Project import generated by Copybara.

GitOrigin-RevId: 9480bae337095fd24f61380bce3174fdfe926a00
This commit is contained in:
Default email 2020-06-18 09:06:33 +02:00
parent d32ee29a2d
commit d7dbe45cea
1599 changed files with 22835 additions and 22668 deletions

View file

@ -67,7 +67,17 @@ A derivation can then be written using `agdaPackages.mkDerivation`. This has sim
+ `libraryName` should be the name that appears in the `*.agda-lib` file, defaulting to `pname`.
+ `libraryFile` should be the file name of the `*.agda-lib` file, defaulting to `${libraryName}.agda-lib`.
The build phase for `agdaPackages.mkDerivation` simply runs `agda` on the `Everything.agda` file. If something else is needed to build the package (e.g. `make`) then the `buildPhase` should be overridden (or a `preBuild` or `configurePhase` can be used if there are steps that need to be done prior to checking the `Everything.agda` file). `agda` and the Agda libraries contained in `buildInputs` are made available during the build phase. The install phase simply copies all `.agda`, `.agdai` and `.agda-lib` files to the output directory. Again, this can be overridden.
### Building Agda packages
The default build phase for `agdaPackages.mkDerivation` simply runs `agda` on the `Everything.agda` file.
If something else is needed to build the package (e.g. `make`) then the `buildPhase` should be overridden.
Additionally, a `preBuild` or `configurePhase` can be used if there are steps that need to be done prior to checking the `Everything.agda` file.
`agda` and the Agda libraries contained in `buildInputs` are made available during the build phase.
### Installing Agda packages
The default install phase copies agda source files, agda interface files (`*.agdai`) and `*.agda-lib` files to the output directory.
This can be overridden.
By default, agda sources are files ending on `.agda`, or literate agda files ending on `.lagda`, `.lagda.tex`, `.lagda.org`, `.lagda.md`, `.lagda.rst`. The list of recognised agda source extensions can be extended by setting the `extraExtensions` config variable.
To add an agda package to `nixpkgs`, the derivation should be written to `pkgs/development/libraries/agda/${library-name}/` and an entry should be added to `pkgs/top-level/agda-packages.nix`. Here it is called in a scope with access to all other agda libraries, so the top line of the `default.nix` can look like:
```

View file

@ -18,7 +18,7 @@
<xi:include href="idris.section.xml" />
<xi:include href="ios.section.xml" />
<xi:include href="java.xml" />
<xi:include href="lua.xml" />
<xi:include href="lua.section.xml" />
<xi:include href="node.section.xml" />
<xi:include href="ocaml.xml" />
<xi:include href="perl.xml" />

View file

@ -0,0 +1,252 @@
---
title: Lua
author: Matthieu Coudron
date: 2019-02-05
---
# User's Guide to Lua Infrastructure
## Using Lua
### Overview of Lua
Several versions of the Lua interpreter are available: luajit, lua 5.1, 5.2, 5.3.
The attribute `lua` refers to the default interpreter, it is also possible to refer to specific versions, e.g. `lua5_2` refers to Lua 5.2.
Lua libraries are in separate sets, with one set per interpreter version.
The interpreters have several common attributes. One of these attributes is
`pkgs`, which is a package set of Lua libraries for this specific
interpreter. E.g., the `busted` package corresponding to the default interpreter
is `lua.pkgs.busted`, and the lua 5.2 version is `lua5_2.pkgs.busted`.
The main package set contains aliases to these package sets, e.g.
`luaPackages` refers to `lua5_1.pkgs` and `lua52Packages` to
`lua5_2.pkgs`.
### Installing Lua and packages
#### Lua environment defined in separate `.nix` file
Create a file, e.g. `build.nix`, with the following expression
```nix
with import <nixpkgs> {};
lua5_2.withPackages (ps: with ps; [ busted luafilesystem ])
```
and install it in your profile with
```shell
nix-env -if build.nix
```
Now you can use the Lua interpreter, as well as the extra packages (`busted`,
`luafilesystem`) that you added to the environment.
#### Lua environment defined in `~/.config/nixpkgs/config.nix`
If you prefer to, you could also add the environment as a package override to the Nixpkgs set, e.g.
using `config.nix`,
```nix
{ # ...
packageOverrides = pkgs: with pkgs; {
myLuaEnv = lua5_2.withPackages (ps: with ps; [ busted luafilesystem ]);
};
}
```
and install it in your profile with
```shell
nix-env -iA nixpkgs.myLuaEnv
```
The environment is is installed by referring to the attribute, and considering
the `nixpkgs` channel was used.
#### Lua environment defined in `/etc/nixos/configuration.nix`
For the sake of completeness, here's another example how to install the environment system-wide.
```nix
{ # ...
environment.systemPackages = with pkgs; [
(lua.withPackages(ps: with ps; [ busted luafilesystem ]))
];
}
```
### How to override a Lua package using overlays?
Use the following overlay template:
```nix
final: prev:
{
lua = prev.lua.override {
packageOverrides = luaself: luaprev: {
luarocks-nix = luaprev.luarocks-nix.overrideAttrs(oa: {
pname = "luarocks-nix";
src = /home/my_luarocks/repository;
});
};
luaPackages = lua.pkgs;
}
```
### Temporary Lua environment with `nix-shell`
There are two methods for loading a shell with Lua packages. The first and recommended method
is to create an environment with `lua.buildEnv` or `lua.withPackages` and load that. E.g.
```sh
$ nix-shell -p 'lua.withPackages(ps: with ps; [ busted luafilesystem ])'
```
opens a shell from which you can launch the interpreter
```sh
[nix-shell:~] lua
```
The other method, which is not recommended, does not create an environment and requires you to list the packages directly,
```sh
$ nix-shell -p lua.pkgs.busted lua.pkgs.luafilesystem
```
Again, it is possible to launch the interpreter from the shell.
The Lua interpreter has the attribute `pkgs` which contains all Lua libraries for that specific interpreter.
## Developing with Lua
Now that you know how to get a working Lua environment with Nix, it is time
to go forward and start actually developing with Lua. There are two ways to
package lua software, either it is on luarocks and most of it can be taken care
of by the luarocks2nix converter or the packaging has to be done manually.
Let's present the luarocks way first and the manual one in a second time.
### Packaging a library on luarocks
[Luarocks.org](www.luarocks.org) is the main repository of lua packages.
The site proposes two types of packages, the rockspec and the src.rock
(equivalent of a [rockspec](https://github.com/luarocks/luarocks/wiki/Rockspec-format) but with the source).
These packages can have different build types such as `cmake`, `builtin` etc .
Luarocks-based packages are generated in pkgs/development/lua-modules/generated-packages.nix from
the whitelist maintainers/scripts/luarocks-packages.csv and updated by running maintainers/scripts/update-luarocks-packages.
[luarocks2nix](https://github.com/nix-community/luarocks) is a tool capable of generating nix derivations from both rockspec and src.rock (and favors the src.rock).
The automation only goes so far though and some packages need to be customized.
These customizations go in `pkgs/development/lua-modules/overrides.nix`.
For instance if the rockspec defines `external_dependencies`, these need to be manually added in in its rockspec file then it won't work.
You can try converting luarocks packages to nix packages with the command `nix-shell -p luarocks-nix` and then `luarocks nix PKG_NAME`.
Nix rely on luarocks to install lua packages, basically it runs:
`luarocks make --deps-mode=none --tree $out`
#### Packaging a library manually
You can develop your package as you usually would, just don't forget to wrap it
within a `toLuaModule` call, for instance
```nix
mynewlib = toLuaModule ( stdenv.mkDerivation { ... });
```
There is also the `buildLuaPackage` function that can be used when lua modules
are not packaged for luarocks. You can see a few examples at `pkgs/top-level/lua-packages.nix`.
## Lua Reference
### Lua interpreters
Versions 5.1, 5.2 and 5.3 of the lua interpreter are available as
respectively `lua5_1`, `lua5_2` and `lua5_3`. Luajit is available too.
The Nix expressions for the interpreters can be found in `pkgs/development/interpreters/lua-5`.
#### Attributes on lua interpreters packages
Each interpreter has the following attributes:
- `interpreter`. Alias for `${pkgs.lua}/bin/lua`.
- `buildEnv`. Function to build lua interpreter environments with extra packages bundled together. See section *lua.buildEnv function* for usage and documentation.
- `withPackages`. Simpler interface to `buildEnv`.
- `pkgs`. Set of Lua packages for that specific interpreter. The package set can be modified by overriding the interpreter and passing `packageOverrides`.
#### `buildLuarocksPackage` function
The `buildLuarocksPackage` function is implemented in `pkgs/development/interpreters/lua-5/build-lua-package.nix`
The following is an example:
```nix
luaposix = buildLuarocksPackage {
pname = "luaposix";
version = "34.0.4-1";
src = fetchurl {
url = "https://raw.githubusercontent.com/rocks-moonscript-org/moonrocks-mirror/master/luaposix-34.0.4-1.src.rock";
sha256 = "0yrm5cn2iyd0zjd4liyj27srphvy0gjrjx572swar6zqr4dwjqp2";
};
disabled = (luaOlder "5.1") || (luaAtLeast "5.4");
propagatedBuildInputs = [ bit32 lua std_normalize ];
meta = with stdenv.lib; {
homepage = "https://github.com/luaposix/luaposix/";
description = "Lua bindings for POSIX";
maintainers = with maintainers; [ vyp lblasc ];
license.fullName = "MIT/X11";
};
};
```
The `buildLuarocksPackage` delegates most tasks to luarocks:
* it adds `luarocks` as an unpacker for `src.rock` files (zip files really).
* configurePhase` writes a temporary luarocks configuration file which location
is exported via the environment variable `LUAROCKS_CONFIG`.
* the `buildPhase` does nothing.
* `installPhase` calls `luarocks make --deps-mode=none --tree $out` to build and
install the package
* In the `postFixup` phase, the `wrapLuaPrograms` bash function is called to
wrap all programs in the `$out/bin/*` directory to include `$PATH`
environment variable and add dependent libraries to script's `LUA_PATH` and
`LUA_CPATH`.
By default `meta.platforms` is set to the same value as the interpreter unless overridden otherwise.
#### `buildLuaApplication` function
The `buildLuaApplication` function is practically the same as `buildLuaPackage`.
The difference is that `buildLuaPackage` by default prefixes the names of the packages with the version of the interpreter.
Because with an application we're not interested in multiple version the prefix is dropped.
#### lua.withPackages function
The `lua.withPackages` takes a function as an argument that is passed the set of lua packages and returns the list of packages to be included in the environment.
Using the `withPackages` function, the previous example for the luafilesystem environment can be written like this:
```nix
with import <nixpkgs> {};
lua.withPackages (ps: [ps.luafilesystem])
```
`withPackages` passes the correct package set for the specific interpreter version as an argument to the function. In the above example, `ps` equals `luaPackages`.
But you can also easily switch to using `lua5_2`:
```nix
with import <nixpkgs> {};
lua5_2.withPackages (ps: [ps.lua])
```
Now, `ps` is set to `lua52Packages`, matching the version of the interpreter.
### Possible Todos
* export/use version specific variables such as `LUA_PATH_5_2`/`LUAROCKS_CONFIG_5_2`
* let luarocks check for dependencies via exporting the different rocktrees in temporary config
### Lua Contributing guidelines
Following rules should be respected:
* Make sure libraries build for all Lua interpreters.
* Commit names of Lua libraries should reflect that they are Lua libraries, so write for example `luaPackages.luafilesystem: 1.11 -> 1.12`.

View file

@ -1,36 +0,0 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="sec-language-lua">
<title>Lua</title>
<para>
Lua packages are built by the <varname>buildLuaPackage</varname> function. This function is implemented in <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/lua-modules/generic/default.nix"> <filename>pkgs/development/lua-modules/generic/default.nix</filename></link> and works similarly to <varname>buildPerlPackage</varname>. (See <xref linkend="sec-language-perl"/> for details.)
</para>
<para>
Lua packages are defined in <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/lua-packages.nix"><filename>pkgs/top-level/lua-packages.nix</filename></link>. Most of them are simple. For example:
<programlisting>
fileSystem = buildLuaPackage {
name = "filesystem-1.6.2";
src = fetchurl {
url = "https://github.com/keplerproject/luafilesystem/archive/v1_6_2.tar.gz";
sha256 = "1n8qdwa20ypbrny99vhkmx8q04zd2jjycdb5196xdhgvqzk10abz";
};
meta = {
homepage = "https://github.com/keplerproject/luafilesystem";
hydraPlatforms = stdenv.lib.platforms.linux;
maintainers = with maintainers; [ flosse ];
};
};
</programlisting>
</para>
<para>
Though, more complicated package should be placed in a seperate file in <link
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/lua-modules"><filename>pkgs/development/lua-modules</filename></link>.
</para>
<para>
Lua packages accept additional parameter <varname>disabled</varname>, which defines the condition of disabling package from luaPackages. For example, if package has <varname>disabled</varname> assigned to <literal>lua.luaversion != "5.1"</literal>, it will not be included in any luaPackages except lua51Packages, making it only be built for lua 5.1.
</para>
</section>

View file

@ -643,7 +643,7 @@ and in this case the `python38` interpreter is automatically used.
Versions 2.7, 3.5, 3.6, 3.7 and 3.8 of the CPython interpreter are available as
respectively `python27`, `python35`, `python36`, `python37` and `python38`. The
aliases `python2` and `python3` correspond to respectively `python27` and
`python37`. The default interpreter, `python`, maps to `python2`. The PyPy
`python38`. The default interpreter, `python`, maps to `python2`. The PyPy
interpreters compatible with Python 2.7 and 3 are available as `pypy27` and
`pypy3`, with aliases `pypy2` mapping to `pypy27` and `pypy` mapping to `pypy2`.
The Nix expressions for the interpreters can be found in
@ -764,9 +764,6 @@ following are specific to `buildPythonPackage`:
* `dontWrapPythonPrograms ? false`: Skip wrapping of Python programs.
* `permitUserSite ? false`: Skip setting the `PYTHONNOUSERSITE` environment
variable in wrapped programs.
* `installFlags ? []`: A list of strings. Arguments to be passed to `pip
install`. To pass options to `python setup.py install`, use
`--install-option`. E.g., `installFlags=["--install-option='--cpp_implementation'"]`.
* `format ? "setuptools"`: Format of the source. Valid options are
`"setuptools"`, `"pyproject"`, `"flit"`, `"wheel"`, and `"other"`.
`"setuptools"` is for when the source has a `setup.py` and `setuptools` is
@ -782,6 +779,9 @@ following are specific to `buildPythonPackage`:
* `namePrefix`: Prepends text to `${name}` parameter. In case of libraries, this
defaults to `"python3.8-"` for Python 3.8, etc., and in case of applications
to `""`.
* `pipInstallFlags ? []`: A list of strings. Arguments to be passed to `pip
install`. To pass options to `python setup.py install`, use
`--install-option`. E.g., `pipInstallFlags=["--install-option='--cpp_implementation'"]`.
* `pythonPath ? []`: List of packages to be added into `$PYTHONPATH`. Packages
in `pythonPath` are not propagated (contrary to `propagatedBuildInputs`).
* `preShellHook`: Hook to execute commands before `shellHook`.

View file

@ -75,6 +75,90 @@ pkgs.rustPlatform.buildRustPackage {
}
```
### Running package tests
When using `buildRustPackage`, the `checkPhase` is enabled by default and runs
`cargo test` on the package to build. To make sure that we don't compile the
sources twice and to actually test the artifacts that will be used at runtime,
the tests will be ran in the `release` mode by default.
However, in some cases the test-suite of a package doesn't work properly in the
`release` mode. For these situations, the mode for `checkPhase` can be changed like
so:
```nix
rustPlatform.buildRustPackage {
/* ... */
checkType = "debug";
}
```
Please note that the code will be compiled twice here: once in `release` mode
for the `buildPhase`, and again in `debug` mode for the `checkPhase`.
#### Tests relying on the structure of the `target/` directory
Some tests may rely on the structure of the `target/` directory. Those tests
are likely to fail because we use `cargo --target` during the build. This means that
the artifacts
[are stored in `target/<architecture>/release/`](https://doc.rust-lang.org/cargo/guide/build-cache.html),
rather than in `target/release/`.
This can only be worked around by patching the affected tests accordingly.
#### Disabling package-tests
In some instances, it may be necessary to disable testing altogether (with `doCheck = false;`):
* If no tests exist -- the `checkPhase` should be explicitly disabled to skip
unnecessary build steps to speed up the build.
* If tests are highly impure (e.g. due to network usage).
There will obviously be some corner-cases not listed above where it's sensible to disable tests.
The above are just guidelines, and exceptions may be granted on a case-by-case basis.
However, please check if it's possible to disable a problematic subset of the
test suite and leave a comment explaining your reasoning.
### Building a package in `debug` mode
By default, `buildRustPackage` will use `release` mode for builds. If a package
should be built in `debug` mode, it can be configured like so:
```nix
rustPlatform.buildRustPackage {
/* ... */
buildType = "debug";
}
```
In this scenario, the `checkPhase` will be ran in `debug` mode as well.
### Custom `build`/`install`-procedures
Some packages may use custom scripts for building/installing, e.g. with a `Makefile`.
In these cases, it's recommended to override the `buildPhase`/`installPhase`/`checkPhase`.
Otherwise, some steps may fail because of the modified directory structure of `target/`.
### Building a crate with an absent or out-of-date Cargo.lock file
`buildRustPackage` needs a `Cargo.lock` file to get all dependencies in the
source code in a reproducible way. If it is missing or out-of-date one can use
the `cargoPatches` attribute to update or add it.
```
{ lib, rustPlatform, fetchFromGitHub }:
rustPlatform.buildRustPackage rec {
(...)
cargoPatches = [
# a patch file to add/update Cargo.lock in the source code
./add-Cargo.lock.patch
];
}
```
## Compiling Rust crates using Nix instead of Cargo
### Simple operation

