, zita-convolver
, zam-plugins
, rubberband
, lsp-plugins
}:
let
lv2Plugins = [
calf # limiter, compressor exciter, bass enhancer and others
lsp-plugins # delay
];
ladspaPlugins = [
rubberband # pitch shifting
zam-plugins # maximizer
];
in stdenv.mkDerivation rec {
pname = "pulseeffects";
version = "5.0.3";
src = fetchFromGitHub {
owner = "wwmm";
repo = "pulseeffects";
rev = "v${version}";
sha256 = "1dicvq17vajk3vr4g1y80599ahkw0dp5ynlany1cfljfjz40s8sx";
};
nativeBuildInputs = [
meson
ninja
pkg-config
libxml2
itstool
python3
desktop-file-utils
wrapGAppsHook
];
buildInputs = [
pipewire
glib
glibmm
gtk3
gtkmm3
gst_all_1.gstreamer
gst_all_1.gst-plugins-base # gst-fft
gst_all_1.gst-plugins-good # spectrum plugin
gst_all_1.gst-plugins-bad
lilv lv2 serd sord sratom
libbs2b
libebur128
libsamplerate
libsndfile
rnnoise
boost
dbus
fftwFloat
zita-convolver
];
patches = [
(fetchpatch {
# Fix build failure.
# https://github.com/wwmm/pulseeffects/pull/934
url = "https://github.com/wwmm/pulseeffects/commit/ab7354a6850d23840b4c9af212dbebf4f31a562f.patch";
sha256 = "1hd05xn6sp0xs632mqgwk19hl40kh2f69mx5mgzahysrj057w22c";
})
];
postPatch = ''
chmod +x meson_post_install.py
patchShebangs meson_post_install.py
'';
preFixup = ''
gappsWrapperArgs+=(
--set LV2_PATH "${lib.makeSearchPath "lib/lv2" lv2Plugins}"
--set LADSPA_PATH "${lib.makeSearchPath "lib/ladspa" ladspaPlugins}"
)
'';
# Meson is no longer able to pick up Boost automatically.
# https://github.com/NixOS/nixpkgs/issues/86131
BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
separateDebugInfo = true;
meta = with lib; {
description = "Limiter, compressor, reverberation, equalizer and auto volume effects for Pulseaudio applications";
homepage = "https://github.com/wwmm/pulseeffects";
license = licenses.gpl3Plus;
maintainers = with maintainers; [ jtojnar ];
platforms = platforms.linux;
badPlatforms = [ "aarch64-linux" ];
};
}
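Review bot: The whole pulseeffects 5.0.3 expression is deleted here (`-1,127 +0,0`), and these lines give no hint of what existing `pulseeffects` references should resolve to afterwards. If the attribute is going away rather than moving, add an entry in `pkgs/top-level/aliases.nix` (an alias or a `throw` naming the replacement) so configurations fail with an actionable message instead of an undefined-attribute error, and name the superseding package in the commit message.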

View file

@ -1,4 +1,4 @@
{ lib, stdenv, fetchurl, pkg-config { lib, stdenv, fetchurl, pkg-config, fetchFromGitLab
, python3 , python3
, perl , perl
, perlPackages , perlPackages
@ -6,6 +6,7 @@
, intltool , intltool
, libpeas , libpeas
, libsoup , libsoup
, libdmapsharing
, gnome , gnome
, totem-pl-parser , totem-pl-parser
, tdb , tdb
@ -18,6 +19,25 @@
let let
pname = "rhythmbox"; pname = "rhythmbox";
version = "3.4.4"; version = "3.4.4";
# The API version of libdmapsharing required by rhythmbox 3.4.4 is 3.0.
# This PR would solve the issue:
# https://gitlab.gnome.org/GNOME/rhythmbox/-/merge_requests/12
# Unfortunately applying this patch produces a rhythmbox which
# cannot fetch data from DAAP shares.
libdmapsharing_3 = libdmapsharing.overrideAttrs (old: rec {
version = "2.9.41";
src = fetchFromGitLab {
domain = "gitlab.gnome.org";
owner = "GNOME";
repo = old.pname;
rev = "${lib.toUpper old.pname}_${lib.replaceStrings ["."] ["_"] version}";
sha256 = "05kvrzf0cp3mskdy6iv7zqq24qdczl800q2dn1h4bk3d9wchgm4p";
};
});
in stdenv.mkDerivation rec { in stdenv.mkDerivation rec {
name = "${pname}-${version}"; name = "${pname}-${version}";
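Review bot: The `let` binding is called `libdmapsharing_3` and the comment says API version 3.0 is required, yet the override pins `version = "2.9.41"`; say in the comment how 2.9.41 relates to API 3.0, otherwise the next reader will take the name/version mismatch for a mistake. The comment also says the upstream merge request "would solve the issue" without stating what the issue is; spell it out and note the condition under which this override can be dropped. Because the pinned copy backs DAAP, which fetches data from network shares, and no longer follows updates to the main `libdmapsharing` attribute, it needs someone watching upstream for fixes.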
@ -46,8 +66,12 @@ in stdenv.mkDerivation rec {
gst_all_1.gstreamer gst_all_1.gstreamer
gst_all_1.gst-plugins-base gst_all_1.gst-plugins-base
libdmapsharing_3 # necessary for daap support
] ++ gst_plugins; ] ++ gst_plugins;
configureFlags = [ "--enable-daap" ];
enableParallelBuilding = true; enableParallelBuilding = true;
passthru = { passthru = {

View file

@ -8,8 +8,8 @@
, gitMinimal , gitMinimal
, glib , glib
, gst_all_1 , gst_all_1
, gtk3 , gtk4
, libhandy_0 , libadwaita
, meson , meson
, ninja , ninja
, openssl , openssl
@ -22,20 +22,20 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "shortwave"; pname = "shortwave";
version = "1.1.1"; version = "2.0.1";
src = fetchFromGitLab { src = fetchFromGitLab {
domain = "gitlab.gnome.org"; domain = "gitlab.gnome.org";
owner = "World"; owner = "World";
repo = "Shortwave"; repo = "Shortwave";
rev = version; rev = version;
sha256 = "1vlhp2ss06j41simjrrjg38alp85jddhqyvccy6bhfzm0gzynwld"; sha256 = "sha256-25qPb7qlqCwYJzl4qZxAZYx5asxSlXBlc/0dGyBdk1o=";
}; };
cargoDeps = rustPlatform.fetchCargoTarball { cargoDeps = rustPlatform.fetchCargoTarball {
inherit src; inherit src;
name = "${pname}-${version}"; name = "${pname}-${version}";
hash = "sha256-0+KEbjTLecL0u/3S9FWf2r2h9ZrgcRTY163kS3NKJqA="; hash = "sha256-00dQXcSNmdZb2nSLG3q7jm4sugF9XR4LbH0OmcuHVxA=";
}; };
nativeBuildInputs = [ nativeBuildInputs = [
@ -57,8 +57,8 @@ stdenv.mkDerivation rec {
dbus dbus
gdk-pixbuf gdk-pixbuf
glib glib
gtk3 gtk4
libhandy_0 libadwaita
openssl openssl
sqlite sqlite
] ++ (with gst_all_1; [ ] ++ (with gst_all_1; [

View file

@ -0,0 +1,60 @@
{ stdenv
, dpkg
, lib
, autoPatchelfHook
, fetchurl
, gtk3
, glib
, desktop-file-utils
, alsa-lib
, libjack2
, harfbuzz
, fribidi
, pango
, freetype
}:
stdenv.mkDerivation rec {
pname = "tonelib-jam";
version = "4.6.6";
src = fetchurl {
url = "https://www.tonelib.net/download/0509/ToneLib-Jam-amd64.deb";
sha256 = "sha256-cizIQgO35CQSLme/LKQqP+WzB/jCTk+fS5Z+EtF7wnQ=";
};
buildInputs = [
dpkg
gtk3
glib
desktop-file-utils
alsa-lib
libjack2
harfbuzz
fribidi
pango
freetype
];
nativeBuildInputs = [
autoPatchelfHook
];
unpackPhase = ''
mkdir -p $TMP/ $out/
dpkg -x $src $TMP
'';
installPhase = ''
cp -R $TMP/usr/* $out/
mv $out/bin/ToneLib-Jam $out/bin/tonelib-jam
'';
meta = with lib; {
description = "ToneLib Jam the learning and practice software for guitar players";
homepage = "https://tonelib.net/";
license = licenses.unfree;
maintainers = with maintainers; [ dan4ik605743 ];
platforms = platforms.linux;
};
}
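Review bot: `src.url` (the `download/0509/` path) does not contain `version`, so nothing ties the declared `4.6.6` to the file that is fetched: bumping `version` alone changes nothing about the fetched `.deb`, and if upstream replaces the file under the same path the pinned `sha256` simply stops matching. Please add a comment recording how the `0509` path segment maps to a release, and confirm the version from the package contents on each update. Separately, `dpkg` is only run during unpack, so it belongs in `nativeBuildInputs` next to `autoPatchelfHook`, not in `buildInputs`.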

View file

@ -0,0 +1,48 @@
{ stdenv
, dpkg
, lib
, autoPatchelfHook
, fetchurl
, webkitgtk
, libjack2
, alsa-lib
}:
stdenv.mkDerivation rec {
pname = "tonelib-zoom";
version = "4.3.1";
src = fetchurl {
url = "https://www.tonelib.net/download/0129/ToneLib-Zoom-amd64.deb";
sha256 = "sha256-4q2vM0/q7o/FracnO2xxnr27opqfVQoN7fsqTD9Tr/c=";
};
buildInputs = [
dpkg
webkitgtk
libjack2
alsa-lib
];
nativeBuildInputs = [
autoPatchelfHook
];
unpackPhase = ''
mkdir -p $TMP/ $out/
dpkg -x $src $TMP
'';
installPhase = ''
cp -R $TMP/usr/* $out/
mv $out/bin/ToneLib-Zoom $out/bin/tonelib-zoom
'';
meta = with lib; {
description = "ToneLib Zoom change and save all the settings in your Zoom(r) guitar pedal";
homepage = "https://tonelib.net/";
license = licenses.unfree;
maintainers = with maintainers; [ dan4ik605743 ];
platforms = platforms.linux;
};
}
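Review bot: `unpackPhase` extracts into `$TMP` and creates `$out`, and `installPhase` then copies from `$TMP/usr/*`; both phases are replaced wholesale without `runHook preUnpack`/`postUnpack` and `runHook preInstall`/`postInstall`, so anything that relies on those hooks is skipped. Extract into a directory under the build directory, quote `"$src"` and `"$out"`, and create `$out` in `installPhase` rather than during unpack. `dpkg` is a build-time tool and should move to `nativeBuildInputs`, and `description` should not start with the package name.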

View file

@ -0,0 +1,41 @@
{ stdenv, lib, fetchFromGitHub, rustPlatform, pkg-config
, withGui ? true, webkitgtk, Cocoa, WebKit
}:
rustPlatform.buildRustPackage rec {
pname = "alfis";
version = "0.6.5";
src = fetchFromGitHub {
owner = "Revertron";
repo = "Alfis";
rev = "v${version}";
sha256 = "1g95yvkvlj78bqrk3p2xbhrmg1hrlgbyr1a4s7vg45y60zys2c2j";
};
cargoSha256 = "1n7kb1lyghpkgdgd58pw8ldvfps30rnv5niwx35pkdg74h59hqgj";
cargoBuildFlags = [ "--no-default-features" ]
++ lib.optional withGui "--features webgui";
cargoTestFlags = [ "--no-default-features" ]
++ lib.optional withGui "--features webgui";
checkFlags = [
# these want internet access, disable them
"--skip=dns::client::tests::test_tcp_client"
"--skip=dns::client::tests::test_udp_client"
];
nativeBuildInputs = [ pkg-config ];
buildInputs = lib.optional (withGui && stdenv.isLinux) webkitgtk
++ lib.optionals (withGui && stdenv.isDarwin) [ Cocoa WebKit ];
meta = with lib; {
description = "Alternative Free Identity System";
homepage = "https://alfis.name";
license = licenses.agpl3Only;
maintainers = with maintainers; [ misuzu ];
platforms = platforms.unix;
};
}

View file

@ -15,13 +15,13 @@ in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "btcpayserver"; pname = "btcpayserver";
version = "1.1.1"; version = "1.1.2";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = pname; owner = pname;
repo = pname; repo = pname;
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-cCm4CZdVtjO2nj69CgRCrcwO0lAbiQVD6KocOj4CSdY="; sha256 = "sha256-A9XIKCw1dL4vUQYSu6WdmpR82dAbtKVTyjllquyRGgs=";
}; };
nativeBuildInputs = [ dotnetSdk dotnetPackages.Nuget makeWrapper ]; nativeBuildInputs = [ dotnetSdk dotnetPackages.Nuget makeWrapper ];

View file

@ -2,13 +2,13 @@
python3Packages.buildPythonApplication rec { python3Packages.buildPythonApplication rec {
pname = "charge-lnd"; pname = "charge-lnd";
version = "0.1.3"; version = "0.2.1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "accumulator"; owner = "accumulator";
repo = pname; repo = pname;
rev = "v${version}"; rev = "v${version}";
sha256 = "0npn45qbbsbzj5qy9kwx662hml1y610ysmfl89sda02l6wf1sp3y"; sha256 = "0l4h3fdvln03ycbg3xngh8vkhgrz4ad864yyn4gmdjp0ypi69qa1";
}; };
propagatedBuildInputs = with python3Packages; [ propagatedBuildInputs = with python3Packages; [

View file

@ -6,18 +6,16 @@
python3Packages.buildPythonApplication rec { python3Packages.buildPythonApplication rec {
pname = "chia"; pname = "chia";
version = "1.1.7"; version = "1.2.1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "Chia-Network"; owner = "Chia-Network";
repo = "chia-blockchain"; repo = "chia-blockchain";
rev = version; rev = version;
sha256 = "05hcckkv3vhz172w9kp5lh4srakizx1l383dijs50vgx2bj30m8v"; sha256 = "sha256-ZNSNROWl6RR4GZnoRGAXrdw48wH9OOgrsoKz0RNIIcs=";
}; };
patches = [ patches = [
# tweak version requirements to what's available in Nixpkgs
./dependencies.patch
# Allow later websockets release, https://github.com/Chia-Network/chia-blockchain/pull/6304 # Allow later websockets release, https://github.com/Chia-Network/chia-blockchain/pull/6304
(fetchpatch { (fetchpatch {
name = "later-websockets.patch"; name = "later-websockets.patch";
@ -66,6 +64,16 @@ python3Packages.buildPythonApplication rec {
"test_spend_zero_coin" "test_spend_zero_coin"
]; ];
postPatch = ''
# tweak version requirements to what's available in Nixpkgs
substituteInPlace setup.py \
--replace "aiohttp==3.7.4" "aiohttp>=3.7.4" \
--replace "sortedcontainers==2.3.0" "sortedcontainers>=2.3.0" \
--replace "click==7.1.2" "click>=7.1.2" \
--replace "clvm_rs==0.1.8" "clvm_rs>=0.1.8" \
--replace "clvm==0.9.7" "clvm>=0.9.7" \
'';
preCheck = '' preCheck = ''
export HOME=`mktemp -d` export HOME=`mktemp -d`
''; '';
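Review bot: The last `--replace` line in `postPatch` ends in a line-continuation backslash (`"clvm>=0.9.7" \`) with nothing after it before the closing `''`; drop it so the command ends where its arguments end. Each `--replace` also matches one exact upstream pin (`aiohttp==3.7.4`, `clvm==0.9.7` and so on), so a substitution stops applying as soon as upstream moves that pin; re-check these strings against `setup.py` on every version bump. Note too that `>=` with no upper bound accepts any later major release, which leaves the test suite as the only guard against an incompatible dependency.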

View file

@ -1,13 +0,0 @@
diff --git a/setup.py b/setup.py
index c5cf95db..b783a9e6 100644
--- a/setup.py
+++ b/setup.py
@@ -8,7 +8,7 @@ dependencies = [
"clvm==0.9.6",
"clvm_rs==0.1.7",
"clvm_tools==0.4.3",
- "aiohttp==3.7.4", # HTTP server for full node rpc
+ "aiohttp==3.7.4.post0", # HTTP server for full node rpc
"aiosqlite==0.17.0", # asyncio wrapper for sqlite, to store blocks
"bitstring==3.1.7", # Binary data management library
"colorlog==5.0.1", # Adds color to logs

View file

@ -6,20 +6,20 @@
rustPlatform.buildRustPackage rec { rustPlatform.buildRustPackage rec {
pname = "electrs"; pname = "electrs";
version = "0.8.9"; version = "0.8.10";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "romanz"; owner = "romanz";
repo = pname; repo = pname;
rev = "v${version}"; rev = "v${version}";
sha256 = "01fli2k5yh4iwlds97p5c36q19s3zxrqhkzp9dsjbgsf7sv35r3y"; sha256 = "0q7mvpflnzzm88jbsdxgvhk9jr5mvn23hhj2iwy2grnfngxsmz3y";
}; };
# needed for librocksdb-sys # needed for librocksdb-sys
nativeBuildInputs = [ llvmPackages.clang ]; nativeBuildInputs = [ llvmPackages.clang ];
LIBCLANG_PATH = "${llvmPackages.libclang.lib}/lib"; LIBCLANG_PATH = "${llvmPackages.libclang.lib}/lib";
cargoSha256 = "1rqpadlr9r4z2z825li6vi5a21hivc3bsn5ibxshrdrwiycyyxz8"; cargoSha256 = "0i8npa840g4kz50n6x40z22x9apq8snw6xgjz4vn2kh67xc4c738";
meta = with lib; { meta = with lib; {
description = "An efficient re-implementation of Electrum Server in Rust"; description = "An efficient re-implementation of Electrum Server in Rust";

View file

@ -0,0 +1,37 @@
{ buildGoModule, fetchFromGitHub, lib }:
buildGoModule rec {
pname = "lightwalletd";
version = "0.4.7";
src = fetchFromGitHub {
owner = "zcash";
repo = "lightwalletd";
rev = "v${version}";
sha256 = "0dwam3fhc4caga7kjg6cc06sz47g4ii7n3sa4j2ac4aiy21hsbjk";
};
vendorSha256 = null;
ldflags = [
"-s" "-w"
"-X github.com/zcash/lightwalletd/common.Version=v${version}"
"-X github.com/zcash/lightwalletd/common.GitCommit=v${version}"
"-X github.com/zcash/lightwalletd/common.BuildDate=1970-01-01"
"-X github.com/zcash/lightwalletd/common.BuildUser=nixbld"
];
postFixup = ''
shopt -s extglob
cd $out/bin
rm !(lightwalletd)
'';
meta = with lib; {
description = "A backend service that provides a bandwidth-efficient interface to the Zcash blockchain";
homepage = "https://github.com/zcash/lightwalletd";
maintainers = with maintainers; [ centromere ];
license = licenses.mit;
platforms = platforms.linux;
};
}
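Review bot: `postFixup` deletes every binary except `lightwalletd` with `shopt -s extglob` and `rm !(lightwalletd)` after an unquoted `cd $out/bin`; it is less fragile not to build the extra commands at all, for example with `subPackages = [ "." ]`, assuming the main package sits at the repository root. In `ldflags`, `common.GitCommit=v${version}` stamps a tag name into a field that reads as a commit hash; pass the real revision or leave the field unset so the reported build information is not misleading when matching a running binary to its source.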

View file

@ -15,13 +15,13 @@ in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "nbxplorer"; pname = "nbxplorer";
version = "2.1.51"; version = "2.1.52";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "dgarage"; owner = "dgarage";
repo = "NBXplorer"; repo = "NBXplorer";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-tvuuoDZCSDFa8gAVyH+EP1DLtdPfbkr+w5lSxZkzZXg="; sha256 = "sha256-+BP71TQ8BTGZ/SbS7CrI4D7hcQaVLt+hCpInbOdU5GY=";
}; };
nativeBuildInputs = [ dotnetSdk dotnetPackages.Nuget makeWrapper ]; nativeBuildInputs = [ dotnetSdk dotnetPackages.Nuget makeWrapper ];

View file

@ -181,23 +181,23 @@
}) })
(fetchNuGet { (fetchNuGet {
name = "NBitcoin.Altcoins"; name = "NBitcoin.Altcoins";
version = "2.0.31"; version = "2.0.33";
sha256 = "13gcfsxpfq8slmsvgzf6iv581x7n535zq0p9c88bqs5p88r6lygm"; sha256 = "12r4w89247xzrl2g01iv13kg1wl7gzfz1zikimx6dyhr4iipbmgf";
}) })
(fetchNuGet { (fetchNuGet {
name = "NBitcoin.TestFramework"; name = "NBitcoin.TestFramework";
version = "2.0.22"; version = "2.0.23";
sha256 = "1zwhjy6xppl01jhkgl7lqjsmi8crny4qq22ml20cz8l437j1zi4n"; sha256 = "03jw3gay7brm7s7jwn4zbk1n1sq7gck523cx3ckx87v3wi2062lx";
}) })
(fetchNuGet { (fetchNuGet {
name = "NBitcoin"; name = "NBitcoin";
version = "5.0.76"; version = "5.0.78";
sha256 = "0q3ilmsrw9ip1s38qmfs4qi02xvccmy1naafffn5yxj08q0n1p79"; sha256 = "1mfn045l489bm2xgjhvddhfy4xxcy42q6jhq4nyd6fnxg4scxyg9";
}) })
(fetchNuGet { (fetchNuGet {
name = "NBitcoin"; name = "NBitcoin";
version = "5.0.77"; version = "5.0.81";
sha256 = "0ykz4ii6lh6gdlz6z264wnib5pfnmq9q617qqbg0f04mq654jygb"; sha256 = "1fba94kc8yzykb1m5lvpx1hm63mpycpww9cz5zfp85phs1spdn8x";
}) })
(fetchNuGet { (fetchNuGet {
name = "NETStandard.Library"; name = "NETStandard.Library";

View file

@ -7,16 +7,16 @@
}: }:
rustPlatform.buildRustPackage rec { rustPlatform.buildRustPackage rec {
pname = "polkadot"; pname = "polkadot";
version = "0.9.7"; version = "0.9.8";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "paritytech"; owner = "paritytech";
repo = "polkadot"; repo = "polkadot";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-swPLJIcm8XD0+/e9pGK2bDqUb7AS/5FdQ3A7Ceh5dZc="; sha256 = "sha256-5PNogoahAZUjIlQsVXwm7j5OmP3/uEEdV0vrIDXXBx8=";
}; };
cargoSha256 = "sha256-4njx8T3kzyN63Jo0aHee5ImqcObiADvi+dHKWcRmbQw="; cargoSha256 = "0iikys90flzmnnb6l2wzag8mp91p6z9y7rjzym2sd6m7xhgbc1x6";
nativeBuildInputs = [ clang ]; nativeBuildInputs = [ clang ];
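Review bot: `cargoSha256` switches from the SRI form used on the old line to a base32 string, while `src.sha256` in the same hunk stays in SRI form. Keep one hash format within the expression, preferably SRI as before, so that later hash updates produce minimal, comparable diffs.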

View file

@ -6,16 +6,16 @@
rustPlatform.buildRustPackage.override { stdenv = stdenv; } rec { rustPlatform.buildRustPackage.override { stdenv = stdenv; } rec {
pname = "zcash"; pname = "zcash";
version = "4.4.0"; version = "4.4.1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "zcash"; owner = "zcash";
repo = "zcash"; repo = "zcash";
rev = "v${version}"; rev = "v${version}";
sha256 = "19vhblyqkaf1lapx8s4v88xjpslqmrd1jnar46rschzcz0mm9sq4"; sha256 = "0nhrjizx518khrl8aygag6a1ianzzqpchasggi963f807kv7ipb7";
}; };
cargoSha256 = "1yiy1506ijndxb9bx79p7fkfvw1c5zdsljil4m55xz1mv8dzhbgm"; cargoSha256 = "101j8cn2lg3l1gn53yg3svzwx783z331g9kzn9ici4azindyx903";
nativeBuildInputs = [ autoreconfHook cargo hexdump makeWrapper pkg-config ]; nativeBuildInputs = [ autoreconfHook cargo hexdump makeWrapper pkg-config ];
buildInputs = [ boost174 libevent libsodium utf8cpp ] buildInputs = [ boost174 libevent libsodium utf8cpp ]

Some files were not shown because too many files have changed in this diff