Project import generated by Copybara.

GitOrigin-RevId: ac718d02867a84b42522a0ece52d841188208f2c
This commit is contained in:
Default email 2023-03-15 17:39:30 +01:00
parent e0ebec161a
commit 83405b6dd2
3567 changed files with 46874 additions and 24147 deletions

View file

@ -237,6 +237,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/pkgs/applications/editors/vim/plugins @figsoda @jonringer
# VsCode Extensions
/pkgs/applications/editors/vscode @superherointj
/pkgs/applications/editors/vscode/extensions @jonringer
# Prometheus exporter modules and tests

View file

@ -0,0 +1,21 @@
name: "Check that maintainer list is sorted"
on:
pull_request:
paths:
- 'maintainers/maintainer-list.nix'
permissions:
contents: read
jobs:
nixos:
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:
- uses: actions/checkout@v3
- uses: cachix/install-nix-action@v19
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true
- name: Check that maintainer-list.nix is sorted
run: nix-instantiate --eval maintainers/scripts/check-maintainers-sorted.nix

View file

@ -71,6 +71,7 @@ The main difference between `fetchurl` and `fetchzip` is in how they store the c
- `relative`: Similar to using `git-diff`'s `--relative` flag, only keep changes inside the specified directory, making paths relative to it.
- `stripLen`: Remove the first `stripLen` components of pathnames in the patch.
- `decode`: Pipe the downloaded data through this command before processing it as a patch.
- `extraPrefix`: Prefix pathnames by this string.
- `excludes`: Exclude files matching these patterns (applies after the above arguments).
- `includes`: Include only files matching these patterns (applies after the above arguments).

View file

@ -116,10 +116,6 @@ For convenience, it also adds `dconf.lib` for a GIO module implementing a GSetti
- []{#ssec-gnome-hooks-gobject-introspection} `gobject-introspection` setup hook populates `GI_TYPELIB_PATH` variable with `lib/girepository-1.0` directories of dependencies, which is then added to wrapper by `wrapGAppsHook`. It also adds `share` directories of dependencies to `XDG_DATA_DIRS`, which is intended to promote GIR files but it also [pollutes the closures](https://github.com/NixOS/nixpkgs/issues/32790) of packages using `wrapGAppsHook`.
::: {.warning}
The setup hook [currently](https://github.com/NixOS/nixpkgs/issues/56943) does not work in expressions with `strictDeps` enabled, like Python packages. In those cases, you will need to disable it with `strictDeps = false;`.
:::
- []{#ssec-gnome-hooks-gst-grl-plugins} Setup hooks of `gst_all_1.gstreamer` and `grilo` will populate the `GST_PLUGIN_SYSTEM_PATH_1_0` and `GRL_PLUGIN_PATH` variables, respectively, which will then be added to the wrapper by `wrapGAppsHook`.
You can also pass additional arguments to `makeWrapper` using `gappsWrapperArgs` in `preFixup` hook:

View file

@ -71,8 +71,10 @@ $ nix-env -f '<nixpkgs>' -qaP -A haskell.compiler
haskell.compiler.ghc810 ghc-8.10.7
haskell.compiler.ghc88 ghc-8.8.4
haskell.compiler.ghc90 ghc-9.0.2
haskell.compiler.ghc92 ghc-9.2.4
haskell.compiler.ghc924 ghc-9.2.4
haskell.compiler.ghc925 ghc-9.2.5
haskell.compiler.ghc926 ghc-9.2.6
haskell.compiler.ghc92 ghc-9.2.7
haskell.compiler.ghc942 ghc-9.4.2
haskell.compiler.ghc943 ghc-9.4.3
haskell.compiler.ghc94 ghc-9.4.4
@ -86,13 +88,15 @@ haskell.compiler.ghc924Binary ghc-binary-9.2.4
haskell.compiler.ghc924BinaryMinimal ghc-binary-9.2.4
haskell.compiler.integer-simple.ghc810 ghc-integer-simple-8.10.7
haskell.compiler.integer-simple.ghc8107 ghc-integer-simple-8.10.7
haskell.compiler.integer-simple.ghc884 ghc-integer-simple-8.8.4
haskell.compiler.integer-simple.ghc88 ghc-integer-simple-8.8.4
haskell.compiler.integer-simple.ghc884 ghc-integer-simple-8.8.4
haskell.compiler.native-bignum.ghc90 ghc-native-bignum-9.0.2
haskell.compiler.native-bignum.ghc902 ghc-native-bignum-9.0.2
haskell.compiler.native-bignum.ghc92 ghc-native-bignum-9.2.4
haskell.compiler.native-bignum.ghc924 ghc-native-bignum-9.2.4
haskell.compiler.native-bignum.ghc925 ghc-native-bignum-9.2.5
haskell.compiler.native-bignum.ghc926 ghc-native-bignum-9.2.6
haskell.compiler.native-bignum.ghc92 ghc-native-bignum-9.2.7
haskell.compiler.native-bignum.ghc927 ghc-native-bignum-9.2.7
haskell.compiler.native-bignum.ghc942 ghc-native-bignum-9.4.2
haskell.compiler.native-bignum.ghc943 ghc-native-bignum-9.4.3
haskell.compiler.native-bignum.ghc94 ghc-native-bignum-9.4.4
@ -105,15 +109,15 @@ Each of those compiler versions has a corresponding attribute set built using
it. However, the non-standard package sets are not tested regularly and, as a
result, contain fewer working packages. The corresponding package set for GHC
9.4.4 is `haskell.packages.ghc944`. In fact `haskellPackages` is just an alias
for `haskell.packages.ghc924`:
for `haskell.packages.ghc927`:
```console
$ nix-env -f '<nixpkgs>' -qaP -A haskell.packages.ghc924
haskell.packages.ghc924.a50 a50-0.5
haskell.packages.ghc924.AAI AAI-0.2.0.1
haskell.packages.ghc924.aasam aasam-0.2.0.0
haskell.packages.ghc924.abacate abacate-0.0.0.0
haskell.packages.ghc924.abc-puzzle abc-puzzle-0.2.1
$ nix-env -f '<nixpkgs>' -qaP -A haskell.packages.ghc927
haskell.packages.ghc927.a50 a50-0.5
haskell.packages.ghc927.AAI AAI-0.2.0.1
haskell.packages.ghc927.aasam aasam-0.2.0.0
haskell.packages.ghc927.abacate abacate-0.0.0.0
haskell.packages.ghc927.abc-puzzle abc-puzzle-0.2.1
```

View file

@ -13,7 +13,7 @@ into your `configuration.nix` or bring them into scope with `nix-shell -p rustc
For other versions such as daily builds (beta and nightly),
use either `rustup` from nixpkgs (which will manage the rust installation in your home directory),
or use a community maintained [Rust overlay](#using-community-rust-overlays).
or use [community maintained Rust toolchains](#using-community-maintained-rust-toolchains).
## `buildRustPackage`: Compiling Rust applications with Cargo {#compiling-rust-applications-with-cargo}
@ -686,31 +686,61 @@ $ cargo build
$ cargo test
```
### Controlling Rust Version Inside `nix-shell` {#controlling-rust-version-inside-nix-shell}
## Using community maintained Rust toolchains {#using-community-maintained-rust-toolchains}
To control your rust version (i.e. use nightly) from within `shell.nix` (or
other nix expressions) you can use the following `shell.nix`
::: {.note}
Note: The following projects cannot be used within nixpkgs since [IFD](#ssec-import-from-derivation) is disallowed.
To package things that require Rust nightly, `RUSTC_BOOTSTRAP = true;` can sometimes be used as a hack.
:::
There are two community maintained approaches to Rust toolchain management:
- [oxalica's Rust overlay](https://github.com/oxalica/rust-overlay)
- [fenix](https://github.com/nix-community/fenix)
Despite their names, both projects provides a similar set of packages and overlays under different APIs.
Oxalica's overlay allows you to select a particular Rust version without you providing a hash or a flake input,
but comes with a larger git repository than fenix.
Fenix also provides rust-analyzer nightly in addition to the Rust toolchains.
Both oxalica's overlay and fenix better integrate with nix and cache optimizations.
Because of this and ergonomics, either of those community projects
should be preferred to the Mozilla's Rust overlay ([nixpkgs-mozilla](https://github.com/mozilla/nixpkgs-mozilla)).
The following documentation demonstrates examples using fenix and oxalica's Rust overlay
with `nix-shell` and building derivations. More advanced usages like flake usage
are documented in their own repositories.
### Using Rust nightly with `nix-shell` {#using-rust-nightly-with-nix-shell}
Here is a simple `shell.nix` that provides Rust nightly (default profile) using fenix:
```nix
# Latest Nightly
with import <nixpkgs> {};
let src = fetchFromGitHub {
owner = "mozilla";
repo = "nixpkgs-mozilla";
# commit from: 2019-05-15
rev = "9f35c4b09fd44a77227e79ff0c1b4b6a69dff533";
hash = "sha256-18h0nvh55b5an4gmlgfbvwbyqj91bklf1zymis6lbdh75571qaz0=";
};
with import <nixpkgs> { };
let
fenix = callPackage
(fetchFromGitHub {
owner = "nix-community";
repo = "fenix";
# commit from: 2023-03-03
rev = "e2ea04982b892263c4d939f1cc3bf60a9c4deaa1";
hash = "sha256-AsOim1A8KKtMWIxG+lXh5Q4P2bhOZjoUhFWJ1EuZNNk=";
})
{ };
in
with import "${src.out}/rust-overlay.nix" pkgs pkgs;
stdenv.mkDerivation {
mkShell {
name = "rust-env";
buildInputs = [
# Note: to use stable, just replace `nightly` with `stable`
latest.rustChannels.nightly.rust
nativeBuildInputs = [
# Note: to use stable, just replace `default` with `stable`
fenix.default.toolchain
# Add some extra dependencies from `pkgs`
pkg-config openssl
# Example Build-time Additional Dependencies
pkg-config
];
buildInputs = [
# Example Run-time Additional Dependencies
openssl
];
# Set Environment Variables
@ -718,116 +748,66 @@ stdenv.mkDerivation {
}
```
Now run:
Save this to `shell.nix`, then run:
```ShellSession
$ rustc --version
rustc 1.26.0-nightly (188e693b3 2018-03-26)
rustc 1.69.0-nightly (13471d3b2 2023-03-02)
```
To see that you are using nightly.
## Using community Rust overlays {#using-community-rust-overlays}
Oxalica's Rust overlay has more complete examples of `shell.nix` (and cross compilation) under its
[`examples` directory](https://github.com/oxalica/rust-overlay/tree/e53e8853aa7b0688bc270e9e6a681d22e01cf299/examples).
There are two community maintained approaches to Rust toolchain management:
- [oxalica's Rust overlay](https://github.com/oxalica/rust-overlay)
- [fenix](https://github.com/nix-community/fenix)
### Using Rust nightly in a derivation with `buildRustPackage` {#using-rust-nightly-in-a-derivation-with-buildrustpackage}
Oxalica's overlay allows you to select a particular Rust version and components.
See [their documentation](https://github.com/oxalica/rust-overlay#rust-overlay) for more
detailed usage.
You can also use Rust nightly to build rust packages using `makeRustPlatform`.
The below snippet demonstrates invoking `buildRustPackage` with a Rust toolchain from oxalica's overlay:
Fenix is an alternative to `rustup` and can also be used as an overlay.
Both oxalica's overlay and fenix better integrate with nix and cache optimizations.
Because of this and ergonomics, either of those community projects
should be preferred to the Mozilla's Rust overlay (`nixpkgs-mozilla`).
### How to select a specific `rustc` and toolchain version {#how-to-select-a-specific-rustc-and-toolchain-version}
You can consume the oxalica overlay and use it to grab a specific Rust toolchain version.
Here is an example `shell.nix` showing how to grab the current stable toolchain:
```nix
{ pkgs ? import <nixpkgs> {
overlays = [
(import (fetchTarball "https://github.com/oxalica/rust-overlay/archive/master.tar.gz"))
];
}
}:
pkgs.mkShell {
nativeBuildInputs = with pkgs; [
pkg-config
rust-bin.stable.latest.minimal
];
}
```
You can try this out by:
1. Saving that to `shell.nix`
2. Executing `nix-shell --pure --command 'rustc --version'`
As of writing, this prints out `rustc 1.56.0 (09c42c458 2021-10-18)`.
### How to use an overlay toolchain in a derivation {#how-to-use-an-overlay-toolchain-in-a-derivation}
You can also use an overlay's Rust toolchain with `buildRustPackage`.
The below snippet demonstrates invoking `buildRustPackage` with an oxalica overlay selected Rust toolchain:
```nix
with import <nixpkgs> {
with import <nixpkgs>
{
overlays = [
(import (fetchTarball "https://github.com/oxalica/rust-overlay/archive/master.tar.gz"))
];
};
let
rustPlatform = makeRustPlatform {
cargo = rust-bin.stable.latest.minimal;
rustc = rust-bin.stable.latest.minimal;
};
in
rustPlatform.buildRustPackage rec {
pname = "ripgrep";
version = "12.1.1";
nativeBuildInputs = [
rust-bin.stable.latest.minimal
];
src = fetchFromGitHub {
owner = "BurntSushi";
repo = "ripgrep";
rev = version;
hash = "sha256-1hqps7l5qrjh9f914r5i6kmcz6f1yb951nv4lby0cjnp5l253kps=";
hash = "sha256-+s5RBC3XSgb8omTbUNLywZnP6jSxZBKSS1BmXOjRF8M=";
};
cargoSha256 = "03wf9r2csi6jpa7v5sw5lpxkrk4wfzwmzx7k3991q3bdjzcwnnwp";
cargoHash = "sha256-l1vL2ZdtDRxSGvP0X/l3nMw8+6WF67KPutJEzUROjg8=";
doCheck = false;
meta = with lib; {
description = "A fast line-oriented regex search tool, similar to ag and ack";
homepage = "https://github.com/BurntSushi/ripgrep";
license = licenses.unlicense;
maintainers = [ maintainers.tailhook ];
license = with licenses; [ mit unlicense ];
maintainers = with maintainers; [ tailhook ];
};
}
```
Follow the below steps to try that snippet.
1. create a new directory
1. save the above snippet as `default.nix` in that directory
1. cd into that directory and run `nix-build`
2. cd into that directory and run `nix-build`
### Rust overlay installation {#rust-overlay-installation}
You can use this overlay by either changing your local nixpkgs configuration,
or by adding the overlay declaratively in a nix expression, e.g. in `configuration.nix`.
For more information see [the manual on installing overlays](#sec-overlays-install).
### Declarative Rust overlay installation {#declarative-rust-overlay-installation}
This snippet shows how to use oxalica's Rust overlay.
Add the following to your `configuration.nix`, `home-configuration.nix`, `shell.nix`, or similar:
```nix
{ pkgs ? import <nixpkgs> {
overlays = [
(import (builtins.fetchTarball "https://github.com/oxalica/rust-overlay/archive/master.tar.gz"))
# Further overlays go here
];
};
};
```
Note that this will fetch the latest overlay version when rebuilding your system.
Fenix also has examples with `buildRustPackage`,
[crane](https://github.com/ipetkov/crane),
[naersk](https://github.com/nix-community/naersk),
and cross compilation in its [Examples](https://github.com/nix-community/fenix#examples) section.

View file

@ -333,6 +333,66 @@ rec {
) (attrNames set)
);
/*
Like builtins.foldl' but for attribute sets.
Iterates over every name-value pair in the given attribute set.
The result of the callback function is often called `acc` for accumulator. It is passed between callbacks from left to right and the final `acc` is the return value of `foldlAttrs`.
Attention:
There is a completely different function
`lib.foldAttrs`
which has nothing to do with this function, despite the similar name.
Example:
foldlAttrs
(acc: name: value: {
sum = acc.sum + value;
names = acc.names ++ [name];
})
{ sum = 0; names = []; }
{
foo = 1;
bar = 10;
}
->
{
sum = 11;
names = ["bar" "foo"];
}
foldlAttrs
(throw "function not needed")
123
{};
->
123
foldlAttrs
(_: _: v: v)
(throw "initial accumulator not needed")
{ z = 3; a = 2; };
->
3
The accumulator doesn't have to be an attrset.
It can be as simple as a number or string.
foldlAttrs
(acc: _: v: acc * 10 + v)
1
{ z = 1; a = 2; };
->
121
Type:
foldlAttrs :: ( a -> String -> b -> a ) -> a -> { ... :: b } -> a
*/
foldlAttrs = f: init: set:
foldl'
(acc: name: f acc name set.${name})
init
(attrNames set);
/* Apply fold functions to values grouped by key.
Example:

View file

@ -78,7 +78,7 @@ let
composeManyExtensions makeExtensible makeExtensibleWithCustomName;
inherit (self.attrsets) attrByPath hasAttrByPath setAttrByPath
getAttrFromPath attrVals attrValues getAttrs catAttrs filterAttrs
filterAttrsRecursive foldAttrs collect nameValuePair mapAttrs
filterAttrsRecursive foldlAttrs foldAttrs collect nameValuePair mapAttrs
mapAttrs' mapAttrsToList concatMapAttrs mapAttrsRecursive mapAttrsRecursiveCond
genAttrs isDerivation toDerivation optionalAttrs
zipAttrsWithNames zipAttrsWith zipAttrs recursiveUpdateUntil

View file

@ -21,6 +21,7 @@ let
isBool
isFunction
isList
isPath
isString
length
mapAttrs
@ -45,6 +46,9 @@ let
showOption
unknownModule
;
inherit (lib.strings)
isConvertibleWithToString
;
showDeclPrefix = loc: decl: prefix:
" - option(s) with prefix `${showOption (loc ++ [prefix])}' in module `${decl._file}'";
@ -403,7 +407,7 @@ rec {
key = module.key;
module = module;
modules = collectedImports.modules;
disabled = module.disabledModules ++ collectedImports.disabled;
disabled = (if module.disabledModules != [] then [{ file = module._file; disabled = module.disabledModules; }] else []) ++ collectedImports.disabled;
}) initialModules);
# filterModules :: String -> { disabled, modules } -> [ Module ]
@ -412,10 +416,30 @@ rec {
# modules recursively. It returns the final list of unique-by-key modules
filterModules = modulesPath: { disabled, modules }:
let
moduleKey = m: if isString m && (builtins.substring 0 1 m != "/")
then toString modulesPath + "/" + m
else toString m;
disabledKeys = map moduleKey disabled;
moduleKey = file: m:
if isString m
then
if builtins.substring 0 1 m == "/"
then m
else toString modulesPath + "/" + m
else if isConvertibleWithToString m
then
if m?key && m.key != toString m
then
throw "Module `${file}` contains a disabledModules item that is an attribute set that can be converted to a string (${toString m}) but also has a `.key` attribute (${m.key}) with a different value. This makes it ambiguous which module should be disabled."
else
toString m
else if m?key
then
m.key
else if isAttrs m
then throw "Module `${file}` contains a disabledModules item that is an attribute set, presumably a module, that does not have a `key` attribute. This means that the module system doesn't have any means to identify the module that should be disabled. Make sure that you've put the correct value in disabledModules: a string path relative to modulesPath, a path value, or an attribute set with a `key` attribute."
else throw "Each disabledModules item must be a path, string, or a attribute set with a key attribute, or a value supported by toString. However, one of the disabledModules items in `${toString file}` is none of that, but is of type ${builtins.typeOf m}.";
disabledKeys = concatMap ({ file, disabled }: map (moduleKey file) disabled) disabled;
keyFilter = filter (attrs: ! elem attrs.key disabledKeys);
in map (attrs: attrs.module) (builtins.genericClosure {
startSet = keyFilter modules;

View file

@ -15,6 +15,9 @@ let
last
genList
elemAt
all
concatMap
foldl'
;
inherit (lib.strings)
@ -190,6 +193,80 @@ in /* No rec! Add dependencies on this file at the top. */ {
subpathInvalidReason value == null;
/* Join subpath strings together using `/`, returning a normalised subpath string.
