Project import generated by Copybara.

GitOrigin-RevId: 48d63e924a2666baf37f4f14a18f19347fbd54a2
This commit is contained in:
Default email 2022-02-10 15:34:41 -05:00
parent e14cfe989c
commit 81047829ea
2465 changed files with 44949 additions and 32581 deletions

View file

@ -67,10 +67,6 @@ indent_style = unset
insert_final_newline = unset
trim_trailing_whitespace = unset
[pkgs/build-support/upstream-updater/**]
indent_style = unset
trim_trailing_whitespace = unset
[pkgs/development/compilers/elm/registry.dat]
end_of_line = unset
insert_final_newline = unset

View file

@ -13,10 +13,10 @@ assignees: ''
<!-- Note that these are hard requirements -->
<!--
You can use the "Go to file" functionality on github to find the package
You can use the "Go to file" functionality on GitHub to find the package
Then you can go to the history for this package
Find the latest "package_name: old_version -> new_version" commit
The "new_version" is the the current version of the package
The "new_version" is the current version of the package
-->
- [ ] Checked the [nixpkgs master branch](https://github.com/NixOS/nixpkgs)
<!--
@ -29,7 +29,7 @@ There's a high chance that you'll have the new version right away while helping
###### Project name
`nix search` name:
<!--
The current version can be found easily with the same process than above for checking the master branch
The current version can be found easily with the same process as above for checking the master branch
If an open PR is present for the package, take this version as the current one and link to the PR
-->
current version:

View file

@ -21,7 +21,7 @@ jobs:
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config user.name "github-actions[bot]"
pushd pkgs/applications/networking/cluster/terraform-providers
./update-all-providers
./update-all-providers --no-build
git commit -m "${{ steps.setup.outputs.title }}" providers.json
popd
- name: create PR

View file

@ -319,10 +319,14 @@ For information about how to run the updates, execute `nix-shell maintainers/scr
## Phases {#sec-stdenv-phases}
The generic builder has a number of *phases*. Package builds are split into phases to make it easier to override specific parts of the build (e.g., unpacking the sources or installing the binaries). Furthermore, it allows a nicer presentation of build logs in the Nix build farm.
`stdenv.mkDerivation` sets the Nix [derivation](https://nixos.org/manual/nix/stable/expressions/derivations.html#derivations)'s builder to a script that loads the stdenv `setup.sh` bash library and calls `genericBuild`. Most packaging functions rely on this default builder.
This generic command invokes a number of *phases*. Package builds are split into phases to make it easier to override specific parts of the build (e.g., unpacking the sources or installing the binaries).
Each phase can be overridden in its entirety either by setting the environment variable `namePhase` to a string containing some shell commands to be executed, or by redefining the shell function `namePhase`. The former is convenient to override a phase from the derivation, while the latter is convenient from a build script. However, typically one only wants to *add* some commands to a phase, e.g. by defining `postInstall` or `preFixup`, as skipping some of the default actions may have unexpected consequences. The default script for each phase is defined in the file `pkgs/stdenv/generic/setup.sh`.
While inside an interactive `nix-shell`, if you wanted to run all phases in the order they would be run in an actual build, you can invoke `genericBuild` yourself.
### Controlling phases {#ssec-controlling-phases}
There are a number of variables that control what phases are executed and in what order:

View file

@ -21,35 +21,13 @@
nixos = import ./nixos/lib { lib = final; };
nixosSystem = { modules, ... } @ args:
nixosSystem = args:
import ./nixos/lib/eval-config.nix (args // {
modules =
let
moduleDeclarationFile =
let
# Even though `modules` is a mandatory argument for `nixosSystem`, it doesn't
# mean that the evaluator always keeps track of its position. If there
# are too many levels of indirection, the position gets lost at some point.
intermediatePos = builtins.unsafeGetAttrPos "modules" args;
in
if intermediatePos == null then null else intermediatePos.file;
# Add the invoking file as error message location for modules
# that don't have their own locations; presumably inline modules.
addModuleDeclarationFile =
m: if moduleDeclarationFile == null then m else {
_file = moduleDeclarationFile;
imports = [ m ];
};
in
map addModuleDeclarationFile modules ++ [
{
modules = args.modules ++ [ {
system.nixos.versionSuffix =
".${final.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}.${self.shortRev or "dirty"}";
system.nixos.revision = final.mkIf (self ? rev) self.rev;
}
];
} ];
});
});

View file

@ -276,7 +276,7 @@ rec {
/* Like `mapAttrsRecursive', but it takes an additional predicate
function that tells it whether to recursive into an attribute
function that tells it whether to recurse into an attribute
set. If it returns false, `mapAttrsRecursiveCond' does not
recurse, but does apply the map function. If it returns true, it
does recurse, and does not apply the map function.

View file

@ -111,8 +111,8 @@ let
cleanSource sourceByRegex sourceFilesBySuffices
commitIdFromGitRepo cleanSourceWith pathHasContext
canCleanSource pathIsRegularFile pathIsGitRepo;
inherit (self.modules) evalModules unifyModuleSyntax
applyIfFunction mergeModules
inherit (self.modules) evalModules setDefaultModuleLocation
unifyModuleSyntax applyIfFunction mergeModules
mergeModules' mergeOptionDecls evalOptionValue mergeDefinitions
pushDownProperties dischargeProperties filterOverrides
sortProperties fixupOptionType mkIf mkAssert mkMerge mkOverride

View file

@ -465,6 +465,11 @@ in mkLicense lset) ({
spdxId = "imagemagick";
};
imlib2 = {
spdxId = "Imlib2";
fullName = "Imlib2 License";
};
inria-compcert = {
fullName = "INRIA Non-Commercial License Agreement for the CompCert verified compiler";
url = "https://compcert.org/doc/LICENSE.txt";
@ -592,6 +597,11 @@ in mkLicense lset) ({
fullName = "MIT License";
};
mitAdvertising = {
spdxId = "MIT-advertising";
fullName = "Enlightenment License (e16)";
};
mpl10 = {
spdxId = "MPL-1.0";
fullName = "Mozilla Public License 1.0";

View file

@ -334,6 +334,10 @@ rec {
in modulesPath: initialModules: args:
filterModules modulesPath (collectStructuredModules unknownModule "" initialModules args);
/* Wrap a module with a default location for reporting errors. */
setDefaultModuleLocation = file: m:
{ _file = file; imports = [ m ]; };
/* Massage a module into canonical form, that is, a set consisting
of options, config and imports attributes. */
unifyModuleSyntax = file: key: m:
@ -534,11 +538,9 @@ rec {
correspond to the definition of 'loc' in 'opt.file'. */
mergeOptionDecls =
let
packSubmodule = file: m:
{ _file = file; imports = [ m ]; };
coerceOption = file: opt:
if isFunction opt then packSubmodule file opt
else packSubmodule file { options = opt; };
if isFunction opt then setDefaultModuleLocation file opt
else setDefaultModuleLocation file { options = opt; };
in loc: opts:
foldl' (res: opt:
let t = res.type;
@ -568,7 +570,7 @@ rec {
getSubModules = opt.options.type.getSubModules or null;
submodules =
if getSubModules != null then map (packSubmodule opt._file) getSubModules ++ res.options
if getSubModules != null then map (setDefaultModuleLocation opt._file) getSubModules ++ res.options
else if opt.options ? options then map (coerceOption opt._file) options' ++ res.options
else res.options;
in opt.options // res //

View file

@ -20,17 +20,26 @@ let
readFile
;
# Returns the type of a path: regular (for file), symlink, or directory
pathType = p: getAttr (baseNameOf p) (readDir (dirOf p));
/*
Returns the type of a path: regular (for file), symlink, or directory.
*/
pathType = path: getAttr (baseNameOf path) (readDir (dirOf path));
# Returns true if the path exists and is a directory, false otherwise
pathIsDirectory = p: if pathExists p then (pathType p) == "directory" else false;
/*
Returns true if the path exists and is a directory, false otherwise.
*/
pathIsDirectory = path: if pathExists path then (pathType path) == "directory" else false;
# Returns true if the path exists and is a regular file, false otherwise
pathIsRegularFile = p: if pathExists p then (pathType p) == "regular" else false;
/*
Returns true if the path exists and is a regular file, false otherwise.
*/
pathIsRegularFile = path: if pathExists path then (pathType path) == "regular" else false;
# Bring in a path as a source, filtering out all Subversion and CVS
# directories, as well as backup files (*~).
/*
A basic filter for `cleanSourceWith` that removes
directories of version control system, backup files (*~)
and some generated files.
*/
cleanSourceFilter = name: type: let baseName = baseNameOf (toString name); in ! (
# Filter out version control software files/directories
(baseName == ".git" || type == "directory" && (baseName == ".svn" || baseName == "CVS" || baseName == ".hg")) ||
@ -48,43 +57,48 @@ let
(type == "unknown")
);
# Filters a source tree removing version control files and directories using cleanSourceWith
#
# Example:
# cleanSource ./.
/*
Filters a source tree removing version control files and directories using cleanSourceFilter.
Example:
cleanSource ./.
*/
cleanSource = src: cleanSourceWith { filter = cleanSourceFilter; inherit src; };
# Like `builtins.filterSource`, except it will compose with itself,
# allowing you to chain multiple calls together without any
# intermediate copies being put in the nix store.
#
# lib.cleanSourceWith {
# filter = f;
# src = lib.cleanSourceWith {
# filter = g;
# src = ./.;
# };
# }
# # Succeeds!
#
# builtins.filterSource f (builtins.filterSource g ./.)
# # Fails!
#
# Parameters:
#
# src: A path or cleanSourceWith result to filter and/or rename.
#
# filter: A function (path -> type -> bool)
/*
Like `builtins.filterSource`, except it will compose with itself,
allowing you to chain multiple calls together without any
intermediate copies being put in the nix store.
Example:
lib.cleanSourceWith {
filter = f;
src = lib.cleanSourceWith {
filter = g;
src = ./.;
};
}
# Succeeds!
builtins.filterSource f (builtins.filterSource g ./.)
# Fails!
*/
cleanSourceWith =
{
# A path or cleanSourceWith result to filter and/or rename.
src,
# Optional with default value: constant true (include everything)
# The function will be combined with the && operator such
# that src.filter is called lazily.
# For implementing a filter, see
# https://nixos.org/nix/manual/#builtin-filterSource
#
# name: Optional name to use as part of the store path.
# Type: A function (path -> type -> bool)
filter ? _path: _type: true,
# Optional name to use as part of the store path.
# This defaults to `src.name` or otherwise `"source"`.
#
cleanSourceWith = { filter ? _path: _type: true, src, name ? null }:
name ? null
}:
let
orig = toSourceAttributes src;
in fromSourceAttributes {
@ -116,9 +130,11 @@ let
satisfiesSubpathInvariant = src ? satisfiesSubpathInvariant && src.satisfiesSubpathInvariant;
};
# Filter sources by a list of regular expressions.
#
# E.g. `src = sourceByRegex ./my-subproject [".*\.py$" "^database.sql$"]`
/*
Filter sources by a list of regular expressions.
Example: src = sourceByRegex ./my-subproject [".*\.py$" "^database.sql$"]
*/
sourceByRegex = src: regexes:
let
isFiltered = src ? _isLibCleanSourceWith;
@ -153,8 +169,11 @@ let
pathIsGitRepo = path: (tryEval (commitIdFromGitRepo path)).success;
# Get the commit id of a git repo
# Example: commitIdFromGitRepo <nixpkgs/.git>
/*
Get the commit id of a git repo.
Example: commitIdFromGitRepo <nixpkgs/.git>
*/
commitIdFromGitRepo =
let readCommitFromFile = file: path:
let fileName = toString path + "/" + file;

View file

@ -61,11 +61,11 @@ rec {
pipe = val: functions:
let reverseApply = x: f: f x;
in builtins.foldl' reverseApply val functions;
/* note please dont add a function like `compose = flip pipe`.
This would confuse users, because the order of the functions
in the list is not clear. With pipe, its obvious that it
goes first-to-last. With `compose`, not so much.
*/
# note please dont add a function like `compose = flip pipe`.
# This would confuse users, because the order of the functions
# in the list is not clear. With pipe, its obvious that it
# goes first-to-last. With `compose`, not so much.
## Named versions corresponding to some builtin operators.

View file

@ -513,12 +513,6 @@
githubId = 38869148;
name = "Alex Eyre";
};
algorith = {
email = "dries_van_daele@telenet.be";
github = "DriesVanDaele";
githubId = 1141488;
name = "Dries Van Daele";
};
alibabzo = {
email = "alistair.bill@gmail.com";
github = "alibabzo";
@ -1185,14 +1179,14 @@
name = "Artturi N";
};
azahi = {
email = "azahi@teknik.io";
matrix = "@azahi:matrix.org";
name = "Azat Bahawi";
email = "azat@bahawi.net";
matrix = "@azahi:azahi.cc";
github = "azahi";
githubId = 22211000;
name = "Azat Bahawi";
keys = [{
longkeyid = "rsa2048/0xB40FCB6608BBE3B6";
fingerprint = "E9F3 483F 31C7 29B4 4CA2 7C38 B40F CB66 08BB E3B6";
longkeyid = "rsa4096/0xC8C6BDDB3847F72B";
fingerprint = "2688 0377 C31D 9E81 9BDF 83A8 C8C6 BDDB 3847 F72B";
}];
};
ayazhafiz = {
@ -2309,6 +2303,13 @@
githubId = 5561189;
name = "Cody Opel";
};
Cogitri = {
email = "oss@cogitri.dev";
github = "Cogitri";
githubId = 8766773;
matrix = "@cogitri:cogitri.dev";
name = "Rasmus Thomsen";
};
cohei = {
email = "a.d.xvii.kal.mai@gmail.com";
github = "cohei";
@ -2381,6 +2382,13 @@
githubId = 11145016;
name = "J.C.";
};
congee = {
email = "changshengwu@pm.me";
matrix = "@congeec:matrix.org";
github = "congee";
name = "Changsheng Wu";
githubId = 2083950;
};
contrun = {
email = "uuuuuu@protonmail.com";
github = "contrun";
@ -3735,6 +3743,12 @@
githubId = 222467;
name = "Dmitry Ivanov";
};
Etjean = {
email = "et.jean@outlook.fr";
github = "Etjean";
githubId = 32169529;
name = "Etienne Jean";
};
etu = {
email = "elis@hirwing.se";
matrix = "@etu:semi.social";
@ -4395,6 +4409,12 @@
githubId = 27668;
name = "Tobias Pflug";
};
gin66 = {
email = "jochen@kiemes.de";
github = "gin66";
githubId = 5549373;
name = "Jochen Kiemes";
};
giogadi = {
email = "lgtorres42@gmail.com";
github = "giogadi";
@ -4474,7 +4494,7 @@
gordias = {
name = "Gordias";
email = "gordias@disroot.org";
github = "NotGordias";
github = "gordiasdot";
githubId = 94724133;
keys = [{
longkeyid = "ed25519/0x5D47284830FAA4FA";
@ -5455,6 +5475,12 @@
githubId = 221929;
name = "Jean-Baptiste Giraudeau";
};
jc = {
name = "Josh Cooper";
email = "josh@cooper.is";
github = "joshua-cooper";
githubId = 35612334;
};
jceb = {
name = "jceb";
email = "jceb@e-jc.de";
@ -5583,6 +5609,16 @@
githubId = 143075;
name = "James Felix Black";
};
jfchevrette = {
email = "jfchevrette@gmail.com";
github = "jfchevrette";
githubId = 3001;
name = "Jean-Francois Chevrette";
keys = [{
longkeyid = "rsa4096/0x67A0585801290DC6";
fingerprint = "B612 96A9 498E EECD D5E9 C0F0 67A0 5858 0129 0DC6";
}];
};
jflanglois = {
email = "yourstruly@julienlanglois.me";
github = "jflanglois";
@ -6536,6 +6572,12 @@
githubId = 787421;
name = "Kevin Quick";
};
kradalby = {
name = "Kristoffer Dalby";
email = "kristoffer@dalby.cc";
github = "kradalby";
githubId = 98431;
};
kraem = {
email = "me@kraem.xyz";
github = "kraem";
@ -7516,16 +7558,6 @@
githubId = 29855073;
name = "Michael Colicchia";
};
matdsoupe = {
github = "matdsoupe";
githubId = 44469426;
name = "Matheus de Souza Pessanha";
email = "matheus_pessanha2001@outlook.com";
keys = [{
longkeyid = "rsa4096/0x2671964AB1E06A08";
fingerprint = "2F32 CFEF E11A D73B A740 FA47 2671 964A B1E0 6A08";
}];
};
matejc = {
email = "cotman.matej@gmail.com";
github = "matejc";
@ -7926,6 +7958,12 @@
fingerprint = "FEF0 AE2D 5449 3482 5F06 40AA 186A 1EDA C5C6 3F83";
}];
};
mihnea-s = {
email = "mihn.stn@gmail.com";
github = "mihnea-s";
githubId = 43088426;
name = "Mihnea Stoian";
};
mikefaille = {
email = "michael@faille.io";
github = "mikefaille";
@ -8552,6 +8590,12 @@
githubId = 3747396;
name = "Nathan Isom";
};
nelsonjeppesen = {
email = "nix@jeppesen.io";
github = "NelsonJeppesen";
githubId = 50854675;
name = "Nelson Jeppesen";
};
neonfuz = {
email = "neonfuz@gmail.com";
github = "neonfuz";
@ -11564,6 +11608,13 @@
githubId = 2666479;
name = "Y Nguyen";
};
superherointj = {
name = "Sérgio G.";
email = "5861043+superherointj@users.noreply.github.com";
matrix = "@superherointj:matrix.org";
github = "superherointj";
githubId = 5861043;
};
SuperSandro2000 = {
email = "sandro.jaeckel@gmail.com";
matrix = "@sandro:supersandro.de";
@ -11804,6 +11855,13 @@
githubId = 863327;
name = "Tyler Benster";
};
tboerger = {
email = "thomas@webhippie.de";
matrix = "@tboerger:matrix.org";
github = "tboerger";
githubId = 156964;
name = "Thomas Boerger";
};
tcbravo = {
email = "tomas.bravo@protonmail.ch";
github = "tcbravo";
@ -12163,6 +12221,7 @@
};
toastal = {
email = "toastal+nix@posteo.net";
matrix = "@toastal:matrix.org";
github = "toastal";
githubId = 561087;
name = "toastal";
@ -13612,10 +13671,10 @@
github = "nagisa";
githubId = 679122;
};
yevhenshymotiuk = {
yshym = {
name = "Yevhen Shymotiuk";
email = "yevhenshymotiuk@gmail.com";
github = "yevhenshymotiuk";
email = "yshym@pm.me";
github = "yshym";
githubId = 44244245;
};
hmenke = {
@ -13739,6 +13798,16 @@
github = "zeri42";
githubId = 68825133;
};
zoedsoupe = {
github = "zoedsoupe";
githubId = 44469426;
name = "Zoey de Souza Pessanha";
email = "zoey.spessanha@outlook.com";
keys = [{
longkeyid = "rsa4096/0x1E1E889CDBD6A315";
fingerprint = "EAA1 51DB 472B 0122 109A CB17 1E1E 889C DBD6 A315";
}];
};
zombiezen = {
name = "Ross Light";
email = "ross@zombiezen.com";
@ -13802,4 +13871,16 @@
fingerprint = "3586 3350 BFEA C101 DB1A 4AF0 1F81 112D 62A9 ADCE";
}];
};
ameer = {
name = "Ameer Taweel";
email = "ameertaweel2002@gmail.com";
github = "AmeerTaweel";
githubId = 20538273;
};
nigelgbanks = {
name = "Nigel Banks";
email = "nigel.g.banks@gmail.com";
github = "nigelgbanks";
githubId = 487373;
};
}

