Project import generated by Copybara.

GitOrigin-RevId: d603719ec6e294f034936c0d0dc06f689d91b6c3
This commit is contained in:
Default email 2024-06-20 20:27:18 +05:30
parent b2ffaee37b
commit bcb2f287e1
10042 changed files with 114819 additions and 64785 deletions
third_party/nixpkgs
.github
doc
flake.nix
lib
maintainers
nixos

View file

@ -145,6 +145,12 @@
- any-glob-to-any-file:
- lib/**
"6.topic: llvm/clang":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/compilers/llvm/*
"6.topic: lua":
- any:
- changed-files:
@ -212,6 +218,7 @@
- pkgs/development/node-packages/**/*
- pkgs/development/tools/yarn/*
- pkgs/development/tools/yarn2nix-moretea/**/*
- pkgs/development/tools/pnpm/**/*
- pkgs/development/web/nodejs/*
"6.topic: ocaml":

View file

@ -4,6 +4,7 @@ on:
branches:
- 'release-**'
- 'staging-**'
- '!staging-next'
permissions: {}

View file

@ -39,6 +39,9 @@ jobs:
pkgs/development/cuda-modules
pkgs/test/cuda
pkgs/top-level/cuda-packages.nix
NIX_FMT_PATHS_MAINTAINERS: |
maintainers/maintainer-list.nix
maintainers/team-list.nix
NIX_FMT_PATHS_K3S: |
nixos/modules/services/cluster/k3s
nixos/tests/k3s

View file

@ -365,8 +365,8 @@ If `pname` and `version` are specified, `fetchurl` will use those values and wil
_Default value:_ `{}`.
`passthru` (Attribute Set; _optional_)
: Specifies any extra [passthru](#var-stdenv-passthru) attributes for the derivation returned by `fetchurl`.
Note that `fetchurl` defines [passthru attributes of its own](#ssec-pkgs-fetchers-fetchurl-passthru-outputs).
: Specifies any extra [`passthru`](#chap-passthru) attributes for the derivation returned by `fetchurl`.
Note that `fetchurl` defines [`passthru` attributes of its own](#ssec-pkgs-fetchers-fetchurl-passthru-outputs).
Attributes specified in `passthru` can override the default attributes returned by `fetchurl`.
_Default value:_ `{}`.
@ -387,7 +387,7 @@ If `pname` and `version` are specified, `fetchurl` will use those values and wil
### Passthru outputs {#ssec-pkgs-fetchers-fetchurl-passthru-outputs}
`fetchurl` also defines its own [`passthru`](#var-stdenv-passthru) attributes:
`fetchurl` also defines its own [`passthru`](#chap-passthru) attributes:
`url` (String)

View file

@ -191,7 +191,7 @@ Similarly, if you encounter errors similar to `Error_Protocol ("certificate has
### Passthru outputs {#ssec-pkgs-dockerTools-buildImage-passthru-outputs}
`buildImage` defines a few [`passthru`](#var-stdenv-passthru) attributes:
`buildImage` defines a few [`passthru`](#chap-passthru) attributes:
`buildArgs` (Attribute Set)
@ -576,13 +576,13 @@ This allows the function to produce reproducible images.
`passthru` (Attribute Set; _optional_)
: Use this to pass any attributes as [passthru](#var-stdenv-passthru) for the resulting derivation.
: Use this to pass any attributes as [`passthru`](#chap-passthru) for the resulting derivation.
_Default value:_ `{}`
### Passthru outputs {#ssec-pkgs-dockerTools-streamLayeredImage-passthru-outputs}
`streamLayeredImage` also defines its own [`passthru`](#var-stdenv-passthru) attributes:
`streamLayeredImage` also defines its own [`passthru`](#chap-passthru) attributes:
`imageTag` (String)

View file

@ -2,6 +2,7 @@
let
inherit (pkgs) lib;
inherit (lib) hasPrefix removePrefix;
fs = lib.fileset;
common = import ./common.nix;
@ -99,20 +100,30 @@ in pkgs.stdenv.mkDerivation {
nixos-render-docs
];
src = ./.;
src = fs.toSource {
root = ./.;
fileset = fs.unions [
(fs.fileFilter (file:
file.hasExt "md"
|| file.hasExt "md.in"
) ./.)
./style.css
./anchor-use.js
./anchor.min.js
./manpage-urls.json
];
};
postPatch = ''
ln -s ${optionsDoc.optionsJSON}/share/doc/nixos/options.json ./config-options.json
'';
buildPhase = let
pythonInterpreterTable = pkgs.callPackage ./doc-support/python-interpreter-table.nix {};
pythonSection = with lib.strings; replaceStrings
[ "@python-interpreter-table@" ]
[ pythonInterpreterTable ]
(readFile ./languages-frameworks/python.section.md);
in ''
cp ${builtins.toFile "python.section.md" pythonSection} ./languages-frameworks/python.section.md
pythonInterpreterTable = pkgs.callPackage ./doc-support/python-interpreter-table.nix {};
passAsFile = [ "pythonInterpreterTable" ];
buildPhase = ''
substituteInPlace ./languages-frameworks/python.section.md --subst-var-by python-interpreter-table "$(<"$pythonInterpreterTablePath")"
cat \
./functions/library.md.in \

View file

@ -20,10 +20,6 @@ If `wafPath` doesn't exist, then `wafHook` will copy the `waf` provided from Nix
Controls the flags passed to waf tool during build and install phases. For settings specific to build or install phases, use `wafBuildFlags` or `wafInstallFlags` respectively.
#### `dontAddWafCrossFlags` {#dont-add-waf-cross-flags}
When set to `true`, don't add cross compilation flags during configure phase.
#### `dontUseWafConfigure` {#dont-use-waf-configure}
When set to true, don't use the predefined `wafConfigurePhase`.

View file

@ -3,10 +3,36 @@
The Android build environment provides three major features and a number of
supporting features.
## Using androidenv with Android Studio {#using-androidenv-with-android-studio}
Use the `android-studio-full` attribute for a very complete Android SDK, including system images:
```nix
buildInputs = [ android-studio-full ];
```
This is identical to:
```nix
buildInputs = [ androidStudioPackages.stable.full ];
```
Alternatively, you can pass composeAndroidPackages to the `withSdk` passthru:
```nix
buildInputs = [
(android-studio.withSdk (androidenv.composeAndroidPackages {
includeNDK = true;
}).androidsdk)
];
```
These will export ANDROID_SDK_ROOT and ANDROID_NDK_ROOT to the SDK and NDK directories
in the specified Android build environment.
## Deploying an Android SDK installation with plugins {#deploying-an-android-sdk-installation-with-plugins}
The first use case is deploying the SDK with a desired set of plugins or subsets
of an SDK.
Alternatively, you can deploy the SDK separately with a desired set of plugins, or subsets of an SDK.
```nix
with import <nixpkgs> {};
@ -145,16 +171,14 @@ androidComposition.platform-tools
## Using predefined Android package compositions {#using-predefined-android-package-compositions}
In addition to composing an Android package set manually, it is also possible
to use a predefined composition that contains all basic packages for a specific
Android version, such as version 9.0 (API-level 28).
to use a predefined composition that contains a fairly complete set of Android packages:
The following Nix expression can be used to deploy the entire SDK with all basic
plugins:
The following Nix expression can be used to deploy the entire SDK:
```nix
with import <nixpkgs> {};
androidenv.androidPkgs_9_0.androidsdk
androidenv.androidPkgs.androidsdk
```
It is also possible to use one plugin only:
@ -162,50 +186,9 @@ It is also possible to use one plugin only:
```nix
with import <nixpkgs> {};
androidenv.androidPkgs_9_0.platform-tools
androidenv.androidPkgs.platform-tools
```
## Building an Android application {#building-an-android-application}
In addition to the SDK, it is also possible to build an Ant-based Android
project and automatically deploy all the Android plugins that a project
requires.
```nix
with import <nixpkgs> {};
androidenv.buildApp {
name = "MyAndroidApp";
src = ./myappsources;
release = true;
# If release is set to true, you need to specify the following parameters
keyStore = ./keystore;
keyAlias = "myfirstapp";
keyStorePassword = "mykeystore";
keyAliasPassword = "myfirstapp";
# Any Android SDK parameters that install all the relevant plugins that a
# build requires
platformVersions = [ "24" ];
# When we include the NDK, then ndk-build is invoked before Ant gets invoked
includeNDK = true;
}
```
Aside from the app-specific build parameters (`name`, `src`, `release` and
keystore parameters), the `buildApp {}` function supports all the function
parameters that the SDK composition function (the function shown in the
previous section) supports.
This build function is particularly useful when it is desired to use
[Hydra](https://nixos.org/hydra): the Nix-based continuous integration solution
to build Android apps. An Android APK gets exposed as a build product and can be
installed on any Android device with a web browser by navigating to the build
result page.
## Spawning emulator instances {#spawning-emulator-instances}
For testing purposes, it can also be quite convenient to automatically generate
@ -349,3 +332,44 @@ To update the expressions run the `generate.sh` script that is stored in the
```bash
./generate.sh
```
## Building an Android application with Ant {#building-an-android-application-with-ant}
In addition to the SDK, it is also possible to build an Ant-based Android
project and automatically deploy all the Android plugins that a project
requires. Most newer Android projects use Gradle, and this is included for historical
purposes.
```nix
with import <nixpkgs> {};
androidenv.buildApp {
name = "MyAndroidApp";
src = ./myappsources;
release = true;
# If release is set to true, you need to specify the following parameters
keyStore = ./keystore;
keyAlias = "myfirstapp";
keyStorePassword = "mykeystore";
keyAliasPassword = "myfirstapp";
# Any Android SDK parameters that install all the relevant plugins that a
# build requires
platformVersions = [ "24" ];
# When we include the NDK, then ndk-build is invoked before Ant gets invoked
includeNDK = true;
}
```
Aside from the app-specific build parameters (`name`, `src`, `release` and
keystore parameters), the `buildApp {}` function supports all the function
parameters that the SDK composition function (the function shown in the
previous section) supports.
This build function is particularly useful when it is desired to use
[Hydra](https://nixos.org/hydra): the Nix-based continuous integration solution
to build Android apps. An Android APK gets exposed as a build product and can be
installed on any Android device with a web browser by navigating to the build
result page.

View file

@ -98,10 +98,12 @@ The function `buildFlutterApplication` builds Flutter applications.
See the [Dart documentation](#ssec-dart-applications) for more details on required files and arguments.
`flutter` in Nixpkgs always points to `flutterPackages.stable`, which is the latest packaged version. To avoid unforeseen breakage during upgrade, packages in Nixpkgs should use a specific flutter version, such as `flutter319` and `flutter322`, instead of using `flutter` directly.
```nix
{ flutter, fetchFromGitHub }:
flutter.buildFlutterApplication {
flutter322.buildFlutterApplication {
pname = "firmware-updater";
version = "0-unstable-2023-04-30";

View file

@ -0,0 +1,53 @@
# Hare {#sec-language-hare}
## Building Hare programs with `hareHook` {#ssec-language-hare}
The `hareHook` package sets up the environment for building Hare programs by
doing the following:
1. Setting the `HARECACHE`, `HAREPATH` and `NIX_HAREFLAGS` environment variables;
1. Propagating `harec`, `qbe` and two wrapper scripts for the hare binary.
It is not a function as is the case for some other languages --- *e. g.*, Go or
Rust ---, but a package to be added to `nativeBuildInputs`.
## Attributes of `hareHook` {#hareHook-attributes}
The following attributes are accepted by `hareHook`:
1. `hareBuildType`: Either `release` (default) or `debug`. It controls if the
`-R` flag is added to `NIX_HAREFLAGS`.
## Example for `hareHook` {#ex-hareHook}
```nix
{
hareHook,
lib,
stdenv,
}: stdenv.mkDerivation {
pname = "<name>";
version = "<version>";
src = "<src>";
nativeBuildInputs = [ hareHook ];
meta = {
description = "<description>";
inherit (hareHook) badPlatforms platforms;
};
}
```
## Cross Compilation {#hareHook-cross-compilation}
`hareHook` should handle cross compilation out of the box. This is the main
purpose of `NIX_HAREFLAGS`: In it, the `-a` flag is passed with the architecture
of the `hostPlatform`.
However, manual intervention may be needed when a binary compiled by the build
process must be run for the build to complete --- *e. g.*, when using Hare's
`hare` module for code generation.
In those cases, `hareHook` provides the `hare-native` script, which is a wrapper
around the hare binary for using the native (`buildPlatform`) toolchain.

View file

@ -923,14 +923,61 @@ for this to work.
`justStaticExecutables drv`
: Only build and install the executables produced by `drv`, removing everything
that may refer to other Haskell packages' store paths (like libraries and
documentation). This dramatically reduces the closure size of the resulting
derivation. Note that the executables are only statically linked against their
Haskell dependencies, but will still link dynamically against libc, GMP and
other system library dependencies. If dependencies use their Cabal-generated
`Paths_*` module, this may not work as well if GHC's dead code elimination
is unable to remove the references to the dependency's store path that module
contains.
that may refer to other Haskell packages' store paths (like libraries and
documentation). This dramatically reduces the closure size of the resulting
derivation. Note that the executables are only statically linked against their
Haskell dependencies, but will still link dynamically against libc, GMP and
other system library dependencies.
If a library or its dependencies use their Cabal-generated
`Paths_*` module, this may not work as well if GHC's dead code elimination is
unable to remove the references to the dependency's store path that module
contains.
As a consequence, an unused reference may be created from the static binary to such a _library_ store path.
(See [nixpkgs#164630][164630] for more information.)
Importing the `Paths_*` module may cause builds to fail with this message:
```
error: output '/nix/store/64k8iw0ryz76qpijsnl9v87fb26v28z8-my-haskell-package-1.0.0.0' is not allowed to refer to the following paths:
/nix/store/5q5s4a07gaz50h04zpfbda8xjs8wrnhg-ghc-9.6.3
```
If that happens, first disable the check for GHC references and rebuild the
derivation:
```nix
pkgs.haskell.lib.overrideCabal
(pkgs.haskell.lib.justStaticExecutables my-haskell-package)
(drv: {
disallowGhcReference = false;
})
```
Then use `strings` to determine which libraries are responsible:
```
$ nix-build ...
$ strings result/bin/my-haskell-binary | grep /nix/store/
...
/nix/store/n7ciwdlg8yyxdhbrgd6yc2d8ypnwpmgq-hs-opentelemetry-sdk-0.0.3.6/bin
...
```
Finally, use `remove-references-to` to delete those store paths from the produced output:
```nix
pkgs.haskell.lib.overrideCabal
(pkgs.haskell.lib.justStaticExecutables my-haskell-package)
(drv: {
postInstall = ''
${drv.postInstall or ""}
remove-references-to -t ${pkgs.haskellPackages.hs-opentelemetry-sdk}
'';
})
```
[164630]: https://github.com/NixOS/nixpkgs/issues/164630
`enableSeparateBinOutput drv`
: Install executables produced by `drv` to a separate `bin` output. This

View file

@ -19,6 +19,7 @@ dotnet.section.md
emscripten.section.md
gnome.section.md
go.section.md
hare.section.md
haskell.section.md
hy.section.md
idris.section.md

View file

@ -310,6 +310,71 @@ See `node2nix` [docs](https://github.com/svanderburg/node2nix) for more info.
- `node2nix` has some [bugs](https://github.com/svanderburg/node2nix/issues/238) related to working with lock files from npm distributed with `nodejs_16`.
- `node2nix` does not like missing packages from npm. If you see something like `Cannot resolve version: vue-loader-v16@undefined` then you might want to try another tool. The package might have been pulled off of npm.
### pnpm {#javascript-pnpm}
Pnpm is available as the top-level package `pnpm`. Additionally, there are variants pinned to certain major versions, like `pnpm_8` and `pnpm_9`, which support different sets of lock file versions.
When packaging an application that includes a `pnpm-lock.yaml`, you need to fetch the pnpm store for that project using a fixed-output-derivation. The functions `pnpm_8.fetchDeps` and `pnpm_9.fetchDeps` can create this pnpm store derivation. In conjunction, the setup hooks `pnpm_8.configHook` and `pnpm_9.configHook` will prepare the build environment to install the prefetched dependencies store. Here is an example for a package that contains a `package.json` and a `pnpm-lock.yaml` files using the above `pnpm_` attributes:
```nix
{
stdenv,
nodejs,
# This is pinned as { pnpm = pnpm_9; }
pnpm
}:
stdenv.mkDerivation (finalAttrs: {
pname = "foo";
version = "0-unstable-1980-01-01";
src = ...;
nativeBuildInputs = [
nodejs
pnpm.configHook
];
pnpmDeps = pnpm.fetchDeps {
inherit (finalAttrs) pname version src;
hash = "...";
};
})
```
NOTE: It is highly recommended to use a pinned version of pnpm (i.e. `pnpm_8` or `pnpm_9`), to increase future reproducibility. It might also be required to use an older version, if the package needs support for a certain lock file version.
In case you are patching `package.json` or `pnpm-lock.yaml`, make sure to pass `finalAttrs.patches` to the function as well (i.e. `inherit (finalAttrs) patches`.
#### Dealing with `sourceRoot` {#javascript-pnpm-sourceRoot}
NOTE: Nixpkgs pnpm tooling doesn't support building projects with a `pnpm-workspace.yaml`, or building monorepos. It maybe possible to use `pnpm.fetchDeps` for these projects, but it may be hard or impossible to produce a binary from such projects ([an example attempt](https://github.com/NixOS/nixpkgs/pull/290715#issuecomment-2144543728)).
If the pnpm project is in a subdirectory, you can just define `sourceRoot` or `setSourceRoot` for `fetchDeps`. Note, that projects using `pnpm-workspace.yaml` are currently not supported, and will probably not work using this approach.
If `sourceRoot` is different between the parent derivation and `fetchDeps`, you will have to set `pnpmRoot` to effectively be the same location as it is in `fetchDeps`.
Assuming the following directory structure, we can define `sourceRoot` and `pnpmRoot` as follows:
```
.
├── frontend
│   ├── ...
│   ├── package.json
│   └── pnpm-lock.yaml
└── ...
```
```nix
...
pnpmDeps = pnpm.fetchDeps {
...
sourceRoot = "${finalAttrs.src.name}/frontend";
};
# by default the working directory is the extracted source
pnpmRoot = "frontend";
```
### yarn2nix {#javascript-yarn2nix}
#### Preparation {#javascript-yarn2nix-preparation}