Like `concatStringsSep "/"` but safer, specifically:
- All elements must be valid subpath strings, see `lib.path.subpath.isValid`
- The result gets normalised, see `lib.path.subpath.normalise`
- The edge case of an empty list gets properly handled by returning the neutral subpath `"./."`
Laws:
- Associativity:
subpath.join [ x (subpath.join [ y z ]) ] == subpath.join [ (subpath.join [ x y ]) z ]
- Identity - `"./."` is the neutral element for normalised paths:
subpath.join [ ] == "./."
subpath.join [ (subpath.normalise p) "./." ] == subpath.normalise p
subpath.join [ "./." (subpath.normalise p) ] == subpath.normalise p
- Normalisation - the result is normalised according to `lib.path.subpath.normalise`:
subpath.join ps == subpath.normalise (subpath.join ps)
- For non-empty lists, the implementation is equivalent to normalising the result of `concatStringsSep "/"`.
Note that the above laws can be derived from this one.
ps != [] -> subpath.join ps == subpath.normalise (concatStringsSep "/" ps)
Type:
subpath.join :: [ String ] -> String
Example:
subpath.join [ "foo" "bar/baz" ]
=> "./foo/bar/baz"
# normalise the result
subpath.join [ "./foo" "." "bar//./baz/" ]
=> "./foo/bar/baz"
# passing an empty list results in the current directory
subpath.join [ ]
=> "./."
# elements must be valid subpath strings
subpath.join [ /foo ]
=> <error>
subpath.join [ "" ]
=> <error>
subpath.join [ "/foo" ]
=> <error>
subpath.join [ "../foo" ]
=> <error>
*/
subpath.join =
# The list of subpaths to join together
subpaths:
# Fast in case all paths are valid
if all isValid subpaths
then joinRelPath (concatMap splitRelPath subpaths)
else
# Otherwise we take our time to gather more info for a better error message
# Strictly go through each path, throwing on the first invalid one
# Tracks the list index in the fold accumulator
foldl' (i: path:
if isValid path
then i + 1
else throw ''
lib.path.subpath.join: Element at index ${toString i} is not a valid subpath string:
${subpathInvalidReason path}''
) 0 subpaths;
/* Normalise a subpath. Throw an error if the subpath isn't valid, see
`lib.path.subpath.isValid`

View file

@ -107,6 +107,36 @@ let
expected = true;
};
# Test examples from the lib.path.subpath.join documentation
testSubpathJoinExample1 = {
expr = subpath.join [ "foo" "bar/baz" ];
expected = "./foo/bar/baz";
};
testSubpathJoinExample2 = {
expr = subpath.join [ "./foo" "." "bar//./baz/" ];
expected = "./foo/bar/baz";
};
testSubpathJoinExample3 = {
expr = subpath.join [ ];
expected = "./.";
};
testSubpathJoinExample4 = {
expr = (builtins.tryEval (subpath.join [ /foo ])).success;
expected = false;
};
testSubpathJoinExample5 = {
expr = (builtins.tryEval (subpath.join [ "" ])).success;
expected = false;
};
testSubpathJoinExample6 = {
expr = (builtins.tryEval (subpath.join [ "/foo" ])).success;
expected = false;
};
testSubpathJoinExample7 = {
expr = (builtins.tryEval (subpath.join [ "../foo" ])).success;
expected = false;
};
# Test examples from the lib.path.subpath.normalise documentation
testSubpathNormaliseExample1 = {
expr = subpath.normalise "foo//bar";

View file

@ -140,6 +140,7 @@ rec {
qemuArch =
if final.isAarch32 then "arm"
else if final.isS390 && !final.isS390x then null
else if final.isx86_64 then "x86_64"
else if final.isx86 then "i386"
else final.uname.processor;
@ -193,7 +194,7 @@ rec {
then "${pkgs.runtimeShell} -c '\"$@\"' --"
else if final.isWindows
then "${wine}/bin/wine${lib.optionalString (final.parsed.cpu.bits == 64) "64"}"
else if final.isLinux && pkgs.stdenv.hostPlatform.isLinux
else if final.isLinux && pkgs.stdenv.hostPlatform.isLinux && final.qemuArch != null
then "${qemu-user}/bin/qemu-${final.qemuArch}"
else if final.isWasi
then "${pkgs.wasmtime}/bin/wasmtime"

View file

@ -22,7 +22,7 @@ let
"x86_64-solaris"
# JS
"js-ghcjs"
"javascript-ghcjs"
# Linux
"aarch64-linux" "armv5tel-linux" "armv6l-linux" "armv7a-linux"

View file

@ -329,6 +329,9 @@ rec {
# Ghcjs
ghcjs = {
config = "js-unknown-ghcjs";
# This triple is special to GHC/Cabal/GHCJS and not recognized by autotools
# See: https://gitlab.haskell.org/ghc/ghc/-/commit/6636b670233522f01d002c9b97827d00289dbf5c
# https://github.com/ghcjs/ghcjs/issues/53
config = "javascript-unknown-ghcjs";
};
}

View file

@ -49,7 +49,7 @@ rec {
isM68k = { cpu = { family = "m68k"; }; };
isS390 = { cpu = { family = "s390"; }; };
isS390x = { cpu = { family = "s390"; bits = 64; }; };
isJavaScript = { cpu = cpuTypes.js; };
isJavaScript = { cpu = cpuTypes.javascript; };
is32bit = { cpu = { bits = 32; }; };
is64bit = { cpu = { bits = 64; }; };

View file

@ -131,7 +131,7 @@ rec {
or1k = { bits = 32; significantByte = bigEndian; family = "or1k"; };
js = { bits = 32; significantByte = littleEndian; family = "js"; };
javascript = { bits = 32; significantByte = littleEndian; family = "javascript"; };
};
# GNU build systems assume that older NetBSD architectures are using a.out.

View file

@ -533,6 +533,37 @@ runTests {
};
};
# code from example
testFoldlAttrs = {
expr = {
example = foldlAttrs
(acc: name: value: {
sum = acc.sum + value;
names = acc.names ++ [ name ];
})
{ sum = 0; names = [ ]; }
{
foo = 1;
bar = 10;
};
# should just return the initial value
emptySet = foldlAttrs (throw "function not needed") 123 { };
# should just evaluate to the last value
accNotNeeded = foldlAttrs (_acc: _name: v: v) (throw "accumulator not needed") { z = 3; a = 2; };
# the accumulator doesnt have to be an attrset it can be as trivial as being just a number or string
trivialAcc = foldlAttrs (acc: _name: v: acc * 10 + v) 1 { z = 1; a = 2; };
};
expected = {
example = {
sum = 11;
names = [ "bar" "foo" ];
};
emptySet = 123;
accNotNeeded = 3;
trivialAcc = 121;
};
};
# code from the example
testRecursiveUpdateUntil = {
expr = recursiveUpdateUntil (path: l: r: path == ["foo"]) {

View file

@ -141,6 +141,14 @@ checkConfigError "The option .*enable.* does not exist. Definition values:\n\s*-
checkConfigError "attribute .*enable.* in selection path .*config.enable.* not found" "$@" ./disable-define-enable.nix ./disable-declare-enable.nix
checkConfigError "attribute .*enable.* in selection path .*config.enable.* not found" "$@" ./disable-enable-modules.nix
checkConfigOutput '^true$' 'config.positive.enable' ./disable-module-with-key.nix
checkConfigOutput '^false$' 'config.negative.enable' ./disable-module-with-key.nix
checkConfigError 'Module ..*disable-module-bad-key.nix. contains a disabledModules item that is an attribute set, presumably a module, that does not have a .key. attribute. .*' 'config.enable' ./disable-module-bad-key.nix
# Not sure if we want to keep supporting module keys that aren't strings, paths or v?key, but we shouldn't remove support accidentally.
checkConfigOutput '^true$' 'config.positive.enable' ./disable-module-with-toString-key.nix
checkConfigOutput '^false$' 'config.negative.enable' ./disable-module-with-toString-key.nix
# Check _module.args.
set -- config.enable ./declare-enable.nix ./define-enable-with-custom-arg.nix
checkConfigError 'while evaluating the module argument .*custom.* in .*define-enable-with-custom-arg.nix.*:' "$@"
@ -358,6 +366,10 @@ checkConfigOutput '^"The option `a\.b. defined in `.*/doRename-warnings\.nix. ha
config.result \
./doRename-warnings.nix
# Anonymous modules get deduplicated by key
checkConfigOutput '^"pear"$' config.once.raw ./merge-module-with-key.nix
checkConfigOutput '^"pear\\npear"$' config.twice.raw ./merge-module-with-key.nix
cat <<EOF
====== module tests ======
$pass Pass

View file

@ -0,0 +1,16 @@
{ lib, ... }:
let
inherit (lib) mkOption types;
moduleWithKey = { config, ... }: {
config = {
enable = true;
};
};
in
{
imports = [
./declare-enable.nix
];
disabledModules = [ { } ];
}

View file

@ -0,0 +1,34 @@
{ lib, ... }:
let
inherit (lib) mkOption types;
moduleWithKey = {
key = "disable-module-with-key.nix#moduleWithKey";
config = {
enable = true;
};
};
in
{
options = {
positive = mkOption {
type = types.submodule {
imports = [
./declare-enable.nix
moduleWithKey
];
};
default = {};
};
negative = mkOption {
type = types.submodule {
imports = [
./declare-enable.nix
moduleWithKey
];
disabledModules = [ moduleWithKey ];
};
default = {};
};
};
}

View file

@ -0,0 +1,34 @@
{ lib, ... }:
let
inherit (lib) mkOption types;
moduleWithKey = {
key = 123;
config = {
enable = true;
};
};
in
{
options = {
positive = mkOption {
type = types.submodule {
imports = [
./declare-enable.nix
moduleWithKey
];
};
default = {};
};
negative = mkOption {
type = types.submodule {
imports = [
./declare-enable.nix
moduleWithKey
];
disabledModules = [ 123 ];
};
default = {};
};
};
}

View file

@ -0,0 +1,49 @@
{ lib, ... }:
let
inherit (lib) mkOption types;
moduleWithoutKey = {
config = {
raw = "pear";
};
};
moduleWithKey = {
key = __curPos.file + "#moduleWithKey";
config = {
raw = "pear";
};
};
decl = {
options = {
raw = mkOption {
type = types.lines;
};
};
};
in
{
options = {
once = mkOption {
type = types.submodule {
imports = [
decl
moduleWithKey
moduleWithKey
];
};
default = {};
};
twice = mkOption {
type = types.submodule {
imports = [
decl
moduleWithoutKey
moduleWithoutKey
];
};
default = {};
};
};
}

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,57 @@
let
lib = import ../../lib;
inherit (lib)
add attrNames elemAt foldl' genList length replaceStrings sort toLower trace;
maintainers = import ../maintainer-list.nix;
simplify = replaceStrings [ "-" "_" ] [ "" "" ];
compare = a: b: simplify (toLower a) < simplify (toLower b);
namesSorted =
sort
(a: b: a.key < b.key)
(map
(n: let pos = builtins.unsafeGetAttrPos n maintainers;
in assert pos == null -> throw "maintainers entry ${n} is malformed";
{ name = n; line = pos.line; key = toLower (simplify n); })
(attrNames maintainers));
before = { name, line, key }:
foldl'
(acc: n: if n.key < key && (acc == null || n.key > acc.key) then n else acc)
null
namesSorted;
errors = foldl' add 0
(map
(i: let a = elemAt namesSorted i;
b = elemAt namesSorted (i + 1);
lim = let t = before a; in if t == null then "the initial {" else t.name;
in if a.line >= b.line
then trace
("maintainer ${a.name} (line ${toString a.line}) should be listed "
+ "after ${lim}, not after ${b.name} (line ${toString b.line})")
1
else 0)
(genList (i: i) (length namesSorted - 1)));
in
assert errors == 0; "all good!"
# generate edit commands to sort the list.
# may everything following the last current entry (closing } ff) in the wrong place
# with lib;
# concatStringsSep
# "\n"
# (let first = foldl' (acc: n: if n.line < acc then n.line else acc) 999999999 namesSorted;
# commands = map
# (i: let e = elemAt namesSorted i;
# begin = foldl'
# (acc: n: if n.line < e.line && n.line > acc then n.line else acc)
# 1
# namesSorted;
# end =
# foldl' (acc: n: if n.line > e.line && n.line < acc then n.line else acc)
# 999999999
# namesSorted;
# in "${toString e.line},${toString (end - 1)} p")
# (genList (i: i) (length namesSorted));
# in map
# (c: "sed -ne '${c}' maintainers/maintainer-list.nix")
# ([ "1,${toString (first - 1)} p" ] ++ commands))

View file

@ -328,6 +328,7 @@ platformIcon (Platform x) = case x of
"x86_64-linux" -> ":penguin:"
"aarch64-linux" -> ":iphone:"
"x86_64-darwin" -> ":apple:"
"aarch64-darwin" -> ":green_apple:"
_ -> x
data BuildResult = BuildResult {state :: BuildState, id :: Int} deriving (Show, Eq, Ord)
@ -488,7 +489,8 @@ printBuildSummary eval@Eval{id} fetchTime summary topBrokenRdeps =
if' (isNothing maintainedJob) "No `maintained` job found." <>
if' (Unfinished > maybe Success worstState mergeableJob) "`mergeable` jobset failed." <>
if' (outstandingJobs (Platform "x86_64-linux") > 100) "Too many outstanding jobs on x86_64-linux." <>
if' (outstandingJobs (Platform "aarch64-linux") > 100) "Too many outstanding jobs on aarch64-linux."
if' (outstandingJobs (Platform "aarch64-linux") > 100) "Too many outstanding jobs on aarch64-linux." <>
if' (outstandingJobs (Platform "aarch64-darwin") > 100) "Too many outstanding jobs on aarch64-darwin."
if' p e = if p then [e] else mempty
outstandingJobs platform | Table m <- numSummary = Map.findWithDefault 0 (platform, Unfinished) m
maintainedJob = Map.lookup "maintained" summary

View file

@ -142,6 +142,7 @@ with lib.maintainers; {
# gares has no entry in the maintainers list
siraben
vbgl
alizter
];
scope = "Maintain the Coq theorem prover and related packages.";
shortName = "Coq";

View file

@ -8,8 +8,15 @@ the system on a stable release.
`disabledModules` is a top level attribute like `imports`, `options` and
`config`. It contains a list of modules that will be disabled. This can
either be the full path to the module or a string with the filename
relative to the modules path (eg. \<nixpkgs/nixos/modules> for nixos).
either be:
- the full path to the module,
- or a string with the filename relative to the modules path (eg. \<nixpkgs/nixos/modules> for nixos),
- or an attribute set containing a specific `key` attribute.
The latter allows some modules to be disabled, despite them being distributed
via attributes instead of file paths. The `key` should be globally unique, so
it is recommended to include a file path in it, or rely on a framework to do it
for you.
This example will replace the existing postgresql module with the
version defined in the nixos-unstable channel while keeping the rest of

View file

@ -33,6 +33,9 @@ In addition to numerous new and upgraded packages, this release has the followin
- [Cloudlog](https://www.magicbug.co.uk/cloudlog/), a web-based Amateur Radio logging application. Available as [services.cloudlog](#opt-services.cloudlog.enable).
- [fzf](https://github.com/junegunn/fzf), a command line fuzzyfinder. Available as [programs.fzf](#opt-programs.fzf.fuzzyCompletion).
- [readarr](https://github.com/Readarr/Readarr), Book Manager and Automation (Sonarr for Ebooks). Available as [services.readarr](options.html#opt-services.readarr.enable).
- [gemstash](https://github.com/rubygems/gemstash), a RubyGems.org cache and private gem server. Available as [services.gemstash](#opt-services.gemstash.enable).
- [gmediarender](https://github.com/hzeller/gmrender-resurrect), a simple, headless UPnP/DLNA renderer. Available as [services.gmediarender](options.html#opt-services.gmediarender.enable).
@ -58,12 +61,20 @@ In addition to numerous new and upgraded packages, this release has the followin
- [ulogd](https://www.netfilter.org/projects/ulogd/index.html), a userspace logging daemon for netfilter/iptables related logging. Available as [services.ulogd](options.html#opt-services.ulogd.enable).
- [jellyseerr](https://github.com/Fallenbagel/jellyseerr), a web-based requests manager for Jellyfin, forked from Overseerr. Available as [services.jellyseerr](#opt-services.jellyseerr.enable).
- [photoprism](https://photoprism.app/), a AI-Powered Photos App for the Decentralized Web. Available as [services.photoprism](options.html#opt-services.photoprism.enable).
- [autosuspend](https://github.com/languitar/autosuspend), a python daemon that suspends a system if certain conditions are met, or not met.
- [sharing](https://github.com/parvardegr/sharing), a command-line tool to share directories and files from the CLI to iOS and Android devices without the need of an extra client app. Available as [programs.sharing](#opt-programs.sharing.enable).
- [nimdow](https://github.com/avahe-kellenberger/nimdow), a window manager written in Nim, inspired by dwm.
- [woodpecker-agent](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-agent](#opt-services.woodpecker-agent.enable).
- [woodpecker-server](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-server](#opt-services.woodpecker-server.enable).
## Backward Incompatibilities {#sec-release-23.05-incompatibilities}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@ -82,6 +93,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `git-bug` has been updated to at least version 0.8.0, which includes backwards incompatible changes. The `git-bug-migration` package can be used to upgrade existing repositories.
- `nushell` has been updated to at least version 0.77.0, which includes potential breaking changes in aliases. The old aliases are now available as `old-alias` but it is recommended you migrate to the new format. See [Reworked aliases](https://www.nushell.sh/blog/2023-03-14-nushell_0_77.html#reworked-aliases-breaking-changes-kubouch).
- `keepassx` and `keepassx2` have been removed, due to upstream [stopping development](https://www.keepassx.org/index.html%3Fp=636.html). Consider [KeePassXC](https://keepassxc.org) as a maintained alternative.
- The `services.kubo.settings` option is now no longer stateful. If you changed any of the options in `services.kubo.settings` in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config) and compare after the update.
@ -115,6 +128,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- Calling `makeSetupHook` without passing a `name` argument is deprecated.
- `lib.systems.examples.ghcjs` and consequently `pkgsCross.ghcjs` now use the target triplet `javascript-unknown-ghcjs` instead of `js-unknown-ghcjs`. This has been done to match an [upstream decision](https://gitlab.haskell.org/ghc/ghc/-/commit/6636b670233522f01d002c9b97827d00289dbf5c) to follow Cabal's platform naming more closely. Nixpkgs will also reject `js` as an architecture name.
