Project import generated by Copybara.
GitOrigin-RevId: 4a01ca36d6bfc133bc617e661916a81327c9bbc8
This commit is contained in:
parent
6fa9728205
commit
ca5ab3a501
2175 changed files with 83526 additions and 23949 deletions
5
third_party/nixpkgs/.github/CODEOWNERS
vendored
5
third_party/nixpkgs/.github/CODEOWNERS
vendored
|
@ -48,6 +48,7 @@
|
|||
/pkgs/build-support/writers @lassulus @Profpatsch
|
||||
|
||||
# Nixpkgs documentation
|
||||
/doc @fricklerhandwerk
|
||||
/maintainers/scripts/db-to-md.sh @jtojnar @ryantm
|
||||
/maintainers/scripts/doc @jtojnar @ryantm
|
||||
/doc/build-aux/pandoc-filters @jtojnar
|
||||
|
@ -256,8 +257,8 @@
|
|||
/pkgs/development/go-packages @kalbasit @Mic92 @zowoq
|
||||
|
||||
# GNOME
|
||||
/pkgs/desktops/gnome @jtojnar @hedning
|
||||
/pkgs/desktops/gnome/extensions @piegamesde @jtojnar @hedning
|
||||
/pkgs/desktops/gnome @jtojnar
|
||||
/pkgs/desktops/gnome/extensions @piegamesde @jtojnar
|
||||
|
||||
# Cinnamon
|
||||
/pkgs/desktops/cinnamon @mkg20001
|
||||
|
|
|
@ -8,8 +8,14 @@ on:
|
|||
# the GitHub repository. This means that it should not evaluate user input in a
|
||||
# way that allows code injection.
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
backport:
|
||||
permissions:
|
||||
contents: write # for zeebe-io/backport-action to create branch
|
||||
pull-requests: write # for zeebe-io/backport-action to create PR to backport
|
||||
name: Backport Pull Request
|
||||
if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
|
||||
runs-on: ubuntu-latest
|
||||
|
|
|
@ -10,6 +10,9 @@ on:
|
|||
# branches:
|
||||
# - master
|
||||
# - release-**
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
tests:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
|
@ -4,8 +4,13 @@ on:
|
|||
branches:
|
||||
- master
|
||||
- release-**
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
build:
|
||||
permissions:
|
||||
contents: write # for peter-evans/commit-comment to comment on commit
|
||||
runs-on: ubuntu-latest
|
||||
if: github.repository_owner == 'NixOS'
|
||||
env:
|
||||
|
|
|
@ -23,4 +23,12 @@ jobs:
|
|||
- name: Check DocBook files generated from Markdown are consistent
|
||||
run: |
|
||||
nixos/doc/manual/md-to-db.sh
|
||||
git diff --exit-code
|
||||
git diff --exit-code || {
|
||||
echo
|
||||
echo 'Generated manual files are out of date.'
|
||||
echo 'Please run'
|
||||
echo
|
||||
echo ' nixos/doc/manual/md-to-db.sh'
|
||||
echo
|
||||
exit 1
|
||||
}
|
||||
|
|
|
@ -6,8 +6,13 @@ on:
|
|||
- 'nixos-**'
|
||||
- 'nixpkgs-**'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
fail:
|
||||
permissions:
|
||||
contents: none
|
||||
name: "This PR is is targeting a channel branch"
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
|
|
@ -4,8 +4,13 @@ on:
|
|||
check_suite:
|
||||
types: [ completed ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
action:
|
||||
permissions:
|
||||
statuses: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: clear pending status
|
||||
|
|
|
@ -8,8 +8,13 @@ on:
|
|||
# the GitHub repository. This means that it should not evaluate user input in a
|
||||
# way that allows code injection.
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
action:
|
||||
permissions:
|
||||
statuses: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: set pending status
|
||||
|
|
|
@ -14,8 +14,14 @@ on:
|
|||
# Merge every 24 hours
|
||||
- cron: '0 0 * * *'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
periodic-merge:
|
||||
permissions:
|
||||
contents: write # for devmasx/merge-branch to merge branches
|
||||
issues: write # for peter-evans/create-or-update-comment to create or update comment
|
||||
if: github.repository_owner == 'NixOS'
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
|
@ -28,10 +34,6 @@ jobs:
|
|||
pairs:
|
||||
- from: master
|
||||
into: haskell-updates
|
||||
- from: release-21.11
|
||||
into: staging-next-21.11
|
||||
- from: staging-next-21.11
|
||||
into: staging-21.11
|
||||
- from: release-22.05
|
||||
into: staging-next-22.05
|
||||
- from: staging-next-22.05
|
||||
|
|
|
@ -14,8 +14,14 @@ on:
|
|||
# Merge every 6 hours
|
||||
- cron: '0 */6 * * *'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
periodic-merge:
|
||||
permissions:
|
||||
contents: write # for devmasx/merge-branch to merge branches
|
||||
issues: write # for peter-evans/create-or-update-comment to create or update comment
|
||||
if: github.repository_owner == 'NixOS'
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
|
|
|
@ -2,11 +2,18 @@ name: "Update terraform-providers"
|
|||
|
||||
on:
|
||||
schedule:
|
||||
- cron: "14 3 * * 1"
|
||||
- cron: "14 3 * * 0"
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
tf-providers:
|
||||
permissions:
|
||||
contents: write # for peter-evans/create-pull-request to create branch
|
||||
issues: write # for peter-evans/create-or-update-comment to create or update comment
|
||||
pull-requests: write # for peter-evans/create-pull-request to create a PR
|
||||
if: github.repository_owner == 'NixOS' && github.ref == 'refs/heads/master' # ensure workflow_dispatch only runs on master
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
|
|
@ -20,7 +20,12 @@ buildImage {
|
|||
fromImageName = null;
|
||||
fromImageTag = "latest";
|
||||
|
||||
contents = pkgs.redis;
|
||||
copyToRoot = pkgs.buildEnv {
|
||||
name = "image-root";
|
||||
paths = [ pkgs.redis ];
|
||||
pathsToLink = [ "/bin" ];
|
||||
};
|
||||
|
||||
runAsRoot = ''
|
||||
#!${pkgs.runtimeShell}
|
||||
mkdir -p /data
|
||||
|
@ -46,7 +51,7 @@ The above example will build a Docker image `redis/latest` from the given base i
|
|||
|
||||
- `fromImageTag` can be used to further specify the tag of the base image within the repository, in case an image contains multiple tags. By default it's `null`, in which case `buildImage` will peek the first tag available for the base image.
|
||||
|
||||
- `contents` is a derivation that will be copied in the new layer of the resulting image. This can be similarly seen as `ADD contents/ /` in a `Dockerfile`. By default it's `null`.
|
||||
- `copyToRoot` is a derivation that will be copied in the new layer of the resulting image. This can be similarly seen as `ADD contents/ /` in a `Dockerfile`. By default it's `null`.
|
||||
|
||||
- `runAsRoot` is a bash script that will run as root in an environment that overlays the existing layers of the base image with the new resulting layer, including the previously copied `contents` derivation. This can be similarly seen as `RUN ...` in a `Dockerfile`.
|
||||
|
||||
|
@ -81,7 +86,11 @@ pkgs.dockerTools.buildImage {
|
|||
name = "hello";
|
||||
tag = "latest";
|
||||
created = "now";
|
||||
contents = pkgs.hello;
|
||||
copyToRoot = pkgs.buildEnv {
|
||||
name = "image-root";
|
||||
paths = [ pkgs.hello ];
|
||||
pathsToLink = [ "/bin" ];
|
||||
};
|
||||
|
||||
config.Cmd = [ "/bin/hello" ];
|
||||
}
|
||||
|
|
|
@ -338,6 +338,10 @@ A (typically large) program with a distinct user interface, primarily used inter
|
|||
|
||||
- `applications/terminal-emulators` (e.g. `alacritty` or `rxvt` or `termite`)
|
||||
|
||||
- **If it’s a _file manager_:**
|
||||
|
||||
- `applications/file-managers` (e.g. `mc` or `ranger` or `pcmanfm`)
|
||||
|
||||
- **If it’s for _video playback / editing_:**
|
||||
|
||||
- `applications/video` (e.g. `vlc`)
|
||||
|
|
|
@ -5,9 +5,11 @@
|
|||
The Coq derivation is overridable through the `coq.override overrides`, where overrides is an attribute set which contains the arguments to override. We recommend overriding either of the following
|
||||
|
||||
* `version` (optional, defaults to the latest version of Coq selected for nixpkgs, see `pkgs/top-level/coq-packages` to witness this choice), which follows the conventions explained in the `coqPackages` section below,
|
||||
* `customOCamlPackage` (optional, defaults to `null`, which lets Coq choose a version automatically), which can be set to any of the ocaml packages attribute of `ocaml-ng` (such as `ocaml-ng.ocamlPackages_4_10` which is the default for Coq 8.11 for example).
|
||||
* `customOCamlPackages` (optional, defaults to `null`, which lets Coq choose a version automatically), which can be set to any of the ocaml packages attribute of `ocaml-ng` (such as `ocaml-ng.ocamlPackages_4_10` which is the default for Coq 8.11 for example).
|
||||
* `coq-version` (optional, defaults to the short version e.g. "8.10"), is a version number of the form "x.y" that indicates which Coq's version build behavior to mimic when using a source which is not a release. E.g. `coq.override { version = "d370a9d1328a4e1cdb9d02ee032f605a9d94ec7a"; coq-version = "8.10"; }`.
|
||||
|
||||
The associated package set can be optained using `mkCoqPackages coq`, where `coq` is the derivation to use.
|
||||
|
||||
## Coq packages attribute sets: `coqPackages` {#coq-packages-attribute-sets-coqpackages}
|
||||
|
||||
The recommended way of defining a derivation for a Coq library, is to use the `coqPackages.mkCoqDerivation` function, which is essentially a specialization of `mkDerivation` taking into account most of the specifics of Coq libraries. The following attributes are supported:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Perl {#sec-language-perl}
|
||||
|
||||
## Running perl programs on the shell {#ssec-perl-running}
|
||||
## Running Perl programs on the shell {#ssec-perl-running}
|
||||
|
||||
When executing a Perl script, it is possible you get an error such as `./myscript.pl: bad interpreter: /usr/bin/perl: no such file or directory`. This happens when the script expects Perl to be installed at `/usr/bin/perl`, which is not the case when using Perl from nixpkgs. You can fix the script by changing the first line to:
|
||||
|
||||
|
@ -35,15 +35,16 @@ Perl packages from CPAN are defined in [pkgs/top-level/perl-packages.nix](https:
|
|||
|
||||
```nix
|
||||
ClassC3 = buildPerlPackage rec {
|
||||
name = "Class-C3-0.21";
|
||||
pname = "Class-C3";
|
||||
version = "0.21";
|
||||
src = fetchurl {
|
||||
url = "mirror://cpan/authors/id/F/FL/FLORA/${name}.tar.gz";
|
||||
url = "mirror://cpan/authors/id/F/FL/FLORA/${pname}-${version}.tar.gz";
|
||||
sha256 = "1bl8z095y4js66pwxnm7s853pi9czala4sqc743fdlnk27kq94gz";
|
||||
};
|
||||
};
|
||||
```
|
||||
|
||||
Note the use of `mirror://cpan/`, and the `${name}` in the URL definition to ensure that the name attribute is consistent with the source that we’re actually downloading. Perl packages are made available in `all-packages.nix` through the variable `perlPackages`. For instance, if you have a package that needs `ClassC3`, you would typically write
|
||||
Note the use of `mirror://cpan/`, and the `pname` and `version` in the URL definition to ensure that the `pname` attribute is consistent with the source that we’re actually downloading. Perl packages are made available in `all-packages.nix` through the variable `perlPackages`. For instance, if you have a package that needs `ClassC3`, you would typically write
|
||||
|
||||
```nix
|
||||
foo = import ../path/to/foo.nix {
|
||||
|
@ -72,10 +73,11 @@ So what does `buildPerlPackage` do? It does the following:
|
|||
{ buildPerlPackage, fetchurl, db }:
|
||||
|
||||
buildPerlPackage rec {
|
||||
name = "BerkeleyDB-0.36";
|
||||
pname = "BerkeleyDB";
|
||||
version = "0.36";
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://cpan/authors/id/P/PM/PMQS/${name}.tar.gz";
|
||||
url = "mirror://cpan/authors/id/P/PM/PMQS/${pname}-${version}.tar.gz";
|
||||
sha256 = "07xf50riarb60l1h6m2dqmql8q5dij619712fsgw7ach04d8g3z1";
|
||||
};
|
||||
|
||||
|
@ -90,9 +92,10 @@ Dependencies on other Perl packages can be specified in the `buildInputs` and `p
|
|||
|
||||
```nix
|
||||
ClassC3Componentised = buildPerlPackage rec {
|
||||
name = "Class-C3-Componentised-1.0004";
|
||||
pname = "Class-C3-Componentised";
|
||||
version = "1.0004";
|
||||
src = fetchurl {
|
||||
url = "mirror://cpan/authors/id/A/AS/ASH/${name}.tar.gz";
|
||||
url = "mirror://cpan/authors/id/A/AS/ASH/${pname}-${version}.tar.gz";
|
||||
sha256 = "0xql73jkcdbq4q9m0b0rnca6nrlvf5hyzy8is0crdk65bynvs8q1";
|
||||
};
|
||||
propagatedBuildInputs = [
|
||||
|
@ -111,7 +114,7 @@ ImageExifTool = buildPerlPackage {
|
|||
version = "11.50";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-11.50.tar.gz";
|
||||
url = "https://www.sno.phy.queensu.ca/~phil/exiftool/${pname}-${version}.tar.gz";
|
||||
sha256 = "0d8v48y94z8maxkmw1rv7v9m0jg2dc8xbp581njb6yhr7abwqdv3";
|
||||
};
|
||||
|
||||
|
@ -139,9 +142,10 @@ This program takes a Perl module name, looks it up on CPAN, fetches and unpacks
|
|||
```ShellSession
|
||||
$ nix-generate-from-cpan XML::Simple
|
||||
XMLSimple = buildPerlPackage rec {
|
||||
name = "XML-Simple-2.22";
|
||||
pname = "XML-Simple";
|
||||
version = "2.22";
|
||||
src = fetchurl {
|
||||
url = "mirror://cpan/authors/id/G/GR/GRANTM/${name}.tar.gz";
|
||||
url = "mirror://cpan/authors/id/G/GR/GRANTM/XML-Simple-2.22.tar.gz";
|
||||
sha256 = "b9450ef22ea9644ae5d6ada086dc4300fa105be050a2030ebd4efd28c198eb49";
|
||||
};
|
||||
propagatedBuildInputs = [ XMLNamespaceSupport XMLSAX XMLSAXExpat ];
|
||||
|
|
|
@ -5,11 +5,9 @@ and additional libraries.
|
|||
|
||||
Loading can be deferred; see examples.
|
||||
|
||||
At the moment we support three different methods for managing plugins:
|
||||
At the moment we support two different methods for managing plugins:
|
||||
|
||||
- Vim packages (*recommend*)
|
||||
- VAM (=vim-addon-manager)
|
||||
- Pathogen
|
||||
- Vim packages (*recommended*)
|
||||
- vim-plug
|
||||
|
||||
## Custom configuration {#custom-configuration}
|
||||
|
@ -45,7 +43,7 @@ neovim.override {
|
|||
```
|
||||
|
||||
If you want to use `neovim-qt` as a graphical editor, you can configure it by overriding Neovim in an overlay
|
||||
or passing it an overridden Neovimn:
|
||||
or passing it an overridden Neovim:
|
||||
|
||||
```nix
|
||||
neovim-qt.override {
|
||||
|
@ -61,7 +59,7 @@ neovim-qt.override {
|
|||
|
||||
## Managing plugins with Vim packages {#managing-plugins-with-vim-packages}
|
||||
|
||||
To store you plugins in Vim packages (the native Vim plugin manager, see `:help packages`) the following example can be used:
|
||||
To store your plugins in Vim packages (the native Vim plugin manager, see `:help packages`) the following example can be used:
|
||||
|
||||
```nix
|
||||
vim_configurable.customize {
|
||||
|
@ -110,7 +108,7 @@ The resulting package can be added to `packageOverrides` in `~/.nixpkgs/config.n
|
|||
};
|
||||
myNeovim = neovim.override {
|
||||
configure = {
|
||||
# add here code from the example section
|
||||
# add code from the example section here
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -161,7 +159,7 @@ in
|
|||
#### Treesitter
|
||||
|
||||
By default `nvim-treesitter` encourages you to download, compile and install
|
||||
the required tree-sitter grammars at run time with `:TSInstall`. This works
|
||||
the required Treesitter grammars at run time with `:TSInstall`. This works
|
||||
poorly on NixOS. Instead, to install the `nvim-treesitter` plugins with a set
|
||||
of precompiled grammars, you can use `nvim-treesitter.withPlugins` function:
|
||||
|
||||
|
@ -204,7 +202,7 @@ For Neovim the syntax is:
|
|||
neovim.override {
|
||||
configure = {
|
||||
customRC = ''
|
||||
# here your custom configuration goes!
|
||||
# your custom configuration goes here!
|
||||
'';
|
||||
plug.plugins = with pkgs.vimPlugins; [
|
||||
vim-go
|
||||
|
@ -213,100 +211,6 @@ neovim.override {
|
|||
}
|
||||
```
|
||||
|
||||
## Managing plugins with VAM {#managing-plugins-with-vam}
|
||||
|
||||
### Handling dependencies of Vim plugins {#handling-dependencies-of-vim-plugins}
|
||||
|
||||
VAM introduced .json files supporting dependencies without versioning
|
||||
assuming that "using latest version" is ok most of the time.
|
||||
|
||||
### Example {#example}
|
||||
|
||||
First create a vim-scripts file having one plugin name per line. Example:
|
||||
|
||||
```vim
|
||||
"tlib"
|
||||
{'name': 'vim-addon-sql'}
|
||||
{'filetype_regex': '\%(vim)$', 'names': ['reload', 'vim-dev-plugin']}
|
||||
```
|
||||
|
||||
Such vim-scripts file can be read by VAM as well like this:
|
||||
|
||||
```vim
|
||||
call vam#Scripts(expand('~/.vim-scripts'), {})
|
||||
```
|
||||
|
||||
Create a default.nix file:
|
||||
|
||||
```nix
|
||||
{ nixpkgs ? import <nixpkgs> {}, compiler ? "ghc7102" }:
|
||||
nixpkgs.vim_configurable.customize { name = "vim"; vimrcConfig.vam.pluginDictionaries = [ "vim-addon-vim2nix" ]; }
|
||||
```
|
||||
|
||||
Create a generate.vim file:
|
||||
|
||||
```vim
|
||||
ActivateAddons vim-addon-vim2nix
|
||||
let vim_scripts = "vim-scripts"
|
||||
call nix#ExportPluginsForNix({
|
||||
\ 'path_to_nixpkgs': eval('{"'.substitute(substitute(substitute($NIX_PATH, ':', ',', 'g'), '=',':', 'g'), '\([:,]\)', '"\1"',"g").'"}')["nixpkgs"],
|
||||
\ 'cache_file': '/tmp/vim2nix-cache',
|
||||
\ 'try_catch': 0,
|
||||
\ 'plugin_dictionaries': ["vim-addon-manager"]+map(readfile(vim_scripts), 'eval(v:val)')
|
||||
\ })
|
||||
```
|
||||
|
||||
Then run
|
||||
|
||||
```bash
|
||||
nix-shell -p vimUtils.vim_with_vim2nix --command "vim -c 'source generate.vim'"
|
||||
```
|
||||
|
||||
You should get a Vim buffer with the nix derivations (output1) and vam.pluginDictionaries (output2).
|
||||
You can add your Vim to your system's configuration file like this and start it by "vim-my":
|
||||
|
||||
```nix
|
||||
my-vim =
|
||||
let plugins = let inherit (vimUtils) buildVimPluginFrom2Nix; in {
|
||||
copy paste output1 here
|
||||
}; in vim_configurable.customize {
|
||||
name = "vim-my";
|
||||
|
||||
vimrcConfig.vam.knownPlugins = plugins; # optional
|
||||
vimrcConfig.vam.pluginDictionaries = [
|
||||
copy paste output2 here
|
||||
];
|
||||
|
||||
};
|
||||
```
|
||||
|
||||
Sample output1:
|
||||
|
||||
```nix
|
||||
"reload" = buildVimPluginFrom2Nix { # created by nix#NixDerivation
|
||||
name = "reload";
|
||||
src = fetchgit {
|
||||
url = "https://github.com/xolox/vim-reload";
|
||||
rev = "0a601a668727f5b675cb1ddc19f6861f3f7ab9e1";
|
||||
sha256 = "0vb832l9yxj919f5hfg6qj6bn9ni57gnjd3bj7zpq7d4iv2s4wdh";
|
||||
};
|
||||
dependencies = ["nim-misc"];
|
||||
|
||||
};
|
||||
[...]
|
||||
```
|
||||
|
||||
Sample output2:
|
||||
|
||||
```nix
|
||||
[
|
||||
''vim-addon-manager''
|
||||
''tlib''
|
||||
{ "name" = ''vim-addon-sql''; }
|
||||
{ "filetype_regex" = ''\%(vim)$$''; "names" = [ ''reload'' ''vim-dev-plugin'' ]; }
|
||||
]
|
||||
```
|
||||
|
||||
## Adding new plugins to nixpkgs {#adding-new-plugins-to-nixpkgs}
|
||||
|
||||
Nix expressions for Vim plugins are stored in [pkgs/applications/editors/vim/plugins](https://github.com/NixOS/nixpkgs/tree/master/pkgs/applications/editors/vim/plugins). For the vast majority of plugins, Nix expressions are automatically generated by running [`./update.py`](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/update.py). This creates a [generated.nix](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/generated.nix) file based on the plugins listed in [vim-plugin-names](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/vim-plugin-names). Plugins are listed in alphabetical order in `vim-plugin-names` using the format `[github username]/[repository]@[gitref]`. For example https://github.com/scrooloose/nerdtree becomes `scrooloose/nerdtree`.
|
||||
|
@ -323,7 +227,7 @@ Sometimes plugins require an override that must be changed when the plugin is up
|
|||
|
||||
To add a new plugin, run `./update.py --add "[owner]/[name]"`. **NOTE**: This script automatically commits to your git repository. Be sure to check out a fresh branch before running.
|
||||
|
||||
Finally, there are some plugins that are also packaged in nodePackages because they have Javascript-related build steps, such as running webpack. Those plugins are not listed in `vim-plugin-names` or managed by `update.py` at all, and are included separately in `overrides.nix`. Currently, all these plugins are related to the `coc.nvim` ecosystem of Language Server Protocol integration with vim/neovim.
|
||||
Finally, there are some plugins that are also packaged in nodePackages because they have Javascript-related build steps, such as running webpack. Those plugins are not listed in `vim-plugin-names` or managed by `update.py` at all, and are included separately in `overrides.nix`. Currently, all these plugins are related to the `coc.nvim` ecosystem of the Language Server Protocol integration with vim/neovim.
|
||||
|
||||
## Updating plugins in nixpkgs {#updating-plugins-in-nixpkgs}
|
||||
|
||||
|
|
|
@ -153,6 +153,24 @@ Add the following to your `mkDerivation` invocation.
|
|||
doCheck = stdenv.hostPlatform == stdenv.buildPlatform;
|
||||
```
|
||||
|
||||
#### Package using Meson needs to run binaries for the host platform during build. {#cross-meson-runs-host-code}
|
||||
|
||||
Add `mesonEmulatorHook` cross conditionally to `nativeBuildInputs`.
|
||||
|
||||
e.g.
|
||||
|
||||
```
|
||||
nativeBuildInputs = [
|
||||
meson
|
||||
] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
|
||||
mesonEmulatorHook
|
||||
];
|
||||
```
|
||||
|
||||
Example of an error which this fixes.
|
||||
|
||||
`[Errno 8] Exec format error: './gdk3-scan'`
|
||||
|
||||
## Cross-building packages {#sec-cross-usage}
|
||||
|
||||
Nixpkgs can be instantiated with `localSystem` alone, in which case there is no cross-compiling and everything is built by and for that system, or also with `crossSystem`, in which case packages run on the latter, but all building happens on the former. Both parameters take the same schema as the 3 (build, host, and target) platforms defined in the previous section. As mentioned above, `lib.systems.examples` has some platforms which are used as arguments for these parameters in practice. You can use them programmatically, or on the command line:
|
||||
|
|
|
@ -60,3 +60,8 @@ Some common issues when packaging software for Darwin:
|
|||
```
|
||||
|
||||
The package `xcbuild` can be used to build projects that really depend on Xcode. However, this replacement is not 100% compatible with Xcode and can occasionally cause issues.