View file

@ -31,8 +31,8 @@ Each interpreter has the following attributes:
### Building packages and applications {#building-packages-and-applications}
Python libraries and applications that use `setuptools` or
`distutils` are typically built with respectively the [`buildPythonPackage`](#buildpythonpackage-function) and
Python libraries and applications that use tools to follow PEP 517 (e.g. `setuptools` or `hatchling`, etc.) or
previous tools such as `distutils` are typically built with respectively the [`buildPythonPackage`](#buildpythonpackage-function) and
[`buildPythonApplication`](#buildpythonapplication-function) functions. These two functions also support installing a `wheel`.
All Python packages reside in `pkgs/top-level/python-packages.nix` and all
@ -78,6 +78,7 @@ The following is an example:
, fetchPypi
# build-system
, setuptools
, setuptools-scm
# dependencies
@ -107,6 +108,7 @@ buildPythonPackage rec {
'';
build-system = [
setuptools
setuptools-scm
];
@ -134,13 +136,13 @@ buildPythonPackage rec {
The `buildPythonPackage` mainly does four things:
* In the [`buildPhase`](#build-phase), it calls `${python.pythonOnBuildForHost.interpreter} setup.py bdist_wheel` to
* In the [`buildPhase`](#build-phase), it calls `${python.pythonOnBuildForHost.interpreter} -m build --wheel` to
build a wheel binary zipfile.
* In the [`installPhase`](#ssec-install-phase), it installs the wheel file using `pip install *.whl`.
* In the [`installPhase`](#ssec-install-phase), it installs the wheel file using `${python.pythonOnBuildForHost.interpreter} -m installer *.whl`.
* In the [`postFixup`](#var-stdenv-postFixup) phase, the `wrapPythonPrograms` bash function is called to
wrap all programs in the `$out/bin/*` directory to include `$PATH`
environment variable and add dependent libraries to script's `sys.path`.
* In the [`installCheck`](#ssec-installCheck-phase) phase, `${python.interpreter} setup.py test` is run.
* In the [`installCheck`](#ssec-installCheck-phase) phase, `${python.interpreter} -m pytest` is run.
By default tests are run because [`doCheck = true`](#var-stdenv-doCheck). Test dependencies, like
e.g. the test runner, should be added to [`nativeCheckInputs`](#var-stdenv-nativeCheckInputs).
@ -177,10 +179,6 @@ following are specific to `buildPythonPackage`:
`makeWrapperArgs = ["--set FOO BAR" "--set BAZ QUX"]`.
* `namePrefix`: Prepends text to `${name}` parameter. In case of libraries, this
defaults to `"python3.8-"` for Python 3.8, etc., and in case of applications to `""`.
* `pipInstallFlags ? []`: A list of strings. Arguments to be passed to `pip
install`. To pass options to `python setup.py install`, use
`--install-option`. E.g., `pipInstallFlags=["--install-option='--cpp_implementation'"]`.
* `pipBuildFlags ? []`: A list of strings. Arguments to be passed to `pip wheel`.
* `pypaBuildFlags ? []`: A list of strings. Arguments to be passed to `python -m build --wheel`.
* `pythonPath ? []`: List of packages to be added into `$PYTHONPATH`. Packages
in `pythonPath` are not propagated (contrary to [`propagatedBuildInputs`](#var-stdenv-propagatedBuildInputs)).
@ -298,7 +296,6 @@ python3Packages.buildPythonApplication rec {
build-system = with python3Packages; [
setuptools
wheel
];
dependencies = with python3Packages; [
@ -465,13 +462,11 @@ are used in [`buildPythonPackage`](#buildpythonpackage-function).
with the `eggInstallHook`
- `eggBuildHook` to skip building for eggs.
- `eggInstallHook` to install eggs.
- `pipBuildHook` to build a wheel using `pip` and PEP 517. Note a build system
(e.g. `setuptools` or `flit`) should still be added as `build-system`.
- `pypaBuildHook` to build a wheel using
[`pypa/build`](https://pypa-build.readthedocs.io/en/latest/index.html) and
PEP 517/518. Note a build system (e.g. `setuptools` or `flit`) should still
be added as `build-system`.
- `pipInstallHook` to install wheels.
- `pypaInstallHook` to install wheels.
- `pytestCheckHook` to run tests with `pytest`. See [example usage](#using-pytestcheckhook).
- `pythonCatchConflictsHook` to fail if the package depends on two different versions of the same dependency.
- `pythonImportsCheckHook` to check whether importing the listed modules works.
@ -609,7 +604,8 @@ that sets up an interpreter pointing to them. This matters much more for "big"
modules like `pytorch` or `tensorflow`.
Module names usually match their names on [pypi.org](https://pypi.org/), but
you can use the [Nixpkgs search website](https://nixos.org/nixos/packages.html)
normalized according to PEP 503/508. (e.g. Foo__Bar.baz -> foo-bar-baz)
You can use the [Nixpkgs search website](https://nixos.org/nixos/packages.html)
to find them as well (along with non-python packages).
At this point we can create throwaway experimental Python environments with
@ -837,7 +833,6 @@ building Python libraries is [`buildPythonPackage`](#buildpythonpackage-function
, buildPythonPackage
, fetchPypi
, setuptools
, wheel
}:
buildPythonPackage rec {
@ -852,7 +847,6 @@ buildPythonPackage rec {
build-system = [
setuptools
wheel
];
# has no tests
@ -876,7 +870,7 @@ buildPythonPackage rec {
What happens here? The function [`buildPythonPackage`](#buildpythonpackage-function) is called and as argument
it accepts a set. In this case the set is a recursive set, `rec`. One of the
arguments is the name of the package, which consists of a basename (generally
following the name on PyPi) and a version. Another argument, `src` specifies the
following the name on PyPI) and a version. Another argument, `src` specifies the
source, which in this case is fetched from PyPI using the helper function
`fetchPypi`. The argument `doCheck` is used to set whether tests should be run
when building the package. Since there are no tests, we rely on [`pythonImportsCheck`](#using-pythonimportscheck)
@ -911,7 +905,6 @@ with import <nixpkgs> {};
build-system = [
python311.pkgs.setuptools
python311.pkgs.wheel
];
# has no tests
@ -964,13 +957,13 @@ order to build [`datashape`](https://github.com/blaze/datashape).
, fetchPypi
# build dependencies
, setuptools, wheel
, setuptools
# dependencies
, numpy, multipledispatch, python-dateutil
# tests
, pytest
, pytestCheckHook
}:
buildPythonPackage rec {
@ -985,7 +978,6 @@ buildPythonPackage rec {
build-system = [
setuptools
wheel
];
dependencies = [
@ -995,7 +987,7 @@ buildPythonPackage rec {
];
nativeCheckInputs = [
pytest
pytestCheckHook
];
meta = {
@ -1008,8 +1000,8 @@ buildPythonPackage rec {
```
We can see several runtime dependencies, `numpy`, `multipledispatch`, and
`python-dateutil`. Furthermore, we have [`nativeCheckInputs`](#var-stdenv-nativeCheckInputs) with `pytest`.
`pytest` is a test runner and is only used during the [`checkPhase`](#ssec-check-phase) and is
`python-dateutil`. Furthermore, we have [`nativeCheckInputs`](#var-stdenv-nativeCheckInputs) with `pytestCheckHook`.
`pytestCheckHook` is a test runner hook and is only used during the [`checkPhase`](#ssec-check-phase) and is
therefore not added to `dependencies`.
In the previous case we had only dependencies on other Python packages to consider.
@ -1022,7 +1014,6 @@ when building the bindings and are therefore added as [`buildInputs`](#var-stden
, buildPythonPackage
, fetchPypi
, setuptools
, wheel
, libxml2
, libxslt
}:
@ -1039,7 +1030,6 @@ buildPythonPackage rec {
build-system = [
setuptools
wheel
];
buildInputs = [
@ -1047,6 +1037,14 @@ buildPythonPackage rec {
libxslt
];
# tests are meant to be ran "in-place" in the same directory as src
doCheck = false;
pythonImportsCheck = [
"lxml"
"lxml.etree"
];
meta = {
changelog = "https://github.com/lxml/lxml/releases/tag/lxml-${version}";
description = "Pythonic binding for the libxml2 and libxslt libraries";
@ -1074,7 +1072,6 @@ therefore we have to set `LDFLAGS` and `CFLAGS`.
# build dependencies
, setuptools
, wheel
# dependencies
, fftw
@ -1085,7 +1082,7 @@ therefore we have to set `LDFLAGS` and `CFLAGS`.
}:
buildPythonPackage rec {
pname = "pyFFTW";
pname = "pyfftw";
version = "0.9.2";
pyproject = true;
@ -1096,7 +1093,6 @@ buildPythonPackage rec {
build-system = [
setuptools
wheel
];
buildInputs = [
@ -1118,6 +1114,8 @@ buildPythonPackage rec {
# Tests cannot import pyfftw. pyfftw works fine though.
doCheck = false;
pythonImportsCheck = [ "pyfftw" ];
meta = {
changelog = "https://github.com/pyFFTW/pyFFTW/releases/tag/v${version}";
description = "A pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms";
@ -1133,10 +1131,8 @@ Note also the line [`doCheck = false;`](#var-stdenv-doCheck), we explicitly disa
It is highly encouraged to have testing as part of the package build. This
helps to avoid situations where the package was able to build and install,
but is not usable at runtime. Currently, all packages will use the `test`
command provided by the setup.py (i.e. `python setup.py test`). However,
this is currently deprecated https://github.com/pypa/setuptools/pull/1878
and your package should provide its own [`checkPhase`](#ssec-check-phase).
but is not usable at runtime.
Your package should provide its own [`checkPhase`](#ssec-check-phase).
::: {.note}
The [`checkPhase`](#ssec-check-phase) for python maps to the `installCheckPhase` on a
@ -1207,9 +1203,11 @@ been removed, in this case, it's recommended to use `pytestCheckHook`.
#### Using pytestCheckHook {#using-pytestcheckhook}
`pytestCheckHook` is a convenient hook which will substitute the setuptools
`test` command for a [`checkPhase`](#ssec-check-phase) which runs `pytest`. This is also beneficial
`pytestCheckHook` is a convenient hook which will set up (or configure)
a [`checkPhase`](#ssec-check-phase) to run `pytest`. This is also beneficial
when a package may need many items disabled to run the test suite.
Most packages use `pytest` or `unittest`, which is compatible with `pytest`,
so you will most likely use `pytestCheckHook`.
Using the example above, the analogous `pytestCheckHook` usage would be:
@ -1364,10 +1362,12 @@ instead of a dev dependency).
Keep in mind that while the examples above are done with `requirements.txt`,
`pythonRelaxDepsHook` works by modifying the resulting wheel file, so it should
work with any of the [existing hooks](#setup-hooks).
It indicates that `pythonRelaxDepsHook` has no effect on build time dependencies, such as in `build-system`.
If a package requires incompatible build time dependencies, they should be removed in `postPatch` with `substituteInPlace` or something similar.
#### Using unittestCheckHook {#using-unittestcheckhook}
`unittestCheckHook` is a hook which will substitute the setuptools `test` command for a [`checkPhase`](#ssec-check-phase) which runs `python -m unittest discover`:
`unittestCheckHook` is a hook which will set up (or configure) a [`checkPhase`](#ssec-check-phase) to run `python -m unittest discover`:
```nix
{
@ -1381,6 +1381,8 @@ work with any of the [existing hooks](#setup-hooks).
}
```
`pytest` is compatible with `unittest`, so in most cases you can use `pytestCheckHook` instead.
#### Using sphinxHook {#using-sphinxhook}
The `sphinxHook` is a helpful tool to build documentation and manpages
@ -1459,7 +1461,6 @@ We first create a function that builds `toolz` in `~/path/to/toolz/release.nix`
, buildPythonPackage
, fetchPypi
, setuptools
, wheel
}:
buildPythonPackage rec {
@ -1474,7 +1475,6 @@ buildPythonPackage rec {
build-system = [
setuptools
wheel
];
meta = {
@ -1494,10 +1494,9 @@ with import <nixpkgs> {};
( let
toolz = callPackage /path/to/toolz/release.nix {
buildPythonPackage = python310
Packages.buildPythonPackage;
buildPythonPackage = python3Packages.buildPythonPackage;
};
in python310.withPackages (ps: [
in python3.withPackages (ps: [
ps.numpy
toolz
])
@ -1918,6 +1917,8 @@ because we can only provide security support for non-vendored dependencies.
We recommend [nix-init](https://github.com/nix-community/nix-init) for creating new python packages within nixpkgs,
as it already prefetches the source, parses dependencies for common formats and prefills most things in `meta`.
See also [contributing section](#contributing).
### Are Python interpreters built deterministically? {#deterministic-builds}
The Python interpreters are now built deterministically. Minor modifications had
@ -1935,16 +1936,15 @@ Both are also exported in `nix-shell`.
It is recommended to test packages as part of the build process.
Source distributions (`sdist`) often include test files, but not always.
By default the command `python setup.py test` is run as part of the
[`checkPhase`](#ssec-check-phase), but often it is necessary to pass a custom [`checkPhase`](#ssec-check-phase). An
example of such a situation is when `py.test` is used.
The best practice today is to pass a test hook (e.g. pytestCheckHook, unittestCheckHook) into nativeCheckInputs.
This will reconfigure the checkPhase to make use of that particular test framework.
Occasionally packages don't make use of a common test framework, which may then require a custom checkPhase.
#### Common issues {#common-issues}
* Non-working tests can often be deselected. By default [`buildPythonPackage`](#buildpythonpackage-function)
runs `python setup.py test`. which is deprecated. Most Python modules however
do follow the standard test protocol where the pytest runner can be used
instead. `pytest` supports the `-k` and `--ignore` parameters to ignore test
* Non-working tests can often be deselected. Most Python modules
do follow the standard test protocol where the pytest runner can be used.
`pytest` supports the `-k` and `--ignore` parameters to ignore test
methods or classes as well as whole files. For `pytestCheckHook` these are
conveniently exposed as `disabledTests` and `disabledTestPaths` respectively.
@ -1985,14 +1985,25 @@ The following rules are desired to be respected:
* Python applications live outside of `python-packages.nix` and are packaged
with [`buildPythonApplication`](#buildpythonapplication-function).
* Make sure libraries build for all Python interpreters.
* By default we enable tests. Make sure the tests are found and, in the case of
If it fails to build on some Python versions, consider disabling them by setting `disable = pythonAtLeast "3.x"` along with a comment.
* The two parameters, `pyproject` and `build-system` are set to avoid the legacy setuptools/distutils build.
* Only unversioned attributes (e.g. `pydantic`, but not `pypdantic_1`) can be included in `dependencies`,
since due to `PYTHONPATH` limitations we can only ever support a single version for libraries
without running into duplicate module name conflicts.
* The version restrictions of `dependencies` can be relaxed by [`pythonRelaxDepsHook`](#using-pythonrelaxdepshook).
* Make sure the tests are enabled using for example [`pytestCheckHook`](#using-pytestcheckhook) and, in the case of
libraries, are passing for all interpreters. If certain tests fail they can be
disabled individually. Try to avoid disabling the tests altogether. In any
case, when you disable tests, leave a comment explaining why.
* `pythonImportsCheck` is set. This is still a good smoke test even if `pytestCheckHook` is set.
* `meta.platforms` takes the default value in many cases.
It does not need to be set explicitly unless the package requires a specific platform.
* The file is formatted with `nixfmt-rfc-style`.
* Commit names of Python libraries should reflect that they are Python
libraries, so write for example `python311Packages.numpy: 1.11 -> 1.12`.
It is highly recommended to specify the current default version to enable
automatic build by ofborg.
Note that `pythonPackages` is an alias for `python27Packages`.
* Attribute names in `python-packages.nix` as well as `pname`s should match the
library's name on PyPI, but be normalized according to [PEP
0503](https://www.python.org/dev/peps/pep-0503/#normalized-names). This means
@ -2006,6 +2017,8 @@ The following rules are desired to be respected:
* Attribute names in `python-packages.nix` should be sorted alphanumerically to
avoid merge conflicts and ease locating attributes.
This list is useful for reviewers as well as for self-checking when submitting packages.
## Package set maintenance {#python-package-set-maintenance}
The whole Python package set has a lot of packages that do not see regular

View file

@ -254,7 +254,7 @@ By default, it takes the `stdenv.hostPlatform.config` and replaces components
where they are known to differ. But there are ways to customize the argument:
- To choose a different target by name, define
`stdenv.hostPlatform.rustc.config` as that name (a string), and that
`stdenv.hostPlatform.rust.rustcTarget` as that name (a string), and that
name will be used instead.
For example:
@ -262,7 +262,7 @@ where they are known to differ. But there are ways to customize the argument:
```nix
import <nixpkgs> {
crossSystem = (import <nixpkgs/lib>).systems.examples.armhf-embedded // {
rustc.config = "thumbv7em-none-eabi";
rust.rustcTarget = "thumbv7em-none-eabi";
};
}
```
@ -274,10 +274,10 @@ where they are known to differ. But there are ways to customize the argument:
```
- To pass a completely custom target, define
`stdenv.hostPlatform.rustc.config` with its name, and
`stdenv.hostPlatform.rustc.platform` with the value. The value will be
`stdenv.hostPlatform.rust.rustcTarget` with its name, and
`stdenv.hostPlatform.rust.platform` with the value. The value will be
serialized to JSON in a file called
`${stdenv.hostPlatform.rustc.config}.json`, and the path of that file
`${stdenv.hostPlatform.rust.rustcTarget}.json`, and the path of that file
will be used instead.
For example:
@ -285,8 +285,8 @@ where they are known to differ. But there are ways to customize the argument:
```nix
import <nixpkgs> {
crossSystem = (import <nixpkgs/lib>).systems.examples.armhf-embedded // {
rustc.config = "thumb-crazy";
rustc.platform = { foo = ""; bar = ""; };
rust.rustcTarget = "thumb-crazy";
rust.platform = { foo = ""; bar = ""; };
};
}
```

View file

@ -40,31 +40,29 @@ pkgs.linux_latest.override {
## Manual kernel configuration {#sec-manual-kernel-configuration}
Sometimes it may not be desirable to use kernels built with `pkgs.buildLinux`, especially if most of the common configuration has to be altered or disabled to achieve a kernel as expected by the target use case.
An example of this is building a kernel for use in a VM or micro VM. You can use `pkgs.linuxManualConfig` in these cases. It requires the `src`, `version`, and `configfile` attributes to be specified.
An example of this is building a kernel for use in a VM or micro VM. You can use `pkgs.linuxPackages_custom` in these cases. It requires the `src`, `version`, and `configfile` attributes to be specified.
:::{.example #ex-using-linux-manual-config}
# Using `pkgs.linuxManualConfig` with a specific source, version, and config file
# Using `pkgs.linuxPackages_custom` with a specific source, version, and config file
```nix
{ pkgs, ... }: {
{ pkgs, ... }:
pkgs.linuxPackages_custom {
version = "6.1.55";
src = pkgs.fetchurl {
url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
hash = "sha256:1h0mzx52q9pvdv7rhnvb8g68i7bnlc9rf8gy9qn4alsxq4g28zm8";
};
configfile = ./path_to_config_file;
linux = pkgs.linuxManualConfig {
inherit version src configfile;
allowImportFromDerivation = true;
};
}
```
If necessary, the version string can be slightly modified to explicitly mark it as a custom version. If you do so, ensure the `modDirVersion` attribute matches the source's version, otherwise the build will fail.
```nix
{ pkgs, ... }: {
{ pkgs, ... }:
pkgs.linuxPackages_custom {
version = "6.1.55-custom";
modDirVersion = "6.1.55";
src = pkgs.fetchurl {
@ -72,16 +70,12 @@ If necessary, the version string can be slightly modified to explicitly mark it
hash = "sha256:1h0mzx52q9pvdv7rhnvb8g68i7bnlc9rf8gy9qn4alsxq4g28zm8";
};
configfile = ./path_to_config_file;
linux = pkgs.linuxManualConfig {
inherit version modDirVersion src configfile;
allowImportFromDerivation = true;
};
}
```
:::
Additional attributes can be used with `linuxManualConfig` for further customisation. You're encouraged to read [the `pkgs.linuxManualConfig` source code](https://github.com/NixOS/nixpkgs/blob/d77bda728d5041c1294a68fb25c79e2d161f62b9/pkgs/os-specific/linux/kernel/manual-config.nix) to understand how to use them.
Additional attributes can be used with `linuxManualConfig` for further customisation instead of `linuxPackages_custom`. You're encouraged to read [the `pkgs.linuxManualConfig` source code](https://github.com/NixOS/nixpkgs/blob/d77bda728d5041c1294a68fb25c79e2d161f62b9/pkgs/os-specific/linux/kernel/manual-config.nix) to understand how to use them.
To edit the `.config` file for Linux X.Y from within Nix, proceed as follows:

