Project import generated by Copybara.
GitOrigin-RevId: 48d63e924a2666baf37f4f14a18f19347fbd54a2
This commit is contained in:
parent
e14cfe989c
commit
81047829ea
2465 changed files with 44949 additions and 32581 deletions
4
third_party/nixpkgs/.editorconfig
vendored
4
third_party/nixpkgs/.editorconfig
vendored
|
@ -67,10 +67,6 @@ indent_style = unset
|
|||
insert_final_newline = unset
|
||||
trim_trailing_whitespace = unset
|
||||
|
||||
[pkgs/build-support/upstream-updater/**]
|
||||
indent_style = unset
|
||||
trim_trailing_whitespace = unset
|
||||
|
||||
[pkgs/development/compilers/elm/registry.dat]
|
||||
end_of_line = unset
|
||||
insert_final_newline = unset
|
||||
|
|
|
@ -13,10 +13,10 @@ assignees: ''
|
|||
<!-- Note that these are hard requirements -->
|
||||
|
||||
<!--
|
||||
You can use the "Go to file" functionality on github to find the package
|
||||
You can use the "Go to file" functionality on GitHub to find the package
|
||||
Then you can go to the history for this package
|
||||
Find the latest "package_name: old_version -> new_version" commit
|
||||
The "new_version" is the the current version of the package
|
||||
The "new_version" is the current version of the package
|
||||
-->
|
||||
- [ ] Checked the [nixpkgs master branch](https://github.com/NixOS/nixpkgs)
|
||||
<!--
|
||||
|
@ -29,7 +29,7 @@ There's a high chance that you'll have the new version right away while helping
|
|||
###### Project name
|
||||
`nix search` name:
|
||||
<!--
|
||||
The current version can be found easily with the same process than above for checking the master branch
|
||||
The current version can be found easily with the same process as above for checking the master branch
|
||||
If an open PR is present for the package, take this version as the current one and link to the PR
|
||||
-->
|
||||
current version:
|
||||
|
|
|
@ -21,7 +21,7 @@ jobs:
|
|||
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
||||
git config user.name "github-actions[bot]"
|
||||
pushd pkgs/applications/networking/cluster/terraform-providers
|
||||
./update-all-providers
|
||||
./update-all-providers --no-build
|
||||
git commit -m "${{ steps.setup.outputs.title }}" providers.json
|
||||
popd
|
||||
- name: create PR
|
||||
|
|
|
@ -319,10 +319,14 @@ For information about how to run the updates, execute `nix-shell maintainers/scr
|
|||
|
||||
## Phases {#sec-stdenv-phases}
|
||||
|
||||
The generic builder has a number of *phases*. Package builds are split into phases to make it easier to override specific parts of the build (e.g., unpacking the sources or installing the binaries). Furthermore, it allows a nicer presentation of build logs in the Nix build farm.
|
||||
`stdenv.mkDerivation` sets the Nix [derivation](https://nixos.org/manual/nix/stable/expressions/derivations.html#derivations)'s builder to a script that loads the stdenv `setup.sh` bash library and calls `genericBuild`. Most packaging functions rely on this default builder.
|
||||
|
||||
This generic command invokes a number of *phases*. Package builds are split into phases to make it easier to override specific parts of the build (e.g., unpacking the sources or installing the binaries).
|
||||
|
||||
Each phase can be overridden in its entirety either by setting the environment variable `namePhase` to a string containing some shell commands to be executed, or by redefining the shell function `namePhase`. The former is convenient to override a phase from the derivation, while the latter is convenient from a build script. However, typically one only wants to *add* some commands to a phase, e.g. by defining `postInstall` or `preFixup`, as skipping some of the default actions may have unexpected consequences. The default script for each phase is defined in the file `pkgs/stdenv/generic/setup.sh`.
|
||||
|
||||
While inside an interactive `nix-shell`, if you wanted to run all phases in the order they would be run in an actual build, you can invoke `genericBuild` yourself.
|
||||
|
||||
### Controlling phases {#ssec-controlling-phases}
|
||||
|
||||
There are a number of variables that control what phases are executed and in what order:
|
||||
|
|
28
third_party/nixpkgs/flake.nix
vendored
28
third_party/nixpkgs/flake.nix
vendored
|
@ -21,35 +21,13 @@
|
|||
|
||||
nixos = import ./nixos/lib { lib = final; };
|
||||
|
||||
nixosSystem = { modules, ... } @ args:
|
||||
nixosSystem = args:
|
||||
import ./nixos/lib/eval-config.nix (args // {
|
||||
modules =
|
||||
let
|
||||
moduleDeclarationFile =
|
||||
let
|
||||
# Even though `modules` is a mandatory argument for `nixosSystem`, it doesn't
|
||||
# mean that the evaluator always keeps track of its position. If there
|
||||
# are too many levels of indirection, the position gets lost at some point.
|
||||
intermediatePos = builtins.unsafeGetAttrPos "modules" args;
|
||||
in
|
||||
if intermediatePos == null then null else intermediatePos.file;
|
||||
|
||||
# Add the invoking file as error message location for modules
|
||||
# that don't have their own locations; presumably inline modules.
|
||||
addModuleDeclarationFile =
|
||||
m: if moduleDeclarationFile == null then m else {
|
||||
_file = moduleDeclarationFile;
|
||||
imports = [ m ];
|
||||
};
|
||||
|
||||
in
|
||||
map addModuleDeclarationFile modules ++ [
|
||||
{
|
||||
modules = args.modules ++ [ {
|
||||
system.nixos.versionSuffix =
|
||||
".${final.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}.${self.shortRev or "dirty"}";
|
||||
system.nixos.revision = final.mkIf (self ? rev) self.rev;
|
||||
}
|
||||
];
|
||||
} ];
|
||||
});
|
||||
});
|
||||
|
||||
|
|
2
third_party/nixpkgs/lib/attrsets.nix
vendored
2
third_party/nixpkgs/lib/attrsets.nix
vendored
|
@ -276,7 +276,7 @@ rec {
|
|||
|
||||
|
||||
/* Like `mapAttrsRecursive', but it takes an additional predicate
|
||||
function that tells it whether to recursive into an attribute
|
||||
function that tells it whether to recurse into an attribute
|
||||
set. If it returns false, `mapAttrsRecursiveCond' does not
|
||||
recurse, but does apply the map function. If it returns true, it
|
||||
does recurse, and does not apply the map function.
|
||||
|
|
4
third_party/nixpkgs/lib/default.nix
vendored
4
third_party/nixpkgs/lib/default.nix
vendored
|
@ -111,8 +111,8 @@ let
|
|||
cleanSource sourceByRegex sourceFilesBySuffices
|
||||
commitIdFromGitRepo cleanSourceWith pathHasContext
|
||||
canCleanSource pathIsRegularFile pathIsGitRepo;
|
||||
inherit (self.modules) evalModules unifyModuleSyntax
|
||||
applyIfFunction mergeModules
|
||||
inherit (self.modules) evalModules setDefaultModuleLocation
|
||||
unifyModuleSyntax applyIfFunction mergeModules
|
||||
mergeModules' mergeOptionDecls evalOptionValue mergeDefinitions
|
||||
pushDownProperties dischargeProperties filterOverrides
|
||||
sortProperties fixupOptionType mkIf mkAssert mkMerge mkOverride
|
||||
|
|
10
third_party/nixpkgs/lib/licenses.nix
vendored
10
third_party/nixpkgs/lib/licenses.nix
vendored
|
@ -465,6 +465,11 @@ in mkLicense lset) ({
|
|||
spdxId = "imagemagick";
|
||||
};
|
||||
|
||||
imlib2 = {
|
||||
spdxId = "Imlib2";
|
||||
fullName = "Imlib2 License";
|
||||
};
|
||||
|
||||
inria-compcert = {
|
||||
fullName = "INRIA Non-Commercial License Agreement for the CompCert verified compiler";
|
||||
url = "https://compcert.org/doc/LICENSE.txt";
|
||||
|
@ -592,6 +597,11 @@ in mkLicense lset) ({
|
|||
fullName = "MIT License";
|
||||
};
|
||||
|
||||
mitAdvertising = {
|
||||
spdxId = "MIT-advertising";
|
||||
fullName = "Enlightenment License (e16)";
|
||||
};
|
||||
|
||||
mpl10 = {
|
||||
spdxId = "MPL-1.0";
|
||||
fullName = "Mozilla Public License 1.0";
|
||||
|
|
12
third_party/nixpkgs/lib/modules.nix
vendored
12
third_party/nixpkgs/lib/modules.nix
vendored
|
@ -334,6 +334,10 @@ rec {
|
|||
in modulesPath: initialModules: args:
|
||||
filterModules modulesPath (collectStructuredModules unknownModule "" initialModules args);
|
||||
|
||||
/* Wrap a module with a default location for reporting errors. */
|
||||
setDefaultModuleLocation = file: m:
|
||||
{ _file = file; imports = [ m ]; };
|
||||
|
||||
/* Massage a module into canonical form, that is, a set consisting
|
||||
of ‘options’, ‘config’ and ‘imports’ attributes. */
|
||||
unifyModuleSyntax = file: key: m:
|
||||
|
@ -534,11 +538,9 @@ rec {
|
|||
correspond to the definition of 'loc' in 'opt.file'. */
|
||||
mergeOptionDecls =
|
||||
let
|
||||
packSubmodule = file: m:
|
||||
{ _file = file; imports = [ m ]; };
|
||||
coerceOption = file: opt:
|
||||
if isFunction opt then packSubmodule file opt
|
||||
else packSubmodule file { options = opt; };
|
||||
if isFunction opt then setDefaultModuleLocation file opt
|
||||
else setDefaultModuleLocation file { options = opt; };
|
||||
in loc: opts:
|
||||
foldl' (res: opt:
|
||||
let t = res.type;
|
||||
|
@ -568,7 +570,7 @@ rec {
|
|||
|
||||
getSubModules = opt.options.type.getSubModules or null;
|
||||
submodules =
|
||||
if getSubModules != null then map (packSubmodule opt._file) getSubModules ++ res.options
|
||||
if getSubModules != null then map (setDefaultModuleLocation opt._file) getSubModules ++ res.options
|
||||
else if opt.options ? options then map (coerceOption opt._file) options' ++ res.options
|
||||
else res.options;
|
||||
in opt.options // res //
|
||||
|
|
103
third_party/nixpkgs/lib/sources.nix
vendored
103
third_party/nixpkgs/lib/sources.nix
vendored
|
@ -20,17 +20,26 @@ let
|
|||
readFile
|
||||
;
|
||||
|
||||
# Returns the type of a path: regular (for file), symlink, or directory
|
||||
pathType = p: getAttr (baseNameOf p) (readDir (dirOf p));
|
||||
/*
|
||||
Returns the type of a path: regular (for file), symlink, or directory.
|
||||
*/
|
||||
pathType = path: getAttr (baseNameOf path) (readDir (dirOf path));
|
||||
|
||||
# Returns true if the path exists and is a directory, false otherwise
|
||||
pathIsDirectory = p: if pathExists p then (pathType p) == "directory" else false;
|
||||
/*
|
||||
Returns true if the path exists and is a directory, false otherwise.
|
||||
*/
|
||||
pathIsDirectory = path: if pathExists path then (pathType path) == "directory" else false;
|
||||
|
||||
# Returns true if the path exists and is a regular file, false otherwise
|
||||
pathIsRegularFile = p: if pathExists p then (pathType p) == "regular" else false;
|
||||
/*
|
||||
Returns true if the path exists and is a regular file, false otherwise.
|
||||
*/
|
||||
pathIsRegularFile = path: if pathExists path then (pathType path) == "regular" else false;
|
||||
|
||||
# Bring in a path as a source, filtering out all Subversion and CVS
|
||||
# directories, as well as backup files (*~).
|
||||
/*
|
||||
A basic filter for `cleanSourceWith` that removes
|
||||
directories of version control system, backup files (*~)
|
||||
and some generated files.
|
||||
*/
|
||||
cleanSourceFilter = name: type: let baseName = baseNameOf (toString name); in ! (
|
||||
# Filter out version control software files/directories
|
||||
(baseName == ".git" || type == "directory" && (baseName == ".svn" || baseName == "CVS" || baseName == ".hg")) ||
|
||||
|
@ -48,43 +57,48 @@ let
|
|||
(type == "unknown")
|
||||
);
|
||||
|
||||
# Filters a source tree removing version control files and directories using cleanSourceWith
|
||||
#
|
||||
# Example:
|
||||
# cleanSource ./.
|
||||
/*
|
||||
Filters a source tree removing version control files and directories using cleanSourceFilter.
|
||||
|
||||
Example:
|
||||
cleanSource ./.
|
||||
*/
|
||||
cleanSource = src: cleanSourceWith { filter = cleanSourceFilter; inherit src; };
|
||||
|
||||
# Like `builtins.filterSource`, except it will compose with itself,
|
||||
# allowing you to chain multiple calls together without any
|
||||
# intermediate copies being put in the nix store.
|
||||
#
|
||||
# lib.cleanSourceWith {
|
||||
# filter = f;
|
||||
# src = lib.cleanSourceWith {
|
||||
# filter = g;
|
||||
# src = ./.;
|
||||
# };
|
||||
# }
|
||||
# # Succeeds!
|
||||
#
|
||||
# builtins.filterSource f (builtins.filterSource g ./.)
|
||||
# # Fails!
|
||||
#
|
||||
# Parameters:
|
||||
#
|
||||
# src: A path or cleanSourceWith result to filter and/or rename.
|
||||
#
|
||||
# filter: A function (path -> type -> bool)
|
||||
/*
|
||||
Like `builtins.filterSource`, except it will compose with itself,
|
||||
allowing you to chain multiple calls together without any
|
||||
intermediate copies being put in the nix store.
|
||||
|
||||
Example:
|
||||
lib.cleanSourceWith {
|
||||
filter = f;
|
||||
src = lib.cleanSourceWith {
|
||||
filter = g;
|
||||
src = ./.;
|
||||
};
|
||||
}
|
||||
# Succeeds!
|
||||
|
||||
builtins.filterSource f (builtins.filterSource g ./.)
|
||||
# Fails!
|
||||
|
||||
*/
|
||||
cleanSourceWith =
|
||||
{
|
||||
# A path or cleanSourceWith result to filter and/or rename.
|
||||
src,
|
||||
# Optional with default value: constant true (include everything)
|
||||
# The function will be combined with the && operator such
|
||||
# that src.filter is called lazily.
|
||||
# For implementing a filter, see
|
||||
# https://nixos.org/nix/manual/#builtin-filterSource
|
||||
#
|
||||
# name: Optional name to use as part of the store path.
|
||||
# Type: A function (path -> type -> bool)
|
||||
filter ? _path: _type: true,
|
||||
# Optional name to use as part of the store path.
|
||||
# This defaults to `src.name` or otherwise `"source"`.
|
||||
#
|
||||
cleanSourceWith = { filter ? _path: _type: true, src, name ? null }:
|
||||
name ? null
|
||||
}:
|
||||
let
|
||||
orig = toSourceAttributes src;
|
||||
in fromSourceAttributes {
|
||||
|
@ -116,9 +130,11 @@ let
|
|||
satisfiesSubpathInvariant = src ? satisfiesSubpathInvariant && src.satisfiesSubpathInvariant;
|
||||
};
|
||||
|
||||
# Filter sources by a list of regular expressions.
|
||||
#
|
||||
# E.g. `src = sourceByRegex ./my-subproject [".*\.py$" "^database.sql$"]`
|
||||
/*
|
||||
Filter sources by a list of regular expressions.
|
||||
|
||||
Example: src = sourceByRegex ./my-subproject [".*\.py$" "^database.sql$"]
|
||||
*/
|
||||
sourceByRegex = src: regexes:
|
||||
let
|
||||
isFiltered = src ? _isLibCleanSourceWith;
|
||||
|
@ -153,8 +169,11 @@ let
|
|||
|
||||
pathIsGitRepo = path: (tryEval (commitIdFromGitRepo path)).success;
|
||||
|
||||
# Get the commit id of a git repo
|
||||
# Example: commitIdFromGitRepo <nixpkgs/.git>
|
||||
/*
|
||||
Get the commit id of a git repo.
|
||||
|
||||
Example: commitIdFromGitRepo <nixpkgs/.git>
|
||||
*/
|
||||
commitIdFromGitRepo =
|
||||
let readCommitFromFile = file: path:
|
||||
let fileName = toString path + "/" + file;
|
||||
|
|
10
third_party/nixpkgs/lib/trivial.nix
vendored
10
third_party/nixpkgs/lib/trivial.nix
vendored
|
@ -61,11 +61,11 @@ rec {
|
|||
pipe = val: functions:
|
||||
let reverseApply = x: f: f x;
|
||||
in builtins.foldl' reverseApply val functions;
|
||||
/* note please don’t add a function like `compose = flip pipe`.
|
||||
This would confuse users, because the order of the functions
|
||||
in the list is not clear. With pipe, it’s obvious that it
|
||||
goes first-to-last. With `compose`, not so much.