|
||||
|
||||
- x86_64-darwin uses the 10.12 SDK by default, but some software is not compatible with that version of the SDK. In that case,
|
||||
the 11.0 SDK used by aarch64-darwin is available for use on x86_64-darwin. To use it, reference `apple_sdk_11_0` instead of
|
||||
`apple_sdk` in your derivation and use `pkgs.darwin.apple_sdk_11_0.callPackage` instead of `pkgs.callPackage`. On Linux, this will
|
||||
have the same effect as `pkgs.callPackage`, so you can use `pkgs.darwin.apple_sdk_11_0.callPackage` regardless of platform.
|
||||
|
|
77
third_party/nixpkgs/doc/stdenv/stdenv.chapter.md
vendored
77
third_party/nixpkgs/doc/stdenv/stdenv.chapter.md
vendored
|
@ -77,7 +77,7 @@ where the builder can do anything it wants, but typically starts with
|
|||
source $stdenv/setup
|
||||
```
|
||||
|
||||
to let `stdenv` set up the environment (e.g., process the `buildInputs`). If you want, you can still use `stdenv`’s generic builder:
|
||||
to let `stdenv` set up the environment (e.g. by resetting `PATH` and populating it from build inputs). If you want, you can still use `stdenv`’s generic builder:
|
||||
|
||||
```bash
|
||||
source $stdenv/setup
|
||||
|
@ -698,12 +698,12 @@ Hook executed at the end of the install phase.
|
|||
|
||||
### The fixup phase {#ssec-fixup-phase}
|
||||
|
||||
The fixup phase performs some (Nix-specific) post-processing actions on the files installed under `$out` by the install phase. The default `fixupPhase` does the following:
|
||||
The fixup phase performs (Nix-specific) post-processing actions on the files installed under `$out` by the install phase. The default `fixupPhase` does the following:
|
||||
|
||||
- It moves the `man/`, `doc/` and `info/` subdirectories of `$out` to `share/`.
|
||||
- It strips libraries and executables of debug information.
|
||||
- On Linux, it applies the `patchelf` command to ELF executables and libraries to remove unused directories from the `RPATH` in order to prevent unnecessary runtime dependencies.
|
||||
- It rewrites the interpreter paths of shell scripts to paths found in `PATH`. E.g., `/usr/bin/perl` will be rewritten to `/nix/store/some-perl/bin/perl` found in `PATH`.
|
||||
- It rewrites the interpreter paths of shell scripts to paths found in `PATH`. E.g., `/usr/bin/perl` will be rewritten to `/nix/store/some-perl/bin/perl` found in `PATH`. See [](#patch-shebangs.sh) for details.
|
||||
|
||||
#### Variables controlling the fixup phase {#variables-controlling-the-fixup-phase}
|
||||
|
||||
|
@ -749,7 +749,7 @@ If set, the `patchelf` command is not used to remove unnecessary `RPATH` entries
|
|||
|
||||
##### `dontPatchShebangs` {#var-stdenv-dontPatchShebangs}
|
||||
|
||||
If set, scripts starting with `#!` do not have their interpreter paths rewritten to paths in the Nix store.
|
||||
If set, scripts starting with `#!` do not have their interpreter paths rewritten to paths in the Nix store. See [](#patch-shebangs.sh) on how patching shebangs works.
|
||||
|
||||
##### `dontPruneLibtoolFiles` {#var-stdenv-dontPruneLibtoolFiles}
|
||||
|
||||
|
@ -983,7 +983,7 @@ addEnvHooks "$hostOffset" myBashFunction
|
|||
|
||||
The *existence* of setups hooks has long been documented and packages inside Nixpkgs are free to use this mechanism. Other packages, however, should not rely on these mechanisms not changing between Nixpkgs versions. Because of the existing issues with this system, there’s little benefit from mandating it be stable for any period of time.
|
||||
|
||||
First, let’s cover some setup hooks that are part of Nixpkgs default stdenv. This means that they are run for every package built using `stdenv.mkDerivation`. Some of these are platform specific, so they may run on Linux but not Darwin or vice-versa.
|
||||
First, let’s cover some setup hooks that are part of Nixpkgs default `stdenv`. This means that they are run for every package built using `stdenv.mkDerivation` or when using a custom builder that has `source $stdenv/setup`. Some of these are platform specific, so they may run on Linux but not Darwin or vice-versa.
|
||||
|
||||
### `move-docs.sh` {#move-docs.sh}
|
||||
|
||||
|
@ -999,7 +999,70 @@ This runs the strip command on installed binaries and libraries. This removes un
|
|||
|
||||
### `patch-shebangs.sh` {#patch-shebangs.sh}
|
||||
|
||||
This setup hook patches installed scripts to use the full path to the shebang interpreter. A shebang interpreter is the first commented line of a script telling the operating system which program will run the script (e.g `#!/bin/bash`). In Nix, we want an exact path to that interpreter to be used. This often replaces `/bin/sh` with a path in the Nix store.
|
||||
This setup hook patches installed scripts to add Nix store paths to their shebang interpreter as found in the build environment. The [shebang](https://en.wikipedia.org/wiki/Shebang_(Unix)) line tells a Unix-like operating system which interpreter to use to execute the script's contents.
|
||||
|
||||
::: note
|
||||
The [generic builder][generic-builder] populates `PATH` from inputs of the derivation.
|
||||
:::
|
||||
|
||||
[generic-builder]: https://github.com/NixOS/nixpkgs/blob/19d4f7dc485f74109bd66ef74231285ff797a823/pkgs/stdenv/generic/builder.sh
|
||||
|
||||
#### Invocation {#patch-shebangs.sh-invocation}
|
||||
|
||||
Multiple paths can be specified.
|
||||
|
||||
```
|
||||
patchShebangs [--build | --host] PATH...
|
||||
```
|
||||
|
||||
##### Flags
|
||||
|
||||
`--build`
|
||||
: Look up commands available at build time
|
||||
|
||||
`--host`
|
||||
: Look up commands available at run time
|
||||
|
||||
##### Examples
|
||||
|
||||
```sh
|
||||
patchShebangs --host /nix/store/<hash>-hello-1.0/bin
|
||||
```
|
||||
|
||||
```sh
|
||||
patchShebangs --build configure
|
||||
```
|
||||
|
||||
`#!/bin/sh` will be rewritten to `#!/nix/store/<hash>-some-bash/bin/sh`.
|
||||
|
||||
`#!/usr/bin/env` gets special treatment: `#!/usr/bin/env python` is rewritten to `/nix/store/<hash>/bin/python`.
|
||||
|
||||
Interpreter paths that point to a valid Nix store location are not changed.
|
||||
|
||||
::: note
|
||||
A script file must be marked as executable, otherwise it will not be
|
||||
considered.
|
||||
:::
|
||||
|
||||
This mechanism ensures that the interpreter for a given script is always found and is exactly the one specified by the build.
|
||||
|
||||
It can be disabled by setting [`dontPatchShebangs`](#var-stdenv-dontPatchShebangs):
|
||||
|
||||
```nix
|
||||
stdenv.mkDerivation {
|
||||
# ...
|
||||
dontPatchShebangs = true;
|
||||
# ...
|
||||
}
|
||||
```
|
||||
|
||||
The file [`patch-shebangs.sh`][patch-shebangs.sh] defines the [`patchShebangs`][patchShebangs] function. It is used to implement [`patchShebangsAuto`][patchShebangsAuto], the [setup hook](#ssec-setup-hooks) that is registered to run during the [fixup phase](#ssec-fixup-phase) by default.
|
||||
|
||||
If you need to run `patchShebangs` at build time, it must be called explicitly within [one of the build phases](#sec-stdenv-phases).
|
||||
|
||||
[patch-shebangs.sh]: https://github.com/NixOS/nixpkgs/blob/19d4f7dc485f74109bd66ef74231285ff797a823/pkgs/build-support/setup-hooks/patch-shebangs.sh
|
||||
[patchShebangs]: https://github.com/NixOS/nixpkgs/blob/19d4f7dc485f74109bd66ef74231285ff797a823/pkgs/build-support/setup-hooks/patch-shebangs.sh#L24-L105
|
||||
[patchShebangsAuto]: https://github.com/NixOS/nixpkgs/blob/19d4f7dc485f74109bd66ef74231285ff797a823/pkgs/build-support/setup-hooks/patch-shebangs.sh#L107-L119
|
||||
|
||||
### `audit-tmpdir.sh` {#audit-tmpdir.sh}
|
||||
|
||||
|
@ -1316,7 +1379,7 @@ If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.
|
|||
|
||||
[^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation.
|
||||
[^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`.
|
||||
[^footnote-stdenv-propagated-dependencies]: Nix itself already takes a package’s transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like setup hooks (mentioned above) also are run as if the propagated dependency.
|
||||
[^footnote-stdenv-propagated-dependencies]: Nix itself already takes a package’s transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like [setup hooks](#ssec-setup-hooks) also are run as if it were a propagated dependency.
|
||||
[^footnote-stdenv-find-inputs-location]: The `findInputs` function, currently residing in `pkgs/stdenv/generic/setup.sh`, implements the propagation logic.
|
||||
[^footnote-stdenv-sys-lib-search-path]: It clears the `sys_lib_*search_path` variables in the Libtool script to prevent Libtool from using libraries in `/usr/lib` and such.
|
||||
[^footnote-stdenv-build-time-guessing-impurity]: Eventually these will be passed building natively as well, to improve determinism: build-time guessing, as is done today, is a risk of impurity.
|
||||
|
|
6
third_party/nixpkgs/lib/licenses.nix
vendored
6
third_party/nixpkgs/lib/licenses.nix
vendored
|
@ -55,6 +55,12 @@ in mkLicense lset) ({
|
|||
fullName = "GNU Affero General Public License v3.0 or later";
|
||||
};
|
||||
|
||||
aladdin = {
|
||||
spdxId = "Aladdin";
|
||||
fullName = "Aladdin Free Public License";
|
||||
free = false;
|
||||
};
|
||||
|
||||
amazonsl = {
|
||||
fullName = "Amazon Software License";
|
||||
url = "https://aws.amazon.com/asl/";
|
||||
|
|
2
third_party/nixpkgs/lib/options.nix
vendored
2
third_party/nixpkgs/lib/options.nix
vendored
|
@ -242,6 +242,8 @@ rec {
|
|||
in if ss != {} then optionAttrSetToDocList' opt.loc ss else [];
|
||||
subOptionsVisible = docOption.visible && opt.visible or null != "shallow";
|
||||
in
|
||||
# To find infinite recursion in NixOS option docs:
|
||||
# builtins.trace opt.loc
|
||||
[ docOption ] ++ optionals subOptionsVisible subOptions) (collect isOption options);
|
||||
|
||||
|
||||
|
|
26
third_party/nixpkgs/lib/systems/examples.nix
vendored
26
third_party/nixpkgs/lib/systems/examples.nix
vendored
|
@ -91,25 +91,23 @@ rec {
|
|||
config = "mipsel-unknown-linux-gnu";
|
||||
} // platforms.fuloong2f_n32;
|
||||
|
||||
# MIPS ABI table transcribed from here: https://wiki.debian.org/Multiarch/Tuples
|
||||
|
||||
# can execute on 32bit chip
|
||||
mips-linux-gnu = { config = "mips-linux-gnu"; } // platforms.gcc_mips32r2_o32;
|
||||
mipsel-linux-gnu = { config = "mipsel-linux-gnu"; } // platforms.gcc_mips32r2_o32;
|
||||
mipsisa32r6-linux-gnu = { config = "mipsisa32r6-linux-gnu"; } // platforms.gcc_mips32r6_o32;
|
||||
mipsisa32r6el-linux-gnu = { config = "mipsisa32r6el-linux-gnu"; } // platforms.gcc_mips32r6_o32;
|
||||
mips-linux-gnu = { config = "mips-unknown-linux-gnu"; } // platforms.gcc_mips32r2_o32;
|
||||
mipsel-linux-gnu = { config = "mipsel-unknown-linux-gnu"; } // platforms.gcc_mips32r2_o32;
|
||||
mipsisa32r6-linux-gnu = { config = "mipsisa32r6-unknown-linux-gnu"; } // platforms.gcc_mips32r6_o32;
|
||||
mipsisa32r6el-linux-gnu = { config = "mipsisa32r6el-unknown-linux-gnu"; } // platforms.gcc_mips32r6_o32;
|
||||
|
||||
# require 64bit chip (for more registers, 64-bit floating point, 64-bit "long long") but use 32bit pointers
|
||||
mips64-linux-gnuabin32 = { config = "mips64-linux-gnuabin32"; } // platforms.gcc_mips64r2_n32;
|
||||
mips64el-linux-gnuabin32 = { config = "mips64el-linux-gnuabin32"; } // platforms.gcc_mips64r2_n32;
|
||||
mipsisa64r6-linux-gnuabin32 = { config = "mipsisa64r6-linux-gnuabin32"; } // platforms.gcc_mips64r6_n32;
|
||||
mipsisa64r6el-linux-gnuabin32 = { config = "mipsisa64r6el-linux-gnuabin32"; } // platforms.gcc_mips64r6_n32;
|
||||
mips64-linux-gnuabin32 = { config = "mips64-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r2_n32;
|
||||
mips64el-linux-gnuabin32 = { config = "mips64el-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r2_n32;
|
||||
mipsisa64r6-linux-gnuabin32 = { config = "mipsisa64r6-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r6_n32;
|
||||
mipsisa64r6el-linux-gnuabin32 = { config = "mipsisa64r6el-unknown-linux-gnuabin32"; } // platforms.gcc_mips64r6_n32;
|
||||
|
||||
# 64bit pointers
|
||||
mips64-linux-gnuabi64 = { config = "mips64-linux-gnuabi64"; } // platforms.gcc_mips64r2_64;
|
||||
mips64el-linux-gnuabi64 = { config = "mips64el-linux-gnuabi64"; } // platforms.gcc_mips64r2_64;
|
||||
mipsisa64r6-linux-gnuabi64 = { config = "mipsisa64r6-linux-gnuabi64"; } // platforms.gcc_mips64r6_64;
|
||||
mipsisa64r6el-linux-gnuabi64 = { config = "mipsisa64r6el-linux-gnuabi64"; } // platforms.gcc_mips64r6_64;
|
||||
mips64-linux-gnuabi64 = { config = "mips64-unknown-linux-gnuabi64"; } // platforms.gcc_mips64r2_64;
|
||||
mips64el-linux-gnuabi64 = { config = "mips64el-unknown-linux-gnuabi64"; } // platforms.gcc_mips64r2_64;
|
||||
mipsisa64r6-linux-gnuabi64 = { config = "mipsisa64r6-unknown-linux-gnuabi64"; } // platforms.gcc_mips64r6_64;
|
||||
mipsisa64r6el-linux-gnuabi64 = { config = "mipsisa64r6el-unknown-linux-gnuabi64"; } // platforms.gcc_mips64r6_64;
|
||||
|
||||
muslpi = raspberryPi // {
|
||||
config = "armv6l-unknown-linux-musleabihf";
|
||||
|
|
2
third_party/nixpkgs/lib/trivial.nix
vendored
2
third_party/nixpkgs/lib/trivial.nix
vendored
|
@ -179,7 +179,7 @@ rec {
|
|||
they take effect as soon as the oldest release reaches end of life. */
|
||||
oldestSupportedRelease =
|
||||
# Update on master only. Do not backport.
|
||||
2111;
|
||||
2205;
|
||||
|
||||
/* Whether a feature is supported in all supported releases (at the time of
|
||||
release branch-off, if applicable). See `oldestSupportedRelease`. */
|
||||
|
|
663
third_party/nixpkgs/maintainers/maintainer-list.nix
vendored
663
third_party/nixpkgs/maintainers/maintainer-list.nix
vendored
File diff suppressed because it is too large
Load diff
52
third_party/nixpkgs/maintainers/scripts/fix-maintainers.pl
vendored
Executable file
52
third_party/nixpkgs/maintainers/scripts/fix-maintainers.pl
vendored
Executable file
|
@ -0,0 +1,52 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i perl -p perl -p perlPackages.LWP -p perlPackages.LWPProtocolHttps -p perlPackages.LWPUserAgent -p perlPackages.JSON -p perlPackages.PathTiny
|
||||
use LWP::UserAgent;
|
||||
use JSON;
|
||||
use Path::Tiny;
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
my $maintainers_list_nix = "../maintainer-list.nix";
|
||||
my $maintainers_json = from_json(`nix-instantiate --json --eval --expr 'builtins.fromJSON (builtins.toJSON (import $maintainers_list_nix))'`);
|
||||
|
||||
STDOUT->autoflush(1);
|
||||
|
||||
my $ua = LWP::UserAgent->new();
|
||||
|
||||
keys %$maintainers_json; # reset the internal iterator so a prior each() doesn't affect the loop
|
||||
while(my($k, $v) = each %$maintainers_json) {
|
||||
my $current_user = %$v{'github'};
|
||||
if (!defined $current_user) {
|
||||
print "$k has no github handle\n";
|
||||
next;
|
||||
}
|
||||
my $github_id = %$v{'githubId'};
|
||||
if (!defined $github_id) {
|
||||
print "$k has no githubId\n";
|
||||
next;
|
||||
}
|
||||
my $url = 'https://api.github.com/user/' . $github_id;
|
||||
my $resp = $ua->get(
|
||||
$url,
|
||||
"Authorization" => "Token $ENV{GH_TOKEN}"
|
||||
);
|
||||
|
||||
if ($resp->header("X-RateLimit-Remaining") == 0) {
|
||||
my $ratelimit_reset = $resp->header("X-RateLimit-Reset");
|
||||
print "Request limit exceeded, waiting until " . scalar localtime $ratelimit_reset . "\n";
|
||||
sleep($ratelimit_reset - time() + 5);
|
||||
}
|
||||
if ($resp->code != 200) {
|
||||
print $current_user . " likely deleted their github account\n";
|
||||
next;
|
||||
}
|
||||
my $resp_json = from_json($resp->content);
|
||||
my $api_user = %$resp_json{"login"};
|
||||
if ($current_user ne $api_user) {
|
||||
print $current_user . " is now known on github as " . $api_user . ". Editing maintainer-list.nix…\n";
|
||||
my $file = path($maintainers_list_nix);
|
||||
my $data = $file->slurp_utf8;
|
||||
$data =~ s/github = "$current_user";$/github = "$api_user";/m;
|
||||
$file->spew_utf8($data);
|
||||
}
|
||||
}
|
83
third_party/nixpkgs/maintainers/scripts/mdize-module.sh
vendored
Executable file
83
third_party/nixpkgs/maintainers/scripts/mdize-module.sh
vendored
Executable file
|
@ -0,0 +1,83 @@
|
|||
#! /usr/bin/env nix-shell
|
||||
#! nix-shell -I nixpkgs=. -i bash -p delta jq perl
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
cat <<'EOF'
|
||||
This script attempts to automatically convert option descriptions from
|
||||
DocBook syntax to markdown. Naturally this process is incomplete and
|
||||
imperfect, so any changes generated by this script MUST be reviewed.
|
||||
|
||||
Possible problems include: incorrectly replaced tags, badly formatted
|
||||
markdown, DocBook tags this script doesn't recognize remaining in the
|
||||
output and crashing the docs build, incorrect escaping of markdown
|
||||
metacharacters, incorrect unescaping of XML entities—and the list goes on.
|
||||
|
||||
Always review the generated changes!
|
||||
|
||||
Some known limitations:
|
||||
- Does not transform literalDocBook items
|
||||
- Replacements can occur in non-option code, such as string literals
|
||||
|
||||
|
||||
EOF
|
||||
|
||||
|
||||
|
||||
build-options-json() {
|
||||
nix-build --no-out-link --expr '
|
||||
let
|
||||
sys = import ./nixos/default.nix {
|
||||
configuration = {};
|
||||
};
|
||||
in
|
||||
[
|
||||
sys.config.system.build.manual.optionsJSON
|
||||
]
|
||||
'
|
||||
}
|
||||
|
||||
|
||||
|
||||
git diff --quiet || {
|
||||
echo "Worktree is dirty. Please stash or commit first."
|
||||
exit 1
|
||||
}
|
||||
|
||||
echo "Building options.json ..."
|
||||
old_options=$(build-options-json)
|
||||
|
||||
echo "Applying replacements ..."
|
||||
perl -pi -e '
|
||||
BEGIN {
|
||||
undef $/;
|
||||
}
|
||||
|
||||
s,<literal>([^`]*?)</literal>,`$1`,smg;
|
||||
s,<replaceable>([^»]*?)</replaceable>,«$1»,smg;
|
||||
s,<filename>([^`]*?)</filename>,{file}`$1`,smg;
|
||||
s,<option>([^`]*?)</option>,{option}`$1`,smg;
|
||||
s,<code>([^`]*?)</code>,`$1`,smg;
|
||||
s,<command>([^`]*?)</command>,{command}`$1`,smg;
|
||||
s,<link xlink:href="(.+?)" ?/>,<$1>,smg;
|
||||
s,<link xlink:href="(.+?)">(.*?)</link>,[$2]($1),smg;
|
||||
s,<package>([^`]*?)</package>,`$1`,smg;
|
||||
s,<emphasis>([^*]*?)</emphasis>,*$1*,smg;
|
||||
s,<citerefentry>\s*
|
||||
<refentrytitle>\s*(.*?)\s*</refentrytitle>\s*
|
||||
<manvolnum>\s*(.*?)\s*</manvolnum>\s*
|
||||
</citerefentry>,{manpage}`$1($2)`,smgx;
|
||||
s,^( +description =),\1 lib.mdDoc,smg;
|
||||
' "$@"
|
||||
|
||||
echo "Building options.json again ..."
|
||||
new_options=$(build-options-json)
|
||||
|
||||
|
||||
! cmp -s {$old_options,$new_options}/share/doc/nixos/options.json && {
|
||||
diff -U10 \
|
||||
<(jq . <$old_options/share/doc/nixos/options.json) \
|
||||
<(jq . <$new_options/share/doc/nixos/options.json) \
|
||||
| delta
|
||||
}
|
|
@ -98,6 +98,7 @@ with lib.maintainers; {
|
|||
members = [
|
||||
astro
|
||||
SuperSandro2000
|
||||
revol-xut
|
||||
];
|
||||
scope = "Maintain packages used in the C3D2 hackspace";
|
||||
shortName = "c3d2";
|
||||
|
@ -325,7 +326,6 @@ with lib.maintainers; {
|
|||
jitsi = {
|
||||
members = [
|
||||
cleeyv
|
||||
petabyteboy
|
||||
ryantm
|
||||
yuka
|
||||
];
|
||||
|
|
|
@ -1,11 +1,18 @@
|
|||
# Adding Custom Packages {#sec-custom-packages}
|
||||
|
||||
It's possible that a package you need is not available in NixOS. In that
|
||||
case, you can do two things. First, you can clone the Nixpkgs
|
||||
repository, add the package to your clone, and (optionally) submit a
|
||||
patch or pull request to have it accepted into the main Nixpkgs repository.
|
||||
This is described in detail in the [Nixpkgs manual](https://nixos.org/nixpkgs/manual).
|
||||
In short, you clone Nixpkgs:
|
||||
case, you can do two things. Either you can package it with Nix, or you can try
|
||||
to use prebuilt packages from upstream. Due to the peculiarities of NixOS, it
|
||||
is important to note that building software from source is often easier than
|
||||
using pre-built executables.
|
||||
|
||||
## Building with Nix {#sec-custom-packages-nix}
|
||||
|
||||
This can be done either in-tree or out-of-tree. For an in-tree build, you can
|
||||
clone the Nixpkgs repository, add the package to your clone, and (optionally)
|
||||
submit a patch or pull request to have it accepted into the main Nixpkgs
|
||||
repository. This is described in detail in the [Nixpkgs
|
||||
manual](https://nixos.org/nixpkgs/manual). In short, you clone Nixpkgs:
|
||||
|
||||
```ShellSession
|
||||
$ git clone https://github.com/NixOS/nixpkgs
|
||||
|
@ -72,3 +79,21 @@ $ nix-build my-hello.nix
|
|||
$ ./result/bin/hello
|
||||
Hello, world!
|
||||
```
|
||||
|
||||
## Using pre-built executables {#sec-custom-packages-prebuilt}
|
||||
|
||||
Most pre-built executables will not work on NixOS. There are two notable
|
||||
exceptions: flatpaks and AppImages. For flatpaks see the [dedicated
|
||||
section](#module-services-flatpak). AppImages will not run "as-is" on NixOS.