View file

@ -3,6 +3,7 @@
```{=include=} chapters
stdenv/stdenv.chapter.md
stdenv/meta.chapter.md
stdenv/passthru.chapter.md
stdenv/multiple-output.chapter.md
stdenv/cross-compilation.chapter.md
stdenv/platform-notes.chapter.md

View file

@ -110,83 +110,6 @@ Some packages use this to automatically detect the maximum set of features with
For example, `systemd` [requires dynamic linking](https://github.com/systemd/systemd/issues/20600#issuecomment-912338965), and [has a `meta.badPlatforms` setting](https://github.com/NixOS/nixpkgs/blob/b03ac42b0734da3e7be9bf8d94433a5195734b19/pkgs/os-specific/linux/systemd/default.nix#L752) similar to the one above.
Packages which can be built with or without `systemd` support will use `lib.meta.availableOn` to detect whether or not `systemd` is available on the [`hostPlatform`](#ssec-cross-platform-parameters) for which they are being built; if it is not available (e.g. due to a statically-linked host platform like `pkgsStatic`) this support will be disabled by default.
### `tests` {#var-meta-tests}
::: {.warning}
This attribute is special in that it is not actually under the `meta` attribute set but rather under the `passthru` attribute set. This is due to how `meta` attributes work, and the fact that they are supposed to contain only metadata, not derivations.
:::
An attribute set with tests as values. A test is a derivation that builds when the test passes and fails to build otherwise.
You can run these tests with:
```ShellSession
$ cd path/to/nixpkgs
$ nix-build -A your-package.tests
```
#### Package tests {#var-meta-tests-packages}
Tests that are part of the source package are often executed in the `installCheckPhase`.
Prefer `passthru.tests` for tests that are introduced in nixpkgs because:
* `passthru.tests` tests the 'real' package, independently from the environment in which it was built
* we can run `passthru.tests` independently
* `installCheckPhase` adds overhead to each build
For more on how to write and run package tests, see [](#sec-package-tests).
#### NixOS tests {#var-meta-tests-nixos}
The NixOS tests are available as `nixosTests` in parameters of derivations. For instance, the OpenSMTPD derivation includes lines similar to:
```nix
{ /* ... , */ nixosTests }:
{
# ...
passthru.tests = {
basic-functionality-and-dovecot-integration = nixosTests.opensmtpd;
};
}
```
NixOS tests run in a VM, so they are slower than regular package tests. For more information see [NixOS module tests](https://nixos.org/manual/nixos/stable/#sec-nixos-tests).
Alternatively, you can specify other derivations as tests. You can make use of
the optional parameter to inject the correct package without
relying on non-local definitions, even in the presence of `overrideAttrs`.
Here that's `finalAttrs.finalPackage`, but you could choose a different name if
`finalAttrs` already exists in your scope.
`(mypkg.overrideAttrs f).passthru.tests` will be as expected, as long as the
definition of `tests` does not rely on the original `mypkg` or overrides it in
all places.
```nix
# my-package/default.nix
{ stdenv, callPackage }:
stdenv.mkDerivation (finalAttrs: {
# ...
passthru.tests.example = callPackage ./example.nix { my-package = finalAttrs.finalPackage; };
})
```
```nix
# my-package/example.nix
{ runCommand, lib, my-package, ... }:
runCommand "my-package-test" {
nativeBuildInputs = [ my-package ];
src = lib.sources.sourcesByRegex ./. [ ".*.in" ".*.expected" ];
} ''
my-package --help
my-package <example.in >example.actual
diff -U3 --color=auto example.expected example.actual
mkdir $out
''
```
### `timeout` {#var-meta-timeout}
A timeout (in seconds) for building the derivation. If the derivation takes longer than this time to build, Hydra will fail it due to breaking the timeout. However, all computers do not have the same computing power, hence some builders may decide to apply a multiplicative factor to this value. When filling this value in, try to keep it approximately consistent with other values already present in `nixpkgs`.

View file

@ -0,0 +1,157 @@
# Passthru-attributes {#chap-passthru}
[]{#var-stdenv-passthru} []{#special-variables} <!-- legacy anchors -->
As opposed to most other `mkDerivation` input attributes, `passthru` is not passed to the derivation's [`builder` executable](https://nixos.org/manual/nix/stable/expressions/derivations.html#attr-builder).
Changing it will not trigger a rebuild it is "passed through".
Its value can be accessed as if it was set inside a derivation.
::: {.note}
`passthru` attributes follow no particular schema, but there are a few [conventional patterns](#sec-common-passthru-attributes).
:::
:::{.example #ex-accessing-passthru}
## Setting and accessing `passthru` attributes
```nix
{ stdenv, fetchGit }:
let
hello = stdenv.mkDerivation {
pname = "hello";
src = fetchGit { /* ... */ };
passthru = {
foo = "bar";
baz = {
value1 = 4;
value2 = 5;
};
};
};
in
hello.baz.value1
```
```
4
```
:::
## Common `passthru`-attributes {#sec-common-passthru-attributes}
Many `passthru` attributes are situational, so this section only lists recurring patterns.
They fall in one of these categories:
- Global conventions, which are applied almost universally in Nixpkgs.
Generally these don't entail any special support built into the derivation they belong to.
Common examples of this type are [`passthru.tests`](#var-passthru-tests) and [`passthru.updateScript`](#var-passthru-updateScript).
- Conventions for adding extra functionality to a derivation.
These tend to entail support from the derivation or the `passthru` attribute in question.
Common examples of this type are `passthru.optional-dependencies`, `passthru.withPlugins`, and `passthru.withPackages`.
All of those allow associating the package with a set of components built for that specific package, such as when building Python runtime environments using (`python.withPackages`)[#python.withpackages-function].
Attributes that apply only to particular [build helpers](#part-builders) or [language ecosystems](#chap-language-support) are documented there.
### `passthru.tests` {#var-passthru-tests}
[]{#var-meta-tests} <!-- legacy anchor -->
An attribute set with tests as values.
A test is a derivation that builds when the test passes and fails to build otherwise.
Run these tests with:
```ShellSession
$ cd path/to/nixpkgs
$ nix-build -A your-package.tests
```
:::{.note}
The Nixpkgs systems for continuous integration [Hydra](https://hydra.nixos.org/) and [`nixpkgs-review`](https://github.com/Mic92/nixpkgs-review) don't build these derivations by default, and ([`@ofborg`](https://github.com/NixOS/ofborg)) only builds them when evaluating pull requests for that particular package, or when manually instructed.
:::
#### Package tests {#var-passthru-tests-packages}
[]{#var-meta-tests-packages} <!-- legacy anchor -->
Tests that are part of the source package, if they run quickly, are typically executed in the [`installCheckPhase`](#var-stdenv-phases).
This phase is also suitable for performing a `--version` test for packages that support such flag.
Most programs distributed by Nixpkgs support such a `--version` flag, and successfully calling the program with that flag indicates that the package at least got compiled properly.
:::{.example #ex-checking-build-installCheckPhase}
## Checking builds with `installCheckPhase`
When building `git`, a rudimentary test for successful compilation would be running `git --version`:
```nix
stdenv.mkDerivation (finalAttrs: {
pname = "git";
version = "1.2.3";
# ...
doInstallCheck = true;
installCheckPhase = ''
runHook preInstallCheck
echo checking if 'git --version' mentions ${finalAttrs.version}
$out/bin/git --version | grep ${finalAttrs.version}
runHook postInstallCheck
'';
# ...
})
```
:::
However, tests that are non-trivial will better fit into `passthru.tests` because they:
- Access the package as consumers would, independently from the environment in which it was built
- Can be run and debugged without rebuilding the package, which is useful if that takes a long time
- Don't add overhad to each build, as opposed to `installCheckPhase`
It is also possible to use `passthru.tests` to test the version with [`testVersion`](#tester-testVersion).
<!-- NOTE(@fricklerhandwerk): one may argue whether that testing guide should rather be in the user's manual -->
For more on how to write and run package tests for Nixpkgs, see the [testing section in the package contributor guide](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests).
#### NixOS tests {#var-passthru-tests-nixos}
[]{#var-meta-tests-nixos} <!-- legacy anchor -->
Tests written for NixOS are available as the `nixosTests` argument to package recipes.
For instance, the [OpenSMTPD derivation](https://search.nixos.org/packages?show=opensmtpd) includes lines similar to:
```nix
{ nixosTests, ... }:
{
# ...
passthru.tests = {
basic-functionality-and-dovecot-integration = nixosTests.opensmtpd;
};
}
```
NixOS tests run in a virtual machine (VM), so they are slower than regular package tests.
For more information see the NixOS manual on [NixOS module tests](https://nixos.org/manual/nixos/stable/#sec-nixos-tests).
### `passthru.updateScript` {#var-passthru-updateScript}
<!-- legacy anchors -->
[]{#var-passthru-updateScript-command}
[]{#var-passthru-updateScript-set-command}
[]{#var-passthru-updateScript-set-attrPath}
[]{#var-passthru-updateScript-set-supportedFeatures}
[]{#var-passthru-updateScript-env-UPDATE_NIX_NAME}
[]{#var-passthru-updateScript-env-UPDATE_NIX_PNAME}
[]{#var-passthru-updateScript-env-UPDATE_NIX_OLD_VERSION}
[]{#var-passthru-updateScript-env-UPDATE_NIX_ATTR_PATH}
[]{#var-passthru-updateScript-execution}
[]{#var-passthru-updateScript-supported-features}
[]{#var-passthru-updateScript-commit}
[]{#var-passthru-updateScript-commit-attrPath}
[]{#var-passthru-updateScript-commit-oldVersion}
[]{#var-passthru-updateScript-commit-newVersion}
[]{#var-passthru-updateScript-commit-files}
[]{#var-passthru-updateScript-commit-commitBody}
[]{#var-passthru-updateScript-commit-commitMessage}
[]{#var-passthru-updateScript-example-commit}
Nixpkgs tries to automatically update all packages that have an `passthru.updateScript` attribute.
See the [section on automatic package updates in the package contributor guide](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#automatic-package-updates) for details.

View file

@ -442,145 +442,6 @@ If set to `true`, `stdenv` will pass specific flags to `make` and other build to
Unless set to `false`, some build systems with good support for parallel building including `cmake`, `meson`, and `qmake` will set it to `true`.
### Special variables {#special-variables}
#### `passthru` {#var-stdenv-passthru}
This is an attribute set which can be filled with arbitrary values. For example:
```nix
{
passthru = {
foo = "bar";
baz = {
value1 = 4;
value2 = 5;
};
};
}
```
Values inside it are not passed to the builder, so you can change them without triggering a rebuild. However, they can be accessed outside of a derivation directly, as if they were set inside a derivation itself, e.g. `hello.baz.value1`. We dont specify any usage or schema of `passthru` - it is meant for values that would be useful outside the derivation in other parts of a Nix expression (e.g. in other derivations). An example would be to convey some specific dependency of your derivation which contains a program with plugins support. Later, others who make derivations with plugins can use passed-through dependency to ensure that their plugin would be binary-compatible with built program.
#### `passthru.updateScript` {#var-passthru-updateScript}
A script to be run by `maintainers/scripts/update.nix` when the package is matched. The attribute can contain one of the following:
- []{#var-passthru-updateScript-command} an executable file, either on the file system:
```nix
{
passthru.updateScript = ./update.sh;
}
```
or inside the expression itself:
```nix
{
passthru.updateScript = writeScript "update-zoom-us" ''
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl pcre2 common-updater-scripts
set -eu -o pipefail
version="$(curl -sI https://zoom.us/client/latest/zoom_x86_64.tar.xz | grep -Fi 'Location:' | pcre2grep -o1 '/(([0-9]\.?)+)/')"
update-source-version zoom-us "$version"
'';
}
```
- a list, a script followed by arguments to be passed to it:
```nix
{
passthru.updateScript = [ ../../update.sh pname "--requested-release=unstable" ];
}
```
- an attribute set containing:
- [`command`]{#var-passthru-updateScript-set-command} a string or list in the [format expected by `passthru.updateScript`](#var-passthru-updateScript-command).
- [`attrPath`]{#var-passthru-updateScript-set-attrPath} (optional) a string containing the canonical attribute path for the package. If present, it will be passed to the update script instead of the attribute path on which the package was discovered during Nixpkgs traversal.
- [`supportedFeatures`]{#var-passthru-updateScript-set-supportedFeatures} (optional) a list of the [extra features](#var-passthru-updateScript-supported-features) the script supports.
```nix
{
passthru.updateScript = {
command = [ ../../update.sh pname ];
attrPath = pname;
supportedFeatures = [ /* ... */ ];
};
}
```
::: {.tip}
A common pattern is to use the [`nix-update-script`](https://github.com/NixOS/nixpkgs/blob/master/pkgs/common-updater/nix-update.nix) attribute provided in Nixpkgs, which runs [`nix-update`](https://github.com/Mic92/nix-update):
```nix
{
passthru.updateScript = nix-update-script { };
}
```
For simple packages, this is often enough, and will ensure that the package is updated automatically by [`nixpkgs-update`](https://ryantm.github.io/nixpkgs-update) when a new version is released. The [update bot](https://nix-community.org/update-bot) runs periodically to attempt to automatically update packages, and will run `passthru.updateScript` if set. While not strictly necessary if the project is listed on [Repology](https://repology.org), using `nix-update-script` allows the package to update via many more sources (e.g. GitHub releases).
:::
##### How update scripts are executed? {#var-passthru-updateScript-execution}
Update scripts are to be invoked by `maintainers/scripts/update.nix` script. You can run `nix-shell maintainers/scripts/update.nix` in the root of Nixpkgs repository for information on how to use it. `update.nix` offers several modes for selecting packages to update (e.g. select by attribute path, traverse Nixpkgs and filter by maintainer, etc.), and it will execute update scripts for all matched packages that have an `updateScript` attribute.
Each update script will be passed the following environment variables:
- [`UPDATE_NIX_NAME`]{#var-passthru-updateScript-env-UPDATE_NIX_NAME} content of the `name` attribute of the updated package.
- [`UPDATE_NIX_PNAME`]{#var-passthru-updateScript-env-UPDATE_NIX_PNAME} content of the `pname` attribute of the updated package.
- [`UPDATE_NIX_OLD_VERSION`]{#var-passthru-updateScript-env-UPDATE_NIX_OLD_VERSION} content of the `version` attribute of the updated package.
- [`UPDATE_NIX_ATTR_PATH`]{#var-passthru-updateScript-env-UPDATE_NIX_ATTR_PATH} attribute path the `update.nix` discovered the package on (or the [canonical `attrPath`](#var-passthru-updateScript-set-attrPath) when available). Example: `pantheon.elementary-terminal`
::: {.note}
An update script will be usually run from the root of the Nixpkgs repository but you should not rely on that. Also note that `update.nix` executes update scripts in parallel by default so you should avoid running `git commit` or any other commands that cannot handle that.
:::
::: {.tip}
While update scripts should not create commits themselves, `maintainers/scripts/update.nix` supports automatically creating commits when running it with `--argstr commit true`. If you need to customize commit message, you can have the update script implement [`commit`](#var-passthru-updateScript-commit) feature.
:::
##### Supported features {#var-passthru-updateScript-supported-features}
###### `commit` {#var-passthru-updateScript-commit}
This feature allows update scripts to *ask* `update.nix` to create Git commits.
When support of this feature is declared, whenever the update script exits with `0` return status, it is expected to print a JSON list containing an object described below for each updated attribute to standard output.
When `update.nix` is run with `--argstr commit true` arguments, it will create a separate commit for each of the objects. An empty list can be returned when the script did not update any files, for example, when the package is already at the latest version.
The commit object contains the following values:
- [`attrPath`]{#var-passthru-updateScript-commit-attrPath} a string containing attribute path.
- [`oldVersion`]{#var-passthru-updateScript-commit-oldVersion} a string containing old version.
- [`newVersion`]{#var-passthru-updateScript-commit-newVersion} a string containing new version.
- [`files`]{#var-passthru-updateScript-commit-files} a non-empty list of file paths (as strings) to add to the commit.
- [`commitBody`]{#var-passthru-updateScript-commit-commitBody} (optional) a string with extra content to be appended to the default commit message (useful for adding changelog links).
- [`commitMessage`]{#var-passthru-updateScript-commit-commitMessage} (optional) a string to use instead of the default commit message.
If the returned array contains exactly one object (e.g. `[{}]`), all values are optional and will be determined automatically.
::: {.example #var-passthru-updateScript-example-commit}
# Standard output of an update script using commit feature
```json
[
{
"attrPath": "volume_key",
"oldVersion": "0.3.11",
"newVersion": "0.3.12",
"files": [
"/path/to/nixpkgs/pkgs/development/libraries/volume-key/default.nix"
]
}
]
```
:::
### Fixed-point arguments of `mkDerivation` {#mkderivation-recursive-attributes}
If you pass a function to `mkDerivation`, it will receive as its argument the final arguments, including the overrides when reinvoked via `overrideAttrs`. For example:
@ -633,7 +494,7 @@ in pkg
Unlike the `pkg` binding in the above example, the `finalAttrs` parameter always references the final attributes. For instance `(pkg.overrideAttrs(x)).finalAttrs.finalPackage` is identical to `pkg.overrideAttrs(x)`, whereas `(pkg.overrideAttrs(x)).original` is the same as the original `pkg`.
See also the section about [`passthru.tests`](#var-meta-tests).
See also the section about [`passthru.tests`](#var-passthru-tests).
## Phases {#sec-stdenv-phases}
@ -1145,7 +1006,7 @@ This setup works as follows:
The installCheck phase checks whether the package was installed correctly by running its test suite against the installed directories. The default `installCheck` calls `make installcheck`.
It is often better to add tests that are not part of the source distribution to `passthru.tests` (see
[](#var-meta-tests)). This avoids adding overhead to every build and enables us to run them independently.
[](#var-passthru-tests)). This avoids adding overhead to every build and enables us to run them independently.
#### Variables controlling the installCheck phase {#variables-controlling-the-installcheck-phase}
@ -1558,6 +1419,8 @@ Both parameters take a list of flags as strings. The special `"all"` flag can be
For more in-depth information on these hardening flags and hardening in general, refer to the [Debian Wiki](https://wiki.debian.org/Hardening), [Ubuntu Wiki](https://wiki.ubuntu.com/Security/Features), [Gentoo Wiki](https://wiki.gentoo.org/wiki/Project:Hardened), and the [Arch Wiki](https://wiki.archlinux.org/title/Security).
Note that support for some hardening flags varies by compiler, CPU architecture, target OS and libc. Combinations of these that don't support a particular hardening flag will silently ignore attempts to enable it. To see exactly which hardening flags are being employed in any invocation, the `NIX_DEBUG` environment variable can be used.
### Hardening flags enabled by default {#sec-hardening-flags-enabled-by-default}
The following flags are enabled by default and might require disabling with `hardeningDisable` if the program to package is incompatible.
@ -1607,6 +1470,16 @@ installwatch.c:3751:5: error: conflicting types for '__open_2'
fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
```
Disabling `fortify` implies disablement of `fortify3`
#### `fortify3` {#fortify3}
Adds the `-O2 -D_FORTIFY_SOURCE=3` compiler options. This expands the cases that can be protected by fortify-checks to include some situations with dynamic-length buffers whose length can be inferred at runtime using compiler hints.
Enabling this flag implies enablement of `fortify`. Disabling this flag does not imply disablement of `fortify`.
This flag can sometimes conflict with a build-system's own attempts at enabling fortify support and result in errors complaining about `redefinition of _FORTIFY_SOURCE`.
#### `pic` {#pic}
Adds the `-fPIC` compiler options. This options adds support for position independent code in shared libraries and thus making ASLR possible.
@ -1655,6 +1528,16 @@ Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Execut
Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.
#### `zerocallusedregs` {#zerocallusedregs}
Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call.
#### `trivialautovarinit` {#trivialautovarinit}
Adds the `-ftrivial-auto-var-init=pattern` compiler option. This causes "trivially-initializable" uninitialized stack variables to be forcibly initialized with a nonzero value that is likely to cause a crash (and therefore be noticed). Uninitialized variables generally take on their values based on fragments of previous program state, and attackers can carefully manipulate that state to craft malicious initial values for these variables.
Use of this flag is controversial as it can prevent tools that detect uninitialized variable use (such as valgrind) from operating correctly.
[^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation.
[^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`.
[^footnote-stdenv-propagated-dependencies]: Nix itself already takes a packages transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like [setup hooks](#ssec-setup-hooks) also are run as if it were a propagated dependency.

View file

@ -5,14 +5,15 @@
outputs = { self }:
let
jobs = import ./pkgs/top-level/release.nix {
nixpkgs = self;
};
libVersionInfoOverlay = import ./lib/flake-version-info.nix self;
lib = (import ./lib).extend libVersionInfoOverlay;
forAllSystems = lib.genAttrs lib.systems.flakeExposed;
jobs = forAllSystems (system: import ./pkgs/top-level/release.nix {
nixpkgs = self;
inherit system;
});
in
{
lib = lib.extend (final: prev: {
@ -43,12 +44,15 @@
);
});
checks.x86_64-linux = {
tarball = jobs.tarball;
checks = forAllSystems (system: {
tarball = jobs.${system}.tarball;
# Exclude power64 due to "libressl is not available on the requested hostPlatform" with hostPlatform being power64
} // lib.optionalAttrs (self.legacyPackages.${system}.stdenv.isLinux && !self.legacyPackages.${system}.targetPlatform.isPower64) {
# Test that ensures that the nixosSystem function can accept a lib argument
# Note: prefer not to extend or modify `lib`, especially if you want to share reusable modules
# alternatives include: `import` a file, or put a custom library in an option or in `_module.args.<libname>`
nixosSystemAcceptsLib = (self.lib.nixosSystem {
pkgs = self.legacyPackages.${system};
lib = self.lib.extend (final: prev: {
ifThisFunctionIsMissingTheTestFails = final.id;
});
@ -64,13 +68,13 @@
})
];
}).config.system.build.toplevel;
};
});
htmlDocs = {
nixpkgsManual = jobs.manual;
nixpkgsManual = builtins.mapAttrs (_: jobSet: jobSet.manual) jobs;
nixosManual = (import ./nixos/release-small.nix {
nixpkgs = self;
}).nixos.manual.x86_64-linux;
}).nixos.manual;
};
# The "legacy" in `legacyPackages` doesn't imply that the packages exposed

View file

@ -362,6 +362,12 @@ in mkLicense lset) ({
fullName = "Creative Commons Attribution Share Alike 4.0";
};
cc-sa-10 = {
shortName = "CC-SA-1.0";
fullName = "Creative Commons Share Alike 1.0";
url = "https://creativecommons.org/licenses/sa/1.0";
};
cddl = {
spdxId = "CDDL-1.0";
fullName = "Common Development and Distribution License 1.0";

View file

@ -81,7 +81,7 @@ let
&& final.parsed.kernel == platform.parsed.kernel;
isCompatible = _: throw "2022-05-23: isCompatible has been removed in favor of canExecute, refer to the 22.11 changelog for details";
# Derived meta-data
useLLVM = final.isFreeBSD;
useLLVM = final.isFreeBSD || final.isOpenBSD;
libc =
/**/ if final.isDarwin then "libSystem"

View file

@ -59,7 +59,7 @@ rec {
armv7a-android-prebuilt = {
config = "armv7a-unknown-linux-androideabi";
rustc.config = "armv7-linux-androideabi";
rust.rustcTarget = "armv7-linux-androideabi";
sdkVer = "28";
ndkVer = "24";
useAndroidPrebuilt = true;
@ -67,7 +67,7 @@ rec {
aarch64-android-prebuilt = {
config = "aarch64-unknown-linux-android";
rustc.config = "aarch64-linux-android";
rust.rustcTarget = "aarch64-linux-android";
sdkVer = "28";
ndkVer = "24";
useAndroidPrebuilt = true;
@ -207,7 +207,7 @@ rec {
aarch64-embedded = {
config = "aarch64-none-elf";
libc = "newlib";
rustc.config = "aarch64-unknown-none";
rust.rustcTarget = "aarch64-unknown-none";
};
aarch64be-embedded = {

View file

@ -16,12 +16,12 @@
"armv6l-linux"
"armv7l-linux"
"i686-linux"
"mipsel-linux"
# "mipsel-linux" is excluded because it is not bootstrapped
# Other platforms with sufficient support in stdenv which is not formally
# mandated by their platform tier.
"aarch64-darwin"
"armv5tel-linux"
# "armv5tel-linux" is excluded because it is not bootstrapped
"powerpc64le-linux"
"riscv64-linux"

View file

@ -535,11 +535,9 @@ rec {
name = "riscv-multiplatform";
target = "Image";
autoModules = true;
preferBuiltin = true;
baseConfig = "defconfig";
DTB = true;
extraConfig = ''
SERIAL_OF_PLATFORM y
'';
};
};

View file

@ -24,7 +24,9 @@ in
#
# https://github.com/NixOS/nixpkgs/issues/272591
#
[(import ../../pkgs/test/release {})]
[(import ../../pkgs/test/release {
inherit pkgs lib nix;
})]
;
}

View file

@ -403,7 +403,7 @@ in {
On each release the first letter is bumped and a new animal is chosen
starting with that new letter.
*/
codeName = "Vicuña";
codeName = "Vicuna";
/**
Returns the current nixpkgs version suffix as string.
@ -623,6 +623,37 @@ in {
/**
Reads a JSON file.
# Examples
:::{.example}
## `lib.trivial.importJSON` usage example
example.json
```json
{
"title": "Example JSON",
"hello": {
"world": "foo",
"bar": {
"foobar": true
}
}
}
```
```nix
importJSON ./example.json
=> {
title = "Example JSON";
hello = {
world = "foo";
bar = {
foobar = true;
};
};
}
```
:::
# Inputs
@ -642,6 +673,35 @@ in {
/**
Reads a TOML file.
# Examples
:::{.example}
## `lib.trivial.importTOML` usage example
example.toml
```toml
title = "TOML Example"
[hello]
world = "foo"
[hello.bar]
foobar = true
```
```nix
importTOML ./example.toml
=> {
title = "TOML Example";
hello = {
world = "foo";
bar = {
foobar = true;
};
};
}
```
:::
# Inputs