View file

@ -278,6 +278,13 @@ with lib.maintainers; {
scope = "Maintain SageMath and the dependencies that are likely to break it.";
};
sphinx = {
members = [
SuperSandro2000
];
scope = "Maintain Sphinx related packages.";
};
serokell = {
# Verify additions by approval of an already existing member of the team.
members = [

View file

@ -79,6 +79,12 @@
<link linkend="opt-services.filebeat.enable">services.filebeat</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/linux-apfs/linux-apfs-rw">apfs</link>,
a kernel module for mounting the Apple File System (APFS).
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://frrouting.org/">FRRouting</link>, a
@ -162,6 +168,13 @@
<link linkend="opt-services.baget.enable">services.baget</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://moosefs.com">moosefs</link>, fault
tolerant petabyte distributed file system. Available as
<link linkend="opt-services.moosefs">moosefs</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/ThomasLeister/prosody-filer">prosody-filer</link>,
@ -169,6 +182,13 @@
<link linkend="opt-services.prosody-filer.enable">services.prosody-filer</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/audreyt/ethercalc">ethercalc</link>,
an online collaborative spreadsheet. Available as
<link xlink:href="options.html#opt-services.ethercalc.enable">services.ethercalc</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://timetagger.app">timetagger</link>,
@ -185,6 +205,15 @@
<link xlink:href="options.html#opt-services.rstudio-server.enable">services.rstudio-server</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/juanfont/headscale">headscale</link>,
an Open Source implementation of the
<link xlink:href="https://tailscale.io">Tailscale</link>
Control Server. Available as
<link xlink:href="options.html#opt-services.headscale.enable">services.headscale</link>
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.05-incompatibilities">
@ -211,6 +240,19 @@
<literal>haskellPackages.callPackage</literal>).
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.ghc.withPackages</literal> as well as
<literal>haskellPackages.ghcWithPackages</literal> etc. now
needs be overridden directly, as opposed to overriding the
result of calling it. Additionally, the
<literal>withLLVM</literal> parameter has been renamed to
<literal>useLLVM</literal>. So instead of
<literal>(ghc.withPackages (p: [])).override { withLLVM = true; }</literal>,
one needs to use
<literal>(ghc.withPackages.override { useLLVM = true; }) (p: [])</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.emacsPackages.orgPackages</literal> is removed
@ -228,6 +270,23 @@
removed due to it being an outdated version.
</para>
</listitem>
<listitem>
<para>
The DHCP server (<literal>services.dhcpd4</literal>,
<literal>services.dhcpd6</literal>) has been hardened. The
service is now using the systemds
<literal>DynamicUser</literal> mechanism to run as an
unprivileged dynamically-allocated user with limited
capabilities. The dhcpd state files are now always stored in
<literal>/var/lib/dhcpd{4,6}</literal> and the
<literal>services.dhcpd4.stateDir</literal> and
<literal>service.dhcpd6.stateDir</literal> options have been
removed. If you were depending on root privileges or
set{uid,gid,cap} binaries in dhcpd shell hooks, you may give
dhcpd more capabilities with e.g.
<literal>systemd.services.dhcpd6.serviceConfig.AmbientCapabilities</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>mailpile</literal> email webclient
@ -271,6 +330,22 @@
<literal>writers.writePyPy2</literal> needs to be used.
</para>
</listitem>
<listitem>
<para>
<literal>buildGoModule</literal> was updated to use
<literal>go_1_17</literal>, third party derivations that
specify &gt;= go 1.17 in the main <literal>go.mod</literal>
will need to regenerate their <literal>vendorSha256</literal>
hash.
</para>
</listitem>
<listitem>
<para>
The <literal>gnome-passwordsafe</literal> package updated to
<link xlink:href="https://gitlab.gnome.org/World/secrets/-/tags/6.0">version
6.x</link> and renamed to <literal>gnome-secrets</literal>.
</para>
</listitem>
<listitem>
<para>
If you previously used
@ -382,6 +457,11 @@
unmaintained
</para>
</listitem>
<listitem>
<para>
<literal>tilp2</literal> was removed together with its module
</para>
</listitem>
<listitem>
<para>
The options
@ -428,6 +508,20 @@
directly.
</para>
</listitem>
<listitem>
<para>
The existing <literal>pkgs.opentelemetry-collector</literal>
has been moved to
<literal>pkgs.opentelemetry-collector-contrib</literal> to
match the actual source being the <quote>contrib</quote>
edition. <literal>pkgs.opentelemetry-collector</literal> is
now the actual core release of opentelemetry-collector. If you
use the community contributions you should change the package
you refer to. If you dont need them update your commands from
<literal>otelcontribcol</literal> to
<literal>otelcorecol</literal> and enjoy a 7x smaller binary.
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.noto-fonts-cjk</literal> is now deprecated in
@ -515,6 +609,14 @@
wrapper for <literal>assert</literal> conditions.
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.vimPlugins.onedark-nvim</literal> now refers to
<link xlink:href="https://github.com/navarasu/onedark.nvim">navarasu/onedark.nvim</link>
(formerly refers to
<link xlink:href="https://github.com/olimorris/onedarkpro.nvim">olimorris/onedarkpro.nvim</link>).
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.05-notable-changes">
@ -700,6 +802,13 @@
loaded in the initrd.
</para>
</listitem>
<listitem>
<para>
<literal>nixos-generate-config</literal> now puts the dhcp
configuration in <literal>hardware-configuration.nix</literal>
instead of <literal>configuration.nix</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>fetchFromSourcehut</literal> now allows fetching
@ -732,6 +841,14 @@
0042</link> configuration.
</para>
</listitem>
<listitem>
<para>
The default value for
<literal>programs.spacefm.settings.graphical_su</literal> got
unset. It previously pointed to <literal>gksu</literal> which
has been removed.
</para>
</listitem>
<listitem>
<para>
A new module was added for the
@ -784,6 +901,17 @@
warning.
</para>
</listitem>
<listitem>
<para>
The option
<link linkend="opt-services.networking.networkmanager.enableFccUnlock">services.networking.networkmanager.enableFccUnlock</link>
was added to support FCC unlock procedures. Since release
1.18.4, the ModemManager daemon no longer automatically
performs the FCC unlock procedure by default. See
<link xlink:href="https://modemmanager.org/docs/modemmanager/fcc-unlock/">the
docs</link> for more details.
</para>
</listitem>
<listitem>
<para>
<literal>programs.tmux</literal> has a new option

View file

@ -27,6 +27,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html), a lightweight shipper for forwarding and centralizing log data. Available as [services.filebeat](#opt-services.filebeat.enable).
- [apfs](https://github.com/linux-apfs/linux-apfs-rw), a kernel module for mounting the Apple File System (APFS).
- [FRRouting](https://frrouting.org/), a popular suite of Internet routing protocol daemons (BGP, BFD, OSPF, IS-IS, VVRP and others). Available as [services.frr](#opt-services.ffr.babel.enable)
- [heisenbridge](https://github.com/hifi/heisenbridge), a bouncer-style Matrix IRC bridge. Available as [services.heisenbridge](options.html#opt-services.heisenbridge.enable).
@ -49,12 +51,20 @@ In addition to numerous new and upgraded packages, this release has the followin
- [BaGet](https://loic-sharma.github.io/BaGet/), a lightweight NuGet and symbol server. Available at [services.baget](#opt-services.baget.enable).
- [moosefs](https://moosefs.com), fault tolerant petabyte distributed file system.
Available as [moosefs](#opt-services.moosefs).
- [prosody-filer](https://github.com/ThomasLeister/prosody-filer), a server for handling XMPP HTTP Upload requests. Available at [services.prosody-filer](#opt-services.prosody-filer.enable).
- [ethercalc](https://github.com/audreyt/ethercalc), an online collaborative
spreadsheet. Available as [services.ethercalc](options.html#opt-services.ethercalc.enable).
- [timetagger](https://timetagger.app), an open source time-tracker with an intuitive user experience and powerful reporting. [services.timetagger](options.html#opt-services.timetagger.enable).
- [rstudio-server](https://www.rstudio.com/products/rstudio/#rstudio-server), a browser-based version of the RStudio IDE for the R programming language. Available as [services.rstudio-server](options.html#opt-services.rstudio-server.enable).
- [headscale](https://github.com/juanfont/headscale), an Open Source implementation of the [Tailscale](https://tailscale.io) Control Server. Available as [services.headscale](options.html#opt-services.headscale.enable)
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
@ -71,6 +81,12 @@ In addition to numerous new and upgraded packages, this release has the followin
instead to ensure cross compilation keeps working (or switch to
`haskellPackages.callPackage`).
- `pkgs.ghc.withPackages` as well as `haskellPackages.ghcWithPackages` etc.
now needs be overridden directly, as opposed to overriding the result of
calling it. Additionally, the `withLLVM` parameter has been renamed to
`useLLVM`. So instead of `(ghc.withPackages (p: [])).override { withLLVM = true; }`,
one needs to use `(ghc.withPackages.override { useLLVM = true; }) (p: [])`.
- `pkgs.emacsPackages.orgPackages` is removed because org elpa is deprecated.
The packages in the top level of `pkgs.emacsPackages`, such as org and
org-contrib, refer to the ones in `pkgs.emacsPackages.elpaPackages` and
@ -78,6 +94,11 @@ In addition to numerous new and upgraded packages, this release has the followin
- `services.kubernetes.addons.dashboard` was removed due to it being an outdated version.
- The DHCP server (`services.dhcpd4`, `services.dhcpd6`) has been hardened.
The service is now using the systemd's `DynamicUser` mechanism to run as an unprivileged dynamically-allocated user with limited capabilities.
The dhcpd state files are now always stored in `/var/lib/dhcpd{4,6}` and the `services.dhcpd4.stateDir` and `service.dhcpd6.stateDir` options have been removed.
If you were depending on root privileges or set{uid,gid,cap} binaries in dhcpd shell hooks, you may give dhcpd more capabilities with e.g. `systemd.services.dhcpd6.serviceConfig.AmbientCapabilities`.
- The `mailpile` email webclient (`services.mailpile`) has been removed due to its reliance on python2.
- The MoinMoin wiki engine (`services.moinmoin`) has been removed, because Python 2 is being retired from nixpkgs.
@ -90,6 +111,10 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `writers.writePython2` and corresponding `writers.writePython2Bin` convenience functions to create executable Python 2 scripts in the store were removed in preparation of removal of the Python 2 interpreter.
Scripts have to be converted to Python 3 for use with `writers.writePython3` or `writers.writePyPy2` needs to be used.
- `buildGoModule` was updated to use `go_1_17`, third party derivations that specify >= go 1.17 in the main `go.mod` will need to regenerate their `vendorSha256` hash.
- The `gnome-passwordsafe` package updated to [version 6.x](https://gitlab.gnome.org/World/secrets/-/tags/6.0) and renamed to `gnome-secrets`.
- If you previously used `/etc/docker/daemon.json`, you need to incorporate the changes into the new option `virtualisation.docker.daemon.settings`.
- The backward compatibility in `services.wordpress` to configure sites with
@ -126,15 +151,26 @@ In addition to numerous new and upgraded packages, this release has the followin
- `pkgs.docbookrx` was removed since it's unmaintained
- `tilp2` was removed together with its module
- The options `networking.interfaces.<name>.ipv4.routes` and `networking.interfaces.<name>.ipv6.routes` are no longer ignored when using networkd instead of the default scripted network backend by setting `networking.useNetworkd` to `true`.
- MultiMC has been replaced with the fork PolyMC due to upstream developers being hostile to 3rd party package maintainers. PolyMC removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename `~/.local/share/multimc` to `~/.local/share/polymc`. The main config file's path has also moved from `~/.local/share/multimc/multimc.cfg` to `~/.local/share/polymc/polymc.cfg`.
- The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under
`$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>` (which mkProvider does).
This breaks back-compat so it's not possible to mix-and-match with previous versions of nixpkgs. In exchange, it now becomes possible to use the providers from [nixpkgs-terraform-providers-bin](https://github.com/numtide/nixpkgs-terraform-providers-bin) directly.
- The existing `pkgs.opentelemetry-collector` has been moved to
`pkgs.opentelemetry-collector-contrib` to match the actual source being the
"contrib" edition. `pkgs.opentelemetry-collector` is now the actual core
release of opentelemetry-collector. If you use the community contributions
you should change the package you refer to. If you don't need them update your
commands from `otelcontribcol` to `otelcorecol` and enjoy a 7x smaller binary.
- `pkgs.noto-fonts-cjk` is now deprecated in favor of `pkgs.noto-fonts-cjk-sans`
and `pkgs.noto-fonts-cjk-serif` because they each have different release
schedules. To maintain compatibility with prior releases of Nixpkgs,
@ -157,6 +193,9 @@ In addition to numerous new and upgraded packages, this release has the followin
- `lib.assertMsg` and `lib.assertOneOf` no longer return `false` if the passed condition is `false`, `throw`ing the given error message instead (which makes the resulting error message less cluttered). This will not impact the behaviour of code using these functions as intended, namely as top-level wrapper for `assert` conditions.
- `pkgs.vimPlugins.onedark-nvim` now refers to [navarasu/onedark.nvim](https://github.com/navarasu/onedark.nvim)
(formerly refers to [olimorris/onedarkpro.nvim](https://github.com/olimorris/onedarkpro.nvim)).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Other Notable Changes {#sec-release-22.05-notable-changes}
@ -235,6 +274,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- A new option `boot.initrd.extraModprobeConfig` has been added which can be used to configure kernel modules that are loaded in the initrd.
- `nixos-generate-config` now puts the dhcp configuration in `hardware-configuration.nix` instead of `configuration.nix`.
- `fetchFromSourcehut` now allows fetching repositories recursively
using `fetchgit` or `fetchhg` if the argument `fetchSubmodules`
is set to `true`.
@ -245,6 +286,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `services.mbpfan` module was converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.
- The default value for `programs.spacefm.settings.graphical_su` got unset. It previously pointed to `gksu` which has been removed.
- A new module was added for the [Starship](https://starship.rs/) shell prompt,
providing the options `programs.starship.enable` and `programs.starship.settings`.
@ -260,6 +303,12 @@ In addition to numerous new and upgraded packages, this release has the followin
Reason is that the old name has been deprecated upstream.
Using the old option name will still work, but produce a warning.
- The option
[services.networking.networkmanager.enableFccUnlock](#opt-services.networking.networkmanager.enableFccUnlock)
was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager
daemon no longer automatically performs the FCC unlock procedure by default. See
[the docs](https://modemmanager.org/docs/modemmanager/fcc-unlock/) for more details.
- `programs.tmux` has a new option `plugins` that accepts a list of packages from the `tmuxPlugins` group. The specified packages are added to the system and loaded by `tmux`.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