|
||||
*/
|
||||
|
||||
# note please don’t add a function like `compose = flip pipe`.
|
||||
# This would confuse users, because the order of the functions
|
||||
# in the list is not clear. With pipe, it’s obvious that it
|
||||
# goes first-to-last. With `compose`, not so much.
|
||||
|
||||
## Named versions corresponding to some builtin operators.
|
||||
|
||||
|
|
131
third_party/nixpkgs/maintainers/maintainer-list.nix
vendored
131
third_party/nixpkgs/maintainers/maintainer-list.nix
vendored
|
@ -513,12 +513,6 @@
|
|||
githubId = 38869148;
|
||||
name = "Alex Eyre";
|
||||
};
|
||||
algorith = {
|
||||
email = "dries_van_daele@telenet.be";
|
||||
github = "DriesVanDaele";
|
||||
githubId = 1141488;
|
||||
name = "Dries Van Daele";
|
||||
};
|
||||
alibabzo = {
|
||||
email = "alistair.bill@gmail.com";
|
||||
github = "alibabzo";
|
||||
|
@ -1185,14 +1179,14 @@
|
|||
name = "Artturi N";
|
||||
};
|
||||
azahi = {
|
||||
email = "azahi@teknik.io";
|
||||
matrix = "@azahi:matrix.org";
|
||||
name = "Azat Bahawi";
|
||||
email = "azat@bahawi.net";
|
||||
matrix = "@azahi:azahi.cc";
|
||||
github = "azahi";
|
||||
githubId = 22211000;
|
||||
name = "Azat Bahawi";
|
||||
keys = [{
|
||||
longkeyid = "rsa2048/0xB40FCB6608BBE3B6";
|
||||
fingerprint = "E9F3 483F 31C7 29B4 4CA2 7C38 B40F CB66 08BB E3B6";
|
||||
longkeyid = "rsa4096/0xC8C6BDDB3847F72B";
|
||||
fingerprint = "2688 0377 C31D 9E81 9BDF 83A8 C8C6 BDDB 3847 F72B";
|
||||
}];
|
||||
};
|
||||
ayazhafiz = {
|
||||
|
@ -2309,6 +2303,13 @@
|
|||
githubId = 5561189;
|
||||
name = "Cody Opel";
|
||||
};
|
||||
Cogitri = {
|
||||
email = "oss@cogitri.dev";
|
||||
github = "Cogitri";
|
||||
githubId = 8766773;
|
||||
matrix = "@cogitri:cogitri.dev";
|
||||
name = "Rasmus Thomsen";
|
||||
};
|
||||
cohei = {
|
||||
email = "a.d.xvii.kal.mai@gmail.com";
|
||||
github = "cohei";
|
||||
|
@ -2381,6 +2382,13 @@
|
|||
githubId = 11145016;
|
||||
name = "J.C.";
|
||||
};
|
||||
congee = {
|
||||
email = "changshengwu@pm.me";
|
||||
matrix = "@congeec:matrix.org";
|
||||
github = "congee";
|
||||
name = "Changsheng Wu";
|
||||
githubId = 2083950;
|
||||
};
|
||||
contrun = {
|
||||
email = "uuuuuu@protonmail.com";
|
||||
github = "contrun";
|
||||
|
@ -3735,6 +3743,12 @@
|
|||
githubId = 222467;
|
||||
name = "Dmitry Ivanov";
|
||||
};
|
||||
Etjean = {
|
||||
email = "et.jean@outlook.fr";
|
||||
github = "Etjean";
|
||||
githubId = 32169529;
|
||||
name = "Etienne Jean";
|
||||
};
|
||||
etu = {
|
||||
email = "elis@hirwing.se";
|
||||
matrix = "@etu:semi.social";
|
||||
|
@ -4395,6 +4409,12 @@
|
|||
githubId = 27668;
|
||||
name = "Tobias Pflug";
|
||||
};
|
||||
gin66 = {
|
||||
email = "jochen@kiemes.de";
|
||||
github = "gin66";
|
||||
githubId = 5549373;
|
||||
name = "Jochen Kiemes";
|
||||
};
|
||||
giogadi = {
|
||||
email = "lgtorres42@gmail.com";
|
||||
github = "giogadi";
|
||||
|
@ -4474,7 +4494,7 @@
|
|||
gordias = {
|
||||
name = "Gordias";
|
||||
email = "gordias@disroot.org";
|
||||
github = "NotGordias";
|
||||
github = "gordiasdot";
|
||||
githubId = 94724133;
|
||||
keys = [{
|
||||
longkeyid = "ed25519/0x5D47284830FAA4FA";
|
||||
|
@ -5455,6 +5475,12 @@
|
|||
githubId = 221929;
|
||||
name = "Jean-Baptiste Giraudeau";
|
||||
};
|
||||
jc = {
|
||||
name = "Josh Cooper";
|
||||
email = "josh@cooper.is";
|
||||
github = "joshua-cooper";
|
||||
githubId = 35612334;
|
||||
};
|
||||
jceb = {
|
||||
name = "jceb";
|
||||
email = "jceb@e-jc.de";
|
||||
|
@ -5583,6 +5609,16 @@
|
|||
githubId = 143075;
|
||||
name = "James Felix Black";
|
||||
};
|
||||
jfchevrette = {
|
||||
email = "jfchevrette@gmail.com";
|
||||
github = "jfchevrette";
|
||||
githubId = 3001;
|
||||
name = "Jean-Francois Chevrette";
|
||||
keys = [{
|
||||
longkeyid = "rsa4096/0x67A0585801290DC6";
|
||||
fingerprint = "B612 96A9 498E EECD D5E9 C0F0 67A0 5858 0129 0DC6";
|
||||
}];
|
||||
};
|
||||
jflanglois = {
|
||||
email = "yourstruly@julienlanglois.me";
|
||||
github = "jflanglois";
|
||||
|
@ -6536,6 +6572,12 @@
|
|||
githubId = 787421;
|
||||
name = "Kevin Quick";
|
||||
};
|
||||
kradalby = {
|
||||
name = "Kristoffer Dalby";
|
||||
email = "kristoffer@dalby.cc";
|
||||
github = "kradalby";
|
||||
githubId = 98431;
|
||||
};
|
||||
kraem = {
|
||||
email = "me@kraem.xyz";
|
||||
github = "kraem";
|
||||
|
@ -7516,16 +7558,6 @@
|
|||
githubId = 29855073;
|
||||
name = "Michael Colicchia";
|
||||
};
|
||||
matdsoupe = {
|
||||
github = "matdsoupe";
|
||||
githubId = 44469426;
|
||||
name = "Matheus de Souza Pessanha";
|
||||
email = "matheus_pessanha2001@outlook.com";
|
||||
keys = [{
|
||||
longkeyid = "rsa4096/0x2671964AB1E06A08";
|
||||
fingerprint = "2F32 CFEF E11A D73B A740 FA47 2671 964A B1E0 6A08";
|
||||
}];
|
||||
};
|
||||
matejc = {
|
||||
email = "cotman.matej@gmail.com";
|
||||
github = "matejc";
|
||||
|
@ -7926,6 +7958,12 @@
|
|||
fingerprint = "FEF0 AE2D 5449 3482 5F06 40AA 186A 1EDA C5C6 3F83";
|
||||
}];
|
||||
};
|
||||
mihnea-s = {
|
||||
email = "mihn.stn@gmail.com";
|
||||
github = "mihnea-s";
|
||||
githubId = 43088426;
|
||||
name = "Mihnea Stoian";
|
||||
};
|
||||
mikefaille = {
|
||||
email = "michael@faille.io";
|
||||
github = "mikefaille";
|
||||
|
@ -8552,6 +8590,12 @@
|
|||
githubId = 3747396;
|
||||
name = "Nathan Isom";
|
||||
};
|
||||
nelsonjeppesen = {
|
||||
email = "nix@jeppesen.io";
|
||||
github = "NelsonJeppesen";
|
||||
githubId = 50854675;
|
||||
name = "Nelson Jeppesen";
|
||||
};
|
||||
neonfuz = {
|
||||
email = "neonfuz@gmail.com";
|
||||
github = "neonfuz";
|
||||
|
@ -11564,6 +11608,13 @@
|
|||
githubId = 2666479;
|
||||
name = "Y Nguyen";
|
||||
};
|
||||
superherointj = {
|
||||
name = "Sérgio G.";
|
||||
email = "5861043+superherointj@users.noreply.github.com";
|
||||
matrix = "@superherointj:matrix.org";
|
||||
github = "superherointj";
|
||||
githubId = 5861043;
|
||||
};
|
||||
SuperSandro2000 = {
|
||||
email = "sandro.jaeckel@gmail.com";
|
||||
matrix = "@sandro:supersandro.de";
|
||||
|
@ -11804,6 +11855,13 @@
|
|||
githubId = 863327;
|
||||
name = "Tyler Benster";
|
||||
};
|
||||
tboerger = {
|
||||
email = "thomas@webhippie.de";
|
||||
matrix = "@tboerger:matrix.org";
|
||||
github = "tboerger";
|
||||
githubId = 156964;
|
||||
name = "Thomas Boerger";
|
||||
};
|
||||
tcbravo = {
|
||||
email = "tomas.bravo@protonmail.ch";
|
||||
github = "tcbravo";
|
||||
|
@ -12163,6 +12221,7 @@
|
|||
};
|
||||
toastal = {
|
||||
email = "toastal+nix@posteo.net";
|
||||
matrix = "@toastal:matrix.org";
|
||||
github = "toastal";
|
||||
githubId = 561087;
|
||||
name = "toastal";
|
||||
|
@ -13612,10 +13671,10 @@
|
|||
github = "nagisa";
|
||||
githubId = 679122;
|
||||
};
|
||||
yevhenshymotiuk = {
|
||||
yshym = {
|
||||
name = "Yevhen Shymotiuk";
|
||||
email = "yevhenshymotiuk@gmail.com";
|
||||
github = "yevhenshymotiuk";
|
||||
email = "yshym@pm.me";
|
||||
github = "yshym";
|
||||
githubId = 44244245;
|
||||
};
|
||||
hmenke = {
|
||||
|
@ -13739,6 +13798,16 @@
|
|||
github = "zeri42";
|
||||
githubId = 68825133;
|
||||
};
|
||||
zoedsoupe = {
|
||||
github = "zoedsoupe";
|
||||
githubId = 44469426;
|
||||
name = "Zoey de Souza Pessanha";
|
||||
email = "zoey.spessanha@outlook.com";
|
||||
keys = [{
|
||||
longkeyid = "rsa4096/0x1E1E889CDBD6A315";
|
||||
fingerprint = "EAA1 51DB 472B 0122 109A CB17 1E1E 889C DBD6 A315";
|
||||
}];
|
||||
};
|
||||
zombiezen = {
|
||||
name = "Ross Light";
|
||||
email = "ross@zombiezen.com";
|
||||
|
@ -13802,4 +13871,16 @@
|
|||
fingerprint = "3586 3350 BFEA C101 DB1A 4AF0 1F81 112D 62A9 ADCE";
|
||||
}];
|
||||
};
|
||||
ameer = {
|
||||
name = "Ameer Taweel";
|
||||
email = "ameertaweel2002@gmail.com";
|
||||
github = "AmeerTaweel";
|
||||
githubId = 20538273;
|
||||
};
|
||||
nigelgbanks = {
|
||||
name = "Nigel Banks";
|
||||
email = "nigel.g.banks@gmail.com";
|
||||
github = "nigelgbanks";
|
||||
githubId = 487373;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -278,6 +278,13 @@ with lib.maintainers; {
|
|||
scope = "Maintain SageMath and the dependencies that are likely to break it.";
|
||||
};
|
||||
|
||||
sphinx = {
|
||||
members = [
|
||||
SuperSandro2000
|
||||
];
|
||||
scope = "Maintain Sphinx related packages.";
|
||||
};
|
||||
|
||||
serokell = {
|
||||
# Verify additions by approval of an already existing member of the team.
|
||||
members = [
|
||||
|
|
|
@ -79,6 +79,12 @@
|
|||
<link linkend="opt-services.filebeat.enable">services.filebeat</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/linux-apfs/linux-apfs-rw">apfs</link>,
|
||||
a kernel module for mounting the Apple File System (APFS).
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://frrouting.org/">FRRouting</link>, a
|
||||
|
@ -162,6 +168,13 @@
|
|||
<link linkend="opt-services.baget.enable">services.baget</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://moosefs.com">moosefs</link>, fault
|
||||
tolerant petabyte distributed file system. Available as
|
||||
<link linkend="opt-services.moosefs">moosefs</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/ThomasLeister/prosody-filer">prosody-filer</link>,
|
||||
|
@ -169,6 +182,13 @@
|
|||
<link linkend="opt-services.prosody-filer.enable">services.prosody-filer</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/audreyt/ethercalc">ethercalc</link>,
|
||||
an online collaborative spreadsheet. Available as
|
||||
<link xlink:href="options.html#opt-services.ethercalc.enable">services.ethercalc</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://timetagger.app">timetagger</link>,
|
||||
|
@ -185,6 +205,15 @@
|
|||
<link xlink:href="options.html#opt-services.rstudio-server.enable">services.rstudio-server</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/juanfont/headscale">headscale</link>,
|
||||
an Open Source implementation of the
|
||||
<link xlink:href="https://tailscale.io">Tailscale</link>
|
||||
Control Server. Available as
|
||||
<link xlink:href="options.html#opt-services.headscale.enable">services.headscale</link>
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
<section xml:id="sec-release-22.05-incompatibilities">
|
||||
|
@ -211,6 +240,19 @@
|
|||
<literal>haskellPackages.callPackage</literal>).
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>pkgs.ghc.withPackages</literal> as well as
|
||||
<literal>haskellPackages.ghcWithPackages</literal> etc. now
|
||||
needs be overridden directly, as opposed to overriding the
|
||||
result of calling it. Additionally, the
|
||||
<literal>withLLVM</literal> parameter has been renamed to
|
||||
<literal>useLLVM</literal>. So instead of
|
||||
<literal>(ghc.withPackages (p: [])).override { withLLVM = true; }</literal>,
|
||||
one needs to use
|
||||
<literal>(ghc.withPackages.override { useLLVM = true; }) (p: [])</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>pkgs.emacsPackages.orgPackages</literal> is removed
|
||||
|
@ -228,6 +270,23 @@
|
|||
removed due to it being an outdated version.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The DHCP server (<literal>services.dhcpd4</literal>,
|
||||
<literal>services.dhcpd6</literal>) has been hardened. The
|
||||
service is now using the systemd’s
|
||||
<literal>DynamicUser</literal> mechanism to run as an
|
||||
unprivileged dynamically-allocated user with limited
|
||||
capabilities. The dhcpd state files are now always stored in
|
||||
<literal>/var/lib/dhcpd{4,6}</literal> and the
|
||||
<literal>services.dhcpd4.stateDir</literal> and
|
||||
<literal>service.dhcpd6.stateDir</literal> options have been
|
||||
removed. If you were depending on root privileges or
|
||||
set{uid,gid,cap} binaries in dhcpd shell hooks, you may give
|
||||
dhcpd more capabilities with e.g.
|
||||
<literal>systemd.services.dhcpd6.serviceConfig.AmbientCapabilities</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>mailpile</literal> email webclient
|
||||
|
@ -271,6 +330,22 @@
|
|||
<literal>writers.writePyPy2</literal> needs to be used.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>buildGoModule</literal> was updated to use
|
||||
<literal>go_1_17</literal>, third party derivations that
|
||||
specify >= go 1.17 in the main <literal>go.mod</literal>
|
||||
will need to regenerate their <literal>vendorSha256</literal>
|
||||
hash.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>gnome-passwordsafe</literal> package updated to
|
||||
<link xlink:href="https://gitlab.gnome.org/World/secrets/-/tags/6.0">version
|
||||
6.x</link> and renamed to <literal>gnome-secrets</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
If you previously used
|
||||
|
@ -382,6 +457,11 @@
|
|||
unmaintained
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>tilp2</literal> was removed together with its module
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The options
|
||||
|
@ -428,6 +508,20 @@
|
|||
directly.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The existing <literal>pkgs.opentelemetry-collector</literal>
|
||||
has been moved to
|
||||
<literal>pkgs.opentelemetry-collector-contrib</literal> to
|
||||
match the actual source being the <quote>contrib</quote>
|
||||
edition. <literal>pkgs.opentelemetry-collector</literal> is
|
||||
now the actual core release of opentelemetry-collector. If you
|
||||
use the community contributions you should change the package
|
||||
you refer to. If you don’t need them update your commands from
|
||||
<literal>otelcontribcol</literal> to
|
||||
<literal>otelcorecol</literal> and enjoy a 7x smaller binary.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>pkgs.noto-fonts-cjk</literal> is now deprecated in
|
||||
|
@ -515,6 +609,14 @@
|
|||
wrapper for <literal>assert</literal> conditions.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>pkgs.vimPlugins.onedark-nvim</literal> now refers to
|
||||
<link xlink:href="https://github.com/navarasu/onedark.nvim">navarasu/onedark.nvim</link>
|
||||
(formerly refers to
|
||||
<link xlink:href="https://github.com/olimorris/onedarkpro.nvim">olimorris/onedarkpro.nvim</link>).
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
<section xml:id="sec-release-22.05-notable-changes">
|
||||
|
@ -700,6 +802,13 @@
|
|||
loaded in the initrd.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>nixos-generate-config</literal> now puts the dhcp
|
||||
configuration in <literal>hardware-configuration.nix</literal>
|
||||
instead of <literal>configuration.nix</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>fetchFromSourcehut</literal> now allows fetching
|
||||
|
@ -732,6 +841,14 @@
|
|||
0042</link> configuration.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The default value for
|
||||
<literal>programs.spacefm.settings.graphical_su</literal> got
|
||||
unset. It previously pointed to <literal>gksu</literal> which
|
||||
has been removed.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
A new module was added for the
|
||||
|
@ -784,6 +901,17 @@
|
|||
warning.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The option
|
||||
<link linkend="opt-services.networking.networkmanager.enableFccUnlock">services.networking.networkmanager.enableFccUnlock</link>
|
||||
was added to support FCC unlock procedures. Since release
|
||||
1.18.4, the ModemManager daemon no longer automatically
|
||||
performs the FCC unlock procedure by default. See
|
||||
<link xlink:href="https://modemmanager.org/docs/modemmanager/fcc-unlock/">the
|
||||
docs</link> for more details.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>programs.tmux</literal> has a new option
|
||||
|
|
|
@ -27,6 +27,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable).
|
||||
|
||||
- [apfs](https://github.com/linux-apfs/linux-apfs-rw), a kernel module for mounting the Apple File System (APFS).
|
||||
|
||||
- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VVRP and others). Available as [services.frr](#opt-services.ffr.babel.enable)
|
||||
|
||||
- [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](options.html#opt-services.heisenbridge.enable).
|
||||
|
@ -49,12 +51,20 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable).
|
||||
|
||||
- [moosefs](https://moosefs.com), fault tolerant petabyte distributed file system.
|
||||
Available as [moosefs](#opt-services.moosefs).
|
||||
|
||||
- [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable).
|
||||
|
||||
- [ethercalc](https://github.com/audreyt/ethercalc), an online collaborative
|
||||
spreadsheet. Available as [services.ethercalc](options.html#opt-services.ethercalc.enable).
|
||||
|
||||
- [timetagger](https://timetagger.app), an open source time-tracker with an intuitive user experience and powerful reporting. [services.timetagger](options.html#opt-services.timetagger.enable).
|
||||
|
||||
- [rstudio-server](https://www.rstudio.com/products/rstudio/#rstudio-server), a browser-based version of the RStudio IDE for the R programming language. Available as [services.rstudio-server](options.html#opt-services.rstudio-server.enable).
|
||||
|
||||
- [headscale](https://github.com/juanfont/headscale), an Open Source implementation of the [Tailscale](https://tailscale.io) Control Server. Available as [services.headscale](options.html#opt-services.headscale.enable)
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
||||
## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
|
||||
|
@ -71,6 +81,12 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
instead to ensure cross compilation keeps working (or switch to
|
||||
`haskellPackages.callPackage`).
|
||||
|
||||
- `pkgs.ghc.withPackages` as well as `haskellPackages.ghcWithPackages` etc.
|
||||
now needs be overridden directly, as opposed to overriding the result of
|
||||
calling it. Additionally, the `withLLVM` parameter has been renamed to
|
||||
`useLLVM`. So instead of `(ghc.withPackages (p: [])).override { withLLVM = true; }`,
|
||||
one needs to use `(ghc.withPackages.override { useLLVM = true; }) (p: [])`.
|
||||
|
||||
- `pkgs.emacsPackages.orgPackages` is removed because org elpa is deprecated.
|
||||
The packages in the top level of `pkgs.emacsPackages`, such as org and
|
||||
org-contrib, refer to the ones in `pkgs.emacsPackages.elpaPackages` and
|
||||
|
@ -78,6 +94,11 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- `services.kubernetes.addons.dashboard` was removed due to it being an outdated version.
|
||||
|
||||
- The DHCP server (`services.dhcpd4`, `services.dhcpd6`) has been hardened.
|
||||
The service is now using the systemd's `DynamicUser` mechanism to run as an unprivileged dynamically-allocated user with limited capabilities.
|
||||
The dhcpd state files are now always stored in `/var/lib/dhcpd{4,6}` and the `services.dhcpd4.stateDir` and `service.dhcpd6.stateDir` options have been removed.
|
||||
If you were depending on root privileges or set{uid,gid,cap} binaries in dhcpd shell hooks, you may give dhcpd more capabilities with e.g. `systemd.services.dhcpd6.serviceConfig.AmbientCapabilities`.
|
||||
|
||||
- The `mailpile` email webclient (`services.mailpile`) has been removed due to its reliance on python2.
|
||||
|
||||
- The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs.
|
||||
|
@ -90,6 +111,10 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
- The `writers.writePython2` and corresponding `writers.writePython2Bin` convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter.
|
||||
Scripts have to be converted to Python 3 for use with `writers.writePython3` or `writers.writePyPy2` needs to be used.
|
||||
|
||||
- `buildGoModule` was updated to use `go_1_17`, third party derivations that specify >= go 1.17 in the main `go.mod` will need to regenerate their `vendorSha256` hash.
|
||||
|
||||
- The `gnome-passwordsafe` package updated to [version 6.x](https://gitlab.gnome.org/World/secrets/-/tags/6.0) and renamed to `gnome-secrets`.
|
||||
|
||||
- If you previously used `/etc/docker/daemon.json`, you need to incorporate the changes into the new option `virtualisation.docker.daemon.settings`.
|
||||
|
||||
- The backward compatibility in `services.wordpress` to configure sites with
|
||||
|
@ -126,15 +151,26 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- `pkgs.docbookrx` was removed since it's unmaintained
|
||||
|
||||
- `tilp2` was removed together with its module
|
||||
|
||||
- The options `networking.interfaces.<name>.ipv4.routes` and `networking.interfaces.<name>.ipv6.routes` are no longer ignored when using networkd instead of the default scripted network backend by setting `networking.useNetworkd` to `true`.
|
||||
|
||||
- MultiMC has been replaced with the fork PolyMC due to upstream developers being hostile to 3rd party package maintainers. PolyMC removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename `~/.local/share/multimc` to `~/.local/share/polymc`. The main config file's path has also moved from `~/.local/share/multimc/multimc.cfg` to `~/.local/share/polymc/polymc.cfg`.
|
||||
|
||||
|
||||
- The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under
|
||||
`$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>` (which mkProvider does).
|
||||
|
||||
This breaks back-compat so it's not possible to mix-and-match with previous versions of nixpkgs. In exchange, it now becomes possible to use the providers from [nixpkgs-terraform-providers-bin](https://github.com/numtide/nixpkgs-terraform-providers-bin) directly.
|
||||
|
||||
- The existing `pkgs.opentelemetry-collector` has been moved to
|
||||
`pkgs.opentelemetry-collector-contrib` to match the actual source being the
|
||||
"contrib" edition. `pkgs.opentelemetry-collector` is now the actual core
|
||||
release of opentelemetry-collector. If you use the community contributions
|
||||
you should change the package you refer to. If you don't need them update your
|
||||
commands from `otelcontribcol` to `otelcorecol` and enjoy a 7x smaller binary.
|
||||
|
||||
|
||||
- `pkgs.noto-fonts-cjk` is now deprecated in favor of `pkgs.noto-fonts-cjk-sans`
|
||||
and `pkgs.noto-fonts-cjk-serif` because they each have different release
|
||||
schedules. To maintain compatibility with prior releases of Nixpkgs,
|
||||
|
@ -157,6 +193,9 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- `lib.assertMsg` and `lib.assertOneOf` no longer return `false` if the passed condition is `false`, `throw`ing the given error message instead (which makes the resulting error message less cluttered). This will not impact the behaviour of code using these functions as intended, namely as top-level wrapper for `assert` conditions.
|
||||
|
||||
- `pkgs.vimPlugins.onedark-nvim` now refers to [navarasu/onedark.nvim](https://github.com/navarasu/onedark.nvim)
|
||||
(formerly refers to [olimorris/onedarkpro.nvim](https://github.com/olimorris/onedarkpro.nvim)).