File diff suppressed because it is too large Load diff

View file

@ -1,5 +1,5 @@
#! /usr/bin/env nix-shell
#! nix-shell -i perl -p perl perlPackages.NetAmazonS3 perlPackages.FileSlurp perlPackages.JSON perlPackages.LWPProtocolHttps nixUnstable nixUnstable.perl-bindings
#! nix-shell -i perl -p perl perlPackages.NetAmazonS3 perlPackages.FileSlurp perlPackages.JSON perlPackages.LWPProtocolHttps nix nix.perl-bindings
# This command uploads tarballs to tarballs.nixos.org, the
# content-addressed cache used by fetchurl as a fallback for when

View file

@ -27,8 +27,13 @@ import utils
),
default=pathlib.Path(__file__).parent.parent.parent.parent
)
def main(repo_metadata: pathlib.Path, nixpkgs: pathlib.Path):
metadata = utils.KDERepoMetadata.from_repo_metadata_checkout(repo_metadata)
@click.option(
"--unstable",
default=False,
is_flag=True
)
def main(repo_metadata: pathlib.Path, nixpkgs: pathlib.Path, unstable: bool):
metadata = utils.KDERepoMetadata.from_repo_metadata_checkout(repo_metadata, unstable)
out_dir = nixpkgs / "pkgs/kde/generated"
metadata.write_json(out_dir)

View file

@ -104,7 +104,7 @@ class KDERepoMetadata:
return project
@classmethod
def from_repo_metadata_checkout(cls, repo_metadata: pathlib.Path):
def from_repo_metadata_checkout(cls, repo_metadata: pathlib.Path, unstable=False):
projects = [
Project.from_yaml(metadata_file)
for metadata_file in repo_metadata.glob("projects-invent/**/metadata.yaml")
@ -122,29 +122,32 @@ class KDERepoMetadata:
dep_graph={},
)
dep_specs = ["dependency-data-stable-kf6-qt6"]
dep_graph = collections.defaultdict(set)
for spec in dep_specs:
spec_path = repo_metadata / "dependencies" / spec
for line in spec_path.open():
line = line.strip()
if line.startswith("#"):
continue
if not line:
continue
if unstable:
spec_name = "dependency-data-kf6-qt6"
else:
spec_name = "dependency-data-stable-kf6-qt6"
dependent, dependency = line.split(": ")
spec_path = repo_metadata / "dependencies" / spec_name
for line in spec_path.open():
line = line.strip()
if line.startswith("#"):
continue
if not line:
continue
dependent = self.try_lookup_package(dependent)
if dependent is None:
continue
dependent, dependency = line.split(": ")
dependency = self.try_lookup_package(dependency)
if dependency is None:
continue
dependent = self.try_lookup_package(dependent)
if dependent is None:
continue
dep_graph[dependent].add(dependency)
dependency = self.try_lookup_package(dependency)
if dependency is None:
continue
dep_graph[dependent].add(dependency)
self.dep_graph = dep_graph

View file

@ -1,5 +1,6 @@
name,rockspec,ref,server,version,luaversion,maintainers
alt-getopt,,,,,,arobyn
ansicolors,,,,,,Freed-Wu
bit32,,,,5.3.0-1,5.1,lblasc
argparse,,,,,,
basexx,,,,,,
@ -76,6 +77,7 @@ lualdap,,,,,,aanderse
lualogging,,,,,,
luaossl,,,,,5.1,
luaposix,,,,34.1.1-1,,vyp lblasc
luaprompt,,,,,,Freed-Wu
luarepl,,,,,,
luarocks,,,,,,mrcjkb teto
luarocks-build-rust-mlua,,,,,,mrcjkb
@ -98,6 +100,7 @@ luuid,,,,20120509-2,,
luv,,,,1.44.2-1,,
lush.nvim,,,https://luarocks.org/dev,,,teto
lyaml,,,,,,lblasc
lz.n,,,,,,mrcjkb
magick,,,,,5.1,donovanglover
markdown,,,,,,
mediator_lua,,,,,,

1 name rockspec ref server version luaversion maintainers
2 alt-getopt arobyn
3 ansicolors Freed-Wu
4 bit32 5.3.0-1 5.1 lblasc
5 argparse
6 basexx
77 lualogging
78 luaossl 5.1
79 luaposix 34.1.1-1 vyp lblasc
80 luaprompt Freed-Wu
81 luarepl
82 luarocks mrcjkb teto
83 luarocks-build-rust-mlua mrcjkb
100 luv 1.44.2-1
101 lush.nvim https://luarocks.org/dev teto
102 lyaml lblasc
103 lz.n mrcjkb
104 magick 5.1 donovanglover
105 markdown
106 mediator_lua

View file

@ -788,7 +788,10 @@ def update_plugins(editor: Editor, args):
fetch_config = FetchConfig(args.proc, args.github_token)
update = editor.get_update(args.input_file, args.outfile, fetch_config)
start_time = time.time()
redirects = update()
duration = time.time() - start_time
print(f"The plugin update took {duration}s.")
editor.rewrite_input(fetch_config, args.input_file, editor.deprecated, redirects)
autocommit = not args.no_commit

View file

@ -1,4 +1,5 @@
/* List of maintainer teams.
/*
List of maintainer teams.
name = {
# Required
members = [ maintainer1 maintainer2 ];
@ -25,10 +26,11 @@
* keep the list alphabetically sorted
* test the validity of the format with:
nix-build lib/tests/teams.nix
*/
*/
{ lib }:
with lib.maintainers; {
with lib.maintainers;
{
acme = {
members = [
aanderse
@ -67,9 +69,7 @@ with lib.maintainers; {
minijackson
yurrriq
];
githubTeams = [
"beam"
];
githubTeams = [ "beam" ];
scope = "Maintain BEAM-related packages and modules.";
shortName = "BEAM";
enableFeatureFreezePing = true;
@ -95,9 +95,7 @@ with lib.maintainers; {
};
budgie = {
members = [
bobby285271
];
members = [ bobby285271 ];
scope = "Maintain Budgie desktop environment";
shortName = "Budgie";
};
@ -144,9 +142,7 @@ with lib.maintainers; {
};
cloudposse = {
members = [
dudymas
];
members = [ dudymas ];
scope = "Maintain atmos and applications made by the Cloud Posse team.";
shortName = "CloudPosse";
enableFeatureFreezePing = true;
@ -178,12 +174,8 @@ with lib.maintainers; {
};
darwin = {
members = [
toonn
];
githubTeams = [
"darwin-maintainers"
];
members = [ toonn ];
githubTeams = [ "darwin-maintainers" ];
scope = "Maintain Darwin compatibility of packages and Darwin-only packages.";
shortName = "Darwin";
enableFeatureFreezePing = true;
@ -213,9 +205,7 @@ with lib.maintainers; {
};
deepin = {
members = [
rewine
];
members = [ rewine ];
scope = "Maintain deepin desktop environment and related packages.";
shortName = "DDE";
enableFeatureFreezePing = true;
@ -262,29 +252,21 @@ with lib.maintainers; {
docs = {
members = [ ];
githubTeams = [
"documentation-team"
];
githubTeams = [ "documentation-team" ];
scope = "Maintain nixpkgs/NixOS documentation and tools for building it.";
shortName = "Docs";
enableFeatureFreezePing = true;
};
emacs = {
members = [
adisbladis
];
members = [ adisbladis ];
scope = "Maintain the Emacs editor and packages.";
shortName = "Emacs";
};
enlightenment = {
members = [
romildo
];
githubTeams = [
"enlightenment"
];
members = [ romildo ];
githubTeams = [ "enlightenment" ];
scope = "Maintain Enlightenment desktop environment and related packages.";
shortName = "Enlightenment";
enableFeatureFreezePing = true;
@ -303,7 +285,12 @@ with lib.maintainers; {
};
flutter = {
members = [ mkg20001 RossComputerGuy FlafyDev hacker1024 ];
members = [
mkg20001
RossComputerGuy
FlafyDev
hacker1024
];
scope = "Maintain Flutter and Dart-related packages and build tools";
shortName = "flutter";
enableFeatureFreezePing = false;
@ -373,9 +360,7 @@ with lib.maintainers; {
sikmir
willcohen
];
githubTeams = [
"geospatial"
];
githubTeams = [ "geospatial" ];
scope = "Maintain geospatial packages.";
shortName = "Geospatial";
enableFeatureFreezePing = true;
@ -400,9 +385,7 @@ with lib.maintainers; {
qbit
mfrw
];
githubTeams = [
"golang"
];
githubTeams = [ "golang" ];
scope = "Maintain Golang compilers.";
shortName = "Go";
enableFeatureFreezePing = true;
@ -415,9 +398,7 @@ with lib.maintainers; {
jtojnar
dasj19
];
githubTeams = [
"gnome"
];
githubTeams = [ "gnome" ];
scope = "Maintain GNOME desktop environment and platform.";
shortName = "GNOME";
enableFeatureFreezePing = true;
@ -443,9 +424,7 @@ with lib.maintainers; {
ncfavier
sternenseemann
];
githubTeams = [
"haskell"
];
githubTeams = [ "haskell" ];
scope = "Maintain Haskell packages and infrastructure.";
shortName = "Haskell";
enableFeatureFreezePing = true;
@ -472,9 +451,7 @@ with lib.maintainers; {
};
infisical = {
members = [
akhilmhdh
];
members = [ akhilmhdh ];
scope = "Maintain Infisical";
shortName = "Infisical";
};
@ -568,9 +545,7 @@ with lib.maintainers; {
uthar
hraban
];
githubTeams = [
"lisp"
];
githubTeams = [ "lisp" ];
scope = "Maintain the Lisp ecosystem.";
shortName = "lisp";
enableFeatureFreezePing = true;
@ -586,18 +561,14 @@ with lib.maintainers; {
rrbutani
sternenseemann
];
githubTeams = [
"llvm"
];
githubTeams = [ "llvm" ];
scope = "Maintain LLVM package sets and related packages";
shortName = "LLVM";
enableFeatureFreezePing = true;
};
lomiri = {
members = [
OPNA2608
];
members = [ OPNA2608 ];
scope = "Maintain Lomiri desktop environment and related packages.";
shortName = "Lomiri";
enableFeatureFreezePing = true;
@ -614,21 +585,15 @@ with lib.maintainers; {
};
lua = {
githubTeams = [
"lua"
];
githubTeams = [ "lua" ];
scope = "Maintain the lua ecosystem.";
shortName = "lua";
enableFeatureFreezePing = true;
};
lumina = {
members = [
romildo
];
githubTeams = [
"lumina"
];
members = [ romildo ];
githubTeams = [ "lumina" ];
scope = "Maintain lumina desktop environment and related packages.";
shortName = "Lumina";
enableFeatureFreezePing = true;
@ -647,12 +612,8 @@ with lib.maintainers; {
};
lxqt = {
members = [
romildo
];
githubTeams = [
"lxqt"
];
members = [ romildo ];
githubTeams = [ "lxqt" ];
scope = "Maintain LXQt desktop environment and related packages.";
shortName = "LXQt";
enableFeatureFreezePing = true;
@ -717,9 +678,7 @@ with lib.maintainers; {
};
mobile = {
members = [
samueldr
];
members = [ samueldr ];
scope = "Maintain Mobile NixOS.";
shortName = "Mobile";
};
@ -766,21 +725,15 @@ with lib.maintainers; {
};
ocaml = {
members = [
alizter
];
githubTeams = [
"ocaml"
];
members = [ alizter ];
githubTeams = [ "ocaml" ];
scope = "Maintain the OCaml compiler and package set.";
shortName = "OCaml";
enableFeatureFreezePing = true;
};
openstack = {
members = [
SuperSandro2000
];
members = [ SuperSandro2000 ];
scope = "Maintain the ecosystem around OpenStack";
shortName = "OpenStack";
};
@ -801,18 +754,14 @@ with lib.maintainers; {
davidak
bobby285271
];
githubTeams = [
"pantheon"
];
githubTeams = [ "pantheon" ];
scope = "Maintain Pantheon desktop environment and platform.";
shortName = "Pantheon";
enableFeatureFreezePing = true;
};
perl = {
members = [
sgo
];
members = [ sgo ];
scope = "Maintain the Perl interpreter and Perl packages.";
shortName = "Perl";
enableFeatureFreezePing = true;
@ -826,9 +775,7 @@ with lib.maintainers; {
patka
talyz
];
githubTeams = [
"php"
];
githubTeams = [ "php" ];
scope = "Maintain PHP related packages and extensions.";
shortName = "PHP";
enableFeatureFreezePing = true;
@ -839,17 +786,13 @@ with lib.maintainers; {
saschagrunert
vdemeester
];
githubTeams = [
"podman"
];
githubTeams = [ "podman" ];
scope = "Maintain Podman and CRI-O related packages and modules.";
shortName = "Podman";
};
postgres = {
members = [
thoughtpolice
];
members = [ thoughtpolice ];
scope = "Maintain the PostgreSQL package and plugins along with the NixOS module.";
shortName = "PostgreSQL";
};
@ -858,7 +801,7 @@ with lib.maintainers; {
members = [
hexa
jonringer
tjni
natsukium
];
scope = "Maintain the Python interpreter and related packages.";
shortName = "Python";
@ -875,9 +818,7 @@ with lib.maintainers; {
SuperSandro2000
ttuegel
];
githubTeams = [
"qt-kde"
];
githubTeams = [ "qt-kde" ];
scope = "Maintain the Qt framework, KDE application suite, Plasma desktop environment and related projects.";
shortName = "Qt / KDE";
enableFeatureFreezePing = true;
@ -907,9 +848,7 @@ with lib.maintainers; {
release = {
members = [ ];
githubTeams = [
"nixos-release-managers"
];
githubTeams = [ "nixos-release-managers" ];
scope = "Manage the current nixpkgs/NixOS release.";
shortName = "Release";
};
@ -920,16 +859,13 @@ with lib.maintainers; {
Flakebi
mschwaig
];
githubTeams = [
"rocm-maintainers"
];
githubTeams = [ "rocm-maintainers" ];
scope = "Maintain ROCm and related packages.";
shortName = "ROCm";
};
ruby = {
members = [
];
members = [ ];
scope = "Maintain the Ruby interpreter and related packages.";
shortName = "Ruby";
enableFeatureFreezePing = true;
@ -943,9 +879,7 @@ with lib.maintainers; {
winter
zowoq
];
githubTeams = [
"rust"
];
githubTeams = [ "rust" ];
scope = "Maintain the Rust compiler toolchain and nixpkgs integration.";
shortName = "Rust";
enableFeatureFreezePing = true;
@ -962,6 +896,12 @@ with lib.maintainers; {
shortName = "SageMath";
};
sdl = {
members = [ ];
scope = "Maintain SDL libraries.";
shortName = "SDL";
};
sphinx = {
members = [ ];
scope = "Maintain Sphinx related packages.";
@ -970,9 +910,7 @@ with lib.maintainers; {
serokell = {
# Verify additions by approval of an already existing member of the team.
members = [
balsoft
];
members = [ balsoft ];
scope = "Group registration for Serokell employees who collectively maintain packages.";
shortName = "Serokell employees";
};
@ -991,27 +929,21 @@ with lib.maintainers; {
systemd = {
members = [ ];
githubTeams = [
"systemd"
];
githubTeams = [ "systemd" ];
scope = "Maintain systemd for NixOS.";
shortName = "systemd";
enableFeatureFreezePing = true;
};
tests = {
members = [
tfc
];
members = [ tfc ];
scope = "Maintain the NixOS VM test runner.";
shortName = "NixOS tests";
enableFeatureFreezePing = true;
};
tts = {
members = [
mic92
];
members = [ mic92 ];
scope = "coqui-ai TTS (formerly Mozilla TTS) and leaf packages";
shortName = "coqui-ai TTS";
};

View file

@ -30,7 +30,7 @@ $ export \
```
The second mechanism is to add the OpenCL driver package to
[](#opt-hardware.opengl.extraPackages).
[](#opt-hardware.graphics.extraPackages).
This links the ICD file under `/run/opengl-driver`, where it will be visible
to the ICD loader.
@ -51,12 +51,12 @@ Platform Vendor Advanced Micro Devices, Inc.
Modern AMD [Graphics Core
Next](https://en.wikipedia.org/wiki/Graphics_Core_Next) (GCN) GPUs are
supported through the rocmPackages.clr.icd package. Adding this package to
[](#opt-hardware.opengl.extraPackages)
[](#opt-hardware.graphics.extraPackages)
enables OpenCL support:
```nix
{
hardware.opengl.extraPackages = [
hardware.graphics.extraPackages = [
rocmPackages.clr.icd
];
}
@ -71,13 +71,13 @@ intel-compute-runtime package. The proprietary Intel OpenCL runtime, in
the intel-ocl package, is an alternative for Gen7 GPUs.
The intel-compute-runtime or intel-ocl package can be added to
[](#opt-hardware.opengl.extraPackages)
[](#opt-hardware.graphics.extraPackages)
to enable OpenCL support. For example, for Gen8 and later GPUs, the following
configuration can be used:
```nix
{
hardware.opengl.extraPackages = [
hardware.graphics.extraPackages = [
intel-compute-runtime
];
}
@ -90,8 +90,8 @@ compute API for GPUs. It is used directly by games or indirectly though
compatibility layers like
[DXVK](https://github.com/doitsujin/dxvk/wiki).
By default, if [](#opt-hardware.opengl.driSupport)
is enabled, mesa is installed and provides Vulkan for supported hardware.
By default, if [](#opt-hardware.graphics.enable)
is enabled, Mesa is installed and provides Vulkan for supported hardware.
Similar to OpenCL, Vulkan drivers are loaded through the *Installable
Client Driver* (ICD) mechanism. ICD files for Vulkan are JSON files that
@ -110,7 +110,7 @@ $ export \
```
The second mechanism is to add the Vulkan driver package to
[](#opt-hardware.opengl.extraPackages).
[](#opt-hardware.graphics.extraPackages).
This links the ICD file under `/run/opengl-driver`, where it will be
visible to the ICD loader.
@ -140,18 +140,18 @@ Modern AMD [Graphics Core
Next](https://en.wikipedia.org/wiki/Graphics_Core_Next) (GCN) GPUs are
supported through either radv, which is part of mesa, or the amdvlk
package. Adding the amdvlk package to
[](#opt-hardware.opengl.extraPackages)
[](#opt-hardware.graphics.extraPackages)
makes amdvlk the default driver and hides radv and lavapipe from the device list.
A specific driver can be forced as follows:
```nix
{
hardware.opengl.extraPackages = [
hardware.graphics.extraPackages = [
pkgs.amdvlk
];
# To enable Vulkan support for 32-bit applications, also add:
hardware.opengl.extraPackages32 = [
hardware.graphics.extraPackages32 = [
pkgs.driversi686Linux.amdvlk
];
@ -171,7 +171,7 @@ graphics hardware acceleration capabilities for video processing.
VA-API drivers are loaded by `libva`. The version in nixpkgs is built to search
the opengl driver path, so drivers can be installed in
[](#opt-hardware.opengl.extraPackages).
[](#opt-hardware.graphics.extraPackages).
VA-API can be tested using:
@ -185,7 +185,7 @@ Modern Intel GPUs use the iHD driver, which can be installed with:
```nix
{
hardware.opengl.extraPackages = [
hardware.graphics.extraPackages = [
intel-media-driver
];
}
@ -195,7 +195,7 @@ Older Intel GPUs use the i965 driver, which can be installed with:
```nix
{
hardware.opengl.extraPackages = [
hardware.graphics.extraPackages = [
intel-vaapi-driver
];
}

View file

@ -79,7 +79,7 @@ Wine, you should also set the following:
```nix
{
hardware.opengl.driSupport32Bit = true;
hardware.graphics.enable32Bit = true;
}
```
@ -183,23 +183,6 @@ If you have an older card, you may have to use one of the legacy drivers:
You may need to reboot after enabling this driver to prevent a clash
with other kernel modules.
## Proprietary AMD drivers {#sec-x11--graphics-cards-amd}
AMD provides a proprietary driver for its graphics cards that is not
enabled by default because it's not Free Software, is often broken in
nixpkgs and as of this writing doesn't offer more features or
performance. If you still want to use it anyway, you need to explicitly
set:
```nix
{
services.xserver.videoDrivers = [ "amdgpu-pro" ];
}
```
You will need to reboot after enabling this driver to prevent a clash
with other kernel modules.
## Touchpads {#sec-x11-touchpads}
Support for Synaptics touchpads (found in many laptops such as the Dell

View file

@ -44,7 +44,7 @@ As an alternative, you can proxy the guest shell to a local TCP server by first
starting a TCP server in a terminal using the command:
```ShellSession
$ socat 'READLINE,PROMPT=$ ' tcp-listen:4444,reuseaddr`
$ socat 'READLINE,PROMPT=$ ' tcp-listen:4444,reuseaddr
```
In the terminal where the test driver is running, connect to this server by

View file

@ -207,6 +207,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- [xdg-terminal-exec](https://github.com/Vladimir-csp/xdg-terminal-exec), the proposed Default Terminal Execution Specification.
- Convenience options for `amdgpu`, open source driver for Radeon cards, is now available under `hardware.amdgpu`.
- [ydotool](https://github.com/ReimuNotMoe/ydotool), a generic command-line automation tool now has a module. Available as [programs.ydotool](#opt-programs.ydotool.enable).
- [your_spotify](https://github.com/Yooooomi/your_spotify), a self hosted Spotify tracking dashboard. Available as [services.your_spotify](#opt-services.your_spotify.enable)
@ -822,3 +824,4 @@ Module System:
### Internal {#sec-release-24.05-lib-internal}
- `lib` now has [Readme for contributing](https://github.com/NixOS/nixpkgs/tree/master/lib#readme).
- Some function's documentation is now written using the [accepted doc comment syntax](https://github.com/NixOS/rfcs/pull/145).
- `odoo` has been updated from `16.0.20231024` to `17.0.20240507`.

View file

@ -4,7 +4,10 @@
## Highlights {#sec-release-24.11-highlights}
- Create the first release note entry in this section!
- Convenience options for `amdgpu`, open source driver for Radeon cards, is now available under `hardware.amdgpu`.
- [AMDVLK](https://github.com/GPUOpen-Drivers/AMDVLK), AMD's open source Vulkan driver, is now available to be configured as `hardware.amdgpu.amdvlk` option.
This also allows configuring runtime settings of AMDVLK and enabling experimental features.
## New Services {#sec-release-24.11-new-services}
@ -12,8 +15,16 @@
for LLMs. Available as [services.open-webui](#opt-services.open-webui.enable)
service.
- [Quickwit](https://quickwit.io), sub-second search & analytics engine on cloud storage. Available as [services.quickwit](options.html#opt-services.quickwit).
- [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood).
- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).
## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
- `androidenv.androidPkgs_9_0` has been removed, and replaced with `androidenv.androidPkgs` for a more complete Android SDK including support for Android 9 and later.
- `nginx` package no longer includes `gd` and `geoip` dependencies. For enabling it, override `nginx` package with the optionals `withImageFilter` and `withGeoIP`.
- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can
@ -28,6 +39,12 @@
`services.forgejo.secrets` is a small wrapper over systemd's `LoadCredential=`. It has the same structure (sections/keys) as
`services.forgejo.settings` but takes file paths that will be read before service startup instead of some plaintext value.
- `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.
- `vaultwarden` lost the capability to bind to privileged ports. If you rely on
this behavior, override the systemd unit to allow `CAP_NET_BIND_SERVICE` in
your local configuration.
- The Invoiceplane module now only accepts the structured `settings` option.
`extraConfig` is now removed.
@ -36,6 +53,14 @@
before changing the package to `pkgs.stalwart-mail` in
[`services.stalwart-mail.package`](#opt-services.stalwart-mail.package).
- `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in the
output by default, to alert users to closure size issues caused by
[#164630](https://github.com/NixOS/nixpkgs/issues/164630). See ["Packaging
Helpers" in the Haskell section of the Nixpkgs
manual](https://nixos.org/manual/nixpkgs/unstable/#haskell-packaging-helpers)
for information on working around `output '...' is not allowed to refer to
the following paths` errors caused by this change.
- The `stalwart-mail` module now uses RocksDB as the default storage backend
for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured
data and the filesystem for blobs).
@ -52,10 +77,18 @@
services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
```
- The `tracy` package no longer works on X11, since it's moved to Wayland
support, which is the intended default behavior by Tracy maintainers.
X11 users have to switch to the new package `tracy-x11`.
## Other Notable Changes {#sec-release-24.11-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- `hareHook` has been added as the language framework for Hare. From now on, it,
not the `hare` package, should be added to `nativeBuildInputs` when building
Hare programs.
- To facilitate dependency injection, the `imgui` package now builds a static archive using vcpkg' CMake rules.
The derivation now installs "impl" headers selectively instead of by a wildcard.
Use `imgui.src` if you just want to access the unpacked sources.

