Project import generated by Copybara.

GitOrigin-RevId: b72b8b94cf0c012b0252a9100a636cad69696666
This commit is contained in:
Default email 2022-12-02 08:20:57 +00:00
parent 980a2be55c
commit 7d542a9f98
898 changed files with 20409 additions and 30829 deletions

View file

@ -22,7 +22,7 @@ For new packages please briefly describe the package or provide a link to its ho
- made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
- [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [22.11 Release Notes (or backporting 22.05 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2211-release-notes)
- [23.05 Release Notes (or backporting 22.11 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2305-release-notes)
- [ ] (Package updates) Added a release notes entry if the change is major or breaking
- [ ] (Module updates) Added a release notes entry if the change is significant
- [ ] (Module addition) Added a release notes entry if adding a new NixOS module

View file

@ -26,7 +26,7 @@ jobs:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Create backport PRs
uses: zeebe-io/backport-action@v0.0.8
uses: zeebe-io/backport-action@v0.0.9
with:
# Config README: https://github.com/zeebe-io/backport-action#backport-action
github_token: ${{ secrets.GITHUB_TOKEN }}
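Review bot: `uses: zeebe-io/backport-action@v0.0.9` pins a mutable tag, and this job runs with `secrets.GITHUB_TOKEN` after checking out `github.event.pull_request.head.sha`, so a later move of that tag would execute different code with the token. Pin the action to the full commit SHA of the v0.0.9 release and keep the version in a trailing comment (`# v0.0.9`); the SHA form survives tag rewrites and is still understood by dependency-update bots.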

View file

@ -98,17 +98,17 @@ git push origin feature --force-with-lease
Follow these steps to backport a change into a release branch in compliance with the [commit policy](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches).
You can add a label such as `backport release-22.05` to a PR, so that merging it will
You can add a label such as `backport release-22.11` to a PR, so that merging it will
automatically create a backport (via [a GitHub Action](.github/workflows/backport.yml)).
This also works for PR's that have already been merged, and might take a couple of minutes to trigger.
You can also create the backport manually:
1. Take note of the commits in which the change was introduced into `master` branch.
2. Check out the target _release branch_, e.g. `release-22.05`. Do not use a _channel branch_ like `nixos-22.05` or `nixpkgs-22.05-darwin`.
2. Check out the target _release branch_, e.g. `release-22.11`. Do not use a _channel branch_ like `nixos-22.11` or `nixpkgs-22.11-darwin`.
3. Create a branch for your change, e.g. `git checkout -b backport`.
4. When the reason to backport is not obvious from the original commit message, use `git cherry-pick -xe <original commit>` and add a reason. Otherwise use `git cherry-pick -x <original commit>`. That's fine for minor version updates that only include security and bug fixes, commits that fixes an otherwise broken package or similar. Please also ensure the commits exists on the master branch; in the case of squashed or rebased merges, the commit hash will change and the new commits can be found in the merge message at the bottom of the master pull request.
5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-22.05`) as the target branch of the pull request, and link to the pull request in which the original change was comitted to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[22.05]`.
5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-22.11`) as the target branch of the pull request, and link to the pull request in which the original change was comitted to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[22.11]`.
6. When the backport pull request is merged and you have the necessary privileges you can also replace the label `9.needs: port to stable` with `8.has: port to stable` on the original pull request. This way maintainers can keep track of missing backports easier.
## Criteria for Backporting changes
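Review bot: the rewritten step 5, "link to the pull request in which the original change was comitted to `master`", carries the typo "comitted" over from the old line; since the line is being touched for the version bump anyway, fix it to "committed" in the same change. Step 4, which is unchanged context here, has the same kind of slip in "ensure the commits exists on the master branch" (should read "the commit exists") and could be fixed alongside.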
@ -120,15 +120,15 @@ Anything that does not cause user or downstream dependency regressions can be ba
- Services which require a client to be up-to-date regardless. (E.g. `spotify`, `steam`, or `discord`)
- Security critical applications (E.g. `firefox`)
## Generating 22.11 Release Notes
## Generating 23.05 Release Notes
Documentation in nixpkgs is transitioning to a markdown-centric workflow. Release notes now require a translation step to convert from markdown to a compatible docbook document.
Steps for updating 22.11 Release notes:
Steps for updating 23.05 Release notes:
1. Edit `nixos/doc/manual/release-notes/rl-2211.section.md` with the desired changes
2. Run `./nixos/doc/manual/md-to-db.sh` to render `nixos/doc/manual/from_md/release-notes/rl-2211.section.xml`
3. Include changes to `rl-2211.section.md` and `rl-2211.section.xml` in the same commit.
1. Edit `nixos/doc/manual/release-notes/rl-2305.section.md` with the desired changes
2. Run `./nixos/doc/manual/md-to-db.sh` to render `nixos/doc/manual/from_md/release-notes/rl-2305.section.xml`
3. Include changes to `rl-2305.section.md` and `rl-2305.section.xml` in the same commit.
## Reviewing contributions

View file

@ -51,9 +51,9 @@ Nixpkgs and NixOS are built and tested by our continuous integration
system, [Hydra](https://hydra.nixos.org/).
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
* [Continuous package builds for the NixOS 22.05 release](https://hydra.nixos.org/jobset/nixos/release-22.05)
* [Continuous package builds for the NixOS 22.11 release](https://hydra.nixos.org/jobset/nixos/release-22.11)
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
* [Tests for the NixOS 22.05 release](https://hydra.nixos.org/job/nixos/release-22.05/tested#tabs-constituents)
* [Tests for the NixOS 22.11 release](https://hydra.nixos.org/job/nixos/release-22.11/tested#tabs-constituents)
Artifacts successfully built with Hydra are published to cache at
https://cache.nixos.org/. When successful build and test criteria are

View file

@ -310,16 +310,16 @@ For this to work fully, you must also have this script sourced when you are logg
```ShellSession
#!/bin/sh
if [ -d $HOME/.nix-profile/etc/profile.d ]; then
for i in $HOME/.nix-profile/etc/profile.d/*.sh; do
if [ -r $i ]; then
. $i
if [ -d "${HOME}/.nix-profile/etc/profile.d" ]; then
for i in "${HOME}/.nix-profile/etc/profile.d/"*.sh; do
if [ -r "$i" ]; then
. "$i"
fi
done
fi
```
Now just run `source $HOME/.profile` and you can starting loading man pages from your environment.
Now just run `. "${HOME}/.profile"` and you can start loading man pages from your environment.
### GNU info setup {#sec-gnu-info-setup}

View file

@ -1071,6 +1071,12 @@
githubId = 56009;
name = "Arcadio Rubio García";
};
archer-65 = {
email = "mario.liguori.056@gmail.com";
github = "archer-65";
githubId = 76066109;
name = "Mario Liguori";
};
archseer = {
email = "blaz@mxxn.io";
github = "archseer";
@ -3294,6 +3300,15 @@
fingerprint = "4E35 F2E5 2132 D654 E815 A672 DB2C BC24 2868 6000";
}];
};
deejayem = {
email = "nixpkgs.bu5hq@simplelogin.com";
github = "deejayem";
githubId = 2564003;
name = "David Morgan";
keys = [{
fingerprint = "9B43 6B14 77A8 79C2 6CDB 6604 C171 2510 02C2 00F2";
}];
};
deepfire = {
email = "_deepfire@feelingofgreen.ru";
github = "deepfire";
@ -5896,6 +5911,13 @@
githubId = 40234257;
name = "ilkecan bozdogan";
};
imincik = {
email = "ivan.mincik@gmail.com";
matrix = "@imincik:matrix.org";
github = "imincik";
githubId = 476346;
name = "Ivan Mincik";
};
not-my-segfault = {
email = "michal@tar.black";
matrix = "@michal:tar.black";
@ -8771,6 +8793,12 @@
githubId = 4141584;
name = "Maxime Daniel";
};
maxwell-lt = {
email = "maxwell.lt@live.com";
github = "maxwell-lt";
githubId = 17859747;
name = "Maxwell L-T";
};
maxxk = {
email = "maxim.krivchikov@gmail.com";
github = "maxxk";
@ -9647,6 +9675,12 @@
githubId = 43796009;
name = "Max Wilson";
};
myaats = {
email = "mats@mats.sh";
github = "Myaats";
githubId = 6295090;
name = "Mats";
};
myrl = {
email = "myrl.0xf@gmail.com";
github = "Myrl";
@ -9665,6 +9699,15 @@
githubId = 6783654;
name = "Nadrieril Feneanar";
};
nagy = {
email = "danielnagy@posteo.de";
github = "nagy";
githubId = 692274;
name = "Daniel Nagy";
keys = [{
fingerprint = "F6AE 2C60 9196 A1BC ECD8 7108 1B8E 8DCB 576F B671";
}];
};
nalbyuites = {
email = "ashijit007@gmail.com";
github = "nalbyuites";
@ -12701,6 +12744,13 @@
githubId = 4294323;
name = "Langston Barrett";
};
sielicki = {
name = "Nicholas Sielicki";
email = "nix@opensource.nslick.com";
github = "sielicki";
githubId = 4522995;
matrix = "@sielicki:matrix.org";
};
siers = {
email = "veinbahs+nixpkgs@gmail.com";
github = "siers";
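Review bot: the new `sielicki` entry puts `name` first and `matrix` last, whereas the neighbouring entries and the other additions in this commit (for example `tylerjl` and `imincik`) put `email` first and `name` after `githubId`; reorder the attributes to match the surrounding convention so the file stays mechanically comparable.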
@ -14216,6 +14266,13 @@
github = "twitchyliquid64";
githubId = 6328589;
};
tylerjl = {
email = "tyler+nixpkgs@langlois.to";
github = "tylerjl";
githubId = 1733846;
matrix = "@ty:tjll.net";
name = "Tyler Langlois";
};
typetetris = {
email = "ericwolf42@mail.com";
github = "typetetris";
@ -15745,7 +15802,7 @@
};
portothree = {
name = "Gustavo Porto";
email = "gustavoporto@ya.ru";
email = "gus@p8s.co";
github = "portothree";
githubId = 3718120;
};
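Review bot: this changes the contact address of an existing maintainer (`gustavoporto@ya.ru` to `gus@p8s.co`) for an entry that has no `keys` or `matrix` attribute to corroborate it. Confirm that the change was authored by the `portothree` GitHub account itself before merging, since the address in this list is what tooling and other maintainers use to reach the person.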

View file

@ -1,4 +1,4 @@
#!/bin/sh
#!/usr/bin/env bash
# Download patches from debian project
# Usage $0 debian-patches.txt debian-patches.nix

View file

@ -1,4 +1,4 @@
#! /bin/sh
#!/usr/bin/env bash
if [[ -z "$VERBOSE" ]]; then
echo "You may set VERBOSE=1 to see debug output or to any other non-empty string to make this script completely silent"
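Review bot: the shebang move to `#!/usr/bin/env bash` is what makes the following `[[ -z "$VERBOSE" ]]` test valid, because `[[` is a bash construct that a POSIX `/bin/sh` such as dash rejects with a syntax error; this is a bug fix rather than a cosmetic change and is worth stating as such in the change description.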

View file

@ -1,4 +1,4 @@
#!/bin/sh
#!/usr/bin/env bash
set -e
: ${NIXOS_CHANNELS:=https://nixos.org/channels/}
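Review bot: with the script now running under bash, `: ${NIXOS_CHANNELS:=https://nixos.org/channels/}` leaves the expansion unquoted, so it is subject to word splitting and pathname expansion if the variable is set to something unexpected; write it as `: "${NIXOS_CHANNELS:=https://nixos.org/channels/}"`. While touching the header, `set -e` alone lets failures inside pipelines pass silently; `set -euo pipefail` is the usual bash choice for a download script.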

View file

@ -265,6 +265,15 @@ with lib.maintainers; {
shortName = "GCC";
};
geospatial = {
members = [
imincik
sikmir
];
scope = "Maintain geospatial packages.";
shortName = "Geospatial";
};
golang = {
members = [
c00w

View file

@ -12,7 +12,7 @@
<listitem>
<para>
<emphasis>Stable channels</emphasis>, such as
<link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.05</literal></link>.
<link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.11</literal></link>.
These only get conservative bug fixes and package upgrades. For
instance, a channel update may cause the Linux kernel on your
system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix),
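Review bot: `<link xlink:href="https://nixos.org/channels/nixos-22.05"><literal>nixos-22.11</literal></link>` updates the visible text to 22.11 but leaves the href pointing at the 22.05 channel, so the rendered manual sends readers to the previous release. The markdown source for this chapter in this same commit has the identical text/URL mismatch, so fix the URL to `https://nixos.org/channels/nixos-22.11` there and regenerate this XML rather than patching it by hand.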
@ -33,7 +33,7 @@
<listitem>
<para>
<emphasis>Small channels</emphasis>, such as
<link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.05-small</literal></link>
<link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.11-small</literal></link>
or
<link xlink:href="https://nixos.org/channels/nixos-unstable-small"><literal>nixos-unstable-small</literal></link>.
These are identical to the stable and unstable channels
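Review bot: `<link xlink:href="https://nixos.org/channels/nixos-22.05-small"><literal>nixos-22.11-small</literal></link>` has the same text/URL mismatch as the stable-channel link: the literal reads 22.11 while the href still targets `nixos-22.05-small`. Change the href to `https://nixos.org/channels/nixos-22.11-small` (in the markdown source, then regenerate).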
@ -60,8 +60,8 @@
<para>
When you first install NixOS, youre automatically subscribed to the
NixOS channel that corresponds to your installation source. For
instance, if you installed from a 22.05 ISO, you will be subscribed
to the <literal>nixos-22.05</literal> channel. To see which NixOS
instance, if you installed from a 22.11 ISO, you will be subscribed
to the <literal>nixos-22.11</literal> channel. To see which NixOS
channel youre subscribed to, run the following as root:
</para>
<programlisting>
@ -76,17 +76,17 @@ nixos https://nixos.org/channels/nixos-unstable
</programlisting>
<para>
(Be sure to include the <literal>nixos</literal> parameter at the
end.) For instance, to use the NixOS 22.05 stable channel:
end.) For instance, to use the NixOS 22.11 stable channel:
</para>
<programlisting>
# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos
# nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
</programlisting>
<para>
If you have a server, you may want to use the <quote>small</quote>
channel instead:
</para>
<programlisting>
# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos
# nix-channel --add https://nixos.org/channels/nixos-22.11-small nixos
</programlisting>
<para>
And if you want to live on the bleeding edge:
@ -146,7 +146,7 @@ system.autoUpgrade.allowReboot = true;
also specify a channel explicitly, e.g.
</para>
<programlisting language="bash">
system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05;
system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11;
</programlisting>
</section>
</chapter>

View file

@ -13,7 +13,9 @@
<itemizedlist spacing="compact">
<listitem>
<para>
Create the first release note entry in this section!
Cinnamon has been updated to 5.6, see
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204">the
pull request</link> for what is changed.
</para>
</listitem>
</itemizedlist>
@ -56,6 +58,16 @@
<literal>fetch-ec2-metadata.service</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.sourcehut.dispatch</literal> and the
corresponding package
(<literal>sourcehut.dispatchsrht</literal>) have been removed
due to
<link xlink:href="https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/">upstream
deprecation</link>.
</para>
</listitem>
<listitem>
<para>
The EC2 image module previously detected and automatically
@ -76,14 +88,37 @@
relying on this should provide their own implementation.
</para>
</listitem>
<listitem>
<para>
The <literal>nix.readOnlyStore</literal> option has been
renamed to <literal>boot.readOnlyNixStore</literal> to clarify
that it configures the NixOS boot process, not the Nix daemon.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-23.05-notable-changes">
<title>Other Notable Changes</title>
<itemizedlist spacing="compact">
<itemizedlist>
<listitem>
<para>
Create the first release note entry in this section!
The module for the application firewall
<literal>opensnitch</literal> got the ability to configure
rules. Available as
<link linkend="opt-services.opensnitch.rules">services.opensnitch.rules</link>
</para>
</listitem>
<listitem>
<para>
A new <literal>virtualisation.rosetta</literal> module was
added to allow running <literal>x86_64</literal> binaries
through
<link xlink:href="https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment">Rosetta</link>
inside virtualised NixOS guests on Apple silicon. This feature
works by default with the
<link xlink:href="https://docs.getutm.app/">UTM</link>
virtualisation
<link xlink:href="https://search.nixos.org/packages?channel=unstable&amp;show=utm&amp;from=0&amp;size=1&amp;sort=relevance&amp;type=packages&amp;query=utm">package</link>.
</para>
</listitem>
</itemizedlist>
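Review bot: the opensnitch entry ends without a full stop after `services.opensnitch.rules`, and the "Other Notable Changes" list lost its `spacing="compact"` attribute while the earlier lists in the file keep it, which is what the converter emits when items in the markdown source are separated by blank lines. This file is generated from `rl-2305.section.md` by `./nixos/doc/manual/md-to-db.sh` (per the CONTRIBUTING change in this commit), so make both fixes in the markdown, removing the stray blank lines between items if the loose list was unintended, and regenerate the XML.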

View file

@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated
automatically from NixOS's Git repository after certain tests have
passed and all packages have been built. These channels are:
- *Stable channels*, such as [`nixos-22.05`](https://nixos.org/channels/nixos-22.05).
- *Stable channels*, such as [`nixos-22.11`](https://nixos.org/channels/nixos-22.05).
These only get conservative bug fixes and package upgrades. For
instance, a channel update may cause the Linux kernel on your system
to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
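Review bot: ``- *Stable channels*, such as [`nixos-22.11`](https://nixos.org/channels/nixos-22.05).`` updates the link text but not the URL, so the stable-channel link now points at the previous release; the URL should be `https://nixos.org/channels/nixos-22.11`. This markdown is the source for the docbook chapter in the same commit, so fixing it here and regenerating corrects both files.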
@ -19,7 +19,7 @@ passed and all packages have been built. These channels are:
radical changes between channel updates. It's not recommended for
production systems.
- *Small channels*, such as [`nixos-22.05-small`](https://nixos.org/channels/nixos-22.05-small)
- *Small channels*, such as [`nixos-22.11-small`](https://nixos.org/channels/nixos-22.05-small)
or [`nixos-unstable-small`](https://nixos.org/channels/nixos-unstable-small).
These are identical to the stable and unstable channels described above,
except that they contain fewer binary packages. This means they get updated
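Review bot: ``[`nixos-22.11-small`](https://nixos.org/channels/nixos-22.05-small)`` has the same text/URL mismatch as the stable-channel line: the URL must become `https://nixos.org/channels/nixos-22.11-small` for the link to reach the 22.11 small channel.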
@ -38,8 +38,8 @@ newest supported stable release.
When you first install NixOS, you're automatically subscribed to the
NixOS channel that corresponds to your installation source. For
instance, if you installed from a 22.05 ISO, you will be subscribed to
the `nixos-22.05` channel. To see which NixOS channel you're subscribed
instance, if you installed from a 22.11 ISO, you will be subscribed to
the `nixos-22.11` channel. To see which NixOS channel you're subscribed
to, run the following as root:
```ShellSession
@ -54,16 +54,16 @@ To switch to a different NixOS channel, do
```
(Be sure to include the `nixos` parameter at the end.) For instance, to
use the NixOS 22.05 stable channel:
use the NixOS 22.11 stable channel:
```ShellSession
# nix-channel --add https://nixos.org/channels/nixos-22.05 nixos
# nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
```
If you have a server, you may want to use the "small" channel instead:
```ShellSession
# nix-channel --add https://nixos.org/channels/nixos-22.05-small nixos
# nix-channel --add https://nixos.org/channels/nixos-22.11-small nixos
```
And if you want to live on the bleeding edge:
@ -114,5 +114,5 @@ the new generation contains a different kernel, initrd or kernel
modules. You can also specify a channel explicitly, e.g.
```nix
system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.05;
system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11;
```

View file

@ -1,27 +1,53 @@
# Release 22.11 (“Raccoon”, 2022.11/??) {#sec-release-22.11}
# Release 22.11 (“Raccoon”, 2022.11/30) {#sec-release-22.11}
Support is planned until the end of June 2023, handing over to 23.05.
The NixOS release team is happy to announce a new version of NixOS 22.11. NixOS is both a Linux distribution, and a set of packages usable on other Linux systems and macOS.
This release is supported until the end of June 2023, handing over to NixOS 23.05.
To upgrade to the latest release follow the [upgrade chapter](#sec-upgrading).
## Highlights {#sec-release-22.11-highlights}
In addition to numerous new and upgraded packages, this release has the following highlights:
In addition to numerous new and upgraded packages, this release includes the following highlights:
- GNOME has been upgraded to 43. Please take a look at their [Release
Notes](https://release.gnome.org/43/) for details.
- Software that uses the `crypt` password hashing API is now using the implementation provided by [`libxcrypt`](https://github.com/besser82/libxcrypt) instead of glibc's, which enables support for more secure algorithms.
- Support for algorithms that `libxcrypt` [does not consider strong](https://github.com/besser82/libxcrypt/blob/v4.4.28/lib/hashes.conf#L41) are **deprecated** as of this release, and will be removed in NixOS 23.05.
- This includes system login passwords. Given this, we **strongly encourage** all users to update their system passwords, as you will be unable to login if password hashes are not migrated by the time their support is removed.
- When using `users.users.<name>.hashedPassword` to configure user passwords, run `mkpasswd`, and use the yescrypt hash that is provided as the new value.
- On the other hand, for interactively configured user passwords, simply re-set the passwords for all users with `passwd`.
- This release introduces warnings for the use of deprecated hash algorithms for both methods of configuring passwords. To make sure you migrated correctly, run `nixos-rebuild switch`.
- During cross-compilation, tests are now executed if the test suite can be executed
by the build platform. This is the case when doing “native” cross-compilation
where the build and host platforms are largely the same, but the nixpkgs' cross
compilation infrastructure is used, e.g. `pkgsStatic` and `pkgsLLVM`. Another
possibility is that the build platform is a superset of the host platform, e.g. when
cross-compiling from `x86_64-unknown-linux` to `i686-unknown-linux`.
The predicate gating test suite execution is the newly added `canExecute`
predicate: You can e.g. check if `stdenv.buildPlatform` can execute binaries
built for `stdenv.hostPlatform` (i.e. produced by `stdenv.cc`) by evaluating
`stdenv.buildPlatform.canExecute stdenv.hostPlatform`.
- The NixOS documentation is now generated from markdown. While docbook is still part of the documentation build process, it's a big step towards the full migration.
- The `nixpkgs.hostPlatform` and `nixpkgs.buildPlatform` options have been added.
These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options.
- `aarch64-linux` is now included in the `nixos-22.11` and `nixos-22.11-small` channels. This means that when those channel update, both `x86_64-linux` and `aarch64-linux` will be available in the binary cache.
- `aarch64-linux` ISOs are now available on the [downloads page](https://nixos.org/download.html).
- `nsncd` is now available as a replacement of `nscd`.
`nscd` is responsible for resolving hostnames, users and more in NixOS and has been a long standing source of bugs, such as sporadic network freezes.
More context in this [issue](https://github.com/NixOS/nixpkgs/issues/135888).
Help us test the new implementation by setting `services.nscd.enableNsncd` to `true`.
We plan to use `nsncd` by default in NixOS 23.05.
- Linode cloud images are now supported by importing `${modulesPath}/virtualisation/linode-image.nix` and accessing `system.build.linodeImage` on the output.
- `hardware.nvidia` has a new option, `hardware.nvidia.open`, that can be used to enable the usage of NVIDIA's open-source kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [the release announcement](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for more information.
- The `emacs` package now makes use of native compilation which means:
- Emacs packages from Nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine;
- Emacs packages from somewhere else, e.g. `package-install`, will perform asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still benefiting from native compilation for packages from Nixpkgs.
## Internal changes {#sec-release-22.11-internal}
- Haskell `ghcWithPackages` is now up to 15 times faster to evaluate, thanks to changing `lib.closePropagation` from a quadratic to linear complexity. Please see backward incompatibilities notes below. <https://github.com/NixOS/nixpkgs/pull/194391>
- For cross-compilation targets that can also run on the building machine, we now run tests. This, for example, is the case for the `pkgsStatic` and `pkgsLLVM` package sets or i686 packages on `x86_64` machines.
- To simplify cross-compilation in NixOS, this release introduces the `nixpkgs.hostPlatform` and `nixpkgs.buildPlatform` options. These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options.
- `hostPlatform` is the platform or "`system`" string of the NixOS system
described by the configuration.
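Review bot: the new emacs highlight keeps the typo "without compiling them on you machine" (should be "your machine") from the old text it replaces. The `nixpkgs.hostPlatform` / `nixpkgs.buildPlatform` options are also described twice in the new text, once under Highlights ("have been added. These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options") and again under Internal changes with almost the same sentence; keep one and cross-reference the other.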
@ -38,132 +64,24 @@ In addition to numerous new and upgraded packages, this release has the followin
for a transition period so that in time the ecosystem can switch without
breaking compatibility with any supported NixOS release.
- `emacs` enables native compilation which means:
- emacs packages from nixpkgs, builtin or not, will do native compilation ahead of time so you can enjoy the benefit of native compilation without compiling them on you machine;
- emacs packages from somewhere else, e.g. `package-install`, will do asynchronously deferred native compilation. If you do not want this, maybe to avoid CPU consumption for compilation, you can use `(setq native-comp-deferred-compilation nil)` to disable it while still enjoy the benefit of native compilation for packages from nixpkgs.
## Notable version updates {#sec-release-22.11-version-updates}
- `nixos-generate-config` now generates configurations that can be built in pure
mode. This is achieved by setting the new `nixpkgs.hostPlatform` option.
You may have to unset the `system` parameter in `lib.nixosSystem`, or similarly
remove definitions of the `nixpkgs.{system,localSystem,crossSystem}` options.
Alternatively, you can remove the `hostPlatform` line and use NixOS like you
would in NixOS 22.05 and earlier.
- PHP now defaults to PHP 8.1, updated from 8.0.
- PHP is now built `NTS` (Non-Thread Safe) style by default, for Apache and
`mod_php` usage we still enable `ZTS` (Zend Thread Safe). This has been a
common practice for a long time in other distributions.
- PHP 8.2.0 RC 6 is available.
- `protonup` has been aliased to and replaced by `protonup-ng` due to upstream not maintaining it.
- Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default.
- Improved performances of `lib.closePropagation` which was previously quadratic. This is used in e.g. `ghcWithPackages`. Please see backward incompatibilities notes below.
- Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to
blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream.
- Nix has been upgraded from v2.8.1 to v2.11.0. For more information, please see the release notes for [2.9](https://nixos.org/manual/nix/stable/release-notes/rl-2.9.html), [2.10](https://nixos.org/manual/nix/stable/release-notes/rl-2.10.html) and [2.11](https://nixos.org/manual/nix/stable/release-notes/rl-2.11.html).
- OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.
- An image configuration and generator has been added for Linode images, largely based on the present GCE configuration and image.
- GNOME has been upgraded to version 43. Please see the [release notes](https://release.gnome.org/43/) for details.
- `hardware.nvidia` has a new option `open` that can be used to opt in the opensource version of NVIDIA kernel driver. Note that the driver's support for GeForce and Workstation GPUs is still alpha quality, see [NVIDIA Releases Open-Source GPU Kernel Modules](https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/) for the official announcement.
- KDE Plasma has been upgraded from v5.24 to v5.26. Please see the release notes for [v5.25](https://kde.org/announcements/plasma/5/5.25.0/) and [v5.26](https://kde.org/announcements/plasma/5/5.26.0/) for more details on the included changes.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Cinnamon has been updated to 5.4, and the Cinnamon module now defaults to
Blueman as the Bluetooth manager and slick-greeter as the LightDM greeter, to match upstream.
## New Services {#sec-release-22.11-new-services}
- PHP now defaults to PHP 8.1, updated from 8.0.
- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).
- Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default.
- [automatic-timezoned](https://github.com/maxbrunet/automatic-timezoned). a Linux daemon to automatically update the system timezone based on location. Available as [services.automatic-timezoned](#opt-services.automatic-timezoned.enable).
- [xray] (https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as [services.xray](options.html#opt-services.xray.enable).
- [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs), a self-hostable sync server for Firefox. Available as [services.firefox-syncserver](options.html#opt-services.firefox-syncserver.enable).
- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable).
- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable).
- [Tandoor Recipes](https://tandoor.dev), a self-hosted multi-tenant recipe collection. Available as [services.tandoor-recipes](options.html#opt-services.tandoor-recipes.enable).
- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).
- [Please](https://github.com/edneville/please), a Sudo clone written in Rust. Available as [security.please](#opt-security.please.enable)
- [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable).
- [EVCC](https://evcc.io) is an EV charge controller with PV integration. It supports a multitude of chargers, meters, vehicle APIs and more and ties that together with a well-tested backend and a lightweight web frontend. Available as [services.evcc](#opt-services.evcc.enable).
- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle.
Available as [services.infnoise](options.html#opt-services.infnoise.enable).
- [kthxbye](https://github.com/prymitive/kthxbye), an alert acknowledgement management daemon for Prometheus Alertmanager. Available as [services.kthxbye](options.html#opt-services.kthxbye.enable)
- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization.
Available as [services.kanata](options.html#opt-services.kanata.enable).
- [karma](https://github.com/prymitive/karma), an alert dashboard for Prometheus Alertmanager. Available as [services.karma](options.html#opt-services.karma.enable)
- [languagetool](https://languagetool.org/), a multilingual grammar, style, and spell checker.
Available as [services.languagetool](options.html#opt-services.languagetool.enable).
- [OpenRGB](https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master), a FOSS tool for controlling RGB lighting. Available as [services.hardware.openrgb.enable](options.html#opt-services-hardware-openrgb-enable).
- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable).
- [ntfy.sh](https://ntfy.sh), a push notification service. Available as [services.ntfy-sh](#opt-services.ntfy-sh.enable)
- [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable).
- [endlessh](https://github.com/skeeto/endlessh), an SSH tarpit. Available as [services.endlessh](#opt-services.endlessh.enable).
- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable).
- [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable).
- [netbird](https://netbird.io), a zero configuration VPN.
Available as [services.netbird](options.html#opt-services.netbird.enable).
- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable).
- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable).
- [Dolibarr](https://www.dolibarr.org/), an enterprise resource planning and customer relationship manager. Enable using [services.dolibarr](#opt-services.dolibarr.enable).
- [FreshRSS](https://freshrss.org/), a free, self-hostable RSS feed aggregator. Available as [services.freshrss](#opt-services.freshrss.enable).
- [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable).
- [merecat](https://troglobit.com/projects/merecat/), a small and easy HTTP server based on thttpd. Available as [services.merecat](#opt-services.merecat.enable)
- [go-autoconfig](https://github.com/L11R/go-autoconfig), IMAP/SMTP autodiscover server. Available as [services.go-autoconfig](#opt-services.go-autoconfig.enable).
- [tmate-ssh-server](https://github.com/tmate-io/tmate-ssh-server), server side part of [tmate](https://tmate.io/). Available as [services.tmate-ssh-server](#opt-services.tmate-ssh-server.enable).
- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).
- [AusweisApp2](https://www.ausweisapp.bund.de/), the authentication software for the German ID card. Available as [programs.ausweisapp](#opt-programs.ausweisapp.enable).
- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul.
Available as [services.patroni](options.html#opt-services.patroni.enable).
- [Prometheus IPMI exporter](https://github.com/prometheus-community/ipmi_exporter), an IPMI exporter for Prometheus. Available as [services.prometheus.exporters.ipmi](#opt-services.prometheus.exporters.ipmi.enable).
- [WriteFreely](https://writefreely.org), a simple blogging platform with ActivityPub support. Available as [services.writefreely](options.html#opt-services.writefreely.enable).
- [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable).
- [Uptime Kuma](https://uptime.kuma.pet/), a fancy self-hosted monitoring tool. Available as [services.uptime-kuma](#opt-services.uptime-kuma.enable).
- [Mepo](https://mepo.milesalan.com), a fast, simple, hackable OSM map viewer for mobile and desktop Linux. Available as [programs.mepo.enable](#opt-programs.mepo.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Python now defaults to 3.10, updated from 3.9.
## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
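Review bot: the trailing-period inconsistency in the list removed here survives into the sorted list that re-adds these entries later in this diff (`karma`, `ntfy.sh` and `merecat` end without a period, every other entry ends with one); since every entry is being touched anyway, this is the moment to normalise them. The OpenRGB anchor change is correct: the removed line links to `options.html#opt-services-hardware-openrgb-enable` (hyphens) while the re-added one uses `#opt-services.hardware.openrgb.enable` (dots), matching every other anchor in the list. `- Python now defaults to 3.10, updated from 3.9.` is left standing alone between the merge-conflict comment and the Backward Incompatibilities heading; confirm it still renders as part of the highlights list it follows.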
@ -172,18 +90,17 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `isCompatible` predicate checking CPU compatibility is no longer exposed
by the platform sets generated using `lib.systems.elaborate`. In most cases
you will want to use the new `canExecute` predicate instead which also
considers the kernel / syscall interface. It is briefly described in the
release's [highlights section](#sec-release-22.11-highlights).
takes the kernel / syscall interface into account.
`lib.systems.parse.isCompatible` still exists, but has changed semantically:
Architectures with differing endianness modes are *no longer considered compatible*.
- `ngrok` has been upgraded from 2.3.40 to 3.0.4. Please see [the upgrade guide](https://ngrok.com/docs/guides/upgrade-v2-v3)
and [changelog](https://ngrok.com/docs/ngrok-agent/changelog). Notably, breaking changes are that the config file format has
changed and support for single hypen arguments was dropped.
changed and support for single hyphen arguments was dropped.
- `i18n.supportedLocales` is now by default only generated with the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`.
This got partially copied over from the minimal profile and reduces the final system size by up to 200MB.
If you require all locales installed set the option to ``[ "all" ]``.
- `i18n.supportedLocales` is now only generated with the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`.
- This reduces the final system closure size by up to 200MB.
- If you require all locales installed, set the option to ``[ "all" ]``.
- Deprecated settings `logrotate.paths` and `logrotate.extraConfig` have
been removed. Please convert any uses to
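Review bot: the rewritten `canExecute` sentence drops the cross-reference `release's [highlights section](#sec-release-22.11-highlights)` without a replacement; if the highlights section still describes `canExecute`, keep the link, as it is the only pointer from the incompatibilities list to the longer explanation. The new `i18n.supportedLocales` sub-bullets read more clearly than the paragraph they replace, but they also drop the remark that the behaviour was copied from the minimal profile; if that provenance matters to anyone debugging a missing locale, keep it as a third sub-bullet. The `hypen` to `hyphen` fix is correct.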
@ -195,7 +112,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `fetchgit` fetcher supports sparse checkouts via the `sparseCheckout` option. This used to accept a multi-line string with directories/patterns to check out, but now requires a list of strings.
- `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins
- `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins.
- `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`.
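Review bot: the added trailing period is fine, but the security-relevant half of this entry deserves one more clause: `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins` tells operators that the rule changed but not what it means for a configuration that sets the same variable twice, i.e. which of the two entries now takes effect. Stating that explicitly is what lets an operator decide whether the upgrade silently changes a session's environment, so consider adding it here rather than relying on readers to look up the upstream release notes.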
@ -208,11 +125,11 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead.
- The `openssl`-extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if
- The OpenSSL extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if
[](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html)
don't lose access to their files.
In any other case it's safe to use OpenSSL 3 for PHP's openssl extension. This can be done by setting
In any other case, it's safe to use OpenSSL 3 for PHP's OpenSSL extension. This can be done by setting
[](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`.
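Review bot: the entry never states the default value of `enableBrokenCiphersForSSE` or that this option is what selects OpenSSL 1.1 versus OpenSSL 3; from `built against OpenSSL 1.1 if [](#opt-system.stateVersion) is below 22.11` and `This can be done by setting ... to false` a reader has to infer that the option defaults to `true` below `22.11` and `false` otherwise. Suggest spelling out the default and the dependency in one sentence, since an operator without server-side encryption who leaves the option at its old-stateVersion default keeps running the older OpenSSL without realising it. The `OpenSSL extension` capitalisation now matches `PHP's OpenSSL extension` two lines down, which is good.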
- The `coq` package and versioned variants starting at `coq_8_14` no
@ -231,7 +148,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
Users who still wish to remain using GTK can do so by using `emacs-gtk`.
- `kanidm` has been updated to 1.1.0-alpha.10 and now requires a tls certificate and key. It will always start an https and if enabled an ldaps server and no http and ldap server anymore.
- `kanidm` has been updated to 1.1.0-alpha.10 and now requires a TLS certificate and key. It will always start `https` and--if enabled--an LDAPS server and no HTTP and LDAP server anymore.
- riak package removed along with `services.riak` module, due to lack of maintainer to update the package.
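Review bot: the rewritten kanidm sentence mixes code font and plain text for the same kind of thing (`https` in backticks, LDAPS, HTTP and LDAP plain) and uses a literal `--` which Markdown renders as two hyphens, not a dash. Suggest `It will always start an HTTPS server and, if enabled, an LDAPS server; plain HTTP and LDAP listeners are no longer started.` The `TLS certificate and key` capitalisation fix is correct. The riak line in the trailing context still reads `riak package removed along with`; a leading `The` and a code-font `riak` would match the surrounding entries.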
@ -298,7 +215,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `zrepl` package has been updated from 0.5.0 to 0.6.0. See the [changelog](https://zrepl.github.io/changelog.html) for details.
- `k3s` no longer supports docker as runtime due to upstream dropping support.
- `k3s` no longer supports Docker as runtime due to upstream dropping support.
- `cassandra_2_1` and `cassandra_2_2` have been removed. Please update to `cassandra_3_11` or `cassandra_3_0`. See the [changelog](https://github.com/apache/cassandra/blob/cassandra-3.11.14/NEWS.txt) for more information about the upgrade process.
@ -322,7 +239,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
For further information, please read the upstream changelogs.
- `stylua` no longer accepts `lua52Support` and `luauSupport` overrides, use `features` instead, which defaults to `[ "lua54" "luau" ]`.
- `stylua` no longer accepts `lua52Support` and `luauSupport` overrides. Use `features` instead, which defaults to `[ "lua54" "luau" ]`.
- `ocamlPackages.ocaml_extlib` has been renamed to `ocamlPackages.extlib`.
@ -347,23 +264,29 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
## Other Notable Changes {#sec-release-22.11-notable-changes}
- `firefox`, `thunderbird` and `librewolf` come with enabled Wayland support by default. The `firefox-wayland`, `firefox-esr-wayland`, `thunderbird-wayland` and `librewolf-wayland` attributes are obsolete and have been aliased to their generic attribute.
- PHP is now built in `NTS` (Non-Thread Safe) mode by default.
- For Apache and `mod_php` usage, we enable `ZTS` (Zend Thread Safe) mode. This has been a
common practice for a long time in other distributions.
- `firefox`, `thunderbird` and `librewolf` now come with Wayland support by default. The `firefox-wayland`, `firefox-esr-wayland`, `thunderbird-wayland` and `librewolf-wayland` attributes are obsolete and have been aliased to their generic attribute.
- The `xplr` package has been updated from 0.18.0 to 0.19.0, which brings some breaking changes. See the [upstream release notes](https://github.com/sayanarijit/xplr/releases/tag/v0.19.0) for more details.
- Configuring multiple GitHub runners is now possible through `services.github-runners.<name>`. The option `services.github-runner` remains.
- Configuring multiple GitHub runners is now possible through `services.github-runners.<name>`. The options under `services.github-runner` remain, to configure a single runner.
- `github-runner` gained support for ephemeral runners and registrations using a personal access token (PAT) instead of a registration token. See `services.github-runner.ephemeral` and `services.github-runner.tokenFile` for details.
- A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
- A new module was added to provide hardware support for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
- ZFS module will not allow hibernation by default, this is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842). Use the `boot.zfs.allowHibernation` option to configure this behaviour.
- ZFS module will no longer allow hibernation by default.
- This is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842).
- Use the `boot.zfs.allowHibernation` option to configure this behaviour.
- `mastodon` now automatically removes remote media attachments older than 30 days. This is configurable through `services.mastodon.mediaAutoRemove`.
- Mastodon now automatically removes remote media attachments older than 30 days. This is configurable through `services.mastodon.mediaAutoRemove`.
- The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default.
- Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance.
- Neo4j was updated from version 3 to version 4. See upstream's [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) for information on how to migrate your instance.
- The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark.
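Review bot: `A new module was added to provide hardware support for the Saleae Logic device family, providing the options` repeats provide/providing; suggest `A new module provides support for the Saleae Logic device family through the options hardware.saleae-logic.enable and hardware.saleae-logic.package.` The ZFS entry split into sub-bullets reads well, but `ZFS module will no longer allow hibernation by default.` needs a leading `The`. The PHP `NTS`/`ZTS` entry is the only one in this hunk not tied to an option or attribute name; naming whatever selects ZTS for Apache and `mod_php` would let readers find it. The `networking.wireguard` line in the trailing context has `mtu` and `fwmark` in plain text where the rest of the notes put identifiers in code font.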
@ -373,9 +296,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `polymc` package has been removed due to a rogue maintainer. It has been
replaced by `prismlauncher`, a fork by the rest of the maintainers. For more
details, see [the pull request that made this
change](https://github.com/NixOS/nixpkgs/pull/196624) and [this issue
detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460).
details, see [the PR that made this change](https://github.com/NixOS/nixpkgs/pull/196624) and
[the issue detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460).
Users with existing installations should rename `~/.local/share/polymc` to
`~/.local/share/PrismLauncher`. The main config file's path has also moved
from `~/.local/share/polymc/polymc.cfg` to
@ -383,7 +305,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `bloat` package has been updated from unstable-2022-03-31 to unstable-2022-10-25, which brings a breaking change. See [this upstream commit message](https://git.freesoftwareextremist.com/bloat/commit/?id=887ed241d64ba5db3fd3d87194fb5595e5ad7d73) for details.
- The `services.matrix-synapse` systemd unit has been hardened.
- Synapse's systemd unit has been hardened.
- The module `services.grafana` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed:
- The newly introduced option [](#opt-services.grafana.settings) is an attribute-set that
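Review bot: the rewrite from `The services.matrix-synapse systemd unit has been hardened.` to `Synapse's systemd unit has been hardened.` drops the option path, which is how readers locate the module in this document; suggest `The systemd unit of services.matrix-synapse has been hardened.` Either way, `hardened` alone gives an operator nothing to act on: naming the sandboxing directives that were applied, or linking the change, is what tells them which file-system paths, capabilities or sockets a custom setup might now lose.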
@ -448,7 +370,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `services.grafana.provision.alerting` option was added. It includes suboptions for every alerting-related objects (with the exception of `notifiers`), which means it's now possible to configure modern Grafana alerting declaratively.
- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
- Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
- The `diamond` package has been update from 0.8.36 to 2.0.15. See the [upstream release notes](https://github.com/bbuchfink/diamond/releases) for more details.
@ -456,7 +378,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `netlify-cli` package has been updated from 6.13.2 to 12.2.4, see the [changelog](https://github.com/netlify/cli/releases) for more details.
- `dockerTools.buildImage` deprecates the misunderstood `contents` parameter, in favor of `copyToRoot`.
- `dockerTools.buildImage`'s `contents` parameter has been deprecated in favor of `copyToRoot`.
Use `copyToRoot = buildEnv { ... };` or similar if you intend to add packages to `/bin`.
- The `proxmox.qemuConf.bios` option was added, it corresponds to `Hardware->BIOS` field in Proxmox web interface. Use `"ovmf"` value to build UEFI image, default value remains `"bios"`. New option `proxmox.partitionTableType` defaults to either `"legacy"` or `"efi"`, depending on the `bios` value. Setting `partitionTableType` to `"hybrid"` results in an image, which supports both methods (`"bios"` and `"ovmf"`), thereby remaining bootable after change to Proxmox `Hardware->BIOS` field.
@ -467,7 +389,9 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `documentation.nixos.options.allowDocBook` option was added to ease the transition to CommonMark option documentation. Setting this option to `false` causes an error for every option included in the manual that uses DocBook documentation; it defaults to `true` to preserve the previous behavior and will be removed once the transition to CommonMark is complete.
- The redis module now persists each instance's configuration file in the state directory, in order to support some more advanced use cases like sentinel.
- The Redis module now persists each instance's configuration file in the state directory, in order to support some more advanced use cases like Sentinel.
- `protonup` has been aliased to and replaced by `protonup-ng` due to upstream not maintaining it.
- The udisks2 service, available at `services.udisks2.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.
This also means that polkit will now actually be disabled by default. The default for `security.polkit.enable` was already flipped in the previous release, but udisks2 being enabled by default re-enabled it.
@ -476,22 +400,12 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
for Nextcloud in NixOS:
- For Nextcloud **>=24**, the default PHP version is 8.1.
- Nextcloud **23** has been removed since it will reach its [end of life in December 2022](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/d76576a12a626d53305d480a6065b57cab705d3d).
- For `system.stateVersion` being **>=22.11**, Nextcloud 25 will be installed by default. For older versions,
- If `system.stateVersion` is **>=22.11**, Nextcloud 25 will be installed by default. For older versions,
Nextcloud 24 will be installed.
- Please ensure that you only upgrade on major release at a time! Nextcloud doesn't support
- Please ensure that you only upgrade one major release at a time! Nextcloud doesn't support
upgrades across multiple versions, i.e. an upgrade from **23** to **25** is only possible
when upgrading to **24** first.
- Add udev rules for the Teensy family of microcontrollers.
- The Qt QML disk cache is now disabled by default. This fixes a
long-standing issue where updating Qt/KDE apps would sometimes cause
them to crash or behave strangely without explanation. Those concerned
about the small (~10%) performance hit to application startup can
re-enable the cache (and expose themselves to gremlins) by setting the
envrionment variable `QML_FORCE_DISK_CACHE` to `1` using e.g. the
`environment.sessionVariables` NixOS option.
- systemd-oomd is enabled by default. Depending on which systemd units have
`ManagedOOMSwap=kill` or `ManagedOOMMemoryPressure=kill`, systemd-oomd will
SIGKILL all the processes under the appropriate descendant cgroups when the
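Review bot: this hunk shrinks the section from 22 to 12 lines, and the entries for the Teensy udev rules and for the Qt QML disk cache (including the `QML_FORCE_DISK_CACHE` workaround) are not re-added anywhere visible in this diff. If they were moved to another section, fine; if not, the QML entry in particular documents a default behaviour change with a user-facing override and should be kept (with the `envrionment` typo fixed in passing). The Nextcloud wording fixes (`If system.stateVersion is >=22.11`, `one major release at a time`) are correct.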
@ -505,25 +419,23 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API.
- There is a new module for AMD SEV CPU functionality, which grants access to the hardware.
- The Wordpress module got support for installing language packs through `services.wordpress.sites.<site>.languages`.
- The Wordpress module now has support for installing language packs through a new option, `services.wordpress.sites.<site>.languages`.
- The default package for `services.mullvad-vpn.package` was changed to `pkgs.mullvad`, allowing cross-platform usage of Mullvad. `pkgs.mullvad` only contains the Mullvad CLI tool, so users who rely on the Mullvad GUI will want to change it back to `pkgs.mullvad-vpn`, or add `pkgs.mullvad-vpn` to their environment.
- PowerDNS has been updated from `4.6.x` to `4.7.x`. Please be sure to review the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master) provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the gsql database backends, which has to be manually applied.
- PowerDNS has been updated from v4.6.2 to v4.7.2. Please be sure to review the [Upgrade Notes](https://doc.powerdns.com/authoritative/upgrading.html#to-4-7-0-or-master) provided by upstream before upgrading. Worth specifically noting is that the new Catalog Zones feature comes with a mandatory schema change for the GSQL database backends, which has to be manually applied.
- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed.
- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and may be removed in a future release.
- There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service.
- There is a new module for `xfconf` (the Xfce configuration storage system), which has a dbus service.
- The Mastodon package got upgraded from the major version 3 to 4. See the [v4.0.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.0.0) for a list of changes. On standard setups, no manual migration steps are required. Nevertheless, a database backup is recommended.
- The Mastodon package has been upgraded to v4.0.0. See the [v4.0.0 release notes](https://github.com/mastodon/mastodon/releases/tag/v4.0.0) for a list of changes. On standard setups, no manual migration steps are required. Nevertheless, a database backup is recommended.
- The `nomad` package now defaults to 1.3, which no longer has a downgrade path to releases 1.2 or older.
- The `nomad` package now defaults to v1.3, which no longer has a downgrade path to v1.2 or older.
- The `nodePackages` package set now defaults to the LTS release in the `nodejs` package again, instead of being pinned to `nodejs-14_x`. Several updates to node2nix have been made for compatibility with newer Node.js and npm versions and a new `postRebuild` hook has been added for packages to perform extra build steps before the npm install step prunes dev dependencies.
- `boot.kernel.sysctl` is defined as a freeformType and adds a custom merge option for "net.core.rmem_max" (taking the highest value defined to avoid conflicts between 2 services trying to set that value).
- `boot.kernel.sysctl` is defined as a freeformType and adds a custom merge option for `net.core.rmem_max` (taking the highest value defined to avoid conflicts between 2 services trying to set that value).
- The `mame` package does not ship with its tools anymore in the default output. They were moved to a separate `tools` output instead. For convenience, `mame-tools` package was added for those who want to use it.
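Review bot: `The Mastodon package has been upgraded to v4.0.0.` loses the information that this is a major-version jump, which is the reason the entry recommends a database backup; suggest `from v3 to v4.0.0`. The PowerDNS change from `4.6.x to 4.7.x` to `v4.6.2 to v4.7.2` adds precision that must match the packaged versions, so confirm both against the package before merging. In the `boot.kernel.sysctl` entry, `net.core.rmem_max` in code font is right, and `2 services` would read better as `two services`. The thunar and xfconf rewrites are straight improvements.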
@ -531,8 +443,94 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The option `services.picom.experimentalBackends` was removed since it is now the default and the option will cause `picom` to quit instead.
- `haskellPackage.callHackage` is not always invalidated if `all-cabal-hashes` changes, leading to less rebuilds of haskell dependencies.
- `haskellPackages.callHackage` is not always invalidated if `all-cabal-hashes` changes, leading to less rebuilds of haskell dependencies.
- `haskellPackages.callHackage` and `haskellPackages.callCabal2nix` (and related functions) no longer keep a reference to the `cabal2nix` call used to generate them. As a result, they will be garbage collected more often.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## New Services {#sec-release-22.11-new-services}
- [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable).
- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).
- [AusweisApp2](https://www.ausweisapp.bund.de/), the authentication software for the German ID card. Available as [programs.ausweisapp](#opt-programs.ausweisapp.enable).
- [automatic-timezoned](https://github.com/maxbrunet/automatic-timezoned). a Linux daemon to automatically update the system timezone based on location. Available as [services.automatic-timezoned](#opt-services.automatic-timezoned.enable).
- [Dolibarr](https://www.dolibarr.org/), an enterprise resource planning and customer relationship manager. Enable using [services.dolibarr](#opt-services.dolibarr.enable).
- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable).
- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable).
- [endlessh](https://github.com/skeeto/endlessh), an SSH tarpit. Available as [services.endlessh](#opt-services.endlessh.enable).
- [EVCC](https://evcc.io) is an EV charge controller with PV integration. It supports a multitude of chargers, meters, vehicle APIs and more and ties that together with a well-tested backend and a lightweight web frontend. Available as [services.evcc](#opt-services.evcc.enable).
- [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable).
- [FreshRSS](https://freshrss.org/), a free, self-hostable RSS feed aggregator. Available as [services.freshrss](#opt-services.freshrss.enable).
- [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable).
- [go-autoconfig](https://github.com/L11R/go-autoconfig), IMAP/SMTP autodiscover server. Available as [services.go-autoconfig](#opt-services.go-autoconfig.enable).
- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).
- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).
- [infnoise](https://github.com/leetronics/infnoise), a hardware True Random Number Generator dongle. Available as [services.infnoise](options.html#opt-services.infnoise.enable).
- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization. Available as [services.kanata](options.html#opt-services.kanata.enable).
- [karma](https://github.com/prymitive/karma), an alert dashboard for Prometheus Alertmanager. Available as [services.karma](options.html#opt-services.karma.enable)
- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable).
- [kthxbye](https://github.com/prymitive/kthxbye), an alert acknowledgement management daemon for Prometheus Alertmanager. Available as [services.kthxbye](options.html#opt-services.kthxbye.enable)
- [languagetool](https://languagetool.org/), a multilingual grammar, style, and spell checker. Available as [services.languagetool](options.html#opt-services.languagetool.enable).
- [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable).
- [Mepo](https://mepo.milesalan.com), a fast, simple, hackable OSM map viewer for mobile and desktop Linux. Available as [programs.mepo.enable](#opt-programs.mepo.enable).
- [merecat](https://troglobit.com/projects/merecat/), a small and easy HTTP server based on thttpd. Available as [services.merecat](#opt-services.merecat.enable)
- [netbird](https://netbird.io), a zero configuration VPN. Available as [services.netbird](options.html#opt-services.netbird.enable).
- [ntfy.sh](https://ntfy.sh), a push notification service. Available as [services.ntfy-sh](#opt-services.ntfy-sh.enable)
- [OpenRGB](https://gitlab.com/CalcProgrammer1/OpenRGB/-/tree/master), a FOSS tool for controlling RGB lighting. Available as [services.hardware.openrgb.enable](options.html#opt-services.hardware.openrgb.enable).
- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable).
- [Patroni](https://github.com/zalando/patroni), a template for PostgreSQL HA with ZooKeeper, etcd or Consul. Available as [services.patroni](options.html#opt-services.patroni.enable).
- [persistent-evdev](https://github.com/aiberia/persistent-evdev), a daemon to add virtual proxy devices that mirror a physical input device but persist even if the underlying hardware is hot-plugged. Available as [services.persistent-evdev](#opt-services.persistent-evdev.enable).
- [Please](https://github.com/edneville/please), a Sudo clone written in Rust. Available as [security.please](#opt-security.please.enable).
- [Prometheus IPMI exporter](https://github.com/prometheus-community/ipmi_exporter), an IPMI exporter for Prometheus. Available as [services.prometheus.exporters.ipmi](#opt-services.prometheus.exporters.ipmi.enable).
- [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable).
- [schleuder](https://schleuder.org/), a mailing list manager with PGP support. Enable using [services.schleuder](#opt-services.schleuder.enable).
- [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs), a self-hostable sync server for Firefox. Available as [services.firefox-syncserver](options.html#opt-services.firefox-syncserver.enable).
- [Tandoor Recipes](https://tandoor.dev), a self-hosted multi-tenant recipe collection. Available as [services.tandoor-recipes](options.html#opt-services.tandoor-recipes.enable).
- [TAYGA](http://www.litech.org/tayga/), an out-of-kernel stateless NAT64 implementation. Available as [services.tayga](#opt-services.tayga.enable).
- [tmate-ssh-server](https://github.com/tmate-io/tmate-ssh-server), server side part of [tmate](https://tmate.io/). Available as [services.tmate-ssh-server](#opt-services.tmate-ssh-server.enable).
- [Uptime Kuma](https://uptime.kuma.pet/), a fancy self-hosted monitoring tool. Available as [services.uptime-kuma](#opt-services.uptime-kuma.enable).
- [WriteFreely](https://writefreely.org), a simple blogging platform with ActivityPub support. Available as [services.writefreely](options.html#opt-services.writefreely.enable).
- [xray](https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as [services.xray](options.html#opt-services.xray.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
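Review bot: the New Services section is re-added here after Other Notable Changes, whereas the 23.05 notes later in this diff keep New Services before Backward Incompatibilities; pick one order for both files. Within the sorted list, `endlessh-go` is placed before `endlessh` (plain `endlessh` sorts first), `[automatic-timezoned](https://github.com/maxbrunet/automatic-timezoned). a Linux daemon` has a period where a comma belongs, and the `karma`, `kthxbye`, `merecat` and `ntfy.sh` entries still lack a trailing period. Above the list, `leading to less rebuilds` should be `fewer rebuilds`; the `haskellPackage` to `haskellPackages` correction is right.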

@ -8,7 +8,7 @@ In addition to numerous new and upgraded packages, this release has the followin
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Create the first release note entry in this section!
- Cinnamon has been updated to 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what is changed.
## New Services {#sec-release-23.05-new-services}
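Review bot: `for what is changed` should be `for what has changed`, and a trailing period on the Cinnamon entry would match the other sections. Replacing the `Create the first release note entry in this section!` placeholder is correct.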
@ -25,12 +25,18 @@ In addition to numerous new and upgraded packages, this release has the followin
- The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services.
This breaks services which rely on metadata being present by the time stage-2 is entered. Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service`
- `services.sourcehut.dispatch` and the corresponding package (`sourcehut.dispatchsrht`) have been removed due to [upstream deprecation](https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/).
- The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.
- The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
- The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon.
## Other Notable Changes {#sec-release-23.05-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Create the first release note entry in this section!
- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
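Review bot: the migration advice for readers of `/etc/ec2-metadata` says to add an `after` dependency on `fetch-ec2-metadata.service`, but `after` only orders units and does not cause that unit to be started; a consumer also needs `wants = [ "fetch-ec2-metadata.service" ]` (or `requires`), otherwise the file may never appear. Suggest wording the note as `after` plus `wants`.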

View file

@ -618,7 +618,7 @@ in {
# Install all the user shells
environment.systemPackages = systemShells;
environment.etc = (mapAttrs' (_: { packages, name, ... }: {
environment.etc = mapAttrs' (_: { packages, name, ... }: {
name = "profiles/per-user/${name}";
value.source = pkgs.buildEnv {
name = "user-environment";
@ -626,7 +626,7 @@ in {
inherit (config.environment) pathsToLink extraOutputsToInstall;
inherit (config.system.path) ignoreCollisions postBuild;
};
}) (filterAttrs (_: u: u.packages != []) cfg.users));
}) (filterAttrs (_: u: u.packages != []) cfg.users);
environment.profiles = [
"$HOME/.nix-profile"

View file

@ -1,7 +1,7 @@
{
x86_64-linux = "/nix/store/nmq5zcd93qb1yskx42rs910ff0247nn2-nix-2.11.0";
i686-linux = "/nix/store/ja6im1sw9a8lzczi10lc0iddffl9kzmn-nix-2.11.0";
aarch64-linux = "/nix/store/myr6fcqa9y4y2fb83zz73dck52vcn81z-nix-2.11.0";
x86_64-darwin = "/nix/store/2pfjz9b22k9997gh7cb0hjk1qa4lxrvy-nix-2.11.0";
aarch64-darwin = "/nix/store/lr32i0bdarx1iqsch4sy24jj1jkfw9vf-nix-2.11.0";
x86_64-linux = "/nix/store/xdlpraypxdimjyfrr4k06narrv8nmfgh-nix-2.11.1";
i686-linux = "/nix/store/acghbpn3aaj2q64mz3ljipsgf9d9qxlp-nix-2.11.1";
aarch64-linux = "/nix/store/0lrf6danhdqjsrhala134ak8vn0b9ghj-nix-2.11.1";
x86_64-darwin = "/nix/store/60sx4c6xflgqk11gvijwzlsczbxgxgwh-nix-2.11.1";
aarch64-darwin = "/nix/store/dmk5m3nlqp1awaqrp1f06qhhkh3l102n-nix-2.11.1";
}

View file

@ -52,9 +52,13 @@ in
environment.systemPackages = [ cfg.package ];
environment.etc."man_db.conf".text =
let
mandbForBuild = if pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform then
cfg.package
else
pkgs.buildPackages.man-db;
manualCache = pkgs.runCommand "man-cache" { } ''
echo "MANDB_MAP ${cfg.manualPages}/share/man $out" > man.conf
${cfg.package}/bin/mandb -C man.conf -psc >/dev/null 2>&1
${mandbForBuild}/bin/mandb -C man.conf -psc >/dev/null 2>&1
'';
in
''
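Review bot: `mandbForBuild` in the cross case falls back to `pkgs.buildPackages.man-db` rather than a build-platform variant of `cfg.package`, so a user override of `services.man.package` is ignored when cross-compiling and the index cache is produced by a possibly different man-db version than the one that reads it at runtime. A comment stating that the cache format must be compatible between the two versions (or a note in the `package` option description) would make that constraint visible.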

View file

@ -23,12 +23,12 @@ let
optionalAttrs (lhs ? packageOverrides) {
packageOverrides = pkgs:
optCall lhs.packageOverrides pkgs //
optCall (attrByPath ["packageOverrides"] ({}) rhs) pkgs;
optCall (attrByPath [ "packageOverrides" ] { } rhs) pkgs;
} //
optionalAttrs (lhs ? perlPackageOverrides) {
perlPackageOverrides = pkgs:
optCall lhs.perlPackageOverrides pkgs //
optCall (attrByPath ["perlPackageOverrides"] ({}) rhs) pkgs;
optCall (attrByPath [ "perlPackageOverrides" ] { } rhs) pkgs;
};
configType = mkOptionType {
@ -67,11 +67,6 @@ let
# Context for messages
hostPlatformLine = optionalString hasHostPlatform "${showOptionWithDefLocs opt.hostPlatform}";
buildPlatformLine = optionalString hasBuildPlatform "${showOptionWithDefLocs opt.buildPlatform}";
platformLines = optionalString hasPlatform ''
Your system configuration configures nixpkgs with platform parameters:
${hostPlatformLine
}${buildPlatformLine
}'';
legacyOptionsDefined =
optional (opt.localSystem.highestPrio < (mkDefault {}).priority) opt.system

View file

@ -46,6 +46,7 @@
./hardware/brillo.nix
./hardware/ckb-next.nix
./hardware/cpu/amd-microcode.nix
./hardware/cpu/amd-sev.nix
./hardware/cpu/intel-microcode.nix
./hardware/cpu/intel-sgx.nix
./hardware/corectrl.nix
@ -966,6 +967,7 @@
./services/networking/syncthing-relay.nix
./services/networking/syncplay.nix
./services/networking/tailscale.nix
./services/networking/tayga.nix
./services/networking/tcpcrypt.nix
./services/networking/teamspeak3.nix
./services/networking/tedicross.nix
@ -1329,6 +1331,7 @@
./virtualisation/parallels-guest.nix
./virtualisation/podman/default.nix
./virtualisation/qemu-guest-agent.nix
./virtualisation/rosetta.nix
./virtualisation/spice-usb-redirection.nix
./virtualisation/virtualbox-guest.nix
./virtualisation/virtualbox-host.nix

View file

@ -31,7 +31,7 @@ in
"pata_winbond"
# SCSI support (incomplete).
"3w-9xxx" "3w-xxxx" "aic79xx" "aic7xxx" "arcmsr"
"3w-9xxx" "3w-xxxx" "aic79xx" "aic7xxx" "arcmsr" "hpsa"
# USB support, especially for booting from USB CD-ROM
# drives.

View file

@ -1,13 +1,12 @@
{ config, lib, pkgs, ... }:
with lib;
let inherit (pkgs) writeScript; in
let
pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
inherit (pkgs) writeScript;
in {
pkgs2storeContents = map (x: { object = x; symlink = "none"; });
in
{
# Docker image config.
imports = [
../installer/cd-dvd/channel.nix

View file

@ -13,6 +13,12 @@ in {
services.erigon = {
enable = mkEnableOption (lib.mdDoc "Ethereum implementation on the efficiency frontier");
extraArgs = mkOption {
type = types.listOf types.str;
description = lib.mdDoc "Additional arguments passed to Erigon";
default = [ ];
};
secretJwtPath = mkOption {
type = types.path;
description = lib.mdDoc ''
@ -86,7 +92,7 @@ in {
serviceConfig = {
LoadCredential = "ERIGON_JWT:${cfg.secretJwtPath}";
ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT";
ExecStart = "${pkgs.erigon}/bin/erigon --config ${configFile} --authrpc.jwtsecret=%d/ERIGON_JWT ${lib.escapeShellArgs cfg.extraArgs}";
DynamicUser = true;
Restart = "on-failure";
StateDirectory = "erigon";
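Review bot: `lib.escapeShellArgs cfg.extraArgs` in the `ExecStart` line quotes for a POSIX shell, but `ExecStart=` is parsed by systemd's own splitter, not by a shell; use `utils.escapeSystemdExecArgs` (available to NixOS modules through the `utils` argument) so arguments containing spaces or quotes are quoted the way systemd expects. It is also worth saying in the `extraArgs` description that the list is appended after `--authrpc.jwtsecret=%d/ERIGON_JWT`, so a user-supplied `--authrpc.jwtsecret` may override the credential path.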

View file

@ -141,9 +141,9 @@ in
services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir;
networking.firewall.allowedTCPPorts = (mkIf cfg.hbase.master.openFirewall [
networking.firewall.allowedTCPPorts = mkIf cfg.hbase.master.openFirewall [
16000 16010
]);
];
})
@ -168,9 +168,9 @@ in
services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir;
networking = {
firewall.allowedTCPPorts = (mkIf cfg.hbase.regionServer.openFirewall [
firewall.allowedTCPPorts = mkIf cfg.hbase.regionServer.openFirewall [
16020 16030
]);
];
hosts = mkIf cfg.hbase.regionServer.overrideHosts {
"127.0.0.2" = mkForce [ ];
"::1" = mkForce [ ];

View file

@ -10,7 +10,7 @@ let
python = cfg.package.pythonModule;
escapeStr = s: escape ["'"] s;
escapeStr = escape [ "'" ];
defaultMasterCfg = pkgs.writeText "master.cfg" ''
from buildbot.plugins import *
@ -245,9 +245,7 @@ in {
description = "Buildbot User.";
isNormalUser = true;
createHome = true;
home = cfg.home;
group = cfg.group;
extraGroups = cfg.extraGroups;
inherit (cfg) home group extraGroups;
useDefaultShell = true;
};
};

View file

@ -67,7 +67,7 @@ in {
'');
servers = mkOption {
type = with types; attrsOf (submodule ({config, name, ...}@args: {
type = with types; attrsOf (submodule ({ config, name, ... }: {
options = {
enable = mkEnableOption (lib.mdDoc ''
Redis server.
@ -271,14 +271,11 @@ in {
};
config.settings = mkMerge [
{
port = config.port;
inherit (config) port logfile databases maxclients appendOnly;
daemonize = false;
supervised = "systemd";
loglevel = config.logLevel;
logfile = config.logfile;
syslog-enabled = config.syslog;
databases = config.databases;
maxclients = config.maxclients;
save = if config.save == []
then ''""'' # Disable saving with `save = ""`
else map
@ -286,12 +283,11 @@ in {
config.save;
dbfilename = "dump.rdb";
dir = "/var/lib/${redisName name}";
appendOnly = config.appendOnly;
appendfsync = config.appendFsync;
slowlog-log-slower-than = config.slowLogLogSlowerThan;
slowlog-max-len = config.slowLogMaxLen;
}
(mkIf (config.bind != null) { bind = config.bind; })
(mkIf (config.bind != null) { inherit (config) bind; })
(mkIf (config.unixSocket != null) {
unixsocket = config.unixSocket;
unixsocketperm = toString config.unixSocketPerm;

View file

@ -119,7 +119,7 @@ in {
kernels = mkOption {
type = types.nullOr (types.attrsOf(types.submodule (import ./kernel-options.nix {
inherit lib;
inherit lib pkgs;
})));
default = null;

View file

@ -1,9 +1,11 @@
# Options that can be used for creating a jupyter kernel.
{lib }:
{ lib, pkgs }:
with lib;
{
freeformType = (pkgs.formats.json { }).type;
options = {
displayName = mkOption {
@ -40,6 +42,15 @@ with lib;
'';
};
env = mkOption {
type = types.attrsOf types.str;
default = { };
example = { OMP_NUM_THREADS = "1"; };
description = lib.mdDoc ''
Environment variables to set for the kernel.
'';
};
logo32 = mkOption {
type = types.nullOr types.path;
default = null;
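Review bot: values set through the new `env` option are written into the generated kernel.json, which is a store path and therefore world-readable; the description should warn that `env` must not carry secrets (tokens, API keys) and is only for non-sensitive settings such as the `OMP_NUM_THREADS` example.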

View file

@ -119,7 +119,7 @@ in {
kernels = mkOption {
type = types.nullOr (types.attrsOf(types.submodule (import ../jupyter/kernel-options.nix {
inherit lib;
inherit lib pkgs;
})));
default = null;

View file

@ -131,9 +131,9 @@ in {
exp_table = "";
forbid = "";
metaserver2 = "";
motd = (fileContents "${cfg.package}/etc/crossfire/motd");
news = (fileContents "${cfg.package}/etc/crossfire/news");
rules = (fileContents "${cfg.package}/etc/crossfire/rules");
motd = fileContents "${cfg.package}/etc/crossfire/motd";
news = fileContents "${cfg.package}/etc/crossfire/news";
rules = fileContents "${cfg.package}/etc/crossfire/rules";
settings = "";
stat_bonus = "";
} // cfg.configFiles);

View file

@ -126,6 +126,15 @@ in
'';
};
hardware.sane.openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Open ports needed for discovery of scanners on the local network, e.g.
needed for Canon scanners (BJNP protocol).
'';
};
services.saned.enable = mkOption {
type = types.bool;
default = false;
@ -163,6 +172,7 @@ in
services.udev.packages = backends;
users.groups.scanner.gid = config.ids.gids.scanner;
networking.firewall.allowedUDPPorts = mkIf config.hardware.sane.openFirewall [ 8612 ];
})
(mkIf config.services.saned.enable {
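Review bot: `networking.firewall.allowedUDPPorts = mkIf config.hardware.sane.openFirewall [ 8612 ];` opens the BJNP discovery port on every interface, while the option description only talks about scanners on the local network; consider `networking.firewall.interfaces.<name>.allowedUDPPorts`, or at least add a sentence to the description saying the port is opened globally so users of multi-homed hosts know what they are enabling.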

View file

@ -45,8 +45,8 @@ let
initDBDir = "share/doc/gammu/examples/sql";
gammuPackage = with cfg.backend; (pkgs.gammu.override {
dbiSupport = (service == "sql" && sql.driver == "sqlite");
postgresSupport = (service == "sql" && sql.driver == "native_pgsql");
dbiSupport = service == "sql" && sql.driver == "sqlite";
postgresSupport = service == "sql" && sql.driver == "native_pgsql";
});
in {

View file

@ -483,7 +483,7 @@ in
description = "gitea";
after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service";
wantedBy = [ "multi-user.target" ];
path = [ gitea pkgs.git ];
path = [ gitea pkgs.git pkgs.gnupg ];
# In older versions the secret naming for JWT was kind of confusing.
# The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET

View file

@ -16,22 +16,6 @@ let
else
pkgs.postgresql_12;
# Git 2.36.1 seemingly contains a commit-graph related bug which is
# easily triggered through GitLab, so we downgrade it to 2.35.x
# until this issue is solved. See
# https://gitlab.com/gitlab-org/gitlab/-/issues/360783#note_992870101.
gitPackage =
let
version = "2.35.4";
in
pkgs.git.overrideAttrs (oldAttrs: rec {
inherit version;
src = pkgs.fetchurl {
url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz";
sha256 = "sha256-mv13OdNkXggeKQkJ+47QcJ6lYmcw6Qjri1ZJ2ETCTOk=";
};
});
gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket";
gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket";
pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url;
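Review bot: the pinned `git` 2.35.4 override is removed without any reference showing that the commit-graph bug tracked in https://gitlab.com/gitlab-org/gitlab/-/issues/360783 is fixed in the `pkgs.git` now used; the commit message or a release-notes entry should cite the fix (or the GitLab version that works around it), since the comment being deleted here is the only record of why the pin existed.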
@ -60,7 +44,7 @@ let
prometheus_listen_addr = "localhost:9236"
[git]
bin_path = "${gitPackage}/bin/git"
bin_path = "${pkgs.git}/bin/git"
[gitaly-ruby]
dir = "${cfg.packages.gitaly.ruby}"
@ -157,7 +141,7 @@ let
};
workhorse.secret_file = "${cfg.statePath}/.gitlab_workhorse_secret";
gitlab_kas.secret_file = "${cfg.statePath}/.gitlab_kas_secret";
git.bin_path = "${gitPackage}/bin/git";
git.bin_path = "git";
monitoring = {
ip_whitelist = [ "127.0.0.0/8" "::1/128" ];
sidekiq_exporter = {
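Review bot: `git.bin_path = "git";` replaces an absolute store path with a bare name resolved through `PATH`, whereas gitaly's `bin_path = "${pkgs.git}/bin/git"` in the previous hunk keeps the absolute path; that is inconsistent, and it means every unit that loads gitlab.yml must have `git` in its `path` (the later hunks add it to four units, but any unit missed would fail at runtime or pick up a different git). Suggest `"${pkgs.git}/bin/git"` here too.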
@ -1325,7 +1309,7 @@ in {
});
path = with pkgs; [
postgresqlPackage
gitPackage
git
ruby
openssh
nodejs
@ -1356,7 +1340,7 @@ in {
path = with pkgs; [
openssh
procps # See https://gitlab.com/gitlab-org/gitaly/issues/1562
gitPackage
git
cfg.packages.gitaly.rubyEnv
cfg.packages.gitaly.rubyEnv.wrappedRuby
gzip
@ -1402,7 +1386,7 @@ in {
path = with pkgs; [
remarshal
exiftool
gitPackage
git
gnutar
gzip
openssh
@ -1475,7 +1459,7 @@ in {
environment = gitlabEnv;
path = with pkgs; [
postgresqlPackage
gitPackage
git
openssh
nodejs
procps

View file

@ -115,6 +115,7 @@ in
(mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; })
(mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; })
(mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; })
(mkRenamedOptionModuleWith { sinceRelease = 2211; from = [ "nix" "readOnlyStore" ]; to = [ "boot" "readOnlyNixStore" ]; })
(mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] "Consider nix.daemonCPUSchedPolicy instead.")
] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" oldConf ]; to = [ "nix" "settings" newConf ]; }) legacyConfMappings;
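Review bot: `sinceRelease = 2211` for the `nix.readOnlyStore` to `boot.readOnlyNixStore` rename does not match the release notes, which list this change under 23.05; use `sinceRelease = 2305` so the deprecation warning names the right release.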
@ -366,17 +367,6 @@ in
'';
};
readOnlyStore = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
If set, NixOS will enforce the immutability of the Nix store
by making {file}`/nix/store` a read-only bind
mount. Nix will automatically make the store writable when
needed.
'';
};
nixPath = mkOption {
type = types.listOf types.str;
default = [
@ -414,6 +404,7 @@ in
str
int
bool
path
package
]);
in

View file

@ -17,7 +17,7 @@ let
cfgUpdate = pkgs.writeText "octoprint-config.yaml" (builtins.toJSON fullConfig);
pluginsEnv = package.python.withPackages (ps: [ps.octoprint] ++ (cfg.plugins ps));
pluginsEnv = package.python.withPackages (ps: [ ps.octoprint ] ++ (cfg.plugins ps));
package = pkgs.octoprint;
@ -47,6 +47,12 @@ in
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Open ports in the firewall for OctoPrint.";
};
user = mkOption {
type = types.str;
default = "octoprint";
@ -67,7 +73,7 @@ in
plugins = mkOption {
type = types.functionTo (types.listOf types.package);
default = plugins: [];
default = plugins: [ ];
defaultText = literalExpression "plugins: []";
example = literalExpression "plugins: with plugins; [ themeify stlviewer ]";
description = lib.mdDoc "Additional plugins to be used. Available plugins are passed through the plugins input.";
@ -75,7 +81,7 @@ in
extraConfig = mkOption {
type = types.attrs;
default = {};
default = { };
description = lib.mdDoc "Extra options which are added to OctoPrint's YAML configuration file.";
};
@ -128,6 +134,6 @@ in
};
};
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
};
}

View file

@ -19,29 +19,66 @@ in
};
settings = mkOption {
type = format.type;
default = {};
description = lib.mdDoc ''
Your {file}`pinnwand.toml` as a Nix attribute set. Look up
possible options in the [pinnwand.toml-example](https://github.com/supakeen/pinnwand/blob/master/pinnwand.toml-example).
possible options in the [documentation](https://pinnwand.readthedocs.io/en/v${pkgs.pinnwand.version}/configuration.html).
'';
default = {};
type = types.submodule {
freeformType = format.type;
options = {
database_uri = mkOption {
type = types.str;
default = "sqlite:////var/lib/pinnwand/pinnwand.db";
example = "sqlite:///:memory";
description = lib.mdDoc ''
Database URI compatible with [SQLAlchemyhttps://docs.sqlalchemy.org/en/14/core/engines.html#database-urls].
Additional packages may need to be introduced into the environment for certain databases.
'';
};
paste_size = mkOption {
type = types.ints.positive;
default = 262144;
example = 524288;
description = lib.mdDoc ''
Maximum size of a paste in bytes.
'';
};
paste_help = mkOption {
type = types.str;
default = ''
<p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p>
'';
description = lib.mdDoc ''
Raw HTML help text shown in the header area.
'';
};
footer = mkOption {
type = types.str;
default = ''
View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page.
'';
description = lib.mdDoc ''
The footer in raw HTML.
'';
};
};
};
};
};
config = mkIf cfg.enable {
services.pinnwand.settings = {
database_uri = mkDefault "sqlite:////var/lib/pinnwand/pinnwand.db";
paste_size = mkDefault 262144;
paste_help = mkDefault ''
<p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p>
'';
footer = mkDefault ''
View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page.
'';
};
systemd.services.pinnwand = {
description = "Pinnwannd HTTP Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
systemd.services = let
hardeningOptions = {
unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/";
serviceConfig = {
ExecStart = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile} http --port ${toString cfg.port}";
User = "pinnwand";
DynamicUser = true;
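Review bot: the `database_uri` description has a broken markdown link, `[SQLAlchemyhttps://docs.sqlalchemy.org/en/14/core/engines.html#database-urls]`, which should read `[SQLAlchemy](https://docs.sqlalchemy.org/en/14/core/engines.html#database-urls)`; and the example `sqlite:///:memory` is missing the trailing colon (`sqlite:///:memory:`, or simply `sqlite://`) for an in-memory SQLite database. Since `paste_help` and `footer` are documented as raw HTML inserted into every page, the descriptions should also say that they are not escaped.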
@ -72,32 +109,14 @@ in
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};
command = "${pkgs.pinnwand}/bin/pinnwand --configuration-path ${configFile}";
in {
pinnwand = {
description = "Pinnwannd HTTP Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig.Documentation = "https://pinnwand.readthedocs.io/en/latest/";
serviceConfig = {
ExecStart = "${command} http --port ${toString(cfg.port)}";
} // hardeningOptions;
};
pinnwand-reaper = {
description = "Pinnwand Reaper";
startAt = "daily";
serviceConfig = {
ExecStart = "${command} -vvvv reap"; # verbosity increased to show number of deleted pastes
} // hardeningOptions;
};
};
};
meta.buildDocsInSandbox = false;
}
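Review bot: `description = "Pinnwannd HTTP Server";` carries the pre-existing typo (`Pinnwand`); fix it while the unit is being restructured. The reaper unit only works because it shares `User = "pinnwand"` (and whatever state directory the elided hardening options set) with the HTTP unit and can therefore open the same SQLite file; a one-line comment next to `hardeningOptions` saying the two units must keep identical user and state-directory settings would stop a future edit from breaking that.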

View file

@ -206,6 +206,57 @@ in
description = lib.mdDoc "Create the database and database user locally.";
};
};
components = {
subversion = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Subversion integration.";
};
mercurial = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Mercurial integration.";
};
git = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "git integration.";
};
cvs = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "cvs integration.";
};
breezy = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "bazaar integration.";
};
imagemagick = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Allows exporting Gant diagrams as PNG.";
};
ghostscript = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Allows exporting Gant diagrams as PDF.";
};
minimagick_font_path = mkOption {
type = types.str;
default = "";
description = lib.mdDoc "MiniMagick font path";
example = "/run/current-system/sw/share/X11/fonts/LiberationSans-Regular.ttf";
};
};
};
};
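Review bot: `description = lib.mdDoc "Allows exporting Gant diagrams as PNG.";` and the ghostscript description both misspell `Gantt`; and the `breezy` option's description says `bazaar integration` while the option is named after Breezy, so `Bazaar integration (via Breezy)` would make the mapping explicit.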
@ -225,16 +276,21 @@ in
{ assertion = cfg.database.createLocally -> cfg.database.host == "localhost";
message = "services.redmine.database.host must be set to localhost if services.redmine.database.createLocally is set to true";
}
{ assertion = cfg.components.imagemagick -> cfg.components.minimagick_font_path != "";
message = "services.redmine.components.minimagick_font_path must be configured with a path to a font file if services.redmine.components.imagemagick is set to true.";
}
];
services.redmine.settings = {
production = {
scm_subversion_command = "${pkgs.subversion}/bin/svn";
scm_mercurial_command = "${pkgs.mercurial}/bin/hg";
scm_git_command = "${pkgs.git}/bin/git";
scm_cvs_command = "${pkgs.cvs}/bin/cvs";
scm_bazaar_command = "${pkgs.breezy}/bin/bzr";
scm_darcs_command = "${pkgs.darcs}/bin/darcs";
scm_subversion_command = if cfg.components.subversion then "${pkgs.subversion}/bin/svn" else "";
scm_mercurial_command = if cfg.components.mercurial then "${pkgs.mercurial}/bin/hg" else "";
scm_git_command = if cfg.components.git then "${pkgs.git}/bin/git" else "";
scm_cvs_command = if cfg.components.cvs then "${pkgs.cvs}/bin/cvs" else "";
scm_bazaar_command = if cfg.components.breezy then "${pkgs.breezy}/bin/bzr" else "";
imagemagick_convert_command = if cfg.components.imagemagick then "${pkgs.imagemagick}/bin/convert" else "";
gs_command = if cfg.components.ghostscript then "${pkgs.ghostscript}/bin/gs" else "";
minimagick_font_path = "${cfg.components.minimagick_font_path}";
};
};
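Review bot: `scm_darcs_command = "${pkgs.darcs}/bin/darcs";` is dropped without a corresponding `components.darcs` option, so darcs support silently disappears for existing users; either add the option or call the removal out in the release notes. Also `minimagick_font_path = "${cfg.components.minimagick_font_path}";` interpolates a string into an otherwise empty string, which is just `cfg.components.minimagick_font_path`.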
@ -296,14 +352,15 @@ in
environment.REDMINE_LANG = "en";
environment.SCHEMA = "${cfg.stateDir}/cache/schema.db";
path = with pkgs; [
imagemagick
breezy
cvs
darcs
git
mercurial
subversion
];
]
++ optional cfg.components.subversion subversion
++ optional cfg.components.mercurial mercurial
++ optional cfg.components.git git
++ optional cfg.components.cvs cvs
++ optional cfg.components.breezy breezy
++ optional cfg.components.imagemagick imagemagick
++ optional cfg.components.ghostscript ghostscript;
preStart = ''
rm -rf "${cfg.stateDir}/plugins/"*
rm -rf "${cfg.stateDir}/public/themes/"*

View file

@ -88,7 +88,6 @@ let
# Sourcehut services
srht
buildsrht
dispatchsrht
gitsrht
hgsrht
hubsrht
@ -109,13 +108,13 @@ in
{
options.services.sourcehut = {
enable = mkEnableOption (lib.mdDoc ''
sourcehut - git hosting, continuous integration, mailing list, ticket tracking,
task dispatching, wiki and account management services
sourcehut - git hosting, continuous integration, mailing list, ticket tracking, wiki
and account management services
'');
services = mkOption {
type = with types; listOf (enum
[ "builds" "dispatch" "git" "hg" "hub" "lists" "man" "meta" "pages" "paste" "todo" ]);
[ "builds" "git" "hg" "hub" "lists" "man" "meta" "pages" "paste" "todo" ]);
defaultText = "locally enabled services";
description = lib.mdDoc ''
Services that may be displayed as links in the title bar of the Web interface.
@ -301,32 +300,6 @@ in
};
};
options."dispatch.sr.ht" = commonServiceSettings "dispatch" // {
};
options."dispatch.sr.ht::github" = {
oauth-client-id = mkOptionNullOrStr "OAuth client id.";
oauth-client-secret = mkOptionNullOrStr "OAuth client secret.";
};
options."dispatch.sr.ht::gitlab" = {
enabled = mkEnableOption (lib.mdDoc "GitLab integration");
canonical-upstream = mkOption {
type = types.str;
description = lib.mdDoc "Canonical upstream.";
default = "gitlab.com";
};
repo-cache = mkOption {
type = types.str;
description = lib.mdDoc "Repository cache directory.";
default = "./repo-cache";
};
"gitlab.com" = mkOption {
type = with types; nullOr str;
description = lib.mdDoc "GitLab id and secret.";
default = null;
example = "GitLab:application id:secret";
};
};
options."builds.sr.ht" = commonServiceSettings "builds" // {
allow-free = mkEnableOption (lib.mdDoc "nonpaying users to submit builds");
redis = mkOption {
@ -1021,11 +994,6 @@ in
];
})
(import ./service.nix "dispatch" {
inherit configIniOfService;
port = 5005;
})
(import ./service.nix "git" (let
baseService = {
path = [ cfg.git.package ];
@ -1416,6 +1384,10 @@ in
(mkRenamedOptionModule [ "services" "sourcehut" "address" ]
[ "services" "sourcehut" "listenAddress" ])
(mkRemovedOptionModule [ "services" "sourcehut" "dispatch" ] ''
dispatch is deprecated. See https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/
for more information.
'')
];
meta.doc = ./sourcehut.xml;

View file

@ -10,7 +10,7 @@ let
text = "default:";
};
computedConfigFile = "${if cfg.configFile == null then emptyConfigFile else cfg.configFile}";
computedConfigFile = if cfg.configFile == null then emptyConfigFile else cfg.configFile;
in
{
port = 9221;
@ -100,6 +100,8 @@ in
};
serviceOpts = {
serviceConfig = {
DynamicUser = cfg.environmentFile == null;
LoadCredential = "configFile:${computedConfigFile}";
ExecStart = ''
${cfg.package}/bin/pve_exporter \
--${if cfg.collectors.status == true then "" else "no-"}collector.status \
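Review bot: `DynamicUser = cfg.environmentFile == null;` turns dynamic users off whenever an environment file is given, with no comment explaining why; if the intent is to let a root-owned `environmentFile` be read, note that systemd reads `EnvironmentFile=` before dropping privileges, so the conditional looks unnecessary and the unit could stay `DynamicUser = true` in both cases. If there is another reason, document it inline. Moving the config file to `LoadCredential` is the right call, since that file carries the Proxmox API credentials.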
@ -108,7 +110,7 @@ in
--${if cfg.collectors.cluster == true then "" else "no-"}collector.cluster \
--${if cfg.collectors.resources == true then "" else "no-"}collector.resources \
--${if cfg.collectors.config == true then "" else "no-"}collector.config \
${computedConfigFile} \
%d/configFile \
${toString cfg.port} ${cfg.listenAddress}
'';
} // optionalAttrs (cfg.environmentFile != null) {

View file

@ -84,13 +84,11 @@ let
''
) vrrpInstances);
virtualIpLine = (ip:
ip.addr
virtualIpLine = ip: ip.addr
+ optionalString (notNullOrEmpty ip.brd) " brd ${ip.brd}"
+ optionalString (notNullOrEmpty ip.dev) " dev ${ip.dev}"
+ optionalString (notNullOrEmpty ip.scope) " scope ${ip.scope}"
+ optionalString (notNullOrEmpty ip.label) " label ${ip.label}"
);
+ optionalString (notNullOrEmpty ip.label) " label ${ip.label}";
notNullOrEmpty = s: !(s == null || s == "");

View file

@ -263,7 +263,7 @@ let
if builtins.isString x then ''"${x}"''
else if builtins.isBool x then boolToString x
else if builtins.isInt x then toString x
else if builtins.isList x then ''{ ${lib.concatStringsSep ", " (map (n: toLua n) x) } }''
else if builtins.isList x then "{ ${lib.concatMapStringsSep ", " toLua x} }"
else throw "Invalid Lua value";
createSSLOptsStr = o: ''

View file

@ -5,7 +5,7 @@ with lib;
let
cfg = config.services.softether;
package = cfg.package.override { dataDir = cfg.dataDir; };
package = cfg.package.override { inherit (cfg) dataDir; };
in
{
@ -88,7 +88,7 @@ in
};
}
(mkIf (cfg.vpnserver.enable) {
(mkIf cfg.vpnserver.enable {
systemd.services.vpnserver = {
description = "SoftEther VPN Server";
after = [ "softether-init.service" ];
@ -109,7 +109,7 @@ in
};
})
(mkIf (cfg.vpnbridge.enable) {
(mkIf cfg.vpnbridge.enable {
systemd.services.vpnbridge = {
description = "SoftEther VPN Bridge";
after = [ "softether-init.service" ];
@ -130,7 +130,7 @@ in
};
})
(mkIf (cfg.vpnclient.enable) {
(mkIf cfg.vpnclient.enable {
systemd.services.vpnclient = {
description = "SoftEther VPN Client";
after = [ "softether-init.service" ];

View file

@ -7,7 +7,9 @@ let
settingsFormat = pkgs.formats.yaml { };
confFile = settingsFormat.generate "stubby.yml" cfg.settings;
in {
imports = map (x:
imports = [
(mkRemovedOptionModule [ "stubby" "debugLogging" ] "Use services.stubby.logLevel = \"debug\"; instead.")
] ++ map (x:
(mkRemovedOptionModule [ "services" "stubby" x ]
"Stubby configuration moved to services.stubby.settings.")) [
"authenticationMode"
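Review bot: `mkRemovedOptionModule [ "stubby" "debugLogging" ]` is missing the `services` prefix; the removed option is `services.stubby.debugLogging`, so as written users who still set it get no migration message, only an undefined-option error. It should be `[ "services" "stubby" "debugLogging" ]`, and since `logLevel = "debug"` is a direct replacement, `mkChangedOptionModule` (mapping `true` to `"debug"`) would migrate existing configurations automatically.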
@ -49,10 +51,22 @@ in {
'';
};
debugLogging = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc "Enable or disable debug level logging.";
logLevel = let
logLevels = {
emerg = 0;
alert = 1;
crit = 2;
error = 3;
warning = 4;
notice = 5;
info = 6;
debug = 7;
};
in mkOption {
default = null;
type = types.nullOr (types.enum (attrNames logLevels ++ attrValues logLevels));
apply = v: if isString v then logLevels.${v} else v;
description = lib.mdDoc "Log verbosity (syslog keyword or level).";
};
};
@ -80,7 +94,7 @@ in {
Type = "notify";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}";
ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString (cfg.logLevel != null) "-v ${toString cfg.logLevel}"}";
DynamicUser = true;
CacheDirectory = "stubby";
};

View file

@ -0,0 +1,195 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.tayga;
# Converts an address set to a string
strAddr = addr: "${addr.address}/${toString addr.prefixLength}";
configFile = pkgs.writeText "tayga.conf" ''
tun-device ${cfg.tunDevice}
ipv4-addr ${cfg.ipv4.address}
${optionalString (cfg.ipv6.address != null) "ipv6-addr ${cfg.ipv6.address}"}
prefix ${strAddr cfg.ipv6.pool}
dynamic-pool ${strAddr cfg.ipv4.pool}
data-dir ${cfg.dataDir}
'';
addrOpts = v:
assert v == 4 || v == 6;
{
options = {
address = mkOption {
type = types.str;
description = lib.mdDoc "IPv${toString v} address.";
};
prefixLength = mkOption {
type = types.addCheck types.int (n: n >= 0 && n <= (if v == 4 then 32 else 128));
description = lib.mdDoc ''
Subnet mask of the interface, specified as the number of
bits in the prefix ("${if v == 4 then "24" else "64"}").
'';
};
};
};
versionOpts = v: {
options = {
router = {
address = mkOption {
type = types.str;
description = lib.mdDoc "The IPv${toString v} address of the router.";
};
};
address = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc "The source IPv${toString v} address of the TAYGA server.";
};
pool = mkOption {
type = with types; nullOr (submodule (addrOpts v));
description = lib.mdDoc "The pool of IPv${toString v} addresses which are used for translation.";
};
};
};
in
{
options = {
services.tayga = {
enable = mkEnableOption (lib.mdDoc "Tayga");
package = mkOption {
type = types.package;
default = pkgs.tayga;
defaultText = lib.literalMD "pkgs.tayga";
description = lib.mdDoc "This option specifies the TAYGA package to use.";
};
ipv4 = mkOption {
type = types.submodule (versionOpts 4);
description = lib.mdDoc "IPv4-specific configuration.";
example = literalExpression ''
{
address = "192.0.2.0";
router = {
address = "192.0.2.1";
};
pool = {
address = "192.0.2.1";
prefixLength = 24;
};
}
'';
};
ipv6 = mkOption {
type = types.submodule (versionOpts 6);
description = lib.mdDoc "IPv6-specific configuration.";
example = literalExpression ''
{
address = "2001:db8::1";
router = {
address = "64:ff9b::1";
};
pool = {
address = "64:ff9b::";
prefixLength = 96;
};
}
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/tayga";
description = lib.mdDoc "Directory for persistent data";
};
tunDevice = mkOption {
type = types.str;
default = "nat64";
description = lib.mdDoc "Name of the nat64 tun device";
};
};
};
config = mkIf cfg.enable {
networking.interfaces."${cfg.tunDevice}" = {
virtual = true;
virtualType = "tun";
virtualOwner = mkIf config.networking.useNetworkd "";
ipv4 = {
addresses = [
{ address = cfg.ipv4.router.address; prefixLength = 32; }
];
routes = [
cfg.ipv4.pool
];
};
ipv6 = {
addresses = [
{ address = cfg.ipv6.router.address; prefixLength = 128; }
];
routes = [
cfg.ipv6.pool
];
};
};
systemd.services.tayga = {
description = "Stateless NAT64 implementation";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${cfg.package}/bin/tayga -d --nodetach --config ${configFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
Restart = "always";
# Hardening Score:
# - nixos-scripts: 2.1
# - systemd-networkd: 1.6
ProtectHome = true;
SystemCallFilter = [
"@network-io"
"@system-service"
"~@privileged"
"~@resources"
];
ProtectKernelLogs = true;
AmbientCapabilities = [
"CAP_NET_ADMIN"
];
CapabilityBoundingSet = "";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
StateDirectory = "tayga";
DynamicUser = mkIf config.networking.useNetworkd true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
NoNewPrivileges = true;
ProtectControlGroups = true;
SystemCallArchitectures = "native";
PrivateTmp = true;
LockPersonality = true;
ProtectSystem = true;
PrivateUsers = true;
ProtectProc = "invisible";
};
};
};
}
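Review bot: in serviceConfig, CapabilityBoundingSet = "" is combined with AmbientCapabilities = [ "CAP_NET_ADMIN" ]; the ambient set cannot exceed the bounding set, so either list CAP_NET_ADMIN in CapabilityBoundingSet explicitly or confirm (ideally in the tayga test, under both nixos-scripts and networkd) that systemd widens the bounding set for you. Also, DynamicUser is only set when networking.useNetworkd is true, so with scripted networking the daemon runs as root; a comment explaining that asymmetry would help, and ProtectSystem = "strict" should be safe here since all writes go through StateDirectory.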

View file

@ -5,10 +5,47 @@ with lib;
let
cfg = config.services.opensnitch;
format = pkgs.formats.json {};
predefinedRules = flip mapAttrs cfg.rules (name: cfg: {
file = pkgs.writeText "rule" (builtins.toJSON cfg);
});
in {
options = {
services.opensnitch = {
enable = mkEnableOption (lib.mdDoc "Opensnitch application firewall");
enable = mkEnableOption (mdDoc "Opensnitch application firewall");
rules = mkOption {
default = {};
example = literalExpression ''
{
"tor" = {
"name" = "tor";
"enabled" = true;
"action" = "allow";
"duration" = "always";
"operator" = {
"type" ="simple";
"sensitive" = false;
"operand" = "process.path";
"data" = "''${lib.getBin pkgs.tor}/bin/tor";
};
};
};
'';
description = mdDoc ''
Declarative configuration of firewall rules.
All rules will be stored in `/var/lib/opensnitch/rules`.
See [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Rules)
for available options.
'';
type = types.submodule {
freeformType = format.type;
};
};
settings = mkOption {
type = types.submodule {
freeformType = format.type;
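Review bot: in predefinedRules the lambda parameter is named cfg, shadowing the module's own cfg = config.services.opensnitch bound two lines above; rename it (e.g. rule) so the two cannot be confused. Note also that pkgs.writeText puts every rule in the world-readable Nix store, which is fine for process-path rules like the tor example but worth one sentence in the description so nobody puts secrets into a rule.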
@ -18,7 +55,7 @@ in {
Address = mkOption {
type = types.str;
description = lib.mdDoc ''
description = mdDoc ''
Unix socket path (unix:///tmp/osui.sock, the "unix:///" part is
mandatory) or TCP socket (192.168.1.100:50051).
'';
@ -26,7 +63,7 @@ in {
LogFile = mkOption {
type = types.path;
description = lib.mdDoc ''
description = mdDoc ''
File to write logs to (use /dev/stdout to write logs to standard
output).
'';
@ -36,7 +73,7 @@ in {
DefaultAction = mkOption {
type = types.enum [ "allow" "deny" ];
description = lib.mdDoc ''
description = mdDoc ''
Default action whether to block or allow application internet
access.
'';
@ -46,28 +83,28 @@ in {
type = types.enum [
"once" "always" "until restart" "30s" "5m" "15m" "30m" "1h"
];
description = lib.mdDoc ''
description = mdDoc ''
Default duration of firewall rule.
'';
};
InterceptUnknown = mkOption {
type = types.bool;
description = lib.mdDoc ''
description = mdDoc ''
Wheter to intercept spare connections.
'';
};
ProcMonitorMethod = mkOption {
type = types.enum [ "ebpf" "proc" "ftrace" "audit" ];
description = lib.mdDoc ''
description = mdDoc ''
Which process monitoring method to use.
'';
};
LogLevel = mkOption {
type = types.enum [ 0 1 2 3 4 ];
description = lib.mdDoc ''
description = mdDoc ''
Default log level from 0 to 4 (debug, info, important, warning,
error).
'';
@ -75,7 +112,7 @@ in {
Firewall = mkOption {
type = types.enum [ "iptables" "nftables" ];
description = lib.mdDoc ''
description = mdDoc ''
Which firewall backend to use.
'';
};
@ -84,14 +121,14 @@ in {
MaxEvents = mkOption {
type = types.int;
description = lib.mdDoc ''
description = mdDoc ''
Max events to send to the GUI.
'';
};
MaxStats = mkOption {
type = types.int;
description = lib.mdDoc ''
description = mdDoc ''
Max stats per item to keep in backlog.
'';
};
@ -99,9 +136,8 @@ in {
};
};
};
description = lib.mdDoc ''
opensnitchd configuration. Refer to
<https://github.com/evilsocket/opensnitch/wiki/Configurations>
description = mdDoc ''
opensnitchd configuration. Refer to [upstream documentation](https://github.com/evilsocket/opensnitch/wiki/Configurations)
for details on supported values.
'';
};
@ -118,6 +154,25 @@ in {
services.opensnitchd.wantedBy = [ "multi-user.target" ];
};
systemd.services.opensnitchd.preStart = mkIf (cfg.rules != {}) (let
rules = flip mapAttrsToList predefinedRules (file: content: {
inherit (content) file;
local = "/var/lib/opensnitch/rules/${file}.json";
});
in ''
# Remove all firewall rules from `/var/lib/opensnitch/rules` that are symlinks to a store-path,
# but aren't declared in `cfg.rules` (i.e. all networks that were "removed" from
# `cfg.rules`).
find /var/lib/opensnitch/rules -type l -lname '${builtins.storeDir}/*' ${optionalString (rules != {}) ''
-not \( ${concatMapStringsSep " -o " ({ local, ... }:
"-name '${baseNameOf local}*'")
rules} \) \
''} -delete
${concatMapStrings ({ file, local }: ''
ln -sf '${file}' "${local}"
'') rules}
'');
environment.etc."opensnitchd/default-config.json".source = format.generate "default-config.json" cfg.settings;
};
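Review bot: in the preStart script, optionalString (rules != {}) compares a list (the result of mapAttrsToList) with an attrset, so it is always true; use rules != [] or drop it, since the surrounding mkIf (cfg.rules != {}) already guarantees a non-empty list. The -name '${baseNameOf local}*' guard is a prefix match, so a rule named tor also keeps a stale tor-old.json symlink alive; match the exact file name instead. Make sure /var/lib/opensnitch/rules exists before find and ln run (mkdir -p or a StateDirectory), and the comment should say "rules" rather than "networks".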

View file

@ -57,6 +57,14 @@ in
'';
};
muteKernelMessages = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Disable kernel messages on console while physlock is running.
'';
};
lockOn = {
suspend = mkOption {
@ -116,7 +124,7 @@ in
++ cfg.lockOn.extraTargets;
serviceConfig = {
Type = "forking";
ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}${optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\""}";
ExecStart = "${pkgs.physlock}/bin/physlock -d${optionalString cfg.muteKernelMessages "m"}${optionalString cfg.disableSysRq "s"}${optionalString (cfg.lockMessage != "") " -p \"${cfg.lockMessage}\""}";
};
};
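Review bot: while touching the ExecStart line, note that cfg.lockMessage is interpolated inside hand-escaped double quotes, so a message containing a double quote breaks systemd's argument parsing; wrapping it with lib.escapeShellArg (systemd accepts single-quoted arguments) is safer than " -p \"${cfg.lockMessage}\"". The composition of the new -m flag with -d and -s otherwise looks right.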

View file

@ -138,7 +138,8 @@ in
StateDirectory = mkIf defaultStateDir "changedetection-io";
StateDirectoryMode = mkIf defaultStateDir "0750";
WorkingDirectory = cfg.datastorePath;
Environment = lib.optional (cfg.baseURL != null) "BASE_URL=${cfg.baseURL}"
Environment = [ "HIDE_REFERER=true" ]
++ lib.optional (cfg.baseURL != null) "BASE_URL=${cfg.baseURL}"
++ lib.optional cfg.behindProxy "USE_X_SETTINGS=1"
++ lib.optional cfg.webDriverSupport "WEBDRIVER_URL=http://127.0.0.1:${toString cfg.chromePort}/wd/hub"
++ lib.optional cfg.playwrightSupport "PLAYWRIGHT_DRIVER_URL=ws://127.0.0.1:${toString cfg.chromePort}/?stealth=1&--disable-web-security=true";
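Review bot: HIDE_REFERER=true is now set unconditionally, which changes behaviour for existing installs; either expose it as an option with this default or add a release-note entry. Pre-existing, but since this block is being edited: PLAYWRIGHT_DRIVER_URL hard-codes --disable-web-security=true, and a comment on why the fetcher needs that would help future readers judge the risk.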

View file

@ -19,9 +19,9 @@ let
# We only want to create a database if we're actually going to connect to it.
databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == null;
tlsEnabled = (cfg.enableACME
tlsEnabled = cfg.enableACME
|| cfg.sslCertificate != null
|| cfg.sslCertificateKey != null);
|| cfg.sslCertificateKey != null;
in
{
options = {

View file

@ -327,7 +327,7 @@ in
)) eachSite;
systemd.services =
(mapAttrs' (hostName: cfg: (
mapAttrs' (hostName: cfg: (
nameValuePair "invoiceplane-cron-${hostName}" (mkIf cfg.cron.enable {
serviceConfig = {
Type = "oneshot";
@ -335,7 +335,7 @@ in
ExecStart = "${pkgs.curl}/bin/curl --header 'Host: ${hostName}' http://localhost/invoices/cron/recur/${cfg.cron.key}";
};
})
)) eachSite);
)) eachSite;
}

View file

@ -63,6 +63,28 @@ in {
Restart = "on-failure";
RestartSec = 1;
# Hardening
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
PrivateDevices = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
UMask = "0077";
};
};
};
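Review bot: the hardening block omits ProtectSystem = "strict", PrivateTmp and NoNewPrivileges, the usual companions of the settings added here; add them unless the daemon writes outside its StateDirectory. RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ] leaves out AF_UNIX, so confirm the service does not use syslog(3), D-Bus or a local database socket, otherwise it fails only at runtime. CapabilityBoundingSet = [ "" ] and DeviceAllow = [ "" ] work, but the plain "" form used elsewhere in nixpkgs is clearer.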

View file

@ -372,17 +372,19 @@ in {
};
user = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "mastodon@example.com";
description = lib.mdDoc "SMTP login name.";
type = lib.types.str;
};
passwordFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
example = "/var/lib/mastodon/secrets/smtp-password";
description = lib.mdDoc ''
Path to file containing the SMTP password.
'';
default = "/var/lib/mastodon/secrets/smtp-password";
example = "/run/keys/mastodon-smtp-password";
type = lib.types.str;
};
};
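Review bot: passwordFile changes from types.str to types.nullOr types.path; types.path also accepts Nix path literals such as ./smtp-password, which would copy the secret into the world-readable store, so keep types.str or state in the description that only string paths should be used. Dropping the /var/lib/mastodon/secrets/smtp-password default is a behaviour change for existing configurations and needs a release-note entry.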
@ -467,6 +469,20 @@ in {
assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user);
message = ''For local automatic database provisioning (services.mastodon.database.createLocally == true) with peer authentication (services.mastodon.database.host == "/run/postgresql") to work services.mastodon.user and services.mastodon.database.user must be identical.'';
}
{
assertion = cfg.smtp.authenticate -> (cfg.smtp.user != null);
message = ''
<option>services.mastodon.smtp.user</option> needs to be set if
<option>services.mastodon.smtp.authenticate</option> is enabled.
'';
}
{
assertion = cfg.smtp.authenticate -> (cfg.smtp.passwordFile != null);
message = ''
<option>services.mastodon.smtp.passwordFile</option> needs to be set if
<option>services.mastodon.smtp.authenticate</option> is enabled.
'';
}
];
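Review bot: the new assertion messages use DocBook <option> tags, but assertion messages are printed verbatim on the terminal, so the tags show up literally; use plain text like the message just above (services.mastodon.user ...). The two assertions could also be folded into one: cfg.smtp.authenticate -> (cfg.smtp.user != null && cfg.smtp.passwordFile != null).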
systemd.services.mastodon-init-dirs = {

View file

@ -9,6 +9,10 @@ let
name = "configuration.py";
text = ''
STATIC_ROOT = '${staticDir}'
MEDIA_ROOT = '${cfg.dataDir}/media'
REPORTS_ROOT = '${cfg.dataDir}/reports'
SCRIPTS_ROOT = '${cfg.dataDir}/scripts'
ALLOWED_HOSTS = ['*']
DATABASE = {
'NAME': 'netbox',
@ -42,11 +46,10 @@ let
installPhase = old.installPhase + ''
ln -s ${configFile} $out/opt/netbox/netbox/netbox/configuration.py
'' + optionalString cfg.enableLdap ''
ln -s ${ldapConfigPath} $out/opt/netbox/netbox/netbox/ldap_config.py
ln -s ${cfg.ldapConfigPath} $out/opt/netbox/netbox/netbox/ldap_config.py
'';
})).override {
plugins = ps: ((cfg.plugins ps)
++ optionals cfg.enableLdap [ ps.django-auth-ldap ]);
inherit (cfg) plugins;
};
netboxManageScript = with pkgs; (writeScriptBin "netbox-manage" ''
#!${stdenv.shell}
@ -139,6 +142,8 @@ in {
};
config = mkIf cfg.enable {
services.netbox.plugins = mkIf cfg.enableLdap (ps: [ ps.django-auth-ldap ]);
services.redis.servers.netbox.enable = true;
services.postgresql = {

View file

@ -192,6 +192,14 @@ let
server_tokens ${if cfg.serverTokens then "on" else "off"};
${optionalString (cfg.proxyCache.enable) ''
proxy_cache_path /var/cache/nginx keys_zone=${cfg.proxyCache.keysZoneName}:${cfg.proxyCache.keysZoneSize}
levels=${cfg.proxyCache.levels}
use_temp_path=${if cfg.proxyCache.useTempPath then "on" else "off"}
inactive=${cfg.proxyCache.inactive}
max_size=${cfg.proxyCache.maxSize};
''}
${cfg.commonHttpConfig}
${vhosts}
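Review bot: proxy_cache_path writes to /var/cache/nginx, so this needs a matching CacheDirectory (or tmpfiles rule) owned by the nginx user, otherwise nginx fails its config check on first start; please confirm it is created somewhere. The interpolated keysZoneName, keysZoneSize, levels, inactive and maxSize are plain str, so a value containing `;` or a newline turns into extra nginx directives; types.strMatching patterns (e.g. [0-9]+[kmg]? for sizes) would keep the generated config well-formed.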
@ -707,6 +715,72 @@ in
'';
};
proxyCache = mkOption {
type = types.submodule {
options = {
enable = mkEnableOption (lib.mdDoc "Enable proxy cache");
keysZoneName = mkOption {
type = types.str;
default = "cache";
example = "my_cache";
description = lib.mdDoc "Set name to shared memory zone.";
};
keysZoneSize = mkOption {
type = types.str;
default = "10m";
example = "32m";
description = lib.mdDoc "Set size to shared memory zone.";
};
levels = mkOption {
type = types.str;
default = "1:2";
example = "1:2:2";
description = lib.mdDoc ''
The levels parameter defines structure of subdirectories in cache: from
1 to 3, each level accepts values 1 or 2. Сan be used any combination of
1 and 2 in these formats: x, x:x and x:x:x.
'';
};
useTempPath = mkOption {
type = types.bool;
default = false;
example = true;
description = lib.mdDoc ''
Nginx first writes files that are destined for the cache to a temporary
storage area, and the use_temp_path=off directive instructs Nginx to
write them to the same directories where they will be cached. Recommended
that you set this parameter to off to avoid unnecessary copying of data
between file systems.
'';
};
inactive = mkOption {
type = types.str;
default = "10m";
example = "1d";
description = lib.mdDoc ''
Cached data that has not been accessed for the time specified by
the inactive parameter is removed from the cache, regardless of
its freshness.
'';
};
maxSize = mkOption {
type = types.str;
default = "1g";
example = "2048m";
description = lib.mdDoc "Set maximum cache size";
};
};
};
default = {};
description = lib.mdDoc "Configure proxy cache";
};
resolver = mkOption {
type = types.submodule {
options = {
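Review bot: the levels description contains a Cyrillic capital Es in "Сan be used any combination", which renders fine but defeats grep and spell-checking; replace it with an ASCII C and reword to "Any combination of 1 and 2 can be used, in the formats x, x:x and x:x:x". Also mkEnableOption already prefixes "Whether to enable", so (lib.mdDoc "Enable proxy cache") yields "Whether to enable Enable proxy cache."; use "proxy cache".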

View file

@ -172,10 +172,10 @@ in
sound-theme-freedesktop
nixos-artwork.wallpapers.simple-dark-gray
mint-artwork
mint-cursor-themes
mint-themes
mint-x-icons
mint-y-icons
vanilla-dmz
] config.environment.cinnamon.excludePackages);
xdg.mime.enable = true;

View file

@ -7,6 +7,9 @@ with lib;
###### interface
options = {
boot.modprobeConfig.enable = mkEnableOption (lib.mdDoc "modprobe config. This is useful for systemds like containers which do not require a kernel.") // {
default = true;
};
boot.blacklistedKernelModules = mkOption {
type = types.listOf types.str;
@ -38,7 +41,7 @@ with lib;
###### implementation
config = mkIf (!config.boot.isContainer) {
config = mkIf config.boot.modprobeConfig.enable {
environment.etc."modprobe.d/ubuntu.conf".source = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf";
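Review bot: the option description says "systemds like containers"; it should read "systems like containers". Switching the mkIf from !config.boot.isContainer to config.boot.modprobeConfig.enable is only equivalent if every container profile now sets boot.modprobeConfig.enable = false, so please double-check the lxc and nspawn profiles as well as the generic container one.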

View file

@ -68,7 +68,7 @@ fi
# like squashfs.
chown -f 0:30000 /nix/store
chmod -f 1775 /nix/store
if [ -n "@readOnlyStore@" ]; then
if [ -n "@readOnlyNixStore@" ]; then
if ! [[ "$(findmnt --noheadings --output OPTIONS /nix/store)" =~ ro(,|$) ]]; then
if [ -z "$container" ]; then
mount --bind /nix/store /nix/store

View file

@ -10,9 +10,8 @@ let
src = ./stage-2-init.sh;
shellDebug = "${pkgs.bashInteractive}/bin/bash";
shell = "${pkgs.bash}/bin/bash";
inherit (config.boot) systemdExecutable extraSystemdUnitPaths;
inherit (config.boot) readOnlyNixStore systemdExecutable extraSystemdUnitPaths;
isExecutable = true;
inherit (config.nix) readOnlyStore;
inherit useHostResolvConf;
inherit (config.system.build) earlyMountScript;
path = lib.makeBinPath ([
@ -42,6 +41,17 @@ in
'';
};
readOnlyNixStore = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
If set, NixOS will enforce the immutability of the Nix store
by making {file}`/nix/store` a read-only bind
mount. Nix will automatically make the store writable when
needed.
'';
};
systemdExecutable = mkOption {
default = "/run/current-system/systemd/lib/systemd/systemd";
type = types.str;
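Review bot: nix.readOnlyStore is renamed to boot.readOnlyNixStore, but no mkRenamedOptionModule for the old name is visible in this change; without one, existing configurations that set nix.readOnlyStore fail evaluation with "option does not exist". Add the alias plus a release-note entry, and keep the substituted variable name in stage-2-init.sh in sync, as the sibling hunk does with @readOnlyNixStore@.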

View file

@ -612,6 +612,10 @@ in
boot.kernelParams = optional (!cfg.enableUnifiedCgroupHierarchy) "systemd.unified_cgroup_hierarchy=0";
# Avoid potentially degraded system state due to
# "Userspace Out-Of-Memory (OOM) Killer was skipped because of a failed condition check (ConditionControlGroupController=v2)."
systemd.services.systemd-oomd.enable = mkIf (!cfg.enableUnifiedCgroupHierarchy) false;
services.logrotate.settings = {
"/var/log/btmp" = mapAttrs (_: mkDefault) {
frequency = "monthly";

View file

@ -33,7 +33,7 @@ let
mountPoint = mkOption {
example = "/mnt/usb";
type = nonEmptyWithoutTrailingSlash;
description = lib.mdDoc "Location of the mounted the file system.";
description = lib.mdDoc "Location of the mounted file system.";
};
device = mkOption {

View file

@ -1411,9 +1411,10 @@ in
# Set the host and domain names in the activation script. Don't
# clear it if it's not configured in the NixOS configuration,
# since it may have been set by dhcpcd in the meantime.
system.activationScripts.hostname =
optionalString (cfg.hostName != "") ''
hostname "${cfg.hostName}"
system.activationScripts.hostname = let
effectiveHostname = config.boot.kernel.sysctl."kernel.hostname" or cfg.hostName;
in optionalString (effectiveHostname != "") ''
hostname "${effectiveHostname}"
'';
system.activationScripts.domain =
optionalString (cfg.domain != null) ''
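Review bot: effectiveHostname may come from boot.kernel.sysctl."kernel.hostname", a free-form sysctl value, and is interpolated into the shell command hostname "${effectiveHostname}"; use lib.escapeShellArg so a value containing a double quote or a dollar sign cannot alter the activation script. networking.hostName is already restricted by its type, but the sysctl fallback is not.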

View file

@ -488,5 +488,53 @@ let self = {
"22.05".us-west-1.aarch64-linux.hvm-ebs = "ami-0f96be48071c13ab2";
"22.05".us-west-2.aarch64-linux.hvm-ebs = "ami-084bc5d777585adfb";
latest = self."22.05";
# 22.11.466.596a8e828c5
"22.11".eu-west-1.x86_64-linux.hvm-ebs = "ami-01aafe08a4e74bd9a";
"22.11".af-south-1.x86_64-linux.hvm-ebs = "ami-0d937fc7bf7b8c2ed";
"22.11".ap-east-1.x86_64-linux.hvm-ebs = "ami-020e59f6affef2732";
"22.11".ap-northeast-1.x86_64-linux.hvm-ebs = "ami-04a7bd7a969506a87";
"22.11".ap-northeast-2.x86_64-linux.hvm-ebs = "ami-007b9209171e2dcdd";
"22.11".ap-northeast-3.x86_64-linux.hvm-ebs = "ami-0c4d0b584cd570584";
"22.11".ap-south-1.x86_64-linux.hvm-ebs = "ami-02aa47f84c215d593";
"22.11".ap-southeast-1.x86_64-linux.hvm-ebs = "ami-067a7fca4a01c4dda";
"22.11".ap-southeast-2.x86_64-linux.hvm-ebs = "ami-0638db75ba113c635";
"22.11".ap-southeast-3.x86_64-linux.hvm-ebs = "ami-08dcda749c59e8747";
"22.11".ca-central-1.x86_64-linux.hvm-ebs = "ami-09b007688e369f794";
"22.11".eu-central-1.x86_64-linux.hvm-ebs = "ami-05df1b211df600977";
"22.11".eu-north-1.x86_64-linux.hvm-ebs = "ami-0427d0897b928e191";
"22.11".eu-south-1.x86_64-linux.hvm-ebs = "ami-051beda489f0dd109";
"22.11".eu-west-2.x86_64-linux.hvm-ebs = "ami-0c2090b73fc610ac3";
"22.11".eu-west-3.x86_64-linux.hvm-ebs = "ami-0d03a150cf6c07022";
"22.11".me-south-1.x86_64-linux.hvm-ebs = "ami-0443b1af94bff9e3d";
"22.11".sa-east-1.x86_64-linux.hvm-ebs = "ami-07b2ce95ba17b6bc1";
"22.11".us-east-1.x86_64-linux.hvm-ebs = "ami-0508167db03652cc4";
"22.11".us-east-2.x86_64-linux.hvm-ebs = "ami-0e41ac272a7d67029";
"22.11".us-west-1.x86_64-linux.hvm-ebs = "ami-02f3fb062ee9af563";
"22.11".us-west-2.x86_64-linux.hvm-ebs = "ami-06b260b3a958948a0";
"22.11".eu-west-1.aarch64-linux.hvm-ebs = "ami-0c4132540cabbc7df";
"22.11".af-south-1.aarch64-linux.hvm-ebs = "ami-0f12780247b337357";
"22.11".ap-east-1.aarch64-linux.hvm-ebs = "ami-04789617e858da6fb";
"22.11".ap-northeast-1.aarch64-linux.hvm-ebs = "ami-0f4d8517ab163b274";
"22.11".ap-northeast-2.aarch64-linux.hvm-ebs = "ami-051a06893bcc696c1";
"22.11".ap-northeast-3.aarch64-linux.hvm-ebs = "ami-05a086610680a7d8b";
"22.11".ap-south-1.aarch64-linux.hvm-ebs = "ami-04cd79197824124cd";
"22.11".ap-southeast-1.aarch64-linux.hvm-ebs = "ami-0437f330961467257";
"22.11".ap-southeast-2.aarch64-linux.hvm-ebs = "ami-000c2ecbc430c36d7";
"22.11".ap-southeast-3.aarch64-linux.hvm-ebs = "ami-062e917296b5087c0";
"22.11".ca-central-1.aarch64-linux.hvm-ebs = "ami-0c91995b735d1b8b6";
"22.11".eu-central-1.aarch64-linux.hvm-ebs = "ami-0537d704b177a676b";
"22.11".eu-north-1.aarch64-linux.hvm-ebs = "ami-05f1f532f90d8e16c";
"22.11".eu-south-1.aarch64-linux.hvm-ebs = "ami-097fe290eafff61ad";
"22.11".eu-west-2.aarch64-linux.hvm-ebs = "ami-053b6cc7a3394891a";
"22.11".eu-west-3.aarch64-linux.hvm-ebs = "ami-0a5b6d023afde63c3";
"22.11".me-south-1.aarch64-linux.hvm-ebs = "ami-024fcb01f8638ed08";
"22.11".sa-east-1.aarch64-linux.hvm-ebs = "ami-06d72c6e930037236";
"22.11".us-east-1.aarch64-linux.hvm-ebs = "ami-0b33ffb684d6b07b5";
"22.11".us-east-2.aarch64-linux.hvm-ebs = "ami-033ff64078c59f378";
"22.11".us-west-1.aarch64-linux.hvm-ebs = "ami-052d52b9e30a18562";
"22.11".us-west-2.aarch64-linux.hvm-ebs = "ami-07418b6a4782c9521";
latest = self."22.11";
}; in self
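Review bot: the 22.11 AMI IDs cannot be verified from the diff alone; please reference the source of the list (the release's upload job output or its amis.json) in the commit message so reviewers can check them, since these IDs decide which image EC2 users boot. The "# 22.11.466.596a8e828c5" comment pinning the release version is helpful; keep it.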

View file

@ -8,7 +8,9 @@ with lib;
# Disable some features that are not useful in a container.
# containers don't have a kernel
boot.kernel.enable = false;
boot.modprobeConfig.enable = false;
console.enable = mkDefault false;

View file

@ -88,6 +88,16 @@ in
};
'';
};
privilegedContainer = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether this LXC container will be running as a privileged container or not. If set to `true` then
additional configuration will be applied to the `systemd` instance running within the container as
recommended by [distrobuilder](https://linuxcontainers.org/distrobuilder/introduction/).
'';
};
};
};
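Review bot: the privilegedContainer description should say what the extra configuration does in practice, namely that it switches off ProtectHome, ProtectSystem, PrivateDevices, PrivateTmp and the kernel protections for every service inside the container, so users understand they are trading hardening for compatibility when they enable it.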
@ -146,12 +156,31 @@ in
};
# Add the overrides from lxd distrobuilder
systemd.extraConfig = ''
# https://github.com/lxc/distrobuilder/blob/05978d0d5a72718154f1525c7d043e090ba7c3e0/distrobuilder/main.go#L630
systemd.packages = [
(pkgs.writeTextFile {
name = "systemd-lxc-service-overrides";
destination = "/etc/systemd/system/service.d/zzz-lxc-service.conf";
text = ''
[Service]
ProcSubset=all
ProtectProc=default
ProtectControlGroups=no
ProtectKernelTunables=no
NoNewPrivileges=no
LoadCredential=
'' + optionalString cfg.privilegedContainer ''
# Additional settings for privileged containers
ProtectHome=no
ProtectSystem=no
PrivateDevices=no
PrivateTmp=no
ProtectKernelLogs=no
ProtectKernelModules=no
ReadWritePaths=
'';
})
];
# Allow the user to login as root without password.
users.users.root.initialHashedPassword = mkOverride 150 "";

View file

@ -129,8 +129,15 @@ in {
description = "LXD Container Management Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" "lxcfs.service" ];
requires = [ "network-online.target" "lxd.socket" "lxcfs.service" ];
after = [
"network-online.target"
(mkIf config.virtualisation.lxc.lxcfs.enable "lxcfs.service")
];
requires = [
"network-online.target"
"lxd.socket"
(mkIf config.virtualisation.lxc.lxcfs.enable "lxcfs.service")
];
documentation = [ "man:lxd(1)" ];
path = optional cfg.zfsSupport config.boot.zfs.package;

View file

@ -858,7 +858,8 @@ in
# If the disk image appears to be empty, run mke2fs to
# initialise.
FSTYPE=$(blkid -o value -s TYPE ${cfg.bootDevice} || true)
if test -z "$FSTYPE"; then
PARTTYPE=$(blkid -o value -s PTTYPE ${cfg.bootDevice} || true)
if test -z "$FSTYPE" -a -z "$PARTTYPE"; then
mke2fs -t ext4 ${cfg.bootDevice}
fi
'';
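Review bot: `test -z "$FSTYPE" -a -z "$PARTTYPE"` uses the obsolescent -a operator; `[ -z "$FSTYPE" ] && [ -z "$PARTTYPE" ]` is the portable form. The PTTYPE guard itself is right: blkid reports no TYPE for a partitioned disk, so without it mke2fs would overwrite an existing partition table.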

View file

@ -0,0 +1,73 @@
{ config, lib, pkgs, ... }:
let
cfg = config.virtualisation.rosetta;
inherit (lib) types;
in
{
options = {
virtualisation.rosetta.enable = lib.mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to enable [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) support.
This feature requires the system to be a virtualised guest on an Apple silicon host.
The default settings are suitable for the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
Make sure to select 'Apple Virtualization' as the virtualisation engine and then tick the 'Enable Rosetta' option.
'';
};
virtualisation.rosetta.mountPoint = lib.mkOption {
type = types.str;
default = "/run/rosetta";
internal = true;
description = lib.mdDoc ''
The mount point for the Rosetta runtime inside the guest system.
The proprietary runtime is exposed through a VirtioFS directory share and then mounted at this directory.
'';
};
virtualisation.rosetta.mountTag = lib.mkOption {
type = types.str;
default = "rosetta";
description = lib.mdDoc ''
The VirtioFS mount tag for the Rosetta runtime, exposed by the host's virtualisation software.
If supported, your virtualisation software should provide instructions on how register the Rosetta runtime inside Linux guests.
These instructions should mention the name of the mount tag used for the VirtioFS directory share that contains the Rosetta runtime.
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = pkgs.stdenv.hostPlatform.isAarch64;
message = "Rosetta is only supported on aarch64 systems";
}
];
fileSystems."${cfg.mountPoint}" = {
device = cfg.mountTag;
fsType = "virtiofs";
};
boot.binfmt.registrations.rosetta = {
interpreter = "${cfg.mountPoint}/rosetta";
# The required flags for binfmt are documented by Apple:
# https://developer.apple.com/documentation/virtualization/running_intel_binaries_in_linux_vms_with_rosetta
magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'';
mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
fixBinary = true;
matchCredentials = true;
preserveArgvZero = false;
# Remove the shell wrapper and call the runtime directly
wrapInterpreterInShell = false;
};
};
}
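Review bot: in the mountTag description, "how register" should read "how to register". The fileSystems entry has no nofail, so a guest whose virtualisation software does not expose the share under cfg.mountTag drops to emergency mode at boot instead of just lacking Rosetta; options = [ "nofail" ] would degrade gracefully. A comment next to fixBinary and matchCredentials stating that, per the linked Apple documentation, the host-provided interpreter runs with the credentials of the executed binary would make the security implications explicit.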

View file

@ -213,6 +213,7 @@ in {
fluentd = handleTest ./fluentd.nix {};
fluidd = handleTest ./fluidd.nix {};
fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};
freenet = handleTest ./freenet.nix {};
freeswitch = handleTest ./freeswitch.nix {};
freshrss = handleTest ./freshrss.nix {};
frr = handleTest ./frr.nix {};
@ -586,6 +587,7 @@ in {
sourcehut = handleTest ./sourcehut.nix {};
spacecookie = handleTest ./spacecookie.nix {};
spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {};
sqlite3-to-mysql = handleTest ./sqlite3-to-mysql.nix {};
sslh = handleTest ./sslh.nix {};
sssd = handleTestOn ["x86_64-linux"] ./sssd.nix {};
sssd-ldap = handleTestOn ["x86_64-linux"] ./sssd-ldap.nix {};
@ -636,6 +638,7 @@ in {
systemd-misc = handleTest ./systemd-misc.nix {};
tandoor-recipes = handleTest ./tandoor-recipes.nix {};
taskserver = handleTest ./taskserver.nix {};
tayga = handleTest ./tayga.nix {};
teeworlds = handleTest ./teeworlds.nix {};
telegraf = handleTest ./telegraf.nix {};
teleport = handleTest ./teleport.nix {};

View file

@ -0,0 +1,19 @@
import ./make-test-python.nix ({ pkgs, ... }: {
name = "freenet";
meta = with pkgs.lib.maintainers; {
maintainers = [ nagy ];
};
nodes = {
machine = { ... }: {
services.freenet.enable = true;
};
};
testScript = ''
machine.wait_for_unit("freenet.service")
machine.wait_for_open_port(8888)
machine.wait_until_succeeds("curl -sfL http://localhost:8888/ | grep Freenet")
machine.succeed("systemctl stop freenet")
'';
})

View file

@ -69,6 +69,10 @@ in
# Wait until the export dialogue appears.
machine.wait_for_window("Export")
machine.screenshot("MuseScore1")
machine.send_key("shift-tab")
machine.sleep(1)
machine.send_key("shift-tab")
machine.sleep(1)
machine.send_key("ret")
machine.sleep(1)
machine.send_key("ret")

View file

@ -1,7 +1,7 @@
let
testString = "can-use-subgroups";
in
import ../make-test-python.nix ({ lib, php, ... }: {
import ../make-test-python.nix ({ pkgs, lib, php, ... }: {
name = "php-${php.version}-httpd-pcre-jit-test";
meta.maintainers = lib.teams.php.members;
@ -31,12 +31,22 @@ import ../make-test-python.nix ({ lib, php, ... }: {
'';
};
};
testScript = { ... }:
''
testScript = let
# PCRE JIT SEAlloc feature does not play well with fork()
# The feature needs to either be disabled or PHP configured correctly
# More information in https://bugs.php.net/bug.php?id=78927 and https://bugs.php.net/bug.php?id=78630
pcreJitSeallocForkIssue = pkgs.writeText "pcre-jit-sealloc-issue.php" ''
<?php
preg_match('/nixos/', 'nixos');
$pid = pcntl_fork();
pcntl_wait($pid);
'';
in ''
machine.wait_for_unit("httpd.service")
# Ensure php evaluation by matching on the var_dump syntax
response = machine.succeed("curl -fvvv -s http://127.0.0.1:80/index.php")
expected = 'string(${toString (builtins.stringLength testString)}) "${testString}"'
assert expected in response, "Does not appear to be able to use subgroups."
machine.succeed("${php}/bin/php -f ${pcreJitSeallocForkIssue}")
'';
})
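Review bot: in pcreJitSeallocForkIssue, pcntl_wait($pid) passes $pid as the by-reference status argument, so it waits for any child and overwrites $pid with the exit status; pcntl_waitpid($pid, $status) expresses the intent without the surprising assignment. The forked child also runs to the end of the script and calls pcntl_wait itself; guarding with `if ($pid === 0) exit(0);` keeps the test deterministic.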

View file

@ -1,27 +1,7 @@
import ./make-test-python.nix ({ pkgs, ...}:
let
pythonEnv = pkgs.python3.withPackages (py: with py; [ appdirs toml ]);
port = 8000;
baseUrl = "http://server:${toString port}";
configureSteck = pkgs.writeScript "configure.py" ''
#!${pythonEnv.interpreter}
import appdirs
import toml
import os
CONFIG = {
"base": "${baseUrl}/",
"confirm": False,
"magic": True,
"ignore": True
}
os.makedirs(appdirs.user_config_dir('steck'))
with open(os.path.join(appdirs.user_config_dir('steck'), 'steck.toml'), "w") as fd:
toml.dump(CONFIG, fd)
'';
in
{
name = "pinnwand";
@ -44,7 +24,32 @@ in
client = { pkgs, ... }:
{
environment.systemPackages = [ pkgs.steck ];
environment.systemPackages = [
pkgs.steck
(pkgs.writers.writePython3Bin "setup-steck.py" {
libraries = with pkgs.python3.pkgs; [ appdirs toml ];
flakeIgnore = [
"E501"
];
}
''
import appdirs
import toml
import os
CONFIG = {
"base": "${baseUrl}/",
"confirm": False,
"magic": True,
"ignore": True
}
os.makedirs(appdirs.user_config_dir('steck'))
with open(os.path.join(appdirs.user_config_dir('steck'), 'steck.toml'), "w") as fd:
toml.dump(CONFIG, fd)
'')
];
};
};
@ -55,7 +60,7 @@ in
client.wait_for_unit("network.target")
# create steck.toml config file
client.succeed("${configureSteck}")
client.succeed("setup-steck.py")
# wait until the server running pinnwand is reachable
client.wait_until_succeeds("ping -c1 server")
@ -75,12 +80,6 @@ in
if line.startswith("Removal link:"):
removal_link = line.split(":", 1)[1]
# start the reaper, it shouldn't do anything meaningful here
server.systemctl("start pinnwand-reaper.service")
server.wait_until_fails("systemctl is-active -q pinnwand-reaper.service")
server.log(server.execute("journalctl -u pinnwand-reaper -e --no-pager")[1])
# check whether paste matches what we sent
client.succeed(f"curl {raw_url} > /tmp/machine-id")
client.succeed("diff /tmp/machine-id /etc/machine-id")
@ -89,6 +88,6 @@ in
client.succeed(f"curl {removal_link}")
client.fail(f"curl --fail {raw_url}")
server.log(server.succeed("systemd-analyze security pinnwand"))
server.log(server.execute("systemd-analyze security pinnwand | grep ''")[1])
'';
})
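Review bot: `systemd-analyze security pinnwand | grep ''` matches every line, so the pipe filters nothing, and switching from server.succeed to server.execute means a non-zero exit is no longer a test failure; if the intent is to log only the failing checks, the pattern appears to have been lost, and a comment should say the output is informational. The reaper start/wait lines are removed without explanation in the hunk; the commit message should say why that coverage is dropped.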

View file

@ -2,9 +2,8 @@ import ./make-test-python.nix (
{ pkgs, ... }:
let
password = "some_password";
repository = "/tmp/restic-backup";
repositoryFile = "${pkgs.writeText "repositoryFile" "/tmp/restic-backup-from-file"}";
remoteRepository = "/tmp/restic-backup";
remoteFromFileRepository = "/tmp/restic-backup-from-file";
rcloneRepository = "rclone:local:/tmp/restic-rclone-backup";
backupPrepareCommand = ''
@ -18,7 +17,6 @@ import ./make-test-python.nix (
'';
passwordFile = "${pkgs.writeText "password" "correcthorsebatterystaple"}";
initialize = true;
paths = [ "/opt" ];
pruneOpts = [
"--keep-daily 2"
@ -40,12 +38,18 @@ import ./make-test-python.nix (
{
services.restic.backups = {
remotebackup = {
inherit repository passwordFile initialize paths pruneOpts backupPrepareCommand backupCleanupCommand;
inherit passwordFile paths pruneOpts backupPrepareCommand backupCleanupCommand;
repository = remoteRepository;
initialize = true;
};
remotebackup-from-file = {
inherit repositoryFile passwordFile initialize paths pruneOpts;
remote-from-file-backup = {
inherit passwordFile paths pruneOpts;
initialize = true;
repositoryFile = pkgs.writeText "repositoryFile" remoteFromFileRepository;
};
rclonebackup = {
inherit passwordFile paths pruneOpts;
initialize = true;
repository = rcloneRepository;
rcloneConfig = {
type = "local";
@ -57,14 +61,15 @@ import ./make-test-python.nix (
[local]
type=ftp
'';
inherit passwordFile initialize paths pruneOpts;
};
remoteprune = {
inherit repository passwordFile;
inherit passwordFile;
repository = remoteRepository;
pruneOpts = [ "--keep-last 1" ];
};
custompackage = {
inherit repository passwordFile paths;
inherit passwordFile paths;
repository = "some-fake-repository";
package = pkgs.writeShellScriptBin "restic" ''
echo "$@" >> /tmp/fake-restic.log;
'';
@ -82,50 +87,69 @@ import ./make-test-python.nix (
server.start()
server.wait_for_unit("dbus.socket")
server.fail(
"${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots",
'${pkgs.restic}/bin/restic --repository-file ${repositoryFile} -p ${passwordFile} snapshots"',
"${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots",
'${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots"',
"${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots",
"grep 'backup .* /opt' /tmp/fake-restic.log",
)
server.succeed(
# set up
"mkdir -p /opt",
"touch /opt/some_file",
"mkdir -p /tmp/restic-rclone-backup",
# test that remotebackup runs custom commands and produces a snapshot
"timedatectl set-time '2016-12-13 13:45'",
"systemctl start restic-backups-remotebackup.service",
"rm /opt/backupCleanupCommand",
"systemctl start restic-backups-remotebackup-from-file.service",
'${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
# test that remote-from-file-backup produces a snapshot
"systemctl start restic-backups-remote-from-file-backup.service",
'${pkgs.restic}/bin/restic -r ${remoteFromFileRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
# test that rclonebackup produces a snapshot
"systemctl start restic-backups-rclonebackup.service",
'${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"',
'${pkgs.restic}/bin/restic --repository-file ${repositoryFile} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"',
'${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"',
'${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
# test that custompackage runs both `restic backup` and `restic check` with reasonable commandlines
"systemctl start restic-backups-custompackage.service",
"grep 'backup .* /opt' /tmp/fake-restic.log",
"grep 'check .* --some-check-option' /tmp/fake-restic.log",
# test that we can create four snapshots in remotebackup and rclonebackup
"timedatectl set-time '2017-12-13 13:45'",
"systemctl start restic-backups-remotebackup.service",
"rm /opt/backupCleanupCommand",
"systemctl start restic-backups-rclonebackup.service",
"timedatectl set-time '2018-12-13 13:45'",
"systemctl start restic-backups-remotebackup.service",
"rm /opt/backupCleanupCommand",
"systemctl start restic-backups-rclonebackup.service",
"timedatectl set-time '2018-12-14 13:45'",
"systemctl start restic-backups-remotebackup.service",
"rm /opt/backupCleanupCommand",
"systemctl start restic-backups-rclonebackup.service",
"timedatectl set-time '2018-12-15 13:45'",
"systemctl start restic-backups-remotebackup.service",
"rm /opt/backupCleanupCommand",
"systemctl start restic-backups-rclonebackup.service",
"timedatectl set-time '2018-12-16 13:45'",
"systemctl start restic-backups-remotebackup.service",
"rm /opt/backupCleanupCommand",
"systemctl start restic-backups-rclonebackup.service",
'${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^4 snapshot"',
'${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots -c | grep -e "^4 snapshot"',
'${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"',
'${pkgs.restic}/bin/restic -r ${rcloneRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 4"',
# test that remoteprune brings us back to 1 snapshot in remotebackup
"systemctl start restic-backups-remoteprune.service",
'${pkgs.restic}/bin/restic -r ${repository} -p ${passwordFile} snapshots -c | grep -e "^1 snapshot"',
'${pkgs.restic}/bin/restic -r ${remoteRepository} -p ${passwordFile} snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"',
)
'';
}
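Review bot: the new `snapshots --json | ${pkgs.jq}/bin/jq "length | . == 1"` (and `== 4`) checks are vacuous as written, because jq exits 0 whether its last output is `true` or `false`; only `-e`/`--exit-status` turns a false result into a non-zero exit, so these `server.succeed(...)` calls no longer assert the snapshot count the way the removed `snapshots -c | grep -e "^1 snapshot"` lines did. Suggest `${pkgs.jq}/bin/jq -e "length == 1"` and `jq -e "length == 4"`. The `server.fail(...)` entry for `${remoteFromFileRepository}` has the same problem as the line it replaces: the command ends in a stray `"` (`snapshots"'`), so the shell rejects it for unbalanced quoting and the check passes regardless of repository state; drop the extra quote so the failure is actually restic reporting no repository.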


@ -0,0 +1,65 @@
import ./make-test-python.nix ({ pkgs, lib, ... }:
/*
This test suite replaces the typical pytestCheckHook function in
sqlite3-to-mysql due to the need of a running mysql instance.
*/
{
name = "sqlite3-to-mysql";
meta.maintainers = with lib.maintainers; [ gador ];
nodes.machine = { pkgs, ... }: {
environment.systemPackages = with pkgs; [
sqlite3-to-mysql
# create one coherent python environment
(python3.withPackages
(ps: sqlite3-to-mysql.propagatedBuildInputs ++
[
python3Packages.pytest
python3Packages.pytest-mock
python3Packages.pytest-timeout
python3Packages.factory_boy
python3Packages.docker # only needed so import does not fail
sqlite3-to-mysql
])
)
];
services.mysql = {
package = pkgs.mariadb;
enable = true;
# from https://github.com/techouse/sqlite3-to-mysql/blob/master/tests/conftest.py
# and https://github.com/techouse/sqlite3-to-mysql/blob/master/.github/workflows/test.yml
initialScript = pkgs.writeText "mysql-init.sql" ''
create database test_db DEFAULT CHARACTER SET utf8mb4;
create user tester identified by 'testpass';
grant all on test_db.* to tester;
create user tester@localhost identified by 'testpass';
grant all on test_db.* to tester@localhost;
'';
settings = {
mysqld = {
character-set-server = "utf8mb4";
collation-server = "utf8mb4_unicode_ci";
log_warnings = 1;
};
};
};
};
testScript = ''
machine.wait_for_unit("mysql")
machine.succeed(
"sqlite3mysql --version | grep ${pkgs.sqlite3-to-mysql.version}"
)
# invalid_database_name: assert '1045 (28000): Access denied' in "1044 (42000): Access denied [...]
# invalid_database_user: does not return non-zero exit for some reason
# test_version: has problems importing sqlite3_to_mysql and determining the version
machine.succeed(
"cd ${pkgs.sqlite3-to-mysql.src} \
&& pytest -v --no-docker -k \"not test_invalid_database_name and not test_invalid_database_user and not test_version\""
)
'';
})
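Review bot: the deselection comment for `test_invalid_database_name` (expected `1045 (28000)`, got `1044 (42000)`) should state that this test runs against `pkgs.mariadb` rather than MySQL, since differing error codes between the two servers is the likely cause and the next maintainer otherwise has no way to judge whether re-enabling it is safe; the `test_invalid_database_user` and `test_version` skips would likewise benefit from an upstream issue link instead of "for some reason". Also consider a comment marking the `tester`/`testpass` credentials and `grant all on test_db.*` in `initialScript` as test-VM-only, so the block is not lifted into real configuration.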


@ -26,8 +26,7 @@ import ../make-test-python.nix ({ pkgs, ... }:
# test rebinding encrypted pool
machine.succeed("stratis pool rebind keyring testpool testkey2")
# test restarting encrypted pool
uuid = machine.succeed("stratis pool list | grep -oE '[0-9a-fA-F-]{36}'").rstrip('\n')
machine.succeed(" stratis pool stop testpool")
machine.succeed(f"stratis pool start {uuid} --unlock-method keyring")
machine.succeed("stratis pool stop testpool")
machine.succeed("stratis pool start --name testpool --unlock-method keyring")
'';
})


@ -0,0 +1,235 @@
# This test verifies that we can ping an IPv4-only server from an IPv6-only
# client via a NAT64 router. The hosts and networks are configured as follows:
#
# +------
# Client | eth1 Address: 2001:db8::2/64
# | | Route: 64:ff9b::/96 via 2001:db8::1
# +--|---
# | VLAN 3
# +--|---
# | eth2 Address: 2001:db8::1/64
# Router |
# | nat64 Address: 64:ff9b::1/128
# | Route: 64:ff9b::/96
# | Address: 192.0.2.0/32
# | Route: 192.0.2.0/24
# |
# | eth1 Address: 100.64.0.1/24
# +--|---
# | VLAN 2
# +--|---
# Server | eth1 Address: 100.64.0.2/24
# | Route: 192.0.2.0/24 via 100.64.0.1
# +------
import ./make-test-python.nix ({ pkgs, lib, ... }:
{
name = "tayga";
meta = with pkgs.lib.maintainers; {
maintainers = [ hax404 ];
};
nodes = {
# The server is configured with static IPv4 addresses. RFC 6052 Section 3.1
# disallows the mapping of non-global IPv4 addresses like RFC 1918 into the
# Well-Known Prefix 64:ff9b::/96. TAYGA also does not allow the mapping of
# documentation space (RFC 5737). To circumvent this, 100.64.0.2/24 from
# RFC 6589 (Carrier Grade NAT) is used here.
# To reach the IPv4 address pool of the NAT64 gateway, there is a static
# route configured. In normal cases, where the router would also source NAT
# the pool addresses to one IPv4 addresses, this would not be needed.
server = {
virtualisation.vlans = [
2 # towards router
];
networking = {
useDHCP = false;
interfaces.eth1 = lib.mkForce {};
};
systemd.network = {
enable = true;
networks."vlan1" = {
matchConfig.Name = "eth1";
address = [
"100.64.0.2/24"
];
routes = [
{ routeConfig = { Destination = "192.0.2.0/24"; Gateway = "100.64.0.1"; }; }
];
};
};
};
# The router is configured with static IPv4 addresses towards the server
# and IPv6 addresses towards the client. For NAT64, the Well-Known prefix
# 64:ff9b::/96 is used. NAT64 is done with TAYGA which provides the
# tun-interface nat64 and does the translation over it. The IPv6 packets
# are sent to this interfaces and received as IPv4 packets and vice versa.
# As TAYGA only translates IPv6 addresses to dedicated IPv4 addresses, it
# needs a pool of IPv4 addresses which must be at least as big as the
# expected amount of clients. In this test, the packets from the pool are
# directly routed towards the client. In normal cases, there would be a
# second source NAT44 to map all clients behind one IPv4 address.
router_systemd = {
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
virtualisation.vlans = [
2 # towards server
3 # towards client
];
networking = {
useDHCP = false;
useNetworkd = true;
firewall.enable = false;
interfaces.eth1 = lib.mkForce {
ipv4 = {
addresses = [ { address = "100.64.0.1"; prefixLength = 24; } ];
};
};
interfaces.eth2 = lib.mkForce {
ipv6 = {
addresses = [ { address = "2001:db8::1"; prefixLength = 64; } ];
};
};
};
services.tayga = {
enable = true;
ipv4 = {
address = "192.0.2.0";
router = {
address = "192.0.2.1";
};
pool = {
address = "192.0.2.0";
prefixLength = 24;
};
};
ipv6 = {
address = "2001:db8::1";
router = {
address = "64:ff9b::1";
};
pool = {
address = "64:ff9b::";
prefixLength = 96;
};
};
};
};
router_nixos = {
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
virtualisation.vlans = [
2 # towards server
3 # towards client
];
networking = {
useDHCP = false;
firewall.enable = false;
interfaces.eth1 = lib.mkForce {
ipv4 = {
addresses = [ { address = "100.64.0.1"; prefixLength = 24; } ];
};
};
interfaces.eth2 = lib.mkForce {
ipv6 = {
addresses = [ { address = "2001:db8::1"; prefixLength = 64; } ];
};
};
};
services.tayga = {
enable = true;
ipv4 = {
address = "192.0.2.0";
router = {
address = "192.0.2.1";
};
pool = {
address = "192.0.2.0";
prefixLength = 24;
};
};
ipv6 = {
address = "2001:db8::1";
router = {
address = "64:ff9b::1";
};
pool = {
address = "64:ff9b::";
prefixLength = 96;
};
};
};
};
# The client is configured with static IPv6 addresses. It has also a static
# route for the NAT64 IP space where the IPv4 addresses are mapped in. In
# normal cases, there would be only a default route.
client = {
virtualisation.vlans = [
3 # towards router
];
networking = {
useDHCP = false;
interfaces.eth1 = lib.mkForce {};
};
systemd.network = {
enable = true;
networks."vlan1" = {
matchConfig.Name = "eth1";
address = [
"2001:db8::2/64"
];
routes = [
{ routeConfig = { Destination = "64:ff9b::/96"; Gateway = "2001:db8::1"; }; }
];
};
};
environment.systemPackages = [ pkgs.mtr ];
};
};
testScript = ''
# start client and server
for machine in client, server:
machine.wait_for_unit("network-online.target")
machine.log(machine.execute("ip addr")[1])
machine.log(machine.execute("ip route")[1])
machine.log(machine.execute("ip -6 route")[1])
# test systemd-networkd and nixos-scripts based router
for router in router_systemd, router_nixos:
router.start()
router.wait_for_unit("network-online.target")
router.wait_for_unit("tayga.service")
router.log(machine.execute("ip addr")[1])
router.log(machine.execute("ip route")[1])
router.log(machine.execute("ip -6 route")[1])
with subtest("Wait for tayga"):
router.wait_for_unit("tayga.service")
with subtest("Test ICMP"):
client.wait_until_succeeds("ping -c 3 64:ff9b::100.64.0.2 >&2")
with subtest("Test ICMP and show a traceroute"):
client.wait_until_succeeds("mtr --show-ips --report-wide 64:ff9b::100.64.0.2 >&2")
router.log(router.execute("systemd-analyze security tayga.service")[1])
router.shutdown()
'';
})
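Review bot: inside `for router in router_systemd, router_nixos:` the three lines `router.log(machine.execute("ip addr")[1])`, `router.log(machine.execute("ip route")[1])` and `router.log(machine.execute("ip -6 route")[1])` call `machine`, which is the leftover loop variable from `for machine in client, server:` (i.e. `server`), so what is logged under each router's name is the server's addressing, not the router's; use `router.execute(...)` as the later `systemd-analyze security tayga.service` line already does. The `with subtest("Wait for tayga"):` block repeats the `router.wait_for_unit("tayga.service")` two lines above it and one of the two can go.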


@ -21,7 +21,7 @@ with pkgs.lib;
type = "file";
inputs = [ "journald" ];
path = "/var/lib/vector/logs.log";
encoding = { codec = "ndjson"; };
encoding = { codec = "json"; };
};
};
};


@ -28,8 +28,8 @@ let
messagebus:x:1:
EOF
"${pkgs.dbus.daemon}/bin/dbus-daemon" --fork \
--config-file="${pkgs.dbus.daemon}/share/dbus-1/system.conf"
"${pkgs.dbus}/bin/dbus-daemon" --fork \
--config-file="${pkgs.dbus}/share/dbus-1/system.conf"
${guestAdditions}/bin/VBoxService
${(attrs.vmScript or (const "")) pkgs}


@ -0,0 +1,56 @@
{ coreutils
, fetchFromGitHub
, ffmpeg
, findutils
, gnugrep
, gnused
, jq
, lame
, lib
, makeWrapper
, mediainfo
, mp4v2
, stdenv
}:
let
runtimeInputs = [
coreutils
ffmpeg
findutils
gnugrep
gnused
jq
lame
mediainfo
mp4v2
];
in
stdenv.mkDerivation rec {
pname = "aaxtomp3";
version = "1.3";
src = fetchFromGitHub {
owner = "krumpetpirate";
repo = pname;
rev = "v${version}";
hash = "sha256-7a9ZVvobWH/gPxa3cFiPL+vlu8h1Dxtcq0trm3HzlQg=";
};
dontBuild = false;
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
install -Dm755 AAXtoMP3 $out/bin/aaxtomp3
wrapProgram $out/bin/aaxtomp3 --prefix PATH : ${lib.makeBinPath runtimeInputs}
install -Dm755 interactiveAAXtoMP3 $out/bin/interactiveaaxtomp3
wrapProgram $out/bin/interactiveaaxtomp3 --prefix PATH : ${lib.makeBinPath runtimeInputs}
'';
meta = with lib; {
description = "Convert Audible's .aax filetype to MP3, FLAC, M4A, or OPUS";
homepage = "https://krumpetpirate.github.io/AAXtoMP3";
license = licenses.wtfpl;
maintainers = with maintainers; [ urandom ];
};
}
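Review bot: `dontBuild = false;` is the default and can be dropped, and the custom `installPhase` should wrap its body in `runHook preInstall` / `runHook postInstall` per nixpkgs convention so that hooks and `overrideAttrs` users still get their phases run. The two `wrapProgram ... --prefix PATH : ${lib.makeBinPath runtimeInputs}` lines are otherwise the right way to give a shell script its tools.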


@ -18,7 +18,7 @@
stdenv.mkDerivation rec {
pname = "csound";
version = "6.17.0";
version = "6.18.1";
hardeningDisable = [ "format" ];
@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
owner = "csound";
repo = "csound";
rev = version;
sha256 = "sha256-O19jm3JxHg4TcQzWQZu1uFjfYN2FR41fCRq5YGnTGD0=";
sha256 = "sha256-O7s92N54+zIl07eIdK/puoSve/qJ3O01fTh0TP+VdZA=";
};
cmakeFlags = [ "-DBUILD_CSOUND_AC=0" ] # fails to find Score.hpp


@ -0,0 +1,47 @@
{ buildGoModule
, cairo
, fetchFromGitHub
, gdk-pixbuf
, glib
, gobject-introspection
, graphene
, gtk4
, lib
, pango
, pkg-config
}:
buildGoModule rec {
pname = "gtkcord4";
version = "0.0.6";
src = fetchFromGitHub {
owner = "diamondburned";
repo = pname;
rev = "v${version}";
hash = "sha256-uEG1pAHMQT+C/E5rKByflvL0NNkC8SeSPMAXanzvhE4=";
};
nativeBuildInputs = [
gobject-introspection
pkg-config
];
buildInputs = [
cairo
gdk-pixbuf
glib
graphene
gtk4
pango
];
vendorHash = "sha256-QZSjSk1xu5ZcrNEra5TxnUVvlQWb5/h31fm5Nc7WMoI=";
meta = with lib; {
description = "GTK4 Discord client in Go, attempt #4.";
homepage = "https://github.com/diamondburned/gtkcord4";
license = licenses.gpl3Only;
maintainers = with maintainers; [ urandom ];
};
}
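Review bot: `description = "GTK4 Discord client in Go, attempt #4."` ends with a period, which the nixpkgs `meta.description` convention asks to omit; drop the trailing period.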


@ -89,5 +89,7 @@ mkDerivation rec {
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
platforms = [ "x86_64-linux" ];
maintainers = with maintainers; [ lovesegfault ];
# src link returns 403
broken = true;
};
}


@ -4,13 +4,13 @@
pythonPackages.buildPythonApplication rec {
pname = "mopidy";
version = "3.3.0";
version = "3.4.0";
src = fetchFromGitHub {
owner = "mopidy";
repo = "mopidy";
rev = "refs/tags/v${version}";
sha256 = "sha256-F0fIl9DrludZZdzsrl/xsp7TLMgTPbVGtGvMHyD52Yw=";
sha256 = "sha256-cr4v1ScrXLRjqlsCXTm0KvLc+jJbFX1HVKJLrDAtIw8=";
};
nativeBuildInputs = [ wrapGAppsHook ];


@ -3,33 +3,20 @@
, mopidy
}:
let
python = python3.override {
packageOverrides = self: super: {
ytmusicapi = super.ytmusicapi.overridePythonAttrs (old: rec {
version = "0.22.0";
format = "setuptools";
src = old.src.override {
inherit version;
hash = "sha256-CZ4uoW4UHn5C+MckQXysTdydaApn99b0UCnF5RPb7DI=";
};
});
};
};
in python.pkgs.buildPythonApplication rec {
python3.pkgs.buildPythonApplication rec {
pname = "mopidy-ytmusic";
version = "0.3.7";
version = "0.3.8";
src = python.pkgs.fetchPypi {
src = python3.pkgs.fetchPypi {
inherit version;
pname = "Mopidy-YTMusic";
sha256 = "0gqjvi3nfzkqvbdhihzai241p1h5p037bj2475cc93xwzyyqxcrq";
pname = "mopidy_ytmusic";
sha256 = "6b4d8ff9c477dbdd30d0259a009494ebe104cad3f8b37241ae503e5bce4ec2e8";
};
propagatedBuildInputs = [
(mopidy.override { pythonPackages = python.pkgs; })
python.pkgs.ytmusicapi
python.pkgs.pytube
(mopidy.override { pythonPackages = python3.pkgs; })
python3.pkgs.ytmusicapi
python3.pkgs.pytube
];
pythonImportsCheck = [ "mopidy_ytmusic" ];
@ -38,6 +25,7 @@ in python.pkgs.buildPythonApplication rec {
doCheck = false;
meta = with lib; {
changelog = "https://github.com/OzymandiasTheGreat/mopidy-ytmusic/blob/v${version}/CHANGELOG.rst";
description = "Mopidy extension for playing music from YouTube Music";
homepage = "https://github.com/OzymandiasTheGreat/mopidy-ytmusic";
license = licenses.asl20;


@ -2,13 +2,13 @@
rustPlatform.buildRustPackage rec {
pname = "netease-music-tui";
version = "0.1.4";
version = "0.1.5";
src = fetchFromGitHub {
owner = "betta-cyber";
repo = "netease-music-tui";
rev = "v${version}";
sha256 = "sha256-ILJkejRKG2DRXgR6O2tAFbrbd8HtnLZJmITq7hF41DQ=";
sha256 = "sha256-+zRXihWg65DtyX3yD04CsW8aXIvNph36PW2veeg36lg=";
};
cargoPatches = [ ./cargo-lock.patch ];
@ -16,7 +16,7 @@ rustPlatform.buildRustPackage rec {
nativeBuildInputs = [ pkg-config ];
buildInputs = [ alsa-lib openssl ];
cargoSha256 = "sha256-/JQDUtSSkuO9nrYVSkQOaZjps1BUuH8Bc1SMyDSSJS4=";
cargoSha256 = "sha256-i+W/KwnqdaHcrdaWYUuCUeFlRKekVuEvFh/pxDolPNU=";
meta = with lib; {
homepage = "https://github.com/betta-cyber/netease-music-tui";


@ -2,21 +2,21 @@
buildNpmPackage rec {
pname = "open-stage-control";
version = "1.20.0";
version = "1.21.0";
src = fetchFromGitHub {
owner = "jean-emmanuel";
repo = "open-stage-control";
rev = "v${version}";
hash = "sha256-XgwlRdwUSl4gIRKqk6BnMAKarVvp291zk8vmNkuRWKo=";
hash = "sha256-6tRd8boVwWc8qGlklYqA/Kp76VOMvtUJlu/G/InvHkA=";
};
# Use generated package-lock.json since upstream does not provide one in releases
# Remove some Electron stuff from package.json
postPatch = ''
ln -sT ${./package-lock.json} ./package-lock.json
sed -i -e '/"electron"\|"electron-installer-debian"/d' package.json
'';
npmDepsHash = "sha256-5KZXZ4agHcAh3gai5w9YodETIEGJtDq/kyEZOHb9dOc=";
npmDepsHash = "sha256-M+6+zrxy8VpJQS0dG/xORMbflKEq8wO2DEOjGrA6OUw=";
nativeBuildInputs = [
copyDesktopItems



@ -14,7 +14,7 @@ nixeval() {
}
vendorhash() {
(nix --extra-experimental-features nix-command build --impure -f "$nixpkgs" --no-link "$1" 2>&1 >/dev/null | tail -n3 | grep -F got: | cut -d: -f2- | stripwhitespace) 2>/dev/null || true
(nix --extra-experimental-features nix-command build --impure --argstr nixpkgs "$nixpkgs" --argstr attr "$1" --expr '{ nixpkgs, attr }: let pkgs = import nixpkgs {}; in with pkgs.lib; (getAttrFromPath (splitString "." attr) pkgs).overrideAttrs (attrs: { outputHash = fakeHash; })' --no-link 2>&1 >/dev/null | tail -n3 | grep -F got: | cut -d: -f2- | stripwhitespace) 2>/dev/null || true
}
findpath() {
@ -32,7 +32,6 @@ attr="${UPDATE_NIX_ATTR_PATH:-open-stage-control}"
version="$(cd "$nixpkgs" && list-git-tags --pname="$(nixeval "$attr".pname)" --attr-path="$attr" | grep '^v' | sed -e 's|^v||' | sort -V | tail -n1)"
pkgpath="$(findpath "$attr")"
pkgdir="$(dirname "$pkgpath")"
updated="$(cd "$nixpkgs" && update-source-version "$attr" "$version" --file="$pkgpath" --print-changes | jq -r length)"
@ -41,14 +40,6 @@ if [ "$updated" -eq 0 ]; then
exit 0
fi
# Download package.json from the latest release
curl -sSL https://raw.githubusercontent.com/jean-emmanuel/open-stage-control/v"$version"/package.json | grep -v '"electron"\|"electron-installer-debian"' >"$pkgdir"/package.json
# Lock dependencies with npm
(cd "$pkgdir" && npm install --package-lock-only --ignore-scripts --legacy-peer-deps)
rm -f "$pkgdir"/package.json
# Update FOD hash
curhash="$(nixeval "$attr.npmDeps.outputHash")"
newhash="$(vendorhash "$attr.npmDeps")"
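Review bot: `vendorhash` wraps its whole pipeline in `( ... ) 2>/dev/null || true`, so when the fake-hash build fails for any other reason (evaluation error, network failure, the `got:` line not being within `tail -n3`) `newhash` is silently empty; add `[ -n "$newhash" ] || { echo "could not determine npmDeps hash for $attr" >&2; exit 1; }` before `newhash` is used in place of `curhash`, otherwise a bad run can write an empty `npmDepsHash`. It is also worth a one-line comment that the bare `curl -sSL` fetch of `package.json` is acceptable only because the resulting `npmDepsHash` pins whatever `npm install --package-lock-only --ignore-scripts` resolved from it.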


@ -2,13 +2,13 @@
python3Packages.buildPythonApplication rec {
pname = "pyradio";
version = "0.8.9.28";
version = "0.8.9.31";
src = fetchFromGitHub {
owner = "coderholic";
repo = pname;
rev = "refs/tags/${version}";
sha256 = "sha256-0j0AQZk+WEkcRTL/peAxzRw23gThlGtMnqoms2aUCrc=";
sha256 = "sha256-9Fc42f0plduihXDDLXWBdt62maxDJ0cwumIvbiMcrGc=";
};
nativeBuildInputs = [ installShellFiles ];


@ -1,21 +1,19 @@
{ lib, mkDerivation, fetchurl, cmake, pkg-config
, qtbase, qttools, qtmultimedia, qtx11extras
{ lib, stdenv, fetchurl, cmake, pkg-config
, qtbase, qttools, qtmultimedia, wrapQtAppsHook
# transports
, curl, libmms
# input plugins
, libmad, taglib, libvorbis, libogg, flac, libmpcdec, libmodplug, libsndfile
, libcdio, cdparanoia, libcddb, faad2, ffmpeg, wildmidi
, libcdio, cdparanoia, libcddb, faad2, ffmpeg, wildmidi, libbs2b, game-music-emu
# output plugins
, alsa-lib, libpulseaudio
, alsa-lib, libpulseaudio, pipewire
# effect plugins
, libsamplerate
}:
# Additional plugins that can be added:
# wavpack (https://www.wavpack.com/)
# gme (Game music support)
# Ogg Opus support
# BS2B effect plugin (http://bs2b.sourceforge.net/)
# JACK audio support
# ProjectM visualization plugin
@ -28,26 +26,27 @@
# Qmmp installs working .desktop file(s) all by itself, so we don't need to
# handle that.
mkDerivation rec {
stdenv.mkDerivation rec {
pname = "qmmp";
version = "1.4.4";
version = "2.1.2";
src = fetchurl {
url = "https://qmmp.ylsoftware.com/files/${pname}-${version}.tar.bz2";
sha256 = "sha256-sZRZVhCf2ceETuV4AULA0kVkuIMn3C+aYdKThqvPnVQ=";
url = "https://qmmp.ylsoftware.com/files/qmmp/2.1/${pname}-${version}.tar.bz2";
hash = "sha256-U86LoAkg6mBFVa/cgB8kpCa5KwdkR0PMQmAGvf/KAXo=";
};
nativeBuildInputs = [ cmake pkg-config ];
nativeBuildInputs = [ cmake pkg-config wrapQtAppsHook ];
buildInputs =
[ # basic requirements
qtbase qttools qtmultimedia qtx11extras
qtbase qttools qtmultimedia
# transports
curl libmms
# input plugins
libmad taglib libvorbis libogg flac libmpcdec libmodplug libsndfile
libcdio cdparanoia libcddb faad2 ffmpeg wildmidi
libcdio cdparanoia libcddb faad2 ffmpeg wildmidi libbs2b game-music-emu
# output plugins
alsa-lib libpulseaudio
alsa-lib libpulseaudio pipewire
# effect plugins
libsamplerate
];
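Review bot: the new `url` hard-codes the `qmmp/2.1/` directory while `version = "2.1.2"`, so the next minor bump (2.2.x) will 404 until someone also edits the URL by hand; derive it from the version instead, e.g. `url = "https://qmmp.ylsoftware.com/files/qmmp/${lib.versions.majorMinor version}/${pname}-${version}.tar.bz2";`.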


@ -119,7 +119,7 @@ python3.pkgs.buildPythonApplication rec {
LC_ALL = "en_US.UTF-8";
checkInputs = [
dbus.daemon
dbus
gdk-pixbuf
glibcLocales
hicolor-icon-theme
@ -154,7 +154,7 @@ python3.pkgs.buildPythonApplication rec {
runHook preCheck
xvfb-run -s '-screen 0 1920x1080x24' \
dbus-run-session --config-file=${dbus.daemon}/share/dbus-1/session.conf \
dbus-run-session --config-file=${dbus}/share/dbus-1/session.conf \
pytest $pytestFlags
runHook postCheck


@ -9,6 +9,7 @@
, ffmpeg
, vlc
, xdg-utils
, xdotool
, which
, jackSupport ? true
@ -69,7 +70,7 @@ stdenv.mkDerivation rec {
# seem to have an effect for some plugins.
# We opt for wrapping the executable with LD_LIBRARY_PATH prefix.
wrapProgram $out/opt/REAPER/reaper \
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ lame ffmpeg vlc ]}"
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ lame ffmpeg vlc xdotool ]}"
mkdir $out/bin
ln -s $out/opt/REAPER/reaper $out/bin/


@ -12,7 +12,7 @@
stdenv.mkDerivation rec {
pname = "soundtracker";
version = "1.0.2.1";
version = "1.0.3";
src = fetchurl {
# Past releases get moved to the "old releases" directory.
@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
# Nonetheless, only the name of the file seems to affect which file is
# downloaded, so this path should be fine both for old and current releases.
url = "mirror://sourceforge/soundtracker/soundtracker-${version}.tar.xz";
sha256 = "0nh0dwz8nldc040q6n06vlazhss8ms42r2dffhjcrqj3hbrvfx82";
sha256 = "sha256-k+TB1DIauOIeQSCVV5uYu69wwRx7vCRAlSCTAtDguKo=";
};
postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''


@ -34,13 +34,13 @@ stdenv.mkDerivation {
pname = binName;
# versions are specified in `squeezelite.h`
# see https://github.com/ralph-irving/squeezelite/issues/29
version = "1.9.9.1411";
version = "1.9.9.1414";
src = fetchFromGitHub {
owner = "ralph-irving";
repo = "squeezelite";
rev = "ca44fc6e258bb413d6281d927063b25940f42e5c";
hash = "sha256-aZ+2nyy6tK3VwgTCWGoNaU4//kkHUzd6DZSfTEIgbvY=";
rev = "dbe69eb8aa88f644cfb46541d6cef72fa666570d";
hash = "sha256-BN6eBHMMecucfHwzmho3xi1l2O3YnYcBUE321Rl6xrc=";
};
buildInputs = [ flac libmad libvorbis mpg123 ]


@ -25,13 +25,13 @@
stdenv.mkDerivation rec {
pname = "tauon";
version = "7.4.3";
version = "7.4.5";
src = fetchFromGitHub {
owner = "Taiko2k";
repo = "TauonMusicBox";
rev = "v${version}";
sha256 = "sha256-eB4fwW5UvylVslSEvDFdCVYcEK3M2H+8VJGHH13vvA0=";
sha256 = "sha256-fxmCLjnYO7ZblEiRoByxuFzw9xFHqbQvne1WNcFnnwI=";
};
postUnpack = ''
@ -131,6 +131,7 @@ stdenv.mkDerivation rec {
meta = with lib; {
description = "The Linux desktop music player from the future";
homepage = "https://tauonmusicbox.rocks/";
changelog = "https://github.com/Taiko2k/TauonMusicBox/releases/tag/v${version}";
license = licenses.gpl3;
maintainers = with maintainers; [ jansol ];
platforms = platforms.linux;


@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
description = "A vi/vim inspired client for the Music Player Daemon (mpd)";
homepage = "https://github.com/boysetsfrog/vimpc";
license = licenses.gpl3;
platforms = platforms.linux;
platforms = platforms.unix;
maintainers = with maintainers; [ pSub ];
};
}


@ -13,6 +13,8 @@ let
in
appimageTools.wrapType2 rec {
inherit pname version src;
extraPkgs = pkgs: (appimageTools.defaultFhsEnvArgs.multiPkgs pkgs)
++ [ pkgs.libappindicator ];
extraInstallCommands = ''
mv $out/bin/{${pname}-${version},${pname}}
@ -29,7 +31,7 @@ appimageTools.wrapType2 rec {
description = "Electron wrapper around YouTube Music";
homepage = "https://th-ch.github.io/youtube-music/";
license = licenses.mit;
sourceProvenance = with sourceTypes; [ fromSource ];
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
platforms = platforms.linux;
maintainers = [ maintainers.aacebedo ];
};


@ -13,7 +13,7 @@
, libXrandr
, libXi
, gnome
, kdialog
, libsForQt5
}:
rustPlatform.buildRustPackage rec {
@ -71,7 +71,7 @@ rustPlatform.buildRustPackage rec {
in
''
patchelf --set-rpath "${libPath}" "$out/bin/$pname"
wrapProgram $out/bin/$pname --prefix PATH : ${lib.makeBinPath [ gnome.zenity kdialog ]}
wrapProgram $out/bin/$pname --prefix PATH : ${lib.makeBinPath [ gnome.zenity libsForQt5.kdialog ]}
'';