View file

@ -21,6 +21,7 @@ evalConfigArgs@
, # !!! See comment about args in lib/modules.nix
specialArgs ? {}
, modules
, modulesLocation ? (builtins.unsafeGetAttrPos "modules" evalConfigArgs).file or null
, # !!! See comment about check in lib/modules.nix
check ? true
, prefix ? []
@ -74,7 +75,18 @@ let
_module.check = lib.mkDefault check;
};
};
allUserModules = modules ++ legacyModules;
allUserModules =
let
# Add the invoking file (or specified modulesLocation) as error message location
# for modules that don't have their own locations; presumably inline modules.
locatedModules =
if modulesLocation == null then
modules
else
map (lib.setDefaultModuleLocation modulesLocation) modules;
in
locatedModules ++ legacyModules;
noUserModules = evalModulesMinimal ({
inherit prefix specialArgs;

View file

@ -22,7 +22,7 @@ rec {
else throw "Unknown QEMU serial device for system '${pkgs.stdenv.hostPlatform.system}'";
qemuBinary = qemuPkg: {
x86_64-linux = "${qemuPkg}/bin/qemu-kvm -cpu qemu64";
x86_64-linux = "${qemuPkg}/bin/qemu-kvm -cpu max";
armv7l-linux = "${qemuPkg}/bin/qemu-system-arm -enable-kvm -machine virt -cpu host";
aarch64-linux = "${qemuPkg}/bin/qemu-system-aarch64 -enable-kvm -machine virt,gic-version=host -cpu host";
powerpc64le-linux = "${qemuPkg}/bin/qemu-system-ppc64 -machine powernv";

View file

@ -11,6 +11,9 @@ in rec {
mkPathSafeName = lib.replaceChars ["@" ":" "\\" "[" "]"] ["-" "-" "-" "" ""];
# a type for options that take a unit name
unitNameType = types.strMatching "[a-zA-Z0-9@%:_.\\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)";
makeUnit = name: unit:
if unit.enable then
pkgs.runCommand "unit-${mkPathSafeName name}"

View file

@ -45,7 +45,7 @@ in rec {
requiredBy = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = ''
Units that require (i.e. depend on and need to go down with)
this unit. The discussion under <literal>wantedBy</literal>
@ -56,7 +56,7 @@ in rec {
wantedBy = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = ''
Units that want (i.e. depend on) this unit. The standard way
to make a unit start by default at boot is to set this option
@ -73,7 +73,7 @@ in rec {
aliases = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = "Aliases of that unit.";
};
@ -110,7 +110,7 @@ in rec {
requires = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = ''
Start the specified units when this unit is started, and stop
this unit when the specified units are stopped or fail.
@ -119,7 +119,7 @@ in rec {
wants = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = ''
Start the specified units when this unit is started.
'';
@ -127,7 +127,7 @@ in rec {
after = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = ''
If the specified units are started at the same time as
this unit, delay this unit until they have started.
@ -136,7 +136,7 @@ in rec {
before = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = ''
If the specified units are started at the same time as
this unit, delay them until this unit has started.
@ -145,7 +145,7 @@ in rec {
bindsTo = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = ''
Like requires, but in addition, if the specified units
unexpectedly disappear, this unit will be stopped as well.
@ -154,7 +154,7 @@ in rec {
partOf = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = ''
If the specified units are stopped or restarted, then this
unit is stopped or restarted as well.
@ -163,7 +163,7 @@ in rec {
conflicts = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = ''
If the specified units are started, then this unit is stopped
and vice versa.
@ -172,7 +172,7 @@ in rec {
requisite = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = ''
Similar to requires. However if the units listed are not started,
they will not be started and the transaction will fail.
@ -203,7 +203,7 @@ in rec {
onFailure = mkOption {
default = [];
type = types.listOf types.str;
type = types.listOf unitNameType;
description = ''
A list of one or more units that are activated when
this unit enters the "failed" state.

View file

@ -543,11 +543,11 @@ class Machine:
Should only be used during test development, not in the production test."""
self.connect()
self.log("Terminal is ready (there is no prompt):")
self.log("Terminal is ready (there is no initial prompt):")
assert self.shell
subprocess.run(
["socat", "READLINE", f"FD:{self.shell.fileno()}"],
["socat", "READLINE,prompt=$ ", f"FD:{self.shell.fileno()}"],
pass_fds=[self.shell.fileno()],
)

View file

@ -149,10 +149,16 @@ rec {
if [[ -h '${output}' ]]; then
rm '${output}'
fi
inherit_errexit_restore=$(shopt -p inherit_errexit)
shopt -s inherit_errexit
''
+ concatStringsSep
"\n"
(imap1 (index: name: "export secret${toString index}=$(<'${secrets.${name}}')")
(imap1 (index: name: ''
secret${toString index}=$(<'${secrets.${name}}')
export secret${toString index}
'')
(attrNames secrets))
+ "\n"
+ "${pkgs.jq}/bin/jq >'${output}' '"
@ -164,6 +170,7 @@ rec {
' <<'EOF'
${builtins.toJSON set}
EOF
$inherit_errexit_restore
'';
systemdUtils = {

View file

@ -449,16 +449,10 @@ in {
imports = [
(mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ])
(mkAliasOptionModule [ "users" "extraGroups" ] [ "users" "groups" ])
(mkChangedOptionModule
[ "security" "initialRootPassword" ]
[ "users" "users" "root" "initialHashedPassword" ]
(cfg: if cfg.security.initialRootPassword == "!"
then null
else cfg.security.initialRootPassword))
(mkRenamedOptionModule ["security" "initialRootPassword"] ["users" "users" "root" "initialHashedPassword"])
];
###### interface
options = {
users.mutableUsers = mkOption {
@ -526,6 +520,17 @@ in {
'';
};
users.allowNoPasswordLogin = mkOption {
type = types.bool;
default = false;
description = ''
Disable checking that at least the <literal>root</literal> user or a user in the <literal>wheel</literal> group can log in using
a password or an SSH key.
WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing.
'';
};
};
@ -540,6 +545,7 @@ in {
home = "/root";
shell = mkDefault cfg.defaultUserShell;
group = "root";
initialHashedPassword = mkDefault "!";
};
nobody = {
uid = ids.uids.nobody;
@ -616,9 +622,11 @@ in {
# there is at least one "privileged" account that has a
# password or an SSH authorized key. Privileged accounts are
# root and users in the wheel group.
assertion = !cfg.mutableUsers ->
any id ((mapAttrsToList (_: cfg:
(cfg.name == "root"
# The check does not apply when users.disableLoginPossibilityAssertion
# The check does not apply when users.mutableUsers
assertion = !cfg.mutableUsers -> !cfg.allowNoPasswordLogin ->
any id (mapAttrsToList (name: cfg:
(name == "root"
|| cfg.group == "wheel"
|| elem "wheel" cfg.extraGroups)
&&
@ -627,12 +635,16 @@ in {
|| cfg.passwordFile != null
|| cfg.openssh.authorizedKeys.keys != []
|| cfg.openssh.authorizedKeys.keyFiles != [])
) cfg.users) ++ [
) cfg.users ++ [
config.security.googleOsLogin.enable
]);
message = ''
Neither the root account nor any wheel user has a password or SSH authorized key.
You must set one to prevent being locked out of your system.'';
You must set one to prevent being locked out of your system.
If you really want to be locked out of your system, set users.allowNoPasswordLogin = true;
However you are most probably better off by setting users.mutableUsers = true; and
manually running passwd root to set the root password.
'';
}
] ++ flatten (flip mapAttrsToList cfg.users (name: user:
[

View file

@ -57,7 +57,6 @@ in {
rtl8723bs-firmware
rtl8761b-firmware
rtw88-firmware
rtw89-firmware
zd1211fw
alsa-firmware
sof-firmware
@ -65,6 +64,8 @@ in {
] ++ optional (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) raspberrypiWirelessFirmware
++ optionals (versionOlder config.boot.kernelPackages.kernel.version "4.13") [
rtl8723bs-firmware
] ++ optionals (versionOlder config.boot.kernelPackages.kernel.version "5.16") [
rtw89-firmware
];
hardware.wirelessRegulatoryDatabase = true;
})

View file

@ -178,11 +178,6 @@ in
igpuBusId = if pCfg.intelBusId != "" then pCfg.intelBusId else pCfg.amdgpuBusId;
in mkIf enabled {
assertions = [
{
assertion = with config.services.xserver.displayManager; (gdm.enable && gdm.nvidiaWayland) -> cfg.modesetting.enable;
message = "You cannot use wayland with GDM without modesetting enabled for NVIDIA drivers, set `hardware.nvidia.modesetting.enable = true`";
}
{
assertion = primeEnabled -> pCfg.intelBusId == "" || pCfg.amdgpuBusId == "";
message = ''

View file

@ -1,7 +1,7 @@
{
x86_64-linux = "/nix/store/hapw7q1fkjxvprnkcgw9ppczavg4daj2-nix-2.4";
i686-linux = "/nix/store/8qlvh8pp5j8wgrzj3is2jlbhgrwgsiy9-nix-2.4";
aarch64-linux = "/nix/store/h48lkygcqj4hdibbdnpl67q7ks6vkrd6-nix-2.4";
x86_64-darwin = "/nix/store/c3mvzszvyzakvcp9spnjvsb8m2bpjk7m-nix-2.4";
aarch64-darwin = "/nix/store/hbfqs62r0hga2yr4zi5kc7fzhf71bq9n-nix-2.4";
x86_64-linux = "/nix/store/67amfijcvhqfgz4bwf2izsvbnklwjbvk-nix-2.6.0";
i686-linux = "/nix/store/kinl99f619b2xsma4qnzhidbp65axyzm-nix-2.6.0";
aarch64-linux = "/nix/store/8zpm63nn7k4n1alp9a0fcilpgc8j014z-nix-2.6.0";
x86_64-darwin = "/nix/store/hw5v03wnc0k1pwgiyhblwlxb1fx5zyx8-nix-2.6.0";
aarch64-darwin = "/nix/store/669p1vjnzi56fib98qczwlaglcwcnip4-nix-2.6.0";
}

View file

@ -279,7 +279,7 @@ if (`lsblk -o TYPE` =~ "lvm") {
push @initrdKernelModules, "dm-snapshot";
}
my $virt = `systemd-detect-virt`;
my $virt = `@detectvirt@`;
chomp $virt;
@ -398,7 +398,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
# Maybe this is a bind-mount of a filesystem we saw earlier?
if (defined $fsByDev{$fields[2]}) {
# Make sure this isn't a btrfs subvolume.
my $msg = `btrfs subvol show $rootDir$mountPoint`;
my $msg = `@btrfs@ subvol show $rootDir$mountPoint`;
if ($? != 0 || $msg =~ /ERROR:/s) {
my $path = $fields[3]; $path = "" if $path eq "/";
my $base = $fsByDev{$fields[2]};
@ -436,7 +436,7 @@ EOF
# Is this a btrfs filesystem?
if ($fsType eq "btrfs") {
my ($status, @info) = runCommand("btrfs subvol show $rootDir$mountPoint");
my ($status, @info) = runCommand("@btrfs@ subvol show $rootDir$mountPoint");
if ($status != 0 || join("", @info) =~ /ERROR:/) {
die "Failed to retrieve subvolume info for $mountPoint\n";
}
@ -558,6 +558,8 @@ if (!$noFilesystems) {
$fsAndSwap .= "swapDevices =" . multiLineList(" ", @swapDevices) . ";\n";
}
my $networkingDhcpConfig = generateNetworkingDhcpConfig();
my $hwConfig = <<EOF;
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
@ -572,6 +574,7 @@ my $hwConfig = <<EOF;
boot.kernelModules = [$kernelModules ];
boot.extraModulePackages = [$modulePackages ];
$fsAndSwap
$networkingDhcpConfig
${\join "", (map { " $_\n" } (uniq @attrs))}}
EOF
@ -580,13 +583,13 @@ sub generateNetworkingDhcpConfig {
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.useDHCP = lib.mkDefault false;
EOF
foreach my $path (glob "/sys/class/net/*") {
my $dev = basename($path);
if ($dev ne "lo") {
$config .= " networking.interfaces.$dev.useDHCP = true;\n";
$config .= " networking.interfaces.$dev.useDHCP = lib.mkDefault true;\n";
}
}

View file

@ -33,8 +33,9 @@ let
nixos-generate-config = makeProg {
name = "nixos-generate-config";
src = ./nixos-generate-config.pl;
path = lib.optionals (lib.elem "btrfs" config.boot.supportedFilesystems) [ pkgs.btrfs-progs ];
perl = "${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl";
detectvirt = "${pkgs.systemd}/bin/systemd-detect-virt";
btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
inherit (config.system.nixos-generate-config) configuration desktopConfiguration;
xserverEnabled = config.services.xserver.enable;
};
@ -133,12 +134,13 @@ in
$bootLoaderConfig
# networking.hostName = "nixos"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
$networkingDhcpConfig
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password\@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
@ -148,6 +150,7 @@ in
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkbOptions in tty.
# };
$xserverConfig
@ -155,7 +158,10 @@ in
$desktopConfiguration
# Configure keymap in X11
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
# services.xserver.xkbOptions = {
# "eurosign:e";
# "caps:escape" # map caps to escape.
# };
# Enable CUPS to print documents.
# services.printing.enable = true;