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
||||
## Other Notable Changes {#sec-release-22.05-notable-changes}
|
||||
|
@ -235,6 +274,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- A new option `boot.initrd.extraModprobeConfig` has been added which can be used to configure kernel modules that are loaded in the initrd.
|
||||
|
||||
- `nixos-generate-config` now puts the dhcp configuration in `hardware-configuration.nix` instead of `configuration.nix`.
|
||||
|
||||
- `fetchFromSourcehut` now allows fetching repositories recursively
|
||||
using `fetchgit` or `fetchhg` if the argument `fetchSubmodules`
|
||||
is set to `true`.
|
||||
|
@ -245,6 +286,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- The `services.mbpfan` module was converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.
|
||||
|
||||
- The default value for `programs.spacefm.settings.graphical_su` got unset. It previously pointed to `gksu` which has been removed.
|
||||
|
||||
- A new module was added for the [Starship](https://starship.rs/) shell prompt,
|
||||
providing the options `programs.starship.enable` and `programs.starship.settings`.
|
||||
|
||||
|
@ -260,6 +303,12 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
Reason is that the old name has been deprecated upstream.
|
||||
Using the old option name will still work, but produce a warning.
|
||||
|
||||
- The option
|
||||
[services.networking.networkmanager.enableFccUnlock](#opt-services.networking.networkmanager.enableFccUnlock)
|
||||
was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager
|
||||
daemon no longer automatically performs the FCC unlock procedure by default. See
|
||||
[the docs](https://modemmanager.org/docs/modemmanager/fcc-unlock/) for more details.
|
||||
|
||||
- `programs.tmux` has a new option `plugins` that accepts a list of packages from the `tmuxPlugins` group. The specified packages are added to the system and loaded by `tmux`.
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
|
14
third_party/nixpkgs/nixos/lib/eval-config.nix
vendored
14
third_party/nixpkgs/nixos/lib/eval-config.nix
vendored
|
@ -21,6 +21,7 @@ evalConfigArgs@
|
|||
, # !!! See comment about args in lib/modules.nix
|
||||
specialArgs ? {}
|
||||
, modules
|
||||
, modulesLocation ? (builtins.unsafeGetAttrPos "modules" evalConfigArgs).file or null
|
||||
, # !!! See comment about check in lib/modules.nix
|
||||
check ? true
|
||||
, prefix ? []
|
||||
|
@ -74,7 +75,18 @@ let
|
|||
_module.check = lib.mkDefault check;
|
||||
};
|
||||
};
|
||||
allUserModules = modules ++ legacyModules;
|
||||
|
||||
allUserModules =
|
||||
let
|
||||
# Add the invoking file (or specified modulesLocation) as error message location
|
||||
# for modules that don't have their own locations; presumably inline modules.
|
||||
locatedModules =
|
||||
if modulesLocation == null then
|
||||
modules
|
||||
else
|
||||
map (lib.setDefaultModuleLocation modulesLocation) modules;
|
||||
in
|
||||
locatedModules ++ legacyModules;
|
||||
|
||||
noUserModules = evalModulesMinimal ({
|
||||
inherit prefix specialArgs;
|
||||
|
|
|
@ -22,7 +22,7 @@ rec {
|
|||
else throw "Unknown QEMU serial device for system '${pkgs.stdenv.hostPlatform.system}'";
|
||||
|
||||
qemuBinary = qemuPkg: {
|
||||
x86_64-linux = "${qemuPkg}/bin/qemu-kvm -cpu qemu64";
|
||||
x86_64-linux = "${qemuPkg}/bin/qemu-kvm -cpu max";
|
||||
armv7l-linux = "${qemuPkg}/bin/qemu-system-arm -enable-kvm -machine virt -cpu host";
|
||||
aarch64-linux = "${qemuPkg}/bin/qemu-system-aarch64 -enable-kvm -machine virt,gic-version=host -cpu host";
|
||||
powerpc64le-linux = "${qemuPkg}/bin/qemu-system-ppc64 -machine powernv";
|
||||
|
|
|
@ -11,6 +11,9 @@ in rec {
|
|||
|
||||
mkPathSafeName = lib.replaceChars ["@" ":" "\\" "[" "]"] ["-" "-" "-" "" ""];
|
||||
|
||||
# a type for options that take a unit name
|
||||
unitNameType = types.strMatching "[a-zA-Z0-9@%:_.\\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)";
|
||||
|
||||
makeUnit = name: unit:
|
||||
if unit.enable then
|
||||
pkgs.runCommand "unit-${mkPathSafeName name}"
|
||||
|
|
|
@ -45,7 +45,7 @@ in rec {
|
|||
|
||||
requiredBy = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
Units that require (i.e. depend on and need to go down with)
|
||||
this unit. The discussion under <literal>wantedBy</literal>
|
||||
|
@ -56,7 +56,7 @@ in rec {
|
|||
|
||||
wantedBy = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
Units that want (i.e. depend on) this unit. The standard way
|
||||
to make a unit start by default at boot is to set this option
|
||||
|
@ -73,7 +73,7 @@ in rec {
|
|||
|
||||
aliases = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = "Aliases of that unit.";
|
||||
};
|
||||
|
||||
|
@ -110,7 +110,7 @@ in rec {
|
|||
|
||||
requires = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
Start the specified units when this unit is started, and stop
|
||||
this unit when the specified units are stopped or fail.
|
||||
|
@ -119,7 +119,7 @@ in rec {
|
|||
|
||||
wants = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
Start the specified units when this unit is started.
|
||||
'';
|
||||
|
@ -127,7 +127,7 @@ in rec {
|
|||
|
||||
after = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
If the specified units are started at the same time as
|
||||
this unit, delay this unit until they have started.
|
||||
|
@ -136,7 +136,7 @@ in rec {
|
|||
|
||||
before = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
If the specified units are started at the same time as
|
||||
this unit, delay them until this unit has started.
|
||||
|
@ -145,7 +145,7 @@ in rec {
|
|||
|
||||
bindsTo = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
Like ‘requires’, but in addition, if the specified units
|
||||
unexpectedly disappear, this unit will be stopped as well.
|
||||
|
@ -154,7 +154,7 @@ in rec {
|
|||
|
||||
partOf = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
If the specified units are stopped or restarted, then this
|
||||
unit is stopped or restarted as well.
|
||||
|
@ -163,7 +163,7 @@ in rec {
|
|||
|
||||
conflicts = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
If the specified units are started, then this unit is stopped
|
||||
and vice versa.
|
||||
|
@ -172,7 +172,7 @@ in rec {
|
|||
|
||||
requisite = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
Similar to requires. However if the units listed are not started,
|
||||
they will not be started and the transaction will fail.
|
||||
|
@ -203,7 +203,7 @@ in rec {
|
|||
|
||||
onFailure = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
type = types.listOf unitNameType;
|
||||
description = ''
|
||||
A list of one or more units that are activated when
|
||||
this unit enters the "failed" state.
|
||||
|
|
|
@ -543,11 +543,11 @@ class Machine:
|
|||
|
||||
Should only be used during test development, not in the production test."""
|
||||
self.connect()
|
||||
self.log("Terminal is ready (there is no prompt):")
|
||||
self.log("Terminal is ready (there is no initial prompt):")
|
||||
|
||||
assert self.shell
|
||||
subprocess.run(
|
||||
["socat", "READLINE", f"FD:{self.shell.fileno()}"],
|
||||
["socat", "READLINE,prompt=$ ", f"FD:{self.shell.fileno()}"],
|
||||
pass_fds=[self.shell.fileno()],
|
||||
)
|
||||
|
||||
|
|
9
third_party/nixpkgs/nixos/lib/utils.nix
vendored
9
third_party/nixpkgs/nixos/lib/utils.nix
vendored
|
@ -149,10 +149,16 @@ rec {
|
|||
if [[ -h '${output}' ]]; then
|
||||
rm '${output}'
|
||||
fi
|
||||
|
||||
inherit_errexit_restore=$(shopt -p inherit_errexit)
|
||||
shopt -s inherit_errexit
|
||||
''
|
||||
+ concatStringsSep
|
||||
"\n"
|
||||
(imap1 (index: name: "export secret${toString index}=$(<'${secrets.${name}}')")
|
||||
(imap1 (index: name: ''
|
||||
secret${toString index}=$(<'${secrets.${name}}')
|
||||
export secret${toString index}
|
||||
'')
|
||||
(attrNames secrets))
|
||||
+ "\n"
|
||||
+ "${pkgs.jq}/bin/jq >'${output}' '"
|
||||
|
@ -164,6 +170,7 @@ rec {
|
|||
' <<'EOF'
|
||||
${builtins.toJSON set}
|
||||
EOF
|
||||
$inherit_errexit_restore
|
||||
'';
|
||||
|
||||
systemdUtils = {
|
||||
|
|
|
@ -449,16 +449,10 @@ in {
|
|||
imports = [
|
||||
(mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ])
|
||||
(mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ])
|
||||
(mkChangedOptionModule
|
||||
[ "security" "initialRootPassword" ]
|
||||
[ "users" "users" "root" "initialHashedPassword" ]
|
||||
(cfg: if cfg.security.initialRootPassword == "!"
|
||||
then null
|
||||
else cfg.security.initialRootPassword))
|
||||
(mkRenamedOptionModule ["security" "initialRootPassword"] ["users" "users" "root" "initialHashedPassword"])
|
||||
];
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
|
||||
users.mutableUsers = mkOption {
|
||||
|
@ -526,6 +520,17 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
|
||||
users.allowNoPasswordLogin = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Disable checking that at least the <literal>root</literal> user or a user in the <literal>wheel</literal> group can log in using
|
||||
a password or an SSH key.
|
||||
|
||||
WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
|
@ -540,6 +545,7 @@ in {
|
|||
home = "/root";
|
||||
shell = mkDefault cfg.defaultUserShell;
|
||||
group = "root";
|
||||
initialHashedPassword = mkDefault "!";
|
||||
};
|
||||
nobody = {
|
||||
uid = ids.uids.nobody;
|
||||
|
@ -616,9 +622,11 @@ in {
|
|||
# there is at least one "privileged" account that has a
|
||||
# password or an SSH authorized key. Privileged accounts are
|
||||
# root and users in the wheel group.
|
||||
assertion = !cfg.mutableUsers ->
|
||||
any id ((mapAttrsToList (_: cfg:
|
||||
(cfg.name == "root"
|
||||
# The check does not apply when users.disableLoginPossibilityAssertion
|
||||
# The check does not apply when users.mutableUsers
|
||||
assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin ->
|
||||
any id (mapAttrsToList (name: cfg:
|
||||
(name == "root"
|
||||
|| cfg.group == "wheel"
|
||||
|| elem "wheel" cfg.extraGroups)
|
||||
&&
|
||||
|
@ -627,12 +635,16 @@ in {
|
|||
|| cfg.passwordFile != null
|
||||
|| cfg.openssh.authorizedKeys.keys != []
|
||||
|| cfg.openssh.authorizedKeys.keyFiles != [])
|
||||
) cfg.users) ++ [
|
||||
) cfg.users ++ [
|
||||
config.security.googleOsLogin.enable
|
||||
]);
|
||||
message = ''
|
||||
Neither the root account nor any wheel user has a password or SSH authorized key.
|
||||
You must set one to prevent being locked out of your system.'';
|
||||
You must set one to prevent being locked out of your system.
|
||||
If you really want to be locked out of your system, set users.allowNoPasswordLogin = true;
|
||||
However you are most probably better off by setting users.mutableUsers = true; and
|
||||
manually running passwd root to set the root password.
|
||||
'';
|
||||
}
|
||||
] ++ flatten (flip mapAttrsToList cfg.users (name: user:
|
||||
[
|
||||
|
|
|
@ -57,7 +57,6 @@ in {
|
|||
rtl8723bs-firmware
|
||||
rtl8761b-firmware
|
||||
rtw88-firmware
|
||||
rtw89-firmware
|
||||
zd1211fw
|
||||
alsa-firmware
|
||||
sof-firmware
|
||||
|
@ -65,6 +64,8 @@ in {
|
|||
] ++ optional (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) raspberrypiWirelessFirmware
|
||||
++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [
|
||||
rtl8723bs-firmware
|
||||
] ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "5.16") [
|
||||
rtw89-firmware
|
||||
];
|
||||
hardware.wirelessRegulatoryDatabase = true;
|
||||
})
|
||||
|
|
|
@ -178,11 +178,6 @@ in
|
|||
igpuBusId = if pCfg.intelBusId != "" then pCfg.intelBusId else pCfg.amdgpuBusId;
|
||||
in mkIf enabled {
|
||||
assertions = [
|
||||
{
|
||||
assertion = with config.services.xserver.displayManager; (gdm.enable && gdm.nvidiaWayland) -> cfg.modesetting.enable;
|
||||
message = "You cannot use wayland with GDM without modesetting enabled for NVIDIA drivers, set `hardware.nvidia.modesetting.enable = true`";
|
||||
}
|
||||
|
||||
{
|
||||
assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == "";
|
||||
message = ''
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
x86_64-linux = "/nix/store/hapw7q1fkjxvprnkcgw9ppczavg4daj2-nix-2.4";
|
||||
i686-linux = "/nix/store/8qlvh8pp5j8wgrzj3is2jlbhgrwgsiy9-nix-2.4";
|
||||
aarch64-linux = "/nix/store/h48lkygcqj4hdibbdnpl67q7ks6vkrd6-nix-2.4";
|
||||
x86_64-darwin = "/nix/store/c3mvzszvyzakvcp9spnjvsb8m2bpjk7m-nix-2.4";
|
||||
aarch64-darwin = "/nix/store/hbfqs62r0hga2yr4zi5kc7fzhf71bq9n-nix-2.4";
|
||||
x86_64-linux = "/nix/store/67amfijcvhqfgz4bwf2izsvbnklwjbvk-nix-2.6.0";
|
||||
i686-linux = "/nix/store/kinl99f619b2xsma4qnzhidbp65axyzm-nix-2.6.0";
|
||||
aarch64-linux = "/nix/store/8zpm63nn7k4n1alp9a0fcilpgc8j014z-nix-2.6.0";
|
||||
x86_64-darwin = "/nix/store/hw5v03wnc0k1pwgiyhblwlxb1fx5zyx8-nix-2.6.0";
|
||||
aarch64-darwin = "/nix/store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0";
|
||||
}
|
||||
|
|
|
@ -279,7 +279,7 @@ if (`lsblk -o TYPE` =~ "lvm") {
|
|||
push @initrdKernelModules, "dm-snapshot";
|
||||
}
|
||||
|
||||
my $virt = `systemd-detect-virt`;
|
||||
my $virt = `@detectvirt@`;
|
||||
chomp $virt;
|
||||
|
||||
|
||||
|
@ -398,7 +398,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
|
|||
# Maybe this is a bind-mount of a filesystem we saw earlier?
|
||||
if (defined $fsByDev{$fields[2]}) {
|
||||
# Make sure this isn't a btrfs subvolume.
|
||||
my $msg = `btrfs subvol show $rootDir$mountPoint`;
|
||||
my $msg = `@btrfs@ subvol show $rootDir$mountPoint`;
|
||||
if ($? != 0 || $msg =~ /ERROR:/s) {
|
||||
my $path = $fields[3]; $path = "" if $path eq "/";
|
||||
my $base = $fsByDev{$fields[2]};
|
||||
|
@ -436,7 +436,7 @@ EOF
|
|||
|
||||
# Is this a btrfs filesystem?
|
||||
if ($fsType eq "btrfs") {
|
||||
my ($status, @info) = runCommand("btrfs subvol show $rootDir$mountPoint");
|
||||
my ($status, @info) = runCommand("@btrfs@ subvol show $rootDir$mountPoint");
|
||||
if ($status != 0 || join("", @info) =~ /ERROR:/) {
|
||||
die "Failed to retrieve subvolume info for $mountPoint\n";
|
||||
}
|
||||
|
@ -558,6 +558,8 @@ if (!$noFilesystems) {
|
|||
$fsAndSwap .= "swapDevices =" . multiLineList(" ", @swapDevices) . ";\n";
|
||||
}
|
||||
|
||||
my $networkingDhcpConfig = generateNetworkingDhcpConfig();
|
||||
|
||||
my $hwConfig = <<EOF;
|
||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
|
@ -572,6 +574,7 @@ my $hwConfig = <<EOF;
|
|||
boot.kernelModules = [$kernelModules ];
|
||||
boot.extraModulePackages = [$modulePackages ];
|
||||
$fsAndSwap
|
||||
$networkingDhcpConfig
|
||||
${\join "", (map { " $_\n" } (uniq @attrs))}}
|
||||
EOF
|
||||
|
||||
|
@ -580,13 +583,13 @@ sub generateNetworkingDhcpConfig {
|
|||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = false;
|
||||
networking.useDHCP = lib.mkDefault false;
|
||||
EOF
|
||||
|
||||
foreach my $path (glob "/sys/class/net/*") {
|
||||
my $dev = basename($path);
|
||||
if ($dev ne "lo") {
|
||||
$config .= " networking.interfaces.$dev.useDHCP = true;\n";
|
||||
$config .= " networking.interfaces.$dev.useDHCP = lib.mkDefault true;\n";
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -33,8 +33,9 @@ let
|
|||
nixos-generate-config = makeProg {
|
||||
name = "nixos-generate-config";
|
||||
src = ./nixos-generate-config.pl;
|
||||
path = lib.optionals (lib.elem "btrfs" config.boot.supportedFilesystems) [ pkgs.btrfs-progs ];
|
||||
perl = "${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl";
|
||||
detectvirt = "${pkgs.systemd}/bin/systemd-detect-virt";
|
||||
btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
|
||||
inherit (config.system.nixos-generate-config) configuration desktopConfiguration;
|
||||
xserverEnabled = config.services.xserver.enable;
|
||||
};
|
||||
|
@ -133,12 +134,13 @@ in
|
|||
|
||||
$bootLoaderConfig
|
||||
# networking.hostName = "nixos"; # Define your hostname.
|
||||
# Pick only one of the below networking options.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
||||
|
||||
# Set your time zone.
|
||||
# time.timeZone = "Europe/Amsterdam";
|
||||
|
||||
$networkingDhcpConfig
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password\@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