|
||||
First you need to install `appimage-run`: add to `/etc/nixos/configuration.nix`
|
||||
|
||||
```nix
|
||||
environment.systemPackages = [ pkgs.appimage-run ];
|
||||
```
|
||||
|
||||
Then instead of running the AppImage "as-is", run `appimage-run foo.appimage`.
|
||||
|
||||
To make other pre-built executables work on NixOS, you need to package them
|
||||
with Nix and special helpers like `autoPatchelfHook` or `buildFHSUserEnv`. See
|
||||
the [Nixpkgs manual](https://nixos.org/nixpkgs/manual) for details. This
|
||||
is complex and often doing a source build is easier.
|
||||
|
|
|
@ -24,11 +24,16 @@ Some Xfce programs are not installed automatically. To install them
|
|||
manually (system wide), put them into your
|
||||
[](#opt-environment.systemPackages) from `pkgs.xfce`.
|
||||
|
||||
## Thunar Plugins {#sec-xfce-thunar-plugins .unnumbered}
|
||||
## Thunar {#sec-xfce-thunar-plugins .unnumbered}
|
||||
|
||||
Thunar (the Xfce file manager) is automatically enabled when Xfce is
|
||||
enabled. To enable Thunar without enabling Xfce, use the configuration
|
||||
option [](#opt-programs.thunar.enable) instead of simply adding
|
||||
`pkgs.xfce.thunar` to [](#opt-environment.systemPackages).
|
||||
|
||||
If you\'d like to add extra plugins to Thunar, add them to
|
||||
[](#opt-services.xserver.desktopManager.xfce.thunarPlugins).
|
||||
You shouldn\'t just add them to [](#opt-environment.systemPackages).
|
||||
[](#opt-programs.thunar.plugins). You shouldn\'t just add them to
|
||||
[](#opt-environment.systemPackages).
|
||||
|
||||
## Troubleshooting {#sec-xfce-troubleshooting .unnumbered}
|
||||
|
||||
|
|
|
@ -133,12 +133,12 @@ let
|
|||
# ^ redirect assumes xmllint doesn’t print to stdout
|
||||
}
|
||||
|
||||
lintrng manual-combined.xml
|
||||
lintrng man-pages-combined.xml
|
||||
|
||||
mkdir $out
|
||||
cp manual-combined.xml $out/
|
||||
cp man-pages-combined.xml $out/
|
||||
|
||||
lintrng $out/manual-combined.xml
|
||||
lintrng $out/man-pages-combined.xml
|
||||
'';
|
||||
|
||||
olinkDB = runCommand "manual-olinkdb"
|
||||
|
|
|
@ -54,7 +54,7 @@ possiblility into account that they have to create them first.
|
|||
## NixOS snippets {#sec-activation-script-nixos-snippets}
|
||||
|
||||
There are some snippets NixOS enables by default because disabling them would
|
||||
most likely break you system. This section lists a few of them and what they
|
||||
most likely break your system. This section lists a few of them and what they
|
||||
do:
|
||||
|
||||
- `binsh` creates `/bin/sh` which points to the runtime shell
|
||||
|
|
|
@ -2,10 +2,20 @@
|
|||
<title>Adding Custom Packages</title>
|
||||
<para>
|
||||
It’s possible that a package you need is not available in NixOS. In
|
||||
that case, you can do two things. First, you can clone the Nixpkgs
|
||||
repository, add the package to your clone, and (optionally) submit a
|
||||
patch or pull request to have it accepted into the main Nixpkgs
|
||||
repository. This is described in detail in the
|
||||
that case, you can do two things. Either you can package it with
|
||||
Nix, or you can try to use prebuilt packages from upstream. Due to
|
||||
the peculiarities of NixOS, it is important to note that building
|
||||
software from source is often easier than using pre-built
|
||||
executables.
|
||||
</para>
|
||||
<section xml:id="sec-custom-packages-nix">
|
||||
<title>Building with Nix</title>
|
||||
<para>
|
||||
This can be done either in-tree or out-of-tree. For an in-tree
|
||||
build, you can clone the Nixpkgs repository, add the package to
|
||||
your clone, and (optionally) submit a patch or pull request to
|
||||
have it accepted into the main Nixpkgs repository. This is
|
||||
described in detail in the
|
||||
<link xlink:href="https://nixos.org/nixpkgs/manual">Nixpkgs
|
||||
manual</link>. In short, you clone Nixpkgs:
|
||||
</para>
|
||||
|
@ -29,8 +39,8 @@ environment.systemPackages = [ pkgs.my-package ];
|
|||
# nixos-rebuild switch -I nixpkgs=/path/to/my/nixpkgs
|
||||
</programlisting>
|
||||
<para>
|
||||
The second possibility is to add the package outside of the Nixpkgs
|
||||
tree. For instance, here is how you specify a build of the
|
||||
The second possibility is to add the package outside of the
|
||||
Nixpkgs tree. For instance, here is how you specify a build of the
|
||||
<link xlink:href="https://www.gnu.org/software/hello/">GNU
|
||||
Hello</link> package directly in
|
||||
<literal>configuration.nix</literal>:
|
||||
|
@ -78,3 +88,31 @@ $ ./result/bin/hello
|
|||
Hello, world!
|
||||
</programlisting>
|
||||
</section>
|
||||
<section xml:id="sec-custom-packages-prebuilt">
|
||||
<title>Using pre-built executables</title>
|
||||
<para>
|
||||
Most pre-built executables will not work on NixOS. There are two
|
||||
notable exceptions: flatpaks and AppImages. For flatpaks see the
|
||||
<link linkend="module-services-flatpak">dedicated section</link>.
|
||||
AppImages will not run <quote>as-is</quote> on NixOS. First you
|
||||
need to install <literal>appimage-run</literal>: add to
|
||||
<literal>/etc/nixos/configuration.nix</literal>
|
||||
</para>
|
||||
<programlisting language="bash">
|
||||
environment.systemPackages = [ pkgs.appimage-run ];
|
||||
</programlisting>
|
||||
<para>
|
||||
Then instead of running the AppImage <quote>as-is</quote>, run
|
||||
<literal>appimage-run foo.appimage</literal>.
|
||||
</para>
|
||||
<para>
|
||||
To make other pre-built executables work on NixOS, you need to
|
||||
package them with Nix and special helpers like
|
||||
<literal>autoPatchelfHook</literal> or
|
||||
<literal>buildFHSUserEnv</literal>. See the
|
||||
<link xlink:href="https://nixos.org/nixpkgs/manual">Nixpkgs
|
||||
manual</link> for details. This is complex and often doing a
|
||||
source build is easier.
|
||||
</para>
|
||||
</section>
|
||||
</section>
|
||||
|
|
|
@ -27,12 +27,18 @@ services.picom = {
|
|||
<literal>pkgs.xfce</literal>.
|
||||
</para>
|
||||
<section xml:id="sec-xfce-thunar-plugins">
|
||||
<title>Thunar Plugins</title>
|
||||
<title>Thunar</title>
|
||||
<para>
|
||||
Thunar (the Xfce file manager) is automatically enabled when Xfce
|
||||
is enabled. To enable Thunar without enabling Xfce, use the
|
||||
configuration option <xref linkend="opt-programs.thunar.enable" />
|
||||
instead of simply adding <literal>pkgs.xfce.thunar</literal> to
|
||||
<xref linkend="opt-environment.systemPackages" />.
|
||||
</para>
|
||||
<para>
|
||||
If you'd like to add extra plugins to Thunar, add them to
|
||||
<xref linkend="opt-services.xserver.desktopManager.xfce.thunarPlugins" />.
|
||||
You shouldn't just add them to
|
||||
<xref linkend="opt-environment.systemPackages" />.
|
||||
<xref linkend="opt-programs.thunar.plugins" />. You shouldn't just
|
||||
add them to <xref linkend="opt-environment.systemPackages" />.
|
||||
</para>
|
||||
</section>
|
||||
<section xml:id="sec-xfce-troubleshooting">
|
||||
|
|
|
@ -73,7 +73,7 @@ system.activationScripts.my-activation-script = {
|
|||
<title>NixOS snippets</title>
|
||||
<para>
|
||||
There are some snippets NixOS enables by default because disabling
|
||||
them would most likely break you system. This section lists a few
|
||||
them would most likely break your system. This section lists a few
|
||||
of them and what they do:
|
||||
</para>
|
||||
<itemizedlist spacing="compact">
|
||||
|
|
|
@ -2784,6 +2784,12 @@ sudo cp /var/lib/redis/dump.rdb /var/lib/redis-peertube/dump.rdb
|
|||
runs a PostgreSQL server for the duration of package checks.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>zfs</literal> was updated from 2.1.4 to 2.1.5,
|
||||
enabling it to be used with Linux kernel 5.18.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>stdenv.mkDerivation</literal> now supports a
|
||||
|
|
|
@ -156,6 +156,13 @@
|
|||
<link linkend="opt-services.expressvpn.enable">services.expressvpn</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://www.grafana.com/oss/tempo/">Grafana
|
||||
Tempo</link>, a distributed tracing store. Available as
|
||||
<link linkend="opt-services.tempo.enable">services.tempo</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
<section xml:id="sec-release-22.11-incompatibilities">
|
||||
|
@ -192,10 +199,12 @@
|
|||
<listitem>
|
||||
<para>
|
||||
<literal>i18n.supportedLocales</literal> is now by default
|
||||
only generated with the default locale set in
|
||||
<literal>i18n.defaultLocale</literal>. This got copied over
|
||||
from the minimal profile and reduces the final system size by
|
||||
200MB. If you require all locales installed set the option to
|
||||
only generated with the locales set in
|
||||
<literal>i18n.defaultLocale</literal> and
|
||||
<literal>i18n.extraLocaleSettings</literal>. This got
|
||||
partially copied over from the minimal profile and reduces the
|
||||
final system size by up to 200MB. If you require all locales
|
||||
installed set the option to
|
||||
<literal>[ "all" ]</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
|
@ -214,6 +223,14 @@
|
|||
<literal>(with foo; isPower && is32bit && isBigEndian)</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>bsp-layout</literal> no longer uses the command
|
||||
<literal>cycle</literal> to switch to other window layouts, as
|
||||
it got replaced by the commands <literal>previous</literal>
|
||||
and <literal>next</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The Barco ClickShare driver/client package
|
||||
|
@ -240,6 +257,16 @@
|
|||
maintainer to update the package.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>services.graphite.api</literal> and
|
||||
<literal>services.graphite.beacon</literal> NixOS options, and
|
||||
the <literal>python3.pkgs.graphite_api</literal>,
|
||||
<literal>python3.pkgs.graphite_beacon</literal> and
|
||||
<literal>python3.pkgs.influxgraph</literal> packages, have
|
||||
been removed due to lack of upstream maintenance.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
(Neo)Vim can not be configured with
|
||||
|
@ -275,6 +302,13 @@
|
|||
<literal>hardware.saleae-logic.package</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The Redis module now disables RDB persistence when
|
||||
<literal>services.redis.servers.<name>.save = []</literal>
|
||||
instead of using the Redis default.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Matrix Synapse now requires entries in the
|
||||
|
@ -288,8 +322,11 @@
|
|||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>zfs</literal> was updated from 2.1.4 to 2.1.5,
|
||||
enabling it to be used with Linux kernel 5.18.
|
||||
<literal>dockerTools.buildImage</literal> deprecates the
|
||||
misunderstood <literal>contents</literal> parameter, in favor
|
||||
of <literal>copyToRoot</literal>. Use
|
||||
<literal>copyToRoot = buildEnv { ... };</literal> or similar
|
||||
if you intend to add packages to <literal>/bin</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
|
@ -299,6 +336,30 @@
|
|||
as coreboot’s fork is no longer available.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Add udev rules for the Teensy family of microcontrollers.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
There is a new module for the <literal>thunar</literal>
|
||||
program (the Xfce file manager), which depends on the
|
||||
<literal>xfconf</literal> dbus service, and also has a dbus
|
||||
service and a systemd unit. The option
|
||||
<literal>services.xserver.desktopManager.xfce.thunarPlugins</literal>
|
||||
has been renamed to
|
||||
<literal>programs.thunar.plugins</literal>, and in a future
|
||||
release it may be removed.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
There is a new module for the <literal>xfconf</literal>
|
||||
program (the Xfce configuration storage system), which has a
|
||||
dbus service.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
</section>
|
||||
|
|
|
@ -974,6 +974,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- The new [`postgresqlTestHook`](https://nixos.org/manual/nixpkgs/stable/#sec-postgresqlTestHook) runs a PostgreSQL server for the duration of package checks.
|
||||
|
||||
- `zfs` was updated from 2.1.4 to 2.1.5, enabling it to be used with Linux kernel 5.18.
|
||||
|
||||
- `stdenv.mkDerivation` now supports a self-referencing `finalAttrs:` parameter
|
||||
containing the final `mkDerivation` arguments including overrides.
|
||||
`drv.overrideAttrs` now supports two parameters `finalAttrs: previousAttrs:`.
|
||||
|
|
|
@ -64,6 +64,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable).
|
||||
|
||||
- [Grafana Tempo](https://www.grafana.com/oss/tempo/), a distributed tracing store. Available as [services.tempo](#opt-services.tempo.enable).
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
||||
## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
|
||||
|
@ -80,12 +82,14 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
and [changelog](https://ngrok.com/docs/ngrok-agent/changelog). Notably, breaking changes are that the config file format has
|
||||
changed and support for single hypen arguments was dropped.
|
||||
|
||||
- `i18n.supportedLocales` is now by default only generated with the default locale set in `i18n.defaultLocale`.
|
||||
This got copied over from the minimal profile and reduces the final system size by 200MB.
|
||||
- `i18n.supportedLocales` is now by default only generated with the locales set in `i18n.defaultLocale` and `i18n.extraLocaleSettings`.
|
||||
This got partially copied over from the minimal profile and reduces the final system size by up to 200MB.
|
||||
If you require all locales installed set the option to ``[ "all" ]``.
|
||||
|
||||
- The `isPowerPC` predicate, found on `platform` attrsets (`hostPlatform`, `buildPlatform`, `targetPlatform`, etc) has been removed in order to reduce confusion. The predicate was was defined such that it matches only the 32-bit big-endian members of the POWER/PowerPC family, despite having a name which would imply a broader set of systems. If you were using this predicate, you can replace `foo.isPowerPC` with `(with foo; isPower && is32bit && isBigEndian)`.
|
||||
|
||||
- `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`.
|
||||
|
||||
- The Barco ClickShare driver/client package `pkgs.clickshare-csc1` and the option `programs.clickshare-csc1.enable` have been removed,
|
||||
as it requires `qt4`, which reached its end-of-life 2015 and will no longer be supported by nixpkgs.
|
||||
[According to Barco](https://www.barco.com/de/support/knowledge-base/4380-can-i-use-linux-os-with-clickshare-base-units) many of their base unit models can be used with Google Chrome and the Google Cast extension.
|
||||
|
@ -95,6 +99,11 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- riak package removed along with `services.riak` module, due to lack of maintainer to update the package.
|
||||
|
||||
- The `services.graphite.api` and `services.graphite.beacon` NixOS options, and
|
||||
the `python3.pkgs.graphite_api`, `python3.pkgs.graphite_beacon` and
|
||||
`python3.pkgs.influxgraph` packages, have been removed due to lack of upstream
|
||||
maintenance.
|
||||
|
||||
- (Neo)Vim can not be configured with `configure.pathogen` anymore to reduce maintainance burden.
|
||||
Use `configure.packages` instead.
|
||||
|
||||
|
@ -108,10 +117,19 @@ Use `configure.packages` instead.
|
|||
|
||||
- A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
|
||||
|
||||
- The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default.
|
||||
|
||||
- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
|
||||
|
||||
- `zfs` was updated from 2.1.4 to 2.1.5, enabling it to be used with Linux kernel 5.18.
|
||||
- `dockerTools.buildImage` deprecates the misunderstood `contents` parameter, in favor of `copyToRoot`.
|
||||
Use `copyToRoot = buildEnv { ... };` or similar if you intend to add packages to `/bin`.
|
||||
|
||||
- memtest86+ was updated from 5.00-coreboot-002 to 6.00-beta2. It is now the upstream version from https://www.memtest.org/, as coreboot's fork is no longer available.
|
||||
|
||||
- Add udev rules for the Teensy family of microcontrollers.
|
||||
|
||||
- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed.
|
||||
|
||||
- There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service.
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
|
|
@ -128,7 +128,7 @@ let
|
|||
gptfdisk
|
||||
nix
|
||||
parted
|
||||
utillinux
|
||||
util-linux
|
||||
zfs
|
||||
]
|
||||
);
|
||||
|
|
|
@ -22,6 +22,10 @@
|
|||
, transformOptions ? lib.id # function for additional tranformations of the options
|
||||
, documentType ? "appendix" # TODO deprecate "appendix" in favor of "none"
|
||||
# and/or rename function to moduleOptionDoc for clean slate
|
||||
|
||||
# If you include more than one option list into a document, you need to
|
||||
# provide different ids.
|
||||
, variablelistId ? "configuration-variable-list"
|
||||
, revision ? "" # Specify revision for the options
|
||||
# a set of options the docs we are generating will be merged into, as if by recursiveUpdate.
|
||||
# used to split the options doc build into a static part (nixos/modules) and a dynamic part
|
||||
|
@ -177,6 +181,7 @@ in rec {
|
|||
${pkgs.libxslt.bin}/bin/xsltproc \
|
||||
--stringparam documentType '${documentType}' \
|
||||
--stringparam revision '${revision}' \
|
||||
--stringparam variablelistId '${variablelistId}' \
|
||||
-o intermediate.xml ${./options-to-docbook.xsl} sorted.xml
|
||||
${pkgs.libxslt.bin}/bin/xsltproc \
|
||||
-o "$out" ${./postprocess-option-descriptions.xsl} intermediate.xml
|
||||
|
|
|
@ -57,19 +57,21 @@ def convertMD(options: Dict[str, Any]) -> str:
|
|||
try:
|
||||
return super(Renderer, self)._get_method(name)
|
||||
except AttributeError:
|
||||
def not_supported(children, **kwargs):
|
||||
raise NotImplementedError("md node not supported yet", name, children, **kwargs)
|
||||
def not_supported(*args, **kwargs):
|
||||
raise NotImplementedError("md node not supported yet", name, args, **kwargs)
|
||||
return not_supported
|
||||
|
||||
def text(self, text):
|
||||
return escape(text)
|
||||
def paragraph(self, text):
|
||||
return text + "\n\n"
|
||||
def newline(self):
|
||||
return "<literallayout>\n</literallayout>"
|
||||
def codespan(self, text):
|
||||
return f"<literal>{text}</literal>"
|
||||
return f"<literal>{escape(text)}</literal>"
|
||||
def block_code(self, text, info=None):
|
||||
info = f" language={quoteattr(info)}" if info is not None else ""
|
||||
return f"<programlisting{info}>\n{text}</programlisting>"
|
||||
return f"<programlisting{info}>\n{escape(text)}</programlisting>"
|
||||
def link(self, link, text=None, title=None):
|
||||
if link[0:1] == '#':
|
||||
attr = "linkend"
|
||||
|
@ -102,6 +104,8 @@ def convertMD(options: Dict[str, Any]) -> str:
|
|||
# a single paragraph and the original docbook string is no longer
|
||||
# available to restore the trailer.
|
||||
return f"<{tag}><para>{text.rstrip()}</para></{tag}>"
|
||||
def block_quote(self, text):
|
||||
return f"<blockquote><para>{text}</para></blockquote>"
|
||||
def command(self, text):
|
||||
return f"<command>{escape(text)}</command>"
|
||||
def option(self, text):
|
||||
|
@ -194,7 +198,7 @@ overrides = pivot(json.load(open(sys.argv[2 + optOffset], 'r')))
|
|||
for (k, v) in options.items():
|
||||
# The _module options are not declared in nixos/modules
|
||||
if v.value['loc'][0] != "_module":
|
||||
v.value['declarations'] = list(map(lambda s: f'nixos/modules/{s}', v.value['declarations']))
|
||||
v.value['declarations'] = list(map(lambda s: f'nixos/modules/{s}' if isinstance(s, str) else s, v.value['declarations']))
|
||||
|
||||
# merge both descriptions
|
||||
for (k, v) in overrides.items():
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
<xsl:param name="revision" />
|
||||
<xsl:param name="documentType" />
|
||||
<xsl:param name="program" />
|
||||
<xsl:param name="variablelistId" />
|
||||
|
||||
|
||||
<xsl:template match="/expr/list">
|
||||
|
@ -31,7 +32,8 @@
|
|||
</xsl:template>
|
||||
|
||||
<xsl:template name="variable-list">
|
||||
<variablelist xml:id="configuration-variable-list">
|
||||
<variablelist>
|
||||
<xsl:attribute name="id" namespace="http://www.w3.org/XML/1998/namespace"><xsl:value-of select="$variablelistId"/></xsl:attribute>
|
||||
<xsl:for-each select="attrs">
|
||||
<xsl:variable name="id" select="
|
||||
concat('opt-',
|
||||
|
|
|
@ -116,7 +116,7 @@ let
|
|||
gptfdisk
|
||||
nix
|
||||
parted
|
||||
utillinux
|
||||
util-linux
|
||||
zfs
|
||||
]
|
||||
);
|
||||
|
|
|
@ -65,7 +65,7 @@ let
|
|||
${fcBool cfg.hinting.autohint}
|
||||
</edit>
|
||||
<edit mode="append" name="hintstyle">
|
||||
<const>hintslight</const>
|
||||
<const>${cfg.hinting.style}</const>
|
||||
</edit>
|
||||
<edit mode="append" name="antialias">
|
||||
${fcBool cfg.antialias}
|
||||
|
@ -226,7 +226,6 @@ in
|
|||
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "fonts" "fontconfig" "useEmbeddedBitmaps" ])
|
||||
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "fonts" "fontconfig" "forceAutohint" ])
|
||||
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ])
|
||||
(mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "")
|
||||
(mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "")
|
||||
(mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "")
|
||||
(mkRemovedOptionModule [ "fonts" "fontconfig" "dpi" ] "Use display server-specific options")
|
||||
|
@ -349,6 +348,20 @@ in
|
|||
fonts, but better than unhinted fonts.
|
||||
'';
|
||||
};
|
||||
|
||||
style = mkOption {
|
||||
type = types.enum [ "hintnone" "hintslight" "hintmedium" "hintfull" ];
|
||||
default = "hintslight";
|
||||
description = ''
|
||||
Hintstyle is the amount of font reshaping done to line up
|
||||
to the grid.