View file

@ -2081,6 +2081,16 @@ postInstall = ''
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
validatePkgConfig
</term>
<listitem>
<para>
The <literal>validatePkgConfig</literal> hook validates all pkg-config (<filename>.pc</filename>) files in a package. This helps catching some common errors in pkg-config files, such as undefined variables.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
cmake

View file

@ -387,7 +387,7 @@ fi
</screen>
<para>
Now just run <literal>source $HOME/.profile</literal> and you can starting loading man pages from your environent.
Now just run <literal>source $HOME/.profile</literal> and you can starting loading man pages from your environment.
</para>
</section>

View file

@ -1,8 +1,6 @@
# Experimental flake interface to Nixpkgs.
# See https://github.com/NixOS/rfcs/pull/49 for details.
{
edition = 201909;
description = "A collection of packages for the Nix package manager";
outputs = { self }:

View file

@ -253,7 +253,7 @@ rec {
/* Like `mapAttrsRecursive', but it takes an additional predicate
function that tells it whether to recursive into an attribute
set. If it returns false, `mapAttrsRecursiveCond' does not
recurse, but does apply the map function. It is returns true, it
recurse, but does apply the map function. If it returns true, it
does recurse, and does not apply the map function.
Type:

View file

@ -8,10 +8,10 @@ with lib;
option = x:
x // { optional = true; };
yes = { tristate = "y"; };
no = { tristate = "n"; };
module = { tristate = "m"; };
freeform = x: { freeform = x; };
yes = { tristate = "y"; optional = false; };
no = { tristate = "n"; optional = false; };
module = { tristate = "m"; optional = false; };
freeform = x: { freeform = x; optional = false; };
/*
Common patterns/legacy used in common-config/hardened/config.nix

View file

@ -276,6 +276,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) {
fullName = "European Union Public License 1.2";
};
fdl11 = spdx {
spdxId = "GFDL-1.1-only";
fullName = "GNU Free Documentation License v1.1 only";
};
fdl12 = spdx {
spdxId = "GFDL-1.2-only";
fullName = "GNU Free Documentation License v1.2 only";

View file

@ -1,2 +1,2 @@
# Expose the minimum required version for evaluating Nixpkgs
"2.0"
"2.2"

View file

@ -193,12 +193,6 @@
githubId = 315003;
name = "Adam Saponara";
};
aepsil0n = {
email = "eduard.bopp@aepsil0n.de";
github = "aepsil0n";
githubId = 3098430;
name = "Eduard Bopp";
};
aerialx = {
email = "aaron+nixos@aaronlindsay.com";
github = "AerialX";
@ -1163,6 +1157,12 @@
githubId = 24417923;
name = "Renaud";
};
c00w = {
email = "nix@daedrum.net";
github = "c00w";
githubId = 486199;
name = "Colin";
};
c0deaddict = {
email = "josvanbakel@protonmail.com";
github = "c0deaddict";
@ -1616,6 +1616,12 @@
githubId = 12202789;
name = "CrazedProgrammer";
};
cript0nauta = {
email = "shareman1204@gmail.com";
github = "cript0nauta";
githubId = 1222362;
name = "Matías Lang";
};
cryptix = {
email = "cryptix@riseup.net";
github = "cryptix";
@ -2182,6 +2188,12 @@
githubId = 50854;
name = "edef";
};
edibopp = {
email = "eduard.bopp@aepsil0n.de";
github = "edibopp";
githubId = 3098430;
name = "Eduard Bopp";
};
emantor = {
email = "rouven+nixos@czerwinskis.de";
github = "emantor";
@ -2540,6 +2552,16 @@
githubId = 11909469;
name = "Fabian Geiselhart";
};
fabianhauser = {
email = "fabian.nixos@fh2.ch";
github = "fabianhauser";
githubId = 368799;
name = "Fabian Hauser";
keys = [{
longkeyid = "rsa4096/0x8A52A140BEBF7D2C";
fingerprint = "50B7 11F4 3DFD 2018 DCE6 E8D0 8A52 A140 BEBF 7D2C";
}];
};
fadenb = {
email = "tristan.helmich+nixos@gmail.com";
github = "fadenb";
@ -3514,6 +3536,12 @@
githubId = 1608697;
name = "Jens Binkert";
};
jeremyschlatter = {
email = "github@jeremyschlatter.com";
github = "jeremyschlatter";
githubId = 5741620;
name = "Jeremy Schlatter";
};
jerith666 = {
email = "github@matt.mchenryfamily.org";
github = "jerith666";
@ -3855,6 +3883,12 @@
githubId = 11947756;
name = "Julien Dehos";
};
julm = {
email = "julm+nix@sourcephile.fr";
github = "ju1m";
githubId = 21160136;
name = "Julien Moutinho";
};
jumper149 = {
email = "felixspringer149@gmail.com";
github = "jumper149";
@ -3867,6 +3901,12 @@
githubId = 2396926;
name = "Justin Woo";
};
jwatt = {
email = "jwatt@broken.watch";
github = "jjwatt";
githubId = 2397327;
name = "Jesse Wattenbarger";
};
jwiegley = {
email = "johnw@newartisans.com";
github = "jwiegley";
@ -4649,6 +4689,16 @@
githubId = 26020062;
name = "lumi";
};
lunik1 = {
email = "ch.nixpkgs@themaw.xyz";
github = "lunik1";
githubId = 13547699;
name = "Corin Hoad";
keys = [{
longkeyid = "rsa2048/0x6A37DF9483188492";
fingerprint = "BA3A 5886 AE6D 526E 20B4 57D6 6A37 DF94 8318 8492";
}];
};
luz = {
email = "luz666@daum.net";
github = "Luz";
@ -5017,6 +5067,12 @@
githubId = 223323;
name = "Miguel de la Cruz";
};
mgdm = {
email = "michael@mgdm.net";
github = "mgdm";
githubId = 71893;
name = "Michael Maclean";
};
mgregoire = {
email = "gregoire@martinache.net";
github = "M-Gregoire";
@ -5144,6 +5200,12 @@
fingerprint = "3196 83D3 9A1B 4DE1 3DC2 51FD FEA8 88C9 F5D6 4F62";
}];
};
mir06 = {
email = "armin.leuprecht@uni-graz.at";
github = "mir06";
githubId = 8479244;
name = "Armin Leuprecht";
};
mirdhyn = {
email = "mirdhyn@gmail.com";
github = "mirdhyn";
@ -6308,10 +6370,6 @@
githubId = 23097564;
name = "Nora Widdecke";
};
pxc = {
email = "patrick.callahan@latitudeengineering.com";
name = "Patrick Callahan";
};
pyrolagus = {
email = "pyrolagus@gmail.com";
github = "PyroLagus";
@ -6980,6 +7038,12 @@
githubId = 2343853;
name = "Sean Zicari";
};
seb314 = {
email = "sebastian@seb314.com";
github = "seb314";
githubId = 19472270;
name = "Sebastian";
};
sellout = {
email = "greg@technomadic.org";
github = "sellout";
@ -7050,6 +7114,12 @@
githubId = 1588288;
name = "Shahrukh Khan";
};
shamilton = {
email = "sgn.hamilton@protonmail.com";
github = "SCOTT-HAMILTON";
githubId = 24496705;
name = "Scott Hamilton";
};
shanemikel = {
email = "shanepearlman@pm.me";
github = "shanemikel";

View file

@ -12,12 +12,13 @@ compat53,,,,,vcunat
cosmo,,,,,marsam
coxpcall,,,1.17.0-1,,
cqueues,,,,,vcunat
cyrussasl,,,,,vcunat
cyrussasl,,,,,
digestif,,,,lua5_3,
dkjson,,,,,
fifo,,,,,
http,,,,,vcunat
inspect,,,,,
ldbus,,http://luarocks.org/dev,,,
ldoc,,,,,
lgi,,,,,
linenoise,,,,,
@ -50,9 +51,9 @@ luaepnf,,,,,
luaevent,,,,,
luaexpat,,,1.3.0-1,,arobyn flosse
luaffi,,http://luarocks.org/dev,,,
luafilesystem,,,1.7.0-2,,flosse vcunat
luafilesystem,,,1.7.0-2,,flosse
lualogging,,,,,
luaossl,,,,lua5_1,vcunat
luaossl,,,,lua5_1,
luaposix,,,,,vyp lblasc
luarepl,,,,,
luasec,,,,,flosse
@ -65,6 +66,7 @@ luazip,,,,,
lua-yajl,,,,,pstn
luuid,,,,,
luv,,,,,
lyaml,,,,,lblasc
markdown,,,,,
mediator_lua,,,,,
mpack,,,,,

1 # nix name luarocks name server version luaversion maintainers
12 cosmo marsam
13 coxpcall 1.17.0-1
14 cqueues vcunat
15 cyrussasl vcunat
16 digestif lua5_3
17 dkjson
18 fifo
19 http vcunat
20 inspect
21 ldbus http://luarocks.org/dev
22 ldoc
23 lgi
24 linenoise
51 luaevent
52 luaexpat 1.3.0-1 arobyn flosse
53 luaffi http://luarocks.org/dev
54 luafilesystem 1.7.0-2 flosse vcunat flosse
55 lualogging
56 luaossl lua5_1 vcunat
57 luaposix vyp lblasc
58 luarepl
59 luasec flosse
66 lua-yajl pstn
67 luuid
68 luv
69 lyaml lblasc
70 markdown
71 mediator_lua
72 mpack

View file

@ -34,6 +34,20 @@ with lib.maintainers; {
scope = "Maintain Freedesktop.org packages for graphical desktop.";
};
golang = {
members = [
c00w
cstrahan
Frostman
kalbasit
mic92
orivej
rvolosatovs
zowoq
];
scope = "Maintain Golang compilers.";
};
gnome = {
members = [
hedning
@ -43,6 +57,18 @@ with lib.maintainers; {
scope = "Maintain GNOME desktop environment and platform.";
};
matrix = {
members = [
ma27
pacien
fadenb
mguentner
ekleog
ralith
];
scope = "Maintain the ecosystem around Matrix, a decentralized messenger.";
};
php = {
members = [
aanderse

View file

@ -19,9 +19,9 @@
</term>
<listitem>
<para>
Start a root shell if something goes wrong in stage 1 of the boot process
(the initial ramdisk). This is disabled by default because there is no
authentication for the root shell.
Allows the user to start a root shell if something goes wrong in stage 1
of the boot process (the initial ramdisk). This is disabled by default
because there is no authentication for the root shell.
</para>
</listitem>
</varlistentry>
@ -49,6 +49,22 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<literal>boot.debug1mounts</literal>
</term>
<listitem>
<para>
Like <literal>boot.debug1</literal> or
<literal>boot.debug1devices</literal>, but runs stage1 until all
filesystems that are mounted during initrd are mounted (see
<option><link linkend="opt-fileSystems._name__.neededForBoot">neededForBoot</link></option>
). As a motivating example, this could be useful if you've forgotten to set
<option><link linkend="opt-fileSystems._name__.neededForBoot">neededForBoot</link></option>
on a file system.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<literal>boot.trace</literal>
@ -90,6 +106,15 @@
<manvolnum>1</manvolnum></citerefentry>.
</para>
<para>
Notice that for <literal>boot.shell_on_fail</literal>,
<literal>boot.debug1</literal>, <literal>boot.debug1devices</literal>, and
<literal>boot.debug1mounts</literal>, if you did <emphasis>not</emphasis>
select "start the new shell as pid 1", and you <literal>exit</literal> from
the new shell, boot will proceed normally from the point where it failed, as
if you'd chosen "ignore the error and continue".
</para>
<para>
If no login prompts or X11 login screens appear (e.g. due to hanging
dependencies), you can press Alt+ArrowUp. If youre lucky, this will start

View file

@ -89,7 +89,7 @@ nixpkgs https://nixos.org/channels/nixpkgs-unstable</screen>
NixOS partition. They are installed by default on NixOS, but you don't have
NixOS yet..
</para>
<screen><prompt>$ </prompt>nix-env -iE "_: with import &lt;nixpkgs/nixos&gt; { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]"</screen>
<screen><prompt>$ </prompt>nix-env -f '&lt;nixpkgs/nixos&gt;' --arg configuration {} -iA config.system.build.{nixos-generate-config,nixos-install,nixos-enter,manual.manpages}</screen>
</listitem>
<listitem>
<note>

View file

@ -42,6 +42,11 @@
PHP now defaults to PHP 7.4, updated from 7.3.
</para>
</listitem>
<listitem>
<para>
Python 3 now defaults to Python 3.8 instead of 3.7.
</para>
</listitem>
<listitem>
<para>
Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
@ -89,6 +94,22 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
When MariaDB data directory is just upgraded (not initialized), the users are not created or modified.
</para>
</listitem>
<listitem>
<para>
MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options
may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when
calling <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. In this scenario a variant of the following may be required:
- allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal>
<programlisting>
systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only";
</programlisting>
- allow MySQL to write to custom folder <literal>/var/data</literal> when using <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write
access to <literal>/var/data</literal>
<programlisting>
systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ];
</programlisting>
</para>
</listitem>
</itemizedlist>
</section>
@ -176,6 +197,12 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" ''
<link linkend="opt-security.duosec.integrationKey">security.duosec.integrationKey</link>.
</para>
</listitem>
<listitem>
<para>
<literal>vmware</literal> has been removed from the <literal>services.x11.videoDrivers</literal> defaults.
For VMWare guests set <literal>virtualisation.vmware.guest.enable</literal> to <literal>true</literal> which will include the appropriate drivers.
</para>
</listitem>
<listitem>
<para>
The initrd SSH support now uses OpenSSH rather than Dropbear to
@ -441,6 +468,28 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
recommended to only use lower-case characters.
</para>
</listitem>
<listitem>
<para>
The GRUB specific option <option>boot.loader.grub.extraInitrd</option>
has been replaced with the generic option
<option>boot.initrd.secrets</option>. This option creates a secondary
initrd from the specified files, rather than using a manually created
initrd file.
Due to an existing bug with <option>boot.loader.grub.extraInitrd</option>,
it is not possible to directly boot an older generation that used that
option. It is still possible to rollback to that generation if the required
initrd file has not been deleted.
</para>
</listitem>
<listitem>
<para>
The <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link>
package and NixOS module have been removed from Nixpkgs as the software is
unmaintained and can't be built. For more information see issue
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>.
</para>
</listitem>
</itemizedlist>
</section>
@ -452,6 +501,9 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
<title>Other Notable Changes</title>
<itemizedlist>
<listitem>
<para>SD images are now compressed by default using <literal>zstd</literal>. The compression for ISO images has also been changed to <literal>zstd</literal>, but ISO images are still not compressed by default.</para>
</listitem>
<listitem>
<para>
<option>services.journald.rateLimitBurst</option> was updated from
@ -468,9 +520,32 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
the <literal>notmuch.emacs</literal> output.
</para>
</listitem>
<listitem>
<para>
The default output of <literal>buildGoPackage</literal> is now <literal>$out</literal> instead of <literal>$bin</literal>.
</para>
</listitem>
<listitem>
<para>
Packages built using <literal>buildRustPackage</literal> now use <literal>release</literal>
mode for the <literal>checkPhase</literal> by default.
</para>
<para>
Please note that Rust packages utilizing a custom build/install procedure
(e.g. by using a <filename>Makefile</filename>) or test suites that rely on the
structure of the <filename>target/</filename> directory may break due to those assumptions.
For further information, please read the Rust section in the Nixpkgs manual.
</para>
</listitem>
<listitem>
<para>
The default output of <literal>buildGoPackage</literal> is now <literal>$out</literal> instead of <literal>$bin</literal>.
The cc- and binutils-wrapper's "infix salt" and <literal>_BUILD_</literal> and <literal>_TARGET_</literal> user infixes have been replaced with with a "suffix salt" and suffixes and <literal>_FOR_BUILD</literal> and <literal>_FOR_TARGET</literal>.
This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier.
</para>
</listitem>
<listitem>
<para>
Additional Git documentation (HTML and text files) is now available via the <literal>git-doc</literal> package.
</para>
</listitem>
<listitem>
@ -501,6 +576,72 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
<link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in the Grafana documentation</link>.
</para>
</listitem>
<listitem>
<para>
The <literal>hardware.u2f</literal> module, which was installing udev rules
was removed, as udev gained native support to handle FIDO security tokens.
</para>
</listitem>
<listitem>
<para>
With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>)
has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over
socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual)
devices the default buffer size (currently 128MB) is not enough.
</para>
<para>
On a machine with &gt;100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to
be brought up during system startup, the receive buffer size will spike for a brief period.
Eventually some of the message will be dropped since there is not enough (permitted) buffer
space available.
</para>
<para>
By having <literal>systemd-networkd</literal> start with a netlink socket created by
<literal>systemd</literal> we can configure the <literal>ReceiveBufferSize=</literal> parameter
in the socket options (i.e. <literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>)
without recompiling <literal>systemd-networkd</literal>.
</para>
<para>
Since the actual memory requirements depend on hardware, timing, exact
configurations etc. it isn't currently possible to infer a good default
from within the NixOS module system. Administrators are advised to
monitor the logs of <literal>systemd-networkd</literal> for <literal>rtnl: kernel receive buffer
overrun</literal> spam and increase the memory limit as they see fit.
</para>
<para>
Note: Increasing the <literal>ReceiveBufferSize=</literal> doesn't allocate any memory. It just increases
the upper bound on the kernel side. The memory allocation depends on the amount of messages that are
queued on the kernel side of the netlink socket.
</para>
</listitem>
<listitem>
<para>
Specifying <link linkend="opt-services.dovecot2.mailboxes">mailboxes</link> in the <package>dovecot2</package> module
as a list is deprecated and will break eval in 21.03. Instead, an attribute-set should be specified where the <literal>name</literal>
should be the key of the attribute.
</para>
<para>
This means that a configuration like this
<programlisting>{
<link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = [
{ name = "Junk";
auto = "create";
}
];
}</programlisting>
should now look like this:
<programlisting>{
<link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = {
Junk.auto = "create";
};
}</programlisting>
</para>
</listitem>
<listitem>
<para>
<package>netbeans</package> was upgraded to 12.0 and now defaults to OpenJDK 11. This might cause problems if your projects depend on packages that were removed in Java 11.
</para>
</listitem>
</itemizedlist>
</section>
</section>