@ -148,6 +150,7 @@ in
|
|||
# console = {
|
||||
# font = "Lat2-Terminus16";
|
||||
# keyMap = "us";
|
||||
# useXkbConfig = true; # use xkbOptions in tty.
|
||||
# };
|
||||
|
||||
$xserverConfig
|
||||
|
@ -155,7 +158,10 @@ in
|
|||
$desktopConfiguration
|
||||
# Configure keymap in X11
|
||||
# services.xserver.layout = "us";
|
||||
# services.xserver.xkbOptions = "eurosign:e";
|
||||
# services.xserver.xkbOptions = {
|
||||
# "eurosign:e";
|
||||
# "caps:escape" # map caps to escape.
|
||||
# };
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
# services.printing.enable = true;
|
||||
|
|
|
@ -203,7 +203,6 @@
|
|||
./programs/sway.nix
|
||||
./programs/system-config-printer.nix
|
||||
./programs/thefuck.nix
|
||||
./programs/tilp2.nix
|
||||
./programs/tmux.nix
|
||||
./programs/traceroute.nix
|
||||
./programs/tsm-client.nix
|
||||
|
@ -357,7 +356,6 @@
|
|||
./services/desktops/cpupower-gui.nix
|
||||
./services/desktops/dleyna-renderer.nix
|
||||
./services/desktops/dleyna-server.nix
|
||||
./services/desktops/pantheon/files.nix
|
||||
./services/desktops/espanso.nix
|
||||
./services/desktops/flatpak.nix
|
||||
./services/desktops/geoclue2.nix
|
||||
|
@ -684,6 +682,7 @@
|
|||
./services/network-filesystems/litestream/default.nix
|
||||
./services/network-filesystems/netatalk.nix
|
||||
./services/network-filesystems/nfsd.nix
|
||||
./services/network-filesystems/moosefs.nix
|
||||
./services/network-filesystems/openafs/client.nix
|
||||
./services/network-filesystems/openafs/server.nix
|
||||
./services/network-filesystems/orangefs/server.nix
|
||||
|
@ -764,6 +763,7 @@
|
|||
./services/networking/gvpe.nix
|
||||
./services/networking/hans.nix
|
||||
./services/networking/haproxy.nix
|
||||
./services/networking/headscale.nix
|
||||
./services/networking/hostapd.nix
|
||||
./services/networking/htpdate.nix
|
||||
./services/networking/hylafax/default.nix
|
||||
|
@ -914,6 +914,7 @@
|
|||
./services/networking/vsftpd.nix
|
||||
./services/networking/wasabibackend.nix
|
||||
./services/networking/websockify.nix
|
||||
./services/networking/wg-netmanager.nix
|
||||
./services/networking/wg-quick.nix
|
||||
./services/networking/wireguard.nix
|
||||
./services/networking/wpa_supplicant.nix
|
||||
|
@ -1005,6 +1006,7 @@
|
|||
./services/web-apps/documize.nix
|
||||
./services/web-apps/dokuwiki.nix
|
||||
./services/web-apps/engelsystem.nix
|
||||
./services/web-apps/ethercalc.nix
|
||||
./services/web-apps/fluidd.nix
|
||||
./services/web-apps/galene.nix
|
||||
./services/web-apps/gerrit.nix
|
||||
|
@ -1073,7 +1075,6 @@
|
|||
./services/web-servers/phpfpm/default.nix
|
||||
./services/web-servers/pomerium.nix
|
||||
./services/web-servers/unit/default.nix
|
||||
./services/web-servers/shellinabox.nix
|
||||
./services/web-servers/tomcat.nix
|
||||
./services/web-servers/traefik.nix
|
||||
./services/web-servers/trafficserver/default.nix
|
||||
|
@ -1156,12 +1157,13 @@
|
|||
./system/boot/systemd-nspawn.nix
|
||||
./system/boot/timesyncd.nix
|
||||
./system/boot/tmp.nix
|
||||
./system/etc/etc.nix
|
||||
./system/etc/etc-activation.nix
|
||||
./tasks/auto-upgrade.nix
|
||||
./tasks/bcache.nix
|
||||
./tasks/cpu-freq.nix
|
||||
./tasks/encrypted-devices.nix
|
||||
./tasks/filesystems.nix
|
||||
./tasks/filesystems/apfs.nix
|
||||
./tasks/filesystems/bcachefs.nix
|
||||
./tasks/filesystems/btrfs.nix
|
||||
./tasks/filesystems/cifs.nix
|
||||
|
|
|
@ -14,6 +14,8 @@ in {
|
|||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
programs.dconf.enable = true;
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.calls
|
||||
];
|
||||
|
|
|
@ -21,11 +21,24 @@ my $res = $dbh->selectall_arrayref(
|
|||
"select package from Programs where system = ? and name = ?",
|
||||
{ Slice => {} }, $system, $program);
|
||||
|
||||
if (!defined $res || scalar @$res == 0) {
|
||||
my $len = !defined $res ? 0 : scalar @$res;
|
||||
|
||||
if ($len == 0) {
|
||||
print STDERR "$program: command not found\n";
|
||||
} elsif (scalar @$res == 1) {
|
||||
} elsif ($len == 1) {
|
||||
my $package = @$res[0]->{package};
|
||||
if ($ENV{"NIX_AUTO_RUN"} // "") {
|
||||
if ($ENV{"NIX_AUTO_RUN_INTERACTIVE"} // "") {
|
||||
while (1) {
|
||||
print STDERR "'$program' from package '$package' will be run, confirm? [yn]: ";
|
||||
chomp(my $comfirm = <STDIN>);
|
||||
if (lc $comfirm eq "n") {
|
||||
exit 0;
|
||||
} elsif (lc $comfirm eq "y") {
|
||||
last;
|
||||
}
|
||||
}
|
||||
}
|
||||
exec("nix-shell", "-p", $package, "--run", shell_quote("exec", @ARGV));
|
||||
} else {
|
||||
print STDERR <<EOF;
|
||||
|
@ -34,6 +47,24 @@ ephemeral shell by typing:
|
|||
nix-shell -p $package
|
||||
EOF
|
||||
}
|
||||
} else {
|
||||
if ($ENV{"NIX_AUTO_RUN"} // "") {
|
||||
print STDERR "Select a package that provides '$program':\n";
|
||||
for my $i (0 .. $len - 1) {
|
||||
print STDERR " [", $i + 1, "]: @$res[$i]->{package}\n";
|
||||
}
|
||||
my $choice = 0;
|
||||
while (1) { # exec will break this loop
|
||||
no warnings "numeric";
|
||||
print STDERR "Your choice [1-${len}]: ";
|
||||
# 0 can be invalid user input like non-number string
|
||||
# so we start from 1
|
||||
$choice = <STDIN> + 0;
|
||||
if (1 <= $choice && $choice <= $len) {
|
||||
exec("nix-shell", "-p", @$res[$choice - 1]->{package},
|
||||
"--run", shell_quote("exec", @ARGV));
|
||||
}
|
||||
}
|
||||
} else {
|
||||
print STDERR <<EOF;
|
||||
The program '$program' is not in your PATH. It is provided by several packages.
|
||||
|
@ -41,5 +72,6 @@ You can make it available in an ephemeral shell by typing one of the following:
|
|||
EOF
|
||||
print STDERR " nix-shell -p $_->{package}\n" foreach @$res;
|
||||
}
|
||||
}
|
||||
|
||||
exit 127;
|
||||
|
|
|
@ -60,7 +60,7 @@ in
|
|||
environment.systemPackages = [ pkgs.dconf ];
|
||||
|
||||
# Needed for unwrapped applications
|
||||
environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ];
|
||||
environment.sessionVariables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ];
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -27,13 +27,11 @@ in
|
|||
default = {
|
||||
tmp_dir = "/tmp";
|
||||
terminal_su = "${pkgs.sudo}/bin/sudo";
|
||||
graphical_su = "${pkgs.gksu}/bin/gksu";
|
||||
};
|
||||
defaultText = literalExpression ''
|
||||
{
|
||||
tmp_dir = "/tmp";
|
||||
terminal_su = "''${pkgs.sudo}/bin/sudo";
|
||||
graphical_su = "''${pkgs.gksu}/bin/gksu";
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
|
|
|
@ -1,28 +0,0 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.programs.tilp2;
|
||||
|
||||
in {
|
||||
options.programs.tilp2 = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Enable tilp2 and udev rules for supported calculators.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.udev.packages = [
|
||||
pkgs.libticables2
|
||||
];
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.tilp2
|
||||
];
|
||||
};
|
||||
}
|
6
third_party/nixpkgs/nixos/modules/rename.nix
vendored
6
third_party/nixpkgs/nixos/modules/rename.nix
vendored
|
@ -32,6 +32,7 @@ with lib;
|
|||
'')
|
||||
(mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.")
|
||||
(mkRemovedOptionModule [ "networking" "wicd" ] "The corresponding package was removed from nixpkgs.")
|
||||
(mkRemovedOptionModule [ "programs" "tilp2" ] "The corresponding package was removed from nixpkgs.")
|
||||
(mkRemovedOptionModule [ "programs" "way-cooler" ] ("way-cooler is abandoned by its author: " +
|
||||
"https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html"))
|
||||
(mkRemovedOptionModule [ "security" "hideProcessInformation" ] ''
|
||||
|
@ -59,6 +60,9 @@ with lib;
|
|||
(mkRemovedOptionModule [ "services" "moinmoin" ] "The corresponding package was removed from nixpkgs.")
|
||||
(mkRemovedOptionModule [ "services" "mwlib" ] "The corresponding package was removed from nixpkgs.")
|
||||
(mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")
|
||||
(mkRemovedOptionModule [ "services" "pantheon" "files" ] ''
|
||||
This module was removed, please add pkgs.pantheon.elementary-files to environment.systemPackages directly.
|
||||
'')
|
||||
(mkRemovedOptionModule [ "services" "prey" ] ''
|
||||
prey-bash-client is deprecated upstream
|
||||
'')
|
||||
|
@ -84,6 +88,8 @@ with lib;
|
|||
The racoon module has been removed, because the software project was abandoned upstream.
|
||||
'')
|
||||
|
||||
(mkRemovedOptionModule [ "services" "shellinabox" ] "The corresponding package was removed from nixpkgs.")
|
||||
|
||||
# Do NOT add any option renames here, see top of the file
|
||||
];
|
||||
}
|
||||
|
|
|
@ -5,7 +5,7 @@ with lib;
|
|||
let
|
||||
|
||||
cfg = config.security.googleOsLogin;
|
||||
package = pkgs.google-compute-engine-oslogin;
|
||||
package = pkgs.google-guest-oslogin;
|
||||
|
||||
in
|
||||
|
||||
|
@ -17,7 +17,7 @@ in
|
|||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable Google OS Login
|
||||
Whether to enable Google OS Login.
|
||||
|
||||
The OS Login package enables the following components:
|
||||
AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
|
||||
|
@ -36,7 +36,7 @@ in
|
|||
security.pam.services.sshd = {
|
||||
makeHomeDir = true;
|
||||
googleOsLoginAccountVerification = true;
|
||||
# disabled for now: googleOsLoginAuthentication = true;
|
||||
googleOsLoginAuthentication = true;
|
||||
};
|
||||
|
||||
security.sudo.extraConfig = ''
|
||||
|
@ -47,6 +47,9 @@ in
|
|||
"d /var/google-users.d 750 root root -"
|
||||
];
|
||||
|
||||
systemd.packages = [ package ];
|
||||
systemd.timers.google-oslogin-cache.wantedBy = [ "timers.target" ];
|
||||
|
||||
# enable the nss module, so user lookups etc. work
|
||||
system.nssModules = [ package ];
|
||||
system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ];
|
||||
|
|
|
@ -444,15 +444,15 @@ let
|
|||
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
|
||||
'' +
|
||||
optionalString cfg.googleOsLoginAccountVerification ''
|
||||
account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
|
||||
account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so
|
||||
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
|
||||
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
|
||||
'' +
|
||||
''
|
||||
|
||||
# Authentication management.
|
||||
'' +
|
||||
optionalString cfg.googleOsLoginAuthentication ''
|
||||
auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
|
||||
auth [success=done perm_denied=die default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
|
||||
'' +
|
||||
optionalString cfg.rootOK ''
|
||||
auth sufficient pam_rootok.so
|
||||
|
@ -1091,11 +1091,11 @@ in
|
|||
mr ${pam_ccreds}/lib/security/pam_ccreds.so,
|
||||
'' +
|
||||
optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
|
||||
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
|
||||
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,
|
||||
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
|
||||
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so,
|
||||
'' +
|
||||
optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) ''
|
||||
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
|
||||
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
|
||||
'' +
|
||||
optionalString (config.security.pam.enableSSHAgentAuth
|
||||
&& isEnabled (cfg: cfg.sshAgentAuth)) ''
|
||||
|
|
|
@ -362,6 +362,7 @@ in
|
|||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "systemd-tmpfiles-clean.service" ];
|
||||
requires = [ "network.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "forking";
|
||||
|
@ -371,12 +372,12 @@ in
|
|||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
LimitMEMLOCK = "infinity";
|
||||
};
|
||||
|
||||
preStart = ''
|
||||
mkdir -p /var/spool
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = mkIf cfg.client.enable [
|
||||
"d /var/spool/slurmd 755 root root -"
|
||||
];
|
||||
|
||||
services.openssh.forwardX11 = mkIf cfg.client.enable (mkDefault true);
|
||||
|
||||
systemd.services.slurmctld = mkIf (cfg.server.enable) {
|
||||
|
|
|
@ -208,6 +208,7 @@ in
|
|||
token=$(< "$STATE_DIRECTORY"/${newConfigTokenFilename})
|
||||
RUNNER_ROOT="$STATE_DIRECTORY" ${cfg.package}/bin/config.sh \
|
||||
--unattended \
|
||||
--disableupdate \
|
||||
--work "$RUNTIME_DIRECTORY" \
|
||||
--url ${escapeShellArg cfg.url} \
|
||||
--token "$token" \
|
||||
|
|
|
@ -38,7 +38,7 @@ with lib;
|
|||
|
||||
systemd.packages = [ pkgs.glib-networking ];
|
||||
|
||||
environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.glib-networking.out}/lib/gio/modules" ];
|
||||
environment.sessionVariables.GIO_EXTRA_MODULES = [ "${pkgs.glib-networking.out}/lib/gio/modules" ];
|
||||
|
||||
};
|
||||
|
||||
|
|
|
@ -57,7 +57,7 @@ in
|
|||
services.udev.packages = [ pkgs.libmtp.out ];
|
||||
|
||||
# Needed for unwrapped applications
|
||||
environment.variables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ];
|
||||
environment.sessionVariables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ];
|
||||
|
||||
};
|
||||
|
||||
|
|
|
@ -1,13 +0,0 @@
|
|||
# pantheon files daemon.
|
||||
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
|
||||
imports = [
|
||||
(mkRemovedOptionModule [ "services" "pantheon" "files" "enable" ] "Use `environment.systemPackages [ pkgs.pantheon.elementary-files ];`")
|
||||
];
|
||||
|
||||
}
|
|
@ -20,6 +20,9 @@ in
|
|||
###### implementation
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
# Load the i2c-dev module
|
||||
boot.kernelModules = [ "i2c_dev" ];
|
||||
|
||||
# Give users access to the "gddccontrol" tool
|
||||
environment.systemPackages = [
|
||||
pkgs.ddccontrol
|
||||
|
|
|
@ -317,7 +317,8 @@ in
|
|||
(isYes "NET")
|
||||
];
|
||||
|
||||
boot.extraModprobeConfig = "options firmware_class path=${config.hardware.firmware}/lib/firmware";
|
||||
# We don't place this into `extraModprobeConfig` so that stage-1 ramdisk doesn't bloat.
|
||||
environment.etc."modprobe.d/firmware.conf".text = "options firmware_class path=${config.hardware.firmware}/lib/firmware";
|
||||
|
||||
system.activationScripts.udevd =
|
||||
''
|
||||
|
|
|
@ -155,8 +155,8 @@ in
|
|||
default = 1200;
|
||||
description = ''
|
||||
When <literal>usePercentageForPolicy</literal> is
|
||||
<literal>false</literal>, the time remaining at which UPower will
|
||||
consider the battery low.
|
||||
<literal>false</literal>, the time remaining in seconds at which
|
||||
UPower will consider the battery low.
|
||||
|
||||
If any value (of <literal>timeLow</literal>,
|
||||
<literal>timeCritical</literal> and <literal>timeAction</literal>) is
|
||||
|
@ -169,8 +169,8 @@ in
|
|||
default = 300;
|
||||
description = ''
|
||||
When <literal>usePercentageForPolicy</literal> is
|
||||
<literal>false</literal>, the time remaining at which UPower will
|
||||
consider the battery critical.
|
||||
<literal>false</literal>, the time remaining in seconds at which
|
||||
UPower will consider the battery critical.
|
||||
|
||||
If any value (of <literal>timeLow</literal>,
|
||||
<literal>timeCritical</literal> and <literal>timeAction</literal>) is
|
||||
|
@ -183,8 +183,8 @@ in
|
|||
default = 120;
|
||||
description = ''
|
||||
When <literal>usePercentageForPolicy</literal> is
|
||||
<literal>false</literal>, the time remaining at which UPower will
|
||||
take action for the critical battery level.
|
||||
<literal>false</literal>, the time remaining in seconds at which
|
||||
UPower will take action for the critical battery level.
|
||||
|
||||
If any value (of <literal>timeLow</literal>,
|
||||
<literal>timeCritical</literal> and <literal>timeAction</literal>) is
|
||||
|
|
|
@ -45,7 +45,7 @@ in {
|
|||
Restart = "on-failure";
|
||||
TimeoutStopSec = 10;
|
||||
|
||||
ExecStart = "${pkgs.grafana-loki}/bin/promtail -config.file=${prettyJSON cfg.configuration} ${escapeShellArgs cfg.extraFlags}";
|
||||
ExecStart = "${pkgs.promtail}/bin/promtail -config.file=${prettyJSON cfg.configuration} ${escapeShellArgs cfg.extraFlags}";
|
||||
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
|
|
|
@ -43,6 +43,7 @@ in {
|
|||
ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default ${cfg.defaultTarget}";
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = false;
|
||||
KillMode = "process";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -1131,8 +1131,8 @@ in {
|
|||
|
||||
ExecStartPre = let
|
||||
preStartFullPrivileges = ''
|
||||
shopt -s dotglob nullglob
|
||||
set -eu
|
||||
set -o errexit -o pipefail -o nounset
|
||||
shopt -s dotglob nullglob inherit_errexit
|
||||
|
||||
chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/*
|
||||
if [[ -n "$(ls -A '${cfg.statePath}'/config/)" ]]; then
|
||||
|
@ -1142,7 +1142,8 @@ in {
|
|||
in "+${pkgs.writeShellScript "gitlab-pre-start-full-privileges" preStartFullPrivileges}";
|
||||
|
||||
ExecStart = pkgs.writeShellScript "gitlab-config" ''
|
||||
set -eu
|
||||
set -o errexit -o pipefail -o nounset
|
||||
shopt -s inherit_errexit
|
||||
|
||||
umask u=rwx,g=rx,o=
|
||||
|
||||
|
@ -1171,7 +1172,8 @@ in {
|
|||
rm -f '${cfg.statePath}/config/database.yml'
|
||||
|
||||
${if cfg.databasePasswordFile != null then ''
|
||||
export db_password="$(<'${cfg.databasePasswordFile}')"
|
||||
db_password="$(<'${cfg.databasePasswordFile}')"
|
||||
export db_password
|
||||
|
||||
if [[ -z "$db_password" ]]; then
|
||||
>&2 echo "Database password was an empty string!"
|
||||
|
@ -1195,10 +1197,11 @@ in {
|
|||
|
||||
rm -f '${cfg.statePath}/config/secrets.yml'
|
||||
|
||||
export secret="$(<'${cfg.secrets.secretFile}')"
|
||||
export db="$(<'${cfg.secrets.dbFile}')"
|
||||
export otp="$(<'${cfg.secrets.otpFile}')"
|
||||
export jws="$(<'${cfg.secrets.jwsFile}')"
|
||||
secret="$(<'${cfg.secrets.secretFile}')"
|
||||
db="$(<'${cfg.secrets.dbFile}')"
|
||||
otp="$(<'${cfg.secrets.otpFile}')"
|
||||
jws="$(<'${cfg.secrets.jwsFile}')"
|
||||
export secret db otp jws
|
||||
jq -n '{production: {secret_key_base: $ENV.secret,
|
||||
otp_key_base: $ENV.otp,
|
||||
db_key_base: $ENV.db,
|
||||
|
@ -1232,7 +1235,8 @@ in {
|
|||
RemainAfterExit = true;
|
||||
|
||||
ExecStart = pkgs.writeShellScript "gitlab-db-config" ''
|
||||
set -eu
|
||||
set -o errexit -o pipefail -o nounset
|
||||
shopt -s inherit_errexit
|
||||
umask u=rwx,g=rx,o=
|
||||
|
||||
initial_root_password="$(<'${cfg.initialRootPasswordFile}')"
|
||||
|
|
|
@ -329,7 +329,7 @@ in {
|
|||
"zwave_js"
|
||||
];
|
||||
in {
|
||||
ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'";
|
||||
ExecStart = "${package}/bin/hass --config '${cfg.configDir}'";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
User = "hass";
|
||||
Group = "hass";
|
||||
|
|
|
@ -86,6 +86,15 @@ in
|
|||
and is set to be read only.
|
||||
'';
|
||||
};
|
||||
global.database_backend = mkOption {
|
||||
type = types.enum [ "sqlite" "rocksdb" ];
|
||||
default = "sqlite";
|
||||
example = "rocksdb";
|
||||
description = ''
|
||||
The database backend for the service. Switching it on an existing
|
||||
instance will require manual migration of data.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
default = {};
|
||||
|
|
|
@ -217,7 +217,6 @@ in {
|
|||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
example = literalExpression "pkgs.mediatomb";
|
||||
default = pkgs.gerbera;
|
||||
defaultText = literalExpression "pkgs.gerbera";
|
||||
description = ''
|
||||
|
|
|
@ -89,7 +89,7 @@ let
|
|||
requireSignedBinaryCaches = "require-sigs";
|
||||
trustedUsers = "trusted-users";
|
||||
allowedUsers = "allowed-users";
|
||||
systemFeatures = "system-feature";
|
||||
systemFeatures = "system-features";
|
||||
};
|
||||
|
||||
semanticConfType = with types;
|
||||
|
|
|
@ -13,7 +13,7 @@ let
|
|||
(iniFmt.generate "PackageKit.conf" (recursiveUpdate
|
||||
{
|
||||
Daemon = {
|
||||
DefaultBackend = "test_nop";
|
||||
DefaultBackend = "nix";
|
||||
KeepCache = false;
|
||||
};
|
||||
}
|
||||
|
@ -35,7 +35,7 @@ let
|
|||
in
|
||||
{
|
||||
imports = [
|
||||
(mkRemovedOptionModule [ "services" "packagekit" "backend" ] "The only backend that doesn't blow up is `test_nop`.")
|
||||
(mkRemovedOptionModule [ "services" "packagekit" "backend" ] "Always set to Nix.")
|
||||
];
|
||||
|
||||
options.services.packagekit = {
|
||||
|
@ -62,6 +62,8 @@ in
|
|||
|
||||
services.dbus.packages = with pkgs; [ packagekit ];
|
||||
|
||||
environment.systemPackages = with pkgs; [ packagekit ];
|
||||
|
||||
systemd.packages = with pkgs; [ packagekit ];
|
||||
|
||||
environment.etc = listToAttrs (map
|
||||
|
|
|
@ -6,6 +6,10 @@ let
|
|||
cfg = config.services.plex;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
(mkRemovedOptionModule [ "services" "plex" "managePlugins" ] "Please omit or define the option: `services.plex.extraPlugins' instead.")
|
||||
];
|
||||
|
||||
options = {
|
||||
services.plex = {
|
||||
enable = mkEnableOption "Plex Media Server";
|
||||
|
@ -42,16 +46,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
managePlugins = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
If set to true, this option will cause all of the symlinks in Plex's
|
||||
plugin directory to be removed and symlinks for paths specified in
|
||||
<option>extraPlugins</option> to be added.
|
||||
'';
|
||||
};
|
||||
|
||||
extraPlugins = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [];
|
||||
|
@ -59,9 +53,7 @@ in
|
|||
A list of paths to extra plugin bundles to install in Plex's plugin
|
||||
directory. Every time the systemd unit for Plex starts up, all of the
|
||||
symlinks in Plex's plugin directory will be cleared and this module
|
||||
will symlink all of the paths specified here to that directory. If
|
||||
this behavior is undesired, set <option>managePlugins</option> to
|
||||
false.
|
||||
will symlink all of the paths specified here to that directory.