|
||||
|
||||
hintslight will make the font more fuzzy to line up to the grid
|
||||
but will be better in retaining font shape, while hintfull will
|
||||
be a crisp font that aligns well to the pixel grid but will lose
|
||||
a greater amount of font shape.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
includeUserConf = mkOption {
|
||||
|
|
|
@ -53,8 +53,22 @@ with lib;
|
|||
|
||||
supportedLocales = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ (config.i18n.defaultLocale + "/UTF-8") ];
|
||||
defaultText = literalExpression "[ (config.i18n.defaultLocale + \"/UTF-8\") ]";
|
||||
default = builtins.map (l: l + "/UTF-8")
|
||||
(unique (
|
||||
[
|
||||
"C.UTF-8"
|
||||
config.i18n.defaultLocale
|
||||
] ++ (attrValues (filterAttrs (n: v: n != "LANGUAGE") config.i18n.extraLocaleSettings))
|
||||
));
|
||||
defaultText = literalExpression ''
|
||||
builtins.map (l: l + "/UTF-8")
|
||||
(unique (
|
||||
[
|
||||
"C.UTF-8"
|
||||
config.i18n.defaultLocale
|
||||
] ++ (attrValues (filterAttrs (n: v: n != "LANGUAGE") config.i18n.extraLocaleSettings))
|
||||
))
|
||||
'';
|
||||
example = ["en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1"];
|
||||
description = ''
|
||||
List of locales that the system should support. The value
|
||||
|
|
33
third_party/nixpkgs/nixos/modules/config/qt5.nix
vendored
33
third_party/nixpkgs/nixos/modules/config/qt5.nix
vendored
|
@ -8,14 +8,21 @@ let
|
|||
|
||||
isQGnome = cfg.platformTheme == "gnome" && builtins.elem cfg.style ["adwaita" "adwaita-dark"];
|
||||
isQtStyle = cfg.platformTheme == "gtk2" && !(builtins.elem cfg.style ["adwaita" "adwaita-dark"]);
|
||||
isQt5ct = cfg.platformTheme == "qt5ct";
|
||||
isLxqt = cfg.platformTheme == "lxqt";
|
||||
isKde = cfg.platformTheme == "kde";
|
||||
|
||||
packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ]
|
||||
else if isQtStyle then [ pkgs.libsForQt5.qtstyleplugins ]
|
||||
else if isQt5ct then [ pkgs.libsForQt5.qt5ct ]
|
||||
else if isLxqt then [ pkgs.lxqt.lxqt-qtplugin pkgs.lxqt.lxqt-config ]
|
||||
else if isKde then [ pkgs.libsForQt5.plasma-integration pkgs.libsForQt5.systemsettings ]
|
||||
else throw "`qt5.platformTheme` ${cfg.platformTheme} and `qt5.style` ${cfg.style} are not compatible.";
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
meta.maintainers = [ maintainers.romildo ];
|
||||
|
||||
options = {
|
||||
qt5 = {
|
||||
|
@ -26,11 +33,17 @@ in
|
|||
type = types.enum [
|
||||
"gtk2"
|
||||
"gnome"
|
||||
"lxqt"
|
||||
"qt5ct"
|
||||
"kde"
|
||||
];
|
||||
example = "gnome";
|
||||
relatedPackages = [
|
||||
"qgnomeplatform"
|
||||
["libsForQt5" "qtstyleplugins"]
|
||||
["libsForQt5" "qt5ct"]
|
||||
["lxqt" "lxqt-qtplugin"]
|
||||
["libsForQt5" "plasma-integration"]
|
||||
];
|
||||
description = ''
|
||||
Selects the platform theme to use for Qt5 applications.</para>
|
||||
|
@ -48,6 +61,24 @@ in
|
|||
<link xlink:href="https://github.com/FedoraQt/QGnomePlatform">qgnomeplatform</link>
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><literal>lxqt</literal></term>
|
||||
<listitem><para>Use LXQt style set using the
|
||||
<link xlink:href="https://github.com/lxqt/lxqt-config">lxqt-config-appearance</link>
|
||||
application.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><literal>qt5ct</literal></term>
|
||||
<listitem><para>Use Qt style set using the
|
||||
<link xlink:href="https://sourceforge.net/projects/qt5ct/">qt5ct</link>
|
||||
application.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
<term><literal>kde</literal></term>
|
||||
<listitem><para>Use Qt settings from Plasma.</para></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
'';
|
||||
};
|
||||
|
@ -96,7 +127,7 @@ in
|
|||
|
||||
environment.variables.QT_QPA_PLATFORMTHEME = cfg.platformTheme;
|
||||
|
||||
environment.variables.QT_STYLE_OVERRIDE = cfg.style;
|
||||
environment.variables.QT_STYLE_OVERRIDE = mkIf (! (isQt5ct || isLxqt || isKde)) cfg.style;
|
||||
|
||||
environment.systemPackages = packages;
|
||||
|
||||
|
|
|
@ -50,7 +50,20 @@ in
|
|||
default = !(config.environment.etc ? "resolv.conf");
|
||||
defaultText = literalExpression ''!(config.environment.etc ? "resolv.conf")'';
|
||||
description = ''
|
||||
DNS configuration is managed by resolvconf.
|
||||
Whether DNS configuration is managed by resolvconf.
|
||||
'';
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.openresolv;
|
||||
defaultText = literalExpression "pkgs.openresolv";
|
||||
description = ''
|
||||
The package that provides the system-wide resolvconf command. Defaults to <literal>openresolv</literal>
|
||||
if this module is enabled. Otherwise, can be used by other modules (for example <option>services.resolved</option>) to
|
||||
provide a compatibility layer.
|
||||
|
||||
This option generally shouldn't be set by the user.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -119,10 +132,12 @@ in
|
|||
exit 1
|
||||
''
|
||||
else configText;
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
}
|
||||
|
||||
(mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.openresolv ];
|
||||
networking.resolvconf.package = pkgs.openresolv;
|
||||
|
||||
systemd.services.resolvconf = {
|
||||
description = "resolvconf update";
|
||||
|
@ -134,7 +149,7 @@ in
|
|||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = "${pkgs.openresolv}/bin/resolvconf -u";
|
||||
ExecStart = "${cfg.package}/bin/resolvconf -u";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,10 +1,30 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
inherit (lib)
|
||||
mkEnableOption
|
||||
mkIf
|
||||
mkOption
|
||||
mkRenamedOptionModule
|
||||
teams
|
||||
types;
|
||||
in
|
||||
|
||||
{
|
||||
imports = [
|
||||
(mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ])
|
||||
|
||||
({ config, lib, options, ... }:
|
||||
let
|
||||
from = [ "xdg" "portal" "gtkUsePortal" ];
|
||||
fromOpt = lib.getAttrFromPath from options;
|
||||
in
|
||||
{
|
||||
warnings = lib.mkIf config.xdg.portal.gtkUsePortal [
|
||||
"The option `${lib.showOption from}' defined in ${lib.showFiles fromOpt.files} has been deprecated. Setting the variable globally with `environment.sessionVariables' NixOS option can have unforseen side-effects."
|
||||
];
|
||||
}
|
||||
)
|
||||
];
|
||||
|
||||
meta = {
|
||||
|
@ -32,11 +52,12 @@ with lib;
|
|||
|
||||
gtkUsePortal = mkOption {
|
||||
type = types.bool;
|
||||
visible = false;
|
||||
default = false;
|
||||
description = ''
|
||||
Sets environment variable <literal>GTK_USE_PORTAL</literal> to <literal>1</literal>.
|
||||
This is needed for packages ran outside Flatpak to respect and use XDG Desktop Portals.
|
||||
For example, you'd need to set this for non-flatpak Firefox to use native filechoosers.
|
||||
This will force GTK-based programs ran outside Flatpak to respect and use XDG Desktop Portals
|
||||
for features like file chooser but it is an unsupported hack that can easily break things.
|
||||
Defaults to <literal>false</literal> to respect its opt-in nature.
|
||||
'';
|
||||
};
|
||||
|
|
49
third_party/nixpkgs/nixos/modules/config/xdg/portals/lxqt.nix
vendored
Normal file
49
third_party/nixpkgs/nixos/modules/config/xdg/portals/lxqt.nix
vendored
Normal file
|
@ -0,0 +1,49 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.xdg.portal.lxqt;
|
||||
|
||||
in
|
||||
{
|
||||
meta = {
|
||||
maintainers = teams.lxqt.members;
|
||||
};
|
||||
|
||||
options.xdg.portal.lxqt = {
|
||||
enable = mkEnableOption ''
|
||||
the desktop portal for the LXQt desktop environment.
|
||||
|
||||
This will add the <package>lxqt.xdg-desktop-portal-lxqt</package>
|
||||
package (with the extra Qt styles) into the
|
||||
<option>xdg.portal.extraPortals</option> option
|
||||
'';
|
||||
|
||||
styles = mkOption {
|
||||
type = types.listOf types.package;
|
||||
default = [];
|
||||
example = literalExpression ''[
|
||||
pkgs.libsForQt5.qtstyleplugin-kvantum
|
||||
pkgs.breeze-qt5
|
||||
pkgs.qtcurve
|
||||
];
|
||||
'';
|
||||
description = ''
|
||||
Extra Qt styles that will be available to the
|
||||
<package>lxqt.xdg-desktop-portal-lxqt</package>.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
xdg.portal = {
|
||||
enable = true;
|
||||
extraPortals = [
|
||||
(pkgs.lxqt.xdg-desktop-portal-lxqt.override { extraQtStyles = cfg.styles; })
|
||||
];
|
||||
};
|
||||
|
||||
environment.systemPackages = cfg.styles;
|
||||
};
|
||||
}
|
|
@ -48,6 +48,6 @@ in
|
|||
};
|
||||
|
||||
meta = {
|
||||
maintainers = with lib.maintainers; [ kierdavis ];
|
||||
maintainers = with lib.maintainers; [ superherointj ];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -40,7 +40,7 @@ let
|
|||
homepage = "https://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/";
|
||||
license = licenses.unfreeRedistributable;
|
||||
platforms = [ "x86_64-linux" ];
|
||||
maintainers = with maintainers; [ volth ];
|
||||
maintainers = with maintainers; [ ];
|
||||
};
|
||||
};
|
||||
in {
|
||||
|
|
|
@ -24,7 +24,7 @@ let
|
|||
primeEnabled = syncCfg.enable || offloadCfg.enable;
|
||||
nvidiaPersistencedEnabled = cfg.nvidiaPersistenced;
|
||||
nvidiaSettings = cfg.nvidiaSettings;
|
||||
busIDType = types.strMatching "([[:print:]]+\:[0-9]{1,3}\:[0-9]{1,2}\:[0-9])?";
|
||||
busIDType = types.strMatching "([[:print:]]+[\:\@][0-9]{1,3}\:[0-9]{1,2}\:[0-9])?";
|
||||
in
|
||||
|
||||
{
|
||||
|
|
|
@ -1,160 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
# A dummy /etc/nixos/configuration.nix in the booted CD that
|
||||
# rebuilds the CD's configuration (and allows the configuration to
|
||||
# be modified, of course, providing a true live CD). Problem is
|
||||
# that we don't really know how the CD was built - the Nix
|
||||
# expression language doesn't allow us to query the expression being
|
||||
# evaluated. So we'll just hope for the best.
|
||||
dummyConfiguration = pkgs.writeText "configuration.nix"
|
||||
''
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{ # Add your own options below, e.g.:
|
||||
# services.openssh.enable = true;
|
||||
nixpkgs.config.platform = pkgs.platforms.fuloong2f_n32;
|
||||
}
|
||||
'';
|
||||
|
||||
|
||||
pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
|
||||
|
||||
# A clue for the kernel loading
|
||||
kernelParams = pkgs.writeText "kernel-params.txt" ''
|
||||
Kernel Parameters:
|
||||
init=/boot/init ${toString config.boot.kernelParams}
|
||||
'';
|
||||
|
||||
# System wide nixpkgs config
|
||||
nixpkgsUserConfig = pkgs.writeText "config.nix" ''
|
||||
pkgs:
|
||||
{
|
||||
platform = pkgs.platforms.fuloong2f_n32;
|
||||
}
|
||||
'';
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
imports = [ ./system-tarball.nix ];
|
||||
|
||||
# Disable some other stuff we don't need.
|
||||
security.sudo.enable = false;
|
||||
|
||||
# Include only the en_US locale. This saves 75 MiB or so compared to
|
||||
# the full glibcLocales package.
|
||||
i18n.supportedLocales = ["en_US.UTF-8/UTF-8" "en_US/ISO-8859-1"];
|
||||
|
||||
# Include some utilities that are useful for installing or repairing
|
||||
# the system.
|
||||
environment.systemPackages =
|
||||
[ pkgs.w3m # needed for the manual anyway
|
||||
pkgs.testdisk # useful for repairing boot problems
|
||||
pkgs.ms-sys # for writing Microsoft boot sectors / MBRs
|
||||
pkgs.parted
|
||||
pkgs.ddrescue
|
||||
pkgs.ccrypt
|
||||
pkgs.cryptsetup # needed for dm-crypt volumes
|
||||
|
||||
# Some networking tools.
|
||||
pkgs.sshfs-fuse
|
||||
pkgs.socat
|
||||
pkgs.screen
|
||||
pkgs.wpa_supplicant # !!! should use the wpa module
|
||||
|
||||
# Hardware-related tools.
|
||||
pkgs.sdparm
|
||||
pkgs.hdparm
|
||||
pkgs.dmraid
|
||||
|
||||
# Tools to create / manipulate filesystems.
|
||||
pkgs.ntfsprogs # for resizing NTFS partitions
|
||||
pkgs.btrfs-progs
|
||||
pkgs.jfsutils
|
||||
|
||||
# Some compression/archiver tools.
|
||||
pkgs.unzip
|
||||
pkgs.zip
|
||||
pkgs.xz
|
||||
pkgs.dar # disk archiver
|
||||
|
||||
# Some editors.
|
||||
pkgs.nvi
|
||||
pkgs.bvi # binary editor
|
||||
pkgs.joe
|
||||
];
|
||||
|
||||
# The initrd has to contain any module that might be necessary for
|
||||
# mounting the CD/DVD.
|
||||
boot.initrd.availableKernelModules =
|
||||
[ "vfat" "reiserfs" ];
|
||||
|
||||
boot.kernelPackages = pkgs.linuxKernel.packages.linux_3_10;
|
||||
boot.kernelParams = [ "console=tty1" ];
|
||||
|
||||
boot.postBootCommands =
|
||||
''
|
||||
mkdir -p /mnt
|
||||
|
||||
cp ${dummyConfiguration} /etc/nixos/configuration.nix
|
||||
'';
|
||||
|
||||
# Some more help text.
|
||||
services.getty.helpLine =
|
||||
''
|
||||
|
||||
Log in as "root" with an empty password. ${
|
||||
if config.services.xserver.enable then
|
||||
"Type `start xserver' to start\nthe graphical user interface."
|
||||
else ""
|
||||
}
|
||||
'';
|
||||
|
||||
# Include the firmware for various wireless cards.
|
||||
networking.enableRalinkFirmware = true;
|
||||
networking.enableIntel2200BGFirmware = true;
|
||||
|
||||
# To speed up further installation of packages, include the complete stdenv
|
||||
# in the Nix store of the tarball.
|
||||
tarball.storeContents = pkgs2storeContents [ pkgs.stdenv ]
|
||||
++ [
|
||||
{
|
||||
object = config.system.build.bootStage2;
|
||||
symlink = "/boot/init";
|
||||
}
|
||||
{
|
||||
object = config.system.build.toplevel;
|
||||
symlink = "/boot/system";
|
||||
}
|
||||
];
|
||||
|
||||
tarball.contents = [
|
||||
{ source = kernelParams;
|
||||
target = "/kernelparams.txt";
|
||||
}
|
||||
{ source = config.boot.kernelPackages.kernel + "/" + config.system.boot.loader.kernelFile;
|
||||
target = "/boot/" + config.system.boot.loader.kernelFile;
|
||||
}
|
||||
{ source = nixpkgsUserConfig;
|
||||
target = "/root/.nixpkgs/config.nix";
|
||||
}
|
||||
];
|
||||
|
||||
# Allow sshd to be started manually through "start sshd". It should
|
||||
# not be started by default on the installation CD because the
|
||||
# default root password is empty.
|
||||
services.openssh.enable = true;
|
||||
systemd.services.openssh.wantedBy = lib.mkOverride 50 [];
|
||||
|
||||
boot.loader.grub.enable = false;
|
||||
boot.loader.generationsDir.enable = false;
|
||||
system.boot.loader.kernelFile = "vmlinux";
|
||||
|
||||
nixpkgs.config = {
|
||||
platform = pkgs.platforms.fuloong2f_n32;
|
||||
};
|
||||
}
|
|
@ -1,89 +0,0 @@
|
|||
Let all the files in the system tarball sit in a directory served by NFS (the
|
||||
NFS root) like this in exportfs:
|
||||
/home/pcroot 192.168.1.0/24(rw,no_root_squash,no_all_squash)
|
||||
|
||||
Run "exportfs -a" after editing /etc/exportfs, for the nfs server to be aware
|
||||
of the changes.
|
||||
|
||||
Use a tftp server serving the root of boot/ (from the system tarball).
|
||||
|
||||
In order to have PXE boot, use the boot/dhcpd.conf-example file for your dhcpd
|
||||
server, as it will point your PXE clients to pxelinux.0 from the tftp server.
|
||||
Adapt the configuration to your network.
|
||||
|
||||
Adapt the pxelinux configuration (boot/pxelinux.cfg/default) to set the path to
|
||||
your nfrroot. If you use ip=dhcp in the kernel, the nfs server ip will be taken
|
||||
from dhcp and so you don't have to specify it.
|
||||
|
||||
The linux in bzImage includes network drivers for some usual cards.
|
||||
|
||||
|
||||
QEMU Testing
|
||||
---------------
|
||||
|
||||
You can test qemu pxe boot without having a DHCP server adapted, but having
|
||||
nfsroot, like this:
|
||||
qemu-system-x86_64 -tftp /home/pcroot/boot -net nic -net user,bootfile=pxelinux.0 -boot n
|
||||
|
||||
I don't know how to use NFS through the qemu '-net user' though.
|
||||
|
||||
|
||||
QEMU Testing with NFS root and bridged network
|
||||
-------------------------------------------------
|
||||
|
||||
This allows testing with qemu as any other host in your LAN.
|
||||
|
||||
Testing with the real dhcpd server requires setting up a bridge and having a
|
||||
tap device.
|
||||
tunctl -t tap0
|
||||
brctl addbr br0
|
||||
brctl addif br0 eth0
|
||||
brctl addif tap0 eth0
|
||||
ifconfig eth0 0.0.0.0 up
|
||||
ifconfig tap0 0.0.0.0 up
|
||||
ifconfig br0 up # With your ip configuration
|
||||
|
||||
Then you can run qemu:
|
||||
qemu-system-x86_64 -boot n -net tap,ifname=tap0,script=no -net nic,model=e1000
|
||||
|
||||
|
||||
Using the system-tarball-pc in a chroot
|
||||
--------------------------------------------------
|
||||
|
||||
Installation:
|
||||
mkdir nixos-chroot && cd nixos-chroot
|
||||
tar xf your-system-tarball.tar.xz
|
||||
mkdir sys dev proc tmp root var run
|
||||
mount --bind /sys sys
|
||||
mount --bind /dev dev
|
||||
mount --bind /proc proc
|
||||
|
||||
Activate the system: look for a directory in nix/store similar to:
|
||||
"/nix/store/y0d1lcj9fppli0hl3x0m0ba5g1ndjv2j-nixos-feb97bx-53f008"
|
||||
Having found it, activate that nixos system *twice*:
|
||||
chroot . /nix/store/SOMETHING-nixos-SOMETHING/activate
|
||||
chroot . /nix/store/SOMETHING-nixos-SOMETHING/activate
|
||||
|
||||
This runs a 'hostname' command. Restore your old hostname with:
|
||||
hostname OLDHOSTNAME
|
||||
|
||||
Copy your system resolv.conf to the /etc/resolv.conf inside the chroot:
|
||||
cp /etc/resolv.conf etc
|
||||
|
||||
Then you can get an interactive shell in the nixos chroot. '*' means
|
||||
to run inside the chroot interactive shell
|
||||
chroot . /bin/sh
|
||||
* source /etc/profile
|
||||
|
||||
Populate the nix database: that should be done in the init script if you
|
||||
had booted this nixos. Run:
|
||||
* `grep local-cmds run/current-system/init`
|
||||
|
||||
Then you can proceed normally subscribing to a nixos channel:
|
||||
nix-channel --add https://nixos.org/channels/nixos-unstable
|
||||
nix-channel --update
|
||||
|
||||
Testing:
|
||||
nix-env -i hello
|
||||
which hello
|
||||
hello
|
|
@ -1,163 +0,0 @@
|
|||
# This module contains the basic configuration for building a NixOS
|
||||
# tarball, that can directly boot, maybe using PXE or unpacking on a fs.
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
|
||||
|
||||
# For PXE kernel loading
|
||||
pxeconfig = pkgs.writeText "pxeconfig-default" ''
|
||||
default menu.c32
|
||||
prompt 0
|
||||
|
||||
label bootlocal
|
||||
menu default
|
||||
localboot 0
|
||||
timeout 80
|
||||
TOTALTIMEOUT 9000
|
||||
|
||||
label nixos
|
||||
MENU LABEL ^NixOS using nfsroot
|
||||
KERNEL bzImage
|
||||
append ip=dhcp nfsroot=/home/pcroot init=${config.system.build.toplevel}/init rw
|
||||
|
||||
# I don't know how to make this boot with nfsroot (using the initrd)
|
||||
label nixos_initrd
|
||||
MENU LABEL NixOS booting the poor ^initrd.
|
||||
KERNEL bzImage
|
||||
append initrd=initrd ip=dhcp nfsroot=/home/pcroot init=${config.system.build.toplevel}/init rw
|
||||
|
||||
label memtest
|
||||
MENU LABEL ^${pkgs.memtest86.name}
|
||||
KERNEL memtest
|
||||
'';
|
||||
|
||||
dhcpdExampleConfig = pkgs.writeText "dhcpd.conf-example" ''
|
||||
# Example configuration for booting PXE.
|
||||
allow booting;
|
||||
allow bootp;
|
||||
|
||||
# Adapt this to your network configuration.
|
||||
option domain-name "local";
|
||||
option subnet-mask 255.255.255.0;
|
||||
option broadcast-address 192.168.1.255;
|
||||
option domain-name-servers 192.168.1.1;
|
||||
option routers 192.168.1.1;
|
||||
|
||||
# PXE-specific configuration directives...
|
||||
# Some BIOS don't accept slashes for paths inside the tftp servers,
|
||||
# and will report Access Violation if they see slashes.
|
||||
filename "pxelinux.0";
|
||||
# For the TFTP and NFS root server. Set the IP of your server.
|
||||
next-server 192.168.1.34;
|
||||
|
||||
subnet 192.168.1.0 netmask 255.255.255.0 {
|
||||
range 192.168.1.50 192.168.1.55;
|
||||
}
|
||||
'';
|
||||
|
||||
readme = ./system-tarball-pc-readme.txt;
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
imports =
|
||||
[ ./system-tarball.nix
|
||||
|
||||
# Profiles of this basic installation.
|
||||
../../profiles/all-hardware.nix
|
||||
../../profiles/base.nix
|
||||
../../profiles/installation-device.nix
|
||||
];
|
||||
|
||||
# To speed up further installation of packages, include the complete stdenv
|
||||
# in the Nix store of the tarball.
|
||||
tarball.storeContents = pkgs2storeContents [ pkgs.stdenv ];
|
||||
|
||||
tarball.contents =
|
||||
[ { source = config.boot.kernelPackages.kernel + "/" + config.system.boot.loader.kernelFile;
|
||||
target = "/boot/" + config.system.boot.loader.kernelFile;
|
||||
}
|
||||
{ source = "${pkgs.syslinux}/share/syslinux/pxelinux.0";
|
||||
target = "/boot/pxelinux.0";
|
||||
}
|
||||
{ source = "${pkgs.syslinux}/share/syslinux/menu.c32";
|
||||
target = "/boot/menu.c32";
|
||||
}
|
||||
{ source = pxeconfig;
|
||||
target = "/boot/pxelinux.cfg/default";
|
||||
}
|
||||
{ source = readme;
|
||||
target = "/readme.txt";
|
||||
}
|
||||
{ source = dhcpdExampleConfig;
|
||||
target = "/boot/dhcpd.conf-example";
|
||||
}
|
||||
{ source = "${pkgs.memtest86}/memtest.bin";
|
||||
# We can't leave '.bin', because pxelinux interprets this specially,
|
||||
# and it would not load the image fine.
|
||||
# http://forum.canardpc.com/threads/46464-0104-when-launched-via-pxe
|
||||
target = "/boot/memtest";
|
||||
}
|
||||
];
|
||||
|
||||
# Allow sshd to be started manually through "start sshd". It should
|
||||
# not be started by default on the installation CD because the
|
||||
# default root password is empty.
|
||||
services.openssh.enable = true;
|
||||
systemd.services.openssh.wantedBy = lib.mkOverride 50 [];
|
||||
|
||||
# To be able to use the systemTarball to catch troubles.
|
||||
boot.crashDump = {
|
||||
enable = true;
|
||||
kernelPackages = pkgs.linuxKernel.packages.linux_3_4;
|
||||
};
|
||||
|
||||
# No grub for the tarball.
|
||||
boot.loader.grub.enable = false;
|
||||
|
||||
/* fake entry, just to have a happy stage-1. Users
|
||||
may boot without having stage-1 though */
|
||||
fileSystems.fake =
|
||||
{ mountPoint = "/";
|
||||
device = "/dev/something";
|
||||
};
|
||||
|
||||
nixpkgs.config = {
|
||||
packageOverrides = p: {
|
||||
linux_3_4 = p.linux_3_4.override {
|
||||
extraConfig = ''