- The `cosmoc` package has been removed. The upstream scripts in `cosmocc` should be used instead.
- Qt 5.12 and 5.14 have been removed, as the corresponding branches have been EOL upstream for a long time. This affected under 10 packages in nixpkgs, largely unmaintained upstream as well, however, out-of-tree package expressions may need to be updated manually.
@ -191,6 +206,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- To reduce closure size in `nixos/modules/profiles/minimal.nix` profile disabled installation documentations and manuals. Also disabled `logrotate` and `udisks2` services.
- To reduce closure size in `nixos/modules/installer/netboot/netboot-minimal.nix` profile disabled load linux firmwares, pre-installing the complete stdenv and `networking.wireless` service.
- The minimal ISO image now uses the `nixos/modules/profiles/minimal.nix` profile.
- The `ghcWithPackages` and `ghcWithHoogle` wrappers will now also symlink GHC's

View file

@ -61,7 +61,7 @@ with lib;
pinentry = super.pinentry.override { enabledFlavors = [ "curses" "tty" "emacs" ]; withLibsecret = false; };
qemu = super.qemu.override { gtkSupport = false; spiceSupport = false; sdlSupport = false; };
qrencode = super.qrencode.overrideAttrs (_: { doCheck = false; });
qt5 = super.qt5.overrideScope' (const (super': {
qt5 = super.qt5.overrideScope (const (super': {
qtbase = super'.qtbase.override { withGtk3 = false; };
}));
stoken = super.stoken.override { withGTK3 = false; };

View file

@ -9,4 +9,7 @@
];
documentation.man.enable = lib.mkOverride 500 true;
hardware.enableRedistributableFirmware = lib.mkOverride 70 false;
system.extraDependencies = lib.mkOverride 70 [];
networking.wireless.enable = lib.mkOverride 500 false;
}

View file

@ -127,9 +127,6 @@ if (-e "/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors") {
push @kernelModules, "kvm-intel" if hasCPUFeature "vmx";
push @kernelModules, "kvm-amd" if hasCPUFeature "svm";
push @attrs, "hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "AuthenticAMD";
push @attrs, "hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "GenuineIntel";
# Look at the PCI devices and add necessary modules. Note that most
# modules are auto-detected so we don't need to list them here.
@ -324,11 +321,15 @@ if ($virt eq "systemd-nspawn") {
}
# Provide firmware for devices that are not detected by this script,
# unless we're in a VM/container.
push @imports, "(modulesPath + \"/installer/scan/not-detected.nix\")"
if $virt eq "none";
# Check if we're on bare metal, not in a VM/container.
if ($virt eq "none") {
# Provide firmware for devices that are not detected by this script.
push @imports, "(modulesPath + \"/installer/scan/not-detected.nix\")";
# Update the microcode.
push @attrs, "hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "AuthenticAMD";
push @attrs, "hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "GenuineIntel";
}
# For a device name like /dev/sda1, find a more stable path like
# /dev/disk/by-uuid/X or /dev/disk/by-label/Y.

View file

@ -377,6 +377,8 @@
./services/continuous-integration/jenkins/default.nix
./services/continuous-integration/jenkins/job-builder.nix
./services/continuous-integration/jenkins/slave.nix
./services/continuous-integration/woodpecker/agent.nix
./services/continuous-integration/woodpecker/server.nix
./services/databases/aerospike.nix
./services/databases/cassandra.nix
./services/databases/clickhouse.nix
@ -440,6 +442,7 @@
./services/development/blackfire.nix
./services/development/bloop.nix
./services/development/distccd.nix
./services/development/gemstash.nix
./services/development/hoogle.nix
./services/development/jupyter/default.nix
./services/development/jupyterhub/default.nix
@ -624,6 +627,7 @@
./services/misc/irkerd.nix
./services/misc/jackett.nix
./services/misc/jellyfin.nix
./services/misc/jellyseerr.nix
./services/misc/klipper.nix
./services/misc/languagetool.nix
./services/misc/leaps.nix
@ -663,6 +667,7 @@
./services/misc/prowlarr.nix
./services/misc/pykms.nix
./services/misc/radarr.nix
./services/misc/readarr.nix
./services/misc/redmine.nix
./services/misc/ripple-data-api.nix
./services/misc/rippled.nix
@ -801,6 +806,7 @@
./services/networking/bitlbee.nix
./services/networking/blockbook-frontend.nix
./services/networking/blocky.nix
./services/networking/cgit.nix
./services/networking/charybdis.nix
./services/networking/chisel-server.nix
./services/networking/cjdns.nix
@ -1129,6 +1135,7 @@
./services/web-apps/baget.nix
./services/web-apps/bookstack.nix
./services/web-apps/calibre-web.nix
./services/web-apps/coder.nix
./services/web-apps/changedetection-io.nix
./services/web-apps/cloudlog.nix
./services/web-apps/code-server.nix
@ -1268,6 +1275,7 @@
./services/x11/window-managers/bspwm.nix
./services/x11/window-managers/katriawm.nix
./services/x11/window-managers/metacity.nix
./services/x11/window-managers/nimdow.nix
./services/x11/window-managers/none.nix
./services/x11/window-managers/twm.nix
./services/x11/window-managers/windowlab.nix

View file

@ -1,5 +1,5 @@
# This module defines the software packages included in the "minimal"
# installation CD. It might be useful elsewhere.
# installation CD. It might be useful elsewhere.
{ config, lib, pkgs, ... }:
@ -17,7 +17,6 @@
pkgs.ddrescue
pkgs.ccrypt
pkgs.cryptsetup # needed for dm-crypt volumes
pkgs.mkpasswd # for generating password files
# Some text editors.
(pkgs.vim.customize {
@ -32,7 +31,6 @@
pkgs.fuse
pkgs.fuse3
pkgs.sshfs-fuse
pkgs.rsync
pkgs.socat
pkgs.screen
pkgs.tcpdump
@ -45,22 +43,14 @@
pkgs.usbutils
pkgs.nvme-cli
# Tools to create / manipulate filesystems.
pkgs.ntfsprogs # for resizing NTFS partitions
pkgs.dosfstools
pkgs.mtools
pkgs.xfsprogs.bin
pkgs.jfsutils
pkgs.f2fs-tools
# Some compression/archiver tools.
pkgs.unzip
pkgs.zip
];
# Include support for various filesystems.
# Include support for various filesystems and tools to create / manipulate them.
boot.supportedFilesystems =
[ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "ntfs" "cifs" ] ++
[ "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs" ] ++
lib.optional (lib.meta.availableOn pkgs.stdenv.hostPlatform config.boot.zfs.package) "zfs";
# Configure host id for ZFS to work

View file

@ -151,6 +151,8 @@ in
if ! ${pkgs.diffutils}/bin/cmp -s "$logfile" "$logfile".new
then
${pkgs.coreutils}/bin/mv -v -f "$logfile".new "$logfile"
else
${pkgs.coreutils}/bin/rm -f "$logfile".new
fi
done
'';

View file

@ -8,7 +8,6 @@ with lib;
let
cfg = config.programs.java;
in
{
options = {
@ -40,12 +39,35 @@ in
type = types.package;
};
binfmt = mkEnableOption (lib.mdDoc "binfmt to execute java jar's and classes");
};
};
config = mkIf cfg.enable {
boot.binfmt.registrations = mkIf cfg.binfmt {
java-class = {
recognitionType = "extension";
magicOrExtension = "class";
interpreter = pkgs.writeShellScript "java-class-wrapper" ''
test -e ${cfg.package}/nix-support/setup-hook && source ${cfg.package}/nix-support/setup-hook
classpath=$(dirname "$1")
class=$(basename "''${1%%.class}")
$JAVA_HOME/bin/java -classpath "$classpath" "$class" "''${@:2}"
'';
};
java-jar = {
recognitionType = "extension";
magicOrExtension = "jar";
interpreter = pkgs.writeShellScript "java-jar-wrapper" ''
test -e ${cfg.package}/nix-support/setup-hook && source ${cfg.package}/nix-support/setup-hook
$JAVA_HOME/bin/java -jar "$@"
'';
};
};
environment.systemPackages = [ cfg.package ];
environment.shellInit = ''

View file

@ -47,7 +47,12 @@ let
then [ "${name} ${value}" ]
else concatLists (mapAttrsToList (genSection name) value);
addDefaults = settings: { backend = "btrfs-progs-sudo"; } // settings;
sudo_doas =
if config.security.sudo.enable then "sudo"
else if config.security.doas.enable then "doas"
else throw "The btrbk nixos module needs either sudo or doas enabled in the configuration";
addDefaults = settings: { backend = "btrfs-progs-${sudo_doas}"; } // settings;
mkConfigFile = name: settings: pkgs.writeTextFile {
name = "btrbk-${name}.conf";
@ -152,20 +157,41 @@ in
};
config = mkIf (sshEnabled || serviceEnabled) {
environment.systemPackages = [ pkgs.btrbk ] ++ cfg.extraPackages;
security.sudo.extraRules = [
{
users = [ "btrbk" ];
commands = [
{ command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }
{ command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }
{ command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }
# for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
{ command = "/run/current-system/bin/btrfs"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
security.sudo = mkIf (sudo_doas == "sudo") {
extraRules = [
{
users = [ "btrbk" ];
commands = [
{ command = "${pkgs.btrfs-progs}/bin/btrfs"; options = [ "NOPASSWD" ]; }
{ command = "${pkgs.coreutils}/bin/mkdir"; options = [ "NOPASSWD" ]; }
{ command = "${pkgs.coreutils}/bin/readlink"; options = [ "NOPASSWD" ]; }
# for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
{ command = "/run/current-system/bin/btrfs"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/mkdir"; options = [ "NOPASSWD" ]; }
{ command = "/run/current-system/sw/bin/readlink"; options = [ "NOPASSWD" ]; }
];
}
];
};
security.doas = mkIf (sudo_doas == "doas") {
extraRules = let
doasCmdNoPass = cmd: { users = [ "btrbk" ]; cmd = cmd; noPass = true; };
in
[
(doasCmdNoPass "${pkgs.btrfs-progs}/bin/btrfs")
(doasCmdNoPass "${pkgs.coreutils}/bin/mkdir")
(doasCmdNoPass "${pkgs.coreutils}/bin/readlink")
# for ssh, they are not the same than the one hard coded in ${pkgs.btrbk}
(doasCmdNoPass "/run/current-system/bin/btrfs")
(doasCmdNoPass "/run/current-system/sw/bin/mkdir")
(doasCmdNoPass "/run/current-system/sw/bin/readlink")
# doas matches command, not binary
(doasCmdNoPass "btrfs")
(doasCmdNoPass "mkdir")
(doasCmdNoPass "readlink")
];
}
];
};
users.users.btrbk = {
isSystemUser = true;
# ssh needs a home directory
@ -183,8 +209,9 @@ in
"best-effort" = 2;
"realtime" = 1;
}.${cfg.ioSchedulingClass};
sudo_doas_flag = "--${sudo_doas}";
in
''command="${pkgs.util-linux}/bin/ionice -t -c ${toString ioniceClass} ${optionalString (cfg.niceness >= 1) "${pkgs.coreutils}/bin/nice -n ${toString cfg.niceness}"} ${pkgs.btrbk}/share/btrbk/scripts/ssh_filter_btrbk.sh --sudo ${options}" ${v.key}''
''command="${pkgs.util-linux}/bin/ionice -t -c ${toString ioniceClass} ${optionalString (cfg.niceness >= 1) "${pkgs.coreutils}/bin/nice -n ${toString cfg.niceness}"} ${pkgs.btrbk}/share/btrbk/scripts/ssh_filter_btrbk.sh ${sudo_doas_flag} ${options}" ${v.key}''
)
cfg.sshAccess;
};

View file

@ -5,11 +5,95 @@ let
cfg = config.services.hadoop;
hadoopConf = "${import ./conf.nix { inherit cfg pkgs lib; }}/";
mkIfNotNull = x: mkIf (x != null) x;
# generic hbase role options
hbaseRoleOption = name: extraOpts: {
enable = mkEnableOption (mdDoc "HBase ${name}");
openFirewall = mkOption {
type = types.bool;
default = false;
description = mdDoc "Open firewall ports for HBase ${name}.";
};
restartIfChanged = mkOption {
type = types.bool;
default = false;
description = mdDoc "Restart ${name} con config change.";
};
extraFlags = mkOption {
type = with types; listOf str;
default = [];
example = literalExpression ''[ "--backup" ]'';
description = mdDoc "Extra flags for the ${name} service.";
};
environment = mkOption {
type = with types; attrsOf str;
default = {};
example = literalExpression ''
{
HBASE_MASTER_OPTS = "-Dcom.sun.management.jmxremote.ssl=true";
}
'';
description = mdDoc "Environment variables passed to ${name}.";
};
} // extraOpts;
# generic hbase role configs
hbaseRoleConfig = name: ports: (mkIf cfg.hbase."${name}".enable {
services.hadoop.gatewayRole = {
enable = true;
enableHbaseCli = mkDefault true;
};
systemd.services."hbase-${toLower name}" = {
description = "HBase ${name}";
wantedBy = [ "multi-user.target" ];
path = with cfg; [ hbase.package ] ++ optional
(with cfg.hbase.master; enable && initHDFS) package;
preStart = mkIf (with cfg.hbase.master; enable && initHDFS)
(concatStringsSep "\n" (
map (x: "HADOOP_USER_NAME=hdfs hdfs --config /etc/hadoop-conf ${x}")[
"dfsadmin -safemode wait"
"dfs -mkdir -p ${cfg.hbase.rootdir}"
"dfs -chown hbase ${cfg.hbase.rootdir}"
]
));
inherit (cfg.hbase."${name}") environment;
script = concatStringsSep " " (
[
"hbase --config /etc/hadoop-conf/"
"${toLower name} start"
]
++ cfg.hbase."${name}".extraFlags
++ map (x: "--${toLower x} ${toString cfg.hbase.${name}.${x}}")
(filter (x: hasAttr x cfg.hbase.${name}) ["port" "infoPort"])
);
serviceConfig = {
User = "hbase";
SyslogIdentifier = "hbase-${toLower name}";
Restart = "always";
};
};
services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir;
networking = {
firewall.allowedTCPPorts = mkIf cfg.hbase."${name}".openFirewall ports;
hosts = mkIf (with cfg.hbase.regionServer; enable && overrideHosts) {
"127.0.0.2" = mkForce [ ];
"::1" = mkForce [ ];
};
};
});
in
{
options.services.hadoop = {
gatewayRole.enableHbaseCli = mkEnableOption (lib.mdDoc "HBase CLI tools");
gatewayRole.enableHbaseCli = mkEnableOption (mdDoc "HBase CLI tools");
hbaseSiteDefault = mkOption {
default = {
@ -21,7 +105,7 @@ in
"hbase.cluster.distributed" = "true";
};
type = types.attrsOf types.anything;
description = lib.mdDoc ''
description = mdDoc ''
Default options for hbase-site.xml
'';
};
@ -29,8 +113,12 @@ in
default = {};
type = with types; attrsOf anything;
example = literalExpression ''
{
"hbase.hregion.max.filesize" = 20*1024*1024*1024;
"hbase.table.normalization.enabled" = "true";
}
'';
description = lib.mdDoc ''
description = mdDoc ''
Additional options and overrides for hbase-site.xml
<https://github.com/apache/hbase/blob/rel/2.4.11/hbase-common/src/main/resources/hbase-default.xml>
'';
@ -39,7 +127,7 @@ in
default = {};
type = with types; attrsOf anything;
internal = true;
description = lib.mdDoc ''
description = mdDoc ''
Internal option to add configs to hbase-site.xml based on module options
'';
};
@ -50,11 +138,11 @@ in
type = types.package;
default = pkgs.hbase;
defaultText = literalExpression "pkgs.hbase";
description = lib.mdDoc "HBase package";
description = mdDoc "HBase package";
};
rootdir = mkOption {
description = lib.mdDoc ''
description = mdDoc ''
This option will set "hbase.rootdir" in hbase-site.xml and determine
the directory shared by region servers and into which HBase persists.
The URL should be 'fully-qualified' to include the filesystem scheme.
@ -68,7 +156,7 @@ in
default = "/hbase";
};
zookeeperQuorum = mkOption {
description = lib.mdDoc ''
description = mdDoc ''
This option will set "hbase.zookeeper.quorum" in hbase-site.xml.
Comma separated list of servers in the ZooKeeper ensemble.
'';
@ -76,107 +164,36 @@ in
example = "zk1.internal,zk2.internal,zk3.internal";
default = null;
};
master = {
enable = mkEnableOption (lib.mdDoc "HBase Master");
initHDFS = mkEnableOption (lib.mdDoc "initialization of the hbase directory on HDFS");
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Open firewall ports for HBase master.
'';
} // (let
ports = port: infoPort: {
port = mkOption {
type = types.int;
default = port;
description = mdDoc "RPC port";
};
infoPort = mkOption {
type = types.int;
default = infoPort;
description = mdDoc "web UI port";
};
};
regionServer = {
enable = mkEnableOption (lib.mdDoc "HBase RegionServer");
overrideHosts = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
Remove /etc/hosts entries for "127.0.0.2" and "::1" defined in nixos/modules/config/networking.nix
Regionservers must be able to resolve their hostnames to their IP addresses, through PTR records
or /etc/hosts entries.
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Open firewall ports for HBase master.
'';
};
in mapAttrs hbaseRoleOption {
master.initHDFS = mkEnableOption (mdDoc "initialization of the hbase directory on HDFS");
regionServer.overrideHosts = mkOption {
type = types.bool;
default = true;
description = mdDoc ''
Remove /etc/hosts entries for "127.0.0.2" and "::1" defined in nixos/modules/config/networking.nix
Regionservers must be able to resolve their hostnames to their IP addresses, through PTR records
or /etc/hosts entries.