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
|
@ -42,11 +42,11 @@ in {
|
|||
serviceOpts = {
|
||||
serviceConfig = {
|
||||
AmbientCapabilities = [
|
||||
"CAP_RAW_SYSIO"
|
||||
"CAP_SYS_RAWIO"
|
||||
"CAP_SYS_ADMIN"
|
||||
];
|
||||
CapabilityBoundingSet = [
|
||||
"CAP_RAW_SYSIO"
|
||||
"CAP_SYS_RAWIO"
|
||||
"CAP_SYS_ADMIN"
|
||||
];
|
||||
DevicePolicy = "closed";
|
||||
|
|
|
@ -181,8 +181,8 @@ in
|
|||
|
||||
rgwMimeTypesFile = mkOption {
|
||||
type = with types; nullOr path;
|
||||
default = "${pkgs.mime-types}/etc/mime.types";
|
||||
defaultText = literalExpression ''"''${pkgs.mime-types}/etc/mime.types"'';
|
||||
default = "${pkgs.mailcap}/etc/mime.types";
|
||||
defaultText = literalExpression ''"''${pkgs.mailcap}/etc/mime.types"'';
|
||||
description = ''
|
||||
Path to mime types used by radosgw.
|
||||
'';
|
||||
|
|
|
@ -260,24 +260,17 @@ in
|
|||
ipfs --offline config Mounts.IPNS ${cfg.ipnsMountDir}
|
||||
'' + optionalString cfg.autoMigrate ''
|
||||
${pkgs.ipfs-migrator}/bin/fs-repo-migrations -y
|
||||
'' + concatStringsSep "\n" (collect
|
||||
isString
|
||||
(mapAttrsRecursive
|
||||
(path: value:
|
||||
# Using heredoc below so that the value is never improperly quoted
|
||||
''
|
||||
read value <<EOF
|
||||
${builtins.toJSON value}
|
||||
EOF
|
||||
ipfs --offline config --json "${concatStringsSep "." path}" "$value"
|
||||
'')
|
||||
({
|
||||
'' + ''
|
||||
ipfs --offline config show \
|
||||
| ${pkgs.jq}/bin/jq '. * $extraConfig' --argjson extraConfig ${
|
||||
escapeShellArg (builtins.toJSON ({
|
||||
Addresses.API = cfg.apiAddress;
|
||||
Addresses.Gateway = cfg.gatewayAddress;
|
||||
Addresses.Swarm = cfg.swarmAddress;
|
||||
} //
|
||||
cfg.extraConfig))
|
||||
);
|
||||
} // cfg.extraConfig))
|
||||
} \
|
||||
| ipfs --offline config replace -
|
||||
'';
|
||||
serviceConfig = {
|
||||
ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ];
|
||||
User = cfg.user;
|
||||
|
|
249
third_party/nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix
vendored
Normal file
249
third_party/nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix
vendored
Normal file
|
@ -0,0 +1,249 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.moosefs;
|
||||
|
||||
mfsUser = if cfg.runAsUser then "moosefs" else "root";
|
||||
|
||||
settingsFormat = let
|
||||
listSep = " ";
|
||||
allowedTypes = with types; [ bool int float str ];
|
||||
valueToString = val:
|
||||
if isList val then concatStringsSep listSep (map (x: valueToString x) val)
|
||||
else if isBool val then (if val then "1" else "0")
|
||||
else toString val;
|
||||
|
||||
in {
|
||||
type = with types; let
|
||||
valueType = oneOf ([
|
||||
(listOf valueType)
|
||||
] ++ allowedTypes) // {
|
||||
description = "Flat key-value file";
|
||||
};
|
||||
in attrsOf valueType;
|
||||
|
||||
generate = name: value:
|
||||
pkgs.writeText name ( lib.concatStringsSep "\n" (
|
||||
lib.mapAttrsToList (key: val: "${key} = ${valueToString val}") value ));
|
||||
};
|
||||
|
||||
|
||||
initTool = pkgs.writeShellScriptBin "mfsmaster-init" ''
|
||||
if [ ! -e ${cfg.master.settings.DATA_PATH}/metadata.mfs ]; then
|
||||
cp ${pkgs.moosefs}/var/mfs/metadata.mfs.empty ${cfg.master.settings.DATA_PATH}
|
||||
chmod +w ${cfg.master.settings.DATA_PATH}/metadata.mfs.empty
|
||||
${pkgs.moosefs}/bin/mfsmaster -a -c ${masterCfg} start
|
||||
${pkgs.moosefs}/bin/mfsmaster -c ${masterCfg} stop
|
||||
rm ${cfg.master.settings.DATA_PATH}/metadata.mfs.empty
|
||||
fi
|
||||
'';
|
||||
|
||||
# master config file
|
||||
masterCfg = settingsFormat.generate
|
||||
"mfsmaster.cfg" cfg.master.settings;
|
||||
|
||||
# metalogger config file
|
||||
metaloggerCfg = settingsFormat.generate
|
||||
"mfsmetalogger.cfg" cfg.metalogger.settings;
|
||||
|
||||
# chunkserver config file
|
||||
chunkserverCfg = settingsFormat.generate
|
||||
"mfschunkserver.cfg" cfg.chunkserver.settings;
|
||||
|
||||
# generic template for all deamons
|
||||
systemdService = name: extraConfig: configFile: {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = [ "network-online.target" ];
|
||||
after = [ "network.target" "network-online.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "forking";
|
||||
ExecStart = "${pkgs.moosefs}/bin/mfs${name} -c ${configFile} start";
|
||||
ExecStop = "${pkgs.moosefs}/bin/mfs${name} -c ${configFile} stop";
|
||||
ExecReload = "${pkgs.moosefs}/bin/mfs${name} -c ${configFile} reload";
|
||||
PIDFile = "${cfg."${name}".settings.DATA_PATH}/.mfs${name}.lock";
|
||||
} // extraConfig;
|
||||
};
|
||||
|
||||
in {
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
services.moosefs = {
|
||||
masterHost = mkOption {
|
||||
type = types.str;
|
||||
default = null;
|
||||
description = "IP or DNS name of master host.";
|
||||
};
|
||||
|
||||
runAsUser = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
example = true;
|
||||
description = "Run daemons as user moosefs instead of root.";
|
||||
};
|
||||
|
||||
client.enable = mkEnableOption "Moosefs client.";
|
||||
|
||||
master = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Enable Moosefs master daemon.
|
||||
|
||||
You need to run <literal>mfsmaster-init</literal> on a freshly installed master server to
|
||||
initialize the <literal>DATA_PATH</literal> direcory.
|
||||
'';
|
||||
default = false;
|
||||
};
|
||||
|
||||
exports = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = null;
|
||||
description = "Paths to export (see mfsexports.cfg).";
|
||||
example = [
|
||||
"* / rw,alldirs,admin,maproot=0:0"
|
||||
"* . rw"
|
||||
];
|
||||
};
|
||||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
description = "Whether to automatically open the necessary ports in the firewall.";
|
||||
default = false;
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
type = types.submodule {
|
||||
freeformType = settingsFormat.type;
|
||||
|
||||
options.DATA_PATH = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/mfs";
|
||||
description = "Data storage directory.";
|
||||
};
|
||||
};
|
||||
|
||||
description = "Contents of config file (mfsmaster.cfg).";
|
||||
};
|
||||
};
|
||||
|
||||
metalogger = {
|
||||
enable = mkEnableOption "Moosefs metalogger daemon.";
|
||||
|
||||
settings = mkOption {
|
||||
type = types.submodule {
|
||||
freeformType = settingsFormat.type;
|
||||
|
||||
options.DATA_PATH = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/mfs";
|
||||
description = "Data storage directory";
|
||||
};
|
||||
};
|
||||
|
||||
description = "Contents of metalogger config file (mfsmetalogger.cfg).";
|
||||
};
|
||||
};
|
||||
|
||||
chunkserver = {
|
||||
enable = mkEnableOption "Moosefs chunkserver daemon.";
|
||||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
description = "Whether to automatically open the necessary ports in the firewall.";
|
||||
default = false;
|
||||
};
|
||||
|
||||
hdds = mkOption {
|
||||
type = with types; listOf str;
|
||||
default = null;
|
||||
description = "Mount points to be used by chunkserver for storage (see mfshdd.cfg).";
|
||||
example = [ "/mnt/hdd1" ];
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
type = types.submodule {
|
||||
freeformType = settingsFormat.type;
|
||||
|
||||
options.DATA_PATH = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/mfs";
|
||||
description = "Directory for lock file.";
|
||||
};
|
||||
};
|
||||
|
||||
description = "Contents of chunkserver config file (mfschunkserver.cfg).";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf ( cfg.client.enable || cfg.master.enable || cfg.metalogger.enable || cfg.chunkserver.enable ) {
|
||||
|
||||
warnings = [ ( mkIf (!cfg.runAsUser) "Running moosefs services as root is not recommended.") ];
|
||||
|
||||
# Service settings
|
||||
services.moosefs = {
|
||||
master.settings = mkIf cfg.master.enable {
|
||||
WORKING_USER = mfsUser;
|
||||
EXPORTS_FILENAME = toString ( pkgs.writeText "mfsexports.cfg"
|
||||
(concatStringsSep "\n" cfg.master.exports));
|
||||
};
|
||||
|
||||
metalogger.settings = mkIf cfg.metalogger.enable {
|
||||
WORKING_USER = mfsUser;
|
||||
MASTER_HOST = cfg.masterHost;
|
||||
};
|
||||
|
||||
chunkserver.settings = mkIf cfg.chunkserver.enable {
|
||||
WORKING_USER = mfsUser;
|
||||
MASTER_HOST = cfg.masterHost;
|
||||
HDD_CONF_FILENAME = toString ( pkgs.writeText "mfshdd.cfg"
|
||||
(concatStringsSep "\n" cfg.chunkserver.hdds));
|
||||
};
|
||||
};
|
||||
|
||||
# Create system user account for daemons
|
||||
users = mkIf ( cfg.runAsUser && ( cfg.master.enable || cfg.metalogger.enable || cfg.chunkserver.enable ) ) {
|
||||
users.moosefs = {
|
||||
isSystemUser = true;
|
||||
description = "moosefs daemon user";
|
||||
group = "moosefs";
|
||||
};
|
||||
groups.moosefs = {};
|
||||
};
|
||||
|
||||
environment.systemPackages =
|
||||
(lib.optional cfg.client.enable pkgs.moosefs) ++
|
||||
(lib.optional cfg.master.enable initTool);
|
||||
|
||||
networking.firewall.allowedTCPPorts =
|
||||
(lib.optionals cfg.master.openFirewall [ 9419 9420 9421 ]) ++
|
||||
(lib.optional cfg.chunkserver.openFirewall 9422);
|
||||
|
||||
# Ensure storage directories exist
|
||||
systemd.tmpfiles.rules =
|
||||
optional cfg.master.enable "d ${cfg.master.settings.DATA_PATH} 0700 ${mfsUser} ${mfsUser}"
|
||||
++ optional cfg.metalogger.enable "d ${cfg.metalogger.settings.DATA_PATH} 0700 ${mfsUser} ${mfsUser}"
|
||||
++ optional cfg.chunkserver.enable "d ${cfg.chunkserver.settings.DATA_PATH} 0700 ${mfsUser} ${mfsUser}";
|
||||
|
||||
# Service definitions
|
||||
systemd.services.mfs-master = mkIf cfg.master.enable
|
||||
( systemdService "master" {
|
||||
TimeoutStartSec = 1800;
|
||||
TimeoutStopSec = 1800;
|
||||
Restart = "no";
|
||||
} masterCfg );
|
||||
|
||||
systemd.services.mfs-metalogger = mkIf cfg.metalogger.enable
|
||||
( systemdService "metalogger" { Restart = "on-abnormal"; } metaloggerCfg );
|
||||
|
||||
systemd.services.mfs-chunkserver = mkIf cfg.chunkserver.enable
|
||||
( systemdService "chunkserver" { Restart = "on-abnormal"; } chunkserverCfg );
|
||||
};
|
||||
}
|
|
@ -79,7 +79,7 @@ in {
|
|||
in {
|
||||
services.rsync = {
|
||||
enable = !cfg.socketActivated;
|
||||
aliases = [ "rsyncd" ];
|
||||
aliases = [ "rsyncd.service" ];
|
||||
|
||||
description = "fast remote file copy program daemon";
|
||||
after = [ "network.target" ];
|
||||
|
|
|
@ -127,7 +127,7 @@ in {
|
|||
description = "ConnMan VPN service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "syslog.target" ];
|
||||
before = [ "connman" ];
|
||||
before = [ "connman.service" ];
|
||||
serviceConfig = {
|
||||
Type = "dbus";
|
||||
BusName = "net.connman.vpn";
|
||||
|
@ -140,7 +140,7 @@ in {
|
|||
description = "D-BUS Service";
|
||||
serviceConfig = {
|
||||
Name = "net.connman.vpn";
|
||||
before = [ "connman" ];
|
||||
before = [ "connman.service" ];
|
||||
ExecStart = "${cfg.package}/sbin/connman-vpnd -n";
|
||||
User = "root";
|
||||
SystemdService = "connman-vpn.service";
|
||||
|
|
|
@ -183,6 +183,20 @@ in
|
|||
|
||||
config = mkIf enableDHCP {
|
||||
|
||||
assertions = [ {
|
||||
# dhcpcd doesn't start properly with malloc ∉ [ libc scudo ]
|
||||
# see https://github.com/NixOS/nixpkgs/issues/151696
|
||||
assertion =
|
||||
dhcpcd.enablePrivSep
|
||||
-> elem config.environment.memoryAllocator.provider [ "libc" "scudo" ];
|
||||
message = ''
|
||||
dhcpcd with privilege separation is incompatible with chosen system malloc.
|
||||
Currently only the `libc` and `scudo` allocators are known to work.
|
||||
To disable dhcpcd's privilege separation, overlay Nixpkgs and override dhcpcd
|
||||
to set `enablePrivSep = false`.
|
||||
'';
|
||||
} ];
|
||||
|
||||
systemd.services.dhcpcd = let
|
||||
cfgN = config.networking;
|
||||
hasDefaultGatewaySet = (cfgN.defaultGateway != null && cfgN.defaultGateway.address != "")
|
||||
|
|
|
@ -28,34 +28,41 @@ let
|
|||
}
|
||||
'';
|
||||
|
||||
dhcpdService = postfix: cfg: optionalAttrs cfg.enable {
|
||||
dhcpdService = postfix: cfg:
|
||||
let
|
||||
configFile =
|
||||
if cfg.configFile != null
|
||||
then cfg.configFile
|
||||
else writeConfig cfg;
|
||||
leaseFile = "/var/lib/dhcpd${postfix}/dhcpd.leases";
|
||||
args = [
|
||||
"@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}"
|
||||
"-pf" "/run/dhcpd${postfix}/dhcpd.pid"
|
||||
"-cf" configFile
|
||||
"-lf" leaseFile
|
||||
] ++ cfg.extraFlags
|
||||
++ cfg.interfaces;
|
||||
in
|
||||
optionalAttrs cfg.enable {
|
||||
"dhcpd${postfix}" = {
|
||||
description = "DHCPv${postfix} server";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
|
||||
preStart = ''
|
||||
mkdir -m 755 -p ${cfg.stateDir}
|
||||
chown dhcpd:nogroup ${cfg.stateDir}
|
||||
touch ${cfg.stateDir}/dhcpd.leases
|
||||
'';
|
||||
|
||||
serviceConfig =
|
||||
let
|
||||
configFile = if cfg.configFile != null then cfg.configFile else writeConfig cfg;
|
||||
args = [ "@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}"
|
||||
"-pf" "/run/dhcpd${postfix}/dhcpd.pid"
|
||||
"-cf" "${configFile}"
|
||||
"-lf" "${cfg.stateDir}/dhcpd.leases"
|
||||
"-user" "dhcpd" "-group" "nogroup"
|
||||
] ++ cfg.extraFlags
|
||||
++ cfg.interfaces;
|
||||
|
||||
in {
|
||||
preStart = "touch ${leaseFile}";
|
||||
serviceConfig = {
|
||||
ExecStart = concatMapStringsSep " " escapeShellArg args;
|
||||
Type = "forking";
|
||||
Restart = "always";
|
||||
RuntimeDirectory = [ "dhcpd${postfix}" ];
|
||||
DynamicUser = true;
|
||||
User = "dhcpd";
|
||||
Group = "dhcpd";
|
||||
AmbientCapabilities = [
|
||||
"CAP_NET_RAW" # to send ICMP messages
|
||||
"CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
|
||||
];
|
||||
StateDirectory = "dhcpd${postfix}";
|
||||
RuntimeDirectory = "dhcpd${postfix}";
|
||||
PIDFile = "/run/dhcpd${postfix}/dhcpd.pid";
|
||||
};
|
||||
};
|
||||
|
@ -102,15 +109,6 @@ let
|
|||
'';
|
||||
};
|
||||
|
||||
stateDir = mkOption {
|
||||
type = types.path;
|
||||
# We use /var/lib/dhcp for DHCPv4 to save backwards compatibility.
|
||||
default = "/var/lib/dhcp${if postfix == "4" then "" else postfix}";
|
||||
description = ''
|
||||
State directory for the DHCP server.