|
||||
# Enable drivers in kernel for most NICs.
|
||||
E1000 y
|
||||
# E1000E y
|
||||
# ATH5K y
|
||||
8139TOO y
|
||||
NE2K_PCI y
|
||||
ATL1 y
|
||||
ATL1E y
|
||||
ATL1C y
|
||||
VORTEX y
|
||||
VIA_RHINE y
|
||||
R8169 y
|
||||
|
||||
# Enable nfs root boot
|
||||
UNIX y # http://www.linux-mips.org/archives/linux-mips/2006-11/msg00113.html
|
||||
IP_PNP y
|
||||
IP_PNP_DHCP y
|
||||
FSCACHE y
|
||||
NFS_FS y
|
||||
NFS_FSCACHE y
|
||||
ROOT_NFS y
|
||||
|
||||
# Enable devtmpfs
|
||||
DEVTMPFS y
|
||||
DEVTMPFS_MOUNT y
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,172 +0,0 @@
|
|||
# This module contains the basic configuration for building a NixOS
|
||||
# tarball for the sheevaplug.
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
# A dummy /etc/nixos/configuration.nix in the booted CD that
|
||||
# rebuilds the CD's configuration (and allows the configuration to
|
||||
# be modified, of course, providing a true live CD). Problem is
|
||||
# that we don't really know how the CD was built - the Nix
|
||||
# expression language doesn't allow us to query the expression being
|
||||
# evaluated. So we'll just hope for the best.
|
||||
dummyConfiguration = pkgs.writeText "configuration.nix"
|
||||
''
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
# Add your own options below and run "nixos-rebuild switch".
|
||||
# E.g.,
|
||||
# services.openssh.enable = true;
|
||||
}
|
||||
'';
|
||||
|
||||
|
||||
pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
|
||||
|
||||
# A clue for the kernel loading
|
||||
kernelParams = pkgs.writeText "kernel-params.txt" ''
|
||||
Kernel Parameters:
|
||||
init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}
|
||||
'';
|
||||
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
imports = [ ./system-tarball.nix ];
|
||||
|
||||
# Disable some other stuff we don't need.
|
||||
security.sudo.enable = false;
|
||||
|
||||
# Include only the en_US locale. This saves 75 MiB or so compared to
|
||||
# the full glibcLocales package.
|
||||
i18n.supportedLocales = ["en_US.UTF-8/UTF-8" "en_US/ISO-8859-1"];
|
||||
|
||||
# Include some utilities that are useful for installing or repairing
|
||||
# the system.
|
||||
environment.systemPackages =
|
||||
[ pkgs.w3m # needed for the manual anyway
|
||||
pkgs.ddrescue
|
||||
pkgs.ccrypt
|
||||
pkgs.cryptsetup # needed for dm-crypt volumes
|
||||
|
||||
# Some networking tools.
|
||||
pkgs.sshfs-fuse
|
||||
pkgs.socat
|
||||
pkgs.screen
|
||||
pkgs.wpa_supplicant # !!! should use the wpa module
|
||||
|
||||
# Hardware-related tools.
|
||||
pkgs.sdparm
|
||||
pkgs.hdparm
|
||||
pkgs.dmraid
|
||||
|
||||
# Tools to create / manipulate filesystems.
|
||||
pkgs.btrfs-progs
|
||||
|
||||
# Some compression/archiver tools.
|
||||
pkgs.unzip
|
||||
pkgs.zip
|
||||
pkgs.xz
|
||||
pkgs.dar # disk archiver
|
||||
|
||||
# Some editors.
|
||||
pkgs.nvi
|
||||
pkgs.bvi # binary editor
|
||||
pkgs.joe
|
||||
];
|
||||
|
||||
boot.loader.grub.enable = false;
|
||||
boot.loader.generationsDir.enable = false;
|
||||
system.boot.loader.kernelFile = "uImage";
|
||||
|
||||
boot.initrd.availableKernelModules =
|
||||
[ "mvsdio" "reiserfs" "ext3" "ums-cypress" "rtc_mv" "ext4" ];
|
||||
|
||||
boot.postBootCommands = lib.mkIf (!boot.initrd.systemd.enable)
|
||||
''
|
||||
mkdir -p /mnt
|
||||
|
||||
cp ${dummyConfiguration} /etc/nixos/configuration.nix
|
||||
'';
|
||||
|
||||
boot.initrd.extraUtilsCommands = lib.mkIf (!boot.initrd.systemd.enable)
|
||||
''
|
||||
copy_bin_and_libs ${pkgs.util-linux}/sbin/hwclock
|
||||
'';
|
||||
|
||||
boot.initrd.postDeviceCommands = lib.mkIf (!boot.initrd.systemd.enable)
|
||||
''
|
||||
hwclock -s
|
||||
'';
|
||||
|
||||
boot.kernelParams =
|
||||
[
|
||||
"selinux=0"
|
||||
"console=tty1"
|
||||
# "console=ttyS0,115200n8" # serial console
|
||||
];
|
||||
|
||||
boot.kernelPackages = pkgs.linuxKernel.packages.linux_3_4;
|
||||
|
||||
boot.supportedFilesystems = [ "reiserfs" ];
|
||||
|
||||
/* fake entry, just to have a happy stage-1. Users
|
||||
may boot without having stage-1 though */
|
||||
fileSystems.fake =
|
||||
{ mountPoint = "/";
|
||||
device = "/dev/something";
|
||||
};
|
||||
|
||||
services.getty = {
|
||||
# Some more help text.
|
||||
helpLine = ''
|
||||
Log in as "root" with an empty password. ${
|
||||
if config.services.xserver.enable then
|
||||
"Type `start xserver' to start\nthe graphical user interface."
|
||||
else ""
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
# Setting vesa, we don't get the nvidia driver, which can't work in arm.
|
||||
services.xserver.videoDrivers = [ "vesa" ];
|
||||
|
||||
documentation.nixos.enable = false;
|
||||
|
||||
# Include the firmware for various wireless cards.
|
||||
networking.enableRalinkFirmware = true;
|
||||
networking.enableIntel2200BGFirmware = true;
|
||||
|
||||
# To speed up further installation of packages, include the complete stdenv
|
||||
# in the Nix store of the tarball.
|
||||
tarball.storeContents = pkgs2storeContents [ pkgs.stdenv ];
|
||||
tarball.contents = [
|
||||
{ source = kernelParams;
|
||||
target = "/kernelparams.txt";
|
||||
}
|
||||
{ source = config.boot.kernelPackages.kernel + "/" + config.system.boot.loader.kernelFile;
|
||||
target = "/boot/" + config.system.boot.loader.kernelFile;
|
||||
}
|
||||
{ source = pkgs.ubootSheevaplug;
|
||||
target = "/boot/uboot";
|
||||
}
|
||||
];
|
||||
|
||||
# Allow sshd to be started manually through "start sshd". It should
|
||||
# not be started by default on the installation CD because the
|
||||
# default root password is empty.
|
||||
services.openssh.enable = true;
|
||||
systemd.services.openssh.wantedBy = lib.mkOverride 50 [];
|
||||
|
||||
# cpufrequtils fails to build on non-pc
|
||||
powerManagement.enable = false;
|
||||
|
||||
nixpkgs.config = {
|
||||
platform = pkgs.platforms.sheevaplug;
|
||||
};
|
||||
}
|
|
@ -1,93 +0,0 @@
|
|||
# This module creates a bootable ISO image containing the given NixOS
|
||||
# configuration. The derivation for the ISO image will be placed in
|
||||
# config.system.build.tarball.
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
versionFile = pkgs.writeText "nixos-label" config.system.nixos.label;
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
tarball.contents = mkOption {
|
||||
example = literalExpression ''
|
||||
[ { source = pkgs.memtest86 + "/memtest.bin";
|
||||
target = "boot/memtest.bin";
|
||||
}
|
||||
]
|
||||
'';
|
||||
description = ''
|
||||
This option lists files to be copied to fixed locations in the
|
||||
generated ISO image.
|
||||
'';
|
||||
};
|
||||
|
||||
tarball.storeContents = mkOption {
|
||||
example = literalExpression "[ pkgs.stdenv ]";
|
||||
description = ''
|
||||
This option lists additional derivations to be included in the
|
||||
Nix store in the generated ISO image.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = {
|
||||
|
||||
# In stage 1 of the boot, mount the CD/DVD as the root FS by label
|
||||
# so that we don't need to know its device.
|
||||
fileSystems = { };
|
||||
|
||||
# boot.initrd.availableKernelModules = [ "mvsdio" "reiserfs" "ext3" "ext4" ];
|
||||
|
||||
# boot.initrd.kernelModules = [ "rtc_mv" ];
|
||||
|
||||
# Closures to be copied to the Nix store on the CD, namely the init
|
||||
# script and the top-level system configuration directory.
|
||||
tarball.storeContents =
|
||||
[ { object = config.system.build.toplevel;
|
||||
symlink = "/run/current-system";
|
||||
}
|
||||
];
|
||||
|
||||
# Individual files to be included on the CD, outside of the Nix
|
||||
# store on the CD.
|
||||
tarball.contents =
|
||||
[ { source = config.system.build.initialRamdisk + "/" + config.system.boot.loader.initrdFile;
|
||||
target = "/boot/" + config.system.boot.loader.initrdFile;
|
||||
}
|
||||
{ source = versionFile;
|
||||
target = "/nixos-version.txt";
|
||||
}
|
||||
];
|
||||
|
||||
# Create the tarball
|
||||
system.build.tarball = import ../../../lib/make-system-tarball.nix {
|
||||
inherit (pkgs) stdenv closureInfo pixz;
|
||||
|
||||
inherit (config.tarball) contents storeContents;
|
||||
};
|
||||
|
||||
boot.postBootCommands =
|
||||
''
|
||||
# After booting, register the contents of the Nix store on the
|
||||
# CD in the Nix database in the tmpfs.
|
||||
if [ -f /nix-path-registration ]; then
|
||||
${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
|
||||
rm /nix-path-registration
|
||||
fi
|
||||
|
||||
# nixos-rebuild also requires a "system" profile and an
|
||||
# /etc/NIXOS tag.
|
||||
touch /etc/NIXOS
|
||||
${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
|
||||
'';
|
||||
|
||||
};
|
||||
|
||||
}
|
|
@ -81,7 +81,7 @@ with lib;
|
|||
|
||||
|
||||
# Create the initrd
|
||||
system.build.netbootRamdisk = pkgs.makeInitrd {
|
||||
system.build.netbootRamdisk = pkgs.makeInitrdNG {
|
||||
inherit (config.boot.initrd) compressor;
|
||||
prepend = [ "${config.system.build.initialRamdisk}/initrd" ];
|
||||
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
getVersion() {
|
||||
local dir="$1"
|
||||
rev=
|
||||
if [ -e "$dir/.git" ]; then
|
||||
gitDir="$dir/.git"
|
||||
if [ -e "$gitDir" ]; then
|
||||
if [ -z "$(type -P git)" ]; then
|
||||
echo "warning: Git not found; cannot figure out revision of $dir" >&2
|
||||
return
|
||||
fi
|
||||
cd "$dir"
|
||||
rev=$(git rev-parse --short HEAD)
|
||||
if git describe --always --dirty | grep -q dirty; then
|
||||
rev=$(git --git-dir="$gitDir" rev-parse --short HEAD)
|
||||
if git --git-dir="$gitDir" describe --always --dirty | grep -q dirty; then
|
||||
rev+=M
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -300,6 +300,12 @@ if ($virt eq "oracle") {
|
|||
push @attrs, "virtualisation.virtualbox.guest.enable = true;"
|
||||
}
|
||||
|
||||
# Check if we're a Parallels guest. If so, enable the guest additions.
|
||||
# It is blocked by https://github.com/systemd/systemd/pull/23859
|
||||
if ($virt eq "parallels") {
|
||||
push @attrs, "hardware.parallels.enable = true;";
|
||||
push @attrs, "nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ \"prl-tools\" ];";
|
||||
}
|
||||
|
||||
# Likewise for QEMU.
|
||||
if ($virt eq "qemu" || $virt eq "kvm" || $virt eq "bochs") {
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
# IMPORTANT!
|
||||
# We only add static uids and gids for services where it is not feasible
|
||||
# to change uids/gids on service start, in example a service with a lot of
|
||||
# to change uids/gids on service start, for example a service with a lot of
|
||||
# files. Please also check if the service is applicable for systemd's
|
||||
# DynamicUser option and does not need a uid/gid allocation at all.
|
||||
# Systemd can also change ownership of service directories using the
|
||||
|
|
|
@ -10,6 +10,7 @@
|
|||
./config/xdg/mime.nix
|
||||
./config/xdg/portal.nix
|
||||
./config/xdg/portals/wlr.nix
|
||||
./config/xdg/portals/lxqt.nix
|
||||
./config/appstream.nix
|
||||
./config/console.nix
|
||||
./config/xdg/sounds.nix
|
||||
|
@ -217,6 +218,7 @@
|
|||
./programs/sway.nix
|
||||
./programs/system-config-printer.nix
|
||||
./programs/thefuck.nix
|
||||
./programs/thunar.nix
|
||||
./programs/tmux.nix
|
||||
./programs/traceroute.nix
|
||||
./programs/tsm-client.nix
|
||||
|
@ -229,6 +231,7 @@
|
|||
./programs/weylus.nix
|
||||
./programs/wireshark.nix
|
||||
./programs/wshowkeys.nix
|
||||
./programs/xfconf.nix
|
||||
./programs/xfs_quota.nix
|
||||
./programs/xonsh.nix
|
||||
./programs/xss-lock.nix
|
||||
|
@ -350,6 +353,7 @@
|
|||
./services/databases/cockroachdb.nix
|
||||
./services/databases/couchdb.nix
|
||||
./services/databases/dragonflydb.nix
|
||||
./services/databases/dgraph.nix
|
||||
./services/databases/firebird.nix
|
||||
./services/databases/foundationdb.nix
|
||||
./services/databases/hbase.nix
|
||||
|
@ -612,6 +616,7 @@
|
|||
./services/misc/plex.nix
|
||||
./services/misc/plikd.nix
|
||||
./services/misc/podgrab.nix
|
||||
./services/misc/polaris.nix
|
||||
./services/misc/prowlarr.nix
|
||||
./services/misc/tautulli.nix
|
||||
./services/misc/pinnwand.nix
|
||||
|
@ -824,6 +829,7 @@
|
|||
./services/networking/libreswan.nix
|
||||
./services/networking/lldpd.nix
|
||||
./services/networking/logmein-hamachi.nix
|
||||
./services/networking/lokinet.nix
|
||||
./services/networking/lxd-image-server.nix
|
||||
./services/networking/magic-wormhole-mailbox-server.nix
|
||||
./services/networking/matterbridge.nix
|
||||
|
@ -1028,6 +1034,7 @@
|
|||
./services/torrent/peerflix.nix
|
||||
./services/torrent/rtorrent.nix
|
||||
./services/torrent/transmission.nix
|
||||
./services/tracing/tempo.nix
|
||||
./services/ttys/getty.nix
|
||||
./services/ttys/gpm.nix
|
||||
./services/ttys/kmscon.nix
|
||||
|
@ -1043,7 +1050,6 @@
|
|||
./services/web-apps/code-server.nix
|
||||
./services/web-apps/baget.nix
|
||||
./services/web-apps/convos.nix
|
||||
./services/web-apps/cryptpad.nix
|
||||
./services/web-apps/dex.nix
|
||||
./services/web-apps/discourse.nix
|
||||
./services/web-apps/documize.nix
|
||||
|
@ -1055,6 +1061,7 @@
|
|||
./services/web-apps/gerrit.nix
|
||||
./services/web-apps/gotify-server.nix
|
||||
./services/web-apps/grocy.nix
|
||||
./services/web-apps/healthchecks.nix
|
||||
./services/web-apps/hedgedoc.nix
|
||||
./services/web-apps/hledger-web.nix
|
||||
./services/web-apps/icingaweb2/icingaweb2.nix
|
||||
|
@ -1078,6 +1085,7 @@
|
|||
./services/web-apps/nexus.nix
|
||||
./services/web-apps/nifi.nix
|
||||
./services/web-apps/node-red.nix
|
||||
./services/web-apps/phylactery.nix
|
||||
./services/web-apps/pict-rs.nix
|
||||
./services/web-apps/peertube.nix
|
||||
./services/web-apps/plantuml-server.nix
|
||||
|
@ -1269,7 +1277,6 @@
|
|||
./virtualisation/parallels-guest.nix
|
||||
./virtualisation/podman/default.nix
|
||||
./virtualisation/qemu-guest-agent.nix
|
||||
./virtualisation/railcar.nix
|
||||
./virtualisation/spice-usb-redirection.nix
|
||||
./virtualisation/virtualbox-guest.nix
|
||||
./virtualisation/virtualbox-host.nix
|
||||
|
|
|
@ -1,31 +1,9 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
meta.maintainers = [ maintainers.romildo ];
|
||||
|
||||
###### interface
|
||||
options = {
|
||||
programs.qt5ct = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Whether to enable the Qt5 Configuration Tool (qt5ct), a
|
||||
program that allows users to configure Qt5 settings (theme,
|
||||
font, icons, etc.) under desktop environments or window
|
||||
manager without Qt integration.
|
||||
|
||||
Official home page: <link xlink:href="https://sourceforge.net/projects/qt5ct/">https://sourceforge.net/projects/qt5ct/</link>
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
###### implementation
|
||||
config = mkIf config.programs.qt5ct.enable {
|
||||
environment.variables.QT_QPA_PLATFORMTHEME = "qt5ct";
|
||||
environment.systemPackages = with pkgs; [ libsForQt5.qt5ct ];
|
||||
};
|
||||
imports = [
|
||||
(mkRemovedOptionModule [ "programs" "qt5ct" "enable" ] "Use qt5.platformTheme = \"qt5ct\" instead.")
|
||||
];
|
||||
}
|
||||
|
|
45
third_party/nixpkgs/nixos/modules/programs/thunar.nix
vendored
Normal file
45
third_party/nixpkgs/nixos/modules/programs/thunar.nix
vendored
Normal file
|
@ -0,0 +1,45 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let cfg = config.programs.thunar;
|
||||
|
||||
in {
|
||||
meta = {
|
||||
maintainers = teams.xfce.members;
|
||||
};
|
||||
|
||||
options = {
|
||||
programs.thunar = {
|
||||
enable = mkEnableOption "Thunar, the Xfce file manager";
|
||||
|
||||
plugins = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.package;
|
||||
description = "List of thunar plugins to install.";
|
||||
example = literalExpression "with pkgs.xfce; [ thunar-archive-plugin thunar-volman ]";
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable (
|
||||
let package = pkgs.xfce.thunar.override { thunarPlugins = cfg.plugins; };
|
||||
|
||||
in {
|
||||
environment.systemPackages = [
|
||||
package
|
||||
];
|
||||
|
||||
services.dbus.packages = [
|
||||
package
|
||||
];
|
||||
|
||||
systemd.packages = [
|
||||
package
|
||||
];
|
||||
|
||||
programs.xfconf.enable = true;
|
||||
}
|
||||
);
|
||||
}
|
27
third_party/nixpkgs/nixos/modules/programs/xfconf.nix
vendored
Normal file
27
third_party/nixpkgs/nixos/modules/programs/xfconf.nix
vendored
Normal file
|
@ -0,0 +1,27 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let cfg = config.programs.xfconf;
|
||||
|
||||
in {
|
||||
meta = {
|
||||
maintainers = teams.xfce.members;
|
||||
};
|
||||
|
||||
options = {
|
||||
programs.xfconf = {
|
||||
enable = mkEnableOption "Xfconf, the Xfce configuration storage system";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [
|
||||
pkgs.xfce.xfconf
|
||||
];
|
||||
|
||||
services.dbus.packages = [
|
||||
pkgs.xfce.xfconf
|
||||
];
|
||||
};
|
||||
}
|
2
third_party/nixpkgs/nixos/modules/rename.nix
vendored
2
third_party/nixpkgs/nixos/modules/rename.nix
vendored
|
@ -68,6 +68,7 @@ with lib;
|
|||
prey-bash-client is deprecated upstream
|
||||
'')
|
||||
(mkRemovedOptionModule [ "services" "quagga" ] "the corresponding package has been removed from nixpkgs")
|
||||
(mkRemovedOptionModule [ "services" "railcar" ] "the corresponding package has been removed from nixpkgs")
|
||||
(mkRemovedOptionModule [ "services" "seeks" ] "")
|
||||
(mkRemovedOptionModule [ "services" "ssmtp" ] ''
|
||||
The ssmtp package and the corresponding module have been removed due to
|
||||
|
@ -98,6 +99,7 @@ with lib;
|
|||
(mkRemovedOptionModule [ "services" "virtuoso" ] "The corresponding package was removed from nixpkgs.")
|
||||
(mkRemovedOptionModule [ "services" "openfire" ] "The corresponding package was removed from nixpkgs.")
|
||||
(mkRemovedOptionModule [ "services" "riak" ] "The corresponding package was removed from nixpkgs.")
|
||||
(mkRemovedOptionModule [ "services" "cryptpad" ] "The corresponding package was removed from nixpkgs.")
|
||||
|
||||
# Do NOT add any option renames here, see top of the file
|
||||
];
|
||||
|
|
|
@ -48,6 +48,7 @@ in {
|
|||
# navidrome uses online services to download additional album metadata / covers
|
||||
"${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
|
||||
builtins.storeDir
|
||||
"/etc"
|
||||
] ++ lib.optional (cfg.settings ? MusicFolder) cfg.settings.MusicFolder;
|
||||
CapabilityBoundingSet = "";
|
||||
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
||||
|
|
|
@ -17,8 +17,8 @@ let
|
|||
|
||||
compressCmd = getAttr cfg.compression {
|
||||
"none" = "cat";
|
||||
"gzip" = "${pkgs.gzip}/bin/gzip -c";
|
||||
"zstd" = "${pkgs.zstd}/bin/zstd -c";
|
||||
"gzip" = "${pkgs.gzip}/bin/gzip -c -${toString cfg.compressionLevel}";
|
||||
"zstd" = "${pkgs.zstd}/bin/zstd -c -${toString cfg.compressionLevel}";
|
||||
};
|
||||
|
||||
mkSqlPath = prefix: suffix: "${cfg.location}/${db}${prefix}.sql${suffix}";
|
||||
|
@ -130,16 +130,33 @@ in {
|
|||
The type of compression to use on the generated database dump.
|
||||
'';
|
||||
};
|
||||
|
||||
compressionLevel = mkOption {
|
||||
type = types.ints.between 1 19;
|
||||
default = 6;
|
||||
description = ''
|
||||
The compression level used when compression is enabled.
|
||||
gzip accepts levels 1 to 9. zstd accepts levels 1 to 19.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
{
|
||||
assertions = [{
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.backupAll -> cfg.databases == [];
|
||||
message = "config.services.postgresqlBackup.backupAll cannot be used together with config.services.postgresqlBackup.databases";
|
||||
}];
|
||||
}
|
||||
{
|
||||
assertion = cfg.compression == "none" ||
|
||||
(cfg.compression == "gzip" && cfg.compressionLevel >= 1 && cfg.compressionLevel <= 9) ||
|
||||
(cfg.compression == "zstd" && cfg.compressionLevel >= 1 && cfg.compressionLevel <= 19);
|
||||
message = "config.services.postgresqlBackup.compressionLevel must be set between 1 and 9 for gzip and 1 and 19 for zstd";
|
||||
}
|
||||
];
|
||||
}
|
||||
(mkIf cfg.enable {
|
||||
systemd.tmpfiles.rules = [
|
||||
|
|
|
@ -13,6 +13,13 @@ in
|
|||
services.zrepl = {
|
||||
enable = mkEnableOption "zrepl";
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.zrepl;
|
||||
defaultText = literalExpression "pkgs.zrepl";
|
||||
description = "Which package to use for zrepl";
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
default = { };
|
||||
description = ''
|
||||
|
@ -30,14 +37,14 @@ in
|
|||
### Implementation ###
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.zrepl ];
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
|
||||
# zrepl looks for its config in this location by default. This
|
||||
# allows the use of e.g. `zrepl signal wakeup <job>` without having
|
||||
# to specify the storepath of the config.
|
||||
environment.etc."zrepl/zrepl.yml".source = configFile;
|
||||
|
||||
systemd.packages = [ pkgs.zrepl ];
|
||||
systemd.packages = [ cfg.package ];
|
||||
|
||||
# Note that pkgs.zrepl copies and adapts the upstream systemd unit, and
|
||||
# the fields defined here only override certain fields from that unit.
|
||||
|
|
|
@ -298,6 +298,7 @@ in
|
|||
environment = env // {
|
||||
HYDRA_DBI = "${env.HYDRA_DBI};application_name=hydra-init";
|
||||
};
|
||||
path = [ pkgs.util-linux ];
|
||||
preStart = ''
|
||||
mkdir -p ${baseDir}
|
||||
chown hydra:hydra ${baseDir}
|
||||
|
@ -318,11 +319,11 @@ in
|
|||
|
||||
${optionalString haveLocalDB ''
|
||||
if ! [ -e ${baseDir}/.db-created ]; then
|
||||
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createuser hydra
|
||||
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createdb -O hydra hydra
|
||||
runuser -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createuser hydra
|
||||
runuser -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createdb -O hydra hydra
|
||||
touch ${baseDir}/.db-created
|
||||
fi
|
||||
echo "create extension if not exists pg_trgm" | ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} -- ${config.services.postgresql.package}/bin/psql hydra
|
||||
echo "create extension if not exists pg_trgm" | runuser -u ${config.services.postgresql.superUser} -- ${config.services.postgresql.package}/bin/psql hydra
|
||||
''}
|
||||
|
||||
if [ ! -e ${cfg.gcRootsDir} ]; then
|
||||
|
|
148
third_party/nixpkgs/nixos/modules/services/databases/dgraph.nix
vendored
Normal file
148
third_party/nixpkgs/nixos/modules/services/databases/dgraph.nix
vendored
Normal file
|
@ -0,0 +1,148 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.dgraph;
|
||||
settingsFormat = pkgs.formats.json {};
|
||||
configFile = settingsFormat.generate "config.json" cfg.settings;
|
||||
dgraphWithNode = pkgs.runCommand "dgraph" {
|
||||
nativeBuildInputs = [ pkgs.makeWrapper ];
|
||||
}
|
||||
''
|
||||
mkdir -p $out/bin
|
||||
makeWrapper ${cfg.package}/bin/dgraph $out/bin/dgraph \
|
||||
--set PATH '${lib.makeBinPath [ pkgs.nodejs ]}:$PATH' \
|
||||
'';
|
||||
securityOptions = {
|
||||
NoNewPrivileges = true;
|
||||
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
|
||||
DeviceAllow = "";
|
||||
|
||||
LockPersonality = true;
|
||||
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
|
||||
RemoveIPC = true;
|
||||
|
||||
RestrictNamespaces = true;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallErrorNumber = "EPERM";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
|
||||
];
|
||||
};
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.dgraph = {
|
||||
enable = mkEnableOption "Dgraph native GraphQL database with a graph backend";
|
||||
|
||||
package = lib.mkPackageOption pkgs "dgraph" { };
|
||||
|
||||
settings = mkOption {
|
||||
type = settingsFormat.type;
|
||||
default = {};
|
||||
description = ''
|
||||
Contents of the dgraph config. For more details see https://dgraph.io/docs/deploy/config
|
||||
'';
|
||||
};
|
||||
|
||||
alpha = {
|
||||
host = mkOption {
|
||||
type = types.str;
|
||||
default = "localhost";
|
||||
description = ''
|
||||
The host which dgraph alpha will be run on.