View file

@ -203,7 +203,6 @@
./programs/sway.nix
./programs/system-config-printer.nix
./programs/thefuck.nix
./programs/tilp2.nix
./programs/tmux.nix
./programs/traceroute.nix
./programs/tsm-client.nix
@ -357,7 +356,6 @@
./services/desktops/cpupower-gui.nix
./services/desktops/dleyna-renderer.nix
./services/desktops/dleyna-server.nix
./services/desktops/pantheon/files.nix
./services/desktops/espanso.nix
./services/desktops/flatpak.nix
./services/desktops/geoclue2.nix
@ -684,6 +682,7 @@
./services/network-filesystems/litestream/default.nix
./services/network-filesystems/netatalk.nix
./services/network-filesystems/nfsd.nix
./services/network-filesystems/moosefs.nix
./services/network-filesystems/openafs/client.nix
./services/network-filesystems/openafs/server.nix
./services/network-filesystems/orangefs/server.nix
@ -764,6 +763,7 @@
./services/networking/gvpe.nix
./services/networking/hans.nix
./services/networking/haproxy.nix
./services/networking/headscale.nix
./services/networking/hostapd.nix
./services/networking/htpdate.nix
./services/networking/hylafax/default.nix
@ -914,6 +914,7 @@
./services/networking/vsftpd.nix
./services/networking/wasabibackend.nix
./services/networking/websockify.nix
./services/networking/wg-netmanager.nix
./services/networking/wg-quick.nix
./services/networking/wireguard.nix
./services/networking/wpa_supplicant.nix
@ -1005,6 +1006,7 @@
./services/web-apps/documize.nix
./services/web-apps/dokuwiki.nix
./services/web-apps/engelsystem.nix
./services/web-apps/ethercalc.nix
./services/web-apps/fluidd.nix
./services/web-apps/galene.nix
./services/web-apps/gerrit.nix
@ -1073,7 +1075,6 @@
./services/web-servers/phpfpm/default.nix
./services/web-servers/pomerium.nix
./services/web-servers/unit/default.nix
./services/web-servers/shellinabox.nix
./services/web-servers/tomcat.nix
./services/web-servers/traefik.nix
./services/web-servers/trafficserver/default.nix
@ -1156,12 +1157,13 @@
./system/boot/systemd-nspawn.nix
./system/boot/timesyncd.nix
./system/boot/tmp.nix
./system/etc/etc.nix
./system/etc/etc-activation.nix
./tasks/auto-upgrade.nix
./tasks/bcache.nix
./tasks/cpu-freq.nix
./tasks/encrypted-devices.nix
./tasks/filesystems.nix
./tasks/filesystems/apfs.nix
./tasks/filesystems/bcachefs.nix
./tasks/filesystems/btrfs.nix
./tasks/filesystems/cifs.nix

View file

@ -14,6 +14,8 @@ in {
};
config = mkIf cfg.enable {
programs.dconf.enable = true;
environment.systemPackages = [
pkgs.calls
];

View file

@ -21,11 +21,24 @@ my $res = $dbh->selectall_arrayref(
"select package from Programs where system = ? and name = ?",
{ Slice => {} }, $system, $program);
if (!defined $res || scalar @$res == 0) {
my $len = !defined $res ? 0 : scalar @$res;
if ($len == 0) {
print STDERR "$program: command not found\n";
} elsif (scalar @$res == 1) {
} elsif ($len == 1) {
my $package = @$res[0]->{package};
if ($ENV{"NIX_AUTO_RUN"} // "") {
if ($ENV{"NIX_AUTO_RUN_INTERACTIVE"} // "") {
while (1) {
print STDERR "'$program' from package '$package' will be run, confirm? [yn]: ";
chomp(my $comfirm = <STDIN>);
if (lc $comfirm eq "n") {
exit 0;
} elsif (lc $comfirm eq "y") {
last;
}
}
}
exec("nix-shell", "-p", $package, "--run", shell_quote("exec", @ARGV));
} else {
print STDERR <<EOF;
@ -35,11 +48,30 @@ ephemeral shell by typing:
EOF
}
} else {
if ($ENV{"NIX_AUTO_RUN"} // "") {
print STDERR "Select a package that provides '$program':\n";
for my $i (0 .. $len - 1) {
print STDERR " [", $i + 1, "]: @$res[$i]->{package}\n";
}
my $choice = 0;
while (1) { # exec will break this loop
no warnings "numeric";
print STDERR "Your choice [1-${len}]: ";
# 0 can be invalid user input like non-number string
# so we start from 1
$choice = <STDIN> + 0;
if (1 <= $choice && $choice <= $len) {
exec("nix-shell", "-p", @$res[$choice - 1]->{package},
"--run", shell_quote("exec", @ARGV));
}
}
} else {
print STDERR <<EOF;
The program '$program' is not in your PATH. It is provided by several packages.
You can make it available in an ephemeral shell by typing one of the following:
EOF
print STDERR " nix-shell -p $_->{package}\n" foreach @$res;
}
}
exit 127;

View file

@ -60,7 +60,7 @@ in
environment.systemPackages = [ pkgs.dconf ];
# Needed for unwrapped applications
environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ];
environment.sessionVariables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.dconf.lib}/lib/gio/modules" ];
};
}

View file

@ -27,13 +27,11 @@ in
default = {
tmp_dir = "/tmp";
terminal_su = "${pkgs.sudo}/bin/sudo";
graphical_su = "${pkgs.gksu}/bin/gksu";
};
defaultText = literalExpression ''
{
tmp_dir = "/tmp";
terminal_su = "''${pkgs.sudo}/bin/sudo";
graphical_su = "''${pkgs.gksu}/bin/gksu";
}
'';
description = ''

View file

@ -1,28 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.programs.tilp2;
in {
options.programs.tilp2 = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable tilp2 and udev rules for supported calculators.
'';
};
};
config = mkIf cfg.enable {
services.udev.packages = [
pkgs.libticables2
];
environment.systemPackages = [
pkgs.tilp2
];
};
}

View file

@ -32,6 +32,7 @@ with lib;
'')
(mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.")
(mkRemovedOptionModule [ "networking" "wicd" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "programs" "tilp2" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "programs" "way-cooler" ] ("way-cooler is abandoned by its author: " +
"https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html"))
(mkRemovedOptionModule [ "security" "hideProcessInformation" ] ''
@ -59,6 +60,9 @@ with lib;
(mkRemovedOptionModule [ "services" "moinmoin" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "mwlib" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")
(mkRemovedOptionModule [ "services" "pantheon" "files" ] ''
This module was removed, please add pkgs.pantheon.elementary-files to environment.systemPackages directly.
'')
(mkRemovedOptionModule [ "services" "prey" ] ''
prey-bash-client is deprecated upstream
'')
@ -84,6 +88,8 @@ with lib;
The racoon module has been removed, because the software project was abandoned upstream.
'')
(mkRemovedOptionModule [ "services" "shellinabox" ] "The corresponding package was removed from nixpkgs.")
# Do NOT add any option renames here, see top of the file
];
}

View file

@ -5,7 +5,7 @@ with lib;
let
cfg = config.security.googleOsLogin;
package = pkgs.google-compute-engine-oslogin;
package = pkgs.google-guest-oslogin;
in
@ -17,7 +17,7 @@ in
type = types.bool;
default = false;
description = ''
Whether to enable Google OS Login
Whether to enable Google OS Login.
The OS Login package enables the following components:
AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
@ -36,7 +36,7 @@ in
security.pam.services.sshd = {
makeHomeDir = true;
googleOsLoginAccountVerification = true;
# disabled for now: googleOsLoginAuthentication = true;
googleOsLoginAuthentication = true;
};
security.sudo.extraConfig = ''
@ -47,6 +47,9 @@ in
"d /var/google-users.d 750 root root -"
];
systemd.packages = [ package ];
systemd.timers.google-oslogin-cache.wantedBy = [ "timers.target" ];
# enable the nss module, so user lookups etc. work
system.nssModules = [ package ];
system.nssDatabases.passwd = [ "cache_oslogin" "oslogin" ];

View file

@ -444,15 +444,15 @@ let
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
'' +
optionalString cfg.googleOsLoginAccountVerification ''
account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
'' +
''
# Authentication management.
'' +
optionalString cfg.googleOsLoginAuthentication ''
auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
auth [success=done perm_denied=die default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
'' +
optionalString cfg.rootOK ''
auth sufficient pam_rootok.so
@ -1091,11 +1091,11 @@ in
mr ${pam_ccreds}/lib/security/pam_ccreds.so,
'' +
optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so,
'' +
optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) ''
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
'' +
optionalString (config.security.pam.enableSSHAgentAuth
&& isEnabled (cfg: cfg.sshAgentAuth)) ''

View file

@ -362,6 +362,7 @@ in
wantedBy = [ "multi-user.target" ];
after = [ "systemd-tmpfiles-clean.service" ];
requires = [ "network.target" ];
serviceConfig = {
Type = "forking";
@ -371,12 +372,12 @@ in
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
LimitMEMLOCK = "infinity";
};
preStart = ''
mkdir -p /var/spool
'';
};
systemd.tmpfiles.rules = mkIf cfg.client.enable [
"d /var/spool/slurmd 755 root root -"
];
services.openssh.forwardX11 = mkIf cfg.client.enable (mkDefault true);
systemd.services.slurmctld = mkIf (cfg.server.enable) {

View file

@ -208,6 +208,7 @@ in
token=$(< "$STATE_DIRECTORY"/${newConfigTokenFilename})
RUNNER_ROOT="$STATE_DIRECTORY" ${cfg.package}/bin/config.sh \
--unattended \
--disableupdate \
--work "$RUNTIME_DIRECTORY" \
--url ${escapeShellArg cfg.url} \
--token "$token" \

View file

@ -38,7 +38,7 @@ with lib;
systemd.packages = [ pkgs.glib-networking ];
environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.glib-networking.out}/lib/gio/modules" ];
environment.sessionVariables.GIO_EXTRA_MODULES = [ "${pkgs.glib-networking.out}/lib/gio/modules" ];
};

View file

@ -57,7 +57,7 @@ in
services.udev.packages = [ pkgs.libmtp.out ];
# Needed for unwrapped applications
environment.variables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ];
environment.sessionVariables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ];
};

View file

@ -1,13 +0,0 @@
# pantheon files daemon.
{ config, pkgs, lib, ... }:
with lib;
{
imports = [
(mkRemovedOptionModule [ "services" "pantheon" "files" "enable" ] "Use `environment.systemPackages [ pkgs.pantheon.elementary-files ];`")
];
}

View file

@ -20,6 +20,9 @@ in
###### implementation
config = lib.mkIf cfg.enable {
# Load the i2c-dev module
boot.kernelModules = [ "i2c_dev" ];
# Give users access to the "gddccontrol" tool
environment.systemPackages = [
pkgs.ddccontrol

View file

@ -317,7 +317,8 @@ in
(isYes "NET")
];
boot.extraModprobeConfig = "options firmware_class path=${config.hardware.firmware}/lib/firmware";
# We don't place this into `extraModprobeConfig` so that stage-1 ramdisk doesn't bloat.
environment.etc."modprobe.d/firmware.conf".text = "options firmware_class path=${config.hardware.firmware}/lib/firmware";
system.activationScripts.udevd =
''

View file

@ -155,8 +155,8 @@ in
default = 1200;
description = ''
When <literal>usePercentageForPolicy</literal> is
<literal>false</literal>, the time remaining at which UPower will
consider the battery low.
<literal>false</literal>, the time remaining in seconds at which
UPower will consider the battery low.
If any value (of <literal>timeLow</literal>,
<literal>timeCritical</literal> and <literal>timeAction</literal>) is
@ -169,8 +169,8 @@ in
default = 300;
description = ''
When <literal>usePercentageForPolicy</literal> is
<literal>false</literal>, the time remaining at which UPower will
consider the battery critical.
<literal>false</literal>, the time remaining in seconds at which
UPower will consider the battery critical.
If any value (of <literal>timeLow</literal>,
<literal>timeCritical</literal> and <literal>timeAction</literal>) is
@ -183,8 +183,8 @@ in
default = 120;
description = ''
When <literal>usePercentageForPolicy</literal> is
<literal>false</literal>, the time remaining at which UPower will
take action for the critical battery level.
<literal>false</literal>, the time remaining in seconds at which
UPower will take action for the critical battery level.
If any value (of <literal>timeLow</literal>,
<literal>timeCritical</literal> and <literal>timeAction</literal>) is

View file

@ -45,7 +45,7 @@ in {
Restart = "on-failure";
TimeoutStopSec = 10;
ExecStart = "${pkgs.grafana-loki}/bin/promtail -config.file=${prettyJSON cfg.configuration} ${escapeShellArgs cfg.extraFlags}";
ExecStart = "${pkgs.promtail}/bin/promtail -config.file=${prettyJSON cfg.configuration} ${escapeShellArgs cfg.extraFlags}";
ProtectSystem = "strict";
ProtectHome = true;

View file

@ -43,6 +43,7 @@ in {
ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default ${cfg.defaultTarget}";
Type = "oneshot";
RemainAfterExit = false;
KillMode = "process";
};
};

View file

@ -1131,8 +1131,8 @@ in {
ExecStartPre = let
preStartFullPrivileges = ''
shopt -s dotglob nullglob
set -eu
set -o errexit -o pipefail -o nounset
shopt -s dotglob nullglob inherit_errexit
chown --no-dereference '${cfg.user}':'${cfg.group}' '${cfg.statePath}'/*
if [[ -n "$(ls -A '${cfg.statePath}'/config/)" ]]; then
@ -1142,7 +1142,8 @@ in {
in "+${pkgs.writeShellScript "gitlab-pre-start-full-privileges" preStartFullPrivileges}";
ExecStart = pkgs.writeShellScript "gitlab-config" ''
set -eu
set -o errexit -o pipefail -o nounset
shopt -s inherit_errexit
umask u=rwx,g=rx,o=
@ -1171,7 +1172,8 @@ in {
rm -f '${cfg.statePath}/config/database.yml'
${if cfg.databasePasswordFile != null then ''
export db_password="$(<'${cfg.databasePasswordFile}')"
db_password="$(<'${cfg.databasePasswordFile}')"
export db_password
if [[ -z "$db_password" ]]; then
>&2 echo "Database password was an empty string!"
@ -1195,10 +1197,11 @@ in {
rm -f '${cfg.statePath}/config/secrets.yml'
export secret="$(<'${cfg.secrets.secretFile}')"
export db="$(<'${cfg.secrets.dbFile}')"
export otp="$(<'${cfg.secrets.otpFile}')"
export jws="$(<'${cfg.secrets.jwsFile}')"
secret="$(<'${cfg.secrets.secretFile}')"
db="$(<'${cfg.secrets.dbFile}')"
otp="$(<'${cfg.secrets.otpFile}')"
jws="$(<'${cfg.secrets.jwsFile}')"
export secret db otp jws
jq -n '{production: {secret_key_base: $ENV.secret,
otp_key_base: $ENV.otp,
db_key_base: $ENV.db,
@ -1232,7 +1235,8 @@ in {
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "gitlab-db-config" ''
set -eu
set -o errexit -o pipefail -o nounset
shopt -s inherit_errexit
umask u=rwx,g=rx,o=
initial_root_password="$(<'${cfg.initialRootPasswordFile}')"

View file

@ -329,7 +329,7 @@ in {
"zwave_js"
];
in {
ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'";
ExecStart = "${package}/bin/hass --config '${cfg.configDir}'";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = "hass";
Group = "hass";

View file

@ -86,6 +86,15 @@ in
and is set to be read only.
'';
};
global.database_backend = mkOption {
type = types.enum [ "sqlite" "rocksdb" ];
default = "sqlite";
example = "rocksdb";
description = ''
The database backend for the service. Switching it on an existing
instance will require manual migration of data.
'';
};
};
};
default = {};

View file

@ -217,7 +217,6 @@ in {
package = mkOption {
type = types.package;
example = literalExpression "pkgs.mediatomb";
default = pkgs.gerbera;
defaultText = literalExpression "pkgs.gerbera";
description = ''

View file

@ -89,7 +89,7 @@ let
requireSignedBinaryCaches = "require-sigs";
trustedUsers = "trusted-users";
allowedUsers = "allowed-users";
systemFeatures = "system-feature";
systemFeatures = "system-features";
};
semanticConfType = with types;

View file

@ -13,7 +13,7 @@ let
(iniFmt.generate "PackageKit.conf" (recursiveUpdate
{
Daemon = {
DefaultBackend = "test_nop";
DefaultBackend = "nix";
KeepCache = false;
};
}
@ -35,7 +35,7 @@ let
in
{
imports = [
(mkRemovedOptionModule [ "services" "packagekit" "backend" ] "The only backend that doesn't blow up is `test_nop`.")
(mkRemovedOptionModule [ "services" "packagekit" "backend" ] "Always set to Nix.")
];
options.services.packagekit = {
@ -62,6 +62,8 @@ in
services.dbus.packages = with pkgs; [ packagekit ];
environment.systemPackages = with pkgs; [ packagekit ];
systemd.packages = with pkgs; [ packagekit ];
environment.etc = listToAttrs (map