View file

@ -39,7 +39,7 @@
, name ? "nixos-disk-image"
, # Disk image format, one of qcow2, qcow2-compressed, vpc, raw.
, # Disk image format, one of qcow2, qcow2-compressed, vdi, vpc, raw.
format ? "raw"
}:
@ -57,6 +57,7 @@ let format' = format; in let
filename = "nixos." + {
qcow2 = "qcow2";
vdi = "vdi";
vpc = "vhd";
raw = "img";
}.${format};

View file

@ -34,8 +34,8 @@
, # The path (outside the ISO file system) of the isohybrid-mbr image.
isohybridMbrImage ? ""
, # Whether to compress the resulting ISO image with bzip2.
compressImage ? false
, # Whether to compress the resulting ISO image with zstd.
compressImage ? false, zstd
, # The volume ID.
volumeID ? ""
@ -48,7 +48,7 @@ assert usbBootable -> isohybridMbrImage != "";
stdenv.mkDerivation {
name = isoName;
builder = ./make-iso9660-image.sh;
buildInputs = [ xorriso syslinux ];
buildInputs = [ xorriso syslinux zstd ];
inherit isoName bootable bootImage compressImage volumeID efiBootImage efiBootable isohybridMbrImage usbBootable;

View file

@ -129,9 +129,14 @@ fi
if test -n "$compressImage"; then
echo "Compressing image..."
bzip2 $out/iso/$isoName
zstd -T$NIX_BUILD_CORES --rm $out/iso/$isoName
fi
mkdir -p $out/nix-support
echo $system > $out/nix-support/system
echo "file iso $out/iso/$isoName" >> $out/nix-support/hydra-build-products
if test -n "$compressImage"; then
echo "file iso $out/iso/$isoName.zst" >> $out/nix-support/hydra-build-products
else
echo "file iso $out/iso/$isoName" >> $out/nix-support/hydra-build-products
fi

View file

@ -68,7 +68,8 @@ with lib;
config = {
environment.systemPackages =
optional (config.i18n.supportedLocales != []) config.i18n.glibcLocales;
# We increase the priority a little, so that plain glibc in systemPackages can't win.
optional (config.i18n.supportedLocales != []) (lib.setPrio (-1) config.i18n.glibcLocales);
environment.sessionVariables =
{ LANG = config.i18n.defaultLocale;

View file

@ -8,8 +8,7 @@ with lib;
let
requiredPackages = map (pkg: setPrio ((pkg.meta.priority or 5) + 3) pkg)
[ config.nix.package
pkgs.acl
[ pkgs.acl
pkgs.attr
pkgs.bashInteractive # bash with ncurses support
pkgs.bzip2
@ -33,7 +32,6 @@ let
pkgs.nano
pkgs.ncurses
pkgs.netcat
pkgs.nix-info
config.programs.ssh.package
pkgs.perl
pkgs.procps
@ -43,6 +41,7 @@ let
pkgs.time
pkgs.utillinux
pkgs.which # 88K size
pkgs.zstd
];
in

View file

@ -600,6 +600,38 @@ in {
}
];
warnings =
builtins.filter (x: x != null) (
flip mapAttrsToList cfg.users (name: user:
# This regex matches a subset of the Modular Crypto Format (MCF)[1]
# informal standard. Since this depends largely on the OS or the
# specific implementation of crypt(3) we only support the (sane)
# schemes implemented by glibc and BSDs. In particular the original
# DES hash is excluded since, having no structure, it would validate
# common mistakes like typing the plaintext password.
#
# [1]: https://en.wikipedia.org/wiki/Crypt_(C)
let
sep = "\\$";
base64 = "[a-zA-Z0-9./]+";
id = "[a-z0-9-]+";
value = "[a-zA-Z0-9/+.-]+";
options = "${id}(=${value})?(,${id}=${value})*";
scheme = "${id}(${sep}${options})?";
content = "${base64}${sep}${base64}";
mcf = "^${sep}${scheme}${sep}${content}$";
in
if (user.hashedPassword != null
&& builtins.match mcf user.hashedPassword == null)
then
''
The password hash of user "${name}" may be invalid. You must set a
valid hash or the user will be locked out of his account. Please
check the value of option `users.users."${name}".hashedPassword`.
''
else null
));
};
}

View file

@ -413,7 +413,7 @@ in
default = false;
description = ''
Whether the ISO image should be compressed using
<command>bzip2</command>.
<command>zstd</command>.
'';
};

View file

@ -105,7 +105,7 @@ in
default = true;
description = ''
Whether the SD image should be compressed using
<command>bzip2</command>.
<command>zstd</command>.
'';
};
@ -130,10 +130,10 @@ in
sdImage.storePaths = [ config.system.build.toplevel ];
system.build.sdImage = pkgs.callPackage ({ stdenv, dosfstools, e2fsprogs,
mtools, libfaketime, utillinux, bzip2, zstd }: stdenv.mkDerivation {
mtools, libfaketime, utillinux, zstd }: stdenv.mkDerivation {
name = config.sdImage.imageName;
nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime utillinux bzip2 zstd ];
nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime utillinux zstd ];
inherit (config.sdImage) compressImage;
@ -143,7 +143,7 @@ in
echo "${pkgs.stdenv.buildPlatform.system}" > $out/nix-support/system
if test -n "$compressImage"; then
echo "file sd-image $img.bz2" >> $out/nix-support/hydra-build-products
echo "file sd-image $img.zst" >> $out/nix-support/hydra-build-products
else
echo "file sd-image $img" >> $out/nix-support/hydra-build-products
fi
@ -190,7 +190,7 @@ in
fsck.vfat -vn firmware_part.img
dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS
if test -n "$compressImage"; then
bzip2 $img
zstd -T$NIX_BUILD_CORES --rm $img
fi
'';
}) {};

View file

@ -1,6 +1,6 @@
{
x86_64-linux = "/nix/store/xb0nl3z356n0sfrhswfli2g19a19slys-nix-2.3.5";
i686-linux = "/nix/store/k8kdd4yy1yap6lai5idyhmzcwsjh1fik-nix-2.3.5";
aarch64-linux = "/nix/store/dr86cbipxqjcb8pf2k0v8wvw0h0adfpz-nix-2.3.5";
x86_64-darwin = "/nix/store/n6dqdndkv9kac66kdr988kaiyavl44x8-nix-2.3.5";
x86_64-linux = "/nix/store/j8dbv5w6jl34caywh2ygdy88knx1mdf7-nix-2.3.6";
i686-linux = "/nix/store/9fqvbdisahqp0238vrs7wn5anpri0a65-nix-2.3.6";
aarch64-linux = "/nix/store/72pwn0nm9bjqx9vpi8sgh4bl6g5wh814-nix-2.3.6";
x86_64-darwin = "/nix/store/g37vk77m90p5zcl5nixjlzp3vqpisfn5-nix-2.3.6";
}

View file

@ -239,7 +239,6 @@ in
shout = 206;
gateone = 207;
namecoin = 208;
dnschain = 209;
#lxd = 210; # unused
kibana = 211;
xtreemfs = 212;
@ -549,7 +548,6 @@ in
#shout = 206; #unused
gateone = 207;
namecoin = 208;
#dnschain = 209; #unused
lxd = 210; # unused
#kibana = 211;
xtreemfs = 212;

View file

@ -126,6 +126,7 @@
./programs/gpaste.nix
./programs/gnupg.nix
./programs/gphoto2.nix
./programs/hamster.nix
./programs/iftop.nix
./programs/iotop.nix
./programs/java.nix
@ -334,6 +335,7 @@
./services/games/minecraft-server.nix
./services/games/minetest-server.nix
./services/games/openarena.nix
./services/games/teeworlds.nix
./services/games/terraria.nix
./services/hardware/acpid.nix
./services/hardware/actkbd.nix
@ -361,7 +363,6 @@
./services/hardware/throttled.nix
./services/hardware/trezord.nix
./services/hardware/triggerhappy.nix
./services/hardware/u2f.nix
./services/hardware/udev.nix
./services/hardware/udisks2.nix
./services/hardware/upower.nix
@ -601,7 +602,6 @@
./services/networking/dhcpcd.nix
./services/networking/dhcpd.nix
./services/networking/dnscache.nix
./services/networking/dnschain.nix
./services/networking/dnscrypt-proxy2.nix
./services/networking/dnscrypt-wrapper.nix
./services/networking/dnsdist.nix
@ -624,6 +624,7 @@
./services/networking/gdomap.nix
./services/networking/git-daemon.nix
./services/networking/gnunet.nix
./services/networking/go-neb.nix
./services/networking/go-shadowsocks2.nix
./services/networking/gogoclient.nix
./services/networking/gvpe.nix
@ -806,7 +807,6 @@
./services/security/torsocks.nix
./services/security/usbguard.nix
./services/security/vault.nix
./services/system/cgmanager.nix
./services/system/cloud-init.nix
./services/system/dbus.nix
./services/system/earlyoom.nix

View file

@ -238,9 +238,6 @@ in
"/share/bash-completion"
];
environment.systemPackages = optional cfg.enableCompletion
pkgs.nix-bash-completions;
environment.shells =
[ "/run/current-system/sw/bin/bash"
"/run/current-system/sw/bin/sh"

View file

@ -0,0 +1,15 @@
{ config, lib, pkgs, ... }:
with lib;
{
meta.maintainers = maintainers.fabianhauser;
options.programs.hamster.enable =
mkEnableOption "Whether to enable hamster time tracking.";
config = lib.mkIf config.programs.hamster.enable {
environment.systemPackages = [ pkgs.hamster ];
services.dbus.packages = [ pkgs.hamster ];
};
}

View file

@ -194,6 +194,33 @@ in
'';
};
kexAlgorithms = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
description = ''
Specifies the available KEX (Key Exchange) algorithms.
'';
};
ciphers = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ];
description = ''
Specifies the ciphers allowed and their order of preference.
'';
};
macs = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
example = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha1" ];
description = ''
Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used
for data integrity protection.
'';
};
};
};
@ -232,6 +259,9 @@ in
${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
${optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${concatStringsSep "," cfg.hostKeyAlgorithms}"}
${optionalString (cfg.kexAlgorithms != null) "KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}"}
${optionalString (cfg.ciphers != null) "Ciphers ${concatStringsSep "," cfg.ciphers}"}
${optionalString (cfg.macs != null) "MACs ${concatStringsSep "," cfg.macs}"}
'';
environment.etc."ssh/ssh_known_hosts".text = knownHostsText;

View file

@ -21,9 +21,11 @@ in
(mkRenamedOptionModule [ "networking" "defaultMailServer" "useTLS" ] [ "services" "ssmtp" "useTLS" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "useSTARTTLS" ] [ "services" "ssmtp" "useSTARTTLS" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "authUser" ] [ "services" "ssmtp" "authUser" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "authPass" ] [ "services" "ssmtp" "authPass" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "authPassFile" ] [ "services" "ssmtp" "authPassFile" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "setSendmail" ] [ "services" "ssmtp" "setSendmail" ])
(mkRemovedOptionModule [ "networking" "defaultMailServer" "authPass" ] "authPass has been removed since it leaks the clear-text password into the world-readable store. Use authPassFile instead and make sure it's not a store path")
(mkRemovedOptionModule [ "services" "ssmtp" "authPass" ] "authPass has been removed since it leaks the clear-text password into the world-readable store. Use authPassFile instead and make sure it's not a store path")
];
options = {
@ -45,6 +47,21 @@ in
'';
};
settings = mkOption {
type = with types; attrsOf (oneOf [ bool str ]);
default = {};
description = ''
<citerefentry><refentrytitle>ssmtp</refentrytitle><manvolnum>5</manvolnum></citerefentry> configuration. Refer
to <link xlink:href="https://linux.die.net/man/5/ssmtp.conf"/> for details on supported values.
'';
example = literalExample ''
{
Debug = true;
FromLineOverride = false;
}
'';
};
hostName = mkOption {
type = types.str;
example = "mail.example.org";
@ -101,18 +118,6 @@ in
'';
};
authPass = mkOption {
type = types.str;
default = "";
example = "correctHorseBatteryStaple";
description = ''
Password used for SMTP auth. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
It's recommended to use <option>authPassFile</option>
which takes precedence over <option>authPass</option>.
'';
};
authPassFile = mkOption {
type = types.nullOr types.str;
default = null;
@ -121,11 +126,6 @@ in
Path to a file that contains the password used for SMTP auth. The file
should not contain a trailing newline, if the password does not contain one.
This file should be readable by the users that need to execute ssmtp.
<option>authPassFile</option> takes precedence over <option>authPass</option>.
Warning: when <option>authPass</option> is non-empty <option>authPassFile</option>
defaults to a file in the WORLD-READABLE Nix store containing that password.
'';
};
@ -142,25 +142,28 @@ in
config = mkIf cfg.enable {
services.ssmtp.authPassFile = mkIf (cfg.authPass != "")
(mkDefault (toString (pkgs.writeTextFile {
name = "ssmtp-authpass";
text = cfg.authPass;
})));
services.ssmtp.settings = mkMerge [
({
MailHub = cfg.hostName;
FromLineOverride = mkDefault true;
UseTLS = cfg.useTLS;
UseSTARTTLS = cfg.useSTARTTLS;
})
(mkIf (cfg.root != "") { root = cfg.root; })
(mkIf (cfg.domain != "") { rewriteDomain = cfg.domain; })
(mkIf (cfg.authUser != "") { AuthUser = cfg.authUser; })
(mkIf (cfg.authPassFile != null) { AuthPassFile = cfg.authPassFile; })
];
environment.etc."ssmtp/ssmtp.conf".text =
let yesNo = yes : if yes then "YES" else "NO"; in
''
MailHub=${cfg.hostName}
FromLineOverride=YES
${optionalString (cfg.root != "") "root=${cfg.root}"}
${optionalString (cfg.domain != "") "rewriteDomain=${cfg.domain}"}
UseTLS=${yesNo cfg.useTLS}
UseSTARTTLS=${yesNo cfg.useSTARTTLS}
#Debug=YES
${optionalString (cfg.authUser != "") "AuthUser=${cfg.authUser}"}
${optionalString (cfg.authPassFile != null) "AuthPassFile=${cfg.authPassFile}"}
'';
environment.etc."ssmtp/ssmtp.conf".source =
let
toStr = value:
if value == true then "YES"
else if value == false then "NO"
else builtins.toString value
;
in
pkgs.writeText "ssmtp.conf" (concatStringsSep "\n" (mapAttrsToList (key: value: "${key}=${toStr value}") cfg.settings));
environment.systemPackages = [pkgs.ssmtp];