|
||||
'';
|
||||
};
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 7080;
|
||||
description = ''
|
||||
The port which to run dgraph alpha on.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
zero = {
|
||||
host = mkOption {
|
||||
type = types.str;
|
||||
default = "localhost";
|
||||
description = ''
|
||||
The host which dgraph zero will be run on.
|
||||
'';
|
||||
};
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 5080;
|
||||
description = ''
|
||||
The port which to run dgraph zero on.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.dgraph.settings = {
|
||||
badger.compression = mkDefault "zstd:3";
|
||||
};
|
||||
|
||||
systemd.services.dgraph-zero = {
|
||||
description = "Dgraph native GraphQL database with a graph backend. Zero controls node clustering";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
StateDirectory = "dgraph-zero";
|
||||
WorkingDirectory = "/var/lib/dgraph-zero";
|
||||
DynamicUser = true;
|
||||
ExecStart = "${cfg.package}/bin/dgraph zero --my ${cfg.zero.host}:${toString cfg.zero.port}";
|
||||
Restart = "on-failure";
|
||||
} // securityOptions;
|
||||
};
|
||||
|
||||
systemd.services.dgraph-alpha = {
|
||||
description = "Dgraph native GraphQL database with a graph backend. Alpha serves data";
|
||||
after = [ "network.target" "dgraph-zero.service" ];
|
||||
requires = [ "dgraph-zero.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
StateDirectory = "dgraph-alpha";
|
||||
WorkingDirectory = "/var/lib/dgraph-alpha";
|
||||
DynamicUser = true;
|
||||
ExecStart = "${dgraphWithNode}/bin/dgraph alpha --config ${configFile} --my ${cfg.alpha.host}:${toString cfg.alpha.port} --zero ${cfg.zero.host}:${toString cfg.zero.port}";
|
||||
ExecStop = ''
|
||||
${pkgs.curl}/bin/curl --data "mutation { shutdown { response { message code } } }" \
|
||||
--header 'Content-Type: application/graphql' \
|
||||
-X POST \
|
||||
http://localhost:8080/admin
|
||||
'';
|
||||
Restart = "on-failure";
|
||||
} // securityOptions;
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ happysalada ];
|
||||
}
|
|
@ -166,7 +166,11 @@ in {
|
|||
save = mkOption {
|
||||
type = with types; listOf (listOf int);
|
||||
default = [ [900 1] [300 10] [60 10000] ];
|
||||
description = "The schedule in which data is persisted to disk, represented as a list of lists where the first element represent the amount of seconds and the second the number of changes.";
|
||||
description = mdDoc ''
|
||||
The schedule in which data is persisted to disk, represented as a list of lists where the first element represent the amount of seconds and the second the number of changes.
|
||||
|
||||
If set to the empty list (`[]`) then RDB persistence will be disabled (useful if you are using AOF or don't want any persistence).
|
||||
'';
|
||||
};
|
||||
|
||||
slaveOf = mkOption {
|
||||
|
@ -268,7 +272,11 @@ in {
|
|||
syslog-enabled = config.syslog;
|
||||
databases = config.databases;
|
||||
maxclients = config.maxclients;
|
||||
save = map (d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}") config.save;
|
||||
save = if config.save == []
|
||||
then ''""'' # Disable saving with `save = ""`
|
||||
else map
|
||||
(d: "${toString (builtins.elemAt d 0)} ${toString (builtins.elemAt d 1)}")
|
||||
config.save;
|
||||
dbfilename = "dump.rdb";
|
||||
dir = "/var/lib/${redisName name}";
|
||||
appendOnly = config.appendOnly;
|
||||
|
|
|
@ -50,6 +50,12 @@ in
|
|||
default_access.properties["enable-flatpak-portal"] = false
|
||||
'';
|
||||
};
|
||||
environment.etc."wireplumber/bluetooth.lua.d/80-systemwide.lua" = lib.mkIf config.services.pipewire.systemWide {
|
||||
text = ''
|
||||
-- When running system-wide, logind-integration needs to be disabled.
|
||||
bluez_monitor.properties["with-logind"] = false
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.packages = [ cfg.package ];
|
||||
|
||||
|
|
|
@ -143,6 +143,9 @@ in {
|
|||
language = "python";
|
||||
logo32 = "''${env.sitePackages}/ipykernel/resources/logo-32x32.png";
|
||||
logo64 = "''${env.sitePackages}/ipykernel/resources/logo-64x64.png";
|
||||
extraPaths = {
|
||||
"cool.txt" = pkgs.writeText "cool" "cool content";
|
||||
};
|
||||
};
|
||||
}
|
||||
'';
|
||||
|
|
|
@ -56,5 +56,14 @@ with lib;
|
|||
Path to 64x64 logo png.
|
||||
'';
|
||||
};
|
||||
|
||||
extraPaths = mkOption {
|
||||
type = types.attrsOf types.path;
|
||||
default = { };
|
||||
example = literalExpression ''"{ examples = ''${env.sitePack}/IRkernel/kernelspec/kernel.js"; }'';
|
||||
description = ''
|
||||
Extra paths to link in kernel directory
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -389,10 +389,9 @@ in {
|
|||
"mysql.service"
|
||||
"postgresql.service"
|
||||
];
|
||||
reloadTriggers = [
|
||||
configFile
|
||||
lovelaceConfigFile
|
||||
];
|
||||
reloadTriggers = lib.optional (cfg.config != null) configFile
|
||||
++ lib.optional (cfg.lovelaceConfig != null) lovelaceConfigFile;
|
||||
|
||||
preStart = let
|
||||
copyConfig = if cfg.configWritable then ''
|
||||
cp --no-preserve=mode ${configFile} "${cfg.configDir}/configuration.yaml"
|
||||
|
|
|
@ -167,22 +167,23 @@ let
|
|||
sed -e "s/\bsu\s.*/su $user $group/" \
|
||||
-e "s/\b\(create\s\+[0-9]*\s*\|createolddir\s\+[0-9]*\s\+\).*/\1$user $group/" \
|
||||
-e "1imissingok" -e "s/\bnomissingok\b//" \
|
||||
$out > /tmp/logrotate.conf
|
||||
$out > logrotate.conf
|
||||
# Since this makes for very verbose builds only show real error.
|
||||
# There is no way to control log level, but logrotate hardcodes
|
||||
# 'error:' at common log level, so we can use grep, taking care
|
||||
# to keep error codes
|
||||
set -o pipefail
|
||||
if ! ${pkgs.buildPackages.logrotate}/sbin/logrotate --debug /tmp/logrotate.conf 2>&1 \
|
||||
| ( ! grep "error:" ) > /tmp/logrotate-error; then
|
||||
if ! ${pkgs.buildPackages.logrotate}/sbin/logrotate -s logrotate.status \
|
||||
--debug logrotate.conf 2>&1 \
|
||||
| ( ! grep "error:" ) > logrotate-error; then
|
||||
echo "Logrotate configuration check failed."
|
||||
echo "The failing configuration (after adjustments to pass tests in sandbox) was:"
|
||||
printf "%s\n" "-------"
|
||||
cat /tmp/logrotate.conf
|
||||
cat logrotate.conf
|
||||
printf "%s\n" "-------"
|
||||
echo "The error reported by logrotate was as follow:"
|
||||
printf "%s\n" "-------"
|
||||
cat /tmp/logrotate-error
|
||||
cat logrotate-error
|
||||
printf "%s\n" "-------"
|
||||
echo "You can disable this check with services.logrotate.checkConfig = false,"
|
||||
echo "but if you think it should work please report this failure along with"
|
||||
|
@ -193,7 +194,7 @@ let
|
|||
};
|
||||
|
||||
mailOption =
|
||||
if foldr (n: a: a || n ? mail) false (attrValues cfg.settings)
|
||||
if foldr (n: a: a || (n.mail or false) != false) false (attrValues cfg.settings)
|
||||
then "--mail=${pkgs.mailutils}/bin/mail"
|
||||
else "";
|
||||
in
|
||||
|
|
|
@ -6,7 +6,7 @@ let
|
|||
|
||||
cfg = config.services.mailman;
|
||||
|
||||
inherit (pkgs.mailmanPackages.buildEnvs { withHyperkitty = cfg.hyperkitty.enable; })
|
||||
inherit (pkgs.mailmanPackages.buildEnvs { withHyperkitty = cfg.hyperkitty.enable; withLDAP = cfg.ldap.enable; })
|
||||
mailmanEnv webEnv;
|
||||
|
||||
withPostgresql = config.services.postgresql.enable;
|
||||
|
@ -87,6 +87,114 @@ in {
|
|||
description = "Enable Mailman on this host. Requires an active MTA on the host (e.g. Postfix).";
|
||||
};
|
||||
|
||||
ldap = {
|
||||
enable = mkEnableOption "LDAP auth";
|
||||
serverUri = mkOption {
|
||||
type = types.str;
|
||||
example = "ldaps://ldap.host";
|
||||
description = ''
|
||||
LDAP host to connect against.
|
||||
'';
|
||||
};
|
||||
bindDn = mkOption {
|
||||
type = types.str;
|
||||
example = "cn=root,dc=nixos,dc=org";
|
||||
description = ''
|
||||
Service account to bind against.
|
||||
'';
|
||||
};
|
||||
bindPasswordFile = mkOption {
|
||||
type = types.str;
|
||||
example = "/run/secrets/ldap-bind";
|
||||
description = ''
|
||||
Path to the file containing the bind password of the servie account
|
||||
defined by <xref linkend="opt-services.mailman.ldap.bindDn" />.
|
||||
'';
|
||||
};
|
||||
superUserGroup = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "cn=admin,ou=groups,dc=nixos,dc=org";
|
||||
description = ''
|
||||
Group where a user must be a member of to gain superuser rights.
|
||||
'';
|
||||
};
|
||||
userSearch = {
|
||||
query = mkOption {
|
||||
type = types.str;
|
||||
example = "(&(objectClass=inetOrgPerson)(|(uid=%(user)s)(mail=%(user)s)))";
|
||||
description = ''
|
||||
Query to find a user in the LDAP database.
|
||||
'';
|
||||
};
|
||||
ou = mkOption {
|
||||
type = types.str;
|
||||
example = "ou=users,dc=nixos,dc=org";
|
||||
description = ''
|
||||
Organizational unit to look up a user.
|
||||
'';
|
||||
};
|
||||
};
|
||||
groupSearch = {
|
||||
type = mkOption {
|
||||
type = types.enum [
|
||||
"posixGroup" "groupOfNames" "memberDNGroup" "nestedMemberDNGroup" "nestedGroupOfNames"
|
||||
"groupOfUniqueNames" "nestedGroupOfUniqueNames" "activeDirectoryGroup" "nestedActiveDirectoryGroup"
|
||||
"organizationalRoleGroup" "nestedOrganizationalRoleGroup"
|
||||
];
|
||||
default = "posixGroup";
|
||||
apply = v: "${toUpper (substring 0 1 v)}${substring 1 (stringLength v) v}Type";
|
||||
description = ''
|
||||
Type of group to perform a group search against.
|
||||
'';
|
||||
};
|
||||
query = mkOption {
|
||||
type = types.str;
|
||||
example = "(objectClass=groupOfNames)";
|
||||
description = ''
|
||||
Query to find a group associated to a user in the LDAP database.
|
||||
'';
|
||||
};
|
||||
ou = mkOption {
|
||||
type = types.str;
|
||||
example = "ou=groups,dc=nixos,dc=org";
|
||||
description = ''
|
||||
Organizational unit to look up a group.
|
||||
'';
|
||||
};
|
||||
};
|
||||
attrMap = {
|
||||
username = mkOption {
|
||||
default = "uid";
|
||||
type = types.str;
|
||||
description = ''
|
||||
LDAP-attribute that corresponds to the <literal>username</literal>-attribute in mailman.
|
||||
'';
|
||||
};
|
||||
firstName = mkOption {
|
||||
default = "givenName";
|
||||
type = types.str;
|
||||
description = ''
|
||||
LDAP-attribute that corresponds to the <literal>firstName</literal>-attribute in mailman.
|
||||
'';
|
||||
};
|
||||
lastName = mkOption {
|
||||
default = "sn";
|
||||
type = types.str;
|
||||
description = ''
|
||||
LDAP-attribute that corresponds to the <literal>lastName</literal>-attribute in mailman.
|
||||
'';
|
||||
};
|
||||
email = mkOption {
|
||||
default = "mail";
|
||||
type = types.str;
|
||||
description = ''
|
||||
LDAP-attribute that corresponds to the <literal>email</literal>-attribute in mailman.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
enablePostfix = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
|
@ -274,6 +382,34 @@ in {
|
|||
|
||||
with open('/var/lib/mailman-web/settings_local.json') as f:
|
||||
globals().update(json.load(f))
|
||||
|
||||
${optionalString (cfg.ldap.enable) ''
|
||||
import ldap
|
||||
from django_auth_ldap.config import LDAPSearch, ${cfg.ldap.groupSearch.type}
|
||||
AUTH_LDAP_SERVER_URI = "${cfg.ldap.serverUri}"
|
||||
AUTH_LDAP_BIND_DN = "${cfg.ldap.bindDn}"
|
||||
with open("${cfg.ldap.bindPasswordFile}") as f:
|
||||
AUTH_LDAP_BIND_PASSWORD = f.read().rstrip('\n')
|
||||
AUTH_LDAP_USER_SEARCH = LDAPSearch("${cfg.ldap.userSearch.ou}",
|
||||
ldap.SCOPE_SUBTREE, "${cfg.ldap.userSearch.query}")
|
||||
AUTH_LDAP_GROUP_TYPE = ${cfg.ldap.groupSearch.type}()
|
||||
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("${cfg.ldap.groupSearch.ou}",
|
||||
ldap.SCOPE_SUBTREE, "${cfg.ldap.groupSearch.query}")
|
||||
AUTH_LDAP_USER_ATTR_MAP = {
|
||||
${concatStrings (flip mapAttrsToList cfg.ldap.attrMap (key: value: ''
|
||||
"${key}": "${value}",
|
||||
''))}
|
||||
}
|
||||
${optionalString (cfg.ldap.superUserGroup != null) ''
|
||||
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
|
||||
"is_superuser": "${cfg.ldap.superUserGroup}"
|
||||
}
|
||||
''}
|
||||
AUTHENTICATION_BACKENDS = (
|
||||
"django_auth_ldap.backend.LDAPBackend",
|
||||
"django.contrib.auth.backends.ModelBackend"
|
||||
)
|
||||
''}
|
||||
'';
|
||||
|
||||
services.nginx = mkIf (cfg.serve.enable && cfg.webHosts != []) {
|
||||
|
|
|
@ -33,21 +33,26 @@
|
|||
<link xlink:href="https://github.com/matrix-org/synapse#synapse-installation">
|
||||
installation instructions of Synapse </link>.
|
||||
<programlisting>
|
||||
{ pkgs, lib, ... }:
|
||||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
fqdn =
|
||||
let
|
||||
join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}";
|
||||
in join config.networking.hostName config.networking.domain;
|
||||
in {
|
||||
networking = {
|
||||
<link linkend="opt-networking.hostName">hostName</link> = "myhostname";
|
||||
<link linkend="opt-networking.domain">domain</link> = "example.org";
|
||||
fqdn = "${config.networking.hostName}.${config.networking.domain}";
|
||||
clientConfig = {
|
||||
"m.homeserver".base_url = "https://${fqdn}";
|
||||
"m.identity_server" = {};
|
||||
};
|
||||
<link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
|
||||
serverConfig."m.server" = "${config.services.matrix-synapse.settings.server_name}:443";
|
||||
mkWellKnown = data: ''
|
||||
add_header Content-Type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
return 200 '${builtins.toJSON data}';
|
||||
'';
|
||||
in {
|
||||
<xref linkend="opt-networking.hostName" /> = "myhostname";
|
||||
<xref linkend="opt-networking.domain" /> = "example.org";
|
||||
<xref linkend="opt-networking.firewall.allowedTCPPorts" /> = [ 80 443 ];
|
||||
|
||||
<link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true;
|
||||
<link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link> = pkgs.writeText "synapse-init.sql" ''
|
||||
<xref linkend="opt-services.postgresql.enable" /> = true;
|
||||
<xref linkend="opt-services.postgresql.initialScript" /> = pkgs.writeText "synapse-init.sql" ''
|
||||
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
|
||||
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
|
||||
TEMPLATE template0
|
||||
|
@ -57,78 +62,41 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
<link linkend="opt-services.nginx.enable">enable</link> = true;
|
||||
# only recommendedProxySettings and recommendedGzipSettings are strictly required,
|
||||
# but the rest make sense as well
|
||||
<link linkend="opt-services.nginx.recommendedTlsSettings">recommendedTlsSettings</link> = true;
|
||||
<link linkend="opt-services.nginx.recommendedOptimisation">recommendedOptimisation</link> = true;
|
||||
<link linkend="opt-services.nginx.recommendedGzipSettings">recommendedGzipSettings</link> = true;
|
||||
<link linkend="opt-services.nginx.recommendedProxySettings">recommendedProxySettings</link> = true;
|
||||
|
||||
<link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
|
||||
# This host section can be placed on a different host than the rest,
|
||||
# i.e. to delegate from the host being accessible as ${config.networking.domain}
|
||||
# to another host actually running the Matrix homeserver.
|
||||
"${config.networking.domain}" = {
|
||||
"${config.networking.domain}" = { <co xml:id='ex-matrix-synapse-dns' />
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
|
||||
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/server".extraConfig</link> =
|
||||
let
|
||||
# use 443 instead of the default 8448 port to unite
|
||||
# the client-server and server-server port for simplicity
|
||||
server = { "m.server" = "${fqdn}:443"; };
|
||||
in ''
|
||||
add_header Content-Type application/json;
|
||||
return 200 '${builtins.toJSON server}';
|
||||
'';
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/client".extraConfig</link> =
|
||||
let
|
||||
client = {
|
||||
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
|
||||
"m.identity_server" = { "base_url" = "https://vector.im"; };
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/server".extraConfig</link> = mkWellKnown serverConfig; <co xml:id='ex-matrix-synapse-well-known-server' />
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/client".extraConfig</link> = mkWellKnown clientConfig; <co xml:id='ex-matrix-synapse-well-known-client' />
|
||||
};
|
||||
# ACAO required to allow element-web on any URL to request this json file
|
||||
in ''
|
||||
add_header Content-Type application/json;
|
||||
add_header Access-Control-Allow-Origin *;
|
||||
return 200 '${builtins.toJSON client}';
|
||||
'';
|
||||
};
|
||||
|
||||
# Reverse proxy for Matrix client-server and server-server communication
|
||||
${fqdn} = {
|
||||
"${fqdn}" = {
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
|
||||
|
||||
# Or do a redirect instead of the 404, or whatever is appropriate for you.
|
||||
# But do not put a Matrix Web client here! See the Element web section below.
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."/".extraConfig</link> = ''
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."/".extraConfig</link> = '' <co xml:id='ex-matrix-synapse-rev-default' />
|
||||
return 404;
|
||||
'';
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.proxyPass">locations."/_matrix".proxyPass</link> = "http://[::1]:8008"; <co xml:id='ex-matrix-synapse-rev-proxy-pass' />
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.proxyPass">locations."/_synapse/client".proxyPass</link> = "http://[::1]:8008"; <co xml:id='ex-matrix-synapse-rev-client' />
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# forward all Matrix API calls to the synapse Matrix homeserver
|
||||
locations."/_matrix" = {
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.proxyPass">proxyPass</link> = "http://[::1]:8008"; # without a trailing /
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
services.matrix-synapse = {
|
||||
<link linkend="opt-services.matrix-synapse.enable">enable</link> = true;
|
||||
<link linkend="opt-services.matrix-synapse.settings.server_name">server_name</link> = config.networking.domain;
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners">listeners</link> = [
|
||||
{
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners._.port">port</link> = 8008;
|
||||
<link linkend="opt-services.matrix-synapse.settings.server_name">settings.server_name</link> = config.networking.domain;
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners">settings.listeners</link> = [
|
||||
{ <link linkend="opt-services.matrix-synapse.settings.listeners._.port">port</link> = 8008;
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners._.bind_addresses">bind_addresses</link> = [ "::1" ];
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners._.type">type</link> = "http";
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners._.tls">tls</link> = false;
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners._.x_forwarded">x_forwarded</link> = true;
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners._.resources">resources</link> = [ {
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.names">names</link> = [ "client" ];
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.names">names</link> = [ "client" "federation" ];
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.compress">compress</link> = true;
|
||||
} {
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.names">names</link> = [ "federation" ];
|
||||
<link linkend="opt-services.matrix-synapse.settings.listeners._.resources._.compress">compress</link> = false;
|
||||
} ];
|
||||
}
|
||||
];
|
||||
|
@ -136,7 +104,8 @@ in {
|
|||
}
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
<calloutlist>
|
||||
<callout arearefs='ex-matrix-synapse-dns'>
|
||||
<para>
|
||||
If the <code>A</code> and <code>AAAA</code> DNS records on
|
||||
<literal>example.org</literal> do not point on the same host as the records
|
||||
|
@ -149,7 +118,45 @@ in {
|
|||
<literal>myotherhost.example.org</literal> by only changing the
|
||||
<code>/.well-known</code> redirection target.
|
||||
</para>
|
||||
|
||||
</callout>
|
||||
<callout arearefs='ex-matrix-synapse-well-known-server'>
|
||||
<para>
|
||||
This section is not needed if the <link linkend="opt-services.matrix-synapse.settings.server_name">server_name</link>
|
||||
of <package>matrix-synapse</package> is equal to the domain (i.e.
|
||||
<literal>example.org</literal> from <literal>@foo:example.org</literal>)
|
||||
and the federation port is 8448.
|
||||
Further reference can be found in the <link xlink:href="https://matrix-org.github.io/synapse/latest/delegate.html">docs
|
||||
about delegation</link>.
|
||||
</para>
|
||||
</callout>
|
||||
<callout arearefs='ex-matrix-synapse-well-known-client'>
|
||||
<para>
|
||||
This is usually needed for homeserver discovery (from e.g. other Matrix clients).
|
||||
Further reference can be found in the <link xlink:href="https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient">upstream docs</link>
|
||||
</para>
|
||||
</callout>
|
||||
<callout arearefs='ex-matrix-synapse-rev-default'>
|
||||
<para>
|
||||
It's also possible to do a redirect here or something else, this vhost is not
|
||||
needed for Matrix. It's recommended though to <emphasis>not put</emphasis> element
|
||||
here, see also the <link linkend='ex-matrix-synapse-rev-default'>section about Element</link>.
|
||||
</para>
|
||||
</callout>
|
||||
<callout arearefs='ex-matrix-synapse-rev-proxy-pass'>
|
||||
<para>
|
||||
Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
|
||||
<emphasis>must not</emphasis> be used here.