View file

@ -6,6 +6,10 @@ let
cfg = config.services.plex;
in
{
imports = [
(mkRemovedOptionModule [ "services" "plex" "managePlugins" ] "Please omit or define the option: `services.plex.extraPlugins' instead.")
];
options = {
services.plex = {
enable = mkEnableOption "Plex Media Server";
@ -42,16 +46,6 @@ in
'';
};
managePlugins = mkOption {
type = types.bool;
default = true;
description = ''
If set to true, this option will cause all of the symlinks in Plex's
plugin directory to be removed and symlinks for paths specified in
<option>extraPlugins</option> to be added.
'';
};
extraPlugins = mkOption {
type = types.listOf types.path;
default = [];
@ -59,9 +53,7 @@ in
A list of paths to extra plugin bundles to install in Plex's plugin
directory. Every time the systemd unit for Plex starts up, all of the
symlinks in Plex's plugin directory will be cleared and this module
will symlink all of the paths specified here to that directory. If
this behavior is undesired, set <option>managePlugins</option> to
false.
will symlink all of the paths specified here to that directory.
'';
};

View file

@ -42,11 +42,11 @@ in {
serviceOpts = {
serviceConfig = {
AmbientCapabilities = [
"CAP_RAW_SYSIO"
"CAP_SYS_RAWIO"
"CAP_SYS_ADMIN"
];
CapabilityBoundingSet = [
"CAP_RAW_SYSIO"
"CAP_SYS_RAWIO"
"CAP_SYS_ADMIN"
];
DevicePolicy = "closed";

View file

@ -181,8 +181,8 @@ in
rgwMimeTypesFile = mkOption {
type = with types; nullOr path;
default = "${pkgs.mime-types}/etc/mime.types";
defaultText = literalExpression ''"''${pkgs.mime-types}/etc/mime.types"'';
default = "${pkgs.mailcap}/etc/mime.types";
defaultText = literalExpression ''"''${pkgs.mailcap}/etc/mime.types"'';
description = ''
Path to mime types used by radosgw.
'';

View file

@ -260,24 +260,17 @@ in
ipfs --offline config Mounts.IPNS ${cfg.ipnsMountDir}
'' + optionalString cfg.autoMigrate ''
${pkgs.ipfs-migrator}/bin/fs-repo-migrations -y
'' + concatStringsSep "\n" (collect
isString
(mapAttrsRecursive
(path: value:
# Using heredoc below so that the value is never improperly quoted
''
read value <<EOF
${builtins.toJSON value}
EOF
ipfs --offline config --json "${concatStringsSep "." path}" "$value"
'')
({
'' + ''
ipfs --offline config show \
| ${pkgs.jq}/bin/jq '. * $extraConfig' --argjson extraConfig ${
escapeShellArg (builtins.toJSON ({
Addresses.API = cfg.apiAddress;
Addresses.Gateway = cfg.gatewayAddress;
Addresses.Swarm = cfg.swarmAddress;
} //
cfg.extraConfig))
);
} // cfg.extraConfig))
} \
| ipfs --offline config replace -
'';
serviceConfig = {
ExecStart = [ "" "${cfg.package}/bin/ipfs daemon ${ipfsFlags}" ];
User = cfg.user;

View file

@ -0,0 +1,249 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.moosefs;
mfsUser = if cfg.runAsUser then "moosefs" else "root";
settingsFormat = let
listSep = " ";
allowedTypes = with types; [ bool int float str ];
valueToString = val:
if isList val then concatStringsSep listSep (map (x: valueToString x) val)
else if isBool val then (if val then "1" else "0")
else toString val;
in {
type = with types; let
valueType = oneOf ([
(listOf valueType)
] ++ allowedTypes) // {
description = "Flat key-value file";
};
in attrsOf valueType;
generate = name: value:
pkgs.writeText name ( lib.concatStringsSep "\n" (
lib.mapAttrsToList (key: val: "${key} = ${valueToString val}") value ));
};
initTool = pkgs.writeShellScriptBin "mfsmaster-init" ''
if [ ! -e ${cfg.master.settings.DATA_PATH}/metadata.mfs ]; then
cp ${pkgs.moosefs}/var/mfs/metadata.mfs.empty ${cfg.master.settings.DATA_PATH}
chmod +w ${cfg.master.settings.DATA_PATH}/metadata.mfs.empty
${pkgs.moosefs}/bin/mfsmaster -a -c ${masterCfg} start
${pkgs.moosefs}/bin/mfsmaster -c ${masterCfg} stop
rm ${cfg.master.settings.DATA_PATH}/metadata.mfs.empty
fi
'';
# master config file
masterCfg = settingsFormat.generate
"mfsmaster.cfg" cfg.master.settings;
# metalogger config file
metaloggerCfg = settingsFormat.generate
"mfsmetalogger.cfg" cfg.metalogger.settings;
# chunkserver config file
chunkserverCfg = settingsFormat.generate
"mfschunkserver.cfg" cfg.chunkserver.settings;
# generic template for all deamons
systemdService = name: extraConfig: configFile: {
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
serviceConfig = {
Type = "forking";
ExecStart = "${pkgs.moosefs}/bin/mfs${name} -c ${configFile} start";
ExecStop = "${pkgs.moosefs}/bin/mfs${name} -c ${configFile} stop";
ExecReload = "${pkgs.moosefs}/bin/mfs${name} -c ${configFile} reload";
PIDFile = "${cfg."${name}".settings.DATA_PATH}/.mfs${name}.lock";
} // extraConfig;
};
in {
###### interface
options = {
services.moosefs = {
masterHost = mkOption {
type = types.str;
default = null;
description = "IP or DNS name of master host.";
};
runAsUser = mkOption {
type = types.bool;
default = true;
example = true;
description = "Run daemons as user moosefs instead of root.";
};
client.enable = mkEnableOption "Moosefs client.";
master = {
enable = mkOption {
type = types.bool;
description = ''
Enable Moosefs master daemon.
You need to run <literal>mfsmaster-init</literal> on a freshly installed master server to
initialize the <literal>DATA_PATH</literal> direcory.
'';
default = false;
};
exports = mkOption {
type = with types; listOf str;
default = null;
description = "Paths to export (see mfsexports.cfg).";
example = [
"* / rw,alldirs,admin,maproot=0:0"
"* . rw"
];
};
openFirewall = mkOption {
type = types.bool;
description = "Whether to automatically open the necessary ports in the firewall.";
default = false;
};
settings = mkOption {
type = types.submodule {
freeformType = settingsFormat.type;
options.DATA_PATH = mkOption {
type = types.str;
default = "/var/lib/mfs";
description = "Data storage directory.";
};
};
description = "Contents of config file (mfsmaster.cfg).";
};
};
metalogger = {
enable = mkEnableOption "Moosefs metalogger daemon.";
settings = mkOption {
type = types.submodule {
freeformType = settingsFormat.type;
options.DATA_PATH = mkOption {
type = types.str;
default = "/var/lib/mfs";
description = "Data storage directory";
};
};
description = "Contents of metalogger config file (mfsmetalogger.cfg).";
};
};
chunkserver = {
enable = mkEnableOption "Moosefs chunkserver daemon.";
openFirewall = mkOption {
type = types.bool;
description = "Whether to automatically open the necessary ports in the firewall.";
default = false;
};
hdds = mkOption {
type = with types; listOf str;
default = null;
description = "Mount points to be used by chunkserver for storage (see mfshdd.cfg).";
example = [ "/mnt/hdd1" ];
};
settings = mkOption {
type = types.submodule {
freeformType = settingsFormat.type;
options.DATA_PATH = mkOption {
type = types.str;
default = "/var/lib/mfs";
description = "Directory for lock file.";
};
};
description = "Contents of chunkserver config file (mfschunkserver.cfg).";
};
};
};
};
###### implementation
config = mkIf ( cfg.client.enable || cfg.master.enable || cfg.metalogger.enable || cfg.chunkserver.enable ) {
warnings = [ ( mkIf (!cfg.runAsUser) "Running moosefs services as root is not recommended.") ];
# Service settings
services.moosefs = {
master.settings = mkIf cfg.master.enable {
WORKING_USER = mfsUser;
EXPORTS_FILENAME = toString ( pkgs.writeText "mfsexports.cfg"
(concatStringsSep "\n" cfg.master.exports));
};
metalogger.settings = mkIf cfg.metalogger.enable {
WORKING_USER = mfsUser;
MASTER_HOST = cfg.masterHost;
};
chunkserver.settings = mkIf cfg.chunkserver.enable {
WORKING_USER = mfsUser;
MASTER_HOST = cfg.masterHost;
HDD_CONF_FILENAME = toString ( pkgs.writeText "mfshdd.cfg"
(concatStringsSep "\n" cfg.chunkserver.hdds));
};
};
# Create system user account for daemons
users = mkIf ( cfg.runAsUser && ( cfg.master.enable || cfg.metalogger.enable || cfg.chunkserver.enable ) ) {
users.moosefs = {
isSystemUser = true;
description = "moosefs daemon user";
group = "moosefs";
};
groups.moosefs = {};
};
environment.systemPackages =
(lib.optional cfg.client.enable pkgs.moosefs) ++
(lib.optional cfg.master.enable initTool);
networking.firewall.allowedTCPPorts =
(lib.optionals cfg.master.openFirewall [ 9419 9420 9421 ]) ++
(lib.optional cfg.chunkserver.openFirewall 9422);
# Ensure storage directories exist
systemd.tmpfiles.rules =
optional cfg.master.enable "d ${cfg.master.settings.DATA_PATH} 0700 ${mfsUser} ${mfsUser}"
++ optional cfg.metalogger.enable "d ${cfg.metalogger.settings.DATA_PATH} 0700 ${mfsUser} ${mfsUser}"
++ optional cfg.chunkserver.enable "d ${cfg.chunkserver.settings.DATA_PATH} 0700 ${mfsUser} ${mfsUser}";
# Service definitions
systemd.services.mfs-master = mkIf cfg.master.enable
( systemdService "master" {
TimeoutStartSec = 1800;
TimeoutStopSec = 1800;
Restart = "no";
} masterCfg );
systemd.services.mfs-metalogger = mkIf cfg.metalogger.enable
( systemdService "metalogger" { Restart = "on-abnormal"; } metaloggerCfg );
systemd.services.mfs-chunkserver = mkIf cfg.chunkserver.enable
( systemdService "chunkserver" { Restart = "on-abnormal"; } chunkserverCfg );
};
}

View file

@ -79,7 +79,7 @@ in {
in {
services.rsync = {
enable = !cfg.socketActivated;
aliases = [ "rsyncd" ];
aliases = [ "rsyncd.service" ];
description = "fast remote file copy program daemon";
after = [ "network.target" ];

View file

@ -127,7 +127,7 @@ in {
description = "ConnMan VPN service";
wantedBy = [ "multi-user.target" ];
after = [ "syslog.target" ];
before = [ "connman" ];
before = [ "connman.service" ];
serviceConfig = {
Type = "dbus";
BusName = "net.connman.vpn";
@ -140,7 +140,7 @@ in {
description = "D-BUS Service";
serviceConfig = {
Name = "net.connman.vpn";
before = [ "connman" ];
before = [ "connman.service" ];
ExecStart = "${cfg.package}/sbin/connman-vpnd -n";
User = "root";
SystemdService = "connman-vpn.service";

View file

@ -183,6 +183,20 @@ in
config = mkIf enableDHCP {
assertions = [ {
# dhcpcd doesn't start properly with malloc ∉ [ libc scudo ]
# see https://github.com/NixOS/nixpkgs/issues/151696
assertion =
dhcpcd.enablePrivSep
-> elem config.environment.memoryAllocator.provider [ "libc" "scudo" ];
message = ''
dhcpcd with privilege separation is incompatible with chosen system malloc.
Currently only the `libc` and `scudo` allocators are known to work.
To disable dhcpcd's privilege separation, overlay Nixpkgs and override dhcpcd
to set `enablePrivSep = false`.
'';
} ];
systemd.services.dhcpcd = let
cfgN = config.networking;
hasDefaultGatewaySet = (cfgN.defaultGateway != null && cfgN.defaultGateway.address != "")

View file

@ -28,34 +28,41 @@ let
}
'';
dhcpdService = postfix: cfg: optionalAttrs cfg.enable {
dhcpdService = postfix: cfg:
let
configFile =
if cfg.configFile != null
then cfg.configFile
else writeConfig cfg;
leaseFile = "/var/lib/dhcpd${postfix}/dhcpd.leases";
args = [
"@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}"
"-pf" "/run/dhcpd${postfix}/dhcpd.pid"
"-cf" configFile
"-lf" leaseFile
] ++ cfg.extraFlags
++ cfg.interfaces;
in
optionalAttrs cfg.enable {
"dhcpd${postfix}" = {
description = "DHCPv${postfix} server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
preStart = ''
mkdir -m 755 -p ${cfg.stateDir}
chown dhcpd:nogroup ${cfg.stateDir}
touch ${cfg.stateDir}/dhcpd.leases
'';
serviceConfig =
let
configFile = if cfg.configFile != null then cfg.configFile else writeConfig cfg;
args = [ "@${pkgs.dhcp}/sbin/dhcpd" "dhcpd${postfix}" "-${postfix}"
"-pf" "/run/dhcpd${postfix}/dhcpd.pid"
"-cf" "${configFile}"
"-lf" "${cfg.stateDir}/dhcpd.leases"
"-user" "dhcpd" "-group" "nogroup"
] ++ cfg.extraFlags
++ cfg.interfaces;
in {
preStart = "touch ${leaseFile}";
serviceConfig = {
ExecStart = concatMapStringsSep " " escapeShellArg args;
Type = "forking";
Restart = "always";
RuntimeDirectory = [ "dhcpd${postfix}" ];
DynamicUser = true;
User = "dhcpd";
Group = "dhcpd";
AmbientCapabilities = [
"CAP_NET_RAW" # to send ICMP messages
"CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
];
StateDirectory = "dhcpd${postfix}";
RuntimeDirectory = "dhcpd${postfix}";
PIDFile = "/run/dhcpd${postfix}/dhcpd.pid";
};
};
@ -102,15 +109,6 @@ let
'';
};
stateDir = mkOption {
type = types.path;
# We use /var/lib/dhcp for DHCPv4 to save backwards compatibility.
default = "/var/lib/dhcp${if postfix == "4" then "" else postfix}";
description = ''
State directory for the DHCP server.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
@ -194,7 +192,13 @@ in
imports = [
(mkRenamedOptionModule [ "services" "dhcpd" ] [ "services" "dhcpd4" ])
];
] ++ flip map [ "4" "6" ] (postfix:
mkRemovedOptionModule [ "services" "dhcpd${postfix}" "stateDir" ] ''
The DHCP server state directory is now managed with the systemd's DynamicUser mechanism.
This means the directory is named after the service (dhcpd${postfix}), created under
/var/lib/private/ and symlinked to /var/lib/.
''
);
###### interface
@ -210,15 +214,6 @@ in
config = mkIf (cfg4.enable || cfg6.enable) {
users = {
users.dhcpd = {
isSystemUser = true;
group = "dhcpd";
description = "DHCP daemon user";
};
groups.dhcpd = {};
};
systemd.services = dhcpdService "4" cfg4 // dhcpdService "6" cfg6;
};

View file

@ -326,7 +326,7 @@ in
type = types.package;
default = pkgs.iptables;
defaultText = literalExpression "pkgs.iptables";
example = literalExpression "pkgs.iptables-nftables-compat";
example = literalExpression "pkgs.iptables-legacy";
description =
''
The iptables package to use for running the firewall service."