View file

@ -24,6 +24,7 @@ with lib;
(mkRemovedOptionModule [ "environment" "blcr" "enable" ] "The BLCR module has been removed")
(mkRemovedOptionModule [ "services" "beegfsEnable" ] "The BeeGFS module has been removed")
(mkRemovedOptionModule [ "services" "beegfs" ] "The BeeGFS module has been removed")
(mkRemovedOptionModule ["services" "cgmanager" "enable"] "cgmanager was deprecated by lxc and therefore removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")
(mkRemovedOptionModule [ "services" "fourStore" ] "The fourStore module has been removed")
(mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
@ -54,6 +55,12 @@ with lib;
prey-bash-client is deprecated upstream
'')
(mkRemovedOptionModule ["hardware" "u2f" ] ''
The U2F modules module was removed, as all it did was adding the
udev rules from libu2f-host to the system. Udev gained native support
to handle FIDO security tokens, so this isn't necessary anymore.
'')
# Do NOT add any option renames here, see top of the file
];
}

View file

@ -436,6 +436,8 @@ let
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
${optionalString config.security.pam.enableEcryptfs
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
${optionalString cfg.pamMount
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
${optionalString use_ldap
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.services.sssd.enable
@ -452,8 +454,6 @@ let
"session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"}
${optionalString (cfg.showMotd && config.users.motd != null)
"session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
${optionalString cfg.pamMount
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
"session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
${optionalString (cfg.enableKwallet)

View file

@ -173,7 +173,9 @@ in
config = mkIf cfg.enable {
security.sudo.extraRules = [
# We `mkOrder 600` so that the default rule shows up first, but there is
# still enough room for a user to `mkBefore` it.
security.sudo.extraRules = mkOrder 600 [
{ groups = [ "wheel" ];
commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
}

View file

@ -16,7 +16,7 @@ let
factory = util.BuildFactory()
c = BuildmasterConfig = dict(
workers = [${concatStringsSep "," cfg.workers}],
protocols = { 'pb': {'port': ${toString cfg.bpPort} } },
protocols = { 'pb': {'port': ${toString cfg.pbPort} } },
title = '${escapeStr cfg.title}',
titleURL = '${escapeStr cfg.titleUrl}',
buildbotURL = '${escapeStr cfg.buildbotUrl}',
@ -155,10 +155,20 @@ in {
description = "Specifies the Buildbot directory.";
};
bpPort = mkOption {
pbPort = mkOption {
default = 9989;
type = types.int;
description = "Port where the master will listen to Buildbot Worker.";
type = types.either types.str types.int;
example = "'tcp:9990:interface=127.0.0.1'";
description = ''
The buildmaster will listen on a TCP port of your choosing
for connections from workers.
It can also use this port for connections from remote Change Sources,
status clients, and debug tools.
This port should be visible to the outside world, and youll need to tell
your worker admins about your choice.
If put in (single) quotes, this can also be used as a connection string,
as defined in the <link xlink:href="https://twistedmatrix.com/documents/current/core/howto/endpoints.html">ConnectionStrings guide</link>.
'';
};
listenAddress = mkOption {
@ -264,5 +274,9 @@ in {
};
};
imports = [
(mkRenamedOptionModule [ "services" "buildbot-master" "bpPort" ] [ "services" "buildbot-master" "pbPort" ])
];
meta.maintainers = with lib.maintainers; [ nand0p mic92 ];
}

View file

@ -334,7 +334,8 @@ in
environment.etc."my.cnf".source = cfg.configFile;
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 ${cfg.user} mysql -"
"d '${cfg.dataDir}' 0700 ${cfg.user} mysql - -"
"z '${cfg.dataDir}' 0700 ${cfg.user} mysql - -"
];
systemd.services.mysql = let
@ -357,21 +358,17 @@ in
preStart = if isMariaDB then ''
if ! test -e ${cfg.dataDir}/mysql; then
${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${mysqldOptions}
touch /tmp/mysql_init
touch ${cfg.dataDir}/mysql_init
fi
'' else ''
if ! test -e ${cfg.dataDir}/mysql; then
${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} --initialize-insecure
touch /tmp/mysql_init
touch ${cfg.dataDir}/mysql_init
fi
'';
serviceConfig = {
User = cfg.user;
Group = "mysql";
Type = if hasNotify then "notify" else "simple";
RuntimeDirectory = "mysqld";
RuntimeDirectoryMode = "0755";
Restart = "on-abort";
RestartSec = "5s";
# The last two environment variables are used for starting Galera clusters
@ -398,7 +395,7 @@ in
done
''}
if [ -f /tmp/mysql_init ]
if [ -f ${cfg.dataDir}/mysql_init ]
then
${concatMapStrings (database: ''
# Create initial databases
@ -452,7 +449,7 @@ in
cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
''}
rm /tmp/mysql_init
rm ${cfg.dataDir}/mysql_init
fi
${optionalString (cfg.ensureDatabases != []) ''
@ -476,6 +473,35 @@ in
# ensureDatbases & ensureUsers depends on this script being run as root
# when the user has secured their mysql install
"+${setupScript}";
# User and group
User = cfg.user;
Group = "mysql";
# Runtime directory and mode
RuntimeDirectory = "mysqld";
RuntimeDirectoryMode = "0755";
# Access write directories
ReadWritePaths = [ cfg.dataDir ];
# Capabilities
CapabilityBoundingSet = "";
# Security
NoNewPrivileges = true;
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
};
};

View file

@ -218,6 +218,7 @@ in
description = "Redis database user";
isSystemUser = true;
};
users.groups.redis = {};
environment.systemPackages = [ cfg.package ];
@ -240,6 +241,7 @@ in
StateDirectory = "redis";
Type = "notify";
User = "redis";
Group = "redis";
};
};
};

View file

@ -0,0 +1,119 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.teeworlds;
register = cfg.register;
teeworldsConf = pkgs.writeText "teeworlds.cfg" ''
sv_port ${toString cfg.port}
sv_register ${if cfg.register then "1" else "0"}
${optionalString (cfg.name != null) "sv_name ${cfg.name}"}
${optionalString (cfg.motd != null) "sv_motd ${cfg.motd}"}
${optionalString (cfg.password != null) "password ${cfg.password}"}
${optionalString (cfg.rconPassword != null) "sv_rcon_password ${cfg.rconPassword}"}
${concatStringsSep "\n" cfg.extraOptions}
'';
in
{
options = {
services.teeworlds = {
enable = mkEnableOption "Teeworlds Server";
openPorts = mkOption {
type = types.bool;
default = false;
description = "Whether to open firewall ports for Teeworlds";
};
name = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Name of the server. Defaults to 'unnamed server'.
'';
};
register = mkOption {
type = types.bool;
example = true;
default = false;
description = ''
Whether the server registers as public server in the global server list. This is disabled by default because of privacy.
'';
};
motd = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Set the server message of the day text.
'';
};
password = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Password to connect to the server.
'';
};
rconPassword = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Password to access the remote console. If not set, a randomly generated one is displayed in the server log.
'';
};
port = mkOption {
type = types.int;
default = 8303;
description = ''
Port the server will listen on.
'';
};
extraOptions = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Extra configuration lines for the <filename>teeworlds.cfg</filename>. See <link xlink:href="https://www.teeworlds.com/?page=docs&amp;wiki=server_settings">Teeworlds Documentation</link>.
'';
example = [ "sv_map dm1" "sv_gametype dm" ];
};
};
};
config = mkIf cfg.enable {
networking.firewall = mkIf cfg.openPorts {
allowedUDPPorts = [ cfg.port ];
};
systemd.services.teeworlds = {
description = "Teeworlds Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
DynamicUser = true;
ExecStart = "${pkgs.teeworlds}/bin/teeworlds_srv -f ${teeworldsConf}";
# Hardening
CapabilityBoundingSet = false;
PrivateDevices = true;
PrivateUsers = true;
ProtectHome = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
SystemCallArchitectures = "native";
};
};
};
}

View file

@ -6,6 +6,23 @@ with lib;
let
cfg = config.services.fwupd;
customEtc = {
"fwupd/daemon.conf" = {
source = pkgs.writeText "daemon.conf" ''
[fwupd]
BlacklistDevices=${lib.concatStringsSep ";" cfg.blacklistDevices}
BlacklistPlugins=${lib.concatStringsSep ";" cfg.blacklistPlugins}
'';
};
"fwupd/uefi.conf" = {
source = pkgs.writeText "uefi.conf" ''
[uefi]
OverrideESPMountPoint=${config.boot.loader.efi.efiSysMountPoint}
'';
};
};
originalEtc =
let
mkEtcFile = n: nameValuePair n { source = "${cfg.package}/etc/${n}"; };
@ -96,22 +113,8 @@ in {
environment.systemPackages = [ cfg.package ];
environment.etc = {
"fwupd/daemon.conf" = {
source = pkgs.writeText "daemon.conf" ''
[fwupd]
BlacklistDevices=${lib.concatStringsSep ";" cfg.blacklistDevices}
BlacklistPlugins=${lib.concatStringsSep ";" cfg.blacklistPlugins}
'';
};
"fwupd/uefi.conf" = {
source = pkgs.writeText "uefi.conf" ''
[uefi]
OverrideESPMountPoint=${config.boot.loader.efi.efiSysMountPoint}
'';
};
} // originalEtc // extraTrustedKeys // testRemote;
# customEtc overrides some files from the package
environment.etc = originalEtc // customEtc // extraTrustedKeys // testRemote;
services.dbus.packages = [ cfg.package ];

View file

@ -1,23 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.u2f;
in {
options = {
hardware.u2f = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable U2F hardware support.
'';
};
};
};
config = mkIf cfg.enable {
services.udev.packages = [ pkgs.libu2f-host ];
};
}

View file

@ -125,6 +125,8 @@ let
mailboxConfig = mailbox: ''
mailbox "${mailbox.name}" {
auto = ${toString mailbox.auto}
'' + optionalString (mailbox.autoexpunge != null) ''
autoexpunge = ${mailbox.autoexpunge}
'' + optionalString (mailbox.specialUse != null) ''
special_use = \${toString mailbox.specialUse}
'' + "}";
@ -132,8 +134,9 @@ let
mailboxes = { ... }: {
options = {
name = mkOption {
type = types.strMatching ''[^"]+'';
type = types.nullOr (types.strMatching ''[^"]+'');
example = "Spam";
default = null;
description = "The name of the mailbox.";
};
auto = mkOption {
@ -148,6 +151,15 @@ let
example = "Junk";
description = "Null if no special use flag is set. Other than that every use flag mentioned in the RFC is valid.";
};
autoexpunge = mkOption {
type = types.nullOr types.str;
default = null;
example = "60d";
description = ''
To automatically remove all email from the mailbox which is older than the
specified time.
'';
};
};
};
in
@ -323,9 +335,24 @@ in
};
mailboxes = mkOption {
type = types.listOf (types.submodule mailboxes);
default = [];
example = [ { name = "Spam"; specialUse = "Junk"; auto = "create"; } ];
type = with types; let m = submodule mailboxes; in either (listOf m) (attrsOf m);
default = {};
apply = x:
if isList x then warn "Declaring `services.dovecot2.mailboxes' as a list is deprecated and will break eval in 21.03!" x
else mapAttrsToList (name: value:
if value.name != null
then throw ''
When specifying dovecot2 mailboxes as attributes, declaring
a `name'-attribute is prohibited! The name ${value.name} should
be the attribute key!
''
else value // { inherit name; }
) x;
example = literalExample ''
{
Spam = { specialUse = "Junk"; auto = "create"; };
}
'';
description = "Configure mailboxes and auto create or subscribe them.";
};

View file

@ -17,6 +17,10 @@ in {
###### interface
imports = [
(mkRenamedOptionModule [ "services" "opensmtpd" "addSendmailToSystemPath" ] [ "services" "opensmtpd" "setSendmail" ])
];
options = {
services.opensmtpd = {
@ -34,13 +38,10 @@ in {
description = "The OpenSMTPD package to use.";
};
addSendmailToSystemPath = mkOption {
setSendmail = mkOption {
type = types.bool;
default = true;
description = ''
Whether to add OpenSMTPD's sendmail binary to the
system path or not.
'';
description = "Whether to set the system sendmail to OpenSMTPD's.";
};
extraServerArgs = mkOption {
@ -82,7 +83,7 @@ in {
###### implementation
config = mkIf cfg.enable {
config = mkIf cfg.enable rec {
users.groups = {
smtpd.gid = config.ids.gids.smtpd;
smtpq.gid = config.ids.gids.smtpq;
@ -101,6 +102,14 @@ in {
};
};
security.wrappers.smtpctl = {
group = "smtpq";
setgid = true;
source = "${cfg.package}/bin/smtpctl";
};
services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail security.wrappers.smtpctl;
systemd.tmpfiles.rules = [
"d /var/spool/smtpd 711 root - - -"
"d /var/spool/smtpd/offline 770 root smtpq - -"
@ -119,7 +128,5 @@ in {
serviceConfig.ExecStart = "${cfg.package}/sbin/smtpd -d -f ${conf} ${args}";
environment.OPENSMTPD_PROC_PATH = "${procEnv}/libexec/opensmtpd";
};
environment.systemPackages = mkIf cfg.addSendmailToSystemPath [ sendmail ];
};
}

View file

@ -95,9 +95,11 @@ in {
-conf ${configPath} \\
-base /var/lib/freeswitch";
ExecReload = "${pkg}/bin/fs_cli -x reloadxml";
Restart = "always";
Restart = "on-failure";
RestartSec = "5s";
CPUSchedulingPolicy = "fifo";
};
};
environment.systemPackages = [ pkg ];
};
}

View file

@ -43,6 +43,9 @@ let
[gitlab-shell]
dir = "${cfg.packages.gitlab-shell}"
secret_file = "${cfg.statePath}/gitlab_shell_secret"
gitlab_url = "http+unix://${pathUrlQuote gitlabSocket}"
http_settings = { self_signed_cert = false }
${concatStringsSep "\n" (attrValues (mapAttrs (k: v: ''
[[storage]]

View file

@ -11,9 +11,9 @@ let
(recursiveUpdate defaultConfig cfg.config) else cfg.config));
configFile = pkgs.runCommand "configuration.yaml" { preferLocalBuild = true; } ''
${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out
# Hack to support secrets, that are encoded as custom yaml objects,
# https://www.home-assistant.io/docs/configuration/secrets/
sed -i -e "s/'\!secret \(.*\)'/\!secret \1/" $out
# Hack to support custom yaml objects,
# i.e. secrets: https://www.home-assistant.io/docs/configuration/secrets/
sed -i -e "s/'\!\([a-z_]\+\) \(.*\)'/\!\1 \2/;s/^\!\!/\!/;" $out
'';
lovelaceConfigJSON = pkgs.writeText "ui-lovelace.json"
@ -120,7 +120,9 @@ in {
unit_system = "metric";
time_zone = "UTC";
};
frontend = { };
frontend = {
themes = "!include_dir_merge_named themes";
};
http = { };
feedreader.urls = [ "https://nixos.org/blogs.xml" ];
}