'';
};
};
thrift = ports 9090 9095;
rest = ports 8080 8085;
});
};
config = mkMerge [
(mkIf cfg.hbase.master.enable {
services.hadoop.gatewayRole = {
enable = true;
enableHbaseCli = mkDefault true;
};
systemd.services.hbase-master = {
description = "HBase master";
wantedBy = [ "multi-user.target" ];
preStart = mkIf cfg.hbase.master.initHDFS ''
HADOOP_USER_NAME=hdfs ${cfg.package}/bin/hdfs --config ${hadoopConf} dfsadmin -safemode wait
HADOOP_USER_NAME=hdfs ${cfg.package}/bin/hdfs --config ${hadoopConf} dfs -mkdir -p ${cfg.hbase.rootdir}
HADOOP_USER_NAME=hdfs ${cfg.package}/bin/hdfs --config ${hadoopConf} dfs -chown hbase ${cfg.hbase.rootdir}
'';
serviceConfig = {
User = "hbase";
SyslogIdentifier = "hbase-master";
ExecStart = "${cfg.hbase.package}/bin/hbase --config ${hadoopConf} " +
"master start";
Restart = "always";
};
};
services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir;
networking.firewall.allowedTCPPorts = mkIf cfg.hbase.master.openFirewall [
16000 16010
];
})
(mkIf cfg.hbase.regionServer.enable {
services.hadoop.gatewayRole = {
enable = true;
enableHbaseCli = mkDefault true;
};
systemd.services.hbase-regionserver = {
description = "HBase RegionServer";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "hbase";
SyslogIdentifier = "hbase-regionserver";
ExecStart = "${cfg.hbase.package}/bin/hbase --config /etc/hadoop-conf/ " +
"regionserver start";
Restart = "always";
};
};
services.hadoop.hbaseSiteInternal."hbase.rootdir" = cfg.hbase.rootdir;
networking = {
firewall.allowedTCPPorts = mkIf cfg.hbase.regionServer.openFirewall [
16020 16030
];
hosts = mkIf cfg.hbase.regionServer.overrideHosts {
"127.0.0.2" = mkForce [ ];
"::1" = mkForce [ ];
};
};
})
config = mkMerge ([
(mkIf cfg.gatewayRole.enable {
@ -192,5 +209,10 @@ in
isSystemUser = true;
};
})
];
] ++ (mapAttrsToList hbaseRoleConfig {
master = [ 16000 16010 ];
regionServer = [ 16020 16030 ];
thrift = with cfg.hbase.thrift; [ port infoPort ];
rest = with cfg.hbase.rest; [ port infoPort ];
}));
}

View file

@ -3,7 +3,7 @@
with lib;
let
version = "1.7.1";
version = "1.10.1";
cfg = config.services.kubernetes.addons.dns;
ports = {
dns = 10053;
@ -59,9 +59,9 @@ in {
type = types.attrs;
default = {
imageName = "coredns/coredns";
imageDigest = "sha256:4a6e0769130686518325b21b0c1d0688b54e7c79244d48e1b15634e98e40c6ef";
imageDigest = "sha256:a0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e";
finalImageTag = version;
sha256 = "02r440xcdsgi137k5lmmvp0z5w5fmk8g9mysq5pnysq1wl8sj6mw";
sha256 = "0wg696920smmal7552a2zdhfncndn5kfammfa8bk8l7dz9bhk0y1";
};
};
@ -136,6 +136,11 @@ in {
resources = [ "nodes" ];
verbs = [ "get" ];
}
{
apiGroups = [ "discovery.k8s.io" ];
resources = [ "endpointslices" ];
verbs = [ "list" "watch" ];
}
];
};

View file

@ -398,7 +398,7 @@ in
systemd.services.hydra-evaluator =
{ wantedBy = [ "multi-user.target" ];
requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" "network.target" ];
after = [ "hydra-init.service" "network.target" "network-online.target" ];
path = with pkgs; [ hydra-package nettools jq ];
restartTriggers = [ hydraConf ];
environment = env // {

View file

@ -0,0 +1,99 @@
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.services.woodpecker-agent;
in
{
meta.maintainers = [ lib.maintainers.janik ];
options = {
services.woodpecker-agent = {
enable = lib.mkEnableOption (lib.mdDoc "the Woodpecker-Agent, Agents execute tasks generated by a Server, every install will need one server and at least one agent");
package = lib.mkPackageOptionMD pkgs "woodpecker-agent" { };
environment = lib.mkOption {
default = { };
type = lib.types.attrsOf lib.types.str;
example = lib.literalExpression ''
{
WOODPECKER_SERVER = "localhost:9000";
WOODPECKER_BACKEND = "docker";
DOCKER_HOST = "unix:///run/podman/podman.sock";
}
'';
description = lib.mdDoc "woodpecker-agent config envrionment variables, for other options read the [documentation](https://woodpecker-ci.org/docs/administration/agent-config)";
};
extraGroups = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.listOf lib.types.str);
example = [ "podman" ];
description = lib.mdDoc ''
Additional groups for the systemd service.
'';
};
environmentFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
example = "/root/woodpecker-agent.env";
description = lib.mdDoc ''
File to load environment variables
from. This is helpful for specifying secrets.
Example content of environmentFile:
```
WOODPECKER_AGENT_SECRET=your-shared-secret-goes-here
```
'';
};
};
};
config = lib.mkIf cfg.enable {
systemd.services = {
woodpecker-agent = {
description = "Woodpecker-Agent Service";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
DynamicUser = true;
SupplementaryGroups = lib.optionals (cfg.extraGroups != null) cfg.extraGroups;
EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
ExecStart = "${cfg.package}/bin/woodpecker-agent";
Restart = "on-failure";
RestartSec = 15;
CapabilityBoundingSet = "";
# Security
NoNewPrivileges = true;
# Sandboxing
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
};
inherit (cfg) environment;
};
};
};
}

View file

@ -0,0 +1,98 @@
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.services.woodpecker-server;
in
{
meta.maintainers = [ lib.maintainers.janik ];
options = {
services.woodpecker-server = {
enable = lib.mkEnableOption (lib.mdDoc "the Woodpecker-Server, a CI/CD application for automatic builds, deployments and tests");
package = lib.mkPackageOptionMD pkgs "woodpecker-server" { };
environment = lib.mkOption {
default = { };
type = lib.types.attrsOf lib.types.str;
example = lib.literalExpression
''
{
WOODPECKER_HOST = "https://woodpecker.example.com";
WOODPECKER_OPEN = "true";
WOODPECKER_GITEA = "true";
WOODPECKER_GITEA_CLIENT = "ffffffff-ffff-ffff-ffff-ffffffffffff";
WOODPECKER_GITEA_URL = "https://git.example.com";
}
'';
description = lib.mdDoc "woodpecker-server config envrionment variables, for other options read the [documentation](https://woodpecker-ci.org/docs/administration/server-config)";
};
environmentFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
example = "/root/woodpecker-server.env";
description = lib.mdDoc ''
File to load environment variables
from. This is helpful for specifying secrets.
Example content of environmentFile:
```
WOODPECKER_AGENT_SECRET=your-shared-secret-goes-here
WOODPECKER_GITEA_SECRET=gto_**************************************
```
'';
};
};
};
config = lib.mkIf cfg.enable {
systemd.services = {
woodpecker-server = {
description = "Woodpecker-Server Service";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
DynamicUser = true;
WorkingDirectory = "%S/woodpecker-server";
StateDirectory = "woodpecker-server";
StateDirectoryMode = "0700";
UMask = "0007";
ConfigurationDirectory = "woodpecker-server";
EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
ExecStart = "${cfg.package}/bin/woodpecker-server";
Restart = "on-failure";
RestartSec = 15;
CapabilityBoundingSet = "";
# Security
NoNewPrivileges = true;
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
};
inherit (cfg) environment;
};
};
};
}

View file

@ -0,0 +1,103 @@
{ lib, pkgs, config, ... }:
with lib;
let
settingsFormat = pkgs.formats.yaml { };
# gemstash uses a yaml config where the keys are ruby symbols,
# which means they start with ':'. This would be annoying to use
# on the nix side, so we rewrite plain names instead.
prefixColon = s: listToAttrs (map
(attrName: {
name = ":${attrName}";
value =
if isAttrs s.${attrName}
then prefixColon s."${attrName}"
else s."${attrName}";
})
(attrNames s));
# parse the port number out of the tcp://ip:port bind setting string
parseBindPort = bind: strings.toInt (last (strings.splitString ":" bind));
cfg = config.services.gemstash;
in
{
options.services.gemstash = {
enable = mkEnableOption (lib.mdDoc "gemstash service");
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to open the firewall for the port in {option}`services.gemstash.bind`.
'';
};
settings = mkOption {
default = {};
description = lib.mdDoc ''
Configuration for Gemstash. The details can be found at in
[gemstash documentation](https://github.com/rubygems/gemstash/blob/master/man/gemstash-configuration.5.md).
Each key set here is automatically prefixed with ":" to match the gemstash expectations.
'';
type = types.submodule {
freeformType = settingsFormat.type;
options = {
base_path = mkOption {
type = types.path;
default = "/var/lib/gemstash";
description = lib.mdDoc "Path to store the gem files and the sqlite database. If left unchanged, the directory will be created.";
};
bind = mkOption {
type = types.str;
default = "tcp://0.0.0.0:9292";
description = lib.mdDoc "Host and port combination for the server to listen on.";
};
db_adapter = mkOption {
type = types.nullOr (types.enum [ "sqlite3" "postgres" "mysql" "mysql2" ]);
default = null;
description = lib.mdDoc "Which database type to use. For choices other than sqlite3, the dbUrl has to be specified as well.";
};
db_url = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc "The database to connect to when using postgres, mysql, or mysql2.";
};
};
};
};
};
config =
mkIf cfg.enable {
users = {
users.gemstash = {
group = "gemstash";
isSystemUser = true;
};
groups.gemstash = { };
};
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ (parseBindPort cfg.settings.bind) ];
systemd.services.gemstash = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = mkMerge [
{
ExecStart = "${pkgs.gemstash}/bin/gemstash start --no-daemonize --config-file ${settingsFormat.generate "gemstash.yaml" (prefixColon cfg.settings)}";
NoNewPrivileges = true;
User = "gemstash";
Group = "gemstash";
PrivateTmp = true;
RestrictSUIDSGID = true;
LockPersonality = true;
}
(mkIf (cfg.settings.base_path == "/var/lib/gemstash") {
StateDirectory = "gemstash";
})
];
};
};
}

View file

@ -18,6 +18,12 @@ let
fwupd = cfg.daemonSettings;
};
};
"fwupd/uefi_capsule.conf" = {
source = format.generate "uefi_capsule.conf" {
uefi_capsule = cfg.uefiCapsuleSettings;
};
};
};
originalEtc =
@ -138,6 +144,16 @@ in {
Configurations for the fwupd daemon.
'';
};
uefiCapsuleSettings = mkOption {
type = types.submodule {
freeformType = format.type.nestedTypes.elemType;
};
default = {};
description = lib.mdDoc ''
UEFI capsule configurations for the fwupd daemon.
'';
};
};
};

View file

@ -89,11 +89,6 @@ let
};
};
pagesArgs = [
"-pages-domain" gitlabConfig.production.pages.host
"-pages-root" "${gitlabConfig.production.shared.path}/pages"
] ++ cfg.pagesExtraArgs;
gitlabConfig = {
# These are the default settings from config/gitlab.example.yml
production = flip recursiveUpdate cfg.extraConfig {
@ -161,6 +156,12 @@ let
};
extra = {};
uploads.storage_path = cfg.statePath;
pages = {
enabled = cfg.pages.enable;
port = 8090;
host = cfg.pages.settings.pages-domain;
secret_file = cfg.pages.settings.api-secret-key;
};
};
};
@ -246,6 +247,7 @@ in {
(mkRenamedOptionModule [ "services" "gitlab" "backupPath" ] [ "services" "gitlab" "backup" "path" ])
(mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "")
(mkRemovedOptionModule [ "services" "gitlab" "logrotate" "extraConfig" ] "Modify services.logrotate.settings.gitlab directly instead")
(mkRemovedOptionModule [ "services" "gitlab" "pagesExtraArgs" ] "Use services.gitlab.pages.settings instead")
];
options = {
@ -667,10 +669,127 @@ in {
};
};
pagesExtraArgs = mkOption {
type = types.listOf types.str;
default = [ "-listen-proxy" "127.0.0.1:8090" ];
description = lib.mdDoc "Arguments to pass to the gitlab-pages daemon";
pages.enable = mkEnableOption (lib.mdDoc "the GitLab Pages service");
pages.settings = mkOption {
example = literalExpression ''
{
pages-domain = "example.com";
auth-client-id = "generated-id-xxxxxxx";
auth-client-secret = { _secret = "/var/keys/auth-client-secret"; };
auth-redirect-uri = "https://projects.example.com/auth";
auth-secret = { _secret = "/var/keys/auth-secret"; };
auth-server = "https://gitlab.example.com";
}
'';
description = lib.mdDoc ''
Configuration options to set in the GitLab Pages config
file.
Options containing secret data should be set to an attribute
set containing the attribute `_secret` - a string pointing
to a file containing the value the option should be set
to. See the example to get a better picture of this: in the
resulting configuration file, the `auth-client-secret` and
`auth-secret` keys will be set to the contents of the
{file}`/var/keys/auth-client-secret` and
{file}`/var/keys/auth-secret` files respectively.
'';
type = types.submodule {
freeformType = with types; attrsOf (nullOr (oneOf [ str int bool attrs ]));
options = {
listen-http = mkOption {
type = with types; listOf str;
apply = x: if x == [] then null else lib.concatStringsSep "," x;
default = [];
description = lib.mdDoc ''
The address(es) to listen on for HTTP requests.
'';
};
listen-https = mkOption {
type = with types; listOf str;
apply = x: if x == [] then null else lib.concatStringsSep "," x;
default = [];
description = lib.mdDoc ''
The address(es) to listen on for HTTPS requests.
'';
};
listen-proxy = mkOption {
type = with types; listOf str;
apply = x: if x == [] then null else lib.concatStringsSep "," x;
default = [ "127.0.0.1:8090" ];
description = lib.mdDoc ''
The address(es) to listen on for proxy requests.
'';
};
artifacts-server = mkOption {
type = with types; nullOr str;
default = "http${optionalString cfg.https "s"}://${cfg.host}/api/v4";
defaultText = "http(s)://<services.gitlab.host>/api/v4";
example = "https://gitlab.example.com/api/v4";
description = lib.mdDoc ''
API URL to proxy artifact requests to.
'';
};
gitlab-server = mkOption {
type = with types; nullOr str;
default = "http${optionalString cfg.https "s"}://${cfg.host}";
defaultText = "http(s)://<services.gitlab.host>";
example = "https://gitlab.example.com";
description = lib.mdDoc ''
Public GitLab server URL.
'';
};
internal-gitlab-server = mkOption {
type = with types; nullOr str;
default = null;
defaultText = "http(s)://<services.gitlab.host>";
example = "https://gitlab.example.internal";
description = lib.mdDoc ''
Internal GitLab server used for API requests, useful
if you want to send that traffic over an internal load
balancer. By default, the value of
`services.gitlab.pages.settings.gitlab-server` is
used.
'';
};
api-secret-key = mkOption {
type = with types; nullOr str;
default = "${cfg.statePath}/gitlab_pages_secret";
internal = true;
description = lib.mdDoc ''
File with secret key used to authenticate with the
GitLab API.
'';
};
pages-domain = mkOption {
type = with types; nullOr str;
example = "example.com";
description = lib.mdDoc ''
The domain to serve static pages on.
'';
};
pages-root = mkOption {
type = types.str;
default = "${gitlabConfig.production.shared.path}/pages";
defaultText = literalExpression ''config.${opt.extraConfig}.production.shared.path + "/pages"'';
description = lib.mdDoc ''
The directory where pages are stored.
'';
};
};
};
};
secrets.secretFile = mkOption {
@ -1210,6 +1329,9 @@ in {
umask u=rwx,g=,o=
openssl rand -hex 32 > ${cfg.statePath}/gitlab_shell_secret
${optionalString cfg.pages.enable ''
openssl rand -base64 32 > ${cfg.pages.settings.api-secret-key}
''}
rm -f '${cfg.statePath}/config/database.yml'
@ -1359,28 +1481,66 @@ in {
};
};
systemd.services.gitlab-pages = mkIf (gitlabConfig.production.pages.enabled or false) {
description = "GitLab static pages daemon";
after = [ "network.target" "gitlab-config.service" ];
bindsTo = [ "gitlab-config.service" ];
wantedBy = [ "gitlab.target" ];
partOf = [ "gitlab.target" ];
path = [ pkgs.unzip ];
serviceConfig = {
Type = "simple";
TimeoutSec = "infinity";
Restart = "on-failure";
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.packages.pages}/bin/gitlab-pages ${escapeShellArgs pagesArgs}";
WorkingDirectory = gitlabEnv.HOME;
};
services.gitlab.pages.settings = {
api-secret-key = "${cfg.statePath}/gitlab_pages_secret";
};
systemd.services.gitlab-pages =
let
filteredConfig = filterAttrs (_: v: v != null) cfg.pages.settings;
isSecret = v: isAttrs v && v ? _secret && isString v._secret;
mkPagesKeyValue = lib.generators.toKeyValue {
mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" rec {
mkValueString = v:
if isInt v then toString v
else if isString v then v
else if true == v then "true"
else if false == v then "false"
else if isSecret v then builtins.hashString "sha256" v._secret
else throw "unsupported type ${builtins.typeOf v}: ${(lib.generators.toPretty {}) v}";
};
};
secretPaths = lib.catAttrs "_secret" (lib.collect isSecret filteredConfig);
mkSecretReplacement = file: ''
replace-secret ${lib.escapeShellArgs [ (builtins.hashString "sha256" file) file "/run/gitlab-pages/gitlab-pages.conf" ]}
'';
secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
configFile = pkgs.writeText "gitlab-pages.conf" (mkPagesKeyValue filteredConfig);
in
mkIf cfg.pages.enable {
description = "GitLab static pages daemon";
after = [ "network.target" "gitlab-config.service" "gitlab.service" ];
bindsTo = [ "gitlab-config.service" "gitlab.service" ];
wantedBy = [ "gitlab.target" ];
partOf = [ "gitlab.target" ];
path = with pkgs; [
unzip
replace-secret
];
serviceConfig = {
Type = "simple";
TimeoutSec = "infinity";
Restart = "on-failure";
User = cfg.user;
Group = cfg.group;
ExecStartPre = pkgs.writeShellScript "gitlab-pages-pre-start" ''
set -o errexit -o pipefail -o nounset
shopt -s dotglob nullglob inherit_errexit
install -m u=rw ${configFile} /run/gitlab-pages/gitlab-pages.conf
${secretReplacements}
'';
ExecStart = "${cfg.packages.pages}/bin/gitlab-pages -config=/run/gitlab-pages/gitlab-pages.conf";
WorkingDirectory = gitlabEnv.HOME;
RuntimeDirectory = "gitlab-pages";
RuntimeDirectoryMode = "0700";
};
};
systemd.services.gitlab-workhorse = {
after = [ "network.target" ];
wantedBy = [ "gitlab.target" ];

View file

@ -0,0 +1,62 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.jellyseerr;
in
{
meta.maintainers = [ maintainers.camillemndn ];
options.services.jellyseerr = {
enable = mkEnableOption (mdDoc ''Jellyseerr, a requests manager for Jellyfin'');
openFirewall = mkOption {
type = types.bool;
default = false;
description = mdDoc ''Open port in the firewall for the Jellyseerr web interface.'';
};
port = mkOption {
type = types.port;
default = 5055;
description = mdDoc ''The port which the Jellyseerr web UI should listen to.'';
};
};
config = mkIf cfg.enable {
systemd.services.jellyseerr = {
description = "Jellyseerr, a requests manager for Jellyfin";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment.PORT = toString cfg.port;
serviceConfig = {
Type = "exec";
StateDirectory = "jellyseerr";
WorkingDirectory = "${pkgs.jellyseerr}/libexec/jellyseerr/deps/jellyseerr";
DynamicUser = true;
ExecStart = "${pkgs.jellyseerr}/bin/jellyseerr";
BindPaths = [ "/var/lib/jellyseerr/:${pkgs.jellyseerr}/libexec/jellyseerr/deps/jellyseerr/config/" ];
Restart = "on-failure";
ProtectHome = true;
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
};
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ];
};
};
}

View file

@ -0,0 +1,88 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.readarr;
in
{
options = {
services.readarr = {
enable = mkEnableOption (lib.mdDoc "Readarr");
dataDir = mkOption {
type = types.str;
default = "/var/lib/readarr/";
description = lib.mdDoc "The directory where Readarr stores its data files.";
};
package = mkOption {
type = types.package;
default = pkgs.readarr;
defaultText = literalExpression "pkgs.readarr";
description = lib.mdDoc "The Readarr package to use";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Open ports in the firewall for Readarr
'';
};
user = mkOption {
type = types.str;
default = "readarr";
description = lib.mdDoc ''
User account under which Readarr runs.