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
|
@ -194,7 +192,13 @@ in
|
|||
|
||||
imports = [
|
||||
(mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ])
|
||||
];
|
||||
] ++ flip map [ "4" "6" ] (postfix:
|
||||
mkRemovedOptionModule [ "services" "dhcpd${postfix}" "stateDir" ] ''
|
||||
The DHCP server state directory is now managed with the systemd's DynamicUser mechanism.
|
||||
This means the directory is named after the service (dhcpd${postfix}), created under
|
||||
/var/lib/private/ and symlinked to /var/lib/.
|
||||
''
|
||||
);
|
||||
|
||||
###### interface
|
||||
|
||||
|
@ -210,15 +214,6 @@ in
|
|||
|
||||
config = mkIf (cfg4.enable || cfg6.enable) {
|
||||
|
||||
users = {
|
||||
users.dhcpd = {
|
||||
isSystemUser = true;
|
||||
group = "dhcpd";
|
||||
description = "DHCP daemon user";
|
||||
};
|
||||
groups.dhcpd = {};
|
||||
};
|
||||
|
||||
systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6;
|
||||
|
||||
};
|
||||
|
|
|
@ -326,7 +326,7 @@ in
|
|||
type = types.package;
|
||||
default = pkgs.iptables;
|
||||
defaultText = literalExpression "pkgs.iptables";
|
||||
example = literalExpression "pkgs.iptables-nftables-compat";
|
||||
example = literalExpression "pkgs.iptables-legacy";
|
||||
description =
|
||||
''
|
||||
The iptables package to use for running the firewall service."
|
||||
|
|
490
third_party/nixpkgs/nixos/modules/services/networking/headscale.nix
vendored
Normal file
490
third_party/nixpkgs/nixos/modules/services/networking/headscale.nix
vendored
Normal file
|
@ -0,0 +1,490 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.services.headscale;
|
||||
|
||||
dataDir = "/var/lib/headscale";
|
||||
runDir = "/run/headscale";
|
||||
|
||||
settingsFormat = pkgs.formats.yaml { };
|
||||
configFile = settingsFormat.generate "headscale.yaml" cfg.settings;
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.headscale = {
|
||||
enable = mkEnableOption "headscale, Open Source coordination server for Tailscale";
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.headscale;
|
||||
defaultText = literalExpression "pkgs.headscale";
|
||||
description = ''
|
||||
Which headscale package to use for the running server.
|
||||
'';
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
default = "headscale";
|
||||
type = types.str;
|
||||
description = ''
|
||||
User account under which headscale runs.
|
||||
<note><para>
|
||||
If left as the default value this user will automatically be created
|
||||
on system activation, otherwise you are responsible for
|
||||
ensuring the user exists before the headscale service starts.
|
||||
</para></note>
|
||||
'';
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
default = "headscale";
|
||||
type = types.str;
|
||||
description = ''
|
||||
Group under which headscale runs.
|
||||
<note><para>
|
||||
If left as the default value this group will automatically be created
|
||||
on system activation, otherwise you are responsible for
|
||||
ensuring the user exists before the headscale service starts.
|
||||
</para></note>
|
||||
'';
|
||||
};
|
||||
|
||||
serverUrl = mkOption {
|
||||
type = types.str;
|
||||
default = "http://127.0.0.1:8080";
|
||||
description = ''
|
||||
The url clients will connect to.
|
||||
'';
|
||||
example = "https://myheadscale.example.com:443";
|
||||
};
|
||||
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
default = "127.0.0.1";
|
||||
description = ''
|
||||
Listening address of headscale.
|
||||
'';
|
||||
example = "0.0.0.0";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 8080;
|
||||
description = ''
|
||||
Listening port of headscale.
|
||||
'';
|
||||
example = 443;
|
||||
};
|
||||
|
||||
privateKeyFile = mkOption {
|
||||
type = types.path;
|
||||
default = "${dataDir}/private.key";
|
||||
description = ''
|
||||
Path to private key file, generated automatically if it does not exist.
|
||||
'';
|
||||
};
|
||||
|
||||
derp = {
|
||||
urls = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "https://controlplane.tailscale.com/derpmap/default" ];
|
||||
description = ''
|
||||
List of urls containing DERP maps.
|
||||
See <link xlink:href="https://tailscale.com/blog/how-tailscale-works/">How Tailscale works</link> for more information on DERP maps.
|
||||
'';
|
||||
};
|
||||
|
||||
paths = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [ ];
|
||||
description = ''
|
||||
List of file paths containing DERP maps.
|
||||
See <link xlink:href="https://tailscale.com/blog/how-tailscale-works/">How Tailscale works</link> for more information on DERP maps.
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
autoUpdate = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to automatically update DERP maps on a set frequency.
|
||||
'';
|
||||
example = false;
|
||||
};
|
||||
|
||||
updateFrequency = mkOption {
|
||||
type = types.str;
|
||||
default = "24h";
|
||||
description = ''
|
||||
Frequency to update DERP maps.
|
||||
'';
|
||||
example = "5m";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
ephemeralNodeInactivityTimeout = mkOption {
|
||||
type = types.str;
|
||||
default = "30m";
|
||||
description = ''
|
||||
Time before an inactive ephemeral node is deleted.
|
||||
'';
|
||||
example = "5m";
|
||||
};
|
||||
|
||||
database = {
|
||||
type = mkOption {
|
||||
type = types.enum [ "sqlite3" "postgres" ];
|
||||
example = "postgres";
|
||||
default = "sqlite3";
|
||||
description = "Database engine to use.";
|
||||
};
|
||||
|
||||
host = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "127.0.0.1";
|
||||
description = "Database host address.";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.nullOr types.port;
|
||||
default = null;
|
||||
example = 3306;
|
||||
description = "Database host port.";
|
||||
};
|
||||
|
||||
name = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "headscale";
|
||||
description = "Database name.";
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "headscale";
|
||||
description = "Database user.";
|
||||
};
|
||||
|
||||
passwordFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
example = "/run/keys/headscale-dbpassword";
|
||||
description = ''
|
||||
A file containing the password corresponding to
|
||||
<option>database.user</option>.
|
||||
'';
|
||||
};
|
||||
|
||||
path = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = "${dataDir}/db.sqlite";
|
||||
description = "Path to the sqlite3 database file.";
|
||||
};
|
||||
};
|
||||
|
||||
logLevel = mkOption {
|
||||
type = types.str;
|
||||
default = "info";
|
||||
description = ''
|
||||
headscale log level.
|
||||
'';
|
||||
example = "debug";
|
||||
};
|
||||
|
||||
dns = {
|
||||
nameservers = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ "1.1.1.1" ];
|
||||
description = ''
|
||||
List of nameservers to pass to Tailscale clients.
|
||||
'';
|
||||
};
|
||||
|
||||
domains = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
description = ''
|
||||
Search domains to inject to Tailscale clients.
|
||||
'';
|
||||
example = [ "mydomain.internal" ];
|
||||
};
|
||||
|
||||
magicDns = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
|
||||
Only works if there is at least a nameserver defined.
|
||||
'';
|
||||
example = false;
|
||||
};
|
||||
|
||||
baseDomain = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = ''
|
||||
Defines the base domain to create the hostnames for MagicDNS.
|
||||
<option>baseDomain</option> must be a FQDNs, without the trailing dot.
|
||||
The FQDN of the hosts will be
|
||||
<literal>hostname.namespace.base_domain</literal> (e.g.
|
||||
<literal>myhost.mynamespace.example.com</literal>).
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
openIdConnect = {
|
||||
issuer = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = ''
|
||||
URL to OpenID issuer.
|
||||
'';
|
||||
example = "https://openid.example.com";
|
||||
};
|
||||
|
||||
clientId = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = ''
|
||||
OpenID Connect client ID.
|
||||
'';
|
||||
};
|
||||
|
||||
clientSecretFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to OpenID Connect client secret file.
|
||||
'';
|
||||
};
|
||||
|
||||
domainMap = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = { };
|
||||
description = ''
|
||||
Domain map is used to map incomming users (by their email) to
|
||||
a namespace. The key can be a string, or regex.
|
||||
'';
|
||||
example = {
|
||||
".*" = "default-namespace";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
tls = {
|
||||
letsencrypt = {
|
||||
hostname = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = "";
|
||||
description = ''
|
||||
Domain name to request a TLS certificate for.
|
||||
'';
|
||||
};
|
||||
challengeType = mkOption {
|
||||
type = types.enum [ "TLS_ALPN-01" "HTTP-01" ];
|
||||
default = "HTTP-01";
|
||||
description = ''
|
||||
Type of ACME challenge to use, currently supported types:
|
||||
<literal>HTTP-01</literal> or <literal>TLS_ALPN-01</literal>.
|
||||
'';
|
||||
};
|
||||
httpListen = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = ":http";
|
||||
description = ''
|
||||
When HTTP-01 challenge is chosen, letsencrypt must set up a
|
||||
verification endpoint, and it will be listening on:
|
||||
<literal>:http = port 80</literal>.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
certFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to already created certificate.
|
||||
'';
|
||||
};
|
||||
keyFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to key for already created certificate.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
aclPolicyFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a file containg ACL policies.
|
||||
'';
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
type = settingsFormat.type;
|
||||
default = { };
|
||||
description = ''
|
||||
Overrides to <filename>config.yaml</filename> as a Nix attribute set.
|
||||
This option is ideal for overriding settings not exposed as Nix options.
|
||||
Check the <link xlink:href="https://github.com/juanfont/headscale/blob/main/config-example.yaml">example config</link>
|
||||
for possible options.
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
services.headscale.settings = {
|
||||
server_url = mkDefault cfg.serverUrl;
|
||||
listen_addr = mkDefault "${cfg.address}:${toString cfg.port}";
|
||||
|
||||
private_key_path = mkDefault cfg.privateKeyFile;
|
||||
|
||||
derp = {
|
||||
urls = mkDefault cfg.derp.urls;
|
||||
paths = mkDefault cfg.derp.paths;
|
||||
auto_update_enable = mkDefault cfg.derp.autoUpdate;
|
||||
update_frequency = mkDefault cfg.derp.updateFrequency;
|
||||
};
|
||||
|
||||
# Turn off update checks since the origin of our package
|
||||
# is nixpkgs and not Github.
|
||||
disable_check_updates = true;
|
||||
|
||||
ephemeral_node_inactivity_timeout = mkDefault cfg.ephemeralNodeInactivityTimeout;
|
||||
|
||||
db_type = mkDefault cfg.database.type;
|
||||
db_path = mkDefault cfg.database.path;
|
||||
|
||||
log_level = mkDefault cfg.logLevel;
|
||||
|
||||
dns_config = {
|
||||
nameservers = mkDefault cfg.dns.nameservers;
|
||||
domains = mkDefault cfg.dns.domains;
|
||||
magic_dns = mkDefault cfg.dns.magicDns;
|
||||
base_domain = mkDefault cfg.dns.baseDomain;
|
||||
};
|
||||
|
||||
unix_socket = "${runDir}/headscale.sock";
|
||||
|
||||
# OpenID Connect
|
||||
oidc = {
|
||||
issuer = mkDefault cfg.openIdConnect.issuer;
|
||||
client_id = mkDefault cfg.openIdConnect.clientId;
|
||||
domain_map = mkDefault cfg.openIdConnect.domainMap;
|
||||
};
|
||||
|
||||
tls_letsencrypt_cache_dir = "${dataDir}/.cache";
|
||||
|
||||
} // optionalAttrs (cfg.database.host != null) {
|
||||
db_host = mkDefault cfg.database.host;
|
||||
} // optionalAttrs (cfg.database.port != null) {
|
||||
db_port = mkDefault cfg.database.port;
|
||||
} // optionalAttrs (cfg.database.name != null) {
|
||||
db_name = mkDefault cfg.database.name;
|
||||
} // optionalAttrs (cfg.database.user != null) {
|
||||
db_user = mkDefault cfg.database.user;
|
||||
} // optionalAttrs (cfg.tls.letsencrypt.hostname != null) {
|
||||
tls_letsencrypt_hostname = mkDefault cfg.tls.letsencrypt.hostname;
|
||||
} // optionalAttrs (cfg.tls.letsencrypt.challengeType != null) {
|
||||
tls_letsencrypt_challenge_type = mkDefault cfg.tls.letsencrypt.challengeType;
|
||||
} // optionalAttrs (cfg.tls.letsencrypt.httpListen != null) {
|
||||
tls_letsencrypt_listen = mkDefault cfg.tls.letsencrypt.httpListen;
|
||||
} // optionalAttrs (cfg.tls.certFile != null) {
|
||||
tls_cert_path = mkDefault cfg.tls.certFile;
|
||||
} // optionalAttrs (cfg.tls.keyFile != null) {
|
||||
tls_key_path = mkDefault cfg.tls.keyFile;
|
||||
} // optionalAttrs (cfg.aclPolicyFile != null) {
|
||||
acl_policy_path = mkDefault cfg.aclPolicyFile;
|
||||
};
|
||||
|
||||
# Setup the headscale configuration in a known path in /etc to
|
||||
# allow both the Server and the Client use it to find the socket
|
||||
# for communication.
|
||||
environment.etc."headscale/config.yaml".source = configFile;
|
||||
|
||||
users.groups.headscale = mkIf (cfg.group == "headscale") { };
|
||||
|
||||
users.users.headscale = mkIf (cfg.user == "headscale") {
|
||||
description = "headscale user";
|
||||
home = dataDir;
|
||||
group = cfg.group;
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
systemd.services.headscale = {
|
||||
description = "headscale coordination server for Tailscale";
|
||||
after = [ "network-online.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
restartTriggers = [ configFile ];
|
||||
|
||||
script = ''
|
||||
${optionalString (cfg.database.passwordFile != null) ''
|
||||
export HEADSCALE_DB_PASS="$(head -n1 ${escapeShellArg cfg.database.passwordFile})"
|
||||
''}
|
||||
|
||||
export HEADSCALE_OIDC_CLIENT_SECRET="$(head -n1 ${escapeShellArg cfg.openIdConnect.clientSecretFile})"
|
||||
exec ${cfg.package}/bin/headscale serve
|
||||
'';
|
||||
|
||||
serviceConfig =
|
||||
let
|
||||
capabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port < 1024) "CAP_NET_BIND_SERVICE";
|
||||
in
|
||||
{
|
||||
Restart = "always";
|
||||
Type = "simple";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
|
||||
# Hardening options
|
||||
RuntimeDirectory = "headscale";
|
||||
# Allow headscale group access so users can be added and use the CLI.
|
||||
RuntimeDirectoryMode = "0750";
|
||||
|
||||
StateDirectory = "headscale";
|
||||
StateDirectoryMode = "0750";
|
||||
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectControlGroups = true;
|
||||
RestrictSUIDSGID = true;
|
||||
PrivateMounts = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectHostname = true;
|
||||
ProtectClock = true;
|
||||
ProtectProc = "invisible";
|
||||
ProcSubset = "pid";
|
||||
RestrictNamespaces = true;
|
||||
RemoveIPC = true;
|
||||
UMask = "0077";
|
||||
|
||||
CapabilityBoundingSet = capabilityBoundingSet;
|
||||
AmbientCapabilities = capabilityBoundingSet;
|
||||
NoNewPrivileges = true;
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
SystemCallFilter = [ "@system-service" "~@priviledged" "@chown" ];
|
||||
SystemCallArchitectures = "native";
|
||||
RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with maintainers; [ kradalby ];
|
||||
}
|
|
@ -222,14 +222,12 @@ let
|
|||
in concatStringsSep "\n" inTunOpts))];
|
||||
in pkgs.writeText "i2pd-tunnels.conf" opts;
|
||||
|
||||
i2pdSh = pkgs.writeScriptBin "i2pd" ''
|
||||
#!/bin/sh
|
||||
exec ${cfg.package}/bin/i2pd \
|
||||
${if cfg.address == null then "" else "--host="+cfg.address} \
|
||||
--service \
|
||||
--conf=${i2pdConf} \
|
||||
--tunconf=${tunnelConf}
|
||||
'';
|
||||
i2pdFlags = concatStringsSep " " (
|
||||
optional (cfg.address != null) ("--host=" + cfg.address) ++ [
|
||||
"--service"
|
||||
("--conf=" + i2pdConf)
|
||||
("--tunconf=" + tunnelConf)
|
||||
]);
|
||||
|
||||
in
|
||||
|
||||
|
@ -686,7 +684,7 @@ in
|
|||
User = "i2pd";
|
||||
WorkingDirectory = homeDir;
|
||||
Restart = "on-abort";
|
||||
ExecStart = "${i2pdSh}/bin/i2pd";
|
||||
ExecStart = "${cfg.package}/bin/i2pd ${i2pdFlags}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -384,6 +384,17 @@ in {
|
|||
so you don't need to to that yourself.
|
||||
'';
|
||||
};
|
||||
|
||||
enableFccUnlock = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Enable FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer
|
||||
automatically performs the FCC unlock procedure by default. See
|
||||
<link xlink:href="https://modemmanager.org/docs/modemmanager/fcc-unlock/">the docs</link>
|
||||
for more details.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -438,6 +449,12 @@ in {
|
|||
|
||||
"NetworkManager/VPN/nm-sstp-service.name".source =
|
||||
"${networkmanager-sstp}/lib/NetworkManager/VPN/nm-sstp-service.name";
|
||||
|
||||
}
|
||||
// optionalAttrs cfg.enableFccUnlock
|
||||
{
|
||||
"ModemManager/fcc-unlock.d".source =
|
||||
"${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/*";
|
||||
}
|
||||
// optionalAttrs (cfg.appendNameservers != [] || cfg.insertNameservers != [])
|
||||
{
|
||||
|
|
|
@ -25,9 +25,10 @@ in
|
|||
for more information.
|
||||
|
||||
There are other programs that use iptables internally too, such as
|
||||
libvirt.
|
||||
libvirt. For information on how the two firewalls interact, see [2].
|
||||
|
||||
[1]: https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273
|
||||
[2]: https://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F
|
||||
'';
|
||||
};
|
||||
networking.nftables.ruleset = mkOption {
|
||||
|
@ -118,20 +119,11 @@ in
|
|||
flush ruleset
|
||||
include "${cfg.rulesetFile}"
|
||||
'';
|
||||
checkScript = pkgs.writeScript "nftables-check" ''
|
||||
#! ${pkgs.runtimeShell} -e
|
||||
if $(${pkgs.kmod}/bin/lsmod | grep -q ip_tables); then
|
||||
echo "Unload ip_tables before using nftables!" 1>&2
|
||||
exit 1
|
||||
else
|
||||
${rulesScript}
|
||||
fi
|
||||
'';
|
||||
in {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = checkScript;
|
||||
ExecReload = checkScript;
|
||||
ExecStart = rulesScript;
|
||||
ExecReload = rulesScript;
|
||||
ExecStop = "${pkgs.nftables}/bin/nft flush ruleset";
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
with lib;
|
||||
let
|
||||
python = pkgs.python3Packages.python;
|
||||
cfg = config.services.seafile;
|
||||
settingsFormat = pkgs.formats.ini { };
|
||||
|
||||
|
@ -221,9 +220,7 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
seahub = let
|
||||
penv = (pkgs.python3.withPackages (ps: with ps; [ gunicorn seahub ]));
|
||||
in {
|
||||
seahub = {
|
||||
description = "Seafile Server Web Frontend";
|
||||
wantedBy = [ "seafile.target" ];
|
||||
partOf = [ "seafile.target" ];
|
||||
|
@ -231,8 +228,7 @@ in {
|
|||
requires = [ "seaf-server.service" ];
|
||||
restartTriggers = [ seahubSettings ];
|
||||
environment = {
|
||||
PYTHONPATH =
|
||||
"${pkgs.python3Packages.seahub}/thirdpart:${pkgs.python3Packages.seahub}:${penv}/${python.sitePackages}";
|
||||
PYTHONPATH = "${pkgs.seahub.pythonPath}:${pkgs.seahub}/thirdpart:${pkgs.seahub}";
|
||||
DJANGO_SETTINGS_MODULE = "seahub.settings";
|
||||
CCNET_CONF_DIR = ccnetDir;
|
||||
SEAFILE_CONF_DIR = dataDir;
|
||||
|
@ -249,7 +245,7 @@ in {
|
|||
LogsDirectory = "seafile";
|
||||
ConfigurationDirectory = "seafile";
|
||||
ExecStart = ''
|
||||
${penv}/bin/gunicorn seahub.wsgi:application \
|
||||
${pkgs.seahub.python.pkgs.gunicorn}/bin/gunicorn seahub.wsgi:application \
|
||||
--name seahub \
|
||||
--workers ${toString cfg.workers} \
|
||||
--log-level=info \
|
||||
|
@ -262,27 +258,27 @@ in {
|
|||
preStart = ''
|
||||
mkdir -p ${seahubDir}/media
|
||||
# Link all media except avatars
|
||||
for m in `find ${pkgs.python3Packages.seahub}/media/ -maxdepth 1 -not -name "avatars"`; do
|
||||
for m in `find ${pkgs.seahub}/media/ -maxdepth 1 -not -name "avatars"`; do
|
||||
ln -sf $m ${seahubDir}/media/
|
||||
done
|
||||
if [ ! -e "${seafRoot}/.seahubSecret" ]; then
|
||||
${penv}/bin/python ${pkgs.python3Packages.seahub}/tools/secret_key_generator.py > ${seafRoot}/.seahubSecret
|
||||
${pkgs.seahub.python}/bin/python ${pkgs.seahub}/tools/secret_key_generator.py > ${seafRoot}/.seahubSecret
|
||||
chmod 400 ${seafRoot}/.seahubSecret
|
||||
fi
|
||||
if [ ! -f "${seafRoot}/seahub-setup" ]; then
|
||||
# avatars directory should be writable
|
||||
install -D -t ${seahubDir}/media/avatars/ ${pkgs.python3Packages.seahub}/media/avatars/default.png
|
||||
install -D -t ${seahubDir}/media/avatars/groups ${pkgs.python3Packages.seahub}/media/avatars/groups/default.png
|
||||
install -D -t ${seahubDir}/media/avatars/ ${pkgs.seahub}/media/avatars/default.png
|
||||
install -D -t ${seahubDir}/media/avatars/groups ${pkgs.seahub}/media/avatars/groups/default.png
|
||||
# init database
|
||||
${pkgs.python3Packages.seahub}/manage.py migrate
|
||||
${pkgs.seahub}/manage.py migrate
|
||||
# create admin account
|
||||
${pkgs.expect}/bin/expect -c 'spawn ${pkgs.python3Packages.seahub}/manage.py createsuperuser --email=${cfg.adminEmail}; expect "Password: "; send "${cfg.initialAdminPassword}\r"; expect "Password (again): "; send "${cfg.initialAdminPassword}\r"; expect "Superuser created successfully."'