|
||||
</para>
|
||||
</callout>
|
||||
<callout arearefs='ex-matrix-synapse-rev-client'>
|
||||
<para>
|
||||
Forward requests for e.g. SSO and password-resets.
|
||||
</para>
|
||||
</callout>
|
||||
</calloutlist>
|
||||
</section>
|
||||
<section xml:id="module-services-matrix-register-users">
|
||||
<title>Registering Matrix users</title>
|
||||
<para>
|
||||
If you want to run a server with public registration by anybody, you can
|
||||
then enable <literal><link linkend="opt-services.matrix-synapse.settings.enable_registration">services.matrix-synapse.settings.enable_registration</link> =
|
||||
|
@ -159,7 +166,7 @@ in {
|
|||
To create a new user or admin, run the following after you have set the secret
|
||||
and have rebuilt NixOS:
|
||||
<screen>
|
||||
<prompt>$ </prompt>nix run nixpkgs.matrix-synapse
|
||||
<prompt>$ </prompt>nix-shell -p matrix-synapse
|
||||
<prompt>$ </prompt>register_new_matrix_user -k <replaceable>your-registration-shared-secret</replaceable> http://localhost:8008
|
||||
<prompt>New user localpart: </prompt><replaceable>your-username</replaceable>
|
||||
<prompt>Password:</prompt>
|
||||
|
@ -168,12 +175,51 @@ in {
|
|||
Success!
|
||||
</screen>
|
||||
In the example, this would create a user with the Matrix Identifier
|
||||
<literal>@your-username:example.org</literal>. Note that the registration
|
||||
secret ends up in the nix store and therefore is world-readable by any user
|
||||
on your machine, so it makes sense to only temporarily activate the
|
||||
<link linkend="opt-services.matrix-synapse.settings.registration_shared_secret">registration_shared_secret</link>
|
||||
option until a better solution for NixOS is in place.
|
||||
<literal>@your-username:example.org</literal>.
|
||||
<warning>
|
||||
<para>
|
||||
When using <xref linkend="opt-services.matrix-synapse.settings.registration_shared_secret" />, the secret
|
||||
will end up in the world-readable store. Instead it's recommended to deploy the secret
|
||||
in an additional file like this:
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
Create a file with the following contents:
|
||||
<programlisting>registration_shared_secret: your-very-secret-secret</programlisting>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Deploy the file with a secret-manager such as <link xlink:href="https://nixops.readthedocs.io/en/latest/overview.html#managing-keys"><option>deployment.keys</option></link>
|
||||
from <citerefentry><refentrytitle>nixops</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||
or <link xlink:href="https://github.com/Mic92/sops-nix/">sops-nix</link> to
|
||||
e.g. <filename>/run/secrets/matrix-shared-secret</filename> and ensure that it's readable
|
||||
by <package>matrix-synapse</package>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Include the file like this in your configuration:
|
||||
<programlisting>
|
||||
{
|
||||
<xref linkend="opt-services.matrix-synapse.extraConfigFiles" /> = [
|
||||
"/run/secrets/matrix-shared-secret"
|
||||
];
|
||||
}
|
||||
</programlisting>
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
</warning>
|
||||
</para>
|
||||
<note>
|
||||
<para>
|
||||
It's also possible to user alternative authentication mechanism such as
|
||||
<link xlink:href="https://github.com/matrix-org/matrix-synapse-ldap3">LDAP (via <literal>matrix-synapse-ldap3</literal>)</link>
|
||||
or <link xlink:href="https://matrix-org.github.io/synapse/latest/openid.html">OpenID</link>.
|
||||
</para>
|
||||
</note>
|
||||
</section>
|
||||
<section xml:id="module-services-matrix-element-web">
|
||||
<title>Element (formerly known as Riot) Web Client</title>
|
||||
|
@ -206,10 +252,7 @@ Success!
|
|||
|
||||
<link linkend="opt-services.nginx.virtualHosts._name_.root">root</link> = pkgs.element-web.override {
|
||||
conf = {
|
||||
default_server_config."m.homeserver" = {
|
||||
"base_url" = "https://${fqdn}";
|
||||
"server_name" = "${fqdn}";
|
||||
};
|
||||
default_server_config = clientConfig; # see `clientConfig` from the snippet above.
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -217,15 +260,17 @@ Success!
|
|||
</programlisting>
|
||||
</para>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
Note that the Element developers do not recommend running Element and your Matrix
|
||||
The Element developers do not recommend running Element and your Matrix
|
||||
homeserver on the same fully-qualified domain name for security reasons. In
|
||||
the example, this means that you should not reuse the
|
||||
<literal>myhostname.example.org</literal> virtualHost to also serve Element,
|
||||
but instead serve it on a different subdomain, like
|
||||
<literal>element.example.org</literal> in the example. See the
|
||||
<link xlink:href="https://github.com/vector-im/riot-web#important-security-note">Element
|
||||
<link xlink:href="https://github.com/vector-im/element-web/tree/v1.10.0#important-security-notes">Element
|
||||
Important Security Notes</link> for more information on this subject.
|
||||
</para>
|
||||
</note>
|
||||
</section>
|
||||
</chapter>
|
||||
|
|
|
@ -45,6 +45,10 @@ in
|
|||
# get the command line client on system path to make some use of the service
|
||||
environment.systemPackages = [ pkgs.dict ];
|
||||
|
||||
environment.etc."dict.conf".text = ''
|
||||
server localhost
|
||||
'';
|
||||
|
||||
users.users.dictd =
|
||||
{ group = "dictd";
|
||||
description = "DICT.org dictd server";
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
let
|
||||
cfg = config.services.geoipupdate;
|
||||
inherit (builtins) isAttrs isString isInt isList typeOf hashString;
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
|
@ -27,11 +28,30 @@ in
|
|||
};
|
||||
|
||||
settings = lib.mkOption {
|
||||
example = lib.literalExpression ''
|
||||
{
|
||||
AccountID = 200001;
|
||||
DatabaseDirectory = "/var/lib/GeoIP";
|
||||
LicenseKey = { _secret = "/run/keys/maxmind_license_key"; };
|
||||
Proxy = "10.0.0.10:8888";
|
||||
ProxyUserPassword = { _secret = "/run/keys/proxy_pass"; };
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
<productname>geoipupdate</productname> configuration
|
||||
options. See
|
||||
<link xlink:href="https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md" />
|
||||
for a full list of available options.
|
||||
|
||||
Settings containing secret data should be set to an
|
||||
attribute set containing the attribute
|
||||
<literal>_secret</literal> - a string pointing to a file
|
||||
containing the value the option should be set to. See the
|
||||
example to get a better picture of this: in the resulting
|
||||
<filename>GeoIP.conf</filename> file, the
|
||||
<literal>ProxyUserPassword</literal> key will be set to the
|
||||
contents of the
|
||||
<filename>/run/keys/proxy_pass</filename> file.
|
||||
'';
|
||||
type = lib.types.submodule {
|
||||
freeformType =
|
||||
|
@ -65,11 +85,18 @@ in
|
|||
};
|
||||
|
||||
LicenseKey = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
type = with lib.types; either path (attrsOf path);
|
||||
description = ''
|
||||
A file containing the <productname>MaxMind</productname>
|
||||
license key.
|
||||
A file containing the
|
||||
<productname>MaxMind</productname> license key.
|
||||
|
||||
Always handled as a secret whether the value is
|
||||
wrapped in a <literal>{ _secret = ...; }</literal>
|
||||
attrset or not (refer to <xref
|
||||
linkend="opt-services.geoipupdate.settings" /> for
|
||||
details).
|
||||
'';
|
||||
apply = x: if isAttrs x then x else { _secret = x; };
|
||||
};
|
||||
|
||||
DatabaseDirectory = lib.mkOption {
|
||||
|
@ -102,6 +129,9 @@ in
|
|||
systemd.services.geoipupdate-create-db-dir = {
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = ''
|
||||
set -o errexit -o pipefail -o nounset -o errtrace
|
||||
shopt -s inherit_errexit
|
||||
|
||||
mkdir -p ${cfg.settings.DatabaseDirectory}
|
||||
chmod 0755 ${cfg.settings.DatabaseDirectory}
|
||||
'';
|
||||
|
@ -115,32 +145,41 @@ in
|
|||
"network-online.target"
|
||||
"nss-lookup.target"
|
||||
];
|
||||
path = [ pkgs.replace-secret ];
|
||||
wants = [ "network-online.target" ];
|
||||
startAt = cfg.interval;
|
||||
serviceConfig = {
|
||||
ExecStartPre =
|
||||
let
|
||||
isSecret = v: isAttrs v && v ? _secret && isString v._secret;
|
||||
geoipupdateKeyValue = lib.generators.toKeyValue {
|
||||
mkKeyValue = lib.flip lib.generators.mkKeyValueDefault " " rec {
|
||||
mkValueString = v: with builtins;
|
||||
mkValueString = v:
|
||||
if isInt v then toString v
|
||||
else if isString v then v
|
||||
else if true == v then "1"
|
||||
else if false == v then "0"
|
||||
else if isList v then lib.concatMapStringsSep " " mkValueString v
|
||||
else if isSecret v then hashString "sha256" v._secret
|
||||
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
|
||||
};
|
||||
};
|
||||
secretPaths = lib.catAttrs "_secret" (lib.collect isSecret cfg.settings);
|
||||
mkSecretReplacement = file: ''
|
||||
replace-secret ${lib.escapeShellArgs [ (hashString "sha256" file) file "/run/geoipupdate/GeoIP.conf" ]}
|
||||
'';
|
||||
secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
|
||||
|
||||
geoipupdateConf = pkgs.writeText "geoipupdate.conf" (geoipupdateKeyValue cfg.settings);
|
||||
|
||||
script = ''
|
||||
set -o errexit -o pipefail -o nounset -o errtrace
|
||||
shopt -s inherit_errexit
|
||||
|
||||
chown geoip "${cfg.settings.DatabaseDirectory}"
|
||||
|
||||
cp ${geoipupdateConf} /run/geoipupdate/GeoIP.conf
|
||||
${pkgs.replace-secret}/bin/replace-secret '${cfg.settings.LicenseKey}' \
|
||||
'${cfg.settings.LicenseKey}' \
|
||||
/run/geoipupdate/GeoIP.conf
|
||||
${secretReplacements}
|
||||
'';
|
||||
in
|
||||
"+${pkgs.writeShellScript "start-pre-full-privileges" script}";
|
||||
|
|
|
@ -1063,7 +1063,7 @@ in {
|
|||
chown ${cfg.user}:${cfg.group} ${cfg.registry.certFile}
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
unitConfig = {
|
||||
ConditionPathExists = "!${cfg.registry.certFile}";
|
||||
};
|
||||
};
|
||||
|
|
|
@ -83,7 +83,7 @@ let
|
|||
};
|
||||
in
|
||||
{
|
||||
meta.maintainers = with maintainers; [ earvstedt Flakebi ];
|
||||
meta.maintainers = with maintainers; [ erikarvstedt Flakebi ];
|
||||
|
||||
imports = [
|
||||
(mkRenamedOptionModule [ "services" "paperless-ng" ] [ "services" "paperless" ])
|
||||
|
|
151
third_party/nixpkgs/nixos/modules/services/misc/polaris.nix
vendored
Normal file
151
third_party/nixpkgs/nixos/modules/services/misc/polaris.nix
vendored
Normal file
|
@ -0,0 +1,151 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, lib
|
||||
, ...}:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.services.polaris;
|
||||
settingsFormat = pkgs.formats.toml {};
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.polaris = {
|
||||
enable = mkEnableOption "Polaris Music Server";
|
||||
|
||||
package = mkPackageOption pkgs "polaris" { };
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "polaris";
|
||||
description = "User account under which Polaris runs.";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "polaris";
|
||||
description = "Group under which Polaris is run.";
|
||||
};
|
||||
|
||||
extraGroups = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = "Polaris' auxiliary groups.";
|
||||
example = literalExpression ''["media" "music"]'';
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 5050;
|
||||
description = ''
|
||||
The port which the Polaris REST api and web UI should listen to.
|
||||
Note: polaris is hardcoded to listen to the hostname "0.0.0.0".
|
||||
'';
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
type = settingsFormat.type;
|
||||
default = {};
|
||||
description = ''
|
||||
Contents for the TOML Polaris config, applied each start.
|
||||
Although poorly documented, an example may be found here:
|
||||
<link xlink:href="https://github.com/agersant/polaris/blob/374d0ca56fc0a466d797a4b252e2078607476797/test-data/config.toml">test-config.toml</link>
|
||||
'';
|
||||
example = literalExpression ''
|
||||
{
|
||||
settings.reindex_every_n_seconds = 7*24*60*60; # weekly, default is 1800
|
||||
settings.album_art_pattern =
|
||||
"(cover|front|folder)\.(jpeg|jpg|png|bmp|gif)";
|
||||
mount_dirs = [
|
||||
{
|
||||
name = "NAS";
|
||||
source = "/mnt/nas/music";
|
||||
}
|
||||
{
|
||||
name = "Local";
|
||||
source = "/home/my_user/Music";
|
||||
}
|
||||
];
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Open the configured port in the firewall.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.polaris = {
|
||||
description = "Polaris Music Server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = rec {
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
DynamicUser = true;
|
||||
SupplementaryGroups = cfg.extraGroups;
|
||||
StateDirectory = "polaris";
|
||||
CacheDirectory = "polaris";
|
||||
ExecStart = escapeShellArgs ([
|
||||
"${cfg.package}/bin/polaris"
|
||||
"--foreground"
|
||||
"--port" cfg.port
|
||||
"--database" "/var/lib/${StateDirectory}/db.sqlite"
|
||||
"--cache" "/var/cache/${CacheDirectory}"
|
||||
] ++ optionals (cfg.settings != {}) [
|
||||
"--config" (settingsFormat.generate "polaris-config.toml" cfg.settings)
|
||||
]);
|
||||
Restart = "on-failure";
|
||||
|
||||
# Security options:
|
||||
|
||||
#NoNewPrivileges = true; # implied by DynamicUser
|
||||
#RemoveIPC = true; # implied by DynamicUser
|
||||
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
|
||||
DeviceAllow = "";
|
||||
|
||||
LockPersonality = true;
|
||||
|
||||
#PrivateTmp = true; # implied by DynamicUser
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
|
||||
RestrictNamespaces = true;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
||||
RestrictRealtime = true;
|
||||
#RestrictSUIDSGID = true; # implied by DynamicUser
|
||||
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallErrorNumber = "EPERM";
|
||||
SystemCallFilter = [
|
||||
"@system-service"
|
||||
"~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall = mkIf cfg.openFirewall {
|
||||
allowedTCPPorts = [ cfg.port ];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
meta.maintainers = with maintainers; [ pbsds ];
|
||||
}
|
|
@ -11,6 +11,14 @@ in
|
|||
services.radarr = {
|
||||
enable = mkEnableOption "Radarr";
|
||||
|
||||
package = mkOption {
|
||||
description = "Radarr package to use";
|
||||
default = pkgs.radarr;
|
||||
defaultText = literalExpression "pkgs.radarr";
|
||||
example = literalExpression "pkgs.radarr";
|
||||
type = types.package;
|
||||
};
|
||||
|
||||
dataDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/radarr/.config/Radarr";
|
||||
|
@ -51,7 +59,7 @@ in
|
|||
Type = "simple";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
ExecStart = "${pkgs.radarr}/bin/Radarr -nobrowser -data='${cfg.dataDir}'";
|
||||
ExecStart = "${cfg.package}/bin/Radarr -nobrowser -data='${cfg.dataDir}'";
|
||||
Restart = "on-failure";
|
||||
};
|
||||
};
|
||||
|
|
|
@ -24,16 +24,6 @@ let
|
|||
+ cfg.web.extraConfig
|
||||
);
|
||||
|
||||
graphiteApiConfig = pkgs.writeText "graphite-api.yaml" ''
|
||||
search_index: ${dataDir}/index
|
||||
${optionalString (config.time.timeZone != null) "time_zone: ${config.time.timeZone}"}
|
||||
${optionalString (cfg.api.finders != []) "finders:"}
|
||||
${concatMapStringsSep "\n" (f: " - " + f.moduleName) cfg.api.finders}
|
||||
${optionalString (cfg.api.functions != []) "functions:"}
|
||||
${concatMapStringsSep "\n" (f: " - " + f) cfg.api.functions}
|
||||
${cfg.api.extraConfig}
|
||||
'';
|
||||
|
||||
seyrenConfig = {
|
||||
SEYREN_URL = cfg.seyren.seyrenUrl;
|
||||
MONGO_URL = cfg.seyren.mongoUrl;
|
||||
|
@ -72,6 +62,8 @@ let
|
|||
in {
|
||||
|
||||
imports = [
|
||||
(mkRemovedOptionModule ["services" "graphite" "api"] "")
|
||||
(mkRemovedOptionModule ["services" "graphite" "beacon"] "")
|
||||
(mkRemovedOptionModule ["services" "graphite" "pager"] "")
|
||||
];
|
||||
|
||||
|
@ -115,88 +107,6 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
api = {
|
||||
enable = mkOption {
|
||||
description = ''
|
||||
Whether to enable graphite api. Graphite api is lightweight alternative
|
||||
to graphite web, with api and without dashboard. It's advised to use
|
||||
grafana as alternative dashboard and influxdb as alternative to
|
||||
graphite carbon.
|
||||
|
||||
For more information visit
|
||||
<link xlink:href="https://graphite-api.readthedocs.org/en/latest/"/>
|
||||
'';
|
||||
default = false;
|
||||
type = types.bool;
|
||||
};
|
||||
|
||||
finders = mkOption {
|
||||
description = "List of finder plugins to load.";
|
||||
default = [];
|
||||
example = literalExpression "[ pkgs.python3Packages.influxgraph ]";
|
||||
type = types.listOf types.package;
|
||||
};
|
||||
|
||||
functions = mkOption {
|
||||
description = "List of functions to load.";
|
||||
default = [
|
||||
"graphite_api.functions.SeriesFunctions"
|
||||
"graphite_api.functions.PieFunctions"
|
||||
];
|
||||
type = types.listOf types.str;
|
||||
};
|
||||
|
||||
listenAddress = mkOption {
|
||||
description = "Graphite web service listen address.";
|
||||
default = "127.0.0.1";
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
description = "Graphite api service port.";
|
||||
default = 8080;
|
||||
type = types.int;
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
description = "Package to use for graphite api.";
|
||||
default = pkgs.python3Packages.graphite_api;
|
||||
defaultText = literalExpression "pkgs.python3Packages.graphite_api";
|
||||
type = types.package;
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
description = "Extra configuration for graphite api.";
|
||||
default = ''
|
||||
whisper:
|
||||
directories:
|
||||
- ${dataDir}/whisper
|
||||
'';
|
||||
defaultText = literalExpression ''
|
||||
'''
|
||||
whisper:
|
||||
directories:
|
||||
- ''${config.${opt.dataDir}}/whisper
|
||||
'''
|
||||
'';
|
||||
example = ''
|
||||
allowed_origins:
|
||||
- dashboard.example.com
|
||||
cheat_times: true
|
||||
influxdb:
|
||||
host: localhost
|
||||
port: 8086
|
||||
user: influxdb
|
||||
pass: influxdb
|
||||
db: metrics
|
||||
cache:
|
||||
CACHE_TYPE: 'filesystem'
|
||||
CACHE_DIR: '/tmp/graphite-api-cache'
|
||||
'';
|
||||
type = types.lines;
|
||||
};
|
||||
};
|
||||
|
||||
carbon = {
|
||||
config = mkOption {
|
||||
description = "Content of carbon configuration file.";
|
||||
|
@ -354,16 +264,6 @@ in {
|
|||
'';
|
||||
};
|
||||
};
|
||||
|
||||
beacon = {
|
||||
enable = mkEnableOption "graphite beacon";
|
||||
|
||||
config = mkOption {
|
||||
description = "Graphite beacon configuration.";
|
||||
default = {};
|
||||
type = types.attrs;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
###### implementation
|
||||
|
@ -489,44 +389,6 @@ in {
|
|||
environment.systemPackages = [ pkgs.python3Packages.graphite-web ];
|
||||
}))
|
||||
|
||||
(mkIf cfg.api.enable {
|
||||
systemd.services.graphiteApi = {
|
||||
description = "Graphite Api Interface";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
environment = {
|
||||
PYTHONPATH = let
|
||||
aenv = pkgs.python3.buildEnv.override {
|
||||
extraLibs = [ cfg.api.package pkgs.cairo pkgs.python3Packages.cffi ] ++ cfg.api.finders;
|
||||
};
|
||||
in "${aenv}/${pkgs.python3.sitePackages}";
|
||||
GRAPHITE_API_CONFIG = graphiteApiConfig;
|
||||
LD_LIBRARY_PATH = "${pkgs.cairo.out}/lib";
|
||||
};
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${pkgs.python3Packages.waitress}/bin/waitress-serve \
|
||||
--host=${cfg.api.listenAddress} --port=${toString cfg.api.port} \
|
||||
graphite_api.app:app
|
||||
'';
|
||||
User = "graphite";
|
||||
Group = "graphite";
|
||||
PermissionsStartOnly = true;
|
||||
};
|
||||
preStart = ''
|
||||
if ! test -e ${dataDir}/db-created; then
|
||||
mkdir -p ${dataDir}/cache/
|
||||
chmod 0700 ${dataDir}/cache/
|
||||
|
||||
chown graphite:graphite ${cfg.dataDir}
|
||||
chown -R graphite:graphite ${cfg.dataDir}/cache
|
||||
|
||||
touch ${dataDir}/db-created
|
||||
fi
|
||||
'';
|
||||
};
|
||||
})
|
||||
|
||||
(mkIf cfg.seyren.enable {
|
||||
systemd.services.seyren = {
|
||||
description = "Graphite Alerting Dashboard";
|
||||
|
@ -550,25 +412,9 @@ in {
|
|||
services.mongodb.enable = mkDefault true;
|
||||
})
|
||||
|
||||
(mkIf cfg.beacon.enable {
|
||||
systemd.services.graphite-beacon = {
|
||||
description = "Grpahite Beacon Alerting Daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${pkgs.python3Packages.graphite_beacon}/bin/graphite-beacon \
|
||||
--config=${pkgs.writeText "graphite-beacon.json" (builtins.toJSON cfg.beacon.config)}
|
||||
'';
|
||||
User = "graphite";
|
||||
Group = "graphite";
|
||||
};
|
||||
};
|
||||
})
|
||||
|
||||
(mkIf (
|
||||
cfg.carbon.enableCache || cfg.carbon.enableAggregator || cfg.carbon.enableRelay ||
|
||||
cfg.web.enable || cfg.api.enable ||
|
||||
cfg.seyren.enable || cfg.beacon.enable
|
||||
cfg.web.enable || cfg.seyren.enable
|
||||
) {
|
||||
users.users.graphite = {
|
||||
uid = config.ids.uids.graphite;
|
||||
|
|
|
@ -3,7 +3,19 @@
|
|||
let
|
||||
cfg = config.services.parsedmarc;
|
||||
opt = options.services.parsedmarc;
|
||||
ini = pkgs.formats.ini {};
|
||||
isSecret = v: isAttrs v && v ? _secret && isString v._secret;
|
||||
ini = pkgs.formats.ini {
|
||||
mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" rec {
|
||||
mkValueString = v:
|
||||
if isInt v then toString v
|
||||
else if isString v then v
|
||||
else if true == v then "True"
|
||||
else if false == v then "False"
|
||||
else if isSecret v then hashString "sha256" v._secret
|
||||
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
|
||||
};
|
||||
};
|
||||
inherit (builtins) elem isAttrs isString isInt isList typeOf hashString;
|
||||
in
|
||||
{
|
||||
options.services.parsedmarc = {
|
||||
|
@ -107,11 +119,35 @@ in
|
|||
};
|
||||
|
||||
settings = lib.mkOption {
|
||||
example = lib.literalExpression ''
|
||||
{
|
||||
imap = {
|
||||
host = "imap.example.com";
|
||||
user = "alice@example.com";
|
||||
password = { _secret = "/run/keys/imap_password" };
|
||||
watch = true;
|
||||
};
|
||||
splunk_hec = {
|
||||
url = "https://splunkhec.example.com";
|
||||
token = { _secret = "/run/keys/splunk_token" };
|
||||
index = "email";
|
||||
};
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
Configuration parameters to set in
|
||||
<filename>parsedmarc.ini</filename>. For a full list of
|
||||
available parameters, see
|
||||
<link xlink:href="https://domainaware.github.io/parsedmarc/#configuration-file" />.