View file

@ -147,7 +147,10 @@ in {
'' + optionalString (def.ipv6SendRAConfig != { }) ''
[IPv6SendRA]
${attrsToSection def.ipv6SendRAConfig}
'' + flip concatMapStrings def.ipv6Prefixes (x: ''
'' + flip concatMapStrings def.ipv6PREF64Prefixes (x: ''
[IPv6PREF64Prefix]
${attrsToSection x}
'') + flip concatMapStrings def.ipv6Prefixes (x: ''
[IPv6Prefix]
${attrsToSection x}
'') + flip concatMapStrings def.ipv6RoutePrefixes (x: ''

View file

@ -13,11 +13,20 @@
, extraPythonPackages ? (_ : [])
, nixosTests
}:
let
fs = lib.fileset;
in
python3Packages.buildPythonApplication {
pname = "nixos-test-driver";
version = "1.1";
src = ./.;
src = fs.toSource {
root = ./.;
fileset = fs.unions [
./pyproject.toml
./test_driver
./extract-docstrings.py
];
};
pyproject = true;
propagatedBuildInputs = [

View file

@ -106,7 +106,6 @@ class Driver:
with self.logger.subtest(name):
try:
yield
return True
except Exception as e:
self.logger.error(f'Test "{name}" failed with error: "{e}"')
raise e

View file

@ -39,7 +39,7 @@ with lib;
# dep of graphviz, libXpm is optional for Xpm support
gd = super.gd.override { withXorg = false; };
ghostscript = super.ghostscript.override { cupsSupport = false; x11Support = false; };
gjs = super.gjs.overrideAttrs { doCheck = false; installTests = false; }; # avoid test dependency on gtk3
gjs = (super.gjs.override { installTests = false; }).overrideAttrs { doCheck = false; }; # avoid test dependency on gtk3
gobject-introspection = super.gobject-introspection.override { x11Support = false; };
gpg-tui = super.gpg-tui.override { x11Support = false; };
gpsd = super.gpsd.override { guiSupport = false; };

View file

@ -0,0 +1,126 @@
{ config, lib, pkgs, ... }:
let
cfg = config.hardware.graphics;
driversEnv = pkgs.buildEnv {
name = "graphics-drivers";
paths = [ cfg.package ] ++ cfg.extraPackages;
};
driversEnv32 = pkgs.buildEnv {
name = "graphics-drivers-32bit";
paths = [ cfg.package32 ] ++ cfg.extraPackages32;
};
in
{
imports = [
(lib.mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ])
(lib.mkRemovedOptionModule [ "hardware" "opengl" "s3tcSupport" ] "S3TC support is now always enabled in Mesa.")
(lib.mkRemovedOptionModule [ "hardware" "opengl" "driSupport"] "The setting can be removed.")
(lib.mkRenamedOptionModule [ "hardware" "opengl" "enable"] [ "hardware" "graphics" "enable" ])
(lib.mkRenamedOptionModule [ "hardware" "opengl" "driSupport32Bit"] [ "hardware" "graphics" "enable32Bit" ])
(lib.mkRenamedOptionModule [ "hardware" "opengl" "package"] [ "hardware" "graphics" "package" ])
(lib.mkRenamedOptionModule [ "hardware" "opengl" "package32"] [ "hardware" "graphics" "package32" ])
(lib.mkRenamedOptionModule [ "hardware" "opengl" "extraPackages"] [ "hardware" "graphics" "extraPackages" ])
(lib.mkRenamedOptionModule [ "hardware" "opengl" "extraPackages32"] [ "hardware" "graphics" "extraPackages32" ])
];
options.hardware.graphics = {
enable = lib.mkOption {
description = ''
Whether to enable hardware accelerated graphics drivers.
This is required to allow most graphical applications and
environments to use hardware rendering, video encode/decode
acceleration, etc.
This option should be enabled by default by the corresponding modules,
so you do not usually have to set it yourself.
'';
type = lib.types.bool;
default = false;
};
enable32Bit = lib.mkOption {
description = ''
On 64-bit systems, whether to also install 32-bit drivers for
32-bit applications (such as Wine).
'';
type = lib.types.bool;
default = false;
};
package = lib.mkOption {
description = ''
The package that provides the default driver set.
'';
type = lib.types.package;
internal = true;
};
package32 = lib.mkOption {
description = ''
The package that provides the 32-bit driver set. Used when {option}`enable32Bit` is enabled.
set.
'';
type = lib.types.package;
internal = true;
};
extraPackages = lib.mkOption {
description = ''
Additional packages to add to the default graphics driver lookup path.
This can be used to add OpenCL drivers, VA-API/VDPAU drivers, etc.
::: {.note}
intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver.
:::
'';
type = lib.types.listOf lib.types.package;
default = [];
example = lib.literalExpression "with pkgs; [ intel-media-driver intel-ocl intel-vaapi-driver ]";
};
extraPackages32 = lib.mkOption {
description = ''
Additional packages to add to 32-bit graphics driver lookup path on 64-bit systems.
Used when {option}`enable32Bit` is set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers, etc.
::: {.note}
intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver.
:::
'';
type = lib.types.listOf lib.types.package;
default = [];
example = lib.literalExpression "with pkgs.pkgsi686Linux; [ intel-media-driver intel-vaapi-driver ]";
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.enable32Bit -> pkgs.stdenv.isx86_64;
message = "`hardware.graphics.enable32Bit` only makes sense on a 64-bit system.";
}
{
assertion = cfg.enable32Bit -> (config.boot.kernelPackages.kernel.features.ia32Emulation or false);
message = "`hardware.graphics.enable32Bit` requires a kernel that supports 32-bit emulation";
}
];
systemd.tmpfiles.settings.graphics-driver = {
"/run/opengl-driver"."L+".argument = toString driversEnv;
"/run/opengl-driver-32" =
if pkgs.stdenv.isi686 then
{ "L+".argument = "opengl-driver"; }
else if cfg.enable32Bit then
{ "L+".argument = toString driversEnv32; }
else
{ "r" = {}; };
};
hardware.graphics.package = lib.mkDefault pkgs.mesa.drivers;
hardware.graphics.package32 = lib.mkDefault pkgs.pkgsi686Linux.mesa.drivers;
};
}

View file

@ -1,161 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.opengl;
kernelPackages = config.boot.kernelPackages;
videoDrivers = config.services.xserver.videoDrivers;
package = pkgs.buildEnv {
name = "opengl-drivers";
paths = [ cfg.package ] ++ cfg.extraPackages;
};
package32 = pkgs.buildEnv {
name = "opengl-drivers-32bit";
paths = [ cfg.package32 ] ++ cfg.extraPackages32;
};
in
{
imports = [
(mkRenamedOptionModule [ "services" "xserver" "vaapiDrivers" ] [ "hardware" "opengl" "extraPackages" ])
(mkRemovedOptionModule [ "hardware" "opengl" "s3tcSupport" ] "S3TC support is now always enabled in Mesa.")
];
options = {
hardware.opengl = {
enable = mkOption {
description = ''
Whether to enable OpenGL drivers. This is needed to enable
OpenGL support in X11 systems, as well as for Wayland compositors
like sway and Weston. It is enabled by default
by the corresponding modules, so you do not usually have to
set it yourself, only if there is no module for your wayland
compositor of choice. See services.xserver.enable and
programs.sway.enable.
'';
type = types.bool;
default = false;
};
driSupport = mkOption {
type = types.bool;
default = true;
description = ''
Whether to enable accelerated OpenGL rendering through the
Direct Rendering Interface (DRI).
'';
};
driSupport32Bit = mkOption {
type = types.bool;
default = false;
description = ''
On 64-bit systems, whether to support Direct Rendering for
32-bit applications (such as Wine). This is currently only
supported for the `nvidia` as well as
`Mesa`.
'';
};
package = mkOption {
type = types.package;
internal = true;
description = ''
The package that provides the OpenGL implementation.
'';
};
package32 = mkOption {
type = types.package;
internal = true;
description = ''
The package that provides the 32-bit OpenGL implementation on
64-bit systems. Used when {option}`driSupport32Bit` is
set.
'';
};
extraPackages = mkOption {
type = types.listOf types.package;
default = [];
example = literalExpression "with pkgs; [ intel-media-driver intel-ocl intel-vaapi-driver ]";
description = ''
Additional packages to add to OpenGL drivers.
This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc.
::: {.note}
intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver.
:::
'';
};
extraPackages32 = mkOption {
type = types.listOf types.package;
default = [];
example = literalExpression "with pkgs.pkgsi686Linux; [ intel-media-driver intel-vaapi-driver ]";
description = ''
Additional packages to add to 32-bit OpenGL drivers on 64-bit systems.
Used when {option}`driSupport32Bit` is set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc.
::: {.note}
intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver.
:::
'';
};
setLdLibraryPath = mkOption {
type = types.bool;
internal = true;
default = false;
description = ''
Whether the `LD_LIBRARY_PATH` environment variable
should be set to the locations of driver libraries. Drivers which
rely on overriding libraries should set this to true. Drivers which
support `libglvnd` and other dispatch libraries
instead of overriding libraries should not set this.
'';
};
};
};
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.driSupport32Bit -> pkgs.stdenv.isx86_64;
message = "Option driSupport32Bit only makes sense on a 64-bit system.";
}
{ assertion = cfg.driSupport32Bit -> (config.boot.kernelPackages.kernel.features.ia32Emulation or false);
message = "Option driSupport32Bit requires a kernel that supports 32bit emulation";
}
];
systemd.tmpfiles.rules = [
"L+ /run/opengl-driver - - - - ${package}"
(
if pkgs.stdenv.isi686 then
"L+ /run/opengl-driver-32 - - - - opengl-driver"
else if cfg.driSupport32Bit then
"L+ /run/opengl-driver-32 - - - - ${package32}"
else
"r /run/opengl-driver-32"
)
];
environment.sessionVariables.LD_LIBRARY_PATH = mkIf cfg.setLdLibraryPath
([ "/run/opengl-driver/lib" ] ++ optional cfg.driSupport32Bit "/run/opengl-driver-32/lib");
hardware.opengl.package = mkDefault pkgs.mesa.drivers;
hardware.opengl.package32 = mkDefault pkgs.pkgsi686Linux.mesa.drivers;
boot.extraModulePackages = optional (elem "virtualbox" videoDrivers) kernelPackages.virtualboxGuestAdditions;
};
}

View file

@ -1,69 +0,0 @@
# This module provides the proprietary AMDGPU-PRO drivers.
{ config, lib, pkgs, ... }:
with lib;
let
drivers = config.services.xserver.videoDrivers;
enabled = elem "amdgpu-pro" drivers;
package = config.boot.kernelPackages.amdgpu-pro;
package32 = pkgs.pkgsi686Linux.linuxPackages.amdgpu-pro.override { kernel = null; };
opengl = config.hardware.opengl;
in
{
config = mkIf enabled {
services.xserver.drivers = singleton
{ name = "amdgpu"; modules = [ package ]; display = true; };
hardware.opengl.package = package;
hardware.opengl.package32 = package32;
hardware.opengl.setLdLibraryPath = true;
boot.extraModulePackages = [ package.kmod ];
boot.kernelPackages = pkgs.linuxKernel.packagesFor
(pkgs.linuxKernel.kernels.linux_5_10.override {
structuredExtraConfig = {
DEVICE_PRIVATE = kernel.yes;
KALLSYMS_ALL = kernel.yes;
};
});
hardware.firmware = [ package.fw ];
systemd.tmpfiles.settings.amdgpu-pro = {
"/run/amdgpu"."L+".argument = "${package}/opt/amdgpu";
"/run/amdgpu-pro"."L+".argument = "${package}/opt/amdgpu-pro";
};
system.requiredKernelConfig = with config.lib.kernelConfig; [
(isYes "DEVICE_PRIVATE")
(isYes "KALLSYMS_ALL")
];
boot.initrd.extraUdevRulesCommands = mkIf (!config.boot.initrd.systemd.enable) ''
cp -v ${package}/etc/udev/rules.d/*.rules $out/
'';
boot.initrd.services.udev.packages = [ package ];
environment.systemPackages =
[ package.vulkan ] ++
# this isn't really DRI, but we'll reuse this option for now
optional config.hardware.opengl.driSupport32Bit package32.vulkan;
environment.etc = {
"modprobe.d/blacklist-radeon.conf".source = package + "/etc/modprobe.d/blacklist-radeon.conf";
amd.source = package + "/etc/amd";
};
};
}

View file

@ -206,6 +206,19 @@ in
option is supported is used
'';
prime.reverseSync.setupCommands.enable =
(lib.mkEnableOption ''
configure the display manager to be able to use the outputs
attached to the NVIDIA GPU.
Disable in order to configure the NVIDIA GPU outputs manually using xrandr.
Note that this configuration will only be successful when a display manager
for which the {option}`services.xserver.displayManager.setupCommands`
option is supported is used
'')
// {
default = true;
};
nvidiaSettings =
(lib.mkEnableOption ''
nvidia-settings, NVIDIA's GUI configuration tool
@ -275,7 +288,7 @@ in
softdep nvidia post: nvidia-uvm
'';
};
systemd.tmpfiles.rules = lib.optional config.virtualisation.docker.enableNvidia "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin";
systemd.tmpfiles.rules = lib.mkIf config.virtualisation.docker.enableNvidia [ "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin" ];
services.udev.extraRules = ''
# Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
KERNEL=="nvidia", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidiactl c 195 255'"
@ -284,12 +297,13 @@ in
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 0'"
KERNEL=="nvidia_uvm", RUN+="${pkgs.runtimeShell} -c 'mknod -m 666 /dev/nvidia-uvm-tools c $$(grep nvidia-uvm /proc/devices | cut -d \ -f 1) 1'"
'';
hardware.opengl = {
extraPackages = [ nvidia_x11.out ] ++ (lib.optional (builtins.hasAttr "libXNVCtrl" nvidia_x11.settings) nvidia_x11.settings.libXNVCtrl);
hardware.graphics = {
extraPackages = [ nvidia_x11.out ];
extraPackages32 = [ nvidia_x11.lib32 ];
};
environment.systemPackages = [ nvidia_x11.bin ];
})
# X11
(lib.mkIf nvidiaEnabled {
assertions = [
@ -436,11 +450,13 @@ in
providerCmdParams =
if syncCfg.enable then "\"${gpuProviderName}\" NVIDIA-0" else "NVIDIA-G0 \"${gpuProviderName}\"";
in
lib.optionalString (syncCfg.enable || reverseSyncCfg.enable) ''
# Added by nvidia configuration module for Optimus/PRIME.
${lib.getExe pkgs.xorg.xrandr} --setprovideroutputsource ${providerCmdParams}
${lib.getExe pkgs.xorg.xrandr} --auto
'';
lib.optionalString
(syncCfg.enable || (reverseSyncCfg.enable && reverseSyncCfg.setupCommands.enable))
''
# Added by nvidia configuration module for Optimus/PRIME.
${lib.getExe pkgs.xorg.xrandr} --setprovideroutputsource ${providerCmdParams}
${lib.getExe pkgs.xorg.xrandr} --auto
'';
environment.etc = {
"nvidia/nvidia-application-profiles-rc" = lib.mkIf nvidia_x11.useProfiles {
@ -451,10 +467,11 @@ in
"egl/egl_external_platform.d".source = "/run/opengl-driver/share/egl/egl_external_platform.d/";
};
hardware.opengl = {
hardware.graphics = {
extraPackages = [ pkgs.nvidia-vaapi-driver ];
extraPackages32 = [ pkgs.pkgsi686Linux.nvidia-vaapi-driver ];
};
environment.systemPackages =
lib.optional cfg.nvidiaSettings nvidia_x11.settings
++ lib.optional cfg.nvidiaPersistenced nvidia_x11.persistenced
@ -527,16 +544,12 @@ in
};
})
];
services.acpid.enable = true;
services.dbus.packages = lib.optional cfg.dynamicBoost.enable nvidia_x11.bin;
hardware.firmware =
let
isOpen = cfg.open;
isNewUnfree = lib.versionAtLeast nvidia_x11.version "555";
in
lib.optional (isOpen || isNewUnfree) nvidia_x11.firmware;
hardware.firmware = lib.optional (cfg.open || lib.versionAtLeast nvidia_x11.version "555") nvidia_x11.firmware;
systemd.tmpfiles.rules =
[

View file

@ -0,0 +1,7 @@
{ lib, config, ... }:
let
inherit (config.boot) kernelPackages;
inherit (config.services.xserver) videoDrivers;
in {
boot.extraModulePackages = lib.mkIf (lib.elem "virtualbox" videoDrivers) [ kernelPackages.virtualboxGuestAdditions ];
}

View file

@ -37,11 +37,6 @@ with lib;
# here and it causes a cyclic dependency.
boot.loader.grub.enable = false;
# !!! Hack - attributes expected by other modules.
environment.systemPackages = [ pkgs.grub2_efi ]
++ (lib.optionals (lib.meta.availableOn pkgs.stdenv.hostPlatform pkgs.syslinux)
[pkgs.grub2 pkgs.syslinux]);
fileSystems."/" = mkImageMediaOverride
{ fsType = "tmpfs";
options = [ "mode=0755" ];