'';
};
group = mkOption {
type = types.str;
default = "readarr";
description = lib.mdDoc ''
Group under which Readarr runs.
'';
};
};
};
config = mkIf cfg.enable {
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
];
systemd.services.readarr = {
description = "Readarr";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.package}/bin/Readarr -nobrowser -data='${cfg.dataDir}'";
Restart = "on-failure";
};
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ 8787 ];
};
users.users = mkIf (cfg.user == "readarr") {
readarr = {
description = "Readarr service";
home = cfg.dataDir;
group = cfg.group;
isSystemUser = true;
};
};
users.groups = mkIf (cfg.group == "readarr") {
readarr = { };
};
};
}

View file

@ -283,7 +283,8 @@ in {
phpfpm = lib.mkIf useNginx {
pools.zoneminder = {
inherit user group;
phpPackage = pkgs.php.withExtensions ({ enabled, all }: enabled ++ [ all.apcu ]);
phpPackage = pkgs.php.withExtensions (
{ enabled, all }: enabled ++ [ all.apcu all.sysvsem ]);
phpOptions = ''
date.timezone = "${config.time.timeZone}"
'';
@ -326,6 +327,15 @@ in {
fi
${zoneminder}/bin/zmupdate.pl -nointeractive
${zoneminder}/bin/zmupdate.pl --nointeractive -f
# Update ZM's Nix store path in the configuration table. Do nothing if the config doesn't
# contain ZM's Nix store path.
${config.services.mysql.package}/bin/mysql -u zoneminder zm << EOF
UPDATE Config
SET Value = REGEXP_REPLACE(Value, "^/nix/store/[^-/]+-zoneminder-[^/]+", "${pkgs.zoneminder}")
WHERE Name = "ZM_FONT_FILE_LOCATION";
EOF
'';
serviceConfig = {
User = user;

View file

@ -1300,7 +1300,7 @@ in {
SystemCallFilter = [
"@system-service"
"~@privileged"
] ++ lib.optional (cfg.settings.server.protocol == "socket") [ "@chown" ];
] ++ lib.optionals (cfg.settings.server.protocol == "socket") [ "@chown" ];
UMask = "0027";
};
preStart = ''

View file

@ -31,7 +31,7 @@ let
if checkConfigEnabled then
pkgs.runCommandLocal
"${name}-${replaceStrings [" "] [""] what}-checked"
{ buildInputs = [ cfg.package ]; } ''
{ buildInputs = [ cfg.package.cli ]; } ''
ln -s ${file} $out
promtool ${what} $out
'' else file;
@ -1408,7 +1408,7 @@ let
'';
action =
mkDefOpt (types.enum [ "replace" "keep" "drop" "hashmod" "labelmap" "labeldrop" "labelkeep" ]) "replace" ''
mkDefOpt (types.enum [ "replace" "lowercase" "uppercase" "keep" "drop" "hashmod" "labelmap" "labeldrop" "labelkeep" ]) "replace" ''
Action to perform based on regex matching.
'';
};

View file

@ -0,0 +1,203 @@
{ config, lib, pkgs, ...}:
with lib;
let
cfgs = config.services.cgit;
settingType = with types; oneOf [ bool int str ];
genAttrs' = names: f: listToAttrs (map f names);
regexEscape =
let
# taken from https://github.com/python/cpython/blob/05cb728d68a278d11466f9a6c8258d914135c96c/Lib/re.py#L251-L266
special = [
"(" ")" "[" "]" "{" "}" "?" "*" "+" "-" "|" "^" "$" "\\" "." "&" "~"
"#" " " "\t" "\n" "\r" "\v" "\f"
];
in
replaceStrings special (map (c: "\\${c}") special);
stripLocation = cfg: removeSuffix "/" cfg.nginx.location;
regexLocation = cfg: regexEscape (stripLocation cfg);
mkFastcgiPass = cfg: ''
${if cfg.nginx.location == "/" then ''
fastcgi_param PATH_INFO $uri;
'' else ''
fastcgi_split_path_info ^(${regexLocation cfg})(/.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
''
}fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
'';
cgitrcLine = name: value: "${name}=${
if value == true then
"1"
else if value == false then
"0"
else
toString value
}";
mkCgitrc = cfg: pkgs.writeText "cgitrc" ''
# global settings
${concatStringsSep "\n" (
mapAttrsToList
cgitrcLine
({ virtual-root = cfg.nginx.location; } // cfg.settings)
)
}
${optionalString (cfg.scanPath != null) (cgitrcLine "scan-path" cfg.scanPath)}
# repository settings
${concatStrings (
mapAttrsToList
(url: settings: ''
${cgitrcLine "repo.url" url}
${concatStringsSep "\n" (
mapAttrsToList (name: cgitrcLine "repo.${name}") settings
)
}
'')
cfg.repos
)
}
# extra config
${cfg.extraConfig}
'';
mkCgitReposDir = cfg:
if cfg.scanPath != null then
cfg.scanPath
else
pkgs.runCommand "cgit-repos" {
preferLocalBuild = true;
allowSubstitutes = false;
} ''
mkdir -p "$out"
${
concatStrings (
mapAttrsToList
(name: value: ''
ln -s ${escapeShellArg value.path} "$out"/${escapeShellArg name}
'')
cfg.repos
)
}
'';
in
{
options = {
services.cgit = mkOption {
description = mdDoc "Configure cgit instances.";
default = {};
type = types.attrsOf (types.submodule ({ config, ... }: {
options = {
enable = mkEnableOption (mdDoc "cgit");
package = mkPackageOptionMD pkgs "cgit" {};
nginx.virtualHost = mkOption {
description = mdDoc "VirtualHost to serve cgit on, defaults to the attribute name.";
type = types.str;
default = config._module.args.name;
example = "git.example.com";
};
nginx.location = mkOption {
description = mdDoc "Location to serve cgit under.";
type = types.str;
default = "/";
example = "/git/";
};
repos = mkOption {
description = mdDoc "cgit repository settings, see cgitrc(5)";
type = with types; attrsOf (attrsOf settingType);
default = {};
example = {
blah = {
path = "/var/lib/git/example";
desc = "An example repository";
};
};
};
scanPath = mkOption {
description = mdDoc "A path which will be scanned for repositories.";
type = types.nullOr types.path;
default = null;
example = "/var/lib/git";
};
settings = mkOption {
description = mdDoc "cgit configuration, see cgitrc(5)";
type = types.attrsOf settingType;
default = {};
example = literalExpression ''
{
enable-follow-links = true;
source-filter = "''${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
}
'';
};
extraConfig = mkOption {
description = mdDoc "These lines go to the end of cgitrc verbatim.";
type = types.lines;
default = "";
};
};
}));
};
};
config = mkIf (any (cfg: cfg.enable) (attrValues cfgs)) {
assertions = mapAttrsToList (vhost: cfg: {
assertion = !cfg.enable || (cfg.scanPath == null) != (cfg.repos == {});
message = "Exactly one of services.cgit.${vhost}.scanPath or services.cgit.${vhost}.repos must be set.";
}) cfgs;
services.fcgiwrap.enable = true;
services.nginx.enable = true;
services.nginx.virtualHosts = mkMerge (mapAttrsToList (_: cfg: {
${cfg.nginx.virtualHost} = {
locations = (
genAttrs'
[ "cgit.css" "cgit.png" "favicon.ico" "robots.txt" ]
(name: nameValuePair "= ${stripLocation cfg}/${name}" {
extraConfig = ''
alias ${cfg.package}/cgit/${name};
'';
})
) // {
"~ ${regexLocation cfg}/.+/(info/refs|git-upload-pack)" = {
fastcgiParams = rec {
SCRIPT_FILENAME = "${pkgs.git}/libexec/git-core/git-http-backend";
GIT_HTTP_EXPORT_ALL = "1";
GIT_PROJECT_ROOT = mkCgitReposDir cfg;
HOME = GIT_PROJECT_ROOT;
};
extraConfig = mkFastcgiPass cfg;
};
"${stripLocation cfg}/" = {
fastcgiParams = {
SCRIPT_FILENAME = "${cfg.package}/cgit/cgit.cgi";
QUERY_STRING = "$args";
HTTP_HOST = "$server_name";
CGIT_CONFIG = mkCgitrc cfg;
};
extraConfig = mkFastcgiPass cfg;
};
};
};
}) cfgs);
};
}

View file

@ -3,8 +3,11 @@
with lib;
let
cfg = config.services.networkd-dispatcher;
in {
options = {
services.networkd-dispatcher = {
@ -14,14 +17,49 @@ in {
for usage.
'');
scriptDir = mkOption {
type = types.path;
default = "/var/lib/networkd-dispatcher";
description = mdDoc ''
This directory is used for keeping various scripts read and run by
networkd-dispatcher. See [https://gitlab.com/craftyguy/networkd-dispatcher](upstream instructions)
for directory structure and script usage.
rules = mkOption {
default = {};
example = lib.literalExpression ''
{ "restart-tor" = {
onState = ["routable" "off"];
script = '''
#!''${pkgs.runtimeShell}
if [[ $IFACE == "wlan0" && $AdministrativeState == "configured" ]]; then
echo "Restarting Tor ..."
systemctl restart tor
fi
exit 0
''';
};
};
'';
description = lib.mdDoc ''
Declarative configuration of networkd-dispatcher rules. See
[https://gitlab.com/craftyguy/networkd-dispatcher](upstream instructions)
for an introduction and example scripts.
'';
type = types.attrsOf (types.submodule {
options = {
onState = mkOption {
type = types.listOf (types.enum [
"routable" "dormant" "no-carrier" "off" "carrier" "degraded"
"configuring" "configured"
]);
default = null;
description = lib.mdDoc ''
List of names of the systemd-networkd operational states which
should trigger the script. See <https://www.freedesktop.org/software/systemd/man/networkctl.html>
for a description of the specific state type.
'';
};
script = mkOption {
type = types.lines;
description = lib.mdDoc ''
Shell commands executed on specified operational states.
'';
};
};
});
};
};
@ -30,34 +68,31 @@ in {
config = mkIf cfg.enable {
systemd = {
packages = [ pkgs.networkd-dispatcher ];
services.networkd-dispatcher = {
wantedBy = [ "multi-user.target" ];
# Override existing ExecStart definition
serviceConfig.ExecStart = [
serviceConfig.ExecStart = let
scriptDir = pkgs.symlinkJoin {
name = "networkd-dispatcher-script-dir";
paths = lib.mapAttrsToList (name: cfg:
(map(state:
pkgs.writeTextFile {
inherit name;
text = cfg.script;
destination = "/${state}.d/${name}";
executable = true;
}
) cfg.onState)
) cfg.rules;
};
in [
""
"${pkgs.networkd-dispatcher}/bin/networkd-dispatcher -v --script-dir ${cfg.scriptDir} $networkd_dispatcher_args"
"${pkgs.networkd-dispatcher}/bin/networkd-dispatcher -v --script-dir ${scriptDir} $networkd_dispatcher_args"
];
};
# Directory structure required according to upstream instructions
# https://gitlab.com/craftyguy/networkd-dispatcher
tmpfiles.rules = [
"d '${cfg.scriptDir}' 0750 root root - -"
"d '${cfg.scriptDir}/routable.d' 0750 root root - -"
"d '${cfg.scriptDir}/dormant.d' 0750 root root - -"
"d '${cfg.scriptDir}/no-carrier.d' 0750 root root - -"
"d '${cfg.scriptDir}/off.d' 0750 root root - -"
"d '${cfg.scriptDir}/carrier.d' 0750 root root - -"
"d '${cfg.scriptDir}/degraded.d' 0750 root root - -"
"d '${cfg.scriptDir}/configuring.d' 0750 root root - -"
"d '${cfg.scriptDir}/configured.d' 0750 root root - -"
];
};
};
}

View file

@ -203,7 +203,7 @@ in
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "chown" ] ++ lib.optional pkgs.stdenv.hostPlatform.isAarch64 "fchownat";
SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "@clock" "@setuid" "capset" "@chown" ];
};
};
};

View file

@ -25,7 +25,7 @@ in
compressionLevel = mkOption {
type = types.nullOr types.int;
description = lib.mdDoc "The compression level for XZ compression (between 0 and 9)";
description = lib.mdDoc "The compression level for ZSTD compression (between 0 and 16)";
default = null;
};

View file

@ -0,0 +1,217 @@
{ config, lib, options, pkgs, ... }:
with lib;
let
cfg = config.services.coder;
name = "coder";
in {
options = {
services.coder = {
enable = mkEnableOption (lib.mdDoc "Coder service");
user = mkOption {
type = types.str;
default = "coder";
description = lib.mdDoc ''
User under which the coder service runs.
::: {.note}
If left as the default value this user will automatically be created
on system activation, otherwise it needs to be configured manually.
:::
'';
};
group = mkOption {
type = types.str;
default = "coder";
description = lib.mdDoc ''
Group under which the coder service runs.
::: {.note}
If left as the default value this group will automatically be created
on system activation, otherwise it needs to be configured manually.
:::
'';
};
package = mkOption {
type = types.package;
default = pkgs.coder;
description = lib.mdDoc ''
Package to use for the service.
'';
defaultText = literalExpression "pkgs.coder";
};
homeDir = mkOption {
type = types.str;
description = lib.mdDoc ''
Home directory for coder user.
'';
default = "/var/lib/coder";
};
listenAddress = mkOption {
type = types.str;
description = lib.mdDoc ''
Listen address.
'';
default = "127.0.0.1:3000";
};
accessUrl = mkOption {
type = types.nullOr types.str;
description = lib.mdDoc ''
Access URL should be a external IP address or domain with DNS records pointing to Coder.
'';
default = null;
example = "https://coder.example.com";
};
wildcardAccessUrl = mkOption {
type = types.nullOr types.str;
description = lib.mdDoc ''
If you are providing TLS certificates directly to the Coder server, you must use a single certificate for the root and wildcard domains.
'';
default = null;
example = "*.coder.example.com";
};
database = {
createLocally = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
Create the database and database user locally.
'';
};
host = mkOption {
type = types.str;
default = "/run/postgresql";
description = lib.mdDoc ''
Hostname hosting the database.
'';
};
database = mkOption {
type = types.str;
default = "coder";
description = lib.mdDoc ''
Name of database.
'';
};
username = mkOption {
type = types.str;
default = "coder";
description = lib.mdDoc ''
Username for accessing the database.
'';
};
password = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
Password for accessing the database.
'';
};
sslmode = mkOption {
type = types.nullOr types.str;
default = "disable";
description = lib.mdDoc ''
Password for accessing the database.
'';
};
};
tlsCert = mkOption {
type = types.nullOr types.path;
description = lib.mdDoc ''
The path to the TLS certificate.
'';
default = null;
};
tlsKey = mkOption {
type = types.nullOr types.path;
description = lib.mdDoc ''
The path to the TLS key.
'';
default = null;
};
};
};
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.username == name;
message = "services.coder.database.username must be set to ${user} if services.coder.database.createLocally is set true";
}
];
systemd.services.coder = {
description = "Coder - Self-hosted developer workspaces on your infra";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
CODER_ACCESS_URL = cfg.accessUrl;
CODER_WILDCARD_ACCESS_URL = cfg.wildcardAccessUrl;
CODER_PG_CONNECTION_URL = "user=${cfg.database.username} ${optionalString (cfg.database.password != null) "password=${cfg.database.password}"} database=${cfg.database.database} host=${cfg.database.host} ${optionalString (cfg.database.sslmode != null) "sslmode=${cfg.database.sslmode}"}";
CODER_ADDRESS = cfg.listenAddress;
CODER_TLS_ENABLE = optionalString (cfg.tlsCert != null) "1";
CODER_TLS_CERT_FILE = cfg.tlsCert;
CODER_TLS_KEY_FILE = cfg.tlsKey;
};
serviceConfig = {
ProtectSystem = "full";
PrivateTmp = "yes";
PrivateDevices = "yes";
SecureBits = "keep-caps";
AmbientCapabilities = "CAP_IPC_LOCK CAP_NET_BIND_SERVICE";
CacheDirectory = "coder";
CapabilityBoundingSet = "CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE";
KillSignal = "SIGINT";
KillMode = "mixed";
NoNewPrivileges = "yes";
Restart = "on-failure";
ExecStart = "${cfg.package}/bin/coder server";
User = cfg.user;
Group = cfg.group;
};
};
services.postgresql = lib.mkIf cfg.database.createLocally {
enable = true;
ensureDatabases = [
cfg.database.database
];
ensureUsers = [{
name = cfg.database.username;
ensurePermissions = {
"DATABASE \"${cfg.database.database}\"" = "ALL PRIVILEGES";
};
}
];
};
users.groups = optionalAttrs (cfg.group == name) {
"${cfg.group}" = {};
};
users.users = optionalAttrs (cfg.user == name) {
${name} = {
description = "Coder service user";
group = cfg.group;
home = cfg.homeDir;
createHome = true;
isSystemUser = true;
};
};
};
}

View file

@ -173,7 +173,7 @@ in
systemd.services.phosh = {
wantedBy = [ "graphical.target" ];
serviceConfig = {
ExecStart = "${cfg.package}/bin/phosh";
ExecStart = "${cfg.package}/bin/phosh-session";
User = cfg.user;
Group = cfg.group;
PAMName = "login";

View file

@ -448,6 +448,7 @@ in
kio-extras
];
optionalPackages = [
ark
elisa
gwenview
okular

View file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.xserver.windowManager.nimdow;
in
{
options = {
services.xserver.windowManager.nimdow.enable = mkEnableOption (lib.mdDoc "nimdow");
};
config = mkIf cfg.enable {
services.xserver.windowManager.session = singleton {
name = "nimdow";
start = ''
${pkgs.nimdow}/bin/nimdow &
waitPID=$!
'';
};
environment.systemPackages = [ pkgs.nimdow ];
};
}

View file

@ -592,7 +592,8 @@ in
|| dmConf.sddm.enable
|| dmConf.xpra.enable
|| dmConf.sx.enable
|| dmConf.startx.enable);
|| dmConf.startx.enable
|| config.services.greetd.enable);
in mkIf (default) (mkDefault true);
# so that the service won't be enabled when only startx is used

View file

@ -130,6 +130,13 @@ let
pkgs.replaceDependency { inherit oldDependency newDependency drv; }
) baseSystemAssertWarn config.system.replaceRuntimeDependencies;
systemWithBuildDeps = system.overrideAttrs (o: {
systemBuildClosure = pkgs.closureInfo { rootPaths = [ system.drvPath ]; };
buildCommand = o.buildCommand + ''
ln -sn $systemBuildClosure $out/build-closure
'';
});
in
{
@ -306,6 +313,27 @@ in
'';
};
system.includeBuildDependencies = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to include the build closure of the whole system in
its runtime closure. This can be useful for making changes
fully offline, as it includes all sources, patches, and
intermediate outputs required to build all the derivations
that the system depends on.