View file

@ -0,0 +1,490 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.headscale;
dataDir = "/var/lib/headscale";
runDir = "/run/headscale";
settingsFormat = pkgs.formats.yaml { };
configFile = settingsFormat.generate "headscale.yaml" cfg.settings;
in
{
options = {
services.headscale = {
enable = mkEnableOption "headscale, Open Source coordination server for Tailscale";
package = mkOption {
type = types.package;
default = pkgs.headscale;
defaultText = literalExpression "pkgs.headscale";
description = ''
Which headscale package to use for the running server.
'';
};
user = mkOption {
default = "headscale";
type = types.str;
description = ''
User account under which headscale runs.
<note><para>
If left as the default value this user will automatically be created
on system activation, otherwise you are responsible for
ensuring the user exists before the headscale service starts.
</para></note>
'';
};
group = mkOption {
default = "headscale";
type = types.str;
description = ''
Group under which headscale runs.
<note><para>
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the user exists before the headscale service starts.
</para></note>
'';
};
serverUrl = mkOption {
type = types.str;
default = "http://127.0.0.1:8080";
description = ''
The url clients will connect to.
'';
example = "https://myheadscale.example.com:443";
};
address = mkOption {
type = types.str;
default = "127.0.0.1";
description = ''
Listening address of headscale.
'';
example = "0.0.0.0";
};
port = mkOption {
type = types.port;
default = 8080;
description = ''
Listening port of headscale.
'';
example = 443;
};
privateKeyFile = mkOption {
type = types.path;
default = "${dataDir}/private.key";
description = ''
Path to private key file, generated automatically if it does not exist.
'';
};
derp = {
urls = mkOption {
type = types.listOf types.str;
default = [ "https://controlplane.tailscale.com/derpmap/default" ];
description = ''
List of urls containing DERP maps.
See <link xlink:href="https://tailscale.com/blog/how-tailscale-works/">How Tailscale works</link> for more information on DERP maps.
'';
};
paths = mkOption {
type = types.listOf types.path;
default = [ ];
description = ''
List of file paths containing DERP maps.
See <link xlink:href="https://tailscale.com/blog/how-tailscale-works/">How Tailscale works</link> for more information on DERP maps.
'';
};
autoUpdate = mkOption {
type = types.bool;
default = true;
description = ''
Whether to automatically update DERP maps on a set frequency.
'';
example = false;
};
updateFrequency = mkOption {
type = types.str;
default = "24h";
description = ''
Frequency to update DERP maps.
'';
example = "5m";
};
};
ephemeralNodeInactivityTimeout = mkOption {
type = types.str;
default = "30m";
description = ''
Time before an inactive ephemeral node is deleted.
'';
example = "5m";
};
database = {
type = mkOption {
type = types.enum [ "sqlite3" "postgres" ];
example = "postgres";
default = "sqlite3";
description = "Database engine to use.";
};
host = mkOption {
type = types.nullOr types.str;
default = null;
example = "127.0.0.1";
description = "Database host address.";
};
port = mkOption {
type = types.nullOr types.port;
default = null;
example = 3306;
description = "Database host port.";
};
name = mkOption {
type = types.nullOr types.str;
default = null;
example = "headscale";
description = "Database name.";
};
user = mkOption {
type = types.nullOr types.str;
default = null;
example = "headscale";
description = "Database user.";
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/headscale-dbpassword";
description = ''
A file containing the password corresponding to
<option>database.user</option>.
'';
};
path = mkOption {
type = types.nullOr types.str;
default = "${dataDir}/db.sqlite";
description = "Path to the sqlite3 database file.";
};
};
logLevel = mkOption {
type = types.str;
default = "info";
description = ''
headscale log level.
'';
example = "debug";
};
dns = {
nameservers = mkOption {
type = types.listOf types.str;
default = [ "1.1.1.1" ];
description = ''
List of nameservers to pass to Tailscale clients.
'';
};
domains = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Search domains to inject to Tailscale clients.
'';
example = [ "mydomain.internal" ];
};
magicDns = mkOption {
type = types.bool;
default = true;
description = ''
Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
Only works if there is at least a nameserver defined.
'';
example = false;
};
baseDomain = mkOption {
type = types.str;
default = "";
description = ''
Defines the base domain to create the hostnames for MagicDNS.
<option>baseDomain</option> must be a FQDNs, without the trailing dot.
The FQDN of the hosts will be
<literal>hostname.namespace.base_domain</literal> (e.g.
<literal>myhost.mynamespace.example.com</literal>).
'';
};
};
openIdConnect = {
issuer = mkOption {
type = types.str;
default = "";
description = ''
URL to OpenID issuer.
'';
example = "https://openid.example.com";
};
clientId = mkOption {
type = types.str;
default = "";
description = ''
OpenID Connect client ID.
'';
};
clientSecretFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to OpenID Connect client secret file.
'';
};
domainMap = mkOption {
type = types.attrsOf types.str;
default = { };
description = ''
Domain map is used to map incomming users (by their email) to
a namespace. The key can be a string, or regex.
'';
example = {
".*" = "default-namespace";
};
};
};
tls = {
letsencrypt = {
hostname = mkOption {
type = types.nullOr types.str;
default = "";
description = ''
Domain name to request a TLS certificate for.
'';
};
challengeType = mkOption {
type = types.enum [ "TLS_ALPN-01" "HTTP-01" ];
default = "HTTP-01";
description = ''
Type of ACME challenge to use, currently supported types:
<literal>HTTP-01</literal> or <literal>TLS_ALPN-01</literal>.
'';
};
httpListen = mkOption {
type = types.nullOr types.str;
default = ":http";
description = ''
When HTTP-01 challenge is chosen, letsencrypt must set up a
verification endpoint, and it will be listening on:
<literal>:http = port 80</literal>.
'';
};
};
certFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to already created certificate.
'';
};
keyFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to key for already created certificate.
'';
};
};
aclPolicyFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to a file containg ACL policies.
'';
};
settings = mkOption {
type = settingsFormat.type;
default = { };
description = ''
Overrides to <filename>config.yaml</filename> as a Nix attribute set.
This option is ideal for overriding settings not exposed as Nix options.
Check the <link xlink:href="https://github.com/juanfont/headscale/blob/main/config-example.yaml">example config</link>
for possible options.
'';
};
};
};
config = mkIf cfg.enable {
services.headscale.settings = {
server_url = mkDefault cfg.serverUrl;
listen_addr = mkDefault "${cfg.address}:${toString cfg.port}";
private_key_path = mkDefault cfg.privateKeyFile;
derp = {
urls = mkDefault cfg.derp.urls;
paths = mkDefault cfg.derp.paths;
auto_update_enable = mkDefault cfg.derp.autoUpdate;
update_frequency = mkDefault cfg.derp.updateFrequency;
};
# Turn off update checks since the origin of our package
# is nixpkgs and not Github.
disable_check_updates = true;
ephemeral_node_inactivity_timeout = mkDefault cfg.ephemeralNodeInactivityTimeout;
db_type = mkDefault cfg.database.type;
db_path = mkDefault cfg.database.path;
log_level = mkDefault cfg.logLevel;
dns_config = {
nameservers = mkDefault cfg.dns.nameservers;
domains = mkDefault cfg.dns.domains;
magic_dns = mkDefault cfg.dns.magicDns;
base_domain = mkDefault cfg.dns.baseDomain;
};
unix_socket = "${runDir}/headscale.sock";
# OpenID Connect
oidc = {
issuer = mkDefault cfg.openIdConnect.issuer;
client_id = mkDefault cfg.openIdConnect.clientId;
domain_map = mkDefault cfg.openIdConnect.domainMap;
};
tls_letsencrypt_cache_dir = "${dataDir}/.cache";
} // optionalAttrs (cfg.database.host != null) {
db_host = mkDefault cfg.database.host;
} // optionalAttrs (cfg.database.port != null) {
db_port = mkDefault cfg.database.port;
} // optionalAttrs (cfg.database.name != null) {
db_name = mkDefault cfg.database.name;
} // optionalAttrs (cfg.database.user != null) {
db_user = mkDefault cfg.database.user;
} // optionalAttrs (cfg.tls.letsencrypt.hostname != null) {
tls_letsencrypt_hostname = mkDefault cfg.tls.letsencrypt.hostname;
} // optionalAttrs (cfg.tls.letsencrypt.challengeType != null) {
tls_letsencrypt_challenge_type = mkDefault cfg.tls.letsencrypt.challengeType;
} // optionalAttrs (cfg.tls.letsencrypt.httpListen != null) {
tls_letsencrypt_listen = mkDefault cfg.tls.letsencrypt.httpListen;
} // optionalAttrs (cfg.tls.certFile != null) {
tls_cert_path = mkDefault cfg.tls.certFile;
} // optionalAttrs (cfg.tls.keyFile != null) {
tls_key_path = mkDefault cfg.tls.keyFile;
} // optionalAttrs (cfg.aclPolicyFile != null) {
acl_policy_path = mkDefault cfg.aclPolicyFile;
};
# Setup the headscale configuration in a known path in /etc to
# allow both the Server and the Client use it to find the socket
# for communication.
environment.etc."headscale/config.yaml".source = configFile;
users.groups.headscale = mkIf (cfg.group == "headscale") { };
users.users.headscale = mkIf (cfg.user == "headscale") {
description = "headscale user";
home = dataDir;
group = cfg.group;
isSystemUser = true;
};
systemd.services.headscale = {
description = "headscale coordination server for Tailscale";
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ configFile ];
script = ''
${optionalString (cfg.database.passwordFile != null) ''
export HEADSCALE_DB_PASS="$(head -n1 ${escapeShellArg cfg.database.passwordFile})"
''}
export HEADSCALE_OIDC_CLIENT_SECRET="$(head -n1 ${escapeShellArg cfg.openIdConnect.clientSecretFile})"
exec ${cfg.package}/bin/headscale serve
'';
serviceConfig =
let
capabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port < 1024) "CAP_NET_BIND_SERVICE";
in
{
Restart = "always";
Type = "simple";
User = cfg.user;
Group = cfg.group;
# Hardening options
RuntimeDirectory = "headscale";
# Allow headscale group access so users can be added and use the CLI.
RuntimeDirectoryMode = "0750";
StateDirectory = "headscale";
StateDirectoryMode = "0750";
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectHostname = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RestrictNamespaces = true;
RemoveIPC = true;
UMask = "0077";
CapabilityBoundingSet = capabilityBoundingSet;
AmbientCapabilities = capabilityBoundingSet;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
SystemCallFilter = [ "@system-service" "~@priviledged" "@chown" ];
SystemCallArchitectures = "native";
RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
};
};
};
meta.maintainers = with maintainers; [ kradalby ];
}

View file

@ -222,14 +222,12 @@ let
in concatStringsSep "\n" inTunOpts))];
in pkgs.writeText "i2pd-tunnels.conf" opts;
i2pdSh = pkgs.writeScriptBin "i2pd" ''
#!/bin/sh
exec ${cfg.package}/bin/i2pd \
${if cfg.address == null then "" else "--host="+cfg.address} \
--service \
--conf=${i2pdConf} \
--tunconf=${tunnelConf}
'';
i2pdFlags = concatStringsSep " " (
optional (cfg.address != null) ("--host=" + cfg.address) ++ [
"--service"
("--conf=" + i2pdConf)
("--tunconf=" + tunnelConf)
]);
in
@ -686,7 +684,7 @@ in
User = "i2pd";
WorkingDirectory = homeDir;
Restart = "on-abort";
ExecStart = "${i2pdSh}/bin/i2pd";
ExecStart = "${cfg.package}/bin/i2pd ${i2pdFlags}";
};
};
};

View file

@ -294,7 +294,7 @@ in
systemd.services.murmur = {
description = "Murmur Chat Service";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target "];
after = [ "network-online.target" ];
preStart = ''
${pkgs.envsubst}/bin/envsubst \
-o /run/murmur/murmurd.ini \

View file

@ -384,6 +384,17 @@ in {
so you don't need to to that yourself.
'';
};
enableFccUnlock = mkOption {
type = types.bool;
default = false;
description = ''
Enable FCC unlock procedures. Since release 1.18.4, the ModemManager daemon no longer
automatically performs the FCC unlock procedure by default. See
<link xlink:href="https://modemmanager.org/docs/modemmanager/fcc-unlock/">the docs</link>
for more details.
'';
};
};
};
@ -438,6 +449,12 @@ in {
"NetworkManager/VPN/nm-sstp-service.name".source =
"${networkmanager-sstp}/lib/NetworkManager/VPN/nm-sstp-service.name";
}
// optionalAttrs cfg.enableFccUnlock
{
"ModemManager/fcc-unlock.d".source =
"${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/*";
}
// optionalAttrs (cfg.appendNameservers != [] || cfg.insertNameservers != [])
{

View file

@ -25,9 +25,10 @@ in
for more information.
There are other programs that use iptables internally too, such as
libvirt.
libvirt. For information on how the two firewalls interact, see [2].
[1]: https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273
[2]: https://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F
'';
};
networking.nftables.ruleset = mkOption {
@ -118,20 +119,11 @@ in
flush ruleset
include "${cfg.rulesetFile}"
'';
checkScript = pkgs.writeScript "nftables-check" ''
#! ${pkgs.runtimeShell} -e
if $(${pkgs.kmod}/bin/lsmod | grep -q ip_tables); then
echo "Unload ip_tables before using nftables!" 1>&2
exit 1
else
${rulesScript}
fi
'';
in {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = checkScript;
ExecReload = checkScript;
ExecStart = rulesScript;
ExecReload = rulesScript;
ExecStop = "${pkgs.nftables}/bin/nft flush ruleset";
};
};

View file

@ -1,7 +1,6 @@
{ config, lib, pkgs, ... }:
with lib;
let
python = pkgs.python3Packages.python;
cfg = config.services.seafile;
settingsFormat = pkgs.formats.ini { };
@ -221,9 +220,7 @@ in {
'';
};
seahub = let
penv = (pkgs.python3.withPackages (ps: with ps; [ gunicorn seahub ]));
in {
seahub = {
description = "Seafile Server Web Frontend";
wantedBy = [ "seafile.target" ];
partOf = [ "seafile.target" ];
@ -231,8 +228,7 @@ in {
requires = [ "seaf-server.service" ];
restartTriggers = [ seahubSettings ];
environment = {
PYTHONPATH =
"${pkgs.python3Packages.seahub}/thirdpart:${pkgs.python3Packages.seahub}:${penv}/${python.sitePackages}";
PYTHONPATH = "${pkgs.seahub.pythonPath}:${pkgs.seahub}/thirdpart:${pkgs.seahub}";
DJANGO_SETTINGS_MODULE = "seahub.settings";
CCNET_CONF_DIR = ccnetDir;
SEAFILE_CONF_DIR = dataDir;
@ -249,7 +245,7 @@ in {
LogsDirectory = "seafile";
ConfigurationDirectory = "seafile";
ExecStart = ''
${penv}/bin/gunicorn seahub.wsgi:application \
${pkgs.seahub.python.pkgs.gunicorn}/bin/gunicorn seahub.wsgi:application \
--name seahub \
--workers ${toString cfg.workers} \
--log-level=info \
@ -262,27 +258,27 @@ in {
preStart = ''
mkdir -p ${seahubDir}/media
# Link all media except avatars
for m in `find ${pkgs.python3Packages.seahub}/media/ -maxdepth 1 -not -name "avatars"`; do
for m in `find ${pkgs.seahub}/media/ -maxdepth 1 -not -name "avatars"`; do
ln -sf $m ${seahubDir}/media/
done
if [ ! -e "${seafRoot}/.seahubSecret" ]; then
${penv}/bin/python ${pkgs.python3Packages.seahub}/tools/secret_key_generator.py > ${seafRoot}/.seahubSecret
${pkgs.seahub.python}/bin/python ${pkgs.seahub}/tools/secret_key_generator.py > ${seafRoot}/.seahubSecret
chmod 400 ${seafRoot}/.seahubSecret
fi
if [ ! -f "${seafRoot}/seahub-setup" ]; then
# avatars directory should be writable
install -D -t ${seahubDir}/media/avatars/ ${pkgs.python3Packages.seahub}/media/avatars/default.png
install -D -t ${seahubDir}/media/avatars/groups ${pkgs.python3Packages.seahub}/media/avatars/groups/default.png
install -D -t ${seahubDir}/media/avatars/ ${pkgs.seahub}/media/avatars/default.png
install -D -t ${seahubDir}/media/avatars/groups ${pkgs.seahub}/media/avatars/groups/default.png
# init database
${pkgs.python3Packages.seahub}/manage.py migrate
${pkgs.seahub}/manage.py migrate
# create admin account
${pkgs.expect}/bin/expect -c 'spawn ${pkgs.python3Packages.seahub}/manage.py createsuperuser --email=${cfg.adminEmail}; expect "Password: "; send "${cfg.initialAdminPassword}\r"; expect "Password (again): "; send "${cfg.initialAdminPassword}\r"; expect "Superuser created successfully."'
echo "${pkgs.python3Packages.seahub.version}-sqlite" > "${seafRoot}/seahub-setup"
${pkgs.expect}/bin/expect -c 'spawn ${pkgs.seahub}/manage.py createsuperuser --email=${cfg.adminEmail}; expect "Password: "; send "${cfg.initialAdminPassword}\r"; expect "Password (again): "; send "${cfg.initialAdminPassword}\r"; expect "Superuser created successfully."'
echo "${pkgs.seahub.version}-sqlite" > "${seafRoot}/seahub-setup"
fi
if [ $(cat "${seafRoot}/seahub-setup" | cut -d"-" -f1) != "${pkgs.python3Packages.seahub.version}" ]; then
if [ $(cat "${seafRoot}/seahub-setup" | cut -d"-" -f1) != "${pkgs.seahub.version}" ]; then
# update database
${pkgs.python3Packages.seahub}/manage.py migrate
echo "${pkgs.python3Packages.seahub.version}-sqlite" > "${seafRoot}/seahub-setup"
${pkgs.seahub}/manage.py migrate
echo "${pkgs.seahub.version}-sqlite" > "${seafRoot}/seahub-setup"
fi
'';
};