View file

@ -1,24 +1,22 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.locate;
isMLocate = hasPrefix "mlocate" cfg.package.name;
isPLocate = hasPrefix "plocate" cfg.package.name;
isMLocate = lib.hasPrefix "mlocate" cfg.package.name;
isPLocate = lib.hasPrefix "plocate" cfg.package.name;
isMorPLocate = isMLocate || isPLocate;
isFindutils = hasPrefix "findutils" cfg.package.name;
isFindutils = lib.hasPrefix "findutils" cfg.package.name;
in
{
imports = [
(mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ])
(mkRenamedOptionModule [ "services" "locate" "locate" ] [ "services" "locate" "package" ])
(mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths")
(lib.mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ])
(lib.mkRenamedOptionModule [ "services" "locate" "locate" ] [ "services" "locate" "package" ])
(lib.mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths")
];
options.services.locate = with types; {
enable = mkOption {
type = bool;
options.services.locate = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
If enabled, NixOS will periodically update the database of
@ -26,12 +24,12 @@ in
'';
};
package = mkPackageOption pkgs [ "findutils" "locate" ] {
package = lib.mkPackageOption pkgs [ "findutils" "locate" ] {
example = "mlocate";
};
interval = mkOption {
type = str;
interval = lib.mkOption {
type = lib.types.str;
default = "02:15";
example = "hourly";
description = ''
@ -46,24 +44,24 @@ in
'';
};
extraFlags = mkOption {
type = listOf str;
extraFlags = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
Extra flags to pass to {command}`updatedb`.
'';
};
output = mkOption {
type = path;
output = lib.mkOption {
type = lib.types.path;
default = "/var/cache/locatedb";
description = ''
The database file to build.
'';
};
localuser = mkOption {
type = nullOr str;
localuser = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "nobody";
description = ''
The user to search non-network directories as, using
@ -71,8 +69,8 @@ in
'';
};
pruneFS = mkOption {
type = listOf str;
pruneFS = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [
"afs"
"anon_inodefs"
@ -158,8 +156,8 @@ in
'';
};
prunePaths = mkOption {
type = listOf path;
prunePaths = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [
"/tmp"
"/var/tmp"
@ -175,10 +173,10 @@ in
'';
};
pruneNames = mkOption {
type = listOf str;
pruneNames = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = lib.optionals (!isFindutils) [ ".bzr" ".cache" ".git" ".hg" ".svn" ];
defaultText = literalMD ''
defaultText = lib.literalMD ''
`[ ".bzr" ".cache" ".git" ".hg" ".svn" ]`, if
supported by the locate implementation (i.e. mlocate or plocate).
'';
@ -187,8 +185,8 @@ in
'';
};
pruneBindMounts = mkOption {
type = bool;
pruneBindMounts = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether not to index bind mounts
@ -197,10 +195,10 @@ in
};
config = mkIf cfg.enable {
users.groups = mkMerge [
(mkIf isMLocate { mlocate = { }; })
(mkIf isPLocate { plocate = { }; })
config = lib.mkIf cfg.enable {
users.groups = lib.mkMerge [
(lib.mkIf isMLocate { mlocate = { }; })
(lib.mkIf isPLocate { plocate = { }; })
];
security.wrappers =
@ -211,46 +209,46 @@ in
setgid = true;
setuid = false;
};
mlocate = mkIf isMLocate {
mlocate = lib.mkIf isMLocate {
group = "mlocate";
source = "${cfg.package}/bin/locate";
};
plocate = mkIf isPLocate {
plocate = lib.mkIf isPLocate {
group = "plocate";
source = "${cfg.package}/bin/plocate";
};
in
mkIf isMorPLocate {
locate = mkMerge [ common mlocate plocate ];
plocate = mkIf isPLocate (mkMerge [ common plocate ]);
lib.mkIf isMorPLocate {
locate = lib.mkMerge [ common mlocate plocate ];
plocate = lib.mkIf isPLocate (lib.mkMerge [ common plocate ]);
};
environment.systemPackages = [ cfg.package ];
environment.variables.LOCATE_PATH = cfg.output;
environment.etc = {
environment = {
# write /etc/updatedb.conf for manual calls to `updatedb`
"updatedb.conf" = {
text = ''
PRUNEFS="${lib.concatStringsSep " " cfg.pruneFS}"
PRUNENAMES="${lib.concatStringsSep " " cfg.pruneNames}"
PRUNEPATHS="${lib.concatStringsSep " " cfg.prunePaths}"
PRUNE_BIND_MOUNTS="${if cfg.pruneBindMounts then "yes" else "no"}"
'';
etc."updatedb.conf".text = ''
PRUNEFS="${lib.concatStringsSep " " cfg.pruneFS}"
PRUNENAMES="${lib.concatStringsSep " " cfg.pruneNames}"
PRUNEPATHS="${lib.concatStringsSep " " cfg.prunePaths}"
PRUNE_BIND_MOUNTS="${if cfg.pruneBindMounts then "yes" else "no"}"
'';
systemPackages = [ cfg.package ];
variables = lib.mkIf isFindutils {
LOCATE_PATH = cfg.output;
};
};
warnings = optional (isMorPLocate && cfg.localuser != null)
warnings = lib.optional (isMorPLocate && cfg.localuser != null)
"mlocate and plocate do not support the services.locate.localuser option. updatedb will run as root. Silence this warning by setting services.locate.localuser = null."
++ optional (isFindutils && cfg.pruneNames != [ ])
++ lib.optional (isFindutils && cfg.pruneNames != [ ])
"findutils locate does not support pruning by directory component"
++ optional (isFindutils && cfg.pruneBindMounts)
++ lib.optional (isFindutils && cfg.pruneBindMounts)
"findutils locate does not support skipping bind mounts";
systemd.services.update-locatedb = {
description = "Update Locate Database";
path = mkIf (!isMorPLocate) [ pkgs.su ];
path = lib.mkIf (!isMorPLocate) [ pkgs.su ];
# mlocate's updatedb takes flags via a configuration file or
# on the command line, but not by environment variable.
@ -258,42 +256,44 @@ in
if isMorPLocate then
let
toFlags = x:
optional (cfg.${x} != [ ])
"--${lib.toLower x} '${concatStringsSep " " cfg.${x}}'";
args = concatLists (map toFlags [ "pruneFS" "pruneNames" "prunePaths" ]);
lib.optional (cfg.${x} != [ ])
"--${lib.toLower x} '${lib.concatStringsSep " " cfg.${x}}'";
args = lib.concatLists (map toFlags [ "pruneFS" "pruneNames" "prunePaths" ]);
in
''
exec ${cfg.package}/bin/updatedb \
--output ${toString cfg.output} ${concatStringsSep " " args} \
--output ${toString cfg.output} ${lib.concatStringsSep " " args} \
--prune-bind-mounts ${if cfg.pruneBindMounts then "yes" else "no"} \
${concatStringsSep " " cfg.extraFlags}
${lib.concatStringsSep " " cfg.extraFlags}
''
else ''
exec ${cfg.package}/bin/updatedb \
${optionalString (cfg.localuser != null && !isMorPLocate) "--localuser=${cfg.localuser}"} \
--output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
${lib.optionalString (cfg.localuser != null && !isMorPLocate) "--localuser=${cfg.localuser}"} \
--output=${toString cfg.output} ${lib.concatStringsSep " " cfg.extraFlags}
'';
environment = optionalAttrs (!isMorPLocate) {
PRUNEFS = concatStringsSep " " cfg.pruneFS;
PRUNEPATHS = concatStringsSep " " cfg.prunePaths;
PRUNENAMES = concatStringsSep " " cfg.pruneNames;
environment = lib.optionalAttrs (!isMorPLocate) {
PRUNEFS = lib.concatStringsSep " " cfg.pruneFS;
PRUNEPATHS = lib.concatStringsSep " " cfg.prunePaths;
PRUNENAMES = lib.concatStringsSep " " cfg.pruneNames;
PRUNE_BIND_MOUNTS = if cfg.pruneBindMounts then "yes" else "no";
};
serviceConfig.Nice = 19;
serviceConfig.IOSchedulingClass = "idle";
serviceConfig.PrivateTmp = "yes";
serviceConfig.PrivateNetwork = "yes";
serviceConfig.NoNewPrivileges = "yes";
serviceConfig.ReadOnlyPaths = "/";
# Use dirOf cfg.output because mlocate creates temporary files next to
# the actual database. We could specify and create them as well,
# but that would make this quite brittle when they change something.
# NOTE: If /var/cache does not exist, this leads to the misleading error message:
# update-locatedb.service: Failed at step NAMESPACE spawning …/update-locatedb-start: No such file or directory
serviceConfig.ReadWritePaths = dirOf cfg.output;
serviceConfig = {
Nice = 19;
IOSchedulingClass = "idle";
PrivateTmp = "yes";
PrivateNetwork = "yes";
NoNewPrivileges = "yes";
ReadOnlyPaths = "/";
# Use dirOf cfg.output because mlocate creates temporary files next to
# the actual database. We could specify and create them as well,
# but that would make this quite brittle when they change something.
# NOTE: If /var/cache does not exist, this leads to the misleading error message:
# update-locatedb.service: Failed at step NAMESPACE spawning …/update-locatedb-start: No such file or directory
ReadWritePaths = dirOf cfg.output;
};
};
systemd.timers.update-locatedb = mkIf (cfg.interval != "never") {
systemd.timers.update-locatedb = lib.mkIf (cfg.interval != "never") {
description = "Update timer for locate database";
partOf = [ "update-locatedb.service" ];
wantedBy = [ "timers.target" ];

View file

@ -67,6 +67,7 @@
./hardware/gkraken.nix
./hardware/glasgow.nix
./hardware/gpgsmartcards.nix
./hardware/graphics.nix
./hardware/hackrf.nix
./hardware/i2c.nix
./hardware/infiniband.nix
@ -84,7 +85,6 @@
./hardware/new-lg4ff.nix
./hardware/nitrokey.nix
./hardware/onlykey/default.nix
./hardware/opengl.nix
./hardware/openrazer.nix
./hardware/opentabletdriver.nix
./hardware/pcmcia.nix
@ -103,7 +103,6 @@
./hardware/uni-sync.nix
./hardware/usb-modeswitch.nix
./hardware/usb-storage.nix
./hardware/video/amdgpu-pro.nix
./hardware/video/bumblebee.nix
./hardware/video/capture/mwprocapture.nix
./hardware/video/displaylink.nix
@ -111,6 +110,7 @@
./hardware/video/nvidia.nix
./hardware/video/switcheroo-control.nix
./hardware/video/uvcvideo/default.nix
./hardware/video/virtualbox.nix
./hardware/video/webcam/facetimehd.nix
./hardware/video/webcam/ipu6.nix
./hardware/wooting.nix
@ -196,6 +196,7 @@
./programs/fzf.nix
./programs/gamemode.nix
./programs/gamescope.nix
./programs/gdk-pixbuf.nix
./programs/geary.nix
./programs/git.nix
./programs/gnome-disks.nix
@ -548,6 +549,8 @@
./services/games/xonotic.nix
./services/hardware/acpid.nix
./services/hardware/actkbd.nix
./services/hardware/amdgpu.nix
./services/hardware/amdvlk.nix
./services/hardware/argonone.nix
./services/hardware/asusd.nix
./services/hardware/auto-cpufreq.nix
@ -778,6 +781,7 @@
./services/misc/paperless.nix
./services/misc/parsoid.nix
./services/misc/persistent-evdev.nix
./services/misc/pghero.nix
./services/misc/pinnwand.nix
./services/misc/plex.nix
./services/misc/plikd.nix
@ -792,6 +796,7 @@
./services/misc/radarr.nix
./services/misc/readarr.nix
./services/misc/redmine.nix
./services/misc/renovate.nix
./services/misc/ripple-data-api.nix
./services/misc/rippled.nix
./services/misc/rmfakecloud.nix
@ -834,6 +839,7 @@
./services/misc/zoneminder.nix
./services/misc/zookeeper.nix
./services/monitoring/alerta.nix
./services/monitoring/alloy.nix
./services/monitoring/apcupsd.nix
./services/monitoring/arbtt.nix
./services/monitoring/below.nix
@ -1248,6 +1254,7 @@
./services/search/meilisearch.nix
./services/search/opensearch.nix
./services/search/qdrant.nix
./services/search/quickwit.nix
./services/search/sonic-server.nix
./services/search/typesense.nix
./services/security/aesmd.nix
@ -1310,6 +1317,7 @@
./services/system/zram-generator.nix
./services/torrent/deluge.nix
./services/torrent/flexget.nix
./services/torrent/flood.nix
./services/torrent/magnetico.nix
./services/torrent/opentracker.nix
./services/torrent/peerflix.nix
@ -1496,7 +1504,6 @@
./services/x11/display-managers/xpra.nix
./services/x11/extra-layouts.nix
./services/x11/fractalart.nix
./services/x11/gdk-pixbuf.nix
./services/x11/hardware/cmt.nix
./services/x11/hardware/digimend.nix
./services/x11/hardware/synaptics.nix

View file

@ -1,16 +1,22 @@
{ config, lib, pkgs, ... }:
let
enable = config.programs.bash.enableCompletion;
cfg = config.programs.bash;
in
{
options = {
programs.bash.enableCompletion = lib.mkEnableOption "Bash completion for all interactive bash shells" // {
options.programs.bash.completion = {
enable = lib.mkEnableOption "Bash completion for all interactive bash shells" // {
default = true;
};
package = lib.mkPackageOption pkgs "bash-completion" { };
};
config = lib.mkIf enable {
imports = [
(lib.mkRenamedOptionModule [ "programs" "bash" "enableCompletion" ] [ "programs" "bash" "completion" "enable" ])
];
config = lib.mkIf cfg.completion.enable {
programs.bash.promptPluginInit = ''
# Check whether we're running a version of Bash that has support for
# programmable completion. If we do, enable all modules installed in
@ -19,7 +25,7 @@ in
# $XDG_DATA_DIRS/bash-completion/completions/
# on demand, so they do not need to be sourced here.
if shopt -q progcomp &>/dev/null; then
. "${pkgs.bash-completion}/etc/profile.d/bash_completion.sh"
. "${cfg.completion.package}/etc/profile.d/bash_completion.sh"
nullglobStatus=$(shopt -p nullglob)
shopt -s nullglob
for p in $NIX_PROFILES; do

View file

@ -198,7 +198,7 @@ in
users.defaultUserShell = lib.mkDefault pkgs.bashInteractive;
environment.pathsToLink = lib.optionals cfg.enableCompletion [
environment.pathsToLink = lib.optionals cfg.completion.enable [
"/etc/bash_completion.d"
"/share/bash-completion"
];

View file

@ -15,7 +15,7 @@ in
environment.systemPackages = lib.mkIf (cfg.keybindings || cfg.fuzzyCompletion) [ pkgs.fzf ];
programs = {
# load after programs.bash.enableCompletion
# load after programs.bash.completion.enable
bash.promptPluginInit = lib.mkAfter (lib.optionalString cfg.fuzzyCompletion ''
source ${pkgs.fzf}/share/fzf/completion.bash
'' + lib.optionalString cfg.keybindings ''

View file

@ -1,16 +1,20 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.xserver.gdk-pixbuf;
cfg = config.programs.gdk-pixbuf;
loadersCache = pkgs.gnome._gdkPixbufCacheBuilder_DO_NOT_USE {
extraLoaders = lib.unique (cfg.modulePackages);
extraLoaders = lib.unique cfg.modulePackages;
};
in
{
imports = [
(lib.mkRenamedOptionModule [ "services" "xserver" "gdk-pixbuf" ] [ "programs" "gdk-pixbuf" ])
];
options = {
services.xserver.gdk-pixbuf.modulePackages = lib.mkOption {
programs.gdk-pixbuf.modulePackages = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [ ];
description = "Packages providing GDK-Pixbuf modules, for cache generation.";
@ -22,7 +26,7 @@ in
# GDK_PIXBUF_MODULE_FILE to point to it.
config = lib.mkIf (cfg.modulePackages != []) {
environment.sessionVariables = {
GDK_PIXBUF_MODULE_FILE = "${loadersCache}";
GDK_PIXBUF_MODULE_FILE = loadersCache;
};
};
}

View file

@ -29,17 +29,13 @@ in
config =
let
shell_files = pkgs.stdenv.mkDerivation rec {
name = "kubeswitch-shell-files";
phases = [ "installPhase" ];
installPhase = ''
mkdir -p $out/share
for shell in bash zsh; do
${cfg.package}/bin/switcher init $shell | sed 's/switch(/${cfg.commandName}(/' > $out/share/${cfg.commandName}_init.$shell
${cfg.package}/bin/switcher --cmd ${cfg.commandName} completion $shell > $out/share/${cfg.commandName}_completion.$shell
done
'';
};
shell_files = pkgs.runCommand "kubeswitch-shell-files" {} ''
mkdir -p $out/share
for shell in bash zsh; do
${cfg.package}/bin/switcher init $shell | sed 's/switch(/${cfg.commandName}(/' > $out/share/${cfg.commandName}_init.$shell
${cfg.package}/bin/switcher --cmd ${cfg.commandName} completion $shell > $out/share/${cfg.commandName}_completion.$shell
done
'';
in
lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];

View file

@ -65,7 +65,7 @@ in {
};
};
hardware.opengl.enable = lib.mkDefault true;
hardware.graphics.enable = lib.mkDefault true;
fonts.enableDefaultPackages = lib.mkDefault true;
programs.dconf.enable = lib.mkDefault true;
programs.xwayland.enable = lib.mkDefault true;

View file

@ -4,7 +4,18 @@ let
cfg = config.security.loginDefs;
in
{
options = with lib.types; {
options = {
security.shadow.enable = lib.mkEnableOption "" // {
default = true;
description = ''
Enable the shadow authentication suite, which provides critical programs such as su, login, passwd.
Note: This is currently experimental. Only disable this if you're
confident that you can recover your system if it breaks.
'';
};
security.loginDefs = {
package = lib.mkPackageOption pkgs "shadow" { };
@ -12,7 +23,7 @@ in
description = ''
Use chfn SUID to allow non-root users to change their account GECOS information.
'';
type = nullOr str;
type = lib.types.nullOr lib.types.str;
default = null;
};
@ -22,7 +33,7 @@ in
the site-specific configuration for the shadow password suite.
See login.defs(5) man page for available options.
'';
type = submodule {
type = lib.types.submodule {
freeformType = (pkgs.formats.keyValue { }).type;
/* There are three different sources for user/group id ranges, each of which gets
used by different programs:
@ -37,62 +48,62 @@ in
DEFAULT_HOME = lib.mkOption {
description = "Indicate if login is allowed if we can't cd to the home directory.";
default = "yes";
type = enum [ "yes" "no" ];
type = lib.types.enum [ "yes" "no" ];
};
ENCRYPT_METHOD = lib.mkOption {
description = "This defines the system default encryption algorithm for encrypting passwords.";
# The default crypt() method, keep in sync with the PAM default
default = "YESCRYPT";
type = enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"];
type = lib.types.enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"];
};
SYS_UID_MIN = lib.mkOption {
description = "Range of user IDs used for the creation of system users by useradd or newusers.";
default = 400;
type = int;
type = lib.types.int;
};
SYS_UID_MAX = lib.mkOption {
description = "Range of user IDs used for the creation of system users by useradd or newusers.";
default = 999;
type = int;
type = lib.types.int;
};
UID_MIN = lib.mkOption {
description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
default = 1000;
type = int;
type = lib.types.int;
};
UID_MAX = lib.mkOption {
description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
default = 29999;
type = int;
type = lib.types.int;
};
SYS_GID_MIN = lib.mkOption {
description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
default = 400;
type = int;
type = lib.types.int;
};
SYS_GID_MAX = lib.mkOption {
description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
default = 999;
type = int;
type = lib.types.int;
};
GID_MIN = lib.mkOption {
description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
default = 1000;
type = int;
type = lib.types.int;
};
GID_MAX = lib.mkOption {
description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
default = 29999;
type = int;
type = lib.types.int;
};
TTYGROUP = lib.mkOption {
@ -100,7 +111,7 @@ in
The terminal permissions: the login tty will be owned by the TTYGROUP group,
and the permissions will be set to TTYPERM'';
default = "tty";
type = str;
type = lib.types.str;
};
TTYPERM = lib.mkOption {
@ -108,14 +119,14 @@ in
The terminal permissions: the login tty will be owned by the TTYGROUP group,
and the permissions will be set to TTYPERM'';
default = "0620";
type = str;
type = lib.types.str;
};
# Ensure privacy for newly created home directories.
UMASK = lib.mkOption {
description = "The file mode creation mask is initialized to this value.";
default = "077";
type = str;
type = lib.types.str;
};
};
};
@ -132,107 +143,115 @@ in
used outside the store (in particular in /etc/passwd).
'';
example = lib.literalExpression "pkgs.zsh";
type = either path shellPackage;
type = lib.types.either lib.types.path lib.types.shellPackage;
};
};
###### implementation
config = {
assertions = [
{
assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX;
message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX";
}
{
assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX;
message = "UID_MIN must be less than or equal to UID_MAX";
}
{
assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX;
message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX";
}
{
assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX;
message = "GID_MIN must be less than or equal to GID_MAX";
}
];
config = lib.mkMerge [
{
assertions = [
{
assertion = config.security.shadow.enable || config.services.greetd.enable;
message = "You must enable at least one VT login method, either security.shadow.enable or services.greetd.enable";
}
];
}
(lib.mkIf config.security.shadow.enable {
assertions = [
{
assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX;
message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX";
}
{
assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX;
message = "UID_MIN must be less than or equal to UID_MAX";
}
{
assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX;
message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX";
}
{
assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX;
message = "GID_MIN must be less than or equal to GID_MAX";
}
];
security.loginDefs.settings.CHFN_RESTRICT =
lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
security.loginDefs.settings.CHFN_RESTRICT = lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;
environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;
environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;
environment.etc =
# Create custom toKeyValue generator
# see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification
let
toKeyValue = lib.generators.toKeyValue {
mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
environment.etc =
# Create custom toKeyValue generator
# see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification
let
toKeyValue = lib.generators.toKeyValue {
mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
};
in {
# /etc/login.defs: global configuration for pwdutils.
# You cannot login without it!
"login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
# /etc/default/useradd: configuration for useradd.
"default/useradd".source = pkgs.writeText "useradd" ''
GROUP=100
HOME=/home
SHELL=${utils.toShellPath config.users.defaultUserShell}
'';
};
in
{
# /etc/login.defs: global configuration for pwdutils.
# You cannot login without it!
"login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);
# /etc/default/useradd: configuration for useradd.
"default/useradd".source = pkgs.writeText "useradd" ''
GROUP=100
HOME=/home
SHELL=${utils.toShellPath config.users.defaultUserShell}
'';
};
security.pam.services = {
chsh = { rootOK = true; };
chfn = { rootOK = true; };
su = {
rootOK = true;
forwardXAuth = true;
logFailures = true;
};
passwd = { };
# Note: useradd, groupadd etc. aren't setuid root, so it
# doesn't really matter what the PAM config says as long as it
# lets root in.
useradd.rootOK = true;
usermod.rootOK = true;
userdel.rootOK = true;
groupadd.rootOK = true;
groupmod.rootOK = true;
groupmems.rootOK = true;
groupdel.rootOK = true;
login = {
startSession = true;
allowNullPassword = true;
showMotd = true;
updateWtmp = true;
};
chpasswd = { rootOK = true; };
};
security.wrappers =
let
mkSetuidRoot = source: {
setuid = true;
owner = "root";
group = "root";
inherit source;
security.pam.services = {
chsh.rootOK = true;
chfn.rootOK = true;
su = {
rootOK = true;
forwardXAuth = true;
logFailures = true;
};
in
{
su = mkSetuidRoot "${cfg.package.su}/bin/su";
sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
}
// lib.optionalAttrs config.users.mutableUsers {
chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd";
passwd = { };
# Note: useradd, groupadd etc. aren't setuid root, so it
# doesn't really matter what the PAM config says as long as it
# lets root in.
useradd.rootOK = true;
usermod.rootOK = true;
userdel.rootOK = true;
groupadd.rootOK = true;
groupmod.rootOK = true;
groupmems.rootOK = true;
groupdel.rootOK = true;
login = {
startSession = true;
allowNullPassword = true;
showMotd = true;
updateWtmp = true;
};
chpasswd.rootOK = true;
};
};
security.wrappers =
let
mkSetuidRoot = source: {
setuid = true;
owner = "root";
group = "root";
inherit source;
};
in
{
su = mkSetuidRoot "${cfg.package.su}/bin/su";
sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
}
// lib.optionalAttrs config.users.mutableUsers {
chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd";
};
})
];
}