Note that this includes _all_ the derivations, down from the
included applications to their sources, the compilers used to
build them, and even the bootstrap compiler used to compile
the compilers. This increases the size of the system and the
time needed to download its dependencies drastically: a
minimal configuration with no extra services enabled grows
from ~670MiB in size to 13.5GiB, and takes proportionally
longer to download.
'';
};
};
@ -336,7 +364,7 @@ in
]; };
};
system.build.toplevel = system;
system.build.toplevel = if config.system.includeBuildDependencies then systemWithBuildDeps else system;
};

View file

@ -134,11 +134,11 @@ let
mask = ''\xff\xff\xff\xff'';
};
x86_64-windows = {
magicOrExtension = ".exe";
magicOrExtension = "exe";
recognitionType = "extension";
};
i686-windows = {
magicOrExtension = ".exe";
magicOrExtension = "exe";
recognitionType = "extension";
};
};

View file

@ -450,8 +450,9 @@ sub addEntry {
# Include second initrd with secrets
if (-e -x "$path/append-initrd-secrets") {
my $initrdName = basename($initrd);
my $initrdSecretsPath = "$bootPath/kernels/$initrdName-secrets";
# Name the initrd secrets after the system from which they're derived.
my $systemName = basename(Cwd::abs_path("$path"));
my $initrdSecretsPath = "$bootPath/kernels/$systemName-secrets";
mkpath(dirname($initrdSecretsPath), 0, 0755);
my $oldUmask = umask;
@ -470,7 +471,7 @@ sub addEntry {
if (-e $initrdSecretsPathTemp && ! -z _) {
rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place: $!\n";
$copied{$initrdSecretsPath} = 1;
$initrd .= " " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/kernels/$initrdName-secrets";
$initrd .= " " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/kernels/$systemName-secrets";
} else {
unlink $initrdSecretsPathTemp;
rmdir dirname($initrdSecretsPathTemp);

View file

@ -85,18 +85,18 @@ def copy_from_profile(profile: Optional[str], generation: int, specialisation: O
return efi_file_path
def describe_generation(generation_dir: str) -> str:
def describe_generation(profile: Optional[str], generation: int, specialisation: Optional[str]) -> str:
try:
with open("%s/nixos-version" % generation_dir) as f:
with open(profile_path(profile, generation, specialisation, "nixos-version")) as f:
nixos_version = f.read()
except IOError:
nixos_version = "Unknown"
kernel_dir = os.path.dirname(os.path.realpath("%s/kernel" % generation_dir))
kernel_dir = os.path.dirname(profile_path(profile, generation, specialisation, "kernel"))
module_dir = glob.glob("%s/lib/modules/*" % kernel_dir)[0]
kernel_version = os.path.basename(module_dir)
build_time = int(os.path.getctime(generation_dir))
build_time = int(os.path.getctime(system_dir(profile, generation, specialisation)))
build_date = datetime.datetime.fromtimestamp(build_time).strftime('%F')
description = "@distroName@ {}, Linux Kernel {}, Built on {}".format(
@ -131,11 +131,10 @@ def write_entry(profile: Optional[str], generation: int, specialisation: Optiona
"or renamed a file in `boot.initrd.secrets`", file=sys.stderr)
entry_file = "@efiSysMountPoint@/loader/entries/%s" % (
generation_conf_filename(profile, generation, specialisation))
generation_dir = os.readlink(system_dir(profile, generation, specialisation))
tmp_path = "%s.tmp" % (entry_file)
kernel_params = "init=%s/init " % generation_dir
kernel_params = "init=%s " % profile_path(profile, generation, specialisation, "init")
with open("%s/kernel-params" % (generation_dir)) as params_file:
with open(profile_path(profile, generation, specialisation, "kernel-params")) as params_file:
kernel_params = kernel_params + params_file.read()
with open(tmp_path, 'w') as f:
f.write(BOOT_ENTRY.format(title=title,
@ -143,7 +142,7 @@ def write_entry(profile: Optional[str], generation: int, specialisation: Optiona
kernel=kernel,
initrd=initrd,
kernel_params=kernel_params,
description=describe_generation(generation_dir)))
description=describe_generation(profile, generation, specialisation)))
if machine_id is not None:
f.write("machine-id %s\n" % machine_id)
os.rename(tmp_path, entry_file)
@ -296,7 +295,7 @@ def main() -> None:
remove_old_entries(gens)
for gen in gens:
try:
is_default = os.readlink(system_dir(*gen)) == args.default_config
is_default = os.path.dirname(profile_path(*gen, "init")) == args.default_config
write_entry(*gen, machine_id, current=is_default)
for specialisation in get_specialisations(*gen):
write_entry(*specialisation, machine_id, current=is_default)

View file

@ -614,7 +614,7 @@ in
# Avoid potentially degraded system state due to
# "Userspace Out-Of-Memory (OOM) Killer was skipped because of a failed condition check (ConditionControlGroupController=v2)."
systemd.services.systemd-oomd.enable = mkIf (!cfg.enableUnifiedCgroupHierarchy) false;
systemd.oomd.enable = mkIf (!cfg.enableUnifiedCgroupHierarchy) false;
services.logrotate.settings = {
"/var/log/btmp" = mapAttrs (_: mkDefault) {

View file

@ -158,6 +158,16 @@ in {
'';
};
managerEnvironment = mkOption {
type = with types; attrsOf (nullOr (oneOf [ str path package ]));
default = {};
example = { SYSTEMD_LOG_LEVEL = "debug"; };
description = lib.mdDoc ''
Environment variables of PID 1. These variables are
*not* passed to started units.
'';
};
contents = mkOption {
description = lib.mdDoc "Set of files that have to be linked into the initrd";
example = literalExpression ''
@ -355,8 +365,11 @@ in {
less = "${pkgs.less}/bin/less";
mount = "${cfg.package.util-linux}/bin/mount";
umount = "${cfg.package.util-linux}/bin/umount";
fsck = "${cfg.package.util-linux}/bin/fsck";
};
managerEnvironment.PATH = "/bin:/sbin";
contents = {
"/init".source = "${cfg.package}/lib/systemd/systemd";
"/etc/systemd/system".source = stage1Units;
@ -365,6 +378,7 @@ in {
[Manager]
DefaultEnvironment=PATH=/bin:/sbin ${optionalString (isBool cfg.emergencyAccess && cfg.emergencyAccess) "SYSTEMD_SULOGIN_FORCE=1"}
${cfg.extraConfig}
ManagerEnvironment=${lib.concatStringsSep " " (lib.mapAttrsToList (n: v: "${n}=${lib.escapeShellArg v}") cfg.managerEnvironment)}
'';
"/lib/modules".source = "${modulesClosure}/lib/modules";
@ -444,21 +458,6 @@ in {
(v: let n = escapeSystemdPath v.where;
in nameValuePair "${n}.automount" (automountToUnit n v)) cfg.automounts);
# The unit in /run/systemd/generator shadows the unit in
# /etc/systemd/system, but will still apply drop-ins from
# /etc/systemd/system/foo.service.d/
#
# We need IgnoreOnIsolate, otherwise the Requires dependency of
# a mount unit on its makefs unit causes it to be unmounted when
# we isolate for switch-root. Use a dummy package so that
# generateUnits will generate drop-ins instead of unit files.
packages = [(pkgs.runCommand "dummy" {} ''
mkdir -p $out/etc/systemd/system
touch $out/etc/systemd/system/systemd-{makefs,growfs}@.service
'')];
services."systemd-makefs@" = lib.mkIf needMakefs { unitConfig.IgnoreOnIsolate = true; };
services."systemd-growfs@" = lib.mkIf needGrowfs { unitConfig.IgnoreOnIsolate = true; };
# make sure all the /dev nodes are set up
services.systemd-tmpfiles-setup-dev.wantedBy = ["sysinit.target"];

View file

@ -140,7 +140,10 @@ let
else if config.fsType == "reiserfs" then "-q"
else null;
in {
options = mkIf config.autoResize [ "x-nixos.autoresize" ];
options = mkMerge [
(mkIf config.autoResize [ "x-nixos.autoresize" ])
(mkIf (utils.fsNeededForBoot config) [ "x-initrd.mount" ])
];
formatOptions = mkIf (defaultFormatOptions != null) (mkDefault defaultFormatOptions);
};
@ -155,27 +158,54 @@ let
makeFstabEntries =
let
fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "nfs4" "vboxsf" "glusterfs" "apfs" "9p" "cifs" "prl_fs" "vmhgfs" ];
fsToSkipCheck = [
"none"
"auto"
"overlay"
"iso9660"
"bindfs"
"udf"
"btrfs"
"zfs"
"tmpfs"
"bcachefs"
"nfs"
"nfs4"
"nilfs2"
"vboxsf"
"squashfs"
"glusterfs"
"apfs"
"9p"
"cifs"
"prl_fs"
"vmhgfs"
] ++ lib.optionals (!config.boot.initrd.checkJournalingFS) [
"ext3"
"ext4"
"reiserfs"
"xfs"
"jfs"
"f2fs"
];
isBindMount = fs: builtins.elem "bind" fs.options;
skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck || isBindMount fs;
# https://wiki.archlinux.org/index.php/fstab#Filepath_spaces
escape = string: builtins.replaceStrings [ " " "\t" ] [ "\\040" "\\011" ] string;
in fstabFileSystems: { rootPrefix ? "", excludeChecks ? false, extraOpts ? (fs: []) }: concatMapStrings (fs:
in fstabFileSystems: { rootPrefix ? "", extraOpts ? (fs: []) }: concatMapStrings (fs:
(optionalString (isBindMount fs) (escape rootPrefix))
+ (if fs.device != null then escape fs.device
else if fs.label != null then "/dev/disk/by-label/${escape fs.label}"
else throw "No device specified for mount point ${fs.mountPoint}.")
+ " " + escape (rootPrefix + fs.mountPoint)
+ " " + escape fs.mountPoint
+ " " + fs.fsType
+ " " + escape (builtins.concatStringsSep "," (fs.options ++ (extraOpts fs)))
+ " " + (optionalString (!excludeChecks)
("0 " + (if skipCheck fs then "0" else if fs.mountPoint == "/" then "1" else "2")))
+ " 0 " + (if skipCheck fs then "0" else if fs.mountPoint == "/" then "1" else "2")
+ "\n"
) fstabFileSystems;
initrdFstab = pkgs.writeText "initrd-fstab" (makeFstabEntries (filter utils.fsNeededForBoot fileSystems) {
rootPrefix = "/sysroot";
excludeChecks = true;
extraOpts = fs:
(optional fs.autoResize "x-systemd.growfs")
++ (optional fs.autoFormat "x-systemd.makefs");
@ -328,7 +358,9 @@ in
)}
'';
boot.initrd.systemd.contents."/etc/fstab".source = initrdFstab;
boot.initrd.systemd.storePaths = [initrdFstab];
boot.initrd.systemd.managerEnvironment.SYSTEMD_SYSROOT_FSTAB = initrdFstab;
boot.initrd.systemd.services.initrd-parse-etc.environment.SYSTEMD_SYSROOT_FSTAB = initrdFstab;
# Provide a target that pulls in all filesystems.
systemd.targets.fs =

View file

@ -11,7 +11,7 @@ in
{
config = mkIf (any (fs: fs == "vfat") config.boot.supportedFilesystems) {
system.fsPackages = [ pkgs.dosfstools ];
system.fsPackages = [ pkgs.dosfstools pkgs.mtools ];
boot.initrd.kernelModules = mkIf inInitrd [ "vfat" "nls_cp437" "nls_iso8859-1" ];

View file

@ -55,10 +55,9 @@ done
echo "getting EC2 instance metadata..."
get_imds() {
# Intentionally no --fail here, so that we proceed even if e.g. a
# 404 was returned (but we still fail if we can't reach the IMDS
# server).
curl --silent --show-error --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@"
# --fail to avoid populating missing files with 404 HTML response body
# || true to allow the script to continue even when encountering a 404
curl --silent --show-error --fail --header "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$@" || true
}
get_imds -o "$metaDir/ami-manifest-path" http://169.254.169.254/1.0/meta-data/ami-manifest-path

View file

@ -152,9 +152,11 @@ let
${lib.optionalString cfg.useBootLoader
''
# Create a writable copy/snapshot of the boot disk.
# A writable boot disk can be booted from automatically.
${qemu}/bin/qemu-img create -f qcow2 -F qcow2 -b ${bootDisk}/disk.img "$TMPDIR/disk.img"
if ${if !cfg.persistBootDevice then "true" else "! test -e $TMPDIR/disk.img"}; then
# Create a writable copy/snapshot of the boot disk.
# A writable boot disk can be booted from automatically.
${qemu}/bin/qemu-img create -f qcow2 -F qcow2 -b ${bootDisk}/disk.img "$TMPDIR/disk.img"
fi
NIX_EFI_VARS=$(readlink -f "''${NIX_EFI_VARS:-${cfg.efiVars}}")
@ -370,6 +372,17 @@ in
'';
};
virtualisation.persistBootDevice =
mkOption {
type = types.bool;
default = false;
description =
lib.mdDoc ''
If useBootLoader is specified, whether to recreate the boot device
on each instantiaton or allow it to persist.
'';
};
virtualisation.emptyDiskImages =
mkOption {
type = types.listOf types.ints.positive;
@ -853,6 +866,8 @@ in
# * The disks are attached in `virtualisation.qemu.drives`.
# Their order makes them appear as devices `a`, `b`, etc.
# * `fileSystems."/boot"` is adjusted to be on device `b`.
# * The disk.img is recreated each time the VM is booted unless
# virtualisation.persistBootDevice is set.
# If `useBootLoader`, GRUB goes to the second disk, see
# note [Disk layout with `useBootLoader`].
@ -895,7 +910,7 @@ in
${optionalString cfg.writableStore ''
echo "mounting overlay filesystem on /nix/store..."
mkdir -p 0755 $targetRoot/nix/.rw-store/store $targetRoot/nix/.rw-store/work $targetRoot/nix/store
mkdir -p -m 0755 $targetRoot/nix/.rw-store/store $targetRoot/nix/.rw-store/work $targetRoot/nix/store
mount -t overlay overlay $targetRoot/nix/store \
-o lowerdir=$targetRoot/nix/.ro-store,upperdir=$targetRoot/nix/.rw-store/store,workdir=$targetRoot/nix/.rw-store/work || fail
''}
@ -1086,18 +1101,20 @@ in
what = "overlay";
type = "overlay";
options = "lowerdir=/sysroot/nix/.ro-store,upperdir=/sysroot/nix/.rw-store/store,workdir=/sysroot/nix/.rw-store/work";
wantedBy = ["local-fs.target"];
before = ["local-fs.target"];
requires = ["sysroot-nix-.ro\\x2dstore.mount" "sysroot-nix-.rw\\x2dstore.mount" "rw-store.service"];
after = ["sysroot-nix-.ro\\x2dstore.mount" "sysroot-nix-.rw\\x2dstore.mount" "rw-store.service"];
unitConfig.IgnoreOnIsolate = true;
wantedBy = ["initrd-fs.target"];
before = ["initrd-fs.target"];
requires = ["rw-store.service"];
after = ["rw-store.service"];
unitConfig.RequiresMountsFor = "/sysroot/nix/.ro-store";
}];
services.rw-store = {
after = ["sysroot-nix-.rw\\x2dstore.mount"];
unitConfig.DefaultDependencies = false;
unitConfig = {
DefaultDependencies = false;
RequiresMountsFor = "/sysroot/nix/.rw-store";
};
serviceConfig = {
Type = "oneshot";
ExecStart = "/bin/mkdir -p 0755 /sysroot/nix/.rw-store/store /sysroot/nix/.rw-store/work /sysroot/nix/store";
ExecStart = "/bin/mkdir -p -m 0755 /sysroot/nix/.rw-store/store /sysroot/nix/.rw-store/work /sysroot/nix/store";
};
};
};

View file

@ -108,6 +108,7 @@ in {
breitbandmessung = handleTest ./breitbandmessung.nix {};
brscan5 = handleTest ./brscan5.nix {};
btrbk = handleTest ./btrbk.nix {};
btrbk-doas = handleTest ./btrbk-doas.nix {};
btrbk-no-timer = handleTest ./btrbk-no-timer.nix {};
btrbk-section-order = handleTest ./btrbk-section-order.nix {};
buildbot = handleTest ./buildbot.nix {};
@ -125,6 +126,7 @@ in {
ceph-single-node-bluestore = handleTestOn ["x86_64-linux"] ./ceph-single-node-bluestore.nix {};
certmgr = handleTest ./certmgr.nix {};
cfssl = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cfssl.nix {};
cgit = handleTest ./cgit.nix {};
charliecloud = handleTest ./charliecloud.nix {};
chromium = (handleTestOn ["aarch64-linux" "x86_64-linux"] ./chromium.nix {}).stable or {};
chrony-ptp = handleTestOn ["aarch64-linux" "x86_64-linux"] ./chrony-ptp.nix {};
@ -137,6 +139,7 @@ in {
cntr = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cntr.nix {};
cockpit = handleTest ./cockpit.nix {};
cockroachdb = handleTestOn ["x86_64-linux"] ./cockroachdb.nix {};
coder = handleTest ./coder.nix {};
collectd = handleTest ./collectd.nix {};
connman = handleTest ./connman.nix {};
consul = handleTest ./consul.nix {};
@ -235,9 +238,11 @@ in {
freshrss-pgsql = handleTest ./freshrss-pgsql.nix {};
frr = handleTest ./frr.nix {};
fsck = handleTest ./fsck.nix {};
fsck-systemd-stage-1 = handleTest ./fsck.nix { systemdStage1 = true; };
ft2-clone = handleTest ./ft2-clone.nix {};
mimir = handleTest ./mimir.nix {};
garage = handleTest ./garage {};
gemstash = handleTest ./gemstash.nix {};
gerrit = handleTest ./gerrit.nix {};
geth = handleTest ./geth.nix {};
ghostunnel = handleTest ./ghostunnel.nix {};
@ -308,6 +313,7 @@ in {
initrd-network-ssh = handleTest ./initrd-network-ssh {};
initrdNetwork = handleTest ./initrd-network.nix {};
initrd-secrets = handleTest ./initrd-secrets.nix {};
initrd-secrets-changing = handleTest ./initrd-secrets-changing.nix {};
input-remapper = handleTest ./input-remapper.nix {};
inspircd = handleTest ./inspircd.nix {};
installer = handleTest ./installer.nix {};
@ -580,6 +586,7 @@ in {
radarr = handleTest ./radarr.nix {};
radicale = handleTest ./radicale.nix {};
rasdaemon = handleTest ./rasdaemon.nix {};
readarr = handleTest ./readarr.nix {};
redis = handleTest ./redis.nix {};
redmine = handleTest ./redmine.nix {};
restartByActivationScript = handleTest ./restart-by-activation-script.nix {};
@ -687,6 +694,7 @@ in {
terminal-emulators = handleTest ./terminal-emulators.nix {};
tiddlywiki = handleTest ./tiddlywiki.nix {};
tigervnc = handleTest ./tigervnc.nix {};
timescaledb = handleTest ./timescaledb.nix {};
timezone = handleTest ./timezone.nix {};
tinc = handleTest ./tinc {};
tinydns = handleTest ./tinydns.nix {};

View file

@ -0,0 +1,114 @@
import ./make-test-python.nix ({ pkgs, ... }:
let
privateKey = ''
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrwAAAJB+cF5HfnBe
RwAAAAtzc2gtZWQyNTUxOQAAACBx8UB04Q6Q/fwDFjakHq904PYFzG9pU2TJ9KXpaPMcrw
AAAEBN75NsJZSpt63faCuaD75Unko0JjlSDxMhYHAPJk2/xXHxQHThDpD9/AMWNqQer3Tg
9gXMb2lTZMn0pelo8xyvAAAADXJzY2h1ZXR6QGt1cnQ=
-----END OPENSSH PRIVATE KEY-----
'';
publicKey = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHHxQHThDpD9/AMWNqQer3Tg9gXMb2lTZMn0pelo8xyv
'';
in
{
name = "btrbk-doas";
meta = with pkgs.lib; {
maintainers = with maintainers; [ symphorien tu-maurice ];
};
nodes = {
archive = { ... }: {
security.sudo.enable = false;
security.doas.enable = true;
environment.systemPackages = with pkgs; [ btrfs-progs ];