View file

@ -9,6 +9,9 @@ let
logConfigFile = pkgs.writeText "log_config.yaml" cfg.logConfig;
mkResource = r: ''{names: ${builtins.toJSON r.names}, compress: ${boolToString r.compress}}'';
mkListener = l: ''{port: ${toString l.port}, bind_address: "${l.bind_address}", type: ${l.type}, tls: ${boolToString l.tls}, x_forwarded: ${boolToString l.x_forwarded}, resources: [${concatStringsSep "," (map mkResource l.resources)}]}'';
pluginsEnv = cfg.package.python.buildEnv.override {
extraLibs = cfg.plugins;
};
configFile = pkgs.writeText "homeserver.yaml" ''
${optionalString (cfg.tls_certificate_path != null) ''
tls_certificate_path: "${cfg.tls_certificate_path}"
@ -125,6 +128,14 @@ in {
Overridable attribute of the matrix synapse server package to use.
'';
};
plugins = mkOption {
type = types.listOf types.package;
default = [ ];
defaultText = "with config.services.matrix-synapse.package.plugins [ matrix-synapse-ldap3 matrix-synapse-pam ]";
description = ''
List of additional Matrix plugins to make available.
'';
};
no_tls = mkOption {
type = types.bool;
default = false;
@ -686,6 +697,7 @@ in {
--keys-directory ${cfg.dataDir} \
--generate-keys
'';
environment.PYTHONPATH = makeSearchPathOutput "lib" cfg.package.python.sitePackages [ pluginsEnv ];
serviceConfig = {
Type = "notify";
User = "matrix-synapse";
@ -715,5 +727,6 @@ in {
];
meta.doc = ./matrix-synapse.xml;
meta.maintainers = teams.matrix.members;
}

View file

@ -442,6 +442,12 @@ in
nix.binaryCachePublicKeys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
nix.binaryCaches = [ "https://cache.nixos.org/" ];
environment.systemPackages =
[ nix
pkgs.nix-info
]
++ optional (config.programs.bash.enableCompletion && !versionAtLeast nixVersion "2.4pre") pkgs.nix-bash-completions;
environment.etc."nix/nix.conf".source = nixConf;
environment.etc."nix/registry.json".text = builtins.toJSON {

View file

@ -21,6 +21,7 @@ let
# `serviceOpts.script` or `serviceOpts.serviceConfig.ExecStart`
exporterOpts = genAttrs [
"apcupsd"
"bind"
"blackbox"
"collectd"
@ -28,6 +29,8 @@ let
"dovecot"
"fritzbox"
"json"
"keylight"
"lnd"
"mail"
"mikrotik"
"minio"

View file

@ -0,0 +1,38 @@
{ config, lib, pkgs, options }:
with lib;
let
cfg = config.services.prometheus.exporters.apcupsd;
in
{
port = 9162;
extraOpts = {
apcupsdAddress = mkOption {
type = types.str;
default = ":3551";
description = ''
Address of the apcupsd Network Information Server (NIS).
'';
};
apcupsdNetwork = mkOption {
type = types.enum ["tcp" "tcp4" "tcp6"];
default = "tcp";
description = ''
Network of the apcupsd Network Information Server (NIS): one of "tcp", "tcp4", or "tcp6".
'';
};
};
serviceOpts = {
serviceConfig = {
ExecStart = ''
${pkgs.prometheus-apcupsd-exporter}/bin/apcupsd_exporter \
-telemetry.addr ${cfg.listenAddress}:${toString cfg.port} \
-apcupsd.addr ${cfg.apcupsdAddress} \
-apcupsd.network ${cfg.apcupsdNetwork} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
};
};
}

View file

@ -0,0 +1,19 @@
{ config, lib, pkgs, options }:
with lib;
let
cfg = config.services.prometheus.exporters.keylight;
in
{
port = 9288;
serviceOpts = {
serviceConfig = {
ExecStart = ''
${pkgs.prometheus-keylight-exporter}/bin/keylight_exporter \
-metrics.addr ${cfg.listenAddress}:${toString cfg.port} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
};
};
}

View file

@ -0,0 +1,46 @@
{ config, lib, pkgs, options }:
with lib;
let
cfg = config.services.prometheus.exporters.lnd;
in
{
port = 9092;
extraOpts = {
lndHost = mkOption {
type = types.str;
default = "localhost:10009";
description = ''
lnd instance gRPC address:port.
'';
};
lndTlsPath = mkOption {
type = types.path;
description = ''
Path to lnd TLS certificate.
'';
};
lndMacaroonDir = mkOption {
type = types.path;
description = ''
Path to lnd macaroons.
'';
};
};
serviceOpts.serviceConfig = {
ExecStart = ''
${pkgs.prometheus-lnd-exporter}/bin/lndmon \
--prometheus.listenaddr=${cfg.listenAddress}:${toString cfg.port} \
--prometheus.logdir=/var/log/prometheus-lnd-exporter \
--lnd.host=${cfg.lndHost} \
--lnd.tlspath=${cfg.lndTlsPath} \
--lnd.macaroondir=${cfg.lndMacaroonDir} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
LogsDirectory = "prometheus-lnd-exporter";
ReadOnlyPaths = [ cfg.lndTlsPath cfg.lndMacaroonDir ];
};
}

View file

@ -1,69 +1,17 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, options, ... }:
with lib;
let
inherit (pkgs) ipfs runCommand makeWrapper;
cfg = config.services.ipfs;
opt = options.services.ipfs;
ipfsFlags = toString ([
(optionalString cfg.autoMount "--mount")
#(optionalString cfg.autoMigrate "--migrate")
(optionalString cfg.enableGC "--enable-gc")
(optionalString (cfg.serviceFdlimit != null) "--manage-fdlimit=false")
(optionalString (cfg.defaultMode == "offline") "--offline")
(optionalString (cfg.defaultMode == "norouting") "--routing=none")
] ++ cfg.extraFlags);
defaultDataDir = if versionAtLeast config.system.stateVersion "17.09" then
"/var/lib/ipfs" else
"/var/lib/ipfs/.ipfs";
# Wrapping the ipfs binary with the environment variable IPFS_PATH set to dataDir because we can't set it in the user environment
wrapped = runCommand "ipfs" { buildInputs = [ makeWrapper ]; preferLocalBuild = true; } ''
mkdir -p "$out/bin"
makeWrapper "${ipfs}/bin/ipfs" "$out/bin/ipfs" \
--set IPFS_PATH ${cfg.dataDir} \
--prefix PATH : /run/wrappers/bin
'';
commonEnv = {
environment.IPFS_PATH = cfg.dataDir;
path = [ wrapped ];
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
};
baseService = recursiveUpdate commonEnv {
wants = [ "ipfs-init.service" ];
# NB: migration must be performed prior to pre-start, else we get the failure message!
preStart = optionalString cfg.autoMount ''
ipfs --local config Mounts.FuseAllowOther --json true
ipfs --local config Mounts.IPFS ${cfg.ipfsMountDir}
ipfs --local config Mounts.IPNS ${cfg.ipnsMountDir}
'' + concatStringsSep "\n" (collect
isString
(mapAttrsRecursive
(path: value:
# Using heredoc below so that the value is never improperly quoted
''
read value <<EOF
${builtins.toJSON value}
EOF
ipfs --local config --json "${concatStringsSep "." path}" "$value"
'')
({ Addresses.API = cfg.apiAddress;
Addresses.Gateway = cfg.gatewayAddress;
Addresses.Swarm = cfg.swarmAddress;
} //
cfg.extraConfig))
);
serviceConfig = {
ExecStart = "${wrapped}/bin/ipfs daemon ${ipfsFlags}";
Restart = "on-failure";
RestartSec = 1;
} // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
};
in {
###### interface
@ -88,7 +36,9 @@ in {
dataDir = mkOption {
type = types.str;
default = defaultDataDir;
default = if versionAtLeast config.system.stateVersion "17.09"
then "/var/lib/ipfs"
else "/var/lib/ipfs/.ipfs";
description = "The data dir for IPFS";
};
@ -98,18 +48,6 @@ in {
description = "systemd service that is enabled by default";
};
/*
autoMigrate = mkOption {
type = types.bool;
default = false;
description = ''
Whether IPFS should try to migrate the file system automatically.
The daemon will need to be able to download a binary from https://ipfs.io to perform the migration.
'';
};
*/
autoMount = mkOption {
type = types.bool;
default = false;
@ -199,13 +137,21 @@ in {
example = 64*1024;
};
startWhenNeeded = mkOption {
type = types.bool;
default = false;
description = "Whether to use socket activation to start IPFS when needed.";
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ wrapped ];
environment.systemPackages = [ pkgs.ipfs ];
environment.variables.IPFS_PATH = cfg.dataDir;
programs.fuse = mkIf cfg.autoMount {
userAllowOther = true;
};
@ -234,10 +180,14 @@ in {
"d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -"
];
systemd.services.ipfs-init = recursiveUpdate commonEnv {
systemd.packages = [ pkgs.ipfs ];
systemd.services.ipfs-init = {
description = "IPFS Initializer";
before = [ "ipfs.service" "ipfs-offline.service" "ipfs-norouting.service" ];
environment.IPFS_PATH = cfg.dataDir;
path = [ pkgs.ipfs ];
script = ''
if [[ ! -f ${cfg.dataDir}/config ]]; then
@ -251,34 +201,63 @@ in {
fi
'';
wantedBy = [ "default.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = cfg.user;
Group = cfg.group;
};
};
# TODO These 3 definitions possibly be further abstracted through use of a function
# like: mutexServices "ipfs" [ "", "offline", "norouting" ] { ... shared conf here ... }
systemd.services.ipfs = {
path = [ "/run/wrappers" pkgs.ipfs ];
environment.IPFS_PATH = cfg.dataDir;
systemd.services.ipfs = recursiveUpdate baseService {
description = "IPFS Daemon";
wantedBy = mkIf (cfg.defaultMode == "online") [ "multi-user.target" ];
after = [ "network.target" "ipfs-init.service" ];
conflicts = [ "ipfs-offline.service" "ipfs-norouting.service"];
wants = [ "ipfs-init.service" ];
after = [ "ipfs-init.service" ];
preStart = optionalString cfg.autoMount ''
ipfs --local config Mounts.FuseAllowOther --json true
ipfs --local config Mounts.IPFS ${cfg.ipfsMountDir}
ipfs --local config Mounts.IPNS ${cfg.ipnsMountDir}
'' + concatStringsSep "\n" (collect
isString
(mapAttrsRecursive
(path: value:
# Using heredoc below so that the value is never improperly quoted
''
read value <<EOF
${builtins.toJSON value}
EOF
ipfs --local config --json "${concatStringsSep "." path}" "$value"
'')
({ Addresses.API = cfg.apiAddress;
Addresses.Gateway = cfg.gatewayAddress;
Addresses.Swarm = cfg.swarmAddress;
} //
cfg.extraConfig))
);
serviceConfig = {
ExecStart = ["" "${pkgs.ipfs}/bin/ipfs daemon ${ipfsFlags}"];
User = cfg.user;
Group = cfg.group;
} // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
} // optionalAttrs (!cfg.startWhenNeeded) {
wantedBy = [ "default.target" ];
};
systemd.services.ipfs-offline = recursiveUpdate baseService {
description = "IPFS Daemon (offline mode)";
wantedBy = mkIf (cfg.defaultMode == "offline") [ "multi-user.target" ];
after = [ "ipfs-init.service" ];
conflicts = [ "ipfs.service" "ipfs-norouting.service"];
systemd.sockets.ipfs-gateway = {
wantedBy = [ "sockets.target" ];
socketConfig.ListenStream = [ "" ]
++ lib.optional (cfg.gatewayAddress == opt.gatewayAddress.default) [ "127.0.0.1:8080" "[::1]:8080" ];
};
systemd.services.ipfs-norouting = recursiveUpdate baseService {
description = "IPFS Daemon (no routing mode)";
wantedBy = mkIf (cfg.defaultMode == "norouting") [ "multi-user.target" ];
after = [ "ipfs-init.service" ];
conflicts = [ "ipfs.service" "ipfs-offline.service"];
systemd.sockets.ipfs-api = {
wantedBy = [ "sockets.target" ];
socketConfig.ListenStream = [ "" "%t/ipfs.sock" ]
++ lib.optional (cfg.apiAddress == opt.apiAddress.default) [ "127.0.0.1:5001" "[::1]:5001" ];
};
};

View file

@ -4,14 +4,50 @@ with lib;
let
cfg = config.services.corerad;
writeTOML = name: x:
pkgs.runCommandNoCCLocal name {
passAsFile = ["config"];
config = builtins.toJSON x;
buildInputs = [ pkgs.go-toml ];
} "jsontoml < $configPath > $out";
in {
meta = {
maintainers = with maintainers; [ mdlayher ];
};
meta.maintainers = with maintainers; [ mdlayher ];
options.services.corerad = {
enable = mkEnableOption "CoreRAD IPv6 NDP RA daemon";
settings = mkOption {
type = types.uniq types.attrs;
example = literalExample ''
{
interfaces = [
# eth0 is an upstream interface monitoring for IPv6 router advertisements.
{
name = "eth0";
monitor = true;
}
# eth1 is a downstream interface advertising IPv6 prefixes for SLAAC.
{
name = "eth1";
advertise = true;
prefix = [{ prefix = "::/64"; }];
}
];
# Optionally enable Prometheus metrics.
debug = {
address = "localhost:9430";
prometheus = true;
};
}
'';
description = ''
Configuration for CoreRAD, see <link xlink:href="https://github.com/mdlayher/corerad/blob/master/internal/config/default.toml"/>
for supported values. Ignored if configFile is set.
'';
};
configFile = mkOption {
type = types.path;
example = literalExample "\"\${pkgs.corerad}/etc/corerad/corerad.toml\"";
@ -27,6 +63,9 @@ in {
};
config = mkIf cfg.enable {
# Prefer the config file over settings if both are set.
services.corerad.configFile = mkDefault (writeTOML "corerad.toml" cfg.settings);
systemd.services.corerad = {
description = "CoreRAD IPv6 NDP RA daemon";
after = [ "network.target" ];

View file

@ -1,184 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfgs = config.services;
cfg = cfgs.dnschain;
dataDir = "/var/lib/dnschain";
username = "dnschain";
configFile = pkgs.writeText "dnschain.conf" ''
[log]
level = info
[dns]
host = ${cfg.dns.address}
port = ${toString cfg.dns.port}
oldDNSMethod = NO_OLD_DNS
externalIP = ${cfg.dns.externalAddress}
[http]
host = ${cfg.api.hostname}
port = ${toString cfg.api.port}
tlsPort = ${toString cfg.api.tlsPort}
${cfg.extraConfig}
'';
in
{
###### interface
options = {
services.dnschain = {
enable = mkEnableOption ''
DNSChain, a blockchain based DNS + HTTP server.
To resolve .bit domains set <literal>services.namecoind.enable = true;</literal>
and an RPC username/password.
'';
dns.address = mkOption {
type = types.str;
default = "127.0.0.1";
description = ''
The IP address the DNSChain resolver will bind to.
Leave this unchanged if you do not wish to directly expose the resolver.
'';
};
dns.externalAddress = mkOption {
type = types.str;
default = cfg.dns.address;
description = ''
The IP address used by clients to reach the resolver and the value of
the <literal>namecoin.dns</literal> record. Set this in case the bind address
is not the actual IP address (e.g. the machine is behind a NAT).
'';
};
dns.port = mkOption {
type = types.int;
default = 5333;
description = ''
The port the DNSChain resolver will bind to.
'';
};
api.hostname = mkOption {
type = types.str;
default = "0.0.0.0";
description = ''
The hostname (or IP address) the DNSChain API server will bind to.
'';
};
api.port = mkOption {
type = types.int;
default = 8080;
description = ''
The port the DNSChain API server (HTTP) will bind to.
'';
};
api.tlsPort = mkOption {
type = types.int;
default = 4433;
description = ''
The port the DNSChain API server (HTTPS) will bind to.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
example = ''
[log]
level = debug
'';
description = ''
Additional options that will be appended to the configuration file.
'';
};
};
services.dnsmasq.resolveDNSChainQueries = mkOption {
type = types.bool;
default = false;
description = ''
Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin.
'';
};
services.pdns-recursor.resolveDNSChainQueries = mkOption {
type = types.bool;
default = false;
description = ''
Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin.
'';
};
};
###### implementation
config = mkIf cfg.enable {
services.dnsmasq.servers = optionals cfgs.dnsmasq.resolveDNSChainQueries
[ "/.bit/127.0.0.1#${toString cfg.dns.port}"
"/.dns/127.0.0.1#${toString cfg.dns.port}"
];
services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveDNSChainQueries {
forwardZonesRecurse =
{ bit = "127.0.0.1:${toString cfg.dns.port}";
dns = "127.0.0.1:${toString cfg.dns.port}";
};
luaConfig =''
addNTA("bit", "namecoin doesn't support DNSSEC")
addNTA("dns", "namecoin doesn't support DNSSEC")
'';
};
users.users.${username} = {
description = "DNSChain daemon user";
home = dataDir;
createHome = true;
uid = config.ids.uids.dnschain;
extraGroups = optional cfgs.namecoind.enable "namecoin";
};
systemd.services.dnschain = {
description = "DNSChain daemon";
after = optional cfgs.namecoind.enable "namecoind.target";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "dnschain";
Restart = "on-failure";
ExecStart = "${pkgs.nodePackages.dnschain}/bin/dnschain";
};
preStart = ''
# Link configuration file into dnschain home directory
configPath=${dataDir}/.dnschain/dnschain.conf
mkdir -p ${dataDir}/.dnschain
if [ "$(realpath $configPath)" != "${configFile}" ]; then
rm -f $configPath
ln -s ${configFile} $configPath
fi
'';
};
};
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
}