View file

@ -50,7 +50,7 @@ in {
}) // (prev.extraEnv or {});
extraLibraries = pkgs: let
prevLibs = if prev ? extraLibraries then prev.extraLibraries pkgs else [ ];
additionalLibs = with config.hardware.opengl;
additionalLibs = with config.hardware.graphics;
if pkgs.stdenv.hostPlatform.is64bit
then [ package ] ++ extraPackages
else [ package32 ] ++ extraPackages32;
@ -176,10 +176,9 @@ in {
};
config = lib.mkIf cfg.enable {
hardware.opengl = { # this fixes the "glXChooseVisual failed" bug, context: https://github.com/NixOS/nixpkgs/issues/47932
hardware.graphics = { # this fixes the "glXChooseVisual failed" bug, context: https://github.com/NixOS/nixpkgs/issues/47932
enable = true;
driSupport = true;
driSupport32Bit = true;
enable32Bit = true;
};
security.wrappers = lib.mkIf (cfg.gamescopeSession.enable && gamescopeCfg.capSysNice) {

View file

@ -17,7 +17,7 @@ in
Whether to set up NixOS such that TurboVNC's built-in software OpenGL
implementation works.
This will enable {option}`hardware.opengl.enable` so that OpenGL
This will enable {option}`hardware.graphics.enable` so that OpenGL
programs can find Mesa's llvmpipe drivers.
Setting this option to `false` does not mean that software
@ -46,7 +46,7 @@ in
# can find the llvmpipe `swrast.so` software rendering DRI lib via `libglvnd`.
# This comment exists to explain why `hardware.` is involved,
# even though 100% software rendering is used.
hardware.opengl.enable = true;
hardware.graphics.enable = true;
};
}

View file

@ -56,6 +56,7 @@ in
services.displayManager.sessionPackages = [ cfg.package ];
xdg.portal = {
enable = true;
extraPortals = [ cfg.portalPackage ];
configPackages = lib.mkDefault [ cfg.package ];
};
@ -70,7 +71,7 @@ in
(import ./wayland-session.nix {
inherit lib pkgs;
enableXWayland = cfg.xwayland.enable;
enableWlrPortal = false; # Hyprland has its own portal, wlr is not needed
enableWlrPortal = lib.mkDefault false; # Hyprland has its own portal, wlr is not needed
})
]);

View file

@ -11,7 +11,7 @@
pam.services.swaylock = {};
};
hardware.opengl.enable = lib.mkDefault true;
hardware.graphics.enable = lib.mkDefault true;
fonts.enableDefaultPackages = lib.mkDefault true;
programs = {

View file

@ -14,23 +14,32 @@ in
options.programs.ydotool = {
enable = lib.mkEnableOption ''
ydotoold system service and install ydotool.
Add yourself to the 'ydotool' group to be able to use it.
ydotoold system service and {command}`ydotool` for members of
{option}`programs.ydotool.group`.
'';
group = lib.mkOption {
type = lib.types.str;
default = "ydotool";
description = ''
Group which users must be in to use {command}`ydotool`.
'';
};
};
config = lib.mkIf cfg.enable {
users.groups.ydotool = { };
config = let
runtimeDirectory = "ydotoold";
in lib.mkIf cfg.enable {
users.groups."${config.programs.ydotool.group}" = { };
systemd.services.ydotoold = {
description = "ydotoold - backend for ydotool";
wantedBy = [ "multi-user.target" ];
partOf = [ "multi-user.target" ];
serviceConfig = {
Group = "ydotool";
RuntimeDirectory = "ydotoold";
Group = config.programs.ydotool.group;
RuntimeDirectory = runtimeDirectory;
RuntimeDirectoryMode = "0750";
ExecStart = "${lib.getExe' pkgs.ydotool "ydotoold"} --socket-path=/run/ydotoold/socket --socket-perm=0660";
ExecStart = "${lib.getExe' pkgs.ydotool "ydotoold"} --socket-path=${config.environment.variables.YDOTOOL_SOCKET} --socket-perm=0660";
# hardening
@ -76,7 +85,7 @@ in
};
environment.variables = {
YDOTOOL_SOCKET = "/run/ydotoold/socket";
YDOTOOL_SOCKET = "/run/${runtimeDirectory}/socket";
};
environment.systemPackages = with pkgs; [ ydotool ];
};

View file

@ -77,8 +77,22 @@ in {
};
};
config = mkIf cfg.enable {
environment = {
config = {
assertions = mkIf (cfg.enable || config.services.kerberos_server.enable) [(let
implementation = cfg.package.passthru.implementation or "<NOT SET>";
in {
assertion = lib.elem implementation [ "krb5" "heimdal" ];
message = ''
`security.krb5.package` must be one of:
- krb5
- heimdal
Currently chosen implementation: ${implementation}
'';
})];
environment = mkIf cfg.enable {
systemPackages = [ cfg.package ];
etc."krb5.conf".source = format.generate "krb5.conf" cfg.settings;
};

View file

@ -7,17 +7,61 @@
let
inherit (lib) boolToString concatMapStringsSep concatStringsSep filter
isAttrs isBool isList mapAttrsToList mkOption singleton splitString;
inherit (lib.types) attrsOf bool coercedTo either int listOf oneOf path
str submodule;
inherit (lib.types) attrsOf bool coercedTo either enum int listOf oneOf
path str submodule;
in
{ }: {
type = let
section = attrsOf relation;
relation = either (attrsOf value) value;
{
enableKdcACLEntries ? false
}: rec {
sectionType = let
relation = oneOf [
(listOf (attrsOf value))
(attrsOf value)
value
];
value = either (listOf atom) atom;
atom = oneOf [int str bool];
in attrsOf relation;
type = let
aclEntry = submodule {
options = {
principal = mkOption {
type = str;
description = "Which principal the rule applies to";
};
access = mkOption {
type = either
(listOf (enum ["add" "cpw" "delete" "get" "list" "modify"]))
(enum ["all"]);
default = "all";
description = "The changes the principal is allowed to make.";
};
target = mkOption {
type = str;
default = "*";
description = "The principals that 'access' applies to.";
};
};
};
realm = submodule ({ name, ... }: {
freeformType = sectionType;
options = {
acl = mkOption {
type = listOf aclEntry;
default = [
{ principal = "*/admin"; access = "all"; }
{ principal = "admin"; access = "all"; }
];
description = ''
The privileges granted to a user.
'';
};
};
});
in submodule {
freeformType = attrsOf section;
freeformType = attrsOf sectionType;
options = {
include = mkOption {
default = [ ];
@ -40,7 +84,17 @@ in
'';
type = coercedTo path singleton (listOf path);
};
};
}
//
(lib.optionalAttrs enableKdcACLEntries {
realms = mkOption {
type = attrsOf realm;
description = ''
The realm(s) to serve keys for.
'';
};
});
};
generate = let
@ -71,6 +125,9 @@ in
${name} = {
${indent (concatStringsSep "\n" (mapAttrsToList formatValue relation))}
}''
else if isList relation
then
concatMapStringsSep "\n" (formatRelation name) relation
else formatValue name relation;
formatValue = name: value:

View file

@ -2,7 +2,7 @@
let
cfg = config.services.docuum;
inherit (lib) mkIf mkEnableOption mkOption getExe types;
inherit (lib) mkIf mkEnableOption mkOption getExe types optionals concatMap;
in
{
options.services.docuum = {
@ -14,6 +14,27 @@ in
default = "10 GB";
example = "50%";
};
minAge = mkOption {
description = "Sets the minimum age of images to be considered for deletion.";
type = types.nullOr types.str;
default = null;
example = "1d";
};
keep = mkOption {
description = "Prevents deletion of images for which repository:tag matches the specified regex.";
type = types.listOf types.str;
default = [];
example = [ "^my-image" ];
};
deletionChunkSize = mkOption {
description = "Removes specified quantity of images at a time.";
type = types.int;
default = 1;
example = 10;
};
};
config = mkIf cfg.enable {
@ -35,10 +56,13 @@ in
DynamicUser = true;
StateDirectory = "docuum";
SupplementaryGroups = [ "docker" ];
ExecStart = utils.escapeSystemdExecArgs [
ExecStart = utils.escapeSystemdExecArgs ([
(getExe pkgs.docuum)
"--threshold" cfg.threshold
];
"--deletion-chunk-size" cfg.deletionChunkSize
] ++ (concatMap (keep: [ "--keep" keep ]) cfg.keep)
++ (optionals (cfg.minAge != null) [ "--min-age" cfg.minAge ])
);
};
};
};

View file

@ -106,7 +106,8 @@ in
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.coreutils}/bin/mkdir -p /var/lib/alsa";
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p /var/lib/alsa";
ExecStart = "${alsa-utils}/sbin/alsactl restore --ignore";
ExecStop = "${alsa-utils}/sbin/alsactl store --ignore";
};
};

View file

@ -157,5 +157,5 @@ in
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.Port ];
};
meta.maintainers = with maintainers; [ nu-nu-ko ];
meta.maintainers = with maintainers; [ fsnkty ];
}