# note: this makes the privateKey world readable.
# don't do it with real ssh keys.
environment.etc."btrbk_key".text = privateKey;
services.btrbk = {
extraPackages = [ pkgs.lz4 ];
instances = {
remote = {
onCalendar = "minutely";
settings = {
ssh_identity = "/etc/btrbk_key";
ssh_user = "btrbk";
stream_compress = "lz4";
volume = {
"ssh://main/mnt" = {
target = "/mnt";
snapshot_dir = "btrbk/remote";
subvolume = "to_backup";
};
};
};
};
};
};
};
main = { ... }: {
security.sudo.enable = false;
security.doas.enable = true;
environment.systemPackages = with pkgs; [ btrfs-progs ];
services.openssh = {
enable = true;
passwordAuthentication = false;
kbdInteractiveAuthentication = false;
};
services.btrbk = {
extraPackages = [ pkgs.lz4 ];
sshAccess = [
{
key = publicKey;
roles = [ "source" "send" "info" "delete" ];
}
];
instances = {
local = {
onCalendar = "minutely";
settings = {
volume = {
"/mnt" = {
snapshot_dir = "btrbk/local";
subvolume = "to_backup";
};
};
};
};
};
};
};
};
testScript = ''
start_all()
# create btrfs partition at /mnt
for machine in (archive, main):
machine.succeed("dd if=/dev/zero of=/data_fs bs=120M count=1")
machine.succeed("mkfs.btrfs /data_fs")
machine.succeed("mkdir /mnt")
machine.succeed("mount /data_fs /mnt")
# what to backup and where
main.succeed("btrfs subvolume create /mnt/to_backup")
main.succeed("mkdir -p /mnt/btrbk/{local,remote}")
# check that local snapshots work
with subtest("local"):
main.succeed("echo foo > /mnt/to_backup/bar")
main.wait_until_succeeds("cat /mnt/btrbk/local/*/bar | grep foo")
main.succeed("echo bar > /mnt/to_backup/bar")
main.succeed("cat /mnt/btrbk/local/*/bar | grep foo")
# check that btrfs send/receive works and ssh access works
with subtest("remote"):
archive.wait_until_succeeds("cat /mnt/*/bar | grep bar")
main.succeed("echo baz > /mnt/to_backup/bar")
archive.succeed("cat /mnt/*/bar | grep bar")
'';
})

View file

@ -0,0 +1,73 @@
import ./make-test-python.nix ({ pkgs, ... }:
let
robotsTxt = pkgs.writeText "cgit-robots.txt" ''
User-agent: *
Disallow: /
'';
in {
name = "cgit";
meta = with pkgs.lib.maintainers; {
maintainers = [ schnusch ];
};
nodes = {
server = { ... }: {
services.cgit."localhost" = {
enable = true;
package = pkgs.cgit.overrideAttrs ({ postInstall, ... }: {
postInstall = ''
${postInstall}
cp ${robotsTxt} "$out/cgit/robots.txt"
'';
});
nginx.location = "/(c)git/";
repos = {
some-repo = {
path = "/srv/git/some-repo";
desc = "some-repo description";
};
};
};
environment.systemPackages = [ pkgs.git ];
};
};
testScript = { nodes, ... }: ''
start_all()
server.wait_for_unit("nginx.service")
server.wait_for_unit("network.target")
server.wait_for_open_port(80)
server.succeed("curl -fsS http://localhost/%28c%29git/cgit.css")
server.succeed("curl -fsS http://localhost/%28c%29git/robots.txt | diff -u - ${robotsTxt}")
server.succeed(
"curl -fsS http://localhost/%28c%29git/ | grep -F 'some-repo description'"
)
server.fail("curl -fsS http://localhost/robots.txt")
server.succeed("${pkgs.writeShellScript "setup-cgit-test-repo" ''
set -e
git init --bare -b master /srv/git/some-repo
git init -b master reference
cd reference
git remote add origin /srv/git/some-repo
date > date.txt
git add date.txt
git -c user.name=test -c user.email=test@localhost commit -m 'add date'
git push -u origin master
''}")
server.succeed(
"curl -fsS 'http://localhost/%28c%29git/some-repo/plain/date.txt?id=master' | diff -u reference/date.txt -"
)
server.succeed(
"git clone http://localhost/%28c%29git/some-repo && diff -u reference/date.txt some-repo/date.txt"
)
'';
})

View file

@ -0,0 +1,24 @@
import ./make-test-python.nix ({ pkgs, ... }: {
name = "coder";
meta = with pkgs.lib.maintainers; {
maintainers = [ shyim ghuntley ];
};
nodes.machine =
{ pkgs, ... }:
{
services.coder = {
enable = true;
accessUrl = "http://localhost:3000";
};
};
testScript = ''
machine.start()
machine.wait_for_unit("postgresql.service")
machine.wait_for_unit("coder.service")
machine.wait_for_open_port(3000)
machine.succeed("curl --fail http://localhost:3000")
'';
})

View file

@ -1,6 +1,52 @@
# this test creates a simple GNU image with docker tools and sees if it executes
import ./make-test-python.nix ({ pkgs, ... }: {
import ./make-test-python.nix ({ pkgs, ... }:
let
# nixpkgs#214434: dockerTools.buildImage fails to unpack base images
# containing duplicate layers when those duplicate tarballs
# appear under the manifest's 'Layers'. Docker can generate images
# like this even though dockerTools does not.
repeatedLayerTestImage =
let
# Rootfs diffs for layers 1 and 2 are identical (and empty)
layer1 = pkgs.dockerTools.buildImage { name = "empty"; };
layer2 = layer1.overrideAttrs (_: { fromImage = layer1; });
repeatedRootfsDiffs = pkgs.runCommandNoCC "image-with-links.tar" {
nativeBuildInputs = [pkgs.jq];
} ''
mkdir contents
tar -xf "${layer2}" -C contents
cd contents
first_rootfs=$(jq -r '.[0].Layers[0]' manifest.json)
second_rootfs=$(jq -r '.[0].Layers[1]' manifest.json)
target_rootfs=$(sha256sum "$first_rootfs" | cut -d' ' -f 1).tar
# Replace duplicated rootfs diffs with symlinks to one tarball
chmod -R ug+w .
mv "$first_rootfs" "$target_rootfs"
rm "$second_rootfs"
ln -s "../$target_rootfs" "$first_rootfs"
ln -s "../$target_rootfs" "$second_rootfs"
# Update manifest's layers to use the symlinks' target
cat manifest.json | \
jq ".[0].Layers[0] = \"$target_rootfs\"" |
jq ".[0].Layers[1] = \"$target_rootfs\"" > manifest.json.new
mv manifest.json.new manifest.json
tar --sort=name --hard-dereference -cf $out .
'';
in pkgs.dockerTools.buildImage {
fromImage = repeatedRootfsDiffs;
name = "repeated-layer-test";
tag = "latest";
copyToRoot = pkgs.bash;
# A runAsRoot script is required to force previous layers to be unpacked
runAsRoot = ''
echo 'runAsRoot has run.'
'';
};
in {
name = "docker-tools";
meta = with pkgs.lib.maintainers; {
maintainers = [ lnl7 roberth ];
@ -221,6 +267,12 @@ import ./make-test-python.nix ({ pkgs, ... }: {
"docker run --rm ${examples.layersUnpackOrder.imageName} cat /layer-order"
)
with subtest("Ensure repeated base layers handled by buildImage"):
docker.succeed(
"docker load --input='${repeatedLayerTestImage}'",
"docker run --rm ${repeatedLayerTestImage.imageName} /bin/bash -c 'exit 0'"
)
with subtest("Ensure environment variables are correctly inherited"):
docker.succeed(
"docker load --input='${examples.environmentVariables}'"

View file

@ -1,3 +1,9 @@
{ system ? builtins.currentSystem
, config ? {}
, pkgs ? import ../.. { inherit system config; }
, systemdStage1 ? false
}:
import ./make-test-python.nix {
name = "fsck";
@ -11,13 +17,17 @@ import ./make-test-python.nix {
autoFormat = true;
};
};
boot.initrd.systemd.enable = systemdStage1;
};
testScript = ''
machine.wait_for_unit("default.target")
with subtest("root fs is fsckd"):
machine.succeed("journalctl -b | grep 'fsck.ext4.*/dev/vda'")
machine.succeed("journalctl -b | grep '${if systemdStage1
then "fsck.*vda.*clean"
else "fsck.ext4.*/dev/vda"}'")
with subtest("mnt fs is fsckd"):
machine.succeed("journalctl -b | grep 'fsck.*/dev/vdb.*clean'")

View file

@ -49,5 +49,5 @@ in
})
{}
[
"0_8_0"
"0_8"
]

View file

@ -0,0 +1,51 @@
{ system ? builtins.currentSystem, config ? { }
, pkgs ? import ../.. { inherit system config; } }:
with import ../lib/testing-python.nix { inherit system pkgs; };
with pkgs.lib;
let common_meta = { maintainers = [ maintainers.viraptor ]; };
in
{
gemstash_works = makeTest {
name = "gemstash-works";
meta = common_meta;
nodes.machine = { config, pkgs, ... }: {
services.gemstash = {
enable = true;
};
};
# gemstash responds to http requests
testScript = ''
machine.wait_for_unit("gemstash.service")
machine.wait_for_file("/var/lib/gemstash")
machine.wait_for_open_port(9292)
machine.succeed("curl http://localhost:9292")
'';
};
gemstash_custom_port = makeTest {
name = "gemstash-custom-port";
meta = common_meta;
nodes.machine = { config, pkgs, ... }: {
services.gemstash = {
enable = true;
openFirewall = true;
settings = {
bind = "tcp://0.0.0.0:12345";
};
};
};
# gemstash responds to http requests
testScript = ''
machine.wait_for_unit("gemstash.service")
machine.wait_for_file("/var/lib/gemstash")
machine.wait_for_open_port(12345)
machine.succeed("curl http://localhost:12345")
'';
};
}

View file

@ -69,6 +69,10 @@ in {
databasePasswordFile = pkgs.writeText "dbPassword" "xo0daiF4";
initialRootPasswordFile = pkgs.writeText "rootPassword" initialRootPassword;
smtp.enable = true;
pages = {
enable = true;
settings.pages-domain = "localhost";
};
extraConfig = {
incoming_email = {
enabled = true;
@ -79,11 +83,6 @@ in {
host = "localhost";
port = 143;
};
# https://github.com/NixOS/nixpkgs/issues/132295
# pages = {
# enabled = true;
# host = "localhost";
# };
};
secrets = {
secretFile = pkgs.writeText "secret" "Aig5zaic";
@ -171,10 +170,9 @@ in {
waitForServices = ''
gitlab.wait_for_unit("gitaly.service")
gitlab.wait_for_unit("gitlab-workhorse.service")
# https://github.com/NixOS/nixpkgs/issues/132295
# gitlab.wait_for_unit("gitlab-pages.service")
gitlab.wait_for_unit("gitlab-mailroom.service")
gitlab.wait_for_unit("gitlab.service")
gitlab.wait_for_unit("gitlab-pages.service")
gitlab.wait_for_unit("gitlab-sidekiq.service")
gitlab.wait_for_file("${nodes.gitlab.config.services.gitlab.statePath}/tmp/sockets/gitlab.socket")
gitlab.wait_until_succeeds("curl -sSf http://gitlab/users/sign_in")

View file

@ -53,6 +53,24 @@ with pkgs.lib;
};
};
};
thrift = { ... }:{
services.hadoop = {
inherit coreSite;
hbase = {
inherit zookeeperQuorum;
thrift = defOpts;
};
};
};
rest = { ... }:{
services.hadoop = {
inherit coreSite;
hbase = {
inherit zookeeperQuorum;
rest = defOpts;
};
};
};
};
testScript = ''
@ -80,5 +98,12 @@ with pkgs.lib;
assert "1 active master, 0 backup masters, 1 servers" in master.succeed("echo status | HADOOP_USER_NAME=hbase hbase shell -n")
regionserver.wait_until_succeeds("echo \"create 't1','f1'\" | HADOOP_USER_NAME=hbase hbase shell -n")
assert "NAME => 'f1'" in regionserver.succeed("echo \"describe 't1'\" | HADOOP_USER_NAME=hbase hbase shell -n")
rest.wait_for_open_port(8080)
assert "${hbase.version}" in regionserver.succeed("curl http://rest:8080/version/cluster")
thrift.wait_for_open_port(9090)
'';
meta.maintainers = with maintainers; [ illustris ];
})

View file

@ -0,0 +1,58 @@
{ system ? builtins.currentSystem
, config ? {}
, pkgs ? import ../.. { inherit system config; }
, lib ? pkgs.lib
, testing ? import ../lib/testing-python.nix { inherit system pkgs; }
}:
let
secret1InStore = pkgs.writeText "topsecret" "iamasecret1";
secret2InStore = pkgs.writeText "topsecret" "iamasecret2";
in
testing.makeTest {
name = "initrd-secrets-changing";
nodes.machine = { ... }: {
virtualisation.useBootLoader = true;
virtualisation.persistBootDevice = true;
boot.loader.grub.device = "/dev/vda";
boot.initrd.secrets = {
"/test" = secret1InStore;
"/run/keys/test" = secret1InStore;
};
boot.initrd.postMountCommands = "cp /test /mnt-root/secret-from-initramfs";
specialisation.secrets2System.configuration = {
boot.initrd.secrets = lib.mkForce {
"/test" = secret2InStore;
"/run/keys/test" = secret2InStore;
};
};
};
testScript = ''
start_all()
machine.wait_for_unit("multi-user.target")
print(machine.succeed("cat /run/keys/test"))
machine.succeed(
"cmp ${secret1InStore} /secret-from-initramfs",
"cmp ${secret1InStore} /run/keys/test",
)
# Select the second boot entry corresponding to the specialisation secrets2System.
machine.succeed("grub-reboot 1")
machine.shutdown()
with subtest("Check that the specialisation's secrets are distinct despite identical kernels"):
machine.wait_for_unit("multi-user.target")
print(machine.succeed("cat /run/keys/test"))
machine.succeed(
"cmp ${secret2InStore} /secret-from-initramfs",
"cmp ${secret2InStore} /run/keys/test",
)
machine.shutdown()
'';
}

View file

@ -77,9 +77,9 @@ let
let iface = if grubVersion == 1 then "ide" else "virtio";
isEfi = bootLoader == "systemd-boot" || (bootLoader == "grub" && grubUseEfi);
bios = if pkgs.stdenv.isAarch64 then "QEMU_EFI.fd" else "OVMF.fd";
in if !isEfi && !pkgs.stdenv.hostPlatform.isx86 then
throw "Non-EFI boot methods are only supported on i686 / x86_64"
else ''
in if !isEfi && !pkgs.stdenv.hostPlatform.isx86 then ''
machine.succeed("true")
'' else ''
def assemble_qemu_flags():
flags = "-cpu max"
${if (system == "x86_64-linux" || system == "i686-linux")

View file

@ -1,3 +1,10 @@
# This test verifies DHCPv4 interaction between a client and a router.
# For successful DHCP allocations a dynamic update request is sent
# towards a nameserver to allocate a name in the lan.nixos.test zone.
# We then verify whether client and router can ping each other, and
# that the nameserver can resolve the clients fqdn to the correct IP
# address.
import ./make-test-python.nix ({ pkgs, lib, ...}: {
meta.maintainers = with lib.maintainers; [ hexa ];
@ -8,17 +15,17 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
virtualisation.vlans = [ 1 ];
networking = {
useNetworkd = true;
useDHCP = false;
firewall.allowedUDPPorts = [ 67 ];
};
systemd.network = {
enable = true;
networks = {
"01-eth1" = {
name = "eth1";
networkConfig = {
Address = "10.0.0.1/30";
Address = "10.0.0.1/29";
};
};
};
@ -45,13 +52,115 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
};
subnet4 = [ {
subnet = "10.0.0.0/30";
subnet = "10.0.0.0/29";
pools = [ {
pool = "10.0.0.2 - 10.0.0.2";
pool = "10.0.0.3 - 10.0.0.3";
} ];
} ];
# Enable communication between dhcp4 and a local dhcp-ddns
# instance.
# https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html#ddns-for-dhcpv4
dhcp-ddns = {
enable-updates = true;
};
ddns-send-updates = true;
ddns-qualifying-suffix = "lan.nixos.test.";
};
};
services.kea.dhcp-ddns = {
enable = true;
settings = {
forward-ddns = {
# Configure updates of a forward zone named `lan.nixos.test`
# hosted at the nameserver at 10.0.0.2
# https://kea.readthedocs.io/en/kea-2.2.0/arm/ddns.html#adding-forward-dns-servers
ddns-domains = [ {
name = "lan.nixos.test.";
# Use a TSIG key in production!
key-name = "";
dns-servers = [ {
ip-address = "10.0.0.2";
port = 53;
} ];
} ];
};
};
};
};
nameserver = { config, pkgs, ... }: {
virtualisation.vlans = [ 1 ];
networking = {
useDHCP = false;
firewall.allowedUDPPorts = [ 53 ];
};
systemd.network = {
enable = true;
networks = {
"01-eth1" = {
name = "eth1";
networkConfig = {
Address = "10.0.0.2/29";
};
};
};
};
services.resolved.enable = false;