View file

@ -0,0 +1,53 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.go-neb;
configFile = pkgs.writeText "config.yml" (builtins.toJSON cfg.config);
in {
options.services.go-neb = {
enable = mkEnableOption "Extensible matrix bot written in Go";
bindAddress = mkOption {
type = types.str;
description = "Port (and optionally address) to listen on.";
default = ":4050";
};
baseUrl = mkOption {
type = types.str;
description = "Public-facing endpoint that can receive webhooks.";
};
config = mkOption {
type = types.uniq types.attrs;
description = ''
Your <filename>config.yaml</filename> as a Nix attribute set.
See <link xlink:href="https://github.com/matrix-org/go-neb/blob/master/config.sample.yaml">config.sample.yaml</link>
for possible options.
'';
};
};
config = mkIf cfg.enable {
systemd.services.go-neb = {
description = "Extensible matrix bot written in Go";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
BASE_URL = cfg.baseUrl;
BIND_ADDRESS = cfg.bindAddress;
CONFIG_FILE = configFile;
};
serviceConfig = {
ExecStart = "${pkgs.go-neb}/bin/go-neb";
DynamicUser = true;
};
};
};
meta.maintainers = with maintainers; [ hexa maralorn ];
}

View file

@ -149,11 +149,6 @@ in
config = mkIf cfg.enable {
services.dnschain.extraConfig = ''
[namecoin]
config = ${configFile}
'';
users.users.namecoin = {
uid = config.ids.uids.namecoin;
description = "Namecoin daemon user";

View file

@ -107,6 +107,7 @@ in
++ cfg.lockOn.extraTargets;
before = optional cfg.lockOn.suspend "systemd-suspend.service"
++ optional cfg.lockOn.hibernate "systemd-hibernate.service"
++ optional (cfg.lockOn.hibernate || cfg.lockOn.suspend) "systemd-suspend-then-hibernate.service"
++ cfg.lockOn.extraTargets;
serviceConfig = {
Type = "forking";

View file

@ -1,26 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.cgmanager;
in {
meta.maintainers = [ maintainers.mic92 ];
###### interface
options.services.cgmanager.enable = mkEnableOption "cgmanager";
###### implementation
config = mkIf cfg.enable {
systemd.services.cgmanager = {
wantedBy = [ "multi-user.target" ];
description = "Cgroup management daemon";
restartIfChanged = false;
serviceConfig = {
ExecStart = "${pkgs.cgmanager}/bin/cgmanager -m name=systemd";
KillMode = "process";
Restart = "on-failure";
};
};
};
}

View file

@ -179,6 +179,8 @@ in
${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so.* mr,
${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so.* mr,
${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so.* mr,
${getLib pkgs.gcc.cc.lib}/lib/libstdc++.so.* mr,
${getLib pkgs.gcc.cc.lib}/lib/libgcc_s.so.* mr,
@{PROC}/sys/kernel/random/uuid r,
@{PROC}/sys/vm/overcommit_memory r,

View file

@ -34,7 +34,7 @@ let
cd ${cfg.package}
sudo=exec
if [[ "$USER" != nextcloud ]]; then
sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR'
sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
fi
export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config"
$sudo \

View file

@ -37,10 +37,10 @@ let
chmod -R a+w $out/share/gsettings-schemas/nixos-gsettings-overrides
cat - > $out/share/gsettings-schemas/nixos-gsettings-overrides/glib-2.0/schemas/nixos-defaults.gschema.override <<- EOF
[org.gnome.desktop.background]
picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray}/share/artwork/gnome/nix-wallpaper-simple-dark-gray.png'
picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray.gnomeFilePath}'
[org.gnome.desktop.screensaver]
picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom}/share/artwork/gnome/nix-wallpaper-simple-dark-gray_bottom.png'
picture-uri='file://${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom.gnomeFilePath}'
[org.gnome.shell]
favorite-apps=[ 'org.gnome.Epiphany.desktop', 'org.gnome.Geary.desktop', 'org.gnome.Music.desktop', 'org.gnome.Photos.desktop', 'org.gnome.Nautilus.desktop', 'org.gnome.Software.desktop' ]
@ -320,6 +320,8 @@ in
gnome-shell
gnome-shell-extensions
gnome-themes-extra
pkgs.nixos-artwork.wallpapers.simple-dark-gray
pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom
pkgs.gnome-user-docs
pkgs.orca
pkgs.glib # for gsettings

View file

@ -180,6 +180,7 @@ in
gtk3.out
hicolor-icon-theme
lightlocker
nixos-artwork.wallpapers.simple-dark-gray
onboard
qgnomeplatform
shared-mime-info

View file

@ -132,8 +132,9 @@ in
};
background = mkOption {
type = types.str;
default = "${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom}/share/artwork/gnome/nix-wallpaper-simple-dark-gray_bottom.png";
type = types.path;
# Manual cannot depend on packages, we are actually setting the default in config below.
defaultText = "pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom.gnomeFilePath";
description = ''
The background image or color to use.
'';
@ -212,6 +213,9 @@ in
}
];
# Keep in sync with the defaultText value from the option definition.
services.xserver.displayManager.lightdm.background = mkDefault pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom.gnomeFilePath;
# Set default session in session chooser to a specified values basically ignore session history.
# Auto-login is already covered by a config value.
services.xserver.displayManager.job.preStart = optionalString (!cfg.autoLogin.enable && dmcfg.defaultSession != null) ''

View file

@ -246,7 +246,7 @@ in
videoDrivers = mkOption {
type = types.listOf types.str;
# !!! We'd like "nv" here, but it segfaults the X server.
default = [ "radeon" "cirrus" "vesa" "vmware" "modesetting" ];
default = [ "radeon" "cirrus" "vesa" "modesetting" ];
example = [
"ati_unfree" "amdgpu" "amdgpu-pro"
"nv" "nvidia" "nvidiaLegacy390" "nvidiaLegacy340" "nvidiaLegacy304"

View file

@ -22,7 +22,7 @@ let
mergeFalseByDefault = locs: defs:
if defs == [] then abort "This case should never happen."
else if any (x: x == false) defs then false
else if any (x: x == false) (getValues defs) then false
else true;
kernelItem = types.submodule {
@ -55,6 +55,7 @@ let
default = false;
description = ''
Wether option should generate a failure when unused.
Upon merging values, mandatory wins over optional.
'';
};
};
@ -121,7 +122,7 @@ in
type = types.attrsOf kernelItem;
example = literalExample '' with lib.kernel; {
"9P_NET" = yes;
USB = optional yes;
USB = option yes;
MMC_BLOCK_MINORS = freeform "32";
}'';
description = ''

View file

@ -60,7 +60,7 @@ let
inherit (efi) canTouchEfiVariables;
inherit (cfg)
version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber
extraEntriesBeforeNixOS extraPrepareConfig extraInitrd configurationLimit copyKernels
extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios gfxpayloadEfi gfxpayloadBios;
path = with pkgs; makeBinPath (
[ coreutils gnused gnugrep findutils diffutils btrfs-progs utillinux mdadm ]
@ -83,7 +83,7 @@ let
] ++ (optional (cfg.fontSize!=null) "--size ${toString cfg.fontSize}")))
);
defaultSplash = "${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bootloader}/share/artwork/gnome/nix-wallpaper-simple-dark-gray_bootloader.png";
defaultSplash = pkgs.nixos-artwork.wallpapers.simple-dark-gray-bootloader.gnomeFilePath;
in
{
@ -292,19 +292,6 @@ in
'';
};
extraInitrd = mkOption {
type = types.nullOr types.path;
default = null;
example = "/boot/extra_initramfs.gz";
description = ''
The path to a second initramfs to be supplied to the kernel.
This ramfs will not be copied to the store, so that it can
contain secrets such as LUKS keyfiles or ssh keys.
This implies that rolling back to a previous configuration
won't rollback the state of this file.
'';
};
useOSProber = mkOption {
default = false;
type = types.bool;
@ -608,6 +595,8 @@ in
{ path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; }
];
boot.loader.supportsInitrdSecrets = true;
system.build.installBootLoader =
let
install-grub-pl = pkgs.substituteAll {
@ -705,6 +694,24 @@ in
(mkRenamedOptionModule [ "boot" "grubDevice" ] [ "boot" "loader" "grub" "device" ])
(mkRenamedOptionModule [ "boot" "bootMount" ] [ "boot" "loader" "grub" "bootDevice" ])
(mkRenamedOptionModule [ "boot" "grubSplashImage" ] [ "boot" "loader" "grub" "splashImage" ])
(mkRemovedOptionModule [ "boot" "loader" "grub" "extraInitrd" ] ''
This option has been replaced with the bootloader agnostic
boot.initrd.secrets option. To migrate to the initrd secrets system,
extract the extraInitrd archive into your main filesystem:
# zcat /boot/extra_initramfs.gz | cpio -idvmD /etc/secrets/initrd
/path/to/secret1
/path/to/secret2
then replace boot.loader.grub.extraInitrd with boot.initrd.secrets:
boot.initrd.secrets = {
"/path/to/secret1" = "/etc/secrets/initrd/path/to/secret1";
"/path/to/secret2" = "/etc/secrets/initrd/path/to/secret2";
};
See the boot.initrd.secrets option documentation for more information.
'')
];
}

View file

@ -49,7 +49,6 @@ my $extraPrepareConfig = get("extraPrepareConfig");
my $extraPerEntryConfig = get("extraPerEntryConfig");
my $extraEntries = get("extraEntries");
my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true";
my $extraInitrd = get("extraInitrd");
my $splashImage = get("splashImage");
my $splashMode = get("splashMode");
my $backgroundColor = get("backgroundColor");
@ -232,13 +231,6 @@ my $grubStore;
if ($copyKernels == 0) {
$grubStore = GrubFs($storePath);
}
my $extraInitrdPath;
if ($extraInitrd) {
if (! -f $extraInitrd) {
print STDERR "Warning: the specified extraInitrd " . $extraInitrd . " doesn't exist. Your system won't boot without it.\n";
}
$extraInitrdPath = GrubFs($extraInitrd);
}
# Generate the header.
my $conf .= "# Automatically generated. DO NOT EDIT THIS FILE!\n";
@ -363,9 +355,30 @@ sub addEntry {
my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel"));
my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd"));
if ($extraInitrd) {
$initrd .= " " .$extraInitrdPath->path;
# Include second initrd with secrets
if (-e -x "$path/append-initrd-secrets") {
my $initrdName = basename($initrd);
my $initrdSecretsPath = "$bootPath/kernels/$initrdName-secrets";
mkpath(dirname($initrdSecretsPath), 0, 0755);
my $oldUmask = umask;
# Make sure initrd is not world readable (won't work if /boot is FAT)
umask 0137;
my $initrdSecretsPathTemp = File::Temp::mktemp("$initrdSecretsPath.XXXXXXXX");
system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or die "failed to create initrd secrets\n";
# Check whether any secrets were actually added
if (-e $initrdSecretsPathTemp && ! -z _) {
rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place\n";
$copied{$initrdSecretsPath} = 1;
$initrd .= " " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/kernels/$initrdName-secrets";
} else {
unlink $initrdSecretsPathTemp;
rmdir dirname($initrdSecretsPathTemp);
}
umask $oldUmask;
}
my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef;
# FIXME: $confName
@ -388,9 +401,6 @@ sub addEntry {
if ($copyKernels == 0) {
$conf .= $grubStore->search . "\n";
}
if ($extraInitrd) {
$conf .= $extraInitrdPath->search . "\n";
}
$conf .= " $extraPerEntryConfig\n" if $extraPerEntryConfig;
$conf .= " multiboot $xen $xenParams\n" if $xen;
$conf .= " " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n";

View file

@ -47,9 +47,9 @@ def write_loader_conf(profile, generation):
if "@timeout@" != "":
f.write("timeout @timeout@\n")
if profile:
f.write("default nixos-%s-generation-%d\n" % (profile, generation))
f.write("default nixos-%s-generation-%d.conf\n".format(profile, generation))
else:
f.write("default nixos-generation-%d\n" % (generation))
f.write("default nixos-generation-%d.conf\n".format(generation))
if not @editor@:
f.write("editor 0\n");
f.write("console-mode @consoleMode@\n");
@ -197,6 +197,22 @@ def main():
subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "install"])
else:
subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "--no-variables", "install"])
else:
# Update bootloader to latest if needed
systemd_version = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[1]
sdboot_status = subprocess.check_output(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "status"], universal_newlines=True)
# See status_binaries() in systemd bootctl.c for code which generates this
m = re.search("^\W+File:.*/EFI/(BOOT|systemd)/.*\.efi \(systemd-boot (\d+)\)$",
sdboot_status, re.IGNORECASE | re.MULTILINE)
if m is None:
print("could not find any previously installed systemd-boot")
else:
sdboot_version = m.group(2)
if systemd_version > sdboot_version:
print("updating systemd-boot from %s to %s" % (sdboot_version, systemd_version))
subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "update"])
mkdir_p("@efiSysMountPoint@/efi/nixos")
mkdir_p("@efiSysMountPoint@/loader/entries")

View file

@ -1178,14 +1178,22 @@ in
users.users.systemd-network.group = "systemd-network";
systemd.additionalUpstreamSystemUnits = [
"systemd-networkd.service" "systemd-networkd-wait-online.service"
"systemd-networkd-wait-online.service"
"systemd-networkd.service"
"systemd-networkd.socket"
];
systemd.network.units = mapAttrs' (n: v: nameValuePair "${n}.netdev" (netdevToUnit n v)) cfg.netdevs
// mapAttrs' (n: v: nameValuePair "${n}.network" (networkToUnit n v)) cfg.networks;
# systemd-networkd is socket-activated by kernel netlink route change
# messages. It is important to have systemd buffer those on behalf of
# networkd.
systemd.sockets.systemd-networkd.wantedBy = [ "sockets.target" ];
systemd.services.systemd-networkd = {
wantedBy = [ "multi-user.target" ];
aliases = [ "dbus-org.freedesktop.network1.service" ];
restartTriggers = map (x: x.source) (attrValues unitFiles);
# prevent race condition with interface renaming (#39069)
requires = [ "systemd-udev-settle.service" ];

View file

@ -148,6 +148,7 @@ in
systemd.services.systemd-resolved = {
wantedBy = [ "multi-user.target" ];
aliases = [ "dbus-org.freedesktop.resolve1.service" ];
restartTriggers = [ config.environment.etc."systemd/resolved.conf".source ];
};

View file

@ -517,8 +517,7 @@ in
};
boot.initrd.secrets = mkOption
{ internal = true;
default = {};
{ default = {};
type = types.attrsOf (types.nullOr types.path);
description =
''
@ -585,7 +584,7 @@ in
{ assertion = !config.boot.loader.supportsInitrdSecrets ->
all (source:
builtins.isPath source ||
(builtins.isString source && hasPrefix source builtins.storeDir))
(builtins.isString source && hasPrefix builtins.storeDir source))
(attrValues config.boot.initrd.secrets);
message = ''
boot.loader.initrd.secrets values must be unquoted paths when

View file

@ -826,8 +826,13 @@ in
config = {
warnings = concatLists (mapAttrsToList (name: service:
optional (service.serviceConfig.Type or "" == "oneshot" && service.serviceConfig.Restart or "no" != "no")
"Service ${name}.service with Type=oneshot must have Restart=no") cfg.services);
let
type = service.serviceConfig.Type or "";
restart = service.serviceConfig.Restart or "no";
in optional
(type == "oneshot" && (restart == "always" || restart == "on-success"))
"Service '${name}.service' with 'Type=oneshot' cannot have 'Restart=always' or 'Restart=on-success'")
cfg.services);
system.build.units = cfg.units;

View file

@ -41,6 +41,7 @@ with lib;
systemd.services.systemd-timesyncd = {
wantedBy = [ "sysinit.target" ];
aliases = [ "dbus-org.freedesktop.timesync1.service" ];
restartTriggers = [ config.environment.etc."systemd/timesyncd.conf".source ];
};