View file

@ -244,6 +244,27 @@ The upgrade process is:
$ ./delete_old_cluster.sh
```
## Versioning and End-of-Life {#module-services-postgres-versioning}
PostgreSQL's versioning policy is described [here](https://www.postgresql.org/support/versioning/). TLDR:
- Each major version is supported for 5 years.
- Every three months there will be a new minor release, containing bug and security fixes.
- For criticial/security fixes there could be more minor releases inbetween. This happens *very* infrequently.
- After five years, a final minor version is released. This usually happens in early November.
- After that a version is considered end-of-life (EOL).
- Around February each year is the first time an EOL-release will not have received regular updates anymore.
Technically, we'd not want to have EOL'ed packages in a stable NixOS release, which is to be supported until one month after the previous release. Thus, with NixOS' release schedule in May and November, the oldest PostgreSQL version in nixpkgs would have to be supported until December. It could be argued that a soon-to-be-EOL-ed version should thus be removed in May for the .05 release already. But since new security vulnerabilities are first disclosed in Februrary of the following year, we agreed on keeping the oldest PostgreSQL major version around one more cycle in [#310580](https://github.com/NixOS/nixpkgs/pull/310580#discussion_r1597284693).
Thus:
- In September/October the new major version will be released and added to nixos-unstable.
- In November the last minor version for the oldest major will be released.
- Both the current stable .05 release and nixos-unstable should be updated to the latest minor.
- In November, before branch-off for the .11 release, the EOL-ed major will be removed from nixos-unstable.
This leaves a small gap of a couple of weeks after the latest minor release and the end of our support window for the .05 release, in which there could be an emergency release to other major versions of PostgreSQL - but not the oldest major we have in that branch. In that case: If we can't trivially patch the issue, we will mark the package/version as insecure **immediately**.
## Options {#module-services-postgres-options}
A complete list of options for the PostgreSQL module may be found [here](#opt-services.postgresql.enable).

View file

@ -22,6 +22,7 @@ in {
libusermetrics
lomiri
lomiri-download-manager
lomiri-filemanager-app
lomiri-schemas # exposes some required dbus interfaces
lomiri-session # wrappers to properly launch the session
lomiri-sounds
@ -36,6 +37,10 @@ in {
suru-icon-theme
# telephony-service # currently broken: https://github.com/NixOS/nixpkgs/pull/314043
]);
variables = {
# To override the keyboard layouts in Lomiri
NIXOS_XKB_LAYOUTS = config.services.xserver.xkb.layout;
};
};
hardware.pulseaudio.enable = lib.mkDefault true;
@ -58,7 +63,7 @@ in {
];
# Copy-pasted basic stuff
hardware.opengl.enable = lib.mkDefault true;
hardware.graphics.enable = lib.mkDefault true;
fonts.enableDefaultPackages = lib.mkDefault true;
programs.dconf.enable = lib.mkDefault true;

View file

@ -146,6 +146,7 @@ in {
dolphin-plugins
spectacle
ffmpegthumbs
krdp
];
in
requiredPackages
@ -202,7 +203,7 @@ in {
environment.sessionVariables.KPACKAGE_DEP_RESOLVERS_PATH = "${kdePackages.frameworkintegration.out}/libexec/kf6/kpackagehandlers";
# Enable GTK applications to load SVG icons
services.xserver.gdk-pixbuf.modulePackages = [pkgs.librsvg];
programs.gdk-pixbuf.modulePackages = [pkgs.librsvg];
fonts.packages = [cfg.notoPackage pkgs.hack-font];
fonts.fontconfig.defaultFonts = {

View file

@ -15,7 +15,6 @@ in {
};
config = mkIf cfg.enable {
services.espanso.package = mkIf cfg.wayland pkgs.espanso-wayland;
systemd.user.services.espanso = {
description = "Espanso daemon";
serviceConfig = {

View file

@ -212,9 +212,7 @@ in
after = [ "acpid.service" "systemd-logind.service" "systemd-user-sessions.service" ];
restartIfChanged = false;
environment = lib.optionalAttrs config.hardware.opengl.setLdLibraryPath {
LD_LIBRARY_PATH = lib.makeLibraryPath [ pkgs.addOpenGLRunpath.driverLink ];
} // cfg.environment;
environment = cfg.environment;
preStart = cfg.preStart;
script = lib.mkIf (config.systemd.services.display-manager.enable == true) cfg.execCmd;

View file

@ -196,7 +196,7 @@ in
Group = "archisteamfarm";
WorkingDirectory = cfg.dataDir;
Type = "simple";
ExecStart = "${lib.getExe cfg.package} --no-restart --process-required --service --system-required --path ${cfg.dataDir}";
ExecStart = "${lib.getExe cfg.package} --no-restart --service --system-required --path ${cfg.dataDir}";
Restart = "always";
# copied from the default systemd service at

View file

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
let
cfg = config.hardware.amdgpu;
in {
options.hardware.amdgpu = {
legacySupport.enable = lib.mkEnableOption ''
using `amdgpu` kernel driver instead of `radeon` for Southern Islands
(Radeon HD 7000) series and Sea Islands (Radeon HD 8000)
series cards. Note: this removes support for analog video outputs,
which is only available in the `radeon` driver
'';
initrd.enable = lib.mkEnableOption ''
loading `amdgpu` kernelModule in stage 1.
Can fix lower resolution in boot screen during initramfs phase
'';
opencl.enable = lib.mkEnableOption ''OpenCL support using ROCM runtime library'';
# cfg.amdvlk option is defined in ./amdvlk.nix module
};
config = {
boot.kernelParams = lib.optionals cfg.legacySupport.enable [
"amdgpu.si_support=1"
"amdgpu.cik_support=1"
"radeon.si_support=0"
"radeon.cik_support=0"
];
boot.initrd.kernelModules = lib.optionals cfg.initrd.enable [ "amdgpu" ];
hardware.opengl = lib.mkIf cfg.opencl.enable {
enable = lib.mkDefault true;
extraPackages = [
pkgs.rocmPackages.clr
pkgs.rocmPackages.clr.icd
];
};
};
meta = {
maintainers = with lib.maintainers; [ johnrtitor ];
};
}

View file

@ -0,0 +1,59 @@
{ config, lib, pkgs, ... }:
let
cfg = config.hardware.amdgpu.amdvlk;
in {
options.hardware.amdgpu.amdvlk = {
enable = lib.mkEnableOption "AMDVLK Vulkan driver";
package = lib.mkPackageOption pkgs "amdvlk" { };
supportExperimental.enable = lib.mkEnableOption "Experimental features support";
support32Bit.enable = lib.mkEnableOption "32-bit driver support";
support32Bit.package = lib.mkPackageOption pkgs [ "driversi686Linux" "amdvlk" ] { };
settings = lib.mkOption {
type = with lib.types; attrsOf (either str int);
default = { };
example = {
AllowVkPipelineCachingToDisk = 1;
ShaderCacheMode = 1;
IFH = 0;
EnableVmAlwaysValid = 1;
IdleAfterSubmitGpuMask = 1;
};
description = ''
Runtime settings for AMDVLK to be configured {file}`/etc/amd/amdVulkanSettings.cfg`.
See [AMDVLK GitHub page](https://github.com/GPUOpen-Drivers/AMDVLK?tab=readme-ov-file#runtime-settings).
'';
};
};
config = lib.mkIf cfg.enable {
hardware.graphics = {
enable = true;
extraPackages = [ cfg.package ];
extraPackages32 = [ cfg.support32Bit.package ];
};
services.xserver.videoDrivers = [ "amdgpu" ];
environment.sessionVariables = lib.mkIf cfg.supportExperimental.enable {
AMDVLK_ENABLE_DEVELOPING_EXT = "all";
};
environment.etc = lib.mkIf (cfg.settings != { }) {
"amd/amdVulkanSettings.cfg".text = lib.concatStrings
(lib.mapAttrsToList
(n: v: ''
${n},${builtins.toString v}
'')
cfg.settings);
};
};
meta = {
maintainers = with lib.maintainers; [ johnrtitor ];
};
}

View file

@ -39,6 +39,12 @@ in
which conflicts with services.tlp.enable = true;
'';
}
{ assertion = !config.services.auto-cpufreq.enable;
message = ''
You have set services.power-profiles-daemon.enable = true;
which conflicts with services.auto-cpufreq.enable = true;
'';
}
];
environment.systemPackages = [ cfg.package ];

View file

@ -56,6 +56,8 @@ in {
'';
};
package = mkPackageOption pkgs "journalwatch" { };
priority = mkOption {
type = types.int;
default = 6;
@ -240,7 +242,7 @@ in {
# requires a relative directory name to create beneath /var/lib
StateDirectory = user;
StateDirectoryMode = "0750";
ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail";
ExecStart = "${getExe cfg.package} mail";
# lowest CPU and IO priority, but both still in best-effort class to prevent starvation
Nice=19;
IOSchedulingPriority=7;

View file

@ -120,14 +120,9 @@ in {
if [ ! -e "${cfg.secretsFile}" ]; then
echo "WARNING: secrets file not found, autogenerating!"
DIR="$(dirname "${cfg.secretsFile}")"
if [ ! -d "$DIR" ]; then
mkdir -p -m750 "$DIR"
chown "${cfg.user}:${cfg.group}" "$DIR"
fi
dd if=/dev/random bs=18 count=1 | base64 > "${cfg.secretsFile}"
chmod 600 "${cfg.secretsFile}"
install -m 750 -o ${cfg.user} -g ${cfg.group} -d "$DIR"
install -m 600 -o ${cfg.user} -g ${cfg.group} <(dd if=/dev/random bs=18 count=1 | base64) "${cfg.secretsFile}"
fi
chown "${cfg.user}:${cfg.group}" "${cfg.secretsFile}"
'';
};

View file

@ -455,7 +455,7 @@ in
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
requires = [ "public-inbox-init.service" ];
serviceConfig = {
BindPathsReadOnly =
BindReadOnlyPaths =
map (c: c.dir) (lib.attrValues cfg.settings.coderepo);
ExecStart = escapeShellArgs (
[ "${cfg.package}/bin/public-inbox-httpd" ] ++

View file

@ -1121,7 +1121,7 @@ in {
The client listener on matrix-synapse is configured to use UNIX domain sockets.
This configuration is incompatible with the `register_new_matrix_user` script.
Disable `services.mastrix-synapse.enableRegistrationScript` to continue.
Disable `services.matrix-synapse.enableRegistrationScript` to continue.
'';
}
]

View file

@ -28,13 +28,7 @@ in {
options.services.amazon-ssm-agent = {
enable = mkEnableOption "Amazon SSM agent";
package = mkOption {
type = types.path;
description = "The Amazon SSM agent package to use";
default = pkgs.amazon-ssm-agent.override { overrideEtc = false; };
defaultText = literalExpression "pkgs.amazon-ssm-agent.override { overrideEtc = false; }";
};
package = mkPackageOption pkgs "amazon-ssm-agent" {};
};
config = mkIf cfg.enable {

View file

@ -52,7 +52,7 @@ following options:
```nix
{
services.anki-sync-server.host = "0.0.0.0";
services.anki-sync-server.address = "0.0.0.0";
services.anki-sync-server.openFirewall = true;
}
```

View file

@ -38,7 +38,7 @@ in
fonts.enableDefaultPackages = lib.mkDefault true;
hardware.opengl.enable = lib.mkDefault true;
hardware.graphics.enable = lib.mkDefault true;
programs.gnupg.agent.pinentryPackage = lib.mkOverride 1100 pkgs.pinentry-gnome3;

View file

@ -160,5 +160,5 @@ in
};
meta.maintainers = with maintainers; [ minijackson nu-nu-ko ];
meta.maintainers = with maintainers; [ minijackson fsnkty ];
}

View file

@ -125,6 +125,7 @@ in {
options = {
services.mqtt2influxdb = {
enable = mkEnableOption "BigClown MQTT to InfluxDB bridge.";
package = mkPackageOption pkgs ["python3Packages" "mqtt2influxdb"] {};
environmentFiles = mkOption {
type = types.listOf types.path;
default = [];
@ -245,7 +246,7 @@ in {
'';
serviceConfig = {
EnvironmentFile = cfg.environmentFiles;
ExecStart = "${cfg.package}/bin/mqtt2influxdb -dc ${finalConfig}";
ExecStart = "${lib.getExe cfg.package} -dc ${finalConfig}";
RuntimeDirectory = "mqtt2influxdb";
};
};

View file

@ -77,6 +77,8 @@ in
environment = {
STATIC_DIR = ".";
DATA_DIR = ".";
HF_HOME = ".";
SENTENCE_TRANSFORMERS_HOME = ".";
} // cfg.environment;
serviceConfig = {

View file

@ -0,0 +1,142 @@
{ config, pkgs, lib, utils, ... }:
let
cfg = config.services.pghero;
settingsFormat = pkgs.formats.yaml { };
settingsFile = settingsFormat.generate "pghero.yaml" cfg.settings;
in
{
options.services.pghero = {
enable = lib.mkEnableOption "PgHero service";
package = lib.mkPackageOption pkgs "pghero" { };
listenAddress = lib.mkOption {
type = lib.types.str;
example = "[::1]:3000";
description = ''
`hostname:port` to listen for HTTP traffic.
This is bound using the systemd socket activation.
'';
};
extraArgs = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
Additional command-line arguments for the systemd service.
Refer to the [Puma web server documentation] for available arguments.
[Puma web server documentation]: https://puma.io/puma#configuration
'';
};
settings = lib.mkOption {
type = settingsFormat.type;
default = { };
example = {
databases = {
primary = {
url = "<%= ENV['PRIMARY_DATABASE_URL'] %>";
};
};
};
description = ''
PgHero configuration. Refer to the [PgHero documentation] for more
details.
[PgHero documentation]: https://github.com/ankane/pghero/blob/master/guides/Linux.md#multiple-databases
'';
};
environment = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = { };
description = ''
Environment variables to set for the service. Secrets should be
specified using {option}`environmentFile`.
'';
};
environmentFiles = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [ ];
description = ''
File to load environment variables from. Loaded variables override
values set in {option}`environment`.
'';
};
extraGroups = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "tlskeys" ];
description = ''
Additional groups for the systemd service.
'';
};
};
config = lib.mkIf cfg.enable {
systemd.sockets.pghero = {
unitConfig.Description = "PgHero HTTP socket";
wantedBy = [ "sockets.target" ];
listenStreams = [ cfg.listenAddress ];
};
systemd.services.pghero = {
description = "PgHero performance dashboard for PostgreSQL";
wantedBy = [ "multi-user.target" ];
requires = [ "pghero.socket" ];
after = [ "pghero.socket" "network.target" ];
environment = {
RAILS_ENV = "production";
PGHERO_CONFIG_PATH = settingsFile;
} // cfg.environment;
serviceConfig = {
Type = "notify";
WatchdogSec = "10";
ExecStart = utils.escapeSystemdExecArgs ([
(lib.getExe cfg.package)
"--bind-to-activated-sockets"
"only"
] ++ cfg.extraArgs);
Restart = "always";
WorkingDirectory = "${cfg.package}/share/pghero";
EnvironmentFile = cfg.environmentFiles;
SupplementaryGroups = cfg.extraGroups;
DynamicUser = true;
UMask = "0077";
ProtectHome = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectClock = true;
ProtectHostname = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateUsers = true;
PrivateDevices = true;
RestrictRealtime = true;
RestrictNamespaces = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
DeviceAllow = [ "" ];
DevicePolicy = "closed";
CapabilityBoundingSet = [ "" ];
MemoryDenyWriteExecute = true;
LockPersonality = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [ "@system-service" ];
};
};
};
}

View file

@ -0,0 +1,153 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkEnableOption
mkPackageOption
mkOption
types
mkIf
;
json = pkgs.formats.json { };
cfg = config.services.renovate;
generateValidatedConfig =
name: value:
pkgs.callPackage (
{ runCommand, jq }:
runCommand name
{
nativeBuildInputs = [
jq
cfg.package
];
value = builtins.toJSON value;
passAsFile = [ "value" ];
preferLocalBuild = true;
}
''
jq . "$valuePath"> $out
renovate-config-validator $out
''
) { };
generateConfig = if cfg.validateSettings then generateValidatedConfig else json.generate;
in
{
meta.maintainers = with lib.maintainers; [ marie natsukium ];
options.services.renovate = {
enable = mkEnableOption "renovate";
package = mkPackageOption pkgs "renovate" { };
schedule = mkOption {
type = with types; nullOr str;
description = "How often to run renovate. See {manpage}`systemd.time(7)` for the format.";
example = "*:0/10";
default = null;
};
credentials = mkOption {
type = with types; attrsOf path;
description = ''
Allows configuring environment variable credentials for renovate, read from files.
This should always be used for passing confidential data to renovate.
'';
example = {
RENOVATE_TOKEN = "/etc/renovate/token";
};
default = { };
};
runtimePackages = mkOption {
type = with types; listOf package;
description = "Packages available to renovate.";
default = [ ];
};
validateSettings = mkOption {
type = types.bool;
default = true;
description = "Weither to run renovate's config validator on the built configuration.";
};
settings = mkOption {
type = json.type;
default = { };
example = {
platform = "gitea";
endpoint = "https://git.example.com";
gitAuthor = "Renovate <renovate@example.com>";
};
description = ''
Renovate's global configuration.
If you want to pass secrets to renovate, please use {option}`services.renovate.credentials` for that.
'';
};
};
config = mkIf cfg.enable {
services.renovate.settings = {
cacheDir = "/var/cache/renovate";
baseDir = "/var/lib/renovate";
};
systemd.services.renovate = {
description = "Renovate dependency updater";
documentation = [ "https://docs.renovatebot.com/" ];
after = [ "network.target" ];
startAt = lib.optional (cfg.schedule != null) cfg.schedule;
path = [
config.systemd.package
pkgs.git
] ++ cfg.runtimePackages;
serviceConfig = {
Type = "oneshot";
User = "renovate";
Group = "renovate";
DynamicUser = true;
LoadCredential = lib.mapAttrsToList (name: value: "SECRET-${name}:${value}") cfg.credentials;
RemainAfterExit = false;
Restart = "on-failure";
CacheDirectory = "renovate";
StateDirectory = "renovate";
# Hardening
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
PrivateDevices = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
UMask = "0077";
};
script = ''
${lib.concatStringsSep "\n" (
builtins.map (name: "export ${name}=$(systemd-creds cat 'SECRET-${name}')") (
lib.attrNames cfg.credentials
)
)}
exec ${lib.escapeShellArg (lib.getExe cfg.package)}
'';
environment = {
RENOVATE_CONFIG_FILE = generateConfig "renovate-config.json" cfg.settings;
HOME = "/var/lib/renovate";
};
};
};
}

View file

@ -235,7 +235,7 @@ in
timerConfig.OnUnitActiveSec = cfg.cleanupInterval;
};
systemd.services.snapper-boot = lib.optionalAttrs cfg.snapshotRootOnBoot {
systemd.services.snapper-boot = lib.mkIf cfg.snapshotRootOnBoot {
description = "Take snapper snapshot of root on boot";
inherit documentation;
serviceConfig.ExecStart = "${pkgs.snapper}/bin/snapper --config root create --cleanup-algorithm number --description boot";

View file

@ -0,0 +1,80 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.services.alloy;
in
{
meta = {
maintainers = with maintainers; [ flokli hbjydev ];
};
options.services.alloy = {
enable = mkEnableOption "Grafana Alloy";
package = mkPackageOption pkgs "grafana-alloy" { };
configPath = mkOption {
type = lib.types.path;
default = "/etc/alloy";
description = ''
Alloy configuration file/directory path.
We default to `/etc/alloy` here, and expect the user to configure a
configuration file via `environment.etc."alloy/config.alloy"`.
This allows config reload, contrary to specifying a store path.
A `reloadTrigger` for `config.alloy` is configured.
Other `*.alloy` files in the same directory (ignoring subdirs) are also
honored, but it's necessary to manually extend
`systemd.services.alloy.reloadTriggers` to enable config reload
during nixos-rebuild switch.
This can also point to another directory containing `*.alloy` files, or
a single Alloy file in the Nix store (at the cost of reload).
Component names must be unique across all Alloy configuration files, and
configuration blocks must not be repeated.
Alloy will continue to run if subsequent reloads of the configuration
file fail, potentially marking components as unhealthy depending on
the nature of the failure. When this happens, Alloy will continue
functioning in the last valid state.
'';
};
extraFlags = mkOption {
type = with lib.types; listOf str;
default = [ ];
example = [ "--server.http.listen-addr=127.0.0.1:12346" "--disable-reporting" ];
description = ''
Extra command-line flags passed to {command}`alloy run`.
See <https://grafana.com/docs/alloy/latest/reference/cli/run/>
'';
};
};
config = mkIf cfg.enable {
systemd.services.alloy = {
wantedBy = [ "multi-user.target" ];
reloadTriggers = [ config.environment.etc."alloy/config.alloy".source or null ];
serviceConfig = {
Restart = "always";
DynamicUser = true;
RestartSec = 2;
SupplementaryGroups = [
# allow to read the systemd journal for loki log forwarding
"systemd-journal"
];
ExecStart = "${lib.getExe cfg.package} run ${cfg.configPath} ${escapeShellArgs cfg.extraFlags}";
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
ConfigurationDirectory = "alloy";
StateDirectory = "alloy";
WorkingDirectory = "%S/alloy";
Type = "simple";
};
};
};
}

View file

@ -94,6 +94,7 @@ in {
systemd.services.loki = {
description = "Loki Service Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = let
conf = if cfg.configFile == null

View file

@ -140,8 +140,8 @@ in
options.api.endpoint = mkOption {
type = str;
default = "http://localhost:${toString cfg.settings.web.listen.port}";
defaultText = literalExpression ''"http://localhost:''${config.services.scrutiny.settings.web.listen.port}"'';
default = "http://${cfg.settings.web.listen.host}:${toString cfg.settings.web.listen.port}";
defaultText = literalExpression ''"http://''${config.services.scrutiny.settings.web.listen.host}:''${config.services.scrutiny.settings.web.listen.port}"'';
description = "Scrutiny app API endpoint for sending metrics to.";
};

View file

@ -103,7 +103,7 @@ in
port = mkOption {
type = types.port;
default = if cfg.database.type == "mysql" then mysql.port else pgsql.services.port;
default = if cfg.database.type == "mysql" then mysql.port else pgsql.settings.port;
defaultText = literalExpression ''
if config.${opt.database.type} == "mysql"
then config.${options.services.mysql.port}

View file

@ -20,14 +20,10 @@ let
else toString value;
configFile = pkgs.writeText "davfs2.conf" (
if (cfg.settings != { }) then
(toINIWithGlobalSection {
mkSectionName = escapeString;
mkKeyValue = k: v: "${k} ${formatValue v}";
} cfg.settings)
else
cfg.extraConfig
);
toINIWithGlobalSection {
mkSectionName = escapeString;
mkKeyValue = k: v: "${k} ${formatValue v}";
} cfg.settings);
in
{
@ -53,29 +49,6 @@ in
'';
};
extraConfig = mkOption {
type = lines;
default = "";
example = ''
proxy foo.bar:8080
use_locks 0
[/media/dav]
use_locks 1
[/home/otto/mywebspace]
gui_optimize 1
'';
description = ''
Extra lines appended to the configuration of davfs2.
See {manpage}`davfs2.conf(5)` for available settings.
**Note**: Please pass structured settings via
{option}`settings` instead, this option
will get deprecated in the future.
'' ;
};
settings = mkOption {
type = submodule {
freeformType = let
@ -109,21 +82,6 @@ in
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.extraConfig != "" -> cfg.settings == { };
message = ''
services.davfs2.extraConfig and services.davfs2.settings cannot be used together.
Please prefer using services.davfs2.settings.
'';
}
];
warnings = optional (cfg.extraConfig != "") ''
services.davfs2.extraConfig will be deprecated in future releases;
please use services.davfs2.settings instead.
'';
environment.systemPackages = [ pkgs.davfs2 ];
environment.etc."davfs2/davfs2.conf".source = configFile;

View file

@ -201,14 +201,10 @@ in
message = "If samba.nsswins is enabled, then samba.enableWinbindd must also be enabled";
}
];
# Always provide a smb.conf to shut up programs like smbclient and smbspool.
environment.etc."samba/smb.conf".source = mkOptionDefault (
if cfg.enable then configFile
else pkgs.writeText "smb-dummy.conf" "# Samba is disabled."
);
}
(mkIf cfg.enable {
environment.etc."samba/smb.conf".source = configFile;
system.nssModules = optional cfg.nsswins samba;
system.nssDatabases.hosts = optional cfg.nsswins "wins";

View file

@ -167,8 +167,13 @@ in {
preStart = optionalString (settings != null) ''
if [ -e "$STATE_DIRECTORY/AdGuardHome.yaml" ] \
&& [ "${toString cfg.mutableSettings}" = "1" ]; then
# First run a schema_version update on the existing configuration
# This ensures that both the new config and the existing one have the same schema_version
# Note: --check-config has the side effect of modifying the file at rest!
${lib.getExe cfg.package} -c "$STATE_DIRECTORY/AdGuardHome.yaml" --check-config
# Writing directly to AdGuardHome.yaml results in empty file
${pkgs.yaml-merge}/bin/yaml-merge "$STATE_DIRECTORY/AdGuardHome.yaml" "${configFile}" > "$STATE_DIRECTORY/AdGuardHome.yaml.tmp"
${lib.getExe pkgs.yaml-merge} "$STATE_DIRECTORY/AdGuardHome.yaml" "${configFile}" > "$STATE_DIRECTORY/AdGuardHome.yaml.tmp"
mv "$STATE_DIRECTORY/AdGuardHome.yaml.tmp" "$STATE_DIRECTORY/AdGuardHome.yaml"
else
cp --force "${configFile}" "$STATE_DIRECTORY/AdGuardHome.yaml"
@ -178,7 +183,7 @@ in {
serviceConfig = {
DynamicUser = true;
ExecStart = "${cfg.package}/bin/adguardhome ${args}";
ExecStart = "${lib.getExe cfg.package} ${args}";
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]
++ optionals cfg.allowDHCP [ "CAP_NET_RAW" ];
Restart = "always";

View file

@ -1,98 +1,132 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.aria2;
homeDir = "/var/lib/aria2";
defaultRpcListenPort = 6800;
defaultDir = "${homeDir}/Downloads";
settingsDir = "${homeDir}";
sessionFile = "${homeDir}/aria2.session";
downloadDir = "${homeDir}/Downloads";
rangesToStringList = map (x: builtins.toString x.from +"-"+ builtins.toString x.to);
settingsFile = pkgs.writeText "aria2.conf"
''
dir=${cfg.downloadDir}
listen-port=${concatStringsSep "," (rangesToStringList cfg.listenPortRange)}
rpc-listen-port=${toString cfg.rpcListenPort}
'';
portRangesToString = ranges: lib.concatStringsSep "," (map
(x:
if x.from == x.to
then builtins.toString x.from
else builtins.toString x.from + "-" + builtins.toString x.to
)
ranges);
customToKeyValue = lib.generators.toKeyValue {
mkKeyValue = lib.generators.mkKeyValueDefault
{
mkValueString = v:
if builtins.isList v then portRangesToString v
else lib.generators.mkValueStringDefault { } v;
} "=";
};
in
{
imports = [
(mkRemovedOptionModule [ "services" "aria2" "rpcSecret" ] "Use services.aria2.rpcSecretFile instead")
(lib.mkRemovedOptionModule [ "services" "aria2" "rpcSecret" ] "Use services.aria2.rpcSecretFile instead")
(lib.mkRemovedOptionModule [ "services" "aria2" "extraArguments" ] "Use services.aria2.settings instead")
(lib.mkRenamedOptionModule [ "services" "aria2" "downloadDir" ] [ "services" "aria2" "settings" "dir" ])
(lib.mkRenamedOptionModule [ "services" "aria2" "listenPortRange" ] [ "services" "aria2" "settings" "listen-port" ])
(lib.mkRenamedOptionModule [ "services" "aria2" "rpcListenPort" ] [ "services" "aria2" "settings" "rpc-listen-port" ])
];
options = {
services.aria2 = {
enable = mkOption {
type = types.bool;
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether or not to enable the headless Aria2 daemon service.
Aria2 daemon can be controlled via the RPC interface using
one of many WebUI (http://localhost:6800/ by default).
Aria2 daemon can be controlled via the RPC interface using one of many
WebUIs (http://localhost:${toString defaultRpcListenPort}/ by default).
Targets are downloaded to ${downloadDir} by default and are
accessible to users in the "aria2" group.
Targets are downloaded to `${defaultDir}` by default and are
accessible to users in the `aria2` group.
'';
};
openPorts = mkOption {
type = types.bool;
openPorts = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Open listen and RPC ports found in listenPortRange and rpcListenPort
options in the firewall.
Open listen and RPC ports found in `settings.listen-port` and
`settings.rpc-listen-port` options in the firewall.
'';
};
downloadDir = mkOption {
type = types.path;
default = downloadDir;
description = ''
Directory to store downloaded files.
'';
};
listenPortRange = mkOption {
type = types.listOf types.attrs;
default = [ { from = 6881; to = 6999; } ];
description = ''
Set UDP listening port range used by DHT(IPv4, IPv6) and UDP tracker.
'';
};
rpcListenPort = mkOption {
type = types.int;
default = 6800;
description = "Specify a port number for JSON-RPC/XML-RPC server to listen to. Possible Values: 1024-65535";
};
rpcSecretFile = mkOption {
type = types.path;
rpcSecretFile = lib.mkOption {
type = lib.types.path;
example = "/run/secrets/aria2-rpc-token.txt";
description = ''
A file containing the RPC secret authorization token.
Read https://aria2.github.io/manual/en/html/aria2c.html#rpc-auth to know how this option value is used.
'';
};
extraArguments = mkOption {
type = types.separatedString " ";
example = "--rpc-listen-all --remote-time=true";
default = "";
settings = lib.mkOption {
description = ''
Additional arguments to be passed to Aria2.
Generates the `aria2.conf` file. Refer to [the documentation][0] for
all possible settings.
[0]: https://aria2.github.io/manual/en/html/aria2c.html#synopsis
'';
default = { };
type = lib.types.submodule {
freeformType = with lib.types; attrsOf (oneOf [ bool int float singleLineStr ]);
options = {
save-session = lib.mkOption {
type = lib.types.singleLineStr;
default = "${homeDir}/aria2.session";
description = "Save error/unfinished downloads to FILE on exit.";
};
dir = lib.mkOption {
type = lib.types.singleLineStr;
default = defaultDir;
description = "Directory to store downloaded files.";
};
conf-path = lib.mkOption {
type = lib.types.singleLineStr;
default = "${homeDir}/aria2.conf";
description = "Configuration file path.";
};
enable-rpc = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Enable JSON-RPC/XML-RPC server.";
};
listen-port = lib.mkOption {
type = with lib.types; listOf (attrsOf port);
default = [{ from = 6881; to = 6999; }];
description = "Set UDP listening port range used by DHT(IPv4, IPv6) and UDP tracker.";
};
rpc-listen-port = lib.mkOption {
type = lib.types.port;
default = defaultRpcListenPort;
description = "Specify a port number for JSON-RPC/XML-RPC server to listen to. Possible Values: 1024-65535";
};
};
};
};
};
};
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.settings.enable-rpc;
message = "RPC has to be enabled, the default module option takes care of that.";
}
{
assertion = !(cfg.settings ? rpc-secret);
message = "Set the RPC secret through services.aria2.rpcSecretFile so it will not end up in the world-readable nix store.";
}
];
# Need to open ports for proper functioning
networking.firewall = mkIf cfg.openPorts {
allowedUDPPortRanges = config.services.aria2.listenPortRange;
allowedTCPPorts = [ config.services.aria2.rpcListenPort ];
networking.firewall = lib.mkIf cfg.openPorts {
allowedUDPPortRanges = config.services.aria2.settings.listen-port;
allowedTCPPorts = [ config.services.aria2.settings.rpc-listen-port ];
};
users.users.aria2 = {
@ -107,7 +141,7 @@ in
systemd.tmpfiles.rules = [
"d '${homeDir}' 0770 aria2 aria2 - -"
"d '${config.services.aria2.downloadDir}' 0770 aria2 aria2 - -"
"d '${config.services.aria2.settings.dir}' 0770 aria2 aria2 - -"
];
systemd.services.aria2 = {
@ -115,22 +149,25 @@ in
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
if [[ ! -e "${sessionFile}" ]]
if [[ ! -e "${cfg.settings.save-session}" ]]
then
touch "${sessionFile}"
touch "${cfg.settings.save-session}"
fi
cp -f "${settingsFile}" "${settingsDir}/aria2.conf"
echo "rpc-secret=$(cat "$CREDENTIALS_DIRECTORY/rpcSecretFile")" >> "${settingsDir}/aria2.conf"
cp -f "${pkgs.writeText "aria2.conf" (customToKeyValue cfg.settings)}" "${cfg.settings.conf-path}"
chmod +w "${cfg.settings.conf-path}"
echo "rpc-secret=$(cat "$CREDENTIALS_DIRECTORY/rpcSecretFile")" >> "${cfg.settings.conf-path}"
'';
serviceConfig = {
Restart = "on-abort";
ExecStart = "${pkgs.aria2}/bin/aria2c --enable-rpc --conf-path=${settingsDir}/aria2.conf ${config.services.aria2.extraArguments} --save-session=${sessionFile}";
ExecStart = "${pkgs.aria2}/bin/aria2c --conf-path=${cfg.settings.conf-path}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = "aria2";
Group = "aria2";
LoadCredential="rpcSecretFile:${cfg.rpcSecretFile}";
LoadCredential = "rpcSecretFile:${cfg.rpcSecretFile}";
};
};
};
meta.maintainers = [ lib.maintainers.timhae ];
}

Some files were not shown because too many files have changed in this diff Show more