View file

@ -68,7 +68,7 @@ in
systemd.services.syncplay = {
description = "Syncplay Service";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target "];
after = [ "network-online.target" ];
serviceConfig = {
ExecStart = "${pkgs.syncplay}/bin/syncplay-server ${escapeShellArgs cmdArgs}";

View file

@ -0,0 +1,42 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.wg-netmanager;
in
{
options = {
services.wg-netmanager = {
enable = mkEnableOption "Wireguard network manager";
};
};
###### implementation
config = mkIf cfg.enable {
# NOTE: wg-netmanager runs as root
systemd.services.wg-netmanager = {
description = "Wireguard network manager";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
path = with pkgs; [ wireguard-tools iproute2 wireguard-go ];
serviceConfig = {
Type = "simple";
Restart = "on-failure";
ExecStart = "${pkgs.wg-netmanager}/bin/wg_netmanager";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ExecStop = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ReadWritePaths = [
"/tmp" # wg-netmanager creates files in /tmp before deleting them after use
];
};
unitConfig = {
ConditionPathExists = ["/etc/wg_netmanager/network.yaml" "/etc/wg_netmanager/peer.yaml"];
};
};
};
meta.maintainers = with maintainers; [ gin66 ];
}

View file

@ -10,14 +10,45 @@ let
cfg = config.networking.wireless;
opt = options.networking.wireless;
wpa3Protocols = [ "SAE" "FT-SAE" ];
hasMixedWPA = opts:
let
hasWPA3 = !mutuallyExclusive opts.authProtocols wpa3Protocols;
others = subtractLists wpa3Protocols opts.authProtocols;
in hasWPA3 && others != [];
# Gives a WPA3 network higher priority
increaseWPA3Priority = opts:
opts // optionalAttrs (hasMixedWPA opts)
{ priority = if opts.priority == null
then 1
else opts.priority + 1;
};
# Creates a WPA2 fallback network
mkWPA2Fallback = opts:
opts // { authProtocols = subtractLists wpa3Protocols opts.authProtocols; };
# Networks attrset as a list
networkList = mapAttrsToList (ssid: opts: opts // { inherit ssid; })
cfg.networks;
# List of all networks (normal + generated fallbacks)
allNetworks =
if cfg.fallbackToWPA2
then map increaseWPA3Priority networkList
++ map mkWPA2Fallback (filter hasMixedWPA networkList)
else networkList;
# Content of wpa_supplicant.conf
generatedConfig = concatStringsSep "\n" (
(mapAttrsToList mkNetwork cfg.networks)
(map mkNetwork allNetworks)
++ optional cfg.userControlled.enable (concatStringsSep "\n"
[ "ctrl_interface=/run/wpa_supplicant"
"ctrl_interface_group=${cfg.userControlled.group}"
"update_config=1"
])
++ [ "pmf=1" ]
++ optional cfg.scanOnLowSignal ''bgscan="simple:30:-70:3600"''
++ optional (cfg.extraConfig != "") cfg.extraConfig);
@ -33,7 +64,7 @@ let
finalConfig = ''"$RUNTIME_DIRECTORY"/wpa_supplicant.conf'';
# Creates a network block for wpa_supplicant.conf
mkNetwork = ssid: opts:
mkNetwork = opts:
let
quote = x: ''"${x}"'';
indent = x: " " + x;
@ -43,7 +74,7 @@ let
else opts.pskRaw;
options = [
"ssid=${quote ssid}"
"ssid=${quote opts.ssid}"
(if pskString != null || opts.auth != null
then "key_mgmt=${concatStringsSep " " opts.authProtocols}"
else "key_mgmt=NONE")
@ -175,6 +206,18 @@ in {
'';
};
fallbackToWPA2 = mkOption {
type = types.bool;
default = true;
description = ''
Whether to fall back to WPA2 authentication protocols if WPA3 failed.
This allows old wireless cards (that lack recent features required by
WPA3) to connect to mixed WPA2/WPA3 access points.
To avoid possible downgrade attacks, disable this options.
'';
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;

View file

@ -84,7 +84,6 @@ in {
interface eth0
{
AdvSendAdvert on;
AdvDefaultLifetime 0;
prefix ${prefix}::/64 {
AdvOnLink on;
AdvAutonomous on;

View file

@ -143,6 +143,17 @@ in
example = lib.literalExpression "[ pkgs.elasticsearchPlugins.discovery-ec2 ]";
};
restartIfChanged = mkOption {
type = types.bool;
description = ''
Automatically restart the service on config change.
This can be set to false to defer restarts on a server or cluster.
Please consider the security implications of inadvertently running an older version,
and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.
'';
default = true;
};
};
###### implementation
@ -153,6 +164,7 @@ in
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
path = [ pkgs.inetutils ];
inherit (cfg) restartIfChanged;
environment = {
ES_HOME = cfg.dataDir;
ES_JAVA_OPTS = toString cfg.extraJavaOptions;
@ -163,6 +175,8 @@ in
User = "elasticsearch";
PermissionsStartOnly = true;
LimitNOFILE = "1024000";
Restart = "always";
TimeoutStartSec = "infinity";
};
preStart = ''
${optionalString (!config.boot.isContainer) ''

View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, options, lib, pkgs, ... }:
with lib;
@ -11,7 +11,16 @@ in {
dataDir = mkOption {
default = "/var/lib/cfssl";
type = types.path;
description = "Cfssl work directory.";
description = ''
The work directory for CFSSL.
<note><para>
If left as the default value this directory will automatically be
created before the CFSSL server starts, otherwise you are
responsible for ensuring the directory exists with appropriate
ownership and permissions.
</para></note>
'';
};
address = mkOption {
@ -22,7 +31,7 @@ in {
port = mkOption {
default = 8888;
type = types.ints.u16;
type = types.port;
description = "Port to bind.";
};
@ -147,13 +156,12 @@ in {
};
config = mkIf cfg.enable {
users.extraGroups.cfssl = {
users.groups.cfssl = {
gid = config.ids.gids.cfssl;
};
users.extraUsers.cfssl = {
users.users.cfssl = {
description = "cfssl user";
createHome = true;
home = cfg.dataDir;
group = "cfssl";
uid = config.ids.uids.cfssl;
@ -164,12 +172,12 @@ in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
serviceConfig = lib.mkMerge [
{
WorkingDirectory = cfg.dataDir;
StateDirectory = cfg.dataDir;
StateDirectoryMode = 700;
Restart = "always";
User = "cfssl";
Group = "cfssl";
ExecStart = with cfg; let
opt = n: v: optionalString (v != null) ''-${n}="${v}"'';
@ -198,7 +206,12 @@ in {
(opt "db-config" dbConfig)
(opt "loglevel" (toString logLevel))
];
};
}
(mkIf (cfg.dataDir == options.services.cfssl.dataDir.default) {
StateDirectory = baseNameOf cfg.dataDir;
StateDirectoryMode = 700;
})
];
};
services.cfssl = {

View file

@ -3,12 +3,10 @@
with lib;
let
cfg = config.services.haveged;
in
{
###### interface
@ -17,14 +15,11 @@ in
services.haveged = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable to haveged entropy daemon, which refills
/dev/random when low.
enable = mkEnableOption ''
haveged entropy daemon, which refills /dev/random when low.
NOTE: does nothing on kernels newer than 5.6.
'';
};
# source for the note https://github.com/jirka-h/haveged/issues/57
refill_threshold = mkOption {
type = types.int;
@ -39,29 +34,44 @@ in
};
###### implementation
config = mkIf cfg.enable {
systemd.services.haveged =
{ description = "Entropy Harvesting Daemon";
unitConfig.Documentation = "man:haveged(8)";
wantedBy = [ "multi-user.target" ];
path = [ pkgs.haveged ];
# https://github.com/jirka-h/haveged/blob/a4b69d65a8dfc5a9f52ff8505c7f58dcf8b9234f/contrib/Fedora/haveged.service
systemd.services.haveged = {
description = "Entropy Daemon based on the HAVEGE algorithm";
unitConfig = {
Documentation = "man:haveged(8)";
DefaultDependencies = false;
ConditionKernelVersion = "<5.6";
};
wantedBy = [ "sysinit.target" ];
after = [ "systemd-tmpfiles-setup-dev.service" ];
before = [ "sysinit.target" "shutdown.target" "systemd-journald.service" ];
serviceConfig = {
ExecStart = "${pkgs.haveged}/bin/haveged -F -w ${toString cfg.refill_threshold} -v 1";
SuccessExitStatus = 143;
PrivateTmp = true;
ExecStart = "${pkgs.haveged}/bin/haveged -w ${toString cfg.refill_threshold} --Foreground -v 1";
Restart = "always";
SuccessExitStatus = "137 143";
SecureBits = "noroot-locked";
CapabilityBoundingSet = [ "CAP_SYS_ADMIN" "CAP_SYS_CHROOT" ];
# We can *not* set PrivateTmp=true as it can cause an ordering cycle.
PrivateTmp = false;
PrivateDevices = true;
PrivateNetwork = true;
ProtectSystem = "full";
ProtectHome = true;
};
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
RestrictNamespaces = true;
RestrictRealtime = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "newuname" "~@mount" ];
SystemCallErrorNumber = "EPERM";
};
};
};
}

View file

@ -131,7 +131,7 @@ in {
users.groups.vaultwarden = { };
systemd.services.vaultwarden = {
aliases = [ "bitwarden_rs" ];
aliases = [ "bitwarden_rs.service" ];
after = [ "network.target" ];
path = with pkgs; [ openssl ];
serviceConfig = {

View file

@ -52,11 +52,22 @@ in
'';
};
network.enable = mkOption {
type = types.bool;
default = false;
description = ''
Allow the cloud-init service to configure network interfaces
through systemd-networkd.
'';
};
config = mkOption {
type = types.str;
default = ''
system_info:
distro: nixos
network:
renderers: [ 'networkd' ]
users:
- root
@ -109,9 +120,12 @@ in
environment.etc."cloud/cloud.cfg".text = cfg.config;
systemd.network.enable = cfg.network.enable;
systemd.services.cloud-init-local =
{ description = "Initial cloud-init job (pre-networking)";
wantedBy = [ "multi-user.target" ];
before = ["systemd-networkd.service"];
path = path;
serviceConfig =
{ Type = "oneshot";
@ -129,7 +143,7 @@ in
"sshd.service" "sshd-keygen.service" ];
after = [ "network-online.target" "cloud-init-local.service" ];
before = [ "sshd.service" "sshd-keygen.service" ];
requires = [ "network.target "];
requires = [ "network.target"];
path = path;
serviceConfig =
{ Type = "oneshot";

View file

@ -126,6 +126,8 @@ in
config = lib.mkIf cfg.enable {
systemd.services.self-deploy = {
inherit (cfg) startAt;
wantedBy = [ "multi-user.target" ];
requires = lib.mkIf (!(isPathType cfg.repository)) [ "network-online.target" ];
@ -138,8 +140,7 @@ in
path = with pkgs; [
git
nix
systemd
];
] ++ lib.optionals (cfg.switchCommand == "boot") [ systemd ];
script = ''
if [ ! -e ${repositoryDirectory} ]; then

View file

@ -385,13 +385,13 @@ in {
else if isString v then v
else if true == v then "true"
else if false == v then "false"
else if isSecret v then v._secret
else if isSecret v then hashString "sha256" v._secret
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
};
};
secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.config);
mkSecretReplacement = file: ''
replace-secret ${escapeShellArgs [ file file "${cfg.dataDir}/.env" ]}
replace-secret ${escapeShellArgs [ (builtins.hashString "sha256" file) file "${cfg.dataDir}/.env" ]}
'';
secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ {} null ])) cfg.config;

View file

@ -0,0 +1,62 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.ethercalc;
in {
options = {
services.ethercalc = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
ethercalc, an online collaborative spreadsheet server.
Persistent state will be maintained under
<filename>/var/lib/ethercalc</filename>. Upstream supports using a
redis server for storage and recommends the redis backend for
intensive use; however, the Nix module doesn't currently support
redis.
Note that while ethercalc is a good and robust project with an active
issue tracker, there haven't been new commits since the end of 2020.
'';
};
package = mkOption {
default = pkgs.ethercalc;
defaultText = literalExpression "pkgs.ethercalc";
type = types.package;
description = "Ethercalc package to use.";
};
host = mkOption {
type = types.str;
default = "0.0.0.0";
description = "Address to listen on (use 0.0.0.0 to allow access from any address).";
};
port = mkOption {
type = types.port;
default = 8000;
description = "Port to bind to.";
};
};
};
config = mkIf cfg.enable {
systemd.services.ethercalc = {
description = "Ethercalc service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
DynamicUser = true;
ExecStart = "${cfg.package}/bin/ethercalc --host ${cfg.host} --port ${toString cfg.port}";
Restart = "always";
StateDirectory = "ethercalc";
WorkingDirectory = "/var/lib/ethercalc";
};
};
};
}

View file

@ -4,6 +4,8 @@ with lib;
let
cfg = config.services.miniflux;
defaultAddress = "localhost:8080";
dbUser = "miniflux";
dbPassword = "miniflux";
dbHost = "localhost";
@ -31,7 +33,7 @@ in
{
options = {
services.miniflux = {
enable = mkEnableOption "miniflux";
enable = mkEnableOption "miniflux and creates a local postgres database for it";
config = mkOption {
type = types.attrsOf types.str;
@ -45,6 +47,9 @@ in
Configuration for Miniflux, refer to
<link xlink:href="https://miniflux.app/docs/configuration.html"/>
for documentation on the supported values.
Correct configuration for the database is already provided.
By default, listens on ${defaultAddress}.
'';
};
@ -64,7 +69,7 @@ in
config = mkIf cfg.enable {
services.miniflux.config = {
LISTEN_ADDR = mkDefault "localhost:8080";
LISTEN_ADDR = mkDefault defaultAddress;
DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable";
RUN_MIGRATIONS = "1";
CREATE_ADMIN = "1";