|
||||
|
||||
Settings containing secret data should be set to an attribute
|
||||
set containing the attribute <literal>_secret</literal> - a
|
||||
string pointing to a file containing the value the option
|
||||
should be set to. See the example to get a better picture of
|
||||
this: in the resulting <filename>parsedmarc.ini</filename>
|
||||
file, the <literal>splunk_hec.token</literal> key will be set
|
||||
to the contents of the
|
||||
<filename>/run/keys/splunk_token</filename> file.
|
||||
'';
|
||||
|
||||
type = lib.types.submodule {
|
||||
|
@ -170,11 +206,18 @@ in
|
|||
};
|
||||
|
||||
password = lib.mkOption {
|
||||
type = with lib.types; nullOr path;
|
||||
type = with lib.types; nullOr (either path (attrsOf path));
|
||||
default = null;
|
||||
description = ''
|
||||
The path to a file containing the IMAP server password.
|
||||
The IMAP server password.
|
||||
|
||||
Always handled as a secret whether the value is
|
||||
wrapped in a <literal>{ _secret = ...; }</literal>
|
||||
attrset or not (refer to <xref
|
||||
linkend="opt-services.parsedmarc.settings" /> for
|
||||
details).
|
||||
'';
|
||||
apply = x: if isAttrs x || x == null then x else { _secret = x; };
|
||||
};
|
||||
|
||||
watch = lib.mkOption {
|
||||
|
@ -228,11 +271,18 @@ in
|
|||
};
|
||||
|
||||
password = lib.mkOption {
|
||||
type = with lib.types; nullOr path;
|
||||
type = with lib.types; nullOr (either path (attrsOf path));
|
||||
default = null;
|
||||
description = ''
|
||||
The path to a file containing the SMTP server password.
|
||||
The SMTP server password.
|
||||
|
||||
Always handled as a secret whether the value is
|
||||
wrapped in a <literal>{ _secret = ...; }</literal>
|
||||
attrset or not (refer to <xref
|
||||
linkend="opt-services.parsedmarc.settings" /> for
|
||||
details).
|
||||
'';
|
||||
apply = x: if isAttrs x || x == null then x else { _secret = x; };
|
||||
};
|
||||
|
||||
from = lib.mkOption {
|
||||
|
@ -274,12 +324,19 @@ in
|
|||
};
|
||||
|
||||
password = lib.mkOption {
|
||||
type = with lib.types; nullOr path;
|
||||
type = with lib.types; nullOr (either path (attrsOf path));
|
||||
default = null;
|
||||
description = ''
|
||||
The path to a file containing the password to use when
|
||||
connecting to Elasticsearch, if required.
|
||||
The password to use when connecting to Elasticsearch,
|
||||
if required.
|
||||
|
||||
Always handled as a secret whether the value is
|
||||
wrapped in a <literal>{ _secret = ...; }</literal>
|
||||
attrset or not (refer to <xref
|
||||
linkend="opt-services.parsedmarc.settings" /> for
|
||||
details).
|
||||
'';
|
||||
apply = x: if isAttrs x || x == null then x else { _secret = x; };
|
||||
};
|
||||
|
||||
ssl = lib.mkOption {
|
||||
|
@ -299,63 +356,6 @@ in
|
|||
'';
|
||||
};
|
||||
};
|
||||
|
||||
kafka = {
|
||||
hosts = lib.mkOption {
|
||||
default = [];
|
||||
type = with lib.types; listOf str;
|
||||
apply = x: if x == [] then null else lib.concatStringsSep "," x;
|
||||
description = ''
|
||||
A list of Apache Kafka hosts to publish parsed reports
|
||||
to.
|
||||
'';
|
||||
};
|
||||
|
||||
user = lib.mkOption {
|
||||
type = with lib.types; nullOr str;
|
||||
default = null;
|
||||
description = ''
|
||||
Username to use when connecting to Kafka, if
|
||||
required.
|
||||
'';
|
||||
};
|
||||
|
||||
password = lib.mkOption {
|
||||
type = with lib.types; nullOr path;
|
||||
default = null;
|
||||
description = ''
|
||||
The path to a file containing the password to use when
|
||||
connecting to Kafka, if required.
|
||||
'';
|
||||
};
|
||||
|
||||
ssl = lib.mkOption {
|
||||
type = with lib.types; nullOr bool;
|
||||
default = null;
|
||||
description = ''
|
||||
Whether to use an encrypted SSL/TLS connection.
|
||||
'';
|
||||
};
|
||||
|
||||
aggregate_topic = lib.mkOption {
|
||||
type = with lib.types; nullOr str;
|
||||
default = null;
|
||||
example = "aggregate";
|
||||
description = ''
|
||||
The Kafka topic to publish aggregate reports on.
|
||||
'';
|
||||
};
|
||||
|
||||
forensic_topic = lib.mkOption {
|
||||
type = with lib.types; nullOr str;
|
||||
default = null;
|
||||
example = "forensic";
|
||||
description = ''
|
||||
The Kafka topic to publish forensic reports on.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -404,21 +404,14 @@ in
|
|||
enable = cfg.provision.grafana.datasource || cfg.provision.grafana.dashboard;
|
||||
datasources =
|
||||
let
|
||||
pkgVer = lib.getVersion config.services.elasticsearch.package;
|
||||
esVersion =
|
||||
if lib.versionOlder pkgVer "7" then
|
||||
"60"
|
||||
else if lib.versionOlder pkgVer "8" then
|
||||
"70"
|
||||
else
|
||||
throw "When provisioning parsedmarc grafana datasources: unknown Elasticsearch version.";
|
||||
esVersion = lib.getVersion config.services.elasticsearch.package;
|
||||
in
|
||||
lib.mkIf cfg.provision.grafana.datasource [
|
||||
{
|
||||
name = "dmarc-ag";
|
||||
type = "elasticsearch";
|
||||
access = "proxy";
|
||||
url = "localhost:9200";
|
||||
url = "http://localhost:9200";
|
||||
jsonData = {
|
||||
timeField = "date_range";
|
||||
inherit esVersion;
|
||||
|
@ -428,7 +421,7 @@ in
|
|||
name = "dmarc-fo";
|
||||
type = "elasticsearch";
|
||||
access = "proxy";
|
||||
url = "localhost:9200";
|
||||
url = "http://localhost:9200";
|
||||
jsonData = {
|
||||
timeField = "date_range";
|
||||
inherit esVersion;
|
||||
|
@ -467,12 +460,17 @@ in
|
|||
# lists, empty attrsets and null. This makes it possible to
|
||||
# list interesting options in `settings` without them always
|
||||
# ending up in the resulting config.
|
||||
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! builtins.elem v [ null [] {} ])) cfg.settings;
|
||||
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null [] {} ])) cfg.settings;
|
||||
|
||||
# Extract secrets (attributes set to an attrset with a
|
||||
# "_secret" key) from the settings and generate the commands
|
||||
# to run to perform the secret replacements.
|
||||
secretPaths = lib.catAttrs "_secret" (lib.collect isSecret filteredConfig);
|
||||
parsedmarcConfig = ini.generate "parsedmarc.ini" filteredConfig;
|
||||
mkSecretReplacement = file:
|
||||
lib.optionalString (file != null) ''
|
||||
replace-secret '${file}' '${file}' /run/parsedmarc/parsedmarc.ini
|
||||
mkSecretReplacement = file: ''
|
||||
replace-secret ${lib.escapeShellArgs [ (hashString "sha256" file) file "/run/parsedmarc/parsedmarc.ini" ]}
|
||||
'';
|
||||
secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
|
||||
in
|
||||
{
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
@ -487,10 +485,7 @@ in
|
|||
umask u=rwx,g=,o=
|
||||
cp ${parsedmarcConfig} /run/parsedmarc/parsedmarc.ini
|
||||
chown parsedmarc:parsedmarc /run/parsedmarc/parsedmarc.ini
|
||||
${mkSecretReplacement cfg.settings.smtp.password}
|
||||
${mkSecretReplacement cfg.settings.imap.password}
|
||||
${mkSecretReplacement cfg.settings.elasticsearch.password}
|
||||
${mkSecretReplacement cfg.settings.kafka.password}
|
||||
${secretReplacements}
|
||||
'' + lib.optionalString cfg.provision.localMail.enable ''
|
||||
openssl rand -hex 64 >/run/parsedmarc/dmarc_user_passwd
|
||||
replace-secret '@imap-password@' '/run/parsedmarc/dmarc_user_passwd' /run/parsedmarc/parsedmarc.ini
|
||||
|
|
|
@ -44,6 +44,8 @@ in
|
|||
];
|
||||
# The timex collector needs to access clock APIs
|
||||
ProtectClock = any (collector: collector == "timex") cfg.disabledCollectors;
|
||||
# Allow space monitoring under /home
|
||||
ProtectHome = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -283,7 +283,7 @@ in
|
|||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
StateDirectory = "";
|
||||
ReadWritePaths = [ "" cfg.dataDir ];
|
||||
ReadWritePaths = optionals (!cfg.autoMount) [ "" cfg.dataDir ];
|
||||
} // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
|
||||
} // optionalAttrs (!cfg.startWhenNeeded) {
|
||||
wantedBy = [ "default.target" ];
|
||||
|
|
|
@ -13,7 +13,7 @@ let
|
|||
foreground=YES
|
||||
use=${cfg.use}
|
||||
login=${cfg.username}
|
||||
password=${lib.optionalString (cfg.protocol == "nsupdate") "/run/${RuntimeDirectory}/ddclient.key"}
|
||||
password=${if cfg.protocol == "nsupdate" then "/run/${RuntimeDirectory}/ddclient.key" else "@password_placeholder@"}
|
||||
protocol=${cfg.protocol}
|
||||
${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
|
||||
${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
|
||||
|
@ -33,10 +33,9 @@ let
|
|||
${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then ''
|
||||
install ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
|
||||
'' else if (cfg.passwordFile != null) then ''
|
||||
password=$(printf "%q" "$(head -n 1 "${cfg.passwordFile}")")
|
||||
sed -i "s|^password=$|password=$password|" /run/${RuntimeDirectory}/ddclient.conf
|
||||
"${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf"
|
||||
'' else ''
|
||||
sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf
|
||||
sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf
|
||||
'')}
|
||||
'';
|
||||
|
||||
|
|
|
@ -215,7 +215,7 @@ in
|
|||
# dhcpcd. So do a "systemctl restart" instead.
|
||||
stopIfChanged = false;
|
||||
|
||||
path = [ dhcpcd pkgs.nettools pkgs.openresolv ];
|
||||
path = [ dhcpcd pkgs.nettools config.networking.resolvconf.package ];
|
||||
|
||||
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
|
||||
|
||||
|
|
|
@ -158,6 +158,10 @@ let
|
|||
(sec "addressbook")
|
||||
(strOpt "defaulturl" cfg.addressbook.defaulturl)
|
||||
] ++ (optionalEmptyList "subscriptions" cfg.addressbook.subscriptions)
|
||||
++ [
|
||||
(sec "meshnets")
|
||||
(boolOpt "yggdrasil" cfg.yggdrasil.enable)
|
||||
] ++ (optionalNullString "yggaddress" cfg.yggdrasil.address)
|
||||
++ (flip map
|
||||
(collect (proto: proto ? port && proto ? address) cfg.proto)
|
||||
(proto: let protoOpts = [
|
||||
|
@ -546,6 +550,17 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
yggdrasil.enable = mkEnableOption "Yggdrasil";
|
||||
|
||||
yggdrasil.address = mkOption {
|
||||
type = with types; nullOr str;
|
||||
default = null;
|
||||
description = ''
|
||||
Your local yggdrasil address. Specify it if you want to bind your router to a
|
||||
particular address.
|
||||
'';
|
||||
};
|
||||
|
||||
proto.http = (mkEndpointOpt "http" "127.0.0.1" 7070) // {
|
||||
|
||||
auth = mkEnableOption "Webconsole authentication";
|
||||
|
|
157
third_party/nixpkgs/nixos/modules/services/networking/lokinet.nix
vendored
Normal file
157
third_party/nixpkgs/nixos/modules/services/networking/lokinet.nix
vendored
Normal file
|
@ -0,0 +1,157 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.services.lokinet;
|
||||
dataDir = "/var/lib/lokinet";
|
||||
settingsFormat = pkgs.formats.ini { listsAsDuplicateKeys = true; };
|
||||
configFile = settingsFormat.generate "lokinet.ini" (lib.filterAttrsRecursive (n: v: v != null) cfg.settings);
|
||||
in with lib; {
|
||||
options.services.lokinet = {
|
||||
enable = mkEnableOption "Lokinet daemon";
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.lokinet;
|
||||
defaultText = literalExpression "pkgs.lokinet";
|
||||
description = "Lokinet package to use.";
|
||||
};
|
||||
|
||||
useLocally = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
example = true;
|
||||
description = "Whether to use Lokinet locally.";
|
||||
};
|
||||
|
||||
settings = mkOption {
|
||||
type = with types;
|
||||
submodule {
|
||||
freeformType = settingsFormat.type;
|
||||
|
||||
options = {
|
||||
dns = {
|
||||
bind = mkOption {
|
||||
type = str;
|
||||
default = "127.3.2.1";
|
||||
description = "Address to bind to for handling DNS requests.";
|
||||
};
|
||||
|
||||
upstream = mkOption {
|
||||
type = listOf str;
|
||||
default = [ "9.9.9.10" ];
|
||||
example = [ "1.1.1.1" "8.8.8.8" ];
|
||||
description = ''
|
||||
Upstream resolver(s) to use as fallback for non-loki addresses.
|
||||
Multiple values accepted.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
network = {
|
||||
exit = mkOption {
|
||||
type = bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to act as an exit node. Beware that this
|
||||
increases demand on the server and may pose liability concerns.
|
||||
Enable at your own risk.
|
||||
'';
|
||||
};
|
||||
|
||||
exit-node = mkOption {
|
||||
type = nullOr (listOf str);
|
||||
default = null;
|
||||
example = ''
|
||||
exit-node = [ "example.loki" ]; # maps all exit traffic to example.loki
|
||||
exit-node = [ "example.loki:100.0.0.0/24" ]; # maps 100.0.0.0/24 to example.loki
|
||||
'';
|
||||
description = ''
|
||||
Specify a `.loki` address and an optional ip range to use as an exit broker.
|
||||
See <link xlink:href="http://probably.loki/wiki/index.php?title=Exit_Nodes"/> for
|
||||
a list of exit nodes.
|
||||
'';
|
||||
};
|
||||
|
||||
keyfile = mkOption {
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
example = "snappkey.private";
|
||||
description = ''
|
||||
The private key to persist address with. If not specified the address will be ephemeral.
|
||||
This keyfile is generated automatically if the specified file doesn't exist.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
default = { };
|
||||
example = literalExpression ''
|
||||
{
|
||||
dns = {
|
||||
bind = "127.3.2.1";
|
||||
upstream = [ "1.1.1.1" "8.8.8.8" ];
|
||||
};
|
||||
|
||||
network.exit-node = [ "example.loki" "example2.loki" ];
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
Configuration for Lokinet.
|
||||
Currently, the best way to view the available settings is by
|
||||
generating a config file using `lokinet -g`.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
networking.resolvconf.extraConfig = mkIf cfg.useLocally ''
|
||||
name_servers="${cfg.settings.dns.bind}"
|
||||
'';
|
||||
|
||||
systemd.services.lokinet = {
|
||||
description = "Lokinet";
|
||||
after = [ "network-online.target" "network.target" ];
|
||||
wants = [ "network-online.target" "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
preStart = ''
|
||||
ln -sf ${cfg.package}/share/bootstrap.signed ${dataDir}
|
||||
${pkgs.coreutils}/bin/install -m 600 ${configFile} ${dataDir}/lokinet.ini
|
||||
|
||||
${optionalString (cfg.settings.network.keyfile != null) ''
|
||||
${pkgs.crudini}/bin/crudini --set ${dataDir}/lokinet.ini network keyfile "${dataDir}/${cfg.settings.network.keyfile}"
|
||||
''}
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
StateDirectory = "lokinet";
|
||||
AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];
|
||||
ExecStart = "${cfg.package}/bin/lokinet ${dataDir}/lokinet.ini";
|
||||
Restart = "always";
|
||||
RestartSec = "5s";
|
||||
|
||||
# hardening
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
PrivateMounts = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
ReadWritePaths = "/dev/net/tun";
|
||||
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
};
|
||||
}
|
|
@ -511,8 +511,13 @@ in
|
|||
|
||||
dataDir = mkOption {
|
||||
type = types.path;
|
||||
description = "Directory where Prosody stores its data";
|
||||
default = "/var/lib/prosody";
|
||||
description = ''
|
||||
The prosody home directory used to store all data. If left as the default value
|
||||
this directory will automatically be created before the prosody server starts, otherwise
|
||||
you are responsible for ensuring the directory exists with appropriate ownership
|
||||
and permissions.
|
||||
'';
|
||||
};
|
||||
|
||||
disco_items = mkOption {
|
||||
|
@ -524,13 +529,29 @@ in
|
|||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "prosody";
|
||||
description = "User account under which prosody runs.";
|
||||
description = ''
|
||||
User account under which prosody runs.
|
||||
|
||||
<note><para>
|
||||
If left as the default value this user will automatically be created
|
||||
on system activation, otherwise you are responsible for
|
||||
ensuring the user exists before the prosody service starts.
|
||||
</para></note>
|
||||
'';
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "prosody";
|
||||
description = "Group account under which prosody runs.";
|
||||
description = ''
|
||||
Group account under which prosody runs.
|
||||
|
||||
<note><para>
|
||||
If left as the default value this group will automatically be created
|
||||
on system activation, otherwise you are responsible for
|
||||
ensuring the group exists before the prosody service starts.
|
||||
</para></note>
|
||||
'';
|
||||
};
|
||||
|
||||
allowRegistration = mkOption {
|
||||
|
@ -839,9 +860,8 @@ in
|
|||
users.users.prosody = mkIf (cfg.user == "prosody") {
|
||||
uid = config.ids.uids.prosody;
|
||||
description = "Prosody user";
|
||||
createHome = true;
|
||||
inherit (cfg) group;
|
||||
home = "${cfg.dataDir}";
|
||||
home = cfg.dataDir;
|
||||
};
|
||||
|
||||
users.groups.prosody = mkIf (cfg.group == "prosody") {
|
||||
|
@ -854,7 +874,8 @@ in
|
|||
wants = [ "network-online.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
restartTriggers = [ config.environment.etc."prosody/prosody.cfg.lua".source ];
|
||||
serviceConfig = {
|
||||
serviceConfig = mkMerge [
|
||||
{
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
Type = "forking";
|
||||
|
@ -875,7 +896,11 @@ in
|
|||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
};
|
||||
}
|
||||
(mkIf (cfg.dataDir == "/var/lib/prosody") {
|
||||
StateDirectory = "prosody";
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
|
|
|
@ -16,9 +16,9 @@ in
|
|||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
options.services.radvd = {
|
||||
|
||||
services.radvd.enable = mkOption {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description =
|
||||
|
@ -32,7 +32,16 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
services.radvd.config = mkOption {
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.radvd;
|
||||
defaultText = literalExpression "pkgs.radvd";
|
||||
description = ''
|
||||
The RADVD package to use for the RADVD service.
|
||||
'';
|
||||
};
|
||||
|
||||
config = mkOption {
|
||||
type = types.lines;
|
||||
example =
|
||||
''
|
||||
|
@ -67,7 +76,7 @@ in
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig =
|
||||
{ ExecStart = "@${pkgs.radvd}/bin/radvd radvd -n -u radvd -C ${confFile}";
|
||||
{ ExecStart = "@${cfg.package}/bin/radvd radvd -n -u radvd -C ${confFile}";
|
||||
Restart = "always";
|
||||
};
|
||||
};
|
||||
|
|
|
@ -179,8 +179,8 @@ in {
|
|||
description = mdDoc ''
|
||||
Folders which should be shared by Syncthing.
|
||||
|
||||
Note that you can still add devices manually, but those changes
|
||||
will be reverted on restart if [overrideDevices](#opt-services.syncthing.overrideDevices)
|
||||
Note that you can still add folders manually, but those changes
|
||||
will be reverted on restart if [overrideFolders](#opt-services.syncthing.overrideFolders)
|
||||
is enabled.
|
||||
'';
|
||||
example = literalExpression ''
|
||||
|
|
|
@ -47,7 +47,7 @@ in {
|
|||
systemd.services.tailscaled = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [
|
||||
pkgs.openresolv # for configuring DNS in some configs
|
||||
config.networking.resolvconf.package # for configuring DNS in some configs
|
||||
pkgs.procps # for collecting running services (opt-in feature)
|
||||
pkgs.glibc # for `getent` to look up user shells
|
||||
];
|
||||
|
|
|
@ -273,7 +273,7 @@ let
|
|||
after = [ "network.target" "network-online.target" ];
|
||||
wantedBy = optional values.autostart "multi-user.target";
|
||||
environment.DEVICE = name;
|
||||
path = [ pkgs.kmod pkgs.wireguard-tools ];
|
||||
path = [ pkgs.kmod pkgs.wireguard-tools config.networking.resolvconf.package ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
|
@ -332,5 +332,11 @@ in {
|
|||
# breaks the wg-quick routing because wireguard packets leave with a fwmark from wireguard.
|
||||
networking.firewall.checkReversePath = false;
|
||||
systemd.services = mapAttrs' generateUnit cfg.interfaces;
|
||||
|
||||
# Prevent networkd from clearing the rules set by wg-quick when restarted (e.g. when waking up from suspend).
|
||||
systemd.network.config.networkConfig.ManageForeignRoutingPolicyRules = mkDefault false;
|
||||
|
||||
# WireGuard interfaces should be ignored in determining whether the network is online.
|
||||
systemd.network.wait-online.ignoredInterfaces = builtins.attrNames cfg.interfaces;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -6,7 +6,7 @@ let
|
|||
cfg = config.services.privacyidea;
|
||||
opt = options.services.privacyidea;
|
||||
|
||||
uwsgi = pkgs.uwsgi.override { plugins = [ "python3" ]; };
|
||||
uwsgi = pkgs.uwsgi.override { plugins = [ "python3" ]; python3 = pkgs.python39; };
|
||||
python = uwsgi.python3;
|
||||
penv = python.withPackages (const [ pkgs.privacyidea ]);
|
||||
logCfg = pkgs.writeText "privacyidea-log.cfg" ''
|
||||
|
|
|
@ -7,6 +7,8 @@ let
|
|||
opt = options.services.vault;
|
||||
|
||||
configFile = pkgs.writeText "vault.hcl" ''
|
||||
# vault in dev mode will refuse to start if its configuration sets listener
|
||||
${lib.optionalString (!cfg.dev) ''
|
||||
listener "tcp" {
|
||||
address = "${cfg.address}"
|
||||
${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
|
||||
|
@ -17,6 +19,7 @@ let
|
|||
''}
|
||||
${cfg.listenerExtraConfig}
|
||||
}
|
||||
''}
|
||||
storage "${cfg.storageBackend}" {
|
||||
${optionalString (cfg.storagePath != null) ''path = "${cfg.storagePath}"''}
|
||||
${optionalString (cfg.storageConfig != null) cfg.storageConfig}
|
||||
|
@ -30,8 +33,10 @@ let
|
|||
'';
|
||||
|
||||
allConfigPaths = [configFile] ++ cfg.extraSettingsPaths;
|
||||
|
||||
configOptions = escapeShellArgs (concatMap (p: ["-config" p]) allConfigPaths);
|
||||
configOptions = escapeShellArgs
|
||||
(lib.optional cfg.dev "-dev" ++
|
||||
lib.optional (cfg.dev && cfg.devRootTokenID != null) "-dev-root-token-id=${cfg.devRootTokenID}"
|
||||
++ (concatMap (p: ["-config" p]) allConfigPaths));
|
||||
|
||||
in
|
||||
|
||||
|
@ -47,6 +52,22 @@ in
|
|||
description = "This option specifies the vault package to use.";
|
||||
};
|
||||
|
||||
dev = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
In this mode, Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.
|
||||
'';
|
||||
};
|
||||
|
||||
devRootTokenID = mkOption {
|
||||
type = types.str;
|
||||
default = false;
|
||||
description = ''
|
||||
Initial root token. This only applies when <option>services.vault.dev</option> is true
|
||||
'';
|
||||
};
|
||||
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
default = "127.0.0.1:8200";
|
||||
|
@ -186,6 +207,9 @@ in
|
|||
Group = "vault";
|
||||
ExecStart = "${cfg.package}/bin/vault server ${configOptions}";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
|
||||
StateDirectory = "vault";
|
||||
# In `dev` mode vault will put its token here
|
||||
Environment = lib.optional (cfg.dev) "HOME=/var/lib/vault";
|
||||
PrivateDevices = true;
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "full";
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue