Project import generated by Copybara.

GitOrigin-RevId: 412b9917cea092f3d39f9cd5dead4effd5bc4053
This commit is contained in:
Default email 2022-10-30 16:09:59 +01:00
parent 1d7a00e684
commit 92b3d6365d
1932 changed files with 73673 additions and 27974 deletions


@ -187,6 +187,7 @@
/nixos/modules/services/networking/babeld.nix @mweinelt /nixos/modules/services/networking/babeld.nix @mweinelt
/nixos/modules/services/networking/kea.nix @mweinelt /nixos/modules/services/networking/kea.nix @mweinelt
/nixos/modules/services/networking/knot.nix @mweinelt /nixos/modules/services/networking/knot.nix @mweinelt
/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @mweinelt
/nixos/tests/babeld.nix @mweinelt /nixos/tests/babeld.nix @mweinelt
/nixos/tests/kea.nix @mweinelt /nixos/tests/kea.nix @mweinelt
/nixos/tests/knot.nix @mweinelt /nixos/tests/knot.nix @mweinelt


@ -20,7 +20,7 @@ jobs:
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- uses: cachix/install-nix-action@v18 - uses: cachix/install-nix-action@v18
- uses: cachix/cachix-action@v11 - uses: cachix/cachix-action@v12
with: with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci name: nixpkgs-ci


@ -22,7 +22,7 @@ jobs:
with: with:
# explicitly enable sandbox # explicitly enable sandbox
extra_nix_config: sandbox = true extra_nix_config: sandbox = true
- uses: cachix/cachix-action@v11 - uses: cachix/cachix-action@v12
with: with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci name: nixpkgs-ci


@ -22,7 +22,7 @@ jobs:
with: with:
# explicitly enable sandbox # explicitly enable sandbox
extra_nix_config: sandbox = true extra_nix_config: sandbox = true
- uses: cachix/cachix-action@v11 - uses: cachix/cachix-action@v12
with: with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci name: nixpkgs-ci


@ -22,7 +22,7 @@ jobs:
with: with:
# explicitly enable sandbox # explicitly enable sandbox
extra_nix_config: sandbox = true extra_nix_config: sandbox = true
- uses: cachix/cachix-action@v11 - uses: cachix/cachix-action@v12
with: with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere. # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci name: nixpkgs-ci


@ -1,2 +1,3 @@
Daniel Løvbrøtte Olsen <me@dandellion.xyz> <daniel.olsen99@gmail.com> Daniel Løvbrøtte Olsen <me@dandellion.xyz> <daniel.olsen99@gmail.com>
R. RyanTM <ryantm-bot@ryantm.com>
Sandro <sandro.jaeckel@gmail.com> Sandro <sandro.jaeckel@gmail.com>


@ -0,0 +1,11 @@
--[[
Converts some HTML elements commonly used in Markdown to corresponding DocBook elements.
]]
function RawInline(elem)
if elem.format == 'html' and elem.text == '<kbd>' then
return pandoc.RawInline('docbook', '<keycap>')
elseif elem.format == 'html' and elem.text == '</kbd>' then
return pandoc.RawInline('docbook', '</keycap>')
end
end
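Review bot: The header comment promises conversion of "some HTML elements", but the filter only rewrites the exact strings `<kbd>` and `</kbd>`; a tag carrying attributes (e.g. a class) or different casing matches neither branch and the function falls through to nil, which pandoc treats as "leave the element as is". Say so in the header, e.g. `Only the bare <kbd> and </kbd> tags are handled; any other raw HTML inline is passed through unchanged.` The duplicated `elem.format == 'html'` test could be hoisted into one guard, `if elem.format ~= 'html' then return nil end`, leaving the two branches to compare `elem.text` only.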


@ -302,6 +302,12 @@ Container system, boot system and library changes are some examples of the pull
It is possible for community members that have enough knowledge and experience on a special topic to contribute by merging pull requests. It is possible for community members that have enough knowledge and experience on a special topic to contribute by merging pull requests.
In case the PR is stuck waiting for the original author to apply a trivial
change (a typo, capitalisation change, etc.) and the author allowed the members
to modify the PR, consider applying it yourself. (or commit the existing review
suggestion) You should pay extra attention to make sure the addition doesn't go
against the idea of the original PR and would not be opposed by the author.
<!-- <!--
The following paragraphs about how to deal with unactive contributors is just a proposition and should be modified to what the community agrees to be the right policy. The following paragraphs about how to deal with unactive contributors is just a proposition and should be modified to what the community agrees to be the right policy.


@ -244,12 +244,16 @@ The `master` branch is the main development branch. It should only see non-break
The `staging` branch is a development branch where mass-rebuilds go. Mass rebuilds are commits that cause rebuilds for many packages, like more than 500 (or perhaps, if it's 'light' packages, 1000). It should only see non-breaking mass-rebuild commits. That means it is not to be used for testing, and changes must have been well tested already. If the branch is already in a broken state, please refrain from adding extra new breakages. The `staging` branch is a development branch where mass-rebuilds go. Mass rebuilds are commits that cause rebuilds for many packages, like more than 500 (or perhaps, if it's 'light' packages, 1000). It should only see non-breaking mass-rebuild commits. That means it is not to be used for testing, and changes must have been well tested already. If the branch is already in a broken state, please refrain from adding extra new breakages.
During the process of a releasing a new NixOS version, this branch or the release-critical packages can be restricted to non-breaking changes.
### Staging-next branch {#submitting-changes-staging-next-branch} ### Staging-next branch {#submitting-changes-staging-next-branch}
The `staging-next` branch is for stabilizing mass-rebuilds submitted to the `staging` branch prior to merging them into `master`. Mass-rebuilds must go via the `staging` branch. It must only see non-breaking commits that are fixing issues blocking it from being merged into the `master` branch. The `staging-next` branch is for stabilizing mass-rebuilds submitted to the `staging` branch prior to merging them into `master`. Mass-rebuilds must go via the `staging` branch. It must only see non-breaking commits that are fixing issues blocking it from being merged into the `master` branch.
If the branch is already in a broken state, please refrain from adding extra new breakages. Stabilize it for a few days and then merge into master. If the branch is already in a broken state, please refrain from adding extra new breakages. Stabilize it for a few days and then merge into master.
During the process of a releasing a new NixOS version, this branch or the release-critical packages can be restricted to non-breaking changes.
### Stable release branches {#submitting-changes-stable-release-branches} ### Stable release branches {#submitting-changes-stable-release-branches}
The same staging workflow applies to stable release branches, but the main branch is called `release-*` instead of `master`. The same staging workflow applies to stable release branches, but the main branch is called `release-*` instead of `master`.


@ -22,6 +22,7 @@ with pkgs; stdenv.mkDerivation {
docgen lists 'List manipulation functions' docgen lists 'List manipulation functions'
docgen debug 'Debugging functions' docgen debug 'Debugging functions'
docgen options 'NixOS / nixpkgs option handling' docgen options 'NixOS / nixpkgs option handling'
docgen filesystem 'Filesystem functions'
docgen sources 'Source filtering functions' docgen sources 'Source filtering functions'
''; '';
} }


@ -26,5 +26,7 @@
<xi:include href="./library/generated/options.xml" /> <xi:include href="./library/generated/options.xml" />
<xi:include href="./library/generated/filesystem.xml" />
<xi:include href="./library/generated/sources.xml" /> <xi:include href="./library/generated/sources.xml" />
</section> </section>


@ -200,7 +200,7 @@ luaposix = buildLuarocksPackage {
The `buildLuarocksPackage` delegates most tasks to luarocks: The `buildLuarocksPackage` delegates most tasks to luarocks:
* it adds `luarocks` as an unpacker for `src.rock` files (zip files really). * it adds `luarocks` as an unpacker for `src.rock` files (zip files really).
* configurePhase` writes a temporary luarocks configuration file which location * `configurePhase` writes a temporary luarocks configuration file which location
is exported via the environment variable `LUAROCKS_CONFIG`. is exported via the environment variable `LUAROCKS_CONFIG`.
* the `buildPhase` does nothing. * the `buildPhase` does nothing.
* `installPhase` calls `luarocks make --deps-mode=none --tree $out` to build and * `installPhase` calls `luarocks make --deps-mode=none --tree $out` to build and


@ -45,6 +45,15 @@
}).nixos.manual.x86_64-linux; }).nixos.manual.x86_64-linux;
}; };
# The "legacy" in `legacyPackages` doesn't imply that the packages exposed
# through this attribute are "legacy" packages. Instead, `legacyPackages`
# is used here as a substitute attribute name for `packages`. The problem
# with `packages` is that it makes operations like `nix flake show
# nixpkgs` unusably slow due to the sheer number of packages the Nix CLI
# needs to evaluate. But when the Nix CLI sees a `legacyPackages`
# attribute it displays `omitted` instead of evaluating all packages,
# which keeps `nix flake show` on Nixpkgs reasonably fast, though less
# information rich.
legacyPackages = forAllSystems (system: import ./. { inherit system; }); legacyPackages = forAllSystems (system: import ./. { inherit system; });
nixosModules = { nixosModules = {


@ -103,7 +103,7 @@ let
getName getVersion getName getVersion
nameFromURL enableFeature enableFeatureAs withFeature nameFromURL enableFeature enableFeatureAs withFeature
withFeatureAs fixedWidthString fixedWidthNumber isStorePath withFeatureAs fixedWidthString fixedWidthNumber isStorePath
toInt readPathsFromFile fileContents; toInt toIntBase10 readPathsFromFile fileContents;
inherit (self.stringsWithDeps) textClosureList textClosureMap inherit (self.stringsWithDeps) textClosureList textClosureMap
noDepEntry fullDepEntry packEntry stringAfter; noDepEntry fullDepEntry packEntry stringAfter;
inherit (self.customisation) overrideDerivation makeOverridable inherit (self.customisation) overrideDerivation makeOverridable


@ -157,7 +157,36 @@ rec {
} }
); );
closePropagation = list: (uniqList {inputList = (innerClosePropagation [] list);}); closePropagationSlow = list: (uniqList {inputList = (innerClosePropagation [] list);});
# This is an optimisation of lib.closePropagation which avoids the O(n^2) behavior
# Using a list of derivations, it generates the full closure of the propagatedXXXBuildInputs
# The ordering / sorting / comparison is done based on the `outPath`
# attribute of each derivation.
# On some benchmarks, it performs up to 15 times faster than lib.closePropagation.
# See https://github.com/NixOS/nixpkgs/pull/194391 for details.
closePropagationFast = list:
builtins.map (x: x.val) (builtins.genericClosure {
startSet = builtins.map (x: {
key = x.outPath;
val = x;
}) (builtins.filter (x: x != null) list);
operator = item:
if !builtins.isAttrs item.val then
[ ]
else
builtins.concatMap (x:
if x != null then [{
key = x.outPath;
val = x;
}] else
[ ]) ((item.val.propagatedBuildInputs or [ ])
++ (item.val.propagatedNativeBuildInputs or [ ]));
});
closePropagation = if builtins ? genericClosure
then closePropagationFast
else closePropagationSlow;
# calls a function (f attr value ) for each record item. returns a list # calls a function (f attr value ) for each record item. returns a list
mapAttrsFlatten = f: r: map (attr: f attr r.${attr}) (attrNames r); mapAttrsFlatten = f: r: map (attr: f attr r.${attr}) (attrNames r);
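Review bot: `closePropagationFast` forces `x.outPath` for every non-null element of `list` while building `startSet`, so a string or an attrset without `outPath` is an evaluation error at that point; the later `builtins.isAttrs item.val` guard in `operator` can then never be false, because every `item.val` already survived the `outPath` lookup. If the slow path tolerated such entries, callers now get different behaviour depending on whether `builtins.genericClosure` exists, which the comment above the definition does not mention. Either apply the same `isAttrs` test when building `startSet`, or state the precondition next to the definition, e.g. `# Every non-null element of list must have an outPath (derivation or store-path attrset); anything else is an evaluation error.` The enclosing `rec { … }` starts before this hunk.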


@ -1,9 +1,23 @@
# Functions for copying sources to the Nix store.
{ lib }: { lib }:
{ # haskellPathsInDir : Path -> Map String Path
# A map of all haskell packages defined in the given path, let
# identified by having a cabal file with the same name as the inherit (lib.strings)
# directory itself. hasPrefix
haskellPathsInDir = root: ;
in
{
/*
A map of all haskell packages defined in the given path,
identified by having a cabal file with the same name as the
directory itself.
Type: Path -> Map String Path
*/
haskellPathsInDir =
# The directory within to search
root:
let # Files in the root let # Files in the root
root-files = builtins.attrNames (builtins.readDir root); root-files = builtins.attrNames (builtins.readDir root);
# Files with their full paths # Files with their full paths
@ -17,15 +31,18 @@
builtins.pathExists (value + "/${name}.cabal") builtins.pathExists (value + "/${name}.cabal")
) root-files-with-paths; ) root-files-with-paths;
in builtins.listToAttrs cabal-subdirs; in builtins.listToAttrs cabal-subdirs;
# locateDominatingFile : RegExp /*
# -> Path Find the first directory containing a file matching 'pattern'
# -> Nullable { path : Path; upward from a given 'file'.
# matches : [ MatchResults ]; Returns 'null' if no directories contain a file matching 'pattern'.
# }
# Find the first directory containing a file matching 'pattern' Type: RegExp -> Path -> Nullable { path : Path; matches : [ MatchResults ]; }
# upward from a given 'file'. */
# Returns 'null' if no directories contain a file matching 'pattern'. locateDominatingFile =
locateDominatingFile = pattern: file: # The pattern to search for
pattern:
# The file to start searching upward from
file:
let go = path: let go = path:
let files = builtins.attrNames (builtins.readDir path); let files = builtins.attrNames (builtins.readDir path);
matches = builtins.filter (match: match != null) matches = builtins.filter (match: match != null)
@ -44,10 +61,15 @@
in go (if isDir then file else parent); in go (if isDir then file else parent);
# listFilesRecursive: Path -> [ Path ] /*
# Given a directory, return a flattened list of all files within it recursively.
# Given a directory, return a flattened list of all files within it recursively.
listFilesRecursive = dir: lib.flatten (lib.mapAttrsToList (name: type: Type: Path -> [ Path ]
*/
listFilesRecursive =
# The path to recursively list
dir:
lib.flatten (lib.mapAttrsToList (name: type:
if type == "directory" then if type == "directory" then
lib.filesystem.listFilesRecursive (dir + "/${name}") lib.filesystem.listFilesRecursive (dir + "/${name}")
else else
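Review bot: The header comment that appears to be added as the new first line, `# Functions for copying sources to the Nix store.`, does not describe this module: every function in view (`haskellPathsInDir`, `locateDominatingFile`, `listFilesRecursive`) only reads directories via `builtins.readDir` and `builtins.pathExists`, and the recursive call goes through `lib.filesystem.listFilesRecursive`, so this looks like lib/filesystem.nix with a header copied from the sources module. Replace it with something grounded in the code, e.g. `# Functions for querying the filesystem (directory listing, upward file search).` The added `inherit (lib.strings) hasPrefix` is not used anywhere in the visible hunks; worth confirming it is used further down or dropping it. `listFilesRecursive` continues past the end of the last hunk.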


@ -378,7 +378,7 @@ rec {
attr = let attrFilter = name: value: name != "_module" && value != null; attr = let attrFilter = name: value: name != "_module" && value != null;
in ind: x: libStr.concatStringsSep "\n" (lib.flatten (lib.mapAttrsToList in ind: x: libStr.concatStringsSep "\n" (lib.flatten (lib.mapAttrsToList
(name: value: lib.optional (attrFilter name value) [ (name: value: lib.optionals (attrFilter name value) [
(key "\t${ind}" name) (key "\t${ind}" name)
(expr "\t${ind}" value) (expr "\t${ind}" value)
]) x)); ]) x));


@ -193,7 +193,7 @@ rec {
normalizePath "/a//b///c/" normalizePath "/a//b///c/"
=> "/a/b/c/" => "/a/b/c/"
*/ */
normalizePath = s: (builtins.foldl' (x: y: if y == "/" && hasSuffix "/" x then x else x+y) "" (splitString "" s)); normalizePath = s: (builtins.foldl' (x: y: if y == "/" && hasSuffix "/" x then x else x+y) "" (stringToCharacters s));
/* Depending on the boolean `cond', return either the given string /* Depending on the boolean `cond', return either the given string
or the empty string. Useful to concatenate against a bigger string. or the empty string. Useful to concatenate against a bigger string.
@ -783,24 +783,105 @@ rec {
else else
false; false;
/* Parse a string as an int. /* Parse a string as an int. Does not support parsing of integers with preceding zero due to
ambiguity between zero-padded and octal numbers. See toIntBase10.
Type: string -> int Type: string -> int
Example: Example:
toInt "1337" toInt "1337"
=> 1337 => 1337
toInt "-4" toInt "-4"
=> -4 => -4
toInt " 123 "
=> 123
toInt "00024"
=> error: Ambiguity in interpretation of 00024 between octal and zero padded integer.
toInt "3.14" toInt "3.14"
=> error: floating point JSON numbers are not supported => error: floating point JSON numbers are not supported
*/ */
# Obviously, it is a bit hacky to use fromJSON this way.
toInt = str: toInt = str:
let may_be_int = fromJSON str; in let
if isInt may_be_int # RegEx: Match any leading whitespace, then any digits, and finally match any trailing
then may_be_int # whitespace.
else throw "Could not convert ${str} to int."; strippedInput = match "[[:space:]]*([[:digit:]]+)[[:space:]]*" str;
# RegEx: Match a leading '0' then one or more digits.
isLeadingZero = match "0[[:digit:]]+" (head strippedInput) == [];
# Attempt to parse input
parsedInput = fromJSON (head strippedInput);
generalError = "toInt: Could not convert ${escapeNixString str} to int.";
octalAmbigError = "toInt: Ambiguity in interpretation of ${escapeNixString str}"
+ " between octal and zero padded integer.";
in
# Error on presence of non digit characters.
if strippedInput == null
then throw generalError
# Error on presence of leading zero/octal ambiguity.
else if isLeadingZero
then throw octalAmbigError
# Error if parse function fails.
else if !isInt parsedInput
then throw generalError
# Return result.
else parsedInput;
/* Parse a string as a base 10 int. This supports parsing of zero-padded integers.
Type: string -> int
Example:
toIntBase10 "1337"
=> 1337
toIntBase10 "-4"
=> -4
toIntBase10 " 123 "
=> 123
toIntBase10 "00024"
=> 24
toIntBase10 "3.14"
=> error: floating point JSON numbers are not supported
*/
toIntBase10 = str:
let
# RegEx: Match any leading whitespace, then match any zero padding, capture any remaining
# digits after that, and finally match any trailing whitespace.
strippedInput = match "[[:space:]]*0*([[:digit:]]+)[[:space:]]*" str;
# RegEx: Match at least one '0'.
isZero = match "0+" (head strippedInput) == [];
# Attempt to parse input
parsedInput = fromJSON (head strippedInput);
generalError = "toIntBase10: Could not convert ${escapeNixString str} to int.";
in
# Error on presence of non digit characters.
if strippedInput == null
then throw generalError
# In the special case zero-padded zero (00000), return early.
else if isZero
then 0
# Error if parse function fails.
else if !isInt parsedInput
then throw generalError
# Return result.
else parsedInput;
/* Read a list of paths from `file`, relative to the `rootPath`. /* Read a list of paths from `file`, relative to the `rootPath`.
Lines beginning with `#` are treated as comments and ignored. Lines beginning with `#` are treated as comments and ignored.
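Review bot: Both new implementations reject negative numbers even though their docstrings still show `toInt "-4" => -4` and `toIntBase10 "-4" => -4`: the regexes `[[:space:]]*([[:digit:]]+)[[:space:]]*` and `[[:space:]]*0*([[:digit:]]+)[[:space:]]*` have no place for a leading `-`, so `match` returns null and the generalError is thrown, and the new tests in lib/tests/misc.nix never exercise a signed input. The `"3.14"` examples are stale for the same reason — the regex now rejects the input before `fromJSON` runs, so the error is the `Could not convert` text, not `floating point JSON numbers are not supported`. The capture groups can accept an optional sign and re-attach it before parsing, as below; the `"3.14"` docstring examples should then be updated to the `Could not convert` message. Both definitions are complete within the hunk.
```nix
toInt = str:
  let
    # RegEx: optional leading whitespace, an optional minus sign, one or more digits,
    # then optional trailing whitespace.
    strippedInput = match "[[:space:]]*(-?[[:digit:]]+)[[:space:]]*" str;
    # RegEx: an optional minus sign, a leading '0', then one or more digits.
    isLeadingZero = match "-?0[[:digit:]]+" (head strippedInput) == [];
    # … unchanged: parsedInput, generalError, octalAmbigError and the if-chain …

toIntBase10 = str:
  let
    # RegEx: optional leading whitespace, an optional minus sign (captured), any zero
    # padding, the remaining digits (captured), then optional trailing whitespace.
    strippedInput = match "[[:space:]]*(-?)0*([[:digit:]]+)[[:space:]]*" str;
    # RegEx: the digit group consists only of zeros.
    isZero = match "0+" (builtins.elemAt strippedInput 1) == [];
    # Re-attach the sign before parsing.
    parsedInput = fromJSON (head strippedInput + builtins.elemAt strippedInput 1);
    # … unchanged: generalError and the if-chain …
```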


@ -327,6 +327,77 @@ runTests {
expected = "Hello\\x20World"; expected = "Hello\\x20World";
}; };
testToInt = testAllTrue [
# Naive
(123 == toInt "123")
(0 == toInt "0")
# Whitespace Padding
(123 == toInt " 123")
(123 == toInt "123 ")
(123 == toInt " 123 ")
(123 == toInt " 123 ")
(0 == toInt " 0")
(0 == toInt "0 ")
(0 == toInt " 0 ")
];
testToIntFails = testAllTrue [
( builtins.tryEval (toInt "") == { success = false; value = false; } )
( builtins.tryEval (toInt "123 123") == { success = false; value = false; } )
( builtins.tryEval (toInt "0 123") == { success = false; value = false; } )
( builtins.tryEval (toInt " 0d ") == { success = false; value = false; } )
( builtins.tryEval (toInt " 1d ") == { success = false; value = false; } )
( builtins.tryEval (toInt " d0 ") == { success = false; value = false; } )
( builtins.tryEval (toInt "00") == { success = false; value = false; } )
( builtins.tryEval (toInt "01") == { success = false; value = false; } )
( builtins.tryEval (toInt "002") == { success = false; value = false; } )
( builtins.tryEval (toInt " 002 ") == { success = false; value = false; } )
( builtins.tryEval (toInt " foo ") == { success = false; value = false; } )
( builtins.tryEval (toInt " foo 123 ") == { success = false; value = false; } )
( builtins.tryEval (toInt " foo123 ") == { success = false; value = false; } )
];
testToIntBase10 = testAllTrue [
# Naive
(123 == toIntBase10 "123")
(0 == toIntBase10 "0")
# Whitespace Padding
(123 == toIntBase10 " 123")
(123 == toIntBase10 "123 ")
(123 == toIntBase10 " 123 ")
(123 == toIntBase10 " 123 ")
(0 == toIntBase10 " 0")
(0 == toIntBase10 "0 ")
(0 == toIntBase10 " 0 ")
# Zero Padding
(123 == toIntBase10 "0123")
(123 == toIntBase10 "0000123")
(0 == toIntBase10 "000000")
# Whitespace and Zero Padding
(123 == toIntBase10 " 0123")
(123 == toIntBase10 "0123 ")
(123 == toIntBase10 " 0123 ")
(123 == toIntBase10 " 0000123")
(123 == toIntBase10 "0000123 ")
(123 == toIntBase10 " 0000123 ")
(0 == toIntBase10 " 000000")
(0 == toIntBase10 "000000 ")
(0 == toIntBase10 " 000000 ")
];
testToIntBase10Fails = testAllTrue [
( builtins.tryEval (toIntBase10 "") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 "123 123") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 "0 123") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " 0d ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " 1d ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " d0 ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " foo ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " foo 123 ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " foo 00123 ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " foo00123 ") == { success = false; value = false; } )
];
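Review bot: `testToInt` and `testToIntBase10` cover whitespace and zero padding but never a negative input, although `-4` is the second example in both docstrings; add `((-4) == toInt "-4")` and `((-4) == toIntBase10 "-4")` (plus a padded variant such as `(-4 == toIntBase10 " -0004 ")`) so the documented contract is pinned. Against the implementations in this commit those assertions fail, because neither regex accepts a sign, which is exactly the gap the suite should expose. `testToIntFails` and `testToIntBase10Fails` could likewise pin the documented `"3.14"` case with the same `tryEval` pattern.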
# LISTS # LISTS
testFilter = { testFilter = {


@ -162,7 +162,7 @@ checkConfigError 'A definition for option .* is not.*string or signed integer co
# Check coerced value with unsound coercion # Check coerced value with unsound coercion
checkConfigOutput '^12$' config.value ./declare-coerced-value-unsound.nix checkConfigOutput '^12$' config.value ./declare-coerced-value-unsound.nix
checkConfigError 'A definition for option .* is not of type .*. Definition values:\n\s*- In .*: "1000"' config.value ./declare-coerced-value-unsound.nix ./define-value-string-bigint.nix checkConfigError 'A definition for option .* is not of type .*. Definition values:\n\s*- In .*: "1000"' config.value ./declare-coerced-value-unsound.nix ./define-value-string-bigint.nix
checkConfigError 'json.exception.parse_error' config.value ./declare-coerced-value-unsound.nix ./define-value-string-arbitrary.nix checkConfigError 'toInt: Could not convert .* to int' config.value ./declare-coerced-value-unsound.nix ./define-value-string-arbitrary.nix
# Check mkAliasOptionModule. # Check mkAliasOptionModule.
checkConfigOutput '^true$' config.enable ./alias-with-priority.nix checkConfigOutput '^true$' config.enable ./alias-with-priority.nix


@ -5698,6 +5698,12 @@
githubId = 3661115; githubId = 3661115;
name = "Ingo Blechschmidt"; name = "Ingo Blechschmidt";
}; };
icewind1991 = {
name = "Robin Appelman";
email = "robin@icewind.nl";
github = "icewind1991";
githubId = 1283854;
};
icy-thought = { icy-thought = {
name = "Icy-Thought"; name = "Icy-Thought";
email = "gilganyx@pm.me"; email = "gilganyx@pm.me";
@ -5994,6 +6000,12 @@
github = "j0hax"; github = "j0hax";
githubId = 3802620; githubId = 3802620;
}; };
j0lol = {
name = "Jo";
email = "me@j0.lol";
github = "j0lol";
githubId = 24716467;
};
j4m3s = { j4m3s = {
name = "James Landrein"; name = "James Landrein";
email = "github@j4m3s.eu"; email = "github@j4m3s.eu";
@ -6221,6 +6233,12 @@
githubId = 117874; githubId = 117874;
name = "Jeroen de Haas"; name = "Jeroen de Haas";
}; };
jdelStrother = {
email = "me@delstrother.com";
github = "jdelStrother";
githubId = 2377;
name = "Jonathan del Strother";
};
jdreaver = { jdreaver = {
email = "johndreaver@gmail.com"; email = "johndreaver@gmail.com";
github = "jdreaver"; github = "jdreaver";
@ -7363,6 +7381,12 @@
githubId = 2037002; githubId = 2037002;
name = "Konstantinos"; name = "Konstantinos";
}; };
kototama = {
email = "kototama@posteo.jp";
github = "kototama";
githubId = 128620;
name = "Kototama";
};
kouyk = { kouyk = {
email = "skykinetic@stevenkou.xyz"; email = "skykinetic@stevenkou.xyz";
github = "kouyk"; github = "kouyk";
@ -7516,6 +7540,8 @@
}; };
laalsaas = { laalsaas = {
email = "laalsaas@systemli.org"; email = "laalsaas@systemli.org";
github = "laalsaas";
githubId = 43275254;
name = "laalsaas"; name = "laalsaas";
}; };
lach = { lach = {
@ -8797,7 +8823,7 @@
email = "megoettlinger@gmail.com"; email = "megoettlinger@gmail.com";
github = "mgttlinger"; github = "mgttlinger";
githubId = 5120487; githubId = 5120487;
name = "Merlin Göttlinger"; name = "Merlin Humml";
}; };
mguentner = { mguentner = {
email = "code@klandest.in"; email = "code@klandest.in";
@ -9439,6 +9465,12 @@
githubId = 772914; githubId = 772914;
name = "Mikael Voss"; name = "Mikael Voss";
}; };
mwolfe = {
email = "corp@m0rg.dev";
github = "m0rg-dev";
githubId = 38578268;
name = "Morgan Wolfe";
};
maxwilson = { maxwilson = {
email = "nixpkgs@maxwilson.dev"; email = "nixpkgs@maxwilson.dev";
github = "mwilsoncoding"; github = "mwilsoncoding";
@ -10743,6 +10775,15 @@
fingerprint = "B00F E582 FD3F 0732 EA48 3937 F558 14E4 D687 4375"; fingerprint = "B00F E582 FD3F 0732 EA48 3937 F558 14E4 D687 4375";
}]; }];
}; };
PlayerNameHere = {
name = "Dixon Sean Low Yan Feng";
email = "dixonseanlow@protonmail.com";
github = "PlayerNameHere";
githubId = 56017218;
keys = [{
fingerprint = "E6F4 BFB4 8DE3 893F 68FC A15F FF5F 4B30 A41B BAC8";
}];
};
plchldr = { plchldr = {
email = "mail@oddco.de"; email = "mail@oddco.de";
github = "plchldr"; github = "plchldr";
@ -10755,6 +10796,12 @@
githubId = 358550; githubId = 358550;
name = "Philip Lykke Carlsen"; name = "Philip Lykke Carlsen";
}; };
pleshevskiy = {
email = "dmitriy@pleshevski.ru";
github = "pleshevskiy";
githubId = 7839004;
name = "Dmitriy Pleshevskiy";
};
plumps = { plumps = {
email = "maks.bronsky@web.de"; email = "maks.bronsky@web.de";
github = "plumps"; github = "plumps";
@ -13724,12 +13771,6 @@
githubId = 2164118; githubId = 2164118;
name = "Tobias Bora"; name = "Tobias Bora";
}; };
tohl = {
email = "tom@logand.com";
github = "tohl";
githubId = 12159013;
name = "Tomas Hlavaty";
};
tokudan = { tokudan = {
email = "git@danielfrank.net"; email = "git@danielfrank.net";
github = "tokudan"; github = "tokudan";
@ -15673,4 +15714,10 @@
githubId = 5228243; githubId = 5228243;
name = "waelwindows"; name = "waelwindows";
}; };
wuyoli = {
name = "wuyoli";
email = "wuyoli@tilde.team";
github = "wuyoli";
githubId = 104238274;
};
} }


@ -63,7 +63,7 @@ luaepnf,,,,,,
luaevent,,,,,, luaevent,,,,,,
luaexpat,,,,1.4.1-1,,arobyn flosse luaexpat,,,,1.4.1-1,,arobyn flosse
luaffi,,,http://luarocks.org/dev,,, luaffi,,,http://luarocks.org/dev,,,
luafilesystem,,,,1.7.0-2,,flosse luafilesystem,,,,1.8.0-1,,flosse
lualogging,,,,,, lualogging,,,,,,
luaossl,,,,,5.1, luaossl,,,,,5.1,
luaposix,,,,34.1.1-1,,vyp lblasc luaposix,,,,34.1.1-1,,vyp lblasc

1 name src ref server version luaversion maintainers
63 luaevent
64 luaexpat 1.4.1-1 arobyn flosse
65 luaffi http://luarocks.org/dev
66 luafilesystem 1.7.0-2 1.8.0-1 flosse
67 lualogging
68 luaossl 5.1
69 luaposix 34.1.1-1 vyp lblasc


@ -48,7 +48,17 @@ let
let let
result = builtins.tryEval pathContent; result = builtins.tryEval pathContent;
dedupResults = lst: nubOn ({ package, attrPath }: package.updateScript) (lib.concatLists lst); somewhatUniqueRepresentant =
{ package, attrPath }: {
inherit (package) updateScript;
# Some updaters use the same `updateScript` value for all packages.
# Also compare `meta.description`.
position = package.meta.position or null;
# We cannot always use `meta.position` since it might not be available
# or it might be shared among multiple packages.
};
dedupResults = lst: nubOn somewhatUniqueRepresentant (lib.concatLists lst);
in in
if result.success then if result.success then
let let
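Review bot: The comment inside `somewhatUniqueRepresentant` says "Also compare `meta.description`", but the attribute actually added to the representative is `position = package.meta.position or null;`, so the comment and the code disagree; change it to `# Also compare meta.position.` The explanation of why `meta.position` is optional sits after the attribute it explains, so moving those two comment lines above `position = …` would read more naturally. The enclosing `let` starts before the hunk.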


@ -182,6 +182,8 @@ with lib.maintainers; {
members = [ members = [
cole-h cole-h
grahamc grahamc
hoverbear
lheckemann
]; ];
scope = "Group registration for packages maintained by Determinate Systems."; scope = "Group registration for packages maintained by Determinate Systems.";
shortName = "Determinate Systems employees"; shortName = "Determinate Systems employees";


@ -9,7 +9,7 @@ containers.database =
{ config = { config =
{ config, pkgs, ... }: { config, pkgs, ... }:
{ services.postgresql.enable = true; { services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql_10; services.postgresql.package = pkgs.postgresql_14;
}; };
}; };
``` ```


@ -166,7 +166,7 @@ Packages
pkgs.emacs pkgs.emacs
]; ];
services.postgresql.package = pkgs.postgresql_10; services.postgresql.package = pkgs.postgresql_14;
``` ```
The latter option definition changes the default PostgreSQL package The latter option definition changes the default PostgreSQL package


@ -11,7 +11,7 @@ containers.database =
{ config = { config =
{ config, pkgs, ... }: { config, pkgs, ... }:
{ services.postgresql.enable = true; { services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql_10; services.postgresql.package = pkgs.postgresql_14;
}; };
}; };
</programlisting> </programlisting>


@ -217,7 +217,7 @@ environment.systemPackages =
pkgs.emacs pkgs.emacs
]; ];
services.postgresql.package = pkgs.postgresql_10; services.postgresql.package = pkgs.postgresql_14;
</programlisting> </programlisting>
<para> <para>
The latter option definition changes the default PostgreSQL The latter option definition changes the default PostgreSQL


@ -1,35 +1,135 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-booting-from-usb"> <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-booting-from-usb">
<title>Booting from a USB Drive</title> <title>Booting from a USB flash drive</title>
<para> <para>
For systems without CD drive, the NixOS live CD can be booted from a The image has to be written verbatim to the USB flash drive for it
USB stick. You can use the <literal>dd</literal> utility to write to be bootable on UEFI and BIOS systems. Here are the recommended
the image: <literal>dd if=path-to-image of=/dev/sdX</literal>. Be tools to do that.
careful about specifying the correct drive; you can use the
<literal>lsblk</literal> command to get a list of block devices.
</para> </para>
<note> <section xml:id="sec-booting-from-usb-graphical">
<title>On macOS</title> <title>Creating bootable USB flash drive with a graphical
tool</title>
<para>
Etcher is a popular and user-friendly tool. It works on Linux,
Windows and macOS.
</para>
<para>
Download it from
<link xlink:href="https://www.balena.io/etcher/">balena.io</link>,
start the program, select the downloaded NixOS ISO, then select
the USB flash drive and flash it.
</para>
<warning>
<para>
Etcher reports errors and usage statistics by default, which can
be disabled in the settings.
</para>
</warning>
<para>
An alternative is
<link xlink:href="https://bztsrc.gitlab.io/usbimager">USBImager</link>,
which is very simple and does not connect to the internet.
Download the version with write-only (wo) interface for your
system. Start the program, select the image, select the USB flash
drive and click <quote>Write</quote>.
</para>
</section>
<section xml:id="sec-booting-from-usb-linux">
<title>Creating bootable USB flash drive from a Terminal on
Linux</title>
<orderedlist numeration="arabic" spacing="compact">
<listitem>
<para>
Plug in the USB flash drive.
</para>
</listitem>
<listitem>
<para>
Find the corresponding device with <literal>lsblk</literal>.
You can distinguish them by their size.
</para>
</listitem>
<listitem>
<para>
Make sure all partitions on the device are properly unmounted.
Replace <literal>sdX</literal> with your device (e.g.
<literal>sdb</literal>).
</para>
</listitem>
</orderedlist>
<programlisting> <programlisting>
$ diskutil list sudo umount /dev/sdX*
[..] </programlisting>
/dev/diskN (external, physical): <orderedlist numeration="arabic" spacing="compact">
#: TYPE NAME SIZE IDENTIFIER <listitem override="4">
[..] <para>
$ diskutil unmountDisk diskN Then use the <literal>dd</literal> utility to write the image
Unmount of all volumes on diskN was successful to the USB flash drive.
$ sudo dd if=nix.iso of=/dev/rdiskN bs=1M </para>
</listitem>
</orderedlist>
<programlisting>
sudo dd if=&lt;path-to-image&gt; of=/dev/sdX bs=4M conv=fsync
</programlisting>
</section>
<section xml:id="sec-booting-from-usb-macos">
<title>Creating bootable USB flash drive from a Terminal on
macOS</title>
<orderedlist numeration="arabic" spacing="compact">
<listitem>
<para>
Plug in the USB flash drive.
</para>
</listitem>
<listitem>
<para>
Find the corresponding device with
<literal>diskutil list</literal>. You can distinguish them by
their size.
</para>
</listitem>
<listitem>
<para>
Make sure all partitions on the device are properly unmounted.
Replace <literal>diskX</literal> with your device (e.g.
<literal>disk1</literal>).
</para>
</listitem>
</orderedlist>
<programlisting>
diskutil unmountDisk diskX
</programlisting>
<orderedlist numeration="arabic" spacing="compact">
<listitem override="4">
<para>
Then use the <literal>dd</literal> utility to write the image
to the USB flash drive.
</para>
</listitem>
</orderedlist>
<programlisting>
sudo dd if=&lt;path-to-image&gt; of=/dev/rdiskX bs=4m
</programlisting> </programlisting>
<para> <para>
Using the 'raw' <literal>rdiskN</literal> device instead of
<literal>diskN</literal> completes in minutes instead of hours.
After <literal>dd</literal> completes, a GUI dialog &quot;The disk After <literal>dd</literal> completes, a GUI dialog &quot;The disk
you inserted was not readable by this computer&quot; will pop up, you inserted was not readable by this computer&quot; will pop up,
which can be ignored. which can be ignored.
</para> </para>
</note> <note>
<para> <para>
The <literal>dd</literal> utility will write the image verbatim to Using the 'raw' <literal>rdiskX</literal> device instead of
the drive, making it the recommended option for both UEFI and <literal>diskX</literal> with dd completes in minutes instead of
non-UEFI installations. hours.
</para> </para>
</note>
<orderedlist numeration="arabic" spacing="compact">
<listitem override="5">
<para>
Eject the disk when it is finished.
</para>
</listitem>
</orderedlist>
<programlisting>
diskutil eject /dev/diskX
</programlisting>
</section>
</section> </section>


@ -1,26 +1,212 @@
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" xml:id="sec-installation"> <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" xml:id="sec-installation">
<title>Installing NixOS</title> <title>Installing NixOS</title>
<section xml:id="sec-installation-booting"> <section xml:id="sec-installation-booting">
<title>Booting the system</title> <title>Booting from the install medium</title>
<para>
To begin the installation, you have to boot your computer from the
install drive.
</para>
<orderedlist numeration="arabic">
<listitem>
<para>
Plug in the install drive. Then turn on or restart your
computer.
</para>
</listitem>
<listitem>
<para>
Open the boot menu by pressing the appropriate key, which is
usually shown on the display on early boot. Select the USB
flash drive (the option usually contains the word
<quote>USB</quote>). If you choose the incorrect drive, your
computer will likely continue to boot as normal. In that case
restart your computer and pick a different drive.
</para>
<note>
<para>
The key to open the boot menu is different across computer
brands and even models. It can be <keycap>F12</keycap>, but
also <keycap>F1</keycap>, <keycap>F9</keycap>,
<keycap>F10</keycap>, <keycap>Enter</keycap>,
<keycap>Del</keycap>, <keycap>Esc</keycap> or another
function key. If you are unsure and dont see it on the
early boot screen, you can search online for your computers
brand, model followed by <quote>boot from usb</quote>. The
computer might not even have that feature, so you have to go
into the BIOS/UEFI settings to change the boot order. Again,
search online for details about your specific computer
model.
</para>
<para>
For Apple computers with Intel processors press and hold the
<keycap></keycap> (Option or Alt) key until you see the
boot menu. On Apple silicon press and hold the power button.
</para>
</note>
<note>
<para>
If your computer supports both BIOS and UEFI boot, choose
the UEFI option.
</para>
</note>
<note>
<para>
If you use a CD for the installation, the computer will
probably boot from it automatically. If not, choose the
option containing the word <quote>CD</quote> from the boot
menu.
</para>
</note>
</listitem>
<listitem>
<para>
Shortly after selecting the appropriate boot drive, you should
be presented with a menu with different installer options.
Leave the default and wait (or press <keycap>Enter</keycap> to
speed up).
</para>
</listitem>
<listitem>
<para>
The graphical images will start their corresponding desktop
environment and the graphical installer, which can take some
time. The minimal images will boot to a command line. You have
to follow the instructions in
<xref linkend="sec-installation-manual" /> there.
</para>
</listitem>
</orderedlist>
</section>
<section xml:id="sec-installation-graphical">
<title>Graphical Installation</title>
<para>
The graphical installer is recommended for desktop users and will
guide you through the installation.
</para>
<orderedlist numeration="arabic">
<listitem>
<para>
In the <quote>Welcome</quote> screen, you can select the
language of the Installer and the installed system.
</para>
<tip>
<para>
Leaving the language as <quote>American English</quote> will
make it easier to search for error messages in a search
engine or to report an issue.
</para>
</tip>
</listitem>
<listitem>
<para>
Next you should choose your location to have the timezone set
correctly. You can actually click on the map!
</para>
<note>
<para>
The installer will use an online service to guess your
location based on your public IP address.
</para>
</note>
</listitem>
<listitem>
<para>
Then you can select the keyboard layout. The default keyboard
model should work well with most desktop keyboards. If you
have a special keyboard or notebook, your model might be in
the list. Select the language you are most comfortable typing
in.
</para>
</listitem>
<listitem>
<para>
On the <quote>Users</quote> screen, you have to type in your
display name, login name and password. You can also enable an
option to automatically login to the desktop.
</para>
</listitem>
<listitem>
<para>
Then you have the option to choose a desktop environment. If
you want to create a custom setup with a window manager, you
can select <quote>No desktop</quote>.
</para>
<tip>
<para>
If you dont have a favorite desktop and dont know which
one to choose, you can stick to either GNOME or Plasma. They
have a quite different design, so you should choose
whichever you like better. They are both popular choices and
well tested on NixOS.
</para>
</tip>
</listitem>
<listitem>
<para>
You have the option to allow unfree software in the next
screen.
</para>
</listitem>
<listitem>
<para>
The easiest option in the <quote>Partitioning</quote> screen
is <quote>Erase disk</quote>, which will delete all data from
the selected disk and install the system on it. Also select
<quote>Swap (with Hibernation)</quote> in the dropdown below
it. You have the option to encrypt the whole disk with LUKS.
</para>
<note>
<para>
At the top left you see if the Installer was booted with
BIOS or UEFI. If you know your system supports UEFI and it
shows <quote>BIOS</quote>, reboot with the correct option.
</para>
</note>
<warning>
<para>
Make sure you have selected the correct disk at the top and
that no valuable data is still on the disk! It will be
deleted when formatting the disk.
</para>
</warning>
</listitem>
<listitem>
<para>
Check the choices you made in the <quote>Summary</quote> and
click <quote>Install</quote>.
</para>
<note>
<para>
The installation takes about 15 minutes. The time varies
based on the selected desktop environment, internet
connection speed and disk write speed.
</para>
</note>
</listitem>
<listitem>
<para>
When the install is complete, remove the USB flash drive and
reboot into your new system!
</para>
</listitem>
</orderedlist>
</section>
<section xml:id="sec-installation-manual">
<title>Manual Installation</title>
<para> <para>
NixOS can be installed on BIOS or UEFI systems. The procedure for NixOS can be installed on BIOS or UEFI systems. The procedure for
a UEFI installation is by and large the same as a BIOS a UEFI installation is broadly the same as for a BIOS
installation. The differences are mentioned in the steps that installation. The differences are mentioned in the following
follow. steps.
</para>
<para>
The installation media can be burned to a CD, or now more
commonly, <quote>burned</quote> to a USB drive (see
<xref linkend="sec-booting-from-usb" />).
</para>
<para>
The installation media contains a basic NixOS installation. When
its finished booting, it should have detected most of your
hardware.
</para> </para>
<para> <para>
The NixOS manual is available by running The NixOS manual is available by running
<literal>nixos-help</literal>. <literal>nixos-help</literal> in the command line or from the
application menu in the desktop environment.
</para>
<para>
To have access to the command line on the graphical images, open
Terminal (GNOME) or Konsole (Plasma) from the application menu.
</para> </para>
<para> <para>
You are logged-in automatically as <literal>nixos</literal>. The You are logged-in automatically as <literal>nixos</literal>. The
@ -31,11 +217,8 @@
$ sudo -i $ sudo -i
</programlisting> </programlisting>
<para> <para>
If you downloaded the graphical ISO image, you can run You can use <literal>loadkeys</literal> to switch to your
<literal>systemctl start display-manager</literal> to start the preferred keyboard layout. (We even provide neo2 via
desktop environment. If you want to continue on the terminal, you
can use <literal>loadkeys</literal> to switch to your preferred
keyboard layout. (We even provide neo2 via
<literal>loadkeys de neo</literal>!) <literal>loadkeys de neo</literal>!)
</para> </para>
<para> <para>
@ -49,8 +232,12 @@ $ sudo -i
bootloader lists boot entries, select the serial console boot bootloader lists boot entries, select the serial console boot
entry. entry.
</para> </para>
<section xml:id="sec-installation-booting-networking"> <section xml:id="sec-installation-manual-networking">
<title>Networking in the installer</title> <title>Networking in the installer</title>
<para>
<anchor xml:id="sec-installation-booting-networking" />
<!-- legacy anchor -->
</para>
<para> <para>
The boot process should have brought up networking (check The boot process should have brought up networking (check
<literal>ip a</literal>). Networking is necessary for the <literal>ip a</literal>). Networking is necessary for the
@ -130,12 +317,15 @@ OK
able to login. able to login.
</para> </para>
</section> </section>
</section> <section xml:id="sec-installation-manual-partitioning">
<section xml:id="sec-installation-partitioning">
<title>Partitioning and formatting</title> <title>Partitioning and formatting</title>
<para> <para>
The NixOS installer doesnt do any partitioning or formatting, so <anchor xml:id="sec-installation-partitioning" />
you need to do that yourself. <!-- legacy anchor -->
</para>
<para>
The NixOS installer doesnt do any partitioning or formatting,
so you need to do that yourself.
</para> </para>
<para> <para>
The NixOS installer ships with multiple partitioning tools. The The NixOS installer ships with multiple partitioning tools. The
@ -144,12 +334,16 @@ OK
<literal>cfdisk</literal>, and <literal>cgdisk</literal>. <literal>cfdisk</literal>, and <literal>cgdisk</literal>.
</para> </para>
<para> <para>
The recommended partition scheme differs depending if the computer The recommended partition scheme differs depending if the
uses <emphasis>Legacy Boot</emphasis> or computer uses <emphasis>Legacy Boot</emphasis> or
<emphasis>UEFI</emphasis>. <emphasis>UEFI</emphasis>.
</para> </para>
<section xml:id="sec-installation-partitioning-UEFI"> <section xml:id="sec-installation-manual-partitioning-UEFI">
<title>UEFI (GPT)</title> <title>UEFI (GPT)</title>
<para>
<anchor xml:id="sec-installation-partitioning-UEFI" />
<!-- legacy anchor -->
</para>
<para> <para>
Here's an example partition scheme for UEFI, using Here's an example partition scheme for UEFI, using
<literal>/dev/sda</literal> as the device. <literal>/dev/sda</literal> as the device.
@ -171,10 +365,10 @@ OK
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Add the <emphasis>root</emphasis> partition. This will fill Add the <emphasis>root</emphasis> partition. This will
the disk except for the end part, where the swap will live, fill the disk except for the end part, where the swap will
and the space left in front (512MiB) which will be used by live, and the space left in front (512MiB) which will be
the boot partition. used by the boot partition.
</para> </para>
<programlisting> <programlisting>
# parted /dev/sda -- mkpart primary 512MB -8GB # parted /dev/sda -- mkpart primary 512MB -8GB
@ -200,8 +394,8 @@ OK
<para> <para>
Finally, the <emphasis>boot</emphasis> partition. NixOS by Finally, the <emphasis>boot</emphasis> partition. NixOS by
default uses the ESP (EFI system partition) as its default uses the ESP (EFI system partition) as its
<emphasis>/boot</emphasis> partition. It uses the initially <emphasis>/boot</emphasis> partition. It uses the
reserved 512MiB at the start of the disk. initially reserved 512MiB at the start of the disk.
</para> </para>
<programlisting> <programlisting>
# parted /dev/sda -- mkpart ESP fat32 1MB 512MB # parted /dev/sda -- mkpart ESP fat32 1MB 512MB
@ -211,11 +405,15 @@ OK
</orderedlist> </orderedlist>
<para> <para>
Once complete, you can follow with Once complete, you can follow with
<xref linkend="sec-installation-partitioning-formatting" />. <xref linkend="sec-installation-manual-partitioning-formatting" />.
</para> </para>
</section> </section>
<section xml:id="sec-installation-partitioning-MBR"> <section xml:id="sec-installation-manual-partitioning-MBR">
<title>Legacy Boot (MBR)</title> <title>Legacy Boot (MBR)</title>
<para>
<anchor xml:id="sec-installation-partitioning-MBR" />
<!-- legacy anchor -->
</para>
<para> <para>
Here's an example partition scheme for Legacy Boot, using Here's an example partition scheme for Legacy Boot, using
<literal>/dev/sda</literal> as the device. <literal>/dev/sda</literal> as the device.
@ -237,9 +435,9 @@ OK
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Add the <emphasis>root</emphasis> partition. This will fill Add the <emphasis>root</emphasis> partition. This will
the the disk except for the end part, where the swap will fill the the disk except for the end part, where the swap
live. will live.
</para> </para>
<programlisting> <programlisting>
# parted /dev/sda -- mkpart primary 1MB -8GB # parted /dev/sda -- mkpart primary 1MB -8GB
@ -256,9 +454,9 @@ OK
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Finally, add a <emphasis>swap</emphasis> partition. The size Finally, add a <emphasis>swap</emphasis> partition. The
required will vary according to needs, here a 8GiB one is size required will vary according to needs, here a 8GiB
created. one is created.
</para> </para>
<programlisting> <programlisting>
# parted /dev/sda -- mkpart primary linux-swap -8GB 100% # parted /dev/sda -- mkpart primary linux-swap -8GB 100%
@ -273,11 +471,15 @@ OK
</orderedlist> </orderedlist>
<para> <para>
Once complete, you can follow with Once complete, you can follow with
<xref linkend="sec-installation-partitioning-formatting" />. <xref linkend="sec-installation-manual-partitioning-formatting" />.
</para> </para>
</section> </section>
<section xml:id="sec-installation-partitioning-formatting"> <section xml:id="sec-installation-manual-partitioning-formatting">
<title>Formatting</title> <title>Formatting</title>
<para>
<anchor xml:id="sec-installation-partitioning-formatting" />
<!-- legacy anchor -->
</para>
<para> <para>
Use the following commands: Use the following commands:
</para> </para>
@ -286,10 +488,10 @@ OK
<para> <para>
For initialising Ext4 partitions: For initialising Ext4 partitions:
<literal>mkfs.ext4</literal>. It is recommended that you <literal>mkfs.ext4</literal>. It is recommended that you
assign a unique symbolic label to the file system using the assign a unique symbolic label to the file system using
option <literal>-L label</literal>, since this makes the the option <literal>-L label</literal>, since this makes
file system configuration independent from device changes. the file system configuration independent from device
For example: changes. For example:
</para> </para>
<programlisting> <programlisting>
# mkfs.ext4 -L nixos /dev/sda1 # mkfs.ext4 -L nixos /dev/sda1
@ -334,8 +536,12 @@ OK
</itemizedlist> </itemizedlist>
</section> </section>
</section> </section>
<section xml:id="sec-installation-installing"> <section xml:id="sec-installation-manual-installing">
<title>Installing</title> <title>Installing</title>
<para>
<anchor xml:id="sec-installation-installing" />
<!-- legacy anchor -->
</para>
<orderedlist numeration="arabic"> <orderedlist numeration="arabic">
<listitem> <listitem>
<para> <para>
@ -363,9 +569,9 @@ OK
<para> <para>
If your machine has a limited amount of memory, you may want If your machine has a limited amount of memory, you may want
to activate swap devices now to activate swap devices now
(<literal>swapon device</literal>). The installer (or rather, (<literal>swapon device</literal>). The installer (or
the build actions that it may spawn) may need quite a bit of rather, the build actions that it may spawn) may need quite
RAM, depending on your configuration. a bit of RAM, depending on your configuration.
</para> </para>
<programlisting> <programlisting>
# swapon /dev/sda2 # swapon /dev/sda2
@ -384,7 +590,8 @@ OK
<xref linkend="sec-configuration-syntax" />, while a list of <xref linkend="sec-configuration-syntax" />, while a list of
available configuration options appears in available configuration options appears in
<xref linkend="ch-options" />. A minimal example is shown in <xref linkend="ch-options" />. A minimal example is shown in
<link linkend="ex-config">Example: NixOS Configuration</link>. <link linkend="ex-config">Example: NixOS
Configuration</link>.
</para> </para>
<para> <para>
The command <literal>nixos-generate-config</literal> can The command <literal>nixos-generate-config</literal> can
@ -402,8 +609,8 @@ OK
# nano /mnt/etc/nixos/configuration.nix # nano /mnt/etc/nixos/configuration.nix
</programlisting> </programlisting>
<para> <para>
If youre using the graphical ISO image, other editors may be If youre using the graphical ISO image, other editors may
available (such as <literal>vim</literal>). If you have be available (such as <literal>vim</literal>). If you have
network access, you can also install other editors for network access, you can also install other editors for
instance, you can install Emacs by running instance, you can install Emacs by running
<literal>nix-env -f '&lt;nixpkgs&gt;' -iA emacs</literal>. <literal>nix-env -f '&lt;nixpkgs&gt;' -iA emacs</literal>.
@ -440,9 +647,9 @@ OK
option option
<xref linkend="opt-boot.loader.systemd-boot.enable" /> <xref linkend="opt-boot.loader.systemd-boot.enable" />
to <literal>true</literal>. to <literal>true</literal>.
<literal>nixos-generate-config</literal> should do this <literal>nixos-generate-config</literal> should do
automatically for new configurations when booted in UEFI this automatically for new configurations when booted
mode. in UEFI mode.
</para> </para>
<para> <para>
You may want to look at the options starting with You may want to look at the options starting with
@ -481,35 +688,36 @@ OK
</para> </para>
<para> <para>
Another critical option is <literal>fileSystems</literal>, Another critical option is <literal>fileSystems</literal>,
specifying the file systems that need to be mounted by NixOS. specifying the file systems that need to be mounted by
However, you typically dont need to set it yourself, because NixOS. However, you typically dont need to set it yourself,
<literal>nixos-generate-config</literal> sets it automatically because <literal>nixos-generate-config</literal> sets it
in automatically in
<literal>/mnt/etc/nixos/hardware-configuration.nix</literal> <literal>/mnt/etc/nixos/hardware-configuration.nix</literal>
from your currently mounted file systems. (The configuration from your currently mounted file systems. (The configuration
file <literal>hardware-configuration.nix</literal> is included file <literal>hardware-configuration.nix</literal> is
from <literal>configuration.nix</literal> and will be included from <literal>configuration.nix</literal> and will
overwritten by future invocations of be overwritten by future invocations of
<literal>nixos-generate-config</literal>; thus, you generally <literal>nixos-generate-config</literal>; thus, you
should not modify it.) Additionally, you may want to look at generally should not modify it.) Additionally, you may want
to look at
<link xlink:href="https://github.com/NixOS/nixos-hardware">Hardware <link xlink:href="https://github.com/NixOS/nixos-hardware">Hardware
configuration for known-hardware</link> at this point or after configuration for known-hardware</link> at this point or
installation. after installation.
</para> </para>
<note> <note>
<para> <para>
Depending on your hardware configuration or type of file Depending on your hardware configuration or type of file
system, you may need to set the option system, you may need to set the option
<literal>boot.initrd.kernelModules</literal> to include the <literal>boot.initrd.kernelModules</literal> to include
kernel modules that are necessary for mounting the root file the kernel modules that are necessary for mounting the
system, otherwise the installed system will not be able to root file system, otherwise the installed system will not
boot. (If this happens, boot from the installation media be able to boot. (If this happens, boot from the
again, mount the target file system on installation media again, mount the target file system on
<literal>/mnt</literal>, fix <literal>/mnt</literal>, fix
<literal>/mnt/etc/nixos/configuration.nix</literal> and <literal>/mnt/etc/nixos/configuration.nix</literal> and
rerun <literal>nixos-install</literal>.) In most cases, rerun <literal>nixos-install</literal>.) In most cases,
<literal>nixos-generate-config</literal> will figure out the <literal>nixos-generate-config</literal> will figure out
required modules. the required modules.
</para> </para>
</note> </note>
</listitem> </listitem>
@ -522,16 +730,16 @@ OK
</programlisting> </programlisting>
<para> <para>
This will install your system based on the configuration you This will install your system based on the configuration you
provided. If anything fails due to a configuration problem or provided. If anything fails due to a configuration problem
any other issue (such as a network outage while downloading or any other issue (such as a network outage while
binaries from the NixOS binary cache), you can re-run downloading binaries from the NixOS binary cache), you can
<literal>nixos-install</literal> after fixing your re-run <literal>nixos-install</literal> after fixing your
<literal>configuration.nix</literal>. <literal>configuration.nix</literal>.
</para> </para>
<para> <para>
As the last step, <literal>nixos-install</literal> will ask As the last step, <literal>nixos-install</literal> will ask
you to set the password for the <literal>root</literal> user, you to set the password for the <literal>root</literal>
e.g. user, e.g.
</para> </para>
<programlisting> <programlisting>
setting root password... setting root password...
@ -558,12 +766,12 @@ Retype new password: ***
<para> <para>
You should now be able to boot into the installed NixOS. The You should now be able to boot into the installed NixOS. The
GRUB boot menu shows a list of <emphasis>available GRUB boot menu shows a list of <emphasis>available
configurations</emphasis> (initially just one). Every time you configurations</emphasis> (initially just one). Every time
change the NixOS configuration (see you change the NixOS configuration (see
<link linkend="sec-changing-config">Changing <link linkend="sec-changing-config">Changing
Configuration</link>), a new item is added to the menu. This Configuration</link>), a new item is added to the menu. This
allows you to easily roll back to a previous configuration if allows you to easily roll back to a previous configuration
something goes wrong. if something goes wrong.
</para> </para>
<para> <para>
You should log in and change the <literal>root</literal> You should log in and change the <literal>root</literal>
@ -584,16 +792,20 @@ $ passwd eelco
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
<section xml:id="sec-installation-summary"> <section xml:id="sec-installation-manual-summary">
<title>Installation summary</title> <title>Installation summary</title>
<para>
<anchor xml:id="sec-installation-summary" />
<!-- legacy anchor -->
</para>
<para> <para>
To summarise, <link linkend="ex-install-sequence">Example: To summarise, <link linkend="ex-install-sequence">Example:
Commands for Installing NixOS on Commands for Installing NixOS on
<literal>/dev/sda</literal></link> shows a typical sequence of <literal>/dev/sda</literal></link> shows a typical sequence of
commands for installing NixOS on an empty hard drive (here commands for installing NixOS on an empty hard drive (here
<literal>/dev/sda</literal>). <link linkend="ex-config">Example: <literal>/dev/sda</literal>). <link linkend="ex-config">Example:
NixOS Configuration</link> shows a corresponding configuration Nix NixOS Configuration</link> shows a corresponding configuration
expression. Nix expression.
</para> </para>
<anchor xml:id="ex-partition-scheme-MBR" /> <anchor xml:id="ex-partition-scheme-MBR" />
<para> <para>
@ -619,8 +831,8 @@ $ passwd eelco
</programlisting> </programlisting>
<anchor xml:id="ex-install-sequence" /> <anchor xml:id="ex-install-sequence" />
<para> <para>
<emphasis role="strong">Example: Commands for Installing NixOS on <emphasis role="strong">Example: Commands for Installing NixOS
<literal>/dev/sda</literal></emphasis> on <literal>/dev/sda</literal></emphasis>
</para> </para>
<para> <para>
With a partitioned disk. With a partitioned disk.
@ -662,6 +874,7 @@ $ passwd eelco
} }
</programlisting> </programlisting>
</section> </section>
</section>
<section xml:id="sec-installation-additional-notes"> <section xml:id="sec-installation-additional-notes">
<title>Additional installation notes</title> <title>Additional installation notes</title>
<xi:include href="installing-usb.section.xml" /> <xi:include href="installing-usb.section.xml" />


@ -2,16 +2,15 @@
<title>Obtaining NixOS</title> <title>Obtaining NixOS</title>
<para> <para>
NixOS ISO images can be downloaded from the NixOS ISO images can be downloaded from the
<link xlink:href="https://nixos.org/nixos/download.html">NixOS <link xlink:href="https://nixos.org/download.html#nixos-iso">NixOS
download page</link>. There are a number of installation options. If download page</link>. Follow the instructions in
you happen to have an optical drive and a spare CD, burning the <xref linkend="sec-booting-from-usb" /> to create a bootable USB
image to CD and booting from that is probably the easiest option. flash drive.
Most people will need to prepare a USB stick to boot from. </para>
<xref linkend="sec-booting-from-usb" /> describes the preferred <para>
method to prepare a USB stick. A number of alternative methods are If you have a very old system that cant boot from USB, you can burn
presented in the the image to an empty CD. NixOS might not work very well on such
<link xlink:href="https://nixos.wiki/wiki/NixOS_Installation_Guide#Making_the_installation_media">NixOS systems.
Wiki</link>.
</para> </para>
<para> <para>
As an alternative to installing NixOS yourself, you can get a As an alternative to installing NixOS yourself, you can get a
@ -23,16 +22,16 @@
Using virtual appliances in Open Virtualization Format (OVF) Using virtual appliances in Open Virtualization Format (OVF)
that can be imported into VirtualBox. These are available from that can be imported into VirtualBox. These are available from
the the
<link xlink:href="https://nixos.org/nixos/download.html">NixOS <link xlink:href="https://nixos.org/download.html#nixos-virtualbox">NixOS
download page</link>. download page</link>.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
Using AMIs for Amazons EC2. To find one for your region and Using AMIs for Amazons EC2. To find one for your region, please
instance type, please refer to the refer to the
<link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/ec2-amis.nix">list <link xlink:href="https://nixos.org/download.html#nixos-amazon">download
of most recent AMIs</link>. page</link>.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>


@ -38,24 +38,6 @@
<literal>stdenv.buildPlatform.canExecute stdenv.hostPlatform</literal>. <literal>stdenv.buildPlatform.canExecute stdenv.hostPlatform</literal>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <literal>polymc</literal> package has been removed due to
a rogue maintainer. It has been replaced by
<literal>prismlauncher</literal>, a fork by the rest of the
maintainers. For more details, see
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/196624">the
pull request that made this change</link> and
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/196460">this
issue detailing the vulnerability</link>. Users with existing
installations should rename
<literal>~/.local/share/polymc</literal> to
<literal>~/.local/share/PrismLauncher</literal>. The main
config files path has also moved from
<literal>~/.local/share/polymc/polymc.cfg</literal> to
<literal>~/.local/share/PrismLauncher/prismlauncher.cfg</literal>.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The <literal>nixpkgs.hostPlatform</literal> and The <literal>nixpkgs.hostPlatform</literal> and
@ -155,6 +137,15 @@
certificates by default. certificates by default.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Improved performances of
<literal>lib.closePropagation</literal> which was previously
quadratic. This is used in e.g.
<literal>ghcWithPackages</literal>. Please see backward
incompatibilities notes below.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Cinnamon has been updated to 5.4. While at it, the cinnamon Cinnamon has been updated to 5.4. While at it, the cinnamon
@ -321,6 +312,14 @@
<link linkend="opt-services.endlessh-go.enable">services.endlessh-go</link>. <link linkend="opt-services.endlessh-go.enable">services.endlessh-go</link>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link>,
a simple object storage server for geodistributed deployments,
alternative to MinIO. Available as
<link linkend="opt-services.garage.enable">services.garage</link>.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<link xlink:href="https://netbird.io">netbird</link>, a zero <link xlink:href="https://netbird.io">netbird</link>, a zero
@ -428,6 +427,13 @@
<link xlink:href="options.html#opt-services.listmonk.enable">services.listmonk</link>. <link xlink:href="options.html#opt-services.listmonk.enable">services.listmonk</link>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<link xlink:href="https://uptime.kuma.pet/">Uptime
Kuma</link>, a fancy self-hosted monitoring tool. Available as
<link linkend="opt-services.uptime-kuma.enable">services.uptime-kuma</link>.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section xml:id="sec-release-22.11-incompatibilities"> <section xml:id="sec-release-22.11-incompatibilities">
@ -505,6 +511,16 @@
future Git update without notice. future Git update without notice.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<literal>openssh</literal> was updated to version 9.1,
disabling the generation of DSA keys when using
<literal>ssh-keygen -A</literal> as they are insecure. Also,
<literal>SetEnv</literal> directives in
<literal>ssh_config</literal> and
<literal>sshd_config</literal> are now first-match-wins
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<literal>bsp-layout</literal> no longer uses the command <literal>bsp-layout</literal> no longer uses the command
@ -561,6 +577,17 @@
this version for the entire lifecycle of the 22.11 release. this version for the entire lifecycle of the 22.11 release.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The ipfs package and module were renamed to kubo. The kubo
module now uses an RFC42-style <literal>settings</literal>
option instead of <literal>extraConfig</literal> and the
<literal>gatewayAddress</literal>,
<literal>apiAddress</literal> and
<literal>swarmAddress</literal> options were renamed. Using
the old names will print a warning but still work.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<literal>pkgs.cosign</literal> does not provide the <literal>pkgs.cosign</literal> does not provide the
@ -611,6 +638,12 @@
notes</link>. notes</link>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<literal>lib.closePropagation</literal> now needs that all
gathered sets have an <literal>outPath</literal> attribute.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
lemmy module option lemmy module option
@ -625,6 +658,14 @@
module removed, due to lack of maintainers. module removed, due to lack of maintainers.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <literal>nix.checkConfig</literal> option now fully
disables the config check. The new
<literal>nix.checkAllErrors</literal> option behaves like
<literal>nix.checkConfig</literal> previously did.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<literal>generateOptparseApplicativeCompletions</literal> and <literal>generateOptparseApplicativeCompletions</literal> and
@ -739,6 +780,14 @@
for vim). for vim).
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <literal>adguardhome</literal> module no longer uses
<literal>host</literal> and <literal>port</literal> options,
use <literal>settings.bind_host</literal> and
<literal>settings.bind_port</literal> instead.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The default <literal>kops</literal> version is now 1.25.1 and The default <literal>kops</literal> version is now 1.25.1 and
@ -751,6 +800,24 @@
due to upstream dropping support. due to upstream dropping support.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<literal>mysql57</literal> has been removed. Please update to
<literal>mysql80</literal> or <literal>mariadb</literal>. See
the
<link xlink:href="https://mariadb.com/kb/en/upgrading-from-mysql-to-mariadb/">upgrade
guide</link> for more information.
</para>
</listitem>
<listitem>
<para>
Consequently, <literal>cqrlog</literal> and
<literal>amorok</literal> now use <literal>mariadb</literal>
instead of <literal>mysql57</literal> for their embedded
databases. Running <literal>mysql_upgrade</literal> may be
neccesary.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<literal>k3s</literal> supports <literal>clusterInit</literal> <literal>k3s</literal> supports <literal>clusterInit</literal>
@ -807,6 +874,18 @@
<literal>hardware.saleae-logic.package</literal>. <literal>hardware.saleae-logic.package</literal>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
ZFS module will not allow hibernation by default, this is a
safety measure to prevent data loss cases like the ones
described at
<link xlink:href="https://github.com/openzfs/zfs/issues/260">OpenZFS/260</link>
and
<link xlink:href="https://github.com/openzfs/zfs/issues/12842">OpenZFS/12842</link>.
Use the <literal>boot.zfs.allowHibernation</literal> option to
configure this behaviour.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The Redis module now disables RDB persistence when The Redis module now disables RDB persistence when
@ -827,12 +906,84 @@
the mtu on interfaces and tag its packets with an fwmark. the mtu on interfaces and tag its packets with an fwmark.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The option <literal>overrideStrategy</literal> was added to
the different systemd unit options
(<literal>systemd.services.&lt;name&gt;</literal>,
<literal>systemd.sockets.&lt;name&gt;</literal>, …) to allow
enforcing the creation of a dropin file, rather than the main
unit file, by setting it to <literal>asDropin</literal>. This
is useful in cases where the existence of the main unit file
is not known to Nix at evaluation time, for example when the
main unit file is provided by adding a package to
<literal>systemd.packages</literal>. See the fix proposed in
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/135557#issuecomment-1295392470">NixOSs
systemd abstraction doesnt work with systemd template
units</link> for an example.
</para>
</listitem>
<listitem>
<para>
The <literal>polymc</literal> package has been removed due to
a rogue maintainer. It has been replaced by
<literal>prismlauncher</literal>, a fork by the rest of the
maintainers. For more details, see
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/196624">the
pull request that made this change</link> and
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/196460">this
issue detailing the vulnerability</link>. Users with existing
installations should rename
<literal>~/.local/share/polymc</literal> to
<literal>~/.local/share/PrismLauncher</literal>. The main
config files path has also moved from
<literal>~/.local/share/polymc/polymc.cfg</literal> to
<literal>~/.local/share/PrismLauncher/prismlauncher.cfg</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>bloat</literal> package has been updated from
unstable-2022-03-31 to unstable-2022-10-25, which brings a
breaking change. See
<link xlink:href="https://git.freesoftwareextremist.com/bloat/commit/?id=887ed241d64ba5db3fd3d87194fb5595e5ad7d73">this
upstream commit message</link> for details.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
The <literal>services.matrix-synapse</literal> systemd unit The <literal>services.matrix-synapse</literal> systemd unit
has been hardened. has been hardened.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <literal>services.grafana</literal> options were converted
to a
<link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
0042</link> configuration.
</para>
</listitem>
<listitem>
<para>
The <literal>services.grafana.provision.datasources</literal>
and <literal>services.grafana.provision.dashboards</literal>
options were converted to a
<link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
0042</link> configuration. They also now support specifying
the provisioning YAML file with <literal>path</literal>
option.
</para>
</listitem>
<listitem>
<para>
The <literal>services.grafana.provision.alerting</literal>
option was added. It includes suboptions for every
alerting-related objects (with the exception of
<literal>notifiers</literal>), which means its now possible
to configure modern Grafana alerting declaratively.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
Matrix Synapse now requires entries in the Matrix Synapse now requires entries in the
@ -907,6 +1058,48 @@
re-enabled it. re-enabled it.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Nextcloud has been updated to version
<emphasis role="strong">25</emphasis>. Additionally the
following things have changed for Nextcloud in NixOS:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
For Nextcloud <emphasis role="strong">&gt;=24</emphasis>,
the default PHP version is 8.1.
</para>
</listitem>
<listitem>
<para>
Nextcloud <emphasis role="strong">23</emphasis> has been
removed since it will reach its
<link xlink:href="https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/d76576a12a626d53305d480a6065b57cab705d3d">end
of life in December 2022</link>.
</para>
</listitem>
<listitem>
<para>
For <literal>system.stateVersion</literal> being
<emphasis role="strong">&gt;=22.11</emphasis>, Nextcloud
25 will be installed by default. For older versions,
Nextcloud 24 will be installed.
</para>
</listitem>
<listitem>
<para>
Please ensure that you only upgrade on major release at a
time! Nextcloud doesnt support upgrades across multiple
versions, i.e. an upgrade from
<emphasis role="strong">23</emphasis> to
<emphasis role="strong">25</emphasis> is only possible
when upgrading to <emphasis role="strong">24</emphasis>
first.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem> <listitem>
<para> <para>
Add udev rules for the Teensy family of microcontrollers. Add udev rules for the Teensy family of microcontrollers.
@ -949,6 +1142,18 @@
<literal>services.wordpress.sites.&lt;site&gt;.languages</literal>. <literal>services.wordpress.sites.&lt;site&gt;.languages</literal>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The default package for
<literal>services.mullvad-vpn.package</literal> was changed to
<literal>pkgs.mullvad</literal>, allowing cross-platform usage
of Mullvad. <literal>pkgs.mullvad</literal> only contains the
Mullvad CLI tool, so users who rely on the Mullvad GUI will
want to change it back to <literal>pkgs.mullvad-vpn</literal>,
or add <literal>pkgs.mullvad-vpn</literal> to their
environment.
</para>
</listitem>
<listitem> <listitem>
<para> <para>
There is a new module for the <literal>thunar</literal> There is a new module for the <literal>thunar</literal>
@ -1,31 +1,72 @@
# Booting from a USB Drive {#sec-booting-from-usb} # Booting from a USB flash drive {#sec-booting-from-usb}
For systems without CD drive, the NixOS live CD can be booted from a USB The image has to be written verbatim to the USB flash drive for it to be
stick. You can use the `dd` utility to write the image: bootable on UEFI and BIOS systems. Here are the recommended tools to do that.
`dd if=path-to-image of=/dev/sdX`. Be careful about specifying the correct
drive; you can use the `lsblk` command to get a list of block devices.
::: {.note} ## Creating bootable USB flash drive with a graphical tool {#sec-booting-from-usb-graphical}
::: {.title}
On macOS Etcher is a popular and user-friendly tool. It works on Linux, Windows and macOS.
Download it from [balena.io](https://www.balena.io/etcher/), start the program,
select the downloaded NixOS ISO, then select the USB flash drive and flash it.
::: {.warning}
Etcher reports errors and usage statistics by default, which can be disabled in
the settings.
::: :::
An alternative is [USBImager](https://bztsrc.gitlab.io/usbimager),
which is very simple and does not connect to the internet. Download the version
with write-only (wo) interface for your system. Start the program,
select the image, select the USB flash drive and click "Write".
## Creating bootable USB flash drive from a Terminal on Linux {#sec-booting-from-usb-linux}
1. Plug in the USB flash drive.
2. Find the corresponding device with `lsblk`. You can distinguish them by
their size.
3. Make sure all partitions on the device are properly unmounted. Replace `sdX`
with your device (e.g. `sdb`).
```ShellSession ```ShellSession
$ diskutil list sudo umount /dev/sdX*
[..]
/dev/diskN (external, physical):
#: TYPE NAME SIZE IDENTIFIER
[..]
$ diskutil unmountDisk diskN
Unmount of all volumes on diskN was successful
$ sudo dd if=nix.iso of=/dev/rdiskN bs=1M
``` ```
Using the \'raw\' `rdiskN` device instead of `diskN` completes in 4. Then use the `dd` utility to write the image to the USB flash drive.
minutes instead of hours. After `dd` completes, a GUI dialog \"The disk
```ShellSession
sudo dd if=<path-to-image> of=/dev/sdX bs=4M conv=fsync
```
## Creating bootable USB flash drive from a Terminal on macOS {#sec-booting-from-usb-macos}
1. Plug in the USB flash drive.
2. Find the corresponding device with `diskutil list`. You can distinguish them
by their size.
3. Make sure all partitions on the device are properly unmounted. Replace `diskX`
with your device (e.g. `disk1`).
```ShellSession
diskutil unmountDisk diskX
```
4. Then use the `dd` utility to write the image to the USB flash drive.
```ShellSession
sudo dd if=<path-to-image> of=/dev/rdiskX bs=4m
```
After `dd` completes, a GUI dialog \"The disk
you inserted was not readable by this computer\" will pop up, which can you inserted was not readable by this computer\" will pop up, which can
be ignored. be ignored.
::: {.note}
Using the \'raw\' `rdiskX` device instead of `diskX` with dd completes in
minutes instead of hours.
::: :::
The `dd` utility will write the image verbatim to the drive, making it 5. Eject the disk when it is finished.
the recommended option for both UEFI and non-UEFI installations.
```ShellSession
diskutil eject /dev/diskX
```
@ -1,30 +1,143 @@
# Installing NixOS {#sec-installation} # Installing NixOS {#sec-installation}
## Booting the system {#sec-installation-booting} ## Booting from the install medium {#sec-installation-booting}
To begin the installation, you have to boot your computer from the install drive.
1. Plug in the install drive. Then turn on or restart your computer.
2. Open the boot menu by pressing the appropriate key, which is usually shown
on the display on early boot.
Select the USB flash drive (the option usually contains the word "USB").
If you choose the incorrect drive, your computer will likely continue to
boot as normal. In that case restart your computer and pick a
different drive.
::: {.note}
The key to open the boot menu is different across computer brands and even
models. It can be <kbd>F12</kbd>, but also <kbd>F1</kbd>,
<kbd>F9</kbd>, <kbd>F10</kbd>, <kbd>Enter</kbd>, <kbd>Del</kbd>,
<kbd>Esc</kbd> or another function key. If you are unsure and don't see
it on the early boot screen, you can search online for your computers
brand, model followed by "boot from usb".
The computer might not even have that feature, so you have to go into the
BIOS/UEFI settings to change the boot order. Again, search online for
details about your specific computer model.
For Apple computers with Intel processors press and hold the <kbd></kbd>
(Option or Alt) key until you see the boot menu. On Apple silicon press
and hold the power button.
:::
::: {.note}
If your computer supports both BIOS and UEFI boot, choose the UEFI option.
:::
::: {.note}
If you use a CD for the installation, the computer will probably boot from
it automatically. If not, choose the option containing the word "CD" from
the boot menu.
:::
3. Shortly after selecting the appropriate boot drive, you should be
presented with a menu with different installer options. Leave the default
and wait (or press <kbd>Enter</kbd> to speed up).
4. The graphical images will start their corresponding desktop environment
and the graphical installer, which can take some time. The minimal images
will boot to a command line. You have to follow the instructions in
[](#sec-installation-manual) there.
## Graphical Installation {#sec-installation-graphical}
The graphical installer is recommended for desktop users and will guide you
through the installation.
1. In the "Welcome" screen, you can select the language of the Installer and
the installed system.
::: {.tip}
Leaving the language as "American English" will make it easier to search for
error messages in a search engine or to report an issue.
:::
2. Next you should choose your location to have the timezone set correctly.
You can actually click on the map!
::: {.note}
The installer will use an online service to guess your location based on
your public IP address.
:::
3. Then you can select the keyboard layout. The default keyboard model should
work well with most desktop keyboards. If you have a special keyboard or
notebook, your model might be in the list. Select the language you are most
comfortable typing in.
4. On the "Users" screen, you have to type in your display name, login name
and password. You can also enable an option to automatically login to the
desktop.
5. Then you have the option to choose a desktop environment. If you want to
create a custom setup with a window manager, you can select "No desktop".
::: {.tip}
If you don't have a favorite desktop and don't know which one to choose,
you can stick to either GNOME or Plasma. They have a quite different
design, so you should choose whichever you like better.
They are both popular choices and well tested on NixOS.
:::
6. You have the option to allow unfree software in the next screen.
7. The easiest option in the "Partitioning" screen is "Erase disk", which will
delete all data from the selected disk and install the system on it.
Also select "Swap (with Hibernation)" in the dropdown below it.
You have the option to encrypt the whole disk with LUKS.
::: {.note}
At the top left you see if the Installer was booted with BIOS or UEFI. If
you know your system supports UEFI and it shows "BIOS", reboot with the
correct option.
:::
::: {.warning}
Make sure you have selected the correct disk at the top and that no
valuable data is still on the disk! It will be deleted when
formatting the disk.
:::
8. Check the choices you made in the "Summary" and click "Install".
::: {.note}
The installation takes about 15 minutes. The time varies based on the
selected desktop environment, internet connection speed and disk write speed.
:::
9. When the install is complete, remove the USB flash drive and
reboot into your new system!
## Manual Installation {#sec-installation-manual}
NixOS can be installed on BIOS or UEFI systems. The procedure for a UEFI NixOS can be installed on BIOS or UEFI systems. The procedure for a UEFI
installation is by and large the same as a BIOS installation. The installation is broadly the same as for a BIOS installation. The differences
differences are mentioned in the steps that follow. are mentioned in the following steps.
The installation media can be burned to a CD, or now more commonly, The NixOS manual is available by running `nixos-help` in the command line
"burned" to a USB drive (see [](#sec-booting-from-usb)). or from the application menu in the desktop environment.
The installation media contains a basic NixOS installation. When it's To have access to the command line on the graphical images, open
finished booting, it should have detected most of your hardware. Terminal (GNOME) or Konsole (Plasma) from the application menu.
The NixOS manual is available by running `nixos-help`.
You are logged-in automatically as `nixos`. The `nixos` user account has You are logged-in automatically as `nixos`. The `nixos` user account has
an empty password so you can use `sudo` without a password: an empty password so you can use `sudo` without a password:
```ShellSession ```ShellSession
$ sudo -i $ sudo -i
``` ```
If you downloaded the graphical ISO image, you can run `systemctl You can use `loadkeys` to switch to your preferred keyboard layout.
start display-manager` to start the desktop environment. If you want (We even provide neo2 via `loadkeys de neo`!)
to continue on the terminal, you can use `loadkeys` to switch to your
preferred keyboard layout. (We even provide neo2 via `loadkeys de
neo`!)
If the text is too small to be legible, try `setfont ter-v32n` to If the text is too small to be legible, try `setfont ter-v32n` to
increase the font size. increase the font size.
@ -33,7 +146,8 @@ To install over a serial port connect with `115200n8` (e.g.
`picocom -b 115200 /dev/ttyUSB0`). When the bootloader lists boot `picocom -b 115200 /dev/ttyUSB0`). When the bootloader lists boot
entries, select the serial console boot entry. entries, select the serial console boot entry.
### Networking in the installer {#sec-installation-booting-networking} ### Networking in the installer {#sec-installation-manual-networking}
[]{#sec-installation-booting-networking} <!-- legacy anchor -->
The boot process should have brought up networking (check `ip The boot process should have brought up networking (check `ip
a`). Networking is necessary for the installer, since it will a`). Networking is necessary for the installer, since it will
@ -100,7 +214,8 @@ placed by mounting the image on a different machine). Alternatively you
must set a password for either `root` or `nixos` with `passwd` to be must set a password for either `root` or `nixos` with `passwd` to be
able to login. able to login.
## Partitioning and formatting {#sec-installation-partitioning} ### Partitioning and formatting {#sec-installation-manual-partitioning}
[]{#sec-installation-partitioning} <!-- legacy anchor -->
The NixOS installer doesn't do any partitioning or formatting, so you The NixOS installer doesn't do any partitioning or formatting, so you
need to do that yourself. need to do that yourself.
@ -112,7 +227,8 @@ below use `parted`, but also provides `fdisk`, `gdisk`, `cfdisk`, and
The recommended partition scheme differs depending if the computer uses The recommended partition scheme differs depending if the computer uses
*Legacy Boot* or *UEFI*. *Legacy Boot* or *UEFI*.
### UEFI (GPT) {#sec-installation-partitioning-UEFI} #### UEFI (GPT) {#sec-installation-manual-partitioning-UEFI}
[]{#sec-installation-partitioning-UEFI} <!-- legacy anchor -->
Here\'s an example partition scheme for UEFI, using `/dev/sda` as the Here\'s an example partition scheme for UEFI, using `/dev/sda` as the
device. device.
@ -158,9 +274,10 @@ update /etc/fstab.
``` ```
Once complete, you can follow with Once complete, you can follow with
[](#sec-installation-partitioning-formatting). [](#sec-installation-manual-partitioning-formatting).
### Legacy Boot (MBR) {#sec-installation-partitioning-MBR} #### Legacy Boot (MBR) {#sec-installation-manual-partitioning-MBR}
[]{#sec-installation-partitioning-MBR} <!-- legacy anchor -->
Here\'s an example partition scheme for Legacy Boot, using `/dev/sda` as Here\'s an example partition scheme for Legacy Boot, using `/dev/sda` as
the device. the device.
@ -202,9 +319,10 @@ update /etc/fstab.
::: :::
Once complete, you can follow with Once complete, you can follow with
[](#sec-installation-partitioning-formatting). [](#sec-installation-manual-partitioning-formatting).
### Formatting {#sec-installation-partitioning-formatting} #### Formatting {#sec-installation-manual-partitioning-formatting}
[]{#sec-installation-partitioning-formatting} <!-- legacy anchor -->
Use the following commands: Use the following commands:
@ -239,7 +357,8 @@ Use the following commands:
- For creating software RAID devices, use `mdadm`. - For creating software RAID devices, use `mdadm`.
## Installing {#sec-installation-installing} ### Installing {#sec-installation-manual-installing}
[]{#sec-installation-installing} <!-- legacy anchor -->
1. Mount the target file system on which NixOS should be installed on 1. Mount the target file system on which NixOS should be installed on
`/mnt`, e.g. `/mnt`, e.g.
@ -410,7 +529,8 @@ Use the following commands:
You may also want to install some software. This will be covered in You may also want to install some software. This will be covered in
[](#sec-package-management). [](#sec-package-management).
## Installation summary {#sec-installation-summary} ### Installation summary {#sec-installation-manual-summary}
[]{#sec-installation-summary} <!-- legacy anchor -->
To summarise, [Example: Commands for Installing NixOS on `/dev/sda`](#ex-install-sequence) To summarise, [Example: Commands for Installing NixOS on `/dev/sda`](#ex-install-sequence)
shows a typical sequence of commands for installing NixOS on an empty hard shows a typical sequence of commands for installing NixOS on an empty hard
@ -1,24 +1,21 @@
# Obtaining NixOS {#sec-obtaining} # Obtaining NixOS {#sec-obtaining}
NixOS ISO images can be downloaded from the [NixOS download NixOS ISO images can be downloaded from the [NixOS download
page](https://nixos.org/nixos/download.html). There are a number of page](https://nixos.org/download.html#nixos-iso). Follow the instructions in
installation options. If you happen to have an optical drive and a spare [](#sec-booting-from-usb) to create a bootable USB flash drive.
CD, burning the image to CD and booting from that is probably the
easiest option. Most people will need to prepare a USB stick to boot If you have a very old system that can't boot from USB, you can burn the image
from. [](#sec-booting-from-usb) describes the preferred method to to an empty CD. NixOS might not work very well on such systems.
prepare a USB stick. A number of alternative methods are presented in
the [NixOS Wiki](https://nixos.wiki/wiki/NixOS_Installation_Guide#Making_the_installation_media).
As an alternative to installing NixOS yourself, you can get a running As an alternative to installing NixOS yourself, you can get a running
NixOS system through several other means: NixOS system through several other means:
- Using virtual appliances in Open Virtualization Format (OVF) that - Using virtual appliances in Open Virtualization Format (OVF) that
can be imported into VirtualBox. These are available from the [NixOS can be imported into VirtualBox. These are available from the [NixOS
download page](https://nixos.org/nixos/download.html). download page](https://nixos.org/download.html#nixos-virtualbox).
- Using AMIs for Amazon's EC2. To find one for your region and - Using AMIs for Amazon's EC2. To find one for your region, please refer
instance type, please refer to the [list of most recent to the [download page](https://nixos.org/download.html#nixos-amazon).
AMIs](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/ec2-amis.nix).
- Using NixOps, the NixOS-based cloud deployment tool, which allows - Using NixOps, the NixOS-based cloud deployment tool, which allows
you to provision VirtualBox and EC2 NixOS instances from declarative you to provision VirtualBox and EC2 NixOS instances from declarative
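--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -19,6 +19,7 @@ pandoc_flags=(
 "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/myst-reader/roles.lua"
 "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/link-unix-man-references.lua"
 "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/rst-roles.lua"
+"--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/html-elements.lua"
 "--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/labelless-link-is-xref.lua"
 -f "commonmark${pandoc_commonmark_enabled_extensions}+smart"
 -t docbook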
@ -20,16 +20,6 @@ In addition to numerous new and upgraded packages, this release has the followin
built for `stdenv.hostPlatform` (i.e. produced by `stdenv.cc`) by evaluating built for `stdenv.hostPlatform` (i.e. produced by `stdenv.cc`) by evaluating
`stdenv.buildPlatform.canExecute stdenv.hostPlatform`. `stdenv.buildPlatform.canExecute stdenv.hostPlatform`.
- The `polymc` package has been removed due to a rogue maintainer. It has been
replaced by `prismlauncher`, a fork by the rest of the maintainers. For more
details, see [the pull request that made this
change](https://github.com/NixOS/nixpkgs/pull/196624) and [this issue
detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460).
Users with existing installations should rename `~/.local/share/polymc` to
`~/.local/share/PrismLauncher`. The main config file's path has also moved
from `~/.local/share/polymc/polymc.cfg` to
`~/.local/share/PrismLauncher/prismlauncher.cfg`.
- The `nixpkgs.hostPlatform` and `nixpkgs.buildPlatform` options have been added. - The `nixpkgs.hostPlatform` and `nixpkgs.buildPlatform` options have been added.
These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options. These cover and override the `nixpkgs.{system,localSystem,crossSystem}` options.
@ -65,6 +55,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default. - Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default.
- Improved performances of `lib.closePropagation` which was previously quadratic. This is used in e.g. `ghcWithPackages`. Please see backward incompatibilities notes below.
- Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to - Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to
blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream. blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream.
@ -116,6 +108,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable). - [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable).
- [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable).
- [netbird](https://netbird.io), a zero configuration VPN. - [netbird](https://netbird.io), a zero configuration VPN.
Available as [services.netbird](options.html#opt-services.netbird.enable). Available as [services.netbird](options.html#opt-services.netbird.enable).
@ -146,6 +140,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable). - [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable).
- [Uptime Kuma](https://uptime.kuma.pet/), a fancy self-hosted monitoring tool. Available as [services.uptime-kuma](#opt-services.uptime-kuma.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Backward Incompatibilities {#sec-release-22.11-incompatibilities} ## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
@ -172,6 +168,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `fetchgit` fetcher now uses [cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalscone_mode_handling) by default for sparse checkouts. [Non-cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalsnon_cone_problems) can be enabled by passing `nonConeMode = true`, but note that non-cone mode is deprecated and this option may be removed alongside a future Git update without notice. - The `fetchgit` fetcher now uses [cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalscone_mode_handling) by default for sparse checkouts. [Non-cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalsnon_cone_problems) can be enabled by passing `nonConeMode = true`, but note that non-cone mode is deprecated and this option may be removed alongside a future Git update without notice.
- `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins
- `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`. - `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`.
- The Barco ClickShare driver/client package `pkgs.clickshare-csc1` and the option `programs.clickshare-csc1.enable` have been removed, - The Barco ClickShare driver/client package `pkgs.clickshare-csc1` and the option `programs.clickshare-csc1.enable` have been removed,
@ -192,6 +190,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- PHP 7.4 is no longer supported due to upstream not supporting this - PHP 7.4 is no longer supported due to upstream not supporting this
version for the entire lifecycle of the 22.11 release. version for the entire lifecycle of the 22.11 release.
- The ipfs package and module were renamed to kubo. The kubo module now uses an RFC42-style `settings` option instead of `extraConfig` and the `gatewayAddress`, `apiAddress` and `swarmAddress` options were renamed. Using the old names will print a warning but still work.
- `pkgs.cosign` does not provide the `cosigned` binary anymore. The `sget` binary has been moved into its own package. - `pkgs.cosign` does not provide the `cosigned` binary anymore. The `sget` binary has been moved into its own package.
- Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues. - Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
@ -205,11 +205,15 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- `teleport` has been upgraded to major version 10. Please see upstream [upgrade instructions](https://goteleport.com/docs/ver/10.0/management/operations/upgrading/) and [release notes](https://goteleport.com/docs/ver/10.0/changelog/#1000). - `teleport` has been upgraded to major version 10. Please see upstream [upgrade instructions](https://goteleport.com/docs/ver/10.0/management/operations/upgrading/) and [release notes](https://goteleport.com/docs/ver/10.0/changelog/#1000).
- `lib.closePropagation` now needs that all gathered sets have an `outPath` attribute.
- lemmy module option `services.lemmy.settings.database.createLocally` - lemmy module option `services.lemmy.settings.database.createLocally`
moved to `services.lemmy.database.createLocally`. moved to `services.lemmy.database.createLocally`.
- virtlyst package and `services.virtlyst` module removed, due to lack of maintainers. - virtlyst package and `services.virtlyst` module removed, due to lack of maintainers.
- The `nix.checkConfig` option now fully disables the config check. The new `nix.checkAllErrors` option behaves like `nix.checkConfig` previously did.
- `generateOptparseApplicativeCompletions` and `generateOptparseApplicativeCompletion` from `haskell.lib.compose` - `generateOptparseApplicativeCompletions` and `generateOptparseApplicativeCompletion` from `haskell.lib.compose`
(and `haskell.lib`) have been deprecated in favor of `generateOptparseApplicativeCompletions` (plural!) as (and `haskell.lib`) have been deprecated in favor of `generateOptparseApplicativeCompletions` (plural!) as
provided by the haskell package sets (so `haskellPackages.generateOptparseApplicativeCompletions` etc.). provided by the haskell package sets (so `haskellPackages.generateOptparseApplicativeCompletions` etc.).
@ -242,10 +246,15 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
Use `configure.packages` instead. Use `configure.packages` instead.
- Neovim can not be configured with plug anymore (still works for vim). - Neovim can not be configured with plug anymore (still works for vim).
- The `adguardhome` module no longer uses `host` and `port` options, use `settings.bind_host` and `settings.bind_port` instead.
- The default `kops` version is now 1.25.1 and support for 1.22 and older has been dropped. - The default `kops` version is now 1.25.1 and support for 1.22 and older has been dropped.
- `k3s` no longer supports docker as runtime due to upstream dropping support. - `k3s` no longer supports docker as runtime due to upstream dropping support.
- `mysql57` has been removed. Please update to `mysql80` or `mariadb`. See the [upgrade guide](https://mariadb.com/kb/en/upgrading-from-mysql-to-mariadb/) for more information.
- Consequently, `cqrlog` and `amorok` now use `mariadb` instead of `mysql57` for their embedded databases. Running `mysql_upgrade` may be neccesary.
- `k3s` supports `clusterInit` option, and it is enabled by default, for servers. - `k3s` supports `clusterInit` option, and it is enabled by default, for servers.
- `stylua` no longer accepts `lua52Support` and `luauSupport` overrides, use `features` instead, which defaults to `[ "lua54" "luau" ]`. - `stylua` no longer accepts `lua52Support` and `luauSupport` overrides, use `features` instead, which defaults to `[ "lua54" "luau" ]`.
@ -264,14 +273,38 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`. - A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
- ZFS module will not allow hibernation by default, this is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842). Use the `boot.zfs.allowHibernation` option to configure this behaviour.
- The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default. - The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default.
- Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance. - Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance.
- The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark. - The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark.
- The option `overrideStrategy` was added to the different systemd unit options (`systemd.services.<name>`, `systemd.sockets.<name>`, …) to allow enforcing the creation of a dropin file, rather than the main unit file, by setting it to `asDropin`.
This is useful in cases where the existence of the main unit file is not known to Nix at evaluation time, for example when the main unit file is provided by adding a package to `systemd.packages`.
See the fix proposed in [NixOS's systemd abstraction doesn't work with systemd template units](https://github.com/NixOS/nixpkgs/issues/135557#issuecomment-1295392470) for an example.
- The `polymc` package has been removed due to a rogue maintainer. It has been
replaced by `prismlauncher`, a fork by the rest of the maintainers. For more
details, see [the pull request that made this
change](https://github.com/NixOS/nixpkgs/pull/196624) and [this issue
detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460).
Users with existing installations should rename `~/.local/share/polymc` to
`~/.local/share/PrismLauncher`. The main config file's path has also moved
from `~/.local/share/polymc/polymc.cfg` to
`~/.local/share/PrismLauncher/prismlauncher.cfg`.
- The `bloat` package has been updated from unstable-2022-03-31 to unstable-2022-10-25, which brings a breaking change. See [this upstream commit message](https://git.freesoftwareextremist.com/bloat/commit/?id=887ed241d64ba5db3fd3d87194fb5595e5ad7d73) for details.
- The `services.matrix-synapse` systemd unit has been hardened. - The `services.matrix-synapse` systemd unit has been hardened.
- The `services.grafana` options were converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.
- The `services.grafana.provision.datasources` and `services.grafana.provision.dashboards` options were converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration. They also now support specifying the provisioning YAML file with `path` option.
- The `services.grafana.provision.alerting` option was added. It includes suboptions for every alerting-related objects (with the exception of `notifiers`), which means it's now possible to configure modern Grafana alerting declaratively.
- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation. - Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
- The `diamond` package has been update from 0.8.36 to 2.0.15. See the [upstream release notes](https://github.com/bbuchfink/diamond/releases) for more details. - The `diamond` package has been update from 0.8.36 to 2.0.15. See the [upstream release notes](https://github.com/bbuchfink/diamond/releases) for more details.
@ -290,6 +323,16 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The udisks2 service, available at `services.udisks2.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed. - The udisks2 service, available at `services.udisks2.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.
This also means that polkit will now actually be disabled by default. The default for `security.polkit.enable` was already flipped in the previous release, but udisks2 being enabled by default re-enabled it. This also means that polkit will now actually be disabled by default. The default for `security.polkit.enable` was already flipped in the previous release, but udisks2 being enabled by default re-enabled it.
- Nextcloud has been updated to version **25**. Additionally the following things have changed
for Nextcloud in NixOS:
- For Nextcloud **>=24**, the default PHP version is 8.1.
- Nextcloud **23** has been removed since it will reach its [end of life in December 2022](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/d76576a12a626d53305d480a6065b57cab705d3d).
- For `system.stateVersion` being **>=22.11**, Nextcloud 25 will be installed by default. For older versions,
Nextcloud 24 will be installed.
- Please ensure that you only upgrade on major release at a time! Nextcloud doesn't support
upgrades across multiple versions, i.e. an upgrade from **23** to **25** is only possible
when upgrading to **24** first.
- Add udev rules for the Teensy family of microcontrollers. - Add udev rules for the Teensy family of microcontrollers.
- systemd-oomd is enabled by default. Depending on which systemd units have - systemd-oomd is enabled by default. Depending on which systemd units have
@ -307,6 +350,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The Wordpress module got support for installing language packs through `services.wordpress.sites.<site>.languages`. - The Wordpress module got support for installing language packs through `services.wordpress.sites.<site>.languages`.
- The default package for `services.mullvad-vpn.package` was changed to `pkgs.mullvad`, allowing cross-platform usage of Mullvad. `pkgs.mullvad` only contains the Mullvad CLI tool, so users who rely on the Mullvad GUI will want to change it back to `pkgs.mullvad-vpn`, or add `pkgs.mullvad-vpn` to their environment.
- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed. - There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed.
- There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service. - There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service.


@ -122,10 +122,14 @@ in rec {
optionsJSON = pkgs.runCommand "options.json" optionsJSON = pkgs.runCommand "options.json"
{ meta.description = "List of NixOS options in JSON format"; { meta.description = "List of NixOS options in JSON format";
buildInputs = [ nativeBuildInputs = [
pkgs.brotli pkgs.brotli
(let (let
self = (pkgs.python3Minimal.override { # python3Minimal can't be overridden with packages on Darwin, due to a missing framework.
# Instead of modifying stdenv, we take the easy way out, since most people on Darwin will
# just be hacking on the Nixpkgs manual (which also uses make-options-doc).
python = if pkgs.stdenv.isDarwin then pkgs.python3 else pkgs.python3Minimal;
self = (python.override {
inherit self; inherit self;
includeSiteCustomize = true; includeSiteCustomize = true;
}); });


@ -187,11 +187,14 @@ in rec {
done done
done done
# Symlink all units defined by systemd.units. If these are also # Symlink units defined by systemd.units where override strategy
# provided by systemd or systemd.packages, then add them as # shall be automatically detected. If these are also provided by
# systemd or systemd.packages, then add them as
# <unit-name>.d/overrides.conf, which makes them extend the # <unit-name>.d/overrides.conf, which makes them extend the
# upstream unit. # upstream unit.
for i in ${toString (mapAttrsToList (n: v: v.unit) units)}; do for i in ${toString (mapAttrsToList
(n: v: v.unit)
(lib.filterAttrs (n: v: (attrByPath [ "overrideStrategy" ] "asDropinIfExists" v) == "asDropinIfExists") units))}; do
fn=$(basename $i/*) fn=$(basename $i/*)
if [ -e $out/$fn ]; then if [ -e $out/$fn ]; then
if [ "$(readlink -f $i/$fn)" = /dev/null ]; then if [ "$(readlink -f $i/$fn)" = /dev/null ]; then
@ -210,11 +213,21 @@ in rec {
fi fi
done done
# Symlink units defined by systemd.units which shall be
# treated as drop-in file.
for i in ${toString (mapAttrsToList
(n: v: v.unit)
(lib.filterAttrs (n: v: v ? overrideStrategy && v.overrideStrategy == "asDropin") units))}; do
fn=$(basename $i/*)
mkdir -p $out/$fn.d
ln -s $i/$fn $out/$fn.d/overrides.conf
done
# Create service aliases from aliases option. # Create service aliases from aliases option.
${concatStrings (mapAttrsToList (name: unit: ${concatStrings (mapAttrsToList (name: unit:
concatMapStrings (name2: '' concatMapStrings (name2: ''
ln -sfn '${name}' $out/'${name2}' ln -sfn '${name}' $out/'${name2}'
'') unit.aliases) units)} '') (unit.aliases or [])) units)}
# Create .wants and .requires symlinks from the wantedBy and # Create .wants and .requires symlinks from the wantedBy and
# requiredBy options. # requiredBy options.
@ -222,13 +235,13 @@ in rec {
concatMapStrings (name2: '' concatMapStrings (name2: ''
mkdir -p $out/'${name2}.wants' mkdir -p $out/'${name2}.wants'
ln -sfn '../${name}' $out/'${name2}.wants'/ ln -sfn '../${name}' $out/'${name2}.wants'/
'') unit.wantedBy) units)} '') (unit.wantedBy or [])) units)}
${concatStrings (mapAttrsToList (name: unit: ${concatStrings (mapAttrsToList (name: unit:
concatMapStrings (name2: '' concatMapStrings (name2: ''
mkdir -p $out/'${name2}.requires' mkdir -p $out/'${name2}.requires'
ln -sfn '../${name}' $out/'${name2}.requires'/ ln -sfn '../${name}' $out/'${name2}.requires'/
'') unit.requiredBy) units)} '') (unit.requiredBy or [])) units)}
${optionalString (type == "system") '' ${optionalString (type == "system") ''
# Stupid misc. symlinks. # Stupid misc. symlinks.
@ -340,7 +353,7 @@ in rec {
''; '';
targetToUnit = name: def: targetToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable; { inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = text =
'' ''
[Unit] [Unit]
@ -349,7 +362,7 @@ in rec {
}; };
serviceToUnit = name: def: serviceToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable; { inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def + text = commonUnitText def +
'' ''
[Service] [Service]
@ -371,7 +384,7 @@ in rec {
}; };
socketToUnit = name: def: socketToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable; { inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def + text = commonUnitText def +
'' ''
[Socket] [Socket]
@ -382,7 +395,7 @@ in rec {
}; };
timerToUnit = name: def: timerToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable; { inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def + text = commonUnitText def +
'' ''
[Timer] [Timer]
@ -391,7 +404,7 @@ in rec {
}; };
pathToUnit = name: def: pathToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable; { inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def + text = commonUnitText def +
'' ''
[Path] [Path]
@ -400,7 +413,7 @@ in rec {
}; };
mountToUnit = name: def: mountToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable; { inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def + text = commonUnitText def +
'' ''
[Mount] [Mount]
@ -409,7 +422,7 @@ in rec {
}; };
automountToUnit = name: def: automountToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable; { inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def + text = commonUnitText def +
'' ''
[Automount] [Automount]
@ -418,7 +431,7 @@ in rec {
}; };
sliceToUnit = name: def: sliceToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable; { inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def + text = commonUnitText def +
'' ''
[Slice] [Slice]
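Review bot: The new `asDropin` loop (hunk `@ -210,11 +213,21`) installs `overrides.conf` with a bare `ln -s` and skips the `/dev/null` check that the `asDropinIfExists` loop performs at `if [ "$(readlink -f $i/$fn)" = /dev/null ]`; if a disabled unit is represented by a `/dev/null` link, as the first loop assumes, an `asDropin` unit with `enable = false` would end up with `overrides.conf -> /dev/null` rather than being masked, which should either be handled or stated in a comment. The two filters also spell the same default differently — `attrByPath [ "overrideStrategy" ] "asDropinIfExists" v` in the first loop and `v ? overrideStrategy && v.overrideStrategy == "asDropin"` in the second; `(v.overrideStrategy or "asDropinIfExists") == "asDropin"` expresses the second with the same idiom as the first. The unquoted glob in `fn=$(basename $i/*)` is copied into the new loop, so a unit directory holding more than one file would pass two operands to `basename` and silently produce the wrong name.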


@ -48,6 +48,22 @@ in rec {
''; '';
}; };
overrideStrategy = mkOption {
default = "asDropinIfExists";
type = types.enum [ "asDropinIfExists" "asDropin" ];
description = lib.mdDoc ''
Defines how unit configuration is provided for systemd:
`asDropinIfExists` creates a unit file when no unit file is provided by the package
otherwise a drop-in file name `overrides.conf`.
`asDropin` creates a drop-in file named `overrides.conf`.
Mainly needed to define instances for systemd template units (e.g. `systemd-nspawn@mycontainer.service`).
See also systemd.unit(1).
'';
};
requiredBy = mkOption { requiredBy = mkOption {
default = []; default = [];
type = types.listOf unitNameType; type = types.listOf unitNameType;
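Review bot: The `overrideStrategy` description has wording and reference defects: `otherwise a drop-in file name `overrides.conf`` should read `otherwise a drop-in file named `overrides.conf``, the `asDropinIfExists` sentence has no terminating period before the `asDropin` one begins, and the unit-file manual page is `systemd.unit(5)`, not `systemd.unit(1)`. It would also help to say plainly when a user should pick `asDropin`, e.g. `Use `asDropin` when the main unit file is supplied by a package in `systemd.packages` or is a template instance that Nix cannot see at evaluation time.`, since the current text only hints at this via the `systemd-nspawn@mycontainer.service` example. The enclosing `mkOption` set continues outside this hunk.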


@ -697,7 +697,7 @@ in {
value = "[a-zA-Z0-9/+.-]+"; value = "[a-zA-Z0-9/+.-]+";
options = "${id}(=${value})?(,${id}=${value})*"; options = "${id}(=${value})?(,${id}=${value})*";
scheme = "${id}(${sep}${options})?"; scheme = "${id}(${sep}${options})?";
content = "${base64}${sep}${base64}"; content = "${base64}${sep}${base64}(${sep}${base64})?";
mcf = "^${sep}${scheme}${sep}${content}$"; mcf = "^${sep}${scheme}${sep}${content}$";
in in
if (allowsLogin user.hashedPassword if (allowsLogin user.hashedPassword
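Review bot: The relaxed `content` pattern now accepts an optional third `$`-separated base64 field without any comment naming the hash format that requires it, so the next reader cannot tell whether `(${sep}${base64})?` is intentional or a loosening; add a one-line comment above `content = …` such as `# optional third field: <HASH-SCHEME placeholder> stores <purpose> after salt and hash`, naming the concrete crypt scheme this was added for. Because this regex decides whether a `hashedPassword` value is treated as a valid MCF string, a test input with a three-field hash would guard the pattern against drifting again. The `let` block and the `allowsLogin` check that consumes `mcf` extend beyond this hunk.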


@ -261,7 +261,7 @@ in
in optional primeEnabled { in optional primeEnabled {
name = igpuDriver; name = igpuDriver;
display = offloadCfg.enable; display = offloadCfg.enable;
modules = optional (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ]; modules = optionals (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ];
deviceSection = '' deviceSection = ''
BusID "${igpuBusId}" BusID "${igpuBusId}"
${optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''Option "AccelMethod" "none"''} ${optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''Option "AccelMethod" "none"''}


@ -421,7 +421,7 @@ let
echo "Usage size: $usage_size" echo "Usage size: $usage_size"
echo "Image size: $image_size" echo "Image size: $image_size"
truncate --size=$image_size "$out" truncate --size=$image_size "$out"
faketime "2000-01-01 00:00:00" mkfs.vfat -i 12345678 -n EFIBOOT "$out" mkfs.vfat --invariant -i 12345678 -n EFIBOOT "$out"
# Force a fixed order in mcopy for better determinism, and avoid file globbing # Force a fixed order in mcopy for better determinism, and avoid file globbing
for d in $(find EFI -type d | sort); do for d in $(find EFI -type d | sort); do


@ -224,14 +224,25 @@ in
# Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img # Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img
eval $(partx $img -o START,SECTORS --nr 1 --pairs) eval $(partx $img -o START,SECTORS --nr 1 --pairs)
truncate -s $((SECTORS * 512)) firmware_part.img truncate -s $((SECTORS * 512)) firmware_part.img
faketime "1970-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img
mkfs.vfat --invariant -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img
# Populate the files intended for /boot/firmware # Populate the files intended for /boot/firmware
mkdir firmware mkdir firmware
${config.sdImage.populateFirmwareCommands} ${config.sdImage.populateFirmwareCommands}
find firmware -exec touch --date=2000-01-01 {} +
# Copy the populated /boot/firmware into the SD image # Copy the populated /boot/firmware into the SD image
(cd firmware; mcopy -psvm -i ../firmware_part.img ./* ::) cd firmware
# Force a fixed order in mcopy for better determinism, and avoid file globbing
for d in $(find . -type d -mindepth 1 | sort); do
faketime "2000-01-01 00:00:00" mmd -i ../firmware_part.img "::/$d"
done
for f in $(find . -type f | sort); do
mcopy -pvm -i ../firmware_part.img "$f" "::/$f"
done
cd ..
# Verify the FAT partition before copying it. # Verify the FAT partition before copying it.
fsck.vfat -vn firmware_part.img fsck.vfat -vn firmware_part.img
dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS
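Review bot: `find . -type d -mindepth 1` places the global option `-mindepth` after a test, which GNU find accepts but reports with a warning on stderr; write `for d in $(find . -mindepth 1 -type d | sort); do`. Both new `for … in $(find …)` loops word-split on whitespace, so a firmware file with a space in its name coming from `populateFirmwareCommands` would be split into several `mcopy` operands and the build would fail; a `while IFS= read -r f; do … done < <(find . -type f | sort)` loop avoids that, although the isoImage section above keeps the same `for d in $(find EFI -type d | sort)` form, so both would want the same treatment. `faketime` is applied to `mmd` but not to `mcopy`; that appears deliberate given the preceding `find firmware -exec touch --date=2000-01-01 {} +` together with `mcopy -p`, but a one-line comment saying so would save the next reader the question.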


@ -56,6 +56,7 @@ let
) )
pkgSet; pkgSet;
in scrubbedEval.options; in scrubbedEval.options;
baseOptionsJSON = baseOptionsJSON =
let let
filter = filter =
@ -67,9 +68,9 @@ let
); );
in in
pkgs.runCommand "lazy-options.json" { pkgs.runCommand "lazy-options.json" {
libPath = filter "${toString pkgs.path}/lib"; libPath = filter (pkgs.path + "/lib");
pkgsLibPath = filter "${toString pkgs.path}/pkgs/pkgs-lib"; pkgsLibPath = filter (pkgs.path + "/pkgs/pkgs-lib");
nixosPath = filter "${toString pkgs.path}/nixos"; nixosPath = filter (pkgs.path + "/nixos");
modules = map (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy; modules = map (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy;
} '' } ''
export NIX_STORE_DIR=$TMPDIR/store export NIX_STORE_DIR=$TMPDIR/store
@ -99,6 +100,7 @@ let
exit 1 exit 1
} >&2 } >&2
''; '';
inherit (cfg.nixos.options) warningsAreErrors allowDocBook; inherit (cfg.nixos.options) warningsAreErrors allowDocBook;
}; };


@ -358,7 +358,7 @@ in
else "nixpkgs.localSystem"; else "nixpkgs.localSystem";
pkgsSystem = finalPkgs.stdenv.targetPlatform.system; pkgsSystem = finalPkgs.stdenv.targetPlatform.system;
in { in {
assertion = !hasPlatform -> nixosExpectedSystem == pkgsSystem; assertion = constructedByMe -> !hasPlatform -> nixosExpectedSystem == pkgsSystem;
message = "The NixOS nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but NixOS was configured for system ${nixosExpectedSystem} via NixOS option ${nixosOption}. The NixOS system settings must match the Nixpkgs target system."; message = "The NixOS nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but NixOS was configured for system ${nixosExpectedSystem} via NixOS option ${nixosOption}. The NixOS system settings must match the Nixpkgs target system.";
} }
) )
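Review bot: With the added `constructedByMe ->` guard the assertion is vacuously true whenever `constructedByMe` is false, yet `message` still describes a mismatch caused by `nixpkgs.pkgs` being set to a foreign Nixpkgs invocation; `constructedByMe` is defined outside this hunk, so I cannot tell whether that message is now unreachable or the narrowing is intentional. A comment above `assertion =` stating which case is skipped and why, e.g. `# Skipped when pkgs was supplied by the user via nixpkgs.pkgs: <reason>`, would resolve the ambiguity, and the message wording should be revisited if the user-supplied case is indeed no longer checked. The surrounding `let … in` and the assertions list continue beyond this hunk.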


@ -718,6 +718,7 @@
./services/monitoring/ups.nix ./services/monitoring/ups.nix
./services/monitoring/uptime.nix ./services/monitoring/uptime.nix
./services/monitoring/vmagent.nix ./services/monitoring/vmagent.nix
./services/monitoring/uptime-kuma.nix
./services/monitoring/vnstat.nix ./services/monitoring/vnstat.nix
./services/monitoring/zabbix-agent.nix ./services/monitoring/zabbix-agent.nix
./services/monitoring/zabbix-proxy.nix ./services/monitoring/zabbix-proxy.nix
@ -978,6 +979,7 @@
./services/video/rtsp-simple-server.nix ./services/video/rtsp-simple-server.nix
./services/networking/uptermd.nix ./services/networking/uptermd.nix
./services/networking/v2ray.nix ./services/networking/v2ray.nix
./services/networking/vdirsyncer.nix
./services/networking/vsftpd.nix ./services/networking/vsftpd.nix
./services/networking/wasabibackend.nix ./services/networking/wasabibackend.nix
./services/networking/websockify.nix ./services/networking/websockify.nix
@ -1145,6 +1147,7 @@
./services/web-servers/caddy/default.nix ./services/web-servers/caddy/default.nix
./services/web-servers/darkhttpd.nix ./services/web-servers/darkhttpd.nix
./services/web-servers/fcgiwrap.nix ./services/web-servers/fcgiwrap.nix
./services/web-servers/garage.nix
./services/web-servers/hitch/default.nix ./services/web-servers/hitch/default.nix
./services/web-servers/hydron.nix ./services/web-servers/hydron.nix
./services/web-servers/jboss/default.nix ./services/web-servers/jboss/default.nix
@ -1252,6 +1255,7 @@
./system/boot/systemd/user.nix ./system/boot/systemd/user.nix
./system/boot/timesyncd.nix ./system/boot/timesyncd.nix
./system/boot/tmp.nix ./system/boot/tmp.nix
./system/boot/uvesafb.nix
./system/etc/etc-activation.nix ./system/etc/etc-activation.nix
./tasks/auto-upgrade.nix ./tasks/auto-upgrade.nix
./tasks/bcache.nix ./tasks/bcache.nix


@ -13,4 +13,9 @@ with lib;
documentation.nixos.enable = mkDefault false; documentation.nixos.enable = mkDefault false;
programs.command-not-found.enable = mkDefault false; programs.command-not-found.enable = mkDefault false;
xdg.autostart.enable = mkDefault false;
xdg.icons.enable = mkDefault false;
xdg.mime.enable = mkDefault false;
xdg.sounds.enable = mkDefault false;
} }


@ -184,7 +184,7 @@ in
# Tell zsh how to find installed completions. # Tell zsh how to find installed completions.
for p in ''${(z)NIX_PROFILES}; do for p in ''${(z)NIX_PROFILES}; do
fpath+=($p/share/zsh/site-functions $p/share/zsh/$ZSH_VERSION/functions $p/share/zsh/vendor-completions) fpath=($p/share/zsh/site-functions $p/share/zsh/$ZSH_VERSION/functions $p/share/zsh/vendor-completions $fpath)
done done
# Setup custom shell init stuff. # Setup custom shell init stuff.
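Review bot: Switching from `fpath+=(…)` to `fpath=(… $fpath)` inverts precedence — profile-provided completion functions now shadow zsh's bundled ones, and because each iteration prepends, the last entry of `NIX_PROFILES` ends up first in `fpath`. Nothing in the hunk records that this is intended; a comment such as `# Prepend so completions shipped by packages override zsh's bundled ones; later NIX_PROFILES entries take precedence.` above the `for p in` loop would keep the ordering from being "fixed" back. If `NIX_PROFILES` lists per-user profiles after the system ones (its contents are not visible here), a user's own profile then outranks system-wide completions, which is worth stating explicitly.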


@ -26,8 +26,8 @@ let
Type = "oneshot"; Type = "oneshot";
User = user; User = user;
Group = mkDefault "acme"; Group = mkDefault "acme";
UMask = 0022; UMask = "0022";
StateDirectoryMode = 750; StateDirectoryMode = "750";
ProtectSystem = "strict"; ProtectSystem = "strict";
ReadWritePaths = [ ReadWritePaths = [
"/var/lib/acme" "/var/lib/acme"
@ -62,9 +62,9 @@ let
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter = [
# 1. allow a reasonable set of syscalls # 1. allow a reasonable set of syscalls
"@system-service" "@system-service @resources"
# 2. and deny unreasonable ones # 2. and deny unreasonable ones
"~@privileged @resources" "~@privileged"
# 3. then allow the required subset within denied groups # 3. then allow the required subset within denied groups
"@chown" "@chown"
]; ];
@ -85,7 +85,7 @@ let
serviceConfig = commonServiceConfig // { serviceConfig = commonServiceConfig // {
StateDirectory = "acme/.minica"; StateDirectory = "acme/.minica";
BindPaths = "/var/lib/acme/.minica:/tmp/ca"; BindPaths = "/var/lib/acme/.minica:/tmp/ca";
UMask = 0077; UMask = "0077";
}; };
# Working directory will be /tmp # Working directory will be /tmp
@ -243,7 +243,7 @@ let
serviceConfig = commonServiceConfig // { serviceConfig = commonServiceConfig // {
Group = data.group; Group = data.group;
UMask = 0027; UMask = "0027";
StateDirectory = "acme/${cert}"; StateDirectory = "acme/${cert}";
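Review bot: The SystemCallFilter edit in the second hunk moves `@resources` from the denied group to the allowed one with no comment recording why, and the same silent loosening is repeated in the later SystemCallFilter hunks of this commit (the `"~@privileged" "~@resources"` list forms, the geoipupdate unit, the long `"~@clock @cpu-emulation …"` string form and the `DeviceAllow`/`mkOverride` unit). Because every one of these widens a service sandbox, a one-line comment at this first occurrence, e.g. `# @resources is allowed: <reason the syscalls in it are required — placeholder>`, would let a maintainer judge later whether the denial can be restored. The `commonServiceConfig` let-binding this hunk edits starts before the hunk.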


@ -14,6 +14,8 @@ in
security.polkit.enable = mkEnableOption (lib.mdDoc "polkit"); security.polkit.enable = mkEnableOption (lib.mdDoc "polkit");
security.polkit.debug = mkEnableOption (lib.mdDoc "debug logs from polkit. This is required in order to see log messages from rule definitions.");
security.polkit.extraConfig = mkOption { security.polkit.extraConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
@ -21,6 +23,7 @@ in
'' ''
/* Log authorization checks. */ /* Log authorization checks. */
polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) {
// Make sure to set { security.polkit.debug = true; } in configuration.nix
polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid); polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
}); });
@ -58,6 +61,11 @@ in
systemd.packages = [ pkgs.polkit.out ]; systemd.packages = [ pkgs.polkit.out ];
systemd.services.polkit.serviceConfig.ExecStart = [
""
"${pkgs.polkit.out}/lib/polkit-1/polkitd ${optionalString (!cfg.debug) "--no-debug"}"
];
systemd.services.polkit.restartTriggers = [ config.system.path ]; systemd.services.polkit.restartTriggers = [ config.system.path ];
systemd.services.polkit.stopIfChanged = false; systemd.services.polkit.stopIfChanged = false;
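Review bot: The new `security.polkit.debug` option's description does not say what enabling it changes at runtime: the ExecStart override drops `--no-debug`, so polkitd's debug output — including the `polkit.log` lines from rules, which in the example record user, action id and PID for every authorization check — is written to the journal. Suggest extending the description along the lines of `debug logs from polkit. This is required in order to see log messages from rule definitions; it records every authorization check, so leave it off unless needed.` The `[ "" "…" ]` ExecStart form also deserves a comment, e.g. `# the empty first entry clears the upstream ExecStart so it can be replaced`, since the reset semantics are easy to miss.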


@ -62,7 +62,7 @@ in {
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; SystemCallFilter = [ "@system-service" "~@privileged" ];
RestrictRealtime = true; RestrictRealtime = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;


@ -1,72 +1,74 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
inherit (lib) inherit (lib)
concatLists
concatMap
concatMapStringsSep concatMapStringsSep
concatStringsSep concatStringsSep
filterAttrs filterAttrs
flatten
isAttrs isAttrs
isString
literalExpression literalExpression
mapAttrs' mapAttrs'
mapAttrsToList mapAttrsToList
mkIf mkIf
mkOption mkOption
optionalString optionalString
partition sort
typeOf
types types
; ;
# The priority of an option or section.
# The configurations format are order-sensitive. Pairs are added as children of
# the last sections if possible, otherwise, they start a new section.
# We sort them in topological order:
# 1. Leaf pairs.
# 2. Sections that may contain (1).
# 3. Sections that may contain (1) or (2).
# 4. Etc.
prioOf = { name, value }:
if !isAttrs value then 0 # Leaf options.
else {
target = 1; # Contains: options.
subvolume = 2; # Contains: options, target.
volume = 3; # Contains: options, target, subvolume.
}.${name} or (throw "Unknow section '${name}'");
genConfig' = set: concatStringsSep "\n" (genConfig set);
genConfig = set:
let
pairs = mapAttrsToList (name: value: { inherit name value; }) set;
sortedPairs = sort (a: b: prioOf a < prioOf b) pairs;
in
concatMap genPair sortedPairs;
genSection = sec: secName: value:
[ "${sec} ${secName}" ] ++ map (x: " " + x) (genConfig value);
genPair = { name, value }:
if !isAttrs value
then [ "${name} ${value}" ]
else concatLists (mapAttrsToList (genSection name) value);
addDefaults = settings: { backend = "btrfs-progs-sudo"; } // settings;
mkConfigFile = name: settings: pkgs.writeTextFile {
name = "btrbk-${name}.conf";
text = genConfig' (addDefaults settings);
checkPhase = ''
set +e
${pkgs.btrbk}/bin/btrbk -c $out dryrun
# According to btrbk(1), exit status 2 means parse error
# for CLI options or the config file.
if [[ $? == 2 ]]; then
echo "Btrbk configuration is invalid:"
cat $out
exit 1
fi
set -e
'';
};
cfg = config.services.btrbk; cfg = config.services.btrbk;
sshEnabled = cfg.sshAccess != [ ]; sshEnabled = cfg.sshAccess != [ ];
serviceEnabled = cfg.instances != { }; serviceEnabled = cfg.instances != { };
attr2Lines = attr:
let
pairs = mapAttrsToList (name: value: { inherit name value; }) attr;
isSubsection = value:
if isAttrs value then true
else if isString value then false
else throw "invalid type in btrbk config ${typeOf value}";
sortedPairs = partition (x: isSubsection x.value) pairs;
in
flatten (
# non subsections go first
(
map (pair: [ "${pair.name} ${pair.value}" ]) sortedPairs.wrong
)
++ # subsections go last
(
map
(
pair:
mapAttrsToList
(
childname: value:
[ "${pair.name} ${childname}" ] ++ (map (x: " " + x) (attr2Lines value))
)
pair.value
)
sortedPairs.right
)
)
;
addDefaults = settings: { backend = "btrfs-progs-sudo"; } // settings;
mkConfigFile = settings: concatStringsSep "\n" (attr2Lines (addDefaults settings));
mkTestedConfigFile = name: settings:
let
configFile = pkgs.writeText "btrbk-${name}.conf" (mkConfigFile settings);
in
pkgs.runCommand "btrbk-${name}-tested.conf" { } ''
mkdir foo
cp ${configFile} $out
if (set +o pipefail; ${pkgs.btrbk}/bin/btrbk -c $out ls foo 2>&1 | grep $out);
then
echo btrbk configuration is invalid
cat $out
exit 1
fi;
'';
in in
{ {
meta.maintainers = with lib.maintainers; [ oxalica ]; meta.maintainers = with lib.maintainers; [ oxalica ];
@ -196,7 +198,7 @@ in
( (
name: instance: { name: instance: {
name = "btrbk/${name}.conf"; name = "btrbk/${name}.conf";
value.source = mkTestedConfigFile name instance.settings; value.source = mkConfigFile name instance.settings;
} }
) )
cfg.instances; cfg.instances;
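Review bot: `genPair` drops the explicit type check the old `attr2Lines` had: a leaf value that is neither an attrset nor a string (an int or bool in `settings`) now fails inside the `"${name} ${value}"` interpolation with Nix's generic coercion error instead of a module-specific message. Restoring it in `prioOf` is two lines, `if isString value then 0` followed by `else if !isAttrs value then throw "invalid type ${typeOf value} for btrbk option '${name}'"`, with `isString` and `typeOf` put back in the `inherit (lib)` list. The throw message for sections also has a typo: `Unknow section` should be `Unknown section`. The checkPhase's reliance on exit status 2 is documented by the comment, which is good; the `mkConfigFile` binding is used at the end of the file in a hunk whose enclosing expression starts outside the view.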


@ -106,6 +106,8 @@ in {
"-Dcruise.config.file=${cfg.workDir}/conf/cruise-config.xml" "-Dcruise.config.file=${cfg.workDir}/conf/cruise-config.xml"
"-Dcruise.server.port=${toString cfg.port}" "-Dcruise.server.port=${toString cfg.port}"
"-Dcruise.server.ssl.port=${toString cfg.sslPort}" "-Dcruise.server.ssl.port=${toString cfg.sslPort}"
"--add-opens=java.base/java.lang=ALL-UNNAMED"
"--add-opens=java.base/java.util=ALL-UNNAMED"
]; ];
defaultText = literalExpression '' defaultText = literalExpression ''
[ [
@ -119,6 +121,8 @@ in {
"-Dcruise.config.file=''${config.${opt.workDir}}/conf/cruise-config.xml" "-Dcruise.config.file=''${config.${opt.workDir}}/conf/cruise-config.xml"
"-Dcruise.server.port=''${toString config.${opt.port}}" "-Dcruise.server.port=''${toString config.${opt.port}}"
"-Dcruise.server.ssl.port=''${toString config.${opt.sslPort}}" "-Dcruise.server.ssl.port=''${toString config.${opt.sslPort}}"
"--add-opens=java.base/java.lang=ALL-UNNAMED"
"--add-opens=java.base/java.util=ALL-UNNAMED"
] ]
''; '';
@ -199,7 +203,7 @@ in {
${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
${pkgs.jre}/bin/java -server ${concatStringsSep " " cfg.startupOptions} \ ${pkgs.jre}/bin/java -server ${concatStringsSep " " cfg.startupOptions} \
${concatStringsSep " " cfg.extraOptions} \ ${concatStringsSep " " cfg.extraOptions} \
-jar ${pkgs.gocd-server}/go-server/go.jar -jar ${pkgs.gocd-server}/go-server/lib/go.jar
''; '';
serviceConfig = { serviceConfig = {
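Review bot: The two `--add-opens=java.base/...=ALL-UNNAMED` flags are added to the default `startupOptions` (and mirrored in `defaultText`) without a comment saying what requires them, although they open java.base internals to every unnamed module in the server JVM for as long as they stay. A hedged comment above them, `# presumably required by go-server on the current JDK (reflective access into java.base) — confirm against the upstream start script`, would let a maintainer remove them once no longer needed. The `script` that the third hunk edits continues past the hunk.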


@ -87,8 +87,8 @@ in {
}; };
packages = mkOption { packages = mkOption {
default = [ pkgs.stdenv pkgs.git pkgs.jdk11 config.programs.ssh.package pkgs.nix ]; default = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ];
defaultText = literalExpression "[ pkgs.stdenv pkgs.git pkgs.jdk11 config.programs.ssh.package pkgs.nix ]"; defaultText = literalExpression "[ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ]";
type = types.listOf types.package; type = types.listOf types.package;
description = lib.mdDoc '' description = lib.mdDoc ''
Packages to add to PATH for the jenkins process. Packages to add to PATH for the jenkins process.
@ -228,7 +228,7 @@ in {
# For reference: https://wiki.jenkins.io/display/JENKINS/JenkinsLinuxStartupScript # For reference: https://wiki.jenkins.io/display/JENKINS/JenkinsLinuxStartupScript
script = '' script = ''
${pkgs.jdk11}/bin/java ${concatStringsSep " " cfg.extraJavaOptions} -jar ${cfg.package}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \ ${pkgs.jdk17}/bin/java ${concatStringsSep " " cfg.extraJavaOptions} -jar ${cfg.package}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \
--httpPort=${toString cfg.port} \ --httpPort=${toString cfg.port} \
--prefix=${cfg.prefix} \ --prefix=${cfg.prefix} \
-Djava.awt.headless=true \ -Djava.awt.headless=true \
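Review bot: The JDK is now named in two places that can drift: the `packages` default puts `pkgs.jdk17` on PATH, while `script` hardcodes `${pkgs.jdk17}/bin/java`, so a user who overrides `packages` with another JDK still starts Jenkins under jdk17. If that is intended, a comment on the script line such as `# java is pinned to jdk17 here regardless of cfg.packages, which only affects PATH for the jenkins process` makes it explicit. The `script` string continues outside this hunk.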


@ -72,16 +72,20 @@ Type "help" for help.
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
<xref linkend="opt-environment.systemPackages" /> = [ <xref linkend="opt-environment.systemPackages" /> = [
(pkgs.writeScriptBin "upgrade-pg-cluster" '' (let
# XXX specify the postgresql package you'd like to upgrade to.
# Do not forget to list the extensions you need.
newPostgres = pkgs.postgresql_13.withPackages (pp: [
# pp.plv8
]);
in pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql # XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql systemctl stop postgresql
# XXX replace `&lt;new version&gt;` with the psqlSchema here export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWDATA="/var/lib/postgresql/&lt;new version&gt;"
# XXX specify the postgresql package you'd like to upgrade to export NEWBIN="${newPostgres}/bin"
export NEWBIN="${pkgs.postgresql_13}/bin"
export OLDDATA="${config.<xref linkend="opt-services.postgresql.dataDir"/>}" export OLDDATA="${config.<xref linkend="opt-services.postgresql.dataDir"/>}"
export OLDBIN="${config.<xref linkend="opt-services.postgresql.package"/>}/bin" export OLDBIN="${config.<xref linkend="opt-services.postgresql.package"/>}/bin"
@ -127,11 +131,24 @@ Type "help" for help.
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
After the upgrade it's advisable to analyze the new cluster (as <literal>su -l postgres</literal> in the After the upgrade it's advisable to analyze the new cluster.
<xref linkend="opt-services.postgresql.dataDir" />, in this example <filename>/var/lib/postgresql/13</filename>): </para>
<itemizedlist>
<listitem>
<para>
For PostgreSQL ≥ 14, use the <literal>vacuumdb</literal> command printed by the upgrades script.
</para>
</listitem>
<listitem>
<para>
For PostgreSQL &lt; 14, run (as <literal>su -l postgres</literal> in the <xref linkend="opt-services.postgresql.dataDir" />, in this example <filename>/var/lib/postgresql/13</filename>):
<programlisting> <programlisting>
<prompt>$ </prompt>./analyze_new_cluster.sh <prompt>$ </prompt>./analyze_new_cluster.sh
</programlisting> </programlisting>
</para>
</listitem>
</itemizedlist>
<para>
<warning><para>The next step removes the old state-directory!</para></warning> <warning><para>The next step removes the old state-directory!</para></warning>
<programlisting> <programlisting>
<prompt>$ </prompt>./delete_old_cluster.sh <prompt>$ </prompt>./delete_old_cluster.sh


@ -0,0 +1,28 @@
{
"context.properties": {
"log.level": 0
},
"context.spa-libs": {
"audio.convert.*": "audioconvert/libspa-audioconvert",
"support.*": "support/libspa-support"
},
"context.modules": [
{
"name": "libpipewire-module-rt",
"args": {},
"flags": [
"ifexists",
"nofail"
]
},
{
"name": "libpipewire-module-protocol-native"
},
{
"name": "libpipewire-module-client-node"
},
{
"name": "libpipewire-module-adapter"
}
]
}


@ -0,0 +1,38 @@
{
"context.properties": {},
"context.spa-libs": {
"audio.convert.*": "audioconvert/libspa-audioconvert",
"support.*": "support/libspa-support"
},
"context.modules": [
{
"name": "libpipewire-module-rt",
"args": {
"nice.level": -11
},
"flags": [
"ifexists",
"nofail"
]
},
{
"name": "libpipewire-module-protocol-native"
},
{
"name": "libpipewire-module-client-node"
},
{
"name": "libpipewire-module-adapter"
},
{
"name": "libpipewire-module-avb",
"args": {}
}
],
"context.exec": [],
"stream.properties": {},
"avb.properties": {
"ifname": "enp3s0",
"vm.overrides": {}
}
}


@ -33,7 +33,8 @@ in
stdenv.mkDerivation { stdenv.mkDerivation {
name = "brscan4-etc-files-0.4.3-3"; pname = "brscan4-etc-files";
version = "0.4.3-3";
src = "${brscan4}/opt/brother/scanner/brscan4"; src = "${brscan4}/opt/brother/scanner/brscan4";
nativeBuildInputs = [ brscan4 ]; nativeBuildInputs = [ brscan4 ];


@ -239,7 +239,7 @@ in {
Type = "oneshot"; Type = "oneshot";
# requires a relative directory name to create beneath /var/lib # requires a relative directory name to create beneath /var/lib
StateDirectory = user; StateDirectory = user;
StateDirectoryMode = 0750; StateDirectoryMode = "0750";
ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail"; ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail";
# lowest CPU and IO priority, but both still in best-effort class to prevent starvation # lowest CPU and IO priority, but both still in best-effort class to prevent starvation
Nice=19; Nice=19;


@ -202,7 +202,7 @@ in {
NoNewPrivileges = true; NoNewPrivileges = true;
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
SystemCallArchitecture = "native"; SystemCallArchitecture = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "@resources" ]; SystemCallFilter = [ "@system-service" "~@privileged" ];
ProtectDevices = true; ProtectDevices = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;


@ -137,7 +137,7 @@ in {
PrivateTmp = true; PrivateTmp = true;
WorkingDirectory = appDir; WorkingDirectory = appDir;
StateDirectory = baseNameOf dataDir; StateDirectory = baseNameOf dataDir;
UMask = 0027; UMask = "0027";
EnvironmentFile = cfg.environmentFile; EnvironmentFile = cfg.environmentFile;
ExecStart = '' ExecStart = ''


@ -25,6 +25,7 @@ in {
default = { default = {
homeserver = { homeserver = {
address = "http://localhost:8008"; address = "http://localhost:8008";
software = "standard";
}; };
appservice = rec { appservice = rec {


@ -162,7 +162,7 @@ in {
PrivateTmp = true; PrivateTmp = true;
WorkingDirectory = pkgs.mautrix-telegram; # necessary for the database migration scripts to be found WorkingDirectory = pkgs.mautrix-telegram; # necessary for the database migration scripts to be found
StateDirectory = baseNameOf dataDir; StateDirectory = baseNameOf dataDir;
UMask = 0027; UMask = "0027";
EnvironmentFile = cfg.environmentFile; EnvironmentFile = cfg.environmentFile;
ExecStart = '' ExecStart = ''


@ -85,7 +85,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services.ethminer = { systemd.services.ethminer = {
path = optional (cfg.toolkit == "cuda") [ pkgs.cudaPackages.cudatoolkit ]; path = optionals (cfg.toolkit == "cuda") [ pkgs.cudaPackages.cudatoolkit ];
description = "ethminer ethereum mining service"; description = "ethminer ethereum mining service";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];


@ -183,7 +183,7 @@ in
DynamicUser = true; DynamicUser = true;
ReadWritePaths = cfg.settings.DatabaseDirectory; ReadWritePaths = cfg.settings.DatabaseDirectory;
RuntimeDirectory = "geoipupdate"; RuntimeDirectory = "geoipupdate";
RuntimeDirectoryMode = 0700; RuntimeDirectoryMode = "0700";
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
PrivateDevices = true; PrivateDevices = true;
PrivateMounts = true; PrivateMounts = true;
@ -197,7 +197,7 @@ in
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
ProcSubset = "pid"; ProcSubset = "pid";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; SystemCallFilter = [ "@system-service" "~@privileged" ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictRealtime = true; RestrictRealtime = true;
RestrictNamespaces = true; RestrictNamespaces = true;


@ -592,7 +592,7 @@ in
PrivateMounts = true; PrivateMounts = true;
# System Call Filtering # System Call Filtering
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap"; SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
}; };
environment = { environment = {


@ -107,7 +107,7 @@ in {
PrivateTmp = true; PrivateTmp = true;
WorkingDirectory = pkgs.mx-puppet-discord; WorkingDirectory = pkgs.mx-puppet-discord;
StateDirectory = baseNameOf dataDir; StateDirectory = baseNameOf dataDir;
UMask = 0027; UMask = "0027";
ExecStart = '' ExecStart = ''
${pkgs.mx-puppet-discord}/bin/mx-puppet-discord \ ${pkgs.mx-puppet-discord}/bin/mx-puppet-discord \


@ -59,7 +59,7 @@ let
${mkKeyValuePairs cfg.settings} ${mkKeyValuePairs cfg.settings}
${cfg.extraOptions} ${cfg.extraOptions}
''; '';
checkPhase = checkPhase = lib.optionalString cfg.checkConfig (
if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then ''
echo "Ignoring validation for cross-compilation" echo "Ignoring validation for cross-compilation"
'' ''
@ -72,9 +72,9 @@ let
${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \
${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \ ${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \
|& sed -e 's/^warning:/error:/' \ |& sed -e 's/^warning:/error:/' \
| (! grep '${if cfg.checkConfig then "^error:" else "^error: unknown setting"}') | (! grep '${if cfg.checkAllErrors then "^error:" else "^error: unknown setting"}')
set -o pipefail set -o pipefail
''; '');
}; };
legacyConfMappings = { legacyConfMappings = {
@ -395,8 +395,15 @@ in
type = types.bool; type = types.bool;
default = true; default = true;
description = lib.mdDoc '' description = lib.mdDoc ''
If enabled (the default), checks for data type mismatches and that Nix If enabled, checks that Nix can parse the generated nix.conf.
can parse the generated nix.conf. '';
};
checkAllErrors = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings.
''; '';
}; };
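Review bot: `checkAllErrors` is only consulted inside the `lib.optionalString cfg.checkConfig (…)` wrapper introduced in the first hunk, so with `checkConfig = false` it has no effect, and its description does not say so. Suggest `If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings. Has no effect unless checkConfig is enabled.` The new `checkConfig` description also drops the old mention of data-type mismatches; if the `show-config` run still reports those as errors, the previous wording was more accurate. The let-binding edited by the first two hunks starts outside the hunk.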


@ -36,7 +36,7 @@ in
}; };
serviceConfig = { serviceConfig = {
DynamicUser = true; DynamicUser = true;
EnvironmentFile = lib.optional (cfg.passwordFile != null) [ EnvironmentFile = lib.optionals (cfg.passwordFile != null) [
cfg.passwordFile cfg.passwordFile
]; ];
ExecStart = "${pkgs.podgrab}/bin/podgrab"; ExecStart = "${pkgs.podgrab}/bin/podgrab";


@ -212,9 +212,9 @@ in
staticClients = forEach cfg.dex.oidcClients (client: { staticClients = forEach cfg.dex.oidcClients (client: {
inherit (client) id; inherit (client) id;
redirectURIs = [ client.callbackURI ]; redirectURIs = [ client.callbackURL ];
name = "OIDC for ${client.id}"; name = "OIDC for ${client.id}";
secret = "$DEX_CLIENT_${client.id}"; secretEnv = "DEX_CLIENT_${client.id}";
}); });
}; };
}; };
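Review bot: `secretEnv = "DEX_CLIENT_${client.id}"` derives an environment-variable name from a user-supplied client id; an id containing `-` or `.` yields a name that cannot be set from a systemd `EnvironmentFile`, so the client secret would silently be absent at runtime. Consider an assertion that each `cfg.dex.oidcClients` id matches `^[A-Za-z0-9_]+$`, or at least a sentence in the `id` option's description (outside this hunk) stating the constraint. The `callbackURI` to `callbackURL` rename presumes the option was renamed elsewhere in the module — confirm.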


@ -138,7 +138,7 @@ in {
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
WorkingDirectory = serviceDataDir; WorkingDirectory = serviceDataDir;
StateDirectory = baseNameOf serviceDataDir; StateDirectory = baseNameOf serviceDataDir;
UMask = 0027; UMask = "0027";
}; };
}; };
}; };


@ -35,6 +35,15 @@ in
default = "sonarr"; default = "sonarr";
description = lib.mdDoc "Group under which Sonaar runs."; description = lib.mdDoc "Group under which Sonaar runs.";
}; };
package = mkOption {
type = types.package;
default = pkgs.sonarr;
defaultText = literalExpression "pkgs.sonarr";
description = lib.mdDoc ''
Sonarr package to use.
'';
};
}; };
}; };
@ -52,7 +61,7 @@ in
Type = "simple"; Type = "simple";
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
ExecStart = "${pkgs.sonarr}/bin/NzbDrone -nobrowser -data='${cfg.dataDir}'"; ExecStart = "${cfg.package}/bin/NzbDrone -nobrowser -data='${cfg.dataDir}'";
Restart = "on-failure"; Restart = "on-failure";
}; };
}; };


@ -106,9 +106,9 @@ in {
} }
]; ];
services.grafana.extraOptions = mkIf cfg.provisionGrafana { services.grafana.settings.rendering = mkIf cfg.provisionGrafana {
RENDERING_SERVER_URL = "http://localhost:${toString cfg.settings.service.port}/render"; url = "http://localhost:${toString cfg.settings.service.port}/render";
RENDERING_CALLBACK_URL = "http://localhost:${toString config.services.grafana.port}"; callback_url = "http://localhost:${toString config.services.grafana.port}";
}; };
services.grafana-image-renderer.chromium = mkDefault pkgs.chromium; services.grafana-image-renderer.chromium = mkDefault pkgs.chromium;
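Review bot: `callback_url` still reads `config.services.grafana.port` while the rendering block itself has moved to the new `services.grafana.settings` layout; if `services.grafana.port` is now only a renamed alias (the litestream docs in this commit point at `services.grafana.settings.database.path`), this line should probably read `callback_url = "http://localhost:${toString config.services.grafana.settings.server.http_port}";` — confirm against the grafana module. A short comment naming which option is authoritative would keep the two from drifting apart.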



@ -494,7 +494,7 @@ in
Group = "parsedmarc"; Group = "parsedmarc";
DynamicUser = true; DynamicUser = true;
RuntimeDirectory = "parsedmarc"; RuntimeDirectory = "parsedmarc";
RuntimeDirectoryMode = 0700; RuntimeDirectoryMode = "0700";
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
PrivateDevices = true; PrivateDevices = true;
PrivateMounts = true; PrivateMounts = true;


@ -50,7 +50,7 @@ in {
"CAP_SYS_ADMIN" "CAP_SYS_ADMIN"
]; ];
DevicePolicy = "closed"; DevicePolicy = "closed";
DeviceAllow = lib.mkOverride 100 ( DeviceAllow = lib.mkOverride 50 (
if cfg.devices != [] then if cfg.devices != [] then
cfg.devices cfg.devices
else [ else [
@ -66,10 +66,7 @@ in {
ProtectProc = "invisible"; ProtectProc = "invisible";
ProcSubset = "pid"; ProcSubset = "pid";
SupplementaryGroups = [ "disk" ]; SupplementaryGroups = [ "disk" ];
SystemCallFilter = [ SystemCallFilter = [ "@system-service" "~@privileged" ];
"@system-service"
"~@privileged @resources"
];
}; };
}; };
} }
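Review bot: `lib.mkOverride 50` on `DeviceAllow` is the same priority as `mkForce`, so a user's own `mkForce` on this setting now produces a conflicting-definitions error instead of winning, and the hunk gives no reason for raising the priority from 100. Suggest a comment above it, `# mkForce priority: presumably needed to beat a DeviceAllow= in the upstream unit — confirm`, so the trade-off is recorded. The `serviceConfig` attrset this hunk edits starts outside the hunk.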


@ -0,0 +1,76 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.uptime-kuma;
in
{
options = {
services.uptime-kuma = {
enable = mkEnableOption (mdDoc "Uptime Kuma, this assumes a reverse proxy to be set.");
package = mkOption {
type = types.package;
example = literalExpression "pkgs.uptime-kuma";
default = pkgs.uptime-kuma;
defaultText = "pkgs.uptime-kuma";
description = lib.mdDoc "Uptime Kuma package to use.";
};
settings = lib.mkOption {
type =
lib.types.submodule { freeformType = with lib.types; attrsOf str; };
default = { };
example = {
PORT = "4000";
NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";
};
description = lib.mdDoc ''
Additional configuration for Uptime Kuma, see
<https://github.com/louislam/uptime-kuma/wiki/Environment-Variables">
for supported values.
'';
};
};
};
config = mkIf cfg.enable {
services.uptime-kuma.settings = {
DATA_DIR = "/var/lib/uptime-kuma/";
NODE_ENV = mkDefault "production";
};
systemd.services.uptime-kuma = {
description = "Uptime Kuma";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = cfg.settings;
serviceConfig = {
Type = "simple";
StateDirectory = "uptime-kuma";
DynamicUser = true;
ExecStart = "${cfg.package}/bin/uptime-kuma-server";
Restart = "on-failure";
ProtectHome = true;
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
};
};
};
}
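Review bot: `environment = cfg.settings;` renders every `settings` value into the unit file's `Environment=` lines, which end up in the world-readable Nix store, yet the option's description points users at the upstream environment-variable list, which may include credentials. Either document that `settings` must not hold secrets and provide an `EnvironmentFile`-style option for them, or at minimum add `# values land in the unit file under /nix/store — not for secrets` next to the `settings` option. Two smaller points: the description's URL has a stray `"` after `Environment-Variables`, and `defaultText = "pkgs.uptime-kuma"` should be `defaultText = literalExpression "pkgs.uptime-kuma";` as the sonarr hunk in this commit does. The unit also has no `SystemCallFilter` or `RestrictAddressFamilies`, unlike the other hardened services touched here; `SystemCallFilter = [ "@system-service" "~@privileged" ];` would match them.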


@ -3,6 +3,8 @@ with lib;
let let
cfg = config.services.kubo; cfg = config.services.kubo;
settingsFormat = pkgs.formats.json {};
kuboFlags = utils.escapeSystemdExecArgs ( kuboFlags = utils.escapeSystemdExecArgs (
optional cfg.autoMount "--mount" ++ optional cfg.autoMount "--mount" ++
optional cfg.enableGC "--enable-gc" ++ optional cfg.enableGC "--enable-gc" ++
@ -117,29 +119,6 @@ in
description = lib.mdDoc "Where to mount the IPNS namespace to"; description = lib.mdDoc "Where to mount the IPNS namespace to";
}; };
gatewayAddress = mkOption {
type = types.str;
default = "/ip4/127.0.0.1/tcp/8080";
description = lib.mdDoc "Where the IPFS Gateway can be reached";
};
apiAddress = mkOption {
type = types.str;
default = "/ip4/127.0.0.1/tcp/5001";
description = lib.mdDoc "Where Kubo exposes its API to";
};
swarmAddress = mkOption {
type = types.listOf types.str;
default = [
"/ip4/0.0.0.0/tcp/4001"
"/ip6/::/tcp/4001"
"/ip4/0.0.0.0/udp/4001/quic"
"/ip6/::/udp/4001/quic"
];
description = lib.mdDoc "Where Kubo listens for incoming p2p connections";
};
enableGC = mkOption { enableGC = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -152,11 +131,38 @@ in
description = lib.mdDoc "If set to true, the repo won't be initialized with help files"; description = lib.mdDoc "If set to true, the repo won't be initialized with help files";
}; };
extraConfig = mkOption { settings = mkOption {
type = types.attrs; type = lib.types.submodule {
freeformType = settingsFormat.type;
options = {
Addresses.API = mkOption {
type = types.str;
default = "/ip4/127.0.0.1/tcp/5001";
description = lib.mdDoc "Where Kubo exposes its API to";
};
Addresses.Gateway = mkOption {
type = types.str;
default = "/ip4/127.0.0.1/tcp/8080";
description = lib.mdDoc "Where the IPFS Gateway can be reached";
};
Addresses.Swarm = mkOption {
type = types.listOf types.str;
default = [
"/ip4/0.0.0.0/tcp/4001"
"/ip6/::/tcp/4001"
"/ip4/0.0.0.0/udp/4001/quic"
"/ip6/::/udp/4001/quic"
];
description = lib.mdDoc "Where Kubo listens for incoming p2p connections";
};
};
};
description = lib.mdDoc '' description = lib.mdDoc ''
Attrset of daemon configuration to set using {command}`ipfs config`, every time the daemon starts. Attrset of daemon configuration to set using {command}`ipfs config`, every time the daemon starts.
These are applied last, so may override configuration set by other options in this module. See [https://github.com/ipfs/kubo/blob/master/docs/config.md](https://github.com/ipfs/kubo/blob/master/docs/config.md) for reference.
Keep in mind that this configuration is stateful; i.e., unsetting anything in here does not reset the value to the default! Keep in mind that this configuration is stateful; i.e., unsetting anything in here does not reset the value to the default!
''; '';
default = { }; default = { };
@ -244,6 +250,12 @@ in
then [ cfg.package.systemd_unit ] then [ cfg.package.systemd_unit ]
else [ cfg.package.systemd_unit_hardened ]; else [ cfg.package.systemd_unit_hardened ];
services.kubo.settings = mkIf cfg.autoMount {
Mounts.FuseAllowOther = lib.mkDefault true;
Mounts.IPFS = lib.mkDefault cfg.ipfsMountDir;
Mounts.IPNS = lib.mkDefault cfg.ipnsMountDir;
};
systemd.services.ipfs = { systemd.services.ipfs = {
path = [ "/run/wrappers" cfg.package ]; path = [ "/run/wrappers" cfg.package ];
environment.IPFS_PATH = cfg.dataDir; environment.IPFS_PATH = cfg.dataDir;
@ -259,22 +271,10 @@ in
'' + '' '' + ''
ipfs --offline config profile apply ${profile} >/dev/null ipfs --offline config profile apply ${profile} >/dev/null
fi fi
'' + optionalString cfg.autoMount ''
ipfs --offline config Mounts.FuseAllowOther --json true
ipfs --offline config Mounts.IPFS ${cfg.ipfsMountDir}
ipfs --offline config Mounts.IPNS ${cfg.ipnsMountDir}
'' + '' '' + ''
ipfs --offline config show \ ipfs --offline config show \
| ${pkgs.jq}/bin/jq '. * $extraConfig' --argjson extraConfig ${ | ${pkgs.jq}/bin/jq '. * $settings' --argjson settings ${
escapeShellArg (builtins.toJSON ( escapeShellArg (builtins.toJSON cfg.settings)
recursiveUpdate
{
Addresses.API = cfg.apiAddress;
Addresses.Gateway = cfg.gatewayAddress;
Addresses.Swarm = cfg.swarmAddress;
}
cfg.extraConfig
))
} \ } \
| ipfs --offline config replace - | ipfs --offline config replace -
''; '';
@ -294,12 +294,12 @@ in
socketConfig = { socketConfig = {
ListenStream = ListenStream =
let let
fromCfg = multiaddrToListenStream cfg.gatewayAddress; fromCfg = multiaddrToListenStream cfg.settings.Addresses.Gateway;
in in
[ "" ] ++ lib.optional (fromCfg != null) fromCfg; [ "" ] ++ lib.optional (fromCfg != null) fromCfg;
ListenDatagram = ListenDatagram =
let let
fromCfg = multiaddrToListenDatagram cfg.gatewayAddress; fromCfg = multiaddrToListenDatagram cfg.settings.Addresses.Gateway;
in in
[ "" ] ++ lib.optional (fromCfg != null) fromCfg; [ "" ] ++ lib.optional (fromCfg != null) fromCfg;
}; };
@ -311,7 +311,7 @@ in
# in the multiaddr. # in the multiaddr.
socketConfig.ListenStream = socketConfig.ListenStream =
let let
fromCfg = multiaddrToListenStream cfg.apiAddress; fromCfg = multiaddrToListenStream cfg.settings.Addresses.API;
in in
[ "" "%t/ipfs.sock" ] ++ lib.optional (fromCfg != null) fromCfg; [ "" "%t/ipfs.sock" ] ++ lib.optional (fromCfg != null) fromCfg;
}; };
@ -332,15 +332,19 @@ in
(mkRenamedOptionModule [ "services" "ipfs" "autoMigrate" ] [ "services" "kubo" "autoMigrate" ]) (mkRenamedOptionModule [ "services" "ipfs" "autoMigrate" ] [ "services" "kubo" "autoMigrate" ])
(mkRenamedOptionModule [ "services" "ipfs" "ipfsMountDir" ] [ "services" "kubo" "ipfsMountDir" ]) (mkRenamedOptionModule [ "services" "ipfs" "ipfsMountDir" ] [ "services" "kubo" "ipfsMountDir" ])
(mkRenamedOptionModule [ "services" "ipfs" "ipnsMountDir" ] [ "services" "kubo" "ipnsMountDir" ]) (mkRenamedOptionModule [ "services" "ipfs" "ipnsMountDir" ] [ "services" "kubo" "ipnsMountDir" ])
(mkRenamedOptionModule [ "services" "ipfs" "gatewayAddress" ] [ "services" "kubo" "gatewayAddress" ]) (mkRenamedOptionModule [ "services" "ipfs" "gatewayAddress" ] [ "services" "kubo" "settings" "Addresses" "Gateway" ])
(mkRenamedOptionModule [ "services" "ipfs" "apiAddress" ] [ "services" "kubo" "apiAddress" ]) (mkRenamedOptionModule [ "services" "ipfs" "apiAddress" ] [ "services" "kubo" "settings" "Addresses" "API" ])
(mkRenamedOptionModule [ "services" "ipfs" "swarmAddress" ] [ "services" "kubo" "swarmAddress" ]) (mkRenamedOptionModule [ "services" "ipfs" "swarmAddress" ] [ "services" "kubo" "settings" "Addresses" "Swarm" ])
(mkRenamedOptionModule [ "services" "ipfs" "enableGC" ] [ "services" "kubo" "enableGC" ]) (mkRenamedOptionModule [ "services" "ipfs" "enableGC" ] [ "services" "kubo" "enableGC" ])
(mkRenamedOptionModule [ "services" "ipfs" "emptyRepo" ] [ "services" "kubo" "emptyRepo" ]) (mkRenamedOptionModule [ "services" "ipfs" "emptyRepo" ] [ "services" "kubo" "emptyRepo" ])
(mkRenamedOptionModule [ "services" "ipfs" "extraConfig" ] [ "services" "kubo" "extraConfig" ]) (mkRenamedOptionModule [ "services" "ipfs" "extraConfig" ] [ "services" "kubo" "settings" ])
(mkRenamedOptionModule [ "services" "ipfs" "extraFlags" ] [ "services" "kubo" "extraFlags" ]) (mkRenamedOptionModule [ "services" "ipfs" "extraFlags" ] [ "services" "kubo" "extraFlags" ])
(mkRenamedOptionModule [ "services" "ipfs" "localDiscovery" ] [ "services" "kubo" "localDiscovery" ]) (mkRenamedOptionModule [ "services" "ipfs" "localDiscovery" ] [ "services" "kubo" "localDiscovery" ])
(mkRenamedOptionModule [ "services" "ipfs" "serviceFdlimit" ] [ "services" "kubo" "serviceFdlimit" ]) (mkRenamedOptionModule [ "services" "ipfs" "serviceFdlimit" ] [ "services" "kubo" "serviceFdlimit" ])
(mkRenamedOptionModule [ "services" "ipfs" "startWhenNeeded" ] [ "services" "kubo" "startWhenNeeded" ]) (mkRenamedOptionModule [ "services" "ipfs" "startWhenNeeded" ] [ "services" "kubo" "startWhenNeeded" ])
(mkRenamedOptionModule [ "services" "kubo" "extraConfig" ] [ "services" "kubo" "settings" ])
(mkRenamedOptionModule [ "services" "kubo" "gatewayAddress" ] [ "services" "kubo" "settings" "Addresses" "Gateway" ])
(mkRenamedOptionModule [ "services" "kubo" "apiAddress" ] [ "services" "kubo" "settings" "Addresses" "API" ])
(mkRenamedOptionModule [ "services" "kubo" "swarmAddress" ] [ "services" "kubo" "settings" "Addresses" "Swarm" ])
]; ];
} }
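Review bot: The new `settings` submodule mixes fully-qualified and bare lib names on adjacent lines — `lib.types.submodule` beside `types.str`, `lib.mkDefault` beside `mkIf` — even though the file is under `with lib;` per the first hunk header. Pick one form, e.g. `type = types.submodule {` and `Mounts.FuseAllowOther = mkDefault true;`. `Mounts.FuseAllowOther = true` is carried over from the old activation script and presumably maps to FUSE's allow_other, letting users other than the daemon's reach the mounts; a comment stating this is intended for `autoMount` would help. The `settings` description still says values are set with `ipfs config`, while the activation hunk shows them merged with jq and applied through `ipfs --offline config replace -`; wording like `merged into the existing config (via jq) and applied with ipfs config replace` would be more accurate.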


@ -15,7 +15,7 @@
<para> <para>
Litestream service is managed by a dedicated user named <literal>litestream</literal> Litestream service is managed by a dedicated user named <literal>litestream</literal>
which needs permission to the database file. Here's an example config which gives which needs permission to the database file. Here's an example config which gives
required permissions to access <link linkend="opt-services.grafana.database.path"> required permissions to access <link linkend="opt-services.grafana.settings.database.path">
grafana database</link>: grafana database</link>:
<programlisting> <programlisting>
{ pkgs, ... }: { pkgs, ... }:


@ -12,37 +12,26 @@ let
"--config /var/lib/AdGuardHome/AdGuardHome.yaml" "--config /var/lib/AdGuardHome/AdGuardHome.yaml"
] ++ cfg.extraArgs); ] ++ cfg.extraArgs);
baseConfig = {
bind_host = cfg.host;
bind_port = cfg.port;
};
configFile = pkgs.writeTextFile { configFile = pkgs.writeTextFile {
name = "AdGuardHome.yaml"; name = "AdGuardHome.yaml";
text = builtins.toJSON (recursiveUpdate cfg.settings baseConfig); text = builtins.toJSON cfg.settings;
checkPhase = "${pkgs.adguardhome}/bin/adguardhome -c $out --check-config"; checkPhase = "${pkgs.adguardhome}/bin/adguardhome -c $out --check-config";
}; };
in { in
{
imports =
let cfgPath = [ "services" "adguardhome" ];
in
[
(mkRenamedOptionModuleWith { sinceRelease = 2211; from = cfgPath ++ [ "host" ]; to = cfgPath ++ [ "settings" "bind_host" ]; })
(mkRenamedOptionModuleWith { sinceRelease = 2211; from = cfgPath ++ [ "port" ]; to = cfgPath ++ [ "settings" "bind_port" ]; })
];
options.services.adguardhome = with types; { options.services.adguardhome = with types; {
enable = mkEnableOption (lib.mdDoc "AdGuard Home network-wide ad blocker"); enable = mkEnableOption (lib.mdDoc "AdGuard Home network-wide ad blocker");
host = mkOption {
default = "0.0.0.0";
type = str;
description = lib.mdDoc ''
Host address to bind HTTP server to.
'';
};
port = mkOption {
default = 3000;
type = port;
description = lib.mdDoc ''
Port to serve HTTP pages on.
'';
};
openFirewall = mkOption { openFirewall = mkOption {
default = false; default = false;
type = bool; type = bool;
@ -62,8 +51,35 @@ in {
}; };
settings = mkOption { settings = mkOption {
type = (pkgs.formats.yaml { }).type;
default = { }; default = { };
type = submodule {
freeformType = (pkgs.formats.yaml { }).type;
options = {
schema_version = mkOption {
default = pkgs.adguardhome.schema_version;
defaultText = literalExpression "pkgs.adguardhome.schema_version";
type = int;
description = lib.mdDoc ''
Schema version for the configuration.
Defaults to the `schema_version` supplied by `pkgs.adguardhome`.
'';
};
bind_host = mkOption {
default = "0.0.0.0";
type = str;
description = lib.mdDoc ''
Host address to bind HTTP server to.
'';
};
bind_port = mkOption {
default = 3000;
type = port;
description = lib.mdDoc ''
Port to serve HTTP pages on.
'';
};
};
};
description = lib.mdDoc '' description = lib.mdDoc ''
AdGuard Home configuration. Refer to AdGuard Home configuration. Refer to
<https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file> <https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file>
@ -135,6 +151,6 @@ in {
}; };
}; };
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.bind_port ];
}; };
} }
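Review bot: The new `settings` submodule is still rendered with `pkgs.writeTextFile`, so every value placed in it, freeform keys included, ends up in the world-readable Nix store, and nothing in the visible part of the option description says so. I would append a sentence to the description, e.g. `Values set here are written to the Nix store; keep credentials (such as the web-UI password hashes AdGuard Home keeps in its config) out of this option.` The description continues past the hunk, so it may already carry such a caveat. The `bind_host` default of `"0.0.0.0"` is carried over unchanged from the removed `host` option, so exposure on all interfaces is not new in this change.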


@ -72,7 +72,7 @@ in
RuntimeDirectoryMode = "700"; RuntimeDirectoryMode = "700";
SystemCallFilter = [ SystemCallFilter = [
"@system-service" "@system-service"
"~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@setuid" "~@sync" "~@timer" "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@setuid" "~@sync" "~@timer"
]; ];
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM"; SystemCallErrorNumber = "EPERM";
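Review bot: `~@resources` is dropped from the SystemCallFilter deny list with no comment recording why, so the next hardening pass has nothing to stop it from re-adding the entry; the same applies to the later hunks that delete the `"~@resources"` line outright, remove it from the bracketed filter lists, and replace the old string-form filters with `[ "@system-service" "~@privileged" ]`. If the reason is that the daemon needs a call in that group (setrlimit/prlimit64 are the usual case, e.g. a runtime raising its own file-descriptor limit at start-up), record it next to the list, along the lines of `# @resources is deliberately allowed: the daemon adjusts its own rlimits at start-up`, adjusted to the actual cause. The enclosing service definition starts and ends outside the hunk.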


@ -111,7 +111,6 @@ in
"~@aio" "~@aio"
"~@keyring" "~@keyring"
"~@memlock" "~@memlock"
"~@resources"
"~@setuid" "~@setuid"
"~@timer" "~@timer"
]; ];


@ -199,7 +199,7 @@ in
environment.systemPackages = [ pkgs.hostapd ]; environment.systemPackages = [ pkgs.hostapd ];
services.udev.packages = optional (cfg.countryCode != null) [ pkgs.crda ]; services.udev.packages = optionals (cfg.countryCode != null) [ pkgs.crda ];
systemd.services.hostapd = systemd.services.hostapd =
{ description = "hostapd wireless AP"; { description = "hostapd wireless AP";


@ -56,8 +56,10 @@ let
default = null; default = null;
description = mdDoc '' description = mdDoc ''
Specifies the hashed password for the MQTT User. Specifies the hashed password for the MQTT User.
To generate hashed password install `mosquitto` To generate hashed password install the `mosquitto`
package and use `mosquitto_passwd`. package and use `mosquitto_passwd`, then extract
the second field (after the `:`) from the generated
file.
''; '';
}; };
@ -68,8 +70,9 @@ let
description = mdDoc '' description = mdDoc ''
Specifies the path to a file containing the Specifies the path to a file containing the
hashed password for the MQTT user. hashed password for the MQTT user.
To generate hashed password install `mosquitto` To generate hashed password install the `mosquitto`
package and use `mosquitto_passwd`. package and use `mosquitto_passwd`, then remove the
`username:` prefix from the generated file.
''; '';
}; };
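Review bot: The reworded `hashedPassword` description still does not say that a value given here is written into the Nix store, which any local user can read, whereas the file-based variant in the second hunk keeps the hash out of the store. A sentence such as `The hash is stored in the world-readable Nix store; use the file-based option if that is a concern.` would steer users toward the right choice. Whether the option's surrounding text already says this is not visible from the hunk.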


@ -4,7 +4,8 @@ let
in in
with lib; with lib;
{ {
options.services.mullvad-vpn.enable = mkOption { options.services.mullvad-vpn = {
enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = lib.mdDoc '' description = lib.mdDoc ''
@ -13,6 +14,16 @@ with lib;
''; '';
}; };
package = mkOption {
type = types.package;
default = pkgs.mullvad;
defaultText = literalExpression "pkgs.mullvad";
description = lib.mdDoc ''
The Mullvad package to use. `pkgs.mullvad` only provides the CLI tool, `pkgs.mullvad-vpn` provides both the CLI and the GUI.
'';
};
};
config = mkIf cfg.enable { config = mkIf cfg.enable {
boot.kernelModules = [ "tun" ]; boot.kernelModules = [ "tun" ];
@ -39,12 +50,12 @@ with lib;
startLimitBurst = 5; startLimitBurst = 5;
startLimitIntervalSec = 20; startLimitIntervalSec = 20;
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.mullvad}/bin/mullvad-daemon -v --disable-stdout-timestamps"; ExecStart = "${cfg.package}/bin/mullvad-daemon -v --disable-stdout-timestamps";
Restart = "always"; Restart = "always";
RestartSec = 1; RestartSec = 1;
}; };
}; };
}; };
meta.maintainers = with maintainers; [ ymarkus ]; meta.maintainers = with maintainers; [ patricksjackson ymarkus ];
} }


@ -137,7 +137,7 @@ in {
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; SystemCallFilter = [ "@system-service" "~@privileged" ];
UMask = "0077"; UMask = "0077";
} }
]; ];


@ -27,7 +27,7 @@ let
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
chronyFlags = "-n -m -u chrony -f ${configFile} ${toString cfg.extraFlags}"; chronyFlags = [ "-n" "-m" "-u" "chrony" "-f" "${configFile}" ] ++ cfg.extraFlags;
in in
{ {
options = { options = {
@ -166,7 +166,7 @@ in
unitConfig.ConditionCapability = "CAP_SYS_TIME"; unitConfig.ConditionCapability = "CAP_SYS_TIME";
serviceConfig = serviceConfig =
{ Type = "simple"; { Type = "simple";
ExecStart = "${chronyPkg}/bin/chronyd ${chronyFlags}"; ExecStart = "${chronyPkg}/bin/chronyd ${builtins.toString chronyFlags}";
ProtectHome = "yes"; ProtectHome = "yes";
ProtectSystem = "full"; ProtectSystem = "full";
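Review bot: `builtins.toString chronyFlags` joins the list with single spaces and no quoting, so an element of `cfg.extraFlags` containing whitespace or quotes is split or mangled by systemd's ExecStart parser; the same applies to `ntpFlags` in the next hunk. The helper made for this is `utils.escapeSystemdExecArgs`, i.e. `ExecStart = "${chronyPkg}/bin/chronyd ${utils.escapeSystemdExecArgs chronyFlags}";`, assuming the module takes `utils` in its argument set (the module header is outside the hunk). Without it, the move from a string to a list changes nothing about how the arguments are interpreted.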


@ -25,7 +25,7 @@ let
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
ntpFlags = "-c ${configFile} -u ntp:ntp ${toString cfg.extraFlags}"; ntpFlags = [ "-c" "${configFile}" "-u" "ntp:ntp" ] ++ cfg.extraFlags;
in in
@ -137,7 +137,7 @@ in
''; '';
serviceConfig = { serviceConfig = {
ExecStart = "@${ntp}/bin/ntpd ntpd -g ${ntpFlags}"; ExecStart = "@${ntp}/bin/ntpd ntpd -g ${builtins.toString ntpFlags}";
Type = "forking"; Type = "forking";
}; };
}; };


@ -318,6 +318,17 @@ in
description = "smokeping daemon user"; description = "smokeping daemon user";
home = smokepingHome; home = smokepingHome;
createHome = true; createHome = true;
# When `cfg.webService` is enabled, `thttpd` makes SmokePing available
# under `${cfg.host}:${cfg.port}/smokeping.fcgi` as per the `ln -s` below.
# We also want that going to `${cfg.host}:${cfg.port}` without `smokeping.fcgi`
# makes it easy for the user to find SmokePing.
# However `thttpd` does not seem to support easy redirections from `/` to `smokeping.fcgi`
# and only allows directory listings or `/` -> `index.html` resolution if the directory
# has `chmod 755` (see https://acme.com/software/thttpd/thttpd_man.html#PERMISSIONS,
# " directories should be 755 if you want to allow indexing").
# Otherwise it shows `403 Forbidden` on `/`.
# Thus, we need to make `smokepingHome` (which is given to `thttpd -d` below) `755`.
homeMode = "755";
}; };
users.groups.${cfg.user} = {}; users.groups.${cfg.user} = {};
systemd.services.smokeping = { systemd.services.smokeping = {


@ -71,7 +71,7 @@ in
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @mount @obsolete @reboot @swap @privileged @resources"; SystemCallFilter = [ "@system-service" "~@privileged" ];
UMask = "0077"; UMask = "0077";
}; };
}; };


@ -0,0 +1,214 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.vdirsyncer;
toIniJson = with generators; toINI {
mkKeyValue = mkKeyValueDefault {
mkValueString = builtins.toJSON;
} "=";
};
toConfigFile = name: cfg':
if
cfg'.configFile != null
then
cfg'.configFile
else
pkgs.writeText "vdirsyncer-${name}.conf" (toIniJson (
{
general = cfg'.config.general // (lib.optionalAttrs (cfg'.config.statusPath == null) {
status_path = "/var/lib/vdirsyncer/${name}";
});
} // (
mapAttrs' (name: nameValuePair "pair ${name}") cfg'.config.pairs
) // (
mapAttrs' (name: nameValuePair "storage ${name}") cfg'.config.storages
)
));
userUnitConfig = name: cfg': {
serviceConfig = {
User = if cfg'.user == null then "vdirsyncer" else cfg'.user;
Group = if cfg'.group == null then "vdirsyncer" else cfg'.group;
} // (optionalAttrs (cfg'.user == null) {
DynamicUser = true;
}) // (optionalAttrs (cfg'.additionalGroups != []) {
SupplementaryGroups = cfg'.additionalGroups;
}) // (optionalAttrs (cfg'.config.statusPath == null) {
StateDirectory = "vdirsyncer/${name}";
StateDirectoryMode = "0700";
});
};
commonUnitConfig = {
after = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
# Sandboxing
PrivateTmp = true;
NoNewPrivileges = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictAddressFamilies = "AF_INET AF_INET6";
LockPersonality = true;
};
};
in
{
options = {
services.vdirsyncer = {
enable = mkEnableOption (mdDoc "vdirsyncer");
package = mkPackageOption pkgs "vdirsyncer" {};
jobs = mkOption {
description = mdDoc "vdirsyncer job configurations";
type = types.attrsOf (types.submodule {
options = {
enable = (mkEnableOption (mdDoc "this vdirsyncer job")) // {
default = true;
example = false;
};
user = mkOption {
type = types.nullOr types.str;
default = null;
description = mdDoc ''
User account to run vdirsyncer as, otherwise as a systemd
dynamic user
'';
};
group = mkOption {
type = types.nullOr types.str;
default = null;
description = mdDoc "group to run vdirsyncer as";
};
additionalGroups = mkOption {
type = types.listOf types.str;
default = [];
description = mdDoc "additional groups to add the dynamic user to";
};
forceDiscover = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Run `yes | vdirsyncer discover` prior to `vdirsyncer sync`
'';
};
timerConfig = mkOption {
type = types.attrs;
default = {
OnBootSec = "1h";
OnUnitActiveSec = "6h";
};
description = mdDoc "systemd timer configuration";
};
configFile = mkOption {
type = types.nullOr types.path;
default = null;
description = mdDoc "existing configuration file";
};
config = {
statusPath = mkOption {
type = types.nullOr types.str;
default = null;
defaultText = literalExpression "/var/lib/vdirsyncer/\${attrName}";
description = mdDoc "vdirsyncer's status path";
};
general = mkOption {
type = types.attrs;
default = {};
description = mdDoc "general configuration";
};
pairs = mkOption {
type = types.attrsOf types.attrs;
default = {};
description = mdDoc "vdirsyncer pair configurations";
example = literalExpression ''
{
my_contacts = {
a = "my_cloud_contacts";
b = "my_local_contacts";
collections = [ "from a" ];
conflict_resolution = "a wins";
metadata = [ "color" "displayname" ];
};
};
'';
};
storages = mkOption {
type = types.attrsOf types.attrs;
default = {};
description = mdDoc "vdirsyncer storage configurations";
example = literalExpression ''
{
my_cloud_contacts = {
type = "carddav";
url = "https://dav.example.com/";
read_only = true;
username = "user";
"password.fetch" = [ "command" "cat" "/etc/vdirsyncer/cloud.passwd" ];
};
my_local_contacts = {
type = "carddav";
url = "https://localhost/";
username = "user";
"password.fetch" = [ "command" "cat" "/etc/vdirsyncer/local.passwd" ];
};
}
'';
};
};
};
});
};
};
};
config = mkIf cfg.enable {
systemd.services = mapAttrs' (name: cfg': nameValuePair "vdirsyncer@${name}" (
foldr recursiveUpdate {} [
commonUnitConfig
(userUnitConfig name cfg')
{
description = "synchronize calendars and contacts (${name})";
environment.VDIRSYNCER_CONFIG = toConfigFile name cfg';
serviceConfig.ExecStart =
(optional cfg'.forceDiscover (
pkgs.writeShellScript "vdirsyncer-discover-yes" ''
set -e
yes | ${cfg.package}/bin/vdirsyncer discover
''
)) ++ [ "${cfg.package}/bin/vdirsyncer sync" ];
}
]
)) (filterAttrs (name: cfg': cfg'.enable) cfg.jobs);
systemd.timers = mapAttrs' (name: cfg': nameValuePair "vdirsyncer@${name}" {
wantedBy = [ "timers.target" ];
description = "synchronize calendars and contacts (${name})";
inherit (cfg') timerConfig;
}) cfg.jobs;
};
}
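Review bot: `config.statusPath` is never written into the generated file: `toConfigFile` only adds `status_path` when the option is null, so a user who sets it gets a config without any `status_path` unless they also put one into `config.general`. Replace the `general` attribute with `general = cfg'.config.general // { status_path = if cfg'.config.statusPath != null then cfg'.config.statusPath else "/var/lib/vdirsyncer/${name}"; };` (a non-default path will also need a `ReadWritePaths` entry, since `ProtectSystem = "strict"` leaves only the `StateDirectory` writable). Separately, `systemd.timers` is built from all of `cfg.jobs` while `systemd.services` filters on `cfg'.enable`, so a disabled job still gets a timer pointing at a unit that does not exist; apply the same `filterAttrs` there. Finally, `pairs`/`storages` are rendered with `pkgs.writeText` into the Nix store, so the `storages` description should say to use `password.fetch` (as the example does) rather than an inline `password`.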


@ -180,7 +180,7 @@ in {
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources"; SystemCallFilter = [ "@system-service" "~@privileged @keyring" ];
} // (if (cfg.group != null) then { } // (if (cfg.group != null) then {
Group = cfg.group; Group = cfg.group;
} else {}); } else {});
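Review bot: `"~@privileged @keyring"` packs two deny entries into one list element, unlike the other filter rewrites in this commit, which use one element per group (e.g. `[ "@system-service" "~@privileged" ]`). systemd applies the leading `~` to every entry on that line, so the result should be the same, but `[ "@system-service" "~@privileged" "~@keyring" ]` reads unambiguously and matches the rest. Note that `@resources` is no longer denied here either, unlike in the old string form.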


@ -120,7 +120,6 @@ in {
" -conf ${pkgs.writeText "hound.json" cfg.config}"; " -conf ${pkgs.writeText "hound.json" cfg.config}";
}; };
path = [ pkgs.git pkgs.mercurial pkgs.openssh ];
}; };
}; };


@ -126,7 +126,7 @@ in
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ]; SystemCallFilter = [ "@system-service" "~@privileged" ];
}; };
}; };


@ -816,13 +816,13 @@ in
always create a container/VM with a separate Tor daemon instance. always create a container/VM with a separate Tor daemon instance.
'' ++ '' ++
flatten (mapAttrsToList (n: o: flatten (mapAttrsToList (n: o:
optional (o.settings.HiddenServiceVersion == 2) [ optionals (o.settings.HiddenServiceVersion == 2) [
(optional (o.settings.HiddenServiceExportCircuitID != null) '' (optional (o.settings.HiddenServiceExportCircuitID != null) ''
HiddenServiceExportCircuitID is used in the HiddenService: ${n} HiddenServiceExportCircuitID is used in the HiddenService: ${n}
but this option is only for v3 hidden services. but this option is only for v3 hidden services.
'') '')
] ++ ] ++
optional (o.settings.HiddenServiceVersion != 2) [ optionals (o.settings.HiddenServiceVersion != 2) [
(optional (o.settings.HiddenServiceAuthorizeClient != null) '' (optional (o.settings.HiddenServiceAuthorizeClient != null) ''
HiddenServiceAuthorizeClient is used in the HiddenService: ${n} HiddenServiceAuthorizeClient is used in the HiddenService: ${n}
but this option is only for v2 hidden services. but this option is only for v2 hidden services.


@ -81,7 +81,8 @@ in
- write-files - write-files
- growpart - growpart
- resizefs - resizefs
- update_etc_hosts - update_hostname
- resolv_conf
- ca-certs - ca-certs
- rsyslog - rsyslog
- users-groups - users-groups


@ -146,7 +146,7 @@ in
enable = mkDefault config.boot.isContainer; enable = mkDefault config.boot.isContainer;
}; };
environment.etc.issue = environment.etc.issue = mkDefault
{ # Friendly greeting on the virtual consoles. { # Friendly greeting on the virtual consoles.
source = pkgs.writeText "issue" '' source = pkgs.writeText "issue" ''


@ -372,7 +372,7 @@ in {
User = user; User = user;
WorkingDirectory = "${bookstack}"; WorkingDirectory = "${bookstack}";
RuntimeDirectory = "bookstack/cache"; RuntimeDirectory = "bookstack/cache";
RuntimeDirectoryMode = 0700; RuntimeDirectoryMode = "0700";
}; };
path = [ pkgs.replace-secret ]; path = [ pkgs.replace-secret ];
script = script =


@ -119,7 +119,7 @@ in
assertions = [ assertions = [
{ {
assertion = !((cfg.webDriverSupport == true) && (cfg.playwrightSupport == true)); assertion = !((cfg.webDriverSupport == true) && (cfg.playwrightSupport == true));
message = "'services.changedetection-io.webDriverSupport' and 'services.changedetion-io.playwrightSupport' cannot be used together."; message = "'services.changedetection-io.webDriverSupport' and 'services.changedetection-io.playwrightSupport' cannot be used together.";
} }
]; ];
@ -127,7 +127,7 @@ in
defaultStateDir = cfg.datastorePath == "/var/lib/changedetection-io"; defaultStateDir = cfg.datastorePath == "/var/lib/changedetection-io";
in { in {
services.changedetection-io = { services.changedetection-io = {
wantedBy = [ "mutli-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
preStart = '' preStart = ''
mkdir -p ${cfg.datastorePath} mkdir -p ${cfg.datastorePath}
@ -135,7 +135,7 @@ in
serviceConfig = { serviceConfig = {
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
StateDirectory = mkIf defaultStateDir "changedetion-io"; StateDirectory = mkIf defaultStateDir "changedetection-io";
StateDirectoryMode = mkIf defaultStateDir "0750"; StateDirectoryMode = mkIf defaultStateDir "0750";
WorkingDirectory = cfg.datastorePath; WorkingDirectory = cfg.datastorePath;
Environment = lib.optional (cfg.baseURL != null) "BASE_URL=${cfg.baseURL}" Environment = lib.optional (cfg.baseURL != null) "BASE_URL=${cfg.baseURL}"
@ -213,6 +213,7 @@ in
}; };
}) })
]; ];
podman.defaultNetwork.dnsname.enable = true;
}; };
}; };
} }
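Review bot: Fixing `wantedBy` from `mutli-user.target` means the service will now actually start at boot on existing systems, and correcting `StateDirectory` moves the managed directory from `/var/lib/changedetion-io` to `/var/lib/changedetection-io`; both are behaviour changes that deserve a line in the release notes. Because `WorkingDirectory` and the `preStart` `mkdir -p` already used the correctly spelled `cfg.datastorePath`, the data itself was presumably already in the right place, but the directory created under the misspelled name is left behind and that is worth confirming before assuming no migration step is needed.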