View file

@ -10,8 +10,7 @@ in {
enable = mkEnableOption "plausible";
releaseCookiePath = mkOption {
default = null;
type = with types; nullOr (either str path);
type = with types; either str path;
description = ''
The path to the file with release cookie. (used for remote connection to the running node).
'';
@ -235,6 +234,8 @@ in {
script = ''
export CONFIG_DIR=$CREDENTIALS_DIRECTORY
export RELEASE_COOKIE="$(< $CREDENTIALS_DIRECTORY/RELEASE_COOKIE )"
# setup
${pkgs.plausible}/createdb.sh
${pkgs.plausible}/migrate.sh
@ -243,10 +244,8 @@ in {
psql -d plausible <<< "UPDATE users SET email_verified=true;"
fi
''}
${optionalString (cfg.releaseCookiePath != null) ''
export RELEASE_COOKIE="$(< $CREDENTIALS_DIRECTORY/RELEASE_COOKIE )"
''}
plausible start
exec plausible start
'';
serviceConfig = {
@ -257,8 +256,8 @@ in {
LoadCredential = [
"ADMIN_USER_PWD:${cfg.adminUser.passwordFile}"
"SECRET_KEY_BASE:${cfg.server.secretKeybaseFile}"
] ++ lib.optionals (cfg.mail.smtp.passwordFile != null) [ "SMTP_USER_PWD:${cfg.mail.smtp.passwordFile}"]
++ lib.optionals (cfg.releaseCookiePath != null) [ "RELEASE_COOKIE:${cfg.releaseCookiePath}"];
"RELEASE_COOKIE:${cfg.releaseCookiePath}"
] ++ lib.optionals (cfg.mail.smtp.passwordFile != null) [ "SMTP_USER_PWD:${cfg.mail.smtp.passwordFile}"];
};
};
}

View file

@ -924,7 +924,7 @@ in
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid @mincore" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ] ++ optionals (cfg.package != pkgs.tengine) [ "~@ipc" ];
};
};

View file

@ -1,122 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.shellinabox;
# If a certificate file is specified, shellinaboxd requires
# a file descriptor to retrieve it
fd = "3";
createFd = optionalString (cfg.certFile != null) "${fd}<${cfg.certFile}";
# Command line arguments for the shellinabox daemon
args = [ "--background" ]
++ optional (! cfg.enableSSL) "--disable-ssl"
++ optional (cfg.certFile != null) "--cert-fd=${fd}"
++ optional (cfg.certDirectory != null) "--cert=${cfg.certDirectory}"
++ cfg.extraOptions;
# Command to start shellinaboxd
cmd = "${pkgs.shellinabox}/bin/shellinaboxd ${concatStringsSep " " args}";
# Command to start shellinaboxd if certFile is specified
wrappedCmd = "${pkgs.bash}/bin/bash -c 'exec ${createFd} && ${cmd}'";
in
{
###### interface
options = {
services.shellinabox = {
enable = mkEnableOption "shellinabox daemon";
user = mkOption {
type = types.str;
default = "root";
description = ''
User to run shellinaboxd as. If started as root, the server drops
privileges by changing to nobody, unless overridden by the
<literal>--user</literal> option.
'';
};
enableSSL = mkOption {
type = types.bool;
default = false;
description = ''
Whether or not to enable SSL (https) support.
'';
};
certDirectory = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/certs";
description = ''
The daemon will look in this directory far any certificates.
If the browser negotiated a Server Name Identification the daemon
will look for a matching certificate-SERVERNAME.pem file. If no SNI
handshake takes place, it will fall back on using the certificate in the
certificate.pem file.
If no suitable certificate is installed, shellinaboxd will attempt to
create a new self-signed certificate. This will only succeed if, after
dropping privileges, shellinaboxd has write permissions for this
directory.
'';
};
certFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/certificate.pem";
description = "Path to server SSL certificate.";
};
extraOptions = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "--port=443" "--service /:LOGIN" ];
description = ''
A list of strings to be appended to the command line arguments
for shellinaboxd. Please see the manual page
<link xlink:href="https://code.google.com/p/shellinabox/wiki/shellinaboxd_man"/>
for a full list of available arguments.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
assertions =
[ { assertion = cfg.enableSSL == true
-> cfg.certDirectory != null || cfg.certFile != null;
message = "SSL is enabled for shellinabox, but no certDirectory or certFile has been specefied."; }
{ assertion = ! (cfg.certDirectory != null && cfg.certFile != null);
message = "Cannot set both certDirectory and certFile for shellinabox."; }
];
systemd.services.shellinaboxd = {
description = "Shellinabox Web Server Daemon";
wantedBy = [ "multi-user.target" ];
requires = [ "sshd.service" ];
after = [ "sshd.service" ];
serviceConfig = {
Type = "forking";
User = "${cfg.user}";
ExecStart = "${if cfg.certFile == null then "${cmd}" else "${wrappedCmd}"}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
};
};
};
}

View file

@ -19,7 +19,7 @@ in
# E.g., if Plasma 5 is enabled, it supersedes xterm.
imports = [
./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix
./lxqt.nix ./enlightenment.nix ./gnome.nix ./kodi.nix
./lxqt.nix ./enlightenment.nix ./gnome.nix ./retroarch.nix ./kodi.nix
./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix
./cinnamon.nix
];

View file

@ -569,6 +569,7 @@ in
atomix
five-or-more
four-in-a-row
pkgs.gnome-2048
gnome-chess
gnome-klotski
gnome-mahjongg

View file

@ -249,14 +249,5 @@ services.xserver.desktopManager.gnome = {
See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/56342">this issue.</link>
</para>
</section>
<section xml:id="sec-gnome-faq-nixos-rebuild-switch-kills-session">
<title>Why does <literal>nixos-rebuild switch</literal> sometimes kill my session?</title>
<para>
This is a known <link xlink:href="https://github.com/NixOS/nixpkgs/issues/44344">issue</link> without any workarounds.
If you are doing a fairly large upgrade, it is probably safer to use <literal>nixos-rebuild boot</literal>.
</para>
</section>
</section>
</chapter>

View file

@ -135,6 +135,7 @@ in
services.bamf.enable = true;
services.colord.enable = mkDefault true;
services.fwupd.enable = mkDefault true;
services.packagekit.enable = mkDefault true;
services.touchegg.enable = mkDefault true;
services.touchegg.package = pkgs.pantheon.touchegg;
services.tumbler.enable = mkDefault true;
@ -224,7 +225,6 @@ in
programs.file-roller.package = pkgs.pantheon.file-roller;
# Settings from elementary-default-settings
environment.sessionVariables.GTK_CSD = "1";
environment.etc."gtk-3.0/settings.ini".source = "${pkgs.pantheon.elementary-default-settings}/etc/gtk-3.0/settings.ini";
xdg.portal.extraPortals = with pkgs.pantheon; [
@ -273,7 +273,7 @@ in
})
(mkIf serviceCfg.apps.enable {
environment.systemPackages = (with pkgs.pantheon; pkgs.gnome.removePackagesByName [
environment.systemPackages = with pkgs.pantheon; pkgs.gnome.removePackagesByName ([
elementary-calculator
elementary-calendar
elementary-camera
@ -287,7 +287,11 @@ in
elementary-terminal
elementary-videos
epiphany
] config.environment.pantheon.excludePackages);
] ++ lib.optionals config.services.flatpak.enable [
# Only install appcenter if flatpak is enabled before
# https://github.com/NixOS/nixpkgs/issues/15932 is resolved.
appcenter
]) config.environment.pantheon.excludePackages;
# needed by screenshot
fonts.fonts = [

View file

@ -105,10 +105,10 @@ switchboard-with-plugs.override {
</term>
<listitem>
<para>
AppCenter has been available since 20.03, but it is of little use. This is because there is no functioning PackageKit backend for Nix 2.0. Starting from 21.11, the Flatpak backend should work so you can install some Flatpak applications using it. See this <link xlink:href="https://github.com/NixOS/nixpkgs/issues/70214">issue</link>.
AppCenter has been available since 20.03. Starting from 21.11, the Flatpak backend should work so you can install some Flatpak applications using it. However, due to missing appstream metadata, the Packagekit backend does not function currently. See this <link xlink:href="https://github.com/NixOS/nixpkgs/issues/15932">issue</link>.
</para>
<para>
To use AppCenter on NixOS, add <literal>pantheon.appcenter</literal> to <xref linkend="opt-environment.systemPackages" />, <link linkend="module-services-flatpak">enable Flatpak support</link> and optionally add the <literal>appcenter</literal> Flatpak remote:
If you are using Pantheon, AppCenter should be installed by default if you have <link linkend="module-services-flatpak">Flatpak support</link> enabled. If you also wish to add the <literal>appcenter</literal> Flatpak remote:
</para>
<screen>
<prompt>$ </prompt>flatpak remote-add --if-not-exists appcenter https://flatpak.elementary.io/repo.flatpakrepo

View file

@ -0,0 +1,40 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.services.xserver.desktopManager.retroarch;
in {
options.services.xserver.desktopManager.retroarch = {
enable = mkEnableOption "RetroArch";
package = mkOption {
type = types.package;
default = pkgs.retroarch;
defaultText = literalExpression "pkgs.retroarch";
example = literalExpression "pkgs.retroarch-full";
description = "RetroArch package to use.";
};
extraArgs = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "--verbose" "--host" ];
description = "Extra arguments to pass to RetroArch.";
};
};
config = mkIf cfg.enable {
services.xserver.desktopManager.session = [{
name = "RetroArch";
start = ''
${cfg.package}/bin/retroarch -f ${escapeShellArgs cfg.extraArgs} &
waitPID=$!
'';
}];
environment.systemPackages = [ cfg.package ];
};
meta.maintainers = with maintainers; [ j0hax ];
}

View file

@ -53,6 +53,8 @@ in
"autoLogin"
"user"
])
(mkRemovedOptionModule [ "services" "xserver" "displayManager" "gdm" "nvidiaWayland" ] "We defer to GDM whether Wayland should be enabled.")
];
meta = {
@ -83,17 +85,6 @@ in
default = true;
description = ''
Allow GDM to run on Wayland instead of Xserver.
Note to enable Wayland with Nvidia the <option>nvidiaWayland</option>
must not be disabled.
'';
};
nvidiaWayland = mkOption {
type = types.bool;
default = true;
description = ''
Whether to allow wayland to be used with the proprietary
NVidia graphics driver.
'';
};
@ -149,7 +140,8 @@ in
environment = {
GDM_X_SERVER_EXTRA_ARGS = toString
(filter (arg: arg != "-terminate") cfg.xserverArgs);
XDG_DATA_DIRS = "${cfg.sessionData.desktops}/share/";
# GDM is needed for gnome-login.session
XDG_DATA_DIRS = "${gdm}/share:${cfg.sessionData.desktops}/share";
} // optionalAttrs (xSessionWrapper != null) {
# Make GDM use this wrapper before running the session, which runs the
# configured setupCommands. This relies on a patched GDM which supports
@ -230,19 +222,6 @@ in
services.dbus.packages = [ gdm ];
# We duplicate upstream's udev rules manually to make wayland with nvidia configurable
services.udev.extraRules = ''
# disable Wayland on Cirrus chipsets
ATTR{vendor}=="0x1013", ATTR{device}=="0x00b8", ATTR{subsystem_vendor}=="0x1af4", ATTR{subsystem_device}=="0x1100", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false"
# disable Wayland on Hi1710 chipsets
ATTR{vendor}=="0x19e5", ATTR{device}=="0x1711", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false"
${optionalString (!cfg.gdm.nvidiaWayland) ''
DRIVER=="nvidia", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false"
''}
# disable Wayland when modesetting is disabled
IMPORT{cmdline}="nomodeset", RUN+="${gdm}/libexec/gdm-runtime-config set daemon WaylandEnable false"
'';
systemd.user.services.dbus.wantedBy = [ "default.target" ];
programs.dconf.profiles.gdm =

View file

@ -282,6 +282,9 @@ checkFS() {
# Don't check resilient COWs as they validate the fs structures at mount time
if [ "$fsType" = btrfs -o "$fsType" = zfs -o "$fsType" = bcachefs ]; then return 0; fi
# Skip fsck for apfs as the fsck utility does not support repairing the filesystem (no -a option)
if [ "$fsType" = apfs ]; then return 0; fi
# Skip fsck for nilfs2 - not needed by design and no fsck tool for this filesystem.
if [ "$fsType" = nilfs2 ]; then return 0; fi

View file

@ -350,6 +350,9 @@ let
'';
symlink = "/etc/modprobe.d/ubuntu.conf";
}
{ object = config.environment.etc."modprobe.d/nixos.conf".source;
symlink = "/etc/modprobe.d/nixos.conf";
}
{ object = pkgs.kmod-debian-aliases;
symlink = "/etc/modprobe.d/debian.conf";
}

View file

@ -25,9 +25,11 @@ let
"nss-lookup.target"
"nss-user-lookup.target"
"time-sync.target"
] ++ (optionals cfg.package.withCryptsetup [
"cryptsetup.target"
"cryptsetup-pre.target"
"remote-cryptsetup.target"
]) ++ [
"sigpwr.target"
"timers.target"
"paths.target"

View file

@ -0,0 +1,12 @@
{ config, lib, ... }:
let
inherit (lib) stringAfter;
in {
imports = [ ./etc.nix ];
config = {
system.activationScripts.etc =
stringAfter [ "users" "groups" ] config.system.build.etcActivationCommands;
};
}

View file

@ -66,6 +66,8 @@ in
{
imports = [ ../build.nix ];
###### interface
options = {
@ -188,14 +190,12 @@ in
config = {
system.build.etc = etc;
system.activationScripts.etc = stringAfter [ "users" "groups" ]
system.build.etcActivationCommands =
''
# Set up the statically computed bits of /etc.
echo "setting up /etc..."
${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl ${./setup-etc.pl} ${etc}/etc
'';
};
}

View file

@ -0,0 +1,70 @@
{ lib
, coreutils
, fakechroot
, fakeroot
, evalMinimalConfig
, pkgsModule
, runCommand
, util-linux
, vmTools
, writeText
}:
let
node = evalMinimalConfig ({ config, ... }: {
imports = [ pkgsModule ../etc/etc.nix ];
environment.etc."passwd" = {
text = passwdText;
};
environment.etc."hosts" = {
text = hostsText;
mode = "0751";
};
});
passwdText = ''
root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash
'';
hostsText = ''
127.0.0.1 localhost
::1 localhost
# testing...
'';
in
lib.recurseIntoAttrs {
test-etc-vm =
vmTools.runInLinuxVM (runCommand "test-etc-vm" { } ''
mkdir -p /etc
${node.config.system.build.etcActivationCommands}
set -x
[[ -L /etc/passwd ]]
diff /etc/passwd ${writeText "expected-passwd" passwdText}
[[ 751 = $(stat --format %a /etc/hosts) ]]
diff /etc/hosts ${writeText "expected-hosts" hostsText}
set +x
touch $out
'');
# fakeroot is behaving weird
test-etc-fakeroot =
runCommand "test-etc"
{
nativeBuildInputs = [
fakeroot
fakechroot
# for chroot
coreutils
# fakechroot needs getopt, which is provided by util-linux
util-linux
];
fakeRootCommands = ''
mkdir -p /etc
${node.config.system.build.etcActivationCommands}
diff /etc/hosts ${writeText "expected-hosts" hostsText}
touch $out
'';
} ''
mkdir fake-root
export FAKECHROOT_EXCLUDE_PATH=/dev:/proc:/sys:${builtins.storeDir}:$out
fakechroot fakeroot chroot $PWD/fake-root bash -c 'source $stdenv/setup; eval "$fakeRootCommands"'
'';
}

View file

@ -250,7 +250,7 @@ in
environment.etc.fstab.text =
let
fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" ];
fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" "apfs" ];
skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck;
# https://wiki.archlinux.org/index.php/fstab#Filepath_spaces
escape = string: builtins.replaceStrings [ " " "\t" ] [ "\\040" "\\011" ] string;

View file

@ -0,0 +1,22 @@
{ config, lib, pkgs, ... }:
with lib;
let
inInitrd = any (fs: fs == "apfs") config.boot.initrd.supportedFilesystems;
in
{
config = mkIf (any (fs: fs == "apfs") config.boot.supportedFilesystems) {
system.fsPackages = [ pkgs.apfsprogs ];
boot.extraModulePackages = [ config.boot.kernelPackages.apfs ];
boot.initrd.kernelModules = mkIf inInitrd [ "apfs" ];
# Don't copy apfsck into the initramfs since it does not support repairing the filesystem
};
}

View file

@ -305,7 +305,7 @@ let
enable = mkOption {
type = types.bool;
default = false;
description = "Wether to enable wol on this interface.";
description = "Whether to enable wol on this interface.";
};
};
};

Some files were not shown because too many files have changed in this diff Show more