Project import generated by Copybara.

GitOrigin-RevId: c31898adf5a8ed202ce5bea9f347b1c6871f32d1
This commit is contained in:
Default email 2024-10-04 18:56:33 +02:00
parent f7b83f8370
commit 472aeafc57
2709 changed files with 93617 additions and 41556 deletions


@ -163,6 +163,15 @@ fbdcdde04a7caa007e825a8b822c75fab9adb2d6
# step-cli: format package.nix with nixfmt (#331629)
fc7a83f8b62e90de5679e993d4d49ca014ea013d
# ndn-cxx: format with nixfmt-rfc-style
160b2b769c3b8a6d1ae9947afa77520fa2887db7
# ndn-tools: format with nixfmt-rfc-style
4882ef721ce3d7bb3b5e48ff80125255db515013
# nfd: format with nixfmt-rfc-style
548c2377fa81e2abfc192fbf4f521e601251c468
# darwin.stdenv: format with nixfmt-rfc-style (#333962)
93c10ac9e561c6594d3baaeaff2341907390d9b8


@ -1,6 +1,7 @@
## Description of changes
<!--
^ Please summarise the changes you have done and explain why they are necessary here ^
For package updates please link to a changelog or describe changes, this helps your fellow maintainers discover breaking updates.
For new packages please briefly describe the package or provide a link to its homepage.
-->


@ -380,6 +380,17 @@
- any-glob-to-any-file:
- pkgs/applications/editors/vscode/**/*
"6.topic: xen-project":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/virtualisation/xen*
- pkgs/applications/virtualization/xen/**
- pkgs/by-name/xe/xen-guest-agent/*
- pkgs/by-name/xt/xtf/*
- pkgs/development/ocaml-modules/xen*/*
- pkgs/development/ocaml-modules/vchan/*
"6.topic: xfce":
- any:
- changed-files:


@ -20,7 +20,7 @@ jobs:
if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Create backport PRs


@ -19,8 +19,8 @@ jobs:
runs-on: ubuntu-latest
# we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.


@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
fetch-depth: 0
filter: blob:none


@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
@ -21,7 +21,7 @@ jobs:
sparse-checkout: |
lib
maintainers
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true


@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
if: "!contains(github.event.pull_request.title, '[skip treewide]')"
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
@ -38,7 +38,7 @@ jobs:
# This should not be a URL, because it would allow PRs to run arbitrary code in CI!
rev=$(jq -r .rev ci/pinned-nixpkgs.json)
echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true


@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
if: "!contains(github.event.pull_request.title, '[skip treewide]')"
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
@ -32,7 +32,7 @@ jobs:
# This should not be a URL, because it would allow PRs to run arbitrary code in CI!
rev=$(jq -r .rev ci/pinned-nixpkgs.json)
echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true


@ -10,11 +10,11 @@ jobs:
name: shell-check-x86_64-linux
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
- name: Build shell
run: nix-build shell.nix
@ -22,10 +22,10 @@ jobs:
name: shell-check-aarch64-darwin
runs-on: macos-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
- name: Build shell
run: nix-build shell.nix


@ -25,11 +25,11 @@ jobs:
- name: print list of changed files
run: |
cat "$HOME/changed_files"
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
with:
# nixpkgs commit is pinned so that it doesn't break
# editorconfig-checker 2.4.0


@ -15,11 +15,11 @@ jobs:
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true


@ -17,11 +17,11 @@ jobs:
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true


@ -25,12 +25,12 @@ jobs:
if [[ -s "$HOME/changed_files" ]]; then
echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
fi
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
if: ${{ env.CHANGED_FILES && env.CHANGED_FILES != '' }}
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
with:
nix_path: nixpkgs=channel:nixpkgs-unstable
- name: Parse all changed or added nix files


@ -72,7 +72,7 @@ jobs:
else
echo "The PR cannot be merged, it has a merge conflict, skipping the rest.."
fi
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
if: env.mergedSha
with:
# pull_request_target checks out the base branch by default
@ -85,7 +85,7 @@ jobs:
base=$(mktemp -d)
git worktree add "$base" "$(git rev-parse HEAD^1)"
echo "base=$base" >> "$GITHUB_ENV"
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
if: env.mergedSha
- name: Fetching the pinned tool
if: env.mergedSha


@ -41,7 +41,7 @@ jobs:
into: staging-24.05
name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0


@ -39,7 +39,7 @@ jobs:
into: staging
name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0


@ -16,8 +16,8 @@ jobs:
if: github.repository_owner == 'NixOS' && github.ref == 'refs/heads/master' # ensure workflow_dispatch only runs on master
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- uses: cachix/install-nix-action@9f70348d77d0422624097c4b7a75563948901306 # v29
with:
nix_path: nixpkgs=channel:nixpkgs-unstable
- name: setup


@ -0,0 +1,5 @@
# desktop-file-utils {#desktop-file-utils}
This setup hook removes the MIME cache (located at `$out/share/applications/mimeinfo.cache`) in the `preFixupPhase`.
This hook is necessary because `mimeinfo.cache` can be created when a package uses `desktop-file-utils`, resulting in collisions if multiple packages are installed that contain this file (as in [#48295](https://github.com/NixOS/nixpkgs/issues/48295)).


@ -12,6 +12,7 @@ bmake.section.md
breakpoint.section.md
cernlib.section.md
cmake.section.md
desktop-file-utils.section.md
gdk-pixbuf.section.md
ghc.section.md
gnome.section.md
@ -30,6 +31,7 @@ postgresql-test-hook.section.md
premake.section.md
python.section.md
scons.section.md
tauri.section.md
tetex-tex-live.section.md
unzip.section.md
validatePkgConfig.section.md


@ -0,0 +1,108 @@
# cargo-tauri.hook {#tauri-hook}
[Tauri](https://tauri.app/) is a framework for building smaller, faster, and
more secure desktop applications with a web frontend.
In Nixpkgs, `cargo-tauri.hook` overrides the default build and install phases.
## Example code snippet {#tauri-hook-example-code-snippet}
```nix
{
lib,
stdenv,
rustPlatform,
fetchNpmDeps,
cargo-tauri,
darwin,
glib-networking,
libsoup,
nodejs,
npmHooks,
openssl,
pkg-config,
webkitgtk,
wrapGAppsHook3,
}:
rustPlatform.buildRustPackage rec {
# . . .
cargoHash = "...";
# Assuming our app's frontend uses `npm` as a package manager
npmDeps = fetchNpmDeps {
name = "${pname}-npm-deps-${version}";
inherit src;
hash = "...";
};
nativeBuildInputs = [
# Pull in our main hook
cargo-tauri.hook
# Setup npm
nodejs
npmHooks.npmConfigHook
# Make sure we can find our libraries
pkg-config
wrapGAppsHook3
];
buildInputs =
[ openssl ]
++ lib.optionals stdenv.isLinux [
glib-networking # Most Tauri apps need networking
libsoup
webkitgtk
]
++ lib.optionals stdenv.isDarwin (
with darwin.apple_sdk.frameworks;
[
AppKit
CoreServices
Security
WebKit
]
);
# Set our Tauri source directory
cargoRoot = "src-tauri";
# And make sure we build there too
buildAndTestSubdir = cargoRoot;
# . . .
}
```
## Variables controlling cargo-tauri {#tauri-hook-variables-controlling}
### Tauri Exclusive Variables {#tauri-hook-exclusive-variables}
#### `tauriBuildFlags` {#tauri-build-flags}
Controls the flags passed to `cargo tauri build`.
#### `tauriBundleType` {#tauri-bundle-type}
The [bundle type](https://tauri.app/v1/guides/building/) to build.
#### `dontTauriBuild` {#dont-tauri-build}
Disables using `tauriBuildHook`.
#### `dontTauriInstall` {#dont-tauri-install}
Disables using `tauriInstallPostBuildHook` and `tauriInstallHook`.
### Honored Variables {#tauri-hook-honored-variables}
Along with those found in [](#compiling-rust-applications-with-cargo), the
following variables used by `cargoBuildHook` and `cargoInstallHook` are honored
by the cargo-tauri setup hook.
- `buildAndTestSubdir`
- `cargoBuildType`
- `cargoBuildNoDefaultFeatures`
- `cargoBuildFeatures`


@ -4,7 +4,7 @@
The end result of running Bower is a `bower_components` directory which can be included in the web app's build process.
Bower can be run interactively, by installing `nodePackages.bower`. More interestingly, the Bower components can be declared in a Nix derivation, with the help of `nodePackages.bower2nix`.
Bower can be run interactively, by installing `nodePackages.bower`. More interestingly, the Bower components can be declared in a Nix derivation, with the help of `bower2nix`.
## bower2nix usage {#ssec-bower2nix-usage}


@ -1076,6 +1076,9 @@ benchmark component.
`disableLibraryProfiling drv`
: Sets the `enableLibraryProfiling` argument to `false` for `drv`.
`disableParallelBuilding drv`
: Sets the `enableParallelBuilding` argument to `false` for `drv`.
#### Library functions in the Haskell package sets {#haskell-package-set-lib-functions}
Some library functions depend on packages from the Haskell package sets. Thus they are


@ -524,8 +524,8 @@ An example usage of the above attributes is:
fetchYarnDeps,
yarnConfigHook,
yarnBuildHook,
yarnInstallHook,
nodejs,
npmHooks,
}:
stdenv.mkDerivation (finalAttrs: {
@ -541,7 +541,7 @@ stdenv.mkDerivation (finalAttrs: {
yarnOfflineCache = fetchYarnDeps {
yarnLock = finalAttrs.src + "/yarn.lock";
hash = "sha256-mo8urQaWIHu33+r0Y7mL9mJ/aSe/5CihuIetTeDHEUQ=";
hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};
nativeBuildInputs = [


@ -16,10 +16,44 @@
});
in
{
/**
`nixpkgs.lib` is a combination of the [Nixpkgs library](https://nixos.org/manual/nixpkgs/unstable/#id-1.4), and other attributes
that are _not_ part of the Nixpkgs library, but part of the Nixpkgs flake:
- `lib.nixosSystem` for creating a NixOS system configuration
- `lib.nixos` for other NixOS-provided functionality, such as [`runTest`](https://nixos.org/manual/nixos/unstable/#sec-call-nixos-test-outside-nixos)
*/
lib = lib.extend (final: prev: {
/**
Other NixOS-provided functionality, such as [`runTest`](https://nixos.org/manual/nixos/unstable/#sec-call-nixos-test-outside-nixos).
See also `lib.nixosSystem`.
*/
nixos = import ./nixos/lib { lib = final; };
/**
Create a NixOS system configuration.
Example:
lib.nixosSystem {
modules = [ ./configuration.nix ];
}
Inputs:
- `modules` (list of paths or inline modules): The NixOS modules to include in the system configuration.
- `specialArgs` (attribute set): Extra arguments to pass to all modules, that are available in `imports` but can not be extended or overridden by the `modules`.
- `modulesLocation` (path): A default location for modules that aren't passed by path, used for error messages.
Legacy inputs:
- `system`: Legacy alias for `nixpkgs.hostPlatform`, but this is already set in the generated `hardware-configuration.nix`, included by `configuration.nix`.
- `pkgs`: Legacy alias for `nixpkgs.pkgs`; use `nixpkgs.pkgs` and `nixosModules.readOnlyPkgs` instead.
*/
nixosSystem = args:
import ./nixos/lib/eval-config.nix (
{
@ -78,28 +112,56 @@
};
devShells = forAllSystems (system: {
/** A shell to get tooling for Nixpkgs development. See nixpkgs/shell.nix. */
default = import ./shell.nix { inherit system; };
});
# The "legacy" in `legacyPackages` doesn't imply that the packages exposed
# through this attribute are "legacy" packages. Instead, `legacyPackages`
# is used here as a substitute attribute name for `packages`. The problem
# with `packages` is that it makes operations like `nix flake show
# nixpkgs` unusably slow due to the sheer number of packages the Nix CLI
# needs to evaluate. But when the Nix CLI sees a `legacyPackages`
# attribute it displays `omitted` instead of evaluating all packages,
# which keeps `nix flake show` on Nixpkgs reasonably fast, though less
# information rich.
/**
A nested structure of [packages](https://nix.dev/manual/nix/latest/glossary#package-attribute-set) and other values.
The "legacy" in `legacyPackages` doesn't imply that the packages exposed
through this attribute are "legacy" packages. Instead, `legacyPackages`
is used here as a substitute attribute name for `packages`. The problem
with `packages` is that it makes operations like `nix flake show
nixpkgs` unusably slow due to the sheer number of packages the Nix CLI
needs to evaluate. But when the Nix CLI sees a `legacyPackages`
attribute it displays `omitted` instead of evaluating all packages,
which keeps `nix flake show` on Nixpkgs reasonably fast, though less
information rich.
The reason why finding the tree structure of `legacyPackages` is slow,
is that for each attribute in the tree, it is necessary to check whether
the attribute value is a package or a package set that needs further
evaluation. Evaluating the attribute value tends to require a significant
amount of computation, even considering lazy evaluation.
*/
legacyPackages = forAllSystems (system:
(import ./. { inherit system; }).extend (final: prev: {
lib = prev.lib.extend libVersionInfoOverlay;
})
);
/**
Optional modules that can be imported into a NixOS configuration.
Example:
# flake.nix
outputs = { nixpkgs, ... }: {
nixosConfigurations = {
foo = nixpkgs.lib.nixosSystem {
modules = [
./foo/configuration.nix
nixpkgs.nixosModules.notDetected
];
};
};
};
*/
nixosModules = {
notDetected = ./nixos/modules/installer/scan/not-detected.nix;
/*
/**
Make the `nixpkgs.*` configuration read-only. Guarantees that `pkgs`
is the way you initialize it.


@ -92,6 +92,11 @@ lib.mapAttrs mkLicense ({
free = false;
};
ampas = {
spdxId = "AMPAS";
fullName = "Academy of Motion Picture Arts and Sciences BSD";
};
aom = {
fullName = "Alliance for Open Media Patent License 1.0";
url = "https://aomedia.org/license/patent-license/";


@ -354,12 +354,7 @@ let
else if m._type == "if" || m._type == "override" then
loadModule args fallbackFile fallbackKey { config = m; }
else
throw (
"Could not load a value as a module, because it is of type ${lib.strings.escapeNixString m._type}"
+ optionalString (fallbackFile != unknownModule) ", in file ${toString fallbackFile}."
+ optionalString (m._type == "configuration") " If you do intend to import this configuration, please only import the modules that make up the configuration. You may have to create a `let` binding, file or attribute to give yourself access to the relevant modules.\nWhile loading a configuration into the module system is a very sensible idea, it can not be done cleanly in practice."
# Extended explanation: That's because a finalized configuration is more than just a set of modules. For instance, it has its own `specialArgs` that, by the nature of `specialArgs` can't be loaded through `imports` or the the `modules` argument. So instead, we have to ask you to extract the relevant modules and use those instead. This way, we keep the module system comparatively simple, and hopefully avoid a bad surprise down the line.
)
throw (messages.not_a_module { inherit fallbackFile; value = m; _type = m._type; expectedClass = class; })
else if isList m then
let defs = [{ file = fallbackFile; value = m; }]; in
throw "Module imports can't be nested lists. Perhaps you meant to remove one level of lists? Definitions: ${showDefs defs}"
@ -1450,6 +1445,110 @@ let
collectModules = collectModules null;
};
/**
Error messages produced by the module system.
We factor these out to improve the flow when reading the code.
Functions in `messages` that produce error messages are spelled in
lower_snake_case. This goes against the convention in order to make the
error message implementation more readable, and to visually distinguish
them from other functions in the module system.
*/
messages = let
inherit (lib.strings) concatMapStringsSep escapeNixString trim;
/** "" or ", in file FOO" */
into_fallback_file_maybe = file:
optionalString
(file != null && file != unknownModule)
", while trying to load a module into ${toString file}";
/** Format text with one line break between each list item. */
lines = concatMapStringsSep "\n" trim;
/** Format text with two line break between each list item. */
paragraphs = concatMapStringsSep "\n\n" trim;
/**
```
optionalMatch
{ foo = "Foo result";
bar = "Bar result";
} "foo"
== [ "Foo result" ]
optionalMatch { foo = "Foo"; } "baz" == [ ]
optionalMatch { foo = "Foo"; } true == [ ]
```
*/
optionalMatch = cases: value:
if isString value && cases?${value}
then [ cases.${value} ]
else [];
# esc = builtins.fromJSON "\"\\u001b\"";
esc = builtins.fromJSON "\"\\u001b\"";
# Bold purple for warnings
warn = s: "${esc}[1;35m${s}${esc}[0m";
# Bold green for suggestions
good = s: "${esc}[1;32m${s}${esc}[0m";
# Bold, default color for code
code = s: "${esc}[1m${s}${esc}[0m";
in {
/** When load a value with a (wrong) _type as a module */
not_a_module = { fallbackFile, value, _type, expectedClass ? null }:
paragraphs (
[ ''
Expected a module, but found a value of type ${warn (escapeNixString _type)}${into_fallback_file_maybe fallbackFile}.
A module is typically loaded by adding it the ${code "imports = [ ... ];"} attribute of an existing module, or in the ${code "modules = [ ... ];"} argument of various functions.
Please make sure that each of the list items is a module, and not a different kind of value.
''
]
++ (optionalMatch
{
"configuration" = trim ''
If you really mean to import this configuration, instead please only import the modules that make up the configuration.
You may have to create a `let` binding, file or attribute to give yourself access to the relevant modules.
While loading a configuration into the module system is a very sensible idea, it can not be done cleanly in practice.
'';
# ^^ Extended explanation: That's because a finalized configuration is more than just a set of modules. For instance, it has its own `specialArgs` that, by the nature of `specialArgs` can't be loaded through `imports` or the the `modules` argument. So instead, we have to ask you to extract the relevant modules and use those instead. This way, we keep the module system comparatively simple, and hopefully avoid a bad surprise down the line.
"flake" = lines
([(trim ''
Perhaps you forgot to select an attribute name?
Instead of, for example,
${warn "inputs.someflake"}
you need to write something like
${warn "inputs.someflake"}${
if expectedClass == null
then good ".modules.someApp.default"
else good ".modules.${expectedClass}.default"
}
'')]
++ optionalMatch
{ # We'll no more than 5 custom suggestions here.
# Please switch to `.modules.${class}` in your Module System application.
"nixos" = trim ''
or
${warn "inputs.someflake"}${good ".nixosModules.default"}
'';
"darwin" = trim ''
or
${warn "inputs.someflake"}${good ".darwinModules.default"}
'';
}
expectedClass
);
}
_type
)
);
};
in
private //
{
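Review bot: The doc comment on `into_fallback_file_maybe` no longer matches what the helper returns: it says `"" or ", in file FOO"` but the body now yields `", while trying to load a module into FOO"`, so the comment should read `/** "" or ", while trying to load a module into FOO" */`. The commented-out duplicate `# esc = builtins.fromJSON "\"\\u001b\"";` directly above the live `esc` binding looks like a leftover and can be dropped. Two comment slips in the same hunk: `Format text with two line break` should be `two line breaks`, and `We'll no more than 5 custom suggestions here.` is missing a verb (`We'll allow no more than …`). Since `warn`, `good` and `code` embed raw ESC bytes unconditionally, a one-line comment stating that the colour codes are emitted regardless of whether the output is a terminal (CI logs, files) would explain why callers and test regexes have to tolerate them. The enclosing `let` that binds `messages` starts and ends outside this hunk.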


@ -277,25 +277,6 @@ let
let
selectEmulator = pkgs:
let
qemu-user = pkgs.qemu.override {
smartcardSupport = false;
spiceSupport = false;
openGLSupport = false;
virglSupport = false;
vncSupport = false;
gtkSupport = false;
sdlSupport = false;
alsaSupport = false;
pulseSupport = false;
pipewireSupport = false;
jackSupport = false;
smbdSupport = false;
seccompSupport = false;
tpmSupport = false;
capstoneSupport = false;
enableDocs = false;
hostCpuTargets = [ "${final.qemuArch}-linux-user" ];
};
wine = (pkgs.winePackagesFor "wine${toString final.parsed.cpu.bits}").minimal;
in
# Note: we guarantee that the return value is either `null` or a path
@ -306,7 +287,7 @@ let
else if final.isWindows
then "${wine}/bin/wine${optionalString (final.parsed.cpu.bits == 64) "64"}"
else if final.isLinux && pkgs.stdenv.hostPlatform.isLinux && final.qemuArch != null
then "${qemu-user}/bin/qemu-${final.qemuArch}"
then "${pkgs.qemu-user}/bin/qemu-${final.qemuArch}"
else if final.isWasi
then "${pkgs.wasmtime}/bin/wasmtime"
else if final.isMmix
@ -315,6 +296,10 @@ let
in {
emulatorAvailable = pkgs: (selectEmulator pkgs) != null;
# whether final.emulator pkgs.pkgsStatic works
staticEmulatorAvailable = pkgs: final.emulatorAvailable pkgs
&& (final.isLinux || final.isWasi || final.isMmix);
emulator = pkgs:
if (final.emulatorAvailable pkgs)
then selectEmulator pkgs
@ -384,8 +369,17 @@ let
}.${cpu.name} or cpu.name;
vendor_ = final.rust.platform.vendor;
# TODO: deprecate args.rustc in favour of args.rust after 23.05 is EOL.
in args.rust.rustcTarget or args.rustc.config
or "${cpu_}-${vendor_}-${kernel.name}${optionalString (abi.name != "unknown") "-${abi.name}"}";
in
args.rust.rustcTarget or
args.rustc.config or (
# Rust uses `wasm32-wasip?` rather than `wasm32-unknown-wasi`.
# We cannot know which subversion does the user want, and
# currently use WASI 0.1 as default for compatibility. Custom
# users can set `rust.rustcTarget` to override it.
if final.isWasi
then "${cpu_}-wasip1"
else "${cpu_}-${vendor_}-${kernel.name}${optionalString (abi.name != "unknown") "-${abi.name}"}"
);
# The name of the rust target if it is standard, or the json file
# containing the custom target spec.
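Review bot: The emulator now comes from `pkgs.qemu-user` instead of the local override, so the explicit feature selection that used to live here (`seccompSupport = false`, `smbdSupport = false`, `hostCpuTargets = [ "${final.qemuArch}-linux-user" ]`, and the rest) is now decided wherever `qemu-user` is defined, which is not visible in this hunk; it is worth confirming that package still restricts the build to the user-mode target and does not pull extra features into every cross-compilation closure. The comment in the Rust-target hunk has a grammar slip: `We cannot know which subversion does the user want` should be `We cannot know which subversion the user wants`. The `wasip1` default only takes effect when neither `args.rust.rustcTarget` nor `args.rustc.config` is set, which the comment could say outright, e.g. `# Only used when no explicit rustcTarget or rustc.config is given.` Both `selectEmulator` and the enclosing `let` continue outside the hunk.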


@ -256,7 +256,7 @@ rec {
iphone64 = {
config = "aarch64-apple-ios";
# config = "aarch64-apple-darwin14";
sdkVer = "14.3";
darwinSdkVersion = "14.3";
xcodeVer = "12.3";
xcodePlatform = "iPhoneOS";
useiOSPrebuilt = true;
@ -265,7 +265,7 @@ rec {
iphone32 = {
config = "armv7a-apple-ios";
# config = "arm-apple-darwin10";
sdkVer = "14.3";
darwinSdkVersion = "14.3";
xcodeVer = "12.3";
xcodePlatform = "iPhoneOS";
useiOSPrebuilt = true;
@ -274,7 +274,7 @@ rec {
iphone64-simulator = {
config = "x86_64-apple-ios";
# config = "x86_64-apple-darwin14";
sdkVer = "14.3";
darwinSdkVersion = "14.3";
xcodeVer = "12.3";
xcodePlatform = "iPhoneSimulator";
darwinPlatform = "ios-simulator";
@ -284,7 +284,7 @@ rec {
iphone32-simulator = {
config = "i686-apple-ios";
# config = "i386-apple-darwin11";
sdkVer = "14.3";
darwinSdkVersion = "14.3";
xcodeVer = "12.3";
xcodePlatform = "iPhoneSimulator";
darwinPlatform = "ios-simulator";


@ -534,9 +534,10 @@ checkConfigError 'The module .*/module-class-is-darwin.nix was imported into nix
checkConfigError 'A submoduleWith option is declared multiple times with conflicting class values "darwin" and "nixos".' config.sub.mergeFail.config ./class-check.nix
# _type check
checkConfigError 'Could not load a value as a module, because it is of type "flake", in file .*/module-imports-_type-check.nix' config.ok.config ./module-imports-_type-check.nix
checkConfigOutput '^true$' "$@" config.enable ./declare-enable.nix ./define-enable-with-top-level-mkIf.nix
checkConfigError 'Could not load a value as a module, because it is of type "configuration", in file .*/import-configuration.nix.*please only import the modules that make up the configuration.*' config ./import-configuration.nix
checkConfigError 'Expected a module, but found a value of type .*"flake".*, while trying to load a module into .*/module-imports-_type-check.nix' config.ok.config ./module-imports-_type-check.nix
checkConfigOutput '^true$' config.enable ./declare-enable.nix ./define-enable-with-top-level-mkIf.nix
checkConfigError 'Expected a module, but found a value of type .*"configuration".*, while trying to load a module into .*/import-configuration.nix.' config ./import-configuration.nix
checkConfigError 'please only import the modules that make up the configuration' config ./import-configuration.nix
# doRename works when `warnings` does not exist.
checkConfigOutput '^1234$' config.c.d.e ./doRename-basic.nix
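Review bot: The `.*` placed on either side of `"flake"` and `"configuration"` in the new regexes skips whatever the message formatter wraps around the type name (the colour codes added by the new `warn` helper in modules.nix, as far as this commit shows), but nothing in this file says so; a comment such as `# .* around the type name skips the ANSI colour codes the formatter adds` above the first new `checkConfigError` would save the next reader a trip into modules.nix. The `"$@"` argument dropped from the `checkConfigOutput '^true$' config.enable` call is presumably a stale leftover in the old line rather than an intended behaviour change, but worth a glance since no other invocation in this hunk passes it. The two `checkConfigError` calls for `./import-configuration.nix` evaluate the same configuration twice; acceptable for a test, but a single regex with `.*` between the two fragments would keep it to one evaluation.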


@ -96,6 +96,7 @@ lib.runTests (
canExecute = null;
emulator = null;
emulatorAvailable = null;
staticEmulatorAvailable = null;
isCompatible = null;
}?${platformAttrName};
};


@ -1016,6 +1016,12 @@
githubId = 50754358;
name = "Alex Winter";
};
alfarel = {
email = "alfarelcynthesis@proton.me";
github = "alfarelcynthesis";
githubId = 104072649;
name = "Cynth";
};
algram = {
email = "aliasgram@gmail.com";
github = "Algram";
@ -1028,12 +1034,6 @@
githubId = 30437811;
name = "Alex Andrews";
};
alibabzo = {
email = "alistair.bill@gmail.com";
github = "alistairbill";
githubId = 2822871;
name = "Alistair Bill";
};
alirezameskin = {
email = "alireza.meskin@gmail.com";
github = "alirezameskin";
@ -1234,6 +1234,12 @@
githubId = 37040543;
name = "Wroclaw";
};
amuckstot30 = {
email = "amuckstot30@tutanota.com";
github = "amuckstot30";
githubId = 157274630;
name = "amuckstot30";
};
amyipdev = {
email = "amy@amyip.net";
github = "amyipdev";
@ -2041,6 +2047,12 @@
github = "auchter";
githubId = 1190483;
};
aucub = {
name = "aucub";
email = "dr56ekgbb@mozmail.com";
github = "aucub";
githubId = 78630225;
};
augustebaum = {
email = "auguste.apple@gmail.com";
github = "augustebaum";
@ -2932,6 +2944,14 @@
githubId = 3229981;
name = "Duncan Fairbanks";
};
BonusPlay = {
name = "Bonus";
email = "nixos@bonusplay.pl";
matrix = "@bonus:bonusplay.pl";
github = "BonusPlay";
githubId = 8405359;
keys = [ { fingerprint = "8279 6487 A4CA 2A28 E8B3 3CD6 C7F9 9743 6A20 4683"; } ];
};
booklearner = {
name = "booklearner";
email = "booklearner@proton.me";
@ -3286,6 +3306,12 @@
{ fingerprint = "8916 F727 734E 77AB 437F A33A 19AB 76F5 CEE1 1392"; }
];
};
CaiqueFigueiredo = {
email = "public@caiquefigueiredo.me";
github = "caiquefigueiredo";
githubId = 20440897;
name = "Caique";
};
CaitlinDavitt = {
email = "CaitlinDavitt@gmail.com";
github = "CaitlinDavitt";
@ -5016,6 +5042,12 @@
github = "definfo";
githubId = 66514911;
};
deftdawg = {
name = "DeftDawg";
github = "deftdawg";
email = "deftdawg@gmail.com";
githubId = 4991612;
};
deifactor = {
name = "Ash Zahlen";
email = "ext0l@riseup.net";
@ -5579,6 +5611,12 @@
name = "Misha Gusarov";
keys = [ { fingerprint = "A8DF 1326 9E5D 9A38 E57C FAC2 9D20 F650 3E33 8888"; } ];
};
dottybot = {
name = "Scala Organization (dottybot)";
email = "dottybot@groupes.epfl.ch";
github = "dottybot";
githubId = 12519979;
};
dpaetzel = {
email = "david.paetzel@posteo.de";
github = "dpaetzel";
@ -6590,6 +6628,13 @@
githubId = 195032;
name = "Eric Evenchick";
};
eveeifyeve = {
name = "Eveeifyeve";
github = "eveeifyeve";
githubId = 88671402;
matrix = "@eveeifyeve:matrix.org";
email = "eveeg1971@gmail.com";
};
evenbrenden = {
email = "packages@anythingexternal.com";
github = "evenbrenden";
@ -6926,6 +6971,12 @@
{ fingerprint = "elY15tXap1tddxbBVoUoAioe1u0RDWti5rc9cauSmwo"; }
];
};
figboy9 = {
email = "figboy9@tuta.io";
github = "figboy9";
githubId = 52276064;
name = "figboy9";
};
figsoda = {
email = "figsoda@pm.me";
matrix = "@figsoda:matrix.org";
@ -8206,6 +8257,12 @@
githubId = 1742172;
name = "Hamish Hutchings";
};
hamzaremmal = {
email = "hamza.remmal@epfl.ch";
github = "hamzaremmal";
githubId = 56235032;
name = "Hamza Remmal";
};
hanemile = {
email = "mail@emile.space";
github = "HanEmile";
@ -8363,6 +8420,12 @@
githubId = 287769;
name = "Sergii Paryzhskyi";
};
hehongbo = {
name = "Hongbo";
github = "hehongbo";
githubId = 665472;
matrix = "@hehongbo:matrix.org";
};
heijligen = {
email = "src@posteo.de";
github = "heijligen";
@ -8460,6 +8523,11 @@
githubId = 15121114;
name = "Tom Herbers";
};
herschenglime = {
github = "Herschenglime";
githubId = 69494718;
name = "Herschenglime";
};
hexa = {
email = "hexa@darmstadt.ccc.de";
matrix = "@hexa:lossy.network";
@ -9377,6 +9445,13 @@
github = "jacbart";
githubId = 7909687;
};
jacekpoz = {
name = "Jacek Poziemski";
email = "jacekpoz@proton.me";
matrix = "@jacekpoz:jacekpoz.pl";
github = "jacekpoz";
githubId = 64381190;
};
jacfal = {
name = "Jakub Pravda";
email = "me@jakubpravda.net";
@ -10704,6 +10779,13 @@
githubId = 46386452;
name = "Jeroen Wijenbergh";
};
jwillikers = {
email = "jordan@jwillikers.com";
github = "jwillikers";
githubId = 19399197;
name = "Jordan Williams";
keys = [ { fingerprint = "A6AB 406A F5F1 DE02 CEA3 B6F0 9FB4 2B0E 7F65 7D8C"; } ];
};
jwygoda = {
email = "jaroslaw@wygoda.me";
github = "jwygoda";
@ -11354,6 +11436,12 @@
githubId = 787421;
name = "Kevin Quick";
};
kraanzu = {
name = "Murli Tawari";
email = "kraanzu@gmail.com";
github = "kraanzu";
githubId = 97718086;
};
kradalby = {
name = "Kristoffer Dalby";
email = "kristoffer@dalby.cc";
@ -13956,6 +14044,12 @@
githubId = 4587373;
name = "Mitchell Nordine";
};
mithicspirit = {
email = "rpc01234@gmail.com";
github = "MithicSpirit";
githubId = 24192522;
name = "MithicSpirit";
};
mjanczyk = {
email = "m@dragonvr.pl";
github = "mjanczyk";
@ -14127,6 +14221,12 @@
githubId = 754512;
name = "Mogria";
};
mohe2015 = {
name = "Moritz Hedtke";
email = "Moritz.Hedtke@t-online.de";
github = "mohe2015";
githubId = 13287984;
};
momeemt = {
name = "Mutsuha Asada";
email = "me@momee.mt";
@ -14204,6 +14304,12 @@
githubId = 42215704;
name = "Moritz Böhme";
};
mortenmunk = {
email = "mortenmunk97@gmail.com";
github = "MortenMunk";
githubId = 92527083;
name = "Morten Munk";
};
MostAwesomeDude = {
email = "cds@corbinsimpson.com";
github = "MostAwesomeDude";
@ -14633,6 +14739,12 @@
githubId = 6709831;
name = "Jake Hill";
};
nartsiss = {
name = "Daniil Nartsissov";
email = "nartsiss@proton.me";
github = "nartsisss";
githubId = 54633007;
};
nasageek = {
github = "NasaGeek";
githubId = 474937;
@ -14673,6 +14785,13 @@
githubId = 818502;
name = "Nathan Yong";
};
natsukagami = {
email = "natsukagami@gmail.com";
github = "natsukagami";
githubId = 9061737;
name = "Natsu Kagami";
keys = [ { fingerprint = "5581 26DC 886F E14D 501D B0F2 D6AD 7B57 A992 460C"; } ];
};
natsukium = {
email = "nixpkgs@natsukium.com";
github = "natsukium";
@ -15192,6 +15311,11 @@
github = "noaccOS";
githubId = 24324352;
};
noahgitsham = {
name = "Noah Gitsham";
github = "noahgitsham";
githubId = 73707948;
};
nobbz = {
name = "Norbert Melzer";
email = "timmelzer+nixpkgs@gmail.com";
@ -15717,12 +15841,6 @@
github = "ony";
githubId = 11265;
};
oo-infty = {
name = "Justin Chen";
email = "oo-infty@outlook.com";
github = "oo-infty";
githubId = 42143810;
};
ooliver1 = {
name = "Oliver Wilkes";
email = "oliverwilkes2006@icloud.com";
@ -15730,6 +15848,12 @@
githubId = 34910574;
keys = [ { fingerprint = "D055 8A23 3947 B7A0 F966 B07F 0B41 0348 9833 7273"; } ];
};
oosquare = {
name = "Justin Chen";
email = "oosquare@outlook.com";
github = "oosquare";
githubId = 42143810;
};
opeik = {
email = "sandro@stikic.com";
github = "opeik";
@ -16299,6 +16423,12 @@
githubId = 29493551;
name = "Josh Peters";
};
petertriho = {
email = "mail@petertriho.com";
github = "petertriho";
githubId = 7420227;
name = "Peter Tri Ho";
};
peterwilli = {
email = "peter@codebuffet.co";
github = "peterwilli";
@ -16582,6 +16712,12 @@
githubId = 14542417;
name = "Sergey Ichtchenko";
};
pizzapim = {
email = "pim@kunis.nl";
github = "pizzapim";
githubId = 23135512;
name = "Pim Kunis";
};
pjbarnoy = {
email = "pjbarnoy@gmail.com";
github = "waaamb";
@ -17478,6 +17614,12 @@
githubId = 5653911;
name = "Rampoina";
};
rane = {
email = "rane+nix@junkyard.systems";
github = "digitalrane";
githubId = 1829286;
name = "Rane";
};
ranfdev = {
email = "ranfdev@gmail.com";
name = "Lorenzo Miglietta";
@ -17559,6 +17701,12 @@
githubId = 145816;
name = "David McKay";
};
rayhem = {
email = "glosser1@gmail.com";
github = "rayhem";
githubId = 49202382;
name = "Connor Glosser";
};
raylas = {
email = "r@raymond.sh";
github = "raylas";
@ -18356,6 +18504,11 @@
githubId = 56157634;
name = "Ruben Hönle";
};
rubikcubed = {
github = "rubikcubed";
githubId = 91467402;
name = "rubikcubed";
};
ruby0b = {
github = "ruby0b";
githubId = 106119328;
@ -18709,6 +18862,13 @@
githubId = 34161949;
keys = [ { fingerprint = "155C F413 0129 C058 9A5F 5524 3658 73F2 F0C6 153B"; } ];
};
sanana = {
email = "asya@waifu.club";
github = "AsyaTheAbove";
githubId = 40492846;
keys = [ { fingerprint = "B766 7717 1644 5ABC DE82 94AA 4679 BF7D CC04 4783"; } ];
name = "sanana the skenana";
};
sander = {
email = "s.vanderburg@tudelft.nl";
github = "svanderburg";
@ -18907,6 +19067,12 @@
githubId = 11320;
name = "Sergiu Ivanov";
};
scraptux = {
email = "git@thomasjasny.de";
github = "scraptux";
githubId = 12714892;
name = "Thomas Jasny";
};
screendriver = {
email = "nix@echooff.de";
github = "screendriver";
@ -22604,6 +22770,12 @@
githubId = 24979302;
name = "Vladimír Zahradník";
};
wgunderwood = {
email = "wg.underwood13@gmail.com";
github = "WGUNDERWOOD";
githubId = 42812654;
name = "William Underwood";
};
wheelsandmetal = {
email = "jakob@schmutz.co.uk";
github = "wheelsandmetal";
@ -23634,6 +23806,13 @@
githubId = 1108325;
name = "Théo Zimmermann";
};
zimward = {
name = "zimward";
github = "zimward";
githubId = 96021122;
matrix = "@memoryfragmentation:matrix.org";
keys = [ { fingerprint = "CBF7 FA5E F4B5 8B68 5977 3E3E 4CAC 61D6 A482 FCD9"; } ];
};
zlepper = {
name = "Rasmus Hansen";
github = "zlepper";


@ -1022,6 +1022,19 @@ with lib.maintainers;
shortName = "WDZ GmbH";
};
xen = {
members = [
hehongbo
lach
rane
sigmasquadron
];
scope = "Maintain the Xen Project Hypervisor and the related tooling ecosystem.";
shortName = "Xen Project Hypervisor";
enableFeatureFreezePing = true;
githubTeams = [ "xen-project" ];
};
xfce = {
members = [
bobby285271


@ -80,6 +80,7 @@ Reviewing process:
- Ensure that all file paths [fit the guidelines](../CONTRIBUTING.md#file-naming-and-organisation).
- Ensure that the module tests, if any, are succeeding.
- Ensure that new module tests are added to the package `passthru.tests`.
- Ensure that the introduced options are correct.
- Type should be appropriate (string related types differs in their merging capabilities, `loaOf` and `string` types are deprecated).
- Description, default and example should be provided.
@ -95,7 +96,8 @@ Sample template for a new module review is provided below.
##### Reviewed points
- [ ] module path fits the guidelines
- [ ] module tests succeed on ARCHITECTURE
- [ ] module tests, if any, succeed on ARCHITECTURE
- [ ] module tests, if any, are added to package `passthru.tests`
- [ ] options have appropriate types
- [ ] options have default
- [ ] options have example


@ -133,20 +133,3 @@ This section was moved to the [Nixpkgs manual](https://nixos.org/nixpkgs/manual#
It's a common issue that the latest stable version of ZFS doesn't support the latest
available Linux kernel. It is recommended to use the latest available LTS that's compatible
with ZFS. Usually this is the default kernel provided by nixpkgs (i.e. `pkgs.linuxPackages`).
Alternatively, it's possible to pin the system to the latest available kernel
version _that is supported by ZFS_ like this:
```nix
{
boot.kernelPackages = pkgs.zfs.latestCompatibleLinuxPackages;
}
```
Please note that the version this attribute points to isn't monotonic because the latest kernel
version only refers to kernel versions supported by the Linux developers. In other words,
the latest kernel version that ZFS is compatible with may decrease over time.
An example: the latest version ZFS is compatible with is 5.19 which is a non-longterm version. When 5.19
is out of maintenance, the latest supported kernel version is 5.15 because it's longterm and the versions
5.16, 5.17 and 5.18 are already out of maintenance because they're non-longterm.


@ -17,6 +17,10 @@
[2.24](https://nix.dev/manual/nix/latest/release-notes/rl-2.24).
Notable changes include improvements to Git fetching, documentation comment support in `nix-repl> :doc`, as well as many quality of life improvements.
- This will be the last release of Nixpkgs to support versions of CUDA prior to CUDA 12.0.
These versions only work with old compiler versions that will be unsupported by the time of the Nixpkgs 25.05 release.
In future, users should expect CUDA versions to be dropped as the compiler versions they require leave upstream support windows.
- Convenience options for `amdgpu`, open source driver for Radeon cards, is now available under `hardware.amdgpu`.
- [AMDVLK](https://github.com/GPUOpen-Drivers/AMDVLK), AMD's open source Vulkan driver, is now available to be configured as `hardware.amdgpu.amdvlk` option.
@ -49,13 +53,13 @@
- Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html)
was added through the `boot.initrd.systemd.dmVerity` option.
- The [Xen Hypervisor](https://xenproject.org) is once again available as a virtualisation option under [`virtualisation.xen`](#opt-virtualisation.xen.enable).
- The [Xen Project Hypervisor](https://xenproject.org) is once again available as a virtualisation option under [`virtualisation.xen`](#opt-virtualisation.xen.enable).
- This release includes Xen [4.17.5](https://wiki.xenproject.org/wiki/Xen_Project_4.17_Release_Notes), [4.18.3](https://wiki.xenproject.org/wiki/Xen_Project_4.18_Release_Notes) and [4.19.0](https://wiki.xenproject.org/wiki/Xen_Project_4.19_Release_Notes), as well as support for booting the hypervisor on EFI systems.
::: {.warning}
Booting into Xen through a legacy BIOS bootloader or with the legacy script-based Stage 1 initrd have been **deprecated**. Only EFI booting and the new systemd-based Stage 1 initrd are supported.
Booting into the Xen Project Hypervisor through a legacy BIOS bootloader or with the legacy script-based Stage 1 initrd have been **deprecated**. Only EFI booting and the new systemd-based Stage 1 initrd are supported.
:::
- There are two flavours of Xen available by default: `xen`, which includes all built-in components, and `xen-slim`, which replaces the built-in components with their Nixpkgs equivalents.
- The `qemu-xen-traditional` component has been deprecated by upstream Xen, and is no longer available in any of the Xen packages.
- The `qemu-xen-traditional` component has been deprecated by the upstream Xen Project, and is no longer available in any of the Xen Project Hypervisor packages.
- The OCaml-based Xen Store can now be configured using [`virtualisation.xen.store.settings`](#opt-virtualisation.xen.store.settings).
- The `virtualisation.xen.bridge` options have been deprecated in this release cycle. Users who need network bridges are encouraged to set up their own networking configurations.
@ -69,6 +73,8 @@
- [Goatcounter](https://www.goatcounter.com/), Easy web analytics. No tracking of personal data. Available as [services.goatcounter](options.html#opt-services.goatcocunter.enable).
- [Privatebin](https://github.com/PrivateBin/PrivateBin/), A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as [services.privatebin](#opt-services.privatebin.enable)
- [UWSM](https://github.com/Vladimir-csp/uwsm), a wayland session manager to wrap Wayland Compositors into useful systemd units such as `graphical-session.target`. Available as [programs.uwsm](#opt-programs.uwsm.enable).
- [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI
@ -81,9 +87,11 @@
user management. This can be used instead of the `update-users-groups.pl`
Perl script and instead of systemd-sysusers. To achieve a system without
Perl, this is the now recommended tool over systemd-sysusers because it can
alos create normal users and change passwords. Available as
also create normal users and change passwords. Available as
[services.userborn](#opt-services.userborn.enable)
- [Hatsu](https://github.com/importantimport/hatsu), a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as [services.hatsu](options.html#opt-services.hatsu).
- [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood).
- [Firefly-iii Data Importer](https://github.com/firefly-iii/data-importer), a data importer for Firefly-III. Available as [services.firefly-iii-data-importer](options.html#opt-services.firefly-iii-data-importer)
@ -108,6 +116,8 @@
- [zeronsd](https://github.com/zerotier/zeronsd), a DNS server for ZeroTier users. Available with [services.zeronsd.servedNetworks](#opt-services.zeronsd.servedNetworks).
- [Collabora Online](https://www.collaboraonline.com/), a collaborative online office suite based on LibreOffice technology. Available as [services.collabora-online](options.html#opt-services.collabora-online.enable).
- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web ui for connecting devices. Available at [services.wg-access-server](#opt-services.wg-access-server.enable).
- [Pingvin Share](https://github.com/stonith404/pingvin-share), a self-hosted file sharing platform and an alternative for WeTransfer. Available as [services.pingvin-share](#opt-services.pingvin-share.enable).
@ -116,12 +126,16 @@
- [Localsend](https://localsend.org/), an open source cross-platform alternative to AirDrop. Available as [programs.localsend](#opt-programs.localsend.enable).
- [Gatus](https://github.com/TwiN/gatus), an automated developer-oriented status page. Available as [services.gatus](#opt-services.gatus.enable).
- [cryptpad](https://cryptpad.org/), a privacy-oriented collaborative platform (docs/drive/etc), has been added back. Available as [services.cryptpad](#opt-services.cryptpad.enable).
- [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in rust. Available as [services.realm.enable](#opt-services.realm.enable).
- [Gotenberg](https://gotenberg.dev), an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as [services.gotenberg](options.html#opt-services.gotenberg).
- [Suricata](https://suricata.io/), a free and open source, mature, fast and robust network threat detection engine. Available as [services.suricata](options.html#opt-services.suricata).
- [Playerctld](https://github.com/altdesktop/playerctl), a daemon to track media player activity. Available as [services.playerctld](option.html#opt-services.playerctld).
- [MenhirLib](https://gitlab.inria.fr/fpottier/menhir/-/tree/master/coq-menhirlib) A support library for verified Coq parsers produced by Menhir.
@ -153,8 +167,22 @@
- [Immich](https://github.com/immich-app/immich), a self-hosted photo and video backup solution. Available as [services.immich](#opt-services.immich.enable).
- [obs-studio](https://obsproject.com/), Free and open source software for video recording and live streaming. Available as [programs.obs-studio.enable](#opt-programs.obs-studio.enable).
- [Veilid](https://veilid.com), a headless server that enables privacy-focused data sharing and messaging on a peer-to-peer network. Available as [services.veilid](#opt-services.veilid.enable).
- [Fedimint](https://github.com/fedimint/fedimint), a module based system for building federated applications (Federated E-Cash Mint). Available as [services.fedimintd](#opt-services.fedimintd).
## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
- The `sound` options have been removed or renamed, as they had a lot of unintended side effects. See [below](#sec-release-24.11-migration-sound) for details.
- The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver.
- All Cinnamon and XApp packages have been moved to top-level (i.e., `cinnamon.nemo` is now `nemo`).
- All GNOME packages have been moved to top-level (i.e., `gnome.nautilus` is now `nautilus`).
- `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0), and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. The `services.transmission.package` defaults to `transmission_3` as well because the upgrade can cause data loss in certain specific usage patterns (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up to your data directory per your usage:
- `transmission-gtk`: `~/.config/transmission`
- `transmission-daemon` using NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`)
@ -167,6 +195,8 @@
- `services.kubernetes.kubelet.clusterDns` now accepts a list of DNS resolvers rather than a single string, bringing the module more in line with the upstream Kubelet configuration schema.
- `bluemap` has changed the format used to store map tiles, and the database layout has been heavily modified. Upstream recommends a clean reinstallation: <https://github.com/BlueMap-Minecraft/BlueMap/releases/tag/v5.2>. Unless you are using an SQL storage backend, this should only entail deleting the contents of `config.services.bluemap.coreSettings.data` (defaults to `/var/lib/bluemap`) and `config.services.bluemap.webRoot` (defaults to `/var/lib/bluemap/web`).
- `wstunnel` has had a major version upgrade that entailed rewriting the program in Rust.
The module was updated to accommodate for breaking changes.
Breaking changes to the module API were minimised as much as possible,
@ -203,6 +233,9 @@
- The logrotate service has received hardening and now requires enabling `allowNetworking`, if logrotate needs to access the network.
- qBittorrent has been updated to major version 5, which drops support for Qt 5.
The `qbittorrent-qt5` package has been removed.
- The fcgiwrap module now allows multiple instances running as distinct users.
The option `services.fgciwrap` now takes an attribute set of the
configuration of each individual instance.
@ -216,8 +249,6 @@
- The `mautrix-signal` module was adapted to incorporate the configuration rearrangement that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work.
In case you want to update your configuration make sure to check the NixOS manual.
- The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver.
- `singularity-tools` have the `storeDir` argument removed from its override interface and use `builtins.storeDir` instead.
- Two build helpers in `singularity-tools`, i.e., `mkLayer` and `shellScript`, are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases.
@ -231,10 +262,6 @@
- The method to safely handle secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of wpa_supplicant.
The syntax to refer to secrets has changed slightly and the option `networking.wireless.environmentFile` has been replaced by `networking.wireless.secretsFile`; see the description of the latter for how to upgrade.
- All Cinnamon and XApp packages have been moved to top-level (i.e., `cinnamon.nemo` is now `nemo`).
- All GNOME packages have been moved to top-level (i.e., `gnome.nautilus` is now `nautilus`).
- `services.cgit` now runs as the cgit user by default instead of root.
This change requires granting access to the repositories to this user or
setting the appropriate one through `services.cgit.some-instance.user`.
@ -289,6 +316,12 @@
- `tests.overriding` has its `passthru.tests` restructured as an attribute set instead of a list, making individual tests accessible by their names.
- Package `skk-dict` was split into multiple packages under `skkDictionaries`.
If in doubt, try `skkDictionaries.l`. As part of this change, the dictionaries
were moved from `$out/share` to `$out/share/skk`. Also, the dictionaries won't
be converted to UTF-8 unless the `useUtf8` package option is enabled. UTF-8
converted dictionaries will have the .utf8 suffix appended to its filename.
- `vaultwarden` lost the capability to bind to privileged ports. If you rely on
this behavior, override the systemd unit to allow `CAP_NET_BIND_SERVICE` in
your local configuration.
@ -300,6 +333,15 @@
a static `user` and `group`. The `writablePaths` option has been removed and
the models directory is now always exempt from sandboxing.
- The `gns3-server` service now runs under the `gns3` system user
instead of a dynamically created one via `DynamicUser`.
The use of SUID wrappers is incompatible with SystemD's `DynamicUser` setting,
and GNS3 requires calling ubridge through its SUID wrapper to function properly.
This change requires to manually move the following directories:
* from `/var/lib/private/gns3` to `/var/lib/gns3`
* from `/var/log/private/gns3` to `/var/log/gns3`
and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).
- Legacy package `stalwart-mail_0_6` was dropped, please note the
[manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
before changing the package to `pkgs.stalwart-mail` in
@ -390,6 +432,8 @@
- `zx` was updated to v8, which introduces several breaking changes.
See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information.
- `feishin` removed support for Navidrome `< v0.53.2` due to an API change; more information in the [v0.10.0 release notes](https://github.com/jeffvli/feishin/releases/tag/v0.10.0).
- The `dnscrypt-wrapper` module was removed since the project has been effectively unmaintained since 2018; moreover the NixOS module had to rely on an abandoned version of dnscrypt-proxy v1 for the rotation of keys.
To wrap a resolver with DNSCrypt you can instead use `dnsdist`. See options `services.dnsdist.dnscrypt.*`
@ -415,6 +459,8 @@
- `programs.vim.defaultEditor` now only works if `programs.vim.enable` is enabled.
- `services.mautrix-meta` was updated to [0.4](https://github.com/mautrix/meta/releases/tag/v0.4.0). This release makes significant changes to the settings format. If you have custom settings you should migrate them to the new format. Unfortunately upstream provides little guidance for how to do this, but [the auto-migration code](https://github.com/mautrix/meta/blob/f5440b05aac125b4c95b1af85635a717cbc6dd0e/cmd/mautrix-meta/legacymigrate.go#L23) may serve as a useful reference. The NixOS module should warn you if you still have any old settings configured.
- The `indi-full` package no longer contains non-free drivers.
To get the old collection of drivers use `indi-full-nonfree` or create your own collection of drivers by overriding indi-with-drivers.
E.g.: `pkgs.indi-with-drivers.override {extraDrivers = with pkgs.indi-3rdparty; [indi-gphoto];}`
@ -432,8 +478,6 @@
- `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments.
- The `sound` options have been removed or renamed, as they had a lot of unintended side effects. See [below](#sec-release-24.11-migration-sound) for details.
- The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer.
Consequently the package `pkgs.ma1sd` has also been removed.
@ -470,7 +514,7 @@
- The `services.syncplay` module now exposes all currently available command-line arguments for `syncplay-server` as options, as well as a `useACMEHost` option for easy TLS setup.
The systemd service now uses `DynamicUser`/`StateDirectory` and the `user` and `group` options have been deprecated.
- The `openlens` package got removed, suggested replacment `lens-desktop`
- The `openlens` package got removed, suggested replacement `lens-desktop`
- The `services.dnsmasq.extraConfig` option has been removed, as it had been deprecated for over 2 years. This option has been replaced by `services.dnsmasq.settings`.
@ -516,6 +560,9 @@
- `lib.misc.mapAttrsFlatten` is now formally deprecated and will be removed in future releases; use the identical [`lib.attrsets.mapAttrsToList`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.mapAttrsToList) instead.
- Tailscale's `authKeyFile` can now have its corresponding parameters set through `config.services.tailscale.authKeyParameters`, allowing for non-ephemeral unsupervised deployment and more.
See [Registering new nodes using OAuth credentials](https://tailscale.com/kb/1215/oauth-clients#registering-new-nodes-using-oauth-credentials) for the supported options.
- `nixosTests` now provide a working IPv6 setup for VLAN 1 by default.
- Kanidm can now be provisioned using the new [`services.kanidm.provision`] option, but requires using a patched version available via `pkgs.kanidm.withSecretProvisioning`.
@ -524,6 +571,22 @@
- The kubelet configuration file can now be amended with arbitrary additional content using the `services.kubernetes.kubelet.extraConfig` option.
- The `services.seafile` module was updated to major version 11.
- As part of this upgrade, the database backend will be migrated to MySQL.
This process should be automatic, but in case of a botched migration,
old sqlite files are not removed and can be used to manually migrate the database.
- Additionally, the updated CSRF protection may prevent some users from logging in.
Specific origin addresses can be whitelisted using the `services.seafile.seahubExtraConf` option
(e.g. `services.seafile.seahubExtraConf = ''CSRF_TRUSTED_ORIGINS = ["https://example.com"]'';`).
Note that first solution of the [official FAQ answer](https://cloud.seatable.io/dtable/external-links/7b976c85f504491cbe8e/?tid=0000&vid=0000&row-id=BQhH-2HSQs68Nq2EW91DBA)
is not allowed by the `services.nginx` module's config-checker.
- The latest available version of Nextcloud is v30 (available as `pkgs.nextcloud30`). The installation logic is as follows:
- If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
- If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud29` will be installed by default.
- If [`system.stateVersion`](#opt-system.stateVersion) is >=24.11, `pkgs.nextcloud30` will be installed by default.
- Please note that an upgrade from v28 (or older) to v30 directly is not possible. Please upgrade to `nextcloud29` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud29;`](options.html#opt-services.nextcloud.package).
- To facilitate dependency injection, the `imgui` package now builds a static archive using vcpkg' CMake rules.
The derivation now installs "impl" headers selectively instead of by a wildcard.
Use `imgui.src` if you just want to access the unpacked sources.
@ -539,6 +602,8 @@
- `security.pam.u2f` now follows RFC42.
All module options are now settable through the freeform `.settings`.
- Mikutter was removed because the package was broken and had no maintainers.
- Gollum was upgraded to major version 6. Read their [migration notes](https://github.com/gollum/gollum/wiki/6.0-Release-Notes).
- The hooks `yarnConfigHook` and `yarnBuildHook` were added. These should replace `yarn2nix.mkYarnPackage` and other `yarn2nix` related tools. The motivation to get rid of `yarn2nix` tools is the fact that they are too complex and hard to maintain, and they rely upon too much Nix evaluation which is problematic if import-from-derivation is not allowed (see more details at [#296856](https://github.com/NixOS/nixpkgs/issues/296856). The transition from `mkYarnPackage` to `yarn{Config,Build}Hook` is tracked at [#324246](https://github.com/NixOS/nixpkgs/issues/324246).
@ -560,6 +625,11 @@
- `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).
- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.
- `cargo-tauri.hook` was introduced to help users build [Tauri](https://tauri.app/) projects. It is meant to be used alongside
`rustPlatform.buildRustPackage` and Node hooks such as `npmConfigHook`, `pnpm.configHook`, and the new `yarnConfig`
- Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
should be changed to using *runner authentication tokens* by configuring
@ -569,7 +639,9 @@
- `iproute2` now has libbpf support.
- `nix.channel.enable = false` no longer implies `nix.settings.nix-path = []`.
Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overriden by the `NIX_PATH` configuration variable.
Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overridden by the `NIX_PATH` configuration variable.
- ZFS now imports its pools in `postResumeCommands` rather than `postDeviceCommands`. If you had `postDeviceCommands` scripts that depended on ZFS pools being imported, those now need to be in `postResumeCommands`.
## Detailed migration information {#sec-release-24.11-migration}


@ -72,7 +72,7 @@ in
type = "path";
path = config.flake.outPath;
} // filterAttrs
(n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash")
(n: _: n == "lastModified" || n == "rev" || n == "narHash")
config.flake
));
};
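Review bot: The reason `revCount` is no longer copied into the registry entry is not recorded anywhere in the code, so the next reader of the `filterAttrs` predicate may take the omission for an oversight and re-add it. The three attributes that remain (`lastModified`, `rev`, `narHash`) appear to be exactly the lock metadata a `path`-type registry entry accepts, and that contract deserves a comment directly above the filter, e.g. `# Forward only the lock attributes a path-type registry entry accepts; revCount is not one of them (presumably rejected by newer Nix — confirm).`. The enclosing attribute set starts and ends outside this hunk.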


@ -24,13 +24,21 @@
config = {
# This should not contain packages that are broken or can't build, since it
# will break this expression
#
# Currently broken packages:
# - contour
#
# can be generated with:
# lib.attrNames (lib.filterAttrs
# (_: drv: (builtins.tryEval (lib.isDerivation drv && drv ? terminfo)).value)
# pkgs)
environment.systemPackages = lib.mkIf config.environment.enableAllTerminfo (map (x: x.terminfo) (with pkgs.pkgsBuildBuild; [
environment.systemPackages = lib.mkIf config.environment.enableAllTerminfo (
map (x: x.terminfo) (
with pkgs.pkgsBuildBuild;
[
alacritty
contour
foot
kitty
mtm
@ -42,7 +50,9 @@
tmux
wezterm
yaft
]));
]
)
);
environment.pathsToLink = [
"/share/terminfo"


@ -13,6 +13,14 @@
[XDG Icon Theme specification](https://specifications.freedesktop.org/icon-theme-spec/icon-theme-spec-latest.html).
'';
};
xdg.icons.fallbackCursorThemes = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = ''
Names of the fallback cursor themes, in order of preference, to be used when no other icon source can be found.
Set to `[]` to disable the fallback entirely.
'';
};
};
config = lib.mkIf config.xdg.icons.enable {
@ -25,6 +33,15 @@
# Empty icon theme that contains index.theme file describing directories
# where toolkits should look for icons installed by apps.
pkgs.hicolor-icon-theme
] ++ lib.optionals (config.xdg.icons.fallbackCursorThemes != []) [
(pkgs.writeTextFile {
name = "fallback-cursor-theme";
text = ''
[Icon Theme]
Inherits=${lib.concatStringsSep "," config.xdg.icons.fallbackCursorThemes}
'';
destination = "/share/icons/default/index.theme";
})
];
# libXcursor looks for cursors in XCURSOR_PATH
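Review bot: The generated `Inherits=` line interpolates each theme name unescaped, so a name containing a newline or `,` would change the structure of the ini file, and nothing on the new side restricts elements beyond `lib.types.str`. Tightening the element type, e.g. `type = lib.types.listOf (lib.types.strMatching "[^,\n]+");`, rejects such values at evaluation time instead of producing a malformed `index.theme`. It would also help to say in the option description that the names end up in `/share/icons/default/index.theme`, so readers know where the fallback takes effect.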


@ -1,8 +1,9 @@
{ config, pkgs, lib, ... }:
{ config, lib, ... }:
let
cfg = config.hardware.uinput;
in {
in
{
options.hardware.uinput = {
enable = lib.mkEnableOption "uinput support";
};
@ -10,7 +11,7 @@ in {
config = lib.mkIf cfg.enable {
boot.kernelModules = [ "uinput" ];
users.groups.uinput = {};
users.groups.uinput.gid = config.ids.gids.uinput;
services.udev.extraRules = ''
SUBSYSTEM=="misc", KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput"


@ -30,7 +30,7 @@
, imageFileBasename
, compression
, fileSystems
, partitionsJSON
, finalPartitions
, split
, seed
, definitionsDirectory
@ -110,7 +110,9 @@ in
env = mkfsEnv;
inherit partitionsJSON definitionsDirectory;
inherit finalPartitions definitionsDirectory;
partitionsJSON = builtins.toJSON finalAttrs.finalPartitions;
# relative path to the repart definitions that are read by systemd-repart
finalRepartDefinitions = "repart.d";
@ -136,7 +138,7 @@ in
patchPhase = ''
runHook prePatch
amendedRepartDefinitionsDir=$(${amendRepartDefinitions} $partitionsJSON $definitionsDirectory)
amendedRepartDefinitionsDir=$(${amendRepartDefinitions} <(echo "$partitionsJSON") $definitionsDirectory)
ln -vs $amendedRepartDefinitionsDir $finalRepartDefinitions
runHook postPatch
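Review bot: `<(echo "$partitionsJSON")` feeds the JSON to the helper through `echo`, which depending on shell options interprets backslash escapes and leading `-` options; JSON from `builtins.toJSON` routinely contains `\"` and `\n` escapes inside string values. `printf` writes the value verbatim: `amendedRepartDefinitionsDir=$(${amendRepartDefinitions} <(printf '%s\n' "$partitionsJSON") $definitionsDirectory)`. The rest of `patchPhase` is outside the hunk.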


@ -163,21 +163,20 @@ in
createEmpty = false;
}).overrideAttrs
(
finalAttrs: previousAttrs:
let
copyUki = "CopyFiles=${config.system.build.uki}/${config.system.boot.loader.ukiFile}:${cfg.ukiPath}";
in
{
finalAttrs: previousAttrs: {
# add entry to inject UKI into ESP
finalPartitions = lib.recursiveUpdate previousAttrs.finalPartitions {
${cfg.partitionIds.esp}.contents = {
"${cfg.ukiPath}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
};
};
nativeBuildInputs = previousAttrs.nativeBuildInputs ++ [
pkgs.systemdUkify
verityHashCheck
pkgs.jq
];
postPatch = ''
# add entry to inject UKI into ESP
echo '${copyUki}' >> $finalRepartDefinitions/${cfg.partitionIds.esp}.conf
'';
preBuild = ''
# check that we build the final image with the same intermediate image for
# which the injected UKI was built by comparing the UKI cmdline with the repart output
@ -194,6 +193,24 @@ in
chmod +w ${config.image.repart.imageFileBasename}.raw
'';
# replace "TBD" with the original roothash values
preInstall = ''
mv -v repart-output{.json,_orig.json}
jq --slurp --indent -1 \
'.[0] as $intermediate | .[1] as $final
| $intermediate | map(select(.roothash != null) | { "uuid":.uuid,"roothash":.roothash }) as $uuids
| $final + $uuids
| group_by(.uuid)
| map(add)
| sort_by(.offset)' \
${config.system.build.intermediateImage}/repart-output.json \
repart-output_orig.json \
> repart-output.json
rm -v repart-output_orig.json
'';
# the image will be self-contained so we can drop references
# to the closure that was used to build it
unsafeDiscardReferences.out = true;


@ -318,14 +318,12 @@ in
format
(lib.mapAttrs (_n: v: { Partition = v.repartConfig; }) cfg.finalPartitions);
partitionsJSON = pkgs.writeText "partitions.json" (builtins.toJSON cfg.finalPartitions);
mkfsEnv = mkfsOptionsToEnv cfg.mkfsOptions;
in
pkgs.callPackage ./repart-image.nix {
systemd = cfg.package;
inherit (cfg) name version imageFileBasename compression split seed sectorSize;
inherit fileSystems definitionsDirectory partitionsJSON mkfsEnv;
inherit (cfg) name version imageFileBasename compression split seed sectorSize finalPartitions;
inherit fileSystems definitionsDirectory mkfsEnv;
};
meta.maintainers = with lib.maintainers; [ nikstur willibutz ];


@ -8,7 +8,7 @@ let
* to a menuentry for use in grub.
*
* * defaults: {name, image, params, initrd}
* * options: [ option... ]
* * options: [ option... ]
* * option: {name, params, class}
*/
menuBuilderGrub2 =
@ -772,9 +772,10 @@ in
# here and it causes a cyclic dependency.
boot.loader.grub.enable = false;
environment.systemPackages = [ grubPkgs.grub2 grubPkgs.grub2_efi ]
environment.systemPackages = [ grubPkgs.grub2 ]
++ lib.optional (config.isoImage.makeBiosBootable) pkgs.syslinux
;
system.extraDependencies = [ grubPkgs.grub2_efi ];
# In stage 1 of the boot, mount the CD as the root FS by label so
# that we don't need to know its device. We pass the label of the
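Review bot: `grubPkgs.grub2_efi` moves from `environment.systemPackages` to `system.extraDependencies` with no comment explaining why it must stay in the closure but out of the profile. A one-line comment on the new line, `# keep grub2_efi in the closure for <reason> without exposing it in the system profile`, with the reason filled in, would save a future reader from re-deriving it. The reason is not recoverable from the hunk itself.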


@ -1,7 +1,7 @@
{
x86_64-linux = "/nix/store/mczjdfprd67mdn90488854bf6b3nkp8j-nix-2.18.7";
i686-linux = "/nix/store/qqll8zrx7ibdx34ry1ijanqdpdpnibbc-nix-2.18.7";
aarch64-linux = "/nix/store/lwysvjn745fwsz8nv13zzsfq0dhiyxlp-nix-2.18.7";
x86_64-darwin = "/nix/store/frzvlvzzj7hwvg8p0y0ivl27430nxhfy-nix-2.18.7";
aarch64-darwin = "/nix/store/43dp3pl3k95gszp1hl9sjm22gly65sxi-nix-2.18.7";
x86_64-linux = "/nix/store/vhv7ckr0winivvwfqxd54d6pgq2hx1is-nix-2.18.8";
i686-linux = "/nix/store/8x7rmgi225r5kygpf17swvk3vll0c61y-nix-2.18.8";
aarch64-linux = "/nix/store/sbyj0rb1wd314zfxpf834d0clvxrxmv3-nix-2.18.8";
x86_64-darwin = "/nix/store/vsy1wl865md71qv177nchj0aj5p26pkl-nix-2.18.8";
aarch64-darwin = "/nix/store/54kqc2da3fjyjgzab4vaszxjmdvii6yk-nix-2.18.8";
}


@ -35,7 +35,6 @@ in
};
config = {
ids.uids = {
@ -666,6 +665,7 @@ in
rstudio-server = 324;
localtimed = 325;
automatic-timezoned = 326;
uinput = 327;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal


@ -259,6 +259,7 @@
./programs/oblogout.nix
./programs/oddjobd.nix
./programs/openvpn3.nix
./programs/obs-studio.nix
./programs/partition-manager.nix
./programs/plotinus.nix
./programs/pqos-wrapper.nix
@ -882,6 +883,7 @@
./services/monitoring/datadog-agent.nix
./services/monitoring/do-agent.nix
./services/monitoring/fusion-inventory.nix
./services/monitoring/gatus.nix
./services/monitoring/goss.nix
./services/monitoring/grafana-agent.nix
./services/monitoring/grafana-image-renderer.nix
@ -1029,6 +1031,7 @@
./services/networking/expressvpn.nix
./services/networking/fakeroute.nix
./services/networking/fastnetmon-advanced.nix
./services/networking/fedimintd.nix
./services/networking/ferm.nix
./services/networking/firefox-syncserver.nix
./services/networking/fireqos.nix
@ -1251,6 +1254,7 @@
./services/networking/uptermd.nix
./services/networking/v2ray.nix
./services/networking/v2raya.nix
./services/networking/veilid.nix
./services/networking/vdirsyncer.nix
./services/networking/vsftpd.nix
./services/networking/wasabibackend.nix
@ -1383,6 +1387,7 @@
./services/web-apps/atlassian/crowd.nix
./services/web-apps/atlassian/jira.nix
./services/web-apps/audiobookshelf.nix
./services/web-apps/bluemap.nix
./services/web-apps/bookstack.nix
./services/web-apps/c2fmzq-server.nix
./services/web-apps/calibre-web.nix
@ -1392,6 +1397,7 @@
./services/web-apps/chatgpt-retrieval-plugin.nix
./services/web-apps/cloudlog.nix
./services/web-apps/code-server.nix
./services/web-apps/collabora-online.nix
./services/web-apps/commafeed.nix
./services/web-apps/convos.nix
./services/web-apps/crabfit.nix
@ -1423,6 +1429,7 @@
./services/web-apps/goatcounter.nix
./services/web-apps/guacamole-client.nix
./services/web-apps/guacamole-server.nix
./services/web-apps/hatsu.nix
./services/web-apps/healthchecks.nix
./services/web-apps/hedgedoc.nix
./services/web-apps/hledger-web.nix
@ -1482,6 +1489,7 @@
./services/web-apps/powerdns-admin.nix
./services/web-apps/pretalx.nix
./services/web-apps/pretix.nix
./services/web-apps/privatebin.nix
./services/web-apps/prosody-filer.nix
./services/web-apps/rimgo.nix
./services/web-apps/rutorrent.nix
@ -1513,7 +1521,6 @@
./services/web-apps/zitadel.nix
./services/web-servers/agate.nix
./services/web-servers/apache-httpd/default.nix
./services/web-servers/bluemap.nix
./services/web-servers/caddy/default.nix
./services/web-servers/darkhttpd.nix
./services/web-servers/fcgiwrap.nix
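Review bot: Two of the new entries break the alphabetical order of their neighbours: `./programs/obs-studio.nix` is placed after `openvpn3.nix` although `obs-studio` sorts before `oddjobd.nix`, and `./services/networking/veilid.nix` is placed before `vdirsyncer.nix` although `vd` sorts before `ve`. The other additions in this section (gatus, fedimintd, bluemap, collabora-online, hatsu, privatebin) are in order. Moving the two lines keeps the list scannable and avoids merge conflicts clustering at the wrong spot.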


@ -196,14 +196,8 @@ in
# To prevent gratuitous rebuilds on each change to Nixpkgs
nixos.revision = null;
stateVersion = lib.mkDefault (throw ''
The macOS linux builder should not need a stateVersion to be set, but a module
has accessed stateVersion nonetheless.
Please inspect the trace of the following command to figure out which module
has a dependency on stateVersion.
nix-instantiate --attr darwin.linux-builder --show-trace
'');
# to be updated by module maintainers, see nixpkgs#325610
stateVersion = "24.05";
};
users.users."${user}" = {


@ -1,4 +1,9 @@
{ pkgs, config, lib, ... }:
{
pkgs,
config,
lib,
...
}:
let
cfg = config.programs.firefox;
@ -78,7 +83,7 @@ in
wrapperConfig = lib.mkOption {
type = lib.types.attrs;
default = {};
default = { };
description = "Arguments to pass to Firefox wrapper";
};
@ -99,7 +104,13 @@ in
};
preferences = lib.mkOption {
type = with lib.types; attrsOf (oneOf [ bool int str ]);
type =
with lib.types;
attrsOf (oneOf [
bool
int
str
]);
default = { };
description = ''
Preferences to set from `about:config`.
@ -112,7 +123,12 @@ in
};
preferencesStatus = lib.mkOption {
type = lib.types.enum [ "default" "locked" "user" "clear" ];
type = lib.types.enum [
"default"
"locked"
"user"
"clear"
];
default = "locked";
description = ''
The status of `firefox.preferences`.
@ -127,7 +143,8 @@ in
languagePacks = lib.mkOption {
# Available languages can be found in https://releases.mozilla.org/pub/firefox/releases/${cfg.package.version}/linux-x86_64/xpi/
type = lib.types.listOf (lib.types.enum ([
type = lib.types.listOf (
lib.types.enum ([
"ach"
"af"
"an"
@ -231,7 +248,8 @@ in
"xh"
"zh-CN"
"zh-TW"
]));
])
);
default = [ ];
description = ''
The language packs to install.
@ -249,10 +267,23 @@ in
'';
};
autoConfigFiles = lib.mkOption {
type = with lib.types; listOf path;
default = [ ];
description = ''
AutoConfig files can be used to set and lock preferences that are not covered
by the policies.json for Mac and Linux. This method can be used to automatically
change user preferences or prevent the end user from modifiying specific
preferences by locking them. More info can be found in https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig.
Files are concated and autoConfig is appended.
'';
};
nativeMessagingHosts = ({
packages = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [];
default = [ ];
description = ''
Additional packages containing native messaging hosts that should be made available to Firefox extensions.
'';
@ -260,20 +291,30 @@ in
}) // (builtins.mapAttrs (k: v: lib.mkEnableOption "${v.name} support") nmhOptions);
};
config = let
forEachEnabledNmh = fn: lib.flatten (lib.mapAttrsToList (k: v: lib.optional cfg.nativeMessagingHosts.${k} (fn k v)) nmhOptions);
in lib.mkIf cfg.enable {
warnings = forEachEnabledNmh (k: v:
"The `programs.firefox.nativeMessagingHosts.${k}` option is deprecated, " +
"please add `${v.package.pname}` to `programs.firefox.nativeMessagingHosts.packages` instead."
config =
let
forEachEnabledNmh =
fn:
lib.flatten (
lib.mapAttrsToList (k: v: lib.optional cfg.nativeMessagingHosts.${k} (fn k v)) nmhOptions
);
in
lib.mkIf cfg.enable {
warnings = forEachEnabledNmh (
k: v:
"The `programs.firefox.nativeMessagingHosts.${k}` option is deprecated, "
+ "please add `${v.package.pname}` to `programs.firefox.nativeMessagingHosts.packages` instead."
);
programs.firefox.nativeMessagingHosts.packages = forEachEnabledNmh (_: v: v.package);
environment.systemPackages = [
(cfg.package.override (old: {
extraPrefsFiles = old.extraPrefsFiles or [] ++ [(pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig)];
nativeMessagingHosts = old.nativeMessagingHosts or [] ++ cfg.nativeMessagingHosts.packages;
cfg = (old.cfg or {}) // cfg.wrapperConfig;
extraPrefsFiles =
old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
cfg = (old.cfg or { }) // cfg.wrapperConfig;
}))
];
@ -288,20 +329,26 @@ in
# Preferences are converted into a policy
programs.firefox.policies = {
DisableAppUpdate = true;
Preferences = (builtins.mapAttrs
(_: value: { Value = value; Status = cfg.preferencesStatus; })
cfg.preferences);
ExtensionSettings = builtins.listToAttrs (builtins.map
(lang: lib.attrsets.nameValuePair
"langpack-${lang}@firefox.mozilla.org"
{
Preferences = (
builtins.mapAttrs (_: value: {
Value = value;
Status = cfg.preferencesStatus;
}) cfg.preferences
);
ExtensionSettings = builtins.listToAttrs (
builtins.map (
lang:
lib.attrsets.nameValuePair "langpack-${lang}@firefox.mozilla.org" {
installation_mode = "normal_installed";
install_url = "https://releases.mozilla.org/pub/firefox/releases/${cfg.package.version}/linux-x86_64/xpi/${lang}.xpi";
}
)
cfg.languagePacks);
) cfg.languagePacks
);
};
};
meta.maintainers = with lib.maintainers; [ danth ];
meta.maintainers = with lib.maintainers; [
danth
linsui
];
}
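Review bot: The description of the new `autoConfigFiles` option has typos that will appear in the rendered manual: `modifiying` should be `modifying`, and `Files are concated and autoConfig is appended.` should be `Files are concatenated and autoConfig is appended.`. Since the new `extraPrefsFiles` list places `cfg.autoConfigFiles` before the generated `firefox-autoconfig.js`, the description could also state that settings from `autoConfig` are applied after the files and therefore take precedence.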


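--- /dev/null
+++ b/nixos/modules/programs/obs-studio.nix
@@ -0,0 +1,64 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+let
+cfg = config.programs.obs-studio;
+in
+{
+options.programs.obs-studio = {
+enable = lib.mkEnableOption "Free and open source software for video recording and live streaming";
+package = lib.mkPackageOption pkgs "obs-studio" { example = "obs-studio"; };
+finalPackage = lib.mkOption {
+type = lib.types.package;
+visible = false;
+readOnly = true;
+description = "Resulting customized OBS Studio package.";
+};
+plugins = lib.mkOption {
+default = [ ];
+example = lib.literalExpression "[ pkgs.obs-studio-plugins.wlrobs ]";
+description = "Optional OBS plugins.";
+type = lib.types.listOf lib.types.package;
+};
+enableVirtualCamera = lib.mkOption {
+type = lib.types.bool;
+default = false;
+description = ''
+Installs and sets up the v4l2loopback kernel module, necessary for OBS
+to start a virtual camera.
+'';
+};
+};
+config = lib.mkIf cfg.enable {
+programs.obs-studio.finalPackage = pkgs.wrapOBS.override { obs-studio = cfg.package; } {
+plugins = cfg.plugins;
+};
+environment.systemPackages = [ cfg.finalPackage ];
+boot = lib.mkIf cfg.enableVirtualCamera {
+kernelModules = [ "v4l2loopback" ];
+extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ];
+extraModprobeConfig = ''
+options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1
+'';
+};
+security.polkit.enable = lib.mkIf cfg.enableVirtualCamera true;
+};
+meta.maintainers = with lib.maintainers; [
+CaptainJawZ
+GaetanLepage
+];
+}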
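Review bot: `security.polkit.enable = lib.mkIf cfg.enableVirtualCamera true;` turns on polkit system-wide with no comment on which part of the virtual-camera path needs it; a `# <component> requires polkit to <operation>` comment on that line would document the coupling. The `enable` string is passed through `mkEnableOption`, which prefixes "Whether to enable", so the manual will read "Whether to enable Free and open source software…"; `lib.mkEnableOption "OBS Studio, free and open source software for video recording and live streaming"` reads correctly. `example = "obs-studio"` on the package option equals the default and, as far as I can tell, `mkPackageOption` renders a string example verbatim rather than as `pkgs.obs-studio`, so either drop it or use `"pkgs.obs-studio"`. The modprobe line fixes `video_nr=1` and `card_label="OBS Cam"`; if these are meant to be non-configurable, the `enableVirtualCamera` description should say so, since `/dev/video1` may already exist on the host.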


@ -22,7 +22,7 @@ let
serverOptions = { name, config, ... }: {
freeformType = attrsOf (either scalarType (listOf scalarType));
# Client system-options file directives are explained here:
# https://www.ibm.com/docs/en/storage-protect/8.1.23?topic=commands-processing-options
# https://www.ibm.com/docs/en/storage-protect/8.1.24?topic=commands-processing-options
options.servername = mkOption {
type = servernameType;
default = name;


@ -19,6 +19,6 @@ in
# To make a cardboard session available for certain DMs like SDDM
services.displayManager.sessionPackages = [ cfg.package ];
}
(import ./wayland-session.nix { inherit lib; })
(import ./wayland-session.nix { inherit lib pkgs; })
]);
}


@ -70,7 +70,7 @@ in
}
(import ./wayland-session.nix {
inherit lib;
inherit lib pkgs;
enableXWayland = cfg.xwayland.enable;
enableWlrPortal = lib.mkDefault false; # Hyprland has its own portal, wlr is not needed
})


@ -20,6 +20,6 @@ in
# To make a labwc session available for certain DMs like SDDM
services.displayManager.sessionPackages = [ cfg.package ];
}
(import ./wayland-session.nix { inherit lib; })
(import ./wayland-session.nix { inherit lib pkgs; })
]);
}


@ -30,11 +30,12 @@ in
}
(import ./wayland-session.nix {
inherit lib;
inherit lib pkgs;
# Hardcoded path in Mir, not really possible to disable
enableXWayland = true;
# No portal support yet: https://github.com/mattkae/miracle-wm/issues/164
enableWlrPortal = false;
enableGtkPortal = false;
})
]
);


@ -56,7 +56,7 @@ in
}
(import ./wayland-session.nix {
inherit lib;
inherit lib pkgs;
enableXWayland = cfg.xwayland.enable;
})
]);


@ -148,7 +148,7 @@ in
}
(import ./wayland-session.nix {
inherit lib;
inherit lib pkgs;
enableXWayland = cfg.xwayland.enable;
})
]);


@ -11,7 +11,11 @@ in
{
options.programs.waybar = {
enable = lib.mkEnableOption "waybar, a highly customizable Wayland bar for Sway and Wlroots based compositors";
package = lib.mkPackageOption pkgs "waybar" { };
package =
lib.mkPackageOption pkgs "waybar" { }
// lib.mkOption {
apply = pkg: pkg.override { systemdSupport = true; };
};
};
config = lib.mkIf cfg.enable {
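Review bot: The `apply` on `package` runs `pkg.override { systemdSupport = true; }` on whatever the user supplies, so a package that does not accept a `systemdSupport` argument, or a plain derivation without `override`, fails at evaluation with an error that does not point at this module. If the override is meant to be unconditional, say so in the manual via `lib.mkPackageOption pkgs "waybar" { extraDescription = "The package is always overridden with `systemdSupport = true`."; }`; otherwise restrict it to the default, e.g. `default = pkgs.waybar.override { systemdSupport = true; };`, and leave user-provided packages untouched.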


@ -63,7 +63,7 @@ in
};
}
(import ./wayland-session.nix {
inherit lib;
inherit lib pkgs;
enableXWayland = cfg.xwayland.enable;
})
]


@ -1,7 +1,9 @@
{
lib,
pkgs,
enableXWayland ? true,
enableWlrPortal ? true,
enableGtkPortal ? true,
}:
{
@ -18,6 +20,9 @@
services.graphical-desktop.enable = true;
xdg.portal.wlr.enable = enableWlrPortal;
xdg.portal.extraPortals = lib.mkIf enableGtkPortal [
pkgs.xdg-desktop-portal-gtk
];
# Window manager only sessions (unlike DEs) don't handle XDG
# autostart files, so force them to run the service


@ -344,7 +344,7 @@ let
serviceConfig = commonServiceConfig // {
Group = data.group;
# Let's Encrypt Failed Validation Limit allows 5 retries per hour, per account, hostname and hour.
# Let's Encrypt Failed Validation Limit allows 5 retries per hour, per account, hostname and hour.
# This avoids eating them all up if something is misconfigured upon the first try.
RestartSec = 15 * 60;


@ -125,7 +125,7 @@ in
};
systemd.slices.isolate = {
description = "Isolate sandbox slice";
description = "Isolate Sandbox Slice";
};
meta.maintainers = with maintainers; [ virchau13 ];


@ -657,7 +657,7 @@ in {
config = mkIf (fd_cfg.enable || sd_cfg.enable || dir_cfg.enable) {
systemd.slices.system-bacula = {
description = "Bacula Slice";
description = "Bacula Backup System Slice";
documentation = [ "man:bacula(8)" "https://www.bacula.org/" ];
};


@ -90,7 +90,7 @@ in
environment.HOME = "/var/lib/tsm-backup";
serviceConfig = {
# for exit status description see
# https://www.ibm.com/docs/en/storage-protect/8.1.23?topic=clients-client-return-codes
# https://www.ibm.com/docs/en/storage-protect/8.1.24?topic=clients-client-return-codes
SuccessExitStatus = "4 8";
# The `-se` option must come after the command.
# The `-optfile` option suppresses a `dsm.opt`-not-found warning.


@ -103,7 +103,7 @@ let
};
network = lib.mkOption {
type = lib.types.nullOr (lib.types.enum [ "goerli" "rinkeby" "yolov2" "ropsten" ]);
type = lib.types.nullOr (lib.types.enum [ "goerli" "holesky" "rinkeby" "yolov2" "ropsten" ]);
default = null;
description = "The network to connect to. Mainnet (null) is the default ethereum network.";
};


@ -311,7 +311,7 @@ in
];
systemd.slices.system-hydra = {
description = "Hydra Slice";
description = "Hydra CI Server Slice";
documentation = [ "file://${cfg.package}/share/doc/hydra/index.html" "https://nixos.org/hydra/manual/" ];
};


@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (lib) mkIf mkOption types;
cfg = config.services.jenkinsSlave;
masterCfg = config.services.jenkins;
in {
@ -47,16 +48,16 @@ in {
'';
};
javaPackage = mkPackageOption pkgs "jdk" { };
javaPackage = lib.mkPackageOption pkgs "jdk" { };
};
};
config = mkIf (cfg.enable && !masterCfg.enable) {
users.groups = optionalAttrs (cfg.group == "jenkins") {
users.groups = lib.optionalAttrs (cfg.group == "jenkins") {
jenkins.gid = config.ids.gids.jenkins;
};
users.users = optionalAttrs (cfg.user == "jenkins") {
users.users = lib.optionalAttrs (cfg.user == "jenkins") {
jenkins = {
description = "jenkins user";
createHome = true;


@ -438,6 +438,7 @@ in
ZONEINFO = "${pkgs.tzdata}/share/zoneinfo";
};
serviceConfig = {
Type = "exec"; # When credentials are used with systemd before v257 this is necessary to make the service start reliably (see systemd/systemd#33953)
ExecStart = "${cfg.package}/bin/influxd --bolt-path \${STATE_DIRECTORY}/influxd.bolt --engine-path \${STATE_DIRECTORY}/engine";
StateDirectory = "influxdb2";
User = "influxdb2";


@ -187,7 +187,7 @@ $ nix-instantiate --eval -A postgresql_13.psqlSchema
```
For an upgrade, a script like this can be used to simplify the process:
```nix
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
{
environment.systemPackages = [
(let
@ -196,6 +196,7 @@ For an upgrade, a script like this can be used to simplify the process:
newPostgres = pkgs.postgresql_13.withPackages (pp: [
# pp.plv8
]);
cfg = config.services.postgresql;
in pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
@ -205,12 +206,12 @@ For an upgrade, a script like this can be used to simplify the process:
export NEWBIN="${newPostgres}/bin"
export OLDDATA="${config.services.postgresql.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
export OLDDATA="${cfg.dataDir}"
export OLDBIN="${cfg.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" ${lib.escapeShellArgs cfg.initdbArgs}
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \


@ -7,6 +7,7 @@ let
concatStringsSep
const
elem
escapeShellArgs
filterAttrs
isString
literalExpression
@ -545,7 +546,7 @@ in
rm -f ${cfg.dataDir}/*.conf
# Initialise the database.
initdb -U ${cfg.superUser} ${concatStringsSep " " cfg.initdbArgs}
initdb -U ${cfg.superUser} ${escapeShellArgs cfg.initdbArgs}
# See postStart!
touch "${cfg.dataDir}/.first_startup"
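Review bot: `${escapeShellArgs cfg.initdbArgs}` fixes word splitting for the argument list, but `-U ${cfg.superUser}` on the same line is still interpolated unquoted. If `superUser` is a user-settable string option (its definition is outside the hunk), the same treatment applies: `initdb -U ${escapeShellArg cfg.superUser} ${escapeShellArgs cfg.initdbArgs}`, with `escapeShellArg` added to the `inherit (lib)` list in the first hunk. If it is fixed to a constant, a short comment saying so would make the asymmetry look deliberate.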


@ -58,6 +58,7 @@ in {
];
qt.enable = true;
programs.xwayland.enable = true;
environment.systemPackages = with kdePackages; let
requiredPackages = [
qtwayland # Hack? To make everything run on Wayland
@ -87,7 +88,6 @@ in {
# Core Plasma parts
kwin
pkgs.xwayland
kscreen
libkscreen
kscreenlocker
@ -143,10 +143,12 @@ in {
kate
khelpcenter
dolphin
baloo-widgets # baloo information in Dolphin
dolphin-plugins
spectacle
ffmpegthumbs
krdp
xwaylandvideobridge # exposes Wayland windows to X11 screen capture
] ++ lib.optionals config.services.flatpak.enable [
# Since PackageKit Nix support is not there yet,
# only install discover if flatpak is enabled.
@ -243,9 +245,13 @@ in {
systemd.services."drkonqi-coredump-processor@".wantedBy = ["systemd-coredump@.service"];
xdg.icons.enable = true;
xdg.icons.fallbackCursorThemes = mkDefault ["breeze_cursors"];
xdg.portal.enable = true;
xdg.portal.extraPortals = [kdePackages.xdg-desktop-portal-kde];
xdg.portal.extraPortals = [
kdePackages.xdg-desktop-portal-kde
pkgs.xdg-desktop-portal-gtk
];
xdg.portal.configPackages = mkDefault [kdePackages.xdg-desktop-portal-kde];
services.pipewire.enable = mkDefault true;


@ -168,7 +168,7 @@ in
type = lib.types.package;
default = pkgs.go;
defaultText = lib.literalExpression "pkgs.go";
example = "pkgs.go_1_21";
example = "pkgs.go_1_23";
description = ''
The Go package used by Athens at runtime.


@ -85,7 +85,7 @@ in
percentageLow = lib.mkOption {
type = lib.types.ints.unsigned;
default = 10;
default = 20;
description = ''
When `usePercentageForPolicy` is
`true`, the levels at which UPower will consider the
@ -103,7 +103,7 @@ in
percentageCritical = lib.mkOption {
type = lib.types.ints.unsigned;
default = 3;
default = 5;
description = ''
When `usePercentageForPolicy` is
`true`, the levels at which UPower will consider the
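Review bot: Raising `percentageLow` from 10 to 20 and `percentageCritical` from 3 to 5 changes battery policy on every system that keeps the defaults, and the release-notes hunks visible in this commit do not mention it. If the new values follow a change in upower's own defaults, a comment above each option, `# follows upower's upstream default`, would make that clear; otherwise a release-note entry is warranted so users know why their warning thresholds moved.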


@ -260,6 +260,9 @@ in
# hardening
CapabilityBoundingSet = [
"CAP_CHOWN"
"CAP_DAC_OVERRIDE"
"CAP_KILL"
"CAP_SETUID"
"CAP_SETGID"
];
DevicePolicy = "closed";
@ -280,16 +283,16 @@ in
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictSUIDSGID = false; # can create sgid directories
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
"@chown"
"@chown @setuid"
];
UMask = "0027";
} // lib.optionalAttrs (!cfg.allowNetworking) {
PrivateNetwork = true;
PrivateNetwork = true; # e.g. mail delivery
RestrictAddressFamilies = "none";
};
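Review bot: The capability bounding set grows by `CAP_DAC_OVERRIDE`, `CAP_KILL`, `CAP_SETUID` and `CAP_SETGID`, and `RestrictSUIDSGID` is switched off, but only the sgid-directory case and the network case get a comment. `CAP_DAC_OVERRIDE` in particular lets the service bypass file-permission checks, which undoes much of what the remaining sandboxing (`ProtectSystem`, `UMask`, the syscall filter) achieves, so each added capability deserves a one-line justification, e.g. `"CAP_DAC_OVERRIDE" # needed for <operation>` with the operation filled in. Adding `@setuid` back to the filter while keeping `~@privileged` is the right narrow form; the same why-comment would help there. The enclosing `serviceConfig` starts before this hunk.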
};


@ -69,11 +69,6 @@ in {
appservice = {
id = "";
database = {
type = "sqlite3-fk-wal";
uri = "file:${fullDataDir config}/mautrix-meta.db?_txlock=immediate";
};
bot = {
username = "";
};
@ -83,11 +78,15 @@ in {
address = "http://${config.settings.appservice.hostname}:${toString config.settings.appservice.port}";
};
meta = {
mode = "";
bridge = {
permissions = {};
};
database = {
type = "sqlite3-fk-wal";
uri = "file:${fullDataDir config}/mautrix-meta.db?_txlock=immediate";
};
bridge = {
# Enable encryption by default to make the bridge more secure
encryption = {
allow = true;
@ -106,6 +105,11 @@ in {
delete_outdated_inbound = true;
};
# TODO: This effectively disables encryption. But this is the value provided when a <0.4 config is migrated. Changing it will corrupt the database.
# https://github.com/mautrix/meta/blob/f5440b05aac125b4c95b1af85635a717cbc6dd0e/cmd/mautrix-meta/legacymigrate.go#L24
# If you wish to encrypt the local database you should set this to an environment variable substitution and reset the bridge or somehow migrate the DB.
pickle_key = "mautrix.bridge.e2ee";
verification_levels = {
receive = "cross-signed-tofu";
send = "cross-signed-tofu";
@ -113,9 +117,6 @@ in {
};
};
permissions = {};
};
logging = {
min_level = "info";
writers = lib.singleton {
@ -124,6 +125,10 @@ in {
time_format = " ";
};
};
network = {
mode = "";
};
};
defaultText = ''
{
@ -261,7 +266,7 @@ in {
description = ''
Configuration of multiple `mautrix-meta` instances.
`services.mautrix-meta.instances.facebook` and `services.mautrix-meta.instances.instagram`
come preconfigured with meta.mode, appservice.id, bot username, display name and avatar.
come preconfigured with network.mode, appservice.id, bot username, display name and avatar.
'';
example = ''
@ -283,7 +288,7 @@ in {
messenger = {
enable = true;
settings = {
meta.mode = "messenger";
network.mode = "messenger";
homeserver.domain = "example.com";
appservice = {
id = "messenger";
@ -313,9 +318,9 @@ in {
'';
}
{
assertion = builtins.elem cfg.settings.meta.mode [ "facebook" "facebook-tor" "messenger" "instagram" ];
assertion = builtins.elem cfg.settings.network.mode [ "facebook" "facebook-tor" "messenger" "instagram" ];
message = ''
The option `services.mautrix-meta.instances.${name}.settings.meta.mode` has to be set
The option `services.mautrix-meta.instances.${name}.settings.network.mode` has to be set
to one of: facebook, facebook-tor, messenger, instagram.
This configures the mode of the bridge.
'';
@ -338,6 +343,24 @@ in {
The option `services.mautrix-meta.instances.${name}.settings.appservice.bot.username` has to be set.
'';
}
{
assertion = !(cfg.settings ? bridge.disable_xma);
message = ''
The option `bridge.disable_xma` has been moved to `network.disable_xma_always`. Please [migrate your configuration](https://github.com/mautrix/meta/releases/tag/v0.4.0). You may wish to use [the auto-migration code](https://github.com/mautrix/meta/blob/f5440b05aac125b4c95b1af85635a717cbc6dd0e/cmd/mautrix-meta/legacymigrate.go#L23) for reference.
'';
}
{
assertion = !(cfg.settings ? bridge.displayname_template);
message = ''
The option `bridge.displayname_template` has been moved to `network.displayname_template`. Please [migrate your configuration](https://github.com/mautrix/meta/releases/tag/v0.4.0). You may wish to use [the auto-migration code](https://github.com/mautrix/meta/blob/f5440b05aac125b4c95b1af85635a717cbc6dd0e/cmd/mautrix-meta/legacymigrate.go#L23) for reference.
'';
}
{
assertion = !(cfg.settings ? meta);
message = ''
The options in `meta` have been moved to `network`. Please [migrate your configuration](https://github.com/mautrix/meta/releases/tag/v0.4.0). You may wish to use [the auto-migration code](https://github.com/mautrix/meta/blob/f5440b05aac125b4c95b1af85635a717cbc6dd0e/cmd/mautrix-meta/legacymigrate.go#L23) for reference.
'';
}
]) enabledInstances));
users.users = lib.mapAttrs' (name: cfg: lib.nameValuePair "mautrix-meta-${name}" {
@ -518,11 +541,7 @@ in {
in {
instagram = {
settings = {
meta.mode = mkDefault "instagram";
bridge = {
username_template = mkDefault "instagram_{{.}}";
};
network.mode = mkDefault "instagram";
appservice = {
id = mkDefault "instagram";
@ -532,16 +551,13 @@ in {
displayname = mkDefault "Instagram bridge bot";
avatar = mkDefault "mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv";
};
username_template = mkDefault "instagram_{{.}}";
};
};
};
facebook = {
settings = {
meta.mode = mkDefault "facebook";
bridge = {
username_template = mkDefault "facebook_{{.}}";
};
network.mode = mkDefault "facebook";
appservice = {
id = mkDefault "facebook";
@ -551,6 +567,7 @@ in {
displayname = mkDefault "Facebook bridge bot";
avatar = mkDefault "mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak";
};
username_template = mkDefault "facebook_{{.}}";
};
};
};
@ -558,5 +575,5 @@ in {
}
];
meta.maintainers = with lib.maintainers; [ rutherther ];
meta.maintainers = with lib.maintainers; [ ];
}
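Review bot: `pickle_key = "mautrix.bridge.e2ee";` bakes a fixed, publicly known key into the default settings; the TODO comment explains the migration constraint, but only someone reading the module source will ever see it. Consider surfacing it where an operator looks: mention it in the `settings` description or the `defaultText` shown in the manual, and emit a warning while the default is in use, e.g. `warnings = lib.optional (cfg.settings.bridge.encryption.pickle_key == "mautrix.bridge.e2ee") "mautrix-meta-${name}: the local E2EE store uses the well-known default pickle_key";` in the per-instance config (assuming the key sits under `bridge.encryption` as the upstream layout suggests). Emptying `meta.maintainers` in the same commit that performs a config-format migration leaves nobody to be pinged when the migration assertions need updating.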


@ -8,7 +8,9 @@ in {
options = {
services.fstrim = {
enable = lib.mkEnableOption "periodic SSD TRIM of mounted partitions in background";
enable = (lib.mkEnableOption "periodic SSD TRIM of mounted partitions in background" // {
default = true;
});
interval = lib.mkOption {
type = lib.types.str;


@ -1127,6 +1127,11 @@ in {
environment.systemPackages = [ gitlab-rake gitlab-rails cfg.packages.gitlab-shell ];
systemd.slices.system-gitlab = {
description = "GitLab DevOps Platform Slice";
documentation = [ "https://docs.gitlab.com/" ];
};
systemd.targets.gitlab = {
description = "Common target for all GitLab services.";
wantedBy = [ "multi-user.target" ];
@ -1197,6 +1202,7 @@ in {
'';
serviceConfig = {
Slice = "system-gitlab.slice";
User = pgsql.superUser;
Type = "oneshot";
RemainAfterExit = true;
@ -1220,6 +1226,9 @@ in {
unitConfig = {
ConditionPathExists = "!${cfg.registry.certFile}";
};
serviceConfig = {
Slice = "system-gitlab.slice";
};
};
# Ensure Docker Registry launches after the certificate generation job
@ -1308,6 +1317,7 @@ in {
TimeoutSec = "infinity";
Restart = "on-failure";
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
Slice = "system-gitlab.slice";
RemainAfterExit = true;
ExecStartPre = let
@ -1424,6 +1434,7 @@ in {
TimeoutSec = "infinity";
Restart = "on-failure";
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
Slice = "system-gitlab.slice";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "gitlab-db-config" ''
@ -1480,6 +1491,7 @@ in {
TimeoutSec = "infinity";
Restart = "always";
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
Slice = "system-gitlab.slice";
ExecStart = utils.escapeSystemdExecArgs (
[
"${cfg.packages.gitlab}/share/gitlab/bin/sidekiq-cluster"
@ -1512,6 +1524,7 @@ in {
Restart = "on-failure";
WorkingDirectory = gitlabEnv.HOME;
RuntimeDirectory = "gitaly";
Slice = "system-gitlab.slice";
ExecStart = "${cfg.packages.gitaly}/bin/gitaly ${gitalyToml}";
};
};
@ -1573,6 +1586,7 @@ in {
WorkingDirectory = gitlabEnv.HOME;
RuntimeDirectory = "gitlab-pages";
RuntimeDirectoryMode = "0700";
Slice = "system-gitlab.slice";
};
};
@ -1596,6 +1610,7 @@ in {
TimeoutSec = "infinity";
Restart = "on-failure";
WorkingDirectory = gitlabEnv.HOME;
Slice = "system-gitlab.slice";
ExecStartPre = pkgs.writeShellScript "gitlab-workhorse-pre-start" ''
set -o errexit -o pipefail -o nounset
shopt -s dotglob nullglob inherit_errexit
@ -1637,6 +1652,7 @@ in {
Group = cfg.group;
ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/bundle exec mail_room -c ${cfg.statePath}/config/mail_room.yml";
WorkingDirectory = gitlabEnv.HOME;
Slice = "system-gitlab.slice";
};
};
@ -1671,6 +1687,7 @@ in {
TimeoutSec = "infinity";
Restart = "on-failure";
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
Slice = "system-gitlab.slice";
ExecStart = concatStringsSep " " [
"${cfg.packages.gitlab.rubyEnv}/bin/bundle" "exec" "puma"
"-e production"
@ -1695,6 +1712,7 @@ in {
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Slice = "system-gitlab.slice";
ExecStart = "${gitlab-rake}/bin/gitlab-rake gitlab:backup:create";
};
};


@ -244,7 +244,6 @@ in
SystemCallFilter = [
"@system-service"
"~@resources"
"~@privileged"
];
SystemCallArchitectures = "native";
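Review bot: Dropping `~@privileged` from `SystemCallFilter` widens this service's syscall sandbox without a comment recording which call needed it, so the next hardening pass will most likely reinstate the filter and reintroduce whatever broke. If only one or two syscalls from the `@privileged` group are required, allow those explicitly (e.g. `"~@privileged" "@chown"` style: keep the deny and add the needed set after it), and otherwise leave a comment such as `# @privileged is needed because <binary> calls <syscall>; see <issue>` next to the list. The enclosing `serviceConfig` block starts and ends outside the hunk, so I cannot tell from here which daemon this is.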


@ -93,6 +93,7 @@ in
DATA_DIR = ".";
HF_HOME = ".";
SENTENCE_TRANSFORMERS_HOME = ".";
WEBUI_URL = "http://localhost:${toString cfg.port}";
} // cfg.environment;
serviceConfig = {


@ -234,7 +234,7 @@ in
services.redis.servers.paperless.enable = mkIf enableRedis true;
systemd.slices.system-paperless = {
description = "Paperless slice";
description = "Paperless Document Management System Slice";
documentation = [ "https://docs.paperless-ngx.com" ];
};


@ -74,6 +74,12 @@ in
description = "Group under which Redmine is ran.";
};
address = mkOption {
type = types.str;
default = "0.0.0.0";
description = "IP address Redmine should bind to.";
};
port = mkOption {
type = types.port;
default = 3000;
@ -429,7 +435,7 @@ in
Group = cfg.group;
TimeoutSec = "300";
WorkingDirectory = "${cfg.package}/share/redmine";
ExecStart="${bundle} exec rails server -u webrick -e production -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'";
ExecStart="${bundle} exec rails server -u webrick -e production -b ${toString cfg.address} -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'";
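Review bot: The new `address` option defaults to `0.0.0.0`, so the plain-HTTP WEBrick server keeps listening on every interface, and the option description does not say so; it should state the exposure and steer reverse-proxy deployments to loopback, e.g. `description = "IP address Redmine should bind to. The default exposes the plain-HTTP WEBrick server on all interfaces; use 127.0.0.1 when Redmine is fronted by a reverse proxy.";`. `toString cfg.address` is a no-op on a `types.str` value, so the `ExecStart` line reads cleaner as `-b ${cfg.address}`. The `serviceConfig` block this line belongs to starts outside the hunk.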
};
};


@ -35,6 +35,14 @@ let
descriptionClass = "conjunction";
};
intOrNumberOrRange = lib.types.either lib.types.ints.unsigned (
lib.types.strMatching "[[:digit:]]+(\-[[:digit:]]+)?"
// {
description = "string containing either a number or a range";
descriptionClass = "conjunction";
}
);
configOptions = {
SUBVOLUME = lib.mkOption {
type = lib.types.path;
@ -93,7 +101,7 @@ let
};
TIMELINE_LIMIT_HOURLY = lib.mkOption {
type = lib.types.int;
type = intOrNumberOrRange;
default = 10;
description = ''
Limits for timeline cleanup.
@ -101,7 +109,7 @@ let
};
TIMELINE_LIMIT_DAILY = lib.mkOption {
type = lib.types.int;
type = intOrNumberOrRange;
default = 10;
description = ''
Limits for timeline cleanup.
@ -109,7 +117,7 @@ let
};
TIMELINE_LIMIT_WEEKLY = lib.mkOption {
type = lib.types.int;
type = intOrNumberOrRange;
default = 0;
description = ''
Limits for timeline cleanup.
@ -117,7 +125,7 @@ let
};
TIMELINE_LIMIT_MONTHLY = lib.mkOption {
type = lib.types.int;
type = intOrNumberOrRange;
default = 10;
description = ''
Limits for timeline cleanup.
@ -125,7 +133,7 @@ let
};
TIMELINE_LIMIT_QUARTERLY = lib.mkOption {
type = lib.types.int;
type = intOrNumberOrRange;
default = 0;
description = ''
Limits for timeline cleanup.
@ -133,7 +141,7 @@ let
};
TIMELINE_LIMIT_YEARLY = lib.mkOption {
type = lib.types.int;
type = intOrNumberOrRange;
default = 10;
description = ''
Limits for timeline cleanup.
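Review bot: The regex in `intOrNumberOrRange` spells the hyphen as `\-`, which only works because Nix's string lexer passes unrecognised backslash escapes through unchanged; write it literally, `lib.types.strMatching "[[:digit:]]+(-[[:digit:]]+)?"`, so the pattern does not rely on that quirk. The pattern also accepts a descending range such as `10-2`; if snapper rejects that, an `addCheck` comparing the two numbers would report it at evaluation time rather than in the service log. The `description` attached to the string branch reads as if it covered the whole `either`; `"string containing a number or a min-max range"` makes clear which alternative it documents.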


@ -30,16 +30,15 @@ in {
description = "tzupdate timezone update service";
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
script = ''
timedatectl set-timezone $(${lib.getExe pkgs.tzupdate} --print-only)
'';
serviceConfig = {
Type = "oneshot";
# We could link directly into pkgs.tzdata, but at least timedatectl seems
# to expect the symlink to point directly to a file in etc.
# Setting the "debian timezone file" to point at /dev/null stops it doing anything.
ExecStart = "${pkgs.tzupdate}/bin/tzupdate -z /etc/zoneinfo -d /dev/null";
};
};
};
meta.maintainers = [ ];
meta.maintainers = with lib.maintainers; [ doronbehar ];
}
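Review bot: In the new `script`, the output of `tzupdate --print-only` is passed to `timedatectl` unquoted and its exit status is discarded: when tzupdate fails (no network, geolocation service unreachable) the unit's `set -e` does not trip, and `timedatectl set-timezone` is run with an empty or partial argument. Capture the value first so a failure aborts before timedatectl is invoked: `tz=$(${lib.getExe pkgs.tzupdate} --print-only)` followed by `timedatectl set-timezone "$tz"`. The script also depends on `systemd-timedated` being reachable over D-Bus, so `after`/`wants` on `dbus.service` (or `systemd-timedated.service`) would make the ordering explicit rather than implicit.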


@ -288,7 +288,7 @@ in {
path = [ ];
script = ''
export DD_API_KEY=$(head -n 1 ${cfg.apiKeyFile})
${datadogPkg}/bin/trace-agent -config /etc/datadog-agent/datadog.yaml
${datadogPkg}/bin/trace-agent --config /etc/datadog-agent/datadog.yaml
'';
});


@ -0,0 +1,132 @@
{
pkgs,
lib,
config,
...
}:
let
cfg = config.services.gatus;
settingsFormat = pkgs.formats.yaml { };
inherit (lib)
getExe
literalExpression
maintainers
mkEnableOption
mkIf
mkOption
mkPackageOption
;
inherit (lib.types)
bool
int
nullOr
path
submodule
;
in
{
options.services.gatus = {
enable = mkEnableOption "Gatus";
package = mkPackageOption pkgs "gatus" { };
configFile = mkOption {
type = path;
default = settingsFormat.generate "gatus.yaml" cfg.settings;
defaultText = literalExpression ''
let settingsFormat = pkgs.formats.yaml { }; in settingsFormat.generate "gatus.yaml" cfg.settings;
'';
description = ''
Path to the Gatus configuration file.
Overrides any configuration made using the `settings` option.
'';
};
environmentFile = mkOption {
type = nullOr path;
default = null;
description = ''
File to load as environment file.
Environmental variables from this file can be interpolated in the configuration file using `''${VARIABLE}`.
This is useful to avoid putting secrets into the nix store.
'';
};
settings = mkOption {
type = submodule {
freeformType = settingsFormat.type;
options = {
web.port = mkOption {
type = int;
default = 8080;
description = ''
The TCP port to serve the Gatus service at.
'';
};
};
};
default = { };
example = literalExpression ''
{
web.port = 8080;
endpoints = [{
name = "website";
url = "https://twin.sh/health";
interval = "5m";
conditions = [
"[STATUS] == 200"
"[BODY].status == UP"
"[RESPONSE_TIME] < 300"
];
}];
}
'';
description = ''
Configuration for Gatus.
Supported options can be found at the [docs](https://gatus.io/docs).
'';
};
openFirewall = mkOption {
type = bool;
default = false;
description = ''
Whether to open the firewall for the Gatus web interface.
'';
};
};
config = mkIf cfg.enable {
systemd.services.gatus = {
description = "Automated developer-oriented status page";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = true;
User = "gatus";
Group = "gatus";
Type = "simple";
Restart = "on-failure";
ExecStart = getExe cfg.package;
StateDirectory = "gatus";
SyslogIdentifier = "gatus";
EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
};
environment = {
GATUS_CONFIG_PATH = cfg.configFile;
};
};
networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.settings.web.port ];
};
meta.maintainers = with maintainers; [ pizzapim ];
}
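Review bot: `openFirewall` opens `cfg.settings.web.port`, but `configFile` is documented as overriding `settings` entirely, so a user who supplies their own file gets the default 8080 opened while the port Gatus actually listens on stays closed; either document this in the `openFirewall` description (`Only meaningful when the port is configured through settings.web.port`) or add an assertion that `configFile` is the generated default when `openFirewall` is true. `web.port` should be `lib.types.port` rather than `int` so out-of-range values are rejected at evaluation. The unit runs with `DynamicUser` only; a status checker that just makes outbound requests should tolerate the usual hardening set (`ProtectSystem = "strict"`, `ProtectHome = true`, `NoNewPrivileges = true`, `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]`), which is worth adding before the module ships.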


@ -273,6 +273,7 @@ in {
after = [ "network.target" ];
environment = carbonEnv;
serviceConfig = {
Slice = "system-graphite.slice";
RuntimeDirectory = name;
ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}";
User = "graphite";
@ -295,6 +296,7 @@ in {
after = [ "network.target" ];
environment = carbonEnv;
serviceConfig = {
Slice = "system-graphite.slice";
RuntimeDirectory = name;
ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}";
User = "graphite";
@ -311,6 +313,7 @@ in {
after = [ "network.target" ];
environment = carbonEnv;
serviceConfig = {
Slice = "system-graphite.slice";
RuntimeDirectory = name;
ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}";
User = "graphite";
@ -360,6 +363,7 @@ in {
User = "graphite";
Group = "graphite";
PermissionsStartOnly = true;
Slice = "system-graphite.slice";
};
preStart = ''
if ! test -e ${dataDir}/db-created; then
@ -397,6 +401,7 @@ in {
WorkingDirectory = dataDir;
User = "graphite";
Group = "graphite";
Slice = "system-graphite.slice";
};
preStart = ''
if ! test -e ${dataDir}/db-created; then
@ -413,6 +418,11 @@ in {
cfg.carbon.enableCache || cfg.carbon.enableAggregator || cfg.carbon.enableRelay ||
cfg.web.enable || cfg.seyren.enable
) {
systemd.slices.system-graphite = {
description = "Graphite Graphing System Slice";
documentation = [ "https://graphite.readthedocs.io/en/latest/overview.html" ];
};
users.users.graphite = {
uid = config.ids.uids.graphite;
group = "graphite";


@ -21,8 +21,8 @@ in
};
leasesPath = mkOption {
type = types.path;
default = "/var/lib/misc/dnsmasq.leases";
example = "/var/lib/dnsmasq/dnsmasq.leases";
default = "/var/lib/dnsmasq/dnsmasq.leases";
example = "/var/lib/misc/dnsmasq.leases";
description = ''
Path to the `dnsmasq.leases` file.
'';
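Review bot: Swapping the default `leasesPath` from `/var/lib/misc/dnsmasq.leases` to `/var/lib/dnsmasq/dnsmasq.leases` silently changes behaviour for existing users whose dnsmasq still writes to the old location, and nothing in the hunk records why. The description should mention the old default and the reason for the move (presumably matching the dnsmasq module's state directory), and the change deserves a release-note entry so affected users know to set the option explicitly.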


@ -86,7 +86,7 @@ in {
systemd.slices.system-rustdesk = {
enable = true;
description = "Slice designed to contain RustDesk Signal & RustDesk Relay";
description = "RustDesk Remote Desktop Slice";
};
systemd.targets.rustdesk = {


@ -177,6 +177,18 @@ in
SCRUTINY_WEB_DATABASE_LOCATION = "/var/lib/scrutiny/scrutiny.db";
SCRUTINY_WEB_SRC_FRONTEND_PATH = "${cfg.package}/share/scrutiny";
};
postStart = ''
for i in $(seq 300); do
if "${lib.getExe pkgs.curl}" --fail --silent --head "http://${cfg.settings.web.listen.host}:${toString cfg.settings.web.listen.port}" >/dev/null; then
echo "Scrutiny is ready (port is open)"
exit 0
fi
echo "Waiting for Scrutiny to open port..."
sleep 0.2
done
echo "Timeout waiting for Scrutiny to open port" >&2
exit 1
'';
serviceConfig = {
DynamicUser = true;
ExecStart = "${getExe cfg.package} start --config ${settingsFormat.generate "scrutiny.yaml" cfg.settings}";
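Review bot: The readiness probe in `postStart` interpolates `cfg.settings.web.listen.host` straight into the URL, so an IPv6 listen address such as `::` yields `http://:::8080` and the probe times out after 60 s even though the service is up; wrap the host when it contains a colon, e.g. `host = if lib.hasInfix ":" cfg.settings.web.listen.host then "[${cfg.settings.web.listen.host}]" else cfg.settings.web.listen.host;` in the `let` and use `${host}` in the curl URL. A failing `postStart` also fails the unit, which is probably intended but worth a one-line comment above the loop (`# Block until the web listener answers so dependants can rely on it`). The `serviceConfig` block that follows continues outside the hunk.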


@ -179,7 +179,7 @@ in
systemd = {
slices.system-samba = {
description = "Samba slice";
description = "Samba (SMB Networking Protocol) Slice";
};
targets.samba = {
description = "Samba Server";


@ -45,7 +45,7 @@ let
default = [ "any" ];
};
extraConfig = lib.mkOption {
type = lib.types.str;
type = lib.types.lines;
description = "Extra zone config to be appended at the end of the zone section.";
default = "";
};


@ -0,0 +1,304 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
concatLists
filterAttrs
mapAttrs'
mapAttrsToList
mkEnableOption
mkIf
mkOption
mkOverride
mkPackageOption
nameValuePair
recursiveUpdate
types
;
fedimintdOpts =
{
config,
lib,
name,
...
}:
{
options = {
enable = mkEnableOption "fedimintd";
package = mkPackageOption pkgs "fedimint" { };
environment = mkOption {
type = types.attrsOf types.str;
description = "Extra Environment variables to pass to the fedimintd.";
default = {
RUST_BACKTRACE = "1";
};
example = {
RUST_LOG = "info,fm=debug";
RUST_BACKTRACE = "1";
};
};
p2p = {
openFirewall = mkOption {
type = types.bool;
default = true;
description = "Opens port in firewall for fedimintd's p2p port";
};
port = mkOption {
type = types.port;
default = 8173;
description = "Port to bind on for p2p connections from peers";
};
bind = mkOption {
type = types.str;
default = "0.0.0.0";
description = "Address to bind on for p2p connections from peers";
};
url = mkOption {
type = types.str;
example = "fedimint://p2p.myfedimint.com";
description = ''
Public address for p2p connections from peers
'';
};
};
api = {
openFirewall = mkOption {
type = types.bool;
default = false;
description = "Opens port in firewall for fedimintd's api port";
};
port = mkOption {
type = types.port;
default = 8174;
description = "Port to bind on for API connections relied by the reverse proxy/tls terminator.";
};
bind = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Address to bind on for API connections relied by the reverse proxy/tls terminator.";
};
url = mkOption {
type = types.str;
description = ''
Public URL of the API address of the reverse proxy/tls terminator. Usually starting with `wss://`.
'';
};
};
bitcoin = {
network = mkOption {
type = types.str;
default = "signet";
example = "bitcoin";
description = "Bitcoin network to participate in.";
};
rpc = {
url = mkOption {
type = types.str;
default = "http://127.0.0.1:38332";
example = "signet";
description = "Bitcoin node (bitcoind/electrum/esplora) address to connect to";
};
kind = mkOption {
type = types.str;
default = "bitcoind";
example = "electrum";
description = "Kind of a bitcoin node.";
};
secretFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
If set the URL specified in `bitcoin.rpc.url` will get the content of this file added
as an URL password, so `http://user@example.com` will turn into `http://user:SOMESECRET@example.com`.
Example:
`/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-public` (for nix-bitcoin default)
'';
};
};
};
consensus.finalityDelay = mkOption {
type = types.ints.unsigned;
default = 10;
description = "Consensus peg-in finality delay.";
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/fedimintd-${name}/";
readOnly = true;
description = ''
Path to the data dir fedimintd will use to store its data.
Note that due to using the DynamicUser feature of systemd, this value should not be changed
and is set to be read only.
'';
};
nginx = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to configure nginx for fedimintd
'';
};
fqdn = mkOption {
type = types.str;
example = "api.myfedimint.com";
description = "Public domain of the API address of the reverse proxy/tls terminator.";
};
config = mkOption {
type = types.submodule (
recursiveUpdate (import ../web-servers/nginx/vhost-options.nix {
inherit config lib;
}) { }
);
default = { };
description = "Overrides to the nginx vhost section for api";
};
};
};
};
in
{
options = {
services.fedimintd = mkOption {
type = types.attrsOf (types.submodule fedimintdOpts);
default = { };
description = "Specification of one or more fedimintd instances.";
};
};
config =
let
eachFedimintd = filterAttrs (fedimintdName: cfg: cfg.enable) config.services.fedimintd;
eachFedimintdNginx = filterAttrs (fedimintdName: cfg: cfg.nginx.enable) eachFedimintd;
in
mkIf (eachFedimintd != { }) {
networking.firewall.allowedTCPPorts = concatLists (
mapAttrsToList (
fedimintdName: cfg:
(lib.optional cfg.api.openFirewall cfg.api.port ++ lib.optional cfg.p2p.openFirewall cfg.p2p.port)
) eachFedimintd
);
systemd.services = mapAttrs' (
fedimintdName: cfg:
(nameValuePair "fedimintd-${fedimintdName}" (
let
startScript = pkgs.writeShellScript "fedimintd-start" (
(
if cfg.bitcoin.rpc.secretFile != null then
''
secret=$(${pkgs.coreutils}/bin/head -n 1 "${cfg.bitcoin.rpc.secretFile}")
prefix="''${FM_BITCOIN_RPC_URL%*@*}" # Everything before the last '@'
suffix="''${FM_BITCOIN_RPC_URL##*@}" # Everything after the last '@'
FM_BITCOIN_RPC_URL="''${prefix}:''${secret}@''${suffix}"
''
else
""
)
+ ''
exec ${cfg.package}/bin/fedimintd
''
);
in
{
description = "Fedimint Server";
documentation = [ "https://github.com/fedimint/fedimint/" ];
wantedBy = [ "multi-user.target" ];
environment = lib.mkMerge [
{
FM_BIND_P2P = "${cfg.p2p.bind}:${toString cfg.p2p.port}";
FM_BIND_API = "${cfg.api.bind}:${toString cfg.api.port}";
FM_P2P_URL = cfg.p2p.url;
FM_API_URL = cfg.api.url;
FM_DATA_DIR = cfg.dataDir;
FM_BITCOIN_NETWORK = cfg.bitcoin.network;
FM_BITCOIN_RPC_URL = cfg.bitcoin.rpc.url;
FM_BITCOIN_RPC_KIND = cfg.bitcoin.rpc.kind;
}
cfg.environment
];
serviceConfig = {
DynamicUser = true;
StateDirectory = "fedimintd-${fedimintdName}";
StateDirectoryMode = "0700";
ExecStart = startScript;
Restart = "always";
RestartSec = 10;
StartLimitBurst = 5;
UMask = "007";
LimitNOFILE = "100000";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "full";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
};
}
))
) eachFedimintd;
services.nginx.virtualHosts = mapAttrs' (
fedimintdName: cfg:
(nameValuePair cfg.nginx.fqdn (
lib.mkMerge [
cfg.nginx.config
{
# Note: we want by default to enable OpenSSL, but it seems anything 100 and above is
# overriden by default value from vhost-options.nix
enableACME = mkOverride 99 true;
forceSSL = mkOverride 99 true;
# Currently Fedimint API only support JsonRPC on `/ws/` endpoint, so no need to handle `/`
locations."/ws/" = {
proxyPass = "http://127.0.0.1:${toString cfg.api.port}/";
proxyWebsockets = true;
extraConfig = ''
proxy_pass_header Authorization;
'';
};
}
]
))
) eachFedimintdNginx;
};
meta.maintainers = with lib.maintainers; [ dpc ];
}
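Review bot: The secret-splicing code in `startScript` assumes `FM_BITCOIN_RPC_URL` contains an `@`, but the option default `http://127.0.0.1:38332` does not, so with `secretFile` set and the default URL both parameter expansions return the whole string and the service starts with `http://127.0.0.1:38332:SECRET@http://127.0.0.1:38332`; guard for the missing user name and fail loudly, as below, and note in the `secretFile` description that the secret is not URL-encoded, so characters like `@`, `:` or `/` in it will break the URL. Reading the file with `head` also only works if the dynamic user can read it, which rules out root-only secret files; `LoadCredential = "rpc-secret:${cfg.bitcoin.rpc.secretFile}"` with `$CREDENTIALS_DIRECTORY/rpc-secret` is the idiomatic way to hand a secret to a `DynamicUser` unit. `bitcoin.rpc.url` has `example = "signet"`, which is a network name rather than a URL; it should be something like `"http://bitcoin@127.0.0.1:38332"`. `p2p.openFirewall` defaults to `true`, which is unusual for nixpkgs modules and should at least be stated in the description so operators know an inbound port is opened by default.
```nix
if cfg.bitcoin.rpc.secretFile != null then
  ''
    secret=$(${pkgs.coreutils}/bin/head -n 1 "${cfg.bitcoin.rpc.secretFile}")
    # The URL must already carry a user name for the secret to be inserted as its password.
    case "$FM_BITCOIN_RPC_URL" in
      *@*) ;;
      *) echo "bitcoin.rpc.url must look like http://user@host:port when bitcoin.rpc.secretFile is set" >&2; exit 1 ;;
    esac
    prefix="''${FM_BITCOIN_RPC_URL%*@*}" # Everything before the last '@'
    # … unchanged: suffix extraction and FM_BITCOIN_RPC_URL assembly …
  ''
```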


@ -10,14 +10,14 @@ let
after = ["network.target"];
wants = ["network.target"];
preStart = ''
${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
${cfg.package}/bin/radiusd -C -d ${cfg.configDir} -l stdout
'';
serviceConfig = {
ExecStart = "${pkgs.freeradius}/bin/radiusd -f -d ${cfg.configDir} -l stdout" +
ExecStart = "${cfg.package}/bin/radiusd -f -d ${cfg.configDir} -l stdout" +
lib.optionalString cfg.debug " -xx";
ExecReload = [
"${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
"${cfg.package}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
"${pkgs.coreutils}/bin/kill -HUP $MAINPID"
];
User = "radius";
@ -32,6 +32,8 @@ let
freeradiusConfig = {
enable = lib.mkEnableOption "the freeradius server";
package = lib.mkPackageOption pkgs "freeradius" { };
configDir = lib.mkOption {
type = lib.types.path;
default = "/etc/raddb";
@ -72,7 +74,9 @@ in
/*uid = config.ids.uids.radius;*/
description = "Radius daemon user";
isSystemUser = true;
group = "radius";
};
groups.radius = {};
};
systemd.services.freeradius = freeradiusService cfg;


@ -129,8 +129,15 @@ in {
}
];
users.groups.gns3 = { };
users.groups.ubridge = lib.mkIf cfg.ubridge.enable { };
users.users.gns3 = {
group = "gns3";
isSystemUser = true;
};
security.wrappers.ubridge = lib.mkIf cfg.ubridge.enable {
capabilities = "cap_net_raw,cap_net_admin=eip";
group = "ubridge";
@ -150,7 +157,7 @@ in {
};
}
(lib.mkIf (cfg.ubridge.enable) {
Server.ubridge_path = lib.mkDefault (lib.getExe cfg.ubridge.package);
Server.ubridge_path = lib.mkDefault "/run/wrappers/bin/ubridge";
})
(lib.mkIf (cfg.auth.enable) {
Server = {
@ -206,7 +213,6 @@ in {
serviceConfig = {
ConfigurationDirectory = "gns3";
ConfigurationDirectoryMode = "0750";
DynamicUser = true;
Environment = "HOME=%S/gns3";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ExecStart = "${lib.getExe cfg.package} ${commandArgs}";
@ -227,14 +233,27 @@ in {
User = "gns3";
WorkingDirectory = "%S/gns3";
# Required for ubridge integration to work
#
# GNS3 needs to run SUID binaries (ubridge)
# but NoNewPrivileges breaks execution of SUID binaries
DynamicUser = false;
NoNewPrivileges = false;
RestrictSUIDSGID = false;
PrivateUsers = false;
# Hardening
DeviceAllow = lib.optional flags.enableLibvirtd "/dev/kvm";
DeviceAllow = [
# ubridge needs access to tun/tap devices
"/dev/net/tap rw"
"/dev/net/tun rw"
] ++ lib.optionals flags.enableLibvirtd [
"/dev/kvm"
];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateTmp = true;
PrivateUsers = true;
# Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat
# ProcSubset = "pid";
ProtectClock = true;
@ -255,8 +274,7 @@ in {
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0077";
UMask = "0022";
};
};
};
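Review bot: `UMask` is relaxed from `0077` to `0022` in the same hunk that carefully documents why `NoNewPrivileges`, `RestrictSUIDSGID` and `PrivateUsers` must be off for the SUID ubridge wrapper, yet nothing explains why files under `%S/gns3` (project data and, with `auth.enable`, the config holding credentials) now need to be world-readable; if ubridge does not require it, keep `UMask = "0077"`, otherwise add a comment next to it. The static `gns3` user is created with only `group = "gns3"`, while the wrapper is installed with `group = "ubridge"`; unless the wrapper's `permissions` (cut off at the hunk edge) make it world-executable, the user also needs `extraGroups = lib.optional cfg.ubridge.enable "ubridge";`. With `DynamicUser` gone, the remaining sandbox relies on the `ProtectSystem`/`ProtectHome` settings that sit outside this hunk, so it is worth confirming they are still present after the rewrite.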


@ -1,17 +1,17 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (lib) mkIf mkOption mkDefault mkEnableOption types optional optionals;
inherit (lib.types) nullOr bool listOf str attrsOf submodule;
cfg = config.services.i2pd;
homeDir = "/var/lib/i2pd";
strOpt = k: v: k + " = " + v;
boolOpt = k: v: k + " = " + boolToString v;
boolOpt = k: v: k + " = " + lib.boolToString v;
intOpt = k: v: k + " = " + toString v;
lstOpt = k: xs: k + " = " + concatStringsSep "," xs;
lstOpt = k: xs: k + " = " + lib.concatStringsSep "," xs;
optionalNullString = o: s: optional (s != null) (strOpt o s);
optionalNullBool = o: b: optional (b != null) (boolOpt o b);
optionalNullInt = o: i: optional (i != null) (intOpt o i);
@ -54,7 +54,7 @@ let
mkKeyedEndpointOpt = name: addr: port: keyloc:
(mkEndpointOpt name addr port) // {
keys = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = keyloc;
description = ''
File to persist ${lib.toUpper name} keys.
@ -162,8 +162,8 @@ let
(sec "meshnets")
(boolOpt "yggdrasil" cfg.yggdrasil.enable)
] ++ (optionalNullString "yggaddress" cfg.yggdrasil.address)
++ (flip map
(collect (proto: proto ? port && proto ? address) cfg.proto)
++ (lib.flip map
(lib.collect (proto: proto ? port && proto ? address) cfg.proto)
(proto: let protoOpts = [
(sec proto.name)
(boolOpt "enabled" proto.enable)
@ -178,10 +178,10 @@ let
++ (optionals (proto ? outproxy) (optionalNullString "outproxy" proto.outproxy))
++ (optionals (proto ? outproxyPort) (optionalNullInt "outproxyport" proto.outproxyPort))
++ (optionals (proto ? outproxyEnable) (optionalNullBool "outproxy.enabled" proto.outproxyEnable));
in (concatStringsSep "\n" protoOpts)
in (lib.concatStringsSep "\n" protoOpts)
));
in
pkgs.writeText "i2pd.conf" (concatStringsSep "\n" opts);
pkgs.writeText "i2pd.conf" (lib.concatStringsSep "\n" opts);
tunnelConf = let
mkOutTunnel = tun:
@ -200,7 +200,7 @@ let
++ (optionals (tun ? outbound.quantity) (optionalNullInt "outbound.quantity" tun.outbound.quantity))
++ (optionals (tun ? crypto.tagsToSend) (optionalNullInt "crypto.tagstosend" tun.crypto.tagsToSend));
in
concatStringsSep "\n" outTunOpts;
lib.concatStringsSep "\n" outTunOpts;
mkInTunnel = tun:
let
@ -214,16 +214,16 @@ let
++ (optionals (tun ? inPort) (optionalNullInt "inport" tun.inPort))
++ (optionals (tun ? accessList) (optionalEmptyList "accesslist" tun.accessList));
in
concatStringsSep "\n" inTunOpts;
lib.concatStringsSep "\n" inTunOpts;
allOutTunnels = collect (tun: tun ? port && tun ? destination) cfg.outTunnels;
allInTunnels = collect (tun: tun ? port && tun ? address) cfg.inTunnels;
allOutTunnels = lib.collect (tun: tun ? port && tun ? destination) cfg.outTunnels;
allInTunnels = lib.collect (tun: tun ? port && tun ? address) cfg.inTunnels;
opts = [ notice ] ++ (map mkOutTunnel allOutTunnels) ++ (map mkInTunnel allInTunnels);
in
pkgs.writeText "i2pd-tunnels.conf" (concatStringsSep "\n" opts);
pkgs.writeText "i2pd-tunnels.conf" (lib.concatStringsSep "\n" opts);
i2pdFlags = concatStringsSep " " (
i2pdFlags = lib.concatStringsSep " " (
optional (cfg.address != null) ("--host=" + cfg.address) ++ [
"--service"
("--conf=" + i2pdConf)
@ -235,7 +235,7 @@ in
{
imports = [
(mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ])
(lib.mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ])
];
###### interface
@ -252,7 +252,7 @@ in
'';
};
package = mkPackageOption pkgs "i2pd" { };
package = lib.mkPackageOption pkgs "i2pd" { };
logLevel = mkOption {
type = types.enum ["debug" "info" "warn" "error"];
@ -269,7 +269,7 @@ in
logCLFTime = mkEnableOption "full CLF-formatted date and time to log";
address = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
Your external IP or hostname.
@ -277,7 +277,7 @@ in
};
family = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
Specify a family the router belongs to.
@ -285,7 +285,7 @@ in
};
dataDir = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
Alternative path to storage of i2pd data (RI, keys, peer profiles, ...)
@ -301,7 +301,7 @@ in
};
ifname = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
Network interface to bind to.
@ -309,7 +309,7 @@ in
};
ifname4 = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
IPv4 interface to bind to.
@ -317,7 +317,7 @@ in
};
ifname6 = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
IPv6 interface to bind to.
@ -325,7 +325,7 @@ in
};
ntcpProxy = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
Proxy URL for NTCP transport.
@ -399,7 +399,7 @@ in
reseed.verify = mkEnableOption "SU3 signature verification";
reseed.file = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
Full path to SU3 file to reseed from.
@ -407,7 +407,7 @@ in
};
reseed.urls = mkOption {
type = with types; listOf str;
type = listOf str;
default = [];
description = ''
Reseed URLs.
@ -415,7 +415,7 @@ in
};
reseed.floodfill = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
Path to router info of floodfill to reseed from.
@ -423,7 +423,7 @@ in
};
reseed.zipfile = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
Path to local .zip file to reseed from.
@ -431,7 +431,7 @@ in
};
reseed.proxy = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
URL for reseed proxy, supports http/socks.
@ -446,7 +446,7 @@ in
'';
};
addressbook.subscriptions = mkOption {
type = with types; listOf str;
type = listOf str;
default = [
"http://inr.i2p/export/alive-hosts.txt"
"http://i2p-projekt.i2p/hosts.txt"
@ -460,7 +460,7 @@ in
trust.enable = mkEnableOption "explicit trust options";
trust.family = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
Router Family to trust for first hops.
@ -468,7 +468,7 @@ in
};
trust.routers = mkOption {
type = with types; listOf str;
type = listOf str;
default = [];
description = ''
Only connect to the listed routers.
@ -543,7 +543,7 @@ in
yggdrasil.enable = mkEnableOption "Yggdrasil";
yggdrasil.address = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
Your local yggdrasil address. Specify it if you want to bind your router to a
@ -572,7 +572,7 @@ in
};
strictHeaders = mkOption {
type = with types; nullOr bool;
type = nullOr bool;
default = null;
description = ''
Enable strict host checking on WebUI.
@ -580,7 +580,7 @@ in
};
hostname = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = ''
Expected hostname for WebUI.
@ -591,7 +591,7 @@ in
proto.httpProxy = (mkKeyedEndpointOpt "httpproxy" "127.0.0.1" 4444 "httpproxy-keys.dat")
// {
outproxy = mkOption {
type = with types; nullOr str;
type = nullOr str;
default = null;
description = "Upstream outproxy bind address.";
};
@ -618,7 +618,7 @@ in
outTunnels = mkOption {
default = {};
type = with types; attrsOf (submodule (
type = attrsOf (submodule (
{ name, ... }: {
options = {
destinationPort = mkOption {
@ -639,7 +639,7 @@ in
inTunnels = mkOption {
default = {};
type = with types; attrsOf (submodule (
type = attrsOf (submodule (
{ name, ... }: {
options = {
inPort = mkOption {
@ -648,7 +648,7 @@ in
description = "Service port. Default to the tunnel's listen port.";
};
accessList = mkOption {
type = with types; listOf str;
type = listOf str;
default = [];
description = "I2P nodes that are allowed to connect to this service.";
};

View file

@ -156,7 +156,7 @@ in
default = null;
example = "192.168.1.42";
description = ''
Local address when running behind NAT.
Local address to assume when running behind NAT.
'';
};
@ -165,7 +165,25 @@ in
default = null;
example = "1.2.3.4";
description = ''
Public address when running behind NAT.
Public address to assume when running behind NAT.
'';
};
harvesterAddresses = lib.mkOption {
type = listOf str;
default = [
"stunserver.stunprotocol.org:3478"
"stun.framasoft.org:3478"
"meet-jit-si-turnrelay.jitsi.net:443"
];
example = [];
description = ''
Addresses of public STUN services to use to automatically find
the public and local addresses of this Jitsi-Videobridge instance
without the need for manual configuration.
This option is ignored if {option}`services.jitsi-videobridge.nat.localAddress`
and {option}`services.jitsi-videobridge.nat.publicAddress` are set.
'';
};
};
@ -199,9 +217,12 @@ in
config = lib.mkIf cfg.enable {
users.groups.jitsi-meet = {};
services.jitsi-videobridge.extraProperties = lib.optionalAttrs (cfg.nat.localAddress != null) {
services.jitsi-videobridge.extraProperties =
if (cfg.nat.localAddress != null) then {
"org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS" = cfg.nat.localAddress;
"org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS" = cfg.nat.publicAddress;
} else {
"org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES" = lib.concatStringsSep "," cfg.nat.harvesterAddresses;
};
systemd.services.jitsi-videobridge2 = let
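Review bot: The `harvesterAddresses` description says the option is ignored when both `localAddress` and `publicAddress` are set, but the new `if` only tests `cfg.nat.localAddress != null`, so setting only `publicAddress` silently falls through to STUN and setting only `localAddress` emits `NAT_HARVESTER_PUBLIC_ADDRESS = null`; either change the description to "ignored if `localAddress` is set" or add an assertion that the two NAT addresses are set together. The default now makes every fresh install contact three third-party STUN servers at startup, which is an egress operators in restricted or privacy-sensitive networks will not expect; say so in the description and point out that `[]` disables it. The `systemd.services.jitsi-videobridge2` definition on the last line continues outside the hunk.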


@ -1,12 +1,10 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.monero;
listToConf = option: list:
concatMapStrings (value: "${option}=${value}\n") list;
lib.concatMapStrings (value: "${option}=${value}\n") list;
login = (cfg.rpc.user != null && cfg.rpc.password != null);
@ -14,17 +12,17 @@ let
log-file=/dev/stdout
data-dir=${dataDir}
${optionalString mining.enable ''
${lib.optionalString mining.enable ''
start-mining=${mining.address}
mining-threads=${toString mining.threads}
''}
rpc-bind-ip=${rpc.address}
rpc-bind-port=${toString rpc.port}
${optionalString login ''
${lib.optionalString login ''
rpc-login=${rpc.user}:${rpc.password}
''}
${optionalString rpc.restricted ''
${lib.optionalString rpc.restricted ''
restricted-rpc=1
''}
@ -50,34 +48,34 @@ in
services.monero = {
enable = mkEnableOption "Monero node daemon";
enable = lib.mkEnableOption "Monero node daemon";
dataDir = mkOption {
type = types.str;
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/monero";
description = ''
The directory where Monero stores its data files.
'';
};
mining.enable = mkOption {
type = types.bool;
mining.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to mine monero.
'';
};
mining.address = mkOption {
type = types.str;
mining.address = lib.mkOption {
type = lib.types.str;
default = "";
description = ''
Monero address where to send mining rewards.
'';
};
mining.threads = mkOption {
type = types.addCheck types.int (x: x>=0);
mining.threads = lib.mkOption {
type = lib.types.addCheck lib.types.int (x: x>=0);
default = 0;
description = ''
Number of threads used for mining.
@ -85,48 +83,48 @@ in
'';
};
rpc.user = mkOption {
type = types.nullOr types.str;
rpc.user = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
User name for RPC connections.
'';
};
rpc.password = mkOption {
type = types.nullOr types.str;
rpc.password = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
Password for RPC connections.
'';
};
rpc.address = mkOption {
type = types.str;
rpc.address = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = ''
IP address the RPC server will bind to.
'';
};
rpc.port = mkOption {
type = types.port;
rpc.port = lib.mkOption {
type = lib.types.port;
default = 18081;
description = ''
Port the RPC server will bind to.
'';
};
rpc.restricted = mkOption {
type = types.bool;
rpc.restricted = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to restrict RPC to view only commands.
'';
};
limits.upload = mkOption {
type = types.addCheck types.int (x: x>=-1);
limits.upload = lib.mkOption {
type = lib.types.addCheck lib.types.int (x: x>=-1);
default = -1;
description = ''
Limit of the upload rate in kB/s.
@ -134,8 +132,8 @@ in
'';
};
limits.download = mkOption {
type = types.addCheck types.int (x: x>=-1);
limits.download = lib.mkOption {
type = lib.types.addCheck lib.types.int (x: x>=-1);
default = -1;
description = ''
Limit of the download rate in kB/s.
@ -143,8 +141,8 @@ in
'';
};
limits.threads = mkOption {
type = types.addCheck types.int (x: x>=0);
limits.threads = lib.mkOption {
type = lib.types.addCheck lib.types.int (x: x>=0);
default = 0;
description = ''
Maximum number of threads used for a parallel job.
@ -152,8 +150,8 @@ in
'';
};
limits.syncSize = mkOption {
type = types.addCheck types.int (x: x>=0);
limits.syncSize = lib.mkOption {
type = lib.types.addCheck lib.types.int (x: x>=0);
default = 0;
description = ''
Maximum number of blocks to sync at once.
@ -161,16 +159,16 @@ in
'';
};
extraNodes = mkOption {
type = types.listOf types.str;
extraNodes = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
List of additional peer IP addresses to add to the local list.
'';
};
priorityNodes = mkOption {
type = types.listOf types.str;
priorityNodes = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
List of peer IP addresses to connect to and
@ -178,8 +176,8 @@ in
'';
};
exclusiveNodes = mkOption {
type = types.listOf types.str;
exclusiveNodes = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
List of peer IP addresses to connect to *only*.
@ -187,8 +185,8 @@ in
'';
};
extraConfig = mkOption {
type = types.lines;
extraConfig = lib.mkOption {
type = lib.types.lines;
default = "";
description = ''
Extra lines to be added verbatim to monerod configuration.
@ -202,7 +200,7 @@ in
###### implementation
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
users.users.monero = {
isSystemUser = true;
@ -228,7 +226,7 @@ in
};
};
assertions = singleton {
assertions = lib.singleton {
assertion = cfg.mining.enable -> cfg.mining.address != "";
message = ''
You need a Monero address to receive mining rewards:


@ -514,6 +514,12 @@ in
environment.etc = {
"NetworkManager/NetworkManager.conf".source = configFile;
# The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets;
# see https://github.com/NixOS/nixpkgs/issues/64965
"ipsec.secrets".text = ''
include ipsec.d/ipsec.nm-l2tp.secrets
'';
}
// builtins.listToAttrs (map
(pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" {
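Review bot: The `"ipsec.secrets"` entry is added unconditionally to this `environment.etc` set, so every host that enables NetworkManager now ships an `/etc/ipsec.secrets` containing the nm-l2tp include, whether or not the l2tp plugin is among the configured plugins, and a host that already defines `environment.etc."ipsec.secrets"` for its own strongSwan/libreswan setup will most likely hit a conflicting-definition error at evaluation time. Consider guarding the entry on the l2tp plugin actually being enabled, or at least wrapping the value in `lib.mkDefault` so an explicit IPsec definition elsewhere takes precedence instead of colliding. The comment should state that intent, e.g. `# Only required when the l2tp plugin is enabled; a host-specific ipsec.secrets definition should override this.` The enclosing `config` block starts outside the hunk, so whether this attribute set is already conditional cannot be seen here.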


@ -1,7 +1,13 @@
{ config, options, lib, pkgs, stdenv, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.pleroma;
in {
in
{
options = {
services.pleroma = with lib; {
enable = mkEnableOption "pleroma";
@ -73,7 +79,7 @@ in {
group = cfg.group;
isSystemUser = true;
};
groups."${cfg.group}" = {};
groups."${cfg.group}" = { };
};
environment.systemPackages = [ cfg.package ];
@ -90,43 +96,14 @@ in {
import_config "${cfg.secretConfigFile}"
'';
systemd.services.pleroma = {
description = "Pleroma social network";
wants = [ "network-online.target" ];
after = [ "network-online.target" "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
serviceConfig = {
systemd.services =
let
commonSystemdServiceConfig = {
User = cfg.user;
Group = cfg.group;
Type = "exec";
WorkingDirectory = "~";
StateDirectory = "pleroma pleroma/static pleroma/uploads";
StateDirectoryMode = "700";
# Checking the conf file is there then running the database
# migration before each service start, just in case there are
# some pending ones.
#
# It's sub-optimal as we'll always run this, even if pleroma
# has not been updated. But the no-op process is pretty fast.
# Better be safe than sorry migration-wise.
ExecStartPre =
let preScript = pkgs.writers.writeBashBin "pleromaStartPre" ''
if [ ! -f /var/lib/pleroma/.cookie ]
then
echo "Creating cookie file"
dd if=/dev/urandom bs=1 count=16 | hexdump -e '16/1 "%02x"' > /var/lib/pleroma/.cookie
fi
${cfg.package}/bin/pleroma_ctl migrate
'';
in "${preScript}/bin/pleromaStartPre";
ExecStart = "${cfg.package}/bin/pleroma start";
ExecStop = "${cfg.package}/bin/pleroma stop";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
# Systemd sandboxing directives.
# Taken from the upstream contrib systemd service at
# pleroma/installation/pleroma.service
@ -137,10 +114,61 @@ in {
NoNewPrivileges = true;
CapabilityBoundingSet = "~CAP_SYS_ADMIN";
};
in
{
pleroma-migrations = {
description = "Pleroma social network migrations";
wants = [ "network-online.target" ];
after = [
"network-online.target"
"postgresql.service"
];
wantedBy = [ "pleroma.service" ];
environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
serviceConfig = commonSystemdServiceConfig // {
Type = "oneshot";
# Checking the conf file is there then running the database
# migration before each service start, just in case there are
# some pending ones.
#
# It's sub-optimal as we'll always run this, even if pleroma
# has not been updated. But the no-op process is pretty fast.
# Better be safe than sorry migration-wise.
ExecStart =
let
preScript = pkgs.writers.writeBashBin "pleroma-migrations" ''
if [ ! -f /var/lib/pleroma/.cookie ]
then
echo "Creating cookie file"
dd if=/dev/urandom bs=1 count=16 | hexdump -e '16/1 "%02x"' > /var/lib/pleroma/.cookie
fi
${cfg.package}/bin/pleroma_ctl migrate
'';
in
"${preScript}/bin/pleroma-migrations";
};
# disksup requires bash
path = [ pkgs.bash ];
};
pleroma = {
description = "Pleroma social network";
wants = [ "pleroma-migrations.service" ];
after = [ "pleroma-migrations.service" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
serviceConfig = commonSystemdServiceConfig // {
Type = "exec";
ExecStart = "${cfg.package}/bin/pleroma start";
ExecStop = "${cfg.package}/bin/pleroma stop";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
};
# disksup requires bash
path = [ pkgs.bash ];
};
};
};
meta.maintainers = with lib.maintainers; [ picnoir ];
meta.doc = ./pleroma.md;
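Review bot: `wants = [ "pleroma-migrations.service" ]` on the new `pleroma` unit is a weaker guarantee than the `ExecStartPre` it replaces: a Wants= dependency does not prevent `pleroma.service` from starting when `pleroma-migrations.service` fails, so if `pleroma_ctl migrate` or the cookie creation errors out the application now comes up against an unmigrated schema, whereas a failing pre-start previously aborted the service. Declaring `requires = [ "pleroma-migrations.service" ];` next to the existing `after` restores that behaviour, since systemd will not start a unit whose Requires=/After= dependency failed. With that edge in place the `wantedBy = [ "pleroma.service" ]` on the migrations unit duplicates the reverse relation and can be dropped. The comment above the migrations `ExecStart` still claims it checks that the conf file is present, but the script only creates the cookie and runs the migration, so that sentence should go.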


@ -201,11 +201,11 @@ in {
--syncmode ${cfg.syncmode} \
${optionalString (cfg.permissioned)
"--permissioned"} \
--mine --minerthreads 1 \
--mine --miner.threads 1 \
${optionalString (cfg.rpc.enable)
"--rpc --rpcaddr ${cfg.rpc.address} --rpcport ${toString cfg.rpc.port} --rpcapi ${cfg.rpc.api}"} \
${optionalString (cfg.ws.enable)
"--ws --wsaddr ${cfg.ws.address} --wsport ${toString cfg.ws.port} --wsapi ${cfg.ws.api} --wsorigins ${cfg.ws.origins}"} \
"--ws --ws.addr ${cfg.ws.address} --ws.port ${toString cfg.ws.port} --ws.api ${cfg.ws.api} --ws.origins ${cfg.ws.origins}"} \
--emitcheckpoints \
--datadir ${dataDir} \
--port ${toString cfg.port}'';
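Review bot: The HTTP RPC line in the middle of this hunk still uses the legacy `--rpc --rpcaddr ... --rpcport ... --rpcapi` spelling while the miner and websocket flags around it were moved to their dotted replacements. In go-ethereum those HTTP flags were renamed in the same series as `--miner.threads` and `--ws.addr` (to `--http`, `--http.addr`, `--http.port`, `--http.api`), so if the packaged binary is recent enough to reject `--minerthreads` it may reject `--rpc` as well, which would leave the service failing to start exactly when `cfg.rpc.enable` is set; worth confirming against the packaged version before merging. If the rename applies, the line becomes `"--http --http.addr ${cfg.rpc.address} --http.port ${toString cfg.rpc.port} --http.api ${cfg.rpc.api}"} \`. The enclosing `script`/`ExecStart` string starts outside the hunk.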