# Set up an authoritative nameserver, serving the `lan.nixos.test`
# zone and configure an ACL that allows dynamic updates from
# the router's ip address.
# This ACL is likely insufficient for production usage. Please
# use TSIG keys.
services.knot = let
zone = pkgs.writeTextDir "lan.nixos.test.zone" ''
@ SOA ns.nixos.test nox.nixos.test 0 86400 7200 3600000 172800
@ NS nameserver
nameserver A 10.0.0.3
router A 10.0.0.1
'';
zonesDir = pkgs.buildEnv {
name = "knot-zones";
paths = [ zone ];
};
in {
enable = true;
extraArgs = [
"-v"
];
extraConfig = ''
server:
listen: 0.0.0.0@53
log:
- target: syslog
any: debug
acl:
- id: dhcp_ddns
address: 10.0.0.1
action: update
template:
- id: default
storage: ${zonesDir}
zonefile-sync: -1
zonefile-load: difference-no-serial
journal-content: all
zone:
- domain: lan.nixos.test
file: lan.nixos.test.zone
acl: [dhcp_ddns]
'';
};
};
client = { config, pkgs, ... }: {
@ -70,6 +179,7 @@ import ./make-test-python.nix ({ pkgs, lib, ...}: {
router.wait_for_unit("kea-dhcp4-server.service")
client.wait_for_unit("systemd-networkd-wait-online.service")
client.wait_until_succeeds("ping -c 5 10.0.0.1")
router.wait_until_succeeds("ping -c 5 10.0.0.2")
router.wait_until_succeeds("ping -c 5 10.0.0.3")
nameserver.wait_until_succeeds("kdig +short client.lan.nixos.test @10.0.0.2 | grep -q 10.0.0.3")
'';
})

View file

@ -31,7 +31,7 @@ let
# DO NOT USE pkgs.writeText IN PRODUCTION. This put secrets in the nix store!
tsigFile = pkgs.writeText "tsig.conf" ''
key:
- id: slave_key
- id: xfr_key
algorithm: hmac-sha256
secret: zOYgOgnzx3TGe5J5I/0kxd7gTcxXhLYMEq3Ek3fY37s=
'';
@ -43,7 +43,7 @@ in {
nodes = {
master = { lib, ... }: {
primary = { lib, ... }: {
imports = [ common ];
# trigger sched_setaffinity syscall
@ -64,22 +64,17 @@ in {
server:
listen: 0.0.0.0@53
listen: ::@53
acl:
- id: slave_acl
address: 192.168.0.2
key: slave_key
action: transfer
automatic-acl: true
remote:
- id: slave
- id: secondary
address: 192.168.0.2@53
key: xfr_key
template:
- id: default
storage: ${knotZonesEnv}
notify: [slave]
acl: [slave_acl]
notify: [secondary]
dnssec-signing: on
# Input-only zone files
# https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
@ -105,7 +100,7 @@ in {
'';
};
slave = { lib, ... }: {
secondary = { lib, ... }: {
imports = [ common ];
networking.interfaces.eth1 = {
ipv4.addresses = lib.mkForce [
@ -122,21 +117,16 @@ in {
server:
listen: 0.0.0.0@53
listen: ::@53
acl:
- id: notify_from_master
address: 192.168.0.1
action: notify
automatic-acl: true
remote:
- id: master
- id: primary
address: 192.168.0.1@53
key: slave_key
key: xfr_key
template:
- id: default
master: master
acl: [notify_from_master]
master: primary
# zonefileless setup
# https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2
zonefile-sync: -1
@ -174,19 +164,19 @@ in {
};
testScript = { nodes, ... }: let
master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address;
master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address;
primary4 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv4.addresses).address;
primary6 = (lib.head nodes.primary.config.networking.interfaces.eth1.ipv6.addresses).address;
slave4 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv4.addresses).address;
slave6 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv6.addresses).address;
secondary4 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv4.addresses).address;
secondary6 = (lib.head nodes.secondary.config.networking.interfaces.eth1.ipv6.addresses).address;
in ''
import re
start_all()
client.wait_for_unit("network.target")
master.wait_for_unit("knot.service")
slave.wait_for_unit("knot.service")
primary.wait_for_unit("knot.service")
secondary.wait_for_unit("knot.service")
def test(host, query_type, query, pattern):
@ -195,7 +185,7 @@ in {
assert re.search(pattern, out), f'Did not match "{pattern}"'
for host in ("${master4}", "${master6}", "${slave4}", "${slave6}"):
for host in ("${primary4}", "${primary6}", "${secondary4}", "${secondary6}"):
with subtest(f"Interrogate {host}"):
test(host, "SOA", "example.com", r"start of authority.*noc\.example\.com\.")
test(host, "A", "example.com", r"has no [^ ]+ record")
@ -211,6 +201,6 @@ in {
test(host, "RRSIG", "www.example.com", r"RR set signature is")
test(host, "DNSKEY", "example.com", r"DNSSEC key is")
master.log(master.succeed("systemd-analyze security knot.service | grep -v ''"))
primary.log(primary.succeed("systemd-analyze security knot.service | grep -v ''"))
'';
})

View file

@ -107,7 +107,10 @@ import ../make-test-python.nix (
client = { pkgs, ... }: {
environment.systemPackages = [
(pkgs.writers.writePython3Bin "create_management_room_and_invite_mjolnir"
{ libraries = [ pkgs.python3Packages.matrix-nio ]; } ''
{ libraries = with pkgs.python3Packages; [
matrix-nio
] ++ matrix-nio.optional-dependencies.e2e;
} ''
import asyncio
from nio import (

View file

@ -30,12 +30,10 @@ let
virtualisation.additionalPaths = [
pkgs.hello
pkgs.figlet
# This includes build dependencies all the way down. Not efficient,
# but we do need build deps to an *arbitrary* depth, which is hard to
# determine.
(allDrvOutputs nodes.server.config.system.build.toplevel)
];
# TODO: make this efficient, https://github.com/NixOS/nixpkgs/issues/180529
system.includeBuildDependencies = true;
};
server = { lib, ... }: {
imports = [ ./legacy/base-configuration.nix ];

View file

@ -118,7 +118,7 @@ in {
};
};
testScript = { nodes, ... }: let
specializations = "${nodes.machine.config.system.build.toplevel}/specialisation";
specializations = "${nodes.machine.system.build.toplevel}/specialisation";
changeRootPw = ''
dn: olcDatabase={1}mdb,cn=config
changetype: modify

View file

@ -0,0 +1,18 @@
import ./make-test-python.nix ({ lib, ... }:
with lib;
{
name = "readarr";
meta.maintainers = with maintainers; [ jocelynthode ];
nodes.machine =
{ pkgs, ... }:
{ services.readarr.enable = true; };
testScript = ''
machine.wait_for_unit("readarr.service")
machine.wait_for_open_port(8787)
machine.succeed("curl --fail http://localhost:8787/")
'';
})

View file

@ -0,0 +1,93 @@
# mostly copied from ./postgresql.nix as it seemed unapproriate to
# test additional extensions for postgresql there.
{ system ? builtins.currentSystem
, config ? { }
, pkgs ? import ../.. { inherit system config; }
}:
with import ../lib/testing-python.nix { inherit system pkgs; };
with pkgs.lib;
let
postgresql-versions = import ../../pkgs/servers/sql/postgresql pkgs;
test-sql = pkgs.writeText "postgresql-test" ''
CREATE EXTENSION timescaledb;
CREATE EXTENSION timescaledb_toolkit;
CREATE TABLE sth (
time TIMESTAMPTZ NOT NULL,
value DOUBLE PRECISION
);
SELECT create_hypertable('sth', 'time');
INSERT INTO sth (time, value) VALUES
('2003-04-12 04:05:06 America/New_York', 1.0),
('2003-04-12 04:05:07 America/New_York', 2.0),
('2003-04-12 04:05:08 America/New_York', 3.0),
('2003-04-12 04:05:09 America/New_York', 4.0),
('2003-04-12 04:05:10 America/New_York', 5.0)
;
WITH t AS (
SELECT
time_bucket('1 day'::interval, time) AS dt,
stats_agg(value) AS stats
FROM sth
GROUP BY time_bucket('1 day'::interval, time)
)
SELECT
average(stats)
FROM t;
'';
make-postgresql-test = postgresql-name: postgresql-package: makeTest {
name = postgresql-name;
meta = with pkgs.lib.maintainers; {
maintainers = [ typetetris ];
};
nodes.machine = { ... }:
{
services.postgresql = {
enable = true;
package = postgresql-package;
extraPlugins = with postgresql-package.pkgs; [
timescaledb
timescaledb_toolkit
];
settings = { shared_preload_libraries = "timescaledb, timescaledb_toolkit"; };
};
};
testScript = ''
def check_count(statement, lines):
return 'test $(sudo -u postgres psql postgres -tAc "{}"|wc -l) -eq {}'.format(
statement, lines
)
machine.start()
machine.wait_for_unit("postgresql")
with subtest("Postgresql with extensions timescaledb and timescaledb_toolkit is available just after unit start"):
machine.succeed(
"sudo -u postgres psql -f ${test-sql}"
)
machine.fail(check_count("SELECT * FROM sth;", 3))
machine.succeed(check_count("SELECT * FROM sth;", 5))
machine.fail(check_count("SELECT * FROM sth;", 4))
machine.shutdown()
'';
};
applicablePostgresqlVersions = filterAttrs (_: value: versionAtLeast value.version "12") postgresql-versions;
in
mapAttrs'
(name: package: {
inherit name;
value = make-postgresql-test name package;
})
applicablePostgresqlVersions

View file

@ -24,11 +24,11 @@
stdenv.mkDerivation rec {
pname = "bitwig-studio";
version = "4.4.6";
version = "4.4.8";
src = fetchurl {
url = "https://downloads.bitwig.com/stable/${version}/${pname}-${version}.deb";
sha256 = "sha256-VcK74JrVH81sgNeh1FDvCO1jtgkVeLpx5IqlXuzH27A=";
sha256 = "sha256-qdqRvCmp6Q7lcTdOIEHeQKAAOLtJxs867gapopyeHuc=";
};
nativeBuildInputs = [ dpkg makeWrapper wrapGAppsHook ];

View file

@ -31,13 +31,13 @@ python3Packages.buildPythonApplication rec {
pkg-config
wrapGAppsHook4
desktop-file-utils
gobject-introspection
];
buildInputs = [
glib
gtk4
libadwaita
gobject-introspection
gst_all_1.gstreamer
gst_all_1.gst-plugins-base
gst_all_1.gst-plugins-good
@ -48,9 +48,6 @@ python3Packages.buildPythonApplication rec {
pygobject3
];
# Broken with gobject-introspection setup hook
# https://github.com/NixOS/nixpkgs/issues/56943
strictDeps = false;
format = "other";
postPatch = ''

View file

@ -1,25 +1,38 @@
{ lib, stdenv, fetchFromGitHub, alsa-lib, file, fluidsynth, jack2,
liblo, libpulseaudio, libsndfile, pkg-config, python3Packages,
which, withFrontend ? true,
withQt ? true, qtbase ? null, wrapQtAppsHook ? null,
withGtk2 ? true, gtk2 ? null,
withGtk3 ? true, gtk3 ? null }:
{ lib
, stdenv
, fetchFromGitHub
, alsa-lib
, file
, fluidsynth
, jack2
, liblo
, libpulseaudio
, libsndfile
, pkg-config
, python3Packages
, which
, gtk2 ? null
, gtk3 ? null
, qtbase ? null
, withFrontend ? true
, withGtk2 ? true
, withGtk3 ? true
, withQt ? true
, wrapQtAppsHook ? null
}:
assert withFrontend -> python3Packages ? pyqt5;
assert withQt -> qtbase != null;
assert withQt -> wrapQtAppsHook != null;
assert withGtk2 -> gtk2 != null;
assert withGtk3 -> gtk3 != null;
stdenv.mkDerivation rec {
pname = "carla";
version = "2.5.1";
version = "2.5.3";
src = fetchFromGitHub {
owner = "falkTX";
repo = pname;
rev = "v${version}";
sha256 = "sha256-SN+9Q5v0bv+kQcYLBJmSCd9WIGSeQuOZze8LVwF20EA=";
hash = "sha256-J0C3GLdlLMkm3LHl6l3OI2rA73A6z5MMcNJ1I1T0pbI=";
};
nativeBuildInputs = [
@ -60,7 +73,6 @@ stdenv.mkDerivation rec {
patchPythonScript "$f"
done
patchPythonScript "$out/share/carla/carla_settings.py"
patchPythonScript "$out/share/carla/carla_database.py"
for program in $out/bin/*; do
wrapQtApp "$program" \

View file

@ -24,11 +24,6 @@ python3Packages.buildPythonApplication rec {
pname = "cozy";
version = "1.2.1";
# Temporary fix
# See https://github.com/NixOS/nixpkgs/issues/57029
# and https://github.com/NixOS/nixpkgs/issues/56943
strictDeps = false;
src = fetchFromGitHub {
owner = "geigi";
repo = pname;

View file

@ -37,13 +37,13 @@
stdenv.mkDerivation rec {
pname = "easyeffects";
version = "7.0.0";
version = "7.0.1";
src = fetchFromGitHub {
owner = "wwmm";
repo = "easyeffects";
rev = "v${version}";
sha256 = "sha256-SjhJj5kClPd8DT1vzbSdqJ9AJw0XiX9Q8/R8SDnxGPQ=";
sha256 = "sha256-PI29TJSYa/dARlSHe4mO4ejV+muhGFhwVvhA10jziTA=";
};
nativeBuildInputs = [
@ -107,6 +107,5 @@ stdenv.mkDerivation rec {
license = licenses.gpl3Plus;
maintainers = with maintainers; [ jtojnar ];
platforms = platforms.linux;
badPlatforms = [ "aarch64-linux" ];
};
}

View file

@ -10,13 +10,13 @@
# gcc only supports objc on darwin
buildGoModule.override { stdenv = clangStdenv; } rec {
pname = "go-musicfox";
version = "3.7.2";
version = "3.7.3";
src = fetchFromGitHub {
owner = "anhoder";
repo = pname;
rev = "v${version}";
hash = "sha256-Wc9HFvBSLQA7jT+LJj+tyHzRbszhR2XD1/3C+SdrAGA=";
hash = "sha256-aM7IJGRRY2V2Rovj042ctg5254EUw1bTuoRCp9Za1FY=";
};
deleteVendor = true;
@ -45,6 +45,6 @@ buildGoModule.override { stdenv = clangStdenv; } rec {
homepage = "https://github.com/anhoder/go-musicfox";
license = licenses.mit;
mainProgram = "musicfox";
maintainers = with maintainers; [ zendo ];
maintainers = with maintainers; [ zendo Ruixi-rebirth ];
};
}

View file

@ -27,17 +27,12 @@ python3Packages.buildPythonApplication rec {
intltool
wrapGAppsHook
glibcLocales
gobject-introspection
];
# as of 2021-07, the gobject-introspection setup hook does not
# work with `strictDeps` enabled, thus for proper `wrapGAppsHook`
# it needs to be disabled explicitly. https://github.com/NixOS/nixpkgs/issues/56943
strictDeps = false;
buildInputs = [
python3
gtk3
gobject-introspection
gnome.adwaita-icon-theme
];

View file

@ -5,25 +5,26 @@
, stdenv
, openssl
, libiconv
, sqlite
, Security }:
rustPlatform.buildRustPackage rec {
pname = "listenbrainz-mpd";
version = "2.0.2";
version = "2.1.0";
src = fetchFromGitea {
domain = "codeberg.org";
owner = "elomatreb";
repo = "listenbrainz-mpd";
rev = "v${version}";
hash = "sha256-DO7YUqaJZyVWjiAZ9WIVNTTvOU0qdsI2ct7aT/6O5dQ=";
hash = "sha256-AalZTlizaw93KlVffFDjGNoKkCHUFQTiElZgJo64shs=";
};
cargoHash = "sha256-MiAalxe0drRHrST3maVvi8GM2y3d0z4Zl7R7Zx8VjEM=";
cargoHash = "sha256-n24P56ZrF8qEpM45uIFr7bJhlzuAexNr6siEsF219uA=";
nativeBuildInputs = [ pkg-config ];
buildInputs = if stdenv.isDarwin then [ libiconv Security ] else [ openssl ];
buildInputs = [ sqlite ] ++ (if stdenv.isDarwin then [ libiconv Security ] else [ openssl ]);
meta = with lib; {
homepage = "https://codeberg.org/elomatreb/listenbrainz-mpd";

View file

@ -52,13 +52,13 @@
mkDerivation rec {
pname = "mixxx";
version = "2.3.3";
version = "2.3.4";
src = fetchFromGitHub {
owner = "mixxxdj";
repo = "mixxx";
rev = version;
sha256 = "sha256-NRtrEobdJMFgDXrEeb2t1zeVN8pQP7+pda2DSU/yNX8=";
sha256 = "sha256-1hOMU/Mdk1vT0GQipn/WX2fm9ddN0mPIq7kf2i2w3xQ=";
};
nativeBuildInputs = [ cmake pkg-config ];
@ -116,7 +116,7 @@ mkDerivation rec {
# mixxx installs udev rules to DATADIR instead of SYSCONFDIR
# let's disable this and install udev rules manually via postInstall
# see https://github.com/mixxxdj/mixxx/blob/2.3.3/CMakeLists.txt#L1381-L1392
# see https://github.com/mixxxdj/mixxx/blob/2.3.4/CMakeLists.txt#L1381-L1392
cmakeFlags = [
"-DINSTALL_USER_UDEV_RULES=OFF"
];

View file

@ -70,9 +70,9 @@ stdenv.mkDerivation rec {
Cocoa SystemConfiguration
] ++ lib.optionals coreaudioSupport [
CoreAudio
] ++ lib.optional sndioSupport [
] ++ lib.optionals sndioSupport [
sndio
] ++ lib.optional pipewireSupport [
] ++ lib.optionals pipewireSupport [
pipewire
];
@ -80,7 +80,7 @@ stdenv.mkDerivation rec {
"-DDISABLE_STRIP=true"
];
postFixup = lib.optionals stdenv.isDarwin ''
postFixup = lib.optionalString stdenv.isDarwin ''
install_name_tool -add_rpath $out/share/${pname} $out/share/${pname}/${pname}
install_name_tool -add_rpath $out/share/${pname} $out/share/${pname}/${pname}d
'';

View file

@ -16,13 +16,13 @@
stdenv.mkDerivation rec {
pname = "mympd";
version = "10.2.4";
version = "10.2.5";
src = fetchFromGitHub {
owner = "jcorporation";
repo = "myMPD";
rev = "v${version}";
sha256 = "sha256-12hCIAwrLQkwiU9t9nNPBdIiHfMidfErSWOA0FPfhBQ=";
sha256 = "sha256-ZxGMvbm9GKhhfCNZdeIYUh2FF4c3vXtvRdu24u3Zrtg=";
};
nativeBuildInputs = [

View file

@ -7,16 +7,16 @@
rustPlatform.buildRustPackage rec {
pname = "ncspot";
version = "0.12.0";
version = "0.13.0";
src = fetchFromGitHub {
owner = "hrkfdn";
repo = "ncspot";
rev = "v${version}";
sha256 = "sha256-kqGYBaXmGeGuGJ5fcc4OQzHISU8fVuQNGwiD8nyPa/0=";
hash = "sha256-YWA8chp33SkMdo+XT/7qikIkgwt8pozC9wMFpY8Dv8Q=";
};
cargoSha256 = "sha256-gVXH2pFtyMfYkCqda9NrqOgczvmxiWHe0zArJfnnrgE=";
cargoHash = "sha256-DB3r6pPtustEQG8QXM6qT1hkd7msC//46bhVP/HMxnY=";
nativeBuildInputs = [ pkg-config ];

View file

@ -3,13 +3,13 @@
stdenv.mkDerivation rec {
pname = "opustags";
version = "1.7.0";
version = "1.8.0";
src = fetchFromGitHub {
owner = "fmang";
repo = "opustags";
rev = version;
sha256 = "sha256-vGMRzw46X3DNRIvlI9XEKoDwiJsVL0v9Nfn8pbszRbw=";
sha256 = "sha256-qxtTJ4Hl2ccL+rhONeoOfV6ZyJaWaVDPMsXYJkXCWkY=";
};
buildInputs = [ libogg ];

Some files were not shown because too many files have changed in this diff Show more