|
||||
echo "${pkgs.python3Packages.seahub.version}-sqlite" > "${seafRoot}/seahub-setup"
|
||||
${pkgs.expect}/bin/expect -c 'spawn ${pkgs.seahub}/manage.py createsuperuser --email=${cfg.adminEmail}; expect "Password: "; send "${cfg.initialAdminPassword}\r"; expect "Password (again): "; send "${cfg.initialAdminPassword}\r"; expect "Superuser created successfully."'
|
||||
echo "${pkgs.seahub.version}-sqlite" > "${seafRoot}/seahub-setup"
|
||||
fi
|
||||
if [ $(cat "${seafRoot}/seahub-setup" | cut -d"-" -f1) != "${pkgs.python3Packages.seahub.version}" ]; then
|
||||
if [ $(cat "${seafRoot}/seahub-setup" | cut -d"-" -f1) != "${pkgs.seahub.version}" ]; then
|
||||
# update database
|
||||
${pkgs.python3Packages.seahub}/manage.py migrate
|
||||
echo "${pkgs.python3Packages.seahub.version}-sqlite" > "${seafRoot}/seahub-setup"
|
||||
${pkgs.seahub}/manage.py migrate
|
||||
echo "${pkgs.seahub.version}-sqlite" > "${seafRoot}/seahub-setup"
|
||||
fi
|
||||
'';
|
||||
};
|
||||
|
|
42
third_party/nixpkgs/nixos/modules/services/networking/wg-netmanager.nix
vendored
Normal file
42
third_party/nixpkgs/nixos/modules/services/networking/wg-netmanager.nix
vendored
Normal file
|
@ -0,0 +1,42 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.wg-netmanager;
|
||||
in
|
||||
{
|
||||
|
||||
options = {
|
||||
services.wg-netmanager = {
|
||||
enable = mkEnableOption "Wireguard network manager";
|
||||
};
|
||||
};
|
||||
|
||||
###### implementation
|
||||
config = mkIf cfg.enable {
|
||||
# NOTE: wg-netmanager runs as root
|
||||
systemd.services.wg-netmanager = {
|
||||
description = "Wireguard network manager";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
path = with pkgs; [ wireguard-tools iproute2 wireguard-go ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
Restart = "on-failure";
|
||||
ExecStart = "${pkgs.wg-netmanager}/bin/wg_netmanager";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
ExecStop = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
|
||||
ReadWritePaths = [
|
||||
"/tmp" # wg-netmanager creates files in /tmp before deleting them after use
|
||||
];
|
||||
};
|
||||
unitConfig = {
|
||||
ConditionPathExists = ["/etc/wg_netmanager/network.yaml" "/etc/wg_netmanager/peer.yaml"];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with maintainers; [ gin66 ];
|
||||
}
|
|
@ -10,14 +10,45 @@ let
|
|||
cfg = config.networking.wireless;
|
||||
opt = options.networking.wireless;
|
||||
|
||||
wpa3Protocols = [ "SAE" "FT-SAE" ];
|
||||
hasMixedWPA = opts:
|
||||
let
|
||||
hasWPA3 = !mutuallyExclusive opts.authProtocols wpa3Protocols;
|
||||
others = subtractLists wpa3Protocols opts.authProtocols;
|
||||
in hasWPA3 && others != [];
|
||||
|
||||
# Gives a WPA3 network higher priority
|
||||
increaseWPA3Priority = opts:
|
||||
opts // optionalAttrs (hasMixedWPA opts)
|
||||
{ priority = if opts.priority == null
|
||||
then 1
|
||||
else opts.priority + 1;
|
||||
};
|
||||
|
||||
# Creates a WPA2 fallback network
|
||||
mkWPA2Fallback = opts:
|
||||
opts // { authProtocols = subtractLists wpa3Protocols opts.authProtocols; };
|
||||
|
||||
# Networks attrset as a list
|
||||
networkList = mapAttrsToList (ssid: opts: opts // { inherit ssid; })
|
||||
cfg.networks;
|
||||
|
||||
# List of all networks (normal + generated fallbacks)
|
||||
allNetworks =
|
||||
if cfg.fallbackToWPA2
|
||||
then map increaseWPA3Priority networkList
|
||||
++ map mkWPA2Fallback (filter hasMixedWPA networkList)
|
||||
else networkList;
|
||||
|
||||
# Content of wpa_supplicant.conf
|
||||
generatedConfig = concatStringsSep "\n" (
|
||||
(mapAttrsToList mkNetwork cfg.networks)
|
||||
(map mkNetwork allNetworks)
|
||||
++ optional cfg.userControlled.enable (concatStringsSep "\n"
|
||||
[ "ctrl_interface=/run/wpa_supplicant"
|
||||
"ctrl_interface_group=${cfg.userControlled.group}"
|
||||
"update_config=1"
|
||||
])
|
||||
++ [ "pmf=1" ]
|
||||
++ optional cfg.scanOnLowSignal ''bgscan="simple:30:-70:3600"''
|
||||
++ optional (cfg.extraConfig != "") cfg.extraConfig);
|
||||
|
||||
|
@ -33,7 +64,7 @@ let
|
|||
finalConfig = ''"$RUNTIME_DIRECTORY"/wpa_supplicant.conf'';
|
||||
|
||||
# Creates a network block for wpa_supplicant.conf
|
||||
mkNetwork = ssid: opts:
|
||||
mkNetwork = opts:
|
||||
let
|
||||
quote = x: ''"${x}"'';
|
||||
indent = x: " " + x;
|
||||
|
@ -43,7 +74,7 @@ let
|
|||
else opts.pskRaw;
|
||||
|
||||
options = [
|
||||
"ssid=${quote ssid}"
|
||||
"ssid=${quote opts.ssid}"
|
||||
(if pskString != null || opts.auth != null
|
||||
then "key_mgmt=${concatStringsSep " " opts.authProtocols}"
|
||||
else "key_mgmt=NONE")
|
||||
|
@ -175,6 +206,18 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
fallbackToWPA2 = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to fall back to WPA2 authentication protocols if WPA3 failed.
|
||||
This allows old wireless cards (that lack recent features required by
|
||||
WPA3) to connect to mixed WPA2/WPA3 access points.
|
||||
|
||||
To avoid possible downgrade attacks, disable this options.
|
||||
'';
|
||||
};
|
||||
|
||||
environmentFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
|
|
|
@ -84,7 +84,6 @@ in {
|
|||
interface eth0
|
||||
{
|
||||
AdvSendAdvert on;
|
||||
AdvDefaultLifetime 0;
|
||||
prefix ${prefix}::/64 {
|
||||
AdvOnLink on;
|
||||
AdvAutonomous on;
|
||||
|
|
|
@ -143,6 +143,17 @@ in
|
|||
example = lib.literalExpression "[ pkgs.elasticsearchPlugins.discovery-ec2 ]";
|
||||
};
|
||||
|
||||
restartIfChanged = mkOption {
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Automatically restart the service on config change.
|
||||
This can be set to false to defer restarts on a server or cluster.
|
||||
Please consider the security implications of inadvertently running an older version,
|
||||
and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.
|
||||
'';
|
||||
default = true;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
###### implementation
|
||||
|
@ -153,6 +164,7 @@ in
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
path = [ pkgs.inetutils ];
|
||||
inherit (cfg) restartIfChanged;
|
||||
environment = {
|
||||
ES_HOME = cfg.dataDir;
|
||||
ES_JAVA_OPTS = toString cfg.extraJavaOptions;
|
||||
|
@ -163,6 +175,8 @@ in
|
|||
User = "elasticsearch";
|
||||
PermissionsStartOnly = true;
|
||||
LimitNOFILE = "1024000";
|
||||
Restart = "always";
|
||||
TimeoutStartSec = "infinity";
|
||||
};
|
||||
preStart = ''
|
||||
${optionalString (!config.boot.isContainer) ''
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, options, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
|
@ -11,7 +11,16 @@ in {
|
|||
dataDir = mkOption {
|
||||
default = "/var/lib/cfssl";
|
||||
type = types.path;
|
||||
description = "Cfssl work directory.";
|
||||
description = ''
|
||||
The work directory for CFSSL.
|
||||
|
||||
<note><para>
|
||||
If left as the default value this directory will automatically be
|
||||
created before the CFSSL server starts, otherwise you are
|
||||
responsible for ensuring the directory exists with appropriate
|
||||
ownership and permissions.
|
||||
</para></note>
|
||||
'';
|
||||
};
|
||||
|
||||
address = mkOption {
|
||||
|
@ -22,7 +31,7 @@ in {
|
|||
|
||||
port = mkOption {
|
||||
default = 8888;
|
||||
type = types.ints.u16;
|
||||
type = types.port;
|
||||
description = "Port to bind.";
|
||||
};
|
||||
|
||||
|
@ -147,13 +156,12 @@ in {
|
|||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
users.extraGroups.cfssl = {
|
||||
users.groups.cfssl = {
|
||||
gid = config.ids.gids.cfssl;
|
||||
};
|
||||
|
||||
users.extraUsers.cfssl = {
|
||||
users.users.cfssl = {
|
||||
description = "cfssl user";
|
||||
createHome = true;
|
||||
home = cfg.dataDir;
|
||||
group = "cfssl";
|
||||
uid = config.ids.uids.cfssl;
|
||||
|
@ -164,12 +172,12 @@ in {
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
serviceConfig = lib.mkMerge [
|
||||
{
|
||||
WorkingDirectory = cfg.dataDir;
|
||||
StateDirectory = cfg.dataDir;
|
||||
StateDirectoryMode = 700;
|
||||
Restart = "always";
|
||||
User = "cfssl";
|
||||
Group = "cfssl";
|
||||
|
||||
ExecStart = with cfg; let
|
||||
opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
|
||||
|
@ -198,7 +206,12 @@ in {
|
|||
(opt "db-config" dbConfig)
|
||||
(opt "loglevel" (toString logLevel))
|
||||
];
|
||||
};
|
||||
}
|
||||
(mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) {
|
||||
StateDirectory = baseNameOf cfg.dataDir;
|
||||
StateDirectoryMode = 700;
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
services.cfssl = {
|
||||
|
|
|
@ -3,12 +3,10 @@
|
|||
with lib;
|
||||
|
||||
let
|
||||
|
||||
cfg = config.services.haveged;
|
||||
|
||||
in
|
||||
|
||||
|
||||
{
|
||||
|
||||
###### interface
|
||||
|
@ -17,14 +15,11 @@ in
|
|||
|
||||
services.haveged = {
|
||||
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable to haveged entropy daemon, which refills
|
||||
/dev/random when low.
|
||||
enable = mkEnableOption ''
|
||||
haveged entropy daemon, which refills /dev/random when low.
|
||||
NOTE: does nothing on kernels newer than 5.6.
|
||||
'';
|
||||
};
|
||||
# source for the note https://github.com/jirka-h/haveged/issues/57
|
||||
|
||||
refill_threshold = mkOption {
|
||||
type = types.int;
|
||||
|
@ -39,29 +34,44 @@ in
|
|||
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
systemd.services.haveged =
|
||||
{ description = "Entropy Harvesting Daemon";
|
||||
unitConfig.Documentation = "man:haveged(8)";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
path = [ pkgs.haveged ];
|
||||
# https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service
|
||||
systemd.services.haveged = {
|
||||
description = "Entropy Daemon based on the HAVEGE algorithm";
|
||||
unitConfig = {
|
||||
Documentation = "man:haveged(8)";
|
||||
DefaultDependencies = false;
|
||||
ConditionKernelVersion = "<5.6";
|
||||
};
|
||||
wantedBy = [ "sysinit.target" ];
|
||||
after = [ "systemd-tmpfiles-setup-dev.service" ];
|
||||
before = [ "sysinit.target" "shutdown.target" "systemd-journald.service" ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.haveged}/bin/haveged -F -w ${toString cfg.refill_threshold} -v 1";
|
||||
SuccessExitStatus = 143;
|
||||
PrivateTmp = true;
|
||||
ExecStart = "${pkgs.haveged}/bin/haveged -w ${toString cfg.refill_threshold} --Foreground -v 1";
|
||||
Restart = "always";
|
||||
SuccessExitStatus = "137 143";
|
||||
SecureBits = "noroot-locked";
|
||||
CapabilityBoundingSet = [ "CAP_SYS_ADMIN" "CAP_SYS_CHROOT" ];
|
||||
# We can *not* set PrivateTmp=true as it can cause an ordering cycle.
|
||||
PrivateTmp = false;
|
||||
PrivateDevices = true;
|
||||
PrivateNetwork = true;
|
||||
ProtectSystem = "full";
|
||||
ProtectHome = true;
|
||||
};
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [ "@system-service" "newuname" "~@mount" ];
|
||||
SystemCallErrorNumber = "EPERM";
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -131,7 +131,7 @@ in {
|
|||
users.groups.vaultwarden = { };
|
||||
|
||||
systemd.services.vaultwarden = {
|
||||
aliases = [ "bitwarden_rs" ];
|
||||
aliases = [ "bitwarden_rs.service" ];
|
||||
after = [ "network.target" ];
|
||||
path = with pkgs; [ openssl ];
|
||||
serviceConfig = {
|
||||
|
|
|
@ -52,11 +52,22 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
network.enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Allow the cloud-init service to configure network interfaces
|
||||
through systemd-networkd.
|
||||
'';
|
||||
};
|
||||
|
||||
config = mkOption {
|
||||
type = types.str;
|
||||
default = ''
|
||||
system_info:
|
||||
distro: nixos
|
||||
network:
|
||||
renderers: [ 'networkd' ]
|
||||
users:
|
||||
- root
|
||||
|
||||
|
@ -109,9 +120,12 @@ in
|
|||
|
||||
environment.etc."cloud/cloud.cfg".text = cfg.config;
|
||||
|
||||
systemd.network.enable = cfg.network.enable;
|
||||
|
||||
systemd.services.cloud-init-local =
|
||||
{ description = "Initial cloud-init job (pre-networking)";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
before = ["systemd-networkd.service"];
|
||||
path = path;
|
||||
serviceConfig =
|
||||
{ Type = "oneshot";
|
||||
|
|
|
@ -126,6 +126,8 @@ in
|
|||
|
||||
config = lib.mkIf cfg.enable {
|
||||
systemd.services.self-deploy = {
|
||||
inherit (cfg) startAt;
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
requires = lib.mkIf (!(isPathType cfg.repository)) [ "network-online.target" ];
|
||||
|
@ -138,8 +140,7 @@ in
|
|||
path = with pkgs; [
|
||||
git
|
||||
nix
|
||||
systemd
|
||||
];
|
||||
] ++ lib.optionals (cfg.switchCommand == "boot") [ systemd ];
|
||||
|
||||
script = ''
|
||||
if [ ! -e ${repositoryDirectory} ]; then
|
||||
|
|
|
@ -385,13 +385,13 @@ in {
|
|||
else if isString v then v
|
||||
else if true == v then "true"
|
||||
else if false == v then "false"
|
||||
else if isSecret v then v._secret
|
||||
else if isSecret v then hashString "sha256" v._secret
|
||||
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
|
||||
};
|
||||
};
|
||||
secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.config);
|
||||
mkSecretReplacement = file: ''
|
||||
replace-secret ${escapeShellArgs [ file file "${cfg.dataDir}/.env" ]}
|
||||
replace-secret ${escapeShellArgs [ (builtins.hashString "sha256" file) file "${cfg.dataDir}/.env" ]}
|
||||
'';
|
||||
secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
|
||||
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ {} null ])) cfg.config;
|
||||
|
|
62
third_party/nixpkgs/nixos/modules/services/web-apps/ethercalc.nix
vendored
Normal file
62
third_party/nixpkgs/nixos/modules/services/web-apps/ethercalc.nix
vendored
Normal file
|
@ -0,0 +1,62 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.ethercalc;
|
||||
in {
|
||||
options = {
|
||||
services.ethercalc = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
ethercalc, an online collaborative spreadsheet server.
|
||||
|
||||
Persistent state will be maintained under
|
||||
<filename>/var/lib/ethercalc</filename>. Upstream supports using a
|
||||
redis server for storage and recommends the redis backend for
|
||||
intensive use; however, the Nix module doesn't currently support
|
||||
redis.
|
||||
|
||||
Note that while ethercalc is a good and robust project with an active
|
||||
issue tracker, there haven't been new commits since the end of 2020.
|
||||
'';
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
default = pkgs.ethercalc;
|
||||
defaultText = literalExpression "pkgs.ethercalc";
|
||||
type = types.package;
|
||||
description = "Ethercalc package to use.";
|
||||
};
|
||||
|
||||
host = mkOption {
|
||||
type = types.str;
|
||||
default = "0.0.0.0";
|
||||
description = "Address to listen on (use 0.0.0.0 to allow access from any address).";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 8000;
|
||||
description = "Port to bind to.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.ethercalc = {
|
||||
description = "Ethercalc service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
ExecStart = "${cfg.package}/bin/ethercalc --host ${cfg.host} --port ${toString cfg.port}";
|
||||
Restart = "always";
|
||||
StateDirectory = "ethercalc";
|
||||
WorkingDirectory = "/var/lib/ethercalc";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -4,6 +4,8 @@ with lib;
|
|||
let
|
||||
cfg = config.services.miniflux;
|
||||
|
||||
defaultAddress = "localhost:8080";
|
||||
|
||||
dbUser = "miniflux";
|
||||
dbPassword = "miniflux";
|
||||
dbHost = "localhost";
|
||||
|
@ -31,7 +33,7 @@ in
|
|||
{
|
||||
options = {
|
||||
services.miniflux = {
|
||||
enable = mkEnableOption "miniflux";
|
||||
enable = mkEnableOption "miniflux and creates a local postgres database for it";
|
||||
|
||||
config = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
|
@ -45,6 +47,9 @@ in
|
|||
Configuration for Miniflux, refer to
|
||||
<link xlink:href="https://miniflux.app/docs/configuration.html"/>
|
||||
for documentation on the supported values.
|
||||
|
||||
Correct configuration for the database is already provided.
|
||||
By default, listens on ${defaultAddress}.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -64,7 +69,7 @@ in
|
|||
config = mkIf cfg.enable {
|
||||
|
||||
services.miniflux.config = {
|
||||
LISTEN_ADDR = mkDefault "localhost:8080";
|
||||
LISTEN_ADDR = mkDefault defaultAddress;
|
||||
DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable";
|
||||
RUN_MIGRATIONS = "1";
|
||||
CREATE_ADMIN = "1";
|
||||
|
|
|
@ -10,8 +10,7 @@ in {
|
|||
enable = mkEnableOption "plausible";
|
||||
|
||||
releaseCookiePath = mkOption {
|
||||
default = null;
|
||||
type = with types; nullOr (either str path);
|
||||
type = with types; either str path;
|
||||
description = ''
|
||||
The path to the file with release cookie. (used for remote connection to the running node).
