Project import generated by Copybara.
GitOrigin-RevId: b72b8b94cf0c012b0252a9100a636cad69696666
This commit is contained in:
parent
980a2be55c
commit
7d542a9f98
898 changed files with 20409 additions and 30829 deletions
|
@ -22,7 +22,7 @@ For new packages please briefly describe the package or provide a link to its ho
|
||||||
- made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
|
- made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
|
||||||
- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
|
- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
|
||||||
- [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
|
- [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
|
||||||
- [22.11 Release Notes (or backporting 22.05 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2211-release-notes)
|
- [23.05 Release Notes (or backporting 22.11 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2305-release-notes)
|
||||||
- [ ] (Package updates) Added a release notes entry if the change is major or breaking
|
- [ ] (Package updates) Added a release notes entry if the change is major or breaking
|
||||||
- [ ] (Module updates) Added a release notes entry if the change is significant
|
- [ ] (Module updates) Added a release notes entry if the change is significant
|
||||||
- [ ] (Module addition) Added a release notes entry if adding a new NixOS module
|
- [ ] (Module addition) Added a release notes entry if adding a new NixOS module
|
||||||
|
|
|
@ -26,7 +26,7 @@ jobs:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
ref: ${{ github.event.pull_request.head.sha }}
|
ref: ${{ github.event.pull_request.head.sha }}
|
||||||
- name: Create backport PRs
|
- name: Create backport PRs
|
||||||
uses: zeebe-io/backport-action@v0.0.8
|
uses: zeebe-io/backport-action@v0.0.9
|
||||||
with:
|
with:
|
||||||
# Config README: https://github.com/zeebe-io/backport-action#backport-action
|
# Config README: https://github.com/zeebe-io/backport-action#backport-action
|
||||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
github_token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
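Review bot: `uses: zeebe-io/backport-action@v0.0.9` pins a third-party action to a mutable tag while the same step receives `secrets.GITHUB_TOKEN`; a tag can be moved to different code after this bump is reviewed. Prefer pinning to the full commit SHA of the v0.0.9 release (keeping the tag in a trailing comment for readability) so the code that runs with the token is fixed and the upgrade is reproducible.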
16
third_party/nixpkgs/CONTRIBUTING.md
vendored
|
@ -98,17 +98,17 @@ git push origin feature --force-with-lease
|
||||||
|
|
||||||
Follow these steps to backport a change into a release branch in compliance with the [commit policy](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches).
|
Follow these steps to backport a change into a release branch in compliance with the [commit policy](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches).
|
||||||
|
|
||||||
You can add a label such as `backport release-22.05` to a PR, so that merging it will
|
You can add a label such as `backport release-22.11` to a PR, so that merging it will
|
||||||
automatically create a backport (via [a GitHub Action](.github/workflows/backport.yml)).
|
automatically create a backport (via [a GitHub Action](.github/workflows/backport.yml)).
|
||||||
This also works for PR's that have already been merged, and might take a couple of minutes to trigger.
|
This also works for PR's that have already been merged, and might take a couple of minutes to trigger.
|
||||||
|
|
||||||
You can also create the backport manually:
|
You can also create the backport manually:
|
||||||
|
|
||||||
1. Take note of the commits in which the change was introduced into `master` branch.
|
1. Take note of the commits in which the change was introduced into `master` branch.
|
||||||
2. Check out the target _release branch_, e.g. `release-22.05`. Do not use a _channel branch_ like `nixos-22.05` or `nixpkgs-22.05-darwin`.
|
2. Check out the target _release branch_, e.g. `release-22.11`. Do not use a _channel branch_ like `nixos-22.11` or `nixpkgs-22.11-darwin`.
|
||||||
3. Create a branch for your change, e.g. `git checkout -b backport`.
|
3. Create a branch for your change, e.g. `git checkout -b backport`.
|
||||||
4. When the reason to backport is not obvious from the original commit message, use `git cherry-pick -xe <original commit>` and add a reason. Otherwise use `git cherry-pick -x <original commit>`. That's fine for minor version updates that only include security and bug fixes, commits that fixes an otherwise broken package or similar. Please also ensure the commits exists on the master branch; in the case of squashed or rebased merges, the commit hash will change and the new commits can be found in the merge message at the bottom of the master pull request.
|
4. When the reason to backport is not obvious from the original commit message, use `git cherry-pick -xe <original commit>` and add a reason. Otherwise use `git cherry-pick -x <original commit>`. That's fine for minor version updates that only include security and bug fixes, commits that fixes an otherwise broken package or similar. Please also ensure the commits exists on the master branch; in the case of squashed or rebased merges, the commit hash will change and the new commits can be found in the merge message at the bottom of the master pull request.
|
||||||
5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-22.05`) as the target branch of the pull request, and link to the pull request in which the original change was comitted to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[22.05]`.
|
5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-22.11`) as the target branch of the pull request, and link to the pull request in which the original change was comitted to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[22.11]`.
|
||||||
6. When the backport pull request is merged and you have the necessary privileges you can also replace the label `9.needs: port to stable` with `8.has: port to stable` on the original pull request. This way maintainers can keep track of missing backports easier.
|
6. When the backport pull request is merged and you have the necessary privileges you can also replace the label `9.needs: port to stable` with `8.has: port to stable` on the original pull request. This way maintainers can keep track of missing backports easier.
|
||||||
|
|
||||||
## Criteria for Backporting changes
|
## Criteria for Backporting changes
|
||||||
|
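Review bot: steps 4 and 5 carry pre-existing typos that could have been fixed while these lines were being touched: "commits that fixes an otherwise broken package" should read "commits that fix", "ensure the commits exists on the master branch" should read "exist", and "comitted" in step 5 should be "committed". The label example `backport release-22.11` is consistent with the release-branch example `release-22.11` in step 2.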
@ -120,15 +120,15 @@ Anything that does not cause user or downstream dependency regressions can be ba
|
||||||
- Services which require a client to be up-to-date regardless. (E.g. `spotify`, `steam`, or `discord`)
|
- Services which require a client to be up-to-date regardless. (E.g. `spotify`, `steam`, or `discord`)
|
||||||
- Security critical applications (E.g. `firefox`)
|
- Security critical applications (E.g. `firefox`)
|
||||||
|
|
||||||
## Generating 22.11 Release Notes
|
## Generating 23.05 Release Notes
|
||||||
|
|
||||||
Documentation in nixpkgs is transitioning to a markdown-centric workflow. Release notes now require a translation step to convert from markdown to a compatible docbook document.
|
Documentation in nixpkgs is transitioning to a markdown-centric workflow. Release notes now require a translation step to convert from markdown to a compatible docbook document.
|
||||||
|
|
||||||
Steps for updating 22.11 Release notes:
|
Steps for updating 23.05 Release notes:
|
||||||
|
|
||||||
1. Edit `nixos/doc/manual/release-notes/rl-2211.section.md` with the desired changes
|
1. Edit `nixos/doc/manual/release-notes/rl-2305.section.md` with the desired changes
|
||||||
2. Run `./nixos/doc/manual/md-to-db.sh` to render `nixos/doc/manual/from_md/release-notes/rl-2211.section.xml`
|
2. Run `./nixos/doc/manual/md-to-db.sh` to render `nixos/doc/manual/from_md/release-notes/rl-2305.section.xml`
|
||||||
3. Include changes to `rl-2211.section.md` and `rl-2211.section.xml` in the same commit.
|
3. Include changes to `rl-2305.section.md` and `rl-2305.section.xml` in the same commit.
|
||||||
|
|
||||||
## Reviewing contributions
|
## Reviewing contributions
|
||||||
|
|
||||||
|
|
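Review bot: steps 1 to 3 now point at `rl-2305.section.md` and `rl-2305.section.xml`; both files have to exist on this branch for the instructions to be followable. The 23.05 release-notes XML is edited elsewhere in this change, so check that the markdown counterpart is committed alongside it, as step 3 itself requires.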
4
third_party/nixpkgs/README.md
vendored
|
@ -51,9 +51,9 @@ Nixpkgs and NixOS are built and tested by our continuous integration
|
||||||
system, [Hydra](https://hydra.nixos.org/).
|
system, [Hydra](https://hydra.nixos.org/).
|
||||||
|
|
||||||
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
|
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
|
||||||
* [Continuous package builds for the NixOS 22.05 release](https://hydra.nixos.org/jobset/nixos/release-22.05)
|
* [Continuous package builds for the NixOS 22.11 release](https://hydra.nixos.org/jobset/nixos/release-22.11)
|
||||||
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
|
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
|
||||||
* [Tests for the NixOS 22.05 release](https://hydra.nixos.org/job/nixos/release-22.05/tested#tabs-constituents)
|
* [Tests for the NixOS 22.11 release](https://hydra.nixos.org/job/nixos/release-22.11/tested#tabs-constituents)
|
||||||
|
|
||||||
Artifacts successfully built with Hydra are published to cache at
|
Artifacts successfully built with Hydra are published to cache at
|
||||||
https://cache.nixos.org/. When successful build and test criteria are
|
https://cache.nixos.org/. When successful build and test criteria are
|
||||||
|
|
|
@ -310,16 +310,16 @@ For this to work fully, you must also have this script sourced when you are logg
|
||||||
|
|
||||||
```ShellSession
|
```ShellSession
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
if [ -d $HOME/.nix-profile/etc/profile.d ]; then
|
if [ -d "${HOME}/.nix-profile/etc/profile.d" ]; then
|
||||||
for i in $HOME/.nix-profile/etc/profile.d/*.sh; do
|
for i in "${HOME}/.nix-profile/etc/profile.d/"*.sh; do
|
||||||
if [ -r $i ]; then
|
if [ -r "$i" ]; then
|
||||||
. $i
|
. "$i"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
```
|
```
|
||||||
|
|
||||||
Now just run `source $HOME/.profile` and you can starting loading man pages from your environment.
|
Now just run `. "${HOME}/.profile"` and you can start loading man pages from your environment.
|
||||||
|
|
||||||
### GNU info setup {#sec-gnu-info-setup}
|
### GNU info setup {#sec-gnu-info-setup}
|
||||||
|
|
||||||
|
|
|
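Review bot: the quoting fix is correct and complete: `"${HOME}/.nix-profile/etc/profile.d/"*.sh` keeps the glob outside the quotes so it still expands, and the existing `[ -r "$i" ]` test already covers the unmatched-glob case where `$i` is left as the literal pattern, so no `nullglob` is needed. Changing the prose from `source $HOME/.profile` to `. "${HOME}/.profile"` also matches the snippet's `#!/bin/sh` shebang, since `source` is not POSIX.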
@ -1071,6 +1071,12 @@
|
||||||
githubId = 56009;
|
githubId = 56009;
|
||||||
name = "Arcadio Rubio García";
|
name = "Arcadio Rubio García";
|
||||||
};
|
};
|
||||||
|
archer-65 = {
|
||||||
|
email = "mario.liguori.056@gmail.com";
|
||||||
|
github = "archer-65";
|
||||||
|
githubId = 76066109;
|
||||||
|
name = "Mario Liguori";
|
||||||
|
};
|
||||||
archseer = {
|
archseer = {
|
||||||
email = "blaz@mxxn.io";
|
email = "blaz@mxxn.io";
|
||||||
github = "archseer";
|
github = "archseer";
|
||||||
|
@ -3294,6 +3300,15 @@
|
||||||
fingerprint = "4E35 F2E5 2132 D654 E815 A672 DB2C BC24 2868 6000";
|
fingerprint = "4E35 F2E5 2132 D654 E815 A672 DB2C BC24 2868 6000";
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
deejayem = {
|
||||||
|
email = "nixpkgs.bu5hq@simplelogin.com";
|
||||||
|
github = "deejayem";
|
||||||
|
githubId = 2564003;
|
||||||
|
name = "David Morgan";
|
||||||
|
keys = [{
|
||||||
|
fingerprint = "9B43 6B14 77A8 79C2 6CDB 6604 C171 2510 02C2 00F2";
|
||||||
|
}];
|
||||||
|
};
|
||||||
deepfire = {
|
deepfire = {
|
||||||
email = "_deepfire@feelingofgreen.ru";
|
email = "_deepfire@feelingofgreen.ru";
|
||||||
github = "deepfire";
|
github = "deepfire";
|
||||||
|
@ -5896,6 +5911,13 @@
|
||||||
githubId = 40234257;
|
githubId = 40234257;
|
||||||
name = "ilkecan bozdogan";
|
name = "ilkecan bozdogan";
|
||||||
};
|
};
|
||||||
|
imincik = {
|
||||||
|
email = "ivan.mincik@gmail.com";
|
||||||
|
matrix = "@imincik:matrix.org";
|
||||||
|
github = "imincik";
|
||||||
|
githubId = 476346;
|
||||||
|
name = "Ivan Mincik";
|
||||||
|
};
|
||||||
not-my-segfault = {
|
not-my-segfault = {
|
||||||
email = "michal@tar.black";
|
email = "michal@tar.black";
|
||||||
matrix = "@michal:tar.black";
|
matrix = "@michal:tar.black";
|
||||||
|
@ -8771,6 +8793,12 @@
|
||||||
githubId = 4141584;
|
githubId = 4141584;
|
||||||
name = "Maxime Daniel";
|
name = "Maxime Daniel";
|
||||||
};
|
};
|
||||||
|
maxwell-lt = {
|
||||||
|
email = "maxwell.lt@live.com";
|
||||||
|
github = "maxwell-lt";
|
||||||
|
githubId = 17859747;
|
||||||
|
name = "Maxwell L-T";
|
||||||
|
};
|
||||||
maxxk = {
|
maxxk = {
|
||||||
email = "maxim.krivchikov@gmail.com";
|
email = "maxim.krivchikov@gmail.com";
|
||||||
github = "maxxk";
|
github = "maxxk";
|
||||||
|
@ -9647,6 +9675,12 @@
|
||||||
githubId = 43796009;
|
githubId = 43796009;
|
||||||
name = "Max Wilson";
|
name = "Max Wilson";
|
||||||
};
|
};
|
||||||
|
myaats = {
|
||||||
|
email = "mats@mats.sh";
|
||||||
|
github = "Myaats";
|
||||||
|
githubId = 6295090;
|
||||||
|
name = "Mats";
|
||||||
|
};
|
||||||
myrl = {
|
myrl = {
|
||||||
email = "myrl.0xf@gmail.com";
|
email = "myrl.0xf@gmail.com";
|
||||||
github = "Myrl";
|
github = "Myrl";
|
||||||
|
@ -9665,6 +9699,15 @@
|
||||||
githubId = 6783654;
|
githubId = 6783654;
|
||||||
name = "Nadrieril Feneanar";
|
name = "Nadrieril Feneanar";
|
||||||
};
|
};
|
||||||
|
nagy = {
|
||||||
|
email = "danielnagy@posteo.de";
|
||||||
|
github = "nagy";
|
||||||
|
githubId = 692274;
|
||||||
|
name = "Daniel Nagy";
|
||||||
|
keys = [{
|
||||||
|
fingerprint = "F6AE 2C60 9196 A1BC ECD8 7108 1B8E 8DCB 576F B671";
|
||||||
|
}];
|
||||||
|
};
|
||||||
nalbyuites = {
|
nalbyuites = {
|
||||||
email = "ashijit007@gmail.com";
|
email = "ashijit007@gmail.com";
|
||||||
github = "nalbyuites";
|
github = "nalbyuites";
|
||||||
|
@ -12701,6 +12744,13 @@
|
||||||
githubId = 4294323;
|
githubId = 4294323;
|
||||||
name = "Langston Barrett";
|
name = "Langston Barrett";
|
||||||
};
|
};
|
||||||
|
sielicki = {
|
||||||
|
name = "Nicholas Sielicki";
|
||||||
|
email = "nix@opensource.nslick.com";
|
||||||
|
github = "sielicki";
|
||||||
|
githubId = 4522995;
|
||||||
|
matrix = "@sielicki:matrix.org";
|
||||||
|
};
|
||||||
siers = {
|
siers = {
|
||||||
email = "veinbahs+nixpkgs@gmail.com";
|
email = "veinbahs+nixpkgs@gmail.com";
|
||||||
github = "siers";
|
github = "siers";
|
||||||
|
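Review bot: style: the new `sielicki` entry lists `name` first and `matrix` last, whereas the neighbouring entries use the `email`, `github`, `githubId`, `name` order; this does not affect evaluation but is worth aligning with the rest of the file.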
@ -14216,6 +14266,13 @@
|
||||||
github = "twitchyliquid64";
|
github = "twitchyliquid64";
|
||||||
githubId = 6328589;
|
githubId = 6328589;
|
||||||
};
|
};
|
||||||
|
tylerjl = {
|
||||||
|
email = "tyler+nixpkgs@langlois.to";
|
||||||
|
github = "tylerjl";
|
||||||
|
githubId = 1733846;
|
||||||
|
matrix = "@ty:tjll.net";
|
||||||
|
name = "Tyler Langlois";
|
||||||
|
};
|
||||||
typetetris = {
|
typetetris = {
|
||||||
email = "ericwolf42@mail.com";
|
email = "ericwolf42@mail.com";
|
||||||
github = "typetetris";
|
github = "typetetris";
|
||||||
|
@ -15745,7 +15802,7 @@
|
||||||
};
|
};
|
||||||
portothree = {
|
portothree = {
|
||||||
name = "Gustavo Porto";
|
name = "Gustavo Porto";
|
||||||
email = "gustavoporto@ya.ru";
|
email = "gus@p8s.co";
|
||||||
github = "portothree";
|
github = "portothree";
|
||||||
githubId = 3718120;
|
githubId = 3718120;
|
||||||
};
|
};
|
||||||
|
|
|
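Review bot: this hunk changes the contact address of an existing maintainer, `portothree`, from `gustavoporto@ya.ru` to `gus@p8s.co` with no other fields touched. Because the maintainer e-mail is the contact path for, among other things, reports about that maintainer's packages, confirm the upstream pull request that introduced the edit came from the `portothree` GitHub account itself rather than from a third party before accepting it in this import.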
@ -1,4 +1,4 @@
|
||||||
#!/bin/sh
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
# Download patches from debian project
|
# Download patches from debian project
|
||||||
# Usage $0 debian-patches.txt debian-patches.nix
|
# Usage $0 debian-patches.txt debian-patches.nix
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#! /bin/sh
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
if [[ -z "$VERBOSE" ]]; then
|
if [[ -z "$VERBOSE" ]]; then
|
||||||
echo "You may set VERBOSE=1 to see debug output or to any other non-empty string to make this script completely silent"
|
echo "You may set VERBOSE=1 to see debug output or to any other non-empty string to make this script completely silent"
|
||||||
|
|
|
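Review bot: correct fix: the script uses `[[ -z "$VERBOSE" ]]`, a bash-only test construct, so under a POSIX `/bin/sh` such as dash it would fail at runtime; `#!/usr/bin/env bash` makes the interpreter match the syntax. The two other scripts in this change that receive the same shebang swap show only POSIX constructs in their visible context, so it is worth checking they actually need bash before widening their interpreter requirement.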
@ -1,4 +1,4 @@
|
||||||
#!/bin/sh
|
#!/usr/bin/env bash
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
: ${NIXOS_CHANNELS:=https://nixos.org/channels/}
|
: ${NIXOS_CHANNELS:=https://nixos.org/channels/}
|
||||||
|
|
|
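Review bot: small quoting point on the unchanged context line: `: ${NIXOS_CHANNELS:=https://nixos.org/channels/}` leaves the expansion unquoted, so it is subject to word splitting and pathname expansion; the usual idiom is `: "${NIXOS_CHANNELS:=https://nixos.org/channels/}"`. Harmless with the default value, but worth fixing while the file is being edited.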
@ -265,6 +265,15 @@ with lib.maintainers; {
|
||||||
shortName = "GCC";
|
shortName = "GCC";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
geospatial = {
|
||||||
|
members = [
|
||||||
|
imincik
|
||||||
|
sikmir
|
||||||
|
];
|
||||||
|
scope = "Maintain geospatial packages.";
|
||||||
|
shortName = "Geospatial";
|
||||||
|
};
|
||||||
|
|
||||||
golang = {
|
golang = {
|
||||||
members = [
|
members = [
|
||||||
c00w
|
c00w
|
||||||
|
|
|
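Review bot: the new `geospatial` team references `imincik` and `sikmir` through `with lib.maintainers;`. `imincik` is introduced in `maintainer-list.nix` in this same change, so that reference resolves; `sikmir` is not visible in this diff and must already exist in the maintainer list, otherwise evaluating the team list fails with an undefined variable.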
@ -12,7 +12,7 @@
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
<emphasis>Stable channels</emphasis>, such as
|
<emphasis>Stable channels</emphasis>, such as
|
||||||
<link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.05</literal></link>.
|
<link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.11</literal></link>.
|
||||||
These only get conservative bug fixes and package upgrades. For
|
These only get conservative bug fixes and package upgrades. For
|
||||||
instance, a channel update may cause the Linux kernel on your
|
instance, a channel update may cause the Linux kernel on your
|
||||||
system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix),
|
system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix),
|
||||||
|
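Review bot: the link text changes to `nixos-22.11` but `xlink:href` still points at `https://nixos.org/channels/nixos-22.05`, so the rendered link text and its target now disagree. This XML is generated from the markdown source by `md-to-db.sh`, and the markdown in this same change has the identical mismatch, so fix the href there and regenerate rather than hand-editing here.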
@ -33,7 +33,7 @@
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
<emphasis>Small channels</emphasis>, such as
|
<emphasis>Small channels</emphasis>, such as
|
||||||
<link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.05-small</literal></link>
|
<link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.11-small</literal></link>
|
||||||
or
|
or
|
||||||
<link xlink:href="https://nixos.org/channels/nixos-unstable-small"><literal>nixos-unstable-small</literal></link>.
|
<link xlink:href="https://nixos.org/channels/nixos-unstable-small"><literal>nixos-unstable-small</literal></link>.
|
||||||
These are identical to the stable and unstable channels
|
These are identical to the stable and unstable channels
|
||||||
|
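Review bot: same text/target mismatch as the stable-channel entry above: the literal becomes `nixos-22.11-small` while `xlink:href` remains `https://nixos.org/channels/nixos-22.05-small`. Correct the markdown source and regenerate so both the `.md` and this `.xml` point at `nixos-22.11-small`.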
@ -60,8 +60,8 @@
|
||||||
<para>
|
<para>
|
||||||
When you first install NixOS, you’re automatically subscribed to the
|
When you first install NixOS, you’re automatically subscribed to the
|
||||||
NixOS channel that corresponds to your installation source. For
|
NixOS channel that corresponds to your installation source. For
|
||||||
instance, if you installed from a 22.05 ISO, you will be subscribed
|
instance, if you installed from a 22.11 ISO, you will be subscribed
|
||||||
to the <literal>nixos-22.05</literal> channel. To see which NixOS
|
to the <literal>nixos-22.11</literal> channel. To see which NixOS
|
||||||
channel you’re subscribed to, run the following as root:
|
channel you’re subscribed to, run the following as root:
|
||||||
</para>
|
</para>
|
||||||
<programlisting>
|
<programlisting>
|
||||||
|
@ -76,17 +76,17 @@ nixos https://nixos.org/channels/nixos-unstable
|
||||||
</programlisting>
|
</programlisting>
|
||||||
<para>
|
<para>
|
||||||
(Be sure to include the <literal>nixos</literal> parameter at the
|
(Be sure to include the <literal>nixos</literal> parameter at the
|
||||||
end.) For instance, to use the NixOS 22.05 stable channel:
|
end.) For instance, to use the NixOS 22.11 stable channel:
|
||||||
</para>
|
</para>
|
||||||
<programlisting>
|
<programlisting>
|
||||||
# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos
|
# nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
|
||||||
</programlisting>
|
</programlisting>
|
||||||
<para>
|
<para>
|
||||||
If you have a server, you may want to use the <quote>small</quote>
|
If you have a server, you may want to use the <quote>small</quote>
|
||||||
channel instead:
|
channel instead:
|
||||||
</para>
|
</para>
|
||||||
<programlisting>
|
<programlisting>
|
||||||
# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos
|
# nix-channel --add https://nixos.org/channels/nixos-22.11-small nixos
|
||||||
</programlisting>
|
</programlisting>
|
||||||
<para>
|
<para>
|
||||||
And if you want to live on the bleeding edge:
|
And if you want to live on the bleeding edge:
|
||||||
|
@ -146,7 +146,7 @@ system.autoUpgrade.allowReboot = true;
|
||||||
also specify a channel explicitly, e.g.
|
also specify a channel explicitly, e.g.
|
||||||
</para>
|
</para>
|
||||||
<programlisting language="bash">
|
<programlisting language="bash">
|
||||||
system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05;
|
system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11;
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</section>
|
</section>
|
||||||
</chapter>
|
</chapter>
|
||||||
|
|
File diff suppressed because it is too large
|
@ -13,7 +13,9 @@
|
||||||
<itemizedlist spacing="compact">
|
<itemizedlist spacing="compact">
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Create the first release note entry in this section!
|
Cinnamon has been updated to 5.6, see
|
||||||
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204">the
|
||||||
|
pull request</link> for what is changed.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
@ -56,6 +58,16 @@
|
||||||
<literal>fetch-ec2-metadata.service</literal>
|
<literal>fetch-ec2-metadata.service</literal>
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
<literal>services.sourcehut.dispatch</literal> and the
|
||||||
|
corresponding package
|
||||||
|
(<literal>sourcehut.dispatchsrht</literal>) have been removed
|
||||||
|
due to
|
||||||
|
<link xlink:href="https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/">upstream
|
||||||
|
deprecation</link>.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The EC2 image module previously detected and automatically
|
The EC2 image module previously detected and automatically
|
||||||
|
@ -76,14 +88,37 @@
|
||||||
relying on this should provide their own implementation.
|
relying on this should provide their own implementation.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The <literal>nix.readOnlyStore</literal> option has been
|
||||||
|
renamed to <literal>boot.readOnlyNixStore</literal> to clarify
|
||||||
|
that it configures the NixOS boot process, not the Nix daemon.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="sec-release-23.05-notable-changes">
|
<section xml:id="sec-release-23.05-notable-changes">
|
||||||
<title>Other Notable Changes</title>
|
<title>Other Notable Changes</title>
|
||||||
<itemizedlist spacing="compact">
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Create the first release note entry in this section!
|
The module for the application firewall
|
||||||
|
<literal>opensnitch</literal> got the ability to configure
|
||||||
|
rules. Available as
|
||||||
|
<link linkend="opt-services.opensnitch.rules">services.opensnitch.rules</link>
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
A new <literal>virtualisation.rosetta</literal> module was
|
||||||
|
added to allow running <literal>x86_64</literal> binaries
|
||||||
|
through
|
||||||
|
<link xlink:href="https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment">Rosetta</link>
|
||||||
|
inside virtualised NixOS guests on Apple silicon. This feature
|
||||||
|
works by default with the
|
||||||
|
<link xlink:href="https://docs.getutm.app/">UTM</link>
|
||||||
|
virtualisation
|
||||||
|
<link xlink:href="https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm">package</link>.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
|
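Review bot: this file is generated output (`nixos/doc/manual/from_md/release-notes/rl-2305.section.xml` per the CONTRIBUTING steps updated in this same change), so the matching `rl-2305.section.md` edits need to land in the same commit and the XML should come from `md-to-db.sh` rather than hand edits; the `<itemizedlist spacing="compact">` to `<itemizedlist>` change is consistent with regeneration. Minor: the `services.opensnitch.rules` entry ends without a period while the other entries have one.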
@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated
|
||||||
automatically from NixOS's Git repository after certain tests have
|
automatically from NixOS's Git repository after certain tests have
|
||||||
passed and all packages have been built. These channels are:
|
passed and all packages have been built. These channels are:
|
||||||
|
|
||||||
- *Stable channels*, such as [`nixos-22.05`](https://nixos.org/channels/nixos-22.05).
|
- *Stable channels*, such as [`nixos-22.11`](https://nixos.org/channels/nixos-22.05).
|
||||||
These only get conservative bug fixes and package upgrades. For
|
These only get conservative bug fixes and package upgrades. For
|
||||||
instance, a channel update may cause the Linux kernel on your system
|
instance, a channel update may cause the Linux kernel on your system
|
||||||
to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
|
to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
|
||||||
|
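Review bot: link text and target disagree here: `[`nixos-22.11`](https://nixos.org/channels/nixos-22.05)` should link to `https://nixos.org/channels/nixos-22.11`. This markdown is the source the docbook is generated from, so fixing it here and regenerating also corrects the same mismatch in `upgrading.xml` in this change.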
@ -19,7 +19,7 @@ passed and all packages have been built. These channels are:
|
||||||
radical changes between channel updates. It's not recommended for
|
radical changes between channel updates. It's not recommended for
|
||||||
production systems.
|
production systems.
|
||||||
|
|
||||||
- *Small channels*, such as [`nixos-22.05-small`](https://nixos.org/channels/nixos-22.05-small)
|
- *Small channels*, such as [`nixos-22.11-small`](https://nixos.org/channels/nixos-22.05-small)
|
||||||
or [`nixos-unstable-small`](https://nixos.org/channels/nixos-unstable-small).
|
or [`nixos-unstable-small`](https://nixos.org/channels/nixos-unstable-small).
|
||||||
These are identical to the stable and unstable channels described above,
|
These are identical to the stable and unstable channels described above,
|
||||||
except that they contain fewer binary packages. This means they get updated
|
except that they contain fewer binary packages. This means they get updated
|
||||||
|
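Review bot: same mismatch for the small channel: `[`nixos-22.11-small`](https://nixos.org/channels/nixos-22.05-small)` should point at `https://nixos.org/channels/nixos-22.11-small`, then regenerate the docbook output.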
@ -38,8 +38,8 @@ newest supported stable release.
|
||||||
|
|
||||||
When you first install NixOS, you're automatically subscribed to the
|
When you first install NixOS, you're automatically subscribed to the
|
||||||
NixOS channel that corresponds to your installation source. For
|
NixOS channel that corresponds to your installation source. For
|
||||||
instance, if you installed from a 22.05 ISO, you will be subscribed to
|
instance, if you installed from a 22.11 ISO, you will be subscribed to
|
||||||
the `nixos-22.05` channel. To see which NixOS channel you're subscribed
|
the `nixos-22.11` channel. To see which NixOS channel you're subscribed
|
||||||
to, run the following as root:
|
to, run the following as root:
|
||||||
|
|
||||||
```ShellSession
|
```ShellSession
|
||||||
|
@ -54,16 +54,16 @@ To switch to a different NixOS channel, do
|
||||||
```
|
```
|
||||||
|
|
||||||
(Be sure to include the `nixos` parameter at the end.) For instance, to
|
(Be sure to include the `nixos` parameter at the end.) For instance, to
|
||||||
use the NixOS 22.05 stable channel:
|
use the NixOS 22.11 stable channel:
|
||||||
|
|
||||||
```ShellSession
|
```ShellSession
|
||||||
# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos
|
# nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
|
||||||
```
|
```
|
||||||
|
|
||||||
If you have a server, you may want to use the "small" channel instead:
|
If you have a server, you may want to use the "small" channel instead:
|
||||||
|
|
||||||
```ShellSession
|
```ShellSession
|
||||||
# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos
|
# nix-channel --add https://nixos.org/channels/nixos-22.11-small nixos
|
||||||
```
|
```
|
||||||
|
|
||||||
And if you want to live on the bleeding edge:
|
And if you want to live on the bleeding edge:
|
||||||
|
@ -114,5 +114,5 @@ the new generation contains a different kernel, initrd or kernel
|
||||||
modules. You can also specify a channel explicitly, e.g.
|
modules. You can also specify a channel explicitly, e.g.
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05;
|
system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11;
|
||||||
```
|
```
|
||||||
|
|
|
@ -1,27 +1,53 @@
|
||||||
# Release 22.11 (“Raccoon”, 2022.11/??) {#sec-release-22.11}
|
# Release 22.11 (“Raccoon”, 2022.11/30) {#sec-release-22.11}
|
||||||
|
|
||||||
Support is planned until the end of June 2023, handing over to 23.05.
|
The NixOS release team is happy to announce a new version of NixOS 22.11. NixOS is both a Linux distribution, and a set of packages usable on other Linux systems and macOS.
|
||||||
|
|
||||||
|
This release is supported until the end of June 2023, handing over to NixOS 23.05.
|
||||||
|
|
||||||
|
To upgrade to the latest release follow the [upgrade chapter](#sec-upgrading).
|
||||||
|
|
||||||
## Highlights {#sec-release-22.11-highlights}
|
## Highlights {#sec-release-22.11-highlights}
|
||||||
|
|
||||||
In addition to numerous new and upgraded packages, this release has the following highlights:
|
In addition to numerous new and upgraded packages, this release includes the following highlights:
|
||||||
|
|
||||||
- GNOME has been upgraded to 43. Please take a look at their [Release
|
- Software that uses the `crypt` password hashing API is now using the implementation provided by [`libxcrypt`](https://github.com/besser82/libxcrypt) instead of glibc's, which enables support for more secure algorithms.
|
||||||
Notes](https://release.gnome.org/43/) for details.
|
- Support for algorithms that `libxcrypt` [does not consider strong](https://github.com/besser82/libxcrypt/blob/v4.4.28/lib/hashes.conf#L41) are **deprecated** as of this release, and will be removed in NixOS 23.05.
|
||||||
|
- This includes system login passwords. Given this, we **strongly encourage** all users to update their system passwords, as you will be unable to login if password hashes are not migrated by the time their support is removed.
|
||||||
|
- When using `users.users.<name>.hashedPassword` to configure user passwords, run `mkpasswd`, and use the yescrypt hash that is provided as the new value.
|
||||||
|
- On the other hand, for interactively configured user passwords, simply re-set the passwords for all users with `passwd`.
|
||||||
|
- This release introduces warnings for the use of deprecated hash algorithms for both methods of configuring passwords. To make sure you migrated correctly, run `nixos-rebuild switch`.
|
||||||
|
|
||||||
- During cross-compilation, tests are now executed if the test suite can be executed
|
- The NixOS documentation is now generated from markdown. While docbook is still part of the documentation build process, it's a big step towards the full migration.
|
||||||
by the build platform. This is the case when doing “native” cross-compilation
|
|
||||||
where the build and host platforms are largely the same, but the nixpkgs' cross
|
|
||||||
compilation infrastructure is used, e.g. `pkgsStatic` and `pkgsLLVM`. Another
|
|
||||||
possibility is that the build platform is a superset of the host platform, e.g. when
|
|
||||||
cross-compiling from `x86_64-unknown-linux` to `i686-unknown-linux`.
|
|
||||||
The predicate gating test suite execution is the newly added `canExecute`
|
|
||||||
predicate: You can e.g. check if `stdenv.buildPlatform` can execute binaries
|
|
||||||
built for `stdenv.hostPlatform` (i.e. produced by `stdenv.cc`) by evaluating
|
|
||||||
`stdenv.buildPlatform.canExecute stdenv.hostPlatform`.
|
|
||||||
|
|
||||||
- The `nixpkgs.hostPlatform` and `nixpkgs.buildPlatform` options have been added.
|
- `aarch64-linux` is now included in the `nixos-22.11` and `nixos-22.11-small` channels. This means that when those channel update, both `x86_64-linux` and `aarch64-linux` will be available in the binary cache.
|
||||||
These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options.
|
|
||||||
|
- `aarch64-linux` ISOs are now available on the [downloads page](https://nixos.org/download.html).
|
||||||
|
|
||||||
|
- `nsncd` is now available as a replacement of `nscd`.
|
||||||
|
|
||||||
|
`nscd` is responsible for resolving hostnames, users and more in NixOS and has been a long standing source of bugs, such as sporadic network freezes.
|
||||||
|
|
||||||
|
More context in this [issue](https://github.com/NixOS/nixpkgs/issues/135888).
|
||||||
|
|
||||||
|
Help us test the new implementation by setting `services.nscd.enableNsncd` to `true`.
|
||||||
|
|
||||||
|
We plan to use `nsncd` by default in NixOS 23.05.
|
||||||
|
|
||||||
|
- Linode cloud images are now supported by importing `${modulesPath}/virtualisation/linode-image.nix` and accessing `system.build.linodeImage` on the output.
|
||||||
|
|
||||||
|
- `hardware.nvidia` has a new option, `hardware.nvidia.open`, that can be used to enable the usage of NVIDIA's open-source kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [the release announcement](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for more information.
|
||||||
|
|
||||||
|
- The `emacs` package now makes use of native compilation which means:
|
||||||
|
- Emacs packages from Nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine;
|
||||||
|
- Emacs packages from somewhere else, e.g. `package-install`, will perform asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still benefiting from native compilation for packages from Nixpkgs.
|
||||||
|
|
||||||
|
## Internal changes {#sec-release-22.11-internal}
|
||||||
|
|
||||||
|
- Haskell `ghcWithPackages` is now up to 15 times faster to evaluate, thanks to changing `lib.closePropagation` from a quadratic to linear complexity. Please see backward incompatibilities notes below. <https://github.com/NixOS/nixpkgs/pull/194391>
|
||||||
|
|
||||||
|
- For cross-compilation targets that can also run on the building machine, we now run tests. This, for example, is the case for the `pkgsStatic` and `pkgsLLVM` package sets or i686 packages on `x86_64` machines.
|
||||||
|
|
||||||
|
- To simplify cross-compilation in NixOS, this release introduces the `nixpkgs.hostPlatform` and `nixpkgs.buildPlatform` options. These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options.
|
||||||
|
|
||||||
- `hostPlatform` is the platform or "`system`" string of the NixOS system
|
- `hostPlatform` is the platform or "`system`" string of the NixOS system
|
||||||
described by the configuration.
|
described by the configuration.
|
||||||
|
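Review bot: Removing the `canExecute` explanation (the old highlight running from "The predicate gating test suite execution is the newly added `canExecute`" to "`stdenv.buildPlatform.canExecute stdenv.hostPlatform`") leaves the predicate undocumented in these notes, while the Backward Incompatibilities entry for `isCompatible` still tells readers to use `canExecute` instead; the replacement bullet under "Internal changes" ("For cross-compilation targets that can also run on the building machine, we now run tests.") never names it. Suggest keeping one sentence there, e.g. "The gating predicate is the new `canExecute`; evaluate `stdenv.buildPlatform.canExecute stdenv.hostPlatform` to check whether the build platform can run binaries built for the host platform." Two smaller points in the new `crypt` highlight and the Emacs bullet: "run `mkpasswd`, and use the yescrypt hash that is provided" relies on the tool's default method, so spell it out (`mkpasswd -m yescrypt`) so that users with an older `mkpasswd` do not paste a hash in a deprecated format; and "on you machine" should be "on your machine".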
@ -38,132 +64,24 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||||
for a transition period so that in time the ecosystem can switch without
|
for a transition period so that in time the ecosystem can switch without
|
||||||
breaking compatibility with any supported NixOS release.
|
breaking compatibility with any supported NixOS release.
|
||||||
|
|
||||||
- `emacs` enables native compilation which means:
|
## Notable version updates {#sec-release-22.11-version-updates}
|
||||||
- emacs packages from nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine;
|
|
||||||
- emacs packages from somewhere else, e.g. `package-install`, will do asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still enjoy the benefit of native compilation for packages from nixpkgs.
|
|
||||||
|
|
||||||
- `nixos-generate-config` now generates configurations that can be built in pure
|
- Nix has been upgraded from v2.8.1 to v2.11.0. For more information, please see the release notes for [2.9](https://nixos.org/manual/nix/stable/release-notes/rl-2.9.html), [2.10](https://nixos.org/manual/nix/stable/release-notes/rl-2.10.html) and [2.11](https://nixos.org/manual/nix/stable/release-notes/rl-2.11.html).
|
||||||
mode. This is achieved by setting the new `nixpkgs.hostPlatform` option.
|
|
||||||
|
|
||||||
You may have to unset the `system` parameter in `lib.nixosSystem`, or similarly
|
|
||||||
remove definitions of the `nixpkgs.{system,localSystem,crossSystem}` options.
|
|
||||||
|
|
||||||
Alternatively, you can remove the `hostPlatform` line and use NixOS like you
|
|
||||||
would in NixOS 22.05 and earlier.
|
|
||||||
|
|
||||||
- PHP now defaults to PHP 8.1, updated from 8.0.
|
|
||||||
|
|
||||||
- PHP is now built `NTS` (Non-Thread Safe) style by default, for Apache and
|
|
||||||
`mod_php` usage we still enable `ZTS` (Zend Thread Safe). This has been a
|
|
||||||
common practice for a long time in other distributions.
|
|
||||||
|
|
||||||
- PHP 8.2.0 RC 6 is available.
|
|
||||||
|
|
||||||
- `protonup` has been aliased to and replaced by `protonup-ng` due to upstream not maintaining it.
|
|
||||||
|
|
||||||
- Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default.
|
|
||||||
|
|
||||||
- Improved performances of `lib.closePropagation` which was previously quadratic. This is used in e.g. `ghcWithPackages`. Please see backward incompatibilities notes below.
|
|
||||||
|
|
||||||
- Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to
|
|
||||||
blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream.
|
|
||||||
|
|
||||||
- OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.
|
- OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.
|
||||||
|
|
||||||
- An image configuration and generator has been added for Linode images, largely based on the present GCE configuration and image.
|
- GNOME has been upgraded to version 43. Please see the [release notes](https://release.gnome.org/43/) for details.
|
||||||
|
|
||||||
- `hardware.nvidia` has a new option `open` that can be used to opt in the opensource version of NVIDIA kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [NVIDIA Releases Open-Source GPU Kernel Modules](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for the official announcement.
|
- KDE Plasma has been upgraded from v5.24 to v5.26. Please see the release notes for [v5.25](https://kde.org/announcements/plasma/5/5.25.0/) and [v5.26](https://kde.org/announcements/plasma/5/5.26.0/) for more details on the included changes.
|
||||||
|
|
||||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
- Cinnamon has been updated to 5.4, and the Cinnamon module now defaults to
|
||||||
|
Blueman as the Bluetooth manager and slick-greeter as the LightDM greeter, to match upstream.
|
||||||
|
|
||||||
## New Services {#sec-release-22.11-new-services}
|
- PHP now defaults to PHP 8.1, updated from 8.0.
|
||||||
|
|
||||||
- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).
|
- Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default.
|
||||||
|
|
||||||
- [automatic-timezoned](https://github.com/maxbrunet/automatic-timezoned). a Linux daemon to automatically update the system timezone based on location. Available as [services.automatic-timezoned](#opt-services.automatic-timezoned.enable).
|
- Python now defaults to 3.10, updated from 3.9.
|
||||||
|
|
||||||
- [xray] (https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as [services.xray](options.html#opt-services.xray.enable).
|
|
||||||
|
|
||||||
- [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs), a self-hostable sync server for Firefox. Available as [services.firefox-syncserver](options.html#opt-services.firefox-syncserver.enable).
|
|
||||||
|
|
||||||
- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable).
|
|
||||||
|
|
||||||
- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable).
|
|
||||||
|
|
||||||
- [Tandoor Recipes](https://tandoor.dev), a self-hosted multi-tenant recipe collection. Available as [services.tandoor-recipes](options.html#opt-services.tandoor-recipes.enable).
|
|
||||||
|
|
||||||
- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).
|
|
||||||
|
|
||||||
- [Please](https://github.com/edneville/please), a Sudo clone written in Rust. Available as [security.please](#opt-security.please.enable)
|
|
||||||
|
|
||||||
- [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable).
|
|
||||||
|
|
||||||
- [EVCC](https://evcc.io) is an EV charge controller with PV integration. It supports a multitude of chargers, meters, vehicle APIs and more and ties that together with a well-tested backend and a lightweight web frontend. Available as [services.evcc](#opt-services.evcc.enable).
|
|
||||||
|
|
||||||
- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
|
|
||||||
Available as [services.infnoise](options.html#opt-services.infnoise.enable).
|
|
||||||
|
|
||||||
- [kthxbye](https://github.com/prymitive/kthxbye), an alert acknowledgement management daemon for Prometheus Alertmanager. Available as [services.kthxbye](options.html#opt-services.kthxbye.enable)
|
|
||||||
|
|
||||||
- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization.
|
|
||||||
Available as [services.kanata](options.html#opt-services.kanata.enable).
|
|
||||||
|
|
||||||
- [karma](https://github.com/prymitive/karma), an alert dashboard for Prometheus Alertmanager. Available as [services.karma](options.html#opt-services.karma.enable)
|
|
||||||
|
|
||||||
- [languagetool](https://languagetool.org/), a multilingual grammar, style, and spell checker.
|
|
||||||
Available as [services.languagetool](options.html#opt-services.languagetool.enable).
|
|
||||||
|
|
||||||
- [OpenRGB](https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master), a FOSS tool for controlling RGB lighting. Available as [services.hardware.openrgb.enable](options.html#opt-services-hardware-openrgb-enable).
|
|
||||||
|
|
||||||
- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable).
|
|
||||||
|
|
||||||
- [ntfy.sh](https://ntfy.sh), a push notification service. Available as [services.ntfy-sh](#opt-services.ntfy-sh.enable)
|
|
||||||
|
|
||||||
- [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable).
|
|
||||||
|
|
||||||
- [endlessh](https://github.com/skeeto/endlessh), an SSH tarpit. Available as [services.endlessh](#opt-services.endlessh.enable).
|
|
||||||
|
|
||||||
- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable).
|
|
||||||
|
|
||||||
- [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable).
|
|
||||||
|
|
||||||
- [netbird](https://netbird.io), a zero configuration VPN.
|
|
||||||
Available as [services.netbird](options.html#opt-services.netbird.enable).
|
|
||||||
|
|
||||||
- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable).
|
|
||||||
|
|
||||||
- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable).
|
|
||||||
|
|
||||||
- [Dolibarr](https://www.dolibarr.org/), an enterprise resource planning and customer relationship manager. Enable using [services.dolibarr](#opt-services.dolibarr.enable).
|
|
||||||
|
|
||||||
- [FreshRSS](https://freshrss.org/), a free, self-hostable RSS feed aggregator. Available as [services.freshrss](#opt-services.freshrss.enable).
|
|
||||||
|
|
||||||
- [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable).
|
|
||||||
|
|
||||||
- [merecat](https://troglobit.com/projects/merecat/), a small and easy HTTP server based on thttpd. Available as [services.merecat](#opt-services.merecat.enable)
|
|
||||||
|
|
||||||
- [go-autoconfig](https://github.com/L11R/go-autoconfig), IMAP/SMTP autodiscover server. Available as [services.go-autoconfig](#opt-services.go-autoconfig.enable).
|
|
||||||
|
|
||||||
- [tmate-ssh-server](https://github.com/tmate-io/tmate-ssh-server), server side part of [tmate](https://tmate.io/). Available as [services.tmate-ssh-server](#opt-services.tmate-ssh-server.enable).
|
|
||||||
|
|
||||||
- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).
|
|
||||||
|
|
||||||
- [AusweisApp2](https://www.ausweisapp.bund.de/), the authentication software for the German ID card. Available as [programs.ausweisapp](#opt-programs.ausweisapp.enable).
|
|
||||||
|
|
||||||
- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
|
|
||||||
Available as [services.patroni](options.html#opt-services.patroni.enable).
|
|
||||||
|
|
||||||
- [Prometheus IPMI exporter](https://github.com/prometheus-community/ipmi_exporter), an IPMI exporter for Prometheus. Available as [services.prometheus.exporters.ipmi](#opt-services.prometheus.exporters.ipmi.enable).
|
|
||||||
|
|
||||||
- [WriteFreely](https://writefreely.org), a simple blogging platform with ActivityPub support. Available as [services.writefreely](options.html#opt-services.writefreely.enable).
|
|
||||||
|
|
||||||
- [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable).
|
|
||||||
|
|
||||||
- [Uptime Kuma](https://uptime.kuma.pet/), a fancy self-hosted monitoring tool. Available as [services.uptime-kuma](#opt-services.uptime-kuma.enable).
|
|
||||||
|
|
||||||
- [Mepo](https://mepo.milesalan.com), a fast, simple, hackable OSM map viewer for mobile and desktop Linux. Available as [programs.mepo.enable](#opt-programs.mepo.enable).
|
|
||||||
|
|
||||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
|
||||||
|
|
||||||
## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
|
## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
|
||||||
|
|
||||||
|
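Review bot: Three user-facing items are dropped in this hunk without a visible replacement anywhere in the patch: the `nixos-generate-config` pure-mode guidance (from "`nixos-generate-config` now generates configurations that can be built in pure mode" through "would in NixOS 22.05 and earlier"), the "`protonup` has been aliased to and replaced by `protonup-ng`" entry, and the whole "## New Services" list from appvm through Mepo. The first is what tells flake users to unset `system` in `lib.nixosSystem` once `nixpkgs.hostPlatform` is set, which the new "Internal changes" bullet introduces without that caveat, and the second is a backward incompatibility, so restore both under the matching section; if the New Services list was relocated rather than deleted, the destination should appear in the diff. While re-adding it, fix the stray space in "[xray] (https://...)" which breaks that link.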
@ -172,18 +90,17 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
- The `isCompatible` predicate checking CPU compatibility is no longer exposed
|
- The `isCompatible` predicate checking CPU compatibility is no longer exposed
|
||||||
by the platform sets generated using `lib.systems.elaborate`. In most cases
|
by the platform sets generated using `lib.systems.elaborate`. In most cases
|
||||||
you will want to use the new `canExecute` predicate instead which also
|
you will want to use the new `canExecute` predicate instead which also
|
||||||
considers the kernel / syscall interface. It is briefly described in the
|
takes the kernel / syscall interface into account.
|
||||||
release's [highlights section](#sec-release-22.11-highlights).
|
|
||||||
`lib.systems.parse.isCompatible` still exists, but has changed semantically:
|
`lib.systems.parse.isCompatible` still exists, but has changed semantically:
|
||||||
Architectures with differing endianness modes are *no longer considered compatible*.
|
Architectures with differing endianness modes are *no longer considered compatible*.
|
||||||
|
|
||||||
- `ngrok` has been upgraded from 2.3.40 to 3.0.4. Please see [the upgrade guide](https://ngrok.com/docs/guides/upgrade-v2-v3)
|
- `ngrok` has been upgraded from 2.3.40 to 3.0.4. Please see [the upgrade guide](https://ngrok.com/docs/guides/upgrade-v2-v3)
|
||||||
and [changelog](https://ngrok.com/docs/ngrok-agent/changelog). Notably, breaking changes are that the config file format has
|
and [changelog](https://ngrok.com/docs/ngrok-agent/changelog). Notably, breaking changes are that the config file format has
|
||||||
changed and support for single hypen arguments was dropped.
|
changed and support for single hyphen arguments was dropped.
|
||||||
|
|
||||||
- `i18n.supportedLocales` is now by default only generated with the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`.
|
- `i18n.supportedLocales` is now only generated with the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`.
|
||||||
This got partially copied over from the minimal profile and reduces the final system size by up to 200MB.
|
- This reduces the final system closure size by up to 200MB.
|
||||||
If you require all locales installed set the option to ``[ "all" ]``.
|
- If you require all locales installed, set the option to ``[ "all" ]``.
|
||||||
|
|
||||||
- Deprecated settings `logrotate.paths` and `logrotate.extraConfig` have
|
- Deprecated settings `logrotate.paths` and `logrotate.extraConfig` have
|
||||||
been removed. Please convert any uses to
|
been removed. Please convert any uses to
|
||||||
|
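Review bot: Dropping "by default" from the `i18n.supportedLocales` entry ("is now only generated with the locales set in ...") makes the new behaviour read as unconditional, yet the following sub-bullet still says to set the option to ``[ "all" ]`` to get every locale; keep the qualifier, e.g. "is now generated by default with only the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`". Also, after removing "It is briefly described in the release's highlights section", the `isCompatible` entry points readers at `canExecute` without saying what it is; either keep the cross-reference or add a one-line definition here.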
@ -195,7 +112,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
- The `fetchgit` fetcher supports sparse checkouts via the `sparseCheckout` option. This used to accept a multi-line string with directories/patterns to check out, but now requires a list of strings.
|
- The `fetchgit` fetcher supports sparse checkouts via the `sparseCheckout` option. This used to accept a multi-line string with directories/patterns to check out, but now requires a list of strings.
|
||||||
|
|
||||||
- `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins
|
- `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins.
|
||||||
|
|
||||||
- `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`.
|
- `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`.
|
||||||
|
|
||||||
|
@ -208,11 +125,11 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
- The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead.
|
- The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead.
|
||||||
|
|
||||||
- The `openssl`-extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if
|
- The OpenSSL extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if
|
||||||
[](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html)
|
[](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html)
|
||||||
don't lose access to their files.
|
don't lose access to their files.
|
||||||
|
|
||||||
In any other case it's safe to use OpenSSL 3 for PHP's openssl extension. This can be done by setting
|
In any other case, it's safe to use OpenSSL 3 for PHP's OpenSSL extension. This can be done by setting
|
||||||
[](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`.
|
[](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`.
|
||||||
|
|
||||||
- The `coq` package and versioned variants starting at `coq_8_14` no
|
- The `coq` package and versioned variants starting at `coq_8_14` no
|
||||||
|
@ -231,7 +148,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
- Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
|
- Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
|
||||||
Users who still wish to remain using GTK can do so by using `emacs-gtk`.
|
Users who still wish to remain using GTK can do so by using `emacs-gtk`.
|
||||||
|
|
||||||
- `kanidm` has been updated to 1.1.0-alpha.10 and now requires a tls certificate and key. It will always start an https and – if enabled – an ldaps server and no http and ldap server anymore.
|
- `kanidm` has been updated to 1.1.0-alpha.10 and now requires a TLS certificate and key. It will always start `https` and-–-if enabled-–-an LDAPS server and no HTTP and LDAP server anymore.
|
||||||
|
|
||||||
- riak package removed along with `services.riak` module, due to lack of maintainer to update the package.
|
- riak package removed along with `services.riak` module, due to lack of maintainer to update the package.
|
||||||
|
|
||||||
|
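Review bot: The reworded `kanidm` line has mangled punctuation, "`https` and-–-if enabled-–-an LDAPS server", where hyphens were glued to the en dashes, and it mixes code font (`https`) with plain acronyms (LDAPS, HTTP, LDAP). Suggest: "It will always start an HTTPS server and, if enabled, an LDAPS server, and no longer starts plain HTTP or LDAP servers." Since the entry says a TLS certificate and key are now required, name the options where they are configured so users know what to set before the upgraded service refuses to start.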
@ -298,7 +215,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
- The `zrepl` package has been updated from 0.5.0 to 0.6.0. See the [changelog](https://zrepl.github.io/changelog.html) for details.
|
- The `zrepl` package has been updated from 0.5.0 to 0.6.0. See the [changelog](https://zrepl.github.io/changelog.html) for details.
|
||||||
|
|
||||||
- `k3s` no longer supports docker as runtime due to upstream dropping support.
|
- `k3s` no longer supports Docker as runtime due to upstream dropping support.
|
||||||
|
|
||||||
- `cassandra_2_1` and `cassandra_2_2` have been removed. Please update to `cassandra_3_11` or `cassandra_3_0`. See the [changelog](https://github.com/apache/cassandra/blob/cassandra-3.11.14/NEWS.txt) for more information about the upgrade process.
|
- `cassandra_2_1` and `cassandra_2_2` have been removed. Please update to `cassandra_3_11` or `cassandra_3_0`. See the [changelog](https://github.com/apache/cassandra/blob/cassandra-3.11.14/NEWS.txt) for more information about the upgrade process.
|
||||||
|
|
||||||
|
@ -322,7 +239,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
For further information, please read the upstream changelogs.
|
For further information, please read the upstream changelogs.
|
||||||
|
|
||||||
- `stylua` no longer accepts `lua52Support` and `luauSupport` overrides, use `features` instead, which defaults to `[ "lua54" "luau" ]`.
|
- `stylua` no longer accepts `lua52Support` and `luauSupport` overrides. Use `features` instead, which defaults to `[ "lua54" "luau" ]`.
|
||||||
|
|
||||||
- `ocamlPackages.ocaml_extlib` has been renamed to `ocamlPackages.extlib`.
|
- `ocamlPackages.ocaml_extlib` has been renamed to `ocamlPackages.extlib`.
|
||||||
|
|
||||||
|
@ -347,23 +264,29 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
## Other Notable Changes {#sec-release-22.11-notable-changes}
|
## Other Notable Changes {#sec-release-22.11-notable-changes}
|
||||||
|
|
||||||
- `firefox`, `thunderbird` and `librewolf` come with enabled Wayland support by default. The `firefox-wayland`, `firefox-esr-wayland`, `thunderbird-wayland` and `librewolf-wayland` attributes are obsolete and have been aliased to their generic attribute.
|
- PHP is now built in `NTS` (Non-Thread Safe) mode by default.
|
||||||
|
- For Apache and `mod_php` usage, we enable `ZTS` (Zend Thread Safe) mode. This has been a
|
||||||
|
common practice for a long time in other distributions.
|
||||||
|
|
||||||
|
- `firefox`, `thunderbird` and `librewolf` now come with Wayland support by default. The `firefox-wayland`, `firefox-esr-wayland`, `thunderbird-wayland` and `librewolf-wayland` attributes are obsolete and have been aliased to their generic attribute.
|
||||||
|
|
||||||
- The `xplr` package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the [upstream release notes](https://github.com/sayanarijit/xplr/releases/tag/v0.19.0) for more details.
|
- The `xplr` package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the [upstream release notes](https://github.com/sayanarijit/xplr/releases/tag/v0.19.0) for more details.
|
||||||
|
|
||||||
- Configuring multiple GitHub runners is now possible through `services.github-runners.<name>`. The option `services.github-runner` remains.
|
- Configuring multiple GitHub runners is now possible through `services.github-runners.<name>`. The options under `services.github-runner` remain, to configure a single runner.
|
||||||
|
|
||||||
- `github-runner` gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See `services.github-runner.ephemeral` and `services.github-runner.tokenFile` for details.
|
- `github-runner` gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See `services.github-runner.ephemeral` and `services.github-runner.tokenFile` for details.
|
||||||
|
|
||||||
- A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
|
- A new module was added to provide hardware support for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
|
||||||
|
|
||||||
- ZFS module will not allow hibernation by default, this is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842). Use the `boot.zfs.allowHibernation` option to configure this behaviour.
|
- ZFS module will no longer allow hibernation by default.
|
||||||
|
- This is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842).
|
||||||
|
- Use the `boot.zfs.allowHibernation` option to configure this behaviour.
|
||||||
|
|
||||||
- `mastodon` now automatically removes remote media attachments older than 30 days. This is configurable through `services.mastodon.mediaAutoRemove`.
|
- Mastodon now automatically removes remote media attachments older than 30 days. This is configurable through `services.mastodon.mediaAutoRemove`.
|
||||||
|
|
||||||
- The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default.
|
- The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default.
|
||||||
|
|
||||||
- Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance.
|
- Neo4j was updated from version 3 to version 4. See upstream's [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) for information on how to migrate your instance.
|
||||||
|
|
||||||
- The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark.
|
- The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark.
|
||||||
|
|
||||||
|
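Review bot: "A new module was added to provide hardware support for the Saleae Logic device family, providing the options ..." doubles "provide"; the previous wording ("A new module was added for the Saleae Logic device family, providing the options ...") read better, or use "A new module provides hardware support for the Saleae Logic device family, with the options ...". Two smaller points in the same hunk: "ZFS module will no longer allow hibernation by default" is missing its article ("The ZFS module ..."), and the PHP `NTS`/`ZTS` item now sits under "Other Notable Changes" while "PHP now defaults to PHP 8.1" is under "Notable version updates"; keeping them adjacent, or cross-referencing, would help anyone using `mod_php` find both.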
@ -373,9 +296,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
- The `polymc` package has been removed due to a rogue maintainer. It has been
|
- The `polymc` package has been removed due to a rogue maintainer. It has been
|
||||||
replaced by `prismlauncher`, a fork by the rest of the maintainers. For more
|
replaced by `prismlauncher`, a fork by the rest of the maintainers. For more
|
||||||
details, see [the pull request that made this
|
details, see [the PR that made this change](https://github.com/NixOS/nixpkgs/pull/196624) and
|
||||||
change](https://github.com/NixOS/nixpkgs/pull/196624) and [this issue
|
[the issue detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460).
|
||||||
detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460).
|
|
||||||
Users with existing installations should rename `~/.local/share/polymc` to
|
Users with existing installations should rename `~/.local/share/polymc` to
|
||||||
`~/.local/share/PrismLauncher`. The main config file's path has also moved
|
`~/.local/share/PrismLauncher`. The main config file's path has also moved
|
||||||
from `~/.local/share/polymc/polymc.cfg` to
|
from `~/.local/share/polymc/polymc.cfg` to
|
||||||
|
@ -383,7 +305,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
- The `bloat` package has been updated from unstable-2022-03-31 to unstable-2022-10-25, which brings a breaking change. See [this upstream commit message](https://git.freesoftwareextremist.com/bloat/commit/?id=887ed241d64ba5db3fd3d87194fb5595e5ad7d73) for details.
|
- The `bloat` package has been updated from unstable-2022-03-31 to unstable-2022-10-25, which brings a breaking change. See [this upstream commit message](https://git.freesoftwareextremist.com/bloat/commit/?id=887ed241d64ba5db3fd3d87194fb5595e5ad7d73) for details.
|
||||||
|
|
||||||
- The `services.matrix-synapse` systemd unit has been hardened.
|
- Synapse's systemd unit has been hardened.
|
||||||
|
|
||||||
- The module `services.grafana` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed:
|
- The module `services.grafana` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed:
|
||||||
- The newly introduced option [](#opt-services.grafana.settings) is an attribute-set that
|
- The newly introduced option [](#opt-services.grafana.settings) is an attribute-set that
|
||||||
|
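Review bot: the reworded entry "Synapse's systemd unit has been hardened" drops the `services.matrix-synapse` option name, which is what readers grep the release notes for; keep it, e.g. "The `services.matrix-synapse` systemd unit has been hardened." The entry also says nothing about what the hardening consists of; since sandboxing directives can break deployments that read media or configuration from paths outside the unit's allowed set, list the directives added or link the pull request so operators can check their setup before upgrading.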
@ -448,7 +370,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
- The `services.grafana.provision.alerting` option was added. It includes suboptions for every alerting-related objects (with the exception of `notifiers`), which means it's now possible to configure modern Grafana alerting declaratively.
|
- The `services.grafana.provision.alerting` option was added. It includes suboptions for every alerting-related objects (with the exception of `notifiers`), which means it's now possible to configure modern Grafana alerting declaratively.
|
||||||
|
|
||||||
- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
|
- Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
|
||||||
|
|
||||||
- The `diamond` package has been update from 0.8.36 to 2.0.15. See the [upstream release notes](https://github.com/bbuchfink/diamond/releases) for more details.
|
- The `diamond` package has been update from 0.8.36 to 2.0.15. See the [upstream release notes](https://github.com/bbuchfink/diamond/releases) for more details.
|
||||||
|
|
||||||
|
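Review bot: the diamond entry still reads "has been update from 0.8.36 to 2.0.15" on both sides of the diff; since the Synapse wording in the same hunk is being polished, fix this to "has been updated" as well. Likewise "suboptions for every alerting-related objects" in the Grafana alerting entry should be "every alerting-related object".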
@ -456,7 +378,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
- The `netlify-cli` package has been updated from 6.13.2 to 12.2.4, see the [changelog](https://github.com/netlify/cli/releases) for more details.
|
- The `netlify-cli` package has been updated from 6.13.2 to 12.2.4, see the [changelog](https://github.com/netlify/cli/releases) for more details.
|
||||||
|
|
||||||
- `dockerTools.buildImage` deprecates the misunderstood `contents` parameter, in favor of `copyToRoot`.
|
- `dockerTools.buildImage`'s `contents` parameter has been deprecated in favor of `copyToRoot`.
|
||||||
Use `copyToRoot = buildEnv { ... };` or similar if you intend to add packages to `/bin`.
|
Use `copyToRoot = buildEnv { ... };` or similar if you intend to add packages to `/bin`.
|
||||||
|
|
||||||
- The `proxmox.qemuConf.bios` option was added, it corresponds to `Hardware->BIOS` field in Proxmox web interface. Use `"ovmf"` value to build UEFI image, default value remains `"bios"`. New option `proxmox.partitionTableType` defaults to either `"legacy"` or `"efi"`, depending on the `bios` value. Setting `partitionTableType` to `"hybrid"` results in an image, which supports both methods (`"bios"` and `"ovmf"`), thereby remaining bootable after change to Proxmox `Hardware->BIOS` field.
|
- The `proxmox.qemuConf.bios` option was added, it corresponds to `Hardware->BIOS` field in Proxmox web interface. Use `"ovmf"` value to build UEFI image, default value remains `"bios"`. New option `proxmox.partitionTableType` defaults to either `"legacy"` or `"efi"`, depending on the `bios` value. Setting `partitionTableType` to `"hybrid"` results in an image, which supports both methods (`"bios"` and `"ovmf"`), thereby remaining bootable after change to Proxmox `Hardware->BIOS` field.
|
||||||
|
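Review bot: the `dockerTools.buildImage` entry now says `contents` "has been deprecated" but not what happens to existing callers; state whether it still works with a warning or fails evaluation, since that decides whether this is a breaking change for image builds. Style: the proxmox entry has a comma splice ("was added, it corresponds to") and a stray comma in "an image, which supports both methods"; "was added; it corresponds to the `Hardware->BIOS` field" and "an image that supports both methods" read better.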
@ -467,7 +389,9 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
- The `documentation.nixos.options.allowDocBook` option was added to ease the transition to CommonMark option documentation. Setting this option to `false` causes an error for every option included in the manual that uses DocBook documentation; it defaults to `true` to preserve the previous behavior and will be removed once the transition to CommonMark is complete.
|
- The `documentation.nixos.options.allowDocBook` option was added to ease the transition to CommonMark option documentation. Setting this option to `false` causes an error for every option included in the manual that uses DocBook documentation; it defaults to `true` to preserve the previous behavior and will be removed once the transition to CommonMark is complete.
|
||||||
|
|
||||||
- The redis module now persists each instance's configuration file in the state directory, in order to support some more advanced use cases like sentinel.
|
- The Redis module now persists each instance's configuration file in the state directory, in order to support some more advanced use cases like Sentinel.
|
||||||
|
|
||||||
|
- `protonup` has been aliased to and replaced by `protonup-ng` due to upstream not maintaining it.
|
||||||
|
|
||||||
- The udisks2 service, available at `services.udisks2.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.
|
- The udisks2 service, available at `services.udisks2.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.
|
||||||
This also means that polkit will now actually be disabled by default. The default for `security.polkit.enable` was already flipped in the previous release, but udisks2 being enabled by default re-enabled it.
|
This also means that polkit will now actually be disabled by default. The default for `security.polkit.enable` was already flipped in the previous release, but udisks2 being enabled by default re-enabled it.
|
||||||
|
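Review bot: the udisks2/polkit entry says the `security.polkit.enable` default "was already flipped in the previous release"; name the release (22.05) so the sentence stays correct when read from a later manual. The note deserves to stay prominent: with udisks2 no longer enabled by default, polkit really is off unless something else pulls it in, and services that relied on it transitively will need `security.polkit.enable = true`.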
@ -476,22 +400,12 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
for Nextcloud in NixOS:
|
for Nextcloud in NixOS:
|
||||||
- For Nextcloud **>=24**, the default PHP version is 8.1.
|
- For Nextcloud **>=24**, the default PHP version is 8.1.
|
||||||
- Nextcloud **23** has been removed since it will reach its [end of life in December 2022](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/d76576a12a626d53305d480a6065b57cab705d3d).
|
- Nextcloud **23** has been removed since it will reach its [end of life in December 2022](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/d76576a12a626d53305d480a6065b57cab705d3d).
|
||||||
- For `system.stateVersion` being **>=22.11**, Nextcloud 25 will be installed by default. For older versions,
|
- If `system.stateVersion` is **>=22.11**, Nextcloud 25 will be installed by default. For older versions,
|
||||||
Nextcloud 24 will be installed.
|
Nextcloud 24 will be installed.
|
||||||
- Please ensure that you only upgrade on major release at a time! Nextcloud doesn't support
|
- Please ensure that you only upgrade one major release at a time! Nextcloud doesn't support
|
||||||
upgrades across multiple versions, i.e. an upgrade from **23** to **25** is only possible
|
upgrades across multiple versions, i.e. an upgrade from **23** to **25** is only possible
|
||||||
when upgrading to **24** first.
|
when upgrading to **24** first.
|
||||||
|
|
||||||
- Add udev rules for the Teensy family of microcontrollers.
|
|
||||||
|
|
||||||
- The Qt QML disk cache is now disabled by default. This fixes a
|
|
||||||
long-standing issue where updating Qt/KDE apps would sometimes cause
|
|
||||||
them to crash or behave strangely without explanation. Those concerned
|
|
||||||
about the small (~10%) performance hit to application startup can
|
|
||||||
re-enable the cache (and expose themselves to gremlins) by setting the
|
|
||||||
envrionment variable `QML_FORCE_DISK_CACHE` to `1` using e.g. the
|
|
||||||
`environment.sessionVariables` NixOS option.
|
|
||||||
|
|
||||||
- systemd-oomd is enabled by default. Depending on which systemd units have
|
- systemd-oomd is enabled by default. Depending on which systemd units have
|
||||||
`ManagedOOMSwap=kill` or `ManagedOOMMemoryPressure=kill`, systemd-oomd will
|
`ManagedOOMSwap=kill` or `ManagedOOMMemoryPressure=kill`, systemd-oomd will
|
||||||
SIGKILL all the processes under the appropriate descendant cgroups when the
|
SIGKILL all the processes under the appropriate descendant cgroups when the
|
||||||
|
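Review bot: the Teensy udev rules entry and the Qt QML disk cache entry are deleted in this hunk (the -22/+12 header reflects the removal) with no corresponding addition visible anywhere in it; confirm they were moved to the 23.05 notes rather than dropped, since both describe user-visible behaviour changes (new udev rules, a ~10% startup cost trade-off and the `QML_FORCE_DISK_CACHE` escape hatch). The Nextcloud wording fixes ("one major release at a time", "If `system.stateVersion` is") read well.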
@ -505,25 +419,23 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
- The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API.
|
- The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API.
|
||||||
|
|
||||||
- There is a new module for AMD SEV CPU functionality, which grants access to the hardware.
|
- The Wordpress module now has support for installing language packs through a new option, `services.wordpress.sites.<site>.languages`.
|
||||||
|
|
||||||
- The Wordpress module got support for installing language packs through `services.wordpress.sites.<site>.languages`.
|
|
||||||
|
|
||||||
- The default package for `services.mullvad-vpn.package` was changed to `pkgs.mullvad`, allowing cross-platform usage of Mullvad. `pkgs.mullvad` only contains the Mullvad CLI tool, so users who rely on the Mullvad GUI will want to change it back to `pkgs.mullvad-vpn`, or add `pkgs.mullvad-vpn` to their environment.
|
- The default package for `services.mullvad-vpn.package` was changed to `pkgs.mullvad`, allowing cross-platform usage of Mullvad. `pkgs.mullvad` only contains the Mullvad CLI tool, so users who rely on the Mullvad GUI will want to change it back to `pkgs.mullvad-vpn`, or add `pkgs.mullvad-vpn` to their environment.
|
||||||
|
|
||||||
- PowerDNS has been updated from `4.6.x` to `4.7.x`. Please be sure to review the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master) provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the gsql database backends, which has to be manually applied.
|
- PowerDNS has been updated from v4.6.2 to v4.7.2. Please be sure to review the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master) provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the GSQL database backends, which has to be manually applied.
|
||||||
|
|
||||||
- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed.
|
- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and may be removed in a future release.
|
||||||
|
|
||||||
- There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service.
|
- There is a new module for `xfconf` (the Xfce configuration storage system), which has a dbus service.
|
||||||
|
|
||||||
- The Mastodon package got upgraded from the major version 3 to 4. See the [v4.0.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.0.0) for a list of changes. On standard setups, no manual migration steps are required. Nevertheless, a database backup is recommended.
|
- The Mastodon package has been upgraded to v4.0.0. See the [v4.0.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.0.0) for a list of changes. On standard setups, no manual migration steps are required. Nevertheless, a database backup is recommended.
|
||||||
|
|
||||||
- The `nomad` package now defaults to 1.3, which no longer has a downgrade path to releases 1.2 or older.
|
- The `nomad` package now defaults to v1.3, which no longer has a downgrade path to v1.2 or older.
|
||||||
|
|
||||||
- The `nodePackages` package set now defaults to the LTS release in the `nodejs` package again, instead of being pinned to `nodejs-14_x`. Several updates to node2nix have been made for compatibility with newer Node.js and npm versions and a new `postRebuild` hook has been added for packages to perform extra build steps before the npm install step prunes dev dependencies.
|
- The `nodePackages` package set now defaults to the LTS release in the `nodejs` package again, instead of being pinned to `nodejs-14_x`. Several updates to node2nix have been made for compatibility with newer Node.js and npm versions and a new `postRebuild` hook has been added for packages to perform extra build steps before the npm install step prunes dev dependencies.
|
||||||
|
|
||||||
- `boot.kernel.sysctl` is defined as a freeformType and adds a custom merge option for "net.core.rmem_max" (taking the highest value defined to avoid conflicts between 2 services trying to set that value).
|
- `boot.kernel.sysctl` is defined as a freeformType and adds a custom merge option for `net.core.rmem_max` (taking the highest value defined to avoid conflicts between 2 services trying to set that value).
|
||||||
|
|
||||||
- The `mame` package does not ship with its tools anymore in the default output. They were moved to a separate `tools` output instead. For convenience, `mame-tools` package was added for those who want to use it.
|
- The `mame` package does not ship with its tools anymore in the default output. They were moved to a separate `tools` output instead. For convenience, `mame-tools` package was added for those who want to use it.
|
||||||
|
|
||||||
|
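Review bot: the "new module for AMD SEV CPU functionality" entry is removed while the Wordpress entry is only reworded and moved up; confirm the SEV entry was relocated to the 23.05 notes, because a module that grants access to the SEV hardware is exactly the kind of change an operator will look for in release notes. The PowerDNS rewording from `4.6.x`/`4.7.x` to v4.6.2/v4.7.2 is more precise, and putting `net.core.rmem_max` in backticks matches the rest of the list.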
@ -531,8 +443,94 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
- The option `services.picom.experimentalBackends` was removed since it is now the default and the option will cause `picom` to quit instead.
|
- The option `services.picom.experimentalBackends` was removed since it is now the default and the option will cause `picom` to quit instead.
|
||||||
|
|
||||||
- `haskellPackage.callHackage` is not always invalidated if `all-cabal-hashes` changes, leading to less rebuilds of haskell dependencies.
|
- `haskellPackages.callHackage` is not always invalidated if `all-cabal-hashes` changes, leading to less rebuilds of haskell dependencies.
|
||||||
|
|
||||||
- `haskellPackages.callHackage` and `haskellPackages.callCabal2nix` (and related functions) no longer keep a reference to the `cabal2nix` call used to generate them. As a result, they will be garbage collected more often.
|
- `haskellPackages.callHackage` and `haskellPackages.callCabal2nix` (and related functions) no longer keep a reference to the `cabal2nix` call used to generate them. As a result, they will be garbage collected more often.
|
||||||
|
|
||||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||||
|
|
||||||
|
## New Services {#sec-release-22.11-new-services}
|
||||||
|
|
||||||
|
- [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable).
|
||||||
|
|
||||||
|
- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).
|
||||||
|
|
||||||
|
- [AusweisApp2](https://www.ausweisapp.bund.de/), the authentication software for the German ID card. Available as [programs.ausweisapp](#opt-programs.ausweisapp.enable).
|
||||||
|
|
||||||
|
- [automatic-timezoned](https://github.com/maxbrunet/automatic-timezoned). a Linux daemon to automatically update the system timezone based on location. Available as [services.automatic-timezoned](#opt-services.automatic-timezoned.enable).
|
||||||
|
|
||||||
|
- [Dolibarr](https://www.dolibarr.org/), an enterprise resource planning and customer relationship manager. Enable using [services.dolibarr](#opt-services.dolibarr.enable).
|
||||||
|
|
||||||
|
- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable).
|
||||||
|
|
||||||
|
- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable).
|
||||||
|
|
||||||
|
- [endlessh](https://github.com/skeeto/endlessh), an SSH tarpit. Available as [services.endlessh](#opt-services.endlessh.enable).
|
||||||
|
|
||||||
|
- [EVCC](https://evcc.io) is an EV charge controller with PV integration. It supports a multitude of chargers, meters, vehicle APIs and more and ties that together with a well-tested backend and a lightweight web frontend. Available as [services.evcc](#opt-services.evcc.enable).
|
||||||
|
|
||||||
|
- [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable).
|
||||||
|
|
||||||
|
- [FreshRSS](https://freshrss.org/), a free, self-hostable RSS feed aggregator. Available as [services.freshrss](#opt-services.freshrss.enable).
|
||||||
|
|
||||||
|
- [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable).
|
||||||
|
|
||||||
|
- [go-autoconfig](https://github.com/L11R/go-autoconfig), IMAP/SMTP autodiscover server. Available as [services.go-autoconfig](#opt-services.go-autoconfig.enable).
|
||||||
|
|
||||||
|
- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).
|
||||||
|
|
||||||
|
- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).
|
||||||
|
|
||||||
|
- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle. Available as [services.infnoise](options.html#opt-services.infnoise.enable).
|
||||||
|
|
||||||
|
- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization. Available as [services.kanata](options.html#opt-services.kanata.enable).
|
||||||
|
|
||||||
|
- [karma](https://github.com/prymitive/karma), an alert dashboard for Prometheus Alertmanager. Available as [services.karma](options.html#opt-services.karma.enable)
|
||||||
|
|
||||||
|
- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable).
|
||||||
|
|
||||||
|
- [kthxbye](https://github.com/prymitive/kthxbye), an alert acknowledgement management daemon for Prometheus Alertmanager. Available as [services.kthxbye](options.html#opt-services.kthxbye.enable)
|
||||||
|
|
||||||
|
- [languagetool](https://languagetool.org/), a multilingual grammar, style, and spell checker. Available as [services.languagetool](options.html#opt-services.languagetool.enable).
|
||||||
|
|
||||||
|
- [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable).
|
||||||
|
|
||||||
|
- [Mepo](https://mepo.milesalan.com), a fast, simple, hackable OSM map viewer for mobile and desktop Linux. Available as [programs.mepo.enable](#opt-programs.mepo.enable).
|
||||||
|
|
||||||
|
- [merecat](https://troglobit.com/projects/merecat/), a small and easy HTTP server based on thttpd. Available as [services.merecat](#opt-services.merecat.enable)
|
||||||
|
|
||||||
|
- [netbird](https://netbird.io), a zero configuration VPN. Available as [services.netbird](options.html#opt-services.netbird.enable).
|
||||||
|
|
||||||
|
- [ntfy.sh](https://ntfy.sh), a push notification service. Available as [services.ntfy-sh](#opt-services.ntfy-sh.enable)
|
||||||
|
|
||||||
|
- [OpenRGB](https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master), a FOSS tool for controlling RGB lighting. Available as [services.hardware.openrgb.enable](options.html#opt-services.hardware.openrgb.enable).
|
||||||
|
|
||||||
|
- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable).
|
||||||
|
|
||||||
|
- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul. Available as [services.patroni](options.html#opt-services.patroni.enable).
|
||||||
|
|
||||||
|
- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable).
|
||||||
|
|
||||||
|
- [Please](https://github.com/edneville/please), a Sudo clone written in Rust. Available as [security.please](#opt-security.please.enable).
|
||||||
|
|
||||||
|
- [Prometheus IPMI exporter](https://github.com/prometheus-community/ipmi_exporter), an IPMI exporter for Prometheus. Available as [services.prometheus.exporters.ipmi](#opt-services.prometheus.exporters.ipmi.enable).
|
||||||
|
|
||||||
|
- [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable).
|
||||||
|
|
||||||
|
- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable).
|
||||||
|
|
||||||
|
- [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs), a self-hostable sync server for Firefox. Available as [services.firefox-syncserver](options.html#opt-services.firefox-syncserver.enable).
|
||||||
|
|
||||||
|
- [Tandoor Recipes](https://tandoor.dev), a self-hosted multi-tenant recipe collection. Available as [services.tandoor-recipes](options.html#opt-services.tandoor-recipes.enable).
|
||||||
|
|
||||||
|
- [TAYGA](http://www.litech.org/tayga/), an out-of-kernel stateless NAT64 implementation. Available as [services.tayga](#opt-services.tayga.enable).
|
||||||
|
|
||||||
|
- [tmate-ssh-server](https://github.com/tmate-io/tmate-ssh-server), server side part of [tmate](https://tmate.io/). Available as [services.tmate-ssh-server](#opt-services.tmate-ssh-server.enable).
|
||||||
|
|
||||||
|
- [Uptime Kuma](https://uptime.kuma.pet/), a fancy self-hosted monitoring tool. Available as [services.uptime-kuma](#opt-services.uptime-kuma.enable).
|
||||||
|
|
||||||
|
- [WriteFreely](https://writefreely.org), a simple blogging platform with ActivityPub support. Available as [services.writefreely](options.html#opt-services.writefreely.enable).
|
||||||
|
|
||||||
|
- [xray](https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as [services.xray](options.html#opt-services.xray.enable).
|
||||||
|
|
||||||
|
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||||
|
|
|
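Review bot: "`haskellPackages.callHackage` is not always invalidated if `all-cabal-hashes` changes" reads as a description of a bug rather than an improvement; if the intent is that it is no longer invalidated on every change, say "is no longer invalidated every time `all-cabal-hashes` changes", and "less rebuilds" should be "fewer rebuilds". In the new services list, the automatic-timezoned entry has a full stop where a comma belongs ("automatic-timezoned). a Linux daemon"), the karma, kthxbye, merecat and ntfy.sh entries lack a terminating full stop, and `endlessh-go` is listed before `endlessh`, breaking the alphabetical order the rest of the list follows.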
@ -8,7 +8,7 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||||
|
|
||||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||||
|
|
||||||
- Create the first release note entry in this section!
|
- Cinnamon has been updated to 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what is changed.
|
||||||
|
|
||||||
## New Services {#sec-release-23.05-new-services}
|
## New Services {#sec-release-23.05-new-services}
|
||||||
|
|
||||||
|
@ -25,12 +25,18 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||||
- The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services.
|
- The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services.
|
||||||
This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service`
|
This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service`
|
||||||
|
|
||||||
|
- `services.sourcehut.dispatch` and the corresponding package (`sourcehut.dispatchsrht`) have been removed due to [upstream deprecation](https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/).
|
||||||
|
|
||||||
- The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.
|
- The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.
|
||||||
|
|
||||||
- The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
|
- The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
|
||||||
|
|
||||||
|
- The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon.
|
||||||
|
|
||||||
## Other Notable Changes {#sec-release-23.05-notable-changes}
|
## Other Notable Changes {#sec-release-23.05-notable-changes}
|
||||||
|
|
||||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||||
|
|
||||||
- Create the first release note entry in this section!
|
- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
|
||||||
|
|
||||||
|
- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
|
||||||
|
|
|
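Review bot: in the EC2 metadata entry, an `after` dependency on `fetch-ec2-metadata.service` only orders the two units; it does not cause `fetch-ec2-metadata.service` to be activated. If consumers of `/etc/ec2-metadata` are meant to pull the fetcher in, the note should say to add it to `wants` (or `requires`) as well as `after`. Also add the missing full stop at the end of that sentence and at the end of the opensnitch entry, and the `nix.readOnlyStore` to `boot.readOnlyNixStore` entry should state whether the old name is kept as a renamed-option alias or now fails evaluation, since that decides whether existing configurations break.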
@ -618,7 +618,7 @@ in {
|
||||||
# Install all the user shells
|
# Install all the user shells
|
||||||
environment.systemPackages = systemShells;
|
environment.systemPackages = systemShells;
|
||||||
|
|
||||||
environment.etc = (mapAttrs' (_: { packages, name, ... }: {
|
environment.etc = mapAttrs' (_: { packages, name, ... }: {
|
||||||
name = "profiles/per-user/${name}";
|
name = "profiles/per-user/${name}";
|
||||||
value.source = pkgs.buildEnv {
|
value.source = pkgs.buildEnv {
|
||||||
name = "user-environment";
|
name = "user-environment";
|
||||||
|
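Review bot: the opening parenthesis removed around `mapAttrs' (...)` here is matched by the closing one removed in the next hunk (`}) (filterAttrs ...)`), so the two hunks together are a pure style change: Nix function application binds tighter than the attribute assignment, and the resulting value of `environment.etc` is unchanged. No concerns.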
@ -626,7 +626,7 @@ in {
|
||||||
inherit (config.environment) pathsToLink extraOutputsToInstall;
|
inherit (config.environment) pathsToLink extraOutputsToInstall;
|
||||||
inherit (config.system.path) ignoreCollisions postBuild;
|
inherit (config.system.path) ignoreCollisions postBuild;
|
||||||
};
|
};
|
||||||
}) (filterAttrs (_: u: u.packages != []) cfg.users));
|
}) (filterAttrs (_: u: u.packages != []) cfg.users);
|
||||||
|
|
||||||
environment.profiles = [
|
environment.profiles = [
|
||||||
"$HOME/.nix-profile"
|
"$HOME/.nix-profile"
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{
|
{
|
||||||
x86_64-linux = "/nix/store/nmq5zcd93qb1yskx42rs910ff0247nn2-nix-2.11.0";
|
x86_64-linux = "/nix/store/xdlpraypxdimjyfrr4k06narrv8nmfgh-nix-2.11.1";
|
||||||
i686-linux = "/nix/store/ja6im1sw9a8lzczi10lc0iddffl9kzmn-nix-2.11.0";
|
i686-linux = "/nix/store/acghbpn3aaj2q64mz3ljipsgf9d9qxlp-nix-2.11.1";
|
||||||
aarch64-linux = "/nix/store/myr6fcqa9y4y2fb83zz73dck52vcn81z-nix-2.11.0";
|
aarch64-linux = "/nix/store/0lrf6danhdqjsrhala134ak8vn0b9ghj-nix-2.11.1";
|
||||||
x86_64-darwin = "/nix/store/2pfjz9b22k9997gh7cb0hjk1qa4lxrvy-nix-2.11.0";
|
x86_64-darwin = "/nix/store/60sx4c6xflgqk11gvijwzlsczbxgxgwh-nix-2.11.1";
|
||||||
aarch64-darwin = "/nix/store/lr32i0bdarx1iqsch4sy24jj1jkfw9vf-nix-2.11.0";
|
aarch64-darwin = "/nix/store/dmk5m3nlqp1awaqrp1f06qhhkh3l102n-nix-2.11.1";
|
||||||
}
|
}
|
||||||
|
|
|
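Review bot: all five fallback store paths move from `nix-2.11.0` to `nix-2.11.1` together, which is the expected shape for this file; the hashes cannot be verified from the diff alone, so confirm they were regenerated by the usual update procedure rather than edited by hand, and that the Nix package this fallback is meant to mirror was bumped to 2.11.1 in the same import.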
@ -52,9 +52,13 @@ in
|
||||||
environment.systemPackages = [ cfg.package ];
|
environment.systemPackages = [ cfg.package ];
|
||||||
environment.etc."man_db.conf".text =
|
environment.etc."man_db.conf".text =
|
||||||
let
|
let
|
||||||
|
mandbForBuild = if pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform then
|
||||||
|
cfg.package
|
||||||
|
else
|
||||||
|
pkgs.buildPackages.man-db;
|
||||||
manualCache = pkgs.runCommand "man-cache" { } ''
|
manualCache = pkgs.runCommand "man-cache" { } ''
|
||||||
echo "MANDB_MAP ${cfg.manualPages}/share/man $out" > man.conf
|
echo "MANDB_MAP ${cfg.manualPages}/share/man $out" > man.conf
|
||||||
${cfg.package}/bin/mandb -C man.conf -psc >/dev/null 2>&1
|
${mandbForBuild}/bin/mandb -C man.conf -psc >/dev/null 2>&1
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
''
|
''
|
||||||
|
|
|
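Review bot: `mandbForBuild` falls back to `pkgs.buildPackages.man-db` when cross-compiling, so a user-supplied `cfg.package` (a patched or newer man-db) is silently ignored for cache generation on a cross-compiling host; a comment stating that the build-side man-db only needs to produce an index compatible with `cfg.package` would make that intent explicit. Separately, `${mandbForBuild}/bin/mandb -C man.conf -psc >/dev/null 2>&1` discards all diagnostics, so a failed cache build leaves nothing in the log; consider dropping the stderr redirect.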
@ -23,12 +23,12 @@ let
|
||||||
optionalAttrs (lhs ? packageOverrides) {
|
optionalAttrs (lhs ? packageOverrides) {
|
||||||
packageOverrides = pkgs:
|
packageOverrides = pkgs:
|
||||||
optCall lhs.packageOverrides pkgs //
|
optCall lhs.packageOverrides pkgs //
|
||||||
optCall (attrByPath ["packageOverrides"] ({}) rhs) pkgs;
|
optCall (attrByPath [ "packageOverrides" ] { } rhs) pkgs;
|
||||||
} //
|
} //
|
||||||
optionalAttrs (lhs ? perlPackageOverrides) {
|
optionalAttrs (lhs ? perlPackageOverrides) {
|
||||||
perlPackageOverrides = pkgs:
|
perlPackageOverrides = pkgs:
|
||||||
optCall lhs.perlPackageOverrides pkgs //
|
optCall lhs.perlPackageOverrides pkgs //
|
||||||
optCall (attrByPath ["perlPackageOverrides"] ({}) rhs) pkgs;
|
optCall (attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs;
|
||||||
};
|
};
|
||||||
|
|
||||||
configType = mkOptionType {
|
configType = mkOptionType {
|
||||||
|
@ -67,11 +67,6 @@ let
|
||||||
# Context for messages
|
# Context for messages
|
||||||
hostPlatformLine = optionalString hasHostPlatform "${showOptionWithDefLocs opt.hostPlatform}";
|
hostPlatformLine = optionalString hasHostPlatform "${showOptionWithDefLocs opt.hostPlatform}";
|
||||||
buildPlatformLine = optionalString hasBuildPlatform "${showOptionWithDefLocs opt.buildPlatform}";
|
buildPlatformLine = optionalString hasBuildPlatform "${showOptionWithDefLocs opt.buildPlatform}";
|
||||||
platformLines = optionalString hasPlatform ''
|
|
||||||
Your system configuration configures nixpkgs with platform parameters:
|
|
||||||
${hostPlatformLine
|
|
||||||
}${buildPlatformLine
|
|
||||||
}'';
|
|
||||||
|
|
||||||
legacyOptionsDefined =
|
legacyOptionsDefined =
|
||||||
optional (opt.localSystem.highestPrio < (mkDefault {}).priority) opt.system
|
optional (opt.localSystem.highestPrio < (mkDefault {}).priority) opt.system
|
||||||
|
|
|
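Review bot: `platformLines` is removed together with its body while `hostPlatformLine` and `buildPlatformLine` stay defined; make sure no later expression in this file still interpolates `${platformLines}`, otherwise evaluation fails with an undefined-variable error, and if the two remaining bindings are now unused they should be removed in the same change.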
@ -46,6 +46,7 @@
|
||||||
./hardware/brillo.nix
|
./hardware/brillo.nix
|
||||||
./hardware/ckb-next.nix
|
./hardware/ckb-next.nix
|
||||||
./hardware/cpu/amd-microcode.nix
|
./hardware/cpu/amd-microcode.nix
|
||||||
|
./hardware/cpu/amd-sev.nix
|
||||||
./hardware/cpu/intel-microcode.nix
|
./hardware/cpu/intel-microcode.nix
|
||||||
./hardware/cpu/intel-sgx.nix
|
./hardware/cpu/intel-sgx.nix
|
||||||
./hardware/corectrl.nix
|
./hardware/corectrl.nix
|
||||||
|
@ -966,6 +967,7 @@
|
||||||
./services/networking/syncthing-relay.nix
|
./services/networking/syncthing-relay.nix
|
||||||
./services/networking/syncplay.nix
|
./services/networking/syncplay.nix
|
||||||
./services/networking/tailscale.nix
|
./services/networking/tailscale.nix
|
||||||
|
./services/networking/tayga.nix
|
||||||
./services/networking/tcpcrypt.nix
|
./services/networking/tcpcrypt.nix
|
||||||
./services/networking/teamspeak3.nix
|
./services/networking/teamspeak3.nix
|
||||||
./services/networking/tedicross.nix
|
./services/networking/tedicross.nix
|
||||||
|
@ -1329,6 +1331,7 @@
|
||||||
./virtualisation/parallels-guest.nix
|
./virtualisation/parallels-guest.nix
|
||||||
./virtualisation/podman/default.nix
|
./virtualisation/podman/default.nix
|
||||||
./virtualisation/qemu-guest-agent.nix
|
./virtualisation/qemu-guest-agent.nix
|
||||||
|
./virtualisation/rosetta.nix
|
||||||
./virtualisation/spice-usb-redirection.nix
|
./virtualisation/spice-usb-redirection.nix
|
||||||
./virtualisation/virtualbox-guest.nix
|
./virtualisation/virtualbox-guest.nix
|
||||||
./virtualisation/virtualbox-host.nix
|
./virtualisation/virtualbox-host.nix
|
||||||
|
|
|
@ -31,7 +31,7 @@ in
|
||||||
"pata_winbond"
|
"pata_winbond"
|
||||||
|
|
||||||
# SCSI support (incomplete).
|
# SCSI support (incomplete).
|
||||||
"3w-9xxx" "3w-xxxx" "aic79xx" "aic7xxx" "arcmsr"
|
"3w-9xxx" "3w-xxxx" "aic79xx" "aic7xxx" "arcmsr" "hpsa"
|
||||||
|
|
||||||
# USB support, especially for booting from USB CD-ROM
|
# USB support, especially for booting from USB CD-ROM
|
||||||
# drives.
|
# drives.
|
||||||
|
|
|
@ -1,13 +1,12 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let inherit (pkgs) writeScript; in
|
|
||||||
|
|
||||||
let
|
let
|
||||||
pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
|
inherit (pkgs) writeScript;
|
||||||
|
|
||||||
in {
|
pkgs2storeContents = map (x: { object = x; symlink = "none"; });
|
||||||
|
in
|
||||||
|
|
||||||
|
{
|
||||||
# Docker image config.
|
# Docker image config.
|
||||||
imports = [
|
imports = [
|
||||||
../installer/cd-dvd/channel.nix
|
../installer/cd-dvd/channel.nix
|
||||||
|
|
|
@ -13,6 +13,12 @@ in {
|
||||||
services.erigon = {
|
services.erigon = {
|
||||||
enable = mkEnableOption (lib.mdDoc "Ethereum implementation on the efficiency frontier");
|
enable = mkEnableOption (lib.mdDoc "Ethereum implementation on the efficiency frontier");
|
||||||
|
|
||||||
|
extraArgs = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
description = lib.mdDoc "Additional arguments passed to Erigon";
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
|
||||||
secretJwtPath = mkOption {
|
secretJwtPath = mkOption {
|
||||||
type = types.path;
|
type = types.path;
|
||||||
description = lib.mdDoc ''
|
description = lib.mdDoc ''
|
||||||
|
@ -86,7 +92,7 @@ in {
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}";
|
LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}";
|
||||||
ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT";
|
ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT ${lib.escapeShellArgs cfg.extraArgs}";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
StateDirectory = "erigon";
|
StateDirectory = "erigon";
|
||||||
|
|
|
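Review bot: `lib.escapeShellArgs cfg.extraArgs` handles shell quoting, but `ExecStart` also goes through systemd specifier expansion (the `%d/ERIGON_JWT` on the same line relies on it), so an extra argument containing `%` would be rewritten by systemd unless the character is doubled; either note that in the `extraArgs` description or map `replaceStrings ["%"] ["%%"]` over the arguments before interpolating them. An `example` on the option in the previous hunk would also help users see the expected shape.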
@ -141,9 +141,9 @@ in
|
||||||
|
|
||||||
services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir;
|
services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir;
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = (mkIf cfg.hbase.master.openFirewall [
|
networking.firewall.allowedTCPPorts = mkIf cfg.hbase.master.openFirewall [
|
||||||
16000 16010
|
16000 16010
|
||||||
]);
|
];
|
||||||
|
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@ -168,9 +168,9 @@ in
|
||||||
services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir;
|
services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir;
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
firewall.allowedTCPPorts = (mkIf cfg.hbase.regionServer.openFirewall [
|
firewall.allowedTCPPorts = mkIf cfg.hbase.regionServer.openFirewall [
|
||||||
16020 16030
|
16020 16030
|
||||||
]);
|
];
|
||||||
hosts = mkIf cfg.hbase.regionServer.overrideHosts {
|
hosts = mkIf cfg.hbase.regionServer.overrideHosts {
|
||||||
"127.0.0.2" = mkForce [ ];
|
"127.0.0.2" = mkForce [ ];
|
||||||
"::1" = mkForce [ ];
|
"::1" = mkForce [ ];
|
||||||
|
|
|
@ -10,7 +10,7 @@ let
|
||||||
|
|
||||||
python = cfg.package.pythonModule;
|
python = cfg.package.pythonModule;
|
||||||
|
|
||||||
escapeStr = s: escape ["'"] s;
|
escapeStr = escape [ "'" ];
|
||||||
|
|
||||||
defaultMasterCfg = pkgs.writeText "master.cfg" ''
|
defaultMasterCfg = pkgs.writeText "master.cfg" ''
|
||||||
from buildbot.plugins import *
|
from buildbot.plugins import *
|
||||||
|
@ -245,9 +245,7 @@ in {
|
||||||
description = "Buildbot User.";
|
description = "Buildbot User.";
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
createHome = true;
|
createHome = true;
|
||||||
home = cfg.home;
|
inherit (cfg) home group extraGroups;
|
||||||
group = cfg.group;
|
|
||||||
extraGroups = cfg.extraGroups;
|
|
||||||
useDefaultShell = true;
|
useDefaultShell = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -67,7 +67,7 @@ in {
|
||||||
'');
|
'');
|
||||||
|
|
||||||
servers = mkOption {
|
servers = mkOption {
|
||||||
type = with types; attrsOf (submodule ({config, name, ...}@args: {
|
type = with types; attrsOf (submodule ({ config, name, ... }: {
|
||||||
options = {
|
options = {
|
||||||
enable = mkEnableOption (lib.mdDoc ''
|
enable = mkEnableOption (lib.mdDoc ''
|
||||||
Redis server.
|
Redis server.
|
||||||
|
@ -271,14 +271,11 @@ in {
|
||||||
};
|
};
|
||||||
config.settings = mkMerge [
|
config.settings = mkMerge [
|
||||||
{
|
{
|
||||||
port = config.port;
|
inherit (config) port logfile databases maxclients appendOnly;
|
||||||
daemonize = false;
|
daemonize = false;
|
||||||
supervised = "systemd";
|
supervised = "systemd";
|
||||||
loglevel = config.logLevel;
|
loglevel = config.logLevel;
|
||||||
logfile = config.logfile;
|
|
||||||
syslog-enabled = config.syslog;
|
syslog-enabled = config.syslog;
|
||||||
databases = config.databases;
|
|
||||||
maxclients = config.maxclients;
|
|
||||||
save = if config.save == []
|
save = if config.save == []
|
||||||
then ''""'' # Disable saving with `save = ""`
|
then ''""'' # Disable saving with `save = ""`
|
||||||
else map
|
else map
|
||||||
|
@ -286,12 +283,11 @@ in {
|
||||||
config.save;
|
config.save;
|
||||||
dbfilename = "dump.rdb";
|
dbfilename = "dump.rdb";
|
||||||
dir = "/var/lib/${redisName name}";
|
dir = "/var/lib/${redisName name}";
|
||||||
appendOnly = config.appendOnly;
|
|
||||||
appendfsync = config.appendFsync;
|
appendfsync = config.appendFsync;
|
||||||
slowlog-log-slower-than = config.slowLogLogSlowerThan;
|
slowlog-log-slower-than = config.slowLogLogSlowerThan;
|
||||||
slowlog-max-len = config.slowLogMaxLen;
|
slowlog-max-len = config.slowLogMaxLen;
|
||||||
}
|
}
|
||||||
(mkIf (config.bind != null) { bind = config.bind; })
|
(mkIf (config.bind != null) { inherit (config) bind; })
|
||||||
(mkIf (config.unixSocket != null) {
|
(mkIf (config.unixSocket != null) {
|
||||||
unixsocket = config.unixSocket;
|
unixsocket = config.unixSocket;
|
||||||
unixsocketperm = toString config.unixSocketPerm;
|
unixsocketperm = toString config.unixSocketPerm;
|
||||||
|
|
|
@ -119,7 +119,7 @@ in {
|
||||||
|
|
||||||
kernels = mkOption {
|
kernels = mkOption {
|
||||||
type = types.nullOr (types.attrsOf(types.submodule (import ./kernel-options.nix {
|
type = types.nullOr (types.attrsOf(types.submodule (import ./kernel-options.nix {
|
||||||
inherit lib;
|
inherit lib pkgs;
|
||||||
})));
|
})));
|
||||||
|
|
||||||
default = null;
|
default = null;
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
# Options that can be used for creating a jupyter kernel.
|
# Options that can be used for creating a jupyter kernel.
|
||||||
{lib }:
|
{ lib, pkgs }:
|
||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
{
|
{
|
||||||
|
freeformType = (pkgs.formats.json { }).type;
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
|
|
||||||
displayName = mkOption {
|
displayName = mkOption {
|
||||||
|
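Review bot: `freeformType = (pkgs.formats.json { }).type;` makes the kernel submodule freeform, so a misspelled attribute (`displayname` instead of `displayName`) is no longer rejected by the module system and instead lands verbatim in the generated kernel spec; a sentence in the header comment saying that unknown keys are passed through to the kernel JSON unchanged would save users a confusing debugging session.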
@ -40,6 +42,15 @@ with lib;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
env = mkOption {
|
||||||
|
type = types.attrsOf types.str;
|
||||||
|
default = { };
|
||||||
|
example = { OMP_NUM_THREADS = "1"; };
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Environment variables to set for the kernel.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
logo32 = mkOption {
|
logo32 = mkOption {
|
||||||
type = types.nullOr types.path;
|
type = types.nullOr types.path;
|
||||||
default = null;
|
default = null;
|
||||||
|
|
|
@ -119,7 +119,7 @@ in {
|
||||||
|
|
||||||
kernels = mkOption {
|
kernels = mkOption {
|
||||||
type = types.nullOr (types.attrsOf(types.submodule (import ../jupyter/kernel-options.nix {
|
type = types.nullOr (types.attrsOf(types.submodule (import ../jupyter/kernel-options.nix {
|
||||||
inherit lib;
|
inherit lib pkgs;
|
||||||
})));
|
})));
|
||||||
|
|
||||||
default = null;
|
default = null;
|
||||||
|
|
|
@ -131,9 +131,9 @@ in {
|
||||||
exp_table = "";
|
exp_table = "";
|
||||||
forbid = "";
|
forbid = "";
|
||||||
metaserver2 = "";
|
metaserver2 = "";
|
||||||
motd = (fileContents "${cfg.package}/etc/crossfire/motd");
|
motd = fileContents "${cfg.package}/etc/crossfire/motd";
|
||||||
news = (fileContents "${cfg.package}/etc/crossfire/news");
|
news = fileContents "${cfg.package}/etc/crossfire/news";
|
||||||
rules = (fileContents "${cfg.package}/etc/crossfire/rules");
|
rules = fileContents "${cfg.package}/etc/crossfire/rules";
|
||||||
settings = "";
|
settings = "";
|
||||||
stat_bonus = "";
|
stat_bonus = "";
|
||||||
} // cfg.configFiles);
|
} // cfg.configFiles);
|
||||||
|
|
|
@ -126,6 +126,15 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
hardware.sane.openFirewall = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Open ports needed for discovery of scanners on the local network, e.g.
|
||||||
|
needed for Canon scanners (BJNP protocol).
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
services.saned.enable = mkOption {
|
services.saned.enable = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
|
@ -163,6 +172,7 @@ in
|
||||||
services.udev.packages = backends;
|
services.udev.packages = backends;
|
||||||
|
|
||||||
users.groups.scanner.gid = config.ids.gids.scanner;
|
users.groups.scanner.gid = config.ids.gids.scanner;
|
||||||
|
networking.firewall.allowedUDPPorts = mkIf config.hardware.sane.openFirewall [ 8612 ];
|
||||||
})
|
})
|
||||||
|
|
||||||
(mkIf config.services.saned.enable {
|
(mkIf config.services.saned.enable {
|
||||||
|
|
|
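Review bot: `allowedUDPPorts = mkIf config.hardware.sane.openFirewall [ 8612 ]` opens BJNP discovery on every interface, not only the "local network" the option description in the previous hunk refers to; name the port and protocol (8612/udp) in that description so users know what they are exposing, and point anyone who needs to restrict it to `networking.firewall.interfaces.<iface>.allowedUDPPorts`.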
@ -45,8 +45,8 @@ let
|
||||||
initDBDir = "share/doc/gammu/examples/sql";
|
initDBDir = "share/doc/gammu/examples/sql";
|
||||||
|
|
||||||
gammuPackage = with cfg.backend; (pkgs.gammu.override {
|
gammuPackage = with cfg.backend; (pkgs.gammu.override {
|
||||||
dbiSupport = (service == "sql" && sql.driver == "sqlite");
|
dbiSupport = service == "sql" && sql.driver == "sqlite";
|
||||||
postgresSupport = (service == "sql" && sql.driver == "native_pgsql");
|
postgresSupport = service == "sql" && sql.driver == "native_pgsql";
|
||||||
});
|
});
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
|
|
@ -483,7 +483,7 @@ in
|
||||||
description = "gitea";
|
description = "gitea";
|
||||||
after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service";
|
after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
path = [ gitea pkgs.git ];
|
path = [ gitea pkgs.git pkgs.gnupg ];
|
||||||
|
|
||||||
# In older versions the secret naming for JWT was kind of confusing.
|
# In older versions the secret naming for JWT was kind of confusing.
|
||||||
# The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET
|
# The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET
|
||||||
|
|
|
@ -16,22 +16,6 @@ let
|
||||||
else
|
else
|
||||||
pkgs.postgresql_12;
|
pkgs.postgresql_12;
|
||||||
|
|
||||||
# Git 2.36.1 seemingly contains a commit-graph related bug which is
|
|
||||||
# easily triggered through GitLab, so we downgrade it to 2.35.x
|
|
||||||
# until this issue is solved. See
|
|
||||||
# https://gitlab.com/gitlab-org/gitlab/-/issues/360783#note_992870101.
|
|
||||||
gitPackage =
|
|
||||||
let
|
|
||||||
version = "2.35.4";
|
|
||||||
in
|
|
||||||
pkgs.git.overrideAttrs (oldAttrs: rec {
|
|
||||||
inherit version;
|
|
||||||
src = pkgs.fetchurl {
|
|
||||||
url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz";
|
|
||||||
sha256 = "sha256-mv13OdNkXggeKQkJ+47QcJ6lYmcw6Qjri1ZJ2ETCTOk=";
|
|
||||||
};
|
|
||||||
});
|
|
||||||
|
|
||||||
gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket";
|
gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket";
|
||||||
gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket";
|
gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket";
|
||||||
pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url;
|
pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url;
|
||||||
|
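Review bot: the pinned `gitPackage` (git 2.35.4, downgraded because of the commit-graph bug in the linked GitLab issue) is dropped in favour of `pkgs.git`, but neither the hunk nor the commit message states that the upstream issue is fixed in the git version nixpkgs now ships; add that reference, because a regression here surfaces only at runtime on the GitLab instance rather than as a build failure.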
@ -60,7 +44,7 @@ let
|
||||||
prometheus_listen_addr = "localhost:9236"
|
prometheus_listen_addr = "localhost:9236"
|
||||||
|
|
||||||
[git]
|
[git]
|
||||||
bin_path = "${gitPackage}/bin/git"
|
bin_path = "${pkgs.git}/bin/git"
|
||||||
|
|
||||||
[gitaly-ruby]
|
[gitaly-ruby]
|
||||||
dir = "${cfg.packages.gitaly.ruby}"
|
dir = "${cfg.packages.gitaly.ruby}"
|
||||||
|
@ -157,7 +141,7 @@ let
|
||||||
};
|
};
|
||||||
workhorse.secret_file = "${cfg.statePath}/.gitlab_workhorse_secret";
|
workhorse.secret_file = "${cfg.statePath}/.gitlab_workhorse_secret";
|
||||||
gitlab_kas.secret_file = "${cfg.statePath}/.gitlab_kas_secret";
|
gitlab_kas.secret_file = "${cfg.statePath}/.gitlab_kas_secret";
|
||||||
git.bin_path = "${gitPackage}/bin/git";
|
git.bin_path = "git";
|
||||||
monitoring = {
|
monitoring = {
|
||||||
ip_whitelist = [ "127.0.0.0/8" "::1/128" ];
|
ip_whitelist = [ "127.0.0.0/8" "::1/128" ];
|
||||||
sidekiq_exporter = {
|
sidekiq_exporter = {
|
||||||
|
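Review bot: `git.bin_path = "git";` replaces an absolute store path with a bare name resolved through `PATH`, while the gitaly config in the previous hunk keeps `${pkgs.git}/bin/git`; the bare name works for the systemd units that list `git` in their `path`, but any helper started with a different environment picks up whichever `git` it finds first. Using `"${pkgs.git}/bin/git"` here keeps both configs pointing at the same binary.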
@ -1325,7 +1309,7 @@ in {
|
||||||
});
|
});
|
||||||
path = with pkgs; [
|
path = with pkgs; [
|
||||||
postgresqlPackage
|
postgresqlPackage
|
||||||
gitPackage
|
git
|
||||||
ruby
|
ruby
|
||||||
openssh
|
openssh
|
||||||
nodejs
|
nodejs
|
||||||
|
@ -1356,7 +1340,7 @@ in {
|
||||||
path = with pkgs; [
|
path = with pkgs; [
|
||||||
openssh
|
openssh
|
||||||
procps # See https://gitlab.com/gitlab-org/gitaly/issues/1562
|
procps # See https://gitlab.com/gitlab-org/gitaly/issues/1562
|
||||||
gitPackage
|
git
|
||||||
cfg.packages.gitaly.rubyEnv
|
cfg.packages.gitaly.rubyEnv
|
||||||
cfg.packages.gitaly.rubyEnv.wrappedRuby
|
cfg.packages.gitaly.rubyEnv.wrappedRuby
|
||||||
gzip
|
gzip
|
||||||
|
@ -1402,7 +1386,7 @@ in {
|
||||||
path = with pkgs; [
|
path = with pkgs; [
|
||||||
remarshal
|
remarshal
|
||||||
exiftool
|
exiftool
|
||||||
gitPackage
|
git
|
||||||
gnutar
|
gnutar
|
||||||
gzip
|
gzip
|
||||||
openssh
|
openssh
|
||||||
|
@ -1475,7 +1459,7 @@ in {
|
||||||
environment = gitlabEnv;
|
environment = gitlabEnv;
|
||||||
path = with pkgs; [
|
path = with pkgs; [
|
||||||
postgresqlPackage
|
postgresqlPackage
|
||||||
gitPackage
|
git
|
||||||
openssh
|
openssh
|
||||||
nodejs
|
nodejs
|
||||||
procps
|
procps
|
||||||
|
|
|
@ -115,6 +115,7 @@ in
|
||||||
(mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; })
|
(mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; })
|
||||||
(mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; })
|
(mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; })
|
||||||
(mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; })
|
(mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; })
|
||||||
|
(mkRenamedOptionModuleWith { sinceRelease = 2211; from = [ "nix" "readOnlyStore" ]; to = [ "boot" "readOnlyNixStore" ]; })
|
||||||
(mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")
|
(mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")
|
||||||
] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" oldConf ]; to = [ "nix" "settings" newConf ]; }) legacyConfMappings;
|
] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" oldConf ]; to = [ "nix" "settings" newConf ]; }) legacyConfMappings;
|
||||||
|
|
||||||
|
@ -366,17 +367,6 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
readOnlyStore = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
If set, NixOS will enforce the immutability of the Nix store
|
|
||||||
by making {file}`/nix/store` a read-only bind
|
|
||||||
mount. Nix will automatically make the store writable when
|
|
||||||
needed.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
nixPath = mkOption {
|
nixPath = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
default = [
|
default = [
|
||||||
|
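Review bot: the removed `readOnlyStore` option defaulted to `true`, so the rename to `boot.readOnlyNixStore` in the previous hunk must preserve that default, otherwise systems that never set the option lose the read-only bind mount of `/nix/store` on their next rebuild; the description (bind mount, Nix remounting writable when needed) should move with the option rather than being dropped.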
@ -414,6 +404,7 @@ in
|
||||||
str
|
str
|
||||||
int
|
int
|
||||||
bool
|
bool
|
||||||
|
path
|
||||||
package
|
package
|
||||||
]);
|
]);
|
||||||
in
|
in
|
||||||
|
|
|
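Review bot: adding `path` to the allowed value types for `nix.settings` has a side effect worth documenting: if the renderer interpolates the value with `"${v}"`, an unquoted path literal such as `secret-key-files = /etc/nix/key;` is copied into the world-readable store, whereas `toString v` only writes the location. Check which form the nix.conf generator uses and, either way, say in the option description that file locations for secret material should be given as strings.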
@ -47,6 +47,12 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
openFirewall = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc "Open ports in the firewall for OctoPrint.";
|
||||||
|
};
|
||||||
|
|
||||||
user = mkOption {
|
user = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "octoprint";
|
default = "octoprint";
|
||||||
|
@ -128,6 +134,6 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -19,29 +19,66 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
settings = mkOption {
|
settings = mkOption {
|
||||||
type = format.type;
|
default = {};
|
||||||
description = lib.mdDoc ''
|
description = lib.mdDoc ''
|
||||||
Your {file}`pinnwand.toml` as a Nix attribute set. Look up
|
Your {file}`pinnwand.toml` as a Nix attribute set. Look up
|
||||||
possible options in the [pinnwand.toml-example](https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example).
|
possible options in the [documentation](https://pinnwand.readthedocs.io/en/v${pkgs.pinnwand.version}/configuration.html).
|
||||||
'';
|
'';
|
||||||
default = {};
|
type = types.submodule {
|
||||||
|
freeformType = format.type;
|
||||||
|
options = {
|
||||||
|
database_uri = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "sqlite:////var/lib/pinnwand/pinnwand.db";
|
||||||
|
example = "sqlite:///:memory";
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Database URI compatible with [SQLAlchemyhttps://docs.sqlalchemy.org/en/14/core/engines.html#database-urls].
|
||||||
|
|
||||||
|
Additional packages may need to be introduced into the environment for certain databases.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
paste_size = mkOption {
|
||||||
|
type = types.ints.positive;
|
||||||
|
default = 262144;
|
||||||
|
example = 524288;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Maximum size of a paste in bytes.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
paste_help = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = ''
|
||||||
|
<p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p>
|
||||||
|
'';
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Raw HTML help text shown in the header area.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
footer = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = ''
|
||||||
|
View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page.
|
||||||
|
'';
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
The footer in raw HTML.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
services.pinnwand.settings = {
|
systemd.services.pinnwand = {
|
||||||
database_uri = mkDefault "sqlite:////var/lib/pinnwand/pinnwand.db";
|
description = "Pinnwannd HTTP Server";
|
||||||
paste_size = mkDefault 262144;
|
after = [ "network.target" ];
|
||||||
paste_help = mkDefault ''
|
wantedBy = [ "multi-user.target" ];
|
||||||
<p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p>
|
|
||||||
'';
|
|
||||||
footer = mkDefault ''
|
|
||||||
View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services = let
|
unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/";
|
||||||
hardeningOptions = {
|
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile} http --port ${toString cfg.port}";
|
||||||
User = "pinnwand";
|
User = "pinnwand";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
|
|
||||||
|
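Review bot: the `database_uri` description contains a broken link: `[SQLAlchemyhttps://docs.sqlalchemy.org/...]` is missing the `](` between the link text and the URL and will render as literal brackets; it should read `[SQLAlchemy](https://docs.sqlalchemy.org/en/14/core/engines.html#database-urls)`. The `example = "sqlite:///:memory";` is also off by one character, SQLAlchemy's in-memory form is `sqlite:///:memory:`. The moved unit description still says "Pinnwannd HTTP Server" (typo for Pinnwand).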
@ -72,32 +109,14 @@ in
|
||||||
RestrictNamespaces = true;
|
RestrictNamespaces = true;
|
||||||
RestrictRealtime = true;
|
RestrictRealtime = true;
|
||||||
SystemCallArchitectures = "native";
|
SystemCallArchitectures = "native";
|
||||||
SystemCallFilter = "@system-service";
|
SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
"~@privileged"
|
||||||
|
];
|
||||||
UMask = "0077";
|
UMask = "0077";
|
||||||
};
|
};
|
||||||
|
|
||||||
command = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile}";
|
|
||||||
in {
|
|
||||||
pinnwand = {
|
|
||||||
description = "Pinnwannd HTTP Server";
|
|
||||||
after = [ "network.target" ];
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
|
|
||||||
unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/";
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = "${command} http --port ${toString(cfg.port)}";
|
|
||||||
} // hardeningOptions;
|
|
||||||
};
|
|
||||||
|
|
||||||
pinnwand-reaper = {
|
|
||||||
description = "Pinnwand Reaper";
|
|
||||||
startAt = "daily";
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = "${command} -vvvv reap"; # verbosity increased to show number of deleted pastes
|
|
||||||
} // hardeningOptions;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
meta.buildDocsInSandbox = false;
|
||||||
}
|
}
|
||||||
|
|
|
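Review bot: the `pinnwand-reaper` unit (daily `pinnwand -vvvv reap`, sharing `hardeningOptions`) is deleted without replacement, and nothing in the hunk indicates that expiry is now handled inside the HTTP server; if it is not, expired pastes are never purged and the database grows without bound. Either keep a reaper service or state in the commit message why it is no longer needed. Adding `"~@privileged"` to `SystemCallFilter` is a welcome tightening.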
@ -206,6 +206,57 @@ in
|
||||||
description = lib.mdDoc "Create the database and database user locally.";
|
description = lib.mdDoc "Create the database and database user locally.";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
components = {
|
||||||
|
subversion = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc "Subversion integration.";
|
||||||
|
};
|
||||||
|
|
||||||
|
mercurial = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc "Mercurial integration.";
|
||||||
|
};
|
||||||
|
|
||||||
|
git = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc "git integration.";
|
||||||
|
};
|
||||||
|
|
||||||
|
cvs = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc "cvs integration.";
|
||||||
|
};
|
||||||
|
|
||||||
|
breezy = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc "bazaar integration.";
|
||||||
|
};
|
||||||
|
|
||||||
|
imagemagick = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc "Allows exporting Gant diagrams as PNG.";
|
||||||
|
};
|
||||||
|
|
||||||
|
ghostscript = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc "Allows exporting Gant diagrams as PDF.";
|
||||||
|
};
|
||||||
|
|
||||||
|
minimagick_font_path = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "";
|
||||||
|
description = lib.mdDoc "MiniMagick font path";
|
||||||
|
example = "/run/current-system/sw/share/X11/fonts/LiberationSans-Regular.ttf";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
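Review bot: both image-export descriptions say "Gant diagrams"; the name is Gantt. Since `minimagick_font_path` defaults to `""` and the next hunk asserts it is set whenever `imagemagick` is enabled, the `imagemagick` description should say that a font path is required; the `example` under `/run/current-system/sw/share/X11/fonts/` also only resolves when a font package is installed system-wide, so pointing at a font package's own store path would be a self-contained example.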
@ -225,16 +276,21 @@ in
|
||||||
{ assertion = cfg.database.createLocally -> cfg.database.host == "localhost";
|
{ assertion = cfg.database.createLocally -> cfg.database.host == "localhost";
|
||||||
message = "services.redmine.database.host must be set to localhost if services.redmine.database.createLocally is set to true";
|
message = "services.redmine.database.host must be set to localhost if services.redmine.database.createLocally is set to true";
|
||||||
}
|
}
|
||||||
|
{ assertion = cfg.components.imagemagick -> cfg.components.minimagick_font_path != "";
|
||||||
|
message = "services.redmine.components.minimagick_font_path must be configured with a path to a font file if services.redmine.components.imagemagick is set to true.";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
services.redmine.settings = {
|
services.redmine.settings = {
|
||||||
production = {
|
production = {
|
||||||
scm_subversion_command = "${pkgs.subversion}/bin/svn";
|
scm_subversion_command = if cfg.components.subversion then "${pkgs.subversion}/bin/svn" else "";
|
||||||
scm_mercurial_command = "${pkgs.mercurial}/bin/hg";
|
scm_mercurial_command = if cfg.components.mercurial then "${pkgs.mercurial}/bin/hg" else "";
|
||||||
scm_git_command = "${pkgs.git}/bin/git";
|
scm_git_command = if cfg.components.git then "${pkgs.git}/bin/git" else "";
|
||||||
scm_cvs_command = "${pkgs.cvs}/bin/cvs";
|
scm_cvs_command = if cfg.components.cvs then "${pkgs.cvs}/bin/cvs" else "";
|
||||||
scm_bazaar_command = "${pkgs.breezy}/bin/bzr";
|
scm_bazaar_command = if cfg.components.breezy then "${pkgs.breezy}/bin/bzr" else "";
|
||||||
scm_darcs_command = "${pkgs.darcs}/bin/darcs";
|
imagemagick_convert_command = if cfg.components.imagemagick then "${pkgs.imagemagick}/bin/convert" else "";
|
||||||
|
gs_command = if cfg.components.ghostscript then "${pkgs.ghostscript}/bin/gs" else "";
|
||||||
|
minimagick_font_path = "${cfg.components.minimagick_font_path}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
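Review bot: `scm_darcs_command` is removed without a corresponding `components.darcs` option, so darcs repository support silently disappears for existing installations (the next hunk also drops `darcs` from `path`); either add a `darcs` component like the others or call the removal out in the release notes. Minor: `minimagick_font_path = "${cfg.components.minimagick_font_path}";` can be just `cfg.components.minimagick_font_path`, the option is already a string.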
@ -296,14 +352,15 @@ in
|
||||||
environment.REDMINE_LANG = "en";
|
environment.REDMINE_LANG = "en";
|
||||||
environment.SCHEMA = "${cfg.stateDir}/cache/schema.db";
|
environment.SCHEMA = "${cfg.stateDir}/cache/schema.db";
|
||||||
path = with pkgs; [
|
path = with pkgs; [
|
||||||
imagemagick
|
]
|
||||||
breezy
|
++ optional cfg.components.subversion subversion
|
||||||
cvs
|
++ optional cfg.components.mercurial mercurial
|
||||||
darcs
|
++ optional cfg.components.git git
|
||||||
git
|
++ optional cfg.components.cvs cvs
|
||||||
mercurial
|
++ optional cfg.components.breezy breezy
|
||||||
subversion
|
++ optional cfg.components.imagemagick imagemagick
|
||||||
];
|
++ optional cfg.components.ghostscript ghostscript;
|
||||||
|
|
||||||
preStart = ''
|
preStart = ''
|
||||||
rm -rf "${cfg.stateDir}/plugins/"*
|
rm -rf "${cfg.stateDir}/plugins/"*
|
||||||
rm -rf "${cfg.stateDir}/public/themes/"*
|
rm -rf "${cfg.stateDir}/public/themes/"*
|
||||||
|
|
|
@ -88,7 +88,6 @@ let
|
||||||
# Sourcehut services
|
# Sourcehut services
|
||||||
srht
|
srht
|
||||||
buildsrht
|
buildsrht
|
||||||
dispatchsrht
|
|
||||||
gitsrht
|
gitsrht
|
||||||
hgsrht
|
hgsrht
|
||||||
hubsrht
|
hubsrht
|
||||||
|
@ -109,13 +108,13 @@ in
|
||||||
{
|
{
|
||||||
options.services.sourcehut = {
|
options.services.sourcehut = {
|
||||||
enable = mkEnableOption (lib.mdDoc ''
|
enable = mkEnableOption (lib.mdDoc ''
|
||||||
sourcehut - git hosting, continuous integration, mailing list, ticket tracking,
|
sourcehut - git hosting, continuous integration, mailing list, ticket tracking, wiki
|
||||||
task dispatching, wiki and account management services
|
and account management services
|
||||||
'');
|
'');
|
||||||
|
|
||||||
services = mkOption {
|
services = mkOption {
|
||||||
type = with types; listOf (enum
|
type = with types; listOf (enum
|
||||||
[ "builds" "dispatch" "git" "hg" "hub" "lists" "man" "meta" "pages" "paste" "todo" ]);
|
[ "builds" "git" "hg" "hub" "lists" "man" "meta" "pages" "paste" "todo" ]);
|
||||||
defaultText = "locally enabled services";
|
defaultText = "locally enabled services";
|
||||||
description = lib.mdDoc ''
|
description = lib.mdDoc ''
|
||||||
Services that may be displayed as links in the title bar of the Web interface.
|
Services that may be displayed as links in the title bar of the Web interface.
|
||||||
|
@ -301,32 +300,6 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
options."dispatch.sr.ht" = commonServiceSettings "dispatch" // {
|
|
||||||
};
|
|
||||||
options."dispatch.sr.ht::github" = {
|
|
||||||
oauth-client-id = mkOptionNullOrStr "OAuth client id.";
|
|
||||||
oauth-client-secret = mkOptionNullOrStr "OAuth client secret.";
|
|
||||||
};
|
|
||||||
options."dispatch.sr.ht::gitlab" = {
|
|
||||||
enabled = mkEnableOption (lib.mdDoc "GitLab integration");
|
|
||||||
canonical-upstream = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "Canonical upstream.";
|
|
||||||
default = "gitlab.com";
|
|
||||||
};
|
|
||||||
repo-cache = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "Repository cache directory.";
|
|
||||||
default = "./repo-cache";
|
|
||||||
};
|
|
||||||
"gitlab.com" = mkOption {
|
|
||||||
type = with types; nullOr str;
|
|
||||||
description = lib.mdDoc "GitLab id and secret.";
|
|
||||||
default = null;
|
|
||||||
example = "GitLab:application id:secret";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
options."builds.sr.ht" = commonServiceSettings "builds" // {
|
options."builds.sr.ht" = commonServiceSettings "builds" // {
|
||||||
allow-free = mkEnableOption (lib.mdDoc "nonpaying users to submit builds");
|
allow-free = mkEnableOption (lib.mdDoc "nonpaying users to submit builds");
|
||||||
redis = mkOption {
|
redis = mkOption {
|
||||||
|
@ -1021,11 +994,6 @@ in
|
||||||
];
|
];
|
||||||
})
|
})
|
||||||
|
|
||||||
(import ./service.nix "dispatch" {
|
|
||||||
inherit configIniOfService;
|
|
||||||
port = 5005;
|
|
||||||
})
|
|
||||||
|
|
||||||
(import ./service.nix "git" (let
|
(import ./service.nix "git" (let
|
||||||
baseService = {
|
baseService = {
|
||||||
path = [ cfg.git.package ];
|
path = [ cfg.git.package ];
|
||||||
|
@ -1416,6 +1384,10 @@ in
|
||||||
(mkRenamedOptionModule [ "services" "sourcehut" "address" ]
|
(mkRenamedOptionModule [ "services" "sourcehut" "address" ]
|
||||||
[ "services" "sourcehut" "listenAddress" ])
|
[ "services" "sourcehut" "listenAddress" ])
|
||||||
|
|
||||||
|
(mkRemovedOptionModule [ "services" "sourcehut" "dispatch" ] ''
|
||||||
|
dispatch is deprecated. See https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/
|
||||||
|
for more information.
|
||||||
|
'')
|
||||||
];
|
];
|
||||||
|
|
||||||
meta.doc = ./sourcehut.xml;
|
meta.doc = ./sourcehut.xml;
|
||||||
|
|
|
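Review bot: the new `mkRemovedOptionModule [ "services" "sourcehut" "dispatch" ]` only covers the top-level `dispatch` option, but the earlier hunk also removes `options."dispatch.sr.ht"`, `options."dispatch.sr.ht::github"` (including `oauth-client-secret`) and `options."dispatch.sr.ht::gitlab"` from the settings; users who still set those keys get no migration message pointing at the deprecation notice. Consider adding removed-option entries for the settings paths as well, or at least mention them in the release-note entry for the dispatch removal.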
@ -10,7 +10,7 @@ let
|
||||||
text = "default:";
|
text = "default:";
|
||||||
};
|
};
|
||||||
|
|
||||||
computedConfigFile = "${if cfg.configFile == null then emptyConfigFile else cfg.configFile}";
|
computedConfigFile = if cfg.configFile == null then emptyConfigFile else cfg.configFile;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
port = 9221;
|
port = 9221;
|
||||||
|
@ -100,6 +100,8 @@ in
|
||||||
};
|
};
|
||||||
serviceOpts = {
|
serviceOpts = {
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
|
DynamicUser = cfg.environmentFile == null;
|
||||||
|
LoadCredential = "configFile:${computedConfigFile}";
|
||||||
ExecStart = ''
|
ExecStart = ''
|
||||||
${cfg.package}/bin/pve_exporter \
|
${cfg.package}/bin/pve_exporter \
|
||||||
--${if cfg.collectors.status == true then "" else "no-"}collector.status \
|
--${if cfg.collectors.status == true then "" else "no-"}collector.status \
|
||||||
|
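Review bot: `DynamicUser = cfg.environmentFile == null;` ties the dynamic user to the absence of an environment file without a comment saying why; systemd reads `EnvironmentFile=` as PID 1 before dropping privileges, so the reason is not obvious from the hunk and a one-line comment would help the next maintainer. Moving the config file behind `LoadCredential = "configFile:${computedConfigFile}"` is the right call, since it lets a root-owned credentials file be read by the service user without loosening its permissions; the matching `%d/configFile` in the next hunk completes that change.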
@ -108,7 +110,7 @@ in
|
||||||
--${if cfg.collectors.cluster == true then "" else "no-"}collector.cluster \
|
--${if cfg.collectors.cluster == true then "" else "no-"}collector.cluster \
|
||||||
--${if cfg.collectors.resources == true then "" else "no-"}collector.resources \
|
--${if cfg.collectors.resources == true then "" else "no-"}collector.resources \
|
||||||
--${if cfg.collectors.config == true then "" else "no-"}collector.config \
|
--${if cfg.collectors.config == true then "" else "no-"}collector.config \
|
||||||
${computedConfigFile} \
|
%d/configFile \
|
||||||
${toString cfg.port} ${cfg.listenAddress}
|
${toString cfg.port} ${cfg.listenAddress}
|
||||||
'';
|
'';
|
||||||
} // optionalAttrs (cfg.environmentFile != null) {
|
} // optionalAttrs (cfg.environmentFile != null) {
|
||||||
|
|
|
@ -84,13 +84,11 @@ let
|
||||||
''
|
''
|
||||||
) vrrpInstances);
|
) vrrpInstances);
|
||||||
|
|
||||||
virtualIpLine = (ip:
|
virtualIpLine = ip: ip.addr
|
||||||
ip.addr
|
|
||||||
+ optionalString (notNullOrEmpty ip.brd) " brd ${ip.brd}"
|
+ optionalString (notNullOrEmpty ip.brd) " brd ${ip.brd}"
|
||||||
+ optionalString (notNullOrEmpty ip.dev) " dev ${ip.dev}"
|
+ optionalString (notNullOrEmpty ip.dev) " dev ${ip.dev}"
|
||||||
+ optionalString (notNullOrEmpty ip.scope) " scope ${ip.scope}"
|
+ optionalString (notNullOrEmpty ip.scope) " scope ${ip.scope}"
|
||||||
+ optionalString (notNullOrEmpty ip.label) " label ${ip.label}"
|
+ optionalString (notNullOrEmpty ip.label) " label ${ip.label}";
|
||||||
);
|
|
||||||
|
|
||||||
notNullOrEmpty = s: !(s == null || s == "");
|
notNullOrEmpty = s: !(s == null || s == "");
|
||||||
|
|
||||||
|
|
|
@ -263,7 +263,7 @@ let
|
||||||
if builtins.isString x then ''"${x}"''
|
if builtins.isString x then ''"${x}"''
|
||||||
else if builtins.isBool x then boolToString x
|
else if builtins.isBool x then boolToString x
|
||||||
else if builtins.isInt x then toString x
|
else if builtins.isInt x then toString x
|
||||||
else if builtins.isList x then ''{ ${lib.concatStringsSep ", " (map (n: toLua n) x) } }''
|
else if builtins.isList x then "{ ${lib.concatMapStringsSep ", " toLua x} }"
|
||||||
else throw "Invalid Lua value";
|
else throw "Invalid Lua value";
|
||||||
|
|
||||||
createSSLOptsStr = o: ''
|
createSSLOptsStr = o: ''
|
||||||
|
|
|
@ -5,7 +5,7 @@ with lib;
|
||||||
let
|
let
|
||||||
cfg = config.services.softether;
|
cfg = config.services.softether;
|
||||||
|
|
||||||
package = cfg.package.override { dataDir = cfg.dataDir; };
|
package = cfg.package.override { inherit (cfg) dataDir; };
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -88,7 +88,7 @@ in
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
(mkIf (cfg.vpnserver.enable) {
|
(mkIf cfg.vpnserver.enable {
|
||||||
systemd.services.vpnserver = {
|
systemd.services.vpnserver = {
|
||||||
description = "SoftEther VPN Server";
|
description = "SoftEther VPN Server";
|
||||||
after = [ "softether-init.service" ];
|
after = [ "softether-init.service" ];
|
||||||
|
@ -109,7 +109,7 @@ in
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
|
|
||||||
(mkIf (cfg.vpnbridge.enable) {
|
(mkIf cfg.vpnbridge.enable {
|
||||||
systemd.services.vpnbridge = {
|
systemd.services.vpnbridge = {
|
||||||
description = "SoftEther VPN Bridge";
|
description = "SoftEther VPN Bridge";
|
||||||
after = [ "softether-init.service" ];
|
after = [ "softether-init.service" ];
|
||||||
|
@ -130,7 +130,7 @@ in
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
|
|
||||||
(mkIf (cfg.vpnclient.enable) {
|
(mkIf cfg.vpnclient.enable {
|
||||||
systemd.services.vpnclient = {
|
systemd.services.vpnclient = {
|
||||||
description = "SoftEther VPN Client";
|
description = "SoftEther VPN Client";
|
||||||
after = [ "softether-init.service" ];
|
after = [ "softether-init.service" ];
|
||||||
|
|
|
@ -7,7 +7,9 @@ let
|
||||||
settingsFormat = pkgs.formats.yaml { };
|
settingsFormat = pkgs.formats.yaml { };
|
||||||
confFile = settingsFormat.generate "stubby.yml" cfg.settings;
|
confFile = settingsFormat.generate "stubby.yml" cfg.settings;
|
||||||
in {
|
in {
|
||||||
imports = map (x:
|
imports = [
|
||||||
|
(mkRemovedOptionModule [ "stubby" "debugLogging" ] "Use services.stubby.logLevel = \"debug\"; instead.")
|
||||||
|
] ++ map (x:
|
||||||
(mkRemovedOptionModule [ "services" "stubby" x ]
|
(mkRemovedOptionModule [ "services" "stubby" x ]
|
||||||
"Stubby configuration moved to services.stubby.settings.")) [
|
"Stubby configuration moved to services.stubby.settings.")) [
|
||||||
"authenticationMode"
|
"authenticationMode"
|
||||||
|
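Review bot: the option path in `mkRemovedOptionModule [ "stubby" "debugLogging" ]` is missing the leading `"services"` component; the option being removed is `services.stubby.debugLogging` (see the `debugLogging = mkOption` block in the next hunk), and the surrounding entries use `[ "services" "stubby" x ]`. As written, users who still set `services.stubby.debugLogging` get a generic "option does not exist" evaluation error instead of the intended hint to use `services.stubby.logLevel = "debug";`. Suggested fix: `(mkRemovedOptionModule [ "services" "stubby" "debugLogging" ] "Use services.stubby.logLevel = \"debug\"; instead.")`.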
@ -49,10 +51,22 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
debugLogging = mkOption {
|
logLevel = let
|
||||||
default = false;
|
logLevels = {
|
||||||
type = types.bool;
|
emerg = 0;
|
||||||
description = lib.mdDoc "Enable or disable debug level logging.";
|
alert = 1;
|
||||||
|
crit = 2;
|
||||||
|
error = 3;
|
||||||
|
warning = 4;
|
||||||
|
notice = 5;
|
||||||
|
info = 6;
|
||||||
|
debug = 7;
|
||||||
|
};
|
||||||
|
in mkOption {
|
||||||
|
default = null;
|
||||||
|
type = types.nullOr (types.enum (attrNames logLevels ++ attrValues logLevels));
|
||||||
|
apply = v: if isString v then logLevels.${v} else v;
|
||||||
|
description = lib.mdDoc "Log verbosity (syslog keyword or level).";
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
@ -80,7 +94,7 @@ in {
|
||||||
Type = "notify";
|
Type = "notify";
|
||||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||||
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
|
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
|
||||||
ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}";
|
ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString (cfg.logLevel != null) "-v ${toString cfg.logLevel}"}";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
CacheDirectory = "stubby";
|
CacheDirectory = "stubby";
|
||||||
};
|
};
|
||||||
|
|
195
third_party/nixpkgs/nixos/modules/services/networking/tayga.nix
vendored
Normal file
|
@ -0,0 +1,195 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
cfg = config.services.tayga;
|
||||||
|
|
||||||
|
# Converts an address set to a string
|
||||||
|
strAddr = addr: "${addr.address}/${toString addr.prefixLength}";
|
||||||
|
|
||||||
|
configFile = pkgs.writeText "tayga.conf" ''
|
||||||
|
tun-device ${cfg.tunDevice}
|
||||||
|
|
||||||
|
ipv4-addr ${cfg.ipv4.address}
|
||||||
|
${optionalString (cfg.ipv6.address != null) "ipv6-addr ${cfg.ipv6.address}"}
|
||||||
|
|
||||||
|
prefix ${strAddr cfg.ipv6.pool}
|
||||||
|
dynamic-pool ${strAddr cfg.ipv4.pool}
|
||||||
|
data-dir ${cfg.dataDir}
|
||||||
|
'';
|
||||||
|
|
||||||
|
addrOpts = v:
|
||||||
|
assert v == 4 || v == 6;
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
address = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = lib.mdDoc "IPv${toString v} address.";
|
||||||
|
};
|
||||||
|
|
||||||
|
prefixLength = mkOption {
|
||||||
|
type = types.addCheck types.int (n: n >= 0 && n <= (if v == 4 then 32 else 128));
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Subnet mask of the interface, specified as the number of
|
||||||
|
bits in the prefix ("${if v == 4 then "24" else "64"}").
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
versionOpts = v: {
|
||||||
|
options = {
|
||||||
|
router = {
|
||||||
|
address = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = lib.mdDoc "The IPv${toString v} address of the router.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
address = mkOption {
|
||||||
|
type = types.nullOr types.str;
|
||||||
|
default = null;
|
||||||
|
description = lib.mdDoc "The source IPv${toString v} address of the TAYGA server.";
|
||||||
|
};
|
||||||
|
|
||||||
|
pool = mkOption {
|
||||||
|
type = with types; nullOr (submodule (addrOpts v));
|
||||||
|
description = lib.mdDoc "The pool of IPv${toString v} addresses which are used for translation.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
services.tayga = {
|
||||||
|
enable = mkEnableOption (lib.mdDoc "Tayga");
|
||||||
|
|
||||||
|
package = mkOption {
|
||||||
|
type = types.package;
|
||||||
|
default = pkgs.tayga;
|
||||||
|
defaultText = lib.literalMD "pkgs.tayga";
|
||||||
|
description = lib.mdDoc "This option specifies the TAYGA package to use.";
|
||||||
|
};
|
||||||
|
|
||||||
|
ipv4 = mkOption {
|
||||||
|
type = types.submodule (versionOpts 4);
|
||||||
|
description = lib.mdDoc "IPv4-specific configuration.";
|
||||||
|
example = literalExpression ''
|
||||||
|
{
|
||||||
|
address = "192.0.2.0";
|
||||||
|
router = {
|
||||||
|
address = "192.0.2.1";
|
||||||
|
};
|
||||||
|
pool = {
|
||||||
|
address = "192.0.2.1";
|
||||||
|
prefixLength = 24;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
ipv6 = mkOption {
|
||||||
|
type = types.submodule (versionOpts 6);
|
||||||
|
description = lib.mdDoc "IPv6-specific configuration.";
|
||||||
|
example = literalExpression ''
|
||||||
|
{
|
||||||
|
address = "2001:db8::1";
|
||||||
|
router = {
|
||||||
|
address = "64:ff9b::1";
|
||||||
|
};
|
||||||
|
pool = {
|
||||||
|
address = "64:ff9b::";
|
||||||
|
prefixLength = 96;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
dataDir = mkOption {
|
||||||
|
type = types.path;
|
||||||
|
default = "/var/lib/tayga";
|
||||||
|
description = lib.mdDoc "Directory for persistent data";
|
||||||
|
};
|
||||||
|
|
||||||
|
tunDevice = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "nat64";
|
||||||
|
description = lib.mdDoc "Name of the nat64 tun device";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
networking.interfaces."${cfg.tunDevice}" = {
|
||||||
|
virtual = true;
|
||||||
|
virtualType = "tun";
|
||||||
|
virtualOwner = mkIf config.networking.useNetworkd "";
|
||||||
|
ipv4 = {
|
||||||
|
addresses = [
|
||||||
|
{ address = cfg.ipv4.router.address; prefixLength = 32; }
|
||||||
|
];
|
||||||
|
routes = [
|
||||||
|
cfg.ipv4.pool
|
||||||
|
];
|
||||||
|
};
|
||||||
|
ipv6 = {
|
||||||
|
addresses = [
|
||||||
|
{ address = cfg.ipv6.router.address; prefixLength = 128; }
|
||||||
|
];
|
||||||
|
routes = [
|
||||||
|
cfg.ipv6.pool
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.tayga = {
|
||||||
|
description = "Stateless NAT64 implementation";
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "network.target" ];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = "${cfg.package}/bin/tayga -d --nodetach --config ${configFile}";
|
||||||
|
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
|
||||||
|
Restart = "always";
|
||||||
|
|
||||||
|
# Hardening Score:
|
||||||
|
# - nixos-scripts: 2.1
|
||||||
|
# - systemd-networkd: 1.6
|
||||||
|
ProtectHome = true;
|
||||||
|
SystemCallFilter = [
|
||||||
|
"@network-io"
|
||||||
|
"@system-service"
|
||||||
|
"~@privileged"
|
||||||
|
"~@resources"
|
||||||
|
];
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
AmbientCapabilities = [
|
||||||
|
"CAP_NET_ADMIN"
|
||||||
|
];
|
||||||
|
CapabilityBoundingSet = "";
|
||||||
|
RestrictAddressFamilies = [
|
||||||
|
"AF_INET"
|
||||||
|
"AF_INET6"
|
||||||
|
"AF_NETLINK"
|
||||||
|
];
|
||||||
|
StateDirectory = "tayga";
|
||||||
|
DynamicUser = mkIf config.networking.useNetworkd true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
PrivateTmp = true;
|
||||||
|
LockPersonality = true;
|
||||||
|
ProtectSystem = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
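Review bot: `versionOpts` declares `address` as `types.nullOr types.str` with `default = null` for both address families, yet `configFile` interpolates `cfg.ipv4.address` unguarded (`ipv4-addr ${cfg.ipv4.address}`) while guarding the IPv6 one with `optionalString`; with the default left in place evaluation fails with a "cannot coerce null to a string" error rather than a clear message. Likewise `pool` is `nullOr (submodule (addrOpts v))` with no default but is used unconditionally in `strAddr cfg.ipv6.pool`, `strAddr cfg.ipv4.pool` and both `routes` lists. Either make `ipv4.address` and both `pool` options non-nullable (tayga needs all three) or add assertions with readable messages. Two smaller points in `serviceConfig`: `CapabilityBoundingSet = "";` next to `AmbientCapabilities = [ "CAP_NET_ADMIN" ]` relies on systemd implicitly widening the bounding set for ambient capabilities, so spelling it out as `CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];` documents the intent; and `DynamicUser = mkIf config.networking.useNetworkd true;` means the daemon runs as root under scripted networking, which the "Hardening Score" comment records but does not explain.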
@ -5,10 +5,47 @@ with lib;
|
||||||
let
|
let
|
||||||
cfg = config.services.opensnitch;
|
cfg = config.services.opensnitch;
|
||||||
format = pkgs.formats.json {};
|
format = pkgs.formats.json {};
|
||||||
|
|
||||||
|
predefinedRules = flip mapAttrs cfg.rules (name: cfg: {
|
||||||
|
file = pkgs.writeText "rule" (builtins.toJSON cfg);
|
||||||
|
});
|
||||||
|
|
||||||
in {
|
in {
|
||||||
options = {
|
options = {
|
||||||
services.opensnitch = {
|
services.opensnitch = {
|
||||||
enable = mkEnableOption (lib.mdDoc "Opensnitch application firewall");
|
enable = mkEnableOption (mdDoc "Opensnitch application firewall");
|
||||||
|
|
||||||
|
rules = mkOption {
|
||||||
|
default = {};
|
||||||
|
example = literalExpression ''
|
||||||
|
{
|
||||||
|
"tor" = {
|
||||||
|
"name" = "tor";
|
||||||
|
"enabled" = true;
|
||||||
|
"action" = "allow";
|
||||||
|
"duration" = "always";
|
||||||
|
"operator" = {
|
||||||
|
"type" ="simple";
|
||||||
|
"sensitive" = false;
|
||||||
|
"operand" = "process.path";
|
||||||
|
"data" = "''${lib.getBin pkgs.tor}/bin/tor";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
'';
|
||||||
|
|
||||||
|
description = mdDoc ''
|
||||||
|
Declarative configuration of firewall rules.
|
||||||
|
All rules will be stored in `/var/lib/opensnitch/rules`.
|
||||||
|
See [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Rules)
|
||||||
|
for available options.
|
||||||
|
'';
|
||||||
|
|
||||||
|
type = types.submodule {
|
||||||
|
freeformType = format.type;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
settings = mkOption {
|
settings = mkOption {
|
||||||
type = types.submodule {
|
type = types.submodule {
|
||||||
freeformType = format.type;
|
freeformType = format.type;
|
||||||
|
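Review bot: in `predefinedRules`, the lambda `(name: cfg: { ... })` shadows the module-level `cfg`, which makes the `builtins.toJSON cfg` call easy to misread; renaming the parameter to `rule` avoids that. The `rules` option is typed as a single `types.submodule { freeformType = format.type; }`, so any JSON value is accepted for an attribute and nothing checks that each entry is an object; `types.attrsOf (types.submodule { freeformType = format.type; })` would reject a scalar value early while still allowing the free-form rule fields shown in the example.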
@ -18,7 +55,7 @@ in {
|
||||||
|
|
||||||
Address = mkOption {
|
Address = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is
|
Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is
|
||||||
mandatory) or TCP socket (192.168.1.100:50051).
|
mandatory) or TCP socket (192.168.1.100:50051).
|
||||||
'';
|
'';
|
||||||
|
@ -26,7 +63,7 @@ in {
|
||||||
|
|
||||||
LogFile = mkOption {
|
LogFile = mkOption {
|
||||||
type = types.path;
|
type = types.path;
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
File to write logs to (use /dev/stdout to write logs to standard
|
File to write logs to (use /dev/stdout to write logs to standard
|
||||||
output).
|
output).
|
||||||
'';
|
'';
|
||||||
|
@ -36,7 +73,7 @@ in {
|
||||||
|
|
||||||
DefaultAction = mkOption {
|
DefaultAction = mkOption {
|
||||||
type = types.enum [ "allow" "deny" ];
|
type = types.enum [ "allow" "deny" ];
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Default action whether to block or allow application internet
|
Default action whether to block or allow application internet
|
||||||
access.
|
access.
|
||||||
'';
|
'';
|
||||||
|
@ -46,28 +83,28 @@ in {
|
||||||
type = types.enum [
|
type = types.enum [
|
||||||
"once" "always" "until restart" "30s" "5m" "15m" "30m" "1h"
|
"once" "always" "until restart" "30s" "5m" "15m" "30m" "1h"
|
||||||
];
|
];
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Default duration of firewall rule.
|
Default duration of firewall rule.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
InterceptUnknown = mkOption {
|
InterceptUnknown = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Wheter to intercept spare connections.
|
Wheter to intercept spare connections.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
ProcMonitorMethod = mkOption {
|
ProcMonitorMethod = mkOption {
|
||||||
type = types.enum [ "ebpf" "proc" "ftrace" "audit" ];
|
type = types.enum [ "ebpf" "proc" "ftrace" "audit" ];
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Which process monitoring method to use.
|
Which process monitoring method to use.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
LogLevel = mkOption {
|
LogLevel = mkOption {
|
||||||
type = types.enum [ 0 1 2 3 4 ];
|
type = types.enum [ 0 1 2 3 4 ];
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Default log level from 0 to 4 (debug, info, important, warning,
|
Default log level from 0 to 4 (debug, info, important, warning,
|
||||||
error).
|
error).
|
||||||
'';
|
'';
|
||||||
|
@ -75,7 +112,7 @@ in {
|
||||||
|
|
||||||
Firewall = mkOption {
|
Firewall = mkOption {
|
||||||
type = types.enum [ "iptables" "nftables" ];
|
type = types.enum [ "iptables" "nftables" ];
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Which firewall backend to use.
|
Which firewall backend to use.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -84,14 +121,14 @@ in {
|
||||||
|
|
||||||
MaxEvents = mkOption {
|
MaxEvents = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Max events to send to the GUI.
|
Max events to send to the GUI.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
MaxStats = mkOption {
|
MaxStats = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
Max stats per item to keep in backlog.
|
Max stats per item to keep in backlog.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -99,9 +136,8 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
description = lib.mdDoc ''
|
description = mdDoc ''
|
||||||
opensnitchd configuration. Refer to
|
opensnitchd configuration. Refer to [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Configurations)
|
||||||
<https://github.com/evilsocket/opensnitch/wiki/Configurations>
|
|
||||||
for details on supported values.
|
for details on supported values.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -118,6 +154,25 @@ in {
|
||||||
services.opensnitchd.wantedBy = [ "multi-user.target" ];
|
services.opensnitchd.wantedBy = [ "multi-user.target" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.opensnitchd.preStart = mkIf (cfg.rules != {}) (let
|
||||||
|
rules = flip mapAttrsToList predefinedRules (file: content: {
|
||||||
|
inherit (content) file;
|
||||||
|
local = "/var/lib/opensnitch/rules/${file}.json";
|
||||||
|
});
|
||||||
|
in ''
|
||||||
|
# Remove all firewall rules from `/var/lib/opensnitch/rules` that are symlinks to a store-path,
|
||||||
|
# but aren't declared in `cfg.rules` (i.e. all networks that were "removed" from
|
||||||
|
# `cfg.rules`).
|
||||||
|
find /var/lib/opensnitch/rules -type l -lname '${builtins.storeDir}/*' ${optionalString (rules != {}) ''
|
||||||
|
-not \( ${concatMapStringsSep " -o " ({ local, ... }:
|
||||||
|
"-name '${baseNameOf local}*'")
|
||||||
|
rules} \) \
|
||||||
|
''} -delete
|
||||||
|
${concatMapStrings ({ file, local }: ''
|
||||||
|
ln -sf '${file}' "${local}"
|
||||||
|
'') rules}
|
||||||
|
'');
|
||||||
|
|
||||||
environment.etc."opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings;
|
environment.etc."opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings;
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
|
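Review bot: in the `preStart` script, `optionalString (rules != {}) ''...''` compares `rules`, which is a list produced by `mapAttrsToList`, against an attribute set, so the condition is always true; it is also redundant because the whole block is already under `mkIf (cfg.rules != {})`. Drop the `optionalString` wrapper (or use `rules != []` if the guard is meant to stay). The naming in `(file: content: { inherit (content) file; local = ".../${file}.json"; })` is confusing: the parameter `file` is the attribute name while the inherited `file` is the store path; `(name: content: { inherit (content) file; local = "/var/lib/opensnitch/rules/${name}.json"; })` reads better. The `find -type l -lname '${builtins.storeDir}/*'` cleanup, which removes only store-path symlinks and leaves user-created rules alone, is a sensible design and worth keeping.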
@ -57,6 +57,14 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
muteKernelMessages = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Disable kernel messages on console while physlock is running.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
lockOn = {
|
lockOn = {
|
||||||
|
|
||||||
suspend = mkOption {
|
suspend = mkOption {
|
||||||
|
@ -116,7 +124,7 @@ in
|
||||||
++ cfg.lockOn.extraTargets;
|
++ cfg.lockOn.extraTargets;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "forking";
|
Type = "forking";
|
||||||
ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}${optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\""}";
|
ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.muteKernelMessages "m"}${optionalString cfg.disableSysRq "s"}${optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\""}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -138,7 +138,8 @@ in
|
||||||
StateDirectory = mkIf defaultStateDir "changedetection-io";
|
StateDirectory = mkIf defaultStateDir "changedetection-io";
|
||||||
StateDirectoryMode = mkIf defaultStateDir "0750";
|
StateDirectoryMode = mkIf defaultStateDir "0750";
|
||||||
WorkingDirectory = cfg.datastorePath;
|
WorkingDirectory = cfg.datastorePath;
|
||||||
Environment = lib.optional (cfg.baseURL != null) "BASE_URL=${cfg.baseURL}"
|
Environment = [ "HIDE_REFERER=true" ]
|
||||||
|
++ lib.optional (cfg.baseURL != null) "BASE_URL=${cfg.baseURL}"
|
||||||
++ lib.optional cfg.behindProxy "USE_X_SETTINGS=1"
|
++ lib.optional cfg.behindProxy "USE_X_SETTINGS=1"
|
||||||
++ lib.optional cfg.webDriverSupport "WEBDRIVER_URL=http://127.0.0.1:${toString cfg.chromePort}/wd/hub"
|
++ lib.optional cfg.webDriverSupport "WEBDRIVER_URL=http://127.0.0.1:${toString cfg.chromePort}/wd/hub"
|
||||||
++ lib.optional cfg.playwrightSupport "PLAYWRIGHT_DRIVER_URL=ws://127.0.0.1:${toString cfg.chromePort}/?stealth=1&--disable-web-security=true";
|
++ lib.optional cfg.playwrightSupport "PLAYWRIGHT_DRIVER_URL=ws://127.0.0.1:${toString cfg.chromePort}/?stealth=1&--disable-web-security=true";
|
||||||
|
|
|
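Review bot: `HIDE_REFERER=true` is now hard-coded into `Environment` for every deployment without an option or a mention in a description; the privacy default is reasonable, but the change should be documented (a release-note entry, or an option with this as the default) so operators know the referer is suppressed on fetches.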
@ -19,9 +19,9 @@ let
|
||||||
# We only want to create a database if we're actually going to connect to it.
|
# We only want to create a database if we're actually going to connect to it.
|
||||||
databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == null;
|
databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == null;
|
||||||
|
|
||||||
tlsEnabled = (cfg.enableACME
|
tlsEnabled = cfg.enableACME
|
||||||
|| cfg.sslCertificate != null
|
|| cfg.sslCertificate != null
|
||||||
|| cfg.sslCertificateKey != null);
|
|| cfg.sslCertificateKey != null;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = {
|
options = {
|
||||||
|
|
|
@ -327,7 +327,7 @@ in
|
||||||
)) eachSite;
|
)) eachSite;
|
||||||
|
|
||||||
systemd.services =
|
systemd.services =
|
||||||
(mapAttrs' (hostName: cfg: (
|
mapAttrs' (hostName: cfg: (
|
||||||
nameValuePair "invoiceplane-cron-${hostName}" (mkIf cfg.cron.enable {
|
nameValuePair "invoiceplane-cron-${hostName}" (mkIf cfg.cron.enable {
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
|
@ -335,7 +335,7 @@ in
|
||||||
ExecStart = "${pkgs.curl}/bin/curl --header 'Host: ${hostName}' http://localhost/invoices/cron/recur/${cfg.cron.key}";
|
ExecStart = "${pkgs.curl}/bin/curl --header 'Host: ${hostName}' http://localhost/invoices/cron/recur/${cfg.cron.key}";
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
)) eachSite);
|
)) eachSite;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -63,6 +63,28 @@ in {
|
||||||
|
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
RestartSec = 1;
|
RestartSec = 1;
|
||||||
|
|
||||||
|
# Hardening
|
||||||
|
CapabilityBoundingSet = [ "" ];
|
||||||
|
DeviceAllow = [ "" ];
|
||||||
|
LockPersonality = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
ProcSubset = "pid";
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
|
||||||
|
UMask = "0077";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
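Review bot: the added hardening block omits `ProtectSystem`; with `ProtectHome = true` and `PrivateUsers = true` already in place, `ProtectSystem = "strict"` paired with a `StateDirectory` (or `ReadWritePaths`) for whatever the service writes would complete the set. `NoNewPrivileges` is implied by the `SystemCallFilter`, `PrivateUsers` and `Protect*` settings here, so it need not be listed.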
@ -372,17 +372,19 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
user = lib.mkOption {
|
user = lib.mkOption {
|
||||||
|
type = lib.types.nullOr lib.types.str;
|
||||||
|
default = null;
|
||||||
|
example = "mastodon@example.com";
|
||||||
description = lib.mdDoc "SMTP login name.";
|
description = lib.mdDoc "SMTP login name.";
|
||||||
type = lib.types.str;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
passwordFile = lib.mkOption {
|
passwordFile = lib.mkOption {
|
||||||
|
type = lib.types.nullOr lib.types.path;
|
||||||
|
default = null;
|
||||||
|
example = "/var/lib/mastodon/secrets/smtp-password";
|
||||||
description = lib.mdDoc ''
|
description = lib.mdDoc ''
|
||||||
Path to file containing the SMTP password.
|
Path to file containing the SMTP password.
|
||||||
'';
|
'';
|
||||||
default = "/var/lib/mastodon/secrets/smtp-password";
|
|
||||||
example = "/run/keys/mastodon-smtp-password";
|
|
||||||
type = lib.types.str;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
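Review bot: `passwordFile` changes from a default of `"/var/lib/mastodon/secrets/smtp-password"` to `default = null`, and `user` goes from a required `lib.types.str` to a nullable option; existing deployments that relied on the default path will now fail the `smtp.authenticate` assertion added in the next hunk, so this needs a release-note entry. Also `lib.types.path` for `passwordFile` means an unquoted path literal (`./smtp-password`) would be copied into the world-readable store; the string example given is the safe form, and the description could say so.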
@ -467,6 +469,20 @@ in {
|
||||||
assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user);
|
assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user);
|
||||||
message = ''For local automatic database provisioning (services.mastodon.database.createLocally == true) with peer authentication (services.mastodon.database.host == "/run/postgresql") to work services.mastodon.user and services.mastodon.database.user must be identical.'';
|
message = ''For local automatic database provisioning (services.mastodon.database.createLocally == true) with peer authentication (services.mastodon.database.host == "/run/postgresql") to work services.mastodon.user and services.mastodon.database.user must be identical.'';
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
assertion = cfg.smtp.authenticate -> (cfg.smtp.user != null);
|
||||||
|
message = ''
|
||||||
|
<option>services.mastodon.smtp.user</option> needs to be set if
|
||||||
|
<option>services.mastodon.smtp.authenticate</option> is enabled.
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
{
|
||||||
|
assertion = cfg.smtp.authenticate -> (cfg.smtp.passwordFile != null);
|
||||||
|
message = ''
|
||||||
|
<option>services.mastodon.smtp.passwordFile</option> needs to be set if
|
||||||
|
<option>services.mastodon.smtp.authenticate</option> is enabled.
|
||||||
|
'';
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.services.mastodon-init-dirs = {
|
systemd.services.mastodon-init-dirs = {
|
||||||
|
|
|
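Review bot: the two new assertion messages wrap option names in `<option>…</option>` tags, whereas the neighbouring assertion message in the same list is plain text; assertion messages are printed to the terminal, not rendered as documentation, so the markup will appear literally. Suggest `services.mastodon.smtp.user needs to be set if services.mastodon.smtp.authenticate is enabled.` and the same for `passwordFile`. The assertions themselves (`cfg.smtp.authenticate -> (cfg.smtp.user != null)` and `... -> (cfg.smtp.passwordFile != null)`) are the right check for the now-nullable options.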
@ -9,6 +9,10 @@ let
|
||||||
name = "configuration.py";
|
name = "configuration.py";
|
||||||
text = ''
|
text = ''
|
||||||
STATIC_ROOT = '${staticDir}'
|
STATIC_ROOT = '${staticDir}'
|
||||||
|
MEDIA_ROOT = '${cfg.dataDir}/media'
|
||||||
|
REPORTS_ROOT = '${cfg.dataDir}/reports'
|
||||||
|
SCRIPTS_ROOT = '${cfg.dataDir}/scripts'
|
||||||
|
|
||||||
ALLOWED_HOSTS = ['*']
|
ALLOWED_HOSTS = ['*']
|
||||||
DATABASE = {
|
DATABASE = {
|
||||||
'NAME': 'netbox',
|
'NAME': 'netbox',
|
||||||
|
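Review bot: `SCRIPTS_ROOT` and `REPORTS_ROOT` now point into `cfg.dataDir`; NetBox loads custom scripts and reports from these directories as Python modules and runs them inside the NetBox process, so write access to `${cfg.dataDir}/scripts` or `${cfg.dataDir}/reports` is equivalent to code execution as the service user. Add a comment next to these two lines and make sure the directories are created owned by the service user without group or other write bits.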
@ -42,11 +46,10 @@ let
|
||||||
installPhase = old.installPhase + ''
|
installPhase = old.installPhase + ''
|
||||||
ln -s ${configFile} $out/opt/netbox/netbox/netbox/configuration.py
|
ln -s ${configFile} $out/opt/netbox/netbox/netbox/configuration.py
|
||||||
'' + optionalString cfg.enableLdap ''
|
'' + optionalString cfg.enableLdap ''
|
||||||
ln -s ${ldapConfigPath} $out/opt/netbox/netbox/netbox/ldap_config.py
|
ln -s ${cfg.ldapConfigPath} $out/opt/netbox/netbox/netbox/ldap_config.py
|
||||||
'';
|
'';
|
||||||
})).override {
|
})).override {
|
||||||
plugins = ps: ((cfg.plugins ps)
|
inherit (cfg) plugins;
|
||||||
++ optionals cfg.enableLdap [ ps.django-auth-ldap ]);
|
|
||||||
};
|
};
|
||||||
netboxManageScript = with pkgs; (writeScriptBin "netbox-manage" ''
|
netboxManageScript = with pkgs; (writeScriptBin "netbox-manage" ''
|
||||||
#!${stdenv.shell}
|
#!${stdenv.shell}
|
||||||
|
@ -139,6 +142,8 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
services.netbox.plugins = mkIf cfg.enableLdap (ps: [ ps.django-auth-ldap ]);
|
||||||
|
|
||||||
services.redis.servers.netbox.enable = true;
|
services.redis.servers.netbox.enable = true;
|
||||||
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
|
|
|
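Review bot: `services.netbox.plugins = mkIf cfg.enableLdap (ps: [ ps.django-auth-ldap ]);` only combines with a user-supplied `plugins` function if the option's type merges function-valued definitions (for example `types.functionTo (types.listOf types.package)`); with a non-merging type, a user who sets `plugins` together with `enableLdap` gets a conflicting-definitions error. The declaration is outside this hunk, so please confirm the type, otherwise keep the previous `(cfg.plugins ps) ++ optionals cfg.enableLdap [ ps.django-auth-ldap ]` form.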
@ -192,6 +192,14 @@ let
|
||||||
|
|
||||||
server_tokens ${if cfg.serverTokens then "on" else "off"};
|
server_tokens ${if cfg.serverTokens then "on" else "off"};
|
||||||
|
|
||||||
|
${optionalString (cfg.proxyCache.enable) ''
|
||||||
|
proxy_cache_path /var/cache/nginx keys_zone=${cfg.proxyCache.keysZoneName}:${cfg.proxyCache.keysZoneSize}
|
||||||
|
levels=${cfg.proxyCache.levels}
|
||||||
|
use_temp_path=${if cfg.proxyCache.useTempPath then "on" else "off"}
|
||||||
|
inactive=${cfg.proxyCache.inactive}
|
||||||
|
max_size=${cfg.proxyCache.maxSize};
|
||||||
|
''}
|
||||||
|
|
||||||
${cfg.commonHttpConfig}
|
${cfg.commonHttpConfig}
|
||||||
|
|
||||||
${vhosts}
|
${vhosts}
|
||||||
|
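Review bot: the new `proxy_cache_path` directive interpolates `keysZoneName`, `keysZoneSize`, `levels`, `inactive` and `maxSize` unquoted into the nginx configuration and all five are declared as `types.str`, so a value containing whitespace or `;` silently becomes a different directive; tighten the types (`types.strMatching`) or add an assertion. `/var/cache/nginx` is also hard-coded here and nothing in the hunk creates it or sets its owner, so check that the unit provides a writable directory (for example via `CacheDirectory=`).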
@ -707,6 +715,72 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
proxyCache = mkOption {
|
||||||
|
type = types.submodule {
|
||||||
|
options = {
|
||||||
|
enable = mkEnableOption (lib.mdDoc "Enable proxy cache");
|
||||||
|
|
||||||
|
keysZoneName = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "cache";
|
||||||
|
example = "my_cache";
|
||||||
|
description = lib.mdDoc "Set name to shared memory zone.";
|
||||||
|
};
|
||||||
|
|
||||||
|
keysZoneSize = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "10m";
|
||||||
|
example = "32m";
|
||||||
|
description = lib.mdDoc "Set size to shared memory zone.";
|
||||||
|
};
|
||||||
|
|
||||||
|
levels = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "1:2";
|
||||||
|
example = "1:2:2";
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
The levels parameter defines structure of subdirectories in cache: from
|
||||||
|
1 to 3, each level accepts values 1 or 2. Сan be used any combination of
|
||||||
|
1 and 2 in these formats: x, x:x and x:x:x.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
useTempPath = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
example = true;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Nginx first writes files that are destined for the cache to a temporary
|
||||||
|
storage area, and the use_temp_path=off directive instructs Nginx to
|
||||||
|
write them to the same directories where they will be cached. Recommended
|
||||||
|
that you set this parameter to off to avoid unnecessary copying of data
|
||||||
|
between file systems.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
inactive = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "10m";
|
||||||
|
example = "1d";
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Cached data that has not been accessed for the time specified by
|
||||||
|
the inactive parameter is removed from the cache, regardless of
|
||||||
|
its freshness.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
maxSize = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "1g";
|
||||||
|
example = "2048m";
|
||||||
|
description = lib.mdDoc "Set maximum cache size";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
default = {};
|
||||||
|
description = lib.mdDoc "Configure proxy cache";
|
||||||
|
};
|
||||||
|
|
||||||
resolver = mkOption {
|
resolver = mkOption {
|
||||||
type = types.submodule {
|
type = types.submodule {
|
||||||
options = {
|
options = {
|
||||||
|
|
|
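Review bot: several descriptions in this hunk need wording fixes. The `С` in `Сan be used any combination of` appears to be a non-ASCII lookalike rather than a Latin `C`, and the sentence should read `Any combination of 1 and 2 can be used in these formats: x, x:x and x:x:x.`; `Set name to shared memory zone.` and `Set size to shared memory zone.` should be `Name of the shared memory zone.` and `Size of the shared memory zone.`; and the `useTempPath` text recommends setting the parameter `to off` although the option is a boolean whose `default = false;` already does that, so say `Leave this at false ...`. `levels` is typed `types.str` while the text documents a fixed grammar; `types.strMatching "[12](:[12]){0,2}"` would enforce it.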
@ -172,10 +172,10 @@ in
|
||||||
sound-theme-freedesktop
|
sound-theme-freedesktop
|
||||||
nixos-artwork.wallpapers.simple-dark-gray
|
nixos-artwork.wallpapers.simple-dark-gray
|
||||||
mint-artwork
|
mint-artwork
|
||||||
|
mint-cursor-themes
|
||||||
mint-themes
|
mint-themes
|
||||||
mint-x-icons
|
mint-x-icons
|
||||||
mint-y-icons
|
mint-y-icons
|
||||||
vanilla-dmz
|
|
||||||
] config.environment.cinnamon.excludePackages);
|
] config.environment.cinnamon.excludePackages);
|
||||||
|
|
||||||
xdg.mime.enable = true;
|
xdg.mime.enable = true;
|
||||||
|
|
|
@ -7,6 +7,9 @@ with lib;
|
||||||
###### interface
|
###### interface
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
|
boot.modprobeConfig.enable = mkEnableOption (lib.mdDoc "modprobe config. This is useful for systemds like containers which do not require a kernel.") // {
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
|
||||||
boot.blacklistedKernelModules = mkOption {
|
boot.blacklistedKernelModules = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
|
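Review bot: the new option's text has a typo, `systemds like containers` should be `systems like containers`, and since `mkEnableOption` prefixes `Whether to enable`, the rendered description reads `Whether to enable modprobe config.`; `kernel module configuration (modprobe.d)` would be clearer.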
@ -38,7 +41,7 @@ with lib;
|
||||||
|
|
||||||
###### implementation
|
###### implementation
|
||||||
|
|
||||||
config = mkIf (!config.boot.isContainer) {
|
config = mkIf config.boot.modprobeConfig.enable {
|
||||||
|
|
||||||
environment.etc."modprobe.d/ubuntu.conf".source = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf";
|
environment.etc."modprobe.d/ubuntu.conf".source = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf";
|
||||||
|
|
||||||
|
|
|
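Review bot: replacing the gate `mkIf (!config.boot.isContainer)` with `mkIf config.boot.modprobeConfig.enable` (default `true`) means the module blacklist in `modprobe.d/ubuntu.conf` is now generated inside containers unless the container profile explicitly sets the new option to false. The lxc profile in this commit does so, but other `boot.isContainer = true` setups change behaviour silently; either default the option to `!config.boot.isContainer` or document the change in the release notes.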
@ -68,7 +68,7 @@ fi
|
||||||
# like squashfs.
|
# like squashfs.
|
||||||
chown -f 0:30000 /nix/store
|
chown -f 0:30000 /nix/store
|
||||||
chmod -f 1775 /nix/store
|
chmod -f 1775 /nix/store
|
||||||
if [ -n "@readOnlyStore@" ]; then
|
if [ -n "@readOnlyNixStore@" ]; then
|
||||||
if ! [[ "$(findmnt --noheadings --output OPTIONS /nix/store)" =~ ro(,|$) ]]; then
|
if ! [[ "$(findmnt --noheadings --output OPTIONS /nix/store)" =~ ro(,|$) ]]; then
|
||||||
if [ -z "$container" ]; then
|
if [ -z "$container" ]; then
|
||||||
mount --bind /nix/store /nix/store
|
mount --bind /nix/store /nix/store
|
||||||
|
|
|
@ -10,9 +10,8 @@ let
|
||||||
src = ./stage-2-init.sh;
|
src = ./stage-2-init.sh;
|
||||||
shellDebug = "${pkgs.bashInteractive}/bin/bash";
|
shellDebug = "${pkgs.bashInteractive}/bin/bash";
|
||||||
shell = "${pkgs.bash}/bin/bash";
|
shell = "${pkgs.bash}/bin/bash";
|
||||||
inherit (config.boot) systemdExecutable extraSystemdUnitPaths;
|
inherit (config.boot) readOnlyNixStore systemdExecutable extraSystemdUnitPaths;
|
||||||
isExecutable = true;
|
isExecutable = true;
|
||||||
inherit (config.nix) readOnlyStore;
|
|
||||||
inherit useHostResolvConf;
|
inherit useHostResolvConf;
|
||||||
inherit (config.system.build) earlyMountScript;
|
inherit (config.system.build) earlyMountScript;
|
||||||
path = lib.makeBinPath ([
|
path = lib.makeBinPath ([
|
||||||
|
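Review bot: `inherit (config.nix) readOnlyStore;` is replaced by `inherit (config.boot) readOnlyNixStore ...`, i.e. the option moves from `nix.readOnlyStore` to `boot.readOnlyNixStore`, and there is no `mkRenamedOptionModule` in this change, so configurations that set `nix.readOnlyStore` will stop evaluating. Add the rename alias and a release-notes entry.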
@ -42,6 +41,17 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
readOnlyNixStore = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
If set, NixOS will enforce the immutability of the Nix store
|
||||||
|
by making {file}`/nix/store` a read-only bind
|
||||||
|
mount. Nix will automatically make the store writable when
|
||||||
|
needed.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
systemdExecutable = mkOption {
|
systemdExecutable = mkOption {
|
||||||
default = "/run/current-system/systemd/lib/systemd/systemd";
|
default = "/run/current-system/systemd/lib/systemd/systemd";
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
|
|
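Review bot: the description of `readOnlyNixStore` should state what the read-only bind mount protects against (accidental or malicious writes to store paths by processes that bypass the Nix daemon) so that users understand what they give up by setting it to `false`; it should also mention that, as the stage-2 script in this same change shows, the remount is skipped when `$container` is set.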
@ -612,6 +612,10 @@ in
|
||||||
|
|
||||||
boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) "systemd.unified_cgroup_hierarchy=0";
|
boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) "systemd.unified_cgroup_hierarchy=0";
|
||||||
|
|
||||||
|
# Avoid potentially degraded system state due to
|
||||||
|
# "Userspace Out-Of-Memory (OOM) Killer was skipped because of a failed condition check (ConditionControlGroupController=v2)."
|
||||||
|
systemd.services.systemd-oomd.enable = mkIf (!cfg.enableUnifiedCgroupHierarchy) false;
|
||||||
|
|
||||||
services.logrotate.settings = {
|
services.logrotate.settings = {
|
||||||
"/var/log/btmp" = mapAttrs (_: mkDefault) {
|
"/var/log/btmp" = mapAttrs (_: mkDefault) {
|
||||||
frequency = "monthly";
|
frequency = "monthly";
|
||||||
|
|
|
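Review bot: `systemd.services.systemd-oomd.enable = mkIf (!cfg.enableUnifiedCgroupHierarchy) false;` is a normal-priority definition, so a configuration that also defines `systemd.services.systemd-oomd.enable = true` on a cgroup-v1 system fails with conflicting values instead of a clear message. Either use `mkIf ... (mkForce false)` with a comment that oomd cannot run without the v2 controller, or turn the quoted condition-check text into an assertion message.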
@ -33,7 +33,7 @@ let
|
||||||
mountPoint = mkOption {
|
mountPoint = mkOption {
|
||||||
example = "/mnt/usb";
|
example = "/mnt/usb";
|
||||||
type = nonEmptyWithoutTrailingSlash;
|
type = nonEmptyWithoutTrailingSlash;
|
||||||
description = lib.mdDoc "Location of the mounted the file system.";
|
description = lib.mdDoc "Location of the mounted file system.";
|
||||||
};
|
};
|
||||||
|
|
||||||
device = mkOption {
|
device = mkOption {
|
||||||
|
|
|
@ -1411,9 +1411,10 @@ in
|
||||||
# Set the host and domain names in the activation script. Don't
|
# Set the host and domain names in the activation script. Don't
|
||||||
# clear it if it's not configured in the NixOS configuration,
|
# clear it if it's not configured in the NixOS configuration,
|
||||||
# since it may have been set by dhcpcd in the meantime.
|
# since it may have been set by dhcpcd in the meantime.
|
||||||
system.activationScripts.hostname =
|
system.activationScripts.hostname = let
|
||||||
optionalString (cfg.hostName != "") ''
|
effectiveHostname = config.boot.kernel.sysctl."kernel.hostname" or cfg.hostName;
|
||||||
hostname "${cfg.hostName}"
|
in optionalString (effectiveHostname != "") ''
|
||||||
|
hostname "${effectiveHostname}"
|
||||||
'';
|
'';
|
||||||
system.activationScripts.domain =
|
system.activationScripts.domain =
|
||||||
optionalString (cfg.domain != null) ''
|
optionalString (cfg.domain != null) ''
|
||||||
|
|
|
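Review bot: `hostname "${effectiveHostname}"` now interpolates a value that may come from `config.boot.kernel.sysctl."kernel.hostname"` straight into a root-executed activation script; that option accepts free-form values, so use `lib.escapeShellArg effectiveHostname` instead of double quotes. The sysctl option also admits non-string values (`int`, `bool`), which would make the `effectiveHostname != ""` test and the interpolation fail at evaluation time; `toString` or a type check on the fallback path would avoid a confusing error.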
@ -488,5 +488,53 @@ let self = {
|
||||||
"22.05".us-west-1.aarch64-linux.hvm-ebs = "ami-0f96be48071c13ab2";
|
"22.05".us-west-1.aarch64-linux.hvm-ebs = "ami-0f96be48071c13ab2";
|
||||||
"22.05".us-west-2.aarch64-linux.hvm-ebs = "ami-084bc5d777585adfb";
|
"22.05".us-west-2.aarch64-linux.hvm-ebs = "ami-084bc5d777585adfb";
|
||||||
|
|
||||||
latest = self."22.05";
|
# 22.11.466.596a8e828c5
|
||||||
|
|
||||||
|
"22.11".eu-west-1.x86_64-linux.hvm-ebs = "ami-01aafe08a4e74bd9a";
|
||||||
|
"22.11".af-south-1.x86_64-linux.hvm-ebs = "ami-0d937fc7bf7b8c2ed";
|
||||||
|
"22.11".ap-east-1.x86_64-linux.hvm-ebs = "ami-020e59f6affef2732";
|
||||||
|
"22.11".ap-northeast-1.x86_64-linux.hvm-ebs = "ami-04a7bd7a969506a87";
|
||||||
|
"22.11".ap-northeast-2.x86_64-linux.hvm-ebs = "ami-007b9209171e2dcdd";
|
||||||
|
"22.11".ap-northeast-3.x86_64-linux.hvm-ebs = "ami-0c4d0b584cd570584";
|
||||||
|
"22.11".ap-south-1.x86_64-linux.hvm-ebs = "ami-02aa47f84c215d593";
|
||||||
|
"22.11".ap-southeast-1.x86_64-linux.hvm-ebs = "ami-067a7fca4a01c4dda";
|
||||||
|
"22.11".ap-southeast-2.x86_64-linux.hvm-ebs = "ami-0638db75ba113c635";
|
||||||
|
"22.11".ap-southeast-3.x86_64-linux.hvm-ebs = "ami-08dcda749c59e8747";
|
||||||
|
"22.11".ca-central-1.x86_64-linux.hvm-ebs = "ami-09b007688e369f794";
|
||||||
|
"22.11".eu-central-1.x86_64-linux.hvm-ebs = "ami-05df1b211df600977";
|
||||||
|
"22.11".eu-north-1.x86_64-linux.hvm-ebs = "ami-0427d0897b928e191";
|
||||||
|
"22.11".eu-south-1.x86_64-linux.hvm-ebs = "ami-051beda489f0dd109";
|
||||||
|
"22.11".eu-west-2.x86_64-linux.hvm-ebs = "ami-0c2090b73fc610ac3";
|
||||||
|
"22.11".eu-west-3.x86_64-linux.hvm-ebs = "ami-0d03a150cf6c07022";
|
||||||
|
"22.11".me-south-1.x86_64-linux.hvm-ebs = "ami-0443b1af94bff9e3d";
|
||||||
|
"22.11".sa-east-1.x86_64-linux.hvm-ebs = "ami-07b2ce95ba17b6bc1";
|
||||||
|
"22.11".us-east-1.x86_64-linux.hvm-ebs = "ami-0508167db03652cc4";
|
||||||
|
"22.11".us-east-2.x86_64-linux.hvm-ebs = "ami-0e41ac272a7d67029";
|
||||||
|
"22.11".us-west-1.x86_64-linux.hvm-ebs = "ami-02f3fb062ee9af563";
|
||||||
|
"22.11".us-west-2.x86_64-linux.hvm-ebs = "ami-06b260b3a958948a0";
|
||||||
|
|
||||||
|
"22.11".eu-west-1.aarch64-linux.hvm-ebs = "ami-0c4132540cabbc7df";
|
||||||
|
"22.11".af-south-1.aarch64-linux.hvm-ebs = "ami-0f12780247b337357";
|
||||||
|
"22.11".ap-east-1.aarch64-linux.hvm-ebs = "ami-04789617e858da6fb";
|
||||||
|
"22.11".ap-northeast-1.aarch64-linux.hvm-ebs = "ami-0f4d8517ab163b274";
|
||||||
|
"22.11".ap-northeast-2.aarch64-linux.hvm-ebs = "ami-051a06893bcc696c1";
|
||||||
|
"22.11".ap-northeast-3.aarch64-linux.hvm-ebs = "ami-05a086610680a7d8b";
|
||||||
|
"22.11".ap-south-1.aarch64-linux.hvm-ebs = "ami-04cd79197824124cd";
|
||||||
|
"22.11".ap-southeast-1.aarch64-linux.hvm-ebs = "ami-0437f330961467257";
|
||||||
|
"22.11".ap-southeast-2.aarch64-linux.hvm-ebs = "ami-000c2ecbc430c36d7";
|
||||||
|
"22.11".ap-southeast-3.aarch64-linux.hvm-ebs = "ami-062e917296b5087c0";
|
||||||
|
"22.11".ca-central-1.aarch64-linux.hvm-ebs = "ami-0c91995b735d1b8b6";
|
||||||
|
"22.11".eu-central-1.aarch64-linux.hvm-ebs = "ami-0537d704b177a676b";
|
||||||
|
"22.11".eu-north-1.aarch64-linux.hvm-ebs = "ami-05f1f532f90d8e16c";
|
||||||
|
"22.11".eu-south-1.aarch64-linux.hvm-ebs = "ami-097fe290eafff61ad";
|
||||||
|
"22.11".eu-west-2.aarch64-linux.hvm-ebs = "ami-053b6cc7a3394891a";
|
||||||
|
"22.11".eu-west-3.aarch64-linux.hvm-ebs = "ami-0a5b6d023afde63c3";
|
||||||
|
"22.11".me-south-1.aarch64-linux.hvm-ebs = "ami-024fcb01f8638ed08";
|
||||||
|
"22.11".sa-east-1.aarch64-linux.hvm-ebs = "ami-06d72c6e930037236";
|
||||||
|
"22.11".us-east-1.aarch64-linux.hvm-ebs = "ami-0b33ffb684d6b07b5";
|
||||||
|
"22.11".us-east-2.aarch64-linux.hvm-ebs = "ami-033ff64078c59f378";
|
||||||
|
"22.11".us-west-1.aarch64-linux.hvm-ebs = "ami-052d52b9e30a18562";
|
||||||
|
"22.11".us-west-2.aarch64-linux.hvm-ebs = "ami-07418b6a4782c9521";
|
||||||
|
|
||||||
|
latest = self."22.11";
|
||||||
}; in self
|
}; in self
|
||||||
|
|
|
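Review bot: `latest = self."22.11";` changes what `latest` resolves to for every consumer of this list, which deserves a release-notes entry. The AMI identifiers cannot be verified from the diff itself, so the `# 22.11.466.596a8e828c5` comment should be accompanied by a pointer to how the list was produced (the script used and the channel commit) so a reviewer can reproduce it.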
@ -8,7 +8,9 @@ with lib;
|
||||||
|
|
||||||
# Disable some features that are not useful in a container.
|
# Disable some features that are not useful in a container.
|
||||||
|
|
||||||
|
# containers don't have a kernel
|
||||||
boot.kernel.enable = false;
|
boot.kernel.enable = false;
|
||||||
|
boot.modprobeConfig.enable = false;
|
||||||
|
|
||||||
console.enable = mkDefault false;
|
console.enable = mkDefault false;
|
||||||
|
|
||||||
|
|
|
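Review bot: `boot.modprobeConfig.enable = false;` is set at normal priority while `console.enable = mkDefault false;` right below uses `mkDefault`; use the same priority so a container image that wants the modprobe blacklist can re-enable it without `mkForce`.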
@ -88,6 +88,16 @@ in
|
||||||
};
|
};
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
privilegedContainer = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Whether this LXC container will be running as a privileged container or not. If set to `true` then
|
||||||
|
additional configuration will be applied to the `systemd` instance running within the container as
|
||||||
|
recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/).
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -146,12 +156,31 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
# Add the overrides from lxd distrobuilder
|
# Add the overrides from lxd distrobuilder
|
||||||
systemd.extraConfig = ''
|
# https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630
|
||||||
|
systemd.packages = [
|
||||||
|
(pkgs.writeTextFile {
|
||||||
|
name = "systemd-lxc-service-overrides";
|
||||||
|
destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf";
|
||||||
|
text = ''
|
||||||
[Service]
|
[Service]
|
||||||
|
ProcSubset=all
|
||||||
ProtectProc=default
|
ProtectProc=default
|
||||||
ProtectControlGroups=no
|
ProtectControlGroups=no
|
||||||
ProtectKernelTunables=no
|
ProtectKernelTunables=no
|
||||||
|
NoNewPrivileges=no
|
||||||
|
LoadCredential=
|
||||||
|
'' + optionalString cfg.privilegedContainer ''
|
||||||
|
# Additional settings for privileged containers
|
||||||
|
ProtectHome=no
|
||||||
|
ProtectSystem=no
|
||||||
|
PrivateDevices=no
|
||||||
|
PrivateTmp=no
|
||||||
|
ProtectKernelLogs=no
|
||||||
|
ProtectKernelModules=no
|
||||||
|
ReadWritePaths=
|
||||||
'';
|
'';
|
||||||
|
})
|
||||||
|
];
|
||||||
|
|
||||||
# Allow the user to login as root without password.
|
# Allow the user to login as root without password.
|
||||||
users.users.root.initialHashedPassword = mkOverride 150 "";
|
users.users.root.initialHashedPassword = mkOverride 150 "";
|
||||||
|
|
|
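Review bot: `zzz-lxc-service.conf` is a global `service.d/` drop-in, so `ProcSubset=all`, `ProtectProc=default`, `ProtectControlGroups=no`, `ProtectKernelTunables=no`, `NoNewPrivileges=no` and the emptied `LoadCredential=` now apply to every service in the container, and in privileged mode `ProtectHome=no`, `ProtectSystem=no`, `PrivateDevices=no`, `PrivateTmp=no`, `ProtectKernelLogs=no`, `ProtectKernelModules=no` and `ReadWritePaths=` as well. The previous version put this `[Service]` section into `systemd.extraConfig`, i.e. `system.conf`, where `[Service]` is not a recognised section, so this drop-in is the first time the settings take effect and every unit's `systemd-analyze security` score drops; add a comment saying these are relaxed because the sandboxing features cannot be set up inside the LXC namespace, not merely that distrobuilder does it, and mention the change in the release notes. Also confirm that `systemd.packages` propagates a top-level `service.d/` drop-in (as opposed to a per-unit `foo.service.d/`) from the package's `/etc/systemd/system`.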
@ -129,8 +129,15 @@ in {
|
||||||
description = "LXD Container Management Daemon";
|
description = "LXD Container Management Daemon";
|
||||||
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "network-online.target" "lxcfs.service" ];
|
after = [
|
||||||
requires = [ "network-online.target" "lxd.socket" "lxcfs.service" ];
|
"network-online.target"
|
||||||
|
(mkIf config.virtualisation.lxc.lxcfs.enable "lxcfs.service")
|
||||||
|
];
|
||||||
|
requires = [
|
||||||
|
"network-online.target"
|
||||||
|
"lxd.socket"
|
||||||
|
(mkIf config.virtualisation.lxc.lxcfs.enable "lxcfs.service")
|
||||||
|
];
|
||||||
documentation = [ "man:lxd(1)" ];
|
documentation = [ "man:lxd(1)" ];
|
||||||
|
|
||||||
path = optional cfg.zfsSupport config.boot.zfs.package;
|
path = optional cfg.zfsSupport config.boot.zfs.package;
|
||||||
|
|
|
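Review bot: `(mkIf config.virtualisation.lxc.lxcfs.enable "lxcfs.service")` appears twice; `optional config.virtualisation.lxc.lxcfs.enable "lxcfs.service"` is the usual idiom for a conditional list element and avoids relying on `mkIf` being discharged inside list items. A `let lxcfs = optional ...; in` binding would keep `after` and `requires` in sync.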
@ -858,7 +858,8 @@ in
|
||||||
# If the disk image appears to be empty, run mke2fs to
|
# If the disk image appears to be empty, run mke2fs to
|
||||||
# initialise.
|
# initialise.
|
||||||
FSTYPE=$(blkid -o value -s TYPE ${cfg.bootDevice} || true)
|
FSTYPE=$(blkid -o value -s TYPE ${cfg.bootDevice} || true)
|
||||||
if test -z "$FSTYPE"; then
|
PARTTYPE=$(blkid -o value -s PTTYPE ${cfg.bootDevice} || true)
|
||||||
|
if test -z "$FSTYPE" -a -z "$PARTTYPE"; then
|
||||||
mke2fs -t ext4 ${cfg.bootDevice}
|
mke2fs -t ext4 ${cfg.bootDevice}
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
|
|
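Review bot: `if test -z "$FSTYPE" -a -z "$PARTTYPE"; then` uses the `-a` operator, which POSIX marks obsolescent and which misparses when an operand starts with `-` or `(`; write `if [ -z "$FSTYPE" ] && [ -z "$PARTTYPE" ]; then`. The extra `PTTYPE` check is a good guard against formatting over an existing partition table, but both `blkid` calls end in `|| true`, so a failing `blkid` (missing device, permission error) still yields empty strings and `mke2fs` runs; consider letting `blkid` errors abort instead.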
73
third_party/nixpkgs/nixos/modules/virtualisation/rosetta.nix
vendored
Normal file
|
@ -0,0 +1,73 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.virtualisation.rosetta;
|
||||||
|
inherit (lib) types;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
virtualisation.rosetta.enable = lib.mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
Whether to enable [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) support.
|
||||||
|
|
||||||
|
This feature requires the system to be a virtualised guest on an Apple silicon host.
|
||||||
|
|
||||||
|
The default settings are suitable for the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
|
||||||
|
Make sure to select 'Apple Virtualization' as the virtualisation engine and then tick the 'Enable Rosetta' option.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualisation.rosetta.mountPoint = lib.mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "/run/rosetta";
|
||||||
|
internal = true;
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
The mount point for the Rosetta runtime inside the guest system.
|
||||||
|
|
||||||
|
The proprietary runtime is exposed through a VirtioFS directory share and then mounted at this directory.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualisation.rosetta.mountTag = lib.mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "rosetta";
|
||||||
|
description = lib.mdDoc ''
|
||||||
|
The VirtioFS mount tag for the Rosetta runtime, exposed by the host's virtualisation software.
|
||||||
|
|
||||||
|
If supported, your virtualisation software should provide instructions on how register the Rosetta runtime inside Linux guests.
|
||||||
|
These instructions should mention the name of the mount tag used for the VirtioFS directory share that contains the Rosetta runtime.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
assertions = [
|
||||||
|
{
|
||||||
|
assertion = pkgs.stdenv.hostPlatform.isAarch64;
|
||||||
|
message = "Rosetta is only supported on aarch64 systems";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
fileSystems."${cfg.mountPoint}" = {
|
||||||
|
device = cfg.mountTag;
|
||||||
|
fsType = "virtiofs";
|
||||||
|
};
|
||||||
|
|
||||||
|
boot.binfmt.registrations.rosetta = {
|
||||||
|
interpreter = "${cfg.mountPoint}/rosetta";
|
||||||
|
|
||||||
|
# The required flags for binfmt are documented by Apple:
|
||||||
|
# https://developer.apple.com/documentation/virtualization/running_intel_binaries_in_linux_vms_with_rosetta
|
||||||
|
magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'';
|
||||||
|
mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
|
||||||
|
fixBinary = true;
|
||||||
|
matchCredentials = true;
|
||||||
|
preserveArgvZero = false;
|
||||||
|
|
||||||
|
# Remove the shell wrapper and call the runtime directly
|
||||||
|
wrapInterpreterInShell = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
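Review bot: `matchCredentials = true;` (binfmt `C` flag) together with `fixBinary = true;` (`F`) is what the linked Apple document requires, and the security consequence deserves a comment beside those two lines: with `C` a translated x86_64 binary runs with the credentials derived from the binary itself, so setuid/setgid x86_64 executables keep their privilege elevation under Rosetta, and `F` opens the interpreter once at registration so later execs do not depend on `/run/rosetta` being visible in the caller's mount namespace. Two smaller points: `how register the Rosetta runtime` in the `mountTag` description should be `how to register`, and the assertion only checks `pkgs.stdenv.hostPlatform.isAarch64` while the `enable` description also requires a virtualised guest, so on bare metal the `virtiofs` mount fails at boot; `options = [ "nofail" ]` or a clearer assertion message would help.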
@ -213,6 +213,7 @@ in {
|
||||||
fluentd = handleTest ./fluentd.nix {};
|
fluentd = handleTest ./fluentd.nix {};
|
||||||
fluidd = handleTest ./fluidd.nix {};
|
fluidd = handleTest ./fluidd.nix {};
|
||||||
fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};
|
fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};
|
||||||
|
freenet = handleTest ./freenet.nix {};
|
||||||
freeswitch = handleTest ./freeswitch.nix {};
|
freeswitch = handleTest ./freeswitch.nix {};
|
||||||
freshrss = handleTest ./freshrss.nix {};
|
freshrss = handleTest ./freshrss.nix {};
|
||||||
frr = handleTest ./frr.nix {};
|
frr = handleTest ./frr.nix {};
|
||||||
|
@ -586,6 +587,7 @@ in {
|
||||||
sourcehut = handleTest ./sourcehut.nix {};
|
sourcehut = handleTest ./sourcehut.nix {};
|
||||||
spacecookie = handleTest ./spacecookie.nix {};
|
spacecookie = handleTest ./spacecookie.nix {};
|
||||||
spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {};
|
spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {};
|
||||||
|
sqlite3-to-mysql = handleTest ./sqlite3-to-mysql.nix {};
|
||||||
sslh = handleTest ./sslh.nix {};
|
sslh = handleTest ./sslh.nix {};
|
||||||
sssd = handleTestOn ["x86_64-linux"] ./sssd.nix {};
|
sssd = handleTestOn ["x86_64-linux"] ./sssd.nix {};
|
||||||
sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {};
|
sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {};
|
||||||
|
@ -636,6 +638,7 @@ in {
|
||||||
systemd-misc = handleTest ./systemd-misc.nix {};
|
systemd-misc = handleTest ./systemd-misc.nix {};
|
||||||
tandoor-recipes = handleTest ./tandoor-recipes.nix {};
|
tandoor-recipes = handleTest ./tandoor-recipes.nix {};
|
||||||
taskserver = handleTest ./taskserver.nix {};
|
taskserver = handleTest ./taskserver.nix {};
|
||||||
|
tayga = handleTest ./tayga.nix {};
|
||||||
teeworlds = handleTest ./teeworlds.nix {};
|
teeworlds = handleTest ./teeworlds.nix {};
|
||||||
telegraf = handleTest ./telegraf.nix {};
|
telegraf = handleTest ./telegraf.nix {};
|
||||||
teleport = handleTest ./teleport.nix {};
|
teleport = handleTest ./teleport.nix {};
|
||||||
|
|
19
third_party/nixpkgs/nixos/tests/freenet.nix
vendored
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
import ./make-test-python.nix ({ pkgs, ... }: {
|
||||||
|
name = "freenet";
|
||||||
|
meta = with pkgs.lib.maintainers; {
|
||||||
|
maintainers = [ nagy ];
|
||||||
|
};
|
||||||
|
|
||||||
|
nodes = {
|
||||||
|
machine = { ... }: {
|
||||||
|
services.freenet.enable = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript = ''
|
||||||
|
machine.wait_for_unit("freenet.service")
|
||||||
|
machine.wait_for_open_port(8888)
|
||||||
|
machine.wait_until_succeeds("curl -sfL http://localhost:8888/ | grep Freenet")
|
||||||
|
machine.succeed("systemctl stop freenet")
|
||||||
|
'';
|
||||||
|
})
|
|
@ -69,6 +69,10 @@ in
|
||||||
# Wait until the export dialogue appears.
|
# Wait until the export dialogue appears.
|
||||||
machine.wait_for_window("Export")
|
machine.wait_for_window("Export")
|
||||||
machine.screenshot("MuseScore1")
|
machine.screenshot("MuseScore1")
|
||||||
|
machine.send_key("shift-tab")
|
||||||
|
machine.sleep(1)
|
||||||
|
machine.send_key("shift-tab")
|
||||||
|
machine.sleep(1)
|
||||||
machine.send_key("ret")
|
machine.send_key("ret")
|
||||||
machine.sleep(1)
|
machine.sleep(1)
|
||||||
machine.send_key("ret")
|
machine.send_key("ret")
|
||||||
|
|
16
third_party/nixpkgs/nixos/tests/php/pcre.nix
vendored
|
@ -1,7 +1,7 @@
|
||||||
let
|
let
|
||||||
testString = "can-use-subgroups";
|
testString = "can-use-subgroups";
|
||||||
in
|
in
|
||||||
import ../make-test-python.nix ({ lib, php, ... }: {
|
import ../make-test-python.nix ({ pkgs, lib, php, ... }: {
|
||||||
name = "php-${php.version}-httpd-pcre-jit-test";
|
name = "php-${php.version}-httpd-pcre-jit-test";
|
||||||
meta.maintainers = lib.teams.php.members;
|
meta.maintainers = lib.teams.php.members;
|
||||||
|
|
||||||
|
@ -31,12 +31,22 @@ import ../make-test-python.nix ({ lib, php, ... }: {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
testScript = { ... }:
|
testScript = let
|
||||||
''
|
# PCRE JIT SEAlloc feature does not play well with fork()
|
||||||
|
# The feature needs to either be disabled or PHP configured correctly
|
||||||
|
# More information in https://bugs.php.net/bug.php?id=78927 and https://bugs.php.net/bug.php?id=78630
|
||||||
|
pcreJitSeallocForkIssue = pkgs.writeText "pcre-jit-sealloc-issue.php" ''
|
||||||
|
<?php
|
||||||
|
preg_match('/nixos/', 'nixos');
|
||||||
|
$pid = pcntl_fork();
|
||||||
|
pcntl_wait($pid);
|
||||||
|
'';
|
||||||
|
in ''
|
||||||
machine.wait_for_unit("httpd.service")
|
machine.wait_for_unit("httpd.service")
|
||||||
# Ensure php evaluation by matching on the var_dump syntax
|
# Ensure php evaluation by matching on the var_dump syntax
|
||||||
response = machine.succeed("curl -fvvv -s http://127.0.0.1:80/index.php")
|
response = machine.succeed("curl -fvvv -s http://127.0.0.1:80/index.php")
|
||||||
expected = 'string(${toString (builtins.stringLength testString)}) "${testString}"'
|
expected = 'string(${toString (builtins.stringLength testString)}) "${testString}"'
|
||||||
assert expected in response, "Does not appear to be able to use subgroups."
|
assert expected in response, "Does not appear to be able to use subgroups."
|
||||||
|
machine.succeed("${php}/bin/php -f ${pcreJitSeallocForkIssue}")
|
||||||
'';
|
'';
|
||||||
})
|
})
|
||||||
|
|
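Review bot: in `pcreJitSeallocForkIssue`, `pcntl_wait($pid);` passes the child pid where `pcntl_wait()` expects its by-reference status parameter, so `$pid` is overwritten with the status; `pcntl_waitpid($pid, $status);` is what was meant. The child returned by `pcntl_fork()` also never exits, so both processes fall through to the same wait call and `machine.succeed` only sees the parent's status; add `if ($pid === 0) { exit(0); }` after the fork so the script exercises one clean fork/wait pair as the linked bug reports describe.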
57
third_party/nixpkgs/nixos/tests/pinnwand.nix
vendored
|
@ -1,27 +1,7 @@
|
||||||
import ./make-test-python.nix ({ pkgs, ...}:
|
import ./make-test-python.nix ({ pkgs, ...}:
|
||||||
let
|
let
|
||||||
pythonEnv = pkgs.python3.withPackages (py: with py; [ appdirs toml ]);
|
|
||||||
|
|
||||||
port = 8000;
|
port = 8000;
|
||||||
baseUrl = "http://server:${toString port}";
|
baseUrl = "http://server:${toString port}";
|
||||||
|
|
||||||
configureSteck = pkgs.writeScript "configure.py" ''
|
|
||||||
#!${pythonEnv.interpreter}
|
|
||||||
import appdirs
|
|
||||||
import toml
|
|
||||||
import os
|
|
||||||
|
|
||||||
CONFIG = {
|
|
||||||
"base": "${baseUrl}/",
|
|
||||||
"confirm": False,
|
|
||||||
"magic": True,
|
|
||||||
"ignore": True
|
|
||||||
}
|
|
||||||
|
|
||||||
os.makedirs(appdirs.user_config_dir('steck'))
|
|
||||||
with open(os.path.join(appdirs.user_config_dir('steck'), 'steck.toml'), "w") as fd:
|
|
||||||
toml.dump(CONFIG, fd)
|
|
||||||
'';
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
name = "pinnwand";
|
name = "pinnwand";
|
||||||
|
@ -44,7 +24,32 @@ in
|
||||||
|
|
||||||
client = { pkgs, ... }:
|
client = { pkgs, ... }:
|
||||||
{
|
{
|
||||||
environment.systemPackages = [ pkgs.steck ];
|
environment.systemPackages = [
|
||||||
|
pkgs.steck
|
||||||
|
|
||||||
|
(pkgs.writers.writePython3Bin "setup-steck.py" {
|
||||||
|
libraries = with pkgs.python3.pkgs; [ appdirs toml ];
|
||||||
|
flakeIgnore = [
|
||||||
|
"E501"
|
||||||
|
];
|
||||||
|
}
|
||||||
|
''
|
||||||
|
import appdirs
|
||||||
|
import toml
|
||||||
|
import os
|
||||||
|
|
||||||
|
CONFIG = {
|
||||||
|
"base": "${baseUrl}/",
|
||||||
|
"confirm": False,
|
||||||
|
"magic": True,
|
||||||
|
"ignore": True
|
||||||
|
}
|
||||||
|
|
||||||
|
os.makedirs(appdirs.user_config_dir('steck'))
|
||||||
|
with open(os.path.join(appdirs.user_config_dir('steck'), 'steck.toml'), "w") as fd:
|
||||||
|
toml.dump(CONFIG, fd)
|
||||||
|
'')
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
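Review bot: `os.makedirs(appdirs.user_config_dir('steck'))` raises `FileExistsError` if the directory already exists, which makes `setup-steck.py` non-idempotent; `os.makedirs(..., exist_ok=True)` avoids that. Since the script is now a `writePython3Bin` with flake8 enabled, `flakeIgnore = [ "E501" ]` can be dropped by wrapping the long `with open(...)` line instead of suppressing the check.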
@ -55,7 +60,7 @@ in
|
||||||
client.wait_for_unit("network.target")
|
client.wait_for_unit("network.target")
|
||||||
|
|
||||||
# create steck.toml config file
|
# create steck.toml config file
|
||||||
client.succeed("${configureSteck}")
|
client.succeed("setup-steck.py")
|
||||||
|
|
||||||
# wait until the server running pinnwand is reachable
|
# wait until the server running pinnwand is reachable
|
||||||
client.wait_until_succeeds("ping -c1 server")
|
client.wait_until_succeeds("ping -c1 server")
|
||||||
|
@ -75,12 +80,6 @@ in
|
||||||
if line.startswith("Removal link:"):
|
if line.startswith("Removal link:"):
|
||||||
removal_link = line.split(":", 1)[1]
|
removal_link = line.split(":", 1)[1]
|
||||||
|
|
||||||
|
|
||||||
# start the reaper, it shouldn't do anything meaningful here
|
|
||||||
server.systemctl("start pinnwand-reaper.service")
|
|
||||||
server.wait_until_fails("systemctl is-active -q pinnwand-reaper.service")
|
|
||||||
server.log(server.execute("journalctl -u pinnwand-reaper -e --no-pager")[1])
|
|
||||||
|
|
||||||
# check whether paste matches what we sent
|
# check whether paste matches what we sent
|
||||||
client.succeed(f"curl {raw_url} > /tmp/machine-id")
|
client.succeed(f"curl {raw_url} > /tmp/machine-id")
|
||||||
client.succeed("diff /tmp/machine-id /etc/machine-id")
|
client.succeed("diff /tmp/machine-id /etc/machine-id")
|
||||||
|
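Review bot: removing the `pinnwand-reaper.service` start, `wait_until_fails("systemctl is-active ...")` and journal dump drops the only coverage of the reaper unit in this test; if it was removed because the unit is flaky or no longer exists, say so in the commit message, otherwise keep at least the start and the `is-active` check.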
@ -89,6 +88,6 @@ in
|
||||||
client.succeed(f"curl {removal_link}")
|
client.succeed(f"curl {removal_link}")
|
||||||
client.fail(f"curl --fail {raw_url}")
|
client.fail(f"curl --fail {raw_url}")
|
||||||
|
|
||||||
server.log(server.succeed("systemd-analyze security pinnwand"))
|
server.log(server.execute("systemd-analyze security pinnwand | grep '✗'")[1])
|
||||||
'';
|
'';
|
||||||
})
|
})
|
||||||
|
|
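Review bot: `server.log(server.execute("systemd-analyze security pinnwand | grep '✗'")[1])` no longer fails the test on a non-zero exit (the previous `server.succeed(...)` did), and `grep` exits 1 when there are no `✗` lines, so the hardening check has become informational only. If the intent is to keep pinnwand's unit hardening under test, assert on the exposure score instead, e.g. `server.succeed("systemd-analyze security --threshold=<limit> pinnwand")`, and keep the `✗` listing as a log line.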
62
third_party/nixpkgs/nixos/tests/restic.nix
vendored
|
@ -2,9 +2,8 @@ import ./make-test-python.nix (
|
||||||
{ pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
password = "some_password";
|
remoteRepository = "/tmp/restic-backup";
|
||||||
repository = "/tmp/restic-backup";
|
remoteFromFileRepository = "/tmp/restic-backup-from-file";
|
||||||
repositoryFile = "${pkgs.writeText "repositoryFile" "/tmp/restic-backup-from-file"}";
|
|
||||||
rcloneRepository = "rclone:local:/tmp/restic-rclone-backup";
|
rcloneRepository = "rclone:local:/tmp/restic-rclone-backup";
|
||||||
|
|
||||||
backupPrepareCommand = ''
|
backupPrepareCommand = ''
|
||||||
|
@ -18,7 +17,6 @@ import ./make-test-python.nix (
|
||||||
'';
|
'';
|
||||||
|
|
||||||
passwordFile = "${pkgs.writeText "password" "correcthorsebatterystaple"}";
|
passwordFile = "${pkgs.writeText "password" "correcthorsebatterystaple"}";
|
||||||
initialize = true;
|
|
||||||
paths = [ "/opt" ];
|
paths = [ "/opt" ];
|
||||||
pruneOpts = [
|
pruneOpts = [
|
||||||
"--keep-daily 2"
|
"--keep-daily 2"
|
||||||
|
@ -40,12 +38,18 @@ import ./make-test-python.nix (
|
||||||
{
|
{
|
||||||
services.restic.backups = {
|
services.restic.backups = {
|
||||||
remotebackup = {
|
remotebackup = {
|
||||||
inherit repository passwordFile initialize paths pruneOpts backupPrepareCommand backupCleanupCommand;
|
inherit passwordFile paths pruneOpts backupPrepareCommand backupCleanupCommand;
|
||||||
|
repository = remoteRepository;
|
||||||
|
initialize = true;
|
||||||
};
|
};
|
||||||
remotebackup-from-file = {
|
remote-from-file-backup = {
|
||||||
inherit repositoryFile passwordFile initialize paths pruneOpts;
|
inherit passwordFile paths pruneOpts;
|
||||||
|
initialize = true;
|
||||||
|
repositoryFile = pkgs.writeText "repositoryFile" remoteFromFileRepository;
|
||||||
};
|
};
|
||||||
rclonebackup = {
|
rclonebackup = {
|
||||||
|
inherit passwordFile paths pruneOpts;
|
||||||
|
initialize = true;
|
||||||
repository = rcloneRepository;
|
repository = rcloneRepository;
|
||||||
rcloneConfig = {
|
rcloneConfig = {
|
||||||
type = "local";
|
type = "local";
|
||||||
|
@ -57,14 +61,15 @@ import ./make-test-python.nix (
|
||||||
[local]
|
[local]
|
||||||
type=ftp
|
type=ftp
|
||||||
'';
|
'';
|
||||||
inherit passwordFile initialize paths pruneOpts;
|
|
||||||
};
|
};
|
||||||
remoteprune = {
|
remoteprune = {
|
||||||
inherit repository passwordFile;
|
inherit passwordFile;
|
||||||
|
repository = remoteRepository;
|
||||||
pruneOpts = [ "--keep-last 1" ];
|
pruneOpts = [ "--keep-last 1" ];
|
||||||
};
|
};
|
||||||
custompackage = {
|
custompackage = {
|
||||||
inherit repository passwordFile paths;
|
inherit passwordFile paths;
|
||||||
|
repository = "some-fake-repository";
|
||||||
package = pkgs.writeShellScriptBin "restic" ''
|
package = pkgs.writeShellScriptBin "restic" ''
|
||||||
echo "$@" >> /tmp/fake-restic.log;
|
echo "$@" >> /tmp/fake-restic.log;
|
||||||
'';
|
'';
|
||||||
|
@ -82,50 +87,69 @@ import ./make-test-python.nix (
|
||||||
server.start()
|
server.start()
|
||||||
server.wait_for_unit("dbus.socket")
|
server.wait_for_unit("dbus.socket")
|
||||||
server.fail(
|
server.fail(
|
||||||
"${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots",
|
"${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots",
|
||||||
'${pkgs.restic}/bin/restic --repository-file ${repositoryFile} -p ${passwordFile} snapshots"',
|
'${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots"',
|
||||||
"${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots",
|
"${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots",
|
||||||
"grep 'backup .* /opt' /tmp/fake-restic.log",
|
"grep 'backup .* /opt' /tmp/fake-restic.log",
|
||||||
)
|
)
|
||||||
server.succeed(
|
server.succeed(
|
||||||
|
# set up
|
||||||
"mkdir -p /opt",
|
"mkdir -p /opt",
|
||||||
"touch /opt/some_file",
|
"touch /opt/some_file",
|
||||||
"mkdir -p /tmp/restic-rclone-backup",
|
"mkdir -p /tmp/restic-rclone-backup",
|
||||||
|
|
||||||
|
# test that remotebackup runs custom commands and produces a snapshot
|
||||||
"timedatectl set-time '2016-12-13 13:45'",
|
"timedatectl set-time '2016-12-13 13:45'",
|
||||||
"systemctl start restic-backups-remotebackup.service",
|
"systemctl start restic-backups-remotebackup.service",
|
||||||
"rm /opt/backupCleanupCommand",
|
"rm /opt/backupCleanupCommand",
|
||||||
"systemctl start restic-backups-remotebackup-from-file.service",
|
'${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
|
||||||
|
|
||||||
|
# test that remote-from-file-backup produces a snapshot
|
||||||
|
"systemctl start restic-backups-remote-from-file-backup.service",
|
||||||
|
'${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
|
||||||
|
|
||||||
|
# test that rclonebackup produces a snapshot
|
||||||
"systemctl start restic-backups-rclonebackup.service",
|
"systemctl start restic-backups-rclonebackup.service",
|
||||||
'${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"',
|
'${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
|
||||||
'${pkgs.restic}/bin/restic --repository-file ${repositoryFile} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"',
|
|
||||||
'${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"',
|
# test that custompackage runs both `restic backup` and `restic check` with reasonable commandlines
|
||||||
"systemctl start restic-backups-custompackage.service",
|
"systemctl start restic-backups-custompackage.service",
|
||||||
"grep 'backup .* /opt' /tmp/fake-restic.log",
|
"grep 'backup .* /opt' /tmp/fake-restic.log",
|
||||||
"grep 'check .* --some-check-option' /tmp/fake-restic.log",
|
"grep 'check .* --some-check-option' /tmp/fake-restic.log",
|
||||||
|
|
||||||
|
# test that we can create four snapshots in remotebackup and rclonebackup
|
||||||
"timedatectl set-time '2017-12-13 13:45'",
|
"timedatectl set-time '2017-12-13 13:45'",
|
||||||
"systemctl start restic-backups-remotebackup.service",
|
"systemctl start restic-backups-remotebackup.service",
|
||||||
"rm /opt/backupCleanupCommand",
|
"rm /opt/backupCleanupCommand",
|
||||||
"systemctl start restic-backups-rclonebackup.service",
|
"systemctl start restic-backups-rclonebackup.service",
|
||||||
|
|
||||||
"timedatectl set-time '2018-12-13 13:45'",
|
"timedatectl set-time '2018-12-13 13:45'",
|
||||||
"systemctl start restic-backups-remotebackup.service",
|
"systemctl start restic-backups-remotebackup.service",
|
||||||
"rm /opt/backupCleanupCommand",
|
"rm /opt/backupCleanupCommand",
|
||||||
"systemctl start restic-backups-rclonebackup.service",
|
"systemctl start restic-backups-rclonebackup.service",
|
||||||
|
|
||||||
"timedatectl set-time '2018-12-14 13:45'",
|
"timedatectl set-time '2018-12-14 13:45'",
|
||||||
"systemctl start restic-backups-remotebackup.service",
|
"systemctl start restic-backups-remotebackup.service",
|
||||||
"rm /opt/backupCleanupCommand",
|
"rm /opt/backupCleanupCommand",
|
||||||
"systemctl start restic-backups-rclonebackup.service",
|
"systemctl start restic-backups-rclonebackup.service",
|
||||||
|
|
||||||
"timedatectl set-time '2018-12-15 13:45'",
|
"timedatectl set-time '2018-12-15 13:45'",
|
||||||
"systemctl start restic-backups-remotebackup.service",
|
"systemctl start restic-backups-remotebackup.service",
|
||||||
"rm /opt/backupCleanupCommand",
|
"rm /opt/backupCleanupCommand",
|
||||||
"systemctl start restic-backups-rclonebackup.service",
|
"systemctl start restic-backups-rclonebackup.service",
|
||||||
|
|
||||||
"timedatectl set-time '2018-12-16 13:45'",
|
"timedatectl set-time '2018-12-16 13:45'",
|
||||||
"systemctl start restic-backups-remotebackup.service",
|
"systemctl start restic-backups-remotebackup.service",
|
||||||
"rm /opt/backupCleanupCommand",
|
"rm /opt/backupCleanupCommand",
|
||||||
"systemctl start restic-backups-rclonebackup.service",
|
"systemctl start restic-backups-rclonebackup.service",
|
||||||
'${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^4 snapshot"',
|
|
||||||
'${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots -c | grep -e "^4 snapshot"',
|
'${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"',
|
||||||
|
'${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"',
|
||||||
|
|
||||||
|
# test that remoteprune brings us back to 1 snapshot in remotebackup
|
||||||
"systemctl start restic-backups-remoteprune.service",
|
"systemctl start restic-backups-remoteprune.service",
|
||||||
'${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"',
|
'${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
|
||||||
|
|
||||||
)
|
)
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
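Review bot: the snapshot-count assertions are vacuous: `jq "length | . == 1"` and `jq "length | . == 4"` print `true` or `false` but exit 0 either way, so every `restic ... snapshots --json | ${pkgs.jq}/bin/jq ...` entry inside `server.succeed(` passes whatever the count is. Use `jq -e "length | . == 1"` (and `. == 4`) so a `false` result yields exit status 1 and the pipeline fails. Separately, the stray `"` in `'${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots"'`, carried over from the old line, makes that `server.fail` entry fail on an unterminated shell quote rather than on the missing repository, so it also checks nothing; drop the quote.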
65
third_party/nixpkgs/nixos/tests/sqlite3-to-mysql.nix
vendored
Normal file
|
@ -0,0 +1,65 @@
|
||||||
|
import ./make-test-python.nix ({ pkgs, lib, ... }:
|
||||||
|
|
||||||
|
/*
|
||||||
|
This test suite replaces the typical pytestCheckHook function in
|
||||||
|
sqlite3-to-mysql due to the need of a running mysql instance.
|
||||||
|
*/
|
||||||
|
|
||||||
|
{
|
||||||
|
name = "sqlite3-to-mysql";
|
||||||
|
meta.maintainers = with lib.maintainers; [ gador ];
|
||||||
|
|
||||||
|
nodes.machine = { pkgs, ... }: {
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
sqlite3-to-mysql
|
||||||
|
# create one coherent python environment
|
||||||
|
(python3.withPackages
|
||||||
|
(ps: sqlite3-to-mysql.propagatedBuildInputs ++
|
||||||
|
[
|
||||||
|
python3Packages.pytest
|
||||||
|
python3Packages.pytest-mock
|
||||||
|
python3Packages.pytest-timeout
|
||||||
|
python3Packages.factory_boy
|
||||||
|
python3Packages.docker # only needed so import does not fail
|
||||||
|
sqlite3-to-mysql
|
||||||
|
])
|
||||||
|
)
|
||||||
|
];
|
||||||
|
services.mysql = {
|
||||||
|
package = pkgs.mariadb;
|
||||||
|
enable = true;
|
||||||
|
# from https://github.com/techouse/sqlite3-to-mysql/blob/master/tests/conftest.py
|
||||||
|
# and https://github.com/techouse/sqlite3-to-mysql/blob/master/.github/workflows/test.yml
|
||||||
|
initialScript = pkgs.writeText "mysql-init.sql" ''
|
||||||
|
create database test_db DEFAULT CHARACTER SET utf8mb4;
|
||||||
|
create user tester identified by 'testpass';
|
||||||
|
grant all on test_db.* to tester;
|
||||||
|
create user tester@localhost identified by 'testpass';
|
||||||
|
grant all on test_db.* to tester@localhost;
|
||||||
|
'';
|
||||||
|
settings = {
|
||||||
|
mysqld = {
|
||||||
|
character-set-server = "utf8mb4";
|
||||||
|
collation-server = "utf8mb4_unicode_ci";
|
||||||
|
log_warnings = 1;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript = ''
|
||||||
|
machine.wait_for_unit("mysql")
|
||||||
|
|
||||||
|
machine.succeed(
|
||||||
|
"sqlite3mysql --version | grep ${pkgs.sqlite3-to-mysql.version}"
|
||||||
|
)
|
||||||
|
|
||||||
|
# invalid_database_name: assert '1045 (28000): Access denied' in "1044 (42000): Access denied [...]
|
||||||
|
# invalid_database_user: does not return non-zero exit for some reason
|
||||||
|
# test_version: has problems importing sqlite3_to_mysql and determining the version
|
||||||
|
machine.succeed(
|
||||||
|
"cd ${pkgs.sqlite3-to-mysql.src} \
|
||||||
|
&& pytest -v --no-docker -k \"not test_invalid_database_name and not test_invalid_database_user and not test_version\""
|
||||||
|
)
|
||||||
|
'';
|
||||||
|
})
|
|
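Review bot: the `withPackages` list mixes package sets: `ps` is the function argument, but the test dependencies are taken from the outer `python3Packages` (`python3Packages.pytest`, `python3Packages.pytest-mock`, ...) alongside `sqlite3-to-mysql.propagatedBuildInputs`; use `ps.pytest`, `ps.pytest-mock` and so on so every module comes from the same interpreter and a future `python3`/`python3Packages` divergence cannot produce duplicated or mismatched modules. Also, `cd ${pkgs.sqlite3-to-mysql.src} && pytest ...` runs pytest inside a read-only store path, so pytest will warn that it cannot create `.pytest_cache`; pass `-p no:cacheprovider` or copy the sources to a writable directory first.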
@ -26,8 +26,7 @@ import ../make-test-python.nix ({ pkgs, ... }:
|
||||||
# test rebinding encrypted pool
|
# test rebinding encrypted pool
|
||||||
machine.succeed("stratis pool rebind keyring testpool testkey2")
|
machine.succeed("stratis pool rebind keyring testpool testkey2")
|
||||||
# test restarting encrypted pool
|
# test restarting encrypted pool
|
||||||
uuid = machine.succeed("stratis pool list | grep -oE '[0-9a-fA-F-]{36}'").rstrip('\n')
|
|
||||||
machine.succeed("stratis pool stop testpool")
|
machine.succeed("stratis pool stop testpool")
|
||||||
machine.succeed(f"stratis pool start {uuid} --unlock-method keyring")
|
machine.succeed("stratis pool start --name testpool --unlock-method keyring")
|
||||||
'';
|
'';
|
||||||
})
|
})
|
||||||
|
|
235
third_party/nixpkgs/nixos/tests/tayga.nix
vendored
Normal file
|
@ -0,0 +1,235 @@
|
||||||
|
# This test verifies that we can ping an IPv4-only server from an IPv6-only
|
||||||
|
# client via a NAT64 router. The hosts and networks are configured as follows:
|
||||||
|
#
|
||||||
|
# +------
|
||||||
|
# Client | eth1 Address: 2001:db8::2/64
|
||||||
|
# | | Route: 64:ff9b::/96 via 2001:db8::1
|
||||||
|
# +--|---
|
||||||
|
# | VLAN 3
|
||||||
|
# +--|---
|
||||||
|
# | eth2 Address: 2001:db8::1/64
|
||||||
|
# Router |
|
||||||
|
# | nat64 Address: 64:ff9b::1/128
|
||||||
|
# | Route: 64:ff9b::/96
|
||||||
|
# | Address: 192.0.2.0/32
|
||||||
|
# | Route: 192.0.2.0/24
|
||||||
|
# |
|
||||||
|
# | eth1 Address: 100.64.0.1/24
|
||||||
|
# +--|---
|
||||||
|
# | VLAN 2
|
||||||
|
# +--|---
|
||||||
|
# Server | eth1 Address: 100.64.0.2/24
|
||||||
|
# | Route: 192.0.2.0/24 via 100.64.0.1
|
||||||
|
# +------
|
||||||
|
|
||||||
|
import ./make-test-python.nix ({ pkgs, lib, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
name = "tayga";
|
||||||
|
meta = with pkgs.lib.maintainers; {
|
||||||
|
maintainers = [ hax404 ];
|
||||||
|
};
|
||||||
|
|
||||||
|
nodes = {
|
||||||
|
# The server is configured with static IPv4 addresses. RFC 6052 Section 3.1
|
||||||
|
# disallows the mapping of non-global IPv4 addresses like RFC 1918 into the
|
||||||
|
# Well-Known Prefix 64:ff9b::/96. TAYGA also does not allow the mapping of
|
||||||
|
# documentation space (RFC 5737). To circumvent this, 100.64.0.2/24 from
|
||||||
|
# RFC 6589 (Carrier Grade NAT) is used here.
|
||||||
|
# To reach the IPv4 address pool of the NAT64 gateway, there is a static
|
||||||
|
# route configured. In normal cases, where the router would also source NAT
|
||||||
|
# the pool addresses to one IPv4 addresses, this would not be needed.
|
||||||
|
server = {
|
||||||
|
virtualisation.vlans = [
|
||||||
|
2 # towards router
|
||||||
|
];
|
||||||
|
networking = {
|
||||||
|
useDHCP = false;
|
||||||
|
interfaces.eth1 = lib.mkForce {};
|
||||||
|
};
|
||||||
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
networks."vlan1" = {
|
||||||
|
matchConfig.Name = "eth1";
|
||||||
|
address = [
|
||||||
|
"100.64.0.2/24"
|
||||||
|
];
|
||||||
|
routes = [
|
||||||
|
{ routeConfig = { Destination = "192.0.2.0/24"; Gateway = "100.64.0.1"; }; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# The router is configured with static IPv4 addresses towards the server
|
||||||
|
# and IPv6 addresses towards the client. For NAT64, the Well-Known prefix
|
||||||
|
# 64:ff9b::/96 is used. NAT64 is done with TAYGA which provides the
|
||||||
|
# tun-interface nat64 and does the translation over it. The IPv6 packets
|
||||||
|
# are sent to this interfaces and received as IPv4 packets and vice versa.
|
||||||
|
# As TAYGA only translates IPv6 addresses to dedicated IPv4 addresses, it
|
||||||
|
# needs a pool of IPv4 addresses which must be at least as big as the
|
||||||
|
# expected amount of clients. In this test, the packets from the pool are
|
||||||
|
# directly routed towards the client. In normal cases, there would be a
|
||||||
|
# second source NAT44 to map all clients behind one IPv4 address.
|
||||||
|
router_systemd = {
|
||||||
|
boot.kernel.sysctl = {
|
||||||
|
"net.ipv4.ip_forward" = 1;
|
||||||
|
"net.ipv6.conf.all.forwarding" = 1;
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualisation.vlans = [
|
||||||
|
2 # towards server
|
||||||
|
3 # towards client
|
||||||
|
];
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
useDHCP = false;
|
||||||
|
useNetworkd = true;
|
||||||
|
firewall.enable = false;
|
||||||
|
interfaces.eth1 = lib.mkForce {
|
||||||
|
ipv4 = {
|
||||||
|
addresses = [ { address = "100.64.0.1"; prefixLength = 24; } ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
interfaces.eth2 = lib.mkForce {
|
||||||
|
ipv6 = {
|
||||||
|
addresses = [ { address = "2001:db8::1"; prefixLength = 64; } ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.tayga = {
|
||||||
|
enable = true;
|
||||||
|
ipv4 = {
|
||||||
|
address = "192.0.2.0";
|
||||||
|
router = {
|
||||||
|
address = "192.0.2.1";
|
||||||
|
};
|
||||||
|
pool = {
|
||||||
|
address = "192.0.2.0";
|
||||||
|
prefixLength = 24;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
ipv6 = {
|
||||||
|
address = "2001:db8::1";
|
||||||
|
router = {
|
||||||
|
address = "64:ff9b::1";
|
||||||
|
};
|
||||||
|
pool = {
|
||||||
|
address = "64:ff9b::";
|
||||||
|
prefixLength = 96;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
router_nixos = {
|
||||||
|
boot.kernel.sysctl = {
|
||||||
|
"net.ipv4.ip_forward" = 1;
|
||||||
|
"net.ipv6.conf.all.forwarding" = 1;
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualisation.vlans = [
|
||||||
|
2 # towards server
|
||||||
|
3 # towards client
|
||||||
|
];
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
useDHCP = false;
|
||||||
|
firewall.enable = false;
|
||||||
|
interfaces.eth1 = lib.mkForce {
|
||||||
|
ipv4 = {
|
||||||
|
addresses = [ { address = "100.64.0.1"; prefixLength = 24; } ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
interfaces.eth2 = lib.mkForce {
|
||||||
|
ipv6 = {
|
||||||
|
addresses = [ { address = "2001:db8::1"; prefixLength = 64; } ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.tayga = {
|
||||||
|
enable = true;
|
||||||
|
ipv4 = {
|
||||||
|
address = "192.0.2.0";
|
||||||
|
router = {
|
||||||
|
address = "192.0.2.1";
|
||||||
|
};
|
||||||
|
pool = {
|
||||||
|
address = "192.0.2.0";
|
||||||
|
prefixLength = 24;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
ipv6 = {
|
||||||
|
address = "2001:db8::1";
|
||||||
|
router = {
|
||||||
|
address = "64:ff9b::1";
|
||||||
|
};
|
||||||
|
pool = {
|
||||||
|
address = "64:ff9b::";
|
||||||
|
prefixLength = 96;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# The client is configured with static IPv6 addresses. It has also a static
|
||||||
|
# route for the NAT64 IP space where the IPv4 addresses are mapped in. In
|
||||||
|
# normal cases, there would be only a default route.
|
||||||
|
client = {
|
||||||
|
virtualisation.vlans = [
|
||||||
|
3 # towards router
|
||||||
|
];
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
useDHCP = false;
|
||||||
|
interfaces.eth1 = lib.mkForce {};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
networks."vlan1" = {
|
||||||
|
matchConfig.Name = "eth1";
|
||||||
|
address = [
|
||||||
|
"2001:db8::2/64"
|
||||||
|
];
|
||||||
|
routes = [
|
||||||
|
{ routeConfig = { Destination = "64:ff9b::/96"; Gateway = "2001:db8::1"; }; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
environment.systemPackages = [ pkgs.mtr ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript = ''
|
||||||
|
# start client and server
|
||||||
|
for machine in client, server:
|
||||||
|
machine.wait_for_unit("network-online.target")
|
||||||
|
machine.log(machine.execute("ip addr")[1])
|
||||||
|
machine.log(machine.execute("ip route")[1])
|
||||||
|
machine.log(machine.execute("ip -6 route")[1])
|
||||||
|
|
||||||
|
# test systemd-networkd and nixos-scripts based router
|
||||||
|
for router in router_systemd, router_nixos:
|
||||||
|
router.start()
|
||||||
|
router.wait_for_unit("network-online.target")
|
||||||
|
router.wait_for_unit("tayga.service")
|
||||||
|
router.log(machine.execute("ip addr")[1])
|
||||||
|
router.log(machine.execute("ip route")[1])
|
||||||
|
router.log(machine.execute("ip -6 route")[1])
|
||||||
|
|
||||||
|
with subtest("Wait for tayga"):
|
||||||
|
router.wait_for_unit("tayga.service")
|
||||||
|
|
||||||
|
with subtest("Test ICMP"):
|
||||||
|
client.wait_until_succeeds("ping -c 3 64:ff9b::100.64.0.2 >&2")
|
||||||
|
|
||||||
|
with subtest("Test ICMP and show a traceroute"):
|
||||||
|
client.wait_until_succeeds("mtr --show-ips --report-wide 64:ff9b::100.64.0.2 >&2")
|
||||||
|
|
||||||
|
router.log(router.execute("systemd-analyze security tayga.service")[1])
|
||||||
|
router.shutdown()
|
||||||
|
'';
|
||||||
|
})
|
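Review bot: the router loop logs the wrong machine: `router.log(machine.execute("ip addr")[1])`, `router.log(machine.execute("ip route")[1])` and `router.log(machine.execute("ip -6 route")[1])` use `machine`, which is the leftover value of the earlier `for machine in client, server` loop, so the router's own addresses and routes never appear in the log; these should be `router.execute(...)`. Two smaller points: the comment `# RFC 6589 (Carrier Grade NAT)` should read RFC 6598 (the 100.64.0.0/10 shared address space), and `with subtest("Wait for tayga"): router.wait_for_unit("tayga.service")` repeats the wait done a few lines above and can be dropped.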
2
third_party/nixpkgs/nixos/tests/vector.nix
vendored
|
@ -21,7 +21,7 @@ with pkgs.lib;
|
||||||
type = "file";
|
type = "file";
|
||||||
inputs = [ "journald" ];
|
inputs = [ "journald" ];
|
||||||
path = "/var/lib/vector/logs.log";
|
path = "/var/lib/vector/logs.log";
|
||||||
encoding = { codec = "ndjson"; };
|
encoding = { codec = "json"; };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -28,8 +28,8 @@ let
|
||||||
messagebus:x:1:
|
messagebus:x:1:
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
"${pkgs.dbus.daemon}/bin/dbus-daemon" --fork \
|
"${pkgs.dbus}/bin/dbus-daemon" --fork \
|
||||||
--config-file="${pkgs.dbus.daemon}/share/dbus-1/system.conf"
|
--config-file="${pkgs.dbus}/share/dbus-1/system.conf"
|
||||||
|
|
||||||
${guestAdditions}/bin/VBoxService
|
${guestAdditions}/bin/VBoxService
|
||||||
${(attrs.vmScript or (const "")) pkgs}
|
${(attrs.vmScript or (const "")) pkgs}
|
||||||
|
|
56
third_party/nixpkgs/pkgs/applications/audio/aaxtomp3/default.nix
vendored
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
{ coreutils
|
||||||
|
, fetchFromGitHub
|
||||||
|
, ffmpeg
|
||||||
|
, findutils
|
||||||
|
, gnugrep
|
||||||
|
, gnused
|
||||||
|
, jq
|
||||||
|
, lame
|
||||||
|
, lib
|
||||||
|
, makeWrapper
|
||||||
|
, mediainfo
|
||||||
|
, mp4v2
|
||||||
|
, stdenv
|
||||||
|
}:
|
||||||
|
let
|
||||||
|
runtimeInputs = [
|
||||||
|
coreutils
|
||||||
|
ffmpeg
|
||||||
|
findutils
|
||||||
|
gnugrep
|
||||||
|
gnused
|
||||||
|
jq
|
||||||
|
lame
|
||||||
|
mediainfo
|
||||||
|
mp4v2
|
||||||
|
];
|
||||||
|
in
|
||||||
|
stdenv.mkDerivation rec {
|
||||||
|
pname = "aaxtomp3";
|
||||||
|
version = "1.3";
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "krumpetpirate";
|
||||||
|
repo = pname;
|
||||||
|
rev = "v${version}";
|
||||||
|
hash = "sha256-7a9ZVvobWH/gPxa3cFiPL+vlu8h1Dxtcq0trm3HzlQg=";
|
||||||
|
};
|
||||||
|
|
||||||
|
dontBuild = false;
|
||||||
|
|
||||||
|
nativeBuildInputs = [ makeWrapper ];
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
install -Dm755 AAXtoMP3 $out/bin/aaxtomp3
|
||||||
|
wrapProgram $out/bin/aaxtomp3 --prefix PATH : ${lib.makeBinPath runtimeInputs}
|
||||||
|
install -Dm755 interactiveAAXtoMP3 $out/bin/interactiveaaxtomp3
|
||||||
|
wrapProgram $out/bin/interactiveaaxtomp3 --prefix PATH : ${lib.makeBinPath runtimeInputs}
|
||||||
|
'';
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
description = "Convert Audible's .aax filetype to MP3, FLAC, M4A, or OPUS";
|
||||||
|
homepage = "https://krumpetpirate.github.io/AAXtoMP3";
|
||||||
|
license = licenses.wtfpl;
|
||||||
|
maintainers = with maintainers; [ urandom ];
|
||||||
|
};
|
||||||
|
}
|
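Review bot: `dontBuild = false;` is the default and reads as if a build step were expected for a shell script; drop it, since the default buildPhase is already a no-op when there is no Makefile. `repo = pname;` also relies on GitHub's case-insensitive redirect because the upstream repository is spelled `AAXtoMP3` (as the installed file names and the homepage show); spell the repository name literally so the fetch does not depend on that behaviour.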
|
@ -18,7 +18,7 @@
|
||||||
|
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
pname = "csound";
|
pname = "csound";
|
||||||
version = "6.17.0";
|
version = "6.18.1";
|
||||||
|
|
||||||
hardeningDisable = [ "format" ];
|
hardeningDisable = [ "format" ];
|
||||||
|
|
||||||
|
@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
|
||||||
owner = "csound";
|
owner = "csound";
|
||||||
repo = "csound";
|
repo = "csound";
|
||||||
rev = version;
|
rev = version;
|
||||||
sha256 = "sha256-O19jm3JxHg4TcQzWQZu1uFjfYN2FR41fCRq5YGnTGD0=";
|
sha256 = "sha256-O7s92N54+zIl07eIdK/puoSve/qJ3O01fTh0TP+VdZA=";
|
||||||
};
|
};
|
||||||
|
|
||||||
cmakeFlags = [ "-DBUILD_CSOUND_AC=0" ] # fails to find Score.hpp
|
cmakeFlags = [ "-DBUILD_CSOUND_AC=0" ] # fails to find Score.hpp
|
||||||
|
|
47
third_party/nixpkgs/pkgs/applications/audio/gtkcord4/default.nix
vendored
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
{ buildGoModule
|
||||||
|
, cairo
|
||||||
|
, fetchFromGitHub
|
||||||
|
, gdk-pixbuf
|
||||||
|
, glib
|
||||||
|
, gobject-introspection
|
||||||
|
, graphene
|
||||||
|
, gtk4
|
||||||
|
, lib
|
||||||
|
, pango
|
||||||
|
, pkg-config
|
||||||
|
}:
|
||||||
|
|
||||||
|
buildGoModule rec {
|
||||||
|
pname = "gtkcord4";
|
||||||
|
version = "0.0.6";
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "diamondburned";
|
||||||
|
repo = pname;
|
||||||
|
rev = "v${version}";
|
||||||
|
hash = "sha256-uEG1pAHMQT+C/E5rKByflvL0NNkC8SeSPMAXanzvhE4=";
|
||||||
|
};
|
||||||
|
|
||||||
|
nativeBuildInputs = [
|
||||||
|
gobject-introspection
|
||||||
|
pkg-config
|
||||||
|
];
|
||||||
|
|
||||||
|
buildInputs = [
|
||||||
|
cairo
|
||||||
|
gdk-pixbuf
|
||||||
|
glib
|
||||||
|
graphene
|
||||||
|
gtk4
|
||||||
|
pango
|
||||||
|
];
|
||||||
|
|
||||||
|
vendorHash = "sha256-QZSjSk1xu5ZcrNEra5TxnUVvlQWb5/h31fm5Nc7WMoI=";
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
description = "GTK4 Discord client in Go, attempt #4.";
|
||||||
|
homepage = "https://github.com/diamondburned/gtkcord4";
|
||||||
|
license = licenses.gpl3Only;
|
||||||
|
maintainers = with maintainers; [ urandom ];
|
||||||
|
};
|
||||||
|
}
|
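Review bot: `description = "GTK4 Discord client in Go, attempt #4.";` ends with a period, which the nixpkgs meta conventions ask to omit. More substantively, a GTK4 application normally needs `wrapGAppsHook4` in `nativeBuildInputs` so the binary finds GSettings schemas and GdkPixbuf loaders at runtime; without the wrapper this surfaces only when the client is launched, not at build time, so please verify it starts from a clean profile.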
|
@ -89,5 +89,7 @@ mkDerivation rec {
|
||||||
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
|
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
|
||||||
platforms = [ "x86_64-linux" ];
|
platforms = [ "x86_64-linux" ];
|
||||||
maintainers = with maintainers; [ lovesegfault ];
|
maintainers = with maintainers; [ lovesegfault ];
|
||||||
|
# src link returns 403
|
||||||
|
broken = true;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,13 +4,13 @@
|
||||||
|
|
||||||
pythonPackages.buildPythonApplication rec {
|
pythonPackages.buildPythonApplication rec {
|
||||||
pname = "mopidy";
|
pname = "mopidy";
|
||||||
version = "3.3.0";
|
version = "3.4.0";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "mopidy";
|
owner = "mopidy";
|
||||||
repo = "mopidy";
|
repo = "mopidy";
|
||||||
rev = "refs/tags/v${version}";
|
rev = "refs/tags/v${version}";
|
||||||
sha256 = "sha256-F0fIl9DrludZZdzsrl/xsp7TLMgTPbVGtGvMHyD52Yw=";
|
sha256 = "sha256-cr4v1ScrXLRjqlsCXTm0KvLc+jJbFX1HVKJLrDAtIw8=";
|
||||||
};
|
};
|
||||||
|
|
||||||
nativeBuildInputs = [ wrapGAppsHook ];
|
nativeBuildInputs = [ wrapGAppsHook ];
|
||||||
|
|
|
@ -3,33 +3,20 @@
|
||||||
, mopidy
|
, mopidy
|
||||||
}:
|
}:
|
||||||
|
|
||||||
let
|
python3.pkgs.buildPythonApplication rec {
|
||||||
python = python3.override {
|
|
||||||
packageOverrides = self: super: {
|
|
||||||
ytmusicapi = super.ytmusicapi.overridePythonAttrs (old: rec {
|
|
||||||
version = "0.22.0";
|
|
||||||
format = "setuptools";
|
|
||||||
src = old.src.override {
|
|
||||||
inherit version;
|
|
||||||
hash = "sha256-CZ4uoW4UHn5C+MckQXysTdydaApn99b0UCnF5RPb7DI=";
|
|
||||||
};
|
|
||||||
});
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in python.pkgs.buildPythonApplication rec {
|
|
||||||
pname = "mopidy-ytmusic";
|
pname = "mopidy-ytmusic";
|
||||||
version = "0.3.7";
|
version = "0.3.8";
|
||||||
|
|
||||||
src = python.pkgs.fetchPypi {
|
src = python3.pkgs.fetchPypi {
|
||||||
inherit version;
|
inherit version;
|
||||||
pname = "Mopidy-YTMusic";
|
pname = "mopidy_ytmusic";
|
||||||
sha256 = "0gqjvi3nfzkqvbdhihzai241p1h5p037bj2475cc93xwzyyqxcrq";
|
sha256 = "6b4d8ff9c477dbdd30d0259a009494ebe104cad3f8b37241ae503e5bce4ec2e8";
|
||||||
};
|
};
|
||||||
|
|
||||||
propagatedBuildInputs = [
|
propagatedBuildInputs = [
|
||||||
(mopidy.override { pythonPackages = python.pkgs; })
|
(mopidy.override { pythonPackages = python3.pkgs; })
|
||||||
python.pkgs.ytmusicapi
|
python3.pkgs.ytmusicapi
|
||||||
python.pkgs.pytube
|
python3.pkgs.pytube
|
||||||
];
|
];
|
||||||
|
|
||||||
pythonImportsCheck = [ "mopidy_ytmusic" ];
|
pythonImportsCheck = [ "mopidy_ytmusic" ];
|
||||||
|
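Review bot: the `ytmusicapi` pin to `version = "0.22.0"` is removed, so the package now follows whatever `python3.pkgs.ytmusicapi` nixpkgs ships; confirm that 0.3.8's dependency range accepts that version, because `doCheck = false;` means nothing at build time will catch an incompatible API. Also `sha256 = "6b4d8ff9c477dbdd30d0259a009494ebe104cad3f8b37241ae503e5bce4ec2e8";` is a bare hex digest while the rest of this change uses SRI `sha256-...` hashes; prefer `hash = "sha256-...";` for consistency.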
@ -38,6 +25,7 @@ in python.pkgs.buildPythonApplication rec {
|
||||||
doCheck = false;
|
doCheck = false;
|
||||||
|
|
||||||
meta = with lib; {
|
meta = with lib; {
|
||||||
|
changelog = "https://github.com/OzymandiasTheGreat/mopidy-ytmusic/blob/v${version}/CHANGELOG.rst";
|
||||||
description = "Mopidy extension for playing music from YouTube Music";
|
description = "Mopidy extension for playing music from YouTube Music";
|
||||||
homepage = "https://github.com/OzymandiasTheGreat/mopidy-ytmusic";
|
homepage = "https://github.com/OzymandiasTheGreat/mopidy-ytmusic";
|
||||||
license = licenses.asl20;
|
license = licenses.asl20;
|
||||||
|
|
|
@ -2,13 +2,13 @@
|
||||||
|
|
||||||
rustPlatform.buildRustPackage rec {
|
rustPlatform.buildRustPackage rec {
|
||||||
pname = "netease-music-tui";
|
pname = "netease-music-tui";
|
||||||
version = "0.1.4";
|
version = "0.1.5";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "betta-cyber";
|
owner = "betta-cyber";
|
||||||
repo = "netease-music-tui";
|
repo = "netease-music-tui";
|
||||||
rev = "v${version}";
|
rev = "v${version}";
|
||||||
sha256 = "sha256-ILJkejRKG2DRXgR6O2tAFbrbd8HtnLZJmITq7hF41DQ=";
|
sha256 = "sha256-+zRXihWg65DtyX3yD04CsW8aXIvNph36PW2veeg36lg=";
|
||||||
};
|
};
|
||||||
|
|
||||||
cargoPatches = [ ./cargo-lock.patch ];
|
cargoPatches = [ ./cargo-lock.patch ];
|
||||||
|
@ -16,7 +16,7 @@ rustPlatform.buildRustPackage rec {
|
||||||
nativeBuildInputs = [ pkg-config ];
|
nativeBuildInputs = [ pkg-config ];
|
||||||
buildInputs = [ alsa-lib openssl ];
|
buildInputs = [ alsa-lib openssl ];
|
||||||
|
|
||||||
cargoSha256 = "sha256-/JQDUtSSkuO9nrYVSkQOaZjps1BUuH8Bc1SMyDSSJS4=";
|
cargoSha256 = "sha256-i+W/KwnqdaHcrdaWYUuCUeFlRKekVuEvFh/pxDolPNU=";
|
||||||
|
|
||||||
meta = with lib; {
|
meta = with lib; {
|
||||||
homepage = "https://github.com/betta-cyber/netease-music-tui";
|
homepage = "https://github.com/betta-cyber/netease-music-tui";
|
||||||
|
|
|
@ -2,21 +2,21 @@
|
||||||
|
|
||||||
buildNpmPackage rec {
|
buildNpmPackage rec {
|
||||||
pname = "open-stage-control";
|
pname = "open-stage-control";
|
||||||
version = "1.20.0";
|
version = "1.21.0";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "jean-emmanuel";
|
owner = "jean-emmanuel";
|
||||||
repo = "open-stage-control";
|
repo = "open-stage-control";
|
||||||
rev = "v${version}";
|
rev = "v${version}";
|
||||||
hash = "sha256-XgwlRdwUSl4gIRKqk6BnMAKarVvp291zk8vmNkuRWKo=";
|
hash = "sha256-6tRd8boVwWc8qGlklYqA/Kp76VOMvtUJlu/G/InvHkA=";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Use generated package-lock.json since upstream does not provide one in releases
|
# Remove some Electron stuff from package.json
|
||||||
postPatch = ''
|
postPatch = ''
|
||||||
ln -sT ${./package-lock.json} ./package-lock.json
|
sed -i -e '/"electron"\|"electron-installer-debian"/d' package.json
|
||||||
'';
|
'';
|
||||||
|
|
||||||
npmDepsHash = "sha256-5KZXZ4agHcAh3gai5w9YodETIEGJtDq/kyEZOHb9dOc=";
|
npmDepsHash = "sha256-M+6+zrxy8VpJQS0dG/xORMbflKEq8wO2DEOjGrA6OUw=";
|
||||||
|
|
||||||
nativeBuildInputs = [
|
nativeBuildInputs = [
|
||||||
copyDesktopItems
|
copyDesktopItems
|
||||||
|
|
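Review bot: `sed -i -e '/"electron"\|"electron-installer-debian"/d' package.json` deletes whole lines by pattern, which leaves invalid JSON if either entry is the last key in its object (the preceding line keeps its trailing comma) or if the key ever appears elsewhere, e.g. in `scripts`; a structure-aware edit such as `jq 'del(.devDependencies.electron, .devDependencies["electron-installer-debian"])'` (adjusting the path to wherever the keys live) fails loudly instead of silently corrupting the file. Removing `ln -sT ${./package-lock.json} ./package-lock.json` also assumes upstream now ships a `package-lock.json` matching `npmDepsHash`; worth stating in the commit message.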
18244
third_party/nixpkgs/pkgs/applications/audio/open-stage-control/package-lock.json
generated
vendored
18244
third_party/nixpkgs/pkgs/applications/audio/open-stage-control/package-lock.json
generated
vendored
File diff suppressed because it is too large
|
@ -14,7 +14,7 @@ nixeval() {
|
||||||
}
|
}
|
||||||
|
|
||||||
vendorhash() {
|
vendorhash() {
|
||||||
(nix --extra-experimental-features nix-command build --impure -f "$nixpkgs" --no-link "$1" 2>&1 >/dev/null | tail -n3 | grep -F got: | cut -d: -f2- | stripwhitespace) 2>/dev/null || true
|
(nix --extra-experimental-features nix-command build --impure --argstr nixpkgs "$nixpkgs" --argstr attr "$1" --expr '{ nixpkgs, attr }: let pkgs = import nixpkgs {}; in with pkgs.lib; (getAttrFromPath (splitString "." attr) pkgs).overrideAttrs (attrs: { outputHash = fakeHash; })' --no-link 2>&1 >/dev/null | tail -n3 | grep -F got: | cut -d: -f2- | stripwhitespace) 2>/dev/null || true
|
||||||
}
|
}
|
||||||
|
|
||||||
findpath() {
|
findpath() {
|
||||||
|
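Review bot: the error handling in `vendorhash` swallows every failure: `2>/dev/null || true` combined with `tail -n3 | grep -F got:` means that when the fake-hash build fails for any reason other than a hash mismatch (an eval error in the `--expr`, a network failure, a misspelled `attr`), the function returns an empty string and the caller goes on to write that into the package. Capture the full stderr once, `grep -F got:` over all of it rather than the last three lines, and make the caller abort when `newhash` is empty. The expression itself is the right approach: overriding `outputHash` with `fakeHash` forces the FOD to be rebuilt and the mismatch message carries the real hash. `--impure` is still needed here because `import nixpkgs {}` defaults `system` to `builtins.currentSystem`, which pure evaluation forbids; a short comment saying so would stop the next person from "cleaning it up".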
@ -32,7 +32,6 @@ attr="${UPDATE_NIX_ATTR_PATH:-open-stage-control}"
|
||||||
version="$(cd "$nixpkgs" && list-git-tags --pname="$(nixeval "$attr".pname)" --attr-path="$attr" | grep '^v' | sed -e 's|^v||' | sort -V | tail -n1)"
|
version="$(cd "$nixpkgs" && list-git-tags --pname="$(nixeval "$attr".pname)" --attr-path="$attr" | grep '^v' | sed -e 's|^v||' | sort -V | tail -n1)"
|
||||||
|
|
||||||
pkgpath="$(findpath "$attr")"
|
pkgpath="$(findpath "$attr")"
|
||||||
pkgdir="$(dirname "$pkgpath")"
|
|
||||||
|
|
||||||
updated="$(cd "$nixpkgs" && update-source-version "$attr" "$version" --file="$pkgpath" --print-changes | jq -r length)"
|
updated="$(cd "$nixpkgs" && update-source-version "$attr" "$version" --file="$pkgpath" --print-changes | jq -r length)"
|
||||||
|
|
||||||
|
@ -41,14 +40,6 @@ if [ "$updated" -eq 0 ]; then
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Download package.json from the latest release
|
|
||||||
curl -sSL https://raw.githubusercontent.com/jean-emmanuel/open-stage-control/v"$version"/package.json | grep -v '"electron"\|"electron-installer-debian"' >"$pkgdir"/package.json
|
|
||||||
|
|
||||||
# Lock dependencies with npm
|
|
||||||
(cd "$pkgdir" && npm install --package-lock-only --ignore-scripts --legacy-peer-deps)
|
|
||||||
|
|
||||||
rm -f "$pkgdir"/package.json
|
|
||||||
|
|
||||||
# Update FOD hash
|
# Update FOD hash
|
||||||
curhash="$(nixeval "$attr.npmDeps.outputHash")"
|
curhash="$(nixeval "$attr.npmDeps.outputHash")"
|
||||||
newhash="$(vendorhash "$attr.npmDeps")"
|
newhash="$(vendorhash "$attr.npmDeps")"
|
||||||
|
|
|
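Review bot: deleting the `curl ... | grep -v ...` and `npm install --package-lock-only --ignore-scripts --legacy-peer-deps` steps removes the only place this script produced a lockfile, so the update path now only works if the upstream tag ships `package-lock.json` (the comment deleted from default.nix in this same commit said releases did not); please confirm that for v1.21.0, because `buildNpmPackage` needs a lockfile to compute `npmDeps`. The `'"electron"\|"electron-installer-debian"'` filter that lived here now exists only as the `sed` in the derivation's `postPatch`, which is the right single place for it. Worth stating in the commit message: the update script no longer fetches an unpinned `package.json` from raw.githubusercontent.com, and the dependency set is now fixed entirely by the `src` hash plus `npmDepsHash`.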
@ -2,13 +2,13 @@
|
||||||
|
|
||||||
python3Packages.buildPythonApplication rec {
|
python3Packages.buildPythonApplication rec {
|
||||||
pname = "pyradio";
|
pname = "pyradio";
|
||||||
version = "0.8.9.28";
|
version = "0.8.9.31";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "coderholic";
|
owner = "coderholic";
|
||||||
repo = pname;
|
repo = pname;
|
||||||
rev = "refs/tags/${version}";
|
rev = "refs/tags/${version}";
|
||||||
sha256 = "sha256-0j0AQZk+WEkcRTL/peAxzRw23gThlGtMnqoms2aUCrc=";
|
sha256 = "sha256-9Fc42f0plduihXDDLXWBdt62maxDJ0cwumIvbiMcrGc=";
|
||||||
};
|
};
|
||||||
|
|
||||||
nativeBuildInputs = [ installShellFiles ];
|
nativeBuildInputs = [ installShellFiles ];
|
||||||
|
|
|
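Review bot: the bump itself is fine (`rev = "refs/tags/${version}"`, hash refreshed), but the attribute is still `sha256 =` with an SRI value; rename it to `hash =`, as the qmmp change in this same commit does, so the attribute name and the value format agree. While here, `repo = pname;` should be spelled out as `repo = "pyradio";`: `rec` bindings do not follow `overrideAttrs`, so an override that changes `pname` would silently keep fetching the old repository.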
@ -1,21 +1,19 @@
|
||||||
{ lib, mkDerivation, fetchurl, cmake, pkg-config
|
{ lib, stdenv, fetchurl, cmake, pkg-config
|
||||||
, qtbase, qttools, qtmultimedia, qtx11extras
|
, qtbase, qttools, qtmultimedia, wrapQtAppsHook
|
||||||
# transports
|
# transports
|
||||||
, curl, libmms
|
, curl, libmms
|
||||||
# input plugins
|
# input plugins
|
||||||
, libmad, taglib, libvorbis, libogg, flac, libmpcdec, libmodplug, libsndfile
|
, libmad, taglib, libvorbis, libogg, flac, libmpcdec, libmodplug, libsndfile
|
||||||
, libcdio, cdparanoia, libcddb, faad2, ffmpeg, wildmidi
|
, libcdio, cdparanoia, libcddb, faad2, ffmpeg, wildmidi, libbs2b, game-music-emu
|
||||||
# output plugins
|
# output plugins
|
||||||
, alsa-lib, libpulseaudio
|
, alsa-lib, libpulseaudio, pipewire
|
||||||
# effect plugins
|
# effect plugins
|
||||||
, libsamplerate
|
, libsamplerate
|
||||||
}:
|
}:
|
||||||
|
|
||||||
# Additional plugins that can be added:
|
# Additional plugins that can be added:
|
||||||
# wavpack (https://www.wavpack.com/)
|
# wavpack (https://www.wavpack.com/)
|
||||||
# gme (Game music support)
|
|
||||||
# Ogg Opus support
|
# Ogg Opus support
|
||||||
# BS2B effect plugin (http://bs2b.sourceforge.net/)
|
|
||||||
# JACK audio support
|
# JACK audio support
|
||||||
# ProjectM visualization plugin
|
# ProjectM visualization plugin
|
||||||
|
|
||||||
|
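Review bot: replacing the Qt-wrapped `mkDerivation` with `stdenv.mkDerivation` plus an explicit `wrapQtAppsHook` only works if `qtbase`, `qttools`, `qtmultimedia` and `wrapQtAppsHook` are now supplied from the Qt 6 scope, because 2.1.2 is a Qt 6 release; the hunk does not show the `all-packages.nix` side, so please confirm the call site moved to `qt6Packages.callPackage` (or equivalent), otherwise the Qt 5 packages are passed silently and CMake fails at configure time. Dropping `qtx11extras` is consistent with Qt 6, where that module no longer exists. Removing the gme and BS2B lines from the "Additional plugins that can be added" comment now that `game-music-emu` and `libbs2b` are inputs keeps the comment honest; wavpack, Opus, JACK and ProjectM remain genuinely unimplemented.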
@ -28,26 +26,27 @@
|
||||||
# Qmmp installs working .desktop file(s) all by itself, so we don't need to
|
# Qmmp installs working .desktop file(s) all by itself, so we don't need to
|
||||||
# handle that.
|
# handle that.
|
||||||
|
|
||||||
mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
pname = "qmmp";
|
pname = "qmmp";
|
||||||
version = "1.4.4";
|
version = "2.1.2";
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
url = "https://qmmp.ylsoftware.com/files/${pname}-${version}.tar.bz2";
|
url = "https://qmmp.ylsoftware.com/files/qmmp/2.1/${pname}-${version}.tar.bz2";
|
||||||
sha256 = "sha256-sZRZVhCf2ceETuV4AULA0kVkuIMn3C+aYdKThqvPnVQ=";
|
hash = "sha256-U86LoAkg6mBFVa/cgB8kpCa5KwdkR0PMQmAGvf/KAXo=";
|
||||||
};
|
};
|
||||||
|
|
||||||
nativeBuildInputs = [ cmake pkg-config ];
|
nativeBuildInputs = [ cmake pkg-config wrapQtAppsHook ];
|
||||||
|
|
||||||
buildInputs =
|
buildInputs =
|
||||||
[ # basic requirements
|
[ # basic requirements
|
||||||
qtbase qttools qtmultimedia qtx11extras
|
qtbase qttools qtmultimedia
|
||||||
# transports
|
# transports
|
||||||
curl libmms
|
curl libmms
|
||||||
# input plugins
|
# input plugins
|
||||||
libmad taglib libvorbis libogg flac libmpcdec libmodplug libsndfile
|
libmad taglib libvorbis libogg flac libmpcdec libmodplug libsndfile
|
||||||
libcdio cdparanoia libcddb faad2 ffmpeg wildmidi
|
libcdio cdparanoia libcddb faad2 ffmpeg wildmidi libbs2b game-music-emu
|
||||||
# output plugins
|
# output plugins
|
||||||
alsa-lib libpulseaudio
|
alsa-lib libpulseaudio pipewire
|
||||||
# effect plugins
|
# effect plugins
|
||||||
libsamplerate
|
libsamplerate
|
||||||
];
|
];
|
||||||
|
|
|
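Review bot: the new `url` hard-codes the `qmmp/2.1/` series directory, so every minor bump (2.2.x and beyond) will require editing the URL by hand alongside `version`; derive it instead, e.g. `url = "https://qmmp.ylsoftware.com/files/qmmp/${lib.versions.majorMinor version}/${pname}-${version}.tar.bz2";`. The `sha256` → `hash` rename is the right convention for an SRI value. `pipewire` in `buildInputs` only does something if qmmp's CMake picks it up and builds the output plugin, so a quick check that a PipeWire plugin lands under `$out/lib/qmmp-*/Output/` would confirm the new input is not dead weight.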
@ -119,7 +119,7 @@ python3.pkgs.buildPythonApplication rec {
|
||||||
LC_ALL = "en_US.UTF-8";
|
LC_ALL = "en_US.UTF-8";
|
||||||
|
|
||||||
checkInputs = [
|
checkInputs = [
|
||||||
dbus.daemon
|
dbus
|
||||||
gdk-pixbuf
|
gdk-pixbuf
|
||||||
glibcLocales
|
glibcLocales
|
||||||
hicolor-icon-theme
|
hicolor-icon-theme
|
||||||
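Review bot: `dbus.daemon` was a compatibility alias for `dbus` itself, so dropping it here is correct and matches the `${dbus}/share/dbus-1/session.conf` path in the next hunk. Since this block is being touched anyway: `xvfb-run`, `dbus-run-session` and `pytest` all execute on the build host, so with the `nativeCheckInputs` split introduced in the 23.05 cycle (the release this diff's template references) these belong in `nativeCheckInputs` rather than `checkInputs`; not a blocker for this change, but worth doing in the same file.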
|
@ -154,7 +154,7 @@ python3.pkgs.buildPythonApplication rec {
|
||||||
runHook preCheck
|
runHook preCheck
|
||||||
|
|
||||||
xvfb-run -s '-screen 0 1920x1080x24' \
|
xvfb-run -s '-screen 0 1920x1080x24' \
|
||||||
dbus-run-session --config-file=${dbus.daemon}/share/dbus-1/session.conf \
|
dbus-run-session --config-file=${dbus}/share/dbus-1/session.conf \
|
||||||
pytest $pytestFlags
|
pytest $pytestFlags
|
||||||
|
|
||||||
runHook postCheck
|
runHook postCheck
|
||||||
|
|
|
@ -9,6 +9,7 @@
|
||||||
, ffmpeg
|
, ffmpeg
|
||||||
, vlc
|
, vlc
|
||||||
, xdg-utils
|
, xdg-utils
|
||||||
|
, xdotool
|
||||||
, which
|
, which
|
||||||
|
|
||||||
, jackSupport ? true
|
, jackSupport ? true
|
||||||
|
@ -69,7 +70,7 @@ stdenv.mkDerivation rec {
|
||||||
# seem to have an effect for some plugins.
|
# seem to have an effect for some plugins.
|
||||||
# We opt for wrapping the executable with LD_LIBRARY_PATH prefix.
|
# We opt for wrapping the executable with LD_LIBRARY_PATH prefix.
|
||||||
wrapProgram $out/opt/REAPER/reaper \
|
wrapProgram $out/opt/REAPER/reaper \
|
||||||
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ lame ffmpeg vlc ]}"
|
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ lame ffmpeg vlc xdotool ]}"
|
||||||
|
|
||||||
mkdir $out/bin
|
mkdir $out/bin
|
||||||
ln -s $out/opt/REAPER/reaper $out/bin/
|
ln -s $out/opt/REAPER/reaper $out/bin/
|
||||||
|
|
|
@ -12,7 +12,7 @@
|
||||||
|
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
pname = "soundtracker";
|
pname = "soundtracker";
|
||||||
version = "1.0.2.1";
|
version = "1.0.3";
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
# Past releases get moved to the "old releases" directory.
|
# Past releases get moved to the "old releases" directory.
|
||||||
|
@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
|
||||||
# Nonetheless, only the name of the file seems to affect which file is
|
# Nonetheless, only the name of the file seems to affect which file is
|
||||||
# downloaded, so this path should be fine both for old and current releases.
|
# downloaded, so this path should be fine both for old and current releases.
|
||||||
url = "mirror://sourceforge/soundtracker/soundtracker-${version}.tar.xz";
|
url = "mirror://sourceforge/soundtracker/soundtracker-${version}.tar.xz";
|
||||||
sha256 = "0nh0dwz8nldc040q6n06vlazhss8ms42r2dffhjcrqj3hbrvfx82";
|
sha256 = "sha256-k+TB1DIauOIeQSCVV5uYu69wwRx7vCRAlSCTAtDguKo=";
|
||||||
};
|
};
|
||||||
|
|
||||||
postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''
|
postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''
|
||||||
|
|
|
@ -34,13 +34,13 @@ stdenv.mkDerivation {
|
||||||
pname = binName;
|
pname = binName;
|
||||||
# versions are specified in `squeezelite.h`
|
# versions are specified in `squeezelite.h`
|
||||||
# see https://github.com/ralph-irving/squeezelite/issues/29
|
# see https://github.com/ralph-irving/squeezelite/issues/29
|
||||||
version = "1.9.9.1411";
|
version = "1.9.9.1414";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "ralph-irving";
|
owner = "ralph-irving";
|
||||||
repo = "squeezelite";
|
repo = "squeezelite";
|
||||||
rev = "ca44fc6e258bb413d6281d927063b25940f42e5c";
|
rev = "dbe69eb8aa88f644cfb46541d6cef72fa666570d";
|
||||||
hash = "sha256-aZ+2nyy6tK3VwgTCWGoNaU4//kkHUzd6DZSfTEIgbvY=";
|
hash = "sha256-BN6eBHMMecucfHwzmho3xi1l2O3YnYcBUE321Rl6xrc=";
|
||||||
};
|
};
|
||||||
|
|
||||||
buildInputs = [ flac libmad libvorbis mpg123 ]
|
buildInputs = [ flac libmad libvorbis mpg123 ]
|
||||||
|
|
|
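Review bot: `version` and `rev` are updated independently, and because upstream has no tags (per the comment and https://github.com/ralph-irving/squeezelite/issues/29) nothing in the derivation ties `1.9.9.1414` to `dbe69eb8aa88f644cfb46541d6cef72fa666570d`; please note in the commit message that the version macros in `squeezelite.h` at that commit match 1.9.9.1414, or, better, add a check in `postPatch` that greps `squeezelite.h` for `${version}`'s components so the two cannot drift in future bumps.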
@ -25,13 +25,13 @@
|
||||||
|
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
pname = "tauon";
|
pname = "tauon";
|
||||||
version = "7.4.3";
|
version = "7.4.5";
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
src = fetchFromGitHub {
|
||||||
owner = "Taiko2k";
|
owner = "Taiko2k";
|
||||||
repo = "TauonMusicBox";
|
repo = "TauonMusicBox";
|
||||||
rev = "v${version}";
|
rev = "v${version}";
|
||||||
sha256 = "sha256-eB4fwW5UvylVslSEvDFdCVYcEK3M2H+8VJGHH13vvA0=";
|
sha256 = "sha256-fxmCLjnYO7ZblEiRoByxuFzw9xFHqbQvne1WNcFnnwI=";
|
||||||
};
|
};
|
||||||
|
|
||||||
postUnpack = ''
|
postUnpack = ''
|
||||||
|
@ -131,6 +131,7 @@ stdenv.mkDerivation rec {
|
||||||
meta = with lib; {
|
meta = with lib; {
|
||||||
description = "The Linux desktop music player from the future";
|
description = "The Linux desktop music player from the future";
|
||||||
homepage = "https://tauonmusicbox.rocks/";
|
homepage = "https://tauonmusicbox.rocks/";
|
||||||
|
changelog = "https://github.com/Taiko2k/TauonMusicBox/releases/tag/v${version}";
|
||||||
license = licenses.gpl3;
|
license = licenses.gpl3;
|
||||||
maintainers = with maintainers; [ jansol ];
|
maintainers = with maintainers; [ jansol ];
|
||||||
platforms = platforms.linux;
|
platforms = platforms.linux;
|
||||||
|
|
|
@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
|
||||||
description = "A vi/vim inspired client for the Music Player Daemon (mpd)";
|
description = "A vi/vim inspired client for the Music Player Daemon (mpd)";
|
||||||
homepage = "https://github.com/boysetsfrog/vimpc";
|
homepage = "https://github.com/boysetsfrog/vimpc";
|
||||||
license = licenses.gpl3;
|
license = licenses.gpl3;
|
||||||
platforms = platforms.linux;
|
platforms = platforms.unix;
|
||||||
maintainers = with maintainers; [ pSub ];
|
maintainers = with maintainers; [ pSub ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
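Review bot: widening `platforms` from `platforms.linux` to `platforms.unix` asserts that vimpc builds on Darwin and other unixes, but nothing in the hunk shows that it was tried there; please add the result of a `nix-build` on `x86_64-darwin` or `aarch64-darwin` to the PR, or leave the change until ofborg/Hydra confirms, since `meta.platforms` is what Hydra uses to schedule jobs and an untested claim becomes a permanently red build.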
@ -13,6 +13,8 @@ let
|
||||||
in
|
in
|
||||||
appimageTools.wrapType2 rec {
|
appimageTools.wrapType2 rec {
|
||||||
inherit pname version src;
|
inherit pname version src;
|
||||||
|
extraPkgs = pkgs: (appimageTools.defaultFhsEnvArgs.multiPkgs pkgs)
|
||||||
|
++ [ pkgs.libappindicator ];
|
||||||
|
|
||||||
extraInstallCommands = ''
|
extraInstallCommands = ''
|
||||||
mv $out/bin/{${pname}-${version},${pname}}
|
mv $out/bin/{${pname}-${version},${pname}}
|
||||||
|
@ -29,7 +31,7 @@ appimageTools.wrapType2 rec {
|
||||||
description = "Electron wrapper around YouTube Music";
|
description = "Electron wrapper around YouTube Music";
|
||||||
homepage = "https://th-ch.github.io/youtube-music/";
|
homepage = "https://th-ch.github.io/youtube-music/";
|
||||||
license = licenses.mit;
|
license = licenses.mit;
|
||||||
sourceProvenance = with sourceTypes; [ fromSource ];
|
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
|
||||||
platforms = platforms.linux;
|
platforms = platforms.linux;
|
||||||
maintainers = [ maintainers.aacebedo ];
|
maintainers = [ maintainers.aacebedo ];
|
||||||
};
|
};
|
||||||
|
|
|
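Review bot: `fromSource` was incorrect for an `appimageTools.wrapType2` package that repackages an upstream-built AppImage, so `binaryNativeCode` is the right `sourceProvenance`; this is more than a cosmetic fix, because users who filter on provenance (for example to refuse prebuilt binaries in a deployment) depend on this field being truthful. Consider mentioning in the commit message that the whole Electron runtime inside the AppImage is the prebuilt part, so the trust placed in this package is in upstream's CI build rather than in nixpkgs' compiler.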
@ -13,7 +13,7 @@
|
||||||
, libXrandr
|
, libXrandr
|
||||||
, libXi
|
, libXi
|
||||||
, gnome
|
, gnome
|
||||||
, kdialog
|
, libsForQt5
|
||||||
}:
|
}:
|
||||||
|
|
||||||
rustPlatform.buildRustPackage rec {
|
rustPlatform.buildRustPackage rec {
|
||||||
|
@ -71,7 +71,7 @@ rustPlatform.buildRustPackage rec {
|
||||||
in
|
in
|
||||||
''
|
''
|
||||||
patchelf --set-rpath "${libPath}" "$out/bin/$pname"
|
patchelf --set-rpath "${libPath}" "$out/bin/$pname"
|
||||||
wrapProgram $out/bin/$pname --prefix PATH : ${lib.makeBinPath [ gnome.zenity kdialog ]}
|
wrapProgram $out/bin/$pname --prefix PATH : ${lib.makeBinPath [ gnome.zenity libsForQt5.kdialog ]}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
|
||||||
|
|
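Review bot: taking the entire `libsForQt5` package set as a function argument just to reach `kdialog` widens the derivation's interface and hides the actual dependency; keep `kdialog` as the argument and pass `libsForQt5.kdialog` at the call site in `all-packages.nix`, or use `libsForQt5.callPackage` there. Unrelated to this change but visible in the hunk: `patchelf --set-rpath "${libPath}"` replaces the rpath `buildRustPackage` produced rather than extending it; `patchelf --add-rpath` is the safer form, as a separate follow-up.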
Some files were not shown because too many files have changed in this diff.