diff --git a/third_party/nixpkgs/.git-blame-ignore-revs b/third_party/nixpkgs/.git-blame-ignore-revs
index bf350b0cf8..2436c29afc 100644
--- a/third_party/nixpkgs/.git-blame-ignore-revs
+++ b/third_party/nixpkgs/.git-blame-ignore-revs
@@ -39,3 +39,60 @@ d1c1a0c656ccd8bd3b25d3c4287f2d075faf3cf3
 
 # fix indentation in meteor default.nix
 a37a6de881ec4c6708e6b88fd16256bbc7f26bbd
+
+# treewide: automatically md-convert option descriptions
+2e751c0772b9d48ff6923569adfa661b030ab6a2
+
+# nixos/*: automatically convert option docs
+087472b1e5230ffc8ba642b1e4f9218adf4634a2
+
+# nixos/*: automatically convert option descriptions
+ef176dcf7e76c3639571d7c6051246c8fbadf12a
+
+# nixos/*: automatically convert option docs to MD
+61e93df1891972bae3e0c97a477bd44e8a477aa0
+
+# nixos/*: convert options with admonitions to MD
+722b99bc0eb57711c0498a86a3f55e6c69cdb05f
+
+# nixos/*: automatically convert option docs
+6039648c50c7c0858b5e506c6298773a98e0f066
+
+# nixos/*: md-convert options with unordered lists
+c915b915b5e466a0b0b2af2906cd4d2380b8a1de
+
+# nixos/*: convert options with listings
+f2ea09ecbe1fa1da32eaa6e036d64ac324a2986f
+
+# nixos/*: convert straggler options to MD
+1d41cff3dc4c8f37bb5841f51fcbff705e169178
+
+# nixos/*: normalize manpage references to single-line form
+423545fe4865d126e86721ba30da116e29c65004
+
+# nixos/documentation: split options doc build
+fc614c37c653637e5475a0b0a987489b4d1f351d
+
+# nixos/*: convert options with admonitions to MD
+722b99bc0eb57711c0498a86a3f55e6c69cdb05f
+
+# nixos/*: convert internal option descriptions to MD
+9547123258f69efd92b54763051d6dc7f3bfcaca
+
+# nixos/*: replace with double linebreaks
+694d5b19d30bf66687b42fb77f43ea7cd1002a62
+
+# treewide: add defaultText for options with simple interpolation defaults
+fb0e5be84331188a69b3edd31679ca6576edb75a
+
+# nixos/*: mark pre-existing markdown descriptions as mdDoc
+7e7d68a250f75678451cd44f8c3d585bf750461e
+
+# nixos/*: normalize link format
+3aebb4a2be8821a6d8a695f0908d8567dc00de31
+
+# nixos/*: replace in option docs with
+16102dce2fbad670bd47dd75c860a8daa5fe47ad
+
+# nixos/*: add trivial defaultText for options with simple defaults
+25124556397ba17bfd70297000270de1e6523b0a
diff --git a/third_party/nixpkgs/.github/CODEOWNERS b/third_party/nixpkgs/.github/CODEOWNERS
index 4dfcd715f7..2ef607d0ff 100644
--- a/third_party/nixpkgs/.github/CODEOWNERS
+++ b/third_party/nixpkgs/.github/CODEOWNERS
@@ -23,7 +23,7 @@
 
 # Libraries
 /lib @edolstra @infinisil
-/lib/systems @alyssais @ericson2314 @matthewbauer
+/lib/systems @alyssais @ericson2314 @matthewbauer @amjoseph-nixpkgs
 /lib/generators.nix @edolstra @Profpatsch
 /lib/cli.nix @edolstra @Profpatsch
 /lib/debug.nix @edolstra @Profpatsch
@@ -37,10 +37,10 @@
 /pkgs/top-level/stage.nix @Ericson2314 @matthewbauer
 /pkgs/top-level/splice.nix @Ericson2314 @matthewbauer
 /pkgs/top-level/release-cross.nix @Ericson2314 @matthewbauer
-/pkgs/stdenv/generic @Ericson2314 @matthewbauer
+/pkgs/stdenv/generic @Ericson2314 @matthewbauer @amjoseph-nixpkgs
 /pkgs/stdenv/generic/check-meta.nix @Ericson2314 @matthewbauer @piegamesde
-/pkgs/stdenv/cross @Ericson2314 @matthewbauer
-/pkgs/build-support/cc-wrapper @Ericson2314
+/pkgs/stdenv/cross @Ericson2314 @matthewbauer @amjoseph-nixpkgs
+/pkgs/build-support/cc-wrapper @Ericson2314 @amjoseph-nixpkgs
 /pkgs/build-support/bintools-wrapper @Ericson2314
 /pkgs/build-support/setup-hooks @Ericson2314
 /pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
@@ -58,13 +58,9 @@
 /maintainers/scripts/db-to-md.sh @jtojnar @ryantm
 /maintainers/scripts/doc @jtojnar @ryantm
 
-/doc/* @fricklerhandwerk
 /doc/build-aux/pandoc-filters @jtojnar
-/doc/builders/trivial-builders.chapter.md @fricklerhandwerk
 /doc/contributing/ @fricklerhandwerk
 /doc/contributing/contributing-to-documentation.chapter.md @jtojnar @fricklerhandwerk
-/doc/stdenv @fricklerhandwerk
-/doc/using @fricklerhandwerk
 
 # NixOS Internals
 /nixos/default.nix @infinisil
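Review bot: In the second hunk the new owner is added to `/pkgs/stdenv/cross` and `/pkgs/build-support/cc-wrapper`, but the adjacent context line `/pkgs/build-support/bintools-wrapper @Ericson2314` is left untouched, so the two build-support wrappers that stdenv's toolchain is presumably assembled from now require different reviewers. If the intent is to cover the toolchain wrappers as a unit, the sibling entry should change with it: `/pkgs/build-support/bintools-wrapper @Ericson2314 @amjoseph-nixpkgs`. This may well be deliberate upstream; note also that a CODEOWNERS file vendored under `third_party/nixpkgs/.github/` is, as far as I know, not read by GitHub for this repository, so any such fix belongs in nixpkgs itself.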
@@ -128,7 +124,7 @@
 /doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
 
 # C compilers
-/pkgs/development/compilers/gcc @matthewbauer
+/pkgs/development/compilers/gcc @matthewbauer @amjoseph-nixpkgs
 /pkgs/development/compilers/llvm @matthewbauer @RaitoBezarius
 
 # Compatibility stuff
@@ -236,12 +232,12 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /nixos/tests/prometheus-exporters.nix @WilliButz
 
 # PHP interpreter, packages, extensions, tests and documentation
-/doc/languages-frameworks/php.section.md @aanderse @etu @globin @ma27 @talyz
-/nixos/tests/php @aanderse @etu @globin @ma27 @talyz
-/pkgs/build-support/build-pecl.nix @aanderse @etu @globin @ma27 @talyz
-/pkgs/development/interpreters/php @jtojnar @aanderse @etu @globin @ma27 @talyz
-/pkgs/development/php-packages @aanderse @etu @globin @ma27 @talyz
-/pkgs/top-level/php-packages.nix @jtojnar @aanderse @etu @globin @ma27 @talyz
+/doc/languages-frameworks/php.section.md @aanderse @drupol @etu @globin @ma27 @talyz
+/nixos/tests/php @aanderse @drupol @etu @globin @ma27 @talyz
+/pkgs/build-support/build-pecl.nix @aanderse @drupol @etu @globin @ma27 @talyz
+/pkgs/development/interpreters/php @jtojnar @aanderse @drupol @etu @globin @ma27 @talyz
+/pkgs/development/php-packages @aanderse @drupol @etu @globin @ma27 @talyz
+/pkgs/top-level/php-packages.nix @jtojnar @aanderse @drupol @etu @globin @ma27 @talyz
 
 # Podman, CRI-O modules and related
 /nixos/modules/virtualisation/containers.nix @zowoq @adisbladis
@@ -297,11 +293,18 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/development/compilers/dotnet @IvarWithoutBones
 
 # Node.js
-/pkgs/build-support/node/build-npm-package @winterqt
-/pkgs/build-support/node/fetch-npm-deps @winterqt
-/doc/languages-frameworks/javascript.section.md @winterqt
+/pkgs/build-support/node/build-npm-package @lilyinstarlight @winterqt
+/pkgs/build-support/node/fetch-npm-deps @lilyinstarlight @winterqt
+/doc/languages-frameworks/javascript.section.md @lilyinstarlight @winterqt
 
 # OCaml
-/pkgs/build-support/ocaml @romildo @ulrikstrid
-/pkgs/development/compilers/ocaml @romildo @ulrikstrid
-/pkgs/development/ocaml-modules @romildo @ulrikstrid
+/pkgs/build-support/ocaml @ulrikstrid
+/pkgs/development/compilers/ocaml @ulrikstrid
+/pkgs/development/ocaml-modules @ulrikstrid
+
+# ZFS
+pkgs/os-specific/linux/zfs @raitobezarius
+nixos/lib/make-single-disk-zfs-image.nix @raitobezarius
+nixos/lib/make-multi-disk-zfs-image.nix @raitobezarius
+nixos/modules/tasks/filesystems/zfs.nix @raitobezarius
+nixos/tests/zfs.nix @raitobezarius
diff --git a/third_party/nixpkgs/.github/PULL_REQUEST_TEMPLATE.md b/third_party/nixpkgs/.github/PULL_REQUEST_TEMPLATE.md
index 5f21df834d..b2ec787313 100644
--- a/third_party/nixpkgs/.github/PULL_REQUEST_TEMPLATE.md
+++ b/third_party/nixpkgs/.github/PULL_REQUEST_TEMPLATE.md
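Review bot: The five new ZFS entries are written without a leading `/` (`pkgs/os-specific/linux/zfs @raitobezarius`, `nixos/tests/zfs.nix @raitobezarius`, …), unlike the anchored `/pkgs/...` and `/doc/...` entries in the Node.js and OCaml blocks directly above them. In CODEOWNERS an unanchored pattern matches that relative path at any depth, as in .gitignore, so the ownership claim is wider than the anchored form and the automatic review request could fire for any directory that happens to end in that path; anchoring, e.g. `/pkgs/os-specific/linux/zfs @raitobezarius`, keeps the claim precise and the file consistent. The `pkgs/development/python-modules/buildcatrust/` line visible in the hunk header has the same shape, so this is a pre-existing inconsistency rather than a new rule. As this copy lives under `third_party/nixpkgs/.github/`, GitHub will, as far as I know, not evaluate it for this repository, so the fix belongs upstream.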
@@ -22,7 +22,7 @@ For new packages please briefly describe the package or provide a link to its ho
 - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages
 - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
 - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
-- [23.05 Release Notes (or backporting 22.11 Release notes)](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#generating-2305-release-notes)
+- [23.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) (or backporting [23.05 Release notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2305.section.md))
 - [ ] (Package updates) Added a release notes entry if the change is major or breaking
 - [ ] (Module updates) Added a release notes entry if the change is significant
 - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
diff --git a/third_party/nixpkgs/.github/labeler.yml b/third_party/nixpkgs/.github/labeler.yml
index 44e5dcbf65..941cc65e6d 100644
--- a/third_party/nixpkgs/.github/labeler.yml
+++ b/third_party/nixpkgs/.github/labeler.yml
@@ -64,6 +64,9 @@
 - pkgs/build-support/kernel/**/*
 - pkgs/os-specific/linux/kernel/**/*
 
+"6.topic: lib":
+ - lib/**
+
 "6.topic: lua":
 - pkgs/development/interpreters/lua-5/**/*
 - pkgs/development/interpreters/luajit/**/*
@@ -83,6 +86,13 @@
 - nixos/tests/mate.nix
 - pkgs/desktops/mate/**/*
 
+"6.topic: module system":
+ - lib/modules.nix
+ - lib/types.nix
+ - lib/options.nix
+ - lib/tests/modules.sh
+ - lib/tests/modules/**
+
 "6.topic: nixos":
 - nixos/**/*
 - pkgs/os-specific/linux/nixos-rebuild/**/*
@@ -93,6 +103,14 @@
 - pkgs/development/nim-packages/**/*
 - pkgs/top-level/nim-packages.nix
 
+"6.topic: nodejs":
+ - doc/languages-frameworks/javascript.section.md
+ - pkgs/build-support/node/**/*
+ - pkgs/development/node-packages/**/*
+ - pkgs/development/tools/yarn/*
+ - pkgs/development/tools/yarn2nix-moretea/**/*
+ - pkgs/development/web/nodejs/*
+
 "6.topic: ocaml":
 - doc/languages-frameworks/ocaml.section.md
 - pkgs/development/compilers/ocaml/**/*
diff --git a/third_party/nixpkgs/.github/workflows/backport.yml b/third_party/nixpkgs/.github/workflows/backport.yml
index 60ceb304ee..81fc5306fe 100644
--- a/third_party/nixpkgs/.github/workflows/backport.yml
+++ b/third_party/nixpkgs/.github/workflows/backport.yml
@@ -24,7 +24,7 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Create backport PRs
- uses: korthout/backport-action@v1.2.0
+ uses: korthout/backport-action@v1.3.1
 with:
 # Config README: https://github.com/korthout/backport-action#backport-action
 copy_labels_pattern: 'severity:\ssecurity'
diff --git a/third_party/nixpkgs/.github/workflows/basic-eval.yml b/third_party/nixpkgs/.github/workflows/basic-eval.yml
index 605d6a30a3..272447ecee 100644
--- a/third_party/nixpkgs/.github/workflows/basic-eval.yml
+++ b/third_party/nixpkgs/.github/workflows/basic-eval.yml
@@ -19,7 +19,7 @@ jobs:
 # we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
 steps:
 - uses: actions/checkout@v3
- - uses: cachix/install-nix-action@v20
+ - uses: cachix/install-nix-action@v22
 - uses: cachix/cachix-action@v12
 with:
 # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
diff --git a/third_party/nixpkgs/.github/workflows/check-maintainers-sorted.yaml b/third_party/nixpkgs/.github/workflows/check-maintainers-sorted.yaml
index fc03988b06..652ddd0749 100644
--- a/third_party/nixpkgs/.github/workflows/check-maintainers-sorted.yaml
+++ b/third_party/nixpkgs/.github/workflows/check-maintainers-sorted.yaml
@@ -16,7 +16,7 @@ jobs:
 with:
 # pull_request_target checks out the base branch by default
 ref: refs/pull/${{ github.event.pull_request.number }}/merge
- - uses: cachix/install-nix-action@v20
+ - uses: cachix/install-nix-action@v22
 with:
 # explicitly enable sandbox
 extra_nix_config: sandbox = true
diff --git a/third_party/nixpkgs/.github/workflows/compare-manuals.sh b/third_party/nixpkgs/.github/workflows/compare-manuals.sh
deleted file mode 100755
index b2cc68c783..0000000000
--- a/third_party/nixpkgs/.github/workflows/compare-manuals.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -i bash -p html-tidy
-
-set -euo pipefail
-shopt -s inherit_errexit
-
-normalize() {
- tidy \
- --anchor-as-name no \
- --coerce-endtags no \
- --escape-scripts no \
- --fix-backslash no \
- --fix-style-tags no \
- --fix-uri no \
- --indent yes \
- --wrap 0 \
- < "$1" \
- 2> /dev/null
-}
-
-diff -U3 <(normalize "$1") <(normalize "$2")
diff --git a/third_party/nixpkgs/.github/workflows/editorconfig.yml b/third_party/nixpkgs/.github/workflows/editorconfig.yml
index 5dd85ca26f..e72f706def 100644
--- a/third_party/nixpkgs/.github/workflows/editorconfig.yml
+++ b/third_party/nixpkgs/.github/workflows/editorconfig.yml
@@ -28,7 +28,7 @@ jobs:
 with:
 # pull_request_target checks out the base branch by default
 ref: refs/pull/${{ github.event.pull_request.number }}/merge
- - uses: cachix/install-nix-action@v20
+ - uses: cachix/install-nix-action@v22
 with:
 # nixpkgs commit is pinned so that it doesn't break
 # editorconfig-checker 2.4.0
diff --git a/third_party/nixpkgs/.github/workflows/manual-nixos.yml b/third_party/nixpkgs/.github/workflows/manual-nixos.yml
index 85c7ac2d69..9862d8d724 100644
--- a/third_party/nixpkgs/.github/workflows/manual-nixos.yml
+++ b/third_party/nixpkgs/.github/workflows/manual-nixos.yml
@@ -18,7 +18,7 @@ jobs:
 with:
 # pull_request_target checks out the base branch by default
 ref: refs/pull/${{ github.event.pull_request.number }}/merge
- - uses: cachix/install-nix-action@v20
+ - uses: cachix/install-nix-action@v22
 with:
 # explicitly enable sandbox
 extra_nix_config: sandbox = true
@@ -27,13 +27,5 @@ jobs:
 # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
 name: nixpkgs-ci
 signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
- - name: Building NixOS manual with DocBook options
+ - name: Building NixOS manual
 run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux
- - name: Building NixOS manual with Markdown options
- run: |
- export NIX_PATH=nixpkgs=$(pwd)
- nix-build \
- --option restrict-eval true \
- --arg configuration '{ documentation.nixos.options.allowDocBook = false; }' \
- nixos/release.nix \
- -A manual.x86_64-linux
diff --git a/third_party/nixpkgs/.github/workflows/manual-nixpkgs.yml b/third_party/nixpkgs/.github/workflows/manual-nixpkgs.yml
index 4f76a0d732..812907ab84 100644
--- a/third_party/nixpkgs/.github/workflows/manual-nixpkgs.yml
+++ b/third_party/nixpkgs/.github/workflows/manual-nixpkgs.yml
@@ -19,7 +19,7 @@ jobs:
 with:
 # pull_request_target checks out the base branch by default
 ref: refs/pull/${{ github.event.pull_request.number }}/merge
- - uses: cachix/install-nix-action@v20
+ - uses: cachix/install-nix-action@v22
 with:
 # explicitly enable sandbox
 extra_nix_config: sandbox = true
diff --git a/third_party/nixpkgs/.github/workflows/manual-rendering.yml b/third_party/nixpkgs/.github/workflows/manual-rendering.yml
deleted file mode 100644
index ad47776086..0000000000
--- a/third_party/nixpkgs/.github/workflows/manual-rendering.yml
+++ /dev/null
@@ -1,64 +0,0 @@
-name: "Check NixOS Manual DocBook rendering against MD rendering"
-
-
-on:
- schedule:
- # * is a special character in YAML so you have to quote this string
- # Check every 24 hours
- - cron: '0 0 * * *'
-
-permissions:
- contents: read
-
-jobs:
- check-rendering-equivalence:
- permissions:
- pull-requests: write # for peter-evans/create-or-update-comment to create or update comment
- if: github.repository_owner == 'NixOS'
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: cachix/install-nix-action@v20
- with:
- # explicitly enable sandbox
- extra_nix_config: sandbox = true
- uses: cachix/cachix-action@v12
- with:
- # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
- name: nixpkgs-ci
- signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-
- - name: Build DocBook and MD manuals
- run: |
- export NIX_PATH=nixpkgs=$(pwd)
- nix-build \
- --option restrict-eval true \
- -o docbook nixos/release.nix \
- -A manual.x86_64-linux
- nix-build \
- --option restrict-eval true \
- --arg configuration '{ documentation.nixos.options.allowDocBook = false; }' \
- -o md nixos/release.nix \
- -A manual.x86_64-linux
-
- - name: Compare DocBook and MD manuals
- id: check
- run: |
- export NIX_PATH=nixpkgs=$(pwd)
- .github/workflows/compare-manuals.sh \
- docbook/share/doc/nixos/options.html \
- md/share/doc/nixos/options.html
-
- # if the manual can't be built we don't want to notify anyone.
- # while this may temporarily hide rendering failures it will be a lot
- # less noisy until all nixpkgs pull requests have stopped using
- # docbook for option docs.
- - name: Comment on failure
- uses: peter-evans/create-or-update-comment@v3
- if: ${{ failure() && steps.check.conclusion == 'failure' }}
- with:
- issue-number: 189318
- body: |
- Markdown and DocBook manuals do not agree.
-
- Check https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }} for details.
diff --git a/third_party/nixpkgs/.github/workflows/periodic-merge-24h.yml b/third_party/nixpkgs/.github/workflows/periodic-merge-24h.yml
index dd0c1a2333..abfb51244f 100644
--- a/third_party/nixpkgs/.github/workflows/periodic-merge-24h.yml
+++ b/third_party/nixpkgs/.github/workflows/periodic-merge-24h.yml
@@ -34,10 +34,6 @@ jobs:
 pairs:
 - from: master
 into: haskell-updates
- - from: release-22.11
- into: staging-next-22.11
- - from: staging-next-22.11
- into: staging-22.11
 - from: release-23.05
 into: staging-next-23.05
 - from: staging-next-23.05
diff --git a/third_party/nixpkgs/.github/workflows/update-terraform-providers.yml b/third_party/nixpkgs/.github/workflows/update-terraform-providers.yml
index e0e68b4bf1..e7767dbffa 100644
--- a/third_party/nixpkgs/.github/workflows/update-terraform-providers.yml
+++ b/third_party/nixpkgs/.github/workflows/update-terraform-providers.yml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - uses: cachix/install-nix-action@v20
+ - uses: cachix/install-nix-action@v22
 with:
 nix_path: nixpkgs=channel:nixpkgs-unstable
 - name: setup
diff --git a/third_party/nixpkgs/CONTRIBUTING.md b/third_party/nixpkgs/CONTRIBUTING.md
index 82f8d022a9..f318f19ead 100644
--- a/third_party/nixpkgs/CONTRIBUTING.md
+++ b/third_party/nixpkgs/CONTRIBUTING.md
@@ -61,14 +61,26 @@ Pull requests should not be squash merged in order to keep complete commit messa
 This means that, when addressing review comments in order to keep the pull request in an always mergeable status, you will sometimes need to rewrite your branch's history and then force-push it with `git push --force-with-lease`.
 Useful git commands that can help a lot with this are `git commit --patch --amend` and `git rebase --interactive`. For more details consult the git man pages or online resources like [git-rebase.io](https://git-rebase.io/) or [The Pro Git Book](https://git-scm.com/book/en/v2/Git-Tools-Rewriting-History).
 
+## Testing changes
+
+To run the main types of tests locally:
+
+- Run package-internal tests with `nix-build --attr pkgs.PACKAGE.passthru.tests`
+- Run [NixOS tests](https://nixos.org/manual/nixos/unstable/#sec-nixos-tests) with `nix-build --attr nixosTest.NAME`, where `NAME` is the name of the test listed in `nixos/tests/all-tests.nix`
+- Run [global package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests) with `nix-build --attr tests.PACKAGE`, where `PACKAGE` is the name of the test listed in `pkgs/test/default.nix`
+- See `lib/tests/NAME.nix` for instructions on running specific library tests
+
 ## Rebasing between branches (i.e. from master to staging)
 
 From time to time, changes between branches must be rebased, for example, if the
 number of new rebuilds they would cause is too large for the target branch. When
 rebasing, care must be taken to include only the intended changes, otherwise
-many CODEOWNERS will be inadvertently requested for review. To achieve this,
+many CODEOWNERS will be inadvertently requested for review. To achieve this,
 rebasing should not be performed directly on the target branch, but on the merge
-base between the current and target branch.
As an additional precautionary measure,
+you should temporarily mark the PR as draft for the duration of the operation.
+This reduces the probability of mass-pinging people. (OfBorg might still
+request a couple of persons for reviews though.)
 
 In the following example, we assume that the current branch, called `feature`,
 is based on `master`, and we rebase it onto the merge base between
@@ -102,21 +114,51 @@ git status
 git push origin feature --force-with-lease
 ```
 
+### Something went wrong and a lot of people were pinged
+
+It happens. Remember to be kind, especially to new contributors.
+There is no way back, so the pull request should be closed and locked
+(if possible). The changes should be re-submitted in a new PR, in which the people
+originally involved in the conversation need to manually be pinged again.
+No further discussion should happen on the original PR, as a lot of people
+are now subscribed to it.
+
+The following message (or a version thereof) might be left when closing to
+describe the situation, since closing and locking without any explanation
+is kind of rude:
+
+```markdown
+It looks like you accidentally mass-pinged a bunch of people, which are now subscribed
+and getting notifications for everything in this pull request. Unfortunately, they
+cannot be automatically unsubscribed from the issue (removing review request does not
+unsubscribe), therefore development cannot continue in this pull request anymore.
+
+Please open a new pull request with your changes, link back to this one and ping the
+people actually involved in here over there.
+
+In order to avoid this in the future, there are instructions for how to properly
+rebase between branches in our [contribution guidelines](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md#rebasing-between-branches-ie-from-master-to-staging).
+Setting your pull request to draft prior to rebasing is strongly recommended.
+In draft status, you can preview the list of people that are about to be requested
+for review, which allows you to sidestep this issue.
+This is not a bulletproof method though, as OfBorg still does review requests even on draft PRs.
+```
+
 ## Backporting changes
 
 Follow these steps to backport a change into a release branch in compliance with the [commit policy](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches).
 
-You can add a label such as `backport release-22.11` to a PR, so that merging it will
+You can add a label such as `backport release-23.05` to a PR, so that merging it will
 automatically create a backport (via [a GitHub Action](.github/workflows/backport.yml)).
-This also works for PR's that have already been merged, and might take a couple of minutes to trigger.
+This also works for pull requests that have already been merged, and might take a couple of minutes to trigger.
 
 You can also create the backport manually:
 
 1. Take note of the commits in which the change was introduced into `master` branch.
-2. Check out the target _release branch_, e.g. `release-22.11`. Do not use a _channel branch_ like `nixos-22.11` or `nixpkgs-22.11-darwin`.
+2. Check out the target _release branch_, e.g. `release-23.05`. Do not use a _channel branch_ like `nixos-23.05` or `nixpkgs-23.05-darwin`.
 3. Create a branch for your change, e.g. `git checkout -b backport`.
 4. When the reason to backport is not obvious from the original commit message, use `git cherry-pick -xe ` and add a reason. Otherwise use `git cherry-pick -x `. That's fine for minor version updates that only include security and bug fixes, commits that fixes an otherwise broken package or similar. Please also ensure the commits exists on the master branch; in the case of squashed or rebased merges, the commit hash will change and the new commits can be found in the merge message at the bottom of the master pull request.
-5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-22.11`) as the target branch of the pull request, and link to the pull request in which the original change was committed to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[22.11]`.
+5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. 
`release-23.05`) as the target branch of the pull request, and link to the pull request in which the original change was committed to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[23.05]`.
 6. When the backport pull request is merged and you have the necessary privileges you can also replace the label `9.needs: port to stable` with `8.has: port to stable` on the original pull request. This way maintainers can keep track of missing backports easier.
 
 ## Criteria for Backporting changes
@@ -128,19 +170,6 @@ Anything that does not cause user or downstream dependency regressions can be ba
 - Services which require a client to be up-to-date regardless. (E.g. `spotify`, `steam`, or `discord`)
 - Security critical applications (E.g. `firefox`)
 
-## Generating 23.05 Release Notes
-
-
-Documentation in nixpkgs is transitioning to a markdown-centric workflow. In the past release notes required a translation step to convert from markdown to a compatible docbook document, but this is no longer necessary.
-
-Steps for updating 23.05 Release notes:
-
-1. Edit `nixos/doc/manual/release-notes/rl-2305.section.md` with the desired changes
-2. Commit changes to `rl-2305.section.md`.
-
 ## Reviewing contributions
 
 See the nixpkgs manual for more details on how to [Review contributions](https://nixos.org/nixpkgs/manual/#chap-reviewing-contributions).
diff --git a/third_party/nixpkgs/README.md b/third_party/nixpkgs/README.md
index 4c6ad63516..d840e2a8c5 100644
--- a/third_party/nixpkgs/README.md
+++ b/third_party/nixpkgs/README.md
@@ -51,9 +51,9 @@ Nixpkgs and NixOS are built and tested by our continuous integration
 system, [Hydra](https://hydra.nixos.org/).
 
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for the NixOS 22.11 release](https://hydra.nixos.org/jobset/nixos/release-22.11)
+* [Continuous package builds for the NixOS 23.05 release](https://hydra.nixos.org/jobset/nixos/release-23.05)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for the NixOS 22.11 release](https://hydra.nixos.org/job/nixos/release-22.11/tested#tabs-constituents)
+* [Tests for the NixOS 23.05 release](https://hydra.nixos.org/job/nixos/release-23.05/tested#tabs-constituents)
 
 Artifacts successfully built with Hydra are published to cache at
 https://cache.nixos.org/. When successful build and test criteria are
diff --git a/third_party/nixpkgs/doc/.gitignore b/third_party/nixpkgs/doc/.gitignore
deleted file mode 100644
index b08285995f..0000000000
--- a/third_party/nixpkgs/doc/.gitignore
+++ /dev/null
@@ -1,11 +0,0 @@
-*.chapter.xml
-*.section.xml
-.version
-functions/library/generated
-functions/library/locations.xml
-highlightjs
-manual-full.xml
-out
-result
-result-*
-media
diff --git a/third_party/nixpkgs/doc/Makefile b/third_party/nixpkgs/doc/Makefile
deleted file mode 100644
index 208f23f502..0000000000
--- a/third_party/nixpkgs/doc/Makefile
+++ /dev/null
@@ -1,119 +0,0 @@
-MD_TARGETS=$(addsuffix .xml, $(basename $(shell find . -type f -regex '.*\.md$$' -not -name README.md)))
-
-PANDOC ?= pandoc
-
-pandoc_media_dir = media
-# NOTE: Keep in sync with conversion script (/maintainers/scripts/db-to-md.sh).
-# TODO: Remove raw-attribute when we can get rid of DocBook altogether.
-pandoc_commonmark_enabled_extensions = +attributes+fenced_divs+footnotes+bracketed_spans+definition_lists+pipe_tables+raw_attribute
-# Not needed:
-# - docbook-reader/citerefentry-to-rst-role.lua (only relevant for DocBook → MarkDown/rST/MyST)
-pandoc_flags = --extract-media=$(pandoc_media_dir) \
- --lua-filter=$(PANDOC_LUA_FILTERS_DIR)/diagram-generator.lua \
- --lua-filter=build-aux/pandoc-filters/myst-reader/roles.lua \
- --lua-filter=$(PANDOC_LINK_MANPAGES_FILTER) \
- --lua-filter=build-aux/pandoc-filters/docbook-writer/rst-roles.lua \
- --lua-filter=build-aux/pandoc-filters/docbook-writer/labelless-link-is-xref.lua \
- -f commonmark$(pandoc_commonmark_enabled_extensions)+smart
-
-.PHONY: all
-all: validate format out/html/index.html out/epub/manual.epub
-
-.PHONY: render-md
-render-md: ${MD_TARGETS}
-
-.PHONY: debug
-debug:
- nix-shell --run "xmloscopy --docbook5 ./manual.xml ./manual-full.xml"
-
-.PHONY: format
-format: doc-support/result
- find . -iname '*.xml' -type f | while read f; do \
- echo $$f ;\
- xmlformat --config-file "doc-support/result/xmlformat.conf" -i $$f ;\
- done
-
-.PHONY: fix-misc-xml
-fix-misc-xml:
- find . 
-iname '*.xml' -type f \
- -exec ../nixos/doc/varlistentry-fixer.rb {} ';'
-
-.PHONY: clean
-clean:
- rm -f ${MD_TARGETS} doc-support/result .version manual-full.xml functions/library/locations.xml functions/library/generated
- rm -rf ./out/ ./highlightjs ./media
-
-.PHONY: validate
-validate: manual-full.xml doc-support/result
- jing doc-support/result/docbook.rng manual-full.xml
-
-out/html/index.html: doc-support/result manual-full.xml style.css highlightjs
- mkdir -p out/html
- xsltproc \
- --nonet --xinclude \
- --output $@ \
- doc-support/result/xhtml.xsl \
- ./manual-full.xml
-
- mkdir -p out/html/highlightjs/
- cp -r highlightjs out/html/
-
- cp -r $(pandoc_media_dir) out/html/
- cp ./overrides.css out/html/
- cp ./style.css out/html/style.css
-
- mkdir -p out/html/images/callouts
- cp doc-support/result/xsl/docbook/images/callouts/*.svg out/html/images/callouts/
- chmod u+w -R out/html/
-
-out/epub/manual.epub: manual-full.xml
- mkdir -p out/epub/scratch
- xsltproc --nonet \
- --output out/epub/scratch/ \
- doc-support/result/epub.xsl \
- ./manual-full.xml
-
- cp -r $(pandoc_media_dir) out/epub/scratch/OEBPS
- cp ./overrides.css out/epub/scratch/OEBPS
- cp ./style.css out/epub/scratch/OEBPS
- mkdir -p out/epub/scratch/OEBPS/images/callouts/
- cp doc-support/result/xsl/docbook/images/callouts/*.svg out/epub/scratch/OEBPS/images/callouts/
- echo "application/epub+zip" > mimetype
- zip -0Xq "out/epub/manual.epub" mimetype
- rm mimetype
- cd "out/epub/scratch/" && zip -Xr9D "../manual.epub" *
- rm -rf "out/epub/scratch/"
-
-highlightjs: doc-support/result
- mkdir -p highlightjs
- cp -r doc-support/result/highlightjs/highlight.pack.js highlightjs/
- cp -r doc-support/result/highlightjs/LICENSE highlightjs/
- cp -r doc-support/result/highlightjs/mono-blue.css highlightjs/
- cp -r doc-support/result/highlightjs/loader.js highlightjs/
-
-
-manual-full.xml: ${MD_TARGETS} .version functions/library/locations.xml functions/library/generated *.xml **/*.xml **/**/*.xml
- xmllint --nonet --xinclude --noxincludenode manual.xml --output manual-full.xml
-
-.version: doc-support/result
- ln -rfs ./doc-support/result/version .version
-
-doc-support/result: doc-support/default.nix
- (cd doc-support; nix-build)
-
-functions/library/locations.xml: doc-support/result
- ln -rfs ./doc-support/result/function-locations.xml functions/library/locations.xml
-
-functions/library/generated: doc-support/result
- ln -rfs ./doc-support/result/function-docs functions/library/generated
-
-%.section.xml: %.section.md
- $(PANDOC) $^ -t docbook \
- $(pandoc_flags) \
- -o $@
-
-%.chapter.xml: %.chapter.md
- $(PANDOC) $^ -t docbook \
- --top-level-division=chapter \
- $(pandoc_flags) \
- -o $@
diff --git a/third_party/nixpkgs/doc/build-aux/pandoc-filters/docbook-reader/citerefentry-to-rst-role.lua b/third_party/nixpkgs/doc/build-aux/pandoc-filters/docbook-reader/citerefentry-to-rst-role.lua
deleted file mode 100644
index 281e85af27..0000000000
--- a/third_party/nixpkgs/doc/build-aux/pandoc-filters/docbook-reader/citerefentry-to-rst-role.lua
+++ /dev/null
@@ -1,23 +0,0 @@
---[[
-Converts Code AST nodes produced by pandoc’s DocBook reader
-from citerefentry elements into AST for corresponding role
-for reStructuredText.
-
-We use subset of MyST syntax (CommonMark with features from rST)
-so let’s use the rST AST for rST features.
-
-Reference: https://www.sphinx-doc.org/en/master/usage/restructuredtext/roles.html#role-manpage
-]]
-
-function Code(elem)
- elem.classes = elem.classes:map(function (x)
- if x == 'citerefentry' then
- elem.attributes['role'] = 'manpage'
- return 'interpreted-text'
- else
- return x
- end
- end)
-
- return elem
-end
diff --git a/third_party/nixpkgs/doc/build-aux/pandoc-filters/docbook-writer/labelless-link-is-xref.lua b/third_party/nixpkgs/doc/build-aux/pandoc-filters/docbook-writer/labelless-link-is-xref.lua
deleted file mode 100644
index fa97729a28..0000000000
--- a/third_party/nixpkgs/doc/build-aux/pandoc-filters/docbook-writer/labelless-link-is-xref.lua
+++ /dev/null
@@ -1,34 +0,0 @@
---[[
-Converts Link AST nodes with empty label to DocBook xref elements.
-
-This is a temporary script to be able use cross-references conveniently
-using syntax taken from MyST, while we still use docbook-xsl
-for generating the documentation.
-
-Reference: https://myst-parser.readthedocs.io/en/latest/using/syntax.html#targets-and-cross-referencing
-]]
-
-local function starts_with(start, str)
- return str:sub(1, #start) == start
-end
-
-local function escape_xml_arg(arg)
- amps = arg:gsub('&', '&')
- amps_quotes = amps:gsub('"', '"')
- amps_quotes_lt = amps_quotes:gsub('<', '<')
-
- return amps_quotes_lt
-end
-
-function Link(elem)
- has_no_content = #elem.content == 0
- targets_anchor = starts_with('#', elem.target)
- has_no_attributes = elem.title == '' and elem.identifier == '' and #elem.classes == 0 and #elem.attributes == 0
-
- if has_no_content and targets_anchor and has_no_attributes then
- -- xref expects idref without the pound-sign
- target_without_hash = elem.target:sub(2, #elem.target)
-
- return pandoc.RawInline('docbook', '')
- end
-end
diff --git a/third_party/nixpkgs/doc/build-aux/pandoc-filters/docbook-writer/rst-roles.lua b/third_party/nixpkgs/doc/build-aux/pandoc-filters/docbook-writer/rst-roles.lua
deleted file mode 100644
index 5c1b034d07..0000000000
--- a/third_party/nixpkgs/doc/build-aux/pandoc-filters/docbook-writer/rst-roles.lua
+++ /dev/null
@@ -1,44 +0,0 @@ ---[[ -Converts AST for reStructuredText roles into corresponding -DocBook elements. - -Currently, only a subset of roles is supported. - -Reference: - List of roles: - https://www.sphinx-doc.org/en/master/usage/restructuredtext/roles.html - manpage: - https://tdg.docbook.org/tdg/5.1/citerefentry.html - file: - https://tdg.docbook.org/tdg/5.1/filename.html -]] - -function Code(elem) - if elem.classes:includes('interpreted-text') then - local tag = nil - local content = elem.text - if elem.attributes['role'] == 'manpage' then - tag = 'citerefentry' - local title, volnum = content:match('^(.+)%((%w+)%)$') - if title == nil then - -- No volnum in parentheses. - title = content - end - content = '' .. title .. '' .. (volnum ~= nil and ('' .. volnum .. '') or '') - elseif elem.attributes['role'] == 'file' then - tag = 'filename' - elseif elem.attributes['role'] == 'command' then - tag = 'command' - elseif elem.attributes['role'] == 'option' then - tag = 'option' - elseif elem.attributes['role'] == 'var' then - tag = 'varname' - elseif elem.attributes['role'] == 'env' then - tag = 'envar' - end - - if tag ~= nil then - return pandoc.RawInline('docbook', '<' .. tag .. '>' .. content .. '') - end - end -end diff --git a/third_party/nixpkgs/doc/build-aux/pandoc-filters/link-manpages.nix b/third_party/nixpkgs/doc/build-aux/pandoc-filters/link-manpages.nix deleted file mode 100644 index 2589a7c342..0000000000 --- a/third_party/nixpkgs/doc/build-aux/pandoc-filters/link-manpages.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ pkgs ? import ../../.. {} }: -let - inherit (pkgs) lib; - manpageURLs = lib.importJSON (pkgs.path + "/doc/manpage-urls.json"); -in pkgs.writeText "link-manpages.lua" '' - --[[ - Adds links to known man pages that aren't already in a link. - ]] - - local manpage_urls = { - ${lib.concatStringsSep "\n" (lib.mapAttrsToList (man: url: - " [${builtins.toJSON man}] = ${builtins.toJSON url},") manpageURLs)} - } - - traverse = 'topdown' - - -- Returning false as the second value aborts processing of child elements. - function Link(elem) - return elem, false - end - - function Code(elem) - local is_man_role = elem.classes:includes('interpreted-text') and elem.attributes['role'] == 'manpage' - if is_man_role and manpage_urls[elem.text] ~= nil then - return pandoc.Link(elem, manpage_urls[elem.text]), false - end - end -'' diff --git a/third_party/nixpkgs/doc/build-aux/pandoc-filters/myst-reader/roles.lua b/third_party/nixpkgs/doc/build-aux/pandoc-filters/myst-reader/roles.lua deleted file mode 100644 index f4ef6d390b..0000000000 --- a/third_party/nixpkgs/doc/build-aux/pandoc-filters/myst-reader/roles.lua +++ /dev/null 
@@ -1,36 +0,0 @@ ---[[ -Replaces Str AST nodes containing {role}, followed by a Code node -by a Code node with attrs that would be produced by rST reader -from the role syntax. - -This is to emulate MyST syntax in Pandoc. -(MyST is a CommonMark flavour with rST features mixed in.) - -Reference: https://myst-parser.readthedocs.io/en/latest/syntax/syntax.html#roles-an-in-line-extension-point -]] - -function Inlines(inlines) - for i = #inlines-1,1,-1 do - local first = inlines[i] - local second = inlines[i+1] - local correct_tags = first.tag == 'Str' and second.tag == 'Code' - if correct_tags then - -- docutils supports alphanumeric strings separated by [-._:] - -- We are slightly more liberal for simplicity. - -- Allow preceding punctuation (eg '('), otherwise '({file}`...`)' - -- does not match. Also allow anything followed by a non-breaking space - -- since pandoc emits those after certain abbreviations (e.g. e.g.). - local prefix, role = first.text:match('^(.*){([-._+:%w]+)}$') - if role ~= nil and (prefix == '' or prefix:match("^.*[%p ]$") ~= nil) then - if prefix == '' then - inlines:remove(i) - else - first.text = prefix - end - second.attributes['role'] = role - second.classes:insert('interpreted-text') - end - end - end - return inlines -end diff --git a/third_party/nixpkgs/doc/build-aux/pandoc-filters/myst-writer/roles.lua b/third_party/nixpkgs/doc/build-aux/pandoc-filters/myst-writer/roles.lua deleted file mode 100644 index 0136bc5506..0000000000 --- a/third_party/nixpkgs/doc/build-aux/pandoc-filters/myst-writer/roles.lua +++ /dev/null 
@@ -1,25 +0,0 @@ ---[[ -Replaces Code nodes with attrs that would be produced by rST reader -from the role syntax by a Str AST node containing {role}, followed by a Code node. - -This is to emulate MyST syntax in Pandoc. -(MyST is a CommonMark flavour with rST features mixed in.) - -Reference: https://myst-parser.readthedocs.io/en/latest/syntax/syntax.html#roles-an-in-line-extension-point -]] - -function Code(elem) - local role = elem.attributes['role'] - - if elem.classes:includes('interpreted-text') and role ~= nil then - elem.classes = elem.classes:filter(function (c) - return c ~= 'interpreted-text' - end) - elem.attributes['role'] = nil - - return { - pandoc.Str('{' .. role .. '}'), - elem, - } - end -end diff --git a/third_party/nixpkgs/doc/builders.md b/third_party/nixpkgs/doc/builders.md new file mode 100644 index 0000000000..2e95942240 --- /dev/null +++ b/third_party/nixpkgs/doc/builders.md @@ -0,0 +1,12 @@ +# Builders {#part-builders} + +```{=include=} chapters +builders/fetchers.chapter.md +builders/trivial-builders.chapter.md +builders/testers.chapter.md +builders/special.md +builders/images.md +hooks/index.md +languages-frameworks/index.md +builders/packages/index.md +``` diff --git a/third_party/nixpkgs/doc/builders/fetchers.chapter.md b/third_party/nixpkgs/doc/builders/fetchers.chapter.md index b86fffa460..4d4f3f427c 100644 --- a/third_party/nixpkgs/doc/builders/fetchers.chapter.md +++ b/third_party/nixpkgs/doc/builders/fetchers.chapter.md 
@@ -132,11 +132,16 @@ A number of fetcher functions wrap part of `fetchurl` and `fetchzip`. They are m `fetchFromGitHub` expects four arguments. `owner` is a string corresponding to the GitHub user or organization that controls this repository. `repo` corresponds to the name of the software repository. These are located at the top of every GitHub HTML page as `owner`/`repo`. `rev` corresponds to the Git commit hash or tag (e.g `v1.0`) that will be downloaded from Git. Finally, `hash` corresponds to the hash of the extracted directory. Again, other hash algorithms are also available, but `hash` is currently preferred. +To use a different GitHub instance, use `githubBase` (defaults to `"github.com"`). + `fetchFromGitHub` uses `fetchzip` to download the source archive generated by GitHub for the specified revision. If `leaveDotGit`, `deepClone` or `fetchSubmodules` are set to `true`, `fetchFromGitHub` will use `fetchgit` instead. Refer to its section for documentation of these options. ## `fetchFromGitLab` {#fetchfromgitlab} -This is used with GitLab repositories. The arguments expected are very similar to `fetchFromGitHub` above. +This is used with GitLab repositories. It behaves similarly to `fetchFromGitHub`, and expects `owner`, `repo`, `rev`, and `hash`. + +To use a specific GitLab instance, use `domain` (defaults to `"gitlab.com"`). + ## `fetchFromGitiles` {#fetchfromgitiles} @@ -144,7 +149,7 @@ This is used with Gitiles repositories. The arguments expected are similar to `f ## `fetchFromBitbucket` {#fetchfrombitbucket} -This is used with BitBucket repositories. The arguments expected are very similar to fetchFromGitHub above. +This is used with BitBucket repositories. The arguments expected are very similar to `fetchFromGitHub` above. ## `fetchFromSavannah` {#fetchfromsavannah} diff --git a/third_party/nixpkgs/doc/builders/images.md b/third_party/nixpkgs/doc/builders/images.md new file mode 100644 index 0000000000..5596784bfa --- /dev/null 
+++ b/third_party/nixpkgs/doc/builders/images.md @@ -0,0 +1,13 @@ +# Images {#chap-images} + +This chapter describes tools for creating various types of images. + +```{=include=} sections +images/appimagetools.section.md +images/dockertools.section.md +images/ocitools.section.md +images/snaptools.section.md +images/portableservice.section.md +images/makediskimage.section.md +images/binarycache.section.md +``` diff --git a/third_party/nixpkgs/doc/builders/images.xml b/third_party/nixpkgs/doc/builders/images.xml deleted file mode 100644 index a4661ab5a7..0000000000 --- a/third_party/nixpkgs/doc/builders/images.xml +++ /dev/null @@ -1,15 +0,0 @@ - - Images - - This chapter describes tools for creating various types of images. - - - - - - - - - diff --git a/third_party/nixpkgs/doc/builders/packages/dlib.section.md b/third_party/nixpkgs/doc/builders/packages/dlib.section.md index 022195310a..bd5b1a20a4 100644 --- a/third_party/nixpkgs/doc/builders/packages/dlib.section.md +++ b/third_party/nixpkgs/doc/builders/packages/dlib.section.md @@ -1,6 +1,6 @@ # DLib {#dlib} -[DLib](http://dlib.net/) is a modern, C++-based toolkit which provides several machine learning algorithms. +[DLib](http://dlib.net/) is a modern, C++\-based toolkit which provides several machine learning algorithms. ## Compiling without AVX support {#compiling-without-avx-support} diff --git a/third_party/nixpkgs/doc/builders/packages/index.md b/third_party/nixpkgs/doc/builders/packages/index.md new file mode 100644 index 0000000000..1f44357024 --- /dev/null +++ b/third_party/nixpkgs/doc/builders/packages/index.md 
@@ -0,0 +1,27 @@ +# Packages {#chap-packages} + +This chapter contains information about how to use and maintain the Nix expressions for a number of specific packages, such as the Linux kernel or X.org. + +```{=include=} sections +citrix.section.md +dlib.section.md +eclipse.section.md +elm.section.md +emacs.section.md +firefox.section.md +fish.section.md +fuse.section.md +ibus.section.md +kakoune.section.md +linux.section.md +locales.section.md +etc-files.section.md +nginx.section.md +opengl.section.md +shell-helpers.section.md +steam.section.md +cataclysm-dda.section.md +urxvt.section.md +weechat.section.md +xorg.section.md +``` diff --git a/third_party/nixpkgs/doc/builders/packages/index.xml b/third_party/nixpkgs/doc/builders/packages/index.xml deleted file mode 100644 index 206e1e49f1..0000000000 --- a/third_party/nixpkgs/doc/builders/packages/index.xml +++ /dev/null @@ -1,29 +0,0 @@ - - Packages - - This chapter contains information about how to use and maintain the Nix expressions for a number of specific packages, such as the Linux kernel or X.org. - - - - - - - - - - - - - - - - - - - - - - - diff --git a/third_party/nixpkgs/doc/builders/special.md b/third_party/nixpkgs/doc/builders/special.md new file mode 100644 index 0000000000..6d07fa87f3 --- /dev/null +++ b/third_party/nixpkgs/doc/builders/special.md @@ -0,0 +1,11 @@ +# Special builders {#chap-special} + +This chapter describes several special builders. + +```{=include=} sections +special/fhs-environments.section.md +special/makesetuphook.section.md +special/mkshell.section.md +special/darwin-builder.section.md +special/vm-tools.section.md +``` diff --git a/third_party/nixpkgs/doc/builders/special.xml b/third_party/nixpkgs/doc/builders/special.xml deleted file mode 100644 index 18cf6cfd39..0000000000 --- a/third_party/nixpkgs/doc/builders/special.xml +++ /dev/null @@ -1,13 +0,0 @@ - - Special builders - - This chapter describes several special builders. - - - - - - - 
diff --git a/third_party/nixpkgs/doc/builders/special/darwin-builder.section.md b/third_party/nixpkgs/doc/builders/special/darwin-builder.section.md index 30bf2d0951..13d01a0e3a 100644 --- a/third_party/nixpkgs/doc/builders/special/darwin-builder.section.md +++ b/third_party/nixpkgs/doc/builders/special/darwin-builder.section.md @@ -1,11 +1,12 @@ -# darwin.builder {#sec-darwin-builder} +# darwin.linux-builder {#sec-darwin-builder} -`darwin.builder` provides a way to bootstrap a Linux builder on a macOS machine. +`darwin.linux-builder` provides a way to bootstrap a Linux builder on a macOS machine. This requires macOS version 12.4 or later. -This also requires that port 22 on your machine is free (since Nix does not -permit specifying a non-default SSH port for builders). +The builder runs on host port 31022 by default. +You can change it by overriding `virtualisation.darwin-builder.hostPort`. +See the [example](#sec-darwin-builder-example-flake). You will also need to be a trusted user for your Nix installation. In other words, your `/etc/nix/nix.conf` should have something like: @@ -17,7 +18,7 @@ extra-trusted-users = To launch the builder, run the following flake: ```ShellSession -$ nix run nixpkgs#darwin.builder +$ nix run nixpkgs#darwin.linux-builder ``` That will prompt you to enter your `sudo` password: 
@@ -50,19 +51,28 @@ To delegate builds to the remote builder, add the following options to your ``` # - Replace ${ARCH} with either aarch64 or x86_64 to match your host machine # - Replace ${MAX_JOBS} with the maximum number of builds (pick 4 if you're not sure) -builders = ssh-ng://builder@localhost ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo= +builders = ssh-ng://builder@linux-builder ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo= # Not strictly necessary, but this will reduce your disk utilization builders-use-substitutes = true ``` +To allow Nix to connect to a builder not running on port 22, you will also need to create a new file at `/etc/ssh/ssh_config.d/100-linux-builder.conf`: + +``` +Host linux-builder + Hostname localhost + HostKeyAlias linux-builder + Port 31022 +``` + … and then restart your Nix daemon to apply the change: ```ShellSession $ sudo launchctl kickstart -k system/org.nixos.nix-daemon ``` -## Example flake usage +## Example flake usage {#sec-darwin-builder-example-flake} ``` { @@ -120,7 +130,7 @@ $ sudo launchctl kickstart -k system/org.nixos.nix-daemon } ``` -## Reconfiguring the builder +## Reconfiguring the builder {#sec-darwin-builder-reconfiguring} Initially you should not change the builder configuration else you will not be able to use the binary cache. However, after you have the builder running locally diff --git a/third_party/nixpkgs/doc/builders/special/fhs-environments.section.md b/third_party/nixpkgs/doc/builders/special/fhs-environments.section.md index 5a248e4ead..8145fbd730 100644 --- a/third_party/nixpkgs/doc/builders/special/fhs-environments.section.md +++ b/third_party/nixpkgs/doc/builders/special/fhs-environments.section.md 
@@ -11,6 +11,8 @@ Accepted arguments are: Packages to be installed for the main host's architecture (i.e. x86_64 on x86_64 installations). Along with libraries binaries are also installed. - `multiPkgs` Packages to be installed for all architectures supported by a host (i.e. i686 and x86_64 on x86_64 installations). Only libraries are installed by default. +- `multiArch` + Whether to install 32bit multiPkgs into the FHSEnv in 64bit environments - `extraBuildCommands` Additional commands to be executed for finalizing the directory structure. - `extraBuildCommandsMulti` diff --git a/third_party/nixpkgs/doc/builders/special/makesetuphook.section.md b/third_party/nixpkgs/doc/builders/special/makesetuphook.section.md index fee508dc29..eb04241213 100644 --- a/third_party/nixpkgs/doc/builders/special/makesetuphook.section.md +++ b/third_party/nixpkgs/doc/builders/special/makesetuphook.section.md @@ -12,7 +12,7 @@ pkgs.makeSetupHook { } ./script.sh ``` -#### setup hook that depends on the hello package and runs hello and @shell@ is substituted with path to bash {#sec-pkgs.makeSetupHook-usage-example} +### setup hook that depends on the hello package and runs hello and @shell@ is substituted with path to bash {#sec-pkgs.makeSetupHook-usage-example} ```nix pkgs.makeSetupHook { diff --git a/third_party/nixpkgs/doc/builders/special/vm-tools.section.md b/third_party/nixpkgs/doc/builders/special/vm-tools.section.md index 3b6fb0d255..8feab04902 100644 --- a/third_party/nixpkgs/doc/builders/special/vm-tools.section.md +++ b/third_party/nixpkgs/doc/builders/special/vm-tools.section.md @@ -6,7 +6,7 @@ A set of VM related utilities, that help in building some packages in more advan A bash script fragment that produces a disk image at `destination`. -### Attributes +### Attributes {#vm-tools-createEmptyImage-attributes} * `size`. The disk size, in MiB. * `fullName`. Name that will be written to `${destination}/nix-support/full-name`. 
@@ -20,14 +20,14 @@ Thus, any pure Nix derivation should run unmodified. If the build fails and Nix is run with the `-K/--keep-failed` option, a script `run-vm` will be left behind in the temporary build directory that allows you to boot into the VM and debug it interactively. -### Attributes +### Attributes {#vm-tools-runInLinuxVM-attributes} * `preVM` (optional). Shell command to be evaluated *before* the VM is started (i.e., on the host). * `memSize` (optional, default `512`). The memory size of the VM in MiB. * `diskImage` (optional). A file system image to be attached to `/dev/sda`. Note that currently we expect the image to contain a filesystem, not a full disk image with a partition table etc. -### Examples +### Examples {#vm-tools-runInLinuxVM-examples} Build the derivation hello inside a VM: ```nix @@ -56,13 +56,13 @@ runInLinuxVM (hello.overrideAttrs (_: { Takes a file, such as an ISO, and extracts its contents into the store. -### Attributes +### Attributes {#vm-tools-extractFs-attributes} * `file`. Path to the file to be extracted. Note that currently we expect the image to contain a filesystem, not a full disk image with a partition table etc. * `fs` (optional). Filesystem of the contents of the file. -### Examples +### Examples {#vm-tools-extractFs-examples} Extract the contents of an ISO file: ```nix @@ -82,7 +82,7 @@ Like [](#vm-tools-runInLinuxVM), but instead of using `stdenv` from the Nix stor Generate a script that can be used to run an interactive session in the given image. -### Examples +### Examples {#vm-tools-makeImageTestScript-examples} Create a script for running a Fedora 27 VM: ```nix @@ -100,7 +100,7 @@ makeImageTestScript diskImages.ubuntu2004x86_64 A set of functions that build a predefined set of minimal Linux distributions images. -### Images +### Images {#vm-tools-diskImageFuns-images} * Fedora * `fedora26x86_64` 
@@ -126,12 +126,12 @@ A set of functions that build a predefined set of minimal Linux distributions im * `debian11i386` * `debian11x86_64` -### Attributes +### Attributes {#vm-tools-diskImageFuns-attributes} * `size` (optional, defaults to `4096`). The size of the image, in MiB. * `extraPackages` (optional). A list names of additional packages from the distribution that should be included in the image. -### Examples +### Examples {#vm-tools-diskImageFuns-examples} 8GiB image containing Firefox in addition to the default packages: ```nix diff --git a/third_party/nixpkgs/doc/builders/testers.chapter.md b/third_party/nixpkgs/doc/builders/testers.chapter.md index 928a57673e..fb6a28b7ee 100644 --- a/third_party/nixpkgs/doc/builders/testers.chapter.md +++ b/third_party/nixpkgs/doc/builders/testers.chapter.md @@ -1,5 +1,5 @@ # Testers {#chap-testers} -This chapter describes several testing builders which are available in the testers namespace. +This chapter describes several testing builders which are available in the `testers` namespace. ## `hasPkgConfigModule` {#tester-hasPkgConfigModule} diff --git a/third_party/nixpkgs/doc/contributing.md b/third_party/nixpkgs/doc/contributing.md new file mode 100644 index 0000000000..3215dbe32b --- /dev/null +++ b/third_party/nixpkgs/doc/contributing.md @@ -0,0 +1,10 @@ +# Contributing to Nixpkgs {#part-contributing} + +```{=include=} chapters +contributing/quick-start.chapter.md +contributing/coding-conventions.chapter.md +contributing/submitting-changes.chapter.md +contributing/vulnerability-roundup.chapter.md +contributing/reviewing-contributions.chapter.md +contributing/contributing-to-documentation.chapter.md +``` diff --git a/third_party/nixpkgs/doc/contributing/coding-conventions.chapter.md b/third_party/nixpkgs/doc/contributing/coding-conventions.chapter.md index 7a538de18d..03cd3dd458 100644 --- a/third_party/nixpkgs/doc/contributing/coding-conventions.chapter.md 
+++ b/third_party/nixpkgs/doc/contributing/coding-conventions.chapter.md @@ -220,7 +220,9 @@ There are a few naming guidelines: - The `version` attribute _must_ start with a digit e.g`"0.3.1rc2". -- If a package is not a release but a commit from a repository, then the `version` attribute _must_ be the date of that (fetched) commit. The date _must_ be in `"unstable-YYYY-MM-DD"` format. +- If a package is a commit from a repository without a version assigned, then the `version` attribute _should_ be the latest upstream version preceding that commit, followed by `-unstable-` and the date of the (fetched) commit. The date _must_ be in `"YYYY-MM-DD"` format. + +Example: Given a project had its latest releases `2.2` in November 2021, and `3.0` in January 2022, a commit authored on March 15, 2022 for an upcoming bugfix release `2.2.1` would have `version = "2.2-unstable-2022-03-15"`. - Dashes in the package `pname` _should_ be preserved in new variable names, rather than converted to underscores or camel cased — e.g., `http-parser` instead of `http_parser` or `httpParser`. The hyphenated style is preferred in all three package names. diff --git a/third_party/nixpkgs/doc/contributing/reviewing-contributions.chapter.md b/third_party/nixpkgs/doc/contributing/reviewing-contributions.chapter.md index 6685c5b60a..10c72fe3d1 100644 --- a/third_party/nixpkgs/doc/contributing/reviewing-contributions.chapter.md +++ b/third_party/nixpkgs/doc/contributing/reviewing-contributions.chapter.md 
@@ -12,7 +12,7 @@ When reviewing a pull request, please always be nice and polite. Controversial c GitHub provides reactions as a simple and quick way to provide feedback to pull requests or any comments. The thumb-down reaction should be used with care and if possible accompanied with some explanation so the submitter has directions to improve their contribution. -pull request reviews should include a list of what has been reviewed in a comment, so other reviewers and mergers can know the state of the review. +Pull request reviews should include a list of what has been reviewed in a comment, so other reviewers and mergers can know the state of the review. All the review template samples provided in this section are generic and meant as examples. Their usage is optional and the reviewer is free to adapt them to their liking. @@ -62,6 +62,8 @@ Sample template for a package update review is provided below. - [ ] package build on ARCHITECTURE - [ ] executables tested on ARCHITECTURE - [ ] all depending packages build +- [ ] patches have a comment describing either the upstream URL or a reason why the patch wasn't upstreamed +- [ ] patches that are remotely available are fetched rather than vendored ##### Possible improvements @@ -105,7 +107,8 @@ Sample template for a new package review is provided below. - [ ] source is fetched using the appropriate function - [ ] the list of `phases` is not overridden - [ ] when a phase (like `installPhase`) is overridden it starts with `runHook preInstall` and ends with `runHook postInstall`. -- [ ] patches that are remotely available are fetched with `fetchpatch` +- [ ] patches have a comment describing either the upstream URL or a reason why the patch wasn't upstreamed +- [ ] patches that are remotely available are fetched rather than vendored ##### Possible improvements 
@@ -201,7 +204,7 @@ checks should be performed: them to either recommit using that key or to remove their key information. - Given a maintainter entry like this: + Given a maintainer entry like this: ``` nix { diff --git a/third_party/nixpkgs/doc/contributing/staging-workflow.dot b/third_party/nixpkgs/doc/contributing/staging-workflow.dot new file mode 100644 index 0000000000..faca7a1cad --- /dev/null +++ b/third_party/nixpkgs/doc/contributing/staging-workflow.dot @@ -0,0 +1,16 @@ +digraph { + "small changes" [shape=none] + "mass-rebuilds and other large changes" [shape=none] + "critical security fixes" [shape=none] + "broken staging-next fixes" [shape=none] + + "small changes" -> master + "mass-rebuilds and other large changes" -> staging + "critical security fixes" -> master + "broken staging-next fixes" -> "staging-next" + + "staging-next" -> master [color="#E85EB0"] [label="stabilization ends"] [fontcolor="#E85EB0"] + "staging" -> "staging-next" [color="#E85EB0"] [label="stabilization starts"] [fontcolor="#E85EB0"] + + master -> "staging-next" -> staging [color="#5F5EE8"] [label="every six hours (GitHub Action)"] [fontcolor="#5F5EE8"] +} diff --git a/third_party/nixpkgs/doc/contributing/staging-workflow.svg b/third_party/nixpkgs/doc/contributing/staging-workflow.svg new file mode 100644 index 0000000000..1a174a7883 --- /dev/null +++ b/third_party/nixpkgs/doc/contributing/staging-workflow.svg 
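Review bot: The new `staging-workflow.dot` is a copy of the old inline graph, not the revised one: it keeps the `#E85EB0`/`#5F5EE8` edge colors, the `stabilization starts`/`stabilization ends` and `every six hours (GitHub Action)` labels, and four source nodes, whereas the ```{.graphviz}``` block this same commit rewrites in `submitting-changes.chapter.md` recolors edges green/red, relabels them `manual merge` / `automatic merge (GitHub Action)`, and adds a `"staging fixes which do not cause staging to mass-rebuild"` node. The prose added beside that block explains the diagram in terms of red and green arrows, so anyone reading this `.dot` (or the `.svg` added in the next hunk, whose text labels match this older version) will see colors and edges the chapter does not describe. Either regenerate the `.dot`/`.svg` from the updated inline graph or have the chapter include the file, so there is a single source of truth for the diagram.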
@@ -0,0 +1,102 @@ + + + + + + + + + +small changes +small changes + + + +master + +master + + + +small changes->master + + + + + +mass-rebuilds and other large changes +mass-rebuilds and other large changes + + + +staging + +staging + + + +mass-rebuilds and other large changes->staging + + + + + +critical security fixes +critical security fixes + + + +critical security fixes->master + + + + + +broken staging-next fixes +broken staging-next fixes + + + +staging-next + +staging-next + + + +broken staging-next fixes->staging-next + + + + + +master->staging-next + + +every six hours (GitHub Action) + + + +staging->staging-next + + +stabilization starts + + + +staging-next->master + + +stabilization ends + + + +staging-next->staging + + +every six hours (GitHub Action) + + + diff --git a/third_party/nixpkgs/doc/contributing/submitting-changes.chapter.md b/third_party/nixpkgs/doc/contributing/submitting-changes.chapter.md index 30fe4fa47d..5a3d269569 100644 --- a/third_party/nixpkgs/doc/contributing/submitting-changes.chapter.md +++ b/third_party/nixpkgs/doc/contributing/submitting-changes.chapter.md 
@@ -214,39 +214,81 @@ The last checkbox is fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blo - Hydra builds for master and staging should not be used as testing platform, it’s a build farm for changes that have been already tested. - When changing the bootloader installation process, extra care must be taken. Grub installations cannot be rolled back, hence changes may break people’s installations forever. For any non-trivial change to the bootloader please file a PR asking for review, especially from \@edolstra. +### Branches {#submitting-changes-branches} + +The `nixpkgs` repository has three major branches: +- `master` +- `staging` +- `staging-next` + +The most important distinction between them is that `staging` +(colored red in the diagram below) can receive commits which cause +a mass-rebuild (for example, anything that changes the `drvPath` of +`stdenv`). The other two branches `staging-next` and `master` +(colored green in the diagram below) can *not* receive commits which +cause a mass-rebuild. + +Arcs between the branches show possible merges into these branches, +either from other branches or from independently submitted PRs. The +colors of these edges likewise show whether or not they could +trigger a mass rebuild (red) or must not trigger a mass rebuild +(green). + +Hydra runs automatic builds for the green branches. + +Notice that the automatic merges are all green arrows. This is by +design. Any merge which might cause a mass rebuild on a branch +which has automatic builds (`staging-next`, `master`) will be a +manual merge to make sure it is good use of compute power. + +Nixpkgs has two branches so that there is one branch (`staging`) +which accepts mass-rebuilding commits, and one fast-rebuilding +branch which accepts independent PRs (`master`). The `staging-next` +branch allows the Hydra operators to batch groups of commits to +`staging` to be built. 
By keeping the `staging-next` branch +separate from `staging`, this batching does not block +developers from merging changes into `staging`. + ```{.graphviz caption="Staging workflow"} digraph { - "small changes" [shape=none] - "mass-rebuilds and other large changes" [shape=none] - "critical security fixes" [shape=none] - "broken staging-next fixes" [shape=none] + master [color="green" fontcolor=green] + "staging-next" [color="green" fontcolor=green] + staging [color="red" fontcolor=red] - "small changes" -> master - "mass-rebuilds and other large changes" -> staging - "critical security fixes" -> master - "broken staging-next fixes" -> "staging-next" + "small changes" [fontcolor=green shape=none] + "small changes" -> master [color=green] - "staging-next" -> master [color="#E85EB0"] [label="stabilization ends"] [fontcolor="#E85EB0"] - "staging" -> "staging-next" [color="#E85EB0"] [label="stabilization starts"] [fontcolor="#E85EB0"] + "mass-rebuilds and other large changes" [fontcolor=red shape=none] + "mass-rebuilds and other large changes" -> staging [color=red] - master -> "staging-next" -> staging [color="#5F5EE8"] [label="every six hours (GitHub Action)"] [fontcolor="#5F5EE8"] + "critical security fixes" [fontcolor=green shape=none] + "critical security fixes" -> master [color=green] + + "staging fixes which do not cause staging to mass-rebuild" [fontcolor=green shape=none] + "staging fixes which do not cause staging to mass-rebuild" -> "staging-next" [color=green] + + "staging-next" -> master [color="red"] [label="manual merge"] [fontcolor="red"] + "staging" -> "staging-next" [color="red"] [label="manual merge"] [fontcolor="red"] + + master -> "staging-next" [color="green"] [label="automatic merge (GitHub Action)"] [fontcolor="green"] + "staging-next" -> staging [color="green"] [label="automatic merge (GitHub Action)"] [fontcolor="green"] } ``` -[This GitHub Action](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/periodic-merge-6h.yml) brings 
changes from `master` to `staging-next` and from `staging-next` to `staging` every 6 hours; these are the blue arrows in the diagram above. The purple arrows in the diagram above are done manually and much less frequently. You can get an idea of how often these merges occur by looking at the git history. +[This GitHub Action](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/periodic-merge-6h.yml) brings changes from `master` to `staging-next` and from `staging-next` to `staging` every 6 hours; these are the green arrows in the diagram above. The red arrows in the diagram above are done manually and much less frequently. You can get an idea of how often these merges occur by looking at the git history. -### Master branch {#submitting-changes-master-branch} +#### Master branch {#submitting-changes-master-branch} The `master` branch is the main development branch. It should only see non-breaking commits that do not cause mass rebuilds. -### Staging branch {#submitting-changes-staging-branch} +#### Staging branch {#submitting-changes-staging-branch} The `staging` branch is a development branch where mass-rebuilds go. Mass rebuilds are commits that cause rebuilds for many packages, like more than 500 (or perhaps, if it's 'light' packages, 1000). It should only see non-breaking mass-rebuild commits. That means it is not to be used for testing, and changes must have been well tested already. If the branch is already in a broken state, please refrain from adding extra new breakages. During the process of a releasing a new NixOS version, this branch or the release-critical packages can be restricted to non-breaking changes. -### Staging-next branch {#submitting-changes-staging-next-branch} +#### Staging-next branch {#submitting-changes-staging-next-branch} The `staging-next` branch is for stabilizing mass-rebuilds submitted to the `staging` branch prior to merging them into `master`. Mass-rebuilds must go via the `staging` branch. 
It must only see non-breaking commits that are fixing issues blocking it from being merged into the `master` branch. @@ -254,7 +296,7 @@ If the branch is already in a broken state, please refrain from adding extra new During the process of a releasing a new NixOS version, this branch or the release-critical packages can be restricted to non-breaking changes. -### Stable release branches {#submitting-changes-stable-release-branches} +#### Stable release branches {#submitting-changes-stable-release-branches} The same staging workflow applies to stable release branches, but the main branch is called `release-*` instead of `master`. diff --git a/third_party/nixpkgs/doc/default.nix b/third_party/nixpkgs/doc/default.nix index 4f55c95a04..8efa406ec1 100644 --- a/third_party/nixpkgs/doc/default.nix +++ b/third_party/nixpkgs/doc/default.nix 
@@ -1,43 +1,146 @@ { pkgs ? (import ./.. { }), nixpkgs ? { }}: let - doc-support = import ./doc-support { inherit pkgs nixpkgs; }; + inherit (pkgs) lib; + inherit (lib) hasPrefix removePrefix; + + lib-docs = import ./doc-support/lib-function-docs.nix { + inherit pkgs nixpkgs; + libsets = [ + { name = "asserts"; description = "assertion functions"; } + { name = "attrsets"; description = "attribute set functions"; } + { name = "strings"; description = "string manipulation functions"; } + { name = "versions"; description = "version string functions"; } + { name = "trivial"; description = "miscellaneous functions"; } + { name = "fixedPoints"; baseName = "fixed-points"; description = "explicit recursion functions"; } + { name = "lists"; description = "list manipulation functions"; } + { name = "debug"; description = "debugging functions"; } + { name = "options"; description = "NixOS / nixpkgs option handling"; } + { name = "path"; description = "path functions"; } + { name = "filesystem"; description = "filesystem functions"; } + { name = "sources"; description = "source filtering functions"; } + { name = "cli"; description = "command-line serialization functions"; } + ]; + }; + + epub = pkgs.runCommand "manual.epub" { + nativeBuildInputs = with pkgs; [ libxslt zip ]; + + epub = '' + + + Nixpkgs Manual + Version ${pkgs.lib.version} + + + Temporarily unavailable + + The Nixpkgs manual is currently not available in EPUB format, + please use the HTML manual + instead. + + + If you've used the EPUB manual in the past and it has been useful to you, please + let us know. 
+ + + + ''; + + passAsFile = [ "epub" ]; + } '' + mkdir scratch + xsltproc \ + --param chapter.autolabel 0 \ + --nonet \ + --output scratch/ \ + ${pkgs.docbook_xsl_ns}/xml/xsl/docbook/epub/docbook.xsl \ + $epubPath + + echo "application/epub+zip" > mimetype + zip -0Xq "$out" mimetype + cd scratch && zip -Xr9D "$out" * + ''; + + # NB: This file describes the Nixpkgs manual, which happens to use module + # docs infra originally developed for NixOS. + optionsDoc = pkgs.nixosOptionsDoc { + inherit (pkgs.lib.evalModules { + modules = [ ../pkgs/top-level/config.nix ]; + class = "nixpkgsConfig"; + }) options; + documentType = "none"; + transformOptions = opt: + opt // { + declarations = + map + (decl: + if hasPrefix (toString ../..) (toString decl) + then + let subpath = removePrefix "/" (removePrefix (toString ../.) (toString decl)); + in { url = "https://github.com/NixOS/nixpkgs/blob/master/${subpath}"; name = subpath; } + else decl) + opt.declarations; + }; + }; in pkgs.stdenv.mkDerivation { name = "nixpkgs-manual"; nativeBuildInputs = with pkgs; [ - pandoc - graphviz - libxml2 - libxslt - zip - jing - xmlformat + nixos-render-docs ]; - src = pkgs.nix-gitignore.gitignoreSource [] ./.; + src = ./.; postPatch = '' - ln -s ${doc-support} ./doc-support/result + ln -s ${optionsDoc.optionsJSON}/share/doc/nixos/options.json ./config-options.json ''; - preBuild = '' - make -j$NIX_BUILD_CORES render-md + buildPhase = '' + cat \ + ./functions/library.md.in \ + ${lib-docs}/index.md \ + > ./functions/library.md + substitute ./manual.md.in ./manual.md \ + --replace '@MANUAL_VERSION@' '${pkgs.lib.version}' + + mkdir -p out/media + + mkdir -p out/highlightjs + cp -t out/highlightjs \ + ${pkgs.documentation-highlighter}/highlight.pack.js \ + ${pkgs.documentation-highlighter}/LICENSE \ + ${pkgs.documentation-highlighter}/mono-blue.css \ + ${pkgs.documentation-highlighter}/loader.js + + cp -t out ./overrides.css ./style.css + + nixos-render-docs manual html \ + --manpage-urls 
./manpage-urls.json \ + --revision ${pkgs.lib.trivial.revisionWithDefault (pkgs.rev or "master")} \ + --stylesheet style.css \ + --stylesheet overrides.css \ + --stylesheet highlightjs/mono-blue.css \ + --script ./highlightjs/highlight.pack.js \ + --script ./highlightjs/loader.js \ + --toc-depth 1 \ + --section-toc-depth 1 \ + manual.md \ + out/index.html ''; installPhase = '' dest="$out/share/doc/nixpkgs" mkdir -p "$(dirname "$dest")" - mv out/html "$dest" + mv out "$dest" mv "$dest/index.html" "$dest/manual.html" - mv out/epub/manual.epub "$dest/nixpkgs-manual.epub" + cp ${epub} "$dest/nixpkgs-manual.epub" mkdir -p $out/nix-support/ echo "doc manual $dest manual.html" >> $out/nix-support/hydra-build-products echo "doc manual $dest nixpkgs-manual.epub" >> $out/nix-support/hydra-build-products ''; - - # Environment variables - PANDOC_LUA_FILTERS_DIR = "${pkgs.pandoc-lua-filters}/share/pandoc/filters"; - PANDOC_LINK_MANPAGES_FILTER = import build-aux/pandoc-filters/link-manpages.nix { inherit pkgs; }; } diff --git a/third_party/nixpkgs/doc/doc-support/default.nix b/third_party/nixpkgs/doc/doc-support/default.nix deleted file mode 100644 index cfa7cbdc82..0000000000 --- a/third_party/nixpkgs/doc/doc-support/default.nix +++ /dev/null 
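Review bot: `src = ./.;` replaces `pkgs.nix-gitignore.gitignoreSource [] ./.`, so anything the doc tree's `.gitignore` excludes (local `out/` renders, a stale generated `manual.md` or `functions/library.md`, editor backups) is now copied into the store and changes the source hash from one checkout to the next, and can ship in the rendered manual. If the gitignore filter was dropped deliberately, the smaller `src = lib.cleanSource ./.;` (the file already has `inherit (pkgs) lib;`) would at least keep `.git`, `result` symlinks and editor files out; otherwise restore the `gitignoreSource` call. A short comment on why the filter is gone would help the next reader either way.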
@@ -1,87 +0,0 @@ -{ pkgs ? (import ../.. {}), nixpkgs ? { }}: -let - inherit (pkgs) lib; - inherit (lib) hasPrefix removePrefix; - - libsets = [ - { name = "asserts"; description = "assertion functions"; } - { name = "attrsets"; description = "attribute set functions"; } - { name = "strings"; description = "string manipulation functions"; } - { name = "versions"; description = "version string functions"; } - { name = "trivial"; description = "miscellaneous functions"; } - { name = "lists"; description = "list manipulation functions"; } - { name = "debug"; description = "debugging functions"; } - { name = "options"; description = "NixOS / nixpkgs option handling"; } - { name = "path"; description = "path functions"; } - { name = "filesystem"; description = "filesystem functions"; } - { name = "sources"; description = "source filtering functions"; } - { name = "cli"; description = "command-line serialization functions"; } - ]; - - locationsXml = import ./lib-function-locations.nix { inherit pkgs nixpkgs libsets; }; - functionDocs = import ./lib-function-docs.nix { inherit locationsXml pkgs libsets; }; - version = pkgs.lib.version; - - epub-xsl = pkgs.writeText "epub.xsl" '' - - - - - - ''; - - xhtml-xsl = pkgs.writeText "xhtml.xsl" '' - - - - - - ''; - - # NB: This file describes the Nixpkgs manual, which happens to use module - # docs infra originally developed for NixOS. - optionsDoc = pkgs.nixosOptionsDoc { - inherit (pkgs.lib.evalModules { - modules = [ ../../pkgs/top-level/config.nix ]; - class = "nixpkgsConfig"; - }) options; - documentType = "none"; - transformOptions = opt: - opt // { - declarations = - map - (decl: - if hasPrefix (toString ../..) (toString decl) - then - let subpath = removePrefix "/" (removePrefix (toString ../..) 
(toString decl)); - in { url = "https://github.com/NixOS/nixpkgs/blob/master/${subpath}"; name = subpath; } - else decl) - opt.declarations; - }; - }; - -in pkgs.runCommand "doc-support" {} -'' - mkdir result - ( - cd result - ln -s ${locationsXml} ./function-locations.xml - ln -s ${functionDocs} ./function-docs - ln -s ${optionsDoc.optionsDocBook} ./config-options.docbook.xml - - ln -s ${pkgs.docbook5}/xml/rng/docbook/docbook.rng ./docbook.rng - ln -s ${pkgs.docbook_xsl_ns}/xml/xsl ./xsl - ln -s ${epub-xsl} ./epub.xsl - ln -s ${xhtml-xsl} ./xhtml.xsl - - ln -s ${./xmlformat.conf} ./xmlformat.conf - ln -s ${pkgs.documentation-highlighter} ./highlightjs - - echo -n "${version}" > ./version - ) - mv result $out -'' diff --git a/third_party/nixpkgs/doc/doc-support/lib-function-docs.nix b/third_party/nixpkgs/doc/doc-support/lib-function-docs.nix index cf218fa704..8592fafbbd 100644 --- a/third_party/nixpkgs/doc/doc-support/lib-function-docs.nix +++ b/third_party/nixpkgs/doc/doc-support/lib-function-docs.nix 
@@ -1,36 +1,41 @@ # Generates the documentation for library functions via nixdoc. -{ pkgs, locationsXml, libsets }: +{ pkgs, nixpkgs, libsets }: -with pkgs; stdenv.mkDerivation { +with pkgs; + +let + locationsJSON = import ./lib-function-locations.nix { inherit pkgs nixpkgs libsets; }; +in +stdenv.mkDerivation { name = "nixpkgs-lib-docs"; src = ../../lib; buildInputs = [ nixdoc ]; installPhase = '' function docgen { - # TODO: wrap lib.$1 in , make nixdoc not escape it - if [[ -e "../lib/$1.nix" ]]; then - nixdoc -c "$1" -d "lib.$1: $2" -f "$1.nix" > "$out/$1.xml" + name=$1 + baseName=$2 + description=$3 + # TODO: wrap lib.$name in , make nixdoc not escape it + if [[ -e "../lib/$baseName.nix" ]]; then + nixdoc -c "$name" -d "lib.$name: $description" -l ${locationsJSON} -f "$baseName.nix" > "$out/$name.md" else - nixdoc -c "$1" -d "lib.$1: $2" -f "$1/default.nix" > "$out/$1.xml" + nixdoc -c "$name" -d "lib.$name: $description" -l ${locationsJSON} -f "$baseName/default.nix" > "$out/$name.md" fi - echo "" >> "$out/index.xml" + echo "$out/$name.md" >> "$out/index.md" } mkdir -p "$out" - cat > "$out/index.xml" << 'EOF' - - + cat > "$out/index.md" << 'EOF' + ```{=include=} sections EOF - ${lib.concatMapStrings ({ name, description }: '' - docgen ${name} ${lib.escapeShellArg description} + ${lib.concatMapStrings ({ name, baseName ? name, description }: '' + docgen ${name} ${baseName} ${lib.escapeShellArg description} '') libsets} - echo "" >> "$out/index.xml" - - ln -s ${locationsXml} $out/locations.xml + echo '```' >> "$out/index.md" ''; } diff --git a/third_party/nixpkgs/doc/doc-support/lib-function-locations.nix b/third_party/nixpkgs/doc/doc-support/lib-function-locations.nix index 1ee5964833..e6794617fd 100644 --- a/third_party/nixpkgs/doc/doc-support/lib-function-locations.nix +++ b/third_party/nixpkgs/doc/doc-support/lib-function-locations.nix 
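Review bot: Inside `docgen`, `name=$1`, `baseName=$2` and `description=$3` are assigned without `local`, so every call overwrites shell-global variables, and the call site escapes only `description` while `name` and `baseName` are interpolated bare into the script. Both values come from the `libsets` list in the same repository, so this is a consistency point rather than an injection risk today, but a `baseName` containing whitespace or a shell metacharacter would silently word-split. Suggest `local name=$1 baseName=$2 description=$3` and `docgen ${lib.escapeShellArg name} ${lib.escapeShellArg baseName} ${lib.escapeShellArg description}`.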
@@ -58,28 +58,18 @@ let [ "-prime" ]; urlPrefix = "https://github.com/NixOS/nixpkgs/blob/${revision}"; - xmlstrings = (nixpkgsLib.strings.concatMapStrings - ({ name, value }: - '' -
${name} - - Located at - ${value.file}:${builtins.toString value.line} - in <nixpkgs>. - -
- '') - relativeLocs); + jsonLocs = builtins.listToAttrs + (builtins.map + ({ name, value }: { + name = sanitizeId name; + value = + let + text = "${value.file}:${builtins.toString value.line}"; + target = "${urlPrefix}/${value.file}#L${builtins.toString value.line}"; + in + "[${text}](${target}) in ``"; + }) + relativeLocs); -in pkgs.writeText - "locations.xml" - '' -
- All the locations for every lib function - This file is only for inclusion by other files. - ${xmlstrings} -
- '' +in +pkgs.writeText "locations.json" (builtins.toJSON jsonLocs) diff --git a/third_party/nixpkgs/doc/doc-support/parameters.xml b/third_party/nixpkgs/doc/doc-support/parameters.xml deleted file mode 100644 index 5b39d2f7f1..0000000000 --- a/third_party/nixpkgs/doc/doc-support/parameters.xml +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - diff --git a/third_party/nixpkgs/doc/doc-support/xmlformat.conf b/third_party/nixpkgs/doc/doc-support/xmlformat.conf deleted file mode 100644 index c3f39c7fd8..0000000000 --- a/third_party/nixpkgs/doc/doc-support/xmlformat.conf +++ /dev/null 
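Review bot: `jsonLocs` is keyed by `sanitizeId name` through `builtins.listToAttrs`, so two library functions whose names sanitize to the same id (the visible `"-prime"` replacement suggests `'` is rewritten) would silently collapse into one entry instead of failing the build. If `relativeLocs` is expected to have unique ids, a check that `builtins.length (builtins.attrNames jsonLocs)` equals `builtins.length relativeLocs` would catch that early. The value shape is also an undocumented contract with the `nixdoc -l ${locationsJSON}` call in lib-function-docs.nix; a comment such as `# Consumed by nixdoc -l: sanitized function id -> markdown location link built from text/target` above `jsonLocs` would make it explicit. The enclosing `let` starts before this hunk.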
@@ -1,72 +0,0 @@ -# -# DocBook Configuration file for "xmlformat" -# see http://www.kitebird.com/software/xmlformat/ -# 10 Sept. 2004 -# - -# Only block elements -ackno address appendix article biblioentry bibliography bibliomixed \ -biblioset blockquote book bridgehead callout calloutlist caption caution \ -chapter chapterinfo classsynopsis cmdsynopsis colophon constraintdef \ -constructorsynopsis dedication destructorsynopsis entry epigraph equation example \ -figure formalpara funcsynopsis glossary glossdef glossdiv glossentry glosslist \ -glosssee glossseealso graphic graphicco highlights imageobjectco important \ -index indexdiv indexentry indexinfo info informalequation informalexample \ -informalfigure informaltable legalnotice literallayout lot lotentry mediaobject \ -mediaobjectco msgmain msgset note orderedlist para part preface primaryie \ -procedure qandadiv qandaentry qandaset refentry refentrytitle reference \ -refnamediv refsect1 refsect2 refsect3 refsection revhistory screenshot sect1 \ -sect2 sect3 sect4 sect5 section seglistitem set setindex sidebar simpara \ -simplesect step substeps synopfragment synopsis table term title \ -toc variablelist varlistentry warning itemizedlist listitem \ -footnote colspec partintro row simplelist subtitle tbody tgroup thead tip - format block - normalize no - - -#appendix bibliography chapter glossary preface reference -# element-break 3 - -sect1 section - element-break 2 - - -# -para abstract - format block - entry-break 1 - exit-break 1 - normalize yes - -title - format block - normalize = yes - entry-break = 0 - exit-break = 0 - -# Inline elements -abbrev accel acronym action application citation citebiblioid citerefentry citetitle \ -classname co code command computeroutput constant country database date email emphasis \ -envar errorcode errorname errortext errortype exceptionname fax filename \ -firstname firstterm footnoteref foreignphrase funcdef funcparams function \ -glossterm group guibutton guiicon 
guilabel guimenu guimenuitem guisubmenu \ -hardware holder honorific indexterm inlineequation inlinegraphic inlinemediaobject \ -interface interfacename \ -keycap keycode keycombo keysym lineage link literal manvolnum markup medialabel \ -menuchoice methodname methodparam modifier mousebutton olink ooclass ooexception \ -oointerface option optional otheraddr othername package paramdef parameter personname \ -phrase pob postcode productname prompt property quote refpurpose replaceable \ -returnvalue revnumber sgmltag state street structfield structname subscript \ -superscript surname symbol systemitem token trademark type ulink userinput \ -uri varargs varname void wordasword xref year mathphrase member tag - format inline - -programlisting screen - format verbatim - entry-break = 0 - exit-break = 0 - -# This is needed so that the spacing inside those tags is kept. -term cmdsynopsis arg - normalize yes - format block diff --git a/third_party/nixpkgs/doc/functions.md b/third_party/nixpkgs/doc/functions.md new file mode 100644 index 0000000000..09033c9e3c --- /dev/null +++ b/third_party/nixpkgs/doc/functions.md @@ -0,0 +1,11 @@ +# Functions reference {#chap-functions} + +The nixpkgs repository has several utility functions to manipulate Nix expressions. + +```{=include=} sections +functions/library.md +functions/generators.section.md +functions/debug.section.md +functions/prefer-remote-fetch.section.md +functions/nix-gitignore.section.md +``` diff --git a/third_party/nixpkgs/doc/functions.xml b/third_party/nixpkgs/doc/functions.xml deleted file mode 100644 index 8ef530d307..0000000000 --- a/third_party/nixpkgs/doc/functions.xml +++ /dev/null @@ -1,14 +0,0 @@ - - Functions reference - - The nixpkgs repository has several utility functions to manipulate Nix expressions. - - - - - - - diff --git a/third_party/nixpkgs/doc/functions/generators.section.md b/third_party/nixpkgs/doc/functions/generators.section.md index d54e5027c7..8b3ae6843a 100644 
--- a/third_party/nixpkgs/doc/functions/generators.section.md +++ b/third_party/nixpkgs/doc/functions/generators.section.md @@ -16,7 +16,7 @@ let if v == true then ''"yes"'' else if v == false then ''"no"'' else if isString v then ''"${v}"'' - # and delegats all other values to the default generator + # and delegates all other values to the default generator else generators.mkValueStringDefault {} v; } ":"; }; diff --git a/third_party/nixpkgs/doc/functions/library.md.in b/third_party/nixpkgs/doc/functions/library.md.in new file mode 100644 index 0000000000..e17de86feb --- /dev/null +++ b/third_party/nixpkgs/doc/functions/library.md.in @@ -0,0 +1,5 @@ +# Nixpkgs Library Functions {#sec-functions-library} + +Nixpkgs provides a standard library at `pkgs.lib`, or through `import `. + + diff --git a/third_party/nixpkgs/doc/functions/library.xml b/third_party/nixpkgs/doc/functions/library.xml deleted file mode 100644 index 788ea0b94f..0000000000 --- a/third_party/nixpkgs/doc/functions/library.xml +++ /dev/null @@ -1,14 +0,0 @@ -
- Nixpkgs Library Functions - - - Nixpkgs provides a standard library at pkgs.lib, or through import <nixpkgs/lib>. - - - - -
diff --git a/third_party/nixpkgs/doc/hooks/autoconf.section.md b/third_party/nixpkgs/doc/hooks/autoconf.section.md index 13d75910f1..90e4681ef9 100644 --- a/third_party/nixpkgs/doc/hooks/autoconf.section.md +++ b/third_party/nixpkgs/doc/hooks/autoconf.section.md @@ -1,4 +1,3 @@ - -### Autoconf {#setup-hook-autoconf} +# Autoconf {#setup-hook-autoconf} The `autoreconfHook` derivation adds `autoreconfPhase`, which runs autoreconf, libtoolize and automake, essentially preparing the configure script in autotools-based builds. Most autotools-based packages come with the configure script pre-generated, but this hook is necessary for a few packages and when you need to patch the package’s configure scripts. diff --git a/third_party/nixpkgs/doc/hooks/automake.section.md b/third_party/nixpkgs/doc/hooks/automake.section.md index 562ac18fcd..dd0ff9c0cc 100644 --- a/third_party/nixpkgs/doc/hooks/automake.section.md +++ b/third_party/nixpkgs/doc/hooks/automake.section.md @@ -1,4 +1,3 @@ - -### Automake {#setup-hook-automake} +# Automake {#setup-hook-automake} Adds the `share/aclocal` subdirectory of each build input to the `ACLOCAL_PATH` environment variable. diff --git a/third_party/nixpkgs/doc/hooks/autopatchelf.section.md b/third_party/nixpkgs/doc/hooks/autopatchelf.section.md index 9c2852ccf2..008a90d461 100644 --- a/third_party/nixpkgs/doc/hooks/autopatchelf.section.md +++ b/third_party/nixpkgs/doc/hooks/autopatchelf.section.md @@ -1,5 +1,4 @@ - -### autoPatchelfHook {#setup-hook-autopatchelfhook} +# autoPatchelfHook {#setup-hook-autopatchelfhook} This is a special setup hook which helps in packaging proprietary software in that it automatically tries to find missing shared library dependencies of ELF files based on the given `buildInputs` and `nativeBuildInputs`. diff --git a/third_party/nixpkgs/doc/hooks/breakpoint.section.md b/third_party/nixpkgs/doc/hooks/breakpoint.section.md index 9600e06b79..424a9424b5 100644 --- a/third_party/nixpkgs/doc/hooks/breakpoint.section.md 
+++ b/third_party/nixpkgs/doc/hooks/breakpoint.section.md @@ -1,5 +1,4 @@ - -### breakpointHook {#breakpointhook} +# breakpointHook {#breakpointhook} This hook will make a build pause instead of stopping when a failure happens. It prevents nix from cleaning up the build environment immediately and allows the user to attach to a build environment using the `cntr` command. Upon build error it will print instructions on how to use `cntr`, which can be used to enter the environment for debugging. Installing cntr and running the command will provide shell access to the build sandbox of failed build. At `/var/lib/cntr` the sandboxed filesystem is mounted. All commands and files of the system are still accessible within the shell. To execute commands from the sandbox use the cntr exec subcommand. `cntr` is only supported on Linux-based platforms. To use it first add `cntr` to your `environment.systemPackages` on NixOS or alternatively to the root user on non-NixOS systems. Then in the package that is supposed to be inspected, add `breakpointHook` to `nativeBuildInputs`. diff --git a/third_party/nixpkgs/doc/hooks/cmake.section.md b/third_party/nixpkgs/doc/hooks/cmake.section.md index 58fbfa45a2..b5dc5a9144 100644 --- a/third_party/nixpkgs/doc/hooks/cmake.section.md +++ b/third_party/nixpkgs/doc/hooks/cmake.section.md 
@@ -1,4 +1,3 @@ - -### cmake {#cmake} +# cmake {#cmake} Overrides the default configure phase to run the CMake command. By default, we use the Make generator of CMake. In addition, dependencies are added automatically to `CMAKE_PREFIX_PATH` so that packages are correctly detected by CMake. Some additional flags are passed in to give similar behavior to configure-based packages. You can disable this hook’s behavior by setting `configurePhase` to a custom value, or by setting `dontUseCmakeConfigure`. `cmakeFlags` controls flags passed only to CMake. By default, parallel building is enabled as CMake supports parallel building almost everywhere. When Ninja is also in use, CMake will detect that and use the ninja generator. diff --git a/third_party/nixpkgs/doc/hooks/gdk-pixbuf.section.md b/third_party/nixpkgs/doc/hooks/gdk-pixbuf.section.md index 565216560a..cf7203dfc6 100644 --- a/third_party/nixpkgs/doc/hooks/gdk-pixbuf.section.md +++ b/third_party/nixpkgs/doc/hooks/gdk-pixbuf.section.md @@ -1,4 +1,3 @@ - -### gdk-pixbuf {#setup-hook-gdk-pixbuf} +# gdk-pixbuf {#setup-hook-gdk-pixbuf} Exports `GDK_PIXBUF_MODULE_FILE` environment variable to the builder. Add librsvg package to `buildInputs` to get svg support. See also the [setup hook description in GNOME platform docs](#ssec-gnome-hooks-gdk-pixbuf). diff --git a/third_party/nixpkgs/doc/hooks/ghc.section.md b/third_party/nixpkgs/doc/hooks/ghc.section.md index a4b0841ea4..ac054b954a 100644 --- a/third_party/nixpkgs/doc/hooks/ghc.section.md +++ b/third_party/nixpkgs/doc/hooks/ghc.section.md @@ -1,4 +1,3 @@ - -### GHC {#ghc} +# GHC {#ghc} Creates a temporary package database and registers every Haskell build input in it (TODO: how?). diff --git a/third_party/nixpkgs/doc/hooks/gnome.section.md b/third_party/nixpkgs/doc/hooks/gnome.section.md index 8c209d9b47..b10e808020 100644 --- a/third_party/nixpkgs/doc/hooks/gnome.section.md +++ b/third_party/nixpkgs/doc/hooks/gnome.section.md 
@@ -1,4 +1,3 @@ - -### GNOME platform {#gnome-platform} +# GNOME platform {#gnome-platform} Hooks related to GNOME platform and related libraries like GLib, GTK and GStreamer are described in [](#sec-language-gnome). diff --git a/third_party/nixpkgs/doc/hooks/index.md b/third_party/nixpkgs/doc/hooks/index.md new file mode 100644 index 0000000000..c1e86a3033 --- /dev/null +++ b/third_party/nixpkgs/doc/hooks/index.md @@ -0,0 +1,33 @@ +# Hooks reference {#chap-hooks} + +Nixpkgs has several hook packages that augment the stdenv phases. + +The stdenv built-in hooks are documented in [](#ssec-setup-hooks). + +```{=include=} sections +autoconf.section.md +automake.section.md +autopatchelf.section.md +breakpoint.section.md +cmake.section.md +gdk-pixbuf.section.md +ghc.section.md +gnome.section.md +installShellFiles.section.md +libiconv.section.md +libxml2.section.md +meson.section.md +ninja.section.md +patch-rc-path-hooks.section.md +perl.section.md +pkg-config.section.md +postgresql-test-hook.section.md +python.section.md +qt-4.section.md +scons.section.md +tetex-tex-live.section.md +unzip.section.md +validatePkgConfig.section.md +waf.section.md +xcbuild.section.md +``` diff --git a/third_party/nixpkgs/doc/hooks/index.xml b/third_party/nixpkgs/doc/hooks/index.xml deleted file mode 100644 index 0917fac6c0..0000000000 --- a/third_party/nixpkgs/doc/hooks/index.xml +++ /dev/null @@ -1,37 +0,0 @@ - - Hooks reference - - Nixpkgs has several hook packages that augment the stdenv phases. - - - The stdenv built-in hooks are documented in . - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/third_party/nixpkgs/doc/hooks/installShellFiles.section.md b/third_party/nixpkgs/doc/hooks/installShellFiles.section.md index d27527503f..84adea2fa3 100644 --- a/third_party/nixpkgs/doc/hooks/installShellFiles.section.md +++ b/third_party/nixpkgs/doc/hooks/installShellFiles.section.md 
@@ -1,5 +1,4 @@ - -### `installShellFiles` {#installshellfiles} +# `installShellFiles` {#installshellfiles} This hook helps with installing manpages and shell completion files. It exposes 2 shell functions `installManPage` and `installShellCompletion` that can be used from your `postInstall` hook. diff --git a/third_party/nixpkgs/doc/hooks/libiconv.section.md b/third_party/nixpkgs/doc/hooks/libiconv.section.md index c228fe339e..0ffa6d09b0 100644 --- a/third_party/nixpkgs/doc/hooks/libiconv.section.md +++ b/third_party/nixpkgs/doc/hooks/libiconv.section.md @@ -1,4 +1,3 @@ - -### libiconv, libintl {#libiconv-libintl} +# libiconv, libintl {#libiconv-libintl} A few libraries automatically add to `NIX_LDFLAGS` their library, making their symbols automatically available to the linker. This includes libiconv and libintl (gettext). This is done to provide compatibility between GNU Linux, where libiconv and libintl are bundled in, and other systems where that might not be the case. Sometimes, this behavior is not desired. To disable this behavior, set `dontAddExtraLibs`. diff --git a/third_party/nixpkgs/doc/hooks/libxml2.section.md b/third_party/nixpkgs/doc/hooks/libxml2.section.md index 770ef9ff3f..df387fb5e2 100644 --- a/third_party/nixpkgs/doc/hooks/libxml2.section.md +++ b/third_party/nixpkgs/doc/hooks/libxml2.section.md @@ -1,4 +1,3 @@ - -### libxml2 {#setup-hook-libxml2} +# libxml2 {#setup-hook-libxml2} Adds every file named `catalog.xml` found under the `xml/dtd` and `xml/xsl` subdirectories of each build input to the `XML_CATALOG_FILES` environment variable. diff --git a/third_party/nixpkgs/doc/hooks/meson.section.md b/third_party/nixpkgs/doc/hooks/meson.section.md index 32804b5e32..fd7779e646 100644 --- a/third_party/nixpkgs/doc/hooks/meson.section.md +++ b/third_party/nixpkgs/doc/hooks/meson.section.md 
@@ -1,26 +1,25 @@ - -### Meson {#meson} +# Meson {#meson} Overrides the configure phase to run meson to generate Ninja files. To run these files, you should accompany Meson with ninja. By default, `enableParallelBuilding` is enabled as Meson supports parallel building almost everywhere. -#### Variables controlling Meson {#variables-controlling-meson} +## Variables controlling Meson {#variables-controlling-meson} -##### `mesonFlags` {#mesonflags} +### `mesonFlags` {#mesonflags} Controls the flags passed to meson. -##### `mesonBuildType` {#mesonbuildtype} +### `mesonBuildType` {#mesonbuildtype} Which [`--buildtype`](https://mesonbuild.com/Builtin-options.html#core-options) to pass to Meson. We default to `plain`. -##### `mesonAutoFeatures` {#mesonautofeatures} +### `mesonAutoFeatures` {#mesonautofeatures} What value to set [`-Dauto_features=`](https://mesonbuild.com/Builtin-options.html#core-options) to. We default to `enabled`. -##### `mesonWrapMode` {#mesonwrapmode} +### `mesonWrapMode` {#mesonwrapmode} What value to set [`-Dwrap_mode=`](https://mesonbuild.com/Builtin-options.html#core-options) to. We default to `nodownload` as we disallow network access. -##### `dontUseMesonConfigure` {#dontusemesonconfigure} +### `dontUseMesonConfigure` {#dontusemesonconfigure} Disables using Meson’s `configurePhase`. diff --git a/third_party/nixpkgs/doc/hooks/ninja.section.md b/third_party/nixpkgs/doc/hooks/ninja.section.md index 5ea1ee8707..4b0e33feb5 100644 --- a/third_party/nixpkgs/doc/hooks/ninja.section.md +++ b/third_party/nixpkgs/doc/hooks/ninja.section.md @@ -1,4 +1,3 @@ - -### ninja {#ninja} +# ninja {#ninja} Overrides the build, install, and check phase to run ninja instead of make. You can disable this behavior with the `dontUseNinjaBuild`, `dontUseNinjaInstall`, and `dontUseNinjaCheck`, respectively. Parallel building is enabled by default in Ninja. 
diff --git a/third_party/nixpkgs/doc/hooks/perl.section.md b/third_party/nixpkgs/doc/hooks/perl.section.md index 403227a9bf..06942bd3c0 100644 --- a/third_party/nixpkgs/doc/hooks/perl.section.md +++ b/third_party/nixpkgs/doc/hooks/perl.section.md @@ -1,4 +1,3 @@ - -### Perl {#setup-hook-perl} +# Perl {#setup-hook-perl} Adds the `lib/site_perl` subdirectory of each build input to the `PERL5LIB` environment variable. For instance, if `buildInputs` contains Perl, then the `lib/site_perl` subdirectory of each input is added to the `PERL5LIB` environment variable. diff --git a/third_party/nixpkgs/doc/hooks/pkg-config.section.md b/third_party/nixpkgs/doc/hooks/pkg-config.section.md index 969c81f6d1..c98701cf9c 100644 --- a/third_party/nixpkgs/doc/hooks/pkg-config.section.md +++ b/third_party/nixpkgs/doc/hooks/pkg-config.section.md @@ -1,4 +1,3 @@ - -### pkg-config {#setup-hook-pkg-config} +# pkg-config {#setup-hook-pkg-config} Adds the `lib/pkgconfig` and `share/pkgconfig` subdirectories of each build input to the `PKG_CONFIG_PATH` environment variable. diff --git a/third_party/nixpkgs/doc/hooks/python.section.md b/third_party/nixpkgs/doc/hooks/python.section.md index a46a727e95..ecaae491e9 100644 --- a/third_party/nixpkgs/doc/hooks/python.section.md +++ b/third_party/nixpkgs/doc/hooks/python.section.md @@ -1,4 +1,3 @@ - -### Python {#setup-hook-python} +# Python {#setup-hook-python} Adds the `lib/${python.libPrefix}/site-packages` subdirectory of each build input to the `PYTHONPATH` environment variable. diff --git a/third_party/nixpkgs/doc/hooks/qt-4.section.md b/third_party/nixpkgs/doc/hooks/qt-4.section.md index f15d858e23..4b704df495 100644 --- a/third_party/nixpkgs/doc/hooks/qt-4.section.md +++ b/third_party/nixpkgs/doc/hooks/qt-4.section.md @@ -1,4 +1,3 @@ - -### Qt 4 {#qt-4} +# Qt 4 {#qt-4} Sets the `QTDIR` environment variable to Qt’s path. 
diff --git a/third_party/nixpkgs/doc/hooks/scons.section.md b/third_party/nixpkgs/doc/hooks/scons.section.md index 1392269e5d..0a7a7aa023 100644 --- a/third_party/nixpkgs/doc/hooks/scons.section.md +++ b/third_party/nixpkgs/doc/hooks/scons.section.md @@ -1,4 +1,3 @@ - -### scons {#scons} +# scons {#scons} Overrides the build, install, and check phases. This uses the scons build system as a replacement for make. scons does not provide a configure phase, so everything is managed at build and install time. diff --git a/third_party/nixpkgs/doc/hooks/tetex-tex-live.section.md b/third_party/nixpkgs/doc/hooks/tetex-tex-live.section.md index 0ecdcc12e4..b702971d72 100644 --- a/third_party/nixpkgs/doc/hooks/tetex-tex-live.section.md +++ b/third_party/nixpkgs/doc/hooks/tetex-tex-live.section.md @@ -1,4 +1,3 @@ - -### teTeX / TeX Live {#tetex-tex-live} +# teTeX / TeX Live {#tetex-tex-live} Adds the `share/texmf-nix` subdirectory of each build input to the `TEXINPUTS` environment variable. diff --git a/third_party/nixpkgs/doc/hooks/unzip.section.md b/third_party/nixpkgs/doc/hooks/unzip.section.md index 91dc072de6..5ec67e576a 100644 --- a/third_party/nixpkgs/doc/hooks/unzip.section.md +++ b/third_party/nixpkgs/doc/hooks/unzip.section.md @@ -1,4 +1,3 @@ - -### unzip {#unzip} +# unzip {#unzip} This setup hook will allow you to unzip .zip files specified in `$src`. There are many similar packages like `unrar`, `undmg`, etc. diff --git a/third_party/nixpkgs/doc/hooks/validatePkgConfig.section.md b/third_party/nixpkgs/doc/hooks/validatePkgConfig.section.md index 8719ae930f..aa6e0c06c2 100644 --- a/third_party/nixpkgs/doc/hooks/validatePkgConfig.section.md +++ b/third_party/nixpkgs/doc/hooks/validatePkgConfig.section.md 
@@ -1,4 +1,3 @@ - -### validatePkgConfig {#validatepkgconfig} +# validatePkgConfig {#validatepkgconfig} The `validatePkgConfig` hook validates all pkg-config (`.pc`) files in a package. This helps catching some common errors in pkg-config files, such as undefined variables. diff --git a/third_party/nixpkgs/doc/hooks/waf.section.md b/third_party/nixpkgs/doc/hooks/waf.section.md index de65abde45..ee1bccff1d 100644 --- a/third_party/nixpkgs/doc/hooks/waf.section.md +++ b/third_party/nixpkgs/doc/hooks/waf.section.md @@ -1,4 +1,3 @@ - -### wafHook {#wafhook} +# wafHook {#wafhook} Overrides the configure, build, and install phases. This will run the “waf” script used by many projects. If `wafPath` (default `./waf`) doesn’t exist, it will copy the version of waf available in Nixpkgs. `wafFlags` can be used to pass flags to the waf script. diff --git a/third_party/nixpkgs/doc/hooks/xcbuild.section.md b/third_party/nixpkgs/doc/hooks/xcbuild.section.md index 1426431f6d..bf404b64c3 100644 --- a/third_party/nixpkgs/doc/hooks/xcbuild.section.md +++ b/third_party/nixpkgs/doc/hooks/xcbuild.section.md @@ -1,4 +1,3 @@ - -### xcbuildHook {#xcbuildhook} +# xcbuildHook {#xcbuildhook} Overrides the build and install phases to run the "xcbuild" command. This hook is needed when a project only comes with build files for the XCode build system. You can disable this behavior by setting buildPhase and configurePhase to a custom value. xcbuildFlags controls flags passed only to xcbuild. diff --git a/third_party/nixpkgs/doc/languages-frameworks/bower.section.md b/third_party/nixpkgs/doc/languages-frameworks/bower.section.md index 6226dc0702..fceb6aaccb 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/bower.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/bower.section.md 
@@ -1,6 +1,6 @@ # Bower {#sec-bower} -[Bower](https://bower.io) is a package manager for web site front-end components. Bower packages (comprising of build artefacts and sometimes sources) are stored in `git` repositories, typically on Github. The package registry is run by the Bower team with package metadata coming from the `bower.json` file within each package. +[Bower](https://bower.io) is a package manager for web site front-end components. Bower packages (comprising of build artifacts and sometimes sources) are stored in `git` repositories, typically on Github. The package registry is run by the Bower team with package metadata coming from the `bower.json` file within each package. The end result of running Bower is a `bower_components` directory which can be included in the web app's build process. @@ -41,32 +41,18 @@ The function is implemented in [pkgs/development/bower-modules/generic/default.n ### Example buildBowerComponents {#ex-buildBowerComponents} -```{=docbook} - +```nix bowerComponents = buildBowerComponents { name = "my-web-app"; - generated = ./bower-packages.nix; - src = myWebApp; + generated = ./bower-packages.nix; # note 1 + src = myWebApp; # note 2 }; - ``` In ["buildBowerComponents" example](#ex-buildBowerComponents) the following arguments are of special significance to the function: -```{=docbook} - - - - generated specifies the file which was created by bower2nix. - - - - - src is your project's sources. It needs to contain a bower.json file. - - - -``` +1. `generated` specifies the file which was created by {command}`bower2nix`. +2. `src` is your project's sources. It needs to contain a {file}`bower.json` file. `buildBowerComponents` will run Bower to link together the output of `bower2nix`, resulting in a `bower_components` directory which can be used. 
@@ -91,10 +77,9 @@ gulp.task('build', [], function () { ### Example Full example — default.nix {#ex-buildBowerComponentsDefaultNix} -```{=docbook} - +```nix { myWebApp ? { outPath = ./.; name = "myWebApp"; } -, pkgs ? import <nixpkgs> {} +, pkgs ? import {} }: pkgs.stdenv.mkDerivation { @@ -103,49 +88,29 @@ pkgs.stdenv.mkDerivation { buildInputs = [ pkgs.nodePackages.gulp ]; - bowerComponents = pkgs.buildBowerComponents { + bowerComponents = pkgs.buildBowerComponents { # note 1 name = "my-web-app"; generated = ./bower-packages.nix; src = myWebApp; }; buildPhase = '' - cp --reflink=auto --no-preserve=mode -R $bowerComponents/bower_components . - export HOME=$PWD - ${pkgs.nodePackages.gulp}/bin/gulp build + cp --reflink=auto --no-preserve=mode -R $bowerComponents/bower_components . # note 2 + export HOME=$PWD # note 3 + ${pkgs.nodePackages.gulp}/bin/gulp build # note 4 ''; installPhase = "mv gulpdist $out"; } - ``` A few notes about [Full example — `default.nix`](#ex-buildBowerComponentsDefaultNix): -```{=docbook} - - - - The result of buildBowerComponents is an input to the frontend build. - - - - - Whether to symlink or copy the bower_components directory depends on the build tool in use. In this case a copy is used to avoid gulp silliness with permissions. - - - - - gulp requires HOME to refer to a writeable directory. - - - - - The actual build command. Other tools could be used. - - - -``` +1. The result of `buildBowerComponents` is an input to the frontend build. +2. Whether to symlink or copy the {file}`bower_components` directory depends on the build tool in use. + In this case a copy is used to avoid {command}`gulp` silliness with permissions. +3. {command}`gulp` requires `HOME` to refer to a writeable directory. +4. The actual build command in this example is {command}`gulp`. Other tools could be used instead. ## Troubleshooting {#ssec-bower2nix-troubleshooting} 
diff --git a/third_party/nixpkgs/doc/languages-frameworks/cuda.section.md b/third_party/nixpkgs/doc/languages-frameworks/cuda.section.md index f523a8c884..6b19e02e74 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/cuda.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/cuda.section.md @@ -8,7 +8,7 @@ A package set is available for each CUDA version, so for example `cudaPackages_11_6`. Within each set is a matching version of the above listed packages. Additionally, other versions of the packages that are packaged and compatible are available as well. For example, there can be a -`cudaPackages.cudnn_8_3_2` package. +`cudaPackages.cudnn_8_3` package. To use one or more CUDA packages in an expression, give the expression a `cudaPackages` parameter, and in case CUDA is optional ```nix @@ -28,7 +28,7 @@ set. ```nix mypkg = let cudaPackages = cudaPackages_11_5.overrideScope' (final: prev: { - cudnn = prev.cudnn_8_3_2; + cudnn = prev.cudnn_8_3; }}); in callPackage { inherit cudaPackages; }; ``` diff --git a/third_party/nixpkgs/doc/languages-frameworks/dhall.section.md b/third_party/nixpkgs/doc/languages-frameworks/dhall.section.md index 83fe2e9ae0..846b8cfd31 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/dhall.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/dhall.section.md @@ -307,12 +307,12 @@ $ nix-env --install --attr haskellPackages.dhall-nixpkgs $ nix-env --install --attr nix-prefetch-git # Used by dhall-to-nixpkgs -$ dhall-to-nixpkgs github https://github.com/Gabriel439/dhall-semver.git +$ dhall-to-nixpkgs github https://github.com/Gabriella439/dhall-semver.git { buildDhallGitHubPackage, Prelude }: buildDhallGitHubPackage { name = "dhall-semver"; githubBase = "github.com"; - owner = "Gabriel439"; + owner = "Gabriella439"; repo = "dhall-semver"; rev = "2d44ae605302ce5dc6c657a1216887fbb96392a4"; fetchSubmodules = false; 
diff --git a/third_party/nixpkgs/doc/languages-frameworks/dotnet.section.md b/third_party/nixpkgs/doc/languages-frameworks/dotnet.section.md index b6a622875a..246490d67d 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/dotnet.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/dotnet.section.md 
@@ -92,7 +92,7 @@ The `dotnetCorePackages.sdk` contains both a runtime and the full sdk of a given To package Dotnet applications, you can use `buildDotnetModule`. This has similar arguments to `stdenv.mkDerivation`, with the following additions: -* `projectFile` is used for specifying the dotnet project file, relative to the source root. These usually have `.sln` or `.csproj` file extensions. This can be a list of multiple projects as well. Most of the time dotnet can figure this location out by itself, so this should only be set if necessary. +* `projectFile` is used for specifying the dotnet project file, relative to the source root. These have `.sln` (entire solution) or `.csproj` (single project) file extensions. This can be a list of multiple projects as well. When omitted, will attempt to find and build the solution (`.sln`). If running into problems, make sure to set it to a file (or a list of files) with the `.csproj` extension - building applications as entire solutions is not fully supported by the .NET CLI. * `nugetDeps` takes either a path to a `deps.nix` file, or a derivation. The `deps.nix` file can be generated using the script attached to `passthru.fetch-deps`. This file can also be generated manually using `nuget-to-nix` tool, which is available in nixpkgs. If the argument is a derivation, it will be used directly and assume it has the same output as `mkNugetDeps`. * `packNupkg` is used to pack project as a `nupkg`, and installs it to `$out/share`. If set to `true`, the derivation can be used as a dependency for another dotnet project by adding it to `projectReferences`. * `projectReferences` can be used to resolve `ProjectReference` project items. Referenced projects can be packed with `buildDotnetModule` by setting the `packNupkg = true` attribute and passing a list of derivations to `projectReferences`. Since we are sharing referenced projects as NuGets they must be added to csproj/fsproj files as `PackageReference` as well. 
@@ -108,11 +108,13 @@ To package Dotnet applications, you can use `buildDotnetModule`. This has simila * `executables` is used to specify which executables get wrapped to `$out/bin`, relative to `$out/lib/$pname`. If this is unset, all executables generated will get installed. If you do not want to install any, set this to `[]`. This gets done in the `preFixup` phase. * `runtimeDeps` is used to wrap libraries into `LD_LIBRARY_PATH`. This is how dotnet usually handles runtime dependencies. * `buildType` is used to change the type of build. Possible values are `Release`, `Debug`, etc. By default, this is set to `Release`. -* `selfContainedBuild` allows to enable the [self-contained](https://docs.microsoft.com/en-us/dotnet/core/deploying/#publish-self-contained) build flag. By default, it is set to false and generated applications have a dependency on the selected dotnet runtime. If enabled, the dotnet runtime is bundled into the executable and the built app has no dependency on Dotnet. +* `selfContainedBuild` allows to enable the [self-contained](https://docs.microsoft.com/en-us/dotnet/core/deploying/#publish-self-contained) build flag. By default, it is set to false and generated applications have a dependency on the selected dotnet runtime. If enabled, the dotnet runtime is bundled into the executable and the built app has no dependency on .NET. +* `useAppHost` will enable creation of a binary executable that runs the .NET application using the specified root. More info in [Microsoft docs](https://learn.microsoft.com/en-us/dotnet/core/deploying/#publish-framework-dependent). Enabled by default. +* `useDotnetFromEnv` will change the binary wrapper so that it uses the .NET from the environment. The runtime specified by `dotnet-runtime` is given as a fallback in case no .NET is installed in the user's environment. This is most useful for .NET global tools and LSP servers, which often extend the .NET CLI and their runtime should match the users' .NET runtime. 
* `dotnet-sdk` is useful in cases where you need to change what dotnet SDK is being used. You can also set this to the result of `dotnetSdkPackages.combinePackages`, if the project uses multiple SDKs to build. * `dotnet-runtime` is useful in cases where you need to change what dotnet runtime is being used. This can be either a regular dotnet runtime, or an aspnetcore. * `dotnet-test-sdk` is useful in cases where unit tests expect a different dotnet SDK. By default, this is set to the `dotnet-sdk` attribute. -* `testProjectFile` is useful in cases where the regular project file does not contain the unit tests. It gets restored and build, but not installed. You may need to regenerate your nuget lockfile after setting this. +* `testProjectFile` is useful in cases where the regular project file does not contain the unit tests. It gets restored and build, but not installed. You may need to regenerate your nuget lockfile after setting this. Note that if set, only tests from this project are executed. * `disabledTests` is used to disable running specific unit tests. This gets passed as: `dotnet test --filter "FullyQualifiedName!={}"`, to ensure compatibility with all unit test frameworks. * `dotnetRestoreFlags` can be used to pass flags to `dotnet restore`. * `dotnetBuildFlags` can be used to pass flags to `dotnet build`. 
@@ -121,7 +123,7 @@ To package Dotnet applications, you can use `buildDotnetModule`. This has simila * `dotnetPackFlags` can be used to pass flags to `dotnet pack`. Used only if `packNupkg` is set to `true`. * `dotnetFlags` can be used to pass flags to all of the above phases. -When packaging a new application, you need to fetch its dependencies. You can run `nix-build -A package.fetch-deps` to generate a script that will build a lockfile for you. After running the script you should have the location of the generated lockfile printed to the console, which can be copied to a stable directory. Then set `nugetDeps = ./deps.nix` and you're ready to build the derivation. +When packaging a new application, you need to fetch its dependencies. Create an empty `deps.nix`, set `nugetDeps = ./deps.nix`, then run `nix-build -A package.fetch-deps` to generate a script that will build the lockfile for you. Here is an example `default.nix`, using some of the previously discussed arguments: ```nix 
@@ -151,3 +153,60 @@ in buildDotnetModule rec { runtimeDeps = [ ffmpeg ]; # This will wrap ffmpeg's library path into `LD_LIBRARY_PATH`. } ``` + +## Dotnet global tools {#dotnet-global-tools} + +[.NET Global tools](https://learn.microsoft.com/en-us/dotnet/core/tools/global-tools) are a mechanism provided by the dotnet CLI to install .NET binaries from Nuget packages. + +They can be installed either as a global tool for the entire system, or as a local tool specific to project. + +The local installation is the easiest and works on NixOS in the same way as on other Linux distributions. +[See dotnet documention](https://learn.microsoft.com/en-us/dotnet/core/tools/global-tools#install-a-local-tool) to learn more. + +[The global installation method](https://learn.microsoft.com/en-us/dotnet/core/tools/global-tools#install-a-global-tool) +should also work most of the time. You have to remember to update the `PATH` +value to the location the tools are installed to (the CLI will inform you about it during installation) and also set +the `DOTNET_ROOT` value, so that the tool can find the .NET SDK package. +You can find the path to the SDK by running `nix eval --raw nixpkgs#dotnet-sdk` (substitute the `dotnet-sdk` package for +another if a different SDK version is needed). + +This method is not recommended on NixOS, since it's not declarative and involves installing binaries not made for NixOS, +which will not always work. + +The third, and preferred way, is packaging the tool into a Nix derivation. + +### Packaging Dotnet global tools {#packaging-dotnet-global-tools} + +Dotnet global tools are standard .NET binaries, just made available through a special +NuGet package. Therefore, they can be built and packaged like every .NET application, +using `buildDotnetModule`. + +If however the source is not available or difficult to build, the +`buildDotnetGlobalTool` helper can be used, which will package the tool +straight from its NuGet package. 
+ +This helper has the same arguments as `buildDotnetModule`, with a few differences: + +* `pname` and `version` are required, and will be used to find the NuGet package of the tool +* `nugetName` can be used to override the NuGet package name that will be downloaded, if it's different from `pname` +* `nugetSha256` is the hash of the fetched NuGet package. Set this to `lib.fakeHash256` for the first build, and it will error out, giving you the proper hash. Also remember to update it during version updates (it will not error out if you just change the version while having a fetched package in `/nix/store`) +* `dotnet-runtime` is set to `dotnet-sdk` by default. When changing this, remember that .NET tools fetched from NuGet require an SDK. + +Here is an example of packaging `pbm`, an unfree binary without source available: +```nix +{ buildDotnetGlobalTool, lib }: + +buildDotnetGlobalTool { + pname = "pbm"; + version = "1.3.1"; + + nugetSha256 = "sha256-ZG2HFyKYhVNVYd2kRlkbAjZJq88OADe3yjxmLuxXDUo="; + + meta = with lib; { + homepage = "https://cmd.petabridge.com/index.html"; + changelog = "https://cmd.petabridge.com/articles/RELEASE_NOTES.html"; + license = licenses.unfree; + platforms = platforms.linux; + }; +} +``` diff --git a/third_party/nixpkgs/doc/languages-frameworks/gnome.section.md b/third_party/nixpkgs/doc/languages-frameworks/gnome.section.md index 3c8539ac42..5208f1013c 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/gnome.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/gnome.section.md 
@@ -27,7 +27,7 @@ The modules are typically installed to `lib/gio/modules/` directory of a package In particular, we recommend: -* adding `dconf.lib` for any software on Linux that reads [GSettings](#ssec-gnome-settings) (even transitivily through e.g. GTK’s file manager) +* adding `dconf.lib` for any software on Linux that reads [GSettings](#ssec-gnome-settings) (even transitively through e.g. GTK’s file manager) * adding `glib-networking` for any software that accesses network using GIO or libsoup – glib-networking contains a module that implements TLS support and loads system-wide proxy settings To allow software to use various virtual file systems, `gvfs` package can be also added. But that is usually an optional feature so we typically use `gvfs` from the system (e.g. installed globally using NixOS module). 
@@ -137,15 +137,15 @@ Most GNOME package offer [`updateScript`](#var-passthru-updateScript), it is the ## Frequently encountered issues {#ssec-gnome-common-issues} -#### `GLib-GIO-ERROR **: 06:04:50.903: No GSettings schemas are installed on the system` {#ssec-gnome-common-issues-no-schemas} +### `GLib-GIO-ERROR **: 06:04:50.903: No GSettings schemas are installed on the system` {#ssec-gnome-common-issues-no-schemas} There are no schemas available in `XDG_DATA_DIRS`. Temporarily add a random package containing schemas like `gsettings-desktop-schemas` to `buildInputs`. [`glib`](#ssec-gnome-hooks-glib) and [`wrapGAppsHook`](#ssec-gnome-hooks-wrapgappshook) setup hooks will take care of making the schemas available to application and you will see the actual missing schemas with the [next error](#ssec-gnome-common-issues-missing-schema). Or you can try looking through the source code for the actual schemas used. -#### `GLib-GIO-ERROR **: 06:04:50.903: Settings schema ‘org.gnome.foo’ is not installed` {#ssec-gnome-common-issues-missing-schema} +### `GLib-GIO-ERROR **: 06:04:50.903: Settings schema ‘org.gnome.foo’ is not installed` {#ssec-gnome-common-issues-missing-schema} Package is missing some GSettings schemas. You can find out the package containing the schema with `nix-locate org.gnome.foo.gschema.xml` and let the hooks handle the wrapping as [above](#ssec-gnome-common-issues-no-schemas). -#### When using `wrapGAppsHook` with special derivers you can end up with double wrapped binaries. {#ssec-gnome-common-issues-double-wrapped} +### When using `wrapGAppsHook` with special derivers you can end up with double wrapped binaries. {#ssec-gnome-common-issues-double-wrapped} This is because derivers like `python.pkgs.buildPythonApplication` or `qt5.mkDerivation` have setup-hooks automatically added that produce wrappers with makeWrapper. 
The simplest way to workaround that is to disable the `wrapGAppsHook` automatic wrapping with `dontWrapGApps = true;` and pass the arguments it intended to pass to makeWrapper to another. @@ -193,7 +193,7 @@ mkDerivation { } ``` -#### I am packaging a project that cannot be wrapped, like a library or GNOME Shell extension. {#ssec-gnome-common-issues-unwrappable-package} +### I am packaging a project that cannot be wrapped, like a library or GNOME Shell extension. {#ssec-gnome-common-issues-unwrappable-package} You can rely on applications depending on the library setting the necessary environment variables but that is often easy to miss. Instead we recommend to patch the paths in the source code whenever possible. Here are some examples: @@ -209,6 +209,6 @@ You can rely on applications depending on the library setting the necessary envi []{#ssec-gnome-common-issues-unwrappable-package-gsettings-c} [Hard-coding GSettings schema path in C library](https://github.com/NixOS/nixpkgs/blob/29c120c065d03b000224872251bed93932d42412/pkgs/development/libraries/glib-networking/default.nix#L31-L34) – nothing special other than using [Coccinelle patch](https://github.com/NixOS/nixpkgs/pull/67957#issuecomment-527717467) to generate the patch itself. -#### I need to wrap a binary outside `bin` and `libexec` directories. {#ssec-gnome-common-issues-weird-location} +### I need to wrap a binary outside `bin` and `libexec` directories. {#ssec-gnome-common-issues-weird-location} You can manually trigger the wrapping with `wrapGApp` in `preFixup` phase. It takes a path to a program as a first argument; the remaining arguments are passed directly to [`wrapProgram`](#fun-wrapProgram) function. diff --git a/third_party/nixpkgs/doc/languages-frameworks/go.section.md b/third_party/nixpkgs/doc/languages-frameworks/go.section.md index c697a69087..cf18084142 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/go.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/go.section.md 
@@ -19,7 +19,7 @@ In the following is an example expression using `buildGoModule`, the following a To avoid updating this field when dependencies change, run `go mod vendor` in your source repo and set `vendorHash = null;` To obtain the actual hash, set `vendorHash = lib.fakeSha256;` and run the build ([more details here](#sec-source-hashes)). -- `proxyVendor`: Fetches (go mod download) and proxies the vendor directory. This is useful if your code depends on c code and go mod tidy does not include the needed sources to build or if any dependency has case-insensitive conflicts which will produce platform dependant `vendorHash` checksums. +- `proxyVendor`: Fetches (go mod download) and proxies the vendor directory. This is useful if your code depends on c code and go mod tidy does not include the needed sources to build or if any dependency has case-insensitive conflicts which will produce platform-dependent `vendorHash` checksums. - `modPostBuild`: Shell commands to run after the build of the go-modules executes `go mod vendor`, and before calculating fixed output derivation's `vendorHash` (or `vendorSha256`). Note that if you change this attribute, you need to update `vendorHash` (or `vendorSha256`) attribute. ```nix diff --git a/third_party/nixpkgs/doc/languages-frameworks/haskell.section.md b/third_party/nixpkgs/doc/languages-frameworks/haskell.section.md index a36843c97c..6097233184 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/haskell.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/haskell.section.md 
@@ -23,7 +23,7 @@ installing and using them. All of these packages are originally defined in the `haskellPackages` package set and are re-exposed with a reduced dependency closure for convenience. -(see `justStaticExecutables` below) +(see `justStaticExecutables` or `separateBinOutput` below) The `haskellPackages` set includes at least one version of every package from Hackage as well as some manually injected packages. This amounts to a lot of 
@@ -45,16 +45,17 @@ The attribute names in `haskellPackages` always correspond with their name on Hackage. Since Hackage allows names that are not valid Nix without escaping, you need to take care when handling attribute names like `3dmodels`. -For packages that are part of [Stackage], we use the version prescribed by a -Stackage solver (usually the current LTS one) as the default version. For all -other packages we use the latest version from Hackage. See -[below](#haskell-available-versions) to learn which versions are provided -exactly. +For packages that are part of [Stackage] (a curated set of known to be +compatible packages), we use the version prescribed by a Stackage snapshot +(usually the current LTS one) as the default version. For all other packages we +use the latest version from [Hackage](https://hackage.org) (the repository of +basically all open source Haskell packages). See [below](#haskell-available- +versions) for a few more details on this. -Roughly half of the 16K packages contained in `haskellPackages` don't actually -build and are marked as broken semi-automatically. Most of those packages are -deprecated or unmaintained, but sometimes packages that should build, do not -build. Very often fixing them is not a lot of work. +Roughly half of the 16K packages contained in `haskellPackages` don’t actually +build and are [marked as broken semi-automatically](https://github.com/NixOS/nixpkgs/blob/haskell-updates/pkgs/development/haskell-modules/configuration-hackage2nix/broken.yaml). +Most of those packages are deprecated or unmaintained, but sometimes packages +that should build, do not build. Very often fixing them is not a lot of work. + +```nix +let + # Name of the compiler and package set you want to change. If you are using + # the default package set `haskellPackages`, you need to look up what version + # of GHC it currently uses (note that this is subject to change). 
+ ghcName = "ghc92"; + # Desired new setting + enableProfiling = true; +in + +[ + # The first overlay modifies the GHC derivation so that it does or does not + # build profiling versions of the core libraries bundled with it. It is + # recommended to only use such an overlay if you are enabling profiling on a + # platform that doesn't by default, because compiling GHC from scratch is + # quite expensive. + (final: prev: + let + inherit (final) lib; + in + + { + haskell = lib.recursiveUpdate prev.haskell { + compiler.${ghcName} = prev.haskell.compiler.${ghcName}.override { + # Unfortunately, the GHC setting is named differently for historical reasons + enableProfiledLibs = enableProfiling; + }; + }; + }) + + (final: prev: + let + inherit (final) lib; + haskellLib = final.haskell.lib.compose; + in + + { + haskell = lib.recursiveUpdate prev.haskell { + packages.${ghcName} = prev.haskell.packages.${ghcName}.override { + overrides = hfinal: hprev: { + mkDerivation = args: hprev.mkDerivation (args // { + # Since we are forcing our ideas upon mkDerivation, this change will + # affect every package in the package set. + enableLibraryProfiling = enableProfiling; + + # To actually use profiling on an executable, executable profiling + # needs to be enabled for the executable you want to profile. You + # can either do this globally or… + enableExecutableProfiling = enableProfiling; + }); + + # …only for the package that contains an executable you want to profile. + # That saves on unnecessary rebuilds for packages that you only depend + # on for their library, but also contain executables (e.g. pandoc). + my-executable = haskellLib.enableExecutableProfiling hprev.my-executable; + + # If you are disabling profiling to save on build time, but want to + # retain the ability to substitute from the binary cache. 
Drop the + # override for mkDerivation above and instead have an override like + # this for the specific packages you are building locally and want + # to make cheaper to build. + my-library = haskellLib.disableLibraryProfiling hprev.my-library; + }; + }; + }; + }) +] +``` + + + [Stackage]: https://www.stackage.org [cabal-project-files]: https://cabal.readthedocs.io/en/latest/cabal-project.html [cabal2nix]: https://github.com/nixos/cabal2nix @@ -1083,8 +1289,11 @@ on the issue linked above. [haskell.nix]: https://input-output-hk.github.io/haskell.nix/index.html [HLS user guide]: https://haskell-language-server.readthedocs.io/en/latest/configuration.html#configuring-your-editor [hoogle]: https://wiki.haskell.org/Hoogle +[incremental-builds]: https://www.haskellforall.com/2022/12/nixpkgs-support-for-incremental-haskell.html [jailbreak-cabal]: https://github.com/NixOS/jailbreak-cabal/ +[multiple-outputs]: https://nixos.org/manual/nixpkgs/stable/#chap-multiple-output [optparse-applicative-completions]: https://github.com/pcapriotti/optparse-applicative/blob/7726b63796aa5d0df82e926d467f039b78ca09e2/README.md#bash-zsh-and-fish-completions [profiling-detail]: https://cabal.readthedocs.io/en/latest/cabal-project.html#cfg-field-profiling-detail [profiling]: https://downloads.haskell.org/~ghc/latest/docs/html/users_guide/profiling.html [search.nixos.org]: https://search.nixos.org +[turtle]: https://hackage.haskell.org/package/turtle diff --git a/third_party/nixpkgs/doc/languages-frameworks/index.md b/third_party/nixpkgs/doc/languages-frameworks/index.md new file mode 100644 index 0000000000..cdbf08f179 --- /dev/null +++ b/third_party/nixpkgs/doc/languages-frameworks/index.md 
@@ -0,0 +1,45 @@ +# Languages and frameworks {#chap-language-support} + +The [standard build environment](#chap-stdenv) makes it easy to build typical Autotools-based packages with very little code. Any other kind of package can be accommodated by overriding the appropriate phases of `stdenv`. However, there are specialised functions in Nixpkgs to easily build packages for other programming languages, such as Perl or Haskell. These are described in this chapter. + +```{=include=} sections +agda.section.md +android.section.md +beam.section.md +bower.section.md +chicken.section.md +coq.section.md +crystal.section.md +cuda.section.md +cuelang.section.md +dart.section.md +dhall.section.md +dotnet.section.md +emscripten.section.md +gnome.section.md +go.section.md +haskell.section.md +hy.section.md +idris.section.md +ios.section.md +java.section.md +javascript.section.md +lisp.section.md +lua.section.md +maven.section.md +nim.section.md +ocaml.section.md +octave.section.md +perl.section.md +php.section.md +pkg-config.section.md +python.section.md +qt.section.md +r.section.md +ruby.section.md +rust.section.md +swift.section.md +texlive.section.md +titanium.section.md +vim.section.md +``` diff --git a/third_party/nixpkgs/doc/languages-frameworks/index.xml b/third_party/nixpkgs/doc/languages-frameworks/index.xml deleted file mode 100644 index 94c4e30302..0000000000 --- a/third_party/nixpkgs/doc/languages-frameworks/index.xml +++ /dev/null @@ -1,47 +0,0 @@ - - Languages and frameworks - - The standard build environment makes it easy to build typical Autotools-based packages with very little code. Any other kind of package can be accommodated by overriding the appropriate phases of stdenv. However, there are specialised functions in Nixpkgs to easily build packages for other programming languages, such as Perl or Haskell. These are described in this chapter. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
diff --git a/third_party/nixpkgs/doc/languages-frameworks/ios.section.md b/third_party/nixpkgs/doc/languages-frameworks/ios.section.md index 04b013be12..eb8e2ca553 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/ios.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/ios.section.md @@ -104,7 +104,7 @@ The above function takes a variety of parameters: and the location where the source code resides * `sdkVersion` specifies which version of the iOS SDK to use. -It also possile to adjust the `xcodebuild` parameters. This is only needed in +It also possible to adjust the `xcodebuild` parameters. This is only needed in rare circumstances. In most cases the default values should suffice: * Specifies which `xcodebuild` target to build. By default it takes the target @@ -130,7 +130,7 @@ In addition, you need to set the following parameters: store certificates. * `generateIPA` specifies that we want to produce an IPA file (this is probably what you want) -* `generateXCArchive` specifies thet we want to produce an xcarchive file. +* `generateXCArchive` specifies that we want to produce an xcarchive file. When building IPA files on Hydra and when it is desired to allow iOS devices to install IPAs by browsing to the Hydra build products page, you can enable the diff --git a/third_party/nixpkgs/doc/languages-frameworks/javascript.section.md b/third_party/nixpkgs/doc/languages-frameworks/javascript.section.md index fdb570ebc3..0a2099b0a6 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/javascript.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/javascript.section.md 
@@ -143,7 +143,7 @@ To update NPM packages in nixpkgs, run the same `generate.sh` script: #### Git protocol error {#javascript-git-error} Some packages may have Git dependencies from GitHub specified with `git://`. -GitHub has [disabled unecrypted Git connections](https://github.blog/2021-09-01-improving-git-protocol-security-github/#no-more-unauthenticated-git), so you may see the following error when running the generate script: +GitHub has [disabled unencrypted Git connections](https://github.blog/2021-09-01-improving-git-protocol-security-github/#no-more-unauthenticated-git), so you may see the following error when running the generate script: ``` The unauthenticated git protocol on port 9418 is no longer supported 
@@ -196,10 +196,14 @@ buildNpmPackage rec { * `npmDepsHash`: The output hash of the dependencies for this project. Can be calculated in advance with [`prefetch-npm-deps`](#javascript-buildNpmPackage-prefetch-npm-deps). * `makeCacheWritable`: Whether to make the cache writable prior to installing dependencies. Don't set this unless npm tries to write to the cache directory, as it can slow down the build. * `npmBuildScript`: The script to run to build the project. Defaults to `"build"`. +* `npmWorkspace`: The workspace directory within the project to build and install. +* `dontNpmBuild`: Option to disable running the build script. Set to `true` if the package does not have a build script. Defaults to `false`. Alternatively, setting `buildPhase` explicitly also disables this. +* `dontNpmInstall`: Option to disable running `npm install`. Defaults to `false`. Alternatively, setting `installPhase` explicitly also disables this. * `npmFlags`: Flags to pass to all npm commands. -* `npmInstallFlags`: Flags to pass to `npm ci` and `npm prune`. +* `npmInstallFlags`: Flags to pass to `npm ci`. * `npmBuildFlags`: Flags to pass to `npm run ${npmBuildScript}`. * `npmPackFlags`: Flags to pass to `npm pack`. +* `npmPruneFlags`: Flags to pass to `npm prune`. Defaults to the value of `npmInstallFlags`. #### prefetch-npm-deps {#javascript-buildNpmPackage-prefetch-npm-deps} diff --git a/third_party/nixpkgs/doc/languages-frameworks/lua.section.md b/third_party/nixpkgs/doc/languages-frameworks/lua.section.md index 2ed02ab9d6..c5049326a7 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/lua.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/lua.section.md 
@@ -179,7 +179,7 @@ Each interpreter has the following attributes: #### `buildLuarocksPackage` function {#buildluarockspackage-function} -The `buildLuarocksPackage` function is implemented in `pkgs/development/interpreters/lua-5/build-lua-package.nix` +The `buildLuarocksPackage` function is implemented in `pkgs/development/interpreters/lua-5/build-luarocks-package.nix` The following is an example: ```nix luaposix = buildLuarocksPackage { diff --git a/third_party/nixpkgs/doc/languages-frameworks/maven.section.md b/third_party/nixpkgs/doc/languages-frameworks/maven.section.md index cc5b4e3ed7..3b5e2e14ee 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/maven.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/maven.section.md 
@@ -165,6 +165,39 @@ The build will fail, and tell you the expected `outputHash` to place. When you'v If your package uses _SNAPSHOT_ dependencies or _version ranges_; there is a strong likelihood that over-time your output hash will change since the resolved dependencies may change. Hence this method is less recommended then using `buildMaven`. +#### Stable Maven plugins {#stable-maven-plugins} + +Maven defines default versions for its core plugins, e.g. `maven-compiler-plugin`. +If your project does not override these versions, an upgrade of Maven will change the version of the used plugins. +This changes the output of the first invocation and the plugins required by the second invocation. +However, since a hash is given for the output of the first invocation, the second invocation will simply fail +because the requested plugins are missing. +This will prevent automatic upgrades of Maven: the manual fix for this is to change the hash of the first invocation. + +To make sure that your package does not add manual effort when upgrading Maven, explicitly define versions for all +plugins. You can check if this is the case by adding the following plugin to your (parent) POM: + +```xml + + org.apache.maven.plugins + maven-enforcer-plugin + 3.3.0 + + + enforce-plugin-versions + + enforce + + + + + + + + + +``` + ## Building a JAR {#building-a-jar} Regardless of which strategy is chosen above, the step to build the derivation is the same. diff --git a/third_party/nixpkgs/doc/languages-frameworks/nim.section.md b/third_party/nixpkgs/doc/languages-frameworks/nim.section.md index 4f97c7585f..6b0fb3df03 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/nim.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/nim.section.md 
@@ -15,32 +15,23 @@ case of packages not containing exported library code the attribute The following example shows a Nim program that depends only on Nim libraries: ```nix -{ lib, nimPackages, fetchurl }: - -nimPackages.buildNimPackage rec { - pname = "hottext"; - version = "1.4"; +{ lib, nimPackages, fetchFromGitHub }: +nimPackages.buildNimPackage (finalAttrs: { + pname = "ttop"; + version = "1.0.1"; nimBinOnly = true; - src = fetchurl { - url = "https://git.sr.ht/~ehmry/hottext/archive/v${version}.tar.gz"; - hash = "sha256-hIUofi81zowSMbt1lUsxCnVzfJGN3FEiTtN8CEFpwzY="; + src = fetchFromGitHub { + owner = "inv2004"; + repo = "ttop"; + rev = "v${finalAttrs.version}"; + hash = "sha256-x4Uczksh6p3XX/IMrOFtBxIleVHdAPX9e8n32VAUTC4="; }; - buildInputs = with nimPackages; [ - bumpy - chroma - flatty - nimsimd - pixie - sdl2 - typography - vmath - zippy - ]; -} + buildInputs = with nimPackages; [ asciigraph illwill parsetoml zippy ]; +}) ``` ## Nim library packages in Nixpkgs {#nim-library-packages-in-nixpkgs} @@ -60,15 +51,15 @@ non-Nim package: ```nix { lib, buildNimPackage, fetchNimble, SDL2 }: -buildNimPackage rec { +buildNimPackage (finalAttrs: { pname = "sdl2"; version = "2.0.4"; src = fetchNimble { - inherit pname version; - hash = "sha256-qDtVSnf+7rTq36WAxgsUZ8XoUk4sKwHyt8EJcY5WP+o="; + inherit (finalAttrs) pname version; + hash = "sha256-Vtcj8goI4zZPQs2TbFoBFlcR5UqDtOldaXSH/+/xULk="; }; propagatedBuildInputs = [ SDL2 ]; -} +}) ``` ## `buildNimPackage` parameters {#buildnimpackage-parameters} diff --git a/third_party/nixpkgs/doc/languages-frameworks/php.section.md b/third_party/nixpkgs/doc/languages-frameworks/php.section.md index 8600e49d45..6c4315f5c4 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/php.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/php.section.md 
@@ -22,7 +22,7 @@ NixOS - not necessarily the latest major release from upstream. All available PHP attributes are wrappers around their respective binary PHP package and provide commonly used extensions this way. The -real PHP 7.4 package, i.e. the unwrapped one, is available as +real PHP 8.1 package, i.e. the unwrapped one, is available as `php81.unwrapped`; see the next section for more details. Interactive tools built on PHP are put in `php.packages`; composer is diff --git a/third_party/nixpkgs/doc/languages-frameworks/python.section.md b/third_party/nixpkgs/doc/languages-frameworks/python.section.md index 9cd80b9385..23c8526787 100644 --- a/third_party/nixpkgs/doc/languages-frameworks/python.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/python.section.md @@ -512,9 +512,10 @@ when building the bindings and are therefore added as `buildInputs`. ```nix { lib -, pkgs , buildPythonPackage , fetchPypi +, libxml2 +, libxslt }: buildPythonPackage rec { @@ -528,8 +529,8 @@ buildPythonPackage rec { }; buildInputs = [ - pkgs.libxml2 - pkgs.libxslt + libxml2 + libxslt ]; meta = with lib; { @@ -554,11 +555,13 @@ therefore we have to set `LDFLAGS` and `CFLAGS`. ```nix { lib -, pkgs , buildPythonPackage , fetchPypi # dependencies +, fftw +, fftwFloat +, fftwLongDouble , numpy , scipy }: @@ -574,9 +577,9 @@ buildPythonPackage rec { }; buildInputs = [ - pkgs.fftw - pkgs.fftwFloat - pkgs.fftwLongDouble + fftw + fftwFloat + fftwLongDouble ]; propagatedBuildInputs = [ 
@@ -585,8 +588,8 @@ buildPythonPackage rec { ]; preConfigure = '' - export LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib" - export CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include" + export LDFLAGS="-L${fftw.dev}/lib -L${fftwFloat.out}/lib -L${fftwLongDouble.out}/lib" + export CFLAGS="-I${fftw.dev}/include -I${fftwFloat.dev}/include -I${fftwLongDouble.dev}/include" ''; # Tests cannot import pyfftw. pyfftw works fine though. @@ -995,7 +998,7 @@ and in this case the `python3` interpreter is automatically used. ### Interpreters {#interpreters} Versions 2.7, 3.8, 3.9, 3.10 and 3.11 of the CPython interpreter are available -as respectively `python27`, python38`, `python39`, `python310` and `python311`. +as respectively `python27`, `python38`, `python39`, `python310` and `python311`. The aliases `python2` and `python3` correspond to respectively `python27` and `python310`. The attribute `python` maps to `python2`. The PyPy interpreters compatible with Python 2.7 and 3 are available as `pypy27` and `pypy3`, with @@ -1514,10 +1517,6 @@ Note: There is a boolean value `lib.inNixShell` set to `true` if nix-shell is in Packages inside nixpkgs are written by hand. However many tools exist in community to help save time. No tool is preferred at the moment. -- [pypi2nix](https://github.com/nix-community/pypi2nix): Generate Nix - expressions for your Python project. Note that [sharing derivations from - pypi2nix with nixpkgs is possible but not - encouraged](https://github.com/nix-community/pypi2nix/issues/222#issuecomment-443497376). - [nixpkgs-pytools](https://github.com/nix-community/nixpkgs-pytools) - [poetry2nix](https://github.com/nix-community/poetry2nix) diff --git a/third_party/nixpkgs/doc/languages-frameworks/qt.section.md b/third_party/nixpkgs/doc/languages-frameworks/qt.section.md index e09194e391..2300c5f60e 100644 
--- a/third_party/nixpkgs/doc/languages-frameworks/qt.section.md +++ b/third_party/nixpkgs/doc/languages-frameworks/qt.section.md @@ -10,37 +10,22 @@ pure and explicit at build-time, at the cost of introducing an extra indirection ## Nix expression for a Qt package (default.nix) {#qt-default-nix} -```{=docbook} - -{ stdenv, lib, qtbase, wrapQtAppsHook }: +```nix +{ stdenv, lib, qtbase, wrapQtAppsHook }: stdenv.mkDerivation { pname = "myapp"; version = "1.0"; buildInputs = [ qtbase ]; - nativeBuildInputs = [ wrapQtAppsHook ]; + nativeBuildInputs = [ wrapQtAppsHook ]; } - - - - - - Import Qt modules directly, that is: qtbase, qtdeclarative, etc. - Do not import Qt package sets such as qt5 - because the Qt versions of dependencies may not be coherent, causing build and runtime failures. - - - - - All Qt packages must include wrapQtAppsHook in - nativeBuildInputs, or you must explicitly set - dontWrapQtApps. - - - ``` +It is important to import Qt modules directly, that is: `qtbase`, `qtdeclarative`, etc. *Do not* import Qt package sets such as `qt5` because the Qt versions of dependencies may not be coherent, causing build and runtime failures. + +Additionally all Qt packages must include `wrapQtAppsHook` in `nativeBuildInputs`, or you must explicitly set `dontWrapQtApps`. + ## Locating runtime dependencies {#qt-runtime-dependencies} Qt applications must be wrapped to find runtime dependencies. diff --git a/third_party/nixpkgs/doc/lib.md b/third_party/nixpkgs/doc/lib.md new file mode 100644 index 0000000000..2c3105333e --- /dev/null +++ b/third_party/nixpkgs/doc/lib.md @@ -0,0 +1,6 @@ +# Nixpkgs `lib` {#id-1.4} + +```{=include=} chapters +functions.md +module-system/module-system.chapter.md +``` diff --git a/third_party/nixpkgs/doc/manual.md.in b/third_party/nixpkgs/doc/manual.md.in new file mode 100644 index 0000000000..a4a73a9130 --- /dev/null +++ b/third_party/nixpkgs/doc/manual.md.in 
@@ -0,0 +1,14 @@ +# Nixpkgs Manual {#nixpkgs-manual} +## Version @MANUAL_VERSION@ + +```{=include=} chapters +preface.chapter.md +``` + +```{=include=} parts +using-nixpkgs.md +lib.md +stdenv.md +builders.md +contributing.md +``` diff --git a/third_party/nixpkgs/doc/manual.xml b/third_party/nixpkgs/doc/manual.xml deleted file mode 100644 index de3d40f553..0000000000 --- a/third_party/nixpkgs/doc/manual.xml +++ /dev/null @@ -1,49 +0,0 @@ - - - Nixpkgs Manual - Version - - - - - Using Nixpkgs - - - - - - Nixpkgs <code>lib</code> - - - - - Standard environment - - - - - - - - Builders - - - - - - - - - - - Contributing to Nixpkgs - - - - - - - - diff --git a/third_party/nixpkgs/doc/shell.nix b/third_party/nixpkgs/doc/shell.nix deleted file mode 100644 index 5fa2b44248..0000000000 --- a/third_party/nixpkgs/doc/shell.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ pkgs ? import ../. { } }: -(import ./default.nix { }).overrideAttrs -(x: { buildInputs = (x.buildInputs or [ ]) ++ [ pkgs.xmloscopy pkgs.ruby ]; }) diff --git a/third_party/nixpkgs/doc/stdenv.md b/third_party/nixpkgs/doc/stdenv.md new file mode 100644 index 0000000000..1ef81f84b5 --- /dev/null +++ b/third_party/nixpkgs/doc/stdenv.md @@ -0,0 +1,9 @@ +# Standard environment {#part-stdenv} + +```{=include=} chapters +stdenv/stdenv.chapter.md +stdenv/meta.chapter.md +stdenv/multiple-output.chapter.md +stdenv/cross-compilation.chapter.md +stdenv/platform-notes.chapter.md +``` diff --git a/third_party/nixpkgs/doc/stdenv/meta.chapter.md b/third_party/nixpkgs/doc/stdenv/meta.chapter.md index 2e0cae67d5..e626e79429 100644 --- a/third_party/nixpkgs/doc/stdenv/meta.chapter.md +++ b/third_party/nixpkgs/doc/stdenv/meta.chapter.md 
@@ -70,7 +70,7 @@ A list of the maintainers of this Nix expression. Maintainers are defined in [`n ### `mainProgram` {#var-meta-mainProgram} -The name of the main binary for the package. This effects the binary `nix run` executes and falls back to the name of the package. Example: `"rg"` +The name of the main binary for the package. This affects the binary `nix run` executes and falls back to the name of the package. Example: `"rg"` ### `priority` {#var-meta-priority} @@ -128,7 +128,7 @@ Prefer `passthru.tests` for tests that are introduced in nixpkgs because: * we can run `passthru.tests` independently * `installCheckPhase` adds overhead to each build -For more on how to write and run package tests, see . +For more on how to write and run package tests, see [](#sec-package-tests). #### NixOS tests {#var-meta-tests-nixos} @@ -182,7 +182,7 @@ runCommand "my-package-test" { ### `timeout` {#var-meta-timeout} -A timeout (in seconds) for building the derivation. If the derivation takes longer than this time to build, it can fail due to breaking the timeout. However, all computers do not have the same computing power, hence some builders may decide to apply a multiplicative factor to this value. When filling this value in, try to keep it approximately consistent with other values already present in `nixpkgs`. +A timeout (in seconds) for building the derivation. If the derivation takes longer than this time to build, Hydra will fail it due to breaking the timeout. However, all computers do not have the same computing power, hence some builders may decide to apply a multiplicative factor to this value. When filling this value in, try to keep it approximately consistent with other values already present in `nixpkgs`. `meta` attributes are not stored in the instantiated derivation. Therefore, this setting may be lost when the package is used as a dependency. 
diff --git a/third_party/nixpkgs/doc/stdenv/stdenv.chapter.md b/third_party/nixpkgs/doc/stdenv/stdenv.chapter.md index a923da935c..a0f81b97f6 100644 --- a/third_party/nixpkgs/doc/stdenv/stdenv.chapter.md +++ b/third_party/nixpkgs/doc/stdenv/stdenv.chapter.md 
@@ -286,7 +286,7 @@ This is where “sum-like” comes in from above: We can just sum all of the hos Because of the bounds checks, the uncommon cases are `h = t` and `h + 2 = t`. In the former case, the motivation for `mapOffset` is that since its host and target platforms are the same, no transitive dependency of it should be able to “discover” an offset greater than its reduced target offsets. `mapOffset` effectively “squashes” all its transitive dependencies’ offsets so that none will ever be greater than the target offset of the original `h = t` package. In the other case, `h + 1` is skipped over between the host and target offsets. Instead of squashing the offsets, we need to “rip” them apart so no transitive dependencies’ offset is that one. -Overall, the unifying theme here is that propagation shouldn’t be introducing transitive dependencies involving platforms the depending package is unaware of. \[One can imagine the dependending package asking for dependencies with the platforms it knows about; other platforms it doesn’t know how to ask for. The platform description in that scenario is a kind of unforagable capability.\] The offset bounds checking and definition of `mapOffset` together ensure that this is the case. Discovering a new offset is discovering a new platform, and since those platforms weren’t in the derivation “spec” of the needing package, they cannot be relevant. From a capability perspective, we can imagine that the host and target platforms of a package are the capabilities a package requires, and the depending package must provide the capability to the dependency. +Overall, the unifying theme here is that propagation shouldn’t be introducing transitive dependencies involving platforms the depending package is unaware of. \[One can imagine the depending package asking for dependencies with the platforms it knows about; other platforms it doesn’t know how to ask for. 
The platform description in that scenario is a kind of unforgeable capability.\] The offset bounds checking and definition of `mapOffset` together ensure that this is the case. Discovering a new offset is discovering a new platform, and since those platforms weren’t in the derivation “spec” of the needing package, they cannot be relevant. From a capability perspective, we can imagine that the host and target platforms of a package are the capabilities a package requires, and the depending package must provide the capability to the dependency. #### Variables specifying dependencies {#variables-specifying-dependencies} @@ -464,10 +464,8 @@ The commit object contains the following values: If the returned array contains exactly one object (e.g. `[{}]`), all values are optional and will be determined automatically. -```{=docbook} - -Standard output of an update script using commit feature -``` +::: {.example #var-passthru-updateScript-example-commit} +# Standard output of an update script using commit feature ```json [ @@ -481,10 +479,7 @@ If the returned array contains exactly one object (e.g. `[{}]`), all values are } ] ``` - -```{=docbook} - -``` +::: ### Recursive attributes in `mkDerivation` {#mkderivation-recursive-attributes} 
@@ -971,7 +966,8 @@ to `~/.gdbinit`. GDB will then be able to find debug information installed via ` The installCheck phase checks whether the package was installed correctly by running its test suite against the installed directories. The default `installCheck` calls `make installcheck`. -It is often better to add tests that are not part of the source distribution to `passthru.tests` (see ). This avoids adding overhead to every build and enables us to run them independently. +It is often better to add tests that are not part of the source distribution to `passthru.tests` (see +[](#var-meta-tests)). This avoids adding overhead to every build and enables us to run them independently. #### Variables controlling the installCheck phase {#variables-controlling-the-installcheck-phase} @@ -1234,7 +1230,7 @@ This runs the strip command on installed binaries and libraries. This removes un This setup hook patches installed scripts to add Nix store paths to their shebang interpreter as found in the build environment. The [shebang](https://en.wikipedia.org/wiki/Shebang_(Unix)) line tells a Unix-like operating system which interpreter to use to execute the script's contents. -::: note +::: {.note} The [generic builder][generic-builder] populates `PATH` from inputs of the derivation. ::: @@ -1272,7 +1268,7 @@ patchShebangs --build configure Interpreter paths that point to a valid Nix store location are not changed. -::: note +::: {.note} A script file must be marked as executable, otherwise it will not be considered. ::: diff --git a/third_party/nixpkgs/doc/using-nixpkgs.md b/third_party/nixpkgs/doc/using-nixpkgs.md new file mode 100644 index 0000000000..bb222ae384 --- /dev/null +++ b/third_party/nixpkgs/doc/using-nixpkgs.md @@ -0,0 +1,7 @@ +# Using Nixpkgs {#part-using} + +```{=include=} chapters +using/configuration.chapter.md +using/overlays.chapter.md +using/overrides.chapter.md +``` 
diff --git a/third_party/nixpkgs/doc/using/configuration.chapter.md b/third_party/nixpkgs/doc/using/configuration.chapter.md index e657cb21c2..8d246b117b 100644 --- a/third_party/nixpkgs/doc/using/configuration.chapter.md +++ b/third_party/nixpkgs/doc/using/configuration.chapter.md @@ -185,8 +185,10 @@ You can define a function called `packageOverrides` in your local `~/.config/nix The following attributes can be passed in [`config`](#chap-packageconfig). -```{=docbook} - +```{=include=} options +id-prefix: opt- +list-id: configuration-variable-list +source: ../config-options.json ``` diff --git a/third_party/nixpkgs/doc/using/overrides.chapter.md b/third_party/nixpkgs/doc/using/overrides.chapter.md index 198b450419..a1ef9afb0b 100644 --- a/third_party/nixpkgs/doc/using/overrides.chapter.md +++ b/third_party/nixpkgs/doc/using/overrides.chapter.md @@ -16,6 +16,12 @@ Example usages: pkgs.foo.override { arg1 = val1; arg2 = val2; ... } ``` +It's also possible to access the previous arguments. + +```nix +pkgs.foo.override (previous: { arg1 = previous.arg1; ... }) +``` + ```nix 
@@ -36,15 +42,15 @@ In the first example, `pkgs.foo` is the result of a function call with some defa The function `overrideAttrs` allows overriding the attribute set passed to a `stdenv.mkDerivation` call, producing a new derivation based on the original one. This function is available on all derivations produced by the `stdenv.mkDerivation` function, which is most packages in the nixpkgs expression `pkgs`. -Example usage: +Example usages: ```nix -helloWithDebug = pkgs.hello.overrideAttrs (finalAttrs: previousAttrs: { - separateDebugInfo = true; +helloBar = pkgs.hello.overrideAttrs (finalAttrs: previousAttrs: { + pname = previousAttrs.pname + "-bar"; }); ``` -In the above example, the `separateDebugInfo` attribute is overridden to be true, thus building debug info for `helloWithDebug`, while all other attributes will be retained from the original `hello` package. +In the above example, "-bar" is appended to the pname attribute, while all other attributes will be retained from the original `hello` package. The argument `previousAttrs` is conventionally used to refer to the attr set originally passed to `stdenv.mkDerivation`. 
@@ -52,6 +58,16 @@ The argument `finalAttrs` refers to the final attributes passed to `mkDerivation If only a one-argument function is written, the argument has the meaning of `previousAttrs`. +Function arguments can be omitted entirely if there is no need to access `previousAttrs` or `finalAttrs`. + +```nix +helloWithDebug = pkgs.hello.overrideAttrs { + separateDebugInfo = true; +}; +``` + +In the above example, the `separateDebugInfo` attribute is overridden to be true, thus building debug info for `helloWithDebug`. + ::: {.note} Note that `separateDebugInfo` is processed only by the `stdenv.mkDerivation` function, not the generated, raw Nix derivation. Thus, using `overrideDerivation` will not work in this case, as it overrides only the attributes of the final derivation. It is for this reason that `overrideAttrs` should be preferred in (almost) all cases to `overrideDerivation`, i.e. to allow using `stdenv.mkDerivation` to process input arguments, as well as the fact that it is easier to use (you can use the same attribute names you see in your Nix code, instead of the ones generated (e.g. `buildInputs` vs `nativeBuildInputs`), and it involves less typing). ::: diff --git a/third_party/nixpkgs/lib/attrsets.nix b/third_party/nixpkgs/lib/attrsets.nix index 1f11eaaa82..0335146e2a 100644 --- a/third_party/nixpkgs/lib/attrsets.nix +++ b/third_party/nixpkgs/lib/attrsets.nix @@ -3,7 +3,7 @@ let inherit (builtins) head tail length; - inherit (lib.trivial) flip id mergeAttrs pipe; + inherit (lib.trivial) id mergeAttrs; inherit (lib.strings) concatStringsSep concatMapStringsSep escapeNixIdentifier sanitizeDerivationName; inherit (lib.lists) foldr foldl' concatMap concatLists elemAt all partition groupBy take foldl; in 
@@ -123,7 +123,11 @@ rec { { x = "a"; y = "b"; } => { x = "a"; xa = "a"; y = "b"; yb = "b"; } */ - concatMapAttrs = f: flip pipe [ (mapAttrs f) attrValues (foldl' mergeAttrs { }) ]; + concatMapAttrs = f: v: + foldl' mergeAttrs { } + (attrValues + (mapAttrs f v) + ); /* Update or set specific paths of an attribute set. diff --git a/third_party/nixpkgs/lib/customisation.nix b/third_party/nixpkgs/lib/customisation.nix index fe32e890f3..a9281b1ab6 100644 --- a/third_party/nixpkgs/lib/customisation.nix +++ b/third_party/nixpkgs/lib/customisation.nix @@ -46,12 +46,6 @@ rec { // (drv.passthru or {}) // - # TODO(@Artturin): remove before release 23.05 and only have __spliced. - (lib.optionalAttrs (drv ? crossDrv && drv ? nativeDrv) { - crossDrv = overrideDerivation drv.crossDrv f; - nativeDrv = overrideDerivation drv.nativeDrv f; - }) - // lib.optionalAttrs (drv ? __spliced) { __spliced = {} // (lib.mapAttrs (_: sDrv: overrideDerivation sDrv f) drv.__spliced); }); diff --git a/third_party/nixpkgs/lib/debug.nix b/third_party/nixpkgs/lib/debug.nix index a851cd7477..97e87acccf 100644 --- a/third_party/nixpkgs/lib/debug.nix +++ b/third_party/nixpkgs/lib/debug.nix @@ -15,22 +15,15 @@ { lib }: let inherit (lib) - isInt - attrNames isList isAttrs substring - addErrorContext attrValues concatLists - concatStringsSep const elem generators - head id - isDerivation - isFunction mapAttrs trace; in diff --git a/third_party/nixpkgs/lib/default.nix b/third_party/nixpkgs/lib/default.nix index 8fea4b8ad6..73b8ad8715 100644 --- a/third_party/nixpkgs/lib/default.nix +++ b/third_party/nixpkgs/lib/default.nix 
@@ -138,7 +138,7 @@ let mergeDefaultOption mergeOneOption mergeEqualOption mergeUniqueOption getValues getFiles optionAttrSetToDocList optionAttrSetToDocList' - scrubOptionValue literalExpression literalExample literalDocBook + scrubOptionValue literalExpression literalExample showOption showOptionWithDefLocs showFiles unknownModule mkOption mkPackageOption mkPackageOptionMD mdDoc literalMD; diff --git a/third_party/nixpkgs/lib/derivations.nix b/third_party/nixpkgs/lib/derivations.nix index dce98b46dd..5b7ed1868e 100644 --- a/third_party/nixpkgs/lib/derivations.nix +++ b/third_party/nixpkgs/lib/derivations.nix @@ -31,7 +31,7 @@ in (lazyDerivation { inherit derivation; meta.foo = true; }).meta - In these expressions, it `derivation` _will_ be evaluated: + In these expressions, `derivation` _will_ be evaluated: "${lazyDerivation { inherit derivation }}" diff --git a/third_party/nixpkgs/lib/filesystem.nix b/third_party/nixpkgs/lib/filesystem.nix index 4860d4d02a..f5bb8e9b59 100644 --- a/third_party/nixpkgs/lib/filesystem.nix +++ b/third_party/nixpkgs/lib/filesystem.nix @@ -9,10 +9,6 @@ let pathExists ; - inherit (lib.strings) - hasPrefix - ; - inherit (lib.filesystem) pathType ; diff --git a/third_party/nixpkgs/lib/fixed-points.nix b/third_party/nixpkgs/lib/fixed-points.nix index 926428293c..a63f349b71 100644 --- a/third_party/nixpkgs/lib/fixed-points.nix +++ b/third_party/nixpkgs/lib/fixed-points.nix 
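Review bot: Removing `literalDocBook` from the names re-exported through `lib` on the `scrubOptionValue literalExpression literalExample` line is an API removal for any out-of-tree module that still references `lib.literalDocBook`, and the hunk adds no deprecation shim. Whether the underlying function is deleted in the same change is not visible here; if it is not, it remains defined but becomes unreachable via `lib.`. If a transition period is intended, keep a forwarding definition where the function lives that warns via `lib.warn` before evaluating, for example `literalDocBook = lib.warn "literalDocBook is deprecated; use literalMD" literalMD;` (constructed example), for at least one release before dropping the name. The `let` block this export list belongs to starts outside the hunk.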
@@ -1,34 +1,49 @@ { lib, ... }: rec { - # Compute the fixed point of the given function `f`, which is usually an - # attribute set that expects its final, non-recursive representation as an - # argument: - # - # f = self: { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; } - # - # Nix evaluates this recursion until all references to `self` have been - # resolved. At that point, the final result is returned and `f x = x` holds: - # - # nix-repl> fix f - # { bar = "bar"; foo = "foo"; foobar = "foobar"; } - # - # Type: fix :: (a -> a) -> a - # - # See https://en.wikipedia.org/wiki/Fixed-point_combinator for further - # details. + /* + Compute the fixed point of the given function `f`, which is usually an + attribute set that expects its final, non-recursive representation as an + argument: + + ``` + f = self: { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; } + ``` + + Nix evaluates this recursion until all references to `self` have been + resolved. At that point, the final result is returned and `f x = x` holds: + + ``` + nix-repl> fix f + { bar = "bar"; foo = "foo"; foobar = "foobar"; } + ``` + + Type: fix :: (a -> a) -> a + + See https://en.wikipedia.org/wiki/Fixed-point_combinator for further + details. + */ fix = f: let x = f x; in x; - # A variant of `fix` that records the original recursive attribute set in the - # result. This is useful in combination with the `extends` function to - # implement deep overriding. See pkgs/development/haskell-modules/default.nix - # for a concrete example. + /* + A variant of `fix` that records the original recursive attribute set in the + result, in an attribute named `__unfix__`. + + This is useful in combination with the `extends` function to + implement deep overriding. + */ fix' = f: let x = f x // { __unfix__ = f; }; in x; - # Return the fixpoint that `f` converges to when called recursively, starting - # with the input `x`. 
- # - # nix-repl> converge (x: x / 2) 16 - # 0 + /* + Return the fixpoint that `f` converges to when called iteratively, starting + with the input `x`. + + ``` + nix-repl> converge (x: x / 2) 16 + 0 + ``` + + Type: (a -> a) -> a -> a + */ converge = f: x: let x' = f x; 
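Review bot: The new docstring for `fix'` says the result records "the original recursive attribute set" in `__unfix__`, but the definition right below it stores the function, `x = f x // { __unfix__ = f; }`, so `__unfix__` holds `f` (the self-expecting function), not an attribute set. Suggested wording for that sentence: "A variant of fix that stores the function f in the result under the attribute __unfix__, so the recursion can later be re-opened and extended." Separately, the `converge` comment ends with `Type: (a -> a) -> a -> a` while `fix` above uses the `Type: fix :: (a -> a) -> a` form; write it as `Type: converge :: (a -> a) -> a -> a` so the file's signature lines stay uniform. The body of `converge` continues in the next hunk.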
@@ -37,75 +52,94 @@ rec { then x else converge f x'; - # Modify the contents of an explicitly recursive attribute set in a way that - # honors `self`-references. This is accomplished with a function - # - # g = self: super: { foo = super.foo + " + "; } - # - # that has access to the unmodified input (`super`) as well as the final - # non-recursive representation of the attribute set (`self`). `extends` - # differs from the native `//` operator insofar as that it's applied *before* - # references to `self` are resolved: - # - # nix-repl> fix (extends g f) - # { bar = "bar"; foo = "foo + "; foobar = "foo + bar"; } - # - # The name of the function is inspired by object-oriented inheritance, i.e. - # think of it as an infix operator `g extends f` that mimics the syntax from - # Java. It may seem counter-intuitive to have the "base class" as the second - # argument, but it's nice this way if several uses of `extends` are cascaded. - # - # To get a better understanding how `extends` turns a function with a fix - # point (the package set we start with) into a new function with a different fix - # point (the desired packages set) lets just see, how `extends g f` - # unfolds with `g` and `f` defined above: - # - # extends g f = self: let super = f self; in super // g self super; - # = self: let super = { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; }; in super // g self super - # = self: { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; } // g self { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; } - # = self: { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; } // { foo = "foo" + " + "; } - # = self: { foo = "foo + "; bar = "bar"; foobar = self.foo + self.bar; } - # + /* + Modify the contents of an explicitly recursive attribute set in a way that + honors `self`-references. 
This is accomplished with a function + + ```nix + g = self: super: { foo = super.foo + " + "; } + ``` + + that has access to the unmodified input (`super`) as well as the final + non-recursive representation of the attribute set (`self`). `extends` + differs from the native `//` operator insofar as that it's applied *before* + references to `self` are resolved: + + ``` + nix-repl> fix (extends g f) + { bar = "bar"; foo = "foo + "; foobar = "foo + bar"; } + ``` + + The name of the function is inspired by object-oriented inheritance, i.e. + think of it as an infix operator `g extends f` that mimics the syntax from + Java. It may seem counter-intuitive to have the "base class" as the second + argument, but it's nice this way if several uses of `extends` are cascaded. + + To get a better understanding how `extends` turns a function with a fix + point (the package set we start with) into a new function with a different fix + point (the desired packages set) lets just see, how `extends g f` + unfolds with `g` and `f` defined above: + + ``` + extends g f = self: let super = f self; in super // g self super; + = self: let super = { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; }; in super // g self super + = self: { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; } // g self { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; } + = self: { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; } // { foo = "foo" + " + "; } + = self: { foo = "foo + "; bar = "bar"; foobar = self.foo + self.bar; } + ``` + */ extends = f: rattrs: self: let super = rattrs self; in super // f self super; - # Compose two extending functions of the type expected by 'extends' - # into one where changes made in the first are available in the - # 'super' of the second + /* + Compose two extending functions of the type expected by 'extends' + into one where changes made in the first are available in the + 'super' of the second + */ composeExtensions = f: g: final: prev: let 
fApplied = f final prev; prev' = prev // fApplied; in fApplied // g final prev'; - # Compose several extending functions of the type expected by 'extends' into - # one where changes made in preceding functions are made available to - # subsequent ones. - # - # composeManyExtensions : [packageSet -> packageSet -> packageSet] -> packageSet -> packageSet -> packageSet - # ^final ^prev ^overrides ^final ^prev ^overrides + /* + Compose several extending functions of the type expected by 'extends' into + one where changes made in preceding functions are made available to + subsequent ones. + + ``` + composeManyExtensions : [packageSet -> packageSet -> packageSet] -> packageSet -> packageSet -> packageSet + ^final ^prev ^overrides ^final ^prev ^overrides + ``` + */ composeManyExtensions = lib.foldr (x: y: composeExtensions x y) (final: prev: {}); - # Create an overridable, recursive attribute set. For example: - # - # nix-repl> obj = makeExtensible (self: { }) - # - # nix-repl> obj - # { __unfix__ = «lambda»; extend = «lambda»; } - # - # nix-repl> obj = obj.extend (self: super: { foo = "foo"; }) - # - # nix-repl> obj - # { __unfix__ = «lambda»; extend = «lambda»; foo = "foo"; } - # - # nix-repl> obj = obj.extend (self: super: { foo = super.foo + " + "; bar = "bar"; foobar = self.foo + self.bar; }) - # - # nix-repl> obj - # { __unfix__ = «lambda»; bar = "bar"; extend = «lambda»; foo = "foo + "; foobar = "foo + bar"; } + /* + Create an overridable, recursive attribute set. 
For example: + + ``` + nix-repl> obj = makeExtensible (self: { }) + + nix-repl> obj + { __unfix__ = «lambda»; extend = «lambda»; } + + nix-repl> obj = obj.extend (self: super: { foo = "foo"; }) + + nix-repl> obj + { __unfix__ = «lambda»; extend = «lambda»; foo = "foo"; } + + nix-repl> obj = obj.extend (self: super: { foo = super.foo + " + "; bar = "bar"; foobar = self.foo + self.bar; }) + + nix-repl> obj + { __unfix__ = «lambda»; bar = "bar"; extend = «lambda»; foo = "foo + "; foobar = "foo + bar"; } + ``` + */ makeExtensible = makeExtensibleWithCustomName "extend"; - # Same as `makeExtensible` but the name of the extending attribute is - # customized. + /* + Same as `makeExtensible` but the name of the extending attribute is + customized. + */ makeExtensibleWithCustomName = extenderName: rattrs: fix' (self: (rattrs self) // { ${extenderName} = f: makeExtensibleWithCustomName extenderName (extends f rattrs); diff --git a/third_party/nixpkgs/lib/generators.nix b/third_party/nixpkgs/lib/generators.nix index 496845fc9a..a2dddedd2d 100644 --- a/third_party/nixpkgs/lib/generators.nix +++ b/third_party/nixpkgs/lib/generators.nix @@ -168,7 +168,7 @@ rec { mkKeyValue ? mkKeyValueDefault {} "=", # allow lists as values for duplicate keys listsAsDuplicateKeys ? false - }: { globalSection, sections }: + }: { globalSection, sections ? {} }: ( if globalSection == {} then "" else (toKeyValue { inherit mkKeyValue listsAsDuplicateKeys; } globalSection) diff --git a/third_party/nixpkgs/lib/licenses.nix b/third_party/nixpkgs/lib/licenses.nix index a9a1170050..ee71488263 100644 --- a/third_party/nixpkgs/lib/licenses.nix +++ b/third_party/nixpkgs/lib/licenses.nix @@ -1,7 +1,7 @@ { lib }: lib.mapAttrs (lname: lset: let - defaultLicense = rec { + defaultLicense = { shortName = lname; free = true; # Most of our licenses are Free, explicitly declare unfree additions as such! deprecated = false; 
@@ -98,6 +98,11 @@ in mkLicense lset) ({ fullName = "Artistic License 1.0"; }; + artistic1-cl8 = { + spdxId = "Artistic-1.0-cl8"; + fullName = "Artistic License 1.0 w/clause 8"; + }; + artistic2 = { spdxId = "Artistic-2.0"; fullName = "Artistic License 2.0"; @@ -178,6 +183,11 @@ in mkLicense lset) ({ fullName = ''BSD 3-clause "New" or "Revised" License''; }; + bsd3Clear = { + spdxId = "BSD-3-Clause-Clear"; + fullName = "BSD 3-Clause Clear License"; + }; + bsdOriginal = { spdxId = "BSD-4-Clause"; fullName = ''BSD 4-clause "Original" or "Old" License''; @@ -215,6 +225,12 @@ in mkLicense lset) ({ url = "https://opensource.org/licenses/CAL-1.0"; }; + caldera = { + spdxId = "Caldera"; + fullName = "Caldera License"; + url = "http://www.lemis.com/grog/UNIX/ancient-source-all.pdf"; + }; + capec = { fullName = "Common Attack Pattern Enumeration and Classification"; url = "https://capec.mitre.org/about/termsofuse.html"; @@ -284,11 +300,26 @@ in mkLicense lset) ({ free = false; }; + cc-by-sa-10 = { + spdxId = "CC-BY-SA-1.0"; + fullName = "Creative Commons Attribution Share Alike 1.0"; + }; + + cc-by-sa-20 = { + spdxId = "CC-BY-SA-2.0"; + fullName = "Creative Commons Attribution Share Alike 2.0"; + }; + cc-by-sa-25 = { spdxId = "CC-BY-SA-2.5"; fullName = "Creative Commons Attribution Share Alike 2.5"; }; + cc-by-10 = { + spdxId = "CC-BY-1.0"; + fullName = "Creative Commons Attribution 1.0"; + }; + cc-by-30 = { spdxId = "CC-BY-3.0"; fullName = "Creative Commons Attribution 3.0"; @@ -475,6 +506,16 @@ in mkLicense lset) ({ url = "http://www.schristiancollins.com/generaluser.php"; # license included in sources }; + gfl = { + fullName = "GUST Font License"; + url = "http://www.gust.org.pl/fonts/licenses/GUST-FONT-LICENSE.txt"; + }; + + gfsl = { + fullName = "GUST Font Source License"; + url = "http://www.gust.org.pl/fonts/licenses/GUST-FONT-SOURCE-LICENSE.txt"; + }; + gpl1Only = { spdxId = "GPL-1.0-only"; fullName = "GNU General Public License v1.0 only"; 
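Review bot: The `caldera` entry's `url` is plain http (`http://www.lemis.com/grog/UNIX/ancient-source-all.pdf`), and the same holds for `gfl`/`gfsl` in the `@@ -475` hunk and `info-zip` in the following hunk, whereas the neighbouring entries (for example the preceding `https://opensource.org/licenses/CAL-1.0` and `capec`'s `https://capec.mitre.org/...`) use https. These URLs are presented to users as the place to read the license text, so where the host serves the same document over https that form is preferable. If no https version exists, a short `# no https mirror available` comment next to the entry records that the choice was deliberate rather than an oversight.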
@@ -556,6 +597,12 @@ in mkLicense lset) ({ fullName = "Imlib2 License"; }; + info-zip = { + spdxId = "Info-ZIP"; + fullName = "Info-ZIP License"; + url = "http://www.info-zip.org/pub/infozip/license.html"; + }; + inria-compcert = { fullName = "INRIA Non-Commercial License Agreement for the CompCert verified compiler"; url = "https://compcert.org/doc/LICENSE.txt"; @@ -603,12 +650,24 @@ in mkLicense lset) ({ free = true; }; + fairsource09 = { + fullName = "Fair Source License, version 0.9"; + url = "https://fair.io/v0.9.txt"; + free = false; + redistributable = true; + }; + issl = { fullName = "Intel Simplified Software License"; url = "https://software.intel.com/en-us/license/intel-simplified-software-license"; free = false; }; + knuth = { + fullName = "Knuth CTAN License"; + spdxId = "Knuth-CTAN"; + }; + lal12 = { spdxId = "LAL-1.2"; fullName = "Licence Art Libre 1.2"; @@ -685,11 +744,21 @@ in mkLicense lset) ({ url = "https://opensource.franz.com/preamble.html"; }; + lppl1 = { + spdxId = "LPPL-1.0"; + fullName = "LaTeX Project Public License v1.0"; + }; + lppl12 = { spdxId = "LPPL-1.2"; fullName = "LaTeX Project Public License v1.2"; }; + lppl13a = { + spdxId = "LPPL-1.3a"; + fullName = "LaTeX Project Public License v1.3a"; + }; + lppl13c = { spdxId = "LPPL-1.3c"; fullName = "LaTeX Project Public License v1.3c"; @@ -747,6 +816,12 @@ in mkLicense lset) ({ fullName = "Microsoft Public License"; }; + mulan-psl2 = { + spdxId = "MulanPSL-2.0"; + fullName = "Mulan Permissive Software License, Version 2"; + url = "https://license.coscl.org.cn/MulanPSL2"; + }; + nasa13 = { spdxId = "NASA-1.3"; fullName = "NASA Open Source Agreement 1.3"; @@ -805,6 +880,11 @@ in mkLicense lset) ({ fullName = "OpenSSL License"; }; + opubl = { + spdxId = "OPUBL-1.0"; + fullName = "Open Publication License v1.0"; + }; + osl2 = { spdxId = "OSL-2.0"; fullName = "Open Software License 2.0"; 
@@ -927,6 +1007,14 @@ in mkLicense lset) ({ url = "https://github.com/thestk/stk/blob/master/LICENSE"; }; + sustainableUse = { + shortName = "sustainable"; + fullName = "Sustainable Use License"; + url = "https://github.com/n8n-io/n8n/blob/master/LICENSE.md"; + free = false; + redistributable = false; # only free to redistribute "for non-commercial purposes" + }; + tsl = { shortName = "TSL"; fullName = "Timescale License Agreegment"; diff --git a/third_party/nixpkgs/lib/lists.nix b/third_party/nixpkgs/lib/lists.nix index 2186cd4a79..5d9af0cf71 100644 --- a/third_party/nixpkgs/lib/lists.nix +++ b/third_party/nixpkgs/lib/lists.nix 
@@ -198,8 +198,38 @@ rec { default: # Input list list: - let found = filter pred list; - in if found == [] then default else head found; + let + # A naive recursive implementation would be much simpler, but + # would also overflow the evaluator stack. We use `foldl'` as a workaround + # because it reuses the same stack space, evaluating the function for one + # element after another. We can't return early, so this means that we + # sacrifice early cutoff, but that appears to be an acceptable cost. A + # clever scheme with "exponential search" is possible, but appears over- + # engineered for now. See https://github.com/NixOS/nixpkgs/pull/235267 + + # Invariant: + # - if index < 0 then el == elemAt list (- index - 1) and all elements before el didn't satisfy pred + # - if index >= 0 then pred (elemAt list index) and all elements before (elemAt list index) didn't satisfy pred + # + # We start with index -1 and the 0'th element of the list, which satisfies the invariant + resultIndex = foldl' (index: el: + if index < 0 then + # No match yet before the current index, we need to check the element + if pred el then + # We have a match! Turn it into the actual index to prevent future iterations from modifying it + - index - 1 + else + # Still no match, update the index to the next element (we're counting down, so minus one) + index - 1 + else + # There's already a match, propagate the index without evaluating anything + index + ) (-1) list; + in + if resultIndex < 0 then + default + else + elemAt list resultIndex; /* Return true if function `pred` returns true for at least one element of `list`. diff --git a/third_party/nixpkgs/lib/modules.nix b/third_party/nixpkgs/lib/modules.nix index 4dc8c663b2..f16df20425 100644 --- a/third_party/nixpkgs/lib/modules.nix +++ b/third_party/nixpkgs/lib/modules.nix @@ -21,7 +21,6 @@ let isBool isFunction isList - isPath isString length mapAttrs 
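Review bot: The `else index` branch means `pred` is no longer applied to any element after the first match, whereas the replaced `filter pred list` evaluated `pred` on every element before `head` was taken; a predicate that throws on a later element now returns the earlier match instead of failing. That is the better behaviour, but it is observable, so the function's documentation (which begins above this hunk, together with the `pred` and `default` parameters) should state it, e.g. `# \`pred\` is not applied to elements following the first match.` findFirst's parameter list starts outside the hunk, so the comment would live there.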
@@ -134,11 +133,6 @@ let ${if prefix == [] then null # unset => visible else "internal"} = true; - # TODO: hidden during the markdown transition to not expose downstream - # users of the docs infra to markdown if they're not ready for it. - # we don't make this visible conditionally because it can impact - # performance (https://github.com/NixOS/nixpkgs/pull/208407#issuecomment-1368246192) - visible = false; # TODO: Change the type of this option to a submodule with a # freeformType, so that individual arguments can be documented # separately 
@@ -545,59 +539,74 @@ let mergeModules' = prefix: options: configs: let - /* byName is like foldAttrs, but will look for attributes to merge in the - specified attribute name. - - byName "foo" (module: value: ["module.hidden=${module.hidden},value=${value}"]) - [ - { - hidden="baz"; - foo={qux="bar"; gla="flop";}; - } - { - hidden="fli"; - foo={qux="gne"; gli="flip";}; - } - ] - ===> - { - gla = [ "module.hidden=baz,value=flop" ]; - gli = [ "module.hidden=fli,value=flip" ]; - qux = [ "module.hidden=baz,value=bar" "module.hidden=fli,value=gne" ]; - } - */ - byName = attr: f: modules: - zipAttrsWith (n: concatLists) - (map (module: let subtree = module.${attr}; in + # an attrset 'name' => list of submodules that declare ‘name’. + declsByName = + zipAttrsWith + (n: concatLists) + (map + (module: let subtree = module.options; in if !(builtins.isAttrs subtree) then - throw (if attr == "config" then '' - You're trying to define a value of type `${builtins.typeOf subtree}' - rather than an attribute set for the option - `${builtins.concatStringsSep "." prefix}'! - - This usually happens if `${builtins.concatStringsSep "." prefix}' has option - definitions inside that are not matched. Please check how to properly define - this option by e.g. referring to `man 5 configuration.nix'! - '' else '' + throw '' An option declaration for `${builtins.concatStringsSep "." prefix}' has type `${builtins.typeOf subtree}' rather than an attribute set. Did you mean to define this outside of `options'? - '') + '' else - mapAttrs (n: f module) subtree - ) modules); - # an attrset 'name' => list of submodules that declare ‘name’. - declsByName = byName "options" (module: option: - [{ inherit (module) _file; options = option; }] - ) options; + mapAttrs + (n: option: + [{ inherit (module) _file; options = option; }] + ) + subtree + ) + options); + + # The root of any module definition must be an attrset. 
+ checkedConfigs = + assert + lib.all + (c: + # TODO: I have my doubts that this error would occur when option definitions are not matched. + # The implementation of this check used to be tied to a superficially similar check for + # options, so maybe that's why this is here. + isAttrs c.config || throw '' + In module `${c.file}', you're trying to define a value of type `${builtins.typeOf c.config}' + rather than an attribute set for the option + `${builtins.concatStringsSep "." prefix}'! + + This usually happens if `${builtins.concatStringsSep "." prefix}' has option + definitions inside that are not matched. Please check how to properly define + this option by e.g. referring to `man 5 configuration.nix'! + '' + ) + configs; + configs; + # an attrset 'name' => list of submodules that define ‘name’. - defnsByName = byName "config" (module: value: - map (config: { inherit (module) file; inherit config; }) (pushDownProperties value) - ) configs; + pushedDownDefinitionsByName = + zipAttrsWith + (n: concatLists) + (map + (module: + mapAttrs + (n: value: + map (config: { inherit (module) file; inherit config; }) (pushDownProperties value) + ) + module.config + ) + checkedConfigs); # extract the definitions for each loc - defnsByName' = byName "config" (module: value: - [{ inherit (module) file; inherit value; }] - ) configs; + rawDefinitionsByName = + zipAttrsWith + (n: concatLists) + (map + (module: + mapAttrs + (n: value: + [{ inherit (module) file; inherit value; }] + ) + module.config + ) + checkedConfigs); # Convert an option tree decl to a submodule option decl optionTreeToOption = decl: @@ -619,8 +628,8 @@ let # We're descending into attribute ‘name’. let loc = prefix ++ [name]; - defns = defnsByName.${name} or []; - defns' = defnsByName'.${name} or []; + defns = pushedDownDefinitionsByName.${name} or []; + defns' = rawDefinitionsByName.${name} or []; optionDecls = filter (m: isOption m.options) decls; in if length optionDecls == length decls then 
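Review bot: `pushedDownDefinitionsByName` and `rawDefinitionsByName` repeat the same `zipAttrsWith (n: concatLists) (map (module: mapAttrs (n: value: …) module.config) checkedConfigs)` scaffold and differ only in the function applied to each `value`; now that `byName` is gone, a small local helper such as `definitionsByName = f: zipAttrsWith (n: concatLists) (map (module: mapAttrs (n: value: f module value) module.config) checkedConfigs);` keeps the two in step and states the `checkedConfigs` dependency once. The `# TODO: I have my doubts …` remark sits directly on the user-facing error text; if the doubt is real it is better tracked in an issue reference than left where every reader of the error path sees it. mergeModules' begins before this hunk.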
@@ -663,7 +672,7 @@ let # Propagate all unmatched definitions from nested option sets mapAttrs (n: v: v.unmatchedDefns) resultsByName # Plus the definitions for the current prefix that don't have a matching option - // removeAttrs defnsByName' (attrNames matchedOptions); + // removeAttrs rawDefinitionsByName (attrNames matchedOptions); in { inherit matchedOptions; @@ -910,6 +919,40 @@ let else opt // { type = opt.type.substSubModules opt.options; options = []; }; + /* + Merge an option's definitions in a way that preserves the priority of the + individual attributes in the option value. + + This does not account for all option semantics, such as readOnly. + + Type: + option -> attrsOf { highestPrio, value } + */ + mergeAttrDefinitionsWithPrio = opt: + let + defsByAttr = + lib.zipAttrs ( + lib.concatLists ( + lib.concatMap + ({ value, ... }@def: + map + (lib.mapAttrsToList (k: value: { ${k} = def // { inherit value; }; })) + (pushDownProperties value) + ) + opt.definitionsWithLocations + ) + ); + in + assert opt.type.name == "attrsOf" || opt.type.name == "lazyAttrsOf"; + lib.mapAttrs + (k: v: + let merging = lib.mergeDefinitions (opt.loc ++ [k]) opt.type.nestedTypes.elemType v; + in { + value = merging.mergedValue; + inherit (merging.defsFinal') highestPrio; + }) + defsByAttr; + /* Properties. */ mkIf = condition: content: @@ -1146,14 +1189,11 @@ let use = id; }; - /* Transitional version of mkAliasOptionModule that uses MD docs. */ - mkAliasOptionModuleMD = from: to: doRename { - inherit from to; - visible = true; - warn = false; - use = id; - markdown = true; - }; + /* Transitional version of mkAliasOptionModule that uses MD docs. + + This function is no longer necessary and merely an alias of `mkAliasOptionModule`. + */ + mkAliasOptionModuleMD = mkAliasOptionModule; /* mkDerivedConfig : Option a -> (a -> Definition b) -> Definition b 
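Review bot: The `assert opt.type.name == "attrsOf" || opt.type.name == "lazyAttrsOf";` in `mergeAttrDefinitionsWithPrio` carries no message, so a caller passing any other option type gets Nix's bare "assertion failed" with only a source position; `assert lib.assertMsg (opt.type.name == "attrsOf" || opt.type.name == "lazyAttrsOf") "mergeAttrDefinitionsWithPrio: expected an attrsOf or lazyAttrsOf option at ${lib.showOption opt.loc}, got ${opt.type.name}";` would name the option and the offending type. Separately, the inner `(k: value: …)` lambda shadows the `value` bound by `{ value, ... }@def` on purpose (`def // { inherit value; }` must take the per-attribute value), which a rename such as `(k: v: { ${k} = def // { value = v; }; })` would make obvious without changing behaviour.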
@@ -1175,7 +1215,7 @@ let (opt.highestPrio or defaultOverridePriority) (f opt.value); - doRename = { from, to, visible, warn, use, withPriority ? true, markdown ? false }: + doRename = { from, to, visible, warn, use, withPriority ? true }: { config, options, ... }: let fromOpt = getAttrFromPath from options; @@ -1186,9 +1226,7 @@ let { options = setAttrByPath from (mkOption { inherit visible; - description = if markdown - then lib.mdDoc "Alias of {option}`${showOption to}`." - else "Alias of ."; + description = "Alias of {option}`${showOption to}`."; apply = x: use (toOf config); } // optionalAttrs (toType != null) { type = toType; @@ -1256,6 +1294,7 @@ private // importJSON importTOML mergeDefinitions + mergeAttrDefinitionsWithPrio mergeOptionDecls # should be private? mkAfter mkAliasAndWrapDefinitions diff --git a/third_party/nixpkgs/lib/options.nix b/third_party/nixpkgs/lib/options.nix index af7914bb51..c42bc1e6c6 100644 --- a/third_party/nixpkgs/lib/options.nix +++ b/third_party/nixpkgs/lib/options.nix @@ -100,10 +100,7 @@ rec { name: mkOption { default = false; example = true; - description = - if name ? _type && name._type == "mdDoc" - then lib.mdDoc "Whether to enable ${name.text}." - else "Whether to enable ${name}."; + description = "Whether to enable ${name}."; type = lib.types.bool; }; @@ -185,10 +182,10 @@ rec { (if isList example then "pkgs." + concatStringsSep "." example else example); }); - /* Like mkPackageOption, but emit an mdDoc description instead of DocBook. */ - mkPackageOptionMD = pkgs: name: extra: - let option = mkPackageOption pkgs name extra; - in option // { description = lib.mdDoc option.description; }; + /* Alias of mkPackageOption. Previously used to create options with markdown + documentation, which is no longer required. + */ + mkPackageOptionMD = mkPackageOption; /* This option accepts anything, but it does not produce any result. 
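Review bot: Dropping `markdown ? false` from `doRename`'s argument set turns any remaining call that passes `markdown = true` into an evaluation error, because the pattern has no `...` and Nix rejects unexpected attributes; as far as I know `doRename` is exposed as `lib.modules.doRename`, so such callers may exist outside this tree. Keeping the attribute as an ignored, deprecated parameter gives them a transition: `doRename = { from, to, visible, warn, use, withPriority ? true, markdown ? null }:` with `lib.warnIf (markdown != null) "lib.modules.doRename: the \`markdown\` argument is ignored and will be removed"` wrapped around the returned module. The remainder of doRename's body is outside this hunk.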
@@ -344,26 +341,12 @@ rec { if ! isString text then throw "literalExpression expects a string." else { _type = "literalExpression"; inherit text; }; - literalExample = lib.warn "literalExample is deprecated, use literalExpression instead, or use literalDocBook for a non-Nix description." literalExpression; - - - /* For use in the `defaultText` and `example` option attributes. Causes the - given DocBook text to be inserted verbatim in the documentation, for when - a `literalExpression` would be too hard to read. - */ - literalDocBook = text: - if ! isString text then throw "literalDocBook expects a string." - else - lib.warnIf (lib.isInOldestRelease 2211) - "literalDocBook is deprecated, use literalMD instead" - { _type = "literalDocBook"; inherit text; }; + literalExample = lib.warn "literalExample is deprecated, use literalExpression instead, or use literalMD for a non-Nix description." literalExpression; /* Transition marker for documentation that's already migrated to markdown - syntax. + syntax. This is a no-op and no longer needed. */ - mdDoc = text: - if ! isString text then throw "mdDoc expects a string." - else { _type = "mdDoc"; inherit text; }; + mdDoc = lib.id; /* For use in the `defaultText` and `example` option attributes. Causes the given MD text to be inserted verbatim in the documentation, for when diff --git a/third_party/nixpkgs/lib/path/default.nix b/third_party/nixpkgs/lib/path/default.nix index a4a08668ae..936e9b0302 100644 --- a/third_party/nixpkgs/lib/path/default.nix +++ b/third_party/nixpkgs/lib/path/default.nix @@ -7,6 +7,7 @@ let isPath split match + typeOf ; inherit (lib.lists) @@ -18,6 +19,7 @@ let all concatMap foldl' + take ; inherit (lib.strings) 
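Review bot: `mdDoc = lib.id;` silently drops the `if ! isString text then throw "mdDoc expects a string."` guard, so a non-string argument now flows into a description unchanged instead of failing at the call site; if that is intended a comment saying so helps, otherwise `mdDoc = text: if ! isString text then throw "mdDoc expects a string." else text;` keeps the check while remaining a no-op. `literalDocBook` is removed outright even though the hunk shows it was already on a `warnIf` deprecation path and `literalExample` in the same hunk is kept as a warning alias; a stub such as `literalDocBook = throw "literalDocBook has been removed, use literalMD instead.";` turns the generic "attribute 'literalDocBook' missing" into an actionable message.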
@@ -100,6 +102,22 @@ let # An empty string is not a valid relative path, so we need to return a `.` when we have no components (if components == [] then "." else concatStringsSep "/" components); + # Type: Path -> { root :: Path, components :: [ String ] } + # + # Deconstruct a path value type into: + # - root: The filesystem root of the path, generally `/` + # - components: All the path's components + # + # This is similar to `splitString "/" (toString path)` but safer + # because it can distinguish different filesystem roots + deconstructPath = + let + recurse = components: base: + # If the parent of a path is the path itself, then it's a filesystem root + if base == dirOf base then { root = base; inherit components; } + else recurse ([ (baseNameOf base) ] ++ components) (dirOf base); + in recurse []; + in /* No rec! Add dependencies on this file at the top. */ { /* Append a subpath string to a path. @@ -108,6 +126,12 @@ in /* No rec! Add dependencies on this file at the top. */ { More specifically, it checks that the first argument is a [path value type](https://nixos.org/manual/nix/stable/language/values.html#type-path"), and that the second argument is a valid subpath string (see `lib.path.subpath.isValid`). + Laws: + + - Not influenced by subpath normalisation + + append p s == append p (subpath.normalise s) + Type: append :: Path -> String -> Path 
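Review bot: `deconstructPath` accepts whatever it is given; `dirOf` and `baseNameOf` also operate on strings, so a string argument would, as far as I can tell, recurse to a string `root` rather than fail, and the `base == dirOf base` termination test would then be a string comparison. The only guard is that callers assert `isPath` first, as `hasPrefix` in a later hunk does; making that the documented contract — `# Callers must ensure \`isPath\` holds; strings are not rejected here` — keeps the assumption visible. The `# Type:` line is also placed above the description, while the rest of this file's doc comments put `Type:` after the prose.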
@@ -149,6 +173,51 @@ in /* No rec! Add dependencies on this file at the top. */ { ${subpathInvalidReason subpath}''; path + ("/" + subpath); + /* + Whether the first path is a component-wise prefix of the second path. + + Laws: + + - `hasPrefix p q` is only true if `q == append p s` for some subpath `s`. + + - `hasPrefix` is a [non-strict partial order](https://en.wikipedia.org/wiki/Partially_ordered_set#Non-strict_partial_order) over the set of all path values + + Type: + hasPrefix :: Path -> Path -> Bool + + Example: + hasPrefix /foo /foo/bar + => true + hasPrefix /foo /foo + => true + hasPrefix /foo/bar /foo + => false + hasPrefix /. /foo + => true + */ + hasPrefix = + path1: + assert assertMsg + (isPath path1) + "lib.path.hasPrefix: First argument is of type ${typeOf path1}, but a path was expected"; + let + path1Deconstructed = deconstructPath path1; + in + path2: + assert assertMsg + (isPath path2) + "lib.path.hasPrefix: Second argument is of type ${typeOf path2}, but a path was expected"; + let + path2Deconstructed = deconstructPath path2; + in + assert assertMsg + (path1Deconstructed.root == path2Deconstructed.root) '' + lib.path.hasPrefix: Filesystem roots must be the same for both paths, but paths with different roots were given: + first argument: "${toString path1}" with root "${toString path1Deconstructed.root}" + second argument: "${toString path2}" with root "${toString path2Deconstructed.root}"''; + take (length path1Deconstructed.components) path2Deconstructed.components == path1Deconstructed.components; + + /* Whether a value is a valid subpath string. - The value is a string diff --git a/third_party/nixpkgs/lib/path/tests/default.nix b/third_party/nixpkgs/lib/path/tests/default.nix index 9a31e42828..6b8e515f43 100644 --- a/third_party/nixpkgs/lib/path/tests/default.nix +++ b/third_party/nixpkgs/lib/path/tests/default.nix 
@@ -24,8 +24,9 @@ pkgs.runCommand "lib-path-tests" { export TEST_LIB=$PWD/lib echo "Running unit tests lib/path/tests/unit.nix" - nix-instantiate --eval lib/path/tests/unit.nix \ - --argstr libpath "$TEST_LIB" + nix-instantiate --eval --show-trace \ + --argstr libpath "$TEST_LIB" \ + lib/path/tests/unit.nix echo "Running property tests lib/path/tests/prop.sh" bash lib/path/tests/prop.sh ${toString seed} diff --git a/third_party/nixpkgs/lib/path/tests/prop.sh b/third_party/nixpkgs/lib/path/tests/prop.sh index e48c6667fa..9fea521577 100755 --- a/third_party/nixpkgs/lib/path/tests/prop.sh +++ b/third_party/nixpkgs/lib/path/tests/prop.sh @@ -71,7 +71,7 @@ fi # Precalculate all normalisations with a single Nix call. Calling Nix for each # string individually would take way too long -nix-instantiate --eval --strict --json \ +nix-instantiate --eval --strict --json --show-trace \ --argstr libpath "$TEST_LIB" \ --argstr dir "$tmp/strings" \ "$SCRIPT_DIR"/prop.nix \ diff --git a/third_party/nixpkgs/lib/path/tests/unit.nix b/third_party/nixpkgs/lib/path/tests/unit.nix index 61c4ab4d6f..9c5b752cf6 100644 --- a/third_party/nixpkgs/lib/path/tests/unit.nix +++ b/third_party/nixpkgs/lib/path/tests/unit.nix @@ -3,7 +3,7 @@ { libpath }: let lib = import libpath; - inherit (lib.path) append subpath; + inherit (lib.path) hasPrefix append subpath; cases = lib.runTests { # Test examples from the lib.path.append documentation @@ -40,6 +40,23 @@ let expected = false; }; + testHasPrefixExample1 = { + expr = hasPrefix /foo /foo/bar; + expected = true; + }; + testHasPrefixExample2 = { + expr = hasPrefix /foo /foo; + expected = true; + }; + testHasPrefixExample3 = { + expr = hasPrefix /foo/bar /foo; + expected = false; + }; + testHasPrefixExample4 = { + expr = hasPrefix /. /foo; + expected = true; + }; + # Test examples from the lib.path.subpath.isValid documentation testSubpathIsValidExample1 = { expr = subpath.isValid null; 
diff --git a/third_party/nixpkgs/lib/sources.nix b/third_party/nixpkgs/lib/sources.nix index d990777c6f..8b7cd5c84f 100644 --- a/third_party/nixpkgs/lib/sources.nix +++ b/third_party/nixpkgs/lib/sources.nix @@ -5,22 +5,16 @@ let inherit (builtins) match - readDir split storeDir - tryEval ; inherit (lib) boolToString filter - getAttr isString - pathExists readFile ; inherit (lib.filesystem) - pathType - pathIsDirectory pathIsRegularFile ; diff --git a/third_party/nixpkgs/lib/strings.nix b/third_party/nixpkgs/lib/strings.nix index e875520c68..1eb6cf9c1a 100644 --- a/third_party/nixpkgs/lib/strings.nix +++ b/third_party/nixpkgs/lib/strings.nix @@ -18,6 +18,7 @@ rec { elemAt filter fromJSON + genList head isInt isList @@ -264,7 +265,8 @@ rec { lib.strings.hasPrefix: The first argument (${toString pref}) is a path value, but only strings are supported. There is almost certainly a bug in the calling code, since this function always returns `false` in such a case. This function also copies the path to the Nix store, which may not be what you want. - This behavior is deprecated and will throw an error in the future.'' + This behavior is deprecated and will throw an error in the future. + You might want to use `lib.path.hasPrefix` instead, which correctly supports paths.'' (substring 0 (stringLength pref) str == pref); /* Determine whether a string has given suffix. @@ -345,7 +347,7 @@ rec { => [ "�" "�" "�" "�" ] */ stringToCharacters = s: - map (p: substring p 1 s) (lib.range 0 (stringLength s - 1)); + genList (p: substring p 1 s) (stringLength s); /* Manipulate a string character by character and replace them by strings before concatenating the results. diff --git a/third_party/nixpkgs/lib/systems/architectures.nix b/third_party/nixpkgs/lib/systems/architectures.nix index 57b9184ca6..9be8c80e3f 100644 --- a/third_party/nixpkgs/lib/systems/architectures.nix +++ b/third_party/nixpkgs/lib/systems/architectures.nix 
@@ -3,8 +3,15 @@ rec { # gcc.arch to its features (as in /proc/cpuinfo) features = { + # x86_64 Generic + # Spec: https://gitlab.com/x86-psABIs/x86-64-ABI/ default = [ ]; + x86-64 = [ ]; + x86-64-v2 = [ "sse3" "ssse3" "sse4_1" "sse4_2" ]; + x86-64-v3 = [ "sse3" "ssse3" "sse4_1" "sse4_2" "avx" "avx2" "fma" ]; + x86-64-v4 = [ "sse3" "ssse3" "sse4_1" "sse4_2" "avx" "avx2" "avx512" "fma" ]; # x86_64 Intel + nehalem = [ "sse3" "ssse3" "sse4_1" "sse4_2" "aes" ]; westmere = [ "sse3" "ssse3" "sse4_1" "sse4_2" "aes" ]; sandybridge = [ "sse3" "ssse3" "sse4_1" "sse4_2" "aes" "avx" ]; ivybridge = [ "sse3" "ssse3" "sse4_1" "sse4_2" "aes" "avx" ]; @@ -18,6 +25,7 @@ rec { cascadelake = [ "sse3" "ssse3" "sse4_1" "sse4_2" "aes" "avx" "avx2" "avx512" "fma" ]; cooperlake = [ "sse3" "ssse3" "sse4_1" "sse4_2" "aes" "avx" "avx2" "avx512" "fma" ]; tigerlake = [ "sse3" "ssse3" "sse4_1" "sse4_2" "aes" "avx" "avx2" "avx512" "fma" ]; + alderlake = [ "sse3" "ssse3" "sse4_1" "sse4_2" "aes" "avx" "avx2" "fma" ]; # x86_64 AMD btver1 = [ "sse3" "ssse3" "sse4_1" "sse4_2" ]; btver2 = [ "sse3" "ssse3" "sse4_1" "sse4_2" "aes" "avx" ]; @@ -28,6 +36,7 @@ rec { znver1 = [ "sse3" "ssse3" "sse4_1" "sse4_2" "sse4a" "aes" "avx" "avx2" "fma" ]; znver2 = [ "sse3" "ssse3" "sse4_1" "sse4_2" "sse4a" "aes" "avx" "avx2" "fma" ]; znver3 = [ "sse3" "ssse3" "sse4_1" "sse4_2" "sse4a" "aes" "avx" "avx2" "fma" ]; + znver4 = [ "sse3" "ssse3" "sse4_1" "sse4_2" "sse4a" "aes" "avx" "avx2" "avx512" "fma" ]; # other armv5te = [ ]; armv6 = [ ]; 
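Review bot: `nehalem` lists `"aes"`, but AES-NI first shipped with Westmere: GCC's `-march=nehalem` feature set does not include AES, and only `-march=westmere` adds AES and PCLMUL. If this table is matched against a host's `/proc/cpuinfo` to decide which `gcc.arch` it can build and test, as the `# gcc.arch to its features (as in /proc/cpuinfo)` context line suggests, a Nehalem machine would be offered AES-using code and fault on it. The line should read `nehalem = [ "sse3" "ssse3" "sse4_1" "sse4_2" ];`, leaving `"aes"` to `westmere` and later.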
@@ -39,23 +48,35 @@ rec { # a superior CPU has all the features of an inferior and is able to build and test code for it inferiors = { + # x86_64 Generic + default = [ ]; + x86-64 = [ ]; + x86-64-v2 = [ "x86-64" ]; + x86-64-v3 = [ "x86-64-v2" ] ++ inferiors.x86-64-v2; + x86-64-v4 = [ "x86-64-v3" ] ++ inferiors.x86-64-v3; + # x86_64 Intel # https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html - default = [ ]; - westmere = [ ]; - sandybridge = [ "westmere" ] ++ inferiors.westmere; - ivybridge = [ "sandybridge" ] ++ inferiors.sandybridge; - haswell = [ "ivybridge" ] ++ inferiors.ivybridge; - broadwell = [ "haswell" ] ++ inferiors.haswell; - skylake = [ "broadwell" ] ++ inferiors.broadwell; - skylake-avx512 = [ "skylake" ] ++ inferiors.skylake; + nehalem = [ "x86-64-v2" ] ++ inferiors.x86-64-v2; + westmere = [ "nehalem" ] ++ inferiors.nehalem; + sandybridge = [ "westmere" ] ++ inferiors.westmere; + ivybridge = [ "sandybridge" ] ++ inferiors.sandybridge; + + haswell = lib.unique ([ "ivybridge" "x86-64-v3" ] ++ inferiors.ivybridge ++ inferiors.x86-64-v3); + broadwell = [ "haswell" ] ++ inferiors.haswell; + skylake = [ "broadwell" ] ++ inferiors.broadwell; + + skylake-avx512 = lib.unique ([ "skylake" "x86-64-v4" ] ++ inferiors.skylake ++ inferiors.x86-64-v4); cannonlake = [ "skylake-avx512" ] ++ inferiors.skylake-avx512; icelake-client = [ "cannonlake" ] ++ inferiors.cannonlake; icelake-server = [ "icelake-client" ] ++ inferiors.icelake-client; - cascadelake = [ "skylake-avx512" ] ++ inferiors.cannonlake; + cascadelake = [ "cannonlake" ] ++ inferiors.cannonlake; cooperlake = [ "cascadelake" ] ++ inferiors.cascadelake; tigerlake = [ "icelake-server" ] ++ inferiors.icelake-server; + # CX16 does not exist on alderlake, while it does on nearly all other intel CPUs + alderlake = [ ]; + # x86_64 AMD # TODO: fill this (need testing) btver1 = [ ]; 
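Review bot: The new superset claims in `inferiors` (`nehalem` over `x86-64-v2`, `haswell` over `x86-64-v3`, `skylake-avx512` over `x86-64-v4`, `alderlake = [ ]`) are not cross-checked against `features` anywhere in this commit, so the two tables can drift silently. A one-line invariant in lib/tests/systems.nix would catch that: for every `cpu`, `lib.all (inf: lib.subtractLists features.${cpu} features.${inf} == [ ]) inferiors.${cpu}` must hold. The CX16 comment explains why `alderlake` has no inferiors even though `features.alderlake` lists avx2/fma; such a test would also document that `inferiors` encodes ISA compatibility rather than plain feature containment. The `inferiors` attrset continues past the hunk into the AMD section.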
@@ -83,9 +104,10 @@ rec { # https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html # https://en.wikichip.org/wiki/amd/microarchitectures/zen # https://en.wikichip.org/wiki/intel/microarchitectures/skylake - znver1 = [ "skylake" ] ++ inferiors.skylake; + znver1 = [ "skylake" ] ++ inferiors.skylake; # Includes haswell and x86-64-v3 znver2 = [ "znver1" ] ++ inferiors.znver1; znver3 = [ "znver2" ] ++ inferiors.znver2; + znver4 = lib.unique ([ "znver3" "x86-64-v4" ] ++ inferiors.znver3 ++ inferiors.x86-64-v4); # other armv5te = [ ]; diff --git a/third_party/nixpkgs/lib/systems/default.nix b/third_party/nixpkgs/lib/systems/default.nix index f4784c61c6..a3462d2d42 100644 --- a/third_party/nixpkgs/lib/systems/default.nix +++ b/third_party/nixpkgs/lib/systems/default.nix @@ -9,6 +9,24 @@ rec { examples = import ./examples.nix { inherit lib; }; architectures = import ./architectures.nix { inherit lib; }; + /* + Elaborated systems contain functions, which means that they don't satisfy + `==` for a lack of reflexivity. + + They might *appear* to satisfy `==` reflexivity when the same exact value is + compared to itself, because object identity is used as an "optimization"; + compare the value with a reconstruction of itself, e.g. with `f == a: f a`, + or perhaps calling `elaborate` twice, and one will see reflexivity fail as described. + + Hence a custom equality test. + + Note that this does not canonicalize the systems, so you'll want to make sure + both arguments have been `elaborate`-d. + */ + equals = + let removeFunctions = a: lib.filterAttrs (_: v: !builtins.isFunction v) a; + in a: b: removeFunctions a == removeFunctions b; + /* List of all Nix system doubles the nixpkgs flake will expose the package set for. All systems listed here must be supported by nixpkgs as `localSystem`. 
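Review bot: `removeFunctions` only strips top-level function attributes, so `equals` still hits the non-reflexivity the docstring describes whenever a nested attrset of the elaborated system (e.g. `parsed`, `gcc` or `linux-kernel`) contains a function; two independent `elaborate` calls would then compare unequal for the wrong reason. Either recurse (e.g. `lib.filterAttrsRecursive` before comparing) or state the limitation in the docstring, for instance `Only top-level function attributes are ignored; nested attribute sets are compared with == as-is.`. From the hunk alone it is not visible whether any nested attribute is a function today, but nothing asserts it, and the generated tests in lib/tests/systems.nix only override top-level attributes.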
@@ -68,7 +86,7 @@ rec { # choice. else "bfd"; extensions = rec { - sharedLibrary = + sharedLibrary = assert final.hasSharedLibraries; /**/ if final.isDarwin then ".dylib" else if final.isWindows then ".dll" else ".so"; @@ -114,6 +132,25 @@ rec { # uname -r release = null; }; + + # It is important that hasSharedLibraries==false when the platform has no + # dynamic library loader. Various tools (including the gcc build system) + # have knowledge of which platforms are incapable of dynamic linking, and + # will still build on/for those platforms with --enable-shared, but simply + # omit any `.so` build products such as libgcc_s.so. When that happens, + # it causes hard-to-troubleshoot build failures. + hasSharedLibraries = with final; + (isAndroid || isGnu || isMusl # Linux (allows multiple libcs) + || isDarwin || isSunOS || isOpenBSD || isFreeBSD || isNetBSD # BSDs + || isCygwin || isMinGW # Windows + ) && !isStatic; + + # The difference between `isStatic` and `hasSharedLibraries` is mainly the + # addition of the `staticMarker` (see make-derivation.nix). Some + # platforms, like embedded machines without a libc (e.g. arm-none-eabi) + # don't support dynamic linking, but don't get the `staticMarker`. + # `pkgsStatic` sets `isStatic=true`, so `pkgsStatic.hostPlatform` always + # has the `staticMarker`. isStatic = final.isWasm || final.isRedox; # Just a guess, based on `system` @@ -193,8 +230,7 @@ rec { }; wine = (pkgs.winePackagesFor "wine${toString final.parsed.cpu.bits}").minimal; in - if final.parsed.kernel.name == pkgs.stdenv.hostPlatform.parsed.kernel.name && - pkgs.stdenv.hostPlatform.canExecute final + if pkgs.stdenv.hostPlatform.canExecute final then "${pkgs.runtimeShell} -c '\"$@\"' --" else if final.isWindows then "${wine}/bin/wine${lib.optionalString (final.parsed.cpu.bits == 64) "64"}" diff --git a/third_party/nixpkgs/lib/systems/doubles.nix b/third_party/nixpkgs/lib/systems/doubles.nix index 6d2f015674..13f029ee1f 100644 
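Review bot: `sharedLibrary = assert final.hasSharedLibraries;` turns a value that previously evaluated to `".so"` on every platform into a hard evaluation failure on any `isStatic` platform, and a bare `assert` only reports the expression text. Since `pkgsStatic` sets `isStatic = true` (per the new comment in the second hunk), any package that merely references `stdenv.hostPlatform.extensions.sharedLibrary` under `pkgsStatic` now aborts without saying why; a message would help: `sharedLibrary = assert lib.assertMsg final.hasSharedLibraries "extensions.sharedLibrary is undefined on a platform without shared libraries (hasSharedLibraries = false)";`. The `extensions` block continues past the hunk.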
--- a/third_party/nixpkgs/lib/systems/doubles.nix +++ b/third_party/nixpkgs/lib/systems/doubles.nix @@ -27,9 +27,9 @@ let # Linux "aarch64-linux" "armv5tel-linux" "armv6l-linux" "armv7a-linux" "armv7l-linux" "i686-linux" "loongarch64-linux" "m68k-linux" "microblaze-linux" - "microblazeel-linux" "mipsel-linux" "mips64el-linux" "powerpc64-linux" - "powerpc64le-linux" "riscv32-linux" "riscv64-linux" "s390-linux" - "s390x-linux" "x86_64-linux" + "microblazeel-linux" "mips-linux" "mips64-linux" "mips64el-linux" + "mipsel-linux" "powerpc64-linux" "powerpc64le-linux" "riscv32-linux" + "riscv64-linux" "s390-linux" "s390x-linux" "x86_64-linux" # MMIXware "mmix-mmixware" @@ -41,7 +41,7 @@ let # none "aarch64_be-none" "aarch64-none" "arm-none" "armv6l-none" "avr-none" "i686-none" - "microblaze-none" "microblazeel-none" "msp430-none" "or1k-none" "m68k-none" + "microblaze-none" "microblazeel-none" "mips-none" "mips64-none" "msp430-none" "or1k-none" "m68k-none" "powerpc-none" "powerpcle-none" "riscv32-none" "riscv64-none" "rx-none" "s390-none" "s390x-none" "vc4-none" "x86_64-none" diff --git a/third_party/nixpkgs/lib/systems/examples.nix b/third_party/nixpkgs/lib/systems/examples.nix index 4edbf4df4b..8d9c09561d 100644 --- a/third_party/nixpkgs/lib/systems/examples.nix +++ b/third_party/nixpkgs/lib/systems/examples.nix @@ -37,6 +37,10 @@ rec { config = "armv6l-unknown-linux-gnueabihf"; } // platforms.raspberrypi; + bluefield2 = { + config = "aarch64-unknown-linux-gnu"; + } // platforms.bluefield2; + remarkable1 = { config = "armv7l-unknown-linux-gnueabihf"; } // platforms.zero-gravitas; 
@@ -91,22 +95,16 @@ rec { } // platforms.fuloong2f_n32; # can execute on 32bit chip - mips-linux-gnu = { config = "mips-unknown-linux-gnu"; } // platforms.gcc_mips32r2_o32; - mipsel-linux-gnu = { config = "mipsel-unknown-linux-gnu"; } // platforms.gcc_mips32r2_o32; - mipsisa32r6-linux-gnu = { config = "mipsisa32r6-unknown-linux-gnu"; } // platforms.gcc_mips32r6_o32; - mipsisa32r6el-linux-gnu = { config = "mipsisa32r6el-unknown-linux-gnu"; } // platforms.gcc_mips32r6_o32; + mips-linux-gnu = { config = "mips-unknown-linux-gnu"; } // platforms.gcc_mips32r2_o32; + mipsel-linux-gnu = { config = "mipsel-unknown-linux-gnu"; } // platforms.gcc_mips32r2_o32; # require 64bit chip (for more registers, 64-bit floating point, 64-bit "long long") but use 32bit pointers - mips64-linux-gnuabin32 = { config = "mips64-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r2_n32; - mips64el-linux-gnuabin32 = { config = "mips64el-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r2_n32; - mipsisa64r6-linux-gnuabin32 = { config = "mipsisa64r6-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r6_n32; - mipsisa64r6el-linux-gnuabin32 = { config = "mipsisa64r6el-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r6_n32; + mips64-linux-gnuabin32 = { config = "mips64-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r2_n32; + mips64el-linux-gnuabin32 = { config = "mips64el-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r2_n32; # 64bit pointers - mips64-linux-gnuabi64 = { config = "mips64-unknown-linux-gnuabi64"; } // platforms.gcc_mips64r2_64; - mips64el-linux-gnuabi64 = { config = "mips64el-unknown-linux-gnuabi64"; } // platforms.gcc_mips64r2_64; - mipsisa64r6-linux-gnuabi64 = { config = "mipsisa64r6-unknown-linux-gnuabi64"; } // platforms.gcc_mips64r6_64; - mipsisa64r6el-linux-gnuabi64 = { config = "mipsisa64r6el-unknown-linux-gnuabi64"; } // platforms.gcc_mips64r6_64; + mips64-linux-gnuabi64 = { config = "mips64-unknown-linux-gnuabi64"; } // platforms.gcc_mips64r2_64; + 
mips64el-linux-gnuabi64 = { config = "mips64el-unknown-linux-gnuabi64"; } // platforms.gcc_mips64r2_64; muslpi = raspberryPi // { config = "armv6l-unknown-linux-musleabihf"; @@ -135,6 +133,16 @@ rec { libc = "newlib"; }; + mips64-embedded = { + config = "mips64-none-elf"; + libc = "newlib"; + }; + + mips-embedded = { + config = "mips-none-elf"; + libc = "newlib"; + }; + loongarch64-linux = { config = "loongarch64-unknown-linux-gnu"; }; diff --git a/third_party/nixpkgs/lib/systems/inspect.nix b/third_party/nixpkgs/lib/systems/inspect.nix index 89e9f4231d..022e459c39 100644 --- a/third_party/nixpkgs/lib/systems/inspect.nix +++ b/third_party/nixpkgs/lib/systems/inspect.nix @@ -87,7 +87,7 @@ rec { isNone = { kernel = kernels.none; }; isAndroid = [ { abi = abis.android; } { abi = abis.androideabi; } ]; - isGnu = with abis; map (a: { abi = a; }) [ gnuabi64 gnu gnueabi gnueabihf gnuabielfv1 gnuabielfv2 ]; + isGnu = with abis; map (a: { abi = a; }) [ gnuabi64 gnuabin32 gnu gnueabi gnueabihf gnuabielfv1 gnuabielfv2 ]; isMusl = with abis; map (a: { abi = a; }) [ musl musleabi musleabihf muslabin32 muslabi64 ]; isUClibc = with abis; map (a: { abi = a; }) [ uclibc uclibceabi uclibceabihf ]; diff --git a/third_party/nixpkgs/lib/systems/parse.nix b/third_party/nixpkgs/lib/systems/parse.nix index ea8e1ff8fc..6eb4f27cc5 100644 --- a/third_party/nixpkgs/lib/systems/parse.nix +++ b/third_party/nixpkgs/lib/systems/parse.nix 
@@ -91,14 +91,10 @@ rec { microblaze = { bits = 32; significantByte = bigEndian; family = "microblaze"; }; microblazeel = { bits = 32; significantByte = littleEndian; family = "microblaze"; }; - mips = { bits = 32; significantByte = bigEndian; family = "mips"; }; - mipsel = { bits = 32; significantByte = littleEndian; family = "mips"; }; - mipsisa32r6 = { bits = 32; significantByte = bigEndian; family = "mips"; }; - mipsisa32r6el = { bits = 32; significantByte = littleEndian; family = "mips"; }; - mips64 = { bits = 64; significantByte = bigEndian; family = "mips"; }; - mips64el = { bits = 64; significantByte = littleEndian; family = "mips"; }; - mipsisa64r6 = { bits = 64; significantByte = bigEndian; family = "mips"; }; - mipsisa64r6el = { bits = 64; significantByte = littleEndian; family = "mips"; }; + mips = { bits = 32; significantByte = bigEndian; family = "mips"; }; + mipsel = { bits = 32; significantByte = littleEndian; family = "mips"; }; + mips64 = { bits = 64; significantByte = bigEndian; family = "mips"; }; + mips64el = { bits = 64; significantByte = littleEndian; family = "mips"; }; mmix = { bits = 64; significantByte = bigEndian; family = "mmix"; }; diff --git a/third_party/nixpkgs/lib/systems/platforms.nix b/third_party/nixpkgs/lib/systems/platforms.nix index d574943e47..0b6a9f3891 100644 --- a/third_party/nixpkgs/lib/systems/platforms.nix +++ b/third_party/nixpkgs/lib/systems/platforms.nix @@ -209,6 +209,14 @@ rec { # Legacy attribute, for compatibility with existing configs only. raspberrypi2 = armv7l-hf-multiplatform; + # Nvidia Bluefield 2 (w. crypto support) + bluefield2 = { + gcc = { + arch = "armv8-a+fp+simd+crc+crypto"; + cpu = "cortex-a72"; + }; + }; + zero-gravitas = { linux-kernel = { name = "zero-gravitas"; diff --git a/third_party/nixpkgs/lib/tests/filesystem.sh b/third_party/nixpkgs/lib/tests/filesystem.sh index 4a5ffeb124..cfd333d000 100755 --- a/third_party/nixpkgs/lib/tests/filesystem.sh 
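Review bot: Dropping `mipsisa32r6`, `mipsisa32r6el`, `mipsisa64r6` and `mipsisa64r6el` from the CPU table is a breaking change for users whose `crossSystem.config` or `system` string names one of them (for example `mipsisa64r6el-unknown-linux-gnuabi64`, until now listed in examples.nix); parsing would presumably fail as for any unknown CPU, with no hint that the variant was removed deliberately. Consider a deprecation path (a `lib.warn` alias or an explicit error naming the removed variants) or at least a release-notes entry; the matching removals in examples.nix and doubles.nix follow the same intent but give the user no signal either. The CPU attrset continues before and after the hunk.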
+++ b/third_party/nixpkgs/lib/tests/filesystem.sh 
@@ -35,58 +35,50 @@ touch regular ln -s target symlink mkfifo fifo -checkPathType() { - local path=$1 - local expectedPathType=$2 - local actualPathType=$(nix-instantiate --eval --strict --json 2>&1 \ - -E '{ path }: let lib = import ; in lib.filesystem.pathType path' \ - --argstr path "$path") - if [[ "$actualPathType" != "$expectedPathType" ]]; then - die "lib.filesystem.pathType \"$path\" == $actualPathType, but $expectedPathType was expected" +expectSuccess() { + local expr=$1 + local expectedResultRegex=$2 + if ! result=$(nix-instantiate --eval --strict --json \ + --expr "with (import ).filesystem; $expr"); then + die "$expr failed to evaluate, but it was expected to succeed" + fi + if [[ ! "$result" =~ $expectedResultRegex ]]; then + die "$expr == $result, but $expectedResultRegex was expected" fi } -checkPathType "/" '"directory"' -checkPathType "$PWD/directory" '"directory"' -checkPathType "$PWD/regular" '"regular"' -checkPathType "$PWD/symlink" '"symlink"' -checkPathType "$PWD/fifo" '"unknown"' -checkPathType "$PWD/non-existent" "error: evaluation aborted with the following error message: 'lib.filesystem.pathType: Path $PWD/non-existent does not exist.'" - -checkPathIsDirectory() { - local path=$1 - local expectedIsDirectory=$2 - local actualIsDirectory=$(nix-instantiate --eval --strict --json 2>&1 \ - -E '{ path }: let lib = import ; in lib.filesystem.pathIsDirectory path' \ - --argstr path "$path") - if [[ "$actualIsDirectory" != "$expectedIsDirectory" ]]; then - die "lib.filesystem.pathIsDirectory \"$path\" == $actualIsDirectory, but $expectedIsDirectory was expected" +expectFailure() { + local expr=$1 + local expectedErrorRegex=$2 + if result=$(nix-instantiate --eval --strict --json 2>"$work/stderr" \ + --expr "with (import ).filesystem; $expr"); then + die "$expr evaluated successfully to $result, but it was expected to fail" + fi + if [[ ! 
"$(<"$work/stderr")" =~ $expectedErrorRegex ]]; then + die "Error was $(<"$work/stderr"), but $expectedErrorRegex was expected" fi } -checkPathIsDirectory "/" "true" -checkPathIsDirectory "$PWD/directory" "true" -checkPathIsDirectory "$PWD/regular" "false" -checkPathIsDirectory "$PWD/symlink" "false" -checkPathIsDirectory "$PWD/fifo" "false" -checkPathIsDirectory "$PWD/non-existent" "false" +expectSuccess "pathType /." '"directory"' +expectSuccess "pathType $PWD/directory" '"directory"' +expectSuccess "pathType $PWD/regular" '"regular"' +expectSuccess "pathType $PWD/symlink" '"symlink"' +expectSuccess "pathType $PWD/fifo" '"unknown"' +# Different errors depending on whether the builtins.readFilePath primop is available or not +expectFailure "pathType $PWD/non-existent" "error: (evaluation aborted with the following error message: 'lib.filesystem.pathType: Path $PWD/non-existent does not exist.'|getting status of '$PWD/non-existent': No such file or directory)" -checkPathIsRegularFile() { - local path=$1 - local expectedIsRegularFile=$2 - local actualIsRegularFile=$(nix-instantiate --eval --strict --json 2>&1 \ - -E '{ path }: let lib = import ; in lib.filesystem.pathIsRegularFile path' \ - --argstr path "$path") - if [[ "$actualIsRegularFile" != "$expectedIsRegularFile" ]]; then - die "lib.filesystem.pathIsRegularFile \"$path\" == $actualIsRegularFile, but $expectedIsRegularFile was expected" - fi -} +expectSuccess "pathIsDirectory /." 
"true" +expectSuccess "pathIsDirectory $PWD/directory" "true" +expectSuccess "pathIsDirectory $PWD/regular" "false" +expectSuccess "pathIsDirectory $PWD/symlink" "false" +expectSuccess "pathIsDirectory $PWD/fifo" "false" +expectSuccess "pathIsDirectory $PWD/non-existent" "false" -checkPathIsRegularFile "/" "false" -checkPathIsRegularFile "$PWD/directory" "false" -checkPathIsRegularFile "$PWD/regular" "true" -checkPathIsRegularFile "$PWD/symlink" "false" -checkPathIsRegularFile "$PWD/fifo" "false" -checkPathIsRegularFile "$PWD/non-existent" "false" +expectSuccess "pathIsRegularFile /." "false" +expectSuccess "pathIsRegularFile $PWD/directory" "false" +expectSuccess "pathIsRegularFile $PWD/regular" "true" +expectSuccess "pathIsRegularFile $PWD/symlink" "false" +expectSuccess "pathIsRegularFile $PWD/fifo" "false" +expectSuccess "pathIsRegularFile $PWD/non-existent" "false" echo >&2 tests ok diff --git a/third_party/nixpkgs/lib/tests/misc.nix b/third_party/nixpkgs/lib/tests/misc.nix index 231f19c513..ce980436c1 100644 --- a/third_party/nixpkgs/lib/tests/misc.nix +++ b/third_party/nixpkgs/lib/tests/misc.nix 
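Review bot: `expectSuccess` replaces the old exact string comparison with an unanchored `=~` match at `if [[ ! "$result" =~ $expectedResultRegex ]]`, so the expectations `"true"`/`"false"` and `'"directory"'` now also accept any output that merely contains them (a JSON string `"false"` would satisfy the boolean `false` case). Anchoring restores the old strictness while still allowing alternation: `if [[ ! "$result" =~ ^($expectedResultRegex)$ ]]; then`. Separately, the comment above the non-existent-path case refers to `builtins.readFilePath`; the primop whose presence changes the error text is presumably `builtins.readFileType`, worth correcting so the comment names a real builtin.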
@@ -518,6 +518,46 @@ runTests { expected = false; }; + testFindFirstExample1 = { + expr = findFirst (x: x > 3) 7 [ 1 6 4 ]; + expected = 6; + }; + + testFindFirstExample2 = { + expr = findFirst (x: x > 9) 7 [ 1 6 4 ]; + expected = 7; + }; + + testFindFirstEmpty = { + expr = findFirst (abort "when the list is empty, the predicate is not needed") null []; + expected = null; + }; + + testFindFirstSingleMatch = { + expr = findFirst (x: x == 5) null [ 5 ]; + expected = 5; + }; + + testFindFirstSingleDefault = { + expr = findFirst (x: false) null [ (abort "if the predicate doesn't access the value, it must not be evaluated") ]; + expected = null; + }; + + testFindFirstNone = { + expr = builtins.tryEval (findFirst (x: x == 2) null [ 1 (throw "the last element must be evaluated when there's no match") ]); + expected = { success = false; value = false; }; + }; + + # Makes sure that the implementation doesn't cause a stack overflow + testFindFirstBig = { + expr = findFirst (x: x == 1000000) null (range 0 1000000); + expected = 1000000; + }; + + testFindFirstLazy = { + expr = findFirst (x: x == 1) 7 [ 1 (abort "list elements after the match must not be evaluated") ]; + expected = 1; + }; # ATTRSETS diff --git a/third_party/nixpkgs/lib/tests/modules.sh b/third_party/nixpkgs/lib/tests/modules.sh index 7fdc3d3d81..50f24c09ca 100755 --- a/third_party/nixpkgs/lib/tests/modules.sh +++ b/third_party/nixpkgs/lib/tests/modules.sh 
@@ -61,6 +61,18 @@ checkConfigError() { # Shorthand meta attribute does not duplicate the config checkConfigOutput '^"one two"$' config.result ./shorthand-meta.nix +checkConfigOutput '^true$' config.result ./test-mergeAttrDefinitionsWithPrio.nix + +# types.pathInStore +checkConfigOutput '".*/store/0lz9p8xhf89kb1c1kk6jxrzskaiygnlh-bash-5.2-p15.drv"' config.pathInStore.ok1 ./types.nix +checkConfigOutput '".*/store/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15"' config.pathInStore.ok2 ./types.nix +checkConfigOutput '".*/store/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15/bin/bash"' config.pathInStore.ok3 ./types.nix +checkConfigError 'A definition for option .* is not of type .path in the Nix store.. Definition values:\n\s*- In .*: ""' config.pathInStore.bad1 ./types.nix +checkConfigError 'A definition for option .* is not of type .path in the Nix store.. Definition values:\n\s*- In .*: ".*/store"' config.pathInStore.bad2 ./types.nix +checkConfigError 'A definition for option .* is not of type .path in the Nix store.. Definition values:\n\s*- In .*: ".*/store/"' config.pathInStore.bad3 ./types.nix +checkConfigError 'A definition for option .* is not of type .path in the Nix store.. Definition values:\n\s*- In .*: ".*/store/.links"' config.pathInStore.bad4 ./types.nix +checkConfigError 'A definition for option .* is not of type .path in the Nix store.. Definition values:\n\s*- In .*: "/foo/bar"' config.pathInStore.bad5 ./types.nix + # Check boolean option. checkConfigOutput '^false$' config.enable ./declare-enable.nix checkConfigError 'The option .* does not exist. Definition values:\n\s*- In .*: true' config.enable ./define-enable.nix 
@@ -195,7 +207,7 @@ checkConfigOutput '^"foo"$' config.submodule.foo ./declare-submoduleWith-special ## shorthandOnlyDefines config behaves as expected checkConfigOutput '^true$' config.submodule.config ./declare-submoduleWith-shorthand.nix ./define-submoduleWith-shorthand.nix checkConfigError 'is not of type `boolean' config.submodule.config ./declare-submoduleWith-shorthand.nix ./define-submoduleWith-noshorthand.nix -checkConfigError "You're trying to define a value of type \`bool'\n\s*rather than an attribute set for the option" config.submodule.config ./declare-submoduleWith-noshorthand.nix ./define-submoduleWith-shorthand.nix +checkConfigError "In module ..*define-submoduleWith-shorthand.nix., you're trying to define a value of type \`bool'\n\s*rather than an attribute set for the option" config.submodule.config ./declare-submoduleWith-noshorthand.nix ./define-submoduleWith-shorthand.nix checkConfigOutput '^true$' config.submodule.config ./declare-submoduleWith-noshorthand.nix ./define-submoduleWith-noshorthand.nix ## submoduleWith should merge all modules in one swoop @@ -378,7 +390,7 @@ checkConfigOutput '^{ }$' config.sub.nixosOk ./class-check.nix checkConfigError 'The module .*/module-class-is-darwin.nix was imported into nixos instead of darwin.' config.sub.nixosFail.config ./class-check.nix # submoduleWith type merge with different class -checkConfigError 'error: A submoduleWith option is declared multiple times with conflicting class values "darwin" and "nixos".' config.sub.mergeFail.config ./class-check.nix +checkConfigError 'A submoduleWith option is declared multiple times with conflicting class values "darwin" and "nixos".' config.sub.mergeFail.config ./class-check.nix # _type check checkConfigError 'Could not load a value as a module, because it is of type "flake", in file .*/module-imports-_type-check.nix' config.ok.config ./module-imports-_type-check.nix 
diff --git a/third_party/nixpkgs/lib/tests/modules/test-mergeAttrDefinitionsWithPrio.nix b/third_party/nixpkgs/lib/tests/modules/test-mergeAttrDefinitionsWithPrio.nix
new file mode 100644
index 0000000000..3233f41513
--- /dev/null
+++ b/third_party/nixpkgs/lib/tests/modules/test-mergeAttrDefinitionsWithPrio.nix
@@ -0,0 +1,21 @@
+{ lib, options, ... }:
+
+let
+ defs = lib.modules.mergeAttrDefinitionsWithPrio options._module.args;
+ assertLazy = pos: throw "${pos.file}:${toString pos.line}:${toString pos.column}: The test must not evaluate this the assertLazy thunk, but it did. Unexpected strictness leads to unexpected errors and performance problems.";
+in
+
+{
+ options.result = lib.mkOption { };
+ config._module.args = {
+ default = lib.mkDefault (assertLazy __curPos);
+ regular = null;
+ force = lib.mkForce (assertLazy __curPos);
+ unused = assertLazy __curPos;
+ };
+ config.result =
+ assert defs.default.highestPrio == (lib.mkDefault (assertLazy __curPos)).priority;
+ assert defs.regular.highestPrio == lib.modules.defaultOverridePriority;
+ assert defs.force.highestPrio == (lib.mkForce (assertLazy __curPos)).priority;
+ true;
+}
diff --git a/third_party/nixpkgs/lib/tests/modules/types.nix b/third_party/nixpkgs/lib/tests/modules/types.nix
new file mode 100644
index 0000000000..7c43a6819e
--- /dev/null
+++ b/third_party/nixpkgs/lib/tests/modules/types.nix
@@ -0,0 +1,24 @@
+{ lib, ... }:
+let
+ inherit (builtins)
+ storeDir;
+ inherit (lib)
+ types
+ mkOption
+ ;
+in
+{
+ options = {
+ pathInStore = mkOption { type = types.lazyAttrsOf types.pathInStore; };
+ };
+ config = {
+ pathInStore.ok1 = "${storeDir}/0lz9p8xhf89kb1c1kk6jxrzskaiygnlh-bash-5.2-p15.drv";
+ pathInStore.ok2 = "${storeDir}/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15";
+ pathInStore.ok3 = "${storeDir}/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15/bin/bash";
+ pathInStore.bad1 = "";
+ pathInStore.bad2 = "${storeDir}";
+ pathInStore.bad3 = "${storeDir}/";
+ pathInStore.bad4 = "${storeDir}/.links"; # technically true, but not reasonable
+ pathInStore.bad5 = "/foo/bar";
+ };
+}
diff --git a/third_party/nixpkgs/lib/tests/release.nix b/third_party/nixpkgs/lib/tests/release.nix
index f5c6e81030..805f7a7e95 100644
--- a/third_party/nixpkgs/lib/tests/release.nix
+++ b/third_party/nixpkgs/lib/tests/release.nix
@@ -2,53 +2,63 @@ # Don't test properties of pkgs.lib, but rather the lib in the parent directory pkgs ? import ../.. {} // { lib = throw "pkgs.lib accessed, but the lib tests should use nixpkgs' lib path directly!"; }, nix ? pkgs.nix, + nixVersions ? [ pkgs.nixVersions.minimum nix pkgs.nixVersions.unstable ], }: -pkgs.runCommand "nixpkgs-lib-tests" { - buildInputs = [ - (import ./check-eval.nix) - (import ./maintainers.nix { - inherit pkgs; - lib = import ../.; - }) - (import ./teams.nix { - inherit pkgs; - lib = import ../.; - }) - (import ../path/tests { - inherit pkgs; - }) - ]; - nativeBuildInputs = [ - nix - ]; - strictDeps = true; -} '' - datadir="${nix}/share" - export TEST_ROOT=$(pwd)/test-tmp - export NIX_BUILD_HOOK= - export NIX_CONF_DIR=$TEST_ROOT/etc - export NIX_LOCALSTATE_DIR=$TEST_ROOT/var - export NIX_LOG_DIR=$TEST_ROOT/var/log/nix - export NIX_STATE_DIR=$TEST_ROOT/var/nix - export NIX_STORE_DIR=$TEST_ROOT/store - export PAGER=cat - cacheDir=$TEST_ROOT/binary-cache +let + testWithNix = nix: + pkgs.runCommand "nixpkgs-lib-tests-nix-${nix.version}" { + buildInputs = [ + (import ./check-eval.nix) + (import ./maintainers.nix { + inherit pkgs; + lib = import ../.; + }) + (import ./teams.nix { + inherit pkgs; + lib = import ../.; + }) + (import ../path/tests { + inherit pkgs; + }) + ]; + nativeBuildInputs = [ + nix + ]; + strictDeps = true; + } '' + datadir="${nix}/share" + export TEST_ROOT=$(pwd)/test-tmp + export NIX_BUILD_HOOK= + export NIX_CONF_DIR=$TEST_ROOT/etc + export NIX_LOCALSTATE_DIR=$TEST_ROOT/var + export NIX_LOG_DIR=$TEST_ROOT/var/log/nix + export NIX_STATE_DIR=$TEST_ROOT/var/nix + export NIX_STORE_DIR=$TEST_ROOT/store + export PAGER=cat + cacheDir=$TEST_ROOT/binary-cache - mkdir -p $NIX_CONF_DIR - echo "experimental-features = nix-command" >> $NIX_CONF_DIR/nix.conf + nix-store --init - nix-store --init + cp -r ${../.} lib + echo "Running lib/tests/modules.sh" + bash lib/tests/modules.sh - cp -r ${../.} lib - echo "Running 
lib/tests/modules.sh" - bash lib/tests/modules.sh + echo "Running lib/tests/filesystem.sh" + TEST_LIB=$PWD/lib bash lib/tests/filesystem.sh - echo "Running lib/tests/filesystem.sh" - TEST_LIB=$PWD/lib bash lib/tests/filesystem.sh + echo "Running lib/tests/sources.sh" + TEST_LIB=$PWD/lib bash lib/tests/sources.sh - echo "Running lib/tests/sources.sh" - TEST_LIB=$PWD/lib bash lib/tests/sources.sh + echo "Running lib/tests/systems.nix" + [[ $(nix-instantiate --eval --strict lib/tests/systems.nix | tee /dev/stderr) == '[ ]' ]]; - touch $out -'' + mkdir $out + echo success > $out/${nix.version} + ''; + +in + pkgs.symlinkJoin { + name = "nixpkgs-lib-tests"; + paths = map testWithNix nixVersions; + } diff --git a/third_party/nixpkgs/lib/tests/sources.sh b/third_party/nixpkgs/lib/tests/sources.sh index a7f490a79d..cda77aa96b 100755 --- a/third_party/nixpkgs/lib/tests/sources.sh +++ b/third_party/nixpkgs/lib/tests/sources.sh 
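Review bot: Each per-version derivation records its result as `echo success > $out/${nix.version}` and `symlinkJoin` merges the results by path, so two entries of `nixVersions` that share a `version` string but are different derivations (a patched `nix` passed alongside `pkgs.nixVersions.*`) would both produce `$out/<version>` and presumably collide in the join. Keying the marker on something unique to the derivation, e.g. `echo success > $out/${nix.name}`, avoids that. The `experimental-features = nix-command` line and the `NIX_CONF_DIR` setup were dropped; that is consistent with sources.sh moving to `nix-instantiate`, but worth confirming that no remaining test script still shells out to the `nix` CLI.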
@@ -23,14 +23,19 @@ clean_up() { trap clean_up EXIT cd "$work" +# Crudely unquotes a JSON string by just taking everything between the first and the second quote. +# We're only using this for resulting /nix/store paths, which can't contain " anyways, +# nor can they contain any other characters that would need to be escaped specially in JSON +# This way we don't need to add a dependency on e.g. jq +crudeUnquoteJSON() { + cut -d \" -f2 +} + touch {README.md,module.o,foo.bar} -# nix-instantiate doesn't write out the source, only computing the hash, so -# this uses the experimental nix command instead. - -dir="$(nix eval --impure --raw --expr '(with import ; "${ +dir="$(nix-instantiate --eval --strict --read-write-mode --json --expr '(with import ; "${ cleanSource ./. -}")')" +}")' | crudeUnquoteJSON)" (cd "$dir"; find) | sort -f | diff -U10 - <(cat < + sys == elaborate (toLosslessStringMaybe sys) + + NOTE: This property is not guaranteed when `sys` was elaborated by a different + version of Nixpkgs. + */ + toLosslessStringMaybe = sys: + if lib.isString sys then sys + else if lib.systems.equals sys (lib.systems.elaborate sys.system) then sys.system + else null; + +in +lib.runTests ( # We assert that the new algorithmic way of generating these lists matches the # way they were hard-coded before. # 
@@ -5,20 +34,14 @@ # calculating the lists anyway?". The answer is one can mindlessly update these # tests as new platforms become supported, and then just give the diff a quick # sanity check before committing :). -let - lib = import ../default.nix; - mseteq = x: y: { - expr = lib.sort lib.lessThan x; - expected = lib.sort lib.lessThan y; - }; -in -with lib.systems.doubles; lib.runTests { + +(with lib.systems.doubles; { testall = mseteq all (linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos ++ wasi ++ windows ++ embedded ++ mmix ++ js ++ genode ++ redox); testarm = mseteq arm [ "armv5tel-linux" "armv6l-linux" "armv6l-netbsd" "armv6l-none" "armv7a-linux" "armv7a-netbsd" "armv7l-linux" "armv7l-netbsd" "arm-none" "armv7a-darwin" ]; testarmv7 = mseteq armv7 [ "armv7a-darwin" "armv7a-linux" "armv7l-linux" "armv7a-netbsd" "armv7l-netbsd" ]; testi686 = mseteq i686 [ "i686-linux" "i686-freebsd13" "i686-genode" "i686-netbsd" "i686-openbsd" "i686-cygwin" "i686-windows" "i686-none" "i686-darwin" ]; - testmips = mseteq mips [ "mips64el-linux" "mipsel-linux" "mipsel-netbsd" ]; + testmips = mseteq mips [ "mips-none" "mips64-none" "mips-linux" "mips64-linux" "mips64el-linux" "mipsel-linux" "mipsel-netbsd" ]; testmmix = mseteq mmix [ "mmix-mmixware" ]; testpower = mseteq power [ "powerpc-netbsd" "powerpc-none" "powerpc64-linux" "powerpc64le-linux" "powerpcle-none" ]; testriscv = mseteq riscv [ "riscv32-linux" "riscv64-linux" "riscv32-netbsd" "riscv64-netbsd" "riscv32-none" "riscv64-none" ]; 
@@ -34,9 +57,49 @@ with lib.systems.doubles; lib.runTests {
 testredox = mseteq redox [ "x86_64-redox" ];
 testgnu = mseteq gnu (linux /* ++ kfreebsd ++ ... */);
 testillumos = mseteq illumos [ "x86_64-solaris" ];
- testlinux = mseteq linux [ "aarch64-linux" "armv5tel-linux" "armv6l-linux" "armv7a-linux" "armv7l-linux" "i686-linux" "mips64el-linux" "mipsel-linux" "riscv32-linux" "riscv64-linux" "x86_64-linux" "powerpc64-linux" "powerpc64le-linux" "m68k-linux" "s390-linux" "s390x-linux" "microblaze-linux" "microblazeel-linux" "loongarch64-linux" ];
+ testlinux = mseteq linux [ "aarch64-linux" "armv5tel-linux" "armv6l-linux" "armv7a-linux" "armv7l-linux" "i686-linux" "loongarch64-linux" "m68k-linux" "microblaze-linux" "microblazeel-linux" "mips-linux" "mips64-linux" "mips64el-linux" "mipsel-linux" "powerpc64-linux" "powerpc64le-linux" "riscv32-linux" "riscv64-linux" "s390-linux" "s390x-linux" "x86_64-linux" ];
 testnetbsd = mseteq netbsd [ "aarch64-netbsd" "armv6l-netbsd" "armv7a-netbsd" "armv7l-netbsd" "i686-netbsd" "m68k-netbsd" "mipsel-netbsd" "powerpc-netbsd" "riscv32-netbsd" "riscv64-netbsd" "x86_64-netbsd" ];
 testopenbsd = mseteq openbsd [ "i686-openbsd" "x86_64-openbsd" ];
 testwindows = mseteq windows [ "i686-cygwin" "x86_64-cygwin" "i686-windows" "x86_64-windows" ];
 testunix = mseteq unix (linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos ++ cygwin ++ redox);
+})
+
+// {
+ test_equals_example_x86_64-linux = {
+ expr = lib.systems.equals (lib.systems.elaborate "x86_64-linux") (lib.systems.elaborate "x86_64-linux");
+ expected = true;
+ };
+
+ test_toLosslessStringMaybe_example_x86_64-linux = {
+ expr = toLosslessStringMaybe (lib.systems.elaborate "x86_64-linux");
+ expected = "x86_64-linux";
+ };
+ test_toLosslessStringMaybe_fail = {
+ expr = toLosslessStringMaybe (lib.systems.elaborate "x86_64-linux" // { something = "extra"; });
+ expected = null;
+ };
 }
+
+# Generate test cases to assert that a change in any non-function attribute makes a platform
unequal
+// lib.concatMapAttrs (platformAttrName: origValue: {
+
+ ${"test_equals_unequal_${platformAttrName}"} =
+ let modified =
+ assert origValue != arbitraryValue;
+ lib.systems.elaborate "x86_64-linux" // { ${platformAttrName} = arbitraryValue; };
+ arbitraryValue = x: "<>";
+ in {
+ expr = lib.systems.equals (lib.systems.elaborate "x86_64-linux") modified;
+ expected = {
+ # Changes in these attrs are not detectable because they're function.
+ # The functions should be derived from the data, so this is not a problem.
+ canExecute = null;
+ emulator = null;
+ emulatorAvailable = null;
+ isCompatible = null;
+ }?${platformAttrName};
+ };
+
+}) (lib.systems.elaborate "x86_64-linux" /* arbitrary choice, just to get all the elaborated attrNames */)
+
+)
diff --git a/third_party/nixpkgs/lib/trivial.nix b/third_party/nixpkgs/lib/trivial.nix
index 26e4b32400..34c100959e 100644
--- a/third_party/nixpkgs/lib/trivial.nix
+++ b/third_party/nixpkgs/lib/trivial.nix
@@ -179,7 +179,7 @@ rec {
 they take effect as soon as the oldest release reaches end of life. */ oldestSupportedRelease = # Update on master only. Do not backport.
- 2211;
+ 2305;
 /* Whether a feature is supported in all supported releases (at the time of release branch-off, if applicable). See `oldestSupportedRelease`. */
diff --git a/third_party/nixpkgs/lib/types.nix b/third_party/nixpkgs/lib/types.nix
index 9360d42f58..ddd37f260c 100644
--- a/third_party/nixpkgs/lib/types.nix
+++ b/third_party/nixpkgs/lib/types.nix
@@ -211,7 +211,7 @@ rec {
 # nixos/doc/manual/development/option-types.xml!
 types = rec {
- raw = mkOptionType rec {
+ raw = mkOptionType {
 name = "raw";
 description = "raw value";
 descriptionClass = "noun";
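Review bot: The set of function-typed attributes listed under `expected` (`canExecute`, `emulator`, `emulatorAvailable`, `isCompatible`) is hard-coded, so if one of them later turns into plain data the generated `test_equals_unequal_*` case would keep expecting `equals` to ignore the change instead of flagging it. Cross-checking the list against the actual value keeps the generator honest, e.g. adding after the existing assert `assert lib.isFunction origValue == ({ canExecute = null; emulator = null; emulatorAvailable = null; isCompatible = null; } ? ${platformAttrName});`. The comment above the list reads `because they're function.` and should say `because they're functions.`. The enclosing `lib.runTests (` call opens in an earlier hunk.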
@@ -461,6 +461,7 @@ rec {
 # - strings with context, e.g. "${pkgs.foo}" or (toString pkgs.foo)
 # - hardcoded store path literals (/nix/store/hash-foo) or strings without context
 # ("/nix/store/hash-foo"). These get a context added to them using builtins.storePath.
+ # If you don't need a *top-level* store path, consider using pathInStore instead.
 package = mkOptionType {
 name = "package";
 descriptionClass = "noun";
@@ -491,6 +492,14 @@ rec {
 merge = mergeEqualOption;
 };
+ pathInStore = mkOptionType {
+ name = "pathInStore";
+ description = "path in the Nix store";
+ descriptionClass = "noun";
+ check = x: isStringLike x && builtins.match "${builtins.storeDir}/[^.].*" (toString x) != null;
+ merge = mergeEqualOption;
+ };
+
 listOf = elemType: mkOptionType rec {
 name = "listOf";
 description = "list of ${optionDescriptionPhrase (class: class == "noun" || class == "composite") elemType}";
diff --git a/third_party/nixpkgs/maintainers/maintainer-list.nix b/third_party/nixpkgs/maintainers/maintainer-list.nix
index c4fafc03ac..5294d2e0e4 100644
--- a/third_party/nixpkgs/maintainers/maintainer-list.nix
+++ b/third_party/nixpkgs/maintainers/maintainer-list.nix
@@ -64,6 +64,12 @@
 githubId = 64707304;
 name = "Dmitry Kulikov";
 };
+ _0x120581f = {
+ email = "nixpkgs@0x120581f.dev";
+ name = "0x120581f";
+ github = "0x120581f";
+ githubId = 130835755;
+ };
 _0x4A6F = {
 email = "mail-maintainer@0x4A6F.dev";
 matrix = "@0x4a6f:matrix.org";
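Review bot: The `check` added for `pathInStore` in the `@@ -491,6 +492,14 @@` hunk interpolates `builtins.storeDir` into the regex unescaped and then accepts any suffix via `[^.].*`, so a store directory containing regex metacharacters is matched loosely, and a value such as `/nix/store/hash-foo/../../etc` (constructed) passes even though it resolves outside the store. If the type is meant to confine option values to the store rather than only check their prefix, escape the directory and reject `..` segments, e.g. `check = x: let s = toString x; in isStringLike x && builtins.match "${lib.strings.escapeRegex builtins.storeDir}/[^.].*" s != null && !lib.hasInfix "/../" s && !lib.hasSuffix "/.." s;`. The `types` attribute set this is defined in opens outside the hunk.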
@@ -177,12 +183,28 @@ githubId = 12578560; name = "Quinn Bohner"; }; + _8-bit-fox = { + email = "sebastian@markwaerter.de"; + github = "8-bit-fox"; + githubId = 43320117; + name = "Sebastian Marquardt"; + }; _9999years = { email = "rbt@fastmail.com"; github = "9999years"; githubId = 15312184; name = "Rebecca Turner"; }; + _999eagle = { + email = "github@999eagle.moe"; + matrix = "@sophie:catgirl.cloud"; + github = "999eagle"; + githubId = 1221984; + name = "Sophie Tauchert"; + keys = [{ + fingerprint = "7B59 F09E 0FE5 BC34 F032 1FB4 5270 1DE5 F5F5 1125"; + }]; + }; a1russell = { email = "adamlr6+pub@gmail.com"; github = "a1russell"; @@ -303,6 +325,12 @@ githubId = 2321000; name = "Ruslan Babayev"; }; + abustany = { + email = "adrien@bustany.org"; + github = "abustany"; + githubId = 2526296; + name = "Adrien Bustany"; + }; acairncross = { email = "acairncross@gmail.com"; github = "acairncross"; @@ -504,6 +532,12 @@ githubId = 44871469; name = "Etienne Wodey"; }; + aither64 = { + email = "aither@havefun.cz"; + github = "aither64"; + githubId = 4717906; + name = "Jakub Skokan"; + }; ajgrf = { email = "a@ajgrf.com"; github = "ajgrf"; @@ -598,6 +632,12 @@ githubId = 43479487; name = "Titouan Biteau"; }; + aldoborrero = { + email = "aldoborrero+nixos@pm.me"; + github = "aldoborrero"; + githubId = 82811; + name = "Aldo Borrero"; + }; aleksana = { email = "me@aleksana.moe"; github = "Aleksanaa"; @@ -773,6 +813,12 @@ fingerprint = "B422 CFB1 C9EF 73F7 E1E2 698D F53E 3233 42F7 A6D3A"; }]; }; + alxsimon = { + email = "alexis.simon@normalesup.org"; + github = "alxsimon"; + githubId = 9567176; + name = "Alexis Simon"; + }; alyaeanyx = { email = "alyaeanyx@mailbox.org"; github = "alyaeanyx"; @@ -931,6 +977,12 @@ githubId = 123550; name = "André Silva"; }; + andresnav = { + email = "nix@andresnav.com"; + github = "andres-nav"; + githubId = 118762770; + name = "Andres Navarro"; + }; andrestylianos = { email = "andre.stylianos@gmail.com"; github = "andrestylianos"; 
@@ -1179,6 +1231,12 @@ githubId = 914687; name = "Alexis Praga"; }; + aprl = { + email = "aprl@acab.dev"; + github = "cutestnekoaqua"; + githubId = 30842467; + name = "April John"; + }; ar1a = { email = "aria@ar1as.space"; github = "ar1a"; @@ -1399,6 +1457,12 @@ githubId = 453170; name = "Alastair Pharo"; }; + astavie = { + email = "astavie@pm.me"; + github = "astavie"; + githubId = 7745457; + name = "Astavie"; + }; astro = { email = "astro@spaceboyz.net"; github = "astro"; @@ -1627,6 +1691,12 @@ fingerprint = "2688 0377 C31D 9E81 9BDF 83A8 C8C6 BDDB 3847 F72B"; }]; }; + azd325 = { + email = "tim.kleinschmidt@gmail.com"; + github = "Azd325"; + githubId = 426541; + name = "Tim Kleinschmidt"; + }; azuwis = { email = "azuwis@gmail.com"; github = "azuwis"; @@ -1758,6 +1828,16 @@ fingerprint = "A3E1 C409 B705 50B3 BF41 492B 5684 0A61 4DBE 37AE"; }]; }; + bastaynav = { + name = "Ivan Bastrakov"; + email = "bastaynav@proton.me"; + matrix = "@bastaynav:matrix.org"; + github = "bastaynav"; + githubId = 6987136; + keys = [{ + fingerprint = "2C6D 37D4 6AA1 DCDA BE8D F346 43E2 CF4C 01B9 4940"; + }]; + }; basvandijk = { email = "v.dijk.bas@gmail.com"; github = "basvandijk"; @@ -1857,6 +1937,12 @@ githubId = 11135; name = "Berk D. Demir"; }; + bddvlpr = { + email = "luna@bddvlpr.com"; + github = "bddvlpr"; + githubId = 17461028; + name = "Luna Simons"; + }; bdesham = { email = "benjamin@esham.io"; github = "bdesham"; @@ -1875,6 +1961,12 @@ github = "beardhatcode"; githubId = 662538; }; + beeb = { + name = "Valentin Bersier"; + email = "hi@beeb.li"; + github = "beeb"; + githubId = 703631; + }; beezow = { name = "beezow"; email = "zbeezow@gmail.com"; 
@@ -1915,6 +2007,16 @@ fingerprint = "E9A3 7864 2165 28CE 507C CA82 72EA BF75 C331 CD25"; }]; }; + Benjamin-L = { + name = "Benjamin Lee"; + email = "benjamin@computer.surgery"; + matrix = "@benjamin:computer.surgery"; + github = "Benjamin-L"; + githubId = 6504174; + keys = [{ + fingerprint = "9D84 09A0 44FC 1EEB AE2D FA30 FB96 24E2 885D 55A4"; + }]; + }; benkuhn = { email = "ben@ben-kuhn.com"; github = "ben-kuhn"; @@ -2180,12 +2282,25 @@ fingerprint = "17C7 95D4 871C 2F87 83C8 053D 0C61 C4E5 907F 76C8"; }]; }; + booniepepper = { + name = "J.R. Hill"; + email = "justin@so.dang.cool"; + github = "booniepepper"; + githubId = 17605298; + }; bootstrap-prime = { email = "bootstrap.prime@gmail.com"; github = "bootstrap-prime"; githubId = 68566724; name = "bootstrap-prime"; }; + boozedog = { + email = "code@booze.dog"; + github = "boozedog"; + githubId = 1410808; + matrix = "@boozedog:matrix.org"; + name = "David A. Buser"; + }; borisbabic = { email = "boris.ivan.babic@gmail.com"; github = "borisbabic"; @@ -2439,7 +2554,7 @@ }; cafkafk = { email = "christina@cafkafk.com"; - matrix = "@cafkafk:matrix.cafkafk.com"; + matrix = "@cafkafk:m.cafkafk.com"; name = "Christina Sørensen"; github = "cafkafk"; githubId = 89321978; @@ -2452,6 +2567,12 @@ } ]; }; + CaitlinDavitt = { + email = "CaitlinDavitt@gmail.com"; + github = "CaitlinDavitt"; + githubId = 48105979; + name = "Caitlin Davitt"; + }; calavera = { email = "david.calavera@gmail.com"; github = "calavera"; @@ -2543,6 +2664,12 @@ githubId = 82591; name = "Carl Sverre"; }; + carlthome = { + name = "Carl Thomé"; + email = "carlthome@gmail.com"; + github = "carlthome"; + githubId = 1595907; + }; carpinchomug = { email = "aki.suda@protonmail.com"; github = "carpinchomug"; 
@@ -2730,6 +2857,13 @@ githubId = 6608071; name = "Charles Huyghues-Despointes"; }; + chayleaf = { + email = "chayleaf-nix@pavluk.org"; + github = "chayleaf"; + githubId = 9590981; + matrix = "@chayleaf:matrix.pavluk.org"; + name = "Anna Pavlyuk"; + }; chekoopa = { email = "chekoopa@mail.ru"; github = "chekoopa"; @@ -2781,6 +2915,12 @@ githubId = 14790226; name = "Hubert Jasudowicz"; }; + c-h-johnson = { + name = "Charles Johnson"; + email = "charles@charlesjohnson.name"; + github = "c-h-johnson"; + githubId = 138403247; + }; chkno = { email = "scottworley@scottworley.com"; github = "chkno"; @@ -2919,7 +3059,7 @@ }; citadelcore = { email = "alex@arctarus.co.uk"; - github = "CitadelCore"; + github = "VertexA115"; githubId = 5567402; name = "Alex Zero"; keys = [{ @@ -3049,6 +3189,15 @@ githubId = 34317; name = "Corey O'Connor"; }; + code-asher = { + email = "ash@coder.com"; + github = "code-asher"; + githubId = 45609798; + name = "Asher"; + keys = [{ + fingerprint = "6E3A FA6D 915C C2A4 D26F C53E 7BB4 BA9C 783D 2BBC"; + }]; + }; CodeLongAndProsper90 = { github = "CodeLongAndProsper90"; githubId = 50145141; @@ -3139,6 +3288,12 @@ githubId = 244239; name = "Mauricio Collares"; }; + coloquinte = { + email = "gabriel.gouvine_nix@m4x.org"; + github = "coloquinte"; + githubId = 4102525; + name = "Gabriel Gouvine"; + }; commandodev = { email = "ben@perurbis.com"; github = "commandodev"; @@ -3164,6 +3319,12 @@ name = "Changsheng Wu"; githubId = 2083950; }; + conni2461 = { + email = "simon.hauser@outlook.com"; + github = "Conni2461"; + name = "Simon Hauser"; + githubId = 15233006; + }; connorbaker = { email = "connor.baker@tweag.io"; matrix = "@connorbaker:matrix.org"; @@ -3524,6 +3685,12 @@ fingerprint = "4779 D1D5 3C97 2EAE 34A5 ED3D D8AF C4BF 0567 0F9D"; }]; }; + dariof4 = { + name = "dariof4"; + email = "dazedtank@gmail.com"; + github = "dariof4"; + githubId = 9992814; + }; darkonion0 = { name = "Alexandre Peruggia"; email = "darkgenius1@protonmail.com"; 
@@ -3652,6 +3819,12 @@ githubId = 49904992; name = "Dawid Sowa"; }; + dbalan = { + email = "nix@dbalan.in"; + github = "dbalan"; + githubId = 223910; + name = "Dhananjay Balan"; + }; dbeckwith = { email = "djbsnx@gmail.com"; github = "dbeckwith"; @@ -3709,6 +3882,12 @@ fingerprint = "9B43 6B14 77A8 79C2 6CDB 6604 C171 2510 02C2 00F2"; }]; }; + deemp = { + email = "deempleton@gmail.com"; + github = "deemp"; + githubId = 48378098; + name = "Danila Danko"; + }; deepfire = { email = "_deepfire@feelingofgreen.ru"; github = "deepfire"; @@ -3877,6 +4056,13 @@ githubId = 17111639; name = "Devin Singh"; }; + devpikachu = { + email = "andrei.hava@proton.me"; + matrix = "@andrei:matrix.detpikachu.dev"; + github = "devpikachu"; + githubId = 30475873; + name = "Andrei Hava"; + }; devusb = { email = "mhelton@devusb.us"; github = "devusb"; @@ -4103,6 +4289,14 @@ githubId = 39825; name = "Dominik Honnef"; }; + donovanglover = { + github = "donovanglover"; + githubId = 2374245; + name = "Donovan Glover"; + keys = [{ + fingerprint = "EE7D 158E F9E7 660E 0C33 86B2 8FC5 F7D9 0A5D 8F4D"; + }]; + }; doriath = { email = "tomasz.zurkowski@gmail.com"; github = "doriath"; @@ -4239,12 +4433,12 @@ }; dsuetin = { name = "Danil Suetin"; - email = "suetin085@gmail.com"; + email = "suetin085+nixpkgs@protonmail.com"; matrix = "@dani0854:matrix.org"; github = "dani0854"; githubId = 32674935; keys = [{ - fingerprint = "6CC2 D713 6703 0D86 CA29 C71F 23B5 AA6F A374 F2FE"; + fingerprint = "E033 FE26 0E62 224B B35C 75C9 DE8B 9CED 0696 C600"; }]; }; dsymbol = { @@ -4386,6 +4580,15 @@ githubId = 1516017; name = "Ed Cragg"; }; + eddsteel = { + email = "edd@eddsteel.com"; + github = "eddsteel"; + githubId = 206872; + name = "Edd Steel"; + keys = [{ + fingerprint = "1BE8 48D7 6C7C 4C51 349D DDCC 3362 0159 D403 85A0"; + }]; + }; edef = { email = "edef@edef.eu"; github = "edef1c"; 
@@ -4432,6 +4635,12 @@ githubId = 54799; name = "Edward Tjörnhammar"; }; + ee2500 = { + email = "earthengine@skiff.com"; + github = "ee2500"; + githubId = 134107129; + name = "EarthEngine"; + }; eelco = { email = "edolstra+nixpkgs@gmail.com"; github = "edolstra"; @@ -4910,6 +5119,12 @@ githubId = 1847524; name = "Evan Stoll"; }; + evanrichter = { + email = "evanjrichter@gmail.com"; + github = "evanrichter"; + githubId = 330292; + name = "Evan Richter"; + }; evax = { email = "nixos@evax.fr"; github = "evax"; @@ -4928,6 +5143,12 @@ githubId = 2512008; name = "Even Brenden"; }; + evilmav = { + email = "elenskiy.ilya@gmail.com"; + github = "evilmav"; + githubId = 6803717; + name = "Ilya Elenskiy"; + }; evils = { email = "evils.devils@protonmail.com"; matrix = "@evils:nixos.dev"; @@ -4975,6 +5196,12 @@ fingerprint = "FC1D 3E4F CBCA 80DF E870 6397 C811 6E3A 0C1C A76A"; }]; }; + exploitoverload = { + email = "nix@exploitoverload.com"; + github = "exploitoverload"; + githubId = 99678549; + name = "Asier Armenteros"; + }; extends = { email = "sharosari@gmail.com"; github = "ImExtends"; @@ -5241,6 +5468,12 @@ githubId = 2489598; name = "Felix Breidenstein"; }; + flemzord = { + email = "maxence@maireaux.fr"; + github = "flemzord"; + githubId = 1952914; + name = "Maxence Maireaux"; + }; flexagoon = { email = "flexagoon@pm.me"; github = "flexagoon"; @@ -5392,6 +5625,12 @@ githubId = 7551358; name = "Frede Emil"; }; + Freed-Wu = { + email = "wuzhenyu@ustc.edu"; + github = "Freed-Wu"; + githubId = 32936898; + name = "Wu Zhenyu"; + }; freezeboy = { github = "freezeboy"; githubId = 13279982; 
@@ -5403,6 +5642,18 @@ githubId = 609279; name = "Isaac Shapira"; }; + freyacodes = { + email = "freya@arbjerg.dev"; + github = "freyacodes"; + githubId = 2582617; + name = "Freya Arbjerg"; + }; + fricklerhandwerk = { + email = "valentin@fricklerhandwerk.de"; + github = "fricklerhandwerk"; + githubId = 6599296; + name = "Valentin Gagarin"; + }; fridh = { email = "fridh@fridh.nl"; github = "FRidh"; @@ -5445,6 +5696,12 @@ githubId = 134872; name = "Sergei Lukianov"; }; + fsagbuya = { + email = "fa@m-labs.ph"; + github = "fsagbuya"; + githubId = 77672306; + name = "Florian Agbuya"; + }; fstamour = { email = "fr.st-amour@gmail.com"; github = "fstamour"; @@ -5495,7 +5752,7 @@ }; fuzen = { email = "me@fuzen.cafe"; - github = "Fuzen-py"; + github = "LovingMelody"; githubId = 17859309; name = "Fuzen"; }; @@ -5524,18 +5781,18 @@ githubId = 606000; name = "Gabriel Adomnicai"; }; - Gabriel439 = { - email = "Gabriel439@gmail.com"; - github = "Gabriella439"; - githubId = 1313787; - name = "Gabriel Gonzalez"; - }; GabrielDougherty = { email = "contact@gabrieldougherty.com"; github = "GabrielDougherty"; githubId = 10541219; name = "Gabriel Dougherty"; }; + Gabriella439 = { + email = "GenuineGabriella@gmail.com"; + github = "Gabriella439"; + githubId = 1313787; + name = "Gabriella Gonzalez"; + }; gador = { email = "florian.brandes@posteo.de"; github = "gador"; @@ -5545,6 +5802,16 @@ fingerprint = "0200 3EF8 8D2B CF2D 8F00 FFDC BBB3 E40E 5379 7FD9"; }]; }; + gaelreyrol = { + email = "me@gaelreyrol.dev"; + matrix = "@Zevran:matrix.org"; + name = "Gaël Reyrol"; + github = "gaelreyrol"; + githubId = 498465; + keys = [{ + fingerprint = "3492 D8FA ACFF 4C5F A56E 50B7 DFB9 B69A 2C42 7F61"; + }]; + }; GaetanLepage = { email = "gaetan@glepage.com"; github = "GaetanLepage"; 
@@ -5563,6 +5830,11 @@ githubId = 7047019; name = "Florent Becker"; }; + galen = { + github = "galenhuntington"; + githubId = 1851962; + name = "Galen Huntington"; + }; gamb = { email = "adam.gamble@pm.me"; github = "gamb"; @@ -5629,6 +5901,12 @@ githubId = 81654; name = "Damjan Georgievski"; }; + gdd = { + email = "gabriel.doriath.dohler@ens.fr"; + github = "gabriel-doriath-dohler"; + githubId = 40209356; + name = "Gabriel Doriath Döhler"; + }; gdinh = { email = "nix@contact.dinh.ai"; github = "gdinh"; @@ -5695,6 +5973,19 @@ githubId = 10353047; name = "Tobias Happ"; }; + getchoo = { + email = "getchoo@tuta.io"; + github = "getchoo"; + githubId = 48872998; + name = "Seth"; + }; + getpsyched = { + name = "Priyanshu Tripathi"; + email = "priyanshutr@proton.me"; + matrix = "@getpsyched:matrix.org"; + github = "getpsyched"; + githubId = 43472218; + }; gfrascadorio = { email = "gfrascadorio@tutanota.com"; github = "gfrascadorio"; @@ -5708,15 +5999,6 @@ githubId = 3217744; name = "Peter Ferenczy"; }; - ggwpaiushtha = { - name = "Ivan"; - email = "ggwpaiushtha@gmail.com"; - github = "GGwpAiushtha"; - githubId = 6987136; - keys = [{ - fingerprint = "2C6D 37D4 6AA1 DCDA BE8D F346 43E2 CF4C 01B9 4940"; - }]; - }; ghostbuster91 = { name = "Kasper Kondzielski"; email = "kghost0@gmail.com"; @@ -5816,6 +6098,21 @@ githubId = 25820499; name = "Roman Kretschmer"; }; + goatchurchprime = { + email = "julian@goatchurch.org.uk"; + github = "goatchurchprime"; + githubId = 677254; + name = "Julian Todd"; + }; + gobidev = { + email = "adrian.groh@t-online.de"; + github = "Gobidev"; + githubId = 50576978; + name = "Adrian Groh"; + keys = [{ + fingerprint = "62BD BF30 83E9 7076 9665 B60B 3AA3 153E 98B0 D771"; + }]; + }; goertzenator = { email = "daniel.goertzen@gmail.com"; github = "goertzenator"; 
@@ -5849,15 +6146,6 @@ githubId = 1621335; name = "Andrew Trachenko"; }; - gordias = { - name = "Gordias"; - email = "gordias@disroot.org"; - github = "gordiasdot"; - githubId = 94724133; - keys = [{ - fingerprint = "C006 B8A0 0618 F3B6 E0E4 2ECD 5D47 2848 30FA A4FA"; - }]; - }; gotcha = { email = "gotcha@bubblenet.be"; github = "gotcha"; @@ -6335,13 +6623,6 @@ githubId = 72349937; name = "Hikari"; }; - - hiljusti = { - name = "J.R. Hill"; - email = "hiljusti@so.dang.cool"; - github = "hiljusti"; - githubId = 17605298; - }; hirenashah = { email = "hiren@hiren.io"; github = "hirenashah"; @@ -6358,6 +6639,12 @@ fingerprint = "45A9 9917 578C D629 9F5F B5B4 C22D 4DE4 D7B3 2D19"; }]; }; + hitsmaxft = { + name = "Bhe Hongtyu"; + email = "mfthits@gmail.com"; + github = "hitsmaxft"; + githubId = 352727; + }; hjones2199 = { email = "hjones2199@gmail.com"; github = "hjones2199"; @@ -6391,6 +6678,15 @@ githubId = 6074754; name = "Hlodver Sigurdsson"; }; + hmajid2301 = { + name = "Haseeb Majid"; + email = "hello@haseebmajid.dev"; + github = "hmajid2301"; + githubId = 998807; + keys = [{ + fingerprint = "A236 785D 59F1 9076 1E9C E8EC 7828 3DB3 D233 E1F9"; + }]; + }; hmenke = { name = "Henri Menke"; email = "henri@henrimenke.de"; @@ -6517,6 +6813,11 @@ fingerprint = "78C2 E81C 828A 420B 269A EBC1 49FA 39F8 A7F7 35F9"; }]; }; + hulr = { + github = "hulr"; + githubId = 17255815; + name = "hulr"; + }; humancalico = { email = "humancalico@disroot.org"; github = "humancalico"; @@ -6717,7 +7018,7 @@ }; ilya-kolpakov = { email = "ilya.kolpakov@gmail.com"; - github = "ilya-kolpakov"; + github = "1pakch"; githubId = 592849; name = "Ilya Kolpakov"; }; @@ -6858,6 +7159,11 @@ githubId = 1817528; name = "Igor Polyakov"; }; + iquerejeta = { + github = "iquerejeta"; + githubId = 31273774; + name = "Inigo Querejeta-Azurmendi"; + }; irenes = { name = "Irene Knapp"; email = "ireneista@gmail.com"; 
@@ -6874,6 +7180,12 @@ githubId = 137306; name = "Michele Catalano"; }; + isaozler = { + email = "isaozler@gmail.com"; + github = "isaozler"; + githubId = 1378630; + name = "Isa Ozler"; + }; isgy = { name = "isgy"; email = "isgy@teiyg.com"; @@ -6997,6 +7309,12 @@ github = "j4m3s-s"; githubId = 9413812; }; + jacfal = { + name = "Jakub Pravda"; + email = "me@jakubpravda.net"; + github = "jakub-pravda"; + githubId = 16310411; + }; jacg = { name = "Jacek Generowicz"; email = "jacg@my-post-office.net"; @@ -7061,6 +7379,11 @@ github = "jali-clarke"; githubId = 17733984; }; + james-atkins = { + name = "James Atkins"; + github = "james-atkins"; + githubId = 9221409; + }; jamiemagee = { email = "jamie.magee@gmail.com"; github = "JamieMagee"; @@ -7113,7 +7436,7 @@ jayesh-bhoot = { name = "Jayesh Bhoot"; email = "jb@jayeshbhoot.com"; - github = "jayeshbhoot"; + github = "bhootjb"; githubId = 1915507; }; jayman2000 = { @@ -7200,6 +7523,12 @@ githubId = 8685505; name = "Jen-Chieh Shen"; }; + jcspeegs = { + email = "justin@speegs.com"; + github = "jcspeegs"; + githubId = 34928409; + name = "Justin Speegle"; + }; jcumming = { email = "jack@mudshark.org"; github = "jcumming"; @@ -7521,6 +7850,12 @@ githubId = 8900; name = "Johan Magnus Jonsson"; }; + jmbaur = { + email = "jaredbaur@fastmail.com"; + github = "jmbaur"; + githubId = 45740526; + name = "Jared Baur"; + }; jmc-figueira = { email = "business+nixos@jmc-figueira.dev"; github = "jmc-figueira"; @@ -7592,10 +7927,10 @@ name = "Jocelyn Thode"; }; joedevivo = { - github = "joedevivo"; - githubId = 55951; - name = "Joe DeVivo"; - }; + github = "joedevivo"; + githubId = 55951; + name = "Joe DeVivo"; + }; joelancaster = { email = "joe.a.lancas@gmail.com"; github = "JoeLancaster"; 
@@ -7669,6 +8004,12 @@ githubId = 2576152; name = "John M. Harris, Jr."; }; + johnpyp = { + name = "John Paul Penaloza"; + email = "johnpyp.dev@gmail.com"; + github = "johnpyp"; + githubId = 20625636; + }; johnramsden = { email = "johnramsden@riseup.net"; github = "johnramsden"; @@ -7779,6 +8120,17 @@ github = "jorsn"; githubId = 4646725; }; + joscha = { + name = "joscha Loos"; + email = "j.loos@posteo.net"; + githubId = 57965027; + }; + josephst = { + name = "Joseph Stahl"; + email = "hello@josephstahl.com"; + github = "josephst"; + githubId = 1269177; + }; joshniemela = { name = "Joshua Niemelä"; email = "josh@jniemela.dk"; @@ -7925,7 +8277,7 @@ }; juaningan = { email = "juaningan@gmail.com"; - github = "uningan"; + github = "oneingan"; githubId = 810075; name = "Juan Rodal"; }; @@ -7966,6 +8318,13 @@ githubId = 21160136; name = "Julien Moutinho"; }; + Julow = { + email = "jules@j3s.fr"; + matrix = "@juloo:matrix.org"; + github = "Julow"; + githubId = 2310568; + name = "Jules Aguillon"; + }; jumper149 = { email = "felixspringer149@gmail.com"; github = "jumper149"; @@ -8177,6 +8536,12 @@ githubId = 37185887; name = "Calvin Kim"; }; + keenanweaver = { + email = "keenanweaver@protonmail.com"; + name = "Keenan Weaver"; + github = "keenanweaver"; + githubId = 37268985; + }; keksbg = { email = "keksbg@riseup.net"; name = "Stella"; @@ -8266,6 +8631,12 @@ githubId = 546087; name = "Kristoffer K. Føllesdal"; }; + khaser = { + email = "a-horohorin@mail.ru"; + github = "khaser"; + githubId = 59027018; + name = "Andrey Khorokhorin"; + }; kho-dialga = { email = "ivandashenyou@gmail.com"; github = "Kho-Dialga"; @@ -8888,7 +9259,7 @@ github = "leifhelm"; githubId = 31693262; name = "Jakob Leifhelm"; - keys =[{ + keys = [{ fingerprint = "4A82 F68D AC07 9FFD 8BF0 89C4 6817 AA02 3810 0822"; }]; }; 
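Review bot: The `joscha` entry added in the `@@ -7779,6 +8120,17 @@` hunk sets `githubId = 57965027;` without a matching `github` handle, unlike every other entry added in these hunks; if the repository's maintainer metadata check pairs the two, this entry will fail it. Either add the handle, `github = "<github-handle>";` (placeholder), or drop the id until it is known. The capitalisation in `name = "joscha Loos";` also looks like a typo for the first name, though it may be intentional.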
@@ -9130,6 +9501,12 @@ fingerprint = "74F5 E5CC 19D3 B5CB 608F 6124 68FF 81E6 A785 0F49"; }]; }; + liyangau = { + email = "d@aufomm.com"; + github = "liyangau"; + githubId = 71299093; + name = "Li Yang"; + }; lizelive = { email = "nixpkgs@lize.live"; github = "lizelive"; @@ -9217,6 +9594,12 @@ githubId = 5624721; name = "Ben Wolsieffer"; }; + lord-valen = { + name = "Lord Valen"; + matrix = "@lord-valen:matrix.org"; + github = "Lord-Valen"; + githubId = 46138807; + }; lorenz = { name = "Lorenz Brun"; email = "lorenz@brun.one"; @@ -9324,6 +9707,12 @@ githubId = 59375051; name = "Lucas Ransan"; }; + LucaGuerra = { + email = "luca@guerra.sh"; + github = "LucaGuerra"; + githubId = 35580196; + name = "Luca Guerra"; + }; lucasew = { email = "lucas59356@gmail.com"; github = "lucasew"; @@ -9381,6 +9770,13 @@ githubId = 22085373; name = "Luis Hebendanz"; }; + luisnquin = { + email = "lpaandres2020@gmail.com"; + matrix = "@luisnquin:matrix.org"; + github = "luisnquin"; + githubId = 86449787; + name = "Luis Quiñones"; + }; luispedro = { email = "luis@luispedro.org"; github = "luispedro"; @@ -9403,6 +9799,12 @@ fingerprint = "97A0 AE5E 03F3 499B 7D7A 65C6 76A4 1432 37EF 5817"; }]; }; + lukaswrz = { + email = "lukas@wrz.one"; + github = "lukaswrz"; + githubId = 84395723; + name = "Lukas Wurzinger"; + }; lukeadams = { email = "luke.adams@belljar.io"; github = "lukeadams"; @@ -9544,6 +9946,11 @@ fingerprint = "1147 43F1 E707 6F3E 6F4B 2C96 B9A8 B592 F126 F8E8"; }]; }; + mac-chaffee = { + name = "Mac Chaffee"; + github = "mac-chaffee"; + githubId = 7581860; + }; maddiethecafebabe = { email = "maddie@cafebabe.date"; github = "maddiethecafebabe"; @@ -9652,6 +10059,11 @@ githubId = 2914269; name = "Malo Bourgon"; }; + malt3 = { + github = "malt3"; + githubId = 1780588; + name = "Malte Poll"; + }; malte-v = { email = "nixpkgs@mal.tc"; github = "malte-v"; 
@@ -9664,6 +10076,12 @@ githubId = 346094; name = "Michael Alyn Miller"; }; + mangoiv = { + email = "contact@mangoiv.com"; + github = "mangoiv"; + githubId = 40720523; + name = "MangoIV"; + }; manojkarthick = { email = "smanojkarthick@gmail.com"; github = "manojkarthick"; @@ -9939,7 +10357,16 @@ githubId = 95194; name = "Mauricio Scheffer"; }; - maxbrunet = { + mawis = { + email = "m@tthias.eu"; + github = "mawis"; + githubId = 2042030; + name = "Matthias Wimmer"; + keys = [{ + fingerprint = "CAEC A12D CE23 37A6 6DFD 17B0 7AC7 631D 70D6 C898"; + }]; + }; + maxbrunet = { email = "max@brnt.mx"; github = "maxbrunet"; githubId = 32458727; @@ -10088,6 +10515,15 @@ githubId = 683809; name = "Jeffrey Brent McBeth"; }; + mccurdyc = { + email = "mccurdyc22@gmail.com"; + github = "mccurdyc"; + githubId = 5546264; + name = "Colton J. McCurdy"; + keys = [{ + fingerprint = "D709 03C8 0BE9 ACDC 14F0 3BFB 77BF E531 397E DE94"; + }]; + }; mcmtroffaes = { email = "matthias.troffaes@gmail.com"; github = "mcmtroffaes"; @@ -10240,6 +10676,11 @@ githubId = 9469313; name = "Gregoire Martinache"; }; + mgregson = { + github = "mgregson"; + githubId = 333572; + name = "Michael Gregson"; + }; mgttlinger = { email = "megoettlinger@gmail.com"; github = "mgttlinger"; @@ -10300,6 +10741,12 @@ github = "michaelBelsanti"; githubId = 62124625; }; + michaelCTS = { + email = "michael.vogel@cts.co"; + name = "Michael Vogel"; + github = "michaelCTS"; + githubId = 132582212; + }; michaelgrahamevans = { email = "michaelgrahamevans@gmail.com"; name = "Michael Evans"; @@ -10311,7 +10758,7 @@ name = "Michael Pacheco"; github = "MichaelPachec0"; githubId = 48970112; - keys = [ { + keys = [{ fingerprint = "8D12 991F 5558 C501 70B2 779C 7811 46B0 B5F9 5F64"; }]; }; 
@@ -10321,6 +10768,12 @@ githubId = 1699466; name = "Michael Peyton Jones"; }; + michaelshmitty = { + name = "Michael Smith"; + email = "shmitty@protonmail.com"; + github = "michaelshmitty"; + githubId = 114845; + }; michalrus = { email = "m@michalrus.com"; github = "michalrus"; @@ -10491,6 +10944,15 @@ githubId = 1776903; name = "Andrew Abbott"; }; + Misaka13514 = { + name = "Misaka13514"; + email = "Misaka13514@gmail.com"; + matrix = "@misaka13514:matrix.org"; + github = "Misaka13514"; + githubId = 54669781; + keys = + [{ fingerprint = "293B 93D8 A471 059F 85D7 16A6 5BA9 2099 D9BE 2DAA"; }]; + }; mislavzanic = { email = "mislavzanic3@gmail.com"; github = "mislavzanic"; @@ -10623,6 +11085,12 @@ githubId = 708570; name = "Manuel Mendez"; }; + mmusnjak = { + email = "marko.musnjak@gmail.com"; + github = "mmusnjak"; + githubId = 668956; + name = "Marko Mušnjak"; + }; mnacamura = { email = "m.nacamura@gmail.com"; github = "mnacamura"; @@ -10691,6 +11159,12 @@ fingerprint = "6460 4147 C434 F65E C306 A21F 135E EDD0 F719 34F3"; }]; }; + moody = { + email = "moody@posixcafe.org"; + github = "majiru"; + githubId = 3579600; + name = "Jacob Moody"; + }; moosingin3space = { email = "moosingin3space@gmail.com"; github = "moosingin3space"; @@ -11011,6 +11485,16 @@ githubId = 22817873; name = "Ember Keske"; }; + n3oney = { + name = "Michał Minarowski"; + email = "nixpkgs@neoney.dev"; + github = "n3oney"; + githubId = 30625554; + matrix = "@neoney:matrix.org"; + keys = [{ + fingerprint = "9E6A 25F2 C1F2 9D76 ED00 1932 1261 173A 01E1 0298"; + }]; + }; nadrieril = { email = "nadrieril@gmail.com"; github = "Nadrieril"; @@ -11038,6 +11522,11 @@ githubId = 1009523; name = "Ashijit Pramanik"; }; + name-snrl = { + github = "name-snrl"; + githubId = 72071763; + name = "Yusup Urazaev"; + }; namore = { email = "namor@hemio.de"; github = "namore"; 
@@ -11381,6 +11870,12 @@ fingerprint = "E576 BFB2 CF6E B13D F571 33B9 E315 A758 4613 1564"; }]; }; + nielsegberts = { + email = "nix@nielsegberts.nl"; + github = "nielsegberts"; + githubId = 368712; + name = "Niels Egberts"; + }; nigelgbanks = { name = "Nigel Banks"; email = "nigel.g.banks@gmail.com"; @@ -11423,6 +11918,16 @@ githubId = 26231126; name = "Nils ANDRÉ-CHANG"; }; + nim65s = { + email = "guilhem.saurel@laas.fr"; + matrix = "@gsaurel:laas.fr"; + github = "nim65s"; + githubId = 131929; + name = "Guilhem Saurel"; + keys = [{ + fingerprint = "9B1A 7906 5D2F 2B80 6C8A 5A1C 7D2A CDAF 4653 CF28"; + }]; + }; ninjatrappeur = { email = "felix@alternativebit.fr"; matrix = "@ninjatrappeur:matrix.org"; @@ -11565,9 +12070,10 @@ }; NotAShelf = { name = "NotAShelf"; - email = "itsashelf@gmail.com"; + email = "raf@notashelf.dev"; github = "NotAShelf"; githubId = 62766066; + matrix = "@raf:notashelf.dev"; }; notbandali = { name = "Amin Bandali"; @@ -11591,6 +12097,12 @@ githubId = 2946283; name = "Brian Cohen"; }; + nova-madeline = { + matrix = "@nova:tchncs.de"; + github = "nova-r"; + githubId = 126072875; + name = "nova madeline"; + }; novenary = { email = "streetwalkermc@gmail.com"; github = "9ary"; @@ -11659,7 +12171,7 @@ name = "Kartik Gokte"; }; nullishamy = { - email = "amy.codes@null.net"; + email = "spam@amyerskine.me"; name = "nullishamy"; github = "nullishamy"; githubId = 99221043; @@ -11723,6 +12235,12 @@ githubId = 30825096; name = "Ning Zhang"; }; + oaksoaj = { + email = "oaksoaj@riseup.net"; + name = "Oaksoaj"; + github = "oaksoaj"; + githubId = 103952141; + }; obadz = { email = "obadz-nixos@obadz.com"; github = "obadz"; 
@@ -11851,6 +12369,15 @@ github = "jackyliu16"; githubId = 50787361; }; + onemoresuza = { + name = "Coutinho de Souza"; + email = "dev@onemoresuza.mailer.me"; + github = "onemoresuza"; + githubId = 106456302; + keys = [{ + fingerprint = "484F D3B8 BAD7 BF5D 8B68 2AEA A2ED 1159 935E 4D7E"; + }]; + }; onixie = { email = "onixie@gmail.com"; github = "onixie"; @@ -11881,6 +12408,15 @@ github = "ony"; githubId = 11265; }; + ooliver1 = { + name = "Oliver Wilkes"; + email = "oliverwilkes2006@icloud.com"; + github = "ooliver1"; + githubId = 34910574; + keys = [{ + fingerprint = "D055 8A23 3947 B7A0 F966 B07F 0B41 0348 9833 7273"; + }]; + }; opeik = { email = "sandro@stikic.com"; github = "opeik"; @@ -11905,6 +12441,12 @@ githubId = 75299; name = "Malcolm Matalka"; }; + orichter = { + email = "richter-oliver@gmx.net"; + github = "RichterOliver"; + githubId = 135209509; + name = "Oliver Richter"; + }; orivej = { email = "orivej@gmx.fr"; github = "orivej"; @@ -12406,6 +12948,12 @@ githubId = 421510; name = "Noé Rubinstein"; }; + pho = { + email = "phofin@gmail.com"; + github = "pho"; + githubId = 88469; + name = "Jaime Breva"; + }; photex = { email = "photex@gmail.com"; github = "photex"; @@ -12491,6 +13039,12 @@ githubId = 1830959; name = "Piper McCorkle"; }; + piturnah = { + email = "peterhebden6@gmail.com"; + github = "piturnah"; + githubId = 20472367; + name = "Peter Hebden"; + }; pjbarnoy = { email = "pjbarnoy@gmail.com"; github = "pjbarnoy"; @@ -12833,6 +13387,12 @@ githubId = 406946; name = "Valentin Lorentz"; }; + proofconstruction = { + email = "source@proof.construction"; + github = "proofconstruction"; + githubId = 74747193; + name = "Alexander Groleau"; + }; proofofkeags = { email = "keagan.mcclelland@gmail.com"; github = "ProofOfKeags"; 
@@ -13046,6 +13606,12 @@ githubId = 18196237; name = "Quentin Inkling"; }; + quentin-m = { + email = "me+nix@quentin-machu.fr"; + github = "Quentin-M"; + githubId = 1332289; + name = "Quentin Machu"; + }; qyliss = { email = "hi@alyssa.is"; github = "alyssais"; @@ -13467,7 +14033,7 @@ name = "Riley Inman"; }; riotbib = { - email = "github-nix@lnrt.de"; + email = "lennart@cope.cool"; github = "riotbib"; githubId = 43172581; name = "Lennart Mühlenmeier"; @@ -13850,6 +14416,15 @@ githubId = 889991; name = "Ryan Artecona"; }; + ryane = { + email = "ryanesc@gmail.com"; + github = "ryane"; + githubId = 7346; + name = "Ryan Eschinger"; + keys = [{ + fingerprint = "E4F4 1EAB BF0F C785 06D8 62EF EF68 CF41 D42A 593D"; + }]; + }; ryanorendorff = { github = "ryanorendorff"; githubId = 12442942; @@ -14266,6 +14841,13 @@ githubId = 1286668; name = "Thilo Uttendorfer"; }; + sents = { + email = "finn@krein.moe"; + github = "sents"; + githubId = 26575793; + matrix = "@sents:matrix.org"; + name = "Finn Krein"; + }; sephalon = { email = "me@sephalon.net"; github = "sephalon"; @@ -14326,6 +14908,12 @@ fingerprint = "A317 37B3 693C 921B 480C C629 4A2A AAA3 82F8 294C"; }]; }; + sestrella = { + email = "sestrella.me@gmail.com"; + github = "sestrella"; + githubId = 2049686; + name = "Sebastián Estrella"; + }; seylerius = { name = "Sable Seyler"; email = "sable@seyleri.us"; @@ -14498,6 +15086,12 @@ github = "kf5grd"; githubId = 18297490; }; + shortcord = { + name = "Short Cord"; + email = "short@shortcord.com"; + github = "shortcord"; + githubId = 3823744; + }; shou = { email = "x+g@shou.io"; github = "Shou"; @@ -14519,6 +15113,11 @@ githubId = 6224096; name = "Soner Sayakci"; }; + shymega = { + name = "Dom Rodriguez"; + github = "shymega"; + githubId = 1334592; + }; siddharthist = { email = "langston.barrett@gmail.com"; github = "langston-barrett"; 
@@ -14550,6 +15149,12 @@ githubId = 16090; name = "Yann Hodique"; }; + sigmanificient = { + email = "sigmanificient@gmail.com"; + github = "Sigmanificient"; + githubId = 53050011; + name = "Yohann Boniface"; + }; sikmir = { email = "sikmir@disroot.org"; github = "sikmir"; @@ -14627,6 +15232,12 @@ githubId = 74881555; name = "Fofanov Sergey"; }; + sitaaax = { + email = "johannes@kle1n.com"; + github = "SitAAAx"; + githubId = 74413170; + name = "Johannes Klein"; + }; sivteck = { email = "sivaram1992@gmail.com"; github = "sivteck"; @@ -14780,6 +15391,12 @@ githubId = 1437166; name = "Xia Bin"; }; + sochotnicky = { + email = "stanislav+github@ochotnicky.com"; + github = "sochotnicky"; + githubId = 55726; + name = "Stanislav Ochotnický"; + }; softinio = { email = "code@softinio.com"; github = "softinio"; @@ -15148,6 +15765,12 @@ githubId = 38893265; name = "StrikerLulu"; }; + stteague = { + email = "stteague505@yahoo.com"; + github = "stteague"; + githubId = 77596767; + name = "Scott Teague"; + }; stumoss = { email = "samoss@gmail.com"; github = "stumoss"; @@ -15305,6 +15928,13 @@ githubId = 20063502; name = "Sybrand Aarnoutse"; }; + syboxez = { + email = "syboxez@gmail.com"; + matrix = "@Syboxez:matrix.org"; + github = "syboxez"; + githubId = 12841859; + name = "Syboxez Blank"; + }; symphorien = { email = "symphorien_nixpkgs@xlumurb.eu"; matrix = "@symphorien:xlumurb.eu"; @@ -15556,6 +16186,13 @@ githubId = 1755789; name = "Robert Irelan"; }; + tengkuizdihar = { + name = "Tengku Izdihar"; + email = "tengkuizdihar@gmail.com"; + matrix = "@tengkuizdihar:matrix.org"; + github = "tengkuizdihar"; + githubId = 22078730; + }; tennox = { email = "tennox+nix@txlab.io"; github = "tennox"; @@ -15808,6 +16445,12 @@ github = "thielema"; githubId = 898989; }; + thillux = { + name = "Markus Theil"; + email = "theil.markus@gmail.com"; + github = "thillux"; + githubId = 2171995; + }; thilobillerbeck = { name = "Thilo Billerbeck"; email = "thilo.billerbeck@officerent.de"; 
@@ -15908,6 +16551,12 @@ github = "TilCreator"; githubId = 18621411; }; + tillkruss = { + name = "Till Krüss"; + email = "till@kruss.io"; + github = "tillkruss"; + githubId = 665029; + }; tilpner = { name = "Till Höppner"; email = "nixpkgs@tilpner.com"; @@ -16006,6 +16655,12 @@ githubId = 3159881; name = "Tobias Markus"; }; + tm-drtina = { + email = "tm.drtina@gmail.com"; + github = "tm-drtina"; + githubId = 26902865; + name = "Tomas Drtina"; + }; tmountain = { email = "tinymountain@gmail.com"; github = "tmountain"; @@ -16301,6 +16956,12 @@ githubId = 9413924; name = "Thorsten Weber"; }; + twesterhout = { + name = "Tom Westerhout"; + matrix = "@twesterhout:matrix.org"; + github = "twesterhout"; + githubId = 14264576; + }; twey = { email = "twey@twey.co.uk"; github = "Twey"; @@ -16362,6 +17023,15 @@ fingerprint = "EE59 5E29 BB5B F2B3 5ED2 3F1C D276 FF74 6700 7335"; }]; }; + undefined-moe = { + name = "undefined"; + email = "i@undefined.moe"; + github = "undefined-moe"; + githubId = 29992205; + keys = [{ + fingerprint = "6684 4E7D D213 C75D 8828 6215 C714 A58B 6C1E 0F52"; + }]; + }; unhammer = { email = "unhammer@fsfe.org"; github = "unhammer"; @@ -16602,6 +17272,12 @@ github = "vdot0x23"; githubId = 40716069; }; + vector1dev = { + name = "vector1dev"; + matrix = "@vector1dev:vector1.dev"; + github = "vector1dev"; + githubId = 127302590; + }; veehaitch = { name = "Vincent Haupert"; email = "mail@vincent-haupert.de"; @@ -16662,7 +17338,7 @@ githubId = 7953163; name = "Vika Shleina"; keys = [{ - fingerprint = "B3C0 DA1A C18B 82E8 CA8B B1D1 4F62 CD07 CE64 796A"; + fingerprint = "5814 50EB 6E17 E715 7C63 E7F1 9879 8C3C 4D68 8D6D"; }]; }; vincentbernat = { 
@@ -16834,6 +17510,15 @@ githubId = 5228243; name = "waelwindows"; }; + wahtique = { + name = "William Veal Phan"; + email = "williamvphan@yahoo.fr"; + github = "wahtique"; + githubId = 55251330; + keys = [{ + fingerprint = "9262 E3A7 D129 C4DD A7C1 26CE 370D D9BE 9121 F0B3"; + }]; + }; waiting-for-dev = { email = "marc@lamarciana.com"; github = "waiting-for-dev"; @@ -16885,14 +17570,14 @@ github = "wdavidw"; githubId = 46896; }; - WeebSorceress = { - name = "WeebSorceress"; - email = "hello@weebsorceress.anonaddy.me"; - matrix = "@weebsorceress:matrix.org"; - github = "WeebSorceress"; - githubId = 106774777; + weathercold = { + name = "Weathercold"; + email = "weathercold.scr@gmail.com"; + matrix = "@weathercold:matrix.org"; + github = "Weathercold"; + githubId = 49368953; keys = [{ - fingerprint = "659A 9BC3 F904 EC24 1461 2EFE 7F57 3443 17F0 FA43"; + fingerprint = "D20F C904 A145 8B28 53D8 FBA0 0422 0096 01E4 87FC"; }]; }; wegank = { @@ -17346,10 +18031,10 @@ }; yayayayaka = { email = "nixpkgs@uwu.is"; - matrix = "@lara:uwu.is"; + matrix = "@yaya:uwu.is"; github = "yayayayaka"; githubId = 73759599; - name = "Lara A."; + name = "Yaya"; }; ydlr = { name = "ydlr"; @@ -17524,6 +18209,16 @@ fingerprint = "9F19 3AE8 AA25 647F FC31 46B5 416F 303B 43C2 0AC3"; }]; }; + yvan-sraka = { + email = "yvan@sraka.xyz"; + github = "yvan-sraka"; + githubId = 705213; + keys = [{ + fingerprint = "FE9A 953C 97E4 54FE 6598 BFDD A4FB 3EAA 6F45 2379"; + }]; + matrix = "@/yvan:matrix.org"; + name = "Yvan Sraka"; + }; yvesf = { email = "yvesf+nix@xapek.org"; github = "yvesf"; @@ -17673,6 +18368,12 @@ githubId = 2189609; name = "Zhaofeng Li"; }; + zi3m5f = { + name = "zi3m5f"; + email = "k7n3o3a6f@mozmail.com"; + github = "zi3m5f"; + githubId = 113244000; + }; ziguana = { name = "Zig Uana"; email = "git@ziguana.dev"; 
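Review bot: `matrix = "@/yvan:matrix.org";` in the new `yvan-sraka` entry is not a well-formed Matrix user ID — the localpart must follow the `@` directly, so this presumably should read `matrix = "@yvan:matrix.org";`. Nothing visible in this file validates the field, so the typo would persist silently until someone tries to use it; worth confirming with the maintainer before merging. Separately, the `WeebSorceress` → `weathercold` hunk changes the GitHub login, the `githubId` and the key fingerprint in one step, which is a replacement of the identity behind the attribute rather than a rename; for entries like this it is prudent to check that the request came from the account that previously owned the entry.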
@@ -17798,5 +18499,11 @@ githubId = 32876; name = "Diego Zamboni"; }; + zzzsy = { + email = "me@zzzsy.top"; + github = "zzzsyyy"; + githubId = 59917878; + name = "Mathias Zhang"; + }; } /* Keep the list alphabetically sorted. */ diff --git a/third_party/nixpkgs/maintainers/scripts/check-hydra-by-maintainer.nix b/third_party/nixpkgs/maintainers/scripts/check-hydra-by-maintainer.nix index 326aae47f8..c40729a397 100644 --- a/third_party/nixpkgs/maintainers/scripts/check-hydra-by-maintainer.nix +++ b/third_party/nixpkgs/maintainers/scripts/check-hydra-by-maintainer.nix @@ -1,15 +1,18 @@ { maintainer }: let - pkgs = import ./../../default.nix { }; + pkgs = import ./../../default.nix { + config.allowAliases = false; + }; + inherit (pkgs) lib; maintainer_ = pkgs.lib.maintainers.${maintainer}; packagesWith = cond: return: prefix: set: - (pkgs.lib.flatten - (pkgs.lib.mapAttrsToList + (lib.flatten + (lib.mapAttrsToList (name: pkg: let result = builtins.tryEval ( - if pkgs.lib.isDerivation pkg && cond name pkg then + if lib.isDerivation pkg && cond name pkg then # Skip packages whose closure fails on evaluation. # This happens for pkgs like `python27Packages.djangoql` # that have disabled Python pkgs as dependencies. @@ -42,7 +45,7 @@ let ) ) (name: name) - ("") + "" pkgs; in diff --git a/third_party/nixpkgs/maintainers/scripts/fix-maintainers.pl b/third_party/nixpkgs/maintainers/scripts/fix-maintainers.pl index 81f6450c5f..a83df9ec0c 100755 --- a/third_party/nixpkgs/maintainers/scripts/fix-maintainers.pl +++ b/third_party/nixpkgs/maintainers/scripts/fix-maintainers.pl @@ -42,7 +42,7 @@ while(my($k, $v) = each %$maintainers_json) { } my $resp_json = from_json($resp->content); my $api_user = %$resp_json{"login"}; - if ($current_user ne $api_user) { + if (lc($current_user) ne lc($api_user)) { print $current_user . " is now known on github as " . $api_user . ". Editing maintainer-list.nix…\n"; my $file = path($maintainers_list_nix); my $data = $file->slurp_utf8; 
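Review bot: `maintainer_ = pkgs.lib.maintainers.${maintainer};` in `check-hydra-by-maintainer.nix` still reaches through `pkgs.lib` even though the same hunk introduces `inherit (pkgs) lib;` and rewrites `lib.flatten`, `lib.mapAttrsToList` and `lib.isDerivation` to use the bare binding. For consistency it should become `maintainer_ = lib.maintainers.${maintainer};`, leaving no remaining `pkgs.lib` references in the file. The `config.allowAliases = false;` addition is otherwise straightforward.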
diff --git a/third_party/nixpkgs/maintainers/scripts/nix-generate-from-cpan.pl b/third_party/nixpkgs/maintainers/scripts/nix-generate-from-cpan.pl index ce0599dda0..6754f79009 100755 --- a/third_party/nixpkgs/maintainers/scripts/nix-generate-from-cpan.pl +++ b/third_party/nixpkgs/maintainers/scripts/nix-generate-from-cpan.pl @@ -6,6 +6,7 @@ use warnings; use CPAN::Meta(); use CPANPLUS::Backend(); +use MIME::Base64; use Module::CoreList; use Getopt::Long::Descriptive qw( describe_options ); use JSON::PP qw( encode_json ); @@ -354,6 +355,11 @@ sub render_license { return $license_line; } +sub sha256_to_sri { + my ($sha256) = @_; + return "sha256-" . encode_base64(pack("H*", $sha256), ''); +} + my ( $opt, $module_name ) = handle_opts(); Log::Log4perl->easy_init( @@ -380,8 +386,9 @@ INFO( "package: ", $module->package, " (", "$pkg_name-$pkg_version", ", ", $attr INFO( "path: ", $module->path ); my $tar_path = $module->fetch(); +my $sri_hash = sha256_to_sri($module->status->checksum_value); INFO( "downloaded to: ", $tar_path ); -INFO( "sha-256: ", $module->status->checksum_value ); +INFO( "hash: ", $sri_hash ); my $pkg_path = $module->extract(); INFO( "unpacked to: ", $pkg_path ); @@ -436,7 +443,7 @@ print < 0; diff --git a/third_party/nixpkgs/maintainers/scripts/update-dotnet-lockfiles.nix b/third_party/nixpkgs/maintainers/scripts/update-dotnet-lockfiles.nix new file mode 100644 index 0000000000..22ceff1ffa --- /dev/null +++ b/third_party/nixpkgs/maintainers/scripts/update-dotnet-lockfiles.nix 
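Review bot: The new `sha256_to_sri` accepts its input unchecked — `pack("H*", $sha256)` happily consumes an undefined, truncated or non-hex string and still returns a syntactically valid `sha256-…` value, so a bad `checksum_value` would only surface much later as a hash mismatch at build time rather than at generation time. A guard at the top of the sub makes the failure local and explicit: `die "expected a 64-digit hex sha256, got: " . ($sha256 // 'undef') unless defined $sha256 && $sha256 =~ /\A[0-9a-fA-F]{64}\z/;`. The caller `my $sri_hash = sha256_to_sri($module->status->checksum_value);` in the following hunk would then fail fast if CPANPLUS did not record a checksum for the fetched tarball.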
@@ -0,0 +1,72 @@ +/* + To run: + + nix-shell maintainers/scripts/update-dotnet-lockfiles.nix + + This script finds all the derivations in nixpkgs that have a 'fetch-deps' + attribute, and runs all of them sequentially. This is useful to test changes + to 'fetch-deps', 'nuget-to-nix', or other changes to the dotnet build + infrastructure. Regular updates should be done through the individual packages + update scripts. + */ +let + pkgs = import ../.. {}; + + inherit (pkgs) lib; + + packagesWith = cond: pkgs: + let + packagesWithInner = attrs: + lib.unique ( + lib.concatLists ( + lib.mapAttrsToList (name: elem: + let + result = builtins.tryEval elem; + in + if result.success then + let + value = result.value; + in + if lib.isDerivation value then + lib.optional (cond value) value + else + if lib.isAttrs value && (value.recurseForDerivations or false || value.recurseForRelease or false) then + packagesWithInner value + else [] + else []) attrs)); + in + packagesWithInner pkgs; + + packages = + packagesWith (pkgs: pkgs ? fetch-deps) pkgs; + + helpText = '' + Please run: + + % nix-shell maintainers/scripts/update-dotnet-lockfiles.nix + ''; + + fetchScripts = map (p: p.fetch-deps) packages; + +in pkgs.stdenv.mkDerivation { + name = "nixpkgs-update-dotnet-lockfiles"; + buildCommand = '' + echo "" + echo "----------------------------------------------------------------" + echo "" + echo "Not possible to update packages using \`nix-build\`" + echo "" + echo "${helpText}" + echo "----------------------------------------------------------------" + exit 1 + ''; + shellHook = '' + unset shellHook # do not contaminate nested shells + set -e + for x in $fetchScripts; do + $x + done + exit + ''; + inherit fetchScripts; +} diff --git a/third_party/nixpkgs/maintainers/team-list.nix b/third_party/nixpkgs/maintainers/team-list.nix index cbf4b0dc48..821486d55a 100644 --- a/third_party/nixpkgs/maintainers/team-list.nix +++ b/third_party/nixpkgs/maintainers/team-list.nix 
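Review bot: `packagesWith = cond: pkgs:` and the call `packagesWith (pkgs: pkgs ? fetch-deps) pkgs;` both shadow the top-level `pkgs` bound by `import ../.. {}`, and the inner lambda's parameter is a single derivation rather than a package set, so the name misleads twice over. Renaming the parameters — `packagesWith = cond: attrs:` with `packagesWithInner attrs;` as its body, and `packagesWith (drv: drv ? fetch-deps) pkgs;` at the call site — preserves behaviour and reads correctly. In `shellHook`, `set -e` followed by the `for x in $fetchScripts` loop means the first failing `fetch-deps` script aborts the whole run; if that is the intended semantics it deserves a one-line comment next to `set -e`, since the header comment only says the scripts are run "sequentially".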
@@ -213,7 +213,7 @@ with lib.maintainers; { dhall = { members = [ - Gabriel439 + Gabriella439 ehmry ]; scope = "Maintain Dhall and related packages."; @@ -272,6 +272,14 @@ with lib.maintainers; { enableFeatureFreezePing = true; }; + flutter = { + members = [ gilice mkg20001 RossComputerGuy FlafyDev hacker1024 ]; + scope = "Maintain Flutter and Dart-related packages and build tools"; + shortName = "flutter"; + enableFeatureFreezePing = false; + githubTeams = [ "flutter" ]; + }; + freedesktop = { members = [ jtojnar ]; scope = "Maintain Freedesktop.org packages for graphical desktop."; @@ -292,11 +300,25 @@ with lib.maintainers; { members = [ imincik sikmir + nh2 + willcohen ]; scope = "Maintain geospatial packages."; shortName = "Geospatial"; }; + gitlab = { + members = [ + globin + krav + talyz + yayayayaka + yuka + ]; + scope = "Maintain gitlab packages."; + shortName = "gitlab"; + }; + golang = { members = [ kalbasit @@ -383,7 +405,6 @@ with lib.maintainers; { members = [ cleeyv ryantm - yuka ]; scope = "Maintain Jitsi."; shortName = "Jitsi"; @@ -468,6 +489,15 @@ with lib.maintainers; { enableFeatureFreezePing = true; }; + lomiri = { + members = [ + OPNA2608 + ]; + scope = "Maintain Lomiri desktop environment and related packages."; + shortName = "Lomiri"; + enableFeatureFreezePing = true; + }; + lumiguide = { # Verify additions by approval of an already existing member of the team. members = [ @@ -537,7 +567,6 @@ with lib.maintainers; { ma27 fadenb mguentner - ekleog ralith dandellion sumnerevans @@ -552,11 +581,21 @@ with lib.maintainers; { emilytrau ericson2314 jk + siraben ]; scope = "Maintain the minimal-bootstrap toolchain and related packages."; shortName = "Minimal Bootstrap"; }; + mercury = { + members = [ + _9999years + Gabriella439 + ]; + scope = "Group registry for packages maintained by Mercury"; + shortName = "Mercury Employees"; + }; + mobile = { members = [ samueldr 
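Review bot: `members = [ gilice mkg20001 RossComputerGuy FlafyDev hacker1024 ];` in the new `flutter` team is the only member list in this hunk written on a single line; the other teams added in the same commit (`gitlab`, `lomiri`, `mercury`) list one member per line, which also keeps future membership changes to single-line diffs. `enableFeatureFreezePing = false;` is likewise unusual — the other teams visible here either set it to `true` or omit it — so either drop the line or add a short comment explaining why it is spelled out.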
@@ -567,7 +606,6 @@ with lib.maintainers; { nix = { members = [ - Profpatsch eelco grahamc pierron @@ -594,7 +632,6 @@ with lib.maintainers; { lilyinstarlight marsam winter - yuka ]; scope = "Maintain Node.js runtimes and build tooling."; shortName = "Node.js"; @@ -615,7 +652,6 @@ with lib.maintainers; { openstack = { members = [ - emilytrau SuperSandro2000 ]; scope = "Maintain the ecosystem around OpenStack"; diff --git a/third_party/nixpkgs/nixos/doc/manual/configuration/customizing-packages.section.md b/third_party/nixpkgs/nixos/doc/manual/configuration/customizing-packages.section.md index bceeeb2d7a..709a07b09c 100644 --- a/third_party/nixpkgs/nixos/doc/manual/configuration/customizing-packages.section.md +++ b/third_party/nixpkgs/nixos/doc/manual/configuration/customizing-packages.section.md @@ -12,6 +12,29 @@ Unfortunately, Nixpkgs currently lacks a way to query available configuration options. ::: +::: {.note} +Alternatively, many packages come with extensions one might add. +Examples include: +- [`passExtensions.pass-otp`](https://search.nixos.org/packages/query=passExtensions.pass-otp) +- [`python310Packages.requests`](https://search.nixos.org/packages/query=python310Packages.requests) + +You can use them like this: +```nix +environment.systemPackages = with pkgs; [ + sl + (pass.withExtensions (subpkgs: with subpkgs; [ + pass-audit + pass-otp + pass-genphrase + ])) + (python3.withPackages (subpkgs: with subpkgs; [ + requests + ])) + cowsay +]; +``` +::: + Apart from high-level options, it's possible to tweak a package in almost arbitrary ways, such as changing or disabling dependencies of a package. For instance, the Emacs package in Nixpkgs by default has a diff --git a/third_party/nixpkgs/nixos/doc/manual/configuration/gpu-accel.chapter.md b/third_party/nixpkgs/nixos/doc/manual/configuration/gpu-accel.chapter.md index aa41e25e56..40878b5da4 100644 --- a/third_party/nixpkgs/nixos/doc/manual/configuration/gpu-accel.chapter.md 
+++ b/third_party/nixpkgs/nixos/doc/manual/configuration/gpu-accel.chapter.md @@ -189,7 +189,7 @@ Older Intel GPUs use the i965 driver, which can be installed with: ```nix hardware.opengl.extraPackages = [ - vaapiIntel + intel-vaapi-driver ]; ``` diff --git a/third_party/nixpkgs/nixos/doc/manual/configuration/renaming-interfaces.section.md b/third_party/nixpkgs/nixos/doc/manual/configuration/renaming-interfaces.section.md index 18390c959b..5b515e9f82 100644 --- a/third_party/nixpkgs/nixos/doc/manual/configuration/renaming-interfaces.section.md +++ b/third_party/nixpkgs/nixos/doc/manual/configuration/renaming-interfaces.section.md @@ -37,7 +37,7 @@ even if networkd is disabled. Alternatively, we can use a plain old udev rule: ```nix -services.udev.initrdRules = '' +boot.initrd.services.udev.rules = '' SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", \ ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="wan" ''; @@ -45,7 +45,7 @@ services.udev.initrdRules = '' ::: {.warning} The rule must be installed in the initrd using -`services.udev.initrdRules`, not the usual `services.udev.extraRules` +`boot.initrd.services.udev.rules`, not the usual `services.udev.extraRules` option. This is to avoid race conditions with other programs controlling the interface. ::: diff --git a/third_party/nixpkgs/nixos/doc/manual/default.nix b/third_party/nixpkgs/nixos/doc/manual/default.nix index 68132f302e..40af4c1fa0 100644 --- a/third_party/nixpkgs/nixos/doc/manual/default.nix +++ b/third_party/nixpkgs/nixos/doc/manual/default.nix @@ -6,7 +6,6 @@ , extraSources ? [] , baseOptionsJSON ? null , warningsAreErrors ? true -, allowDocBook ? true , prefix ? ../../.. }: @@ -17,10 +16,6 @@ let lib = pkgs.lib; - docbook_xsl_ns = pkgs.docbook-xsl-ns.override { - withManOptDedupPatch = true; - }; - manpageUrls = pkgs.path + "/doc/manpage-urls.json"; # We need to strip references to /nix/store/* from options, 
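Review bot: Removing `, allowDocBook ? true` from the argument set of `nixos/doc/manual/default.nix` is an interface change for every caller of this file: a Nix argument-set pattern without a trailing `...` rejects unknown arguments, so any call site outside this diff that still passes `allowDocBook` would fail to evaluate with an unexpected-argument error. The opening line of the pattern is above this hunk, so whether `...` is present is not visible here; if it is not, either confirm that every caller was updated in this commit or keep the argument for one release as an ignored, documented-as-deprecated parameter, e.g. `, allowDocBook ? true # unused, kept for compatibility`.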
@@ -33,7 +28,7 @@ let stripAnyPrefixes = lib.flip (lib.foldr lib.removePrefix) prefixesToStrip; optionsDoc = buildPackages.nixosOptionsDoc { - inherit options revision baseOptionsJSON warningsAreErrors allowDocBook; + inherit options revision baseOptionsJSON warningsAreErrors; transformOptions = opt: opt // { # Clean up declaration sites to not refer to the NixOS source tree. declarations = map stripAnyPrefixes opt.declarations; 
@@ -68,73 +63,6 @@ let optionIdPrefix = "test-opt-"; }; - toc = builtins.toFile "toc.xml" - '' - - - - - - - ''; - - manualXsltprocOptions = toString [ - "--param chapter.autolabel 0" - "--param part.autolabel 0" - "--param preface.autolabel 0" - "--param reference.autolabel 0" - "--param section.autolabel 0" - "--stringparam html.stylesheet 'style.css overrides.css highlightjs/mono-blue.css'" - "--stringparam html.script './highlightjs/highlight.pack.js ./highlightjs/loader.js'" - "--param xref.with.number.and.title 0" - "--param toc.section.depth 0" - "--param generate.consistent.ids 1" - "--stringparam admon.style ''" - "--stringparam callout.graphics.extension .svg" - "--stringparam current.docid manual" - "--param chunk.section.depth 0" - "--param chunk.first.sections 1" - "--param use.id.as.filename 1" - "--stringparam chunk.toc ${toc}" - ]; - - linterFunctions = '' - # outputs the context of an xmllint error output - # LEN lines around the failing line are printed - function context { - # length of context - local LEN=6 - # lines to print before error line - local BEFORE=4 - - # xmllint output lines are: - # file.xml:1234: there was an error on line 1234 - while IFS=':' read -r file line rest; do - echo - if [[ -n "$rest" ]]; then - echo "$file:$line:$rest" - local FROM=$(($line>$BEFORE ? $line - $BEFORE : 1)) - # number lines & filter context - nl --body-numbering=a "$file" | sed -n "$FROM,+$LEN p" - else - if [[ -n "$line" ]]; then - echo "$file:$line" - else - echo "$file" - fi - fi - done - } - - function lintrng { - xmllint --debug --noout --nonet \ - --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \ - "$1" \ - 2>&1 | context 1>&2 - # ^ redirect assumes xmllint doesn’t print to stdout - } - ''; - prepareManualFromMD = '' cp -r --no-preserve=all $inputs/* . 
@@ -154,61 +82,13 @@ let ${testOptionsDoc.optionsJSON}/share/doc/nixos/options.json ''; - manual-combined = runCommand "nixos-manual-combined" - { inputs = lib.sourceFilesBySuffices ./. [ ".xml" ".md" ]; - nativeBuildInputs = [ pkgs.nixos-render-docs pkgs.libxml2.bin pkgs.libxslt.bin ]; - meta.description = "The NixOS manual as plain docbook XML"; - } - '' - ${prepareManualFromMD} - - nixos-render-docs -j $NIX_BUILD_CORES manual docbook \ - --manpage-urls ${manpageUrls} \ - --revision ${lib.escapeShellArg revision} \ - ./manual.md \ - ./manual-combined-pre.xml - - xsltproc \ - -o manual-combined.xml ${./../../lib/make-options-doc/postprocess-option-descriptions.xsl} \ - manual-combined-pre.xml - - ${linterFunctions} - - mkdir $out - cp manual-combined.xml $out/ - - lintrng $out/manual-combined.xml - ''; - - manpages-combined = runCommand "nixos-manpages-combined.xml" - { nativeBuildInputs = [ buildPackages.libxml2.bin buildPackages.libxslt.bin ]; - meta.description = "The NixOS manpages as plain docbook XML"; - } - '' - mkdir generated - cp -prd ${./man-pages.xml} man-pages.xml - ln -s ${optionsDoc.optionsDocBook} generated/options-db.xml - - xmllint --xinclude --noxincludenode --output $out ./man-pages.xml - - ${linterFunctions} - - lintrng $out - ''; - in rec { - inherit (optionsDoc) optionsJSON optionsNix optionsDocBook optionsUsedDocbook; + inherit (optionsDoc) optionsJSON optionsNix optionsDocBook; # Generate the NixOS manual. manualHTML = runCommand "nixos-manual-html" - { nativeBuildInputs = - if allowDocBook then [ - buildPackages.libxml2.bin - buildPackages.libxslt.bin - ] else [ - buildPackages.nixos-render-docs - ]; - inputs = lib.optionals (! allowDocBook) (lib.sourceFilesBySuffices ./. [ ".md" ]); + { nativeBuildInputs = [ buildPackages.nixos-render-docs ]; + inputs = lib.sourceFilesBySuffices ./. [ ".md" ]; meta.description = "The NixOS manual in HTML format"; allowedReferences = ["out"]; } 
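Review bot: `inherit (optionsDoc) optionsJSON optionsNix optionsDocBook;` silently drops `optionsUsedDocbook` from the attribute set this file returns — the replaced line exported it alongside the others — which is an interface change for anything outside this file that read it. If no consumer remains, a short comment on this line (or a sentence in the commit message) documenting the removal would help; otherwise keep exporting it until callers are migrated. Retaining `optionsDocBook` while the rest of this commit removes DocBook rendering from the manual also merits a comment stating that it is kept deliberately for external consumers.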
@@ -221,38 +101,21 @@ in rec { cp ${../../../doc/overrides.css} $dst/overrides.css cp -r ${pkgs.documentation-highlighter} $dst/highlightjs - ${if allowDocBook then '' - xsltproc \ - ${manualXsltprocOptions} \ - --stringparam id.warnings "1" \ - --nonet --output $dst/ \ - ${docbook_xsl_ns}/xml/xsl/docbook/xhtml/chunktoc.xsl \ - ${manual-combined}/manual-combined.xml \ - |& tee xsltproc.out - grep "^ID recommended on" xsltproc.out &>/dev/null && echo "error: some IDs are missing" && false - rm xsltproc.out + ${prepareManualFromMD} - mkdir -p $dst/images/callouts - cp ${docbook_xsl_ns}/xml/xsl/docbook/images/callouts/*.svg $dst/images/callouts/ - '' else '' - ${prepareManualFromMD} - - # TODO generator is set like this because the docbook/md manual compare workflow will - # trigger if it's different - nixos-render-docs -j $NIX_BUILD_CORES manual html \ - --manpage-urls ${manpageUrls} \ - --revision ${lib.escapeShellArg revision} \ - --generator "DocBook XSL Stylesheets V${docbook_xsl_ns.version}" \ - --stylesheet style.css \ - --stylesheet overrides.css \ - --stylesheet highlightjs/mono-blue.css \ - --script ./highlightjs/highlight.pack.js \ - --script ./highlightjs/loader.js \ - --toc-depth 1 \ - --chunk-toc-depth 1 \ - ./manual.md \ - $dst/index.html - ''} + nixos-render-docs -j $NIX_BUILD_CORES manual html \ + --manpage-urls ${manpageUrls} \ + --revision ${lib.escapeShellArg revision} \ + --generator "nixos-render-docs ${lib.version}" \ + --stylesheet style.css \ + --stylesheet overrides.css \ + --stylesheet highlightjs/mono-blue.css \ + --script ./highlightjs/highlight.pack.js \ + --script ./highlightjs/loader.js \ + --toc-depth 1 \ + --chunk-toc-depth 1 \ + ./manual.md \ + $dst/index.html mkdir -p $out/nix-support echo "nix-build out $out" >> $out/nix-support/hydra-build-products 
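Review bot: `--generator "nixos-render-docs ${lib.version}"` stamps the Nixpkgs version into the HTML generator string rather than the version of the renderer that produced the output, and the removed TODO that explained the previous value has no replacement. If the intent is to identify the tool, `${buildPackages.nixos-render-docs.version}` (assuming the package exposes `version`, as Python applications in Nixpkgs normally do) would be the accurate value; if the intent is to tag the manual with its Nixpkgs release, a one-line comment saying so would stop the next reader from "fixing" it. The `manualHTML` build script begins above this hunk.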
@@ -267,19 +130,41 @@ in rec { manualEpub = runCommand "nixos-manual-epub" { nativeBuildInputs = [ buildPackages.libxml2.bin buildPackages.libxslt.bin buildPackages.zip ]; + doc = '' + + + NixOS Manual + Version ${lib.version} + + + Temporarily unavailable + + The NixOS manual is currently not available in EPUB format, + please use the HTML manual + instead. + + + If you've used the EPUB manual in the past and it has been useful to you, please + let us know. + + + + ''; + passAsFile = [ "doc" ]; } '' # Generate the epub manual. dst=$out/share/doc/nixos xsltproc \ - ${manualXsltprocOptions} \ + --param chapter.autolabel 0 \ --nonet --xinclude --output $dst/epub/ \ ${docbook_xsl_ns}/xml/xsl/docbook/epub/docbook.xsl \ - ${manual-combined}/manual-combined.xml + $docPath - mkdir -p $dst/epub/OEBPS/images/callouts - cp -r ${docbook_xsl_ns}/xml/xsl/docbook/images/callouts/*.svg $dst/epub/OEBPS/images/callouts # */ echo "application/epub+zip" > mimetype manual="$dst/nixos-manual.epub" zip -0Xq "$manual" mimetype @@ -296,10 +181,6 @@ in rec { manpages = runCommand "nixos-manpages" { nativeBuildInputs = [ buildPackages.installShellFiles - ] ++ lib.optionals allowDocBook [ - buildPackages.libxml2.bin - buildPackages.libxslt.bin - ] ++ lib.optionals (! allowDocBook) [ buildPackages.nixos-render-docs ]; allowedReferences = ["out"]; 
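Review bot: The rewritten `xsltproc` call in `manualEpub` still references `${docbook_xsl_ns}/xml/xsl/docbook/epub/docbook.xsl`, while the `docbook_xsl_ns = pkgs.docbook-xsl-ns.override { … }` binding was deleted in the `@@ -17,10 +16,6 @@` hunk of this file; unless the name is still bound elsewhere (for instance through an `inherit (pkgs)` above the visible hunks), evaluating `manualEpub` will fail with an undefined variable. The new `doc` attribute is passed via `passAsFile = [ "doc" ];` and consumed as `$docPath`, which is consistent, but the stub hard-codes `Version ${lib.version}` and a link to the HTML manual, so a comment above `doc = ''` stating that this placeholder is temporary and what is expected to replace it would help future maintainers.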
@@ -308,24 +189,11 @@ in rec { # Generate manpages. mkdir -p $out/share/man/man8 installManPage ${./manpages}/* - ${if allowDocBook - then '' - xsltproc --nonet \ - --maxdepth 6000 \ - --param man.output.in.separate.dir 1 \ - --param man.output.base.dir "'$out/share/man/'" \ - --param man.endnotes.are.numbered 0 \ - --param man.break.after.slash 1 \ - ${docbook_xsl_ns}/xml/xsl/docbook/manpages/docbook.xsl \ - ${manpages-combined} - '' - else '' - mkdir -p $out/share/man/man5 - nixos-render-docs -j $NIX_BUILD_CORES options manpage \ - --revision ${lib.escapeShellArg revision} \ - ${optionsJSON}/share/doc/nixos/options.json \ - $out/share/man/man5/configuration.nix.5 - ''} + mkdir -p $out/share/man/man5 + nixos-render-docs -j $NIX_BUILD_CORES options manpage \ + --revision ${lib.escapeShellArg revision} \ + ${optionsJSON}/share/doc/nixos/options.json \ + $out/share/man/man5/configuration.nix.5 ''; } diff --git a/third_party/nixpkgs/nixos/doc/manual/development/option-types.section.md b/third_party/nixpkgs/nixos/doc/manual/development/option-types.section.md index 9e156ebff9..44bb3b4782 100644 --- a/third_party/nixpkgs/nixos/doc/manual/development/option-types.section.md +++ b/third_party/nixpkgs/nixos/doc/manual/development/option-types.section.md @@ -20,6 +20,11 @@ merging is handled. coerced to a string. Even if derivations can be considered as paths, the more specific `types.package` should be preferred. +`types.pathInStore` + +: A path that is contained in the Nix store. This can be a top-level store + path like `pkgs.hello` or a descendant like `"${pkgs.hello}/bin/hello"`. + `types.package` : A top-level store path. This can be an attribute set pointing diff --git a/third_party/nixpkgs/nixos/doc/manual/installation/upgrading.chapter.md b/third_party/nixpkgs/nixos/doc/manual/installation/upgrading.chapter.md index 26b6b8cc23..d39e1b786d 100644 --- a/third_party/nixpkgs/nixos/doc/manual/installation/upgrading.chapter.md 
+++ b/third_party/nixpkgs/nixos/doc/manual/installation/upgrading.chapter.md @@ -6,7 +6,7 @@ expressions and associated binaries. The NixOS channels are updated automatically from NixOS's Git repository after certain tests have passed and all packages have been built. These channels are: -- *Stable channels*, such as [`nixos-22.11`](https://nixos.org/channels/nixos-22.11). +- *Stable channels*, such as [`nixos-23.05`](https://channels.nixos.org/nixos-23.05). These only get conservative bug fixes and package upgrades. For instance, a channel update may cause the Linux kernel on your system to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not @@ -14,13 +14,13 @@ passed and all packages have been built. These channels are: Stable channels are generally maintained until the next stable branch is created. -- The *unstable channel*, [`nixos-unstable`](https://nixos.org/channels/nixos-unstable). +- The *unstable channel*, [`nixos-unstable`](https://channels.nixos.org/nixos-unstable). This corresponds to NixOS's main development branch, and may thus see radical changes between channel updates. It's not recommended for production systems. -- *Small channels*, such as [`nixos-22.11-small`](https://nixos.org/channels/nixos-22.11-small) - or [`nixos-unstable-small`](https://nixos.org/channels/nixos-unstable-small). +- *Small channels*, such as [`nixos-23.05-small`](https://channels.nixos.org/nixos-23.05-small) + or [`nixos-unstable-small`](https://channels.nixos.org/nixos-unstable-small). These are identical to the stable and unstable channels described above, except that they contain fewer binary packages. This means they get updated faster than the regular channels (for instance, when a critical security patch 
@@ -28,7 +28,7 @@ passed and all packages have been built. These channels are: built from source than usual. They're mostly intended for server environments and as such contain few GUI applications. -To see what channels are available, go to . +To see what channels are available, go to . (Note that the URIs of the various channels redirect to a directory that contains the channel's latest version and includes ISO images and VirtualBox appliances.) Please note that during the release process, 
@@ -38,38 +38,38 @@ newest supported stable release. When you first install NixOS, you're automatically subscribed to the NixOS channel that corresponds to your installation source. For -instance, if you installed from a 22.11 ISO, you will be subscribed to -the `nixos-22.11` channel. To see which NixOS channel you're subscribed +instance, if you installed from a 23.05 ISO, you will be subscribed to +the `nixos-23.05` channel. To see which NixOS channel you're subscribed to, run the following as root: ```ShellSession # nix-channel --list | grep nixos -nixos https://nixos.org/channels/nixos-unstable +nixos https://channels.nixos.org/nixos-unstable ``` To switch to a different NixOS channel, do ```ShellSession -# nix-channel --add https://nixos.org/channels/channel-name nixos +# nix-channel --add https://channels.nixos.org/channel-name nixos ``` (Be sure to include the `nixos` parameter at the end.) For instance, to -use the NixOS 22.11 stable channel: +use the NixOS 23.05 stable channel: ```ShellSession -# nix-channel --add https://nixos.org/channels/nixos-22.11 nixos +# nix-channel --add https://channels.nixos.org/nixos-23.05 nixos ``` If you have a server, you may want to use the "small" channel instead: ```ShellSession -# nix-channel --add https://nixos.org/channels/nixos-22.11-small nixos +# nix-channel --add https://channels.nixos.org/nixos-23.05-small nixos ``` And if you want to live on the bleeding edge: ```ShellSession -# nix-channel --add https://nixos.org/channels/nixos-unstable nixos +# nix-channel --add https://channels.nixos.org/nixos-unstable nixos ``` You can then upgrade NixOS to the latest version in your chosen channel @@ -114,5 +114,5 @@ the new generation contains a different kernel, initrd or kernel modules. You can also specify a channel explicitly, e.g. ```nix -system.autoUpgrade.channel = https://nixos.org/channels/nixos-22.11; +system.autoUpgrade.channel = "https://channels.nixos.org/nixos-23.05"; ``` 
diff --git a/third_party/nixpkgs/nixos/doc/manual/man-pages.xml b/third_party/nixpkgs/nixos/doc/manual/man-pages.xml deleted file mode 100644 index 52183f1f9e..0000000000 --- a/third_party/nixpkgs/nixos/doc/manual/man-pages.xml +++ /dev/null @@ -1,46 +0,0 @@ - - NixOS Reference Pages - - - EelcoDolstra - Author - - - The Nixpkgs/NixOS contributors - Author - - 2007-2022Eelco Dolstra and the Nixpkgs/NixOS contributors - - - - - configuration.nix - 5 - NixOS - - - - configuration.nix - NixOS system configuration specification - - - Description - - The file /etc/nixos/configuration.nix contains the - declarative specification of your NixOS system configuration. The command - nixos-rebuild takes this file and realises the system - configuration specified therein. - - - - Options - - You can use the following options in configuration.nix. - - - - - diff --git a/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md b/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md index 159881a0ac..400eb1062d 100644 --- a/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md 
@@ -441,6 +441,8 @@ In addition to numerous new and upgraded packages, this release has the followin - `pkgs.haskell-language-server` will now by default be linked dynamically to improve TemplateHaskell compatibility. To mitigate the increased closure size it will now by default only support our current default ghc (at the moment 9.0.2). Add other ghc versions via e.g. `pkgs.haskell-language-server.override { supportedGhcVersions = [ "90" "92" ]; }`. +- `pkgs.redis` is now built using the system jemalloc. This disables the experimental active defragmentation feature of redis. Users who require this feature can switch back to redis' vendored version of jemalloc by setting `services.redis.package = pkgs.redis.override { useSystemJemalloc = false; };`. + ## Other Notable Changes {#sec-release-21.11-notable-changes} diff --git a/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2305.section.md b/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2305.section.md index 9d7387a75a..a31f3511a4 100644 --- a/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2305.section.md 
@@ -1,65 +1,84 @@ -# Release 23.05 (“Stoat”, 2023.05/??) {#sec-release-23.05} +# Release 23.05 (“Stoat”, 2023.05/31) {#sec-release-23.05} -Support is planned until the end of December 2023, handing over to 23.11. +The NixOS release team is happy to announce a new version of NixOS. The release is called NixOS 23.05 ("Stoat"). + +NixOS is a Linux distribution, whose set of packages can also be used on other Linux systems and macOS. + +Support is planned until the end of December 2023, handing over to NixOS 23.11. + +To upgrade to the latest release, follow the [upgrade chapter](https://nixos.org/manual/nixos/stable/index.html#sec-upgrading). ## Highlights {#sec-release-23.05-highlights} -In addition to numerous new and upgraded packages, this release has the following highlights: +In addition to numerous new and updated packages, this release has the following highlights: - +- The default [Nix](https://github.com/NixOS/nix) version was updated from 2.11 to 2.13. In particular, this includes a [small language alteration](https://github.com/NixOS/nix/issues/8259) in the way floats are represented in `builtins.toJSON`. See the release notes for [2.12](https://nixos.org/manual/nix/stable/release-notes/rl-2.12.html) and [2.13](https://nixos.org/manual/nix/unstable/release-notes/rl-2.13.html) for more information. -- Core version changes: +- The default [Linux Kernel](https://kernel.org/) was updated from version 5.15 to 6.1, see [Kernelnewbies](https://kernelnewbies.org/Linux_6.1) for what has changed. All Kernels currently shown on [kernel.org](https://kernel.org/) are available. - - default linux: 5.15 -\> 6.1, all supported kernels available +- [systemd](https://systemd.io) has been updated from v252 to v253, see [the release notes](https://github.com/systemd/systemd/blob/v253/NEWS#L3-L659) for more information on the changes. 
+ - Updating with `nixos-rebuild boot` and rebooting is recommended, since in some rare cases the `nixos-rebuild switch` into the new generation on a live system might fail due to missing mount units. - - systemd has been updated to v253.1, see [the pull request](https://github.com/NixOS/nixpkgs/pull/216826) for more info. - It's recommended to use `nixos-rebuild boot` and `reboot`, rather than `nixos-rebuild switch` - since in some rare cases - the switch of a live system might fail. +- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.35 to 2.37, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.37) for what was changed. - - glibc: 2.35 -\> 2.37 +- [libxcrypt](https://github.com/besser82/libxcrypt), the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and [many other packages](https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/NixOS/nixpkgs%24+libxcrypt&patternType=standard&sm=1&groupBy=path). -- Cinnamon has been updated to 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what is changed. +- NixOS now defaults to using [nsncd](https://github.com/twosigma/nsncd), a non-caching reimplementation of nscd in Rust, as its NSS lookup dispatcher. This replaces the buggy and deprecated nscd implementation provided through glibc. When you find problems, you can switch back by disabling it: + ```nix + services.nscd.enableNsncd = false; + ``` -- GNOME has been upgraded to version 44. Please see the [release notes](https://release.gnome.org/44/) for details. 
+- The internal option `boot.bootspec.enable` is now enabled by default because [RFC 0125](https://github.com/NixOS/rfcs/pull/125) was merged. This means you will have a bootspec document called `boot.json` generated for each system and specialisation in the top-level. This is useful to enable advanced boot use cases in NixOS, such as Secure Boot. -- KDE Plasma has been updated to v5.27, see [the release notes](https://kde.org/announcements/plasma/5/5.27.0/) for what is changed. +- Two changes to `nixos-rebuild` are important to highlight as well. + - Support for an extra `--specialisation` option was added that can be used to change specialisation for `switch` and `test` commands. + - The `--target-host` and `--build-host` options no longer treat the `localhost` value specially – to build on resp. deploy to a local machine, omit the relevant flag. -- Python implements [PEP 668](https://peps.python.org/pep-0668/), providing better feedback to users that try to run `pip install` system-wide. +- [Python](https://www.python.org) implements [PEP 668](https://peps.python.org/pep-0668/), providing better feedback to users that try to run `pip install` for system-wide or user home installations. -- `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands. +- [Cinnamon](https://github.com/linuxmint/Cinnamon) has been updated to version 5.6, see [the pull request](https://github.com/NixOS/nixpkgs/pull/201328#issue-1449910204) for what was changed. -- `libxcrypt`, the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). 
This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and [many other packages](https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20libxcrypt&type=code). +- [GNOME](https://www.gnome.org) has been updated to version 44, see the [the release notes](https://release.gnome.org/44/) for details. -- `boot.bootspec.enable` (internal option) is now enabled by default because [RFC-0125](https://github.com/NixOS/rfcs/pull/125) was merged. This means you will have a bootspec document called `boot.json` generated for each system and specialisation in the top-level. This is useful to enable advanced boot usecases in NixOS such as SecureBoot. +- [KDE Plasma](https://kde.org/de/plasma-desktop/) has been updated to version 5.27, see [the release notes](https://kde.org/announcements/plasma/5/5.27.0/) for what was changed. + +- `openra` was updated to `20230225`. Due to large scope of the update, currently only `openraPackages.engines.release` and `openraPackages.engines.latest` packages are available. + If you want to use the old engine versions or mods, they were moved to the `openraPackages_2019` namespace. ## New Services {#sec-release-23.05-new-services} - - - [Akkoma](https://akkoma.social), an ActivityPub microblogging server. Available as [services.akkoma](options.html#opt-services.akkoma.enable). -- [Pixelfed](https://pixelfed.org/), an Instagram-like ActivityPub server. Available as [services.pixelfed](options.html#opt-services.pixelfed.enable). +- [alertmanager-irc-relay](https://github.com/google/alertmanager-irc-relay), a Prometheus Alertmanager IRC Relay. Available as [services.prometheus.alertmanagerIrcRelay](options.html#opt-services.prometheus.alertmanagerIrcRelay.enable). + +- [alice-lg](github.com/alice-lg/alice-lg), a looking-glass for BGP sessions. Available as [services.alice-lg](#opt-services.alice-lg.enable). 
+ +- [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable). + +- [authelia](https://www.authelia.com/), an open-source authentication and authorization server. Available as [services.authelia](options.html#opt-services.authelia.enable). + +- [birdwatcher](github.com/alice-lg/birdwatcher), a small HTTP server meant to provide an API defined by Barry O'Donovan's birds-eye to the BIRD internet routing daemon. Available as [services.birdwatcher](#opt-services.birdwatcher.enable). - [blesh](https://github.com/akinomyoga/ble.sh), a line editor written in pure bash. Available as [programs.bash.blesh](#opt-programs.bash.blesh.enable). -- [webhook](https://github.com/adnanh/webhook), a lightweight webhook server. Available as [services.webhook](#opt-services.webhook.enable). +- [Budgie Desktop](https://github.com/BuddiesOfBudgie/budgie-desktop), a familiar, modern desktop environment. Available as [services.xserver.desktopManager.budgie](options.html#opt-services.xserver.desktopManager.budgie). -- [cups-pdf-to-pdf](https://github.com/alexivkin/CUPS-PDF-to-PDF), a pdf-generating cups backend based on [cups-pdf](https://www.cups-pdf.de/). Available as [services.printing.cups-pdf](#opt-services.printing.cups-pdf.enable). - -- [clash-verge](https://github.com/zzzgydi/clash-verge), A Clash GUI based on tauri. Available as [programs.clash-verge](#opt-programs.clash-verge.enable). +- [clash-verge](https://github.com/zzzgydi/clash-verge), a Clash GUI based on tauri. Available as [programs.clash-verge](#opt-programs.clash-verge.enable). - [Cloudlog](https://www.magicbug.co.uk/cloudlog/), a web-based Amateur Radio logging application. Available as [services.cloudlog](#opt-services.cloudlog.enable). +- [consul-template](https://github.com/hashicorp/consul-template/), a template renderer, notifier, and supervisor for HashiCorp Consul and Vault data. 
Available as [services.consul-template](#opt-services.consul-template.instances). + +- [cups-pdf-to-pdf](https://github.com/alexivkin/CUPS-PDF-to-PDF), a PDF-generating CUPS backend based on [cups-pdf](https://www.cups-pdf.de/). Available as [services.printing.cups-pdf](#opt-services.printing.cups-pdf.enable). + - [Deepin Desktop Environment](https://github.com/linuxdeepin/dde), an elegant, easy to use and reliable desktop environment. Available as [services.xserver.desktopManager.deepin](options.html#opt-services.xserver.desktopManager.deepin). -- [system-repart](https://www.freedesktop.org/software/systemd/man/systemd-repart.service.html), grow and add partitions to a partition table. Available as [systemd.repart](options.html#opt-systemd.repart) and [boot.initrd.systemd.repart](options.html#opt-boot.initrd.systemd.repart) +- [esphome](https://esphome.io), a dashboard to configure ESP8266/ESP32 devices for use with Home Automation systems. Available as [services.esphome](#opt-services.esphome.enable). - [frigate](https://frigate.video), an open source NVR built around real-time AI object detection. Available as [services.frigate](#opt-services.frigate.enable). - [fzf](https://github.com/junegunn/fzf), a command line fuzzyfinder. Available as [programs.fzf](#opt-programs.fzf.fuzzyCompletion). -- [readarr](https://github.com/Readarr/Readarr), Book Manager and Automation (Sonarr for Ebooks). Available as [services.readarr](options.html#opt-services.readarr.enable). - - [gemstash](https://github.com/rubygems/gemstash), a RubyGems.org cache and private gem server. Available as [services.gemstash](#opt-services.gemstash.enable). - [gitea-actions-runner](https://gitea.com/gitea/act_runner), a CI runner for Gitea/Forgejo Actions. Available as [services.gitea-actions-runner](#opt-services.gitea-actions-runner.instances). 
@@ -68,129 +87,121 @@ In addition to numerous new and upgraded packages, this release has the followin - [go2rtc](https://github.com/AlexxIT/go2rtc), a camera streaming appliation with support for RTSP, WebRTC, HomeKit, FFMPEG, RTMP and other protocols. Available as [services.go2rtc](options.html#opt-services.go2rtc.enable). -- [harmonia](https://github.com/nix-community/harmonia/), Nix binary cache implemented in rust using libnix-store. Available as [services.harmonia](options.html#opt-services.harmonia.enable). - -- [hyprland](https://github.com/hyprwm/hyprland), a dynamic tiling Wayland compositor that doesn't sacrifice on its looks. Available as [programs.hyprland](#opt-programs.hyprland.enable). - -- [minipro](https://gitlab.com/DavidGriffith/minipro/), an open source program for controlling the MiniPRO TL866xx series of chip programmers. Available as [programs.minipro](options.html#opt-programs.minipro.enable). - -- [stevenblack-blocklist](https://github.com/StevenBlack/hosts), A unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable). - -- [Budgie Desktop](https://github.com/BuddiesOfBudgie/budgie-desktop), a familiar, modern desktop environment. Available as [services.xserver.desktopManager.budgie](options.html#opt-services.xserver.desktopManager.budgie). - -- [imaginary](https://github.com/h2non/imaginary), a microservice for high-level image processing that Nextcloud can use to generate previews. Available as [services.imaginary](#opt-services.imaginary.enable). - -- [opensearch](https://opensearch.org), a search server alternative to Elasticsearch. Available as [services.opensearch](options.html#opt-services.opensearch.enable). - -- [kavita](https://kavitareader.com), a self-hosted digital library. Available as [services.kavita](options.html#opt-services.kavita.enable). - -- [monica](https://www.monicahq.com), an open source personal CRM. 
Available as [services.monica](options.html#opt-services.monica.enable). - -- [authelia](https://www.authelia.com/), is an open-source authentication and authorization server. Available under [services.authelia](options.html#opt-services.authelia.enable). - -- [goeland](https://github.com/slurdge/goeland), an alternative to rss2email written in golang with many filters. Available as [services.goeland](#opt-services.goeland.enable). - -- [alertmanager-irc-relay](https://github.com/google/alertmanager-irc-relay), a Prometheus Alertmanager IRC Relay. Available as [services.prometheus.alertmanagerIrcRelay](options.html#opt-services.prometheus.alertmanagerIrcRelay.enable). - -- [tts](https://github.com/coqui-ai/TTS), a battle-tested deep learning toolkit for Text-to-Speech. Multiple servers may be configured below [services.tts.servers](#opt-services.tts.servers). - -- [atuin](https://github.com/ellie/atuin), a sync server for shell history. Available as [services.atuin](#opt-services.atuin.enable). - -- [esphome](https://esphome.io), a dashboard to configure ESP8266/ESP32 devices for use with Home Automation systems. Available as [services.esphome](#opt-services.esphome.enable). - -- [networkd-dispatcher](https://gitlab.com/craftyguy/networkd-dispatcher), a dispatcher service for systemd-networkd connection status changes. Available as [services.networkd-dispatcher](#opt-services.networkd-dispatcher.enable). +- [goeland](https://github.com/slurdge/goeland), an alternative to rss2email written in Golang with many filters. Available as [services.goeland](#opt-services.goeland.enable). - [gonic](https://github.com/sentriz/gonic), a Subsonic music streaming server. Available as [services.gonic](#opt-services.gonic.enable). -- [mmsd](https://gitlab.com/kop316/mmsd), a lower level daemon that transmits and receives MMSes. Available as [services.mmsd](#opt-services.mmsd.enable). 
+- [hardware.ipu6](#opt-hardware.ipu6.enable), drivers for IPU6 based webcams on Intel Tiger Lake and Alder Lake. -- [QDMR](https://dm3mat.darc.de/qdmr/), a GUI application and command line tool for programming DMR radios [programs.qdmr](#opt-programs.qdmr.enable) +- [harmonia](https://github.com/nix-community/harmonia/), a Nix binary cache implemented in Rust using [libnixstore](https://docs.rs/libnixstore/latest/libnixstore/). Available as [services.harmonia](options.html#opt-services.harmonia.enable). -- [keyd](https://github.com/rvaiya/keyd), a key remapping daemon for linux. Available as [services.keyd](#opt-services.keyd.enable). +- [hyprland](https://github.com/hyprwm/hyprland), a dynamic tiling Wayland compositor that doesn't sacrifice on its looks. Available as [programs.hyprland](#opt-programs.hyprland.enable). -- [consul-template](https://github.com/hashicorp/consul-template/), a template rendering, notifier, and supervisor for HashiCorp Consul and Vault data. Available as [services.consul-template](#opt-services.consul-template.instances). - -- [vault-agent](https://developer.hashicorp.com/vault/docs/agent), a template rendering and API auth proxy for HashiCorp Vault, similar to `consul-template`. Available as [services.vault-agent](#opt-services.vault-agent.instances). - -- [trippy](https://github.com/fujiapple852/trippy), a network diagnostic tool. Available as [programs.trippy](#opt-programs.trippy.enable). - -- [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. Available as [services.v2raya](options.html#opt-services.v2raya.enable). - -- [rshim](https://github.com/Mellanox/rshim-user-space), the user-space rshim driver for the BlueField SoC. Available as [services.rshim](options.html#opt-services.rshim.enable). - -- [wstunnel](https://github.com/erebe/wstunnel), a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. 
Instances may be configured via [services.wstunnel](options.html#opt-services.wstunnel.enable). - -- [ulogd](https://www.netfilter.org/projects/ulogd/index.html), a userspace logging daemon for netfilter/iptables related logging. Available as [services.ulogd](options.html#opt-services.ulogd.enable). - -- [PufferPanel](https://pufferpanel.com), game server management panel designed to be easy to use. Available as [services.pufferpanel](#opt-services.pufferpanel.enable). - -- [jellyseerr](https://github.com/Fallenbagel/jellyseerr), a web-based requests manager for Jellyfin, forked from Overseerr. Available as [services.jellyseerr](#opt-services.jellyseerr.enable). - -- [stargazer](https://sr.ht/~zethra/stargazer/), a fast and easy to use Gemini server. Available as [services.stargazer](#opt-services.stargazer.enable). - -- [sniffnet](https://github.com/GyulyVGC/sniffnet), an application to monitor your network traffic. Available as [programs.sniffnet](#opt-programs.sniffnet.enable). - -- [photoprism](https://photoprism.app/), a AI-Powered Photos App for the Decentralized Web. Available as [services.photoprism](options.html#opt-services.photoprism.enable). - -- [alice-lg](github.com/alice-lg/alice-lg), a looking-glass for BGP sessions. Available as [services.alice-lg](#opt-services.alice-lg.enable). - -- [birdwatcher](github.com/alice-lg/birdwatcher), a small HTTP server meant to provide an API defined by Barry O'Donovan's birds-eye to the BIRD internet routing daemon. Available as [services.birdwatcher](#opt-services.birdwatcher.enable). - -- [peroxide](https://github.com/ljanyst/peroxide), a fork of the official [ProtonMail bridge](https://github.com/ProtonMail/proton-bridge) that aims to be similar to [Hydroxide](https://github.com/emersion/hydroxide). Available as [services.peroxide](#opt-services.peroxide.enable). - -- [autosuspend](https://github.com/languitar/autosuspend), a python daemon that suspends a system if certain conditions are met, or not met. 
- -- [sharing](https://github.com/parvardegr/sharing), a command-line tool to share directories and files from the CLI to iOS and Android devices without the need of an extra client app. Available as [programs.sharing](#opt-programs.sharing.enable). - -- [nimdow](https://github.com/avahe-kellenberger/nimdow), a window manager written in Nim, inspired by dwm. - -- [trurl](https://github.com/curl/trurl), a command line tool for URL parsing and manipulation. - -- [wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh), a simple utility to help connect wireguard nodes together in a full mesh topology. Available as [services.wgautomesh](options.html#opt-services.wgautomesh.enable). - -- [woodpecker-agents](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-agents](#opt-services.woodpecker-agents.agents._name_.enable). - -- [woodpecker-server](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-server](#opt-services.woodpecker-server.enable). - -- [lldap](https://github.com/lldap/lldap), a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. Available as [services.lldap](#opt-services.lldap.enable). - -- [ReGreet](https://github.com/rharish101/ReGreet), a clean and customizable greeter for greetd. Available as [programs.regreet](#opt-programs.regreet.enable). - -- [v4l2-relayd](https://git.launchpad.net/v4l2-relayd), a streaming relay for v4l2loopback using gstreamer. Available as [services.v4l2-relayd](#opt-services.v4l2-relayd.instances._name_.enable). - -- [hardware.ipu6](#opt-hardware.ipu6.enable) adds support for ipu6 based webcams on intel tiger lake and alder lake. +- [imaginary](https://github.com/h2non/imaginary), a microservice for high-level image processing that Nextcloud can use to generate previews. Available as [services.imaginary](#opt-services.imaginary.enable). 
- [ivpn](https://www.ivpn.net/), a secure, private VPN with fast WireGuard connections. Available as [services.ivpn](#opt-services.ivpn.enable). +- [vmalert](https://victoriametrics.com/), an alerting engine for VictoriaMetrics. Available as [services.vmalert](#opt-services.vmalert.enable). + +- [jellyseerr](https://github.com/Fallenbagel/jellyseerr), a web-based requests manager for Jellyfin, forked from Overseerr. Available as [services.jellyseerr](#opt-services.jellyseerr.enable). + +- [kavita](https://kavitareader.com), a self-hosted digital library. Available as [services.kavita](options.html#opt-services.kavita.enable). + +- [keyd](https://github.com/rvaiya/keyd), a key remapping daemon for Linux. Available as [services.keyd](#opt-services.keyd.enable). + +- [lldap](https://github.com/lldap/lldap), a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication. Available as [services.lldap](#opt-services.lldap.enable). + +- [minipro](https://gitlab.com/DavidGriffith/minipro/), an open source program for controlling the MiniPRO TL866xx series of chip programmers. Available as [programs.minipro](options.html#opt-programs.minipro.enable). + +- [mmsd](https://gitlab.com/kop316/mmsd), a lower level daemon that transmits and receives MMSes. Available as [services.mmsd](#opt-services.mmsd.enable). + +- [monica](https://www.monicahq.com), an open source personal CRM. Available as [services.monica](options.html#opt-services.monica.enable). + +- [networkd-dispatcher](https://gitlab.com/craftyguy/networkd-dispatcher), a dispatcher service for systemd-networkd connection status changes. Available as [services.networkd-dispatcher](#opt-services.networkd-dispatcher.enable). + +- [nimdow](https://github.com/avahe-kellenberger/nimdow), a window manager written in Nim, inspired by dwm. Available as [services.xserver.windowManager.nimdow.enable](options.html#opt-services.xserver.windowManager.nimdow.enable). 
+ +- [opensearch](https://opensearch.org), a search server alternative to Elasticsearch. Available as [services.opensearch](options.html#opt-services.opensearch.enable). + - [openvscode-server](https://github.com/gitpod-io/openvscode-server), run VS Code on a remote machine with access through a modern web browser from any device, anywhere. Available as [services.openvscode-server](#opt-services.openvscode-server.enable). +- [peroxide](https://github.com/ljanyst/peroxide), a fork of the official [ProtonMail bridge](https://github.com/ProtonMail/proton-bridge) that aims to be similar to [Hydroxide](https://github.com/emersion/hydroxide). Available as [services.peroxide](#opt-services.peroxide.enable). + +- [photoprism](https://photoprism.app/), a AI-powered photos app for the decentralized web. Available as [services.photoprism](options.html#opt-services.photoprism.enable). + +- [Pixelfed](https://pixelfed.org/), an Instagram-like ActivityPub server. Available as [services.pixelfed](options.html#opt-services.pixelfed.enable). + +- [PufferPanel](https://pufferpanel.com), a game server management panel designed to be easy to use. Available as [services.pufferpanel](#opt-services.pufferpanel.enable). + +- [QDMR](https://dm3mat.darc.de/qdmr/), a GUI application and command line tool for programming DMR radios [programs.qdmr](#opt-programs.qdmr.enable). + +- [readarr](https://github.com/Readarr/Readarr), book manager and automation (Sonarr for ebooks). Available as [services.readarr](options.html#opt-services.readarr.enable). + +- [ReGreet](https://github.com/rharish101/ReGreet), a clean and customizable greeter for greetd. Available as [programs.regreet](#opt-programs.regreet.enable). + +- [rshim](https://github.com/Mellanox/rshim-user-space), the user-space rshim driver for the BlueField SoC. Available as [services.rshim](options.html#opt-services.rshim.enable). 
+ +- [SFTPGo](https://github.com/drakkan/sftpgo), a fully featured and highly configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. Available as [services.sftpgo](options.html#opt-services.sftpgo.enable). + +- [sharing](https://github.com/parvardegr/sharing), a command-line tool to share directories and files from the CLI to iOS and Android devices without the need of an extra client app. Available as [programs.sharing](#opt-programs.sharing.enable). + +- [sniffnet](https://github.com/GyulyVGC/sniffnet), an application to monitor your network traffic. Available as [programs.sniffnet](#opt-programs.sniffnet.enable). + +- [stargazer](https://sr.ht/~zethra/stargazer/), a fast and easy to use Gemini server. Available as [services.stargazer](#opt-services.stargazer.enable). + +- [stevenblack-blocklist](https://github.com/StevenBlack/hosts), a unified hosts file with base extensions for blocking unwanted websites. Available as [networking.stevenblack](options.html#opt-networking.stevenblack.enable). + +- [systemd-repart](https://www.freedesktop.org/software/systemd/man/systemd-repart.service.html), grow and add partitions to a partition table. Available as [systemd.repart](options.html#opt-systemd.repart) and [boot.initrd.systemd.repart](options.html#opt-boot.initrd.systemd.repart) + +- [trippy](https://github.com/fujiapple852/trippy), a network diagnostic tool. Available as [programs.trippy](#opt-programs.trippy.enable). + +- [tts](https://github.com/coqui-ai/TTS), a battle-tested deep learning toolkit for Text-to-Speech. Multiple servers may be configured below [services.tts.servers](#opt-services.tts.servers). + +- [ulogd](https://www.netfilter.org/projects/ulogd/index.html), a userspace logging daemon for netfilter/iptables related logging. Available as [services.ulogd](options.html#opt-services.ulogd.enable). + +- [v2rayA](https://v2raya.org), a Linux web GUI client of Project V which supports V2Ray, Xray, SS, SSR, Trojan and Pingtunnel. 
Available as [services.v2raya](options.html#opt-services.v2raya.enable). + +- [v4l2-relayd](https://git.launchpad.net/v4l2-relayd), a streaming relay for v4l2loopback using gstreamer. Available as [services.v4l2-relayd](#opt-services.v4l2-relayd.instances._name_.enable). + +- [vault-agent](https://developer.hashicorp.com/vault/docs/agent), a template renderer and API auth proxy for HashiCorp Vault, similar to `consul-template`. Available as [services.vault-agent](#opt-services.vault-agent.instances). + +- [webhook](https://github.com/adnanh/webhook), a lightweight webhook server. Available as [services.webhook](#opt-services.webhook.enable). + +- [wgautomesh](https://git.deuxfleurs.fr/Deuxfleurs/wgautomesh), a simple utility to help connect wireguard nodes together in a full mesh topology. Available as [services.wgautomesh](options.html#opt-services.wgautomesh.enable). + +- [woodpecker](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-server](#opt-services.woodpecker-server.enable) and [services.woodpecker-agents](#opt-services.woodpecker-agents.agents._name_.enable). + +- [wstunnel](https://github.com/erebe/wstunnel), a proxy tunnelling arbitrary TCP or UDP traffic through a WebSocket connection. Available as [services.wstunnel](options.html#opt-services.wstunnel.enable). + ## Backward Incompatibilities {#sec-release-23.05-incompatibilities} - - -- `carnix` and `cratesIO` has been removed due to being unmaintained, use alternatives such as [naersk](https://github.com/nix-community/naersk) and [crate2nix](https://github.com/kolloch/crate2nix) instead. - - `services.asusd` configuration now uses strings instead of structured configuration, as upstream switched to the [RON](https://github.com/ron-rs/ron) configuration format. Support for structured configuration may return when [RON](https://github.com/ron-rs/ron) generation is implemented in nixpkgs. 
-- `checkInputs` have been renamed to `nativeCheckInputs`, because they behave the same as `nativeBuildInputs` when `doCheck` is set. `checkInputs` now denote a new type of dependencies, added to `buildInputs` when `doCheck` is set. As a rule of thumb, `nativeCheckInputs` are tools on `$PATH` used during the tests, and `checkInputs` are libraries which are linked to executables built as part of the tests. Similarly, `installCheckInputs` are renamed to `nativeInstallCheckInputs`, corresponding to `nativeBuildInputs`, and `installCheckInputs` are a new type of dependencies added to `buildInputs` when `doInstallCheck` is set. (Note that this change will not cause breakage to derivations with `strictDeps` unset, which are most packages except python, rust, ocaml and go packages).
-
-- `buildDunePackage` now defaults to `strictDeps = true` which means that any library should go into `buildInputs` or `checkInputs`. Any executable that is run on the building machine should go into `nativeBuildInputs` or `nativeCheckInputs` respectively. Example of executables are `ocaml`, `findlib` and `menhir`. PPXs are libraries which are built by dune and should therefore not go into `nativeBuildInputs`.
- - `borgbackup` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.borgbackup.jobs..inhibitsSleep`](#opt-services.borgbackup.jobs._name_.inhibitsSleep).
-- The `ssh` client tool now disables the `~C` escape sequence by default. This can be re-enabled by setting `EnableEscapeCommandline yes`
+- The `openssh` client now comes with the `~C` escape sequence disabled by default. It can be re-enabled by setting `EnableEscapeCommandline yes`
-- Many `services.syncthing` options have been moved to `services.syncthing.settings`, as part of [RFC 42](https://github.com/NixOS/rfcs/pull/42)'s implementation, see [#226088](https://github.com/NixOS/nixpkgs/pull/226088).
+- The `programs.ssh` client module does not read `/etc/ssh/ssh_known_hosts2` anymore, since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
-- The `ssh` module does not read `/etc/ssh/ssh_known_hosts2` anymore since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
+- The `services.openssh` server module does not read `~/.ssh/authorized_keys2` anymore, since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
-- The openssh module does not read `~/.ssh/authorized_keys2` anymore since this location is [deprecated since 2001](https://marc.info/?l=openssh-unix-dev&m=100508718416162&w=2).
+- MAC-then-encrypt algorithms were removed from the default selection of `services.openssh.settings.Macs`. If you still require these [MACs](https://en.wikipedia.org/wiki/Message_authentication_code), for example when you are relying on libssh2 (e.g. VLC) or the SSH library shipped on the iPhone, you can re-add them like this:
+
+ ```nix
+ services.openssh.settings.Macs = [
+ "hmac-sha2-512"
+ "hmac-sha2-256"
+ "umac-128@openssh.com"
+ ];
+ ```
 - `podman` now uses the `netavark` network stack. Users will need to delete all of their local containers, images, volumes, etc, by running `podman system reset --force` once before upgrading their systems.
 - `git-bug` has been updated to at least version 0.8.0, which includes backwards incompatible changes. The `git-bug-migration` package can be used to upgrade existing repositories.
-- `graylog` has been updated to version 5, which can not be upgraded directly from the previously packaged version 3.3. If you had installed the previously packaged version 3.3, please follow the [upgrade path](https://go2docs.graylog.org/5-0/upgrading_graylog/upgrade_path.htm) from 3.3 to 4.0 to 4.3 to 5.0.
+- `graylog` has been updated to version 5, which can not be updated directly from the previously packaged version 3.3. If you had installed the previously packaged version 3.3, please follow the [upgrade path](https://go2docs.graylog.org/5-0/upgrading_graylog/upgrade_path.htm) from 3.3 to 4.0 to 4.3 to 5.0.
+
+- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implemenation is still available via `buildFHSEnvChroot` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs.
 - `nushell` has been updated to at least version 0.77.0, which includes potential breaking changes in aliases. The old aliases are now available as `old-alias` but it is recommended you migrate to the new format. See [Reworked aliases](https://www.nushell.sh/blog/2023-03-14-nushell_0_77.html#reworked-aliases-breaking-changes-kubouch).
@@ -198,16 +209,16 @@ In addition to numerous new and upgraded packages, this release has the followin
 - `keepassx` and `keepassx2` have been removed, due to upstream [stopping development](https://www.keepassx.org/index.html%3Fp=636.html). Consider [KeePassXC](https://keepassxc.org) as a maintained alternative.
-- The [services.kubo.settings](#opt-services.kubo.settings) option is now no longer stateful. If you changed any of the options in [services.kubo.settings](#opt-services.kubo.settings) in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably /var/lib/ipfs/config) and compare after the update.
+- The [services.kubo.settings](#opt-services.kubo.settings) option is now no longer stateful. If you changed any of the options in [services.kubo.settings](#opt-services.kubo.settings) in the past and then removed them from your NixOS configuration again, those changes are still in your Kubo configuration file but will now be reset to the default. If you're unsure, you may want to make a backup of your configuration file (probably `/var/lib/ipfs/config`) and compare after the update.
 - The Kubo HTTP API will no longer listen on localhost and will instead only listen on a Unix domain socket by default. Read the [services.kubo.settings.Addresses.API](#opt-services.kubo.settings.Addresses.API) option description for more information.
 - The EC2 image module no longer fetches instance metadata in stage-1. This results in a significantly smaller initramfs, since network drivers no longer need to be included, and faster boots, since metadata fetching can happen in parallel with startup of other services. This breaks services which rely on metadata being present by the time stage-2 is entered.
Anything which reads EC2 metadata from `/etc/ec2-metadata` should now have an `after` dependency on `fetch-ec2-metadata.service`
-- The mailman service now defaults to using a randomly generated REST API password instead of a hardcoded one.
+- The mailman service now defaults to using a randomly generated REST API password instead of a hard-coded one.
-- `minio` removed support for its legacy filesystem backend in [RELEASE.2022-10-29T06-21-33Z](https://github.com/minio/minio/releases/tag/RELEASE.2022-10-29T06-21-33Z). This means if your storage was created with the old format, minio will no longer start. Unfortunately minio doesn't provide a an automatic migration, they only provide [instructions how to manually convert the node](https://min.io/docs/minio/windows/operations/install-deploy-manage/migrate-fs-gateway.html). To facilitate this migration we keep around the last version that still supports the old filesystem backend as `minio_legacy_fs`. Use it via `services.minio.package = minio_legacy_fs;` to export your data before switching to the new version. See the corresponding [issue](https://github.com/NixOS/nixpkgs/issues/199318) for more details.
+- `minio` removed support for its legacy filesystem backend in [RELEASE.2022-10-29T06-21-33Z](https://github.com/minio/minio/releases/tag/RELEASE.2022-10-29T06-21-33Z). This means if your storage was created with the old format, minio will no longer start. Unfortunately, minio doesn't provide an automatic migration, they only provide [instructions how to manually convert the node](https://min.io/docs/minio/windows/operations/install-deploy-manage/migrate-fs-gateway.html). To facilitate this migration, we keep around the last version that still supports the old filesystem backend as `minio_legacy_fs`. Use it via `services.minio.package = minio_legacy_fs;` to export your data before switching to the new version. See the corresponding [issue](https://github.com/NixOS/nixpkgs/issues/199318) for more details.
- `services.sourcehut.dispatch` and the corresponding package (`sourcehut.dispatchsrht`) have been removed due to [upstream deprecation](https://sourcehut.org/blog/2022-08-01-dispatch-deprecation-plans/). 
@@ -231,15 +242,20 @@ In addition to numerous new and upgraded packages, this release has the followin
 };
 ```
-- The [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
+- The default module options for [services.snapserver.openFirewall](#opt-services.snapserver.openFirewall), [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) and [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) have been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
-- The [services.tmate-ssh-server.openFirewall](#opt-services.tmate-ssh-server.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
+- The option `i18n.inputMethod.fcitx5.enableRimeData` has been removed. Default RIME data is now included in `fcitx5-rime` by default, and can be customized using
-- The [services.unifi-video.openFirewall](#opt-services.unifi-video.openFirewall) module option default value has been changed from `true` to `false`. You will need to explicitly set this option to `true`, or configure your firewall.
+ ```nix
+ fcitx5-rime.override {
+ rimeDataPkgs = [
+ pkgs.rime-data
+ # ...
+ ];
+ }
+ ```
-- The option `i18n.inputMethod.fcitx5.enableRimeData` has been removed. Default RIME data is now included in `fcitx5-rime` by default, and can be customized using `fcitx5-rime.override { rimeDataPkgs = [ pkgs.rime-data, package2, ... ]; }`
-
-- The udev hwdb.bin file is now built with systemd-hwdb rather than the [deprecated "udevadm hwdb"](https://github.com/systemd/systemd/pull/25714). This may impact mappings where the same key is defined in multiple matching entries.
The updated behavior will select the latest definition in case of conflict. In general, this should be a positive change, as the hwdb source files are designed with this ordering in mind. As an example, the mapping of the HP Dev One keyboard scan code for "mute mic" is corrected by this update. This change may impact users who have worked-around previously incorrect mappings.
+- The `udev` hwdb.bin file is now built with systemd-hwdb rather than the [deprecated "udevadm hwdb"](https://github.com/systemd/systemd/pull/25714). This may impact mappings where the same key is defined in multiple matching entries. The updated behavior will select the latest definition in case of conflict. In general, this should be a positive change, as the hwdb source files are designed with this ordering in mind. As an example, the mapping of the HP Dev One keyboard scan code for "mute mic" is corrected by this update. This change may impact users who have worked-around previously incorrect mappings.
 - Kime has been updated from 2.5.6 to 3.0.2 and the `i18n.inputMethod.kime.config` option has been removed. Users should use `daemonModules`, `iconColor`, and `extraConfig` options under `i18n.inputMethod.kime` instead.
@@ -247,28 +263,26 @@ In addition to numerous new and upgraded packages, this release has the followin
 - `i3status-rust` has been updated from 0.22.0 to 0.30.5, and this brings many changes to its configuration format. Additional information can be found [here](https://github.com/greshake/i3status-rust/blob/v0.30.0/NEWS.md).
-- The `wordpress` derivation no longer contains any builtin plugins or themes. If you need them you have to add them back to prevent your site from breaking. You can find them in `wordpressPackages.{plugins,themes}`.
+- The `wordpress` derivation no longer contains any built-in plugins or themes. If you need them, you have to add them back to prevent your site from breaking. You can find them in `wordpressPackages.{plugins,themes}`.
 - `llvmPackages_rocm.llvm` will not contain `clang` or `compiler-rt`. `llvmPackages_rocm.clang` will not contain `llvm`. `llvmPackages_rocm.clangNoCompilerRt` has been removed in favor of using `llvmPackages_rocm.clang-unwrapped`.
-- `services.xserver.desktopManager.plasma5.excludePackages` has been moved to `environment.plasma5.excludePackages`, for consistency with other Desktop Environments
+- `services.xserver.desktopManager.plasma5.excludePackages` has been moved to `environment.plasma5.excludePackages`, for consistency with other Desktop Environments.
+
+- `teleport` has been updated from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting `services.teleport.package = pkgs.teleport_11`. Afterwards, this option can be removed to upgrade to the default version (12).
- The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2.
-- `teleport` has been upgraded from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting `services.teleport.package = pkgs.teleport_11`. Afterwards, this option can be removed to upgrade to the default version (12).
- - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation.
+- `gitlab` has been upgraded from major version 15 to major version 16 and requires at least PostgreSQL 13.6. Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation.
+
+- `gitlab` 16 deprecates the use of external container registries, in our case `pkgs.docker-distribution`. Module users who have [`services.gitlab.registry.enable`](#opt-services.gitlab.registry.enable) set to `true` are advised to back up their state and switch to gitlab's fork by setting [`services.gitlab.registry.package`](#opt-services.gitlab.registry.package) to `pkgs.gitlab-container-registry`.
+ - `fail2ban` has been updated to 1.0.2, which has a few breaking changes compared to 0.11.2 ([changelog for 1.0.1](https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog), [changelog for 1.0.2](https://github.com/fail2ban/fail2ban/blob/1.0.2/ChangeLog))
 - `albert` has been updated from 0.17.6 to 0.20.13, and 0.18.0 changed the config format and many plugins ([changelog for 0.18.0](https://github.com/albertlauncher/albert/blob/v0.18.0/CHANGELOG.md))
-- Calling `makeSetupHook` without passing a `name` argument is deprecated.
-
-- Top-level buildPlatform,hostPlatform,targetPlatform have been deprecated, use stdenv.X instead.
-
-- `lib.systems.examples.ghcjs` and consequently `pkgsCross.ghcjs` now use the target triplet `javascript-unknown-ghcjs` instead of `js-unknown-ghcjs`. This has been done to match an [upstream decision](https://gitlab.haskell.org/ghc/ghc/-/commit/6636b670233522f01d002c9b97827d00289dbf5c) to follow Cabal's platform naming more closely. Nixpkgs will also reject `js` as an architecture name.
- - `dokuwiki` has been updated from 2023-07-31a (Igor) to 2023-04-04 (Jack Jackrum), which has [completely removed](https://www.dokuwiki.org/changes#release_2023-04-04_jack_jackrum) the options to embed HTML and PHP for security reasons. The [htmlok plugin](https://www.dokuwiki.org/plugin:htmlok) can be used to regain this functionality.
 - The old unsupported version 6.x of the ELK-stack and Elastic beats have been removed. Use OpenSearch instead.
@@ -279,10 +293,6 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The [services.wordpress.sites.<name>.plugins](#opt-services.wordpress.sites._name_.plugins) and [services.wordpress.sites.<name>.themes](#opt-services.wordpress.sites._name_.themes) options have been converted from sets to attribute sets to allow for consumers to specify explicit install paths via attribute name.
-- [`services.nextcloud.database.createLocally`](#opt-services.nextcloud.database.createLocally) now uses socket authentication and is no longer compatible with password authentication.
- - If you want the module to manage the database for you, unset [`services.nextcloud.config.dbpassFile`](#opt-services.nextcloud.config.dbpassFile) (and [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost), if it's set).
- - If you want to use password authentication **and** create the database locally, you will have to use [`services.mysql`](#opt-services.mysql.enable) to set it up.
- - `protonmail-bridge` package has been updated to major version 3.
 - Nebula now runs as a system user and group created for each nebula network, using the `CAP_NET_ADMIN` ambient capability on launch rather than starting as root. Ensure that any files each Nebula instance needs to access are owned by the correct user and group, by default `nebula-${networkName}`.
@@ -291,28 +301,22 @@ In addition to numerous new and upgraded packages, this release has the followin
 - In `mastodon` it is now necessary to specify location of file with `PostgreSQL` database password. In `services.mastodon.database.passwordFile` parameter default value `/var/lib/mastodon/secrets/db-password` has been changed to `null`.
-- The `--target-host` and `--build-host` options of `nixos-rebuild` no longer treat the `localhost` value specially – to build on/deploy to local machine, omit the relevant flag.
- - The `nix.readOnlyStore` option has been renamed to `boot.readOnlyNixStore` to clarify that it configures the NixOS boot process, not the Nix daemon.
-- Deprecated `xlibsWrapper` transitional package has been removed in favour of direct use of its constituents: `xorg.libX11`, `freetype` and others.
- - The latest available version of Nextcloud is v26 (available as `pkgs.nextcloud26`) which uses PHP 8.2 as interpreter by default. The installation logic is as follows:
 - If `system.stateVersion` is >=23.05, `pkgs.nextcloud26` will be installed by default.
 - If `system.stateVersion` is >=22.11, `pkgs.nextcloud25` will be installed by default.
 - Please note that an upgrade from v24 (or older) to v26 directly is not possible. Please upgrade to `nextcloud25` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud25;`](options.html#opt-services.nextcloud.package).
 - It's recommended to use the latest version available (i.e. v26) and to specify that using `services.nextcloud.package`.
-- .NET 5.0 and .NET 3.1 were removed due to being end-of-life, use a newer, supported .NET version - https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core
+- .NET 5.0 and .NET 3.1 were removed due to being end-of-life, use a newer, supported .NET version.
Visit the [Support Policy](https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core) for more information.
 - The iputils package, which is installed by default, no longer provides the
- `ninfod`, `rarpd` and `rdisc` tools. See
- [upstream's release notes](https://github.com/iputils/iputils/releases/tag/20221126)
- for more details and available replacements.
+ `ninfod`, `rarpd` and `rdisc` tools. See [upstream's release notes](https://github.com/iputils/iputils/releases/tag/20221126) for more details and available replacements.
-- The ppp plugin `rp-pppoe.so` has been renamed to `pppoe.so` in ppp 2.4.9. Starting from ppp 2.5.0, there is no longer a alias for backwards compatibility. Configurations that use this plugin must be updated accordingly from `plugin rp-pppoe.so` to `plugin pppoe.so`. See [upstream change](https://github.com/ppp-project/ppp/commit/610a7bd76eb1f99f22317541b35001b1e24877ed).
+- The ppp plugin `rp-pppoe.so` has been renamed to `pppoe.so` in ppp 2.4.9. Starting from ppp 2.5.0, there is no longer an alias for backwards compatibility. Configurations that use this plugin must be updated accordingly from `plugin rp-pppoe.so` to `plugin pppoe.so`. See [upstream change](https://github.com/ppp-project/ppp/commit/610a7bd76eb1f99f22317541b35001b1e24877ed).
-- [services.xserver.videoDrivers](options.html#opt-services.xserver.videoDrivers) now defaults to the `modesetting` driver over device-specific ones. The `radeon`, `amdgpu` and `nouveau` drivers are still available, but effectively unmaintained and not recommended for use.
+- [services.xserver.videoDrivers](options.html#opt-services.xserver.videoDrivers) now defaults to the `modesetting` driver over device-specific ones. The `radeon`, `amdgpu` and `nouveau` drivers are still available, but effectively unmaintained and not recommended for use.
Note that this __does not__ affect your regular graphics drivers; this only concerns the DDX component of the driver, which most people are not relying on.
 - [services.xserver.libinput.enable](options.html#opt-services.xserver.libinput.enable) is now set by default, enabling the more actively maintained and consistently behaved input device driver.
@@ -320,7 +324,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 - In `services.fail2ban`, `bantime-increment.` options now default to `null` (except `bantime-increment.enable`) and are used to set the corresponding option in `jail.local` only if not `null`. Also, enforce that `bantime-increment.formula` and `bantime-increment.multipliers` are not both specified.
-- The default Asterisk package was changed to v20 from v19. Asterisk versions 16 and 19 have been dropped due to being EOL. You may need to update /var/lib/asterisk to match the template files in `${asterisk-20}/var/lib/asterisk`.
+- The default `asterisk` package was changed to v20 from v19. Asterisk versions 16 and 19 have been dropped due to being EOL. You may need to update /var/lib/asterisk to match the template files in `${asterisk-20}/var/lib/asterisk`.
 - conntrack helper autodetection has been removed from kernels 6.0 and up upstream, and an assertion was added to ensure things don't silently stop working. Migrate your configuration to assign helpers explicitly or use an older LTS kernel branch as a temporary workaround.
@@ -338,7 +342,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The `qlandkartegt` and `garmindev` packages were removed due to being unmaintained and insecure.
-- `go-ethereum` package has been updated to v1.11.5 and the `puppeth` command is no longer available as of v1.11.0.
+- The `go-ethereum` package has been updated to v1.11.5 and the `puppeth` command is no longer available as of v1.11.0.
 - The `pnpm` package has be updated to from version 7.29.1 to version 8.1.1 and Node.js 14 support has been discontinued (though, there are workarounds if Node.js 14 is still required)
 - Migration instructions: ["Before updating pnpm to v8 in your CI, regenerate your pnpm-lock.yaml. To upgrade your lockfile, run pnpm install and commit the changes. Existing dependencies will not be updated; however, due to configuration changes in pnpm v8, some missing peer dependencies may be added to the lockfile and some packages may get deduplicated. You can commit the new lockfile even before upgrading Node.js in the CI, as pnpm v7 already supports the new lockfile format."](https://github.com/pnpm/pnpm/releases/tag/v8.0.0)
@@ -347,21 +351,21 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The `pict-rs` package was updated from an 0.3 alpha release to 0.3 stable, and related environment variables now require two underscores instead of one.
+- The `shattered-pixel-dungeon` game was updated from 1.1.2 to 2.0.2.
+ - The location of game data has changed. To migrate it, run `mv ~/.shatteredpixel ~/.local/share/.shatteredpixel`
+ - The update will delete all your in-progress games.
+ - `espanso` has been updated to major version 2. Therefore, migration steps may need to be performed. See [the official migration instructions](https://espanso.org/docs/migration/overview/) for how to perform these migrations. Further, `espanso-wayland` can now be used for Wayland support.
+- Only `k3s` version 1.26 is included. Users of the `k3s_1_24` or `k3s_1_25` packages should upgrade to use the `1.26` version of the package.
+
+- The `nerdfonts` package has been updated to major version 3, which includes potential [breaking changes](https://github.com/ryanoasis/nerd-fonts/releases/tag/v3.0.0).
+
 ## Other Notable Changes {#sec-release-23.05-notable-changes}
-- `vim_configurable` has been renamed to `vim-full` to avoid confusion: `vim-full`'s build-time features are configurable, but both `vim` and `vim-full` are _customizable_ (in the sense of user configuration, like vimrc).
-
-- Pantheon now defaults to Mutter 43 and GNOME settings daemon 43, all Pantheon packages are now tracking elementary OS 7 updates.
-
-- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
-
-- The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`.
Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)
-
-- A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follows:
+- To follow [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) a few options of `openssh` have been moved from `extraConfig` to the new freeform option `settings` and renamed, e.g.:
 - `services.openssh.forwardX11` to `services.openssh.settings.X11Forwarding`
 - `services.openssh.kbdInteractiveAuthentication` -> `services.openssh.settings.KbdInteractiveAuthentication`
 - `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`
@@ -373,18 +377,21 @@ In addition to numerous new and upgraded packages, this release has the followin
 - `services.openssh.ciphers` to `services.openssh.settings.Ciphers`
 - `services.openssh.gatewayPorts` to `services.openssh.settings.GatewayPorts`
+
+- `vim_configurable` has been renamed to `vim-full` to avoid confusion: `vim-full`'s build-time features are configurable, but both `vim` and `vim-full` are _customizable_ (in the sense of user configuration, like vimrc).
+
+- Pantheon now defaults to Mutter 43 and GNOME settings daemon 43, all Pantheon packages are now tracking elementary OS 7 updates.
+
+- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
+
+- The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)
+ - `netbox` was updated to 3.5. NixOS' `services.netbox.package` still defaults to 3.3 if `stateVersion` is earlier than 23.05. Please review upstream's breaking changes [for 3.4.0](https://github.com/netbox-community/netbox/releases/tag/v3.4.0) and [for 3.5.0](https://github.com/netbox-community/netbox/releases/tag/v3.5.0), and upgrade NetBox by changing `services.netbox.package`. Database migrations will be run automatically.
 - `services.netbox` now support RFC42-style options, through `services.netbox.settings`.
 - `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.
-- DocBook option documentation, which has been deprecated since 22.11, will now cause a warning when documentation is built.
Out-of-tree modules should migrate to using CommonMark documentation as outlined in [](#sec-option-declarations) to silence this warning.
- - DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors.
-
-- NixOS now defaults to using nsncd (a non-caching reimplementation in Rust) as NSS lookup dispatcher, instead of the buggy and deprecated glibc-provided nscd. If you need to switch back, set `services.nscd.enableNsncd = false`, but please open an issue in nixpkgs so your issue can be fixed.
- - `services.borgmatic` now allows for multiple configurations, placed in `/etc/borgmatic.d/`, you can define them with `services.borgmatic.configurations`.
 - `service.openafsServer` features a new backup server `pkgs.fabs` as a
@@ -402,8 +409,6 @@ In addition to numerous new and upgraded packages, this release has the followin
 `services.dnsmasq.extraConfig` will be deprecated when NixOS 22.11 reaches end of life.
-- `kube3d` has now been renamed to `k3d` since the 3d editor that originally took that name has been dropped from nixpkgs. `kube3d` will continue to work as an alias for now.
- - The `dokuwiki` service is now configured via `services.dokuwiki.sites..settings` attribute set; `extraConfig` has been removed. The `{aclUse,superUser,disableActions}` attributes have been renamed accordingly. `pluginsConfig` now only accepts an attribute set of booleans. Passing plain PHP is no longer possible.
@@ -419,106 +424,88 @@ In addition to numerous new and upgraded packages, this release has the followin - The minimal ISO image now uses the `nixos/modules/profiles/minimal.nix` profile. +- NixOS installer ISOs can now be built for `powerpc64le-linux`; see `nixos/modules/installer/sd-card/sd-image-powerpc64le.nix` and [PR 192672](https://github.com/NixOS/nixpkgs/pull/192672). Hydra does not support this platform, so you must build the binaries yourself. + - The `ghcWithPackages` and `ghcWithHoogle` wrappers will now also symlink GHC's and all included libraries' documentation to `$out/share/doc` for convenience. If undesired, the old behavior can be restored by overriding the builders with `{ installDocumentation = false; }`. -- The new option `networking.nftables.checkRuleset` controls whether the ruleset is checked for syntax or not during build. It is `true` by default. The check might fail because it is in a sandbox environment. To circumvent this, the ruleset file can be edited using the `networking.nftables.preCheckRuleset` option. +- The nftables module now validates its ruleset at build time. The new `networking.nftables.checkRuleset` option allows disabling this check, which may fail when rules have very specific requirements, that the sandbox environment, by default, will not cover. The `networking.nftables.preCheckRuleset` option can be used to prepare the environment before the checks are run. -- `mastodon` now supports connection to a remote `PostgreSQL` database. +- The `services.mastodon` module now supports connection to a remote `PostgreSQL` database. -- `nextcloud` has an option to enable SSE-C in S3. +- [`services.nextcloud.database.createLocally`](#opt-services.nextcloud.database.createLocally) now uses socket authentication and is no longer compatible with password authentication. 
+ - If you want the module to manage the database for you, unset [`services.nextcloud.config.dbpassFile`](#opt-services.nextcloud.config.dbpassFile) (and [`services.nextcloud.config.dbhost`](#opt-services.nextcloud.config.dbhost), if it's set). + - If you want to use password authentication **and** create the database locally, you will have to use [`services.mysql`](#opt-services.mysql.enable) to set it up. -- NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to setup the plain encryption device over the - underlying block device rather than allowing them to be determined by `cryptsetup(8)`. One can use these features like so: +- [`services.nextcloud.config.objectstore.s3.sseCKeyFile`](#opt-services.nextcloud.config.objectstore.s3.sseCKeyFile) is a new option to enable server-side encryption with customer provided keys (SSE-C) for your S3 in Nextcloud. + +- NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to set up the plain encryption device over the underlying block device rather than allowing them to be determined by `cryptsetup(8)`. One can use these features like so: ```nix - { - swapDevices = [ - { - device = "/dev/disk/by-partlabel/swapspace"; - - randomEncryption = { - enable = true; - cipher = "aes-xts-plain64"; - keySize = 512; - sectorSize = 4096; - }; - } - ]; - } + swapDevices = [ { + device = "/dev/disk/by-partlabel/swapspace"; + randomEncryption = { + enable = true; + cipher = "aes-xts-plain64"; + keySize = 512; + sectorSize = 4096; + }; + } ]; ``` - New option `security.pam.zfs` to enable unlocking and mounting of encrypted ZFS home dataset at login. -- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`. 
- Before upgrading, read the release notes for PeerTube: - - [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0) - - And backup your data. +- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`. Before upgrading, check the release notes for [PeerTube v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0).And backup your data. - `services.chronyd` is now started with additional systemd sandbox/hardening options for better security. -- PostgreSQL has opt-in support for [JIT compilation](https://www.postgresql.org/docs/current/jit-reason.html). It can be enabled like this: +- PostgreSQL has added opt-in support for [JIT compilation](https://www.postgresql.org/docs/current/jit-reason.html). It can be enabled like this: ```nix - { - services.postgresql = { - enable = true; - enableJIT = true; - }; - } + services.postgresql.enableJIT = true; ``` -- `services.netdata` offers a `deadlineBeforeStopSec` option which enable users who have netdata instance that takes time to initialize to not have systemd kill them for no reason. +- `services.netdata` offers a [`services.netdata.deadlineBeforeStopSec`](#opt-services.netdata.deadlineBeforeStopSec) option which will control the deadline (in seconds) after which systemd will consider your netdata instance as dead if it didn't start in the elapsed time. It is helpful when your netdata instance takes longer to start because of a large amount of state or upgrades. -- `services.dhcpcd` service now don't solicit or accept IPv6 Router Advertisements on interfaces that use static IPv6 addresses. - If network uses both IPv6 Unique local addresses (ULA) and global IPv6 address auto-configuration with SLAAC, must add the parameter `networking.dhcpcd.IPv6rs = true;`. +- `services.dhcpcd` service stopped soliciting or accepting IPv6 Router Advertisements on interfaces that use static IPv6 addresses. 
+ If your network provides both IPv6 unique local addresses (ULA) and globally unique addresses (GUA) through autoconfiguration with SLAAC, you must add the parameter `networking.dhcpcd.IPv6rs = true;`. - The module `services.headscale` was refactored to be compliant with [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md). To be precise, this means that the following things have changed: - - Most settings has been migrated under [services.headscale.settings](#opt-services.headscale.settings) which is an attribute-set that - will be converted into headscale's YAML config format. This means that the configuration from - [headscale's example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) - can be directly written as attribute-set in Nix within this option. + - Most settings have been migrated below [services.headscale.settings](#opt-services.headscale.settings) which is a freeform attribute-set that will be converted into headscale's YAML config format. This means that the configuration from [headscale's example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) can be directly written as attribute-set in Nix within this option. - `services.kubo` now unmounts `ipfsMountDir` and `ipnsMountDir` even if it is killed unexpectedly when `autoMount` is enabled. -- `nixos/lib/make-disk-image.nix` can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual. - -- `services.grafana` listens only on localhost by default again. This was changed to upstreams default of `0.0.0.0` by accident in the freeform setting conversion. +- `services.grafana` listens only on localhost by default again. This was changed to the upstream default of `0.0.0.0` by accident in the freeform setting conversion. - Grafana Tempo has been updated to version 2.0. 
See the [upstream upgrade guide](https://grafana.com/docs/tempo/latest/release-notes/v2-0/#upgrade-considerations) for migration instructions. -- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm). +- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple Silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=23.05&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm). - The new option `users.motdFile` allows configuring a Message Of The Day that can be updated dynamically. - The `root` package is now built with the `"-Dgnuinstall=ON"` CMake flag, making the output conform the `bin` `lib` `share` layout. In this layout, `tutorials` is under `share/doc/ROOT/`; `cmake`, `font`, `icons`, `js` and `macro` under `share/root`; `Makefile.comp` and `Makefile.config` under `etc/root`. -- Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option. +- There are various new options in the `services.nginx` module: + - Enabling global redirect in `services.nginx.virtualHosts` now allows one to add exceptions with the `locations` option. + - The `proxyCachePath` option has been added to `services.nginx`. 
It allows configuring the [`proxy_cache_path`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path), that configures the storage path and various other settings for the cache. + - A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md). + - `services.nginx.recommendedProxySettings` now removes the `Connection` header preventing clients from closing backend connections. -- A new option `proxyCachePath` has been added to `services.nginx`. Learn more about proxy_cache_path: . - -- A new option `recommendedBrotliSettings` has been added to `services.nginx`. Learn more about compression in Brotli format [here](https://github.com/google/ngx_brotli/blob/master/README.md). - -- Updated recommended settings in `services.nginx.recommendedGzipSettings`: +- The nginx module also received an update to `services.nginx.recommendedGzipSettings`: - Enables gzip compression for only certain proxied requests. - Allow checking and loading of precompressed files. - Updated gzip mime-types. - Increased the minimum length of a response that will be gzipped. -- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and force [services.garage.package](options.html#opt-services.garage.package) or upgrade accordingly [system.stateVersion](options.html#opt-system.stateVersion). +- [Garage](https://garagehq.deuxfleurs.fr/) version is based on [system.stateVersion](options.html#opt-system.stateVersion), existing installations will keep using version 0.7. New installations will use version 0.8. 
In order to upgrade a Garage cluster, please follow [upstream instructions](https://garagehq.deuxfleurs.fr/documentation/cookbook/upgrading/) and configure [services.garage.package](options.html#opt-services.garage.package). - Nebula now supports the `services.nebula.networks..isRelay` and `services.nebula.networks..relays` configuration options for setting up or allowing traffic relaying. See the [announcement](https://www.defined.net/blog/announcing-relay-support-in-nebula/) for more details about relays. -- `hip` has been separated into `hip`, `hip-common` and `hipcc`. - -- `services.nginx.recommendedProxySettings` now removes the `Connection` header preventing clients from closing backend connections. - - Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store. -- The `firewall` and `nat` module now has a nftables based implementation. Enable `networking.nftables` to use it. +- The `firewall` and `nat` modules can now optionally rely on an nftables based implementation. Enable `networking.nftables` to use it. - The `services.fwupd` module now allows arbitrary daemon settings to be configured in a structured manner ([`services.fwupd.daemonSettings`](#opt-services.fwupd.daemonSettings)). 
@@ -532,16 +519,10 @@ In addition to numerous new and upgraded packages, this release has the followin * `apptainer`: From `github.com/apptainer/apptainer`, which is the new repo after renaming. * `singularity`: From `github.com/sylabs/singularity`, which is the fork by Sylabs Inc.. - `programs.singularity` got a new `package` option to specify which package to use. - `singularity-tools.buildImage` got a new input argument `singularity` to specify which package to use. - The new option `programs.singularity.enableFakeroot`, if set to `true`, provides `--fakeroot` support for `apptainer` and `singularity`. -- The `unifi-poller` package and corresponding NixOS module have been renamed to `unpoller` to match upstream. - -- The `rtsp-simple-server` package and corresponding NixOS module have been renamed to `mediamtx` to match upstream. - - The new option `services.tailscale.useRoutingFeatures` controls various settings for using Tailscale features like exit nodes and subnet routers. If you wish to use your machine as an exit node, you can set this setting to `server`, otherwise if you wish to use an exit node you can set this setting to `client`. The strict RPF warning has been removed as the RPF will be loosened automatically based on the value of this setting. - `openjdk` from version 11 and above is not build with `openjfx` (i.e.: JavaFX) support by default anymore. You can re-enable it by overriding, e.g.: `openjdk11.override { enableJavaFX = true; };`. 
@@ -554,23 +535,50 @@ In addition to numerous new and upgraded packages, this release has the followin - The option `services.prometheus.exporters.pihole.interval` does not exist anymore and has been removed. -- The option `services.gpsd.device` has been replaced with - `services.gpsd.devices`, which supports multiple devices. +- The option `services.gpsd.device` has been replaced with `services.gpsd.devices`, which supports multiple devices. -- `k3s` can now be configured with an EnvironmentFile for its systemd service, allowing secrets to be provided without ending up in the Nix Store. +- `k3s` can now be configured with an `EnvironmentFile` for its systemd service, allowing secrets to be provided without ending up in the Nix Store. -- `gitea` module options have been changed to be RFC042 conforming (i.e. some options were moved to be located under `services.gitea.settings`) +- The `gitea` module options have been moved into a freeform attribute set below `services.gitea.settings`. -- `boot.initrd.luks.device.` has a new `tryEmptyPassphrase` option, this is useful for OEM's who need to install an encrypted disk with a future settable passphrase - -- Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release. +- `boot.initrd.luks.device.` has a new `tryEmptyPassphrase` option, this is useful for OEMs who need to install an encrypted disk with a future settable passphrase - The `bind` module now allows the per-zone `allow-query` setting to be configured (previously it was hard-coded to `any`; it still defaults to `any` to retain compatibility). -- `make-disk-image` handles `contents` arguments that are directories better, fixing a bug where it used to put them in a subdirectory of the intended `target`. - - The option `services.jitsi-videobridge.apis` has been renamed to `colibriRestApi` and turned into a boolean. 
Setting it to `true` will enable the private rest API, useful for monitoring using `services.prometheus.exporters.jitsi.enable`. Learn more about the API: "[The COLIBRI control interface (/colibri/)](https://github.com/jitsi/jitsi-videobridge/blob/v2.3/doc/rest.md)". +- Booting from a volume managed by the Stratis storage management daemon is now supported. Use `fileSystems..stratis.poolUuid` to configure the pool containing the fs. + +## Nixpkgs internals {#sec-release-23.05-nixpkgs-internals} + +- `buildDunePackage` now defaults to `strictDeps = true` which means that any library should go into `buildInputs` or `checkInputs`. Any executable that is run on the building machine should go into `nativeBuildInputs` or `nativeCheckInputs` respectively. Example of executables are `ocaml`, `findlib` and `menhir`. PPXs are libraries which are built by dune and should therefore not go into `nativeBuildInputs`. + +- `buildFHSUserEnv` is now called `buildFHSEnv` and uses FlatPak's Bubblewrap sandboxing tool rather than Nixpkgs' own chrootenv. The old chrootenv-based implemenation is still available via `buildFHSEnvChroot` but is considered deprecated and will be removed when the remaining uses inside Nixpkgs have been migrated. If your FHSEnv-wrapped application misbehaves when using the new bubblewrap implementation, please create an issue in Nixpkgs. + +- Top-level `buildPlatform`, `hostPlatform`, `targetPlatform` have been deprecated, use `stdenv.X` instead. + +- `carnix` and `cratesIO` has been removed due to being unmaintained, use alternatives such as [naersk](https://github.com/nix-community/naersk) and [crate2nix](https://github.com/kolloch/crate2nix) instead. + +- `checkInputs` have been renamed to `nativeCheckInputs`, because they behave the same as `nativeBuildInputs` when `doCheck` is set. `checkInputs` now denote a new type of dependencies, added to `buildInputs` when `doCheck` is set. 
As a rule of thumb, `nativeCheckInputs` are tools on `$PATH` used during the tests, and `checkInputs` are libraries which are linked to executables built as part of the tests. Similarly, `installCheckInputs` are renamed to `nativeInstallCheckInputs`, corresponding to `nativeBuildInputs`, and `installCheckInputs` are a new type of dependencies added to `buildInputs` when `doInstallCheck` is set. (Note that this change will not cause breakage to derivations with `strictDeps` unset, which are most packages except python, rust, ocaml and go packages). + +- DocBook option documentation, which has been deprecated since 22.11, will now cause a warning when documentation is built. Out-of-tree modules should migrate to using CommonMark documentation as outlined in [](#sec-option-declarations) to silence this warning. + + DocBook option documentation support will be removed in the next release and CommonMark will become the default. DocBook option documentation that has not been migrated until then will no longer render properly or cause errors. + +- `lib.systems.examples.ghcjs` and consequently `pkgsCross.ghcjs` now use the target triplet `javascript-unknown-ghcjs` instead of `js-unknown-ghcjs`. This has been done to match an [upstream decision](https://gitlab.haskell.org/ghc/ghc/-/commit/6636b670233522f01d002c9b97827d00289dbf5c) to follow Cabal's platform naming more closely. Nixpkgs will also reject `js` as an architecture name. + +- Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release. + +- Calling `makeSetupHook` without passing a `name` argument is deprecated. + +- `nixos/lib/make-disk-image.nix` handles `contents` arguments that are directories better, fixing a bug where it used to put them in a subdirectory of the intended `target`. 
+
+- `nixos/lib/make-disk-image.nix` can now mutate EFI variables, run user-provided EFI firmware or variable templates. This is now extensively documented in the NixOS manual.
+
+- Nixpkgs now uses [IEEE-standard floating point arithmetic](https://github.com/NixOS/nixpkgs/pull/170215) on `powerpc64le-linux`.
+
+- Deprecated `xlibsWrapper` transitional package has been removed in favour of direct use of its constituents: `xorg.libX11`, `freetype` and others.
+
 ## Detailed migration information {#sec-release-23.05-migration}
 ### Pipewire configuration overrides {#sec-release-23.05-migration-pipewire}
diff --git a/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md b/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md
index 7e260d2eca..5ccaa92914 100644
--- a/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -2,18 +2,140 @@ ## Highlights {#sec-release-23.11-highlights} -- Create the first release note entry in this section! +- FoundationDB now defaults to major version 7. + +- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package, along with a significant rework of the hostapd module. ## New Services {#sec-release-23.11-new-services} -- Create the first release note entry in this section! +- [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable). + +- [acme-dns](https://github.com/joohoi/acme-dns), a limited DNS server to handle ACME DNS challenges easily and securely. Available as [services.acme-dns](#opt-services.acme-dns.enable). +- [river](https://github.com/riverwm/river), A dynamic tiling wayland compositor. Available as [programs.river](#opt-programs.river.enable). + +- [GoToSocial](https://gotosocial.org/), an ActivityPub social network server, written in Golang. Available as [services.gotosocial](#opt-services.gotosocial.enable). + +- [Anuko Time Tracker](https://github.com/anuko/timetracker), a simple, easy to use, open source time tracking system. Available as [services.anuko-time-tracker](#opt-services.anuko-time-tracker.enable). + +- [sitespeed-io](https://sitespeed.io), a tool that can generate metrics (timings, diagnostics) for websites. Available as [services.sitespeed-io](#opt-services.sitespeed-io.enable). + +- [Apache Guacamole](https://guacamole.apache.org/), a cross-platform, clientless remote desktop gateway. Available as [services.guacamole-server](#opt-services.guacamole-server.enable) and [services.guacamole-client](#opt-services.guacamole-client.enable) services. + +- [trust-dns](https://trust-dns.org/), a Rust based DNS server built to be safe and secure from the ground up. Available as [services.trust-dns](#opt-services.trust-dns.enable). 
+ ## Backward Incompatibilities {#sec-release-23.11-incompatibilities} -- Create the first release note entry in this section! +- The `boot.loader.raspberryPi` options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs ([before mid-2019](https://github.com/NixOS/nixpkgs/pull/62462)) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices. + +- `python3.pkgs.sequoia` was removed in favor of `python3.pkgs.pysequoia`. The latter package is based on upstream's dedicated repository for sequoia's Python bindings, where the Python bindings from [gitlab:sequoia-pgp/sequoia](https://gitlab.com/sequoia-pgp/sequoia) were removed long ago. + +- `writeTextFile` now requires `executable` to be boolean, values like `null` or `""` will now fail to evaluate. + +- The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`. + +- The `services.hostapd` module was rewritten to support `passwordFile` like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations. + - `hostapd` is now started with additional systemd sandbox/hardening options for better security. + - `services.hostapd.interface` was replaced with a per-radio and per-bss configuration scheme using [services.hostapd.radios](#opt-services.hostapd.radios). 
+ - `services.hostapd.wpa` has been replaced by [services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword](#opt-services.hostapd.radios._name_.networks._name_.authentication.wpaPassword) and [services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords](#opt-services.hostapd.radios._name_.networks._name_.authentication.saePasswords) which configure WPA2-PSK and WP3-SAE respectively. + - The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available. + +- `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`. + +- `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues. + +- `getent` has been moved from `glibc`'s `bin` output to its own dedicated output, reducing closure size for many dependents. Dependents using the `getent` alias should not be affected; others should move from using `glibc.bin` or `getBin glibc` to `getent` (which also improves compatibility with non-glibc platforms). + +- The `services.ananicy.extraRules` option now has the type of `listOf attrs` instead of `string`. + +- `etcd` has been updated to 3.5, you will want to read the [3.3 to 3.4](https://etcd.io/docs/v3.5/upgrades/upgrade_3_4/) and [3.4 to 3.5](https://etcd.io/docs/v3.5/upgrades/upgrade_3_5/) upgrade guides + +- `consul` has been updated to `1.16.0`. See the [release note](https://github.com/hashicorp/consul/releases/tag/v1.16.0) for more details. Once a new Consul version has started and upgraded its data directory, it generally cannot be downgraded to the previous version. + +- `himalaya` has been updated to `0.8.0`, which drops the native TLS support (in favor of Rustls) and add OAuth 2.0 support. 
See the [release note](https://github.com/soywod/himalaya/releases/tag/v0.8.0) for more details. + +- The [services.caddy.acmeCA](#opt-services.caddy.acmeCA) option now defaults to `null` instead of `"https://acme-v02.api.letsencrypt.org/directory"`, to use all of Caddy's default ACME CAs and enable Caddy's automatic issuer fallback feature by default, as recommended by upstream. + +- `php80` is no longer supported due to upstream not supporting this version anymore. + +- PHP now defaults to PHP 8.2, updated from 8.1. + +- `util-linux` is now supported on Darwin and is no longer an alias to `unixtools`. Use the `unixtools.util-linux` package for access to the Apple variants of the utilities. + +- `services.keyd` changed API. Now you can create multiple configuration files. + +- `services.ddclient` has been removed on the request of the upstream maintainer because it is unmaintained and has bugs. Please switch to a different software like `inadyn` or `knsupdate`. + +- The `vlock` program from the `kbd` package has been moved into its own package output and should now be referenced explicitly as `kbd.vlock` or replaced with an alternative such as the standalone `vlock` package or `physlock`. + +- `fileSystems..autoFormat` now uses `systemd-makefs`, which does not accept formatting options. Therefore, `fileSystems..formatOptions` has been removed. + +- `fileSystems..autoResize` now uses `systemd-growfs` to resize the file system online in stage 2. This means that `f2fs` and `ext2` can no longer be auto resized, while `xfs` and `btrfs` now can be. + +- The `services.vaultwarden.config` option default value was changed to make Vaultwarden only listen on localhost, following the [secure defaults for most NixOS services](https://github.com/NixOS/nixpkgs/issues/100192). + +- `services.lemmy.settings.federation` was removed in 0.17.0 and no longer has any effect. 
To enable federation, the hostname must be set in the configuration file and then federation must be enabled in the admin web UI. See the [release notes](https://github.com/LemmyNet/lemmy/blob/c32585b03429f0f76d1e4ff738786321a0a9df98/RELEASES.md#upgrade-instructions) for more details. + +- `pict-rs` was upgraded from 0.3 to 0.4 and contains an incompatible database & configuration change. To upgrade on systems with `stateVersion = "23.05";` or older follow the migration steps from https://git.asonix.dog/asonix/pict-rs#user-content-0-3-to-0-4-migration-guide and set `services.pict-rs.package = pkgs.pict-rs;`. + +- The following packages in `haskellPackages` have now a separate bin output: `cabal-fmt`, `calligraphy`, `eventlog2html`, `ghc-debug-brick`, `hindent`, `nixfmt`, `releaser`. This means you need to replace e.g. `"${pkgs.haskellPackages.nixfmt}/bin/nixfmt"` with `"${lib.getBin pkgs.haskellPackages.nixfmt}/bin/nixfmt"` or `"${lib.getExe pkgs.haskellPackages.nixfmt}"`. The binaries also won’t be in scope if you rely on them being installed e.g. via `ghcWithPackages`. `environment.packages` picks the `bin` output automatically, so for normal installation no intervention is required. Also, toplevel attributes like `pkgs.nixfmt` are not impacted negatively by this change. + +- `spamassassin` no longer supports the `Hashcash` module. The module needs to be removed from the `loadplugin` list if it was copied over from the default `initPreConf` option. + +- `services.outline.sequelizeArguments` has been removed, as `outline` no longer executes database migrations via the `sequelize` cli. + +- The Caddy module gained a new option named `services.caddy.enableReload` which is enabled by default. It allows reloading the service instead of restarting it, if only a config file has changed. This option must be disabled if you have turned off the [Caddy admin API](https://caddyserver.com/docs/caddyfile/options#admin). 
If you keep this option enabled, you should consider setting [`grace_period`](https://caddyserver.com/docs/caddyfile/options#grace-period) to a non-infinite value to prevent Caddy from delaying the reload indefinitely. + +- mdraid support is now optional. This reduces initramfs size and prevents the potentially undesired automatic detection and activation of software RAID pools. It is disabled by default in new configurations (determined by `stateVersion`), but the appropriate settings will be generated by `nixos-generate-config` when installing to a software RAID device, so the standard installation procedure should be unaffected. If you have custom configs relying on mdraid, ensure that you use `stateVersion` correctly or set `boot.swraid.enable` manually. + +- The `go-ethereum` package has been updated to v1.12.0. This drops support for proof-of-work. Its GraphQL API now encodes all numeric values as hex strings and the GraphQL UI is updated to version 2.0. The default database has changed from `leveldb` to `pebble` but `leveldb` can be forced with the --db.engine=leveldb flag. The `checkpoint-admin` command was [removed along with trusted checkpoints](https://github.com/ethereum/go-ethereum/pull/27147). ## Other Notable Changes {#sec-release-23.11-notable-changes} -- Create the first release note entry in this section! +- The Cinnamon module now enables XDG desktop integration by default. If you are experiencing collisions related to xdg-desktop-portal-gtk you can safely remove `xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];` from your NixOS configuration. + +- `fontconfig` now defaults to using greyscale antialiasing instead of subpixel antialiasing because of a [recommendation from one of the downstreams](https://gitlab.freedesktop.org/fontconfig/fontconfig/-/issues/337). You can change this value by configuring [](#opt-fonts.fontconfig.subpixel.rgba) accordingly. 
+ +- The latest available version of Nextcloud is v27 (available as `pkgs.nextcloud27`). The installation logic is as follows: + - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**) + - If [`system.stateVersion`](#opt-system.stateVersion) is >=23.11, `pkgs.nextcloud27` will be installed by default. + - If [`system.stateVersion`](#opt-system.stateVersion) is >=23.05, `pkgs.nextcloud26` will be installed by default. + - Please note that an upgrade from v25 (or older) to v27 directly is not possible. Please upgrade to `nextcloud26` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud26;`](options.html#opt-services.nextcloud.package). + +- New options were added to `services.searx` for better SearXNG support, including options for the built-in rate limiter and bot protection and automatically configuring a local redis server. + +- A new option was added to the virtualisation module that enables specifying explicitly named network interfaces in QEMU VMs. The existing `virtualisation.vlans` is still supported for cases where the name of the network interface is irrelevant. + +- DocBook option documentation is no longer supported, all module documentation now uses markdown. + +- `services.fail2ban.jails` can now be configured with attribute sets defining settings and filters instead of lines. The stringed options `daemonConfig` and `extraSettings` have respectively been replaced by `daemonSettings` and `jails.DEFAULT.settings` which use attribute sets. + +- The module [services.ankisyncd](#opt-services.ankisyncd.package) has been switched to [anki-sync-server-rs](https://github.com/ankicommunity/anki-sync-server-rs) from the old python version, which was difficult to update, had not been updated in a while, and did not support recent versions of anki. 
+Unfortunately all servers supporting new clients (newer version of anki-sync-server, anki's built in sync server and this new rust package) do not support the older sync protocol that was used in the old server, so such old clients will also need updating and in particular the anki package in nixpkgs is also being updated in this release. +The module update takes care of the new config syntax and the data itself (user login and cards) are compatible, so users of the module will be able to just log in again after updating both client and server without any extra action. + +- `services.nginx` gained a `defaultListen` option at server-level with support for PROXY protocol listeners, also `proxyProtocol` is now exposed in `services.nginx.virtualHosts..listen` option. It is now possible to run PROXY listeners and non-PROXY listeners at a server-level, see [#213510](https://github.com/NixOS/nixpkgs/pull/213510/) for more details. + +- `services.prometheus.exporters` has a new exporter to monitor electrical power consumption based on PowercapRAPL sensor called [Scaphandre](https://github.com/hubblo-org/scaphandre), see [#239803](https://github.com/NixOS/nixpkgs/pull/239803) for more details. + +- The module `services.calibre-server` has new options to configure the `host`, `port`, `auth.enable`, `auth.mode` and `auth.userDb` path, see [#216497](https://github.com/NixOS/nixpkgs/pull/216497/) for more details. + +- `services.prometheus.exporters` has a new [exporter](https://github.com/hipages/php-fpm_exporter) to monitor PHP-FPM processes, see [#240394](https://github.com/NixOS/nixpkgs/pull/240394) for more details. + +- `programs.gnupg.agent.pinentryFlavor` is now set in `/etc/gnupg/gpg-agent.conf`, and will no longer take precedence over a `pinentry-program` set in `~/.gnupg/gpg-agent.conf`. 
+ +## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals} + +- The `qemu-vm.nix` module by default now identifies block devices via + persistent names available in `/dev/disk/by-*`. Because the rootDevice is + identfied by its filesystem label, it needs to be formatted before the VM is + started. The functionality of automatically formatting the rootDevice in the + initrd is removed from the QEMU module. However, for tests that depend on + this functionality, a test utility for the scripted initrd is added + (`nixos/tests/common/auto-format-root-device.nix`). To use this in a NixOS + test, import the module, e.g. `imports = [ + ./common/auto-format-root-device.nix ];` When you use the systemd initrd, you + can automatically format the root device by setting + `virtualisation.fileSystems."/".autoFormat = true;`. diff --git a/third_party/nixpkgs/nixos/lib/eval-config.nix b/third_party/nixpkgs/nixos/lib/eval-config.nix index 058ab7280c..e1242276a7 100644 --- a/third_party/nixpkgs/nixos/lib/eval-config.nix +++ b/third_party/nixpkgs/nixos/lib/eval-config.nix @@ -31,7 +31,7 @@ evalConfigArgs@ , prefix ? [] , lib ? import ../../lib , extraModules ? let e = builtins.getEnv "NIXOS_EXTRA_MODULE_PATH"; - in if e == "" then [] else [(import e)] + in lib.optional (e != "") (import e) }: let pkgs_ = pkgs; diff --git a/third_party/nixpkgs/nixos/lib/make-disk-image.nix b/third_party/nixpkgs/nixos/lib/make-disk-image.nix index 33d834e36b..fc121345d6 100644 --- a/third_party/nixpkgs/nixos/lib/make-disk-image.nix +++ b/third_party/nixpkgs/nixos/lib/make-disk-image.nix 
@@ -573,6 +573,7 @@ let format' = format; in let # In this throwaway resource, we only have /dev/vda, but the actual VM may refer to another disk for bootloader, e.g. /dev/vdb # Use this option to create a symlink from vda to any arbitrary device you want. ${optionalString (config.boot.loader.grub.device != "/dev/vda") '' + mkdir -p $(dirname ${config.boot.loader.grub.device}) ln -s /dev/vda ${config.boot.loader.grub.device} ''} diff --git a/third_party/nixpkgs/nixos/lib/make-options-doc/default.nix b/third_party/nixpkgs/nixos/lib/make-options-doc/default.nix index a2385582a0..99515b5b82 100644 --- a/third_party/nixpkgs/nixos/lib/make-options-doc/default.nix +++ b/third_party/nixpkgs/nixos/lib/make-options-doc/default.nix @@ -39,12 +39,17 @@ # allow docbook option docs if `true`. only markdown documentation is allowed when set to # `false`, and a different renderer may be used with different bugs and performance # characteristics but (hopefully) indistinguishable output. -, allowDocBook ? true +# deprecated since 23.11. +# TODO remove in a while. +, allowDocBook ? false # whether lib.mdDoc is required for descriptions to be read as markdown. -# !!! when this is eventually flipped to true, `lib.doRename` should also default to emitting Markdown -, markdownByDefault ? false +# deprecated since 23.11. +# TODO remove in a while. +, markdownByDefault ? true }: +assert markdownByDefault && ! allowDocBook; + let rawOpts = lib.optionAttrSetToDocList options; transformedOpts = map transformOptions rawOpts; 
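Review bot: The added `mkdir -p $(dirname ${config.boot.loader.grub.device})` interpolates the option value into the shell unescaped and leaves the command substitution unquoted, so a device path containing whitespace or shell metacharacters is split or interpreted rather than created as written. The existing `ln -s` line has the same shape, but the new line need not copy it: assuming `lib` is in scope here as it is for `optionalString`, `mkdir -p "$(dirname ${lib.escapeShellArg config.boot.loader.grub.device})"` keeps the path intact. The `optionalString` block is complete within the hunk, but the surrounding shell script starts and ends outside it.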
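Review bot: `assert markdownByDefault && ! allowDocBook;` turns any caller that still passes the now-deprecated `allowDocBook = true` or `markdownByDefault = false` into a bare "assertion failed" that names neither parameter, although the comments directly above describe them as deprecated rather than removed. `assert lib.assertMsg (markdownByDefault && !allowDocBook) "make-options-doc: DocBook option documentation is no longer supported; drop allowDocBook/markdownByDefault from the call";` gives the same hard stop with an actionable message. The two `# TODO remove in a while.` comments could also name the release, since the `optionsDocBook` warning later in this file already commits to 24.05.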
@@ -134,10 +139,17 @@ in rec { TOUCH_IF_DB=$dst/.used-docbook \ python ${./mergeJSON.py} \ ${lib.optionalString warningsAreErrors "--warnings-are-errors"} \ - ${if allowDocBook then "--warn-on-docbook" else "--error-on-docbook"} \ $baseJSON $options \ > $dst/options.json + if grep /nixpkgs/nixos/modules $dst/options.json; then + echo "The manual appears to depend on the location of Nixpkgs, which is bad" + echo "since this prevents sharing via the NixOS channel. This is typically" + echo "caused by an option default that refers to a relative path (see above" + echo "for hints about the offending path)." + exit 1 + fi + brotli -9 < $dst/options.json > $dst/options.json.br mkdir -p $out/nix-support 
@@ -145,38 +157,19 @@ in rec { echo "file json-br $dst/options.json.br" >> $out/nix-support/hydra-build-products ''; - optionsUsedDocbook = pkgs.runCommand "options-used-docbook" {} '' - if [ -e ${optionsJSON}/share/doc/nixos/.used-docbook ]; then - echo 1 - else - echo 0 - fi >"$out" - ''; - - optionsDocBook = pkgs.runCommand "options-docbook.xml" { - nativeBuildInputs = [ - pkgs.nixos-render-docs - ]; - } '' - nixos-render-docs -j $NIX_BUILD_CORES options docbook \ - --manpage-urls ${pkgs.path + "/doc/manpage-urls.json"} \ - --revision ${lib.escapeShellArg revision} \ - --document-type ${lib.escapeShellArg documentType} \ - --varlist-id ${lib.escapeShellArg variablelistId} \ - --id-prefix ${lib.escapeShellArg optionIdPrefix} \ - ${lib.optionalString markdownByDefault "--markdown-by-default"} \ - ${optionsJSON}/share/doc/nixos/options.json \ - options.xml - - if grep /nixpkgs/nixos/modules options.xml; then - echo "The manual appears to depend on the location of Nixpkgs, which is bad" - echo "since this prevents sharing via the NixOS channel. This is typically" - echo "caused by an option default that refers to a relative path (see above" - echo "for hints about the offending path)." - exit 1 - fi - - ${pkgs.libxslt.bin}/bin/xsltproc \ - -o "$out" ${./postprocess-option-descriptions.xsl} options.xml - ''; + optionsDocBook = lib.warn "optionsDocBook is deprecated since 23.11 and will be removed in 24.05" + (pkgs.runCommand "options-docbook.xml" { + nativeBuildInputs = [ + pkgs.nixos-render-docs + ]; + } '' + nixos-render-docs -j $NIX_BUILD_CORES options docbook \ + --manpage-urls ${pkgs.path + "/doc/manpage-urls.json"} \ + --revision ${lib.escapeShellArg revision} \ + --document-type ${lib.escapeShellArg documentType} \ + --varlist-id ${lib.escapeShellArg variablelistId} \ + --id-prefix ${lib.escapeShellArg optionIdPrefix} \ + ${optionsJSON}/share/doc/nixos/options.json \ + "$out" + ''); } 
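Review bot: `optionsUsedDocbook` is deleted outright while `optionsDocBook` in the same hunk is kept behind `lib.warn` for a deprecation period, so out-of-tree callers of the former get an undefined-attribute error instead of a warning. For consistency a stub for one cycle would do, e.g. `optionsUsedDocbook = lib.warn "optionsUsedDocbook is deprecated since 23.11 and will be removed in 24.05" (pkgs.writeText "options-used-docbook" "0");`, always `0` because mergeJSON.py no longer touches `.used-docbook` in this change. That also makes the `TOUCH_IF_DB=$dst/.used-docbook` line kept as context in the earlier hunk dead; it can go. The `--markdown-by-default` flag was dropped from the `nixos-render-docs` call while `markdownByDefault` remains a parameter, so a one-line comment stating that the renderer now treats descriptions as Markdown unconditionally would save the next reader from checking the renderer.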
diff --git a/third_party/nixpkgs/nixos/lib/make-options-doc/mergeJSON.py b/third_party/nixpkgs/nixos/lib/make-options-doc/mergeJSON.py index b4f72b8a3f..4be83fcb82 100644 --- a/third_party/nixpkgs/nixos/lib/make-options-doc/mergeJSON.py +++ b/third_party/nixpkgs/nixos/lib/make-options-doc/mergeJSON.py @@ -43,19 +43,11 @@ def unpivot(options: Dict[Key, Option]) -> Dict[str, JSON]: return result warningsAreErrors = False -warnOnDocbook = False -errorOnDocbook = False optOffset = 0 for arg in sys.argv[1:]: if arg == "--warnings-are-errors": optOffset += 1 warningsAreErrors = True - if arg == "--warn-on-docbook": - optOffset += 1 - warnOnDocbook = True - elif arg == "--error-on-docbook": - optOffset += 1 - errorOnDocbook = True options = pivot(json.load(open(sys.argv[1 + optOffset], 'r'))) overrides = pivot(json.load(open(sys.argv[2 + optOffset], 'r'))) 
@@ -84,38 +76,10 @@ for (k, v) in overrides.items(): severity = "error" if warningsAreErrors else "warning" -def is_docbook(o, key): - val = o.get(key, {}) - if not isinstance(val, dict): - return False - return val.get('_type', '') == 'literalDocBook' - # check that every option has a description hasWarnings = False hasErrors = False -hasDocBook = False for (k, v) in options.items(): - if warnOnDocbook or errorOnDocbook: - kind = "error" if errorOnDocbook else "warning" - if isinstance(v.value.get('description', {}), str): - hasErrors |= errorOnDocbook - hasDocBook = True - print( - f"\x1b[1;31m{kind}: option {v.name} description uses DocBook\x1b[0m", - file=sys.stderr) - elif is_docbook(v.value, 'defaultText'): - hasErrors |= errorOnDocbook - hasDocBook = True - print( - f"\x1b[1;31m{kind}: option {v.name} default uses DocBook\x1b[0m", - file=sys.stderr) - elif is_docbook(v.value, 'example'): - hasErrors |= errorOnDocbook - hasDocBook = True - print( - f"\x1b[1;31m{kind}: option {v.name} example uses DocBook\x1b[0m", - file=sys.stderr) - if v.value.get('description', None) is None: hasWarnings = True print(f"\x1b[1;31m{severity}: option {v.name} has no description\x1b[0m", file=sys.stderr) 
@@ -126,30 +90,6 @@ for (k, v) in options.items(): f"\x1b[1;31m{severity}: option {v.name} has no type. Please specify a valid type, see " + "https://nixos.org/manual/nixos/stable/index.html#sec-option-types\x1b[0m", file=sys.stderr) -if hasDocBook: - (why, what) = ( - ("disallowed for in-tree modules", "contribution") if errorOnDocbook - else ("deprecated for option documentation", "module") - ) - print("Explanation: The documentation contains descriptions, examples, or defaults written in DocBook. " + - "NixOS is in the process of migrating from DocBook to Markdown, and " + - f"DocBook is {why}. To change your {what} to "+ - "use Markdown, apply mdDoc and literalMD and use the *MD variants of option creation " + - "functions where they are available. For example:\n" + - "\n" + - " example.foo = mkOption {\n" + - " description = lib.mdDoc ''your description'';\n" + - " defaultText = lib.literalMD ''your description of default'';\n" + - " };\n" + - "\n" + - " example.enable = mkEnableOption (lib.mdDoc ''your thing'');\n" + - " example.package = mkPackageOptionMD pkgs \"your-package\" {};\n" + - " imports = [ (mkAliasOptionModuleMD [ \"example\" \"args\" ] [ \"example\" \"settings\" ]) ];", - file = sys.stderr) - with open(os.getenv('TOUCH_IF_DB'), 'x'): - # just make sure it exists - pass - if hasErrors: sys.exit(1) if hasWarnings and warningsAreErrors: diff --git a/third_party/nixpkgs/nixos/lib/make-options-doc/postprocess-option-descriptions.xsl b/third_party/nixpkgs/nixos/lib/make-options-doc/postprocess-option-descriptions.xsl deleted file mode 100644 index 1201c7612c..0000000000 --- a/third_party/nixpkgs/nixos/lib/make-options-doc/postprocess-option-descriptions.xsl +++ /dev/null @@ -1,115 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
diff --git a/third_party/nixpkgs/nixos/lib/qemu-common.nix b/third_party/nixpkgs/nixos/lib/qemu-common.nix index a8ed27dd60..4fff2e0a6f 100644 --- a/third_party/nixpkgs/nixos/lib/qemu-common.nix +++ b/third_party/nixpkgs/nixos/lib/qemu-common.nix @@ -19,7 +19,7 @@ rec { ]; qemuSerialDevice = - if with pkgs.stdenv.hostPlatform; isx86 || isMips64 || isRiscV then "ttyS0" + if with pkgs.stdenv.hostPlatform; isx86 || isLoongArch64 || isMips64 || isRiscV then "ttyS0" else if (with pkgs.stdenv.hostPlatform; isAarch || isPower) then "ttyAMA0" else throw "Unknown QEMU serial device for system '${pkgs.stdenv.hostPlatform.system}'"; diff --git a/third_party/nixpkgs/nixos/lib/systemd-network-units.nix b/third_party/nixpkgs/nixos/lib/systemd-network-units.nix new file mode 100644 index 0000000000..14ff0b3742 --- /dev/null +++ b/third_party/nixpkgs/nixos/lib/systemd-network-units.nix 
@@ -0,0 +1,240 @@ +{ lib, systemdUtils }: + +with lib; + +let + attrsToSection = systemdUtils.lib.attrsToSection; + commonMatchText = def: + optionalString (def.matchConfig != { }) '' + [Match] + ${attrsToSection def.matchConfig} + ''; +in { + linkToUnit = def: + commonMatchText def + '' + [Link] + ${attrsToSection def.linkConfig} + '' + def.extraConfig; + + netdevToUnit = def: + commonMatchText def + '' + [NetDev] + ${attrsToSection def.netdevConfig} + '' + optionalString (def.vlanConfig != { }) '' + [VLAN] + ${attrsToSection def.vlanConfig} + '' + optionalString (def.macvlanConfig != { }) '' + [MACVLAN] + ${attrsToSection def.macvlanConfig} + '' + optionalString (def.vxlanConfig != { }) '' + [VXLAN] + ${attrsToSection def.vxlanConfig} + '' + optionalString (def.tunnelConfig != { }) '' + [Tunnel] + ${attrsToSection def.tunnelConfig} + '' + optionalString (def.fooOverUDPConfig != { }) '' + [FooOverUDP] + ${attrsToSection def.fooOverUDPConfig} + '' + optionalString (def.peerConfig != { }) '' + [Peer] + ${attrsToSection def.peerConfig} + '' + optionalString (def.tunConfig != { }) '' + [Tun] + ${attrsToSection def.tunConfig} + '' + optionalString (def.tapConfig != { }) '' + [Tap] + ${attrsToSection def.tapConfig} + '' + optionalString (def.l2tpConfig != { }) '' + [L2TP] + ${attrsToSection def.l2tpConfig} + '' + flip concatMapStrings def.l2tpSessions (x: '' + [L2TPSession] + ${attrsToSection x.l2tpSessionConfig} + '') + optionalString (def.wireguardConfig != { }) '' + [WireGuard] + ${attrsToSection def.wireguardConfig} + '' + flip concatMapStrings def.wireguardPeers (x: '' + [WireGuardPeer] + ${attrsToSection x.wireguardPeerConfig} + '') + optionalString (def.bondConfig != { }) '' + [Bond] + ${attrsToSection def.bondConfig} + '' + optionalString (def.xfrmConfig != { }) '' + [Xfrm] + ${attrsToSection def.xfrmConfig} + '' + optionalString (def.vrfConfig != { }) '' + [VRF] + ${attrsToSection def.vrfConfig} + '' + optionalString (def.batmanAdvancedConfig != { }) '' + 
[BatmanAdvanced] + ${attrsToSection def.batmanAdvancedConfig} + '' + def.extraConfig; + + networkToUnit = def: + commonMatchText def + optionalString (def.linkConfig != { }) '' + [Link] + ${attrsToSection def.linkConfig} + '' + '' + [Network] + '' + attrsToSection def.networkConfig + + optionalString (def.address != [ ]) '' + ${concatStringsSep "\n" (map (s: "Address=${s}") def.address)} + '' + optionalString (def.gateway != [ ]) '' + ${concatStringsSep "\n" (map (s: "Gateway=${s}") def.gateway)} + '' + optionalString (def.dns != [ ]) '' + ${concatStringsSep "\n" (map (s: "DNS=${s}") def.dns)} + '' + optionalString (def.ntp != [ ]) '' + ${concatStringsSep "\n" (map (s: "NTP=${s}") def.ntp)} + '' + optionalString (def.bridge != [ ]) '' + ${concatStringsSep "\n" (map (s: "Bridge=${s}") def.bridge)} + '' + optionalString (def.bond != [ ]) '' + ${concatStringsSep "\n" (map (s: "Bond=${s}") def.bond)} + '' + optionalString (def.vrf != [ ]) '' + ${concatStringsSep "\n" (map (s: "VRF=${s}") def.vrf)} + '' + optionalString (def.vlan != [ ]) '' + ${concatStringsSep "\n" (map (s: "VLAN=${s}") def.vlan)} + '' + optionalString (def.macvlan != [ ]) '' + ${concatStringsSep "\n" (map (s: "MACVLAN=${s}") def.macvlan)} + '' + optionalString (def.macvtap != [ ]) '' + ${concatStringsSep "\n" (map (s: "MACVTAP=${s}") def.macvtap)} + '' + optionalString (def.vxlan != [ ]) '' + ${concatStringsSep "\n" (map (s: "VXLAN=${s}") def.vxlan)} + '' + optionalString (def.tunnel != [ ]) '' + ${concatStringsSep "\n" (map (s: "Tunnel=${s}") def.tunnel)} + '' + optionalString (def.xfrm != [ ]) '' + ${concatStringsSep "\n" (map (s: "Xfrm=${s}") def.xfrm)} + '' + "\n" + flip concatMapStrings def.addresses (x: '' + [Address] + ${attrsToSection x.addressConfig} + '') + flip concatMapStrings def.routingPolicyRules (x: '' + [RoutingPolicyRule] + ${attrsToSection x.routingPolicyRuleConfig} + '') + flip concatMapStrings def.routes (x: '' + [Route] + ${attrsToSection x.routeConfig} + '') + optionalString 
(def.dhcpV4Config != { }) '' + [DHCPv4] + ${attrsToSection def.dhcpV4Config} + '' + optionalString (def.dhcpV6Config != { }) '' + [DHCPv6] + ${attrsToSection def.dhcpV6Config} + '' + optionalString (def.dhcpPrefixDelegationConfig != { }) '' + [DHCPPrefixDelegation] + ${attrsToSection def.dhcpPrefixDelegationConfig} + '' + optionalString (def.ipv6AcceptRAConfig != { }) '' + [IPv6AcceptRA] + ${attrsToSection def.ipv6AcceptRAConfig} + '' + optionalString (def.dhcpServerConfig != { }) '' + [DHCPServer] + ${attrsToSection def.dhcpServerConfig} + '' + optionalString (def.ipv6SendRAConfig != { }) '' + [IPv6SendRA] + ${attrsToSection def.ipv6SendRAConfig} + '' + flip concatMapStrings def.ipv6Prefixes (x: '' + [IPv6Prefix] + ${attrsToSection x.ipv6PrefixConfig} + '') + flip concatMapStrings def.ipv6RoutePrefixes (x: '' + [IPv6RoutePrefix] + ${attrsToSection x.ipv6RoutePrefixConfig} + '') + flip concatMapStrings def.dhcpServerStaticLeases (x: '' + [DHCPServerStaticLease] + ${attrsToSection x.dhcpServerStaticLeaseConfig} + '') + optionalString (def.bridgeConfig != { }) '' + [Bridge] + ${attrsToSection def.bridgeConfig} + '' + flip concatMapStrings def.bridgeFDBs (x: '' + [BridgeFDB] + ${attrsToSection x.bridgeFDBConfig} + '') + flip concatMapStrings def.bridgeMDBs (x: '' + [BridgeMDB] + ${attrsToSection x.bridgeMDBConfig} + '') + optionalString (def.lldpConfig != { }) '' + [LLDP] + ${attrsToSection def.lldpConfig} + '' + optionalString (def.canConfig != { }) '' + [CAN] + ${attrsToSection def.canConfig} + '' + optionalString (def.ipoIBConfig != { }) '' + [IPoIB] + ${attrsToSection def.ipoIBConfig} + '' + optionalString (def.qdiscConfig != { }) '' + [QDisc] + ${attrsToSection def.qdiscConfig} + '' + optionalString (def.networkEmulatorConfig != { }) '' + [NetworkEmulator] + ${attrsToSection def.networkEmulatorConfig} + '' + optionalString (def.tokenBucketFilterConfig != { }) '' + [TokenBucketFilter] + ${attrsToSection def.tokenBucketFilterConfig} + '' + optionalString 
(def.pieConfig != { }) '' + [PIE] + ${attrsToSection def.pieConfig} + '' + optionalString (def.flowQueuePIEConfig != { }) '' + [FlowQueuePIE] + ${attrsToSection def.flowQueuePIEConfig} + '' + optionalString (def.stochasticFairBlueConfig != { }) '' + [StochasticFairBlue] + ${attrsToSection def.stochasticFairBlueConfig} + '' + optionalString (def.stochasticFairnessQueueingConfig != { }) '' + [StochasticFairnessQueueing] + ${attrsToSection def.stochasticFairnessQueueingConfig} + '' + optionalString (def.bfifoConfig != { }) '' + [BFIFO] + ${attrsToSection def.bfifoConfig} + '' + optionalString (def.pfifoConfig != { }) '' + [PFIFO] + ${attrsToSection def.pfifoConfig} + '' + optionalString (def.pfifoHeadDropConfig != { }) '' + [PFIFOHeadDrop] + ${attrsToSection def.pfifoHeadDropConfig} + '' + optionalString (def.pfifoFastConfig != { }) '' + [PFIFOFast] + ${attrsToSection def.pfifoFastConfig} + '' + optionalString (def.cakeConfig != { }) '' + [CAKE] + ${attrsToSection def.cakeConfig} + '' + optionalString (def.controlledDelayConfig != { }) '' + [ControlledDelay] + ${attrsToSection def.controlledDelayConfig} + '' + optionalString (def.deficitRoundRobinSchedulerConfig != { }) '' + [DeficitRoundRobinScheduler] + ${attrsToSection def.deficitRoundRobinSchedulerConfig} + '' + optionalString (def.deficitRoundRobinSchedulerClassConfig != { }) '' + [DeficitRoundRobinSchedulerClass] + ${attrsToSection def.deficitRoundRobinSchedulerClassConfig} + '' + optionalString (def.enhancedTransmissionSelectionConfig != { }) '' + [EnhancedTransmissionSelection] + ${attrsToSection def.enhancedTransmissionSelectionConfig} + '' + optionalString (def.genericRandomEarlyDetectionConfig != { }) '' + [GenericRandomEarlyDetection] + ${attrsToSection def.genericRandomEarlyDetectionConfig} + '' + optionalString (def.fairQueueingControlledDelayConfig != { }) '' + [FairQueueingControlledDelay] + ${attrsToSection def.fairQueueingControlledDelayConfig} + '' + optionalString (def.fairQueueingConfig != { }) '' 
+ [FairQueueing] + ${attrsToSection def.fairQueueingConfig} + '' + optionalString (def.trivialLinkEqualizerConfig != { }) '' + [TrivialLinkEqualizer] + ${attrsToSection def.trivialLinkEqualizerConfig} + '' + optionalString (def.hierarchyTokenBucketConfig != { }) '' + [HierarchyTokenBucket] + ${attrsToSection def.hierarchyTokenBucketConfig} + '' + optionalString (def.hierarchyTokenBucketClassConfig != { }) '' + [HierarchyTokenBucketClass] + ${attrsToSection def.hierarchyTokenBucketClassConfig} + '' + optionalString (def.heavyHitterFilterConfig != { }) '' + [HeavyHitterFilter] + ${attrsToSection def.heavyHitterFilterConfig} + '' + optionalString (def.quickFairQueueingConfig != { }) '' + [QuickFairQueueing] + ${attrsToSection def.quickFairQueueingConfig} + '' + optionalString (def.quickFairQueueingConfigClass != { }) '' + [QuickFairQueueingClass] + ${attrsToSection def.quickFairQueueingConfigClass} + '' + flip concatMapStrings def.bridgeVLANs (x: '' + [BridgeVLAN] + ${attrsToSection x.bridgeVLANConfig} + '') + def.extraConfig; + +} diff --git a/third_party/nixpkgs/nixos/lib/test-driver/test_driver/driver.py b/third_party/nixpkgs/nixos/lib/test-driver/test_driver/driver.py index ea6ba4b65b..835d60ec3b 100644 --- a/third_party/nixpkgs/nixos/lib/test-driver/test_driver/driver.py +++ b/third_party/nixpkgs/nixos/lib/test-driver/test_driver/driver.py @@ -163,11 +163,6 @@ class Driver: machine.wait_for_shutdown() def create_machine(self, args: Dict[str, Any]) -> Machine: - rootlog.warning( - "Using legacy create_machine(), please instantiate the" - "Machine class directly, instead" - ) - tmp_dir = get_tmp_dir() if args.get("startCommand"): diff --git a/third_party/nixpkgs/nixos/lib/test-driver/test_driver/machine.py b/third_party/nixpkgs/nixos/lib/test-driver/test_driver/machine.py index a362e99f98..c315f9b2f5 100644 --- a/third_party/nixpkgs/nixos/lib/test-driver/test_driver/machine.py +++ b/third_party/nixpkgs/nixos/lib/test-driver/test_driver/machine.py 
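Review bot: The new file opens with `with lib;`, which hides where `optionalString`, `flip`, `concatMapStrings` and `concatStringsSep` come from and shadows any same-named binding for the whole 240-line file, while the sibling `testing/network.nix` touched in this same change uses an explicit `inherit (lib) …` list. Replacing it with `inherit (lib) concatMapStrings concatStringsSep flip optionalString;` keeps the file self-describing. The file also has no header comment; something like `# Render systemd.network link/netdev/network definitions (the def.* attribute sets) into unit-file text; section order follows systemd.network(5).` would state the contract, with the caveat that the `def.*` attribute names are presumably those of the networkd option modules that call these functions and should be confirmed against that caller.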
@@ -369,8 +369,8 @@ class Machine: @staticmethod def create_startcommand(args: Dict[str, str]) -> StartCommand: rootlog.warning( - "Using legacy create_startcommand()," - "please use proper nix test vm instrumentation, instead" + "Using legacy create_startcommand(), " + "please use proper nix test vm instrumentation, instead " "to generate the appropriate nixos test vm qemu startup script" ) hda = None @@ -514,7 +514,11 @@ class Machine: return "".join(output_buffer) def execute( - self, command: str, check_return: bool = True, timeout: Optional[int] = 900 + self, + command: str, + check_return: bool = True, + check_output: bool = True, + timeout: Optional[int] = 900, ) -> Tuple[int, str]: self.run_callbacks() self.connect() @@ -535,6 +539,9 @@ class Machine: assert self.shell self.shell.send(out_command.encode()) + if not check_output: + return (-2, "") + # Get the output output = base64.b64decode(self._next_newline_closed_block_from_shell()) @@ -641,7 +648,7 @@ class Machine: return status != 0 with self.nested(f"waiting for failure: {command}"): - retry(check_failure) + retry(check_failure, timeout) return output def wait_for_shutdown(self) -> None: @@ -745,7 +752,13 @@ class Machine: while not shell_ready(timeout_secs=30): self.log("Guest root shell did not produce any data yet...") - self.log(self.shell.recv(1024).decode()) + while True: + chunk = self.shell.recv(1024) + self.log(f"Guest shell says: {chunk!r}") + # NOTE: for this to work, nothing must be printed after this line! + if b"Spawning backdoor root shell..." in chunk: + break + toc = time.time() self.log("connected to guest root shell") 
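Review bot: The early `return (-2, "")` in `execute` when `check_output` is false hands callers a fabricated status that is indistinguishable from a real exit code, and presumably skips the `check_return` handling that follows the output read outside the hunk; neither the `Tuple[int, str]` annotation nor the parameter list says so. Document it on the signature, e.g. `check_output: when False, do not wait for the command's output; returns (-2, "") immediately and check_return is not applied.`, and consider naming the sentinel instead of repeating `-2`. The body of `execute` continues outside the hunk.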
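Review bot: The new `while True` loop around `self.shell.recv(1024)` never terminates if the guest side closes the socket, because `recv` then returns `b""` on every iteration and the marker can never appear; it also misses the marker when `Spawning backdoor root shell...` straddles two 1024-byte chunks. Treat an empty chunk as EOF and match against the accumulated bytes rather than the last chunk. The enclosing method starts before the hunk.
```python
            buf = b""
            while True:
                chunk = self.shell.recv(1024)
                if not chunk:
                    raise RuntimeError("guest root shell closed before the backdoor was spawned")
                self.log(f"Guest shell says: {chunk!r}")
                buf += chunk
                # NOTE: for this to work, nothing must be printed after this line!
                if b"Spawning backdoor root shell..." in buf:
                    break
```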
@@ -855,21 +868,37 @@ class Machine: with self.nested(f"waiting for {regex} to appear on screen"): retry(screen_matches) - def wait_for_console_text(self, regex: str) -> None: + def wait_for_console_text(self, regex: str, timeout: int | None = None) -> None: + """ + Wait for the provided regex to appear on console. + For each reads, + + If timeout is None, timeout is infinite. + + `timeout` is in seconds. + """ + # Buffer the console output, this is needed + # to match multiline regexes. + console = io.StringIO() + + def console_matches(_: Any) -> bool: + nonlocal console + try: + # This will return as soon as possible and + # sleep 1 second. + console.write(self.last_lines.get(block=False)) + except queue.Empty: + pass + console.seek(0) + matches = re.search(regex, console.read()) + return matches is not None + with self.nested(f"waiting for {regex} to appear on console"): - # Buffer the console output, this is needed - # to match multiline regexes. - console = io.StringIO() - while True: - try: - console.write(self.last_lines.get()) - except queue.Empty: - self.sleep(1) - continue - console.seek(0) - matches = re.search(regex, console.read()) - if matches is not None: - return + if timeout is not None: + retry(console_matches, timeout) + else: + while not console_matches(False): + pass def send_key( self, key: str, delay: Optional[float] = 0.01, log: Optional[bool] = True diff --git a/third_party/nixpkgs/nixos/lib/testing/driver.nix b/third_party/nixpkgs/nixos/lib/testing/driver.nix index 25759a91dd..444236efb1 100644 --- a/third_party/nixpkgs/nixos/lib/testing/driver.nix +++ b/third_party/nixpkgs/nixos/lib/testing/driver.nix @@ -12,7 +12,9 @@ let }; - vlans = map (m: m.virtualisation.vlans) (lib.attrValues config.nodes); + vlans = map (m: ( + m.virtualisation.vlans ++ + (lib.mapAttrsToList (_: v: v.vlan) m.virtualisation.interfaces))) (lib.attrValues config.nodes); vms = map (m: m.system.build.vm) (lib.attrValues config.nodes); nodeHostNames = 
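Review bot: With `timeout=None` the new code runs `while not console_matches(False): pass`, and since `console_matches` reads with `self.last_lines.get(block=False)` this is a hot loop that burns a core until the regex appears; the code it replaces slept one second on `queue.Empty`, and the comment "sleep 1 second" now describes behaviour that is no longer there. Changing the read to `console.write(self.last_lines.get(timeout=1))` restores a blocking wait in both branches, provided `retry` (defined outside the hunk) tolerates a predicate that takes up to a second. The docstring fragment `For each reads,` is unfinished and should be completed or dropped, and `timeout: int | None` is a 3.10-only spelling while the surrounding signatures use `Optional[...]`.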
diff --git a/third_party/nixpkgs/nixos/lib/testing/network.nix b/third_party/nixpkgs/nixos/lib/testing/network.nix index 04ea9a2bc9..1edc9e2765 100644 --- a/third_party/nixpkgs/nixos/lib/testing/network.nix +++ b/third_party/nixpkgs/nixos/lib/testing/network.nix @@ -4,7 +4,7 @@ let inherit (lib) attrNames concatMap concatMapStrings flip forEach head listToAttrs mkDefault mkOption nameValuePair optionalString - range types zipListsWith zipLists + range toLower types zipListsWith zipLists mdDoc ; 
@@ -18,24 +18,41 @@ let networkModule = { config, nodes, pkgs, ... }: let - interfacesNumbered = zipLists config.virtualisation.vlans (range 1 255); - interfaces = forEach interfacesNumbered ({ fst, snd }: - nameValuePair "eth${toString snd}" { - ipv4.addresses = - [{ - address = "192.168.${toString fst}.${toString config.virtualisation.test.nodeNumber}"; + qemu-common = import ../qemu-common.nix { inherit lib pkgs; }; + + # Convert legacy VLANs to named interfaces and merge with explicit interfaces. + vlansNumbered = forEach (zipLists config.virtualisation.vlans (range 1 255)) (v: { + name = "eth${toString v.snd}"; + vlan = v.fst; + assignIP = true; + }); + explicitInterfaces = lib.mapAttrsToList (n: v: v // { name = n; }) config.virtualisation.interfaces; + interfaces = vlansNumbered ++ explicitInterfaces; + interfacesNumbered = zipLists interfaces (range 1 255); + + # Automatically assign IP addresses to requested interfaces. + assignIPs = lib.filter (i: i.assignIP) interfaces; + ipInterfaces = forEach assignIPs (i: + nameValuePair i.name { ipv4.addresses = + [ { address = "192.168.${toString i.vlan}.${toString config.virtualisation.test.nodeNumber}"; prefixLength = 24; }]; }); + qemuOptions = lib.flatten (forEach interfacesNumbered ({ fst, snd }: + qemu-common.qemuNICFlags snd fst.vlan config.virtualisation.test.nodeNumber)); + udevRules = forEach interfacesNumbered ({ fst, snd }: + # MAC Addresses for QEMU network devices are lowercase, and udev string comparison is case-sensitive. 
+ ''SUBSYSTEM=="net",ACTION=="add",ATTR{address}=="${toLower(qemu-common.qemuNicMac fst.vlan config.virtualisation.test.nodeNumber)}",NAME="${fst.name}"''); + networkConfig = { networking.hostName = mkDefault config.virtualisation.test.nodeName; - networking.interfaces = listToAttrs interfaces; + networking.interfaces = listToAttrs ipInterfaces; networking.primaryIPAddress = - optionalString (interfaces != [ ]) (head (head interfaces).value.ipv4.addresses).address; + optionalString (ipInterfaces != [ ]) (head (head ipInterfaces).value.ipv4.addresses).address; # Put the IP addresses of all VMs in this machine's # /etc/hosts file. If a machine has multiple @@ -51,16 +68,13 @@ let "${config.networking.hostName}.${config.networking.domain} " + "${config.networking.hostName}\n")); - virtualisation.qemu.options = - let qemu-common = import ../qemu-common.nix { inherit lib pkgs; }; - in - flip concatMap interfacesNumbered - ({ fst, snd }: qemu-common.qemuNICFlags snd fst config.virtualisation.test.nodeNumber); + virtualisation.qemu.options = qemuOptions; + boot.initrd.services.udev.rules = concatMapStrings (x: x + "\n") udevRules; }; in { - key = "ip-address"; + key = "network-interfaces"; config = networkConfig // { # Expose the networkConfig items for tests like nixops # that need to recreate the network config. diff --git a/third_party/nixpkgs/nixos/lib/testing/nodes.nix b/third_party/nixpkgs/nixos/lib/testing/nodes.nix index 6e439fd814..f58759b4cd 100644 --- a/third_party/nixpkgs/nixos/lib/testing/nodes.nix +++ b/third_party/nixpkgs/nixos/lib/testing/nodes.nix @@ -16,6 +16,7 @@ let baseOS = import ../eval-config.nix { + inherit lib; system = null; # use modularly defined system inherit (config.node) specialArgs; modules = [ config.defaults ]; diff --git a/third_party/nixpkgs/nixos/lib/utils.nix b/third_party/nixpkgs/nixos/lib/utils.nix index def3aa13f3..7ea9d6a5c7 100644 --- a/third_party/nixpkgs/nixos/lib/utils.nix +++ b/third_party/nixpkgs/nixos/lib/utils.nix 
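Review bot: `udevRules` derives each interface's MAC from `qemu-common.qemuNicMac fst.vlan config.virtualisation.test.nodeNumber`, so two interfaces of one node on the same VLAN, which the new concatenation of the legacy `vlans` list with `virtualisation.interfaces` makes easy to write, would share a MAC and produce two `NAME=` rules matching the same device, if `qemuNicMac` depends only on those two inputs (its definition is outside this diff). A check such as `lib.assertMsg (lib.length (lib.unique (map (i: i.vlan) interfaces)) == lib.length interfaces) "each VLAN may be attached to a node only once"` would surface this at evaluation time rather than as a flaky test. `fst.name` is also interpolated unquoted inside `NAME="…"`, so a key containing `"` yields a broken rule; a comment noting that names come from attribute keys and are expected to be plain interface names would make that assumption visible. The `let` block starts before the hunk.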
@@ -226,5 +226,8 @@ rec { lib = import ./systemd-lib.nix { inherit lib config pkgs; }; unitOptions = import ./systemd-unit-options.nix { inherit lib systemdUtils; }; types = import ./systemd-types.nix { inherit lib systemdUtils pkgs; }; + network = { + units = import ./systemd-network-units.nix { inherit lib systemdUtils; }; + }; }; } diff --git a/third_party/nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix b/third_party/nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix index 490a79e0b6..d12339bca1 100644 --- a/third_party/nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix +++ b/third_party/nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix @@ -43,7 +43,7 @@ in { sizeMB = mkOption { type = with types; either (enum [ "auto" ]) int; - default = 2048; + default = 3072; example = 8192; description = lib.mdDoc "The size in MB of the image"; }; diff --git a/third_party/nixpkgs/nixos/modules/config/fonts/fontconfig.nix b/third_party/nixpkgs/nixos/modules/config/fonts/fontconfig.nix index 5781679241..2eee5cd34d 100644 --- a/third_party/nixpkgs/nixos/modules/config/fonts/fontconfig.nix +++ b/third_party/nixpkgs/nixos/modules/config/fonts/fontconfig.nix @@ -77,18 +77,6 @@ let ${fcBool cfg.hinting.autohint} - - ${cfg.hinting.style} - - - ${fcBool cfg.antialias} - - - ${cfg.subpixel.rgba} - - - lcd${cfg.subpixel.lcdfilter} - @@ -177,6 +165,13 @@ let ''; + # Replace default linked config with a different variant + replaceDefaultConfig = defaultConfig: newConfig: '' + rm $dst/${defaultConfig} + ln -s ${pkg.out}/share/fontconfig/conf.avail/${newConfig} \ + $dst/ + ''; + # fontconfig configuration package confPkg = pkgs.runCommand "fontconfig-conf" { preferLocalBuild = true; 
@@ -196,6 +191,26 @@ let ln -s ${pkg.out}/etc/fonts/conf.d/*.conf \ $dst/ + ${optionalString (!cfg.antialias) + (replaceDefaultConfig "10-yes-antialias.conf" + "10-no-antialias.conf") + } + + ${optionalString (cfg.hinting.style != "slight") + (replaceDefaultConfig "10-hinting-slight.conf" + "10-hinting-${cfg.hinting.style}.conf") + } + + ${optionalString (cfg.subpixel.rgba != "none") + (replaceDefaultConfig "10-sub-pixel-none.conf" + "10-sub-pixel-${cfg.subpixel.rgba}.conf") + } + + ${optionalString (cfg.subpixel.lcdfilter != "default") + (replaceDefaultConfig "11-lcdfilter-default.conf" + "11-lcdfilter-${cfg.subpixel.lcdfilter}.conf") + } + # 00-nixos-cache.conf ln -s ${cacheConf} $dst/00-nixos-cache.conf @@ -367,17 +382,25 @@ in }; style = mkOption { - type = types.enum [ "hintnone" "hintslight" "hintmedium" "hintfull" ]; - default = "hintslight"; + type = types.enum ["none" "slight" "medium" "full"]; + default = "slight"; description = lib.mdDoc '' Hintstyle is the amount of font reshaping done to line up to the grid. - hintslight will make the font more fuzzy to line up to the grid - but will be better in retaining font shape, while hintfull will - be a crisp font that aligns well to the pixel grid but will lose - a greater amount of font shape. + slight will make the font more fuzzy to line up to the grid but + will be better in retaining font shape, while full will be a + crisp font that aligns well to the pixel grid but will lose a + greater amount of font shape. ''; + apply = + val: + let + from = "fonts.fontconfig.hinting.style"; + val' = lib.removePrefix "hint" val; + warning = "The option `${from}` contains a deprecated value `${val}`. Use `${val'}` instead."; + in + lib.warnIf (lib.hasPrefix "hint" val) warning val'; }; }; @@ -394,7 +417,7 @@ in subpixel = { rgba = mkOption { - default = "rgb"; + default = "none"; type = types.enum ["rgb" "bgr" "vrgb" "vbgr" "none"]; description = lib.mdDoc '' Subpixel order. The overwhelming majority of displays are 
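Review bot: The `apply` added to `fonts.fontconfig.hinting.style` can never emit its deprecation warning, because the new `types.enum ["none" "slight" "medium" "full"]` rejects any `hint*` spelling during type checking, which as far as I know runs before `apply` is invoked; a user who still has `hinting.style = "hintslight"` gets a hard type error rather than the intended warning-and-rewrite. Either widen the enum to also accept the legacy spellings, `type = types.enum ["none" "slight" "medium" "full" "hintnone" "hintslight" "hintmedium" "hintfull"];`, so that `removePrefix "hint"` in `apply` actually has something to strip, or drop the `apply` block and document the rename instead. Note that the `replaceDefaultConfig` calls in the preceding hunk interpolate `cfg.hinting.style` into a file name, so whichever form is kept should still guarantee the value is one of the four canonical names after `apply`.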
diff --git a/third_party/nixpkgs/nixos/modules/config/fonts/fontdir.nix b/third_party/nixpkgs/nixos/modules/config/fonts/fontdir.nix index 30e0dfe256..9d41463c94 100644 --- a/third_party/nixpkgs/nixos/modules/config/fonts/fontdir.nix +++ b/third_party/nixpkgs/nixos/modules/config/fonts/fontdir.nix @@ -8,7 +8,7 @@ let x11Fonts = pkgs.runCommand "X11-fonts" { preferLocalBuild = true; } '' mkdir -p "$out/share/X11/fonts" - font_regexp='.*\.\(ttf\|ttc\|otf\|pcf\|pfa\|pfb\|bdf\)\(\.gz\)?' + font_regexp='.*\.\(ttf\|ttc\|otb\|otf\|pcf\|pfa\|pfb\|bdf\)\(\.gz\)?' find ${toString config.fonts.fonts} -regex "$font_regexp" \ -exec ln -sf -t "$out/share/X11/fonts" '{}' \; cd "$out/share/X11/fonts" diff --git a/third_party/nixpkgs/nixos/modules/config/i18n.nix b/third_party/nixpkgs/nixos/modules/config/i18n.nix index b1efc00773..b19d38091e 100644 --- a/third_party/nixpkgs/nixos/modules/config/i18n.nix +++ b/third_party/nixpkgs/nixos/modules/config/i18n.nix @@ -66,6 +66,7 @@ with lib; (builtins.map (l: (replaceStrings [ "utf8" "utf-8" "UTF8" ] [ "UTF-8" "UTF-8" "UTF-8" ] l) + "/UTF-8") ( [ "C.UTF-8" + "en_US.UTF-8" config.i18n.defaultLocale ] ++ (attrValues (filterAttrs (n: v: n != "LANGUAGE") config.i18n.extraLocaleSettings)) )) diff --git a/third_party/nixpkgs/nixos/modules/config/malloc.nix b/third_party/nixpkgs/nixos/modules/config/malloc.nix index ae0661f472..3d70e09198 100644 --- a/third_party/nixpkgs/nixos/modules/config/malloc.nix +++ b/third_party/nixpkgs/nixos/modules/config/malloc.nix @@ -97,7 +97,7 @@ in }; config = mkIf (cfg.provider != "libc") { - boot.kernel.sysctl."vm.max_map_count" = mkIf (cfg.provider == "graphene-hardened") (mkDefault 1048576); + boot.kernel.sysctl."vm.max_map_count" = mkIf (cfg.provider == "graphene-hardened") (mkDefault 1048576); # TODO: Default vm.max_map_count has been increased system-wide environment.etc."ld-nix.so.preload".text = '' ${providerLibPath} ''; 
diff --git a/third_party/nixpkgs/nixos/modules/config/nix-channel.nix b/third_party/nixpkgs/nixos/modules/config/nix-channel.nix new file mode 100644 index 0000000000..557f17d8b3 --- /dev/null +++ b/third_party/nixpkgs/nixos/modules/config/nix-channel.nix @@ -0,0 +1,70 @@ +/* + Manages the things that are needed for a traditional nix-channel based + configuration to work. + + See also + - ./nix.nix + - ./nix-flakes.nix + */ +{ config, lib, ... }: +let + inherit (lib) + mkIf + mkOption + stringAfter + types + ; + + cfg = config.nix; + +in +{ + options = { + nix = { + nixPath = mkOption { + type = types.listOf types.str; + default = [ + "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" + "nixos-config=/etc/nixos/configuration.nix" + "/nix/var/nix/profiles/per-user/root/channels" + ]; + description = lib.mdDoc '' + The default Nix expression search path, used by the Nix + evaluator to look up paths enclosed in angle brackets + (e.g. ``). + ''; + }; + }; + + system = { + defaultChannel = mkOption { + internal = true; + type = types.str; + default = "https://nixos.org/channels/nixos-unstable"; + description = lib.mdDoc "Default NixOS channel to which the root user is subscribed."; + }; + }; + }; + + config = mkIf cfg.enable { + + environment.extraInit = + '' + if [ -e "$HOME/.nix-defexpr/channels" ]; then + export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" + fi + ''; + + environment.sessionVariables = { + NIX_PATH = cfg.nixPath; + }; + + system.activationScripts.nix-channel = stringAfter [ "etc" "users" ] + '' + # Subscribe the root user to the NixOS channel by default. + if [ ! -e "/root/.nix-channels" ]; then + echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels" + fi + ''; + }; +} diff --git a/third_party/nixpkgs/nixos/modules/config/nix-flakes.nix b/third_party/nixpkgs/nixos/modules/config/nix-flakes.nix new file mode 100644 index 0000000000..242d8d3b82 --- /dev/null 
+++ b/third_party/nixpkgs/nixos/modules/config/nix-flakes.nix 
@@ -0,0 +1,95 @@ +/* + Manages the flake registry. + + See also + - ./nix.nix + - ./nix-channel.nix + */ +{ config, lib, ... }: +let + inherit (lib) + filterAttrs + literalExpression + mapAttrsToList + mkDefault + mkIf + mkOption + types + ; + + cfg = config.nix; + +in +{ + options = { + nix = { + registry = mkOption { + type = types.attrsOf (types.submodule ( + let + referenceAttrs = with types; attrsOf (oneOf [ + str + int + bool + path + package + ]); + in + { config, name, ... }: + { + options = { + from = mkOption { + type = referenceAttrs; + example = { type = "indirect"; id = "nixpkgs"; }; + description = lib.mdDoc "The flake reference to be rewritten."; + }; + to = mkOption { + type = referenceAttrs; + example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }; + description = lib.mdDoc "The flake reference {option}`from` is rewritten to."; + }; + flake = mkOption { + type = types.nullOr types.attrs; + default = null; + example = literalExpression "nixpkgs"; + description = lib.mdDoc '' + The flake input {option}`from` is rewritten to. + ''; + }; + exact = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether the {option}`from` reference needs to match exactly. If set, + a {option}`from` reference like `nixpkgs` does not + match with a reference like `nixpkgs/nixos-20.03`. + ''; + }; + }; + config = { + from = mkDefault { type = "indirect"; id = name; }; + to = mkIf (config.flake != null) (mkDefault ( + { + type = "path"; + path = config.flake.outPath; + } // filterAttrs + (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") + config.flake + )); + }; + } + )); + default = { }; + description = lib.mdDoc '' + A system-wide flake registry. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.etc."nix/registry.json".text = builtins.toJSON { + version = 2; + flakes = mapAttrsToList (n: v: { inherit (v) from to exact; }) cfg.registry; + }; + }; +} 
diff --git a/third_party/nixpkgs/nixos/modules/config/nix-remote-build.nix b/third_party/nixpkgs/nixos/modules/config/nix-remote-build.nix
new file mode 100644
index 0000000000..98c8fc06d2
--- /dev/null
+++ b/third_party/nixpkgs/nixos/modules/config/nix-remote-build.nix
@@ -0,0 +1,226 @@ +/* + Manages the remote build configuration, /etc/nix/machines + + See also + - ./nix.nix + - nixos/modules/services/system/nix-daemon.nix + */ +{ config, lib, ... }: + +let + inherit (lib) + any + concatMapStrings + concatStringsSep + filter + getVersion + mkIf + mkMerge + mkOption + optional + optionalString + types + versionAtLeast + ; + + cfg = config.nix; + + nixPackage = cfg.package.out; + + isNixAtLeast = versionAtLeast (getVersion nixPackage); + + buildMachinesText = + concatMapStrings + (machine: + (concatStringsSep " " ([ + "${optionalString (machine.protocol != null) "${machine.protocol}://"}${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}" + (if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-") + (if machine.sshKey != null then machine.sshKey else "-") + (toString machine.maxJobs) + (toString machine.speedFactor) + (let res = (machine.supportedFeatures ++ machine.mandatoryFeatures); + in if (res == []) then "-" else (concatStringsSep "," res)) + (let res = machine.mandatoryFeatures; + in if (res == []) then "-" else (concatStringsSep "," machine.mandatoryFeatures)) + ] + ++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-"))) + + "\n" + ) + cfg.buildMachines; + +in +{ + options = { + nix = { + buildMachines = mkOption { + type = types.listOf (types.submodule { + options = { + hostName = mkOption { + type = types.str; + example = "nixbuilder.example.org"; + description = lib.mdDoc '' + The hostname of the build machine. + ''; + }; + protocol = mkOption { + type = types.enum [ null "ssh" "ssh-ng" ]; + default = "ssh"; + example = "ssh-ng"; + description = lib.mdDoc '' + The protocol used for communicating with the build machine. + Use `ssh-ng` if your remote builder and your + local Nix version support that improved protocol. 
+ + Use `null` when trying to change the special localhost builder + without a protocol which is for example used by hydra. + ''; + }; + system = mkOption { + type = types.nullOr types.str; + default = null; + example = "x86_64-linux"; + description = lib.mdDoc '' + The system type the build machine can execute derivations on. + Either this attribute or {var}`systems` must be + present, where {var}`system` takes precedence if + both are set. + ''; + }; + systems = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "x86_64-linux" "aarch64-linux" ]; + description = lib.mdDoc '' + The system types the build machine can execute derivations on. + Either this attribute or {var}`system` must be + present, where {var}`system` takes precedence if + both are set. + ''; + }; + sshUser = mkOption { + type = types.nullOr types.str; + default = null; + example = "builder"; + description = lib.mdDoc '' + The username to log in as on the remote host. This user must be + able to log in and run nix commands non-interactively. It must + also be privileged to build derivations, so must be included in + {option}`nix.settings.trusted-users`. + ''; + }; + sshKey = mkOption { + type = types.nullOr types.str; + default = null; + example = "/root/.ssh/id_buildhost_builduser"; + description = lib.mdDoc '' + The path to the SSH private key with which to authenticate on + the build machine. The private key must not have a passphrase. + If null, the building user (root on NixOS machines) must have an + appropriate ssh configuration to log in non-interactively. + + Note that for security reasons, this path must point to a file + in the local filesystem, *not* to the nix store. + ''; + }; + maxJobs = mkOption { + type = types.int; + default = 1; + description = lib.mdDoc '' + The number of concurrent jobs the build machine supports. 
The + build machine will enforce its own limits, but this allows hydra + to schedule better since there is no work-stealing between build + machines. + ''; + }; + speedFactor = mkOption { + type = types.int; + default = 1; + description = lib.mdDoc '' + The relative speed of this builder. This is an arbitrary integer + that indicates the speed of this builder, relative to other + builders. Higher is faster. + ''; + }; + mandatoryFeatures = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "big-parallel" ]; + description = lib.mdDoc '' + A list of features mandatory for this builder. The builder will + be ignored for derivations that don't require all features in + this list. All mandatory features are automatically included in + {var}`supportedFeatures`. + ''; + }; + supportedFeatures = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "kvm" "big-parallel" ]; + description = lib.mdDoc '' + A list of features supported by this builder. The builder will + be ignored for derivations that require features not in this + list. + ''; + }; + publicHostKey = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + The (base64-encoded) public host key of this builder. The field + is calculated via {command}`base64 -w0 /etc/ssh/ssh_host_type_key.pub`. + If null, SSH will use its regular known-hosts file when connecting. + ''; + }; + }; + }); + default = [ ]; + description = lib.mdDoc '' + This option lists the machines to be used if distributed builds are + enabled (see {option}`nix.distributedBuilds`). + Nix will perform derivations on those machines via SSH by copying the + inputs to the Nix store on the remote machine, starting the build, + then copying the output back to the local Nix store. 
+ ''; + }; + + distributedBuilds = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to distribute builds to the machines listed in + {option}`nix.buildMachines`. + ''; + }; + }; + }; + + # distributedBuilds does *not* inhibit /etc/machines generation; caller may + # override that nix option. + config = mkIf cfg.enable { + assertions = + let badMachine = m: m.system == null && m.systems == [ ]; + in + [ + { + assertion = !(any badMachine cfg.buildMachines); + message = '' + At least one system type (via system or + systems) must be set for every build machine. + Invalid machine specifications: + '' + " " + + (concatStringsSep "\n " + (map (m: m.hostName) + (filter (badMachine) cfg.buildMachines))); + } + ]; + + # List of machines for distributed Nix builds + environment.etc."nix/machines" = + mkIf (cfg.buildMachines != [ ]) { + text = buildMachinesText; + }; + + # Legacy configuration conversion. + nix.settings = mkIf (!cfg.distributedBuilds) { builders = null; }; + }; +} diff --git a/third_party/nixpkgs/nixos/modules/config/nix.nix b/third_party/nixpkgs/nixos/modules/config/nix.nix new file mode 100644 index 0000000000..cee4f54db0 --- /dev/null +++ b/third_party/nixpkgs/nixos/modules/config/nix.nix 
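Review bot: `buildMachinesText` emits a whitespace-separated, comma-joined line per builder, but `hostName`, `sshKey`, `supportedFeatures` and `mandatoryFeatures` are plain `types.str` / `listOf types.str`, so a value containing a space or comma silently shifts the columns of that machine's entry instead of failing evaluation. The `assertions` list in the `config` block only checks that a system type is set; an additional assertion rejecting delimiter characters in those fields would turn a malformed `/etc/nix/machines` into an evaluation-time error. The `sshKey` description already states the security-relevant constraint (a local file, not a store path), but nothing enforces it; if that is wanted, a `lib.hasPrefix builtins.storeDir` check fits in the same block.
```nix
      # … unchanged: badMachine assertion …
      {
        assertion = !(any
          (m:
            any (lib.hasInfix " ")
              ([ m.hostName ] ++ optional (m.sshKey != null) m.sshKey
                ++ m.supportedFeatures ++ m.mandatoryFeatures)
            || any (lib.hasInfix ",") (m.supportedFeatures ++ m.mandatoryFeatures))
          cfg.buildMachines);
        message = ''
          nix.buildMachines: hostName, sshKey and feature names must not contain
          whitespace or commas, because /etc/nix/machines is a delimited format.
        '';
      }
```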
@@ -0,0 +1,379 @@ +/* + Manages /etc/nix.conf. + + See also + - ./nix-channel.nix + - ./nix-flakes.nix + - ./nix-remote-build.nix + - nixos/modules/services/system/nix-daemon.nix + */ +{ config, lib, pkgs, ... }: + +let + inherit (lib) + concatStringsSep + boolToString + escape + floatToString + getVersion + isBool + isDerivation + isFloat + isInt + isList + isString + literalExpression + mapAttrsToList + mkAfter + mkDefault + mkIf + mkOption + mkRenamedOptionModuleWith + optionalString + optionals + strings + systems + toPretty + types + versionAtLeast + ; + + cfg = config.nix; + + nixPackage = cfg.package.out; + + isNixAtLeast = versionAtLeast (getVersion nixPackage); + + legacyConfMappings = { + useSandbox = "sandbox"; + buildCores = "cores"; + maxJobs = "max-jobs"; + sandboxPaths = "extra-sandbox-paths"; + binaryCaches = "substituters"; + trustedBinaryCaches = "trusted-substituters"; + binaryCachePublicKeys = "trusted-public-keys"; + autoOptimiseStore = "auto-optimise-store"; + requireSignedBinaryCaches = "require-sigs"; + trustedUsers = "trusted-users"; + allowedUsers = "allowed-users"; + systemFeatures = "system-features"; + }; + + semanticConfType = with types; + let + confAtom = nullOr + (oneOf [ + bool + int + float + str + path + package + ]) // { + description = "Nix config atom (null, bool, int, float, str, path or package)"; + }; + in + attrsOf (either confAtom (listOf confAtom)); + + nixConf = + assert isNixAtLeast "2.2"; + let + + mkValueString = v: + if v == null then "" + else if isInt v then toString v + else if isBool v then boolToString v + else if isFloat v then floatToString v + else if isList v then toString v + else if isDerivation v then toString v + else if builtins.isPath v then toString v + else if isString v then v + else if strings.isConvertibleWithToString v then toString v + else abort "The nix conf value: ${toPretty {} v} can not be encoded"; + + mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}"; + + mkKeyValuePairs = 
attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs); + + in + pkgs.writeTextFile { + name = "nix.conf"; + text = '' + # WARNING: this file is generated from the nix.* options in + # your NixOS configuration, typically + # /etc/nixos/configuration.nix. Do not edit it! + ${mkKeyValuePairs cfg.settings} + ${cfg.extraOptions} + ''; + checkPhase = lib.optionalString cfg.checkConfig ( + if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' + echo "Ignoring validation for cross-compilation" + '' + else '' + echo "Validating generated nix.conf" + ln -s $out ./nix.conf + set -e + set +o pipefail + NIX_CONF_DIR=$PWD \ + ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ + ${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \ + |& sed -e 's/^warning:/error:/' \ + | (! grep '${if cfg.checkAllErrors then "^error:" else "^error: unknown setting"}') + set -o pipefail + ''); + }; + +in +{ + imports = [ + (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; }) + (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; }) + ] ++ + mapAttrsToList + (oldConf: newConf: + mkRenamedOptionModuleWith { + sinceRelease = 2205; + from = [ "nix" oldConf ]; + to = [ "nix" "settings" newConf ]; + }) + legacyConfMappings; + + options = { + nix = { + checkConfig = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + If enabled, checks that Nix can parse the generated nix.conf. + ''; + }; + + checkAllErrors = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings. 
+ ''; + }; + + extraOptions = mkOption { + type = types.lines; + default = ""; + example = '' + keep-outputs = true + keep-derivations = true + ''; + description = lib.mdDoc "Additional text appended to {file}`nix.conf`."; + }; + + settings = mkOption { + type = types.submodule { + freeformType = semanticConfType; + + options = { + max-jobs = mkOption { + type = types.either types.int (types.enum [ "auto" ]); + default = "auto"; + example = 64; + description = lib.mdDoc '' + This option defines the maximum number of jobs that Nix will try to + build in parallel. The default is auto, which means it will use all + available logical cores. It is recommend to set it to the total + number of logical cores in your system (e.g., 16 for two CPUs with 4 + cores each and hyper-threading). + ''; + }; + + auto-optimise-store = mkOption { + type = types.bool; + default = false; + example = true; + description = lib.mdDoc '' + If set to true, Nix automatically detects files in the store that have + identical contents, and replaces them with hard links to a single copy. + This saves disk space. If set to false (the default), you can still run + nix-store --optimise to get rid of duplicate files. + ''; + }; + + cores = mkOption { + type = types.int; + default = 0; + example = 64; + description = lib.mdDoc '' + This option defines the maximum number of concurrent tasks during + one build. It affects, e.g., -j option for make. + The special value 0 means that the builder should use all + available CPU cores in the system. Some builds may become + non-deterministic with this option; use with care! Packages will + only be affected if enableParallelBuilding is set for them. + ''; + }; + + sandbox = mkOption { + type = types.either types.bool (types.enum [ "relaxed" ]); + default = true; + description = lib.mdDoc '' + If set, Nix will perform builds in a sandboxed environment that it + will set up automatically for each build. 
This prevents impurities + in builds by disallowing access to dependencies outside of the Nix + store by using network and mount namespaces in a chroot environment. + + This is enabled by default even though it has a possible performance + impact due to the initial setup time of a sandbox for each build. It + doesn't affect derivation hashes, so changing this option will not + trigger a rebuild of packages. + + When set to "relaxed", this option permits derivations that set + `__noChroot = true;` to run outside of the sandboxed environment. + Exercise caution when using this mode of operation! It is intended to + be a quick hack when building with packages that are not easily setup + to be built reproducibly. + ''; + }; + + extra-sandbox-paths = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "/dev" "/proc" ]; + description = lib.mdDoc '' + Directories from the host filesystem to be included + in the sandbox. + ''; + }; + + substituters = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + List of binary cache URLs used to obtain pre-built binaries + of Nix packages. + + By default https://cache.nixos.org/ is added. + ''; + }; + + trusted-substituters = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ "https://hydra.nixos.org/" ]; + description = lib.mdDoc '' + List of binary cache URLs that non-root users can use (in + addition to those specified using + {option}`nix.settings.substituters`) by passing + `--option binary-caches` to Nix commands. + ''; + }; + + require-sigs = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + If enabled (the default), Nix will only download binaries from binary caches if + they are cryptographically signed with any of the keys listed in + {option}`nix.settings.trusted-public-keys`. 
If disabled, signatures are neither + required nor checked, so it's strongly recommended that you use only + trustworthy caches and https to prevent man-in-the-middle attacks. + ''; + }; + + trusted-public-keys = mkOption { + type = types.listOf types.str; + example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; + description = lib.mdDoc '' + List of public keys used to sign binary caches. If + {option}`nix.settings.trusted-public-keys` is enabled, + then Nix will use a binary from a binary cache if and only + if it is signed by *any* of the keys + listed here. By default, only the key for + `cache.nixos.org` is included. + ''; + }; + + trusted-users = mkOption { + type = types.listOf types.str; + default = [ "root" ]; + example = [ "root" "alice" "@wheel" ]; + description = lib.mdDoc '' + A list of names of users that have additional rights when + connecting to the Nix daemon, such as the ability to specify + additional binary caches, or to import unsigned NARs. You + can also specify groups by prefixing them with + `@`; for instance, + `@wheel` means all users in the wheel + group. + ''; + }; + + system-features = mkOption { + type = types.listOf types.str; + example = [ "kvm" "big-parallel" "gccarch-skylake" ]; + description = lib.mdDoc '' + The set of features supported by the machine. Derivations + can express dependencies on system features through the + `requiredSystemFeatures` attribute. + + By default, pseudo-features `nixos-test`, `benchmark`, + and `big-parallel` used in Nixpkgs are set, `kvm` + is also included if it is available. + ''; + }; + + allowed-users = mkOption { + type = types.listOf types.str; + default = [ "*" ]; + example = [ "@wheel" "@builders" "alice" "bob" ]; + description = lib.mdDoc '' + A list of names of users (separated by whitespace) that are + allowed to connect to the Nix daemon. As with + {option}`nix.settings.trusted-users`, you can specify groups by + prefixing them with `@`. 
Also, you can + allow all users by specifying `*`. The + default is `*`. Note that trusted users are + always allowed to connect. + ''; + }; + }; + }; + default = { }; + example = literalExpression '' + { + use-sandbox = true; + show-trace = true; + + system-features = [ "big-parallel" "kvm" "recursive-nix" ]; + sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; }; + } + ''; + description = lib.mdDoc '' + Configuration for Nix, see + or + {manpage}`nix.conf(5)` for available options. + The value declared here will be translated directly to the key-value pairs Nix expects. + + You can use {command}`nix-instantiate --eval --strict '' -A config.nix.settings` + to view the current value. By default it is empty. + + Nix configurations defined under {option}`nix.*` will be translated and applied to this + option. In addition, configuration specified in {option}`nix.extraOptions` will be appended + verbatim to the resulting config file. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + environment.etc."nix/nix.conf".source = nixConf; + nix.settings = { + trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; + substituters = mkAfter [ "https://cache.nixos.org/" ]; + system-features = mkDefault ( + [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ + optionals (pkgs.stdenv.hostPlatform ? gcc.arch) ( + # a builder can run code for `gcc.arch` and inferior architectures + [ "gccarch-${pkgs.stdenv.hostPlatform.gcc.arch}" ] ++ + map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.stdenv.hostPlatform.gcc.arch} or []) + ) + ); + }; + }; +} diff --git a/third_party/nixpkgs/nixos/modules/config/no-x-libs.nix b/third_party/nixpkgs/nixos/modules/config/no-x-libs.nix index dac09bdf46..f8622be59a 100644 --- a/third_party/nixpkgs/nixos/modules/config/no-x-libs.nix +++ b/third_party/nixpkgs/nixos/modules/config/no-x-libs.nix 
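Review bot: The `trusted-public-keys` description says "If {option}`nix.settings.trusted-public-keys` is enabled", but a list of keys is not something that is enabled; the option that gates signature checking is `require-sigs`, declared just above, so the sentence should read `If {option}`nix.settings.require-sigs` is enabled,`. Separately, `mkValueString` writes string atoms verbatim and `mkKeyValue` only escapes `=` in the key, so a `nix.settings` value containing a newline becomes an additional nix.conf line; the `checkPhase` would catch an unknown setting but not a well-formed one injected that way. An assertion that no atom in `cfg.settings` contains `"\n"` would close that gap; the hunk's `nixConf` binding is the natural place to reference it.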
@@ -26,7 +26,12 @@ with lib; fonts.fontconfig.enable = false; - nixpkgs.overlays = singleton (const (super: { + nixpkgs.overlays = singleton (self: super: let + packageOverrides = const (python-prev: { + # tk feature requires wayland which fails to compile + matplotlib = python-prev.matplotlib.override { enableGtk3 = false; enableTk = false; enableQt = false; }; + }); + in { beam = super.beam_nox; cairo = super.cairo.override { x11Support = false; }; dbus = super.dbus.override { x11Support = false; }; @@ -38,7 +43,9 @@ with lib; gpsd = super.gpsd.override { guiSupport = false; }; graphviz = super.graphviz-nox; gst_all_1 = super.gst_all_1 // { - gst-plugins-base = super.gst_all_1.gst-plugins-base.override { enableX11 = false; }; + gst-plugins-bad = super.gst_all_1.gst-plugins-bad.override { guiSupport = false; }; + gst-plugins-base = super.gst_all_1.gst-plugins-base.override { enableWayland = false; enableX11 = false; }; + gst-plugins-good = super.gst_all_1.gst-plugins-good.override { enableX11 = false; }; }; imagemagick = super.imagemagick.override { libX11Support = false; libXtSupport = false; }; imagemagickBig = super.imagemagickBig.override { libX11Support = false; libXtSupport = false; }; @@ -60,6 +67,8 @@ with lib; pango = super.pango.override { x11Support = false; }; pinentry = super.pinentry.override { enabledFlavors = [ "curses" "tty" "emacs" ]; withLibsecret = false; }; pipewire = super.pipewire.override { x11Support = false; }; + python3 = super.python3.override { inherit packageOverrides; }; + python3Packages = self.python3.pkgs; # required otherwise overlays from above are not forwarded qemu = super.qemu.override { gtkSupport = false; spiceSupport = false; sdlSupport = false; }; qrencode = super.qrencode.overrideAttrs (_: { doCheck = false; }); qt5 = super.qt5.overrideScope (const (super': { 
@@ -70,6 +79,6 @@ with lib; util-linux = super.util-linux.override { translateManpages = false; }; vim-full = super.vim-full.override { guiSupport = false; }; zbar = super.zbar.override { enableVideo = false; withXorg = false; }; - })); + }); }; } diff --git a/third_party/nixpkgs/nixos/modules/config/qt.nix b/third_party/nixpkgs/nixos/modules/config/qt.nix index 6405166920..cf4e9621d7 100644 --- a/third_party/nixpkgs/nixos/modules/config/qt.nix +++ b/third_party/nixpkgs/nixos/modules/config/qt.nix @@ -20,7 +20,7 @@ let pkgs.adwaita-qt6 ] else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ] - else if isQt5ct then [ pkgs.libsForQt5.qt5ct ] + else if isQt5ct then [ pkgs.libsForQt5.qt5ct pkgs.qt6Packages.qt6ct ] else if isLxqt then [ pkgs.lxqt.lxqt-qtplugin pkgs.lxqt.lxqt-config ] else if isKde then [ pkgs.libsForQt5.plasma-integration pkgs.libsForQt5.systemsettings ] else throw "`qt.platformTheme` ${cfg.platformTheme} and `qt.style` ${cfg.style} are not compatible."; diff --git a/third_party/nixpkgs/nixos/modules/config/swap.nix b/third_party/nixpkgs/nixos/modules/config/swap.nix index 0a7e45bffb..8989a64082 100644 --- a/third_party/nixpkgs/nixos/modules/config/swap.nix +++ b/third_party/nixpkgs/nixos/modules/config/swap.nix @@ -252,6 +252,11 @@ in let realDevice' = escapeSystemdPath sw.realDevice; in nameValuePair "mkswap-${sw.deviceName}" { description = "Initialisation of swap device ${sw.device}"; + # The mkswap service fails for file-backed swap devices if the + # loop module has not been loaded before the service runs. + # We add an ordering constraint to run after systemd-modules-load to + # avoid this race condition. + after = [ "systemd-modules-load.service" ]; wantedBy = [ "${realDevice'}.swap" ]; before = [ "${realDevice'}.swap" ]; path = [ pkgs.util-linux pkgs.e2fsprogs ] diff --git a/third_party/nixpkgs/nixos/modules/config/sysctl.nix b/third_party/nixpkgs/nixos/modules/config/sysctl.nix index 4346c88f76..0bc7ab9667 100644 
--- a/third_party/nixpkgs/nixos/modules/config/sysctl.nix +++ b/third_party/nixpkgs/nixos/modules/config/sysctl.nix @@ -72,5 +72,8 @@ in # Disable YAMA by default to allow easy debugging. boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0; + # Improve compatibility with applications that allocate + # a lot of memory, like modern games + boot.kernel.sysctl."vm.max_map_count" = mkDefault 1048576; }; } diff --git a/third_party/nixpkgs/nixos/modules/config/update-users-groups.pl b/third_party/nixpkgs/nixos/modules/config/update-users-groups.pl index 54352a517a..75c343523e 100644 --- a/third_party/nixpkgs/nixos/modules/config/update-users-groups.pl +++ b/third_party/nixpkgs/nixos/modules/config/update-users-groups.pl @@ -147,7 +147,7 @@ foreach my $g (@{$spec->{groups}}) { if (defined $existing) { $g->{gid} = $existing->{gid} if !defined $g->{gid}; if ($g->{gid} != $existing->{gid}) { - dry_print("warning: not applying", "warning: would not apply", "GID change of group ‘$name’ ($existing->{gid} -> $g->{gid})"); + dry_print("warning: not applying", "warning: would not apply", "GID change of group ‘$name’ ($existing->{gid} -> $g->{gid}) in /etc/group"); $g->{gid} = $existing->{gid}; } $g->{password} = $existing->{password}; # do we want this? @@ -209,7 +209,7 @@ foreach my $u (@{$spec->{users}}) { if (defined $existing) { $u->{uid} = $existing->{uid} if !defined $u->{uid}; if ($u->{uid} != $existing->{uid}) { - dry_print("warning: not applying", "warning: would not apply", "UID change of user ‘$name’ ($existing->{uid} -> $u->{uid})"); + dry_print("warning: not applying", "warning: would not apply", "UID change of user ‘$name’ ($existing->{uid} -> $u->{uid}) in /etc/passwd"); $u->{uid} = $existing->{uid}; } } else { diff --git a/third_party/nixpkgs/nixos/modules/config/users-groups.nix b/third_party/nixpkgs/nixos/modules/config/users-groups.nix index d1e9c8072e..4c9e286ea5 100644 --- a/third_party/nixpkgs/nixos/modules/config/users-groups.nix 
+++ b/third_party/nixpkgs/nixos/modules/config/users-groups.nix @@ -539,14 +539,12 @@ in { # systemd initrd boot.initrd.systemd.users = mkOption { - visible = false; description = '' Users to include in initrd. ''; default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { options.uid = mkOption { - visible = false; type = types.int; description = '' ID of the user in initrd. @@ -555,7 +553,6 @@ in { default = cfg.users.${name}.uid; }; options.group = mkOption { - visible = false; type = types.singleLineStr; description = '' Group the user belongs to in initrd. @@ -567,14 +564,12 @@ in { }; boot.initrd.systemd.groups = mkOption { - visible = false; description = '' Groups to include in initrd. ''; default = {}; type = types.attrsOf (types.submodule ({ name, ... }: { options.gid = mkOption { - visible = false; type = types.int; description = '' ID of the group in initrd. @@ -652,7 +647,7 @@ in { deps = [ "users" ]; text = '' users=() - while IFS=: read -r user hash tail; do + while IFS=: read -r user hash _; do if [[ "$hash" = "$"* && ! "$hash" =~ ^\''$${cryptSchemeIdPatternGroup}\$ ]]; then users+=("$user") fi diff --git a/third_party/nixpkgs/nixos/modules/hardware/all-firmware.nix b/third_party/nixpkgs/nixos/modules/hardware/all-firmware.nix index 7524728636..9e7a01c58a 100644 --- a/third_party/nixpkgs/nixos/modules/hardware/all-firmware.nix +++ b/third_party/nixpkgs/nixos/modules/hardware/all-firmware.nix @@ -55,7 +55,6 @@ in { intel2200BGFirmware rtl8192su-firmware rt5677-firmware - rtl8723bs-firmware rtl8761b-firmware rtw88-firmware zd1211fw diff --git a/third_party/nixpkgs/nixos/modules/hardware/i2c.nix b/third_party/nixpkgs/nixos/modules/hardware/i2c.nix index c0423cc5d9..9a5a2e4481 100644 --- a/third_party/nixpkgs/nixos/modules/hardware/i2c.nix +++ b/third_party/nixpkgs/nixos/modules/hardware/i2c.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; 
@@ -31,10 +31,14 @@ in i2c = { }; }; - services.udev.extraRules = '' - # allow group ${cfg.group} and users with a seat use of i2c devices - ACTION=="add", KERNEL=="i2c-[0-9]*", TAG+="uaccess", GROUP="${cfg.group}", MODE="660" - ''; + services.udev.packages = lib.singleton (pkgs.writeTextFile + { name = "i2c-udev-rules"; + text = '' + # allow group ${cfg.group} and users with a seat use of i2c devices + ACTION=="add", KERNEL=="i2c-[0-9]*", TAG+="uaccess", GROUP="${cfg.group}", MODE="660" + ''; + destination = "/etc/udev/rules.d/70-i2c.rules"; + }); }; diff --git a/third_party/nixpkgs/nixos/modules/hardware/opengl.nix b/third_party/nixpkgs/nixos/modules/hardware/opengl.nix index 9108bcbd16..0ff018ddc4 100644 --- a/third_party/nixpkgs/nixos/modules/hardware/opengl.nix +++ b/third_party/nixpkgs/nixos/modules/hardware/opengl.nix @@ -87,13 +87,13 @@ in extraPackages = mkOption { type = types.listOf types.package; default = []; - example = literalExpression "with pkgs; [ intel-media-driver intel-ocl vaapiIntel ]"; + example = literalExpression "with pkgs; [ intel-media-driver intel-ocl intel-vaapi-driver ]"; description = lib.mdDoc '' Additional packages to add to OpenGL drivers. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc. ::: {.note} - intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained vaapiIntel driver. + intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver. ::: ''; }; 
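Review bot: The file name `70-i2c.rules` in the new `destination` encodes an ordering requirement that nothing in the hunk explains: as far as I recall it is systemd's own `73-seat-late.rules` that turns the `uaccess` tag into ACLs, so `TAG+="uaccess"` only takes effect if this file sorts before it. The previous `extraRules` form landed in a late-numbered file, which is presumably why the rule is being moved into a package; a maintainer renaming the file later would silently break seat-user access without any error. Suggest a comment above `destination`: `# Must sort before systemd's 73-seat-late.rules so the uaccess tag is applied.` The `GROUP="${cfg.group}"`/`MODE="660"` part is unchanged and still grants the configured group device access independently of the seat ACL.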
@@ -101,13 +101,13 @@ in extraPackages32 = mkOption { type = types.listOf types.package; default = []; - example = literalExpression "with pkgs.pkgsi686Linux; [ intel-media-driver vaapiIntel ]"; + example = literalExpression "with pkgs.pkgsi686Linux; [ intel-media-driver intel-vaapi-driver ]"; description = lib.mdDoc '' Additional packages to add to 32-bit OpenGL drivers on 64-bit systems. Used when {option}`driSupport32Bit` is set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc. ::: {.note} - intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained vaapiIntel driver. + intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver. ::: ''; }; diff --git a/third_party/nixpkgs/nixos/modules/hardware/video/displaylink.nix b/third_party/nixpkgs/nixos/modules/hardware/video/displaylink.nix index 912f53da83..ce5fbeeae5 100644 --- a/third_party/nixpkgs/nixos/modules/hardware/video/displaylink.nix +++ b/third_party/nixpkgs/nixos/modules/hardware/video/displaylink.nix @@ -26,6 +26,7 @@ in Identifier "DisplayLink" MatchDriver "evdi" Driver "modesetting" + Option "TearFree" "true" Option "AccelMethod" "none" EndSection ''; diff --git a/third_party/nixpkgs/nixos/modules/hardware/video/nvidia.nix b/third_party/nixpkgs/nixos/modules/hardware/video/nvidia.nix index 592d11d647..e72194653f 100644 --- a/third_party/nixpkgs/nixos/modules/hardware/video/nvidia.nix +++ b/third_party/nixpkgs/nixos/modules/hardware/video/nvidia.nix @@ -265,7 +265,7 @@ in { assertion = primeEnabled -> pCfg.nvidiaBusId != "" && (pCfg.intelBusId != "" || pCfg.amdgpuBusId != ""); message = '' - When NVIDIA PRIME is enabled, the GPU bus IDs must configured. + When NVIDIA PRIME is enabled, the GPU bus IDs must be configured. ''; } 
diff --git a/third_party/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix b/third_party/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix index 573b31b439..ea8056ff87 100644 --- a/third_party/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix +++ b/third_party/nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix @@ -6,6 +6,7 @@ imports = [ ./installation-cd-graphical-base.nix ]; isoImage.edition = "gnome"; + isoImage.graphicalGrub = true; services.xserver.desktopManager.gnome = { # Add Firefox and other tools useful for installation to the launcher diff --git a/third_party/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix b/third_party/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix index f9cbafc286..c430048d65 100644 --- a/third_party/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix +++ b/third_party/nixpkgs/nixos/modules/installer/cd-dvd/iso-image.nix @@ -283,7 +283,7 @@ let cat < $out/EFI/boot/grub.cfg set with_fonts=false - set textmode=false + set textmode=${boolToString (!config.isoImage.graphicalGrub)} # If you want to use serial for "terminal_*" commands, you need to set one up: # Example manual configuration: # → serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 @@ -658,6 +658,16 @@ in ''; }; + isoImage.graphicalGrub = mkOption { + default = false; + type = types.bool; + example = true; + description = lib.mdDoc '' + Whether to use textmode or graphical grub. + false means we use textmode grub. + ''; + }; + }; # store them in lib so we can mkImageMediaOverride the diff --git a/third_party/nixpkgs/nixos/modules/installer/netboot/netboot.nix b/third_party/nixpkgs/nixos/modules/installer/netboot/netboot.nix index a55c0ab2d6..a50f22cbe4 100644 --- a/third_party/nixpkgs/nixos/modules/installer/netboot/netboot.nix +++ b/third_party/nixpkgs/nixos/modules/installer/netboot/netboot.nix 
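Review bot: The description of the new `isoImage.graphicalGrub` option reads awkwardly for a boolean whose name already says what `true` means, and `example = true` adds nothing beyond the type. Suggest `description = lib.mdDoc "Whether to use graphical GRUB instead of text-mode GRUB.";` and dropping the `example` line. The earlier hunk inverts the value into `set textmode=...`, which is consistent with that reading.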
@@ -39,9 +39,7 @@ with lib; # !!! Hack - attributes expected by other modules. environment.systemPackages = [ pkgs.grub2_efi ] - ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux" - then [] - else [ pkgs.grub2 pkgs.syslinux ]); + ++ (lib.optionals (pkgs.stdenv.hostPlatform.system != "aarch64-linux") [pkgs.grub2 pkgs.syslinux]); fileSystems."/" = mkImageMediaOverride { fsType = "tmpfs"; diff --git a/third_party/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix b/third_party/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix index 1058a34133..582334a5ae 100644 --- a/third_party/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix +++ b/third_party/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix @@ -1,7 +1,7 @@ { - x86_64-linux = "/nix/store/mc43d38fibi94pp5crfwacl5gbslccd0-nix-2.13.3"; - i686-linux = "/nix/store/09m966pj26cgd4ihlg8ihl1106j3vih8-nix-2.13.3"; - aarch64-linux = "/nix/store/7f191d125akld27gc6jl0r13l8pl7x0h-nix-2.13.3"; - x86_64-darwin = "/nix/store/1wn9jkvi2zqfjnjgg7lnp30r2q2y8whd-nix-2.13.3"; - aarch64-darwin = "/nix/store/8w0v2mffa10chrf1h66cbvbpw86qmh85-nix-2.13.3"; + x86_64-linux = "/nix/store/ny9r65799s7xhp605bc2753sjvzkxrrs-nix-2.15.1"; + i686-linux = "/nix/store/ck55dz5klc7szi8rx9ghhm8gi2b5q5bw-nix-2.15.1"; + aarch64-linux = "/nix/store/cl0a02vr28913dgw98hrm45a4baqr3z1-nix-2.15.1"; + x86_64-darwin = "/nix/store/wq228jdbz16pp2lnxf32n8dv27pw53p8-nix-2.15.1"; + aarch64-darwin = "/nix/store/x11cpsjg4q236msfz5scc325pfp9xy64-nix-2.15.1"; } diff --git a/third_party/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl b/third_party/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl index 5d3d0216d2..7d0c5898e2 100644 --- a/third_party/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/third_party/nixpkgs/nixos/modules/installer/tools/nixos-generate-config.pl 
@@ -85,7 +85,7 @@ sub debug { # nixpkgs.system -push @attrs, "nixpkgs.hostPlatform = lib.mkDefault \"@system@\";"; +push @attrs, "nixpkgs.hostPlatform = lib.mkDefault \"@hostPlatformSystem@\";"; my $cpuinfo = read_file "/proc/cpuinfo"; @@ -335,7 +335,7 @@ sub findStableDevPath { my $st = stat($dev) or return $dev; - foreach my $dev2 (glob("/dev/disk/by-uuid/*"), glob("/dev/mapper/*"), glob("/dev/disk/by-label/*")) { + foreach my $dev2 (glob("/dev/stratis/*/*"), glob("/dev/disk/by-uuid/*"), glob("/dev/mapper/*"), glob("/dev/disk/by-label/*")) { my $st2 = stat($dev2) or next; return $dev2 if $st->rdev == $st2->rdev; } @@ -381,6 +381,7 @@ sub in { my $fileSystems; my %fsByDev; +my $useSwraid = 0; foreach my $fs (read_file("/proc/self/mountinfo")) { chomp $fs; my @fields = split / /, $fs; @@ -467,6 +468,17 @@ EOF } } + # is this a stratis fs? + my $stableDevPath = findStableDevPath $device; + my $stratisPool; + if ($stableDevPath =~ qr#/dev/stratis/(.*)/.*#) { + my $poolName = $1; + my ($header, @lines) = split "\n", qx/stratis pool list/; + my $uuidIndex = index $header, 'UUID'; + my ($line) = grep /^$poolName /, @lines; + $stratisPool = substr $line, $uuidIndex - 32, 36; + } + # Don't emit tmpfs entry for /tmp, because it most likely comes from the # boot.tmp.useTmpfs option in configuration.nix (managed declaratively). next if ($mountPoint eq "/tmp" && $fsType eq "tmpfs"); @@ -474,7 +486,7 @@ EOF # Emit the filesystem. $fileSystems .= < 'quiet') =~ /^CRYPT-LUKS/) + my $dmUuid = read_file("/sys/class/block/$deviceName/dm/uuid", err_mode => 'quiet'); + if ($dmUuid =~ /^CRYPT-LUKS/) { my @slaves = glob("/sys/class/block/$deviceName/slaves/*"); if (scalar @slaves == 1) { @@ -510,8 +528,14 @@ EOF } } } + if (-e "/sys/class/block/$deviceName/md/uuid") { + $useSwraid = 1; + } } } +if ($useSwraid) { + push @attrs, "boot.swraid.enable = true;\n\n"; +} # Generate the hardware configuration file. 
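Review bot: The stratis pool lookup in the `@@ -467` hunk parses `qx/stratis pool list/` without checking that the command ran or that the parse succeeded: if `stratis` is missing or fails, `$header` is undefined and `index` returns -1, `grep /^$poolName /` finds no line, and `substr` on an undefined `$line` with offset -33 leaves `$stratisPool` undefined, which then flows into the generated configuration (the heredoc that consumes it is in the next hunk, which is garbled in this view). `$poolName` is also interpolated into the regex unescaped, so a pool name containing regex metacharacters would fail to match; `\Q...\E` fixes that. The offsets `-32`/`36` encode a right-aligned 36-character UUID column and deserve a comment. This code sits inside the `foreach my $fs` loop whose start is in the `@@ -381` hunk; a checked version follows.
```perl
    # is this a stratis fs?
    my $stableDevPath = findStableDevPath $device;
    my $stratisPool;
    if ($stableDevPath =~ qr#/dev/stratis/(.*)/.*#) {
        my $poolName = $1;
        my ($header, @lines) = split "\n", qx/stratis pool list/;
        die "failed to run 'stratis pool list' while inspecting $device\n"
            if $? != 0 || !defined $header;
        # The UUID column is right-aligned under its header: a 36-char UUID
        # ends where the 4-char "UUID" label ends, so it starts 32 before it.
        my $uuidIndex = index $header, 'UUID';
        my ($line) = grep /^\Q$poolName\E /, @lines;
        die "could not find stratis pool '$poolName' in 'stratis pool list' output\n"
            if $uuidIndex < 0 || !defined $line;
        $stratisPool = substr $line, $uuidIndex - 32, 36;
    }
```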
diff --git a/third_party/nixpkgs/nixos/modules/installer/tools/tools.nix b/third_party/nixpkgs/nixos/modules/installer/tools/tools.nix index 5133ad18f4..54b0f81ee7 100644 --- a/third_party/nixpkgs/nixos/modules/installer/tools/tools.nix +++ b/third_party/nixpkgs/nixos/modules/installer/tools/tools.nix @@ -35,17 +35,14 @@ let name = "nixos-generate-config"; src = ./nixos-generate-config.pl; perl = "${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl"; - system = pkgs.stdenv.hostPlatform.system; + hostPlatformSystem = pkgs.stdenv.hostPlatform.system; detectvirt = "${config.systemd.package}/bin/systemd-detect-virt"; btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; inherit (config.system.nixos-generate-config) configuration desktopConfiguration; xserverEnabled = config.services.xserver.enable; }; - nixos-option = - if lib.versionAtLeast (lib.getVersion config.nix.package) "2.4pre" - then null - else pkgs.nixos-option; + inherit (pkgs) nixos-option; nixos-version = makeProg { name = "nixos-version"; @@ -232,9 +229,10 @@ in nixos-install nixos-rebuild nixos-generate-config + nixos-option nixos-version nixos-enter - ] ++ lib.optional (nixos-option != null) nixos-option; + ]; documentation.man.man-db.skipPackages = [ nixos-version ]; diff --git a/third_party/nixpkgs/nixos/modules/misc/documentation.nix b/third_party/nixpkgs/nixos/modules/misc/documentation.nix index 31486a2216..820450e3ce 100644 --- a/third_party/nixpkgs/nixos/modules/misc/documentation.nix +++ b/third_party/nixpkgs/nixos/modules/misc/documentation.nix @@ -107,7 +107,7 @@ let } >&2 ''; - inherit (cfg.nixos.options) warningsAreErrors allowDocBook; + inherit (cfg.nixos.options) warningsAreErrors; }; 
@@ -160,6 +160,9 @@ in (mkRenamedOptionModule [ "programs" "info" "enable" ] [ "documentation" "info" "enable" ]) (mkRenamedOptionModule [ "programs" "man" "enable" ] [ "documentation" "man" "enable" ]) (mkRenamedOptionModule [ "services" "nixosManual" "enable" ] [ "documentation" "nixos" "enable" ]) + (mkRemovedOptionModule + [ "documentation" "nixos" "options" "allowDocBook" ] + "DocBook option documentation is no longer supported") ]; options = { @@ -264,23 +267,6 @@ in ''; }; - nixos.options.allowDocBook = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - Whether to allow DocBook option docs. When set to `false` all option using - DocBook documentation will cause a manual build error; additionally a new - renderer may be used. - - ::: {.note} - The `false` setting for this option is not yet fully supported. While it - should work fine and produce the same output as the previous toolchain - using DocBook it may not work in all circumstances. Whether markdown option - documentation is allowed is independent of this option. - ::: - ''; - }; - nixos.options.warningsAreErrors = mkOption { type = types.bool; default = true; @@ -359,14 +345,6 @@ in (mkIf cfg.nixos.enable { system.build.manual = manual; - system.activationScripts.check-manual-docbook = '' - if [[ $(cat ${manual.optionsUsedDocbook}) = 1 ]]; then - echo -e "\e[31;1mwarning\e[0m: This configuration contains option documentation in docbook." \ - "Support for docbook is deprecated and will be removed after NixOS 23.05." \ - "See nix-store --read-log ${builtins.unsafeDiscardStringContext manual.optionsJSON.drvPath}" - fi - ''; - environment.systemPackages = [] ++ optional cfg.man.enable manual.manpages ++ optionals cfg.doc.enable [ manual.manualHTML nixos-help ]; diff --git a/third_party/nixpkgs/nixos/modules/misc/ids.nix b/third_party/nixpkgs/nixos/modules/misc/ids.nix index 5b278b5e80..dc59ccb357 100644 --- a/third_party/nixpkgs/nixos/modules/misc/ids.nix 
+++ b/third_party/nixpkgs/nixos/modules/misc/ids.nix @@ -69,7 +69,7 @@ in #dialout = 27; # unused polkituser = 28; #utmp = 29; # unused - # ddclient = 30; # converted to DynamicUser = true + # ddclient = 30; # software removed davfs2 = 31; disnix = 33; osgi = 34; @@ -394,7 +394,7 @@ in dialout = 27; #polkituser = 28; # currently unused, polkitd doesn't need a group utmp = 29; - # ddclient = 30; # converted to DynamicUser = true + # ddclient = 30; # software removed davfs2 = 31; disnix = 33; osgi = 34; diff --git a/third_party/nixpkgs/nixos/modules/misc/nixpkgs.nix b/third_party/nixpkgs/nixos/modules/misc/nixpkgs.nix index 55ec08acf4..f9d8bccea2 100644 --- a/third_party/nixpkgs/nixos/modules/misc/nixpkgs.nix +++ b/third_party/nixpkgs/nixos/modules/misc/nixpkgs.nix @@ -55,11 +55,6 @@ let description = "An evaluation of Nixpkgs; the top level attribute set of packages"; }; - # Whether `pkgs` was constructed by this module - not if nixpkgs.pkgs or - # _module.args.pkgs is set. However, determining whether _module.args.pkgs - # is defined elsewhere does not seem feasible. - constructedByMe = !opt.pkgs.isDefined; - hasBuildPlatform = opt.buildPlatform.highestPrio < (mkOptionDefault {}).priority; hasHostPlatform = opt.hostPlatform.isDefined; hasPlatform = hasHostPlatform || hasBuildPlatform; 
@@ -337,10 +332,28 @@ in config = { _module.args = { - pkgs = finalPkgs.__splicedPackages; + pkgs = + # We explicitly set the default override priority, so that we do not need + # to evaluate finalPkgs in case an override is placed on `_module.args.pkgs`. + # After all, to determine a definition priority, we need to evaluate `._type`, + # which is somewhat costly for Nixpkgs. With an explicit priority, we only + # evaluate the wrapper to find out that the priority is lower, and then we + # don't need to evaluate `finalPkgs`. + lib.mkOverride lib.modules.defaultOverridePriority + finalPkgs.__splicedPackages; }; - assertions = [ + assertions = let + # Whether `pkgs` was constructed by this module. This is false when any of + # nixpkgs.pkgs or _module.args.pkgs is set. + constructedByMe = + # We set it with default priority and it can not be merged, so if the + # pkgs module argument has that priority, it's from us. + (lib.modules.mergeAttrDefinitionsWithPrio options._module.args).pkgs.highestPrio + == lib.modules.defaultOverridePriority + # Although, if nixpkgs.pkgs is set, we did forward it, but we did not construct it. + && !opt.pkgs.isDefined; + in [ ( let nixosExpectedSystem = diff --git a/third_party/nixpkgs/nixos/modules/misc/version.nix b/third_party/nixpkgs/nixos/modules/misc/version.nix index 780a6b2a83..0a66eafe93 100644 --- a/third_party/nixpkgs/nixos/modules/misc/version.nix +++ b/third_party/nixpkgs/nixos/modules/misc/version.nix @@ -32,7 +32,7 @@ let VARIANT_ID = cfg.variant_id; }; - initrdReleaseContents = osReleaseContents // { + initrdReleaseContents = (removeAttrs osReleaseContents [ "BUILD_ID" ]) // { PRETTY_NAME = "${osReleaseContents.PRETTY_NAME} (Initrd)"; }; initrdRelease = pkgs.writeText "initrd-release" (attrsToText initrdReleaseContents); 
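Review bot: The `version.nix` hunk strips `BUILD_ID` from the initrd's release file without saying why, and the motivation isn't recoverable from the surrounding lines (`osReleaseContents` is defined outside this hunk). A why-comment above the `initrdReleaseContents` assignment would save the next reader a blame, e.g. `# BUILD_ID is deliberately omitted from the initrd release file: <reason>` with the reason filled in by the author.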
@@ -140,13 +140,6 @@ in ''; }; - defaultChannel = mkOption { - internal = true; - type = types.str; - default = "https://nixos.org/channels/nixos-unstable"; - description = lib.mdDoc "Default NixOS channel to which the root user is subscribed."; - }; - configurationRevision = mkOption { type = types.nullOr types.str; default = null; diff --git a/third_party/nixpkgs/nixos/modules/module-list.nix b/third_party/nixpkgs/nixos/modules/module-list.nix index ff06a72ff9..97abbe2191 100644 --- a/third_party/nixpkgs/nixos/modules/module-list.nix +++ b/third_party/nixpkgs/nixos/modules/module-list.nix @@ -16,6 +16,10 @@ ./config/malloc.nix ./config/mysql.nix ./config/networking.nix + ./config/nix.nix + ./config/nix-channel.nix + ./config/nix-flakes.nix + ./config/nix-remote-build.nix ./config/no-x-libs.nix ./config/nsswitch.nix ./config/power-management.nix @@ -156,6 +160,7 @@ ./programs/darling.nix ./programs/dconf.nix ./programs/digitalbitbox/default.nix + ./programs/direnv.nix ./programs/dmrconfig.nix ./programs/droidcam.nix ./programs/environment.nix @@ -241,7 +246,6 @@ ./programs/starship.nix ./programs/steam.nix ./programs/streamdeck-ui.nix - ./programs/sway.nix ./programs/sysdig.nix ./programs/system-config-printer.nix ./programs/systemtap.nix @@ -256,7 +260,9 @@ ./programs/usbtop.nix ./programs/vim.nix ./programs/wavemon.nix - ./programs/waybar.nix + ./programs/wayland/river.nix + ./programs/wayland/sway.nix + ./programs/wayland/waybar.nix ./programs/weylus.nix ./programs/wireshark.nix ./programs/xastir.nix @@ -327,6 +333,8 @@ ./services/audio/spotifyd.nix ./services/audio/squeezelite.nix ./services/audio/tts.nix + ./services/audio/wyoming/faster-whisper.nix + ./services/audio/wyoming/piper.nix ./services/audio/ympd.nix ./services/backup/automysqlbackup.nix ./services/backup/bacula.nix 
@@ -473,6 +481,7 @@ ./services/games/deliantra-server.nix ./services/games/factorio.nix ./services/games/freeciv.nix + ./services/games/mchprs.nix ./services/games/minecraft-server.nix ./services/games/minetest-server.nix ./services/games/openarena.nix @@ -622,7 +631,6 @@ ./services/misc/etcd.nix ./services/misc/etebase-server.nix ./services/misc/etesync-dav.nix - ./services/misc/exhibitor.nix ./services/misc/felix.nix ./services/misc/freeswitch.nix ./services/misc/fstrim.nix @@ -638,6 +646,7 @@ ./services/misc/greenclip.nix ./services/misc/headphones.nix ./services/misc/heisenbridge.nix + ./services/misc/homepage-dashboard.nix ./services/misc/ihaskell.nix ./services/misc/input-remapper.nix ./services/misc/irkerd.nix @@ -658,7 +667,6 @@ ./services/misc/moonraker.nix ./services/misc/n8n.nix ./services/misc/nitter.nix - ./services/misc/nix-daemon.nix ./services/misc/nix-gc.nix ./services/misc/nix-optimise.nix ./services/misc/nix-ssh-serve.nix @@ -723,6 +731,7 @@ ./services/monitoring/alerta.nix ./services/monitoring/apcupsd.nix ./services/monitoring/arbtt.nix + ./services/monitoring/below.nix ./services/monitoring/bosun.nix ./services/monitoring/cadvisor.nix ./services/monitoring/cockpit.nix @@ -751,6 +760,7 @@ ./services/monitoring/munin.nix ./services/monitoring/nagios.nix ./services/monitoring/netdata.nix + ./services/monitoring/opentelemetry-collector.nix ./services/monitoring/parsedmarc.nix ./services/monitoring/prometheus/alertmanager-irc-relay.nix ./services/monitoring/prometheus/alertmanager.nix @@ -776,6 +786,7 @@ ./services/monitoring/uptime-kuma.nix ./services/monitoring/uptime.nix ./services/monitoring/vmagent.nix + ./services/monitoring/vmalert.nix ./services/monitoring/vnstat.nix ./services/monitoring/zabbix-agent.nix ./services/monitoring/zabbix-proxy.nix 
@@ -806,6 +817,7 @@ ./services/network-filesystems/xtreemfs.nix ./services/network-filesystems/yandex-disk.nix ./services/networking/3proxy.nix + ./services/networking/acme-dns.nix ./services/networking/adguardhome.nix ./services/networking/alice-lg.nix ./services/networking/amuled.nix @@ -842,7 +854,6 @@ ./services/networking/create_ap.nix ./services/networking/croc.nix ./services/networking/dante.nix - ./services/networking/ddclient.nix ./services/networking/dhcpcd.nix ./services/networking/dhcpd.nix ./services/networking/dnscache.nix @@ -911,6 +922,7 @@ ./services/networking/knot.nix ./services/networking/kresd.nix ./services/networking/lambdabot.nix + ./services/networking/legit.nix ./services/networking/libreswan.nix ./services/networking/lldpd.nix ./services/networking/logmein-hamachi.nix @@ -1006,6 +1018,8 @@ ./services/networking/shorewall.nix ./services/networking/shorewall6.nix ./services/networking/shout.nix + ./services/networking/sing-box.nix + ./services/networking/sitespeed-io.nix ./services/networking/skydns.nix ./services/networking/smartdns.nix ./services/networking/smokeping.nix @@ -1045,6 +1059,7 @@ ./services/networking/tox-node.nix ./services/networking/toxvpn.nix ./services/networking/trickster.nix + ./services/networking/trust-dns.nix ./services/networking/tvheadend.nix ./services/networking/twingate.nix ./services/networking/ucarp.nix @@ -1095,6 +1110,7 @@ ./services/security/clamav.nix ./services/security/endlessh-go.nix ./services/security/endlessh.nix + ./services/security/esdm.nix ./services/security/fail2ban.nix ./services/security/fprintd.nix ./services/security/haka.nix @@ -1133,6 +1149,7 @@ ./services/system/earlyoom.nix ./services/system/kerberos/default.nix ./services/system/localtimed.nix + ./services/system/nix-daemon.nix ./services/system/nscd.nix ./services/system/saslauthd.nix ./services/system/self-deploy.nix 
@@ -1160,6 +1177,7 @@ ./services/wayland/cage.nix ./services/web-apps/akkoma.nix ./services/web-apps/alps.nix + ./services/web-apps/anuko-time-tracker.nix ./services/web-apps/atlassian/confluence.nix ./services/web-apps/atlassian/crowd.nix ./services/web-apps/atlassian/jira.nix @@ -1183,8 +1201,11 @@ ./services/web-apps/galene.nix ./services/web-apps/gerrit.nix ./services/web-apps/gotify-server.nix + ./services/web-apps/gotosocial.nix ./services/web-apps/grocy.nix ./services/web-apps/pixelfed.nix + ./services/web-apps/guacamole-client.nix + ./services/web-apps/guacamole-server.nix ./services/web-apps/healthchecks.nix ./services/web-apps/hedgedoc.nix ./services/web-apps/hledger-web.nix @@ -1230,6 +1251,7 @@ ./services/web-apps/powerdns-admin.nix ./services/web-apps/prosody-filer.nix ./services/web-apps/restya-board.nix + ./services/web-apps/sftpgo.nix ./services/web-apps/rss-bridge.nix ./services/web-apps/selfoss.nix ./services/web-apps/shiori.nix @@ -1266,7 +1288,9 @@ ./services/web-servers/nginx/gitweb.nix ./services/web-servers/phpfpm/default.nix ./services/web-servers/pomerium.nix + ./services/web-servers/rustus.nix ./services/web-servers/stargazer.nix + ./services/web-servers/static-web-server.nix ./services/web-servers/tomcat.nix ./services/web-servers/traefik.nix ./services/web-servers/trafficserver/default.nix @@ -1308,7 +1332,6 @@ ./services/x11/window-managers/default.nix ./services/x11/window-managers/fluxbox.nix ./services/x11/window-managers/icewm.nix - ./services/x11/window-managers/bspwm.nix ./services/x11/window-managers/katriawm.nix ./services/x11/window-managers/metacity.nix ./services/x11/window-managers/nimdow.nix @@ -1321,6 +1344,7 @@ ./services/x11/xbanish.nix ./services/x11/xfs.nix ./services/x11/xserver.nix + ./system/activation/activatable-system.nix ./system/activation/activation-script.nix ./system/activation/specialisation.nix ./system/activation/bootspec.nix 
@@ -1345,6 +1369,7 @@ ./system/boot/loader/raspberrypi/raspberrypi.nix ./system/boot/loader/systemd-boot/systemd-boot.nix ./system/boot/luksroot.nix + ./system/boot/stratisroot.nix ./system/boot/modprobe.nix ./system/boot/networkd.nix ./system/boot/plymouth.nix @@ -1389,6 +1414,7 @@ ./tasks/filesystems/nfs.nix ./tasks/filesystems/ntfs.nix ./tasks/filesystems/reiserfs.nix + ./tasks/filesystems/squashfs.nix ./tasks/filesystems/unionfs-fuse.nix ./tasks/filesystems/vboxsf.nix ./tasks/filesystems/vfat.nix diff --git a/third_party/nixpkgs/nixos/modules/profiles/headless.nix b/third_party/nixpkgs/nixos/modules/profiles/headless.nix index c17cb287b7..eb29f3d651 100644 --- a/third_party/nixpkgs/nixos/modules/profiles/headless.nix +++ b/third_party/nixpkgs/nixos/modules/profiles/headless.nix @@ -6,8 +6,6 @@ with lib; { - boot.vesa = false; - # Don't start a tty on the serial consoles. systemd.services."serial-getty@ttyS0".enable = lib.mkDefault false; systemd.services."serial-getty@hvc0".enable = false; @@ -15,7 +13,7 @@ with lib; systemd.services."autovt@".enable = false; # Since we can't manually respond to a panic, just reboot. - boot.kernelParams = [ "panic=1" "boot.panic_on_fail" ]; + boot.kernelParams = [ "panic=1" "boot.panic_on_fail" "vga=0x317" "nomodeset" ]; # Don't allow emergency mode, because we don't have a console. systemd.enableEmergencyMode = false; diff --git a/third_party/nixpkgs/nixos/modules/profiles/installation-device.nix b/third_party/nixpkgs/nixos/modules/profiles/installation-device.nix index 32884f4b87..4120d5919d 100644 --- a/third_party/nixpkgs/nixos/modules/profiles/installation-device.nix +++ b/third_party/nixpkgs/nixos/modules/profiles/installation-device.nix @@ -106,6 +106,8 @@ with lib; systemdStage1Network ]; + boot.swraid.enable = true; + # Show all debug messages from the kernel but don't log refused packets # because we have the firewall enabled. This makes installs from the # console less cumbersome if the machine has a public IP. 
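Review bot: Adding `"vga=0x317" "nomodeset"` to `boot.kernelParams` in the `headless.nix` hunk looks like the opposite of what the removed `boot.vesa = false;` expressed: `vga=0x317` requests a fixed VESA framebuffer mode and `nomodeset` disables kernel modesetting, neither of which a headless profile has an obvious use for, and a removed `= false` would normally just be deleted when its option goes away. If the intent is to keep the kernel from initialising graphics hardware at all, say so on the line, e.g. `# No display is attached: skip KMS and fall back to a fixed VESA mode`; if it is an accidental inversion of the old default, drop the two parameters. The `boot.vesa` option's definition is not in this view, so I can't confirm which way it mapped.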
diff --git a/third_party/nixpkgs/nixos/modules/profiles/macos-builder.nix b/third_party/nixpkgs/nixos/modules/profiles/macos-builder.nix index 768c673e7f..83a8499561 100644 --- a/third_party/nixpkgs/nixos/modules/profiles/macos-builder.nix +++ b/third_party/nixpkgs/nixos/modules/profiles/macos-builder.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, ... }: let keysDirectory = "/var/keys"; @@ -67,9 +67,9 @@ in ''; }; hostPort = mkOption { - default = 22; + default = 31022; type = types.int; - example = 31022; + example = 22; description = '' The localhost host port to forward TCP to the guest port. ''; @@ -139,13 +139,13 @@ in hostPkgs = config.virtualisation.host.pkgs; - script = hostPkgs.writeShellScriptBin "create-builder" ( + script = hostPkgs.writeShellScriptBin "create-builder" ( # When running as non-interactively as part of a DarwinConfiguration the working directory # must be set to a writeable directory. (if cfg.workingDirectory != "." then '' ${hostPkgs.coreutils}/bin/mkdir --parent "${cfg.workingDirectory}" cd "${cfg.workingDirectory}" - '' else "") + '' + '' else "") + '' KEYS="''${KEYS:-./keys}" ${hostPkgs.coreutils}/bin/mkdir --parent "''${KEYS}" PRIVATE_KEY="''${KEYS}/${user}_${keyType}" @@ -157,7 +157,7 @@ in if ! ${hostPkgs.diffutils}/bin/cmp "''${PUBLIC_KEY}" ${publicKey}; then (set -x; sudo --reset-timestamp ${installCredentials} "''${KEYS}") fi - KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${config.system.build.vm}/bin/run-nixos-vm + KEYS="$(${hostPkgs.nix}/bin/nix-store --add "$KEYS")" ${lib.getExe config.system.build.vm} ''); in @@ -177,7 +177,7 @@ in Please inspect the trace of the following command to figure out which module has a dependency on stateVersion. - nix-instantiate --attr darwin.builder --show-trace + nix-instantiate --attr darwin.linux-builder --show-trace ''); }; 
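Review bot: The rewritten run line in the `@@ -157` hunk still does `KEYS="$(nix-store --add "$KEYS")"`, which copies the directory holding `PRIVATE_KEY` into the Nix store, where every local user can read it; the change only swaps the binary path for `lib.getExe`, so this is pre-existing, but it is the line under review. If that is acceptable because the key only authorises SSH to a VM reachable on localhost, a comment on the line should say so, e.g. `# NOTE: the key directory is copied into the world-readable store; it only grants access to the local builder VM.`; otherwise the keys should reach the VM without passing through the store. The script is assembled outside the hunk, so I can't see whether anything else reads `$KEYS`.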
@@ -234,6 +234,10 @@ in # This ensures that anything built on the guest isn't lost when the guest is # restarted. writableStoreUseTmpfs = false; + + # Pass certificates from host to the guest otherwise when custom CA certificates + # are required we can't use the cached builder. + useHostCerts = true; }; }; } diff --git a/third_party/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix b/third_party/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix index 97c2570475..fc05bcd11e 100644 --- a/third_party/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix +++ b/third_party/nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix @@ -23,6 +23,12 @@ in config = mkIf cfg.enable { systemd.packages = [ pkgs.cfs-zen-tweaks ]; - systemd.services.set-cfs-tweak.wantedBy = [ "multi-user.target" "suspend.target" "hibernate.target" "hybrid-sleep.target" "suspend-then-hibernate.target" ]; + systemd.services.set-cfs-tweaks.wantedBy = [ + "multi-user.target" + "suspend.target" + "hibernate.target" + "hybrid-sleep.target" + "suspend-then-hibernate.target" + ]; }; } diff --git a/third_party/nixpkgs/nixos/modules/programs/direnv.nix b/third_party/nixpkgs/nixos/modules/programs/direnv.nix new file mode 100644 index 0000000000..53717fae11 --- /dev/null +++ b/third_party/nixpkgs/nixos/modules/programs/direnv.nix 
@@ -0,0 +1,147 @@ +{ + lib, + config, + pkgs, + ... +}: let + cfg = config.programs.direnv; +in { + options.programs.direnv = { + + enable = lib.mkEnableOption (lib.mdDoc '' + direnv integration. Takes care of both installation and + setting up the sourcing of the shell. Additionally enables nix-direnv + integration. Note that you need to logout and login for this change to apply. + ''); + + package = lib.mkPackageOptionMD pkgs "direnv" {}; + + direnvrcExtra = lib.mkOption { + type = lib.types.lines; + default = ""; + example = '' + export FOO="foo" + echo "loaded direnv!" + ''; + description = lib.mdDoc '' + Extra lines to append to the sourced direnvrc + ''; + }; + + silent = lib.mkEnableOption (lib.mdDoc '' + the hiding of direnv logging + ''); + + persistDerivations = + (lib.mkEnableOption (lib.mdDoc '' + setting keep-derivations and keep-outputs to true + to prevent shells from getting garbage collected + '')) + // { + default = true; + }; + + loadInNixShell = + lib.mkEnableOption (lib.mdDoc '' + loading direnv in `nix-shell` `nix shell` or `nix develop` + '') + // { + default = true; + }; + + nix-direnv = { + enable = + (lib.mkEnableOption (lib.mdDoc '' + a faster, persistent implementation of use_nix and use_flake, to replace the built-in one + '')) + // { + default = true; + }; + + package = lib.mkPackageOptionMD pkgs "nix-direnv" {}; + }; + }; + + config = lib.mkIf cfg.enable { + + programs = { + zsh.interactiveShellInit = '' + if ${lib.boolToString cfg.loadInNixShell} || printenv PATH | grep -vqc '/nix/store'; then + eval "$(${lib.getExe cfg.package} hook zsh)" + fi + ''; + + #$NIX_GCROOT for "nix develop" https://github.com/NixOS/nix/blob/6db66ebfc55769edd0c6bc70fcbd76246d4d26e0/src/nix/develop.cc#L530 + #$IN_NIX_SHELL for "nix-shell" + bash.interactiveShellInit = '' + if ${lib.boolToString cfg.loadInNixShell} || [ -z "$IN_NIX_SHELL$NIX_GCROOT$(printenv PATH | grep '/nix/store')" ] ; then + eval "$(${lib.getExe cfg.package} hook bash)" + fi + ''; + + 
fish.interactiveShellInit = '' + if ${lib.boolToString cfg.loadInNixShell}; + or printenv PATH | grep -vqc '/nix/store'; + ${lib.getExe cfg.package} hook fish | source + end + ''; + }; + + nix.settings = lib.mkIf cfg.persistDerivations { + keep-outputs = true; + keep-derivations = true; + }; + + environment = { + systemPackages = + if cfg.loadInNixShell then [cfg.package] + else [ + #direnv has a fish library which sources direnv for some reason + (cfg.package.overrideAttrs (old: { + installPhase = + (old.installPhase or "") + + '' + rm -rf $out/share/fish + ''; + })) + ]; + + variables = { + DIRENV_CONFIG = "/etc/direnv"; + DIRENV_LOG_FORMAT = lib.mkIf cfg.silent ""; + }; + + etc = { + "direnv/direnvrc".text = '' + ${lib.optionalString cfg.nix-direnv.enable '' + #Load nix-direnv + source ${cfg.nix-direnv.package}/share/nix-direnv/direnvrc + ''} + + #Load direnvrcExtra + ${cfg.direnvrcExtra} + + #Load user-configuration if present (~/.direnvrc or ~/.config/direnv/direnvrc) + direnv_config_dir_home="''${DIRENV_CONFIG_HOME:-''${XDG_CONFIG_HOME:-$HOME/.config}/direnv}" + if [[ -f $direnv_config_dir_home/direnvrc ]]; then + source "$direnv_config_dir_home/direnvrc" >&2 + elif [[ -f $HOME/.direnvrc ]]; then + source "$HOME/.direnvrc" >&2 + fi + + unset direnv_config_dir_home + ''; + + "direnv/lib/zz-user.sh".text = '' + direnv_config_dir_home="''${DIRENV_CONFIG_HOME:-''${XDG_CONFIG_HOME:-$HOME/.config}/direnv}" + + for lib in "$direnv_config_dir_home/lib/"*.sh; do + source "$lib" + done + + unset direnv_config_dir_home + ''; + }; + }; + }; +} diff --git a/third_party/nixpkgs/nixos/modules/programs/gnupg.nix b/third_party/nixpkgs/nixos/modules/programs/gnupg.nix index 764a67a160..697b6e9a0b 100644 --- a/third_party/nixpkgs/nixos/modules/programs/gnupg.nix +++ b/third_party/nixpkgs/nixos/modules/programs/gnupg.nix 
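Review bot: The three shell hooks decide differently whether they are inside a Nix shell: `bash.interactiveShellInit` checks `$IN_NIX_SHELL`, `$NIX_GCROOT` and the PATH heuristic, while the zsh and fish hooks rely on `printenv PATH | grep -vqc '/nix/store'` alone, so the two can disagree for the same session. The comment explaining `$NIX_GCROOT`/`$IN_NIX_SHELL` sits only above the bash block; the same variables should be checked in all three hooks, and the `-c` in `grep -vqc` is redundant with `-q`. Also, `persistDerivations` defaults to `true` and sets `nix.settings.keep-outputs`/`keep-derivations` system-wide, which changes garbage-collection behaviour for every user, so its description should state that the effect is global rather than limited to direnv shells.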
@@ -75,9 +75,7 @@ in defaultText = literalMD ''matching the configured desktop environment''; description = lib.mdDoc '' Which pinentry interface to use. If not null, the path to the - pinentry binary will be passed to gpg-agent via commandline and - thus overrides the pinentry option in gpg-agent.conf in the user's - home directory. + pinentry binary will be set in /etc/gnupg/gpg-agent.conf. If not set at all, it'll pick an appropriate flavor depending on the system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce 4.12, gnome3 on all other systems with X enabled, ncurses otherwise). 
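Review bot: The reworded description loses the precedence statement the old text made, and the new mechanism appears to have the opposite property: `pinentry-program` in `/etc/gnupg/gpg-agent.conf` is a system-wide default that, under gpg-agent's usual configuration precedence, a per-user `~/.gnupg/gpg-agent.conf` can override, whereas the previous `--pinentry-program` command-line flag could not be overridden by the user. Because the pinentry is the program that receives the passphrase, who has the final say on it is worth stating explicitly; suggest adding `Users can still override this in their own gpg-agent.conf.` after the first sentence, after confirming the precedence against gpg-agent(1).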
@@ -94,38 +92,111 @@ in }; config = mkIf cfg.agent.enable { + environment.etc."gnupg/gpg-agent.conf".text = + lib.optionalString (cfg.agent.pinentryFlavor != null) '' + pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry + ''; + # This overrides the systemd user unit shipped with the gnupg package - systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) { - serviceConfig.ExecStart = [ "" '' - ${cfg.package}/bin/gpg-agent --supervised \ - --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry - '' ]; + systemd.user.services.gpg-agent = { + unitConfig = { + Description = "GnuPG cryptographic agent and passphrase cache"; + Documentation = "man:gpg-agent(1)"; + Requires = [ "gpg-agent.socket" ]; + }; + serviceConfig = { + ExecStart = "${cfg.package}/bin/gpg-agent --supervised"; + ExecReload = "${cfg.package}/bin/gpgconf --reload gpg-agent"; + }; }; systemd.user.sockets.gpg-agent = { + unitConfig = { + Description = "GnuPG cryptographic agent and passphrase cache"; + Documentation = "man:gpg-agent(1)"; + }; + socketConfig = { + ListenStream = "%t/gnupg/S.gpg-agent"; + FileDescriptorName = "std"; + SocketMode = "0600"; + DirectoryMode = "0700"; + }; wantedBy = [ "sockets.target" ]; }; systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport { + unitConfig = { + Description = "GnuPG cryptographic agent (ssh-agent emulation)"; + Documentation = "man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)"; + }; + socketConfig = { + ListenStream = "%t/gnupg/S.gpg-agent.ssh"; + FileDescriptorName = "ssh"; + Service = "gpg-agent.service"; + SocketMode = "0600"; + DirectoryMode = "0700"; + }; wantedBy = [ "sockets.target" ]; }; systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket { + unitConfig = { + Description = "GnuPG cryptographic agent and passphrase cache (restricted)"; + Documentation = "man:gpg-agent(1)"; + }; + socketConfig = { + ListenStream = "%t/gnupg/S.gpg-agent.extra"; 
+ FileDescriptorName = "extra"; + Service = "gpg-agent.service"; + SocketMode = "0600"; + DirectoryMode = "0700"; + }; wantedBy = [ "sockets.target" ]; }; systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket { + unitConfig = { + Description = "GnuPG cryptographic agent and passphrase cache (access for web browsers)"; + Documentation = "man:gpg-agent(1)"; + }; + socketConfig = { + ListenStream = "%t/gnupg/S.gpg-agent.browser"; + FileDescriptorName = "browser"; + Service = "gpg-agent.service"; + SocketMode = "0600"; + DirectoryMode = "0700"; + }; wantedBy = [ "sockets.target" ]; }; + systemd.user.services.dirmngr = mkIf cfg.dirmngr.enable { + unitConfig = { + Description = "GnuPG network certificate management daemon"; + Documentation = "man:dirmngr(8)"; + Requires = "dirmngr.socket"; + }; + serviceConfig = { + ExecStart = "${cfg.package}/bin/dirmngr --supervised"; + ExecReload = "${cfg.package}/bin/gpgconf --reload dirmngr"; + }; + }; + systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable { + unitConfig = { + Description = "GnuPG network certificate management daemon"; + Documentation = "man:dirmngr(8)"; + }; + socketConfig = { + ListenStream = "%t/gnupg/S.dirmngr"; + SocketMode = "0600"; + DirectoryMode = "0700"; + }; wantedBy = [ "sockets.target" ]; }; services.dbus.packages = mkIf (cfg.agent.pinentryFlavor == "gnome3") [ pkgs.gcr ]; environment.systemPackages = with pkgs; [ cfg.package ]; - systemd.packages = [ cfg.package ]; environment.interactiveShellInit = '' # Bind gpg-agent to this TTY if gpg commands are used. diff --git a/third_party/nixpkgs/nixos/modules/programs/nano.nix b/third_party/nixpkgs/nixos/modules/programs/nano.nix index 16bab620d6..7705bf0ddc 100644 --- a/third_party/nixpkgs/nixos/modules/programs/nano.nix +++ b/third_party/nixpkgs/nixos/modules/programs/nano.nix 
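Review bot: `systemd.user.services.dirmngr` sets `Requires = "dirmngr.socket"` as a bare string while the gpg-agent service earlier in the hunk uses a list (`Requires = [ "gpg-agent.socket" ]`); both forms evaluate, but one should be used throughout, e.g. `Requires = [ "dirmngr.socket" ];`. The `environment.etc."gnupg/gpg-agent.conf"` entry is also created unconditionally, so with `pinentryFlavor = null` an empty system-wide gpg-agent.conf now appears where none existed before; wrapping the attribute in `mkIf (cfg.agent.pinentryFlavor != null)` preserves the old behaviour. The `SocketMode = "0600"` / `DirectoryMode = "0700"` pairs on every socket are the right choice for per-user agent sockets and should stay even if the units are later trimmed.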
@@ -35,8 +35,17 @@ in ###### implementation config = lib.mkIf (cfg.nanorc != "" || cfg.syntaxHighlight) { - environment.etc.nanorc.text = lib.concatStrings [ cfg.nanorc - (lib.optionalString cfg.syntaxHighlight ''${LF}include "${pkgs.nano}/share/nano/*.nanorc"'') ]; + environment.etc.nanorc.text = lib.concatStringsSep LF ( + ( lib.optionals cfg.syntaxHighlight [ + "# The line below is added because value of programs.nano.syntaxHighlight is set to true" + ''include "${pkgs.nano}/share/nano/*.nanorc"'' + "" + ]) + ++ ( lib.optionals (cfg.nanorc != "") [ + "# The lines below have been set from value of programs.nano.nanorc" + cfg.nanorc + ]) + ); }; } diff --git a/third_party/nixpkgs/nixos/modules/programs/nix-ld.nix b/third_party/nixpkgs/nixos/modules/programs/nix-ld.nix index f0c265f0e5..d54b3917f8 100644 --- a/third_party/nixpkgs/nixos/modules/programs/nix-ld.nix +++ b/third_party/nixpkgs/nixos/modules/programs/nix-ld.nix @@ -2,15 +2,14 @@ let cfg = config.programs.nix-ld; - # TODO make glibc here configurable? - nix-ld-so = pkgs.runCommand "ld.so" {} '' - ln -s "$(cat '${pkgs.stdenv.cc}/nix-support/dynamic-linker')" $out - ''; - nix-ld-libraries = pkgs.buildEnv { name = "lb-library-path"; pathsToLink = [ "/lib" ]; paths = map lib.getLib cfg.libraries; + # TODO make glibc here configurable? + postBuild = '' + ln -s ${pkgs.stdenv.cc.bintools.dynamicLinker} $out/share/nix-ld/lib/ld.so + ''; extraPrefix = "/share/nix-ld"; ignoreCollisions = true; }; 
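Review bot: The new `postBuild` runs `ln -s ${pkgs.stdenv.cc.bintools.dynamicLinker} $out/share/nix-ld/lib/ld.so`, but `$out/share/nix-ld/lib` only exists when at least one entry of `paths = map lib.getLib cfg.libraries` contributes a `/lib` directory; with `programs.nix-ld.libraries = []` buildEnv most likely leaves that directory absent and the `ln` fails the build. Add `mkdir -p $out/share/nix-ld/lib` before the `ln`, which also guarantees `ld.so` is present regardless of the library set so the `NIX_LD` path the module sets later in this file resolves. The `let` block this hunk edits continues outside the hunk.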
@@ -38,12 +37,7 @@ in meta.maintainers = [ lib.maintainers.mic92 ]; options.programs.nix-ld = { enable = lib.mkEnableOption (lib.mdDoc ''nix-ld, Documentation: ''); - package = lib.mkOption { - type = lib.types.package; - description = lib.mdDoc "Which package to use for the nix-ld."; - default = pkgs.nix-ld; - defaultText = lib.literalExpression "pkgs.nix-ld"; - }; + package = lib.mkPackageOptionMD pkgs "nix-ld" { }; libraries = lib.mkOption { type = lib.types.listOf lib.types.package; description = lib.mdDoc "Libraries that automatically become available to all programs. The default set includes common libraries."; @@ -60,7 +54,7 @@ in environment.pathsToLink = [ "/share/nix-ld" ]; environment.variables = { - NIX_LD = toString nix-ld-so; + NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so"; NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib"; }; }; diff --git a/third_party/nixpkgs/nixos/modules/programs/shadow.nix b/third_party/nixpkgs/nixos/modules/programs/shadow.nix index 35267acd6b..00895db03f 100644 --- a/third_party/nixpkgs/nixos/modules/programs/shadow.nix +++ b/third_party/nixpkgs/nixos/modules/programs/shadow.nix 
@@ -1,67 +1,131 @@ # Configuration for the pwdutils suite of tools: passwd, useradd, etc. - { config, lib, utils, pkgs, ... }: - with lib; - let + cfg = config.security.loginDefs; +in +{ + options = with types; { + security.loginDefs = { + package = mkPackageOptionMD pkgs "shadow" { }; - /* - There are three different sources for user/group id ranges, each of which gets - used by different programs: - - The login.defs file, used by the useradd, groupadd and newusers commands - - The update-users-groups.pl file, used by NixOS in the activation phase to - decide on which ids to use for declaratively defined users without a static - id - - Systemd compile time options -Dsystem-uid-max= and -Dsystem-gid-max=, used - by systemd for features like ConditionUser=@system and systemd-sysusers - */ - loginDefs = - '' - DEFAULT_HOME yes + chfnRestrict = mkOption { + description = mdDoc '' + Use chfn SUID to allow non-root users to change their account GECOS information. + ''; + type = nullOr str; + default = null; + }; - SYS_UID_MIN 400 - SYS_UID_MAX 999 - UID_MIN 1000 - UID_MAX 29999 + settings = mkOption { + description = mdDoc '' + Config options for the /etc/login.defs file, that defines + the site-specific configuration for the shadow password suite. + See login.defs(5) man page for available options. 
+ ''; + type = submodule { + freeformType = (pkgs.formats.keyValue { }).type; + /* There are three different sources for user/group id ranges, each of which gets + used by different programs: + - The login.defs file, used by the useradd, groupadd and newusers commands + - The update-users-groups.pl file, used by NixOS in the activation phase to + decide on which ids to use for declaratively defined users without a static + id + - Systemd compile time options -Dsystem-uid-max= and -Dsystem-gid-max=, used + by systemd for features like ConditionUser=@system and systemd-sysusers + */ + options = { + DEFAULT_HOME = mkOption { + description = mdDoc "Indicate if login is allowed if we can't cd to the home directory."; + default = "yes"; + type = enum [ "yes" "no" ]; + }; - SYS_GID_MIN 400 - SYS_GID_MAX 999 - GID_MIN 1000 - GID_MAX 29999 + ENCRYPT_METHOD = mkOption { + description = mdDoc "This defines the system default encryption algorithm for encrypting passwords."; + # The default crypt() method, keep in sync with the PAM default + default = "YESCRYPT"; + type = enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"]; + }; - TTYGROUP tty - TTYPERM 0620 + SYS_UID_MIN = mkOption { + description = mdDoc "Range of user IDs used for the creation of system users by useradd or newusers."; + default = 400; + type = int; + }; - # Ensure privacy for newly created home directories. - UMASK 077 + SYS_UID_MAX = mkOption { + description = mdDoc "Range of user IDs used for the creation of system users by useradd or newusers."; + default = 999; + type = int; + }; - # Uncomment this and install chfn SUID to allow non-root - # users to change their account GECOS information. - # This should be made configurable. 
- #CHFN_RESTRICT frwh + UID_MIN = mkOption { + description = mdDoc "Range of user IDs used for the creation of regular users by useradd or newusers."; + default = 1000; + type = int; + }; - # The default crypt() method, keep in sync with the PAM default - ENCRYPT_METHOD YESCRYPT - ''; + UID_MAX = mkOption { + description = mdDoc "Range of user IDs used for the creation of regular users by useradd or newusers."; + default = 29999; + type = int; + }; - mkSetuidRoot = source: - { setuid = true; - owner = "root"; - group = "root"; - inherit source; + SYS_GID_MIN = mkOption { + description = mdDoc "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; + default = 400; + type = int; + }; + + SYS_GID_MAX = mkOption { + description = mdDoc "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers"; + default = 999; + type = int; + }; + + GID_MIN = mkOption { + description = mdDoc "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; + default = 1000; + type = int; + }; + + GID_MAX = mkOption { + description = mdDoc "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers."; + default = 29999; + type = int; + }; + + TTYGROUP = mkOption { + description = mdDoc '' + The terminal permissions: the login tty will be owned by the TTYGROUP group, + and the permissions will be set to TTYPERM''; + default = "tty"; + type = str; + }; + + TTYPERM = mkOption { + description = mdDoc '' + The terminal permissions: the login tty will be owned by the TTYGROUP group, + and the permissions will be set to TTYPERM''; + default = "0620"; + type = str; + }; + + # Ensure privacy for newly created home directories. 
+ UMASK = mkOption { + description = mdDoc "The file mode creation mask is initialized to this value."; + default = "077"; + type = str; + }; + }; + }; + default = { }; + }; }; -in - -{ - - ###### interface - - options = { - - users.defaultUserShell = lib.mkOption { - description = lib.mdDoc '' + users.defaultUserShell = mkOption { + description = mdDoc '' This option defines the default shell assigned to user accounts. This can be either a full system path or a shell package. 
@@ -69,63 +133,107 @@ in used outside the store (in particular in /etc/passwd). ''; example = literalExpression "pkgs.zsh"; - type = types.either types.path types.shellPackage; + type = either path shellPackage; }; - }; - ###### implementation config = { + assertions = [ + { + assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX; + message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX"; + } + { + assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX; + message = "UID_MIN must be less than or equal to UID_MAX"; + } + { + assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX; + message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX"; + } + { + assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX; + message = "GID_MIN must be less than or equal to GID_MAX"; + } + ]; - environment.systemPackages = - lib.optional config.users.mutableUsers pkgs.shadow ++ - lib.optional (types.shellPackage.check config.users.defaultUserShell) - config.users.defaultUserShell; + security.loginDefs.settings.CHFN_RESTRICT = + mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict; + + environment.systemPackages = optional config.users.mutableUsers cfg.package + ++ optional (types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell + ++ optional (cfg.chfnRestrict != null) pkgs.util-linux; environment.etc = - { # /etc/login.defs: global configuration for pwdutils. You - # cannot login without it! - "login.defs".source = pkgs.writeText "login.defs" loginDefs; + # Create custom toKeyValue generator + # see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification + let + toKeyValue = generators.toKeyValue { + mkKeyValue = generators.mkKeyValueDefault { } " "; + }; + in + { + # /etc/login.defs: global configuration for pwdutils. + # You cannot login without it! + "login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings); # /etc/default/useradd: configuration for useradd. 
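Review bot: `ENCRYPT_METHOD` admits `MD5` and `DES` in its enum with no warning, so the module will write a login.defs that hashes newly set passwords with algorithms that are trivially brute-forced today; either drop them from the enum or extend the description with `MD5 and DES are retained only for legacy compatibility and must not be used on new systems.` The source comment `# The default crypt() method, keep in sync with the PAM default` should also be carried into the option description, since someone changing this from the rendered docs will not see the coupling with the PAM configuration. The UID/GID bounds are typed `int`; `ints.unsigned` would reject negative ids, which are never valid in login.defs. `chfnRestrict` is `nullOr str`, but CHFN_RESTRICT only takes a subset of the letters `frwh` (plus legacy `yes`/`no`, as I recall login.defs(5)), so a `strMatching` type would catch typos at evaluation time — confirm the accepted spellings against the man page.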
- "default/useradd".source = pkgs.writeText "useradd" - '' - GROUP=100 - HOME=/home - SHELL=${utils.toShellPath config.users.defaultUserShell} - ''; + "default/useradd".source = pkgs.writeText "useradd" '' + GROUP=100 + HOME=/home + SHELL=${utils.toShellPath config.users.defaultUserShell} + ''; }; - security.pam.services = - { chsh = { rootOK = true; }; - chfn = { rootOK = true; }; - su = { rootOK = true; forwardXAuth = true; logFailures = true; }; - passwd = {}; - # Note: useradd, groupadd etc. aren't setuid root, so it - # doesn't really matter what the PAM config says as long as it - # lets root in. - useradd = { rootOK = true; }; - usermod = { rootOK = true; }; - userdel = { rootOK = true; }; - groupadd = { rootOK = true; }; - groupmod = { rootOK = true; }; - groupmems = { rootOK = true; }; - groupdel = { rootOK = true; }; - login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; }; - chpasswd = { rootOK = true; }; + security.pam.services = { + chsh = { rootOK = true; }; + chfn = { rootOK = true; }; + su = { + rootOK = true; + forwardXAuth = true; + logFailures = true; }; - - security.wrappers = { - su = mkSetuidRoot "${pkgs.shadow.su}/bin/su"; - sg = mkSetuidRoot "${pkgs.shadow.out}/bin/sg"; - newgrp = mkSetuidRoot "${pkgs.shadow.out}/bin/newgrp"; - newuidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newuidmap"; - newgidmap = mkSetuidRoot "${pkgs.shadow.out}/bin/newgidmap"; - } // lib.optionalAttrs config.users.mutableUsers { - chsh = mkSetuidRoot "${pkgs.shadow.out}/bin/chsh"; - passwd = mkSetuidRoot "${pkgs.shadow.out}/bin/passwd"; + passwd = { }; + # Note: useradd, groupadd etc. aren't setuid root, so it + # doesn't really matter what the PAM config says as long as it + # lets root in. 
+ useradd.rootOK = true; + usermod.rootOK = true; + userdel.rootOK = true; + groupadd.rootOK = true; + groupmod.rootOK = true; + groupmems.rootOK = true; + groupdel.rootOK = true; + login = { + startSession = true; + allowNullPassword = true; + showMotd = true; + updateWtmp = true; + }; + chpasswd = { rootOK = true; }; }; + + security.wrappers = + let + mkSetuidRoot = source: { + setuid = true; + owner = "root"; + group = "root"; + inherit source; + }; + in + { + su = mkSetuidRoot "${cfg.package.su}/bin/su"; + sg = mkSetuidRoot "${cfg.package.out}/bin/sg"; + newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp"; + newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap"; + newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap"; + } + // optionalAttrs config.users.mutableUsers { + chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh"; + passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd"; + }; }; } diff --git a/third_party/nixpkgs/nixos/modules/programs/starship.nix b/third_party/nixpkgs/nixos/modules/programs/starship.nix index cacad8eafe..9dca39da5e 100644 --- a/third_party/nixpkgs/nixos/modules/programs/starship.nix +++ b/third_party/nixpkgs/nixos/modules/programs/starship.nix @@ -43,21 +43,21 @@ in config = mkIf cfg.enable { programs.bash.${initOption} = '' - if [[ $TERM != "dumb" && (-z $INSIDE_EMACS || $INSIDE_EMACS == "vterm") ]]; then + if [[ $TERM != "dumb" ]]; then export STARSHIP_CONFIG=${settingsFile} eval "$(${pkgs.starship}/bin/starship init bash)" fi ''; programs.fish.${initOption} = '' - if test "$TERM" != "dumb" -a \( -z "$INSIDE_EMACS" -o "$INSIDE_EMACS" = "vterm" \) + if test "$TERM" != "dumb" set -x STARSHIP_CONFIG ${settingsFile} eval (${pkgs.starship}/bin/starship init fish) end ''; programs.zsh.${initOption} = '' - if [[ $TERM != "dumb" && (-z $INSIDE_EMACS || $INSIDE_EMACS == "vterm") ]]; then + if [[ $TERM != "dumb" ]]; then export STARSHIP_CONFIG=${settingsFile} eval "$(${pkgs.starship}/bin/starship init zsh)" fi 
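Review bot: Setting `chfnRestrict` adds `pkgs.util-linux` to `environment.systemPackages` and emits `CHFN_RESTRICT` into login.defs, but the `security.wrappers` set at the end of the hunk still has no `chfn` entry, so the binary is installed without setuid and the option's description ("Use chfn SUID to allow non-root users to change their account GECOS information") is not honoured unless a wrapper is added somewhere outside this diff. If the setuid behaviour is intended, add `chfn = mkSetuidRoot "${pkgs.util-linux}/bin/chfn";` under the same `chfnRestrict != null` condition (a `security.pam.services.chfn` entry already exists for it); if not, the description should say the administrator must provide the wrapper. The new assertions check each range is ordered but not that the system and regular ranges are disjoint; `SYS_UID_MAX < UID_MIN` and `SYS_GID_MAX < GID_MIN` assertions would catch the overlap case the id-range comment earlier in the file warns about.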
diff --git a/third_party/nixpkgs/nixos/modules/programs/wayland/river.nix b/third_party/nixpkgs/nixos/modules/programs/wayland/river.nix new file mode 100644 index 0000000000..71232a7d26 --- /dev/null +++ b/third_party/nixpkgs/nixos/modules/programs/wayland/river.nix @@ -0,0 +1,59 @@ +{ + config, + pkgs, + lib, + ... +}: +with lib; let + cfg = config.programs.river; +in { + options.programs.river = { + enable = mkEnableOption (lib.mdDoc "river, a dynamic tiling Wayland compositor"); + + package = mkOption { + type = with types; nullOr package; + default = pkgs.river; + defaultText = literalExpression "pkgs.river"; + description = lib.mdDoc '' + River package to use. + Set to `null` to not add any River package to your path. + This should be done if you want to use the Home Manager River module to install River. + ''; + }; + + extraPackages = mkOption { + type = with types; listOf package; + default = with pkgs; [ + swaylock + foot + dmenu + ]; + defaultText = literalExpression '' + with pkgs; [ swaylock foot dmenu ]; + ''; + example = literalExpression '' + with pkgs; [ + termite rofi light + ] + ''; + description = lib.mdDoc '' + Extra packages to be installed system wide. See + [Common X11 apps used on i3 with Wayland alternatives](https://github.com/swaywm/sway/wiki/i3-Migration-Guide#common-x11-apps-used-on-i3-with-wayland-alternatives) + for a list of useful software. + ''; + }; + }; + + config = + mkIf cfg.enable (mkMerge [ + { + environment.systemPackages = optional (cfg.package != null) cfg.package ++ cfg.extraPackages; + + # To make a river session available if a display manager like SDDM is enabled: + services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; + } + (import ./wayland-session.nix { inherit lib pkgs; }) + ]); + + meta.maintainers = with lib.maintainers; [ GaetanLepage ]; +} 
diff --git a/third_party/nixpkgs/nixos/modules/programs/sway.nix b/third_party/nixpkgs/nixos/modules/programs/wayland/sway.nix similarity index 70% rename from third_party/nixpkgs/nixos/modules/programs/sway.nix rename to third_party/nixpkgs/nixos/modules/programs/wayland/sway.nix index 3b2e69bd37..698d9c2b46 100644 --- a/third_party/nixpkgs/nixos/modules/programs/sway.nix +++ b/third_party/nixpkgs/nixos/modules/programs/wayland/sway.nix @@ -49,7 +49,7 @@ in { description = lib.mdDoc '' Sway package to use. Will override the options 'wrapperFeatures', 'extraSessionCommands', and 'extraOptions'. - Set to null to not add any Sway package to your + Set to `null` to not add any Sway package to your path. This should be done if you want to use the Home Manager Sway module to install Sway. ''; 
@@ -123,41 +123,36 @@ in { }; - config = mkIf cfg.enable { - assertions = [ + config = mkIf cfg.enable + (mkMerge [ { - assertion = cfg.extraSessionCommands != "" -> cfg.wrapperFeatures.base; - message = '' - The extraSessionCommands for Sway will not be run if - wrapperFeatures.base is disabled. - ''; - } - ]; - environment = { - systemPackages = optional (cfg.package != null) cfg.package ++ cfg.extraPackages; - # Needed for the default wallpaper: - pathsToLink = optionals (cfg.package != null) [ "/share/backgrounds/sway" ]; - etc = { - "sway/config.d/nixos.conf".source = pkgs.writeText "nixos.conf" '' - # Import the most important environment variables into the D-Bus and systemd - # user environments (e.g. required for screen sharing and Pinentry prompts): - exec dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP - ''; - } // optionalAttrs (cfg.package != null) { - "sway/config".source = mkOptionDefault "${cfg.package}/etc/sway/config"; - }; - }; - security.polkit.enable = true; - security.pam.services.swaylock = {}; - hardware.opengl.enable = mkDefault true; - fonts.enableDefaultFonts = mkDefault true; - programs.dconf.enable = mkDefault true; - # To make a Sway session available if a display manager like SDDM is enabled: - services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; - programs.xwayland.enable = mkDefault true; - # For screen sharing (this option only has an effect with xdg.portal.enable): - xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-wlr ]; - }; + assertions = [ + { + assertion = cfg.extraSessionCommands != "" -> cfg.wrapperFeatures.base; + message = '' + The extraSessionCommands for Sway will not be run if + wrapperFeatures.base is disabled. 
+ ''; + } + ]; + environment = { + systemPackages = optional (cfg.package != null) cfg.package ++ cfg.extraPackages; + # Needed for the default wallpaper: + pathsToLink = optionals (cfg.package != null) [ "/share/backgrounds/sway" ]; + etc = { + "sway/config.d/nixos.conf".source = pkgs.writeText "nixos.conf" '' + # Import the most important environment variables into the D-Bus and systemd + # user environments (e.g. required for screen sharing and Pinentry prompts): + exec dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP + ''; + } // optionalAttrs (cfg.package != null) { + "sway/config".source = mkOptionDefault "${cfg.package}/etc/sway/config"; + }; + }; + # To make a Sway session available if a display manager like SDDM is enabled: + services.xserver.displayManager.sessionPackages = optionals (cfg.package != null) [ cfg.package ]; } + (import ./wayland-session.nix { inherit lib pkgs; }) + ]); meta.maintainers = with lib.maintainers; [ primeos colemickens ]; } diff --git a/third_party/nixpkgs/nixos/modules/programs/waybar.nix b/third_party/nixpkgs/nixos/modules/programs/wayland/waybar.nix similarity index 100% rename from third_party/nixpkgs/nixos/modules/programs/waybar.nix rename to third_party/nixpkgs/nixos/modules/programs/wayland/waybar.nix diff --git a/third_party/nixpkgs/nixos/modules/programs/wayland/wayland-session.nix b/third_party/nixpkgs/nixos/modules/programs/wayland/wayland-session.nix new file mode 100644 index 0000000000..3cbfef4d61 --- /dev/null +++ b/third_party/nixpkgs/nixos/modules/programs/wayland/wayland-session.nix 
@@ -0,0 +1,23 @@ +{ lib, pkgs, ... }: with lib; { + security = { + polkit.enable = true; + pam.services.swaylock = {}; + }; + + hardware.opengl.enable = mkDefault true; + fonts.enableDefaultFonts = mkDefault true; + + programs = { + dconf.enable = mkDefault true; + xwayland.enable = mkDefault true; + }; + + xdg.portal = { + enable = mkDefault true; + + extraPortals = [ + # For screen sharing + pkgs.xdg-desktop-portal-wlr + ]; + }; +} diff --git a/third_party/nixpkgs/nixos/modules/programs/xonsh.nix b/third_party/nixpkgs/nixos/modules/programs/xonsh.nix index 7202ed06c6..167c953f5f 100644 --- a/third_party/nixpkgs/nixos/modules/programs/xonsh.nix +++ b/third_party/nixpkgs/nixos/modules/programs/xonsh.nix @@ -28,7 +28,7 @@ in type = types.package; default = pkgs.xonsh; defaultText = literalExpression "pkgs.xonsh"; - example = literalExpression "pkgs.xonsh.override { configFile = \"/path/to/xonshrc\"; }"; + example = literalExpression "pkgs.xonsh.override { extraPackages = ps: [ ps.requests ]; }"; description = lib.mdDoc '' xonsh package to use. ''; @@ -83,4 +83,3 @@ in }; } - diff --git a/third_party/nixpkgs/nixos/modules/rename.nix b/third_party/nixpkgs/nixos/modules/rename.nix index c8e540932e..0e8b823c2b 100644 --- a/third_party/nixpkgs/nixos/modules/rename.nix +++ b/third_party/nixpkgs/nixos/modules/rename.nix 
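Review bot: `xdg.portal.enable = mkDefault true` is new behaviour for every compositor that imports this file: the old sway module only appended `xdg-desktop-portal-wlr` to `extraPortals`, with a comment noting that it had no effect unless the user enabled portals, so sessions now start the portal service and backends by default. That is reasonable for screen sharing but should be documented at the point of change, e.g. `# Portals are enabled by default for screen sharing; set xdg.portal.enable = false to opt out.` `security.polkit.enable = true` and `security.pam.services.swaylock = {}` are hard-set rather than `mkDefault`, so a configuration that disables polkit now gets a conflicting-definition error instead of an override; since the rest of the file uses `mkDefault`, consider it for `polkit.enable` as well.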
@@ -54,7 +54,9 @@ in (mkRemovedOptionModule [ "services" "chronos" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "couchpotato" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "dd-agent" ] "dd-agent was removed from nixpkgs in favor of the newer datadog-agent.") + (mkRemovedOptionModule [ "services" "ddclient" ] "ddclient has been removed on the request of the upstream maintainer because it is unmaintained and has bugs. Please switch to a different software like `inadyn` or `knsupdate`.") # Added 2023-07-04 (mkRemovedOptionModule [ "services" "dnscrypt-proxy" ] "Use services.dnscrypt-proxy2 instead") + (mkRemovedOptionModule [ "services" "exhibitor" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "firefox" "syncserver" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.") (mkRemovedOptionModule [ "services" "fourStore" ] "The fourStore module has been removed") diff --git a/third_party/nixpkgs/nixos/modules/security/ca.nix b/third_party/nixpkgs/nixos/modules/security/ca.nix index c704e2c1f5..3cd56bff04 100644 --- a/third_party/nixpkgs/nixos/modules/security/ca.nix +++ b/third_party/nixpkgs/nixos/modules/security/ca.nix @@ -18,6 +18,10 @@ in { options = { + security.pki.installCACerts = mkEnableOption "Add CA certificates to system" // { + default = true; + internal = true; + }; security.pki.certificateFiles = mkOption { type = types.listOf types.path; @@ -70,7 +74,7 @@ in }; - config = { + config = mkIf cfg.installCACerts { # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility. environment.etc."ssl/certs/ca-certificates.crt".source = caBundle; 
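Review bot: `security.pki.installCACerts = mkEnableOption "Add CA certificates to system"` renders as "Whether to enable Add CA certificates to system." and is the only `mkEnableOption` in this diff whose text is not wrapped in `lib.mdDoc`; `mkEnableOption (lib.mdDoc "installation of the CA certificate bundle into the system trust store")` reads correctly and matches the surrounding style. Because the whole `config` block is now gated on this option, disabling it removes `/etc/ssl/certs/ca-certificates.crt` and, presumably, the related environment variables set further down the file, so even as an `internal` option it deserves a sentence stating that TLS verification system-wide depends on it.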
diff --git a/third_party/nixpkgs/nixos/modules/security/lock-kernel-modules.nix b/third_party/nixpkgs/nixos/modules/security/lock-kernel-modules.nix index 674ba85781..333b648014 100644 --- a/third_party/nixpkgs/nixos/modules/security/lock-kernel-modules.nix +++ b/third_party/nixpkgs/nixos/modules/security/lock-kernel-modules.nix @@ -22,12 +22,11 @@ with lib; config = mkIf config.security.lockKernelModules { boot.kernelModules = concatMap (x: - if x.device != null - then - if x.fsType == "vfat" - then [ "vfat" "nls-cp437" "nls-iso8859-1" ] - else [ x.fsType ] - else []) config.system.build.fileSystems; + optionals (x.device != null) ( + if x.fsType == "vfat" + then [ "vfat" "nls-cp437" "nls-iso8859-1" ] + else [ x.fsType ]) + ) config.system.build.fileSystems; systemd.services.disable-kernel-module-loading = { description = "Disable kernel module loading"; diff --git a/third_party/nixpkgs/nixos/modules/security/pam.nix b/third_party/nixpkgs/nixos/modules/security/pam.nix index eac67cfdec..ac9da4a823 100644 --- a/third_party/nixpkgs/nixos/modules/security/pam.nix +++ b/third_party/nixpkgs/nixos/modules/security/pam.nix @@ -484,6 +484,9 @@ let optionalString cfg.mysqlAuth '' account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + + optionalString (config.services.kanidm.enablePam) '' + account sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user + '' + optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) '' account sufficient ${pkgs.sssd}/lib/security/pam_sss.so '' + 
@@ -545,6 +548,9 @@ let (let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth '' auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"} '') + + (let dp9ik = config.security.pam.dp9ik; in optionalString dp9ik.enable '' + auth ${dp9ik.control} ${pkgs.pam_dp9ik}/lib/security/pam_p9.so ${dp9ik.authserver} + '') + optionalString cfg.fprintAuth '' auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so '' + @@ -617,6 +623,9 @@ let optionalString use_ldap '' auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass '' + + optionalString config.services.kanidm.enablePam '' + auth sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user use_first_pass + '' + optionalString config.services.sssd.enable '' auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass '' + @@ -653,6 +662,9 @@ let optionalString cfg.mysqlAuth '' password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + + optionalString config.services.kanidm.enablePam '' + password sufficient ${pkgs.kanidm}/lib/pam_kanidm.so + '' + optionalString config.services.sssd.enable '' password sufficient ${pkgs.sssd}/lib/security/pam_sss.so '' + @@ -714,6 +726,9 @@ let optionalString cfg.mysqlAuth '' session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + + optionalString config.services.kanidm.enablePam '' + session optional ${pkgs.kanidm}/lib/pam_kanidm.so + '' + optionalString config.services.sssd.enable '' session optional ${pkgs.sssd}/lib/security/pam_sss.so '' + 
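Review bot: The new dp9ik line interpolates `${dp9ik.authserver}` directly, and `authserver` defaults to `null`, so `security.pam.dp9ik.enable = true` without an `authserver` fails evaluation with a generic cannot-coerce-null error that does not name the option; an assertion such as `{ assertion = config.security.pam.dp9ik.enable -> config.security.pam.dp9ik.authserver != null; message = "security.pam.dp9ik.authserver must be set when dp9ik is enabled"; }` would give the right message. The hostname is also written unquoted into the PAM line, which is fine for an administrator-controlled value but means whitespace in it silently becomes extra module arguments — a `strMatching` type on the option would rule that out. The `auth` stack this hunk edits starts and ends outside the hunk.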
@@ -901,6 +916,32 @@ in security.pam.enableOTPW = mkEnableOption (lib.mdDoc "the OTPW (one-time password) PAM module"); + security.pam.dp9ik = { + enable = mkEnableOption ( + lib.mdDoc '' + the dp9ik pam module provided by tlsclient. + + If set, users can be authenticated against the 9front + authentication server given in {option}`security.pam.dp9ik.authserver`. + '' + ); + control = mkOption { + default = "sufficient"; + type = types.str; + description = lib.mdDoc '' + This option sets the pam "control" used for this module. + ''; + }; + authserver = mkOption { + default = null; + type = with types; nullOr string; + description = lib.mdDoc '' + This controls the hostname for the 9front authentication server + that users will be authenticated against. + ''; + }; + }; + security.pam.krb5 = { enable = mkOption { default = config.krb5.enable; @@ -1298,6 +1339,7 @@ in # Include the PAM modules in the system path mostly for the manpages. [ pkgs.pam ] ++ optional config.users.ldap.enable pam_ldap + ++ optional config.services.kanidm.enablePam pkgs.kanidm ++ optional config.services.sssd.enable pkgs.sssd ++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds] ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] @@ -1364,6 +1406,9 @@ in optionalString use_ldap '' mr ${pam_ldap}/lib/security/pam_ldap.so, '' + + optionalString config.services.kanidm.enablePam '' + mr ${pkgs.kanidm}/lib/pam_kanidm.so, + '' + optionalString config.services.sssd.enable '' mr ${pkgs.sssd}/lib/security/pam_sss.so, '' + diff --git a/third_party/nixpkgs/nixos/modules/security/pam_mount.nix b/third_party/nixpkgs/nixos/modules/security/pam_mount.nix index a17f38f933..ad78f38b08 100644 --- a/third_party/nixpkgs/nixos/modules/security/pam_mount.nix +++ b/third_party/nixpkgs/nixos/modules/security/pam_mount.nix 
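Review bot: `type = with types; nullOr string;` on `authserver` uses `types.string`, which is deprecated in favour of `types.str` and emits a warning at evaluation; change it to `nullOr str` (or plain `str`, given the auth line that consumes it has no sensible behaviour for `null`). `control` is a free-form `types.str`, so a misspelling is only detected when PAM parses the generated file; if the yubico `control` option above uses an enum of the PAM control keywords, mirror it here. An `example = "authserver.example.org";` on `authserver` would also help, since the option has no default and the description does not show the expected format.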
@@ -167,9 +167,11 @@ in - ${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) -o ${concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])} + + ${pkgs.fuse}/bin/mount.fuse %(VOLUME) %(MNTPT) -o ,${concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])}' ${pkgs.fuse}/bin/fusermount -u %(MNTPT) - ${pkgs.pam_mount}/bin/mount.crypt -o ${concatStringsSep "," (cfg.cryptMountOptions ++ [ "%(OPTIONS)" ])} %(VOLUME) %(MNTPT) + + ${pkgs.pam_mount}/bin/mount.crypt -o ,${concatStringsSep "," (cfg.cryptMountOptions ++ [ "%(OPTIONS)" ])} %(VOLUME) %(MNTPT) ${pkgs.pam_mount}/bin/umount.crypt %(MNTPT) ${pkgs.pam_mount}/bin/pmvarrun -u %(USER) -o %(OPERATION) ${optionalString oflRequired "${fake_ofl}/bin/fake_ofl %(SIGNAL) %(MNTPT)"} diff --git a/third_party/nixpkgs/nixos/modules/security/sudo.nix b/third_party/nixpkgs/nixos/modules/security/sudo.nix index 296b61fd70..9ac91bd0d3 100644 --- a/third_party/nixpkgs/nixos/modules/security/sudo.nix +++ b/third_party/nixpkgs/nixos/modules/security/sudo.nix @@ -216,10 +216,10 @@ in ${concatStringsSep "\n" ( lists.flatten ( map ( - rule: if (length rule.commands != 0) then [ + rule: optionals (length rule.commands != 0) [ (map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users) (map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups) - ] else [] + ] ) cfg.extraRules ) )} diff --git a/third_party/nixpkgs/nixos/modules/services/audio/roon-bridge.nix b/third_party/nixpkgs/nixos/modules/services/audio/roon-bridge.nix index 70392b647c..027b0332fd 100644 --- a/third_party/nixpkgs/nixos/modules/services/audio/roon-bridge.nix +++ b/third_party/nixpkgs/nixos/modules/services/audio/roon-bridge.nix 
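Review bot: The rewritten `mount.fuse` line ends in a stray `'` after the closing `}` of the interpolation (`... [ "%(OPTIONS)" ])}'`) that the otherwise parallel `mount.crypt` line does not have; unless it is a rendering artifact of this page, pam_mount will hand that apostrophe to mount.fuse as part of the option string. If it is real, drop the character so the line ends with `-o ,${concatStringsSep "," (cfg.fuseMountOptions ++ [ "%(OPTIONS)" ])}`. The configuration template this hunk edits starts and ends outside the hunk.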
@@ -70,12 +70,11 @@ in { users.groups.${cfg.group} = {}; users.users.${cfg.user} = - if cfg.user == "roon-bridge" then { + optionalAttrs (cfg.user == "roon-bridge") { isSystemUser = true; description = "Roon Bridge user"; group = cfg.group; extraGroups = [ "audio" ]; - } - else {}; + }; }; } diff --git a/third_party/nixpkgs/nixos/modules/services/audio/roon-server.nix b/third_party/nixpkgs/nixos/modules/services/audio/roon-server.nix index fbe74f63b9..8691c08b0d 100644 --- a/third_party/nixpkgs/nixos/modules/services/audio/roon-server.nix +++ b/third_party/nixpkgs/nixos/modules/services/audio/roon-server.nix @@ -76,12 +76,11 @@ in { users.groups.${cfg.group} = {}; users.users.${cfg.user} = - if cfg.user == "roon-server" then { + optionalAttrs (cfg.user == "roon-server") { isSystemUser = true; description = "Roon Server user"; group = cfg.group; extraGroups = [ "audio" ]; - } - else {}; + }; }; } diff --git a/third_party/nixpkgs/nixos/modules/services/audio/wyoming/faster-whisper.nix b/third_party/nixpkgs/nixos/modules/services/audio/wyoming/faster-whisper.nix new file mode 100644 index 0000000000..6317709b24 --- /dev/null +++ b/third_party/nixpkgs/nixos/modules/services/audio/wyoming/faster-whisper.nix 
@@ -0,0 +1,186 @@ +{ config +, lib +, pkgs +, ... +}: + +let + cfg = config.services.wyoming.faster-whisper; + + inherit (lib) + escapeShellArgs + mkOption + mdDoc + mkEnableOption + mkPackageOptionMD + types + ; + + inherit (builtins) + toString + ; + +in + +{ + options.services.wyoming.faster-whisper = with types; { + package = mkPackageOptionMD pkgs "wyoming-faster-whisper" { }; + + servers = mkOption { + default = {}; + description = mdDoc '' + Attribute set of faster-whisper instances to spawn. + ''; + type = types.attrsOf (types.submodule ( + { ... }: { + options = { + enable = mkEnableOption (mdDoc "Wyoming faster-whisper server"); + + model = mkOption { + type = enum [ + "tiny" + "tiny-int8" + "base" + "base-int8" + "small" + "small-int8" + "medium" + "medium-int8" + ]; + default = "tiny-int8"; + example = "medium-int8"; + description = mdDoc '' + Name of the voice model to use. + ''; + }; + + uri = mkOption { + type = strMatching "^(tcp|unix)://.*$"; + example = "tcp://0.0.0.0:10300"; + description = mdDoc '' + URI to bind the wyoming server to. + ''; + }; + + device = mkOption { + # https://opennmt.net/CTranslate2/python/ctranslate2.models.Whisper.html# + type = types.enum [ + "cpu" + "cuda" + "auto" + ]; + default = "cpu"; + description = mdDoc '' + Id of a speaker in a multi-speaker model. 
+ ''; + }; + + language = mkOption { + type = enum [ + # https://github.com/home-assistant/addons/blob/master/whisper/config.yaml#L20 + "auto" "af" "am" "ar" "as" "az" "ba" "be" "bg" "bn" "bo" "br" "bs" "ca" "cs" "cy" "da" "de" "el" "en" "es" "et" "eu" "fa" "fi" "fo" "fr" "gl" "gu" "ha" "haw" "he" "hi" "hr" "ht" "hu" "hy" "id" "is" "it" "ja" "jw" "ka" "kk" "km" "kn" "ko" "la" "lb" "ln" "lo" "lt" "lv" "mg" "mi" "mk" "ml" "mn" "mr" "ms" "mt" "my" "ne" "nl" "nn" "no" "oc" "pa" "pl" "ps" "pt" "ro" "ru" "sa" "sd" "si" "sk" "sl" "sn" "so" "sq" "sr" "su" "sv" "sw" "ta" "te" "tg" "th" "tk" "tl" "tr" "tt" "uk" "ur" "uz" "vi" "yi" "yo" "zh" + ]; + example = "en"; + description = mdDoc '' + The language used to to parse words and sentences. + ''; + }; + + beamSize = mkOption { + type = ints.unsigned; + default = 1; + example = 5; + description = mdDoc '' + The number of beams to use in beam search. + ''; + apply = toString; + }; + + extraArgs = mkOption { + type = listOf str; + default = [ ]; + description = mdDoc '' + Extra arguments to pass to the server commandline. 
+ ''; + apply = escapeShellArgs; + }; + }; + } + )); + }; + }; + + config = let + inherit (lib) + mapAttrs' + mkIf + nameValuePair + ; + in mkIf (cfg.servers != {}) { + systemd.services = mapAttrs' (server: options: + nameValuePair "wyoming-faster-whisper-${server}" { + description = "Wyoming faster-whisper server instance ${server}"; + after = [ + "network-online.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + serviceConfig = { + DynamicUser = true; + User = "wyoming-faster-whisper"; + StateDirectory = "wyoming/faster-whisper"; + # https://github.com/home-assistant/addons/blob/master/whisper/rootfs/etc/s6-overlay/s6-rc.d/whisper/run + ExecStart = '' + ${cfg.package}/bin/wyoming-faster-whisper \ + --data-dir $STATE_DIRECTORY \ + --download-dir $STATE_DIRECTORY \ + --uri ${options.uri} \ + --model ${options.model} \ + --language ${options.language} \ + --beam-size ${options.beamSize} ${options.extraArgs} + ''; + CapabilityBoundingSet = ""; + DeviceAllow = if builtins.elem options.device [ "cuda" "auto" ] then [ + # https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf + "/dev/nvidia1" + "/dev/nvidia2" + "/dev/nvidia3" + "/dev/nvidia4" + "/dev/nvidia-caps/nvidia-cap1" + "/dev/nvidia-caps/nvidia-cap2" + "/dev/nvidiactl" + "/dev/nvidia-modeset" + "/dev/nvidia-uvm" + "/dev/nvidia-uvm-tools" + ] else ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + }; + }) cfg.servers; + }; +} 
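Review bot: The per-server `enable` option declared in the submodule is never consulted: `systemd.services = mapAttrs' (server: options: ...) cfg.servers` creates a unit for every entry, so `enable = false` has no effect; iterating `(lib.filterAttrs (_: s: s.enable) cfg.servers)` instead (and the same in the piper module of this commit) would honour it. The `device` option is likewise not passed to the server — ExecStart carries --uri, --model, --language and --beam-size but no `--device ${options.device} \` — so as far as I can tell selecting "cuda" only changes `DeviceAllow` while the process keeps the server's own default device. That `DeviceAllow` list also omits `/dev/nvidia0`, and with `PrivateDevices = true` the unit gets a private /dev containing only API pseudo-devices, so the listed GPU nodes are unreachable regardless; the GPU case needs `PrivateDevices = false` (e.g. `PrivateDevices = !builtins.elem options.device [ "cuda" "auto" ];`). Finally the `device` description `Id of a speaker in a multi-speaker model.` is copied from piper's `speaker` option; `Compute device the model is run on.` is what belongs here.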
diff --git a/third_party/nixpkgs/nixos/modules/services/audio/wyoming/piper.nix b/third_party/nixpkgs/nixos/modules/services/audio/wyoming/piper.nix new file mode 100644 index 0000000000..ed50bd9f48 --- /dev/null +++ b/third_party/nixpkgs/nixos/modules/services/audio/wyoming/piper.nix 
@@ -0,0 +1,174 @@ +{ config +, lib +, pkgs +, ... +}: + +let + cfg = config.services.wyoming.piper; + + inherit (lib) + escapeShellArgs + mkOption + mdDoc + mkEnableOption + mkPackageOptionMD + types + ; + + inherit (builtins) + toString + ; + +in + +{ + meta.buildDocsInSandbox = false; + + options.services.wyoming.piper = with types; { + package = mkPackageOptionMD pkgs "wyoming-piper" { }; + + servers = mkOption { + default = {}; + description = mdDoc '' + Attribute set of piper instances to spawn. + ''; + type = types.attrsOf (types.submodule ( + { ... }: { + options = { + enable = mkEnableOption (mdDoc "Wyoming Piper server"); + + piper = mkPackageOptionMD pkgs "piper-tts" { }; + + voice = mkOption { + type = str; + example = "en-us-ryan-medium"; + description = mdDoc '' + Name of the voice model to use. See the following website for samples: + https://rhasspy.github.io/piper-samples/ + ''; + }; + + uri = mkOption { + type = strMatching "^(tcp|unix)://.*$"; + example = "tcp://0.0.0.0:10200"; + description = mdDoc '' + URI to bind the wyoming server to. + ''; + }; + + speaker = mkOption { + type = ints.unsigned; + default = 0; + description = mdDoc '' + ID of a specific speaker in a multi-speaker model. + ''; + apply = toString; + }; + + noiseScale = mkOption { + type = float; + default = 0.667; + description = mdDoc '' + Generator noise value. + ''; + apply = toString; + }; + + noiseWidth = mkOption { + type = float; + default = 0.333; + description = mdDoc '' + Phoneme width noise value. + ''; + apply = toString; + }; + + lengthScale = mkOption { + type = float; + default = 1.0; + description = mdDoc '' + Phoneme length value. + ''; + apply = toString; + }; + + extraArgs = mkOption { + type = listOf str; + default = [ ]; + description = mdDoc '' + Extra arguments to pass to the server commandline. 
+ ''; + apply = escapeShellArgs; + }; + }; + } + )); + }; + }; + + config = let + inherit (lib) + mapAttrs' + mkIf + nameValuePair + ; + in mkIf (cfg.servers != {}) { + systemd.services = mapAttrs' (server: options: + nameValuePair "wyoming-piper-${server}" { + description = "Wyoming Piper server instance ${server}"; + after = [ + "network-online.target" + ]; + wantedBy = [ + "multi-user.target" + ]; + serviceConfig = { + DynamicUser = true; + User = "wyoming-piper"; + StateDirectory = "wyoming/piper"; + # https://github.com/home-assistant/addons/blob/master/piper/rootfs/etc/s6-overlay/s6-rc.d/piper/run + ExecStart = '' + ${cfg.package}/bin/wyoming-piper \ + --data-dir $STATE_DIRECTORY \ + --download-dir $STATE_DIRECTORY \ + --uri ${options.uri} \ + --piper ${options.piper}/bin/piper \ + --voice ${options.voice} \ + --speaker ${options.speaker} \ + --length-scale ${options.lengthScale} \ + --noise-scale ${options.noiseScale} \ + --noise-w ${options.noiseWidth} ${options.extraArgs} + ''; + CapabilityBoundingSet = ""; + DeviceAllow = ""; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectControlGroups = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; + UMask = "0077"; + }; + }) cfg.servers; + }; +} diff --git a/third_party/nixpkgs/nixos/modules/services/backup/restic.nix b/third_party/nixpkgs/nixos/modules/services/backup/restic.nix index 3a951f7cbc..1620770e5b 100644 --- a/third_party/nixpkgs/nixos/modules/services/backup/restic.nix +++ b/third_party/nixpkgs/nixos/modules/services/backup/restic.nix 
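Review bot: ExecStart interpolates `${options.uri}` and `${options.voice}` into the systemd command line unquoted while `extraArgs` goes through `escapeShellArgs`; `voice` is a plain `types.str` and `uri` only has to match `^(tcp|unix)://.*$`, so a value containing whitespace or quotes is split or mis-parsed by systemd's command-line parser. Wrapping each in `lib.escapeShellArg` (single quotes, which ExecStart understands) keeps the three consistent; the same applies to the faster-whisper module in this commit. Also `meta.buildDocsInSandbox = false;` is set here but not in faster-whisper, which uses `mkPackageOptionMD pkgs` the same way; presumably either both modules need it or neither does.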
@@ -298,7 +298,7 @@ in let extraOptions = concatMapStrings (arg: " -o ${arg}") backup.extraOptions; resticCmd = "${backup.package}/bin/restic${extraOptions}"; - excludeFlags = if (backup.exclude != []) then ["--exclude-file=${pkgs.writeText "exclude-patterns" (concatStringsSep "\n" backup.exclude)}"] else []; + excludeFlags = optional (backup.exclude != []) "--exclude-file=${pkgs.writeText "exclude-patterns" (concatStringsSep "\n" backup.exclude)}"; filesFromTmpFile = "/run/restic-backups-${name}/includes"; backupPaths = if (backup.dynamicFilesFrom == null) diff --git a/third_party/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix b/third_party/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix index 7c8f77580f..a40b939a16 100644 --- a/third_party/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix +++ b/third_party/nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix @@ -11,7 +11,7 @@ let default = null; description = lib.mdDoc description; type = types.nullOr types.lines; - } // (if example == null then {} else { inherit example; }); + } // (lib.optionalAttrs (example != null) { inherit example; }); }; mkHookOptions = hooks: listToAttrs (map mkHookOption hooks); diff --git a/third_party/nixpkgs/nixos/modules/services/continuous-integration/github-runner.nix b/third_party/nixpkgs/nixos/modules/services/continuous-integration/github-runner.nix index 67e71659d6..27cfee92c7 100644 --- a/third_party/nixpkgs/nixos/modules/services/continuous-integration/github-runner.nix +++ b/third_party/nixpkgs/nixos/modules/services/continuous-integration/github-runner.nix @@ -21,5 +21,5 @@ in services.github-runners.${cfg.name} = cfg; }; - meta.maintainers = with maintainers; [ veehaitch newam ]; + meta.maintainers = with maintainers; [ veehaitch newam thomasjm ]; } 
diff --git a/third_party/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix b/third_party/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix index 53f39f40da..10a2fe8a44 100644 --- a/third_party/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix +++ b/third_party/nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix @@ -611,4 +611,6 @@ in { (mkRenamedOptionModule [ "services" "gitlab-runner" "sessionServer" "advertiseAddress" ] [ "services" "gitlab-runner" "settings" "session_server" "advertise_address" ] ) (mkRenamedOptionModule [ "services" "gitlab-runner" "sessionServer" "sessionTimeout" ] [ "services" "gitlab-runner" "settings" "session_server" "session_timeout" ] ) ]; + + meta.maintainers = teams.gitlab.members; } diff --git a/third_party/nixpkgs/nixos/modules/services/continuous-integration/jenkins/job-builder.nix b/third_party/nixpkgs/nixos/modules/services/continuous-integration/jenkins/job-builder.nix index d6a8c2a3f7..a8e3effd1f 100644 --- a/third_party/nixpkgs/nixos/modules/services/continuous-integration/jenkins/job-builder.nix +++ b/third_party/nixpkgs/nixos/modules/services/continuous-integration/jenkins/job-builder.nix 
@@ -9,25 +9,20 @@ let in { options = { services.jenkins.jobBuilder = { - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether or not to enable the Jenkins Job Builder (JJB) service. It - allows defining jobs for Jenkins in a declarative manner. + enable = mkEnableOption (mdDoc '' + the Jenkins Job Builder (JJB) service. It + allows defining jobs for Jenkins in a declarative manner. - Jobs managed through the Jenkins WebUI (or by other means) are left - unchanged. + Jobs managed through the Jenkins WebUI (or by other means) are left + unchanged. - Note that it really is declarative configuration; if you remove a - previously defined job, the corresponding job directory will be - deleted. + Note that it really is declarative configuration; if you remove a + previously defined job, the corresponding job directory will be + deleted. - Please see the Jenkins Job Builder documentation for more info: - [ - http://docs.openstack.org/infra/jenkins-job-builder/](http://docs.openstack.org/infra/jenkins-job-builder/) - ''; - }; + Please see the Jenkins Job Builder documentation for more info: + + ''); accessUser = mkOption { default = "admin"; diff --git a/third_party/nixpkgs/nixos/modules/services/databases/foundationdb.md b/third_party/nixpkgs/nixos/modules/services/databases/foundationdb.md index f852c6888d..0815c13915 100644 --- a/third_party/nixpkgs/nixos/modules/services/databases/foundationdb.md +++ b/third_party/nixpkgs/nixos/modules/services/databases/foundationdb.md @@ -6,7 +6,7 @@ *Maintainer:* Austin Seipp -*Available version(s):* 5.1.x, 5.2.x, 6.0.x +*Available version(s):* 7.1.x FoundationDB (or "FDB") is an open source, distributed, transactional key-value store. 
@@ -17,7 +17,7 @@ To enable FoundationDB, add the following to your {file}`configuration.nix`: ``` services.foundationdb.enable = true; -services.foundationdb.package = pkgs.foundationdb52; # FoundationDB 5.2.x +services.foundationdb.package = pkgs.foundationdb71; # FoundationDB 7.1.x ``` The {option}`services.foundationdb.package` option is required, and @@ -66,7 +66,7 @@ necessary Python modules). ```ShellSession a@link> cat fdb-status.py #! /usr/bin/env nix-shell -#! nix-shell -i python -p python pythonPackages.foundationdb52 +#! nix-shell -i python -p python pythonPackages.foundationdb71 import fdb import json diff --git a/third_party/nixpkgs/nixos/modules/services/games/factorio.nix b/third_party/nixpkgs/nixos/modules/services/games/factorio.nix index 9b15cac149..b349ffa237 100644 --- a/third_party/nixpkgs/nixos/modules/services/games/factorio.nix +++ b/third_party/nixpkgs/nixos/modules/services/games/factorio.nix @@ -294,6 +294,6 @@ in }; }; - networking.firewall.allowedUDPPorts = if cfg.openFirewall then [ cfg.port ] else []; + networking.firewall.allowedUDPPorts = optional cfg.openFirewall cfg.port; }; } diff --git a/third_party/nixpkgs/nixos/modules/services/games/freeciv.nix b/third_party/nixpkgs/nixos/modules/services/games/freeciv.nix index f33ea5c08a..bba27ae4cb 100644 --- a/third_party/nixpkgs/nixos/modules/services/games/freeciv.nix +++ b/third_party/nixpkgs/nixos/modules/services/games/freeciv.nix @@ -16,7 +16,7 @@ let generate = name: value: let mkParam = k: v: if v == null then [] - else if isBool v then if v then [("--"+k)] else [] + else if isBool v then optional v ("--"+k) else [("--"+k) v]; mkParams = k: v: map (mkParam k) (if isList v then v else [v]); in escapeShellArgs (concatLists (concatLists (mapAttrsToList mkParams value))); diff --git a/third_party/nixpkgs/nixos/modules/services/games/mchprs.nix b/third_party/nixpkgs/nixos/modules/services/games/mchprs.nix new file mode 100644 index 0000000000..a65001b0b3 --- /dev/null 
+++ b/third_party/nixpkgs/nixos/modules/services/games/mchprs.nix 
@@ -0,0 +1,341 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.mchprs; + settingsFormat = pkgs.formats.toml { }; + + whitelistFile = pkgs.writeText "whitelist.json" + (builtins.toJSON + (mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist.list)); + + configToml = + (removeAttrs cfg.settings [ "address" "port" ]) // + { + bind_address = cfg.settings.address + ":" + toString cfg.settings.port; + whitelist = cfg.whitelist.enable; + }; + + configTomlFile = settingsFormat.generate "Config.toml" configToml; +in +{ + options = { + services.mchprs = { + enable = mkEnableOption "MCHPRS"; + + declarativeSettings = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Whether to use a declarative configuration for MCHPRS. + ''; + }; + + declarativeWhitelist = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Whether to use a declarative whitelist. + The options {option}`services.mchprs.whitelist.list` + will be applied if and only if set to `true`. + ''; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/mchprs"; + description = mdDoc '' + Directory to store MCHPRS database and other state/data files. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Whether to open ports in the firewall for the server. + Only has effect when + {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + + maxRuntime = mkOption { + type = types.str; + default = "infinity"; + example = "7d"; + description = mdDoc '' + Automatically restart the server after + {option}`services.mchprs.maxRuntime`. + The time span format is described here: + https://www.freedesktop.org/software/systemd/man/systemd.time.html#Parsing%20Time%20Spans. + If `null`, then the server is not restarted automatically. 
+ ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.mchprs; + defaultText = literalExpression "pkgs.mchprs"; + description = mdDoc "Version of MCHPRS to run."; + }; + + settings = mkOption { + type = types.submodule { + freeformType = settingsFormat.type; + + options = { + port = mkOption { + type = types.port; + default = 25565; + description = mdDoc '' + Port for the server. + Only has effect when + {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + + address = mkOption { + type = types.str; + default = "0.0.0.0"; + description = mdDoc '' + Address for the server. + Please use enclosing square brackets when using ipv6. + Only has effect when + {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + + motd = mkOption { + type = types.str; + default = "Minecraft High Performance Redstone Server"; + description = mdDoc '' + Message of the day. + Only has effect when + {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + + chat_format = mkOption { + type = types.str; + default = "<{username}> {message}"; + description = mdDoc '' + How to format chat message interpolating `username` + and `message` with curly braces. + Only has effect when + {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + + max_players = mkOption { + type = types.ints.positive; + default = 99999; + description = mdDoc '' + Maximum number of simultaneous players. + Only has effect when + {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + + view_distance = mkOption { + type = types.ints.positive; + default = 8; + description = mdDoc '' + Maximal distance (in chunks) between players and loaded chunks. + Only has effect when + {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + + bungeecord = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Enable compatibility with + [BungeeCord](https://github.com/SpigotMC/BungeeCord). 
+ Only has effect when + {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + + schemati = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Mimic the verification and directory layout used by the + Open Redstone Engineers + [Schemati plugin](https://github.com/OpenRedstoneEngineers/Schemati). + Only has effect when + {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + + block_in_hitbox = mkOption { + type = types.bool; + default = true; + description = mdDoc '' + Allow placing blocks inside of players + (hitbox logic is simplified). + Only has effect when + {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + + auto_redpiler = mkOption { + type = types.bool; + default = true; + description = mdDoc '' + Use redpiler automatically. + Only has effect when + {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + }; + }; + default = { }; + + description = mdDoc '' + Configuration for MCHPRS via `Config.toml`. + See https://github.com/MCHPR/MCHPRS/blob/master/README.md for documentation. + ''; + }; + + whitelist = { + enable = mkOption { + type = types.bool; + default = false; + description = mdDoc '' + Whether or not the whitelist (in `whitelist.json`) shoud be enabled. + Only has effect when {option}`services.mchprs.declarativeSettings` is `true`. + ''; + }; + + list = mkOption { + type = + let + minecraftUUID = types.strMatching + "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" // { + description = "Minecraft UUID"; + }; + in + types.attrsOf minecraftUUID; + default = { }; + example = literalExpression '' + { + username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"; + username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"; + }; + ''; + description = mdDoc '' + Whitelisted players, only has an effect when + {option}`services.mchprs.declarativeWhitelist` is + `true` and the whitelist is enabled + via {option}`services.mchprs.whitelist.enable`. 
+ This is a mapping from Minecraft usernames to UUIDs. + You can use to get a + Minecraft UUID for a username. + ''; + }; + }; + }; + }; + + config = mkIf cfg.enable { + users.users.mchprs = { + description = "MCHPRS service user"; + home = cfg.dataDir; + createHome = true; + isSystemUser = true; + group = "mchprs"; + }; + users.groups.mchprs = { }; + + systemd.services.mchprs = { + description = "MCHPRS Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + ExecStart = "${lib.getExe cfg.package}"; + Restart = "always"; + RuntimeMaxSec = cfg.maxRuntime; + User = "mchprs"; + WorkingDirectory = cfg.dataDir; + + StandardOutput = "journal"; + StandardError = "journal"; + + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + UMask = "0077"; + }; + + preStart = + (if cfg.declarativeSettings then '' + if [ -e .declarativeSettings ]; then + + # Settings were declarative before, no need to back up anything + cp -f ${configTomlFile} Config.toml + + else + + # Declarative settings for the first time, backup stateful files + cp -b --suffix=.stateful ${configTomlFile} Config.toml + + echo "Autogenerated file that implies that this server configuration is managed declaratively by NixOS" \ + > .declarativeSettings + + fi + '' else '' + if [ -e .declarativeSettings ]; then + rm .declarativeSettings + fi + '') + (if cfg.declarativeWhitelist then '' + if [ -e .declarativeWhitelist ]; then + + # 
Whitelist was declarative before, no need to back up anything + ln -sf ${whitelistFile} whitelist.json + + else + + # Declarative whitelist for the first time, backup stateful files + ln -sb --suffix=.stateful ${whitelistFile} whitelist.json + + echo "Autogenerated file that implies that this server's whitelist is managed declaratively by NixOS" \ + > .declarativeWhitelist + + fi + '' else '' + if [ -e .declarativeWhitelist ]; then + rm .declarativeWhitelist + fi + ''); + }; + + networking.firewall = mkIf (cfg.declarativeSettings && cfg.openFirewall) { + allowedUDPPorts = [ cfg.settings.port ]; + allowedTCPPorts = [ cfg.settings.port ]; + }; + }; + + meta.maintainers = with maintainers; [ gdd ]; +} diff --git a/third_party/nixpkgs/nixos/modules/services/games/minetest-server.nix b/third_party/nixpkgs/nixos/modules/services/games/minetest-server.nix index 578364ec54..8dc3601534 100644 --- a/third_party/nixpkgs/nixos/modules/services/games/minetest-server.nix +++ b/third_party/nixpkgs/nixos/modules/services/games/minetest-server.nix 
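Review bot: The `maxRuntime` description ends with `If `null`, then the server is not restarted automatically.`, but the option is `types.str` with default `"infinity"`, so `null` is rejected by the type; either make it `types.nullOr types.str` and map null to `"infinity"` in `RuntimeMaxSec`, or drop that sentence, since `"infinity"` already is the no-restart value. The firewall block opens `cfg.settings.port` on UDP as well as TCP; if MCHPRS, like other Java-edition servers, only listens on TCP, the `allowedUDPPorts` rule exposes a port for nothing and should go. The hardening set is also missing `ProtectSystem` (e.g. `ProtectSystem = "strict"; ReadWritePaths = [ cfg.dataDir ];`, which still lets preStart write into `WorkingDirectory`) and the `SystemCallFilter` that the wyoming units in this same commit apply.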
@@ -3,15 +3,52 @@ with lib; let + CONTAINS_NEWLINE_RE = ".*\n.*"; + # The following values are reserved as complete option values: + # { - start of a group. + # """ - start of a multi-line string. + RESERVED_VALUE_RE = "[[:space:]]*(\"\"\"|\\{)[[:space:]]*"; + NEEDS_MULTILINE_RE = "${CONTAINS_NEWLINE_RE}|${RESERVED_VALUE_RE}"; + + # There is no way to encode """ on its own line in a Minetest config. + UNESCAPABLE_RE = ".*\n\"\"\"\n.*"; + + toConfMultiline = name: value: + assert lib.assertMsg + ((builtins.match UNESCAPABLE_RE value) == null) + ''""" can't be on its own line in a minetest config.''; + "${name} = \"\"\"\n${value}\n\"\"\"\n"; + + toConf = values: + lib.concatStrings + (lib.mapAttrsToList + (name: value: { + bool = "${name} = ${toString value}\n"; + int = "${name} = ${toString value}\n"; + null = ""; + set = "${name} = {\n${toConf value}}\n"; + string = + if (builtins.match NEEDS_MULTILINE_RE value) != null + then toConfMultiline name value + else "${name} = ${value}\n"; + }.${builtins.typeOf value}) + values); + cfg = config.services.minetest-server; - flag = val: name: optionalString (val != null) "--${name} ${toString val} "; + flag = val: name: lib.optionals (val != null) ["--${name}" "${toString val}"]; + flags = [ - (flag cfg.gameId "gameid") - (flag cfg.world "world") - (flag cfg.configPath "config") - (flag cfg.logPath "logfile") - (flag cfg.port "port") - ]; + "--server" + ] + ++ ( + if cfg.configPath != null + then ["--config" cfg.configPath] + else ["--config" (builtins.toFile "minetest.conf" (toConf cfg.config))]) + ++ (flag cfg.gameId "gameid") + ++ (flag cfg.world "world") + ++ (flag cfg.logPath "logfile") + ++ (flag cfg.port "port") + ++ cfg.extraArgs; in { options = { 
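Review bot: `toConf` dispatches on `builtins.typeOf value` with a set that only has `bool`, `int`, `null`, `set` and `string`, while the `config` option (hunk `@@ -55,6 +92,16 @@` on the next line) is `types.attrsOf types.anything`, so a float, list or path value passes the type check and then fails at build with a bare "attribute 'float' missing" error. Adding `float = "${name} = ${toString value}\n";` covers the common numeric case, and a `throw` that names the offending option key would make the remaining types fail legibly. Separately, the generated file goes through `builtins.toFile "minetest.conf"` into the world-readable Nix store, so the `config` description should carry a sentence like `Values end up in the world-readable Nix store; do not put secrets here.`.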
@@ -55,6 +92,16 @@ in ''; }; + config = mkOption { + type = types.attrsOf types.anything; + default = {}; + description = lib.mdDoc '' + Settings to add to the minetest config file. + + This option is ignored if `configPath` is set. + ''; + }; + logPath = mkOption { type = types.nullOr types.path; default = null; @@ -75,6 +122,14 @@ in If set to null, the default 30000 will be used. ''; }; + + extraArgs = mkOption { + type = types.listOf types.str; + default = []; + description = lib.mdDoc '' + Additional command line flags to pass to the minetest executable. + ''; + }; }; }; @@ -100,7 +155,7 @@ in script = '' cd /var/lib/minetest - exec ${pkgs.minetest}/bin/minetest --server ${concatStrings flags} + exec ${pkgs.minetest}/bin/minetest ${lib.escapeShellArgs flags} ''; }; }; diff --git a/third_party/nixpkgs/nixos/modules/services/hardware/fwupd.nix b/third_party/nixpkgs/nixos/modules/services/hardware/fwupd.nix index b8c2ac9484..4e5913fd27 100644 --- a/third_party/nixpkgs/nixos/modules/services/hardware/fwupd.nix +++ b/third_party/nixpkgs/nixos/modules/services/hardware/fwupd.nix @@ -13,16 +13,13 @@ let }; customEtc = { - "fwupd/daemon.conf" = { - source = format.generate "daemon.conf" { + "fwupd/fwupd.conf" = { + source = format.generate "fwupd.conf" { fwupd = cfg.daemonSettings; - }; - }; - - "fwupd/uefi_capsule.conf" = { - source = format.generate "uefi_capsule.conf" { uefi_capsule = cfg.uefiCapsuleSettings; }; + # fwupd tries to chmod the file if it doesn't have the right permissions + mode = "0640"; }; }; @@ -53,7 +50,7 @@ let # to install it because it would create a cyclic dependency between # the outputs. We also need to enable the remote, # which should not be done by default. - if cfg.enableTestRemote then (enableRemote cfg.package.installedTests "fwupd-tests") else {} + lib.optionalAttrs cfg.enableTestRemote (enableRemote cfg.package.installedTests "fwupd-tests") ); in { 
diff --git a/third_party/nixpkgs/nixos/modules/services/hardware/keyd.nix b/third_party/nixpkgs/nixos/modules/services/hardware/keyd.nix index d17b0e4303..969383fd4d 100644 --- a/third_party/nixpkgs/nixos/modules/services/hardware/keyd.nix +++ b/third_party/nixpkgs/nixos/modules/services/hardware/keyd.nix @@ -3,12 +3,9 @@ with lib; let cfg = config.services.keyd; settingsFormat = pkgs.formats.ini { }; -in -{ - options = { - services.keyd = { - enable = mkEnableOption (lib.mdDoc "keyd, a key remapping daemon"); + keyboardOptions = { ... }: { + options = { ids = mkOption { type = types.listOf types.string; default = [ "*" ]; 
@@ -35,24 +32,71 @@ in }; }; description = lib.mdDoc '' - Configuration, except `ids` section, that is written to {file}`/etc/keyd/default.conf`. + Configuration, except `ids` section, that is written to {file}`/etc/keyd/.conf`. + Appropriate names can be used to write non-alpha keys, for example "equal" instead of "=" sign (see ). See how to configure. ''; }; }; }; +in +{ + imports = [ + (mkRemovedOptionModule [ "services" "keyd" "ids" ] + ''Use keyboards..ids instead. If you don't need a multi-file configuration, just add keyboards.default before the ids. See https://github.com/NixOS/nixpkgs/pull/243271.'') + (mkRemovedOptionModule [ "services" "keyd" "settings" ] + ''Use keyboards..settings instead. If you don't need a multi-file configuration, just add keyboards.default before the settings. See https://github.com/NixOS/nixpkgs/pull/243271.'') + ]; + + options.services.keyd = { + enable = mkEnableOption (lib.mdDoc "keyd, a key remapping daemon"); + + keyboards = mkOption { + type = types.attrsOf (types.submodule keyboardOptions); + default = { }; + example = literalExpression '' + { + default = { + ids = [ "*" ]; + settings = { + main = { + capslock = "overload(control, esc)"; + }; + }; + }; + externalKeyboard = { + ids = [ "1ea7:0907" ]; + settings = { + main = { + esc = capslock; + }; + }; + }; + } + ''; + description = mdDoc '' + Configuration for one or more device IDs. Corresponding files in the /etc/keyd/ directory are created according to the name of the keys (like `default` or `externalKeyboard`). 
+ ''; + }; + }; config = mkIf cfg.enable { - environment.etc."keyd/default.conf".source = pkgs.runCommand "default.conf" - { - ids = '' - [ids] - ${concatStringsSep "\n" cfg.ids} - ''; - passAsFile = [ "ids" ]; - } '' - cat $idsPath <(echo) ${settingsFormat.generate "keyd-main.conf" cfg.settings} >$out - ''; + # Creates separate files in the `/etc/keyd/` directory for each key in the dictionary + environment.etc = mapAttrs' + (name: options: + nameValuePair "keyd/${name}.conf" { + source = pkgs.runCommand "${name}.conf" + { + ids = '' + [ids] + ${concatStringsSep "\n" options.ids} + ''; + passAsFile = [ "ids" ]; + } '' + cat $idsPath <(echo) ${settingsFormat.generate "keyd-${name}.conf" options.settings} >$out + ''; + }) + cfg.keyboards; hardware.uinput.enable = lib.mkDefault true; @@ -62,9 +106,11 @@ in wantedBy = [ "multi-user.target" ]; - restartTriggers = [ - config.environment.etc."keyd/default.conf".source - ]; + restartTriggers = mapAttrsToList + (name: options: + config.environment.etc."keyd/${name}.conf".source + ) + cfg.keyboards; # this is configurable in 2.4.2, later versions seem to remove this option. # post-2.4.2 may need to set makeFlags in the derivation: diff --git a/third_party/nixpkgs/nixos/modules/services/hardware/pcscd.nix b/third_party/nixpkgs/nixos/modules/services/hardware/pcscd.nix index a09c64645c..a9e4998efe 100644 --- a/third_party/nixpkgs/nixos/modules/services/hardware/pcscd.nix +++ b/third_party/nixpkgs/nixos/modules/services/hardware/pcscd.nix @@ -24,7 +24,6 @@ in plugins = mkOption { type = types.listOf types.package; - default = [ pkgs.ccid ]; defaultText = literalExpression "[ pkgs.ccid ]"; example = literalExpression "[ pkgs.pcsc-cyberjack ]"; description = lib.mdDoc "Plugin packages to be used for PCSC-Lite."; 
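Review bot: The `example` of the new `keyboards` option is not valid Nix as written: `esc = capslock;` references an unbound identifier, while the sibling entry quotes its value (`capslock = "overload(control, esc)";`). Since `literalExpression` text is exactly what users copy, it should read `esc = "capslock";`. Separately, the attribute name is spliced unchanged into `"keyd/${name}.conf"` and into the `runCommand` derivation name, so a name with a `/` or with characters not allowed in a store path would yield a nested etc path or fail at evaluation; a sentence in the description saying names must be simple identifiers would make that explicit. This hunk starts on the previous line.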
@@ -56,6 +55,8 @@ in environment.systemPackages = [ package ]; systemd.packages = [ (getBin package) ]; + services.pcscd.plugins = [ pkgs.ccid ]; + systemd.sockets.pcscd.wantedBy = [ "sockets.target" ]; systemd.services.pcscd = { diff --git a/third_party/nixpkgs/nixos/modules/services/hardware/supergfxd.nix b/third_party/nixpkgs/nixos/modules/services/hardware/supergfxd.nix index 5ea05ac277..bd82775e82 100644 --- a/third_party/nixpkgs/nixos/modules/services/hardware/supergfxd.nix +++ b/third_party/nixpkgs/nixos/modules/services/hardware/supergfxd.nix @@ -32,7 +32,7 @@ in systemd.packages = [ pkgs.supergfxctl ]; systemd.services.supergfxd.wantedBy = [ "multi-user.target" ]; - systemd.services.supergfxd.path = [ pkgs.kmod ]; + systemd.services.supergfxd.path = [ pkgs.kmod pkgs.pciutils ]; services.dbus.packages = [ pkgs.supergfxctl ]; services.udev.packages = [ pkgs.supergfxctl ]; diff --git a/third_party/nixpkgs/nixos/modules/services/hardware/udev.nix b/third_party/nixpkgs/nixos/modules/services/hardware/udev.nix index 94406b60b2..5612009487 100644 --- a/third_party/nixpkgs/nixos/modules/services/hardware/udev.nix +++ b/third_party/nixpkgs/nixos/modules/services/hardware/udev.nix @@ -72,7 +72,7 @@ let --replace \"/sbin/blkid \"${pkgs.util-linux}/sbin/blkid \ --replace \"/bin/mount \"${pkgs.util-linux}/bin/mount \ --replace /usr/bin/readlink ${pkgs.coreutils}/bin/readlink \ - --replace /usr/bin/basename ${pkgs.coreutils}/bin/basename + --replace /usr/bin/basename ${pkgs.coreutils}/bin/basename 2>/dev/null ${optionalString (initrdBin != null) '' substituteInPlace $i --replace '/run/current-system/systemd' "${removeSuffix "/bin" initrdBin}" ''} @@ -296,7 +296,6 @@ in packages = mkOption { type = types.listOf types.path; default = []; - visible = false; description = lib.mdDoc '' *This will only be used when systemd is used in stage 1.* 
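Review bot: Moving `pkgs.ccid` from `default` into `config` as `services.pcscd.plugins = [ pkgs.ccid ];` changes the option's semantics: `listOf` definitions merge by concatenation, so a user who sets `plugins = [ pkgs.pcsc-cyberjack ]` now gets ccid as well, and dropping it requires `lib.mkForce`. The `defaultText = literalExpression "[ pkgs.ccid ]"` kept in the previous hunk now describes a value set in `config` rather than a real default. The description should state this: `Plugin packages to be used for PCSC-Lite. pkgs.ccid is always included; use lib.mkForce to replace the whole list.`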
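Review bot: `2>/dev/null` on the `substituteInPlace` invocation silences every diagnostic from the call, not only the warning about a `--replace` pattern that no longer matches, so a genuinely failing substitution would go unnoticed in the build log. If the intent is to quiet an optional replacement, a comment should say which pattern is expected to be absent: `# not every rules file references all of these binaries; silence the "not found" warnings`. If the nixpkgs in use offers a quiet variant of `--replace`, that is preferable to discarding stderr.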
@@ -311,7 +310,6 @@ in binPackages = mkOption { type = types.listOf types.path; default = []; - visible = false; description = lib.mdDoc '' *This will only be used when systemd is used in stage 1.* diff --git a/third_party/nixpkgs/nixos/modules/services/home-automation/evcc.nix b/third_party/nixpkgs/nixos/modules/services/home-automation/evcc.nix index efa2cf2443..d0ce3fb4a1 100644 --- a/third_party/nixpkgs/nixos/modules/services/home-automation/evcc.nix +++ b/third_party/nixpkgs/nixos/modules/services/home-automation/evcc.nix @@ -50,7 +50,7 @@ in ]; environment.HOME = "/var/lib/evcc"; path = with pkgs; [ - glibc # requires getent + getent ]; serviceConfig = { ExecStart = "${package}/bin/evcc --config ${configFile} ${escapeShellArgs cfg.extraArgs}"; diff --git a/third_party/nixpkgs/nixos/modules/services/mail/davmail.nix b/third_party/nixpkgs/nixos/modules/services/mail/davmail.nix index 483f591a72..9cdb435af4 100644 --- a/third_party/nixpkgs/nixos/modules/services/mail/davmail.nix +++ b/third_party/nixpkgs/nixos/modules/services/mail/davmail.nix @@ -91,6 +91,33 @@ in Restart = "on-failure"; DynamicUser = "yes"; LogsDirectory = "davmail"; + + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectSystem = "strict"; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + SystemCallErrorNumber = "EPERM"; + UMask = "0077"; + }; }; 
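Review bot: The new hardening block omits `MemoryDenyWriteExecute`, which is appropriate for a JVM service because the JIT needs writable-and-executable mappings, but nothing records that choice, so a later pass applying the remaining `systemd-analyze security` recommendations could break the service; suggest `# MemoryDenyWriteExecute intentionally unset: the JVM JIT needs W+X mappings`. Whether `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]` and `SystemCallFilter = "@system-service"` are sufficient for the JVM is not evident from the hunk; a note that the set was verified against a running instance would make the block maintainable. `ProtectSystem = "strict"` together with `LogsDirectory = "davmail"` is consistent, since the log directory is the only writable path the unit declares.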
diff --git a/third_party/nixpkgs/nixos/modules/services/mail/exim.nix b/third_party/nixpkgs/nixos/modules/services/mail/exim.nix index a9504acee3..1d1258913b 100644 --- a/third_party/nixpkgs/nixos/modules/services/mail/exim.nix +++ b/third_party/nixpkgs/nixos/modules/services/mail/exim.nix @@ -116,8 +116,8 @@ in wantedBy = [ "multi-user.target" ]; restartTriggers = [ config.environment.etc."exim.conf".source ]; serviceConfig = { - ExecStart = "+${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}"; - ExecReload = "+${coreutils}/bin/kill -HUP $MAINPID"; + ExecStart = "!${cfg.package}/bin/exim -bdf -q${cfg.queueRunnerInterval}"; + ExecReload = "!${coreutils}/bin/kill -HUP $MAINPID"; User = cfg.user; }; preStart = '' diff --git a/third_party/nixpkgs/nixos/modules/services/mail/maddy.nix b/third_party/nixpkgs/nixos/modules/services/mail/maddy.nix index 701d57f18e..3b4a517fb8 100644 --- a/third_party/nixpkgs/nixos/modules/services/mail/maddy.nix +++ b/third_party/nixpkgs/nixos/modules/services/mail/maddy.nix @@ -335,12 +335,13 @@ in { }; secrets = lib.mkOption { - type = lib.types.path; + type = with types; listOf path; description = lib.mdDoc '' - A file containing the various secrets. Should be in the format + A list of files containing the various secrets. Should be in the format expected by systemd's `EnvironmentFile` directory. Secrets can be referenced in the format `{env:VAR}`. ''; + default = [ ]; }; }; @@ -379,7 +380,7 @@ in { User = cfg.user; Group = cfg.group; StateDirectory = [ "maddy" ]; - EnvironmentFile = lib.mkIf (cfg.secrets != null) "${cfg.secrets}"; + EnvironmentFile = cfg.secrets; }; restartTriggers = [ config.environment.etc."maddy/maddy.conf".source ]; wantedBy = [ "multi-user.target" ]; diff --git a/third_party/nixpkgs/nixos/modules/services/mail/nullmailer.nix b/third_party/nixpkgs/nixos/modules/services/mail/nullmailer.nix index 7c72229efb..f6befe246b 100644 --- a/third_party/nixpkgs/nixos/modules/services/mail/nullmailer.nix 
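Review bot: The switch from the `+` to the `!` prefix on `ExecStart` and `ExecReload` changes which settings still apply to the process: with `+` systemd ignores `User=` and the sandboxing directives, while with `!` only `User=`/`Group=` are skipped and the privilege-restricting options remain in force, the program being expected to drop privileges itself. That is a deliberate hardening step that is easy to revert as an apparent typo, so the lines deserve a comment, e.g. `# "!" instead of "+": start as root but keep sandboxing options in effect; exim is expected to drop privileges itself`. If the unit has no other restricting directives yet, the change is still correct but has no observable effect until some are added, which the comment could also say.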
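Review bot: Changing `secrets` from `types.path` to `listOf path` with `default = [ ]` breaks every existing configuration that sets a single path; the type check fails at evaluation with a generic message and the diff adds no `mkChangedOptionModule` or release note. `types.coercedTo types.path lib.singleton (types.listOf types.path)` would accept both spellings without a migration step. The removed `"${cfg.secrets}"` interpolation would, for a Nix path literal, copy the secret file into the world-readable store; the new `EnvironmentFile = cfg.secrets;` appears to avoid that (assuming the unit generator stringifies without interpolation), which is worth a sentence in the description so users keep writing the paths as strings.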
+++ b/third_party/nixpkgs/nixos/modules/services/mail/nullmailer.nix @@ -203,7 +203,7 @@ with lib; users = { users.${cfg.user} = { description = "Nullmailer relay-only mta user"; - group = cfg.group; + inherit (cfg) group; isSystemUser = true; }; @@ -211,10 +211,10 @@ with lib; }; systemd.tmpfiles.rules = [ - "d /var/spool/nullmailer - ${cfg.user} - - -" - "d /var/spool/nullmailer/failed 750 ${cfg.user} - - -" - "d /var/spool/nullmailer/queue 750 ${cfg.user} - - -" - "d /var/spool/nullmailer/tmp 750 ${cfg.user} - - -" + "d /var/spool/nullmailer - ${cfg.user} ${cfg.group} - -" + "d /var/spool/nullmailer/failed 770 ${cfg.user} ${cfg.group} - -" + "d /var/spool/nullmailer/queue 770 ${cfg.user} ${cfg.group} - -" + "d /var/spool/nullmailer/tmp 770 ${cfg.user} ${cfg.group} - -" ]; systemd.services.nullmailer = { @@ -238,7 +238,7 @@ with lib; program = "sendmail"; source = "${pkgs.nullmailer}/bin/sendmail"; owner = cfg.user; - group = cfg.group; + inherit (cfg) group; setuid = true; setgid = true; }; diff --git a/third_party/nixpkgs/nixos/modules/services/mail/public-inbox.nix b/third_party/nixpkgs/nixos/modules/services/mail/public-inbox.nix index 9cd6726e6c..4944d46fbd 100644 --- a/third_party/nixpkgs/nixos/modules/services/mail/public-inbox.nix +++ b/third_party/nixpkgs/nixos/modules/services/mail/public-inbox.nix @@ -89,7 +89,7 @@ let PrivateNetwork = mkDefault (!needNetwork); ProcSubset = "pid"; ProtectClock = true; - ProtectHome = mkDefault true; + ProtectHome = "tmpfs"; ProtectHostname = true; ProtectKernelLogs = true; ProtectProc = "invisible"; @@ -177,8 +177,7 @@ in description = lib.mdDoc "The email addresses of the public-inbox."; }; options.url = mkOption { - type = with types; nullOr str; - default = null; + type = types.nonEmptyStr; example = "https://example.org/lists/example-discuss"; description = lib.mdDoc "URL where this inbox can be accessed over HTTP."; }; 
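Review bot: The tmpfiles rules widen the spool subdirectories from `750` to `770` and hand them to `${cfg.group}`, so write access to the queue now extends to every member of that group rather than only `cfg.user`; together with the setgid `sendmail` wrapper in the last hunk that is how local users submit mail, but the coupling is not written down anywhere. A comment above the rules would make the trust boundary explicit: `# 770: the setgid sendmail wrapper runs as cfg.group and must be able to write into the queue`. The `group` option description (outside this diff) should also warn against pointing it at a shared group, since anyone in it can then read and alter queued mail.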
@@ -275,9 +274,8 @@ in default = {}; description = lib.mdDoc "public inboxes"; type = types.submodule { - # Keeping in line with the tradition of unnecessarily specific types, allow users to set - # freeform settings either globally under the `publicinbox` section, or for specific - # inboxes through additional nesting. + # Support both global options like `services.public-inbox.settings.publicinbox.imapserver` + # and inbox specific options like `services.public-inbox.settings.publicinbox.foo.address`. freeformType = with types; attrsOf (oneOf [ iniAtom (attrsOf iniAtom) ]); options.css = mkOption { @@ -285,12 +283,24 @@ in default = []; description = lib.mdDoc "The local path name of a CSS file for the PSGI web interface."; }; + options.imapserver = mkOption { + type = with types; listOf str; + default = []; + example = [ "imap.public-inbox.org" ]; + description = lib.mdDoc "IMAP URLs to this public-inbox instance"; + }; options.nntpserver = mkOption { type = with types; listOf str; default = []; example = [ "nntp://news.public-inbox.org" "nntps://news.public-inbox.org" ]; description = lib.mdDoc "NNTP URLs to this public-inbox instance"; }; + options.pop3server = mkOption { + type = with types; listOf str; + default = []; + example = [ "pop.public-inbox.org" ]; + description = lib.mdDoc "POP3 URLs to this public-inbox instance"; + }; options.wwwlisting = mkOption { type = with types; enum [ "all" "404" "match=domain" ]; default = "404"; @@ -450,6 +460,8 @@ in after = [ "public-inbox-init.service" "public-inbox-watch.service" ]; requires = [ "public-inbox-init.service" ]; serviceConfig = { + BindPathsReadOnly = + map (c: c.dir) (lib.attrValues cfg.settings.coderepo); ExecStart = escapeShellArgs ( [ "${cfg.package}/bin/public-inbox-httpd" ] ++ cfg.http.args ++ 
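Review bot: `BindPathsReadOnly = map (c: c.dir) (lib.attrValues cfg.settings.coderepo);` inserts each repository directory verbatim into a directive whose syntax uses `:` to separate source and destination and whitespace to separate entries, so a `dir` containing a colon or a space would be parsed as a different mount; systemd requires such characters to be escaped (`\:`) or the entry quoted. If `coderepo.*.dir` is meant to be a plain filesystem path this is unlikely in practice, but a short comment recording the assumption, `# coderepo dirs are exposed read-only to the httpd sandbox; paths must not contain ':' or whitespace`, would help. The list is empty when no coderepos are defined, so the default configuration is unaffected.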
@@ -553,16 +565,7 @@ in ${pkgs.git}/bin/git config core.sharedRepository 0640 fi '') cfg.inboxes - ) + '' - shopt -s nullglob - for inbox in ${stateDir}/inboxes/*/; do - # This should be idempotent, but only do it for new - # inboxes anyway because it's only needed once, and could - # be slow for large pre-existing inboxes. - ls -1 "$inbox" | grep -q '^xap' || - ${cfg.package}/bin/public-inbox-index "$inbox" - done - ''; + ); serviceConfig = { Type = "oneshot"; RemainAfterExit = true; diff --git a/third_party/nixpkgs/nixos/modules/services/mail/rspamd.nix b/third_party/nixpkgs/nixos/modules/services/mail/rspamd.nix index f9be9024dd..ca88d81221 100644 --- a/third_party/nixpkgs/nixos/modules/services/mail/rspamd.nix +++ b/third_party/nixpkgs/nixos/modules/services/mail/rspamd.nix @@ -215,7 +215,7 @@ let text = v.extraConfig; }) (filterAttrs (n: v: v.extraConfig != "") cfg.workers)) - // (if cfg.extraConfig == "" then {} else { + // (lib.optionalAttrs (cfg.extraConfig != "") { "extra-config.inc".text = cfg.extraConfig; }); in diff --git a/third_party/nixpkgs/nixos/modules/services/mail/spamassassin.nix b/third_party/nixpkgs/nixos/modules/services/mail/spamassassin.nix index 49d1d93159..072172e314 100644 --- a/third_party/nixpkgs/nixos/modules/services/mail/spamassassin.nix +++ b/third_party/nixpkgs/nixos/modules/services/mail/spamassassin.nix @@ -77,9 +77,9 @@ in loadplugin Mail::SpamAssassin::Plugin::Check #loadplugin Mail::SpamAssassin::Plugin::DCC loadplugin Mail::SpamAssassin::Plugin::DKIM + loadplugin Mail::SpamAssassin::Plugin::DMARC loadplugin Mail::SpamAssassin::Plugin::DNSEval loadplugin Mail::SpamAssassin::Plugin::FreeMail - loadplugin Mail::SpamAssassin::Plugin::Hashcash loadplugin Mail::SpamAssassin::Plugin::HeaderEval loadplugin Mail::SpamAssassin::Plugin::HTMLEval loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch 
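Review bot: `loadplugin Mail::SpamAssassin::Plugin::DMARC` only produces results when the SPF and DKIM plugins are also loaded, because DMARC evaluation is derived from their verdicts; DKIM is loaded two lines above, but the SPF plugin is not visible in this hunk, so please confirm it is enabled in the surrounding file or the new line adds rules that never fire. A comment next to the new line, `# DMARC needs both the DKIM and SPF plugins loaded`, would capture the dependency. Dropping `Hashcash` is consistent with that plugin having been removed upstream, assuming the packaged SpamAssassin is a 4.x release.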
diff --git a/third_party/nixpkgs/nixos/modules/services/matrix/appservice-irc.nix b/third_party/nixpkgs/nixos/modules/services/matrix/appservice-irc.nix index 388553d418..5526df785c 100644 --- a/third_party/nixpkgs/nixos/modules/services/matrix/appservice-irc.nix +++ b/third_party/nixpkgs/nixos/modules/services/matrix/appservice-irc.nix @@ -187,7 +187,7 @@ in { sed -i "s/^as_token:.*$/$as_token/g" ${registrationFile} fi # Allow synapse access to the registration - if ${getBin pkgs.glibc}/bin/getent group matrix-synapse > /dev/null; then + if ${pkgs.getent}/bin/getent group matrix-synapse > /dev/null; then chgrp matrix-synapse ${registrationFile} chmod g+r ${registrationFile} fi diff --git a/third_party/nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix b/third_party/nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix index e995f1aecf..bab6865496 100644 --- a/third_party/nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix +++ b/third_party/nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix @@ -29,6 +29,7 @@ in { }; appservice = rec { + id = "facebook"; address = "http://${hostname}:${toString port}"; hostname = "localhost"; port = 29319; @@ -171,7 +172,7 @@ in { services.mautrix-facebook = { registrationData = { - id = "mautrix-facebook"; + id = cfg.settings.appservice.id; namespaces = { users = [ diff --git a/third_party/nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix b/third_party/nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix index b64cc71d98..17032ed808 100644 --- a/third_party/nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix +++ b/third_party/nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix @@ -80,6 +80,9 @@ in { "example.com" = "full"; "@admin:example.com" = "admin"; }; + telegram = { + connection.use_ipv6 = true; + }; } ''; description = lib.mdDoc '' 
diff --git a/third_party/nixpkgs/nixos/modules/services/matrix/synapse.nix b/third_party/nixpkgs/nixos/modules/services/matrix/synapse.nix index 2a4104a4ec..3dca3ff94f 100644 --- a/third_party/nixpkgs/nixos/modules/services/matrix/synapse.nix +++ b/third_party/nixpkgs/nixos/modules/services/matrix/synapse.nix @@ -636,6 +636,7 @@ in { trusted_key_servers = mkOption { type = types.listOf (types.submodule { + freeformType = format.type; options = { server_name = mkOption { type = types.str; @@ -644,22 +645,6 @@ in { Hostname of the trusted server. ''; }; - - verify_keys = mkOption { - type = types.nullOr (types.attrsOf types.str); - default = null; - example = literalExpression '' - { - "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - ''; - description = lib.mdDoc '' - Attribute set from key id to base64 encoded public key. - - If specified synapse will check that the response is signed - by at least one of the given keys. - ''; - }; }; }); default = [ { diff --git a/third_party/nixpkgs/nixos/modules/services/misc/ananicy.nix b/third_party/nixpkgs/nixos/modules/services/misc/ananicy.nix index d2287fba6a..bc1b28efc0 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/ananicy.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/ananicy.nix @@ -5,7 +5,9 @@ with lib; let cfg = config.services.ananicy; configFile = pkgs.writeText "ananicy.conf" (generators.toKeyValue { } cfg.settings); - extraRules = pkgs.writeText "extraRules" cfg.extraRules; + extraRules = pkgs.writeText "extraRules" (concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.extraRules); + extraTypes = pkgs.writeText "extraTypes" (concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.extraTypes); + extraCgroups = pkgs.writeText "extraCgroups" (concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.extraCgroups); servicename = if ((lib.getName cfg.package) == (lib.getName pkgs.ananicy-cpp)) then "ananicy-cpp" else "ananicy"; in { 
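Review bot: Removing the typed `verify_keys` option under `trusted_key_servers` drops the only place in the module that explained the setting; existing definitions keep evaluating through the new `freeformType = format.type`, but they are no longer checked as `attrsOf str` and the guidance that Synapse validates notary responses against these pinned keys is gone. Since pinning the key server's signing key is what protects against a compromised or impersonated notary, the `server_name` description (or the `trusted_key_servers` description outside the hunk) should carry a sentence such as `Further keys such as verify_keys (key id to base64 public key) are passed through unchanged; when set, Synapse checks the notary's responses against them.` If the option was removed because upstream deprecated it, a release note would be the right place to say so.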
@@ -23,6 +25,16 @@ in ''; }; + rulesProvider = mkOption { + type = types.package; + default = pkgs.ananicy; + defaultText = literalExpression "pkgs.ananicy"; + example = literalExpression "pkgs.ananicy-cpp"; + description = lib.mdDoc '' + Which package to copy default rules,types,cgroups from. + ''; + }; + settings = mkOption { type = with types; attrsOf (oneOf [ int bool str ]); default = { }; @@ -35,20 +47,40 @@ in }; extraRules = mkOption { - type = types.str; - default = ""; + type = with types; listOf attrs; + default = [ ]; description = lib.mdDoc '' - Extra rules in json format on separate lines. See: + Rules to write in 'nixRules.rules'. See: ''; - example = literalExpression '' - ''' - { "name": "eog", "type": "Image-View" } - { "name": "fdupes", "type": "BG_CPUIO" } - ''' + example = [ + { name = "eog"; type = "Image-Viewer"; } + { name = "fdupes"; type = "BG_CPUIO"; } + ]; + }; + extraTypes = mkOption { + type = with types; listOf attrs; + default = [ ]; + description = lib.mdDoc '' + Types to write in 'nixTypes.types'. See: + ''; - + example = [ + { type = "my_type"; nice = 19; other_parameter = "value"; } + { type = "compiler"; nice = 19; sched = "batch"; ioclass = "idle"; } + ]; + }; + extraCgroups = mkOption { + type = with types; listOf attrs; + default = [ ]; + description = lib.mdDoc '' + Cgroups to write in 'nixCgroups.cgroups'. See: + + ''; + example = [ + { cgroup = "cpu80"; CPUQuota = 80; } + ]; }; }; }; 
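Review bot: `extraRules` changes type from `types.str` to `listOf attrs` with `default = [ ]`, so any existing configuration supplying the old multi-line JSON string fails the type check at evaluation, and the diff adds no `mkChangedOptionModule` or release-note entry to steer users to the new form. A `mkChangedOptionModule` cannot parse arbitrary JSON lines, but at minimum the description should say the previous form is gone, e.g. `Rules to write in 'nixRules.rules'; each attribute set becomes one JSON line (the former raw-string form is no longer accepted).` The three `listOf attrs` options also accept any attribute names, so a misspelled key is only visible in ananicy's own output, if at all; that limitation is worth a line in the descriptions too.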
@@ -59,10 +91,18 @@ in etc."ananicy.d".source = pkgs.runCommandLocal "ananicyfiles" { } '' mkdir -p $out # ananicy-cpp does not include rules or settings on purpose - cp -r ${pkgs.ananicy}/etc/ananicy.d/* $out - rm $out/ananicy.conf + if [[ -d "${cfg.rulesProvider}/etc/ananicy.d/00-default" ]]; then + cp -r ${cfg.rulesProvider}/etc/ananicy.d/* $out + else + cp -r ${cfg.rulesProvider}/* $out + fi + + # configured through .setings + rm -f $out/ananicy.conf cp ${configFile} $out/ananicy.conf - ${optionalString (cfg.extraRules != "") "cp ${extraRules} $out/nixRules.rules"} + ${optionalString (cfg.extraRules != [ ]) "cp ${extraRules} $out/nixRules.rules"} + ${optionalString (cfg.extraTypes != [ ]) "cp ${extraTypes} $out/nixTypes.types"} + ${optionalString (cfg.extraCgroups != [ ]) "cp ${extraCgroups} $out/nixCgroups.cgroups"} ''; }; @@ -85,6 +125,7 @@ in # https://gitlab.com/ananicy-cpp/ananicy-cpp/-/blob/master/src/config.cpp#L12 loglevel = mkOD "warn"; # default is info but its spammy cgroup_realtime_workaround = mkOD config.systemd.enableUnifiedCgroupHierarchy; + log_applied_rule = mkOD false; } else { # https://github.com/Nefelim4ag/Ananicy/blob/master/ananicy.d/ananicy.conf check_disks_schedulers = mkOD true; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/ankisyncd.nix b/third_party/nixpkgs/nixos/modules/services/misc/ankisyncd.nix index 5198b82420..7be8dc7dab 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/ankisyncd.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/ankisyncd.nix 
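Review bot: The new comment `# configured through .setings` has a typo and is too terse; `# ananicy.conf is generated from services.ananicy.settings, so drop the provider's copy` says what the `rm -f`/`cp` pair does. The `else` branch `cp -r ${cfg.rulesProvider}/* $out` copies the entire package root into `/etc/ananicy.d` whenever the package lacks `etc/ananicy.d/00-default`, which for the `pkgs.ananicy-cpp` example offered for `rulesProvider` in the previous hunk would presumably mean its binaries and libraries rather than rules; either restrict the fallback to a known rules layout or make the option description state that the package must ship `etc/ananicy.d` or consist solely of rule files.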
@@ -9,22 +9,16 @@ let stateDir = "/var/lib/${name}"; - authDbPath = "${stateDir}/auth.db"; + toml = pkgs.formats.toml {}; - sessionDbPath = "${stateDir}/session.db"; - - configFile = pkgs.writeText "ankisyncd.conf" (lib.generators.toINI {} { - sync_app = { + configFile = toml.generate "ankisyncd.conf" { + listen = { host = cfg.host; port = cfg.port; - data_root = stateDir; - auth_db_path = authDbPath; - session_db_path = sessionDbPath; - - base_url = "/sync/"; - base_media_url = "/msync/"; }; - }); + paths.root_dir = stateDir; + # encryption.ssl_enable / cert_file / key_file + }; in { options.services.ankisyncd = { @@ -59,8 +53,6 @@ in config = mkIf cfg.enable { networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; - environment.etc."ankisyncd/ankisyncd.conf".source = configFile; - systemd.services.ankisyncd = { description = "ankisyncd - Anki sync server"; after = [ "network.target" ]; @@ -71,7 +63,7 @@ in Type = "simple"; DynamicUser = true; StateDirectory = name; - ExecStart = "${cfg.package}/bin/ankisyncd"; + ExecStart = "${cfg.package}/bin/ankisyncd --config ${configFile}"; Restart = "always"; }; }; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/atuin.nix b/third_party/nixpkgs/nixos/modules/services/misc/atuin.nix index c603042fb3..202bd4dfca 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/atuin.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/atuin.nix @@ -46,6 +46,13 @@ in description = mdDoc "Open ports in the firewall for the atuin server."; }; + database = { + createLocally = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc "Create the database and database user locally."; + }; + }; }; }; 
@@ -65,7 +72,8 @@ in systemd.services.atuin = { description = "atuin server"; - after = [ "network.target" "postgresql.service" ]; + requires = lib.optionals cfg.database.createLocally [ "postgresql.service" ]; + after = [ "network.target" ] ++ lib.optionals cfg.database.createLocally [ "postgresql.service" ] ; wantedBy = [ "multi-user.target" ]; serviceConfig = { @@ -80,7 +88,7 @@ in ATUIN_PORT = toString cfg.port; ATUIN_MAX_HISTORY_LENGTH = toString cfg.maxHistoryLength; ATUIN_OPEN_REGISTRATION = boolToString cfg.openRegistration; - ATUIN_DB_URI = "postgresql:///atuin"; + ATUIN_DB_URI = mkIf cfg.database.createLocally "postgresql:///atuin"; ATUIN_PATH = cfg.path; ATUIN_CONFIG_DIR = "/run/atuin"; # required to start, but not used as configuration is via environment variables }; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/calibre-server.nix b/third_party/nixpkgs/nixos/modules/services/misc/calibre-server.nix index 77c60381a3..e1ddae1de1 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/calibre-server.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/calibre-server.nix @@ -6,6 +6,17 @@ let cfg = config.services.calibre-server; + documentationLink = "https://manual.calibre-ebook.com"; + generatedDocumentationLink = documentationLink + "/generated/en/calibre-server.html"; + + execFlags = (concatStringsSep " " + (mapAttrsToList (k: v: "${k} ${toString v}") (filterAttrs (name: value: value != null) { + "--listen-on" = cfg.host; + "--port" = cfg.port; + "--auth-mode" = cfg.auth.mode; + "--userdb" = cfg.auth.userDb; + }) ++ [(optionalString (cfg.auth.enable == true) "--enable-auth")]) + ); in { 
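Review bot: With `ATUIN_DB_URI = mkIf cfg.database.createLocally "postgresql:///atuin";` the unit has no database URI at all when `createLocally = false`, and neither this hunk nor the new option says how to supply one; the `createLocally` description should, e.g. `Create the database and database user locally. When false, ATUIN_DB_URI must be provided through the service's environment, preferably via an EnvironmentFile so credentials stay out of the Nix store.` A connection string with a password placed in `systemd.services.atuin.environment` would land in the world-readable store, which is why the `EnvironmentFile` hint matters. The `requires`/`after` gating in the previous hunk is consistent with this change.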
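Review bot: `execFlags` builds the command line with `"${k} ${toString v}"` joined by spaces and no shell escaping, so a `userDb` path or `host` value containing whitespace or quotes is split or reinterpreted by systemd's ExecStart parsing; since `cfg.libraries` is likewise joined with `concatStringsSep " "` in the unit, both should go through `lib.escapeShellArgs`, which this module already has in scope via `lib`. `--auth-mode` is also emitted when `auth.enable` is false, which is harmless but worth either a filter or a comment so the flags mirror the options. The helper has no comment explaining that `filterAttrs` drops null-valued options; one line would do.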
@@ -18,52 +29,100 @@ in ) ]; - ###### interface - options = { services.calibre-server = { enable = mkEnableOption (lib.mdDoc "calibre-server"); + package = lib.mkPackageOptionMD pkgs "calibre" { }; libraries = mkOption { - description = lib.mdDoc '' - The directories of the libraries to serve. They must be readable for the user under which the server runs. - ''; type = types.listOf types.path; + default = [ "/var/lib/calibre-server" ]; + description = lib.mdDoc '' + Make sure each library path is initialized before service startup. + The directories of the libraries to serve. They must be readable for the user under which the server runs. + See the [calibredb documentation](${documentationLink}/generated/en/calibredb.html#add) for details. + ''; }; user = mkOption { - description = lib.mdDoc "The user under which calibre-server runs."; type = types.str; default = "calibre-server"; + description = lib.mdDoc "The user under which calibre-server runs."; }; group = mkOption { - description = lib.mdDoc "The group under which calibre-server runs."; type = types.str; default = "calibre-server"; + description = lib.mdDoc "The group under which calibre-server runs."; }; + host = mkOption { + type = types.str; + default = "0.0.0.0"; + example = "::1"; + description = lib.mdDoc '' + The interface on which to listen for connections. + See the [calibre-server documentation](${generatedDocumentationLink}#cmdoption-calibre-server-listen-on) for details. + ''; + }; + + port = mkOption { + default = 8080; + type = types.port; + description = lib.mdDoc '' + The port on which to listen for connections. + See the [calibre-server documentation](${generatedDocumentationLink}#cmdoption-calibre-server-port) for details. + ''; + }; + + auth = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Password based authentication to access the server. 
+ See the [calibre-server documentation](${generatedDocumentationLink}#cmdoption-calibre-server-enable-auth) for details. + ''; + }; + + mode = mkOption { + type = types.enum [ "auto" "basic" "digest" ]; + default = "auto"; + description = lib.mdDoc '' + Choose the type of authentication used. + Set the HTTP authentication mode used by the server. + See the [calibre-server documentation](${generatedDocumentationLink}#cmdoption-calibre-server-auth-mode) for details. + ''; + }; + + userDb = mkOption { + default = null; + type = types.nullOr types.path; + description = lib.mdDoc '' + Choose users database file to use for authentication. + Make sure users database file is initialized before service startup. + See the [calibre-server documentation](${documentationLink}/server.html#managing-user-accounts-from-the-command-line-only) for details. + ''; + }; + }; }; }; - - ###### implementation - config = mkIf cfg.enable { systemd.services.calibre-server = { - description = "Calibre Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = cfg.user; - Restart = "always"; - ExecStart = "${pkgs.calibre}/bin/calibre-server ${lib.concatStringsSep " " cfg.libraries}"; - }; - + description = "Calibre Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.user; + Restart = "always"; + ExecStart = "${cfg.package}/bin/calibre-server ${lib.concatStringsSep " " cfg.libraries} ${execFlags}"; }; + }; + environment.systemPackages = [ pkgs.calibre ]; users.users = optionalAttrs (cfg.user == "calibre-server") { @@ -83,4 +142,5 @@ in }; + meta.maintainers = with lib.maintainers; [ gaelreyrol ]; } diff --git a/third_party/nixpkgs/nixos/modules/services/misc/disnix.nix b/third_party/nixpkgs/nixos/modules/services/misc/disnix.nix index 1cdfeef57c..13c57ce6b8 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/disnix.nix 
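Review bot: `host` defaults to `"0.0.0.0"` while `auth.enable` defaults to `false`, so the default configuration exposes the library server on every interface without authentication; either default `host` to a loopback address or state the combination plainly in both descriptions, e.g. `Defaults to all interfaces; pair with auth.enable or a firewall rule.` The new `package` option is not applied consistently: `ExecStart` uses `${cfg.package}/bin/calibre-server` but the `environment.systemPackages = [ pkgs.calibre ];` line on the new side still names the package directly and should read `[ cfg.package ]`. `ExecStart` also concatenates `cfg.libraries` with plain spaces, so a library path containing a space breaks the command; `lib.escapeShellArgs cfg.libraries` fixes that. This hunk begins on the previous line.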
+++ b/third_party/nixpkgs/nixos/modules/services/misc/disnix.nix @@ -87,8 +87,8 @@ in environment = { HOME = "/root"; } - // (if config.environment.variables ? DYSNOMIA_CONTAINERS_PATH then { inherit (config.environment.variables) DYSNOMIA_CONTAINERS_PATH; } else {}) - // (if config.environment.variables ? DYSNOMIA_MODULES_PATH then { inherit (config.environment.variables) DYSNOMIA_MODULES_PATH; } else {}); + // (optionalAttrs (config.environment.variables ? DYSNOMIA_CONTAINERS_PATH) { inherit (config.environment.variables) DYSNOMIA_CONTAINERS_PATH; }) + // (optionalAttrs (config.environment.variables ? DYSNOMIA_MODULES_PATH) { inherit (config.environment.variables) DYSNOMIA_MODULES_PATH; }); serviceConfig.ExecStart = "${cfg.package}/bin/disnix-service"; }; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/docker-registry.nix b/third_party/nixpkgs/nixos/modules/services/misc/docker-registry.nix index 98edb413f3..b0e9106346 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/docker-registry.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/docker-registry.nix @@ -15,9 +15,7 @@ let storage = { cache.blobdescriptor = blobCache; delete.enabled = cfg.enableDelete; - } // (if cfg.storagePath != null - then { filesystem.rootdirectory = cfg.storagePath; } - else {}); + } // (optionalAttrs (cfg.storagePath != null) { filesystem.rootdirectory = cfg.storagePath; }); http = { addr = "${cfg.listenAddress}:${builtins.toString cfg.port}"; headers.X-Content-Type-Options = ["nosniff"]; 
@@ -49,6 +47,14 @@ in { options.services.dockerRegistry = { enable = mkEnableOption (lib.mdDoc "Docker Registry"); + package = mkOption { + type = types.package; + description = mdDoc "Which Docker registry package to use."; + default = pkgs.docker-distribution; + defaultText = literalExpression "pkgs.docker-distribution"; + example = literalExpression "pkgs.gitlab-container-registry"; + }; + listenAddress = mkOption { description = lib.mdDoc "Docker registry host or ip to bind to."; default = "127.0.0.1"; @@ -117,7 +123,7 @@ in { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; script = '' - ${pkgs.docker-distribution}/bin/registry serve ${configFile} + ${cfg.package}/bin/registry serve ${configFile} ''; serviceConfig = { @@ -136,7 +142,7 @@ in { serviceConfig.Type = "oneshot"; script = '' - ${pkgs.docker-distribution}/bin/registry garbage-collect ${configFile} + ${cfg.package}/bin/registry garbage-collect ${configFile} /run/current-system/systemd/bin/systemctl restart docker-registry.service ''; @@ -144,12 +150,10 @@ in { }; users.users.docker-registry = - (if cfg.storagePath != null - then { + (optionalAttrs (cfg.storagePath != null) { createHome = true; home = cfg.storagePath; - } - else {}) // { + }) // { group = "docker-registry"; isSystemUser = true; }; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/etcd.nix b/third_party/nixpkgs/nixos/modules/services/misc/etcd.nix index 17a7cca917..7bc7a94991 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/etcd.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/etcd.nix @@ -15,6 +15,8 @@ in { type = types.bool; }; + package = mkPackageOptionMD pkgs "etcd" { }; + name = mkOption { description = lib.mdDoc "Etcd unique node name."; default = config.networking.hostName; 
@@ -187,13 +189,13 @@ in { serviceConfig = { Type = "notify"; - ExecStart = "${pkgs.etcd}/bin/etcd"; + ExecStart = "${cfg.package}/bin/etcd"; User = "etcd"; LimitNOFILE = 40000; }; }; - environment.systemPackages = [ pkgs.etcd ]; + environment.systemPackages = [ cfg.package ]; users.users.etcd = { isSystemUser = true; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/exhibitor.nix b/third_party/nixpkgs/nixos/modules/services/misc/exhibitor.nix deleted file mode 100644 index 91a87b55af..0000000000 --- a/third_party/nixpkgs/nixos/modules/services/misc/exhibitor.nix +++ /dev/null 
@@ -1,417 +0,0 @@ -{ config, lib, options, pkgs, ... }: - -with lib; - -let - cfg = config.services.exhibitor; - opt = options.services.exhibitor; - exhibitorConfig = '' - zookeeper-install-directory=${cfg.baseDir}/zookeeper - zookeeper-data-directory=${cfg.zkDataDir} - zookeeper-log-directory=${cfg.zkLogDir} - zoo-cfg-extra=${cfg.zkExtraCfg} - client-port=${toString cfg.zkClientPort} - connect-port=${toString cfg.zkConnectPort} - election-port=${toString cfg.zkElectionPort} - cleanup-period-ms=${toString cfg.zkCleanupPeriod} - servers-spec=${concatStringsSep "," cfg.zkServersSpec} - auto-manage-instances=${toString cfg.autoManageInstances} - ${cfg.extraConf} - ''; - # NB: toString rather than lib.boolToString on cfg.autoManageInstances is intended. - # Exhibitor tests if it's an integer not equal to 0, so the empty string (toString false) - # will operate in the same fashion as a 0. - configDir = pkgs.writeTextDir "exhibitor.properties" exhibitorConfig; - cliOptionsCommon = { - configtype = cfg.configType; - defaultconfig = "${configDir}/exhibitor.properties"; - port = toString cfg.port; - hostname = cfg.hostname; - headingtext = if (cfg.headingText != null) then (lib.escapeShellArg cfg.headingText) else null; - nodemodification = lib.boolToString cfg.nodeModification; - configcheckms = toString cfg.configCheckMs; - jquerystyle = cfg.jqueryStyle; - loglines = toString cfg.logLines; - servo = lib.boolToString cfg.servo; - timeout = toString cfg.timeout; - }; - s3CommonOptions = { s3region = cfg.s3Region; s3credentials = cfg.s3Credentials; }; - cliOptionsPerConfig = { - s3 = { - s3config = "${cfg.s3Config.bucketName}:${cfg.s3Config.objectKey}"; - s3configprefix = cfg.s3Config.configPrefix; - }; - zookeeper = { - zkconfigconnect = concatStringsSep "," cfg.zkConfigConnect; - zkconfigexhibitorpath = cfg.zkConfigExhibitorPath; - zkconfigpollms = toString cfg.zkConfigPollMs; - zkconfigretry = "${toString cfg.zkConfigRetry.sleepMs}:${toString 
cfg.zkConfigRetry.retryQuantity}"; - zkconfigzpath = cfg.zkConfigZPath; - zkconfigexhibitorport = toString cfg.zkConfigExhibitorPort; # NB: This might be null - }; - file = { - fsconfigdir = cfg.fsConfigDir; - fsconfiglockprefix = cfg.fsConfigLockPrefix; - fsConfigName = fsConfigName; - }; - none = { - noneconfigdir = configDir; - }; - }; - cliOptions = concatStringsSep " " (mapAttrsToList (k: v: "--${k} ${v}") (filterAttrs (k: v: v != null && v != "") (cliOptionsCommon // - cliOptionsPerConfig.${cfg.configType} // - s3CommonOptions // - optionalAttrs cfg.s3Backup { s3backup = "true"; } // - optionalAttrs cfg.fileSystemBackup { filesystembackup = "true"; } - ))); -in -{ - options = { - services.exhibitor = { - enable = mkEnableOption (lib.mdDoc "exhibitor server"); - - # See https://github.com/soabase/exhibitor/wiki/Running-Exhibitor for what these mean - # General options for any type of config - port = mkOption { - type = types.port; - default = 8080; - description = lib.mdDoc '' - The port for exhibitor to listen on and communicate with other exhibitors. - ''; - }; - baseDir = mkOption { - type = types.str; - default = "/var/exhibitor"; - description = lib.mdDoc '' - Baseline directory for exhibitor runtime config. - ''; - }; - configType = mkOption { - type = types.enum [ "file" "s3" "zookeeper" "none" ]; - description = lib.mdDoc '' - Which configuration type you want to use. Additional config will be - required depending on which type you are using. - ''; - }; - hostname = mkOption { - type = types.nullOr types.str; - description = lib.mdDoc '' - Hostname to use and advertise - ''; - default = null; - }; - nodeModification = mkOption { - type = types.bool; - description = lib.mdDoc '' - Whether the Explorer UI will allow nodes to be modified (use with caution). - ''; - default = true; - }; - configCheckMs = mkOption { - type = types.int; - description = lib.mdDoc '' - Period (ms) to check for shared config updates. 
- ''; - default = 30000; - }; - headingText = mkOption { - type = types.nullOr types.str; - description = lib.mdDoc '' - Extra text to display in UI header - ''; - default = null; - }; - jqueryStyle = mkOption { - type = types.enum [ "red" "black" "custom" ]; - description = lib.mdDoc '' - Styling used for the JQuery-based UI. - ''; - default = "red"; - }; - logLines = mkOption { - type = types.int; - description = lib.mdDoc '' - Max lines of logging to keep in memory for display. - ''; - default = 1000; - }; - servo = mkOption { - type = types.bool; - description = lib.mdDoc '' - ZooKeeper will be queried once a minute for its state via the 'mntr' four - letter word (this requires ZooKeeper 3.4.x+). Servo will be used to publish - this data via JMX. - ''; - default = false; - }; - timeout = mkOption { - type = types.int; - description = lib.mdDoc '' - Connection timeout (ms) for ZK connections. - ''; - default = 30000; - }; - autoManageInstances = mkOption { - type = types.bool; - description = lib.mdDoc '' - Automatically manage ZooKeeper instances in the ensemble - ''; - default = false; - }; - zkDataDir = mkOption { - type = types.str; - default = "${cfg.baseDir}/zkData"; - defaultText = literalExpression ''"''${config.${opt.baseDir}}/zkData"''; - description = lib.mdDoc '' - The Zookeeper data directory - ''; - }; - zkLogDir = mkOption { - type = types.path; - default = "${cfg.baseDir}/zkLogs"; - defaultText = literalExpression ''"''${config.${opt.baseDir}}/zkLogs"''; - description = lib.mdDoc '' - The Zookeeper logs directory - ''; - }; - extraConf = mkOption { - type = types.str; - default = ""; - description = lib.mdDoc '' - Extra Exhibitor configuration to put in the ZooKeeper config file. 
- ''; - }; - zkExtraCfg = mkOption { - type = types.str; - default = "initLimit=5&syncLimit=2&tickTime=2000"; - description = lib.mdDoc '' - Extra options to pass into Zookeeper - ''; - }; - zkClientPort = mkOption { - type = types.int; - default = 2181; - description = lib.mdDoc '' - Zookeeper client port - ''; - }; - zkConnectPort = mkOption { - type = types.int; - default = 2888; - description = lib.mdDoc '' - The port to use for followers to talk to each other. - ''; - }; - zkElectionPort = mkOption { - type = types.int; - default = 3888; - description = lib.mdDoc '' - The port for Zookeepers to use for leader election. - ''; - }; - zkCleanupPeriod = mkOption { - type = types.int; - default = 0; - description = lib.mdDoc '' - How often (in milliseconds) to run the Zookeeper log cleanup task. - ''; - }; - zkServersSpec = mkOption { - type = types.listOf types.str; - default = []; - description = lib.mdDoc '' - Zookeeper server spec for all servers in the ensemble. - ''; - example = [ "S:1:zk1.example.com" "S:2:zk2.example.com" "S:3:zk3.example.com" "O:4:zk-observer.example.com" ]; - }; - - # Backup options - s3Backup = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to enable backups to S3 - ''; - }; - fileSystemBackup = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Enables file system backup of ZooKeeper log files - ''; - }; - - # Options for using zookeeper configType - zkConfigConnect = mkOption { - type = types.listOf types.str; - description = lib.mdDoc '' - The initial connection string for ZooKeeper shared config storage - ''; - example = ["host1:2181" "host2:2181"]; - }; - zkConfigExhibitorPath = mkOption { - type = types.str; - description = lib.mdDoc '' - If the ZooKeeper shared config is also running Exhibitor, the URI path for the REST call - ''; - default = "/"; - }; - zkConfigExhibitorPort = mkOption { - type = types.nullOr types.int; - description = lib.mdDoc '' - If the 
ZooKeeper shared config is also running Exhibitor, the port that - Exhibitor is listening on. IMPORTANT: if this value is not set it implies - that Exhibitor is not being used on the ZooKeeper shared config. - ''; - }; - zkConfigPollMs = mkOption { - type = types.int; - description = lib.mdDoc '' - The period in ms to check for changes in the config ensemble - ''; - default = 10000; - }; - zkConfigRetry = { - sleepMs = mkOption { - type = types.int; - default = 1000; - description = lib.mdDoc '' - Retry sleep time connecting to the ZooKeeper config - ''; - }; - retryQuantity = mkOption { - type = types.int; - default = 3; - description = lib.mdDoc '' - Retries connecting to the ZooKeeper config - ''; - }; - }; - zkConfigZPath = mkOption { - type = types.str; - description = lib.mdDoc '' - The base ZPath that Exhibitor should use - ''; - example = "/exhibitor/config"; - }; - - # Config options for s3 configType - s3Config = { - bucketName = mkOption { - type = types.str; - description = lib.mdDoc '' - Bucket name to store config - ''; - }; - objectKey = mkOption { - type = types.str; - description = lib.mdDoc '' - S3 key name to store the config - ''; - }; - configPrefix = mkOption { - type = types.str; - description = lib.mdDoc '' - When using AWS S3 shared config files, the prefix to use for values such as locks - ''; - default = "exhibitor-"; - }; - }; - - # The next two are used for either s3backup or s3 configType - s3Credentials = mkOption { - type = types.nullOr types.path; - description = lib.mdDoc '' - Optional credentials to use for s3backup or s3config. 
Argument is the path - to an AWS credential properties file with two properties: - com.netflix.exhibitor.s3.access-key-id and com.netflix.exhibitor.s3.access-secret-key - ''; - default = null; - }; - s3Region = mkOption { - type = types.nullOr types.str; - description = lib.mdDoc '' - Optional region for S3 calls - ''; - default = null; - }; - - # Config options for file config type - fsConfigDir = mkOption { - type = types.path; - description = lib.mdDoc '' - Directory to store Exhibitor properties (cannot be used with s3config). - Exhibitor uses file system locks so you can specify a shared location - so as to enable complete ensemble management. - ''; - }; - fsConfigLockPrefix = mkOption { - type = types.str; - description = lib.mdDoc '' - A prefix for a locking mechanism used in conjunction with fsconfigdir - ''; - default = "exhibitor-lock-"; - }; - fsConfigName = mkOption { - type = types.str; - description = lib.mdDoc '' - The name of the file to store config in - ''; - default = "exhibitor.properties"; - }; - }; - }; - - config = mkIf cfg.enable { - systemd.services.exhibitor = { - description = "Exhibitor Daemon"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - environment = { - ZOO_LOG_DIR = cfg.baseDir; - }; - serviceConfig = { - /*** - Exhibitor is a bit un-nixy. It wants to present to you a user interface in order to - mutate the configuration of both itself and ZooKeeper, and to coordinate changes - among the members of the Zookeeper ensemble. I'm going for a different approach here, - which is to manage all the configuration via nix and have it write out the configuration - files that exhibitor will use, and to reduce the amount of inter-exhibitor orchestration. 
- ***/ - ExecStart = '' - ${pkgs.exhibitor}/bin/startExhibitor.sh ${cliOptions} - ''; - User = "zookeeper"; - PermissionsStartOnly = true; - }; - # This is a bit wonky, but the reason for this is that Exhibitor tries to write to - # ${cfg.baseDir}/zookeeper/bin/../conf/zoo.cfg - # I want everything but the conf directory to be in the immutable nix store, and I want defaults - # from the nix store - # If I symlink the bin directory in, then bin/../ will resolve to the parent of the symlink in the - # immutable nix store. Bind mounting a writable conf over the existing conf might work, but it gets very - # messy with trying to copy the existing out into a mutable store. - # Another option is to try to patch upstream exhibitor, but the current package just pulls down the - # prebuild JARs off of Maven, rather than building them ourselves, as Maven support in Nix isn't - # very mature. So, it seems like a reasonable compromise is to just copy out of the immutable store - # just before starting the service, so we're running binaries from the immutable store, but we work around - # Exhibitor's desire to mutate its current installation. - preStart = '' - mkdir -m 0700 -p ${cfg.baseDir}/zookeeper - # Not doing a chown -R to keep the base ZK files owned by root - chown zookeeper ${cfg.baseDir} ${cfg.baseDir}/zookeeper - cp -Rf ${pkgs.zookeeper}/* ${cfg.baseDir}/zookeeper - chown -R zookeeper ${cfg.baseDir}/zookeeper/conf - chmod -R u+w ${cfg.baseDir}/zookeeper/conf - replace_what=$(echo ${pkgs.zookeeper} | sed 's/[\/&]/\\&/g') - replace_with=$(echo ${cfg.baseDir}/zookeeper | sed 's/[\/&]/\\&/g') - sed -i 's/'"$replace_what"'/'"$replace_with"'/g' ${cfg.baseDir}/zookeeper/bin/zk*.sh - ''; - }; - users.users.zookeeper = { - uid = config.ids.uids.zookeeper; - description = "Zookeeper daemon user"; - home = cfg.baseDir; - }; - }; -} 
diff --git a/third_party/nixpkgs/nixos/modules/services/misc/gitea.nix b/third_party/nixpkgs/nixos/modules/services/misc/gitea.nix index 0c414c2466..945009f005 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/gitea.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/gitea.nix @@ -467,10 +467,8 @@ in systemd.tmpfiles.rules = [ "d '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.dump.backupDir}' 0750 ${cfg.user} ${cfg.group} - -" - "Z '${cfg.dump.backupDir}' - ${cfg.user} ${cfg.group} - -" "d '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.repositoryRoot}' 0750 ${cfg.user} ${cfg.group} - -" - "Z '${cfg.repositoryRoot}' - ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" "d '${cfg.customDir}' 0750 ${cfg.user} ${cfg.group} - -" @@ -484,7 +482,6 @@ in "z '${cfg.customDir}/conf' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}/data' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -" - "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" # If we have a folder or symlink with gitea locales, remove it # And symlink the current gitea locales in place 
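Review bot: Dropping the recursive `Z` rules on `backupDir`, `repositoryRoot`, `stateDir` and `lfs.contentDir` means files inside those trees that already carry the wrong owner or mode (for example after a restore performed as root) are no longer repaired at boot; only the top-level directory is still normalised by the remaining `z` line. That is a defensible trade, presumably because walking every repository on each boot is expensive on large instances, but nothing in the hunk records the reason and a later maintainer may re-add them. I'd put a one-line comment above the rule list, e.g. `# No recursive (Z) rules: walking repositoryRoot/lfs on every boot is too costly; fix ownership of restored data by hand.` The `systemd.tmpfiles.rules` list continues into the next hunk.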
@@ -493,12 +490,12 @@ in ] ++ lib.optionals cfg.lfs.enable [ "d '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" "z '${cfg.lfs.contentDir}' 0750 ${cfg.user} ${cfg.group} - -" - "Z '${cfg.lfs.contentDir}' - ${cfg.user} ${cfg.group} - -" ]; systemd.services.gitea = { description = "gitea"; - after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service"; + after = [ "network.target" ] ++ optional usePostgresql "postgresql.service" ++ optional useMysql "mysql.service"; + requires = optional (cfg.database.createDatabase && usePostgresql) "postgresql.service" ++ optional (cfg.database.createDatabase && useMysql) "mysql.service"; wantedBy = [ "multi-user.target" ]; path = [ cfg.package pkgs.git pkgs.gnupg ]; @@ -586,7 +583,10 @@ in Restart = "always"; # Runtime directory and mode RuntimeDirectory = "gitea"; - RuntimeDirectoryMode = "0755"; + RuntimeDirectoryMode = "0750"; + # Proc filesystem + ProcSubset = "pid"; + ProtectProc = "invisible"; # Access write directories ReadWritePaths = [ cfg.customDir cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ]; UMask = "0027"; @@ -606,15 +606,17 @@ in ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; - RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; LockPersonality = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; RestrictSUIDSGID = true; + RemoveIPC = true; PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; + SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" "setrlimit" ]; }; environment = { 
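Review bot: `RuntimeDirectoryMode = "0750"` makes `/run/gitea` non-traversable for everyone outside `cfg.group`; if anything else on the host reaches into it (a reverse proxy talking to a unix socket there, for instance — I cannot see from this hunk whether the module places one there), it now needs group membership and nothing in the change says so. `ProcSubset = "pid"` likewise hides `/proc/sys` and the other non-PID entries from gitea and the git/gpg helpers it spawns; they presumably do not need them, but that deserves a sentence in the release notes. I'd add above the mode line: `# /run/gitea is no longer world-traversable; consumers of a unix socket here must be in ${cfg.group}`.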
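Review bot: The second `SystemCallFilter` entry `"setrlimit"` is an allow entry following a deny list, so it only does anything if `setrlimit` is in one of the denied groups; the hunk does not say which, and a reader who believes it belongs to `@resources` (not denied here) will delete it as a no-op. A comment such as `# setrlimit: needed by <caller>; otherwise caught by @privileged — confirm against systemd's syscall groups` would settle that. Replacing `@clock @module @raw-io @reboot @swap` with `@privileged` is, as far as I recall systemd's groupings, a superset and therefore not a weakening, but that is also worth stating in the commit message so nobody reads the shorter list as a relaxation.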
diff --git a/third_party/nixpkgs/nixos/modules/services/misc/gitlab.nix b/third_party/nixpkgs/nixos/modules/services/misc/gitlab.nix index 12c67c5f5a..a497fbb300 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/gitlab.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/gitlab.nix @@ -9,12 +9,10 @@ let toml = pkgs.formats.toml {}; yaml = pkgs.formats.yaml {}; - ruby = cfg.packages.gitlab.ruby; - postgresqlPackage = if config.services.postgresql.enable then config.services.postgresql.package else - pkgs.postgresql_12; + pkgs.postgresql_13; gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket"; gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket"; @@ -47,9 +45,6 @@ let [git] bin_path = "${pkgs.git}/bin/git" - [gitaly-ruby] - dir = "${cfg.packages.gitaly.ruby}" - [gitlab-shell] dir = "${cfg.packages.gitlab-shell}" @@ -89,6 +84,9 @@ let }; }; + # Redis configuration file + resqueYml = pkgs.writeText "resque.yml" (builtins.toJSON redisConfig); + gitlabConfig = { # These are the default settings from config/gitlab.example.yml production = flip recursiveUpdate cfg.extraConfig { @@ -154,6 +152,7 @@ let api_url = "http://${config.services.dockerRegistry.listenAddress}:${toString config.services.dockerRegistry.port}/"; issuer = cfg.registry.issuer; }; + elasticsearch.indexer_path = "${pkgs.gitlab-elasticsearch-indexer}/bin/gitlab-elasticsearch-indexer"; extra = {}; uploads.storage_path = cfg.statePath; pages = optionalAttrs cfg.pages.enable { @@ -172,7 +171,6 @@ let SCHEMA = "${cfg.statePath}/db/structure.sql"; GITLAB_UPLOADS_PATH = "${cfg.statePath}/uploads"; GITLAB_LOG_PATH = "${cfg.statePath}/log"; - GITLAB_REDIS_CONFIG_FILE = pkgs.writeText "redis.yml" (builtins.toJSON redisConfig); prometheus_multiproc_dir = "/run/gitlab"; RAILS_ENV = "production"; MALLOC_ARENA_MAX = "2"; 
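Review bot: `resqueYml` is produced with `pkgs.writeText`, so the rendered Redis configuration lands in the world-readable Nix store (the removed `GITLAB_REDIS_CONFIG_FILE` had the same property, so this is not a regression, but the move is the moment to address it). `redisConfig` is defined above this hunk; if it can carry anything beyond a local socket path — a `redis://user:password@host` URL via `extraConfig`, or a sentinel password — those credentials become readable by every local user. If that is possible, render the file in `preStart` under `${cfg.statePath}/config` with mode 0600 instead; otherwise at least mark the constraint at the definition: `# rendered into /nix/store — keep credentials out of redisConfig`.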
@@ -556,6 +554,20 @@ in { default = false; description = lib.mdDoc "Enable GitLab container registry."; }; + package = mkOption { + type = types.package; + default = + if versionAtLeast config.system.stateVersion "23.11" + then pkgs.gitlab-container-registry + else pkgs.docker-distribution; + defaultText = literalExpression "pkgs.docker-distribution"; + description = lib.mdDoc '' + Container registry package to use. + + External container registries such as `pkgs.docker-distribution` are not supported + anymore since GitLab 16.0.0. + ''; + }; host = mkOption { type = types.str; default = config.services.gitlab.host; @@ -1070,6 +1082,13 @@ in { }; config = mkIf cfg.enable { + warnings = [ + (mkIf + (cfg.registry.enable && versionAtLeast (getVersion cfg.packages.gitlab) "16.0.0" && cfg.registry.package == pkgs.docker-distribution) + ''Support for container registries other than gitlab-container-registry has ended since GitLab 16.0.0 and is scheduled for removal in a future release. + Please back up your data and migrate to the gitlab-container-registry package.'' + ) + ]; assertions = [ { @@ -1101,8 +1120,8 @@ in { message = "services.gitlab.secrets.jwsFile must be set!"; } { - assertion = versionAtLeast postgresqlPackage.version "12.0.0"; - message = "PostgreSQL >=12 is required to run GitLab 14. Follow the instructions in the manual section for upgrading PostgreSQL here: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading"; + assertion = versionAtLeast postgresqlPackage.version "13.6.0"; + message = "PostgreSQL >=13.6 is required to run GitLab 16. Follow the instructions in the manual section for upgrading PostgreSQL here: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading"; } ]; 
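Review bot: `defaultText` for `services.gitlab.registry.package` claims `pkgs.docker-distribution`, but the default is `pkgs.gitlab-container-registry` whenever `system.stateVersion` is 23.11 or newer, so the generated manual misdescribes the default for every fresh installation. Show the condition instead: `defaultText = literalExpression ''if versionAtLeast config.system.stateVersion "23.11" then pkgs.gitlab-container-registry else pkgs.docker-distribution'';`. The description's "not supported anymore since GitLab 16.0.0" would also read better with a pointer to the `warnings` entry that fires in that case.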
@@ -1213,6 +1232,7 @@ in { services.dockerRegistry = optionalAttrs cfg.registry.enable { enable = true; enableDelete = true; # This must be true, otherwise GitLab won't manage it correctly + package = cfg.registry.package; extraConfig = { auth.token = { realm = "http${optionalString (cfg.https == true) "s"}://${cfg.host}/jwt/auth"; @@ -1262,6 +1282,7 @@ in { "d ${gitlabConfig.production.shared.path}/pages 0750 ${cfg.user} ${cfg.group} -" "d ${gitlabConfig.production.shared.path}/registry 0750 ${cfg.user} ${cfg.group} -" "d ${gitlabConfig.production.shared.path}/terraform_state 0750 ${cfg.user} ${cfg.group} -" + "d ${gitlabConfig.production.shared.path}/ci_secure_files 0750 ${cfg.user} ${cfg.group} -" "L+ /run/gitlab/config - - - - ${cfg.statePath}/config" "L+ /run/gitlab/log - - - - ${cfg.statePath}/log" "L+ /run/gitlab/tmp - - - - ${cfg.statePath}/tmp" @@ -1315,6 +1336,7 @@ in { cp -rf --no-preserve=mode ${cfg.packages.gitlab}/share/gitlab/db/* ${cfg.statePath}/db ln -sf ${extraGitlabRb} ${cfg.statePath}/config/initializers/extra-gitlab.rb ln -sf ${cableYml} ${cfg.statePath}/config/cable.yml + ln -sf ${resqueYml} ${cfg.statePath}/config/resque.yml ${cfg.packages.gitlab-shell}/bin/install @@ -1462,10 +1484,7 @@ in { partOf = [ "gitlab.target" ]; path = with pkgs; [ openssh - procps # See https://gitlab.com/gitlab-org/gitaly/issues/1562 git - cfg.packages.gitaly.rubyEnv - cfg.packages.gitaly.rubyEnv.wrappedRuby gzip bzip2 ]; @@ -1626,6 +1645,7 @@ in { nodejs procps gnupg + gzip ]; serviceConfig = { Type = "notify"; @@ -1665,5 +1685,5 @@ in { }; meta.doc = ./gitlab.md; - + meta.maintainers = teams.gitlab.members; } diff --git a/third_party/nixpkgs/nixos/modules/services/misc/gollum.nix b/third_party/nixpkgs/nixos/modules/services/misc/gollum.nix index 4eec9610b5..d607e92e5e 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/gollum.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/gollum.nix 
@@ -91,18 +91,30 @@ in The package used in the service ''; }; + + user = mkOption { + type = types.str; + default = "gollum"; + description = lib.mdDoc "Specifies the owner of the wiki directory"; + }; + + group = mkOption { + type = types.str; + default = "gollum"; + description = lib.mdDoc "Specifies the owner group of the wiki directory"; + }; }; config = mkIf cfg.enable { - users.users.gollum = { - group = config.users.users.gollum.name; + users.users.gollum = mkIf (cfg.user == "gollum") { + group = cfg.group; description = "Gollum user"; createHome = false; isSystemUser = true; }; - users.groups.gollum = { }; + users.groups."${cfg.group}" = { }; systemd.tmpfiles.rules = [ "d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -" @@ -120,8 +132,8 @@ in ''; serviceConfig = { - User = config.users.users.gollum.name; - Group = config.users.groups.gollum.name; + User = cfg.user; + Group = cfg.group; WorkingDirectory = cfg.stateDir; ExecStart = '' ${cfg.package}/bin/gollum \ @@ -142,5 +154,5 @@ in }; }; - meta.maintainers = with lib.maintainers; [ erictapen bbenno ]; + meta.maintainers = with lib.maintainers; [ erictapen bbenno joscha ]; } diff --git a/third_party/nixpkgs/nixos/modules/services/misc/heisenbridge.nix b/third_party/nixpkgs/nixos/modules/services/misc/heisenbridge.nix index d07e0e4204..822a09d7cd 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/heisenbridge.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/heisenbridge.nix @@ -137,7 +137,7 @@ in mv -f ${registrationFile}.new ${registrationFile} # Grant Synapse access to the registration - if ${getBin pkgs.glibc}/bin/getent group matrix-synapse > /dev/null; then + if ${pkgs.getent}/bin/getent group matrix-synapse > /dev/null; then chgrp -v matrix-synapse ${registrationFile} chmod -v g+r ${registrationFile} fi 
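Review bot: The tmpfiles rule kept as context in this hunk still derives ownership from `config.users.users.gollum.name` and `config.users.groups.gollum.name`, but `users.users.gollum` is now only defined when `cfg.user == "gollum"`, so any configuration that sets `services.gollum.user` to something else fails evaluation with a missing-attribute error — and if it evaluated, the state directory would be owned by a user the service no longer runs as. The rule should read the options directly: `"d '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -"`. For symmetry, `users.groups."${cfg.group}"` should probably also be guarded with `mkIf (cfg.group == "gollum")` so that pointing `group` at an existing system group does not add a second definition of it.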
diff --git a/third_party/nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix b/third_party/nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix
new file mode 100644
index 0000000000..e685712534
--- /dev/null
+++ b/third_party/nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix
@@ -0,0 +1,55 @@
+{ config
+, pkgs
+, lib
+, ...
+}:
+
+let
+ cfg = config.services.homepage-dashboard;
+in
+{
+ options = {
+ services.homepage-dashboard = {
+ enable = lib.mkEnableOption (lib.mdDoc "Homepage Dashboard");
+
+ package = lib.mkPackageOptionMD pkgs "homepage-dashboard" { };
+
+ openFirewall = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = lib.mdDoc "Open ports in the firewall for Homepage.";
+ };
+
+ listenPort = lib.mkOption {
+ type = lib.types.int;
+ default = 8082;
+ description = lib.mdDoc "Port for Homepage to bind to.";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.homepage-dashboard = {
+ description = "Homepage Dashboard";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ environment = {
+ HOMEPAGE_CONFIG_DIR = "/var/lib/homepage-dashboard";
+ PORT = "${toString cfg.listenPort}";
+ };
+
+ serviceConfig = {
+ Type = "simple";
+ DynamicUser = true;
+ StateDirectory = "homepage-dashboard";
+ ExecStart = "${lib.getExe cfg.package}";
+ Restart = "on-failure";
+ };
+ };
+
+ networking.firewall = lib.mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.listenPort ];
+ };
+ };
+}
diff --git a/third_party/nixpkgs/nixos/modules/services/misc/klipper.nix b/third_party/nixpkgs/nixos/modules/services/misc/klipper.nix
index ad881d4462..67a217c994 100644
--- a/third_party/nixpkgs/nixos/modules/services/misc/klipper.nix
+++ b/third_party/nixpkgs/nixos/modules/services/misc/klipper.nix
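Review bot: `listenPort` is typed `lib.types.int`, so a negative or out-of-range value passes evaluation and only fails when the service starts, after `allowedTCPPorts` has already received it; `type = lib.types.port;` gives the 0–65535 check for free. The `PORT = "${toString cfg.listenPort}"` wrapper is redundant, `toString cfg.listenPort` is already a string. Nothing in the module constrains the bind address, and as far as I know Homepage ships no authentication of its own while its config under `/var/lib/homepage-dashboard` typically holds API tokens for its widgets, so `openFirewall = true` exposes those integrations to the network unauthenticated; the `openFirewall` description should say so, e.g. `Open the port only behind an authenticating reverse proxy; Homepage itself does not authenticate users.`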
@@ -111,8 +111,11 @@ in (submodule { options = { enable = mkEnableOption (lib.mdDoc '' - building of firmware and addition of klipper-flash tools for manual flashing. - This will add `klipper-flash-$mcu` scripts to your environment which can be called to flash the firmware. + building of firmware for manual flashing. + ''); + enableKlipperFlash = mkEnableOption (lib.mdDoc '' + flashings scripts for firmware. This will add `klipper-flash-$mcu` scripts to your environment which can be called to flash the firmware. + Please check the configs at [klipper](https://github.com/Klipper3d/klipper/tree/master/config) whether your board supports flashing via `make flash`. ''); serial = mkOption { type = types.nullOr path; @@ -213,11 +216,14 @@ in with pkgs; let default = a: b: if a != null then a else b; - firmwares = filterAttrs (n: v: v!= null) (mapAttrs - (mcu: { enable, configFile, serial }: if enable then pkgs.klipper-firmware.override { - mcu = lib.strings.sanitizeDerivationName mcu; - firmwareConfig = configFile; - } else null) + firmwares = filterAttrs (n: v: v != null) (mapAttrs + (mcu: { enable, enableKlipperFlash, configFile, serial }: + if enable then + pkgs.klipper-firmware.override + { + mcu = lib.strings.sanitizeDerivationName mcu; + firmwareConfig = configFile; + } else null) cfg.firmwares); firmwareFlasher = mapAttrsToList (mcu: firmware: pkgs.klipper-flash.override { @@ -226,7 +232,7 @@ in flashDevice = default cfg.firmwares."${mcu}".serial cfg.settings."${mcu}".serial; firmwareConfig = cfg.firmwares."${mcu}".configFile; }) - firmwares; + (filterAttrs (mcu: firmware: cfg.firmwares."${mcu}".enableKlipperFlash) firmwares); in [ klipper-genconf ] ++ firmwareFlasher ++ attrValues firmwares; }; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/n8n.nix b/third_party/nixpkgs/nixos/modules/services/misc/n8n.nix index cdfe9dc848..2af37fba91 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/n8n.nix 
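Review bot: The generated option text for `enableKlipperFlash` reads "Whether to enable flashings scripts for firmware." — the noun is misspelled; `flashing scripts for the firmware.` A user who sets `enableKlipperFlash = true` while leaving `enable = false` silently gets no flasher, because the later hunk first drops the firmware (`if enable then … else null`) and only then filters `firmwareFlasher` by `enableKlipperFlash`; either an assertion or one sentence in the description, `Has no effect unless `enable` is also set.`, would avoid the surprise. The submodule's option set continues past the hunk.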
+++ b/third_party/nixpkgs/nixos/modules/services/misc/n8n.nix @@ -26,6 +26,15 @@ in ''; }; + webhookUrl = mkOption { + type = types.str; + default = ""; + description = lib.mdDoc '' + WEBHOOK_URL for n8n, in case we're running behind a reverse proxy. + This cannot be set through configuration and must reside in an environment variable. + ''; + }; + }; config = mkIf cfg.enable { @@ -44,6 +53,7 @@ in N8N_USER_FOLDER = "/var/lib/n8n"; HOME = "/var/lib/n8n"; N8N_CONFIG_FILES = "${configFile}"; + WEBHOOK_URL = "${cfg.webhookUrl}"; # Don't phone home N8N_DIAGNOSTICS_ENABLED = "false"; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/nitter.nix b/third_party/nixpkgs/nixos/modules/services/misc/nitter.nix index d00efe3dd4..77f5459d11 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/nitter.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/nitter.nix @@ -165,14 +165,14 @@ in enableDebug = mkEnableOption (lib.mdDoc "request logs and debug endpoints"); proxy = mkOption { - type = types.nullOr types.str; - default = null; + type = types.str; + default = ""; description = lib.mdDoc "URL to a HTTP/HTTPS proxy."; }; proxyAuth = mkOption { - type = types.nullOr types.str; - default = null; + type = types.str; + default = ""; description = lib.mdDoc "Credentials for proxy."; }; @@ -334,7 +334,8 @@ in systemd.services.nitter = { description = "Nitter (An alternative Twitter front-end)"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; serviceConfig = { DynamicUser = true; StateDirectory = "nitter"; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/nix-daemon.nix b/third_party/nixpkgs/nixos/modules/services/misc/nix-daemon.nix deleted file mode 100644 index f37d197f16..0000000000 --- a/third_party/nixpkgs/nixos/modules/services/misc/nix-daemon.nix +++ /dev/null 
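Review bot: `webhookUrl` defaults to `""` and is exported unconditionally, so every existing deployment now sees `WEBHOOK_URL` set to an empty string rather than absent; if n8n treats an empty value differently from an unset one (presumably it falls back to the editor URL, but that is not visible here) this silently changes webhook URLs for users who never set the option. Safer is `type = types.nullOr types.str; default = null;` and `// optionalAttrs (cfg.webhookUrl != null) { WEBHOOK_URL = cfg.webhookUrl; }` on the environment set. The `"${cfg.webhookUrl}"` interpolation is also redundant since the option is already a string. The `environment` attribute set continues past the hunk.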
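Review bot: `proxyAuth` is documented only as "Credentials for proxy" and now defaults to `""` rather than `null`; since the option feeds a rendered configuration file, and NixOS modules usually write such files into the world-readable store, the description should say where the value ends up and point users at a file-based alternative if the module offers one. I cannot see from this hunk how nitter's config is written, so treat that as something to confirm; at minimum `description = lib.mdDoc "Credentials for proxy. Note: this value is rendered into the world-readable Nix store.";`. The `wants`/`after = [ "network-online.target" ]` pairing in the second hunk is the correct form and needs no change.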
@@ -1,837 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.nix; - - nixPackage = cfg.package.out; - - isNixAtLeast = versionAtLeast (getVersion nixPackage); - - makeNixBuildUser = nr: { - name = "nixbld${toString nr}"; - value = { - description = "Nix build user ${toString nr}"; - - /* - For consistency with the setgid(2), setuid(2), and setgroups(2) - calls in `libstore/build.cc', don't add any supplementary group - here except "nixbld". - */ - uid = builtins.add config.ids.uids.nixbld nr; - isSystemUser = true; - group = "nixbld"; - extraGroups = [ "nixbld" ]; - }; - }; - - nixbldUsers = listToAttrs (map makeNixBuildUser (range 1 cfg.nrBuildUsers)); - - nixConf = - assert isNixAtLeast "2.2"; - let - - mkValueString = v: - if v == null then "" - else if isInt v then toString v - else if isBool v then boolToString v - else if isFloat v then floatToString v - else if isList v then toString v - else if isDerivation v then toString v - else if builtins.isPath v then toString v - else if isString v then v - else if strings.isConvertibleWithToString v then toString v - else abort "The nix conf value: ${toPretty {} v} can not be encoded"; - - mkKeyValue = k: v: "${escape [ "=" ] k} = ${mkValueString v}"; - - mkKeyValuePairs = attrs: concatStringsSep "\n" (mapAttrsToList mkKeyValue attrs); - - in - pkgs.writeTextFile { - name = "nix.conf"; - text = '' - # WARNING: this file is generated from the nix.* options in - # your NixOS configuration, typically - # /etc/nixos/configuration.nix. Do not edit it! 
- ${mkKeyValuePairs cfg.settings} - ${cfg.extraOptions} - ''; - checkPhase = lib.optionalString cfg.checkConfig ( - if pkgs.stdenv.hostPlatform != pkgs.stdenv.buildPlatform then '' - echo "Ignoring validation for cross-compilation" - '' - else '' - echo "Validating generated nix.conf" - ln -s $out ./nix.conf - set -e - set +o pipefail - NIX_CONF_DIR=$PWD \ - ${cfg.package}/bin/nix show-config ${optionalString (isNixAtLeast "2.3pre") "--no-net"} \ - ${optionalString (isNixAtLeast "2.4pre") "--option experimental-features nix-command"} \ - |& sed -e 's/^warning:/error:/' \ - | (! grep '${if cfg.checkAllErrors then "^error:" else "^error: unknown setting"}') - set -o pipefail - ''); - }; - - legacyConfMappings = { - useSandbox = "sandbox"; - buildCores = "cores"; - maxJobs = "max-jobs"; - sandboxPaths = "extra-sandbox-paths"; - binaryCaches = "substituters"; - trustedBinaryCaches = "trusted-substituters"; - binaryCachePublicKeys = "trusted-public-keys"; - autoOptimiseStore = "auto-optimise-store"; - requireSignedBinaryCaches = "require-sigs"; - trustedUsers = "trusted-users"; - allowedUsers = "allowed-users"; - systemFeatures = "system-features"; - }; - - semanticConfType = with types; - let - confAtom = nullOr - (oneOf [ - bool - int - float - str - path - package - ]) // { - description = "Nix config atom (null, bool, int, float, str, path or package)"; - }; - in - attrsOf (either confAtom (listOf confAtom)); - -in - -{ - imports = [ - (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "useChroot" ]; to = [ "nix" "useSandbox" ]; }) - (mkRenamedOptionModuleWith { sinceRelease = 2003; from = [ "nix" "chrootDirs" ]; to = [ "nix" "sandboxPaths" ]; }) - (mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" "daemonIONiceLevel" ]; to = [ "nix" "daemonIOSchedPriority" ]; }) - (mkRenamedOptionModuleWith { sinceRelease = 2211; from = [ "nix" "readOnlyStore" ]; to = [ "boot" "readOnlyNixStore" ]; }) - (mkRemovedOptionModule [ "nix" "daemonNiceLevel" ] 
"Consider nix.daemonCPUSchedPolicy instead.") - ] ++ mapAttrsToList (oldConf: newConf: mkRenamedOptionModuleWith { sinceRelease = 2205; from = [ "nix" oldConf ]; to = [ "nix" "settings" newConf ]; }) legacyConfMappings; - - ###### interface - - options = { - - nix = { - - enable = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - Whether to enable Nix. - Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available by NixOS itself. - ''; - }; - - package = mkOption { - type = types.package; - default = pkgs.nix; - defaultText = literalExpression "pkgs.nix"; - description = lib.mdDoc '' - This option specifies the Nix package instance to use throughout the system. - ''; - }; - - distributedBuilds = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to distribute builds to the machines listed in - {option}`nix.buildMachines`. - ''; - }; - - daemonCPUSchedPolicy = mkOption { - type = types.enum [ "other" "batch" "idle" ]; - default = "other"; - example = "batch"; - description = lib.mdDoc '' - Nix daemon process CPU scheduling policy. This policy propagates to - build processes. `other` is the default scheduling - policy for regular tasks. The `batch` policy is - similar to `other`, but optimised for - non-interactive tasks. `idle` is for extremely - low-priority tasks that should only be run when no other task - requires CPU time. - - Please note that while using the `idle` policy may - greatly improve responsiveness of a system performing expensive - builds, it may also slow down and potentially starve crucial - configuration updates during load. - - `idle` may therefore be a sensible policy for - systems that experience only intermittent phases of high CPU load, - such as desktop or portable computers used interactively. Other - systems should use the `other` or - `batch` policy instead. 
- - For more fine-grained resource control, please refer to - {manpage}`systemd.resource-control(5)` and adjust - {option}`systemd.services.nix-daemon` directly. - ''; - }; - - daemonIOSchedClass = mkOption { - type = types.enum [ "best-effort" "idle" ]; - default = "best-effort"; - example = "idle"; - description = lib.mdDoc '' - Nix daemon process I/O scheduling class. This class propagates to - build processes. `best-effort` is the default - class for regular tasks. The `idle` class is for - extremely low-priority tasks that should only perform I/O when no - other task does. - - Please note that while using the `idle` scheduling - class can improve responsiveness of a system performing expensive - builds, it might also slow down or starve crucial configuration - updates during load. - - `idle` may therefore be a sensible class for - systems that experience only intermittent phases of high I/O load, - such as desktop or portable computers used interactively. Other - systems should use the `best-effort` class. - ''; - }; - - daemonIOSchedPriority = mkOption { - type = types.int; - default = 4; - example = 1; - description = lib.mdDoc '' - Nix daemon process I/O scheduling priority. This priority propagates - to build processes. The supported priorities depend on the - scheduling policy: With idle, priorities are not used in scheduling - decisions. best-effort supports values in the range 0 (high) to 7 - (low). - ''; - }; - - buildMachines = mkOption { - type = types.listOf (types.submodule { - options = { - hostName = mkOption { - type = types.str; - example = "nixbuilder.example.org"; - description = lib.mdDoc '' - The hostname of the build machine. - ''; - }; - protocol = mkOption { - type = types.enum [ null "ssh" "ssh-ng" ]; - default = "ssh"; - example = "ssh-ng"; - description = lib.mdDoc '' - The protocol used for communicating with the build machine. - Use `ssh-ng` if your remote builder and your - local Nix version support that improved protocol. 
- - Use `null` when trying to change the special localhost builder - without a protocol which is for example used by hydra. - ''; - }; - system = mkOption { - type = types.nullOr types.str; - default = null; - example = "x86_64-linux"; - description = lib.mdDoc '' - The system type the build machine can execute derivations on. - Either this attribute or {var}`systems` must be - present, where {var}`system` takes precedence if - both are set. - ''; - }; - systems = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "x86_64-linux" "aarch64-linux" ]; - description = lib.mdDoc '' - The system types the build machine can execute derivations on. - Either this attribute or {var}`system` must be - present, where {var}`system` takes precedence if - both are set. - ''; - }; - sshUser = mkOption { - type = types.nullOr types.str; - default = null; - example = "builder"; - description = lib.mdDoc '' - The username to log in as on the remote host. This user must be - able to log in and run nix commands non-interactively. It must - also be privileged to build derivations, so must be included in - {option}`nix.settings.trusted-users`. - ''; - }; - sshKey = mkOption { - type = types.nullOr types.str; - default = null; - example = "/root/.ssh/id_buildhost_builduser"; - description = lib.mdDoc '' - The path to the SSH private key with which to authenticate on - the build machine. The private key must not have a passphrase. - If null, the building user (root on NixOS machines) must have an - appropriate ssh configuration to log in non-interactively. - - Note that for security reasons, this path must point to a file - in the local filesystem, *not* to the nix store. - ''; - }; - maxJobs = mkOption { - type = types.int; - default = 1; - description = lib.mdDoc '' - The number of concurrent jobs the build machine supports. 
The - build machine will enforce its own limits, but this allows hydra - to schedule better since there is no work-stealing between build - machines. - ''; - }; - speedFactor = mkOption { - type = types.int; - default = 1; - description = lib.mdDoc '' - The relative speed of this builder. This is an arbitrary integer - that indicates the speed of this builder, relative to other - builders. Higher is faster. - ''; - }; - mandatoryFeatures = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "big-parallel" ]; - description = lib.mdDoc '' - A list of features mandatory for this builder. The builder will - be ignored for derivations that don't require all features in - this list. All mandatory features are automatically included in - {var}`supportedFeatures`. - ''; - }; - supportedFeatures = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "kvm" "big-parallel" ]; - description = lib.mdDoc '' - A list of features supported by this builder. The builder will - be ignored for derivations that require features not in this - list. - ''; - }; - publicHostKey = mkOption { - type = types.nullOr types.str; - default = null; - description = lib.mdDoc '' - The (base64-encoded) public host key of this builder. The field - is calculated via {command}`base64 -w0 /etc/ssh/ssh_host_type_key.pub`. - If null, SSH will use its regular known-hosts file when connecting. - ''; - }; - }; - }); - default = [ ]; - description = lib.mdDoc '' - This option lists the machines to be used if distributed builds are - enabled (see {option}`nix.distributedBuilds`). - Nix will perform derivations on those machines via SSH by copying the - inputs to the Nix store on the remote machine, starting the build, - then copying the output back to the local Nix store. - ''; - }; - - # Environment variables for running Nix. 
- envVars = mkOption { - type = types.attrs; - internal = true; - default = { }; - description = lib.mdDoc "Environment variables used by Nix."; - }; - - nrBuildUsers = mkOption { - type = types.int; - description = lib.mdDoc '' - Number of `nixbld` user accounts created to - perform secure concurrent builds. If you receive an error - message saying that “all build users are currently in use”, - you should increase this value. - ''; - }; - - nixPath = mkOption { - type = types.listOf types.str; - default = [ - "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" - "nixos-config=/etc/nixos/configuration.nix" - "/nix/var/nix/profiles/per-user/root/channels" - ]; - description = lib.mdDoc '' - The default Nix expression search path, used by the Nix - evaluator to look up paths enclosed in angle brackets - (e.g. ``). - ''; - }; - - checkConfig = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - If enabled, checks that Nix can parse the generated nix.conf. - ''; - }; - - checkAllErrors = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings. - ''; - }; - - registry = mkOption { - type = types.attrsOf (types.submodule ( - let - referenceAttrs = with types; attrsOf (oneOf [ - str - int - bool - path - package - ]); - in - { config, name, ... 
}: - { - options = { - from = mkOption { - type = referenceAttrs; - example = { type = "indirect"; id = "nixpkgs"; }; - description = lib.mdDoc "The flake reference to be rewritten."; - }; - to = mkOption { - type = referenceAttrs; - example = { type = "github"; owner = "my-org"; repo = "my-nixpkgs"; }; - description = lib.mdDoc "The flake reference {option}`from` is rewritten to."; - }; - flake = mkOption { - type = types.nullOr types.attrs; - default = null; - example = literalExpression "nixpkgs"; - description = lib.mdDoc '' - The flake input {option}`from` is rewritten to. - ''; - }; - exact = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - Whether the {option}`from` reference needs to match exactly. If set, - a {option}`from` reference like `nixpkgs` does not - match with a reference like `nixpkgs/nixos-20.03`. - ''; - }; - }; - config = { - from = mkDefault { type = "indirect"; id = name; }; - to = mkIf (config.flake != null) (mkDefault ( - { - type = "path"; - path = config.flake.outPath; - } // filterAttrs - (n: _: n == "lastModified" || n == "rev" || n == "revCount" || n == "narHash") - config.flake - )); - }; - } - )); - default = { }; - description = lib.mdDoc '' - A system-wide flake registry. - ''; - }; - - extraOptions = mkOption { - type = types.lines; - default = ""; - example = '' - keep-outputs = true - keep-derivations = true - ''; - description = lib.mdDoc "Additional text appended to {file}`nix.conf`."; - }; - - settings = mkOption { - type = types.submodule { - freeformType = semanticConfType; - - options = { - max-jobs = mkOption { - type = types.either types.int (types.enum [ "auto" ]); - default = "auto"; - example = 64; - description = lib.mdDoc '' - This option defines the maximum number of jobs that Nix will try to - build in parallel. The default is auto, which means it will use all - available logical cores. 
It is recommend to set it to the total - number of logical cores in your system (e.g., 16 for two CPUs with 4 - cores each and hyper-threading). - ''; - }; - - auto-optimise-store = mkOption { - type = types.bool; - default = false; - example = true; - description = lib.mdDoc '' - If set to true, Nix automatically detects files in the store that have - identical contents, and replaces them with hard links to a single copy. - This saves disk space. If set to false (the default), you can still run - nix-store --optimise to get rid of duplicate files. - ''; - }; - - cores = mkOption { - type = types.int; - default = 0; - example = 64; - description = lib.mdDoc '' - This option defines the maximum number of concurrent tasks during - one build. It affects, e.g., -j option for make. - The special value 0 means that the builder should use all - available CPU cores in the system. Some builds may become - non-deterministic with this option; use with care! Packages will - only be affected if enableParallelBuilding is set for them. - ''; - }; - - sandbox = mkOption { - type = types.either types.bool (types.enum [ "relaxed" ]); - default = true; - description = lib.mdDoc '' - If set, Nix will perform builds in a sandboxed environment that it - will set up automatically for each build. This prevents impurities - in builds by disallowing access to dependencies outside of the Nix - store by using network and mount namespaces in a chroot environment. - This is enabled by default even though it has a possible performance - impact due to the initial setup time of a sandbox for each build. It - doesn't affect derivation hashes, so changing this option will not - trigger a rebuild of packages. - ''; - }; - - extra-sandbox-paths = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "/dev" "/proc" ]; - description = lib.mdDoc '' - Directories from the host filesystem to be included - in the sandbox. 
- ''; - }; - - substituters = mkOption { - type = types.listOf types.str; - description = lib.mdDoc '' - List of binary cache URLs used to obtain pre-built binaries - of Nix packages. - - By default https://cache.nixos.org/ is added. - ''; - }; - - trusted-substituters = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "https://hydra.nixos.org/" ]; - description = lib.mdDoc '' - List of binary cache URLs that non-root users can use (in - addition to those specified using - {option}`nix.settings.substituters`) by passing - `--option binary-caches` to Nix commands. - ''; - }; - - require-sigs = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - If enabled (the default), Nix will only download binaries from binary caches if - they are cryptographically signed with any of the keys listed in - {option}`nix.settings.trusted-public-keys`. If disabled, signatures are neither - required nor checked, so it's strongly recommended that you use only - trustworthy caches and https to prevent man-in-the-middle attacks. - ''; - }; - - trusted-public-keys = mkOption { - type = types.listOf types.str; - example = [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]; - description = lib.mdDoc '' - List of public keys used to sign binary caches. If - {option}`nix.settings.trusted-public-keys` is enabled, - then Nix will use a binary from a binary cache if and only - if it is signed by *any* of the keys - listed here. By default, only the key for - `cache.nixos.org` is included. - ''; - }; - - trusted-users = mkOption { - type = types.listOf types.str; - default = [ "root" ]; - example = [ "root" "alice" "@wheel" ]; - description = lib.mdDoc '' - A list of names of users that have additional rights when - connecting to the Nix daemon, such as the ability to specify - additional binary caches, or to import unsigned NARs. 
You - can also specify groups by prefixing them with - `@`; for instance, - `@wheel` means all users in the wheel - group. - ''; - }; - - system-features = mkOption { - type = types.listOf types.str; - example = [ "kvm" "big-parallel" "gccarch-skylake" ]; - description = lib.mdDoc '' - The set of features supported by the machine. Derivations - can express dependencies on system features through the - `requiredSystemFeatures` attribute. - - By default, pseudo-features `nixos-test`, `benchmark`, - and `big-parallel` used in Nixpkgs are set, `kvm` - is also included if it is available. - ''; - }; - - allowed-users = mkOption { - type = types.listOf types.str; - default = [ "*" ]; - example = [ "@wheel" "@builders" "alice" "bob" ]; - description = lib.mdDoc '' - A list of names of users (separated by whitespace) that are - allowed to connect to the Nix daemon. As with - {option}`nix.settings.trusted-users`, you can specify groups by - prefixing them with `@`. Also, you can - allow all users by specifying `*`. The - default is `*`. Note that trusted users are - always allowed to connect. - ''; - }; - }; - }; - default = { }; - example = literalExpression '' - { - use-sandbox = true; - show-trace = true; - - system-features = [ "big-parallel" "kvm" "recursive-nix" ]; - sandbox-paths = { "/bin/sh" = "''${pkgs.busybox-sandbox-shell.out}/bin/busybox"; }; - } - ''; - description = lib.mdDoc '' - Configuration for Nix, see - or - {manpage}`nix.conf(5)` for available options. - The value declared here will be translated directly to the key-value pairs Nix expects. - - You can use {command}`nix-instantiate --eval --strict '' -A config.nix.settings` - to view the current value. By default it is empty. - - Nix configurations defined under {option}`nix.*` will be translated and applied to this - option. In addition, configuration specified in {option}`nix.extraOptions` which will be appended - verbatim to the resulting config file. 
- ''; - }; - }; - }; - - - ###### implementation - - config = mkIf cfg.enable { - environment.systemPackages = - [ - nixPackage - pkgs.nix-info - ] - ++ optional (config.programs.bash.enableCompletion) pkgs.nix-bash-completions; - - environment.etc."nix/nix.conf".source = nixConf; - - environment.etc."nix/registry.json".text = builtins.toJSON { - version = 2; - flakes = mapAttrsToList (n: v: { inherit (v) from to exact; }) cfg.registry; - }; - - # List of machines for distributed Nix builds in the format - # expected by build-remote.pl. - environment.etc."nix/machines" = mkIf (cfg.buildMachines != [ ]) { - text = - concatMapStrings - (machine: - (concatStringsSep " " ([ - "${optionalString (machine.protocol != null) "${machine.protocol}://"}${optionalString (machine.sshUser != null) "${machine.sshUser}@"}${machine.hostName}" - (if machine.system != null then machine.system else if machine.systems != [ ] then concatStringsSep "," machine.systems else "-") - (if machine.sshKey != null then machine.sshKey else "-") - (toString machine.maxJobs) - (toString machine.speedFactor) - (let res = (machine.supportedFeatures ++ machine.mandatoryFeatures); - in if (res == []) then "-" else (concatStringsSep "," res)) - (let res = machine.mandatoryFeatures; - in if (res == []) then "-" else (concatStringsSep "," machine.mandatoryFeatures)) - ] - ++ optional (isNixAtLeast "2.4pre") (if machine.publicHostKey != null then machine.publicHostKey else "-"))) - + "\n" - ) - cfg.buildMachines; - }; - - assertions = - let badMachine = m: m.system == null && m.systems == [ ]; - in - [ - { - assertion = !(any badMachine cfg.buildMachines); - message = '' - At least one system type (via system or - systems) must be set for every build machine. 
- Invalid machine specifications: - '' + " " + - (concatStringsSep "\n " - (map (m: m.hostName) - (filter (badMachine) cfg.buildMachines))); - } - ]; - - systemd.packages = [ nixPackage ]; - - # Will only work once https://github.com/NixOS/nix/pull/6285 is merged - # systemd.tmpfiles.packages = [ nixPackage ]; - - # Can be dropped for Nix > https://github.com/NixOS/nix/pull/6285 - systemd.tmpfiles.rules = [ - "d /nix/var/nix/daemon-socket 0755 root root - -" - ]; - - systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ]; - - systemd.services.nix-daemon = - { - path = [ nixPackage pkgs.util-linux config.programs.ssh.package ] - ++ optionals cfg.distributedBuilds [ pkgs.gzip ]; - - environment = cfg.envVars - // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; } - // config.networking.proxy.envVars; - - unitConfig.RequiresMountsFor = "/nix/store"; - - serviceConfig = - { - CPUSchedulingPolicy = cfg.daemonCPUSchedPolicy; - IOSchedulingClass = cfg.daemonIOSchedClass; - IOSchedulingPriority = cfg.daemonIOSchedPriority; - LimitNOFILE = 1048576; - }; - - restartTriggers = [ nixConf ]; - - # `stopIfChanged = false` changes to switch behavior - # from stop -> update units -> start - # to update units -> restart - # - # The `stopIfChanged` setting therefore controls a trade-off between a - # more predictable lifecycle, which runs the correct "version" of - # the `ExecStop` line, and on the other hand the availability of - # sockets during the switch, as the effectiveness of the stop operation - # depends on the socket being stopped as well. - # - # As `nix-daemon.service` does not make use of `ExecStop`, we prefer - # to keep the socket up and available. This is important for machines - # that run Nix-based services, such as automated build, test, and deploy - # services, that expect the daemon socket to be available at all times. 
- # - # Notably, the Nix client does not retry on failure to connect to the - # daemon socket, and the in-process RemoteStore instance will disable - # itself. This makes retries infeasible even for services that are - # aware of the issue. Failure to connect can affect not only new client - # processes, but also new RemoteStore instances in existing processes, - # as well as existing RemoteStore instances that have not saturated - # their connection pool. - # - # Also note that `stopIfChanged = true` does not kill existing - # connection handling daemons, as one might wish to happen before a - # breaking Nix upgrade (which is rare). The daemon forks that handle - # the individual connections split off into their own sessions, causing - # them not to be stopped by systemd. - # If a Nix upgrade does require all existing daemon processes to stop, - # nix-daemon must do so on its own accord, and only when the new version - # starts and detects that Nix's persistent state needs an upgrade. - stopIfChanged = false; - - }; - - # Set up the environment variables for running Nix. - environment.sessionVariables = cfg.envVars // { NIX_PATH = cfg.nixPath; }; - - environment.extraInit = - '' - if [ -e "$HOME/.nix-defexpr/channels" ]; then - export NIX_PATH="$HOME/.nix-defexpr/channels''${NIX_PATH:+:$NIX_PATH}" - fi - ''; - - nix.nrBuildUsers = mkDefault ( - if cfg.settings.auto-allocate-uids or false then 0 - else max 32 (if cfg.settings.max-jobs == "auto" then 0 else cfg.settings.max-jobs) - ); - - users.users = nixbldUsers; - - services.xserver.displayManager.hiddenUsers = attrNames nixbldUsers; - - system.activationScripts.nix = stringAfter [ "etc" "users" ] - '' - install -m 0755 -d /nix/var/nix/{gcroots,profiles}/per-user - - # Subscribe the root user to the NixOS channel by default. - if [ ! -e "/root/.nix-channels" ]; then - echo "${config.system.defaultChannel} nixos" > "/root/.nix-channels" - fi - ''; - - # Legacy configuration conversion. 
- nix.settings = mkMerge [ - { - trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; - substituters = mkAfter [ "https://cache.nixos.org/" ]; - - system-features = mkDefault ( - [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ - optionals (pkgs.stdenv.hostPlatform ? gcc.arch) ( - # a builder can run code for `gcc.arch` and inferior architectures - [ "gccarch-${pkgs.stdenv.hostPlatform.gcc.arch}" ] ++ - map (x: "gccarch-${x}") (systems.architectures.inferiors.${pkgs.stdenv.hostPlatform.gcc.arch} or []) - ) - ); - } - - (mkIf (!cfg.distributedBuilds) { builders = null; }) - - (mkIf (isNixAtLeast "2.3pre") { sandbox-fallback = false; }) - ]; - - }; - -} diff --git a/third_party/nixpkgs/nixos/modules/services/misc/nix-optimise.nix b/third_party/nixpkgs/nixos/modules/services/misc/nix-optimise.nix index db8148c060..0398229a13 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/nix-optimise.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/nix-optimise.nix @@ -1,28 +1,21 @@ { config, lib, ... }: -with lib; - let cfg = config.nix.optimise; in { - - ###### interface - options = { - nix.optimise = { - - automatic = mkOption { + automatic = lib.mkOption { default = false; - type = types.bool; + type = lib.types.bool; description = lib.mdDoc "Automatically run the nix store optimiser at a specific time."; }; - dates = mkOption { + dates = lib.mkOption { default = ["03:45"]; - type = types.listOf types.str; + type = with lib.types; listOf str; description = lib.mdDoc '' Specification (in the format described by {manpage}`systemd.time(7)`) of the time at @@ -32,9 +25,6 @@ in }; }; - - ###### implementation - config = { assertions = [ { 
@@ -43,14 +33,19 @@ in } ]; - systemd.services.nix-optimise = lib.mkIf config.nix.enable - { description = "Nix Store Optimiser"; + systemd = lib.mkIf config.nix.enable { + services.nix-optimise = { + description = "Nix Store Optimiser"; # No point this if the nix daemon (and thus the nix store) is outside unitConfig.ConditionPathIsReadWrite = "/nix/var/nix/daemon-socket"; serviceConfig.ExecStart = "${config.nix.package}/bin/nix-store --optimise"; - startAt = optionals cfg.automatic cfg.dates; + startAt = lib.optionals cfg.automatic cfg.dates; }; + timers.nix-optimise.timerConfig = { + Persistent = true; + RandomizedDelaySec = 1800; + }; + }; }; - } diff --git a/third_party/nixpkgs/nixos/modules/services/misc/ntfy-sh.nix b/third_party/nixpkgs/nixos/modules/services/misc/ntfy-sh.nix index d66b47a2d6..8fc1df93af 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/ntfy-sh.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/ntfy-sh.nix @@ -32,7 +32,25 @@ in }; settings = mkOption { - type = types.submodule { freeformType = settingsFormat.type; }; + type = types.submodule { + freeformType = settingsFormat.type; + options = { + base-url = mkOption { + type = types.str; + example = "https://ntfy.example"; + description = lib.mdDoc '' + Public facing base URL of the service + + This setting is required for any of the following features: + - attachments (to return a download URL) + - e-mail sending (for the topic URL in the email footer) + - iOS push notifications for self-hosted servers + (to calculate the Firebase poll_request topic) + - Matrix Push Gateway (to validate that the pushkey is correct) + ''; + }; + }; + }; default = { }; 
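Review bot: `timers.nix-optimise.timerConfig` is declared unconditionally inside the `lib.mkIf config.nix.enable` block, so a `nix-optimise.timer` unit carrying `Persistent=` and `RandomizedDelaySec=` but no `OnCalendar=` is presumably generated even when `cfg.automatic` is false (only `startAt` is gated on it); systemd refuses to load a timer that has no trigger, which leaves a failing unit in the closure for everyone who has not enabled the optimiser. Gating it the same way, `timers.nix-optimise.timerConfig = lib.mkIf cfg.automatic { Persistent = true; RandomizedDelaySec = 1800; };`, keeps the unit out unless a schedule exists. The enclosing `config` attribute set starts and ends outside the hunk.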
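Review bot: In the ntfy-sh hunk at `@@ -32` the new `base-url` option has no default, so every existing `services.ntfy-sh.enable = true` configuration stops evaluating until it is set, even though the description lists it as required only for attachments, e-mail, iOS push and the Matrix gateway. If making it mandatory is intended, it deserves a release-note entry; otherwise `type = types.nullOr types.str; default = null;` keeps old configurations working while still documenting the setting.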
@@ -61,8 +79,17 @@ in services.ntfy-sh.settings = { auth-file = mkDefault "/var/lib/ntfy-sh/user.db"; + listen-http = mkDefault "127.0.0.1:2586"; + attachment-cache-dir = mkDefault "/var/lib/ntfy-sh/attachments"; + cache-file = mkDefault "/var/lib/ntfy-sh/cache-file.db"; }; + systemd.tmpfiles.rules = [ + "f ${cfg.settings.auth-file} 0600 ${cfg.user} ${cfg.group} - -" + "d ${cfg.settings.attachment-cache-dir} 0700 ${cfg.user} ${cfg.group} - -" + "f ${cfg.settings.cache-file} 0600 ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.ntfy-sh = { description = "Push notifications server"; @@ -74,6 +101,7 @@ in User = cfg.user; StateDirectory = "ntfy-sh"; + DynamicUser = true; AmbientCapabilities = "CAP_NET_BIND_SERVICE"; PrivateTmp = true; NoNewPrivileges = true; @@ -88,6 +116,8 @@ in RestrictNamespaces = true; RestrictRealtime = true; MemoryDenyWriteExecute = true; + # Upstream Recommandation + LimitNOFILE = 20500; }; }; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/paperless.nix b/third_party/nixpkgs/nixos/modules/services/misc/paperless.nix index 4199e77133..8fe628a408 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/paperless.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/paperless.nix @@ -86,12 +86,11 @@ let SupplementaryGroups = optional enableRedis redisServer.user; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ]; - # Does not work well with the temporary root - #UMask = "0066"; + UMask = "0066"; }; in { - meta.maintainers = with maintainers; [ erikarvstedt Flakebi ]; + meta.maintainers = with maintainers; [ erikarvstedt Flakebi leona ]; imports = [ (mkRenamedOptionModule [ "services" "paperless-ng" ] [ "services" "paperless" ]) diff --git a/third_party/nixpkgs/nixos/modules/services/misc/prowlarr.nix b/third_party/nixpkgs/nixos/modules/services/misc/prowlarr.nix index 77b8ec9894..836280d3e5 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/prowlarr.nix 
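Review bot: The three `systemd.tmpfiles.rules` added in the first ntfy-sh hunk name `${cfg.user}`/`${cfg.group}` as owners, while the second hunk (`@@ -74`) turns on `DynamicUser = true` next to the existing `User = cfg.user`; systemd-tmpfiles resolves owners at boot, before the service runs, so unless `cfg.user` is also created as a static account (that happens outside these hunks, if at all) the rules fail on an unknown user and the files are never created. If a dynamic user is the intent, drop the explicit owners and lean on `StateDirectory = "ntfy-sh"` (already present in the second hunk), which systemd chowns to the allocated UID; if a static user is the intent, `DynamicUser` should go. The `0600`/`0700` modes for the user database, cache and attachment directory are right, and the new `listen-http` default of `127.0.0.1:2586` keeps the server off public interfaces unless the administrator opts in — that default change is worth a sentence in the option description or the release notes.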
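Review bot: Enabling `UMask = "0066"` in the paperless hunk (`@@ -86`) deletes the comment that explained why it had been disabled (`Does not work well with the temporary root`) without recording why it is now safe, so the next maintainer who hits a permission problem has nothing to go on. A short comment such as `# Files created by the paperless services are private to the service user; shared directories are set up elsewhere` would do — I cannot see from the hunk which directories other users or services must read, so the wording needs checking against the rest of the module. Because this `serviceConfig` sits in a `let` that starts outside the hunk and looks shared by several paperless units, the stricter umask presumably applies to all of them.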
+++ b/third_party/nixpkgs/nixos/modules/services/misc/prowlarr.nix @@ -11,6 +11,8 @@ in services.prowlarr = { enable = mkEnableOption (lib.mdDoc "Prowlarr"); + package = mkPackageOptionMD pkgs "prowlarr" { }; + openFirewall = mkOption { type = types.bool; default = false; @@ -29,7 +31,7 @@ in Type = "simple"; DynamicUser = true; StateDirectory = "prowlarr"; - ExecStart = "${pkgs.prowlarr}/bin/Prowlarr -nobrowser -data=/var/lib/prowlarr"; + ExecStart = "${lib.getExe cfg.package} -nobrowser -data=/var/lib/prowlarr"; Restart = "on-failure"; }; }; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/pufferpanel.nix b/third_party/nixpkgs/nixos/modules/services/misc/pufferpanel.nix index 78ec356469..2022406c83 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/pufferpanel.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/pufferpanel.nix @@ -19,7 +19,7 @@ in services.pufferpanel = { enable = true; extraPackages = with pkgs; [ bash curl gawk gnutar gzip ]; - package = pkgs.buildFHSUserEnv { + package = pkgs.buildFHSEnv { name = "pufferpanel-fhs"; runScript = lib.getExe pkgs.pufferpanel; targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ]; @@ -162,7 +162,7 @@ in PrivateUsers = true; PrivateDevices = true; RestrictRealtime = true; - RestrictNamespaces = [ "user" "mnt" ]; # allow buildFHSUserEnv + RestrictNamespaces = [ "user" "mnt" ]; # allow buildFHSEnv RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; LockPersonality = true; DeviceAllow = [ "" ]; diff --git a/third_party/nixpkgs/nixos/modules/services/misc/zoneminder.nix b/third_party/nixpkgs/nixos/modules/services/misc/zoneminder.nix index 1172297985..616a60a123 100644 --- a/third_party/nixpkgs/nixos/modules/services/misc/zoneminder.nix +++ b/third_party/nixpkgs/nixos/modules/services/misc/zoneminder.nix 
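Review bot: `ExecStart = "${lib.getExe cfg.package} ..."` in the second prowlarr hunk only resolves to the binary the old line used, `bin/Prowlarr`, if `pkgs.prowlarr` sets `meta.mainProgram = "Prowlarr"`; without it `lib.getExe` falls back to the package name, which is lower-case and points at a non-existent `bin/prowlarr`. I cannot see the package from here, so either confirm `mainProgram` is set or keep the explicit path while still honouring the new option: `ExecStart = "${cfg.package}/bin/Prowlarr -nobrowser -data=/var/lib/prowlarr";`.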
@@ -351,7 +351,7 @@ in { CacheDirectory = dirs cacheDirs; RuntimeDirectory = dirName; ReadWriteDirectories = lib.mkIf useCustomDir [ cfg.storageDir ]; - StateDirectory = dirs (if useCustomDir then [] else libDirs); + StateDirectory = dirs (lib.optional (!useCustomDir) libDirs); LogsDirectory = dirName; PrivateTmp = true; ProtectSystem = "strict"; diff --git a/third_party/nixpkgs/nixos/modules/services/monitoring/below.nix b/third_party/nixpkgs/nixos/modules/services/monitoring/below.nix new file mode 100644 index 0000000000..92ee3882ca --- /dev/null +++ b/third_party/nixpkgs/nixos/modules/services/monitoring/below.nix 
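Review bot: `lib.optional (!useCustomDir) libDirs` is not equivalent to the removed `if useCustomDir then [] else libDirs`: `lib.optional` wraps its argument in a singleton list, so when `libDirs` is itself a list (which the removed `else` branch, paired with `[]` as the alternative, indicates) `dirs` now receives `[ libDirs ]` — a nested list — instead of `libDirs`. The helper with the original semantics is `lib.optionals`, i.e. `StateDirectory = dirs (lib.optionals (!useCustomDir) libDirs);`. `dirs` and `libDirs` are defined outside this hunk, so confirm that `dirs` does not flatten its input before relying on the current spelling.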
@@ -0,0 +1,106 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.below; + cfgContents = concatStringsSep "\n" ( + mapAttrsToList (n: v: ''${n} = "${v}"'') (filterAttrs (_k: v: v != null) { + log_dir = cfg.dirs.log; + store_dir = cfg.dirs.store; + cgroup_filter_out = cfg.cgroupFilterOut; + }) + ); + + mkDisableOption = n: mkOption { + type = types.bool; + default = true; + description = mdDoc "Whether to enable ${n}."; + }; + optionalType = ty: x: mkOption (x // { + description = mdDoc x.description; + type = (types.nullOr ty); + default = null; + }); + optionalPath = optionalType types.path; + optionalStr = optionalType types.str; + optionalInt = optionalType types.int; +in { + options = { + services.below = { + enable = mkEnableOption (mdDoc "'below' resource monitor"); + + cgroupFilterOut = optionalStr { + description = "A regexp matching the full paths of cgroups whose data shouldn't be collected"; + example = "user.slice.*"; + }; + collect = { + diskStats = mkDisableOption "dist_stat collection"; + ioStats = mkEnableOption (mdDoc "io.stat collection for cgroups"); + exitStats = mkDisableOption "eBPF-based exitstats"; + }; + compression.enable = mkEnableOption (mdDoc "data compression"); + retention = { + size = optionalInt { + description = '' + Size limit for below's data, in bytes. Data is deleted oldest-first, in 24h 'shards'. + + ::: {.note} + The size limit may be exceeded by at most the size of the active shard, as: + - the active shard cannot be deleted; + - the size limit is only enforced when a new shard is created. + ::: + ''; + }; + time = optionalInt { + description = '' + Retention time, in seconds. + + ::: {.note} + As data is stored in 24 hour shards which are discarded as a whole, + only data expired by 24h (or more) is guaranteed to be discarded. + ::: + + ::: {.note} + If `retention.size` is set, data may be discarded earlier than the specified time. 
+ ::: + ''; + }; + }; + dirs = { + log = optionalPath { description = "Where to store below's logs"; }; + store = optionalPath { + description = "Where to store below's data"; + example = "/var/lib/below"; + }; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.below ]; + # /etc/below.conf is also refered to by the `below` CLI tool, + # so this can't be a store-only file whose path is passed to the service + environment.etc."below/below.conf".text = cfgContents; + + systemd = { + packages = [ pkgs.below ]; + services.below = { + # Workaround for https://github.com/NixOS/nixpkgs/issues/81138 + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ cfgContents ]; + + serviceConfig.ExecStart = [ + "" + ("${lib.getExe pkgs.below} record " + (concatStringsSep " " ( + optional (!cfg.collect.diskStats) "--disable-disk-stat" ++ + optional cfg.collect.ioStats "--collect-io-stat" ++ + optional (!cfg.collect.exitStats) "--disable-exitstats" ++ + optional cfg.compression.enable "--compress" ++ + + optional (cfg.retention.size != null) "--store-size-limit ${toString cfg.retention.size}" ++ + optional (cfg.retention.time != null) "--retain-for-s ${toString cfg.retention.time}" + ))) + ]; + }; + }; + }; +} diff --git a/third_party/nixpkgs/nixos/modules/services/monitoring/grafana.nix b/third_party/nixpkgs/nixos/modules/services/monitoring/grafana.nix index e74ee641db..571b9a3aee 100644 --- a/third_party/nixpkgs/nixos/modules/services/monitoring/grafana.nix +++ b/third_party/nixpkgs/nixos/modules/services/monitoring/grafana.nix 
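Review bot: `cfgContents` interpolates each value verbatim inside double quotes (`''${n} = "${v}"''`), so a `cgroupFilterOut` regex containing `\` or `"` — both common in regular expressions, e.g. `user\.slice.*` — produces a malformed or misread `/etc/below/below.conf`. If the file is TOML (as the `key = "value"` shape suggests; confirm against upstream), emitting the value as a JSON string handles the escaping: `mapAttrsToList (n: v: "${n} = ${builtins.toJSON (toString v)}")`. The same applies to the two path values, though those rarely contain such characters.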
@@ -5,25 +5,44 @@ with lib; let cfg = config.services.grafana; opt = options.services.grafana; - provisioningSettingsFormat = pkgs.formats.yaml {}; + provisioningSettingsFormat = pkgs.formats.yaml { }; declarativePlugins = pkgs.linkFarm "grafana-plugins" (builtins.map (pkg: { name = pkg.pname; path = pkg; }) cfg.declarativePlugins); useMysql = cfg.settings.database.type == "mysql"; usePostgresql = cfg.settings.database.type == "postgres"; - settingsFormatIni = pkgs.formats.ini {}; + # Prefer using the values from the default config file[0] directly. This way, + # people reading the NixOS manual can see them without cross-referencing the + # official documentation. + # + # However, if there is no default entry or if the setting is optional, use + # `null` as the default value. It will be turned into the empty string. + # + # If a setting is a list, always allow setting it as a plain string as well. + # + # [0]: https://github.com/grafana/grafana/blob/main/conf/defaults.ini + settingsFormatIni = pkgs.formats.ini { + listToValue = concatMapStringsSep " " (generators.mkValueStringDefault { }); + mkKeyValue = generators.mkKeyValueDefault + { + mkValueString = v: + if v == null then "" + else generators.mkValueStringDefault { } v; + } + "="; + }; configFile = settingsFormatIni.generate "config.ini" cfg.settings; mkProvisionCfg = name: attr: provisionCfg: if provisionCfg.path != null - then provisionCfg.path + then provisionCfg.path else provisioningSettingsFormat.generate "${name}.yaml" (if provisionCfg.settings != null - then provisionCfg.settings - else { - apiVersion = 1; - ${attr} = []; - }); + then provisionCfg.settings + else { + apiVersion = 1; + ${attr} = [ ]; + }); datasourceFileOrDir = mkProvisionCfg "datasource" "datasources" cfg.provision.datasources; dashboardFileOrDir = mkProvisionCfg "dashboard" "providers" cfg.provision.dashboards; 
@@ -35,9 +54,10 @@ let notifierFileOrDir = pkgs.writeText "notifier.yaml" (builtins.toJSON notifierConfiguration); - generateAlertingProvisioningYaml = x: if (cfg.provision.alerting."${x}".path == null) - then provisioningSettingsFormat.generate "${x}.yaml" cfg.provision.alerting."${x}".settings - else cfg.provision.alerting."${x}".path; + generateAlertingProvisioningYaml = x: + if (cfg.provision.alerting."${x}".path == null) + then provisioningSettingsFormat.generate "${x}.yaml" cfg.provision.alerting."${x}".settings + else cfg.provision.alerting."${x}".path; rulesFileOrDir = generateAlertingProvisioningYaml "rules"; contactPointsFileOrDir = generateAlertingProvisioningYaml "contactPoints"; policiesFileOrDir = generateAlertingProvisioningYaml "policies"; @@ -102,7 +122,7 @@ let description = lib.mdDoc "Datasource type. Required."; }; access = mkOption { - type = types.enum ["proxy" "direct"]; + type = types.enum [ "proxy" "direct" ]; default = "proxy"; description = lib.mdDoc "Access mode. proxy or direct (Server or Browser in the UI). Required."; }; @@ -121,6 +141,11 @@ let default = false; description = lib.mdDoc "Allow users to edit datasources from the UI."; }; + jsonData = mkOption { + type = types.nullOr types.attrs; + default = null; + description = lib.mdDoc "Extra data for datasource plugins."; + }; secureJsonData = mkOption { type = types.nullOr types.attrs; default = null; 
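Review bot: The new `jsonData` option, like the provisioning settings around it, is serialised into a YAML file generated in the Nix store (see `provisioningSettingsFormat.generate` earlier in this diff), which is world-readable on the host, but its description does not steer users away from putting credentials in it. Suggested description: `Extra data for datasource plugins. Do not put secrets here: the generated provisioning file lives in the world-readable Nix store; use secureJsonData together with Grafana's file provider instead.` Whether `secureJsonData` already carries such a warning is not visible in this hunk.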
@@ -165,7 +190,7 @@ let description = lib.mdDoc "Notifier name."; }; type = mkOption { - type = types.enum ["dingding" "discord" "email" "googlechat" "hipchat" "kafka" "line" "teams" "opsgenie" "pagerduty" "prometheus-alertmanager" "pushover" "sensu" "sensugo" "slack" "telegram" "threema" "victorops" "webhook"]; + type = types.enum [ "dingding" "discord" "email" "googlechat" "hipchat" "kafka" "line" "teams" "opsgenie" "pagerduty" "prometheus-alertmanager" "pushover" "sensu" "sensugo" "slack" "telegram" "threema" "victorops" "webhook" ]; description = lib.mdDoc "Notifier type."; }; uid = mkOption { @@ -220,7 +245,8 @@ let }; }; }; -in { +in +{ imports = [ (mkRenamedOptionModule [ "services" "grafana" "protocol" ] [ "services" "grafana" "settings" "server" "protocol" ]) (mkRenamedOptionModule [ "services" "grafana" "addr" ] [ "services" "grafana" "settings" "server" "http_addr" ]) @@ -349,7 +375,7 @@ in { protocol = mkOption { description = lib.mdDoc "Which protocol to listen."; default = "http"; - type = types.enum ["http" "https" "h2" "socket"]; + type = types.enum [ "http" "https" "h2" "socket" ]; }; http_addr = mkOption { 
@@ -371,17 +397,60 @@ in { }; domain = mkOption { - description = lib.mdDoc "The public facing domain name used to access grafana from a browser."; + description = lib.mdDoc '' + The public facing domain name used to access grafana from a browser. + + This setting is only used in the default value of the `root_url` setting. + If you set the latter manually, this option does not have to be specified. + ''; default = "localhost"; type = types.str; }; + enforce_domain = mkOption { + description = lib.mdDoc '' + Redirect to correct domain if the host header does not match the domain. + Prevents DNS rebinding attacks. + ''; + default = false; + type = types.bool; + }; + root_url = mkOption { - description = lib.mdDoc "Full public facing url."; + description = lib.mdDoc '' + This is the full URL used to access Grafana from a web browser. + This is important if you use Google or GitHub OAuth authentication (for the callback URL to be correct). + + This setting is also important if you have a reverse proxy in front of Grafana that exposes it through a subpath. + In that case add the subpath to the end of this URL setting. + ''; default = "%(protocol)s://%(domain)s:%(http_port)s/"; type = types.str; }; + serve_from_sub_path = mkOption { + description = lib.mdDoc '' + Serve Grafana from subpath specified in the `root_url` setting. + By default it is set to `false` for compatibility reasons. + + By enabling this setting and using a subpath in `root_url` above, + e.g. `root_url = "http://localhost:3000/grafana"`, + Grafana is accessible on `http://localhost:3000/grafana`. + If accessed without subpath, Grafana will redirect to an URL with the subpath. + ''; + default = false; + type = types.bool; + }; + + router_logging = mkOption { + description = lib.mdDoc '' + Set to `true` for Grafana to log all HTTP requests (not just errors). + These are logged as Info level events to the Grafana log. 
+ ''; + default = false; + type = types.bool; + }; + static_root_path = mkOption { description = lib.mdDoc "Root path for static assets."; default = "${cfg.package}/share/grafana/public"; 
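Review bot: `enforce_domain` redirects any request whose Host header does not match `domain`, but `domain` defaults to `"localhost"` a few lines above in the same hunk, so enabling `enforce_domain` without also setting `domain` redirects every remote request back to localhost. The description should say so: `Requires domain to be set to the public host name; with the default "localhost" every non-local request is redirected.` Similarly, `router_logging` logs every request, which may include URLs with query strings, so a caveat that tokens or search terms can end up in the log would help operators. The `server` settings attrset continues outside this hunk.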
@@ -391,60 +460,119 @@ in { enable_gzip = mkOption { description = lib.mdDoc '' - Set this option to true to enable HTTP compression, this can improve transfer speed and bandwidth utilization. - It is recommended that most users set it to true. By default it is set to false for compatibility reasons. + Set this option to `true` to enable HTTP compression, this can improve transfer speed and bandwidth utilization. + It is recommended that most users set it to `true`. By default it is set to `false` for compatibility reasons. ''; default = false; type = types.bool; }; cert_file = mkOption { - description = lib.mdDoc "Cert file for ssl."; - default = ""; - type = types.str; + description = lib.mdDoc '' + Path to the certificate file (if `protocol` is set to `https` or `h2`). + ''; + default = null; + type = types.nullOr types.str; }; cert_key = mkOption { - description = lib.mdDoc "Cert key for ssl."; - default = ""; + description = lib.mdDoc '' + Path to the certificate key file (if `protocol` is set to `https` or `h2`). + ''; + default = null; + type = types.nullOr types.str; + }; + + socket_gid = mkOption { + description = lib.mdDoc '' + GID where the socket should be set when `protocol=socket`. + Make sure that the target group is in the group of Grafana process and that Grafana process is the file owner before you change this setting. + It is recommended to set the gid as http server user gid. + Not set when the value is -1. + ''; + default = -1; + type = types.int; + }; + + socket_mode = mkOption { + description = lib.mdDoc '' + Mode where the socket should be set when `protocol=socket`. + Make sure that Grafana process is the file owner before you change this setting. + ''; + # I assume this value is interpreted as octal literal by grafana. + # If this was an int, people following tutorials or porting their + # old config could stumble across nix not having octal literals. 
+ default = "0660"; type = types.str; }; socket = mkOption { - description = lib.mdDoc "Path where the socket should be created when protocol=socket. Make sure that Grafana has appropriate permissions before you change this setting."; + description = lib.mdDoc '' + Path where the socket should be created when `protocol=socket`. + Make sure that Grafana has appropriate permissions before you change this setting. + ''; default = "/run/grafana/grafana.sock"; type = types.str; }; + + cdn_url = mkOption { + description = lib.mdDoc '' + Specify a full HTTP URL address to the root of your Grafana CDN assets. + Grafana will add edition and version paths. + + For example, given a cdn url like `https://cdn.myserver.com` + grafana will try to load a javascript file from `http://cdn.myserver.com/grafana-oss/7.4.0/public/build/app..js`. + ''; + default = null; + type = types.nullOr types.str; + }; + + read_timeout = mkOption { + description = lib.mdDoc '' + Sets the maximum time using a duration format (5s/5m/5ms) + before timing out read of an incoming request and closing idle connections. + 0 means there is no timeout for reading the request. + ''; + default = "0"; + type = types.str; + }; }; database = { type = mkOption { description = lib.mdDoc "Database type."; default = "sqlite3"; - type = types.enum ["mysql" "sqlite3" "postgres"]; + type = types.enum [ "mysql" "sqlite3" "postgres" ]; }; host = mkOption { - description = lib.mdDoc "Database host."; + description = lib.mdDoc '' + Only applicable to MySQL or Postgres. + Includes IP or hostname and port or in case of Unix sockets the path to it. 
+ For example, for MySQL running on the same host as Grafana: `host = "127.0.0.1:3306"` + or with Unix sockets: `host = "/var/run/mysqld/mysqld.sock"` + ''; default = "127.0.0.1:3306"; type = types.str; }; name = mkOption { - description = lib.mdDoc "Database name."; + description = lib.mdDoc "The name of the Grafana database."; default = "grafana"; type = types.str; }; user = mkOption { - description = lib.mdDoc "Database user."; + description = lib.mdDoc "The database user (not applicable for `sqlite3`)."; default = "root"; type = types.str; }; password = mkOption { description = lib.mdDoc '' - Database password. Please note that the contents of this option + The database user's password (not applicable for `sqlite3`). + + Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: 
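Review bot: `cert_key` (and `cert_file`) become nullable but their descriptions say nothing about where the key may live, while the `password` option later in this same hunk explicitly warns that option contents end up in the world-readable Nix store; a user writing `cert_key = "${./key.pem}";` copies the private key into the store. Suggest adding to the `cert_key` description: `Must be a path on the local filesystem readable by the grafana user, not a Nix store path (the store is world-readable).` Also, the comment on `socket_mode` (`# I assume this value is interpreted as octal literal by grafana.`) ships an unverified assumption into module code; confirm it against Grafana's config parsing and rewrite the comment as a statement. The `server` attrset starts outside this hunk.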
@@ -454,15 +582,144 @@ in { type = types.str; }; + max_idle_conn = mkOption { + description = lib.mdDoc "The maximum number of connections in the idle connection pool."; + default = 2; + type = types.int; + }; + + max_open_conn = mkOption { + description = lib.mdDoc "The maximum number of open connections to the database."; + default = 0; + type = types.int; + }; + + conn_max_lifetime = mkOption { + description = lib.mdDoc '' + Sets the maximum amount of time a connection may be reused. + The default is 14400 (which means 14400 seconds or 4 hours). + For MySQL, this setting should be shorter than the `wait_timeout` variable. + ''; + default = 14400; + type = types.int; + }; + + locking_attempt_timeout_sec = mkOption { + description = lib.mdDoc '' + For `mysql`, if the `migrationLocking` feature toggle is set, + specify the time (in seconds) to wait before failing to lock the database for the migrations. + ''; + default = 0; + type = types.int; + }; + + log_queries = mkOption { + description = lib.mdDoc "Set to `true` to log the sql calls and execution times"; + default = false; + type = types.bool; + }; + + ssl_mode = mkOption { + description = lib.mdDoc '' + For Postgres, use either `disable`, `require` or `verify-full`. + For MySQL, use either `true`, `false`, or `skip-verify`. + ''; + default = "disable"; + type = types.enum [ "disable" "require" "verify-full" "true" "false" "skip-verify" ]; + }; + + isolation_level = mkOption { + description = lib.mdDoc '' + Only the MySQL driver supports isolation levels in Grafana. + In case the value is empty, the driver's default isolation level is applied. 
+ ''; + default = null; + type = types.nullOr (types.enum [ "READ-UNCOMMITTED" "READ-COMMITTED" "REPEATABLE-READ" "SERIALIZABLE" ]); + }; + + ca_cert_path = mkOption { + description = lib.mdDoc "The path to the CA certificate to use."; + default = null; + type = types.nullOr types.str; + }; + + client_key_path = mkOption { + description = lib.mdDoc "The path to the client key. Only if server requires client authentication."; + default = null; + type = types.nullOr types.str; + }; + + client_cert_path = mkOption { + description = lib.mdDoc "The path to the client cert. Only if server requires client authentication."; + default = null; + type = types.nullOr types.str; + }; + + server_cert_name = mkOption { + description = lib.mdDoc '' + The common name field of the certificate used by the `mysql` or `postgres` server. + Not necessary if `ssl_mode` is set to `skip-verify`. + ''; + default = null; + type = types.nullOr types.str; + }; + path = mkOption { - description = lib.mdDoc "Only applicable to sqlite3 database. The file path where the database will be stored."; + description = lib.mdDoc "Only applicable to `sqlite3` database. The file path where the database will be stored."; default = "${cfg.dataDir}/data/grafana.db"; defaultText = literalExpression ''"''${config.${opt.dataDir}}/data/grafana.db"''; type = types.path; }; + + cache_mode = mkOption { + description = lib.mdDoc '' + For `sqlite3` only. + [Shared cache](https://www.sqlite.org/sharedcache.html) setting used for connecting to the database. + ''; + default = "private"; + type = types.enum [ "private" "shared" ]; + }; + + wal = mkOption { + description = lib.mdDoc '' + For `sqlite3` only. + Setting to enable/disable [Write-Ahead Logging](https://sqlite.org/wal.html). + ''; + default = false; + type = types.bool; + }; + + query_retries = mkOption { + description = lib.mdDoc '' + This setting applies to `sqlite3` only and controls the number of times the system retries a query when the database is locked. 
+ ''; + default = 0; + type = types.int; + }; + + transaction_retries = mkOption { + description = lib.mdDoc '' + This setting applies to `sqlite3` only and controls the number of times the system retries a transaction when the database is locked. + ''; + default = 5; + type = types.int; + }; + + # TODO Add "instrument_queries" option when upgrading to grafana 10.0 + # instrument_queries = mkOption { + # description = lib.mdDoc "Set to `true` to add metrics and tracing for database queries."; + # default = false; + # type = types.bool; + # }; }; security = { + disable_initial_admin_creation = mkOption { + description = lib.mdDoc "Disable creation of admin user on first start of Grafana."; + default = false; + type = types.bool; + }; + admin_user = mkOption { description = lib.mdDoc "Default admin username."; default = "admin"; @@ -481,6 +738,12 @@ in { type = types.str; }; + admin_email = mkOption { + description = lib.mdDoc "The email of the default Grafana Admin, created on startup."; + default = "admin@localhost"; + type = types.str; + }; + secret_key = mkOption { description = lib.mdDoc '' Secret key used for signing. Please note that the contents of this option 
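Review bot: `ssl_mode` is typed as one enum mixing the Postgres values (`disable`/`require`/`verify-full`) with the MySQL ones (`true`/`false`/`skip-verify`), so the module accepts `ssl_mode = "true"` together with `database.type = "postgres"` and the mistake surfaces only when Grafana starts. `usePostgresql` is already in scope from the `let` at the top of the file, so an assertion in the module's `config` section (outside this hunk) catches it at evaluation time; I have not added a MySQL counterpart because the default `"disable"` is a Postgres spelling and, as far as I can tell, the MySQL driver treats unknown values as plain connections — confirm before tightening that side too.
```nix
assertions = [
  {
    assertion = usePostgresql -> builtins.elem cfg.settings.database.ssl_mode [ "disable" "require" "verify-full" ];
    message = "services.grafana.settings.database.ssl_mode: Postgres accepts only disable, require or verify-full.";
  }
];
```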
@@ -492,6 +755,160 @@ in { default = "SW2YcwTIb9zpOOhoPsMm"; type = types.str; }; + + disable_gravatar = mkOption { + description = lib.mdDoc "Set to `true` to disable the use of Gravatar for user profile images."; + default = false; + type = types.bool; + }; + + data_source_proxy_whitelist = mkOption { + description = lib.mdDoc '' + Define a whitelist of allowed IP addresses or domains, with ports, + to be used in data source URLs with the Grafana data source proxy. + Format: `ip_or_domain:port` separated by spaces. + PostgreSQL, MySQL, and MSSQL data sources do not use the proxy and are therefore unaffected by this setting. + ''; + default = [ ]; + type = types.oneOf [ types.str (types.listOf types.str) ]; + }; + + disable_brute_force_login_protection = mkOption { + description = lib.mdDoc "Set to `true` to disable [brute force login protection](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#account-lockout)."; + default = false; + type = types.bool; + }; + + cookie_secure = mkOption { + description = lib.mdDoc "Set to `true` if you host Grafana behind HTTPS."; + default = false; + type = types.bool; + }; + + cookie_samesite = mkOption { + description = lib.mdDoc '' + Sets the `SameSite` cookie attribute and prevents the browser from sending this cookie along with cross-site requests. + The main goal is to mitigate the risk of cross-origin information leakage. + This setting also provides some protection against cross-site request forgery attacks (CSRF), + [read more about SameSite here](https://owasp.org/www-community/SameSite). + Using value `disabled` does not add any `SameSite` attribute to cookies. + ''; + default = "lax"; + type = types.enum [ "lax" "strict" "none" "disabled" ]; + }; + + allow_embedding = mkOption { + description = lib.mdDoc '' + When `false`, the HTTP header `X-Frame-Options: deny` will be set in Grafana HTTP responses + which will instruct browsers to not allow rendering Grafana in a ``, `