View file

@ -232,18 +232,22 @@ let
'';
preStop = ''
state="/run/nixos/network/routes/${i.name}"
while read cidr; do
echo -n "deleting route $cidr... "
ip route del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed"
done < "$state"
rm -f "$state"
if [ -e "$state" ]; then
while read cidr; do
echo -n "deleting route $cidr... "
ip route del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed"
done < "$state"
rm -f "$state"
fi
state="/run/nixos/network/addresses/${i.name}"
while read cidr; do
echo -n "deleting address $cidr... "
ip addr del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed"
done < "$state"
rm -f "$state"
if [ -e "$state" ]; then
while read cidr; do
echo -n "deleting address $cidr... "
ip addr del "$cidr" dev "${i.name}" >/dev/null 2>&1 && echo "done" || echo "failed"
done < "$state"
rm -f "$state"
fi
'';
};

View file

@ -381,7 +381,7 @@ in
# syntax). Note: We also allow underscores for compatibility/legacy
# reasons (as undocumented feature):
type = types.strMatching
"^[[:alpha:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$";
"^$|^[[:alpha:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$";
description = ''
The name of the machine. Leave it empty if you want to obtain it from a
DHCP server (if using DHCP). The hostname must be a valid DNS label (see

View file

@ -15,7 +15,6 @@ in
###### interface
options = {
virtualisation.lxd = {
enable = mkOption {
type = types.bool;
@ -25,12 +24,18 @@ in
containers. Users in the "lxd" group can interact with
the daemon (e.g. to start or stop containers) using the
<command>lxc</command> command line tool, among others.
Most of the time, you'll also want to start lxcfs, so
that containers can "see" the limits:
<code>
virtualisation.lxc.lxcfs.enable = true;
</code>
'';
};
package = mkOption {
type = types.package;
default = pkgs.lxd;
default = pkgs.lxd.override { nftablesSupport = config.networking.nftables.enable; };
defaultText = "pkgs.lxd";
description = ''
The LXD package to use.
@ -65,6 +70,7 @@ in
with nixos.
'';
};
recommendedSysctlSettings = mkOption {
type = types.bool;
default = false;
@ -83,7 +89,6 @@ in
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
security.apparmor = {
@ -115,6 +120,12 @@ in
LimitNOFILE = "1048576";
LimitNPROC = "infinity";
TasksMax = "infinity";
# By default, `lxd` loads configuration files from hard-coded
# `/usr/share/lxc/config` - since this is a no-go for us, we have to
# explicitly tell it where the actual configuration files are
Environment = mkIf (config.virtualisation.lxc.lxcfs.enable)
"LXD_LXC_TEMPLATE_CONFIG=${pkgs.lxcfs}/share/lxc/config";
};
};

View file

@ -441,6 +441,18 @@ in
'';
};
virtualisation.bios =
mkOption {
default = null;
type = types.nullOr types.package;
description =
''
An alternate BIOS (such as <package>qboot</package>) with which to start the VM.
Should contain a file named <literal>bios.bin</literal>.
If <literal>null</literal>, QEMU's builtin SeaBIOS will be used.
'';
};
};
config = {
@ -521,6 +533,9 @@ in
(mkIf cfg.useEFIBoot [
"-pflash $TMPDIR/bios.bin"
])
(mkIf (cfg.bios != null) [
"-bios ${cfg.bios}/bios.bin"
])
(mkIf (!cfg.graphics) [
"-nographic"
])

View file

@ -119,6 +119,7 @@ in
installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {});
gocd-agent = handleTest ./gocd-agent.nix {};
gocd-server = handleTest ./gocd-server.nix {};
go-neb = handleTest ./go-neb.nix {};
google-oslogin = handleTest ./google-oslogin {};
grafana = handleTest ./grafana.nix {};
graphite = handleTest ./graphite.nix {};
@ -178,6 +179,8 @@ in
limesurvey = handleTest ./limesurvey.nix {};
login = handleTest ./login.nix {};
loki = handleTest ./loki.nix {};
lxd = handleTest ./lxd.nix {};
lxd-nftables = handleTest ./lxd-nftables.nix {};
#logstash = handleTest ./logstash.nix {};
lorri = handleTest ./lorri/default.nix {};
magnetico = handleTest ./magnetico.nix {};
@ -273,6 +276,7 @@ in
prosody = handleTest ./xmpp/prosody.nix {};
prosodyMysql = handleTest ./xmpp/prosody-mysql.nix {};
proxy = handleTest ./proxy.nix {};
qboot = handleTestOn ["x86_64-linux" "i686-linux"] ./qboot.nix {};
quagga = handleTest ./quagga.nix {};
quorum = handleTest ./quorum.nix {};
rabbitmq = handleTest ./rabbitmq.nix {};

View file

@ -3,7 +3,7 @@ import ./make-test-python.nix (
nodes = {
router = {config, pkgs, ...}: {
config = {
# This machines simulates a router with IPv6 forwarding and a static IPv6 address.
# This machine simulates a router with IPv6 forwarding and a static IPv6 address.
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = true;
};
@ -14,13 +14,25 @@ import ./make-test-python.nix (
enable = true;
# Serve router advertisements to the client machine with prefix information matching
# any IPv6 /64 prefixes configured on this interface.
configFile = pkgs.writeText "corerad.toml" ''
[[interfaces]]
name = "eth1"
advertise = true
[[interfaces.prefix]]
prefix = "::/64"
'';
#
# This configuration is identical to the example in the CoreRAD NixOS module.
settings = {
interfaces = [
{
name = "eth0";
monitor = true;
}
{
name = "eth1";
advertise = true;
prefix = [{ prefix = "::/64"; }];
}
];
debug = {
address = "localhost:9430";
prometheus = true;
};
};
};
};
};
@ -66,5 +78,12 @@ import ./make-test-python.nix (
assert (
"/64 scope global temporary" in addrs
), "SLAAC temporary address was not configured on client after router advertisement"
with subtest("Verify HTTP debug server is configured"):
out = router.succeed("curl localhost:9430/metrics")
assert (
"corerad_build_info" in out
), "Build info metric was not found in Prometheus output"
'';
})

View file

@ -0,0 +1,44 @@
import ./make-test-python.nix ({ pkgs, ... }:
{
name = "go-neb";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ hexa maralorn ];
};
nodes = {
server = {
services.go-neb = {
enable = true;
baseUrl = "http://localhost";
config = {
clients = [ {
UserId = "@test:localhost";
AccessToken = "changeme";
HomeServerUrl = "http://localhost";
Sync = false;
AutoJoinRooms = false;
DisplayName = "neverbeseen";
} ];
services = [ {
ID = "wikipedia_service";
Type = "wikipedia";
UserID = "@test:localhost";
Config = { };
} ];
};
};
};
};
testScript = ''
start_all()
server.wait_for_unit("go-neb.service")
server.wait_until_succeeds(
"curl -L http://localhost:4050/services/hooks/d2lraXBlZGlhX3NlcnZpY2U"
)
server.wait_until_succeeds(
"journalctl -eu go-neb -o cat | grep -q service_id=wikipedia_service"
)
'';
})

View file

@ -61,7 +61,7 @@ with pkgs.lib;
'curl -L -s http://localhost:3000/build/1 -H "Accept: application/json" | jq .buildstatus | xargs test 0 -eq'
)
out = original.succeed("su -l postgres -c 'psql -d hydra <<< \"\\d+ jobs\" -A'")
out = original.succeed("su -l postgres -c 'psql -d hydra <<< \"\\d+ builds\" -A'")
assert "jobset_id" not in out
original.succeed(
@ -69,7 +69,7 @@ with pkgs.lib;
)
original.wait_for_unit("hydra-init.service")
out = original.succeed("su -l postgres -c 'psql -d hydra <<< \"\\d+ jobs\" -A'")
out = original.succeed("su -l postgres -c 'psql -d hydra <<< \"\\d+ builds\" -A'")
assert "jobset_id|integer|||" in out
original.succeed("hydra-backfill-ids")
@ -79,7 +79,7 @@ with pkgs.lib;
)
original.wait_for_unit("hydra-init.service")
out = original.succeed("su -l postgres -c 'psql -d hydra <<< \"\\d+ jobs\" -A'")
out = original.succeed("su -l postgres -c 'psql -d hydra <<< \"\\d+ builds\" -A'")
assert "jobset_id|integer||not null|" in out
original.wait_until_succeeds(

View file

@ -21,5 +21,12 @@ import ./make-test-python.nix ({ pkgs, ...} : {
)
machine.succeed(f"ipfs cat /ipfs/{ipfs_hash.strip()} | grep fnord")
ipfs_hash = machine.succeed(
"echo fnord2 | ipfs --api /unix/run/ipfs.sock add | awk '{ print $2 }'"
)
machine.succeed(
f"ipfs --api /unix/run/ipfs.sock cat /ipfs/{ipfs_hash.strip()} | grep fnord2"
)
'';
})

View file

@ -0,0 +1,50 @@
# This test makes sure that lxd stops implicitly depending on iptables when
# user enabled nftables.
#
# It has been extracted from `lxd.nix` for clarity, and because switching from
# iptables to nftables requires a full reboot, which is a bit hard inside NixOS
# tests.
import ./make-test-python.nix ({ pkgs, ...} : {
name = "lxd-nftables";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ patryk27 ];
};
machine = { lib, ... }: {
virtualisation = {
lxd.enable = true;
};
networking = {
firewall.enable = false;
nftables.enable = true;
nftables.ruleset = ''
table inet filter {
chain incoming {
type filter hook input priority 0;
policy accept;
}
chain forward {
type filter hook forward priority 0;
policy accept;
}
chain output {
type filter hook output priority 0;
policy accept;
}
}
'';
};
};
testScript = ''
machine.wait_for_unit("network.target")
with subtest("When nftables are enabled, lxd doesn't depend on iptables anymore"):
machine.succeed("lsmod | grep nf_tables")
machine.fail("lsmod | grep ip_tables")
'';
})

135
third_party/nixpkgs/nixos/tests/lxd.nix vendored Normal file
View file

@ -0,0 +1,135 @@
import ./make-test-python.nix ({ pkgs, ...} :
let
# Since we don't have access to the internet during the tests, we have to
# pre-fetch lxd containers beforehand.
#
# I've chosen to import Alpine Linux, because its image is turbo-tiny and,
# generally, sufficient for our tests.
alpine-meta = pkgs.fetchurl {
url = "https://uk.images.linuxcontainers.org/images/alpine/3.11/i386/default/20200608_13:00/lxd.tar.xz";
sha256 = "1hkvaj3rr333zmx1759njy435lps33gl4ks8zfm7m4nqvipm26a0";
};
alpine-rootfs = pkgs.fetchurl {
url = "https://uk.images.linuxcontainers.org/images/alpine/3.11/i386/default/20200608_13:00/rootfs.tar.xz";
sha256 = "1v82zdra4j5xwsff09qlp7h5vbsg54s0j7rdg4rynichfid3r347";
};
lxd-config = pkgs.writeText "config.yaml" ''
storage_pools:
- name: default
driver: dir
config:
source: /var/lxd-pool
networks:
- name: lxdbr0
type: bridge
config:
ipv4.address: auto
ipv6.address: none
profiles:
- name: default
devices:
eth0:
name: eth0
network: lxdbr0
type: nic
root:
path: /
pool: default
type: disk
'';
in {
name = "lxd";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ patryk27 ];
};
machine = { lib, ... }: {
virtualisation = {
# Since we're testing `limits.cpu`, we've gotta have a known number of
# cores to lay on
cores = 2;
# Ditto, for `limits.memory`
memorySize = 512;
lxc.lxcfs.enable = true;
lxd.enable = true;
};
};
testScript = ''
machine.wait_for_unit("sockets.target")
machine.wait_for_unit("lxd.service")
# It takes additional second for lxd to settle
machine.sleep(1)
# lxd expects the pool's directory to already exist
machine.succeed("mkdir /var/lxd-pool")
machine.succeed(
"cat ${lxd-config} | lxd init --preseed"
)
machine.succeed(
"lxc image import ${alpine-meta} ${alpine-rootfs} --alias alpine"
)
with subtest("Containers can be launched and destroyed"):
machine.succeed("lxc launch alpine test")
machine.succeed("lxc exec test true")
machine.succeed("lxc delete -f test")
with subtest("Containers are being mounted with lxcfs inside"):
machine.succeed("lxc launch alpine test")
## ---------- ##
## limits.cpu ##
machine.succeed("lxc config set test limits.cpu 1")
# Since Alpine doesn't have `nproc` pre-installed, we've gotta resort
# to the primal methods
assert (
"1"
== machine.succeed("lxc exec test grep -- -c ^processor /proc/cpuinfo").strip()
)
machine.succeed("lxc config set test limits.cpu 2")
assert (
"2"
== machine.succeed("lxc exec test grep -- -c ^processor /proc/cpuinfo").strip()
)
## ------------- ##
## limits.memory ##
machine.succeed("lxc config set test limits.memory 64MB")
assert (
"MemTotal: 62500 kB"
== machine.succeed("lxc exec test grep -- MemTotal /proc/meminfo").strip()
)
machine.succeed("lxc config set test limits.memory 128MB")
assert (
"MemTotal: 125000 kB"
== machine.succeed("lxc exec test grep -- MemTotal /proc/meminfo").strip()
)
machine.succeed("lxc delete -f test")
with subtest("Unless explicitly changed, lxd leans on iptables"):
machine.succeed("lsmod | grep ip_tables")
machine.fail("lsmod | grep nf_tables")
'';
})

View file

@ -29,8 +29,8 @@ import ./make-test-python.nix ({ pkgs, ... } : let
in {
name = "matrix-synapse";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ corngood ];
meta = with pkgs.stdenv.lib; {
maintainers = teams.matrix.members;
};
nodes = {

View file

@ -5,20 +5,34 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
};
nodes = {
mysql =
mysql57 =
{ pkgs, ... }:
{
users.users.testuser = { };
users.users.testuser2 = { };
services.mysql.enable = true;
services.mysql.initialDatabases = [
{ name = "testdb"; schema = ./testdb.sql; }
{ name = "empty_testdb"; }
{ name = "testdb3"; schema = ./testdb.sql; }
];
# note that using pkgs.writeText here is generally not a good idea,
# as it will store the password in world-readable /nix/store ;)
services.mysql.initialScript = pkgs.writeText "mysql-init.sql" ''
CREATE USER 'passworduser'@'localhost' IDENTIFIED BY 'password123';
CREATE USER 'testuser3'@'localhost' IDENTIFIED BY 'secure';
GRANT ALL PRIVILEGES ON testdb3.* TO 'testuser3'@'localhost';
'';
services.mysql.ensureDatabases = [ "testdb" "testdb2" ];
services.mysql.ensureUsers = [{
name = "testuser";
ensurePermissions = {
"testdb.*" = "ALL PRIVILEGES";
};
} {
name = "testuser2";
ensurePermissions = {
"testdb2.*" = "ALL PRIVILEGES";
};
}];
services.mysql.package = pkgs.mysql57;
};
@ -30,16 +44,30 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
# Kernel panic - not syncing: Out of memory: compulsory panic_on_oom is enabled
virtualisation.memorySize = 1024;
users.users.testuser = { };
users.users.testuser2 = { };
services.mysql.enable = true;
services.mysql.initialDatabases = [
{ name = "testdb"; schema = ./testdb.sql; }
{ name = "empty_testdb"; }
{ name = "testdb3"; schema = ./testdb.sql; }
];
# note that using pkgs.writeText here is generally not a good idea,
# as it will store the password in world-readable /nix/store ;)
services.mysql.initialScript = pkgs.writeText "mysql-init.sql" ''
CREATE USER 'passworduser'@'localhost' IDENTIFIED BY 'password123';
CREATE USER 'testuser3'@'localhost' IDENTIFIED BY 'secure';
GRANT ALL PRIVILEGES ON testdb3.* TO 'testuser3'@'localhost';
'';
services.mysql.ensureDatabases = [ "testdb" "testdb2" ];
services.mysql.ensureUsers = [{
name = "testuser";
ensurePermissions = {
"testdb.*" = "ALL PRIVILEGES";
};
} {
name = "testuser2";
ensurePermissions = {
"testdb2.*" = "ALL PRIVILEGES";
};
}];
services.mysql.package = pkgs.mysql80;
};
@ -81,17 +109,49 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
testScript = ''
start_all()
mysql.wait_for_unit("mysql")
mysql.succeed("echo 'use empty_testdb;' | mysql -u root")
mysql.succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4")
# ';' acts as no-op, just check whether login succeeds with the user created from the initialScript
mysql.succeed("echo ';' | mysql -u passworduser --password=password123")
mysql57.wait_for_unit("mysql")
mysql57.succeed(
"echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser"
)
mysql57.succeed(
"echo 'use testdb; insert into tests values (41);' | sudo -u testuser mysql -u testuser"
)
# Ensure testuser2 is not able to insert into testdb as mysql testuser2
mysql57.fail(
"echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser2"
)
# Ensure testuser2 is not able to authenticate as mysql testuser
mysql57.fail(
"echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser"
)
mysql57.succeed(
"echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 41"
)
mysql57.succeed(
"echo 'use testdb3; select * from tests;' | mysql -u testuser3 --password=secure -N | grep 4"
)
mysql80.wait_for_unit("mysql")
mysql80.succeed("echo 'use empty_testdb;' | mysql -u root")
mysql80.succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4")
# ';' acts as no-op, just check whether login succeeds with the user created from the initialScript
mysql80.succeed("echo ';' | mysql -u passworduser --password=password123")
mysql80.succeed(
"echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser"
)
mysql80.succeed(
"echo 'use testdb; insert into tests values (41);' | sudo -u testuser mysql -u testuser"
)
# Ensure testuser2 is not able to insert into testdb as mysql testuser2
mysql80.fail(
"echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser2"
)
# Ensure testuser2 is not able to authenticate as mysql testuser
mysql80.fail(
"echo 'use testdb; insert into tests values (22);' | sudo -u testuser2 mysql -u testuser"
)
mysql80.succeed(
"echo 'use testdb; select test_id from tests;' | sudo -u testuser mysql -u testuser -N | grep 41"
)
mysql80.succeed(
"echo 'use testdb3; select * from tests;' | mysql -u testuser3 --password=secure -N | grep 4"
)
mariadb.wait_for_unit("mysql")
mariadb.succeed(

View file

@ -56,6 +56,21 @@ let
*/
exporterTests = {
apcupsd = {
exporterConfig = {
enable = true;
};
metricProvider = {
services.apcupsd.enable = true;
};
exporterTest = ''
wait_for_unit("apcupsd.service")
wait_for_open_port(3551)
wait_for_unit("prometheus-apcupsd-exporter.service")
wait_for_open_port(9162)
succeed("curl -sSf http://localhost:9162/metrics | grep -q 'apcupsd_info'")
'';
};
bind = {
exporterConfig = {
@ -202,6 +217,69 @@ let
'';
};
keylight = {
# A hardware device is required to properly test this exporter, so just
# perform a couple of basic sanity checks that the exporter is running
# and requires a target, but cannot reach a specified target.
exporterConfig = {
enable = true;
};
exporterTest = ''
wait_for_unit("prometheus-keylight-exporter.service")
wait_for_open_port(9288)
succeed(
"curl -sS --write-out '%{http_code}' -o /dev/null http://localhost:9288/metrics | grep -q '400'"
)
succeed(
"curl -sS --write-out '%{http_code}' -o /dev/null http://localhost:9288/metrics?target=nosuchdevice | grep -q '500'"
)
'';
};
lnd = {
exporterConfig = {
enable = true;
lndTlsPath = "/var/lib/lnd/tls.cert";
lndMacaroonDir = "/var/lib/lnd";
};
metricProvider = {
systemd.services.prometheus-lnd-exporter.serviceConfig.DynamicUser = false;
services.bitcoind.enable = true;
services.bitcoind.extraConfig = ''
rpcauth=bitcoinrpc:e8fe33f797e698ac258c16c8d7aadfbe$872bdb8f4d787367c26bcfd75e6c23c4f19d44a69f5d1ad329e5adf3f82710f7
bitcoind.zmqpubrawblock=tcp://127.0.0.1:28332
bitcoind.zmqpubrawtx=tcp://127.0.0.1:28333
'';
systemd.services.lnd = {
serviceConfig.ExecStart = ''
${pkgs.lnd}/bin/lnd \
--datadir=/var/lib/lnd \
--tlscertpath=/var/lib/lnd/tls.cert \
--tlskeypath=/var/lib/lnd/tls.key \
--logdir=/var/log/lnd \
--bitcoin.active \
--bitcoin.mainnet \
--bitcoin.node=bitcoind \
--bitcoind.rpcuser=bitcoinrpc \
--bitcoind.rpcpass=hunter2 \
--bitcoind.zmqpubrawblock=tcp://127.0.0.1:28332 \
--bitcoind.zmqpubrawtx=tcp://127.0.0.1:28333 \
--readonlymacaroonpath=/var/lib/lnd/readonly.macaroon
'';
serviceConfig.StateDirectory = "lnd";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
};
};
exporterTest = ''
wait_for_unit("lnd.service")
wait_for_open_port(10009)
wait_for_unit("prometheus-lnd-exporter.service")
wait_for_open_port(9092)
succeed("curl -sSf localhost:9092/metrics | grep -q '^promhttp_metric_handler'")
'';
};
mail = {
exporterConfig = {
enable = true;

View file

@ -0,0 +1,13 @@
import ./make-test-python.nix ({ pkgs, ...} : {
name = "qboot";
machine = { ... }: {
virtualisation.bios = pkgs.qboot;
};
testScript =
''
start_all()
machine.wait_for_unit("multi-user.target")
'';
})

View file

@ -6,26 +6,53 @@
with import ../lib/testing-python.nix { inherit system pkgs; };
with pkgs.lib;
makeTest {
name = "systemd-boot";
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ danielfullmer ];
machine = { pkgs, lib, ... }: {
let
common = {
virtualisation.useBootLoader = true;
virtualisation.useEFIBoot = true;
boot.loader.systemd-boot.enable = true;
};
in
{
basic = makeTest {
name = "systemd-boot";
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ danielfullmer ];
testScript = ''
machine.start()
machine.wait_for_unit("multi-user.target")
machine = common;
machine.succeed("test -e /boot/loader/entries/nixos-generation-1.conf")
testScript = ''
machine.start()
machine.wait_for_unit("multi-user.target")
# Ensure we actually booted using systemd-boot.
# Magic number is the vendor UUID used by systemd-boot.
machine.succeed(
"test -e /sys/firmware/efi/efivars/LoaderEntrySelected-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f"
)
'';
machine.succeed("test -e /boot/loader/entries/nixos-generation-1.conf")
# Ensure we actually booted using systemd-boot
# Magic number is the vendor UUID used by systemd-boot.
machine.succeed(
"test -e /sys/firmware/efi/efivars/LoaderEntrySelected-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f"
)
'';
};
update = makeTest {
name = "systemd-boot-update";
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ danielfullmer ];
machine = common;
testScript = ''
machine.succeed("mount -o remount,rw /boot")
# Replace version inside sd-boot with something older. See magic[] string in systemd src/boot/efi/boot.c
machine.succeed(
"""
find /boot -iname '*.efi' -print0 | \
xargs -0 -I '{}' sed -i 's/#### LoaderInfo: systemd-boot .* ####/#### LoaderInfo: systemd-boot 001 ####/' '{}'
"""
)
output = machine.succeed("/run/current-system/bin/switch-to-configuration boot")
assert "updating systemd-boot from 001 to " in output
'';
};
}

View file

@ -0,0 +1,55 @@
import ./make-test-python.nix ({ pkgs, ... }:
let
client =
{ pkgs, ... }:
{ imports = [ ./common/x11.nix ];
environment.systemPackages = [ pkgs.teeworlds ];
};
in {
name = "teeworlds";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ hax404 ];
};
nodes =
{ server =
{ services.teeworlds = {
enable = true;
openPorts = true;
};
};
client1 = client;
client2 = client;
};
testScript =
''
start_all()
server.wait_for_unit("teeworlds.service")
server.wait_until_succeeds("ss --numeric --udp --listening | grep -q 8303")
client1.wait_for_x()
client2.wait_for_x()
client1.execute("teeworlds 'player_name Alice;connect server'&")
server.wait_until_succeeds(
'journalctl -u teeworlds -e | grep --extended-regexp -q "team_join player=\'[0-9]:Alice"'
)
client2.execute("teeworlds 'player_name Bob;connect server'&")
server.wait_until_succeeds(
'journalctl -u teeworlds -e | grep --extended-regexp -q "team_join player=\'[0-9]:Bob"'
)
server.sleep(10) # wait for a while to get a nice screenshot
client1.screenshot("screen_client1")
client2.screenshot("screen_client2")
'';
})

View file

@ -3,21 +3,21 @@
, qca-qt5, qjson, qtquickcontrols2, qtscript, qtwebengine
, karchive, kcmutils, kconfig, kdnssd, kguiaddons, kinit, kirigami2, knewstuff, knotifyconfig, ktexteditor, kwindowsystem
, fftw, phonon, plasma-framework, threadweaver
, curl, ffmpeg, gdk-pixbuf, libaio, libmtp, loudmouth, lzo, lz4, mysql57, pcre, snappy, taglib, taglib_extras
, curl, ffmpeg_3, gdk-pixbuf, libaio, liblastfm, libmtp, loudmouth, lzo, lz4, mysql57, pcre, snappy, taglib, taglib_extras
}:
mkDerivation rec {
pname = "amarok";
version = "2.9.0-20190824";
pname = "amarok-unstable";
version = "2020-06-12";
src = fetchgit {
# master has the Qt5 version as of April 2018 but a formal release has not
# yet been made so change this back to the proper upstream when such a
# release is out
url = "git://anongit.kde.org/amarok.git";
url = "https://invent.kde.org/multimedia/amarok.git";
# url = "mirror://kde/stable/${pname}/${version}/src/${name}.tar.xz";
rev = "457fbda25a85a102bfda92aa7137e7ef5e4c8b00";
sha256 = "1ig2mg8pqany6m2zplkrvldcv4ibxwsypnyv5igm7nz7ax82cd5j";
rev = "fece39b0e81db310b6a6e08f93d83b0d498cd02b";
sha256 = "12casnq6w5yp2jlvnr466pjpkn0vriry8jzfq2qkjl564y0vhy9x";
};
nativeBuildInputs = [ extra-cmake-modules kdoctools ];
@ -26,7 +26,7 @@ mkDerivation rec {
qca-qt5 qjson qtquickcontrols2 qtscript qtwebengine
karchive kcmutils kconfig kdnssd kguiaddons kinit kirigami2 knewstuff knotifyconfig ktexteditor kwindowsystem
phonon plasma-framework threadweaver
curl fftw ffmpeg gdk-pixbuf libaio libmtp loudmouth lz4 lzo mysql57.server mysql57.server.static
curl fftw ffmpeg_3 gdk-pixbuf libaio liblastfm libmtp loudmouth lz4 lzo mysql57.server mysql57.server.static
pcre snappy taglib taglib_extras
];

View file

@ -8,7 +8,7 @@
, curl
, dbus
, doxygen
, ffmpeg
, ffmpeg_3
, fftw
, fftwSinglePrec
, flac
@ -87,7 +87,7 @@ stdenv.mkDerivation rec {
cppunit
curl
dbus
ffmpeg
ffmpeg_3
fftw
fftwSinglePrec
flac
@ -149,8 +149,8 @@ stdenv.mkDerivation rec {
sed 's|/usr/include/libintl.h|${glibc.dev}/include/libintl.h|' -i wscript
patchShebangs ./tools/
substituteInPlace libs/ardour/video_tools_paths.cc \
--replace 'ffmpeg_exe = X_("");' 'ffmpeg_exe = X_("${ffmpeg}/bin/ffmpeg");' \
--replace 'ffprobe_exe = X_("");' 'ffprobe_exe = X_("${ffmpeg}/bin/ffprobe");'
--replace 'ffmpeg_exe = X_("");' 'ffmpeg_exe = X_("${ffmpeg_3}/bin/ffmpeg");' \
--replace 'ffprobe_exe = X_("");' 'ffprobe_exe = X_("${ffmpeg_3}/bin/ffprobe");'
'';
postInstall = ''

View file

@ -2,13 +2,14 @@
stdenv.mkDerivation rec {
pname = "artyFX";
version = "1.3";
# Fix build with lv2 1.18: https://github.com/openAVproductions/openAV-ArtyFX/pull/41/commits/492587461b50d140455aa3c98d915eb8673bebf0
version = "unstable-2020-04-28";
src = fetchFromGitHub {
owner = "openAVproductions";
repo = "openAV-ArtyFX";
rev = "release-${version}";
sha256 = "012hcy1mxl7gs2lipfcqp5x0xv1azb9hjrwf0h59yyxnzx96h7c9";
rev = "492587461b50d140455aa3c98d915eb8673bebf0";
sha256 = "0wwg8ivnpyy0235bapjy4g0ij85zq355jwi6c1nkrac79p4z9ail";
};
nativeBuildInputs = [ pkgconfig ];

View file

@ -12,11 +12,11 @@
with stdenv.lib;
stdenv.mkDerivation rec {
version = "2.9.5";
version = "2.9.6";
pname = "asunder";
src = fetchurl {
url = "http://littlesvr.ca/asunder/releases/${pname}-${version}.tar.bz2";
sha256 = "069x6az2r3wlb2hd07iz0hxpxwknw7s9h7pyhnkmzv1pw9ci3kk4";
sha256 = "1ycnd82lh7qy1pcbngd4b41s16j9hnm2kyfrncg4cwr3bfk7yg7a";
};
nativeBuildInputs = [ intltool makeWrapper pkgconfig ];

View file

@ -1,7 +1,7 @@
{ stdenv, fetchurl, pkgconfig, wrapGAppsHook, gettext, glib, gtk3
, libmowgli, dbus-glib, libxml2, xorg, gnome3, alsaLib
, libpulseaudio, libjack2, fluidsynth, libmad, libogg, libvorbis
, libcdio, libcddb, flac, ffmpeg, mpg123, libcue, libmms, libbs2b
, libcdio, libcddb, flac, ffmpeg_3, mpg123, libcue, libmms, libbs2b
, libsndfile, libmodplug, libsamplerate, soxr, lirc, curl, wavpack
, neon, faad2, lame, libnotify, libsidplayfp
}:
@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
gettext glib gtk3 libmowgli dbus-glib libxml2
xorg.libXcomposite gnome3.adwaita-icon-theme alsaLib libjack2
libpulseaudio fluidsynth libmad libogg libvorbis libcdio
libcddb flac ffmpeg mpg123 libcue libmms libbs2b libsndfile
libcddb flac ffmpeg_3 mpg123 libcue libmms libbs2b libsndfile
libmodplug libsamplerate soxr lirc curl wavpack neon faad2
lame libnotify libsidplayfp
];

View file

@ -2,7 +2,7 @@
mkDerivation, lib, fetchurl, fetchpatch,
gettext, pkgconfig,
qtbase,
alsaLib, curl, faad2, ffmpeg, flac, fluidsynth, gdk-pixbuf, lame, libbs2b,
alsaLib, curl, faad2, ffmpeg_3, flac, fluidsynth, gdk-pixbuf, lame, libbs2b,
libcddb, libcdio, libcue, libjack2, libmad, libmms, libmodplug,
libmowgli, libnotify, libogg, libpulseaudio, libsamplerate, libsidplayfp,
libsndfile, libvorbis, libxml2, lirc, mpg123, neon, qtmultimedia, soxr,
@ -45,7 +45,7 @@ mkDerivation {
qtbase
# Plugin dependencies
alsaLib curl faad2 ffmpeg flac fluidsynth gdk-pixbuf lame libbs2b libcddb
alsaLib curl faad2 ffmpeg_3 flac fluidsynth gdk-pixbuf lame libbs2b libcddb
libcdio libcue libjack2 libmad libmms libmodplug libmowgli
libnotify libogg libpulseaudio libsamplerate libsidplayfp libsndfile
libvorbis libxml2 lirc mpg123 neon qtmultimedia soxr wavpack

View file

@ -1,6 +1,6 @@
{ stdenv, fetchzip, wxGTK30, pkgconfig, file, gettext,
libvorbis, libmad, libjack2, lv2, lilv, serd, sord, sratom, suil, alsaLib, libsndfile, soxr, flac, lame,
expat, libid3tag, ffmpeg, soundtouch, /*, portaudio - given up fighting their portaudio.patch */
expat, libid3tag, ffmpeg_3, soundtouch, /*, portaudio - given up fighting their portaudio.patch */
autoconf, automake, libtool
}:
@ -47,7 +47,7 @@ stdenv.mkDerivation rec {
buildInputs = [
file gettext wxGTK30 expat alsaLib
libsndfile soxr libid3tag libjack2 lv2 lilv serd sord sratom suil wxGTK30.gtk
ffmpeg libmad lame libvorbis flac soundtouch
ffmpeg_3 libmad lame libvorbis flac soundtouch
]; #ToDo: detach sbsms
enableParallelBuilding = true;
@ -59,6 +59,7 @@ stdenv.mkDerivation rec {
description = "Sound editor with graphical UI";
homepage = "http://audacityteam.org/";
license = licenses.gpl2Plus;
maintainers = with maintainers; [ lheckemann ];
platforms = intersectLists platforms.linux platforms.x86; # fails on ARM
};
}

Some files were not shown because too many files have changed in this diff Show more