|
||||
'';
|
||||
|
@ -235,6 +234,8 @@ in {
|
|||
script = ''
|
||||
export CONFIG_DIR=$CREDENTIALS_DIRECTORY
|
||||
|
||||
export RELEASE_COOKIE="$(< $CREDENTIALS_DIRECTORY/RELEASE_COOKIE )"
|
||||
|
||||
# setup
|
||||
${pkgs.plausible}/createdb.sh
|
||||
${pkgs.plausible}/migrate.sh
|
||||
|
@ -243,10 +244,8 @@ in {
|
|||
psql -d plausible <<< "UPDATE users SET email_verified=true;"
|
||||
fi
|
||||
''}
|
||||
${optionalString (cfg.releaseCookiePath != null) ''
|
||||
export RELEASE_COOKIE="$(< $CREDENTIALS_DIRECTORY/RELEASE_COOKIE )"
|
||||
''}
|
||||
plausible start
|
||||
|
||||
exec plausible start
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
|
@ -257,8 +256,8 @@ in {
|
|||
LoadCredential = [
|
||||
"ADMIN_USER_PWD:${cfg.adminUser.passwordFile}"
|
||||
"SECRET_KEY_BASE:${cfg.server.secretKeybaseFile}"
|
||||
] ++ lib.optionals (cfg.mail.smtp.passwordFile != null) [ "SMTP_USER_PWD:${cfg.mail.smtp.passwordFile}"]
|
||||
++ lib.optionals (cfg.releaseCookiePath != null) [ "RELEASE_COOKIE:${cfg.releaseCookiePath}"];
|
||||
"RELEASE_COOKIE:${cfg.releaseCookiePath}"
|
||||
] ++ lib.optionals (cfg.mail.smtp.passwordFile != null) [ "SMTP_USER_PWD:${cfg.mail.smtp.passwordFile}"];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -924,7 +924,7 @@ in
|
|||
PrivateMounts = true;
|
||||
# System Call Filtering
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid @mincore" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
|
||||
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -1,122 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
cfg = config.services.shellinabox;
|
||||
|
||||
# If a certificate file is specified, shellinaboxd requires
|
||||
# a file descriptor to retrieve it
|
||||
fd = "3";
|
||||
createFd = optionalString (cfg.certFile != null) "${fd}<${cfg.certFile}";
|
||||
|
||||
# Command line arguments for the shellinabox daemon
|
||||
args = [ "--background" ]
|
||||
++ optional (! cfg.enableSSL) "--disable-ssl"
|
||||
++ optional (cfg.certFile != null) "--cert-fd=${fd}"
|
||||
++ optional (cfg.certDirectory != null) "--cert=${cfg.certDirectory}"
|
||||
++ cfg.extraOptions;
|
||||
|
||||
# Command to start shellinaboxd
|
||||
cmd = "${pkgs.shellinabox}/bin/shellinaboxd ${concatStringsSep " " args}";
|
||||
|
||||
# Command to start shellinaboxd if certFile is specified
|
||||
wrappedCmd = "${pkgs.bash}/bin/bash -c 'exec ${createFd} && ${cmd}'";
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
services.shellinabox = {
|
||||
enable = mkEnableOption "shellinabox daemon";
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "root";
|
||||
description = ''
|
||||
User to run shellinaboxd as. If started as root, the server drops
|
||||
privileges by changing to nobody, unless overridden by the
|
||||
<literal>--user</literal> option.
|
||||
'';
|
||||
};
|
||||
|
||||
enableSSL = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether or not to enable SSL (https) support.
|
||||
'';
|
||||
};
|
||||
|
||||
certDirectory = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
example = "/var/certs";
|
||||
description = ''
|
||||
The daemon will look in this directory far any certificates.
|
||||
If the browser negotiated a Server Name Identification the daemon
|
||||
will look for a matching certificate-SERVERNAME.pem file. If no SNI
|
||||
handshake takes place, it will fall back on using the certificate in the
|
||||
certificate.pem file.
|
||||
|
||||
If no suitable certificate is installed, shellinaboxd will attempt to
|
||||
create a new self-signed certificate. This will only succeed if, after
|
||||
dropping privileges, shellinaboxd has write permissions for this
|
||||
directory.
|
||||
'';
|
||||
};
|
||||
|
||||
certFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
example = "/var/certificate.pem";
|
||||
description = "Path to server SSL certificate.";
|
||||
};
|
||||
|
||||
extraOptions = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [ "--port=443" "--service /:LOGIN" ];
|
||||
description = ''
|
||||
A list of strings to be appended to the command line arguments
|
||||
for shellinaboxd. Please see the manual page
|
||||
<link xlink:href="https://code.google.com/p/shellinabox/wiki/shellinaboxd_man"/>
|
||||
for a full list of available arguments.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
assertions =
|
||||
[ { assertion = cfg.enableSSL == true
|
||||
-> cfg.certDirectory != null || cfg.certFile != null;
|
||||
message = "SSL is enabled for shellinabox, but no certDirectory or certFile has been specefied."; }
|
||||
{ assertion = ! (cfg.certDirectory != null && cfg.certFile != null);
|
||||
message = "Cannot set both certDirectory and certFile for shellinabox."; }
|
||||
];
|
||||
|
||||
systemd.services.shellinaboxd = {
|
||||
description = "Shellinabox Web Server Daemon";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "sshd.service" ];
|
||||
after = [ "sshd.service" ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "forking";
|
||||
User = "${cfg.user}";
|
||||
ExecStart = "${if cfg.certFile == null then "${cmd}" else "${wrappedCmd}"}";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -19,7 +19,7 @@ in
|
|||
# E.g., if Plasma 5 is enabled, it supersedes xterm.
|
||||
imports = [
|
||||
./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix
|
||||
./lxqt.nix ./enlightenment.nix ./gnome.nix ./kodi.nix
|
||||
./lxqt.nix ./enlightenment.nix ./gnome.nix ./retroarch.nix ./kodi.nix
|
||||
./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix
|
||||
./cinnamon.nix
|
||||
];
|
||||
|
|
|
@ -569,6 +569,7 @@ in
|
|||
atomix
|
||||
five-or-more
|
||||
four-in-a-row
|
||||
pkgs.gnome-2048
|
||||
gnome-chess
|
||||
gnome-klotski
|
||||
gnome-mahjongg
|
||||
|
|
|
@ -249,14 +249,5 @@ services.xserver.desktopManager.gnome = {
|
|||
See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/56342">this issue.</link>
|
||||
</para>
|
||||
</section>
|
||||
|
||||
<section xml:id="sec-gnome-faq-nixos-rebuild-switch-kills-session">
|
||||
<title>Why does <literal>nixos-rebuild switch</literal> sometimes kill my session?</title>
|
||||
|
||||
<para>
|
||||
This is a known <link xlink:href="https://github.com/NixOS/nixpkgs/issues/44344">issue</link> without any workarounds.
|
||||
If you are doing a fairly large upgrade, it is probably safer to use <literal>nixos-rebuild boot</literal>.
|
||||
</para>
|
||||
</section>
|
||||
</section>
|
||||
</chapter>
|
||||
|
|
|
@ -135,6 +135,7 @@ in
|
|||
services.bamf.enable = true;
|
||||
services.colord.enable = mkDefault true;
|
||||
services.fwupd.enable = mkDefault true;
|
||||
services.packagekit.enable = mkDefault true;
|
||||
services.touchegg.enable = mkDefault true;
|
||||
services.touchegg.package = pkgs.pantheon.touchegg;
|
||||
services.tumbler.enable = mkDefault true;
|
||||
|
@ -224,7 +225,6 @@ in
|
|||
programs.file-roller.package = pkgs.pantheon.file-roller;
|
||||
|
||||
# Settings from elementary-default-settings
|
||||
environment.sessionVariables.GTK_CSD = "1";
|
||||
environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini";
|
||||
|
||||
xdg.portal.extraPortals = with pkgs.pantheon; [
|
||||
|
@ -273,7 +273,7 @@ in
|
|||
})
|
||||
|
||||
(mkIf serviceCfg.apps.enable {
|
||||
environment.systemPackages = (with pkgs.pantheon; pkgs.gnome.removePackagesByName [
|
||||
environment.systemPackages = with pkgs.pantheon; pkgs.gnome.removePackagesByName ([
|
||||
elementary-calculator
|
||||
elementary-calendar
|
||||
elementary-camera
|
||||
|
@ -287,7 +287,11 @@ in
|
|||
elementary-terminal
|
||||
elementary-videos
|
||||
epiphany
|
||||
] config.environment.pantheon.excludePackages);
|
||||
] ++ lib.optionals config.services.flatpak.enable [
|
||||
# Only install appcenter if flatpak is enabled before
|
||||
# https://github.com/NixOS/nixpkgs/issues/15932 is resolved.
|
||||
appcenter
|
||||
]) config.environment.pantheon.excludePackages;
|
||||
|
||||
# needed by screenshot
|
||||
fonts.fonts = [
|
||||
|
|
|
@ -105,10 +105,10 @@ switchboard-with-plugs.override {
|
|||
</term>
|
||||
<listitem>
|
||||
<para>
|
||||
AppCenter has been available since 20.03, but it is of little use. This is because there is no functioning PackageKit backend for Nix 2.0. Starting from 21.11, the Flatpak backend should work so you can install some Flatpak applications using it. See this <link xlink:href="https://github.com/NixOS/nixpkgs/issues/70214">issue</link>.
|
||||
AppCenter has been available since 20.03. Starting from 21.11, the Flatpak backend should work so you can install some Flatpak applications using it. However, due to missing appstream metadata, the Packagekit backend does not function currently. See this <link xlink:href="https://github.com/NixOS/nixpkgs/issues/15932">issue</link>.
|
||||
</para>
|
||||
<para>
|
||||
To use AppCenter on NixOS, add <literal>pantheon.appcenter</literal> to <xref linkend="opt-environment.systemPackages" />, <link linkend="module-services-flatpak">enable Flatpak support</link> and optionally add the <literal>appcenter</literal> Flatpak remote:
|
||||
If you are using Pantheon, AppCenter should be installed by default if you have <link linkend="module-services-flatpak">Flatpak support</link> enabled. If you also wish to add the <literal>appcenter</literal> Flatpak remote:
|
||||
</para>
|
||||
<screen>
|
||||
<prompt>$ </prompt>flatpak remote-add --if-not-exists appcenter https://flatpak.elementary.io/repo.flatpakrepo
|
||||
|
|
40
third_party/nixpkgs/nixos/modules/services/x11/desktop-managers/retroarch.nix
vendored
Normal file
40
third_party/nixpkgs/nixos/modules/services/x11/desktop-managers/retroarch.nix
vendored
Normal file
|
@ -0,0 +1,40 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let cfg = config.services.xserver.desktopManager.retroarch;
|
||||
|
||||
in {
|
||||
options.services.xserver.desktopManager.retroarch = {
|
||||
enable = mkEnableOption "RetroArch";
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.retroarch;
|
||||
defaultText = literalExpression "pkgs.retroarch";
|
||||
example = literalExpression "pkgs.retroarch-full";
|
||||
description = "RetroArch package to use.";
|
||||
};
|
||||
|
||||
extraArgs = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [ "--verbose" "--host" ];
|
||||
description = "Extra arguments to pass to RetroArch.";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.xserver.desktopManager.session = [{
|
||||
name = "RetroArch";
|
||||
start = ''
|
||||
${cfg.package}/bin/retroarch -f ${escapeShellArgs cfg.extraArgs} &
|
||||
waitPID=$!
|
||||
'';
|
||||
}];
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
};
|
||||
|
||||
meta.maintainers = with maintainers; [ j0hax ];
|
||||
}
|
|
@ -53,6 +53,8 @@ in
|
|||
"autoLogin"
|
||||
"user"
|
||||
])
|
||||
|
||||
(mkRemovedOptionModule [ "services" "xserver" "displayManager" "gdm" "nvidiaWayland" ] "We defer to GDM whether Wayland should be enabled.")
|
||||
];
|
||||
|
||||
meta = {
|
||||
|
@ -83,17 +85,6 @@ in
|
|||
default = true;
|
||||
description = ''
|
||||
Allow GDM to run on Wayland instead of Xserver.
|
||||
Note to enable Wayland with Nvidia the <option>nvidiaWayland</option>
|
||||
must not be disabled.
|
||||
'';
|
||||
};
|
||||
|
||||
nvidiaWayland = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to allow wayland to be used with the proprietary
|
||||
NVidia graphics driver.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -149,7 +140,8 @@ in
|
|||
environment = {
|
||||
GDM_X_SERVER_EXTRA_ARGS = toString
|
||||
(filter (arg: arg != "-terminate") cfg.xserverArgs);
|
||||
XDG_DATA_DIRS = "${cfg.sessionData.desktops}/share/";
|
||||
# GDM is needed for gnome-login.session
|
||||
XDG_DATA_DIRS = "${gdm}/share:${cfg.sessionData.desktops}/share";
|
||||
} // optionalAttrs (xSessionWrapper != null) {
|
||||
# Make GDM use this wrapper before running the session, which runs the
|
||||
# configured setupCommands. This relies on a patched GDM which supports
|
||||
|
@ -230,19 +222,6 @@ in
|
|||
|
||||
services.dbus.packages = [ gdm ];
|
||||
|
||||
# We duplicate upstream's udev rules manually to make wayland with nvidia configurable
|
||||
services.udev.extraRules = ''
|
||||
# disable Wayland on Cirrus chipsets
|
||||
ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false"
|
||||
# disable Wayland on Hi1710 chipsets
|
||||
ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false"
|
||||
${optionalString (!cfg.gdm.nvidiaWayland) ''
|
||||
DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false"
|
||||
''}
|
||||
# disable Wayland when modesetting is disabled
|
||||
IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false"
|
||||
'';
|
||||
|
||||
systemd.user.services.dbus.wantedBy = [ "default.target" ];
|
||||
|
||||
programs.dconf.profiles.gdm =
|
||||
|
|
|
@ -282,6 +282,9 @@ checkFS() {
|
|||
# Don't check resilient COWs as they validate the fs structures at mount time
|
||||
if [ "$fsType" = btrfs -o "$fsType" = zfs -o "$fsType" = bcachefs ]; then return 0; fi
|
||||
|
||||
# Skip fsck for apfs as the fsck utility does not support repairing the filesystem (no -a option)
|
||||
if [ "$fsType" = apfs ]; then return 0; fi
|
||||
|
||||
# Skip fsck for nilfs2 - not needed by design and no fsck tool for this filesystem.
|
||||
if [ "$fsType" = nilfs2 ]; then return 0; fi
|
||||
|
||||
|
|
|
@ -350,6 +350,9 @@ let
|
|||
'';
|
||||
symlink = "/etc/modprobe.d/ubuntu.conf";
|
||||
}
|
||||
{ object = config.environment.etc."modprobe.d/nixos.conf".source;
|
||||
symlink = "/etc/modprobe.d/nixos.conf";
|
||||
}
|
||||
{ object = pkgs.kmod-debian-aliases;
|
||||
symlink = "/etc/modprobe.d/debian.conf";
|
||||
}
|
||||
|
|
|
@ -25,9 +25,11 @@ let
|
|||
"nss-lookup.target"
|
||||
"nss-user-lookup.target"
|
||||
"time-sync.target"
|
||||
] ++ (optionals cfg.package.withCryptsetup [
|
||||
"cryptsetup.target"
|
||||
"cryptsetup-pre.target"
|
||||
"remote-cryptsetup.target"
|
||||
]) ++ [
|
||||
"sigpwr.target"
|
||||
"timers.target"
|
||||
"paths.target"
|
||||
|
|
12
third_party/nixpkgs/nixos/modules/system/etc/etc-activation.nix
vendored
Normal file
12
third_party/nixpkgs/nixos/modules/system/etc/etc-activation.nix
vendored
Normal file
|
@ -0,0 +1,12 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
inherit (lib) stringAfter;
|
||||
in {
|
||||
|
||||
imports = [ ./etc.nix ];
|
||||
|
||||
config = {
|
||||
system.activationScripts.etc =
|
||||
stringAfter [ "users" "groups" ] config.system.build.etcActivationCommands;
|
||||
};
|
||||
}
|
|
@ -66,6 +66,8 @@ in
|
|||
|
||||
{
|
||||
|
||||
imports = [ ../build.nix ];
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
|
@ -188,14 +190,12 @@ in
|
|||
config = {
|
||||
|
||||
system.build.etc = etc;
|
||||
|
||||
system.activationScripts.etc = stringAfter [ "users" "groups" ]
|
||||
system.build.etcActivationCommands =
|
||||
''
|
||||
# Set up the statically computed bits of /etc.
|
||||
echo "setting up /etc..."
|
||||
${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl ${./setup-etc.pl} ${etc}/etc
|
||||
'';
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
|
70
third_party/nixpkgs/nixos/modules/system/etc/test.nix
vendored
Normal file
70
third_party/nixpkgs/nixos/modules/system/etc/test.nix
vendored
Normal file
|
@ -0,0 +1,70 @@
|
|||
{ lib
|
||||
, coreutils
|
||||
, fakechroot
|
||||
, fakeroot
|
||||
, evalMinimalConfig
|
||||
, pkgsModule
|
||||
, runCommand
|
||||
, util-linux
|
||||
, vmTools
|
||||
, writeText
|
||||
}:
|
||||
let
|
||||
node = evalMinimalConfig ({ config, ... }: {
|
||||
imports = [ pkgsModule ../etc/etc.nix ];
|
||||
environment.etc."passwd" = {
|
||||
text = passwdText;
|
||||
};
|
||||
environment.etc."hosts" = {
|
||||
text = hostsText;
|
||||
mode = "0751";
|
||||
};
|
||||
});
|
||||
passwdText = ''
|
||||
root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash
|
||||
'';
|
||||
hostsText = ''
|
||||
127.0.0.1 localhost
|
||||
::1 localhost
|
||||
# testing...
|
||||
'';
|
||||
in
|
||||
lib.recurseIntoAttrs {
|
||||
test-etc-vm =
|
||||
vmTools.runInLinuxVM (runCommand "test-etc-vm" { } ''
|
||||
mkdir -p /etc
|
||||
${node.config.system.build.etcActivationCommands}
|
||||
set -x
|
||||
[[ -L /etc/passwd ]]
|
||||
diff /etc/passwd ${writeText "expected-passwd" passwdText}
|
||||
[[ 751 = $(stat --format %a /etc/hosts) ]]
|
||||
diff /etc/hosts ${writeText "expected-hosts" hostsText}
|
||||
set +x
|
||||
touch $out
|
||||
'');
|
||||
|
||||
# fakeroot is behaving weird
|
||||
test-etc-fakeroot =
|
||||
runCommand "test-etc"
|
||||
{
|
||||
nativeBuildInputs = [
|
||||
fakeroot
|
||||
fakechroot
|
||||
# for chroot
|
||||
coreutils
|
||||
# fakechroot needs getopt, which is provided by util-linux
|
||||
util-linux
|
||||
];
|
||||
fakeRootCommands = ''
|
||||
mkdir -p /etc
|
||||
${node.config.system.build.etcActivationCommands}
|
||||
diff /etc/hosts ${writeText "expected-hosts" hostsText}
|
||||
touch $out
|
||||
'';
|
||||
} ''
|
||||
mkdir fake-root
|
||||
export FAKECHROOT_EXCLUDE_PATH=/dev:/proc:/sys:${builtins.storeDir}:$out
|
||||
fakechroot fakeroot chroot $PWD/fake-root bash -c 'source $stdenv/setup; eval "$fakeRootCommands"'
|
||||
'';
|
||||
|
||||
}
|
|
@ -250,7 +250,7 @@ in
|
|||
|
||||
environment.etc.fstab.text =
|
||||
let
|
||||
fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" ];
|
||||
fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" "apfs" ];
|
||||
skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck;
|
||||
# https://wiki.archlinux.org/index.php/fstab#Filepath_spaces
|
||||
escape = string: builtins.replaceStrings [ " " "\t" ] [ "\\040" "\\011" ] string;
|
||||
|
|
22
third_party/nixpkgs/nixos/modules/tasks/filesystems/apfs.nix
vendored
Normal file
22
third_party/nixpkgs/nixos/modules/tasks/filesystems/apfs.nix
vendored
Normal file
|
@ -0,0 +1,22 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
inInitrd = any (fs: fs == "apfs") config.boot.initrd.supportedFilesystems;
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
config = mkIf (any (fs: fs == "apfs") config.boot.supportedFilesystems) {
|
||||
|
||||
system.fsPackages = [ pkgs.apfsprogs ];
|
||||
|
||||
boot.extraModulePackages = [ config.boot.kernelPackages.apfs ];
|
||||
|
||||
boot.initrd.kernelModules = mkIf inInitrd [ "apfs" ];
|
||||
|
||||
# Don't copy apfsck into the initramfs since it does not support repairing the filesystem
|
||||
};
|
||||
}
|
|
@ -305,7 +305,7 @@ let
|
|||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Wether to enable wol on this interface.";
|
||||
description = "Whether to enable wol on this interface.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -109,6 +109,10 @@ in
|
|||
# Allow very slow start
|
||||
DefaultTimeoutStartSec=300
|
||||
'';
|
||||
systemd.user.extraConfig = ''
|
||||
# Allow very slow start
|
||||
DefaultTimeoutStartSec=300
|
||||
'';
|
||||
|
||||
boot.consoleLogLevel = 7;
|
||||
|
||||
|
|
|
@ -155,7 +155,7 @@ in
|
|||
systemd.services."serial-getty@ttyS0".enable = true;
|
||||
|
||||
# Creates symlinks for block device names.
|
||||
services.udev.packages = [ pkgs.ec2-utils ];
|
||||
services.udev.packages = [ pkgs.amazon-ec2-utils ];
|
||||
|
||||
# Force getting the hostname from EC2.
|
||||
networking.hostName = mkDefault "";
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue