Merge commit '3ed4d12aac391a1eb607b388e386854780fd3cd3' into HEAD

Luke Granger-Brown 2024-11-23 21:16:41 +00:00
commit da66e90c04
2211 changed files with 91019 additions and 159619 deletions

@ -7,34 +7,44 @@ assignees: ''
---
### Describe the bug
A clear and concise description of what the bug is.
## Describe the bug
<!-- A clear and concise description of what the bug is. -->
## Steps To Reproduce
### Steps To Reproduce
Steps to reproduce the behavior:
1. ...
2. ...
3. ...
### Expected behavior
A clear and concise description of what you expected to happen.
## Expected behavior
### Screenshots
If applicable, add screenshots to help explain your problem.
<!-- A clear and concise description of what you expected to happen. -->
### Additional context
Add any other context about the problem here.
## Screenshots
### Notify maintainers
<!-- If applicable, add screenshots to help explain your problem: -->
## Additional context
<!-- Add any other context about the problem here. -->
## Metadata
<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
## Notify maintainers
<!--
Please @ people who are in the `meta.maintainers` list of the offending package or module.
If in doubt, check `git blame` for whoever last touched something.
-->
### Metadata
---
<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
Note for maintainers: Please tag this issue in your PR.
---

@ -7,31 +7,43 @@ assignees: ''
---
### Steps To Reproduce
## Steps To Reproduce
Steps to reproduce the behavior:
1. build *X*
### Build log
## Build log
<!-- insert build log in code block in collapsable section -->
<details>
<summary>Build Log</summary>
```
log here if short otherwise a link to a gist
```
### Additional context
</details>
Add any other context about the problem here.
## Additional context
### Notify maintainers
<!-- Add any other context about the problem here. -->
## Metadata
<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
## Notify maintainers
<!--
Please @ people who are in the `meta.maintainers` list of the offending package or module.
If in doubt, check `git blame` for whoever last touched something.
-->
### Metadata
---
<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
Note for maintainers: Please tag this issue in your PR.
---

@ -23,12 +23,9 @@ assignees: ''
- [ ] checked [open documentation issues] for possible duplicates
- [ ] checked [open documentation pull requests] for possible solutions
[latest Nixpkgs manual]: https://nixos.org/manual/nixpkgs/unstable/
[latest NixOS manual]: https://nixos.org/manual/nixos/unstable/
[nixpkgs-source]: https://github.com/NixOS/nixpkgs/tree/master/doc
[nixos-source]: https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual
[open documentation issues]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22
[open documentation pull requests]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+documentation%22%2C%226.topic%3A+documentation%22
---
Note for maintainers: Please tag this issue in your PR.
---
@ -36,3 +33,9 @@ Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc
[latest Nixpkgs manual]: https://nixos.org/manual/nixpkgs/unstable/
[latest NixOS manual]: https://nixos.org/manual/nixos/unstable/
[nixpkgs-source]: https://github.com/NixOS/nixpkgs/tree/master/doc
[nixos-source]: https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual
[open documentation issues]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22
[open documentation pull requests]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+documentation%22%2C%226.topic%3A+documentation%22

@ -7,11 +7,11 @@ assignees: ''
---
### Description
## Description
<!-- Describe what the module should accomplish: -->
### Notify maintainers
## Notify maintainers
<!-- If applicable, tag the maintainers of the package that corresponds to the module. If the search.nixos.org result shows no maintainers, tag the person that last updated the package. -->

@ -7,23 +7,30 @@ assignees: ''
---
## Package Information
<!-- Search for the package here: https://search.nixos.org/packages?channel=unstable -->
- Package name:
- Latest released version:
<!-- Search your package here: https://search.nixos.org/packages?channel=unstable -->
- Current version on the unstable channel:
- Current version on the stable/release channel:
## Checklist
<!--
Type the name of your package and try to find an open pull request for the package
If you find an open pull request, you can review it!
There's a high chance that you'll have the new version right away while helping the community!
-->
- [ ] Checked the [nixpkgs pull requests](https://github.com/NixOS/nixpkgs/pulls)
**Notify maintainers**
## Notify maintainers
<!-- If the search.nixos.org result shows no maintainers, tag the person that last updated the package. -->
-----
---
Note for maintainers: Please tag this issue in your PR.

@ -7,11 +7,11 @@ assignees: ''
---
**Project description**
## Project description
<!-- Describe the project a little: -->
**Metadata**
## Metadata
* homepage URL:
* source URL:
@ -20,6 +20,10 @@ assignees: ''
---
Note for maintainers: Please tag this issue in your PR.
---
Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/

@ -31,12 +31,12 @@ Fixing bit-by-bit reproducibility also has additional advantages, such as
avoiding hard-to-reproduce bugs, making content-addressed storage more effective
and reducing rebuilds in such systems.
### Steps To Reproduce
## Steps To Reproduce
In the following steps, replace `<package>` with the canonical name of the
package.
#### 1. Build the package
### 1. Build the package
This step will build the package. Specific arguments are passed to the command
to keep the build artifacts so we can compare them in case of differences.
@ -53,7 +53,7 @@ Or using the new command line style:
nix build nixpkgs#<package> && nix build nixpkgs#<package> --rebuild --keep-failed
```
#### 2. Compare the build artifacts
### 2. Compare the build artifacts
If the previous command completes successfully, no differences were found and
there's nothing to do, builds are reproducible.
@ -67,7 +67,7 @@ metadata (*e.g. timestamp*) differences.
nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
```
#### 3. Examine the build log
### 3. Examine the build log
To examine the build log, use:
@ -81,10 +81,20 @@ Or with the new command line style:
nix log $(nix path-info --derivation nixpkgs#<package>)
```
### Additional context
## Additional context
(please share the relevant fragment of the diffoscope output here, and any
additional analysis you may have done)
(please share the relevant fragment of the diffoscope output here, and any additional analysis you may have done)
## Notify maintainers
<!--
Please @ people who are in the `meta.maintainers` list of the offending package or module.
If in doubt, check `git blame` for whoever last touched something.
-->
---
Note for maintainers: Please tag this issue in your PR.
---

@ -25,7 +25,7 @@ For new packages please briefly describe the package or provide a link to its ho
- made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
- [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [24.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) (or backporting [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) and [24.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) Release notes)
- [25.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) Release notes)
- [ ] (Package updates) Added a release notes entry if the change is major or breaking
- [ ] (Module updates) Added a release notes entry if the change is significant
- [ ] (Module addition) Added a release notes entry if adding a new NixOS module
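Review bot: the backport hint on the new 25.05 release-notes line links to 24.11 and then to 25.05 again, whereas the line it replaces linked the two preceding releases (23.11 and 24.05); the second link should point at the 24.05 notes (`rl-2405.section.md`), since a backport target cannot be the release the line itself documents.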

@ -293,6 +293,7 @@
- any-glob-to-any-file:
- nixos/**/*
- pkgs/by-name/sw/switch-to-configuration-ng/**/*
- pkgs/by-name/ni/nixos-rebuild-ng/**/*
- pkgs/os-specific/linux/nixos-rebuild/**/*
"6.topic: nixos-container":
@ -358,8 +359,9 @@
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/php.section.md
- nixos/tests/php/**/*
- pkgs/build-support/php/**/*
- pkgs/development/interpreters/php/*
- pkgs/development/interpreters/php/**/*
- pkgs/development/php-packages/**/*
- pkgs/test/php/default.nix
- pkgs/top-level/php-packages.nix

@ -39,6 +39,10 @@ jobs:
into: staging-next-24.05
- from: staging-next-24.05
into: staging-24.05
- from: release-24.11
into: staging-next-24.11
- from: staging-next-24.11
into: staging-24.11
name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
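Review bot: the new `release-24.11` → `staging-next-24.11` → `staging-24.11` pairs are added beside the existing `24.05` pairs rather than replacing them, so the merge workflow now services both release lines; confirm the `24.05` entries are meant to stay until that release is out of support, and remove them here when it is. The `actions/checkout` step keeps its full-commit-SHA pin with the `# v4.2.2` comment, which is the right supply-chain posture for a workflow that creates merges, and should be preserved whenever this matrix is edited.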

@ -345,7 +345,7 @@ See [Nix Channel Status](https://status.nixos.org/) for the current channels and
Here's a brief overview of the main Git branches and what channels they're used for:
- `master`: The main branch, used for the unstable channels such as `nixpkgs-unstable`, `nixos-unstable` and `nixos-unstable-small`.
- `release-YY.MM` (e.g. `release-24.05`): The NixOS release branches, used for the stable channels such as `nixos-24.05`, `nixos-24.05-small` and `nixpkgs-24.05-darwin`.
- `release-YY.MM` (e.g. `release-24.11`): The NixOS release branches, used for the stable channels such as `nixos-24.11`, `nixos-24.11-small` and `nixpkgs-24.11-darwin`.
When a channel is updated, a corresponding Git branch is also updated to point to the corresponding commit.
So e.g. the [`nixpkgs-unstable` branch](https://github.com/nixos/nixpkgs/tree/nixpkgs-unstable) corresponds to the Git commit from the [`nixpkgs-unstable` channel](https://channels.nixos.org/nixpkgs-unstable).

@ -9,7 +9,7 @@
</p>
<p align="center">
<a href="https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md"><img src="https://img.shields.io/github/contributors-anon/NixOS/nixpkgs" alt="Contributors badge" /></a>
<a href="CONTRIBUTING.md"><img src="https://img.shields.io/github/contributors-anon/NixOS/nixpkgs" alt="Contributors badge" /></a>
<a href="https://opencollective.com/nixos"><img src="https://opencollective.com/nixos/tiers/supporter/badge.svg?label=supporters&color=brightgreen" alt="Open Collective supporters" /></a>
</p>
@ -74,7 +74,7 @@ Community contributions are always welcome through GitHub Issues and
Pull Requests.
For more information about contributing to the project, please visit
the [contributing page](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).
the [contributing page](CONTRIBUTING.md).
# Donations

@ -105,6 +105,11 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
/nixos/modules/system/activation/bootspec.nix @grahamc @cole-h @raitobezarius
/nixos/modules/system/activation/bootspec.cue @grahamc @cole-h @raitobezarius
# NixOS Render Docs
/pkgs/by-name/ni/nixos-render-docs @fricklerhandwerk @GetPsyched @hsjobeki
/doc/redirects.json @fricklerhandwerk @GetPsyched @hsjobeki
/nixos/doc/manual/redirects.json @fricklerhandwerk @GetPsyched @hsjobeki
# NixOS integration test driver
/nixos/lib/test-driver @tfc
@ -138,6 +143,8 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
/nixos/tests/amazon-ssm-agent.nix @arianvp
/nixos/modules/system/boot/grow-partition.nix @arianvp
# nixos-rebuild-ng
/pkgs/by-name/ni/nixos-rebuild-ng @thiagokokada
# Updaters
@ -149,8 +156,8 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
# Python-related code and docs
/doc/languages-frameworks/python.section.md @mweinelt @natsukium
/maintainers/scripts/update-python-libraries @natsukium
/pkgs/development/interpreters/python @natsukium
/maintainers/scripts/update-python-libraries @mweinelt @natsukium
/pkgs/development/interpreters/python @mweinelt @natsukium
/pkgs/top-level/python-packages.nix @natsukium
/pkgs/top-level/release-python.nix @natsukium

@ -21,7 +21,7 @@ Rendered documentation:
- [Unstable (from master)](https://nixos.org/manual/nixpkgs/unstable/)
- [Stable (from latest release)](https://nixos.org/manual/nixpkgs/stable/)
The rendering tool is [nixos-render-docs](../pkgs/tools/nix/nixos-render-docs/src/nixos_render_docs), sometimes abbreviated `nrd`.
The rendering tool is [nixos-render-docs](../pkgs/by-name/ni/nixos-render-docs), sometimes abbreviated `nrd`.
## Contributing to this documentation
@ -42,6 +42,12 @@ It is a daemon, that:
2. HTTP serves the manual, injecting a script that triggers reload on changes
3. opens the manual in the default browser
### Testing redirects
Once you have a successful build, you can open the relevant HTML (path mentioned above) in a browser along with the anchor, and observe the redirection.
Note that if you already loaded the page and *then* input the anchor, you will need to perform a reload. This is because browsers do not re-run client JS code when only the anchor has changed.
## Syntax
As per [RFC 0072](https://github.com/NixOS/rfcs/pull/72), all new documentation content should be written in [CommonMark](https://commonmark.org/) Markdown dialect.

@ -755,25 +755,63 @@ Used with Subversion. Expects `url` to a Subversion directory, `rev`, and `hash`
Used with Git. Expects `url` to a Git repo, `rev`, and `hash`. `rev` in this case can be full the git commit id (SHA1 hash) or a tag name like `refs/tags/v1.0`.
Additionally, the following optional arguments can be given: `fetchSubmodules = true` makes `fetchgit` also fetch the submodules of a repository. If `deepClone` is set to true, the entire repository is cloned as opposing to just creating a shallow clone. `deepClone = true` also implies `leaveDotGit = true` which means that the `.git` directory of the clone won't be removed after checkout.
Additionally, the following optional arguments can be given:
If only parts of the repository are needed, `sparseCheckout` can be used. This will prevent git from fetching unnecessary blobs from server, see [git sparse-checkout](https://git-scm.com/docs/git-sparse-checkout) for more information:
*`fetchSubmodules`* (Boolean)
```nix
{ stdenv, fetchgit }:
: Whether to also fetch the submodules of a repository.
stdenv.mkDerivation {
name = "hello";
src = fetchgit {
url = "https://...";
sparseCheckout = [
"directory/to/be/included"
"another/directory"
];
hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};
}
```
*`fetchLFS`* (Boolean)
: Whether to fetch LFS objects.
*`postFetch`* (String)
: Shell code executed after the file has been fetched successfully.
This can do things like check or transform the file.
*`leaveDotGit`* (Boolean)
: Whether the `.git` directory of the clone should *not* be removed after checkout.
Be warned though that the git repository format is not stable and this flag is therefore not suitable for actual use by itself.
Only use this for testing purposes or in conjunction with removing the `.git` directory in `postFetch`.
*`deepClone`* (Boolean)
: Clone the entire repository as opposing to just creating a shallow clone.
This implies `leaveDotGit`.
*`sparseCheckout`* (List of String)
: Prevent git from fetching unnecessary blobs from server.
This is useful if only parts of the repository are needed.
::: {.example #ex-fetchgit-sparseCheckout}
# Use `sparseCheckout` to only include some directories:
```nix
{ stdenv, fetchgit }:
stdenv.mkDerivation {
name = "hello";
src = fetchgit {
url = "https://...";
sparseCheckout = [
"directory/to/be/included"
"another/directory"
];
hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};
}
```
:::
See [git sparse-checkout](https://git-scm.com/docs/git-sparse-checkout) for more information.
Some additional parameters for niche use-cases can be found listed in the function parameters in the declaration of `fetchgit`: `pkgs/build-support/fetchgit/default.nix`.
Future parameters additions might also happen without immediately being documented here.
## `fetchfossil` {#fetchfossil}
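Review bot: two wording problems in the new definition list. The `deepClone` entry keeps "as opposing to just creating a shallow clone" from the old paragraph; it should read "as opposed to". The `postFetch` entry says "after the file has been fetched successfully", but `fetchgit` produces a checkout directory, so "after the repository has been fetched" is accurate. The `leaveDotGit` entry could also say why the flag is unsuitable on its own: the `hash` covers the whole output, so a `.git` directory whose on-disk layout differs between git versions breaks the fixed-output hash, which is the practical consequence of the "repository format is not stable" warning.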

@ -5,6 +5,8 @@
lib,
stdenvNoCC,
callPackage,
devmode,
mkShellNoCC,
documentation-highlighter,
nixos-render-docs,
nixpkgs ? { },
@ -29,6 +31,7 @@ stdenvNoCC.mkDerivation (
../anchor-use.js
../anchor.min.js
../manpage-urls.json
../redirects.json
];
};
@ -60,6 +63,7 @@ stdenvNoCC.mkDerivation (
nixos-render-docs manual html \
--manpage-urls ./manpage-urls.json \
--redirects ./redirects.json \
--revision ${nixpkgs.rev or "master"} \
--stylesheet style.css \
--stylesheet highlightjs/mono-blue.css \
@ -95,10 +99,14 @@ stdenvNoCC.mkDerivation (
pythonInterpreterTable = callPackage ./python-interpreter-table.nix { };
shell = callPackage ../../pkgs/tools/nix/web-devmode.nix {
buildArgs = "./.";
open = "/share/doc/nixpkgs/manual.html";
};
shell =
let
devmode' = devmode.override {
buildArgs = "./.";
open = "/share/doc/nixpkgs/manual.html";
};
in
mkShellNoCC { packages = [ devmode' ]; };
tests.manpage-urls = callPackage ../tests/manpage-urls.nix { };
};

@ -18,6 +18,16 @@ setup hook registering ninja-based build and install phases.
Controls the flags passed to `meson setup` during configure phase.
#### `mesonBuildDir` {#meson-build-dir}
Directory where Meson will put intermediate files.
Setting this can be useful for debugging multiple Meson builds while in the same source directory, for example, when building for different platforms.
Different values for each build will prevent build artefacts from interefering with each other.
This setting has no tangible effect when running the build in a sandboxed derivation.
The default value is `build`.
#### `mesonWrapMode` {#meson-wrap-mode}
Which value is passed as
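Review bot: `interefering` in the new `mesonBuildDir` paragraph is misspelled and should read `interfering`.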

@ -52,12 +52,12 @@ rustPlatform.buildRustPackage rec {
buildInputs =
[ openssl ]
++ lib.optionals stdenv.isLinux [
++ lib.optionals stdenv.hostPlatform.isLinux [
glib-networking # Most Tauri apps need networking
libsoup
webkitgtk_4_0
]
++ lib.optionals stdenv.isDarwin (
++ lib.optionals stdenv.hostPlatform.isDarwin (
with darwin.apple_sdk.frameworks;
[
AppKit

@ -42,7 +42,7 @@ $ dotnet --info
Version: 7.0.202
Commit: 6c74320bc3
Środowisko uruchomieniowe:
Runtime Environment:
OS Name: nixos
OS Version: 23.05
OS Platform: Linux

@ -57,8 +57,8 @@ Available compilers are collected under `haskell.compiler`.
Each of those compiler versions has a corresponding attribute set `packages` built with
it. However, the non-standard package sets are not tested regularly and, as a
result, contain fewer working packages. The corresponding package set for GHC
9.4.5 is `haskell.packages.ghc945`. In fact `haskellPackages` is just an alias
for `haskell.packages.ghc964`:
9.4.5 is `haskell.packages.ghc945`. In fact `haskellPackages` (at the time of writing) is just an alias
for `haskell.packages.ghc966`:
Every package set also re-exposes the GHC used to build its packages as `haskell.packages.*.ghc`.

@ -55,6 +55,7 @@ sets are
* `pkgs.python311Packages`
* `pkgs.python312Packages`
* `pkgs.python313Packages`
* `pkgs.python314Packages`
* `pkgs.pypy27Packages`
* `pkgs.pypy39Packages`
* `pkgs.pypy310Packages`

@ -25,12 +25,14 @@ stdenv.mkDerivation {
The same goes for Qt 5 where libraries and tools are under `libsForQt5`.
Any Qt package should include `wrapQtAppsHook` in `nativeBuildInputs`, or explicitly set `dontWrapQtApps` to bypass generating the wrappers.
Any Qt package should include `wrapQtAppsHook` or `wrapQtAppsNoGuiHook` in `nativeBuildInputs`, or explicitly set `dontWrapQtApps` to bypass generating the wrappers.
::: {.note}
Qt 6 graphical applications should also include `qtwayland` in `buildInputs` on Linux (but not on platforms e.g. Darwin, where `qtwayland` is not available), to ensure the Wayland platform plugin is available.
This may become default in the future, see [NixOS/nixpkgs#269674](https://github.com/NixOS/nixpkgs/pull/269674).
`wrapQtAppsHook` propagates plugins and QML components from `qtwayland` on platforms that support it, to allow applications to act as native Wayland clients. It should be used for all graphical applications.
`wrapQtAppsNoGuiHook` does not propagate `qtwayland` to reduce closure size for purely command-line applications.
:::
## Packages supporting multiple Qt versions {#qt-versions}

@ -64,10 +64,18 @@ hash using `nix-hash --to-sri --type sha256 "<original sha256>"`.
```
Exception: If the application has cargo `git` dependencies, the `cargoHash`
approach will not work, and you will need to copy the `Cargo.lock` file of the application
to nixpkgs and continue with the next section for specifying the options of the `cargoLock`
section.
approach will not work by default. In this case, you can set `useFetchCargoVendor = true`
to use an improved fetcher that supports handling `git` dependencies.
```nix
{
useFetchCargoVendor = true;
cargoHash = "sha256-RqPVFovDaD2rW31HyETJfQ0qVwFxoGEvqkIgag3H6KU=";
}
```
If this method still does not work, you can resort to copying the `Cargo.lock` file into nixpkgs
and importing it as described in the [next section](#importing-a-cargo.lock-file).
Both types of hashes are permitted when contributing to nixpkgs. The
Cargo hash is obtained by inserting a fake checksum into the
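Review bot: the `cargoHash` value in the new `useFetchCargoVendor` snippet (and the identical value in the `fetchCargoVendor` example added further down in this file) looks like a real hash rather than a placeholder; the fetcher documentation in this manual uses an obviously fake `sha256-AAAA…=` value for the same purpose, and following that convention here keeps readers from pasting a plausible-looking hash that will simply fail the fixed-output check against their own sources.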
@ -462,6 +470,17 @@ also be used:
the `Cargo.lock`/`Cargo.toml` files need to be patched before
vendoring.
In case the lockfile contains cargo `git` dependencies, you can use
`fetchCargoVendor` instead.
```nix
{
cargoDeps = rustPlatform.fetchCargoVendor {
inherit src;
hash = "sha256-RqPVFovDaD2rW31HyETJfQ0qVwFxoGEvqkIgag3H6KU=";
};
}
```
If a `Cargo.lock` file is available, you can alternatively use the
`importCargoLock` function. In contrast to `fetchCargoTarball`, this
function does not require a hash (unless git dependencies are used)

@ -1,6 +1,6 @@
# TeX Live {#sec-language-texlive}
Since release 15.09 there is a new TeX Live packaging that lives entirely under attribute `texlive`.
There is a TeX Live packaging that lives entirely under attribute `texlive`.
## User's guide (experimental new interface) {#sec-language-texlive-user-guide-experimental}

View file

@ -8,4 +8,4 @@ HTTP has a couple of different mechanisms for caching to prevent clients from ha
Fortunately, HTTP supports an alternative (and more effective) caching mechanism: the [`ETag`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag) response header. The value of the `ETag` header specifies some identifier for the particular content that the server is sending (e.g., a hash). When a client makes a second request for the same resource, it sends that value back in an `If-None-Match` header. If the ETag value is unchanged, then the server does not need to resend the content.
As of NixOS 19.09, the nginx package in Nixpkgs is patched such that when nginx serves a file out of `/nix/store`, the hash in the store path is used as the `ETag` header in the HTTP response, thus providing proper caching functionality. With NixOS 24.05 and later, the `ETag` additionally includes the response content length, to ensure files served with static compression do not share `ETag`s with their uncompressed version. This `ETag` functionality is enabled automatically; you do not need to do modify any configuration to get this behavior.
The nginx package in Nixpkgs is patched such that when nginx serves a file out of `/nix/store`, the hash in the store path is used as the `ETag` header in the HTTP response, thus providing proper caching functionality. With NixOS 24.05 and later, the `ETag` additionally includes the response content length, to ensure files served with static compression do not share `ETag`s with their uncompressed version. This `ETag` functionality is enabled automatically; you do not need to do modify any configuration to get this behavior.
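Review bot: "you do not need to do modify any configuration" carries a stray "do" (it is present in the old line too); since the sentence is being rewritten to drop the 19.09 qualifier, it should become "you do not need to modify any configuration".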

@ -31,7 +31,6 @@ Use `programs.steam.enable = true;` if you want to add steam to `systemPackages`
- **Using the FOSS Radeon or nouveau (nvidia) drivers**
- The `newStdcpp` parameter was removed since NixOS 17.09 and should not be needed anymore.
- Steam ships statically linked with a version of `libcrypto` that conflicts with the one dynamically loaded by radeonsi_dri.so. If you get the error:
```

4193 third_party/nixpkgs/doc/redirects.json vendored Normal file
File diff suppressed because it is too large

@ -1 +1 @@
24.11
25.05

@ -115,7 +115,6 @@ lib.mapAttrs mkLicense ({
arphicpl = {
spdxId = "Arphic-1999";
fullName = "Arphic Public License";
url = "https://www.freedesktop.org/wiki/Arphic_Public_License/";
};
artistic1 = {
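Review bot: this and the following hunks in this file delete the explicit `url` from entries that all keep an `spdxId` (`arphicpl` here, then `bsl11`, `cal10`, `caldera`, `ecl20`, `elastic20`, `iasl` and others), which is only safe if `mkLicense` derives the URL from the SPDX identifier; confirm that before merging, because the removed URLs were the only link to the license text for these entries, and for `caldera` and `iasl` they pointed at archived copies rather than an SPDX page, so those two are worth checking by hand.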
@ -213,6 +212,11 @@ lib.mapAttrs mkLicense ({
fullName = "BSD 3-Clause Clear License";
};
bsd3Lbnl = {
spdxId = "BSD-3-Clause-LBNL";
fullName = "Lawrence Berkeley National Labs BSD variant license";
};
bsdOriginal = {
spdxId = "BSD-4-Clause";
fullName = ''BSD 4-clause "Original" or "Old" License'';
@ -236,7 +240,6 @@ lib.mapAttrs mkLicense ({
bsl11 = {
spdxId = "BUSL-1.1";
fullName = "Business Source License 1.1";
url = "https://mariadb.com/bsl11";
free = false;
redistributable = true;
};
@ -249,13 +252,11 @@ lib.mapAttrs mkLicense ({
cal10 = {
spdxId = "CAL-1.0";
fullName = "Cryptographic Autonomy License version 1.0 (CAL-1.0)";
url = "https://opensource.org/licenses/CAL-1.0";
};
caldera = {
spdxId = "Caldera";
fullName = "Caldera License";
url = "http://www.lemis.com/grog/UNIX/ancient-source-all.pdf";
};
capec = {
@ -459,7 +460,6 @@ lib.mapAttrs mkLicense ({
ecl20 = {
fullName = "Educational Community License, Version 2.0";
url = "https://opensource.org/licenses/ECL-2.0";
shortName = "ECL 2.0";
spdxId = "ECL-2.0";
};
@ -477,7 +477,6 @@ lib.mapAttrs mkLicense ({
elastic20 = {
spdxId = "Elastic-2.0";
fullName = "Elastic License 2.0";
url = "https://github.com/elastic/elasticsearch/blob/main/licenses/ELASTIC-LICENSE-2.0.txt";
free = false;
};
@ -671,7 +670,6 @@ lib.mapAttrs mkLicense ({
iasl = {
spdxId = "Intel-ACPI";
fullName = "Intel ACPI Software License Agreement";
url = "https://old.calculate-linux.org/packages/licenses/iASL";
};
icu = {
@ -697,7 +695,6 @@ lib.mapAttrs mkLicense ({
info-zip = {
spdxId = "Info-ZIP";
fullName = "Info-ZIP License";
url = "https://infozip.sourceforge.net/license.html";
};
inria-compcert = {
@ -882,7 +879,6 @@ lib.mapAttrs mkLicense ({
miros = {
spdxId = "MirOS";
fullName = "MirOS License";
url = "https://opensource.org/licenses/MirOS";
};
mit = {
@ -890,6 +886,11 @@ lib.mapAttrs mkLicense ({
fullName = "MIT License";
};
mit-cmu = {
spdxId = "MIT-CMU";
fullName = "CMU License";
};
mit-feh = {
spdxId = "MIT-feh";
fullName = "feh License";
@ -939,7 +940,6 @@ lib.mapAttrs mkLicense ({
mulan-psl2 = {
spdxId = "MulanPSL-2.0";
fullName = "Mulan Permissive Software License, Version 2";
url = "https://license.coscl.org.cn/MulanPSL2";
};
naist-2003 = {
@ -974,7 +974,6 @@ lib.mapAttrs mkLicense ({
fullName = "Netdata Cloud UI License v1.0";
free = false;
redistributable = true; # Only if used in Netdata products.
url = "https://raw.githubusercontent.com/netdata/netdata/master/web/gui/v2/LICENSE.md";
};
nistSoftware = {
@ -1072,7 +1071,6 @@ lib.mapAttrs mkLicense ({
parity70 = {
spdxId = "Parity-7.0.0";
fullName = "Parity Public License 7.0.0";
url = "https://paritylicense.com/versions/7.0.0.html";
};
php301 = {
@ -1094,7 +1092,6 @@ lib.mapAttrs mkLicense ({
psfl = {
spdxId = "Python-2.0";
fullName = "Python Software Foundation License version 2";
url = "https://docs.python.org/license.html";
};
publicDomain = {
@ -1223,8 +1220,8 @@ lib.mapAttrs mkLicense ({
};
ufl = {
spdxId = "Ubuntu-font-1.0";
fullName = "Ubuntu Font License 1.0";
url = "https://ubuntu.com/legal/font-licence";
};
unfree = {
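Review bot: `ufl` is the one entry in this file where an `spdxId` (`Ubuntu-font-1.0`) is introduced in the same hunk that drops the explicit `url`; make sure the SPDX identifier is spelled exactly as the SPDX list has it, since a mismatch here would leave the entry with neither a valid identifier nor a link.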
@ -1268,7 +1265,6 @@ lib.mapAttrs mkLicense ({
upl = {
spdxId = "UPL-1.0";
fullName = "Universal Permissive License";
url = "https://oss.oracle.com/licenses/upl/";
};
vim = {
@ -1334,7 +1330,6 @@ lib.mapAttrs mkLicense ({
xfig = {
spdxId = "Xfig";
fullName = "xfig";
url = "https://mcj.sourceforge.net/authors.html#xfig";
};
xinetd = {

@ -415,7 +415,7 @@ in {
On each release the first letter is bumped and a new animal is chosen
starting with that new letter.
*/
codeName = "Vicuna";
codeName = "Warbler";
/**
Returns the current nixpkgs version suffix as string.

@ -1834,6 +1834,12 @@
githubId = 10587952;
name = "Armijn Hemel";
};
arminius-smh = {
email = "armin@sprejz.de";
github = "arminius-smh";
githubId = 159054879;
name = "Armin Manfred Sprejz";
};
arnarg = {
email = "arnarg@fastmail.com";
github = "arnarg";
@ -2832,6 +2838,12 @@
githubId = 24254289;
name = "Payas Relekar";
};
bhasherbel = {
email = "nixos.maintainer@bhasher.com";
github = "bhasherbel";
githubId = 45831883;
name = "Brieuc Dubois";
};
bhipple = {
email = "bhipple@protonmail.com";
github = "bhipple";
@ -4122,6 +4134,12 @@
githubId = 43564;
name = "Claes Holmerson";
};
claha = {
email = "hallstrom.claes@gmail.com";
github = "claha";
githubId = 9336788;
name = "Claes Hallström";
};
clebs = {
email = "borja.clemente@gmail.com";
github = "clebs";
@ -4167,6 +4185,12 @@
githubId = 69784758;
matrix = "@clot27:matrix.org";
};
cloudripper = {
email = "other.wing8806@fastmail.com";
github = "cloudripper";
githubId = 70971768;
name = "cloudripper";
};
clr-cera = {
email = "clrcera05@gmail.com";
github = "clr-cera";
@ -4483,7 +4507,7 @@
name = "Chris Ostrouchov";
};
cottand = {
email = "nico@dcotta.eu";
email = "nico@dcotta.com";
github = "cottand";
githubId = 45274424;
name = "Nico D'Cotta";
@ -4769,6 +4793,12 @@
githubId = 743057;
name = "Danylo Hlynskyi";
};
danbulant = {
name = "Daniel Bulant";
email = "danbulant@gmail.com";
github = "danbulant";
githubId = 30036876;
};
danc86 = {
name = "Dan Callaghan";
email = "djc@djc.id.au";
@ -5150,6 +5180,12 @@
github = "DeclanRixon";
githubId = 57464835;
};
deeengan = {
github = "deeengan";
githubId = 87693324;
name = "Dee Engan";
keys = [ { fingerprint = "9C24 79F5 F0CE 48F4 00EE 4A5B B8ED 46EB 468B F72D"; } ];
};
deejayem = {
email = "nixpkgs.bu5hq@simplelogin.com";
github = "deejayem";
@ -5762,6 +5798,12 @@
githubId = 6806011;
name = "Robert Schütz";
};
dotmobo = {
email = "morgan.bohn@gmail.com";
github = "dotmobo";
githubId = 1997638;
name = ".mobo";
};
dottedmag = {
email = "dottedmag@dottedmag.net";
github = "dottedmag";
@ -5835,7 +5877,7 @@
name = "Sebastian Krohn";
};
drawbu = {
email = "clement21.boillot@gmail.com";
email = "clement2104.boillot@gmail.com";
github = "drawbu";
githubId = 69208565;
name = "Clément Boillot";
@ -7105,6 +7147,12 @@
githubId = 628359;
name = "Felix Singer";
};
felixzieger = {
name = "Felix Zieger";
github = "felixzieger";
githubId = 67903933;
email = "nixpkgs@felixzieger.de";
};
felschr = {
email = "dev@felschr.com";
matrix = "@felschr:matrix.org";
@ -8299,6 +8347,14 @@
githubId = 7385287;
name = "Lana Black";
};
grgi = {
name = "Gregor Giesen";
email = "gregor@giesen.net";
matrix = "@gregor:giesen.net";
github = "grgi";
githubId = 6435815;
keys = [ { fingerprint = "0F92 602B 1860 4476 77F4 8A67 C303 16AA C10F 3EA7"; } ];
};
gridaphobe = {
email = "eric@seidel.io";
github = "gridaphobe";
@ -10285,6 +10341,13 @@
githubId = 2502736;
name = "James Hillyerd";
};
jhol = {
name = "Joel Holdsworth";
email = "joel@airwebreathe.org.uk";
github = "jhol";
githubId = 1449493;
keys = [ { fingerprint = "08F7 2546 95DE EAEF 03DE B0E4 D874 562D DC99 D889"; } ];
};
jhollowe = {
email = "jhollowe@johnhollowell.com";
github = "jhollowe";
@ -10935,6 +10998,12 @@
githubId = 54635632;
keys = [ { fingerprint = "4C68 56EE DFDA 20FB 77E8 9169 1964 2151 C218 F6F5"; } ];
};
jthulhu = {
name = "Adrien Mathieu";
email = "adrien.lc.mathieu@gmail.com";
github = "jthulhu";
githubId = 23179762;
};
jtobin = {
email = "jared@jtobin.io";
github = "jtobin";
@ -11440,6 +11509,13 @@
name = "Khushraj Rathod";
keys = [ { fingerprint = "1988 3FD8 EA2E B4EC 0A93 1E22 B77B 2A40 E770 2F19"; } ];
};
kiara = {
name = "kiara";
email = "cinereal@riseup.net";
github = "KiaraGrouwstra";
githubId = 3059397;
matrix = "@cinerealkiara:matrix.org";
};
KibaFox = {
email = "kiba.fox@foxypossibilities.com";
github = "KibaFox";
@ -11804,6 +11880,12 @@
githubId = 26622971;
name = "Ronnie Ebrin";
};
kraftnix = {
email = "kraftnix@protonmail.com";
github = "kraftnix";
githubId = 83026656;
name = "kraftnix";
};
kragniz = {
email = "louis@kragniz.eu";
github = "kragniz";
@ -11883,6 +11965,12 @@
github = "krzaczek";
githubId = 5773701;
};
KSJ2000 = {
email = "katsho123@outlook.com";
name = "KSJ2000";
github = "KSJ2000";
githubId = 184105270;
};
ktf = {
email = "giulio.eulisse@cern.ch";
github = "ktf";
@ -11920,6 +12008,13 @@
name = "André Kugland";
keys = [ { fingerprint = "6A62 5E60 E3FF FCAE B3AA 50DC 1DA9 3817 80CD D833"; } ];
};
kuglimon = {
name = "Tatu Argillander";
email = "tatu.argillander@kouralabs.com";
github = "kuglimon";
githubId = 629430;
keys = [ { fingerprint = "2843 750C B1AB E256 94BE 40E2 D843 D30B 42CA 0E2D"; } ];
};
kupac = {
github = "Kupac";
githubId = 8224569;
@ -13412,6 +13507,12 @@
githubId = 1709273;
name = "Robin Hack";
};
marnym = {
email = "markus@nyman.dev";
github = "marnym";
githubId = 56825922;
name = "Markus Nyman";
};
marsupialgutz = {
email = "mars@possums.xyz";
github = "pupbrained";
@ -14334,12 +14435,6 @@
githubId = 5378535;
name = "Milo Gertjejansen";
};
milran = {
email = "milranmike@protonmail.com";
github = "wattmto";
githubId = 93639059;
name = "Milran Mike";
};
mimame = {
email = "miguel.madrid.mencia@gmail.com";
github = "mimame";
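Review bot: deleting the `milran` entry is a handle rename rather than a removal, because the same GitHub account (githubId 93639059) is re-added further down as `wattmto`; every `meta.maintainers = with lib.maintainers; [ milran ]` still in the tree will fail to evaluate as soon as this lands. Please confirm the references were migrated to `wattmto` in this same change (`git grep -w milran`), so the rename and the package updates cannot be merged separately.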
@ -14494,12 +14589,6 @@
githubId = 16974598;
name = "Mike Playle";
};
mkaito = {
email = "chris@mkaito.net";
github = "mkaito";
githubId = 20434;
name = "Christian Höppner";
};
mkazulak = {
email = "kazulakm@gmail.com";
github = "mulderr";
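Review bot: the `mkaito` entry is removed without any matching package or team change visible in this merge, so any remaining `lib.maintainers.mkaito` reference will break evaluation; a quick `git grep -w mkaito` before merging would rule that out. The `rane` removal below is in better shape, since the Xen team list is updated in the same merge, but the same grep applies to package `meta.maintainers` there as well.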
@ -15117,6 +15206,13 @@
githubId = 1234956;
"keys" = [ { "fingerprint" = "F21A 6194 C9DB 9899 CD09 E24E 434B 2C14 B8C3 3422"; } ];
};
nadiaholmquist = {
name = "Nadia Holmquist Pedersen";
email = "nadia@nhp.sh";
matrix = "@nhp:matrix.org";
github = "nadiaholmquist";
githubId = 893884;
};
nadir-ishiguro = {
github = "nadir-ishiguro";
githubId = 23151917;
@ -15846,6 +15942,12 @@
githubId = 30374463;
name = "Michal S.";
};
notthebee = {
email = "moe@notthebe.ee";
github = "notthebee";
githubId = 30384331;
name = "Wolfgang";
};
notthemessiah = {
email = "brian.cohen.88@gmail.com";
github = "NOTtheMessiah";
@ -16519,6 +16621,13 @@
githubId = 120342602;
name = "Michael Paepcke";
};
pagedMov = {
email = "kylerclay@proton.me";
github = "pagedMov";
githubId = 19557376;
name = "Kyler Clay";
keys = [ { fingerprint = "784B 3623 94E7 8F11 0B9D AE0F 56FD CFA6 2A93 B51E"; } ];
};
paholg = {
email = "paho@paholg.com";
github = "paholg";
@ -16793,6 +16902,12 @@
githubId = 943430;
name = "David Hagege";
};
peat-psuwit = {
name = "Ratchanan Srirattanamet";
email = "peat@peat-network.xyz";
github = "peat-psuwit";
githubId = 6771175;
};
pedohorse = {
github = "pedohorse";
githubId = 13556996;
@ -18098,12 +18213,6 @@
githubId = 5653911;
name = "Rampoina";
};
rane = {
email = "rane+nix@junkyard.systems";
github = "digitalrane";
githubId = 1829286;
name = "Rane";
};
ranfdev = {
email = "ranfdev@gmail.com";
name = "Lorenzo Miglietta";
@ -18728,6 +18837,12 @@
githubId = 6204883;
name = "Longrin Wischnewski";
};
robbiebuxton = {
email = "robbiesbuxton@gmail.com";
github = "robbiebuxton";
githubId = 67549526;
name = "Robbie Buxton";
};
robbinch = {
email = "robbinch33@gmail.com";
github = "robbinch";
@ -19573,6 +19688,13 @@
githubId = 5104601;
name = "schnusch";
};
schrobingus = {
email = "brent.monning.jr@gmail.com";
name = "Brent Monning";
github = "schrobingus";
githubId = 72168352;
matrix = "@schrobingus:matrix.org";
};
Schweber = {
github = "Schweber";
githubId = 64630479;
@ -23309,6 +23431,12 @@
github = "water-sucks";
githubId = 68445574;
};
wattmto = {
email = "dev@wattmto.dev";
github = "wattmto";
githubId = 93639059;
name = "wattmto";
};
waynr = {
name = "Wayne Warren";
email = "wayne.warren.s@gmail.com";
@ -23440,6 +23568,12 @@
githubId = 7121530;
name = "Wolf Honoré";
};
whtsht = {
email = "whiteshirt0079@gmail.com";
github = "whtsht";
githubId = 85547207;
name = "Hinata Toma";
};
wietsedv = {
email = "wietsedv@proton.me";
github = "wietsedv";
@ -24086,7 +24220,7 @@
githubId = 47071325;
};
ymstnt = {
name = "YMSTNT";
name = "ymstnt";
github = "ymstnt";
githubId = 21342713;
};

View file

@ -8,69 +8,12 @@
to 'fetch-deps', 'nuget-to-nix', or other changes to the dotnet build
infrastructure. Regular updates should be done through the individual packages
update scripts.
*/
{ startWith ? null }:
let
pkgs = import ../.. { config.allowAliases = false; };
inherit (pkgs) lib;
packagesWith = cond: pkgs:
let
packagesWithInner = attrs:
lib.concatLists (
lib.mapAttrsToList (name: elem:
let
result = builtins.tryEval elem;
in
if result.success then
let
value = result.value;
in
if lib.isDerivation value then
lib.optional (cond value) value
else
if lib.isAttrs value && (value.recurseForDerivations or false || value.recurseForRelease or false) then
packagesWithInner value
else []
else []) attrs);
in
packagesWithInner pkgs;
packages = lib.unique
(lib.filter (p:
(builtins.tryEval p.outPath).success ||
builtins.trace "warning: skipping ${p.name} because it failed to evaluate" false)
((pkgs: (lib.drop (lib.lists.findFirstIndex (p: p.name == startWith) 0 pkgs) pkgs))
(packagesWith (p: p ? fetch-deps) pkgs)));
helpText = ''
Please run:
% nix-shell maintainers/scripts/update-dotnet-lockfiles.nix
'';
fetchScripts = map (p: p.fetch-deps) packages;
in pkgs.stdenv.mkDerivation {
name = "nixpkgs-update-dotnet-lockfiles";
buildCommand = ''
echo ""
echo "----------------------------------------------------------------"
echo ""
echo "Not possible to update packages using \`nix-build\`"
echo ""
echo "${helpText}"
echo "----------------------------------------------------------------"
exit 1
'';
shellHook = ''
unset shellHook # do not contaminate nested shells
set -e
for x in $fetchScripts; do
$x
done
exit
'';
inherit fetchScripts;
}
*/
{ ... }@args:
import ./update.nix (
{
predicate = _: _: true;
get-script = pkg: pkg.fetch-deps or null;
}
// args
)
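Review bot: the `startWith` resume argument of the old script (`{ startWith ? null }:` and the `lib.drop (lib.lists.findFirstIndex (p: p.name == startWith) 0 pkgs)` logic) disappears in this rewrite with no replacement and no mention, and because `{ ... }@args` forwards every argument verbatim to `./update.nix`, someone still running `--arg startWith '"foo"'` will get whatever update.nix does with an unknown argument rather than a clear error. Either note the removal in the header comment, which still describes how to run the script, or map it onto an equivalent update.nix option if one covers the resume-after-failure workflow the old `set -e` loop relied on.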

View file

@ -8,6 +8,7 @@
{ package ? null
, maintainer ? null
, predicate ? null
, get-script ? pkg: pkg.updateScript or null
, path ? null
, max-workers ? null
, include-overlays ? false
@ -17,13 +18,13 @@
}:
let
pkgs = import ./../../default.nix (
pkgs = import ./../../default.nix ((
if include-overlays == false then
{ overlays = []; }
else if include-overlays == true then
{ } # Let Nixpkgs include overlays impurely.
else { overlays = include-overlays; }
);
) // { config.allowAliases = false; });
inherit (pkgs) lib;
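Review bot: `// { config.allowAliases = false; }` is a user-visible behaviour change that the diff does not document: `--argstr package <alias>` now fails with "Package with an attribute name ... does not exist." instead of updating the aliased package, which is arguably correct but will surprise people. A second, subtler effect is in the `include-overlays == true` branch: passing `config` explicitly means nixpkgs no longer consults `~/.config/nixpkgs/config.nix` or `NIXPKGS_CONFIG`, so the comment "Let Nixpkgs include overlays impurely" is now accurate only for overlays, not for config. Worth a sentence in the comment and in the commit message.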
@ -56,7 +57,7 @@ let
somewhatUniqueRepresentant =
{ package, attrPath }: {
inherit (package) updateScript;
updateScript = (get-script package);
# Some updaters use the same `updateScript` value for all packages.
# Also compare `meta.description`.
position = package.meta.position or null;
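Review bot: the parentheses in `updateScript = (get-script package);` are redundant; `updateScript = get-script package;` reads the same as the other call sites in this file.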
@ -89,7 +90,7 @@ let
/* Recursively find all packages in `pkgs` with updateScript matching given predicate.
*/
packagesWithUpdateScriptMatchingPredicate = cond:
packagesWith (path: pkg: builtins.hasAttr "updateScript" pkg && cond path pkg);
packagesWith (path: pkg: (get-script pkg != null) && cond path pkg);
/* Recursively find all packages in `pkgs` with updateScript by given maintainer.
*/
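Review bot: `get-script pkg != null` forces the `updateScript` value during the tree walk, whereas `builtins.hasAttr "updateScript" pkg` only tested for the attribute's presence. A package whose `updateScript` is defined but throws when evaluated will now abort the whole scan, even when `cond path pkg` would have filtered that package out (for example a `--argstr maintainer` run that never touches it). If that is not intended, evaluate the script inside `builtins.tryEval` in the predicate, or keep a presence check (`pkg ? updateScript`) in the default `get-script`.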
@ -121,7 +122,7 @@ let
if pathContent == null then
builtins.throw "Attribute path `${path}` does not exist."
else
packagesWithPath prefix (path: pkg: builtins.hasAttr "updateScript" pkg)
packagesWithPath prefix (path: pkg: (get-script pkg != null))
pathContent;
/* Find a package under `path` in `pkgs` and require that it has an updateScript.
@ -132,7 +133,7 @@ let
in
if package == null then
builtins.throw "Package with an attribute name `${path}` does not exist."
else if ! builtins.hasAttr "updateScript" package then
else if get-script package == null then
builtins.throw "Package with an attribute name `${path}` does not have a `passthru.updateScript` attribute defined."
else
{ attrPath = path; inherit package; };
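Review bot: the error text still hard-codes `passthru.updateScript` ("does not have a `passthru.updateScript` attribute defined") even though the check now goes through `get-script`, which callers such as update-dotnet-lockfiles.nix point at `fetch-deps`. Make the message generic ("does not provide an update script") or thread the attribute name through so the error matches what was actually looked up.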
@ -193,13 +194,13 @@ let
/* Transform a matched package into an object for update.py.
*/
packageData = { package, attrPath }: {
packageData = { package, attrPath }: let updateScript = get-script package; in {
name = package.name;
pname = lib.getName package;
oldVersion = lib.getVersion package;
updateScript = map builtins.toString (lib.toList (package.updateScript.command or package.updateScript));
supportedFeatures = package.updateScript.supportedFeatures or [];
attrPath = package.updateScript.attrPath or attrPath;
updateScript = map builtins.toString (lib.toList (updateScript.command or updateScript));
supportedFeatures = updateScript.supportedFeatures or [];
attrPath = updateScript.attrPath or attrPath;
};
/* JSON file with data for update.py.
@ -230,4 +231,5 @@ in pkgs.stdenv.mkDerivation {
unset shellHook # do not contaminate nested shells
exec ${pkgs.python3.interpreter} ${./update.py} ${builtins.concatStringsSep " " args}
'';
nativeBuildInputs = [ pkgs.git pkgs.nix pkgs.cacert ];
}
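Review bot: `nativeBuildInputs = [ pkgs.git pkgs.nix pkgs.cacert ];` puts the nixpkgs-built `nix` ahead of the host's installed one on PATH for update.py and for every update script it spawns, which is a reasonable reproducibility choice but also a behaviour change for people deliberately using a different client, and it must still talk to the host daemon. It deserves a line in the commit message; if shadowing the host `nix` is not the goal, restrict the list to `git` and `cacert`.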

View file

@ -1076,7 +1076,6 @@ with lib.maintainers;
members = [
hehongbo
lach
rane
sigmasquadron
];
scope = "Maintain the Xen Project Hypervisor and the related tooling ecosystem.";

View file

@ -52,7 +52,7 @@ and [](#opt-services.kubernetes.easyCerts)
to true. This sets up flannel as CNI and activates automatic PKI bootstrapping.
::: {.note}
As of NixOS 19.03, it is mandatory to configure:
It is mandatory to configure:
[](#opt-services.kubernetes.masterAddress).
The masterAddress must be resolveable and routeable by all cluster nodes.
In single node clusters, this can be set to `localhost`.
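Review bot: while touching this note, the untouched line right below the change still reads "resolveable and routeable"; please fix to "resolvable and routable" in the same commit.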

View file

@ -17,6 +17,12 @@ There's also [a convenient development daemon](https://nixos.org/manual/nixpkgs/
The above instructions don't deal with the appendix of available `configuration.nix` options, and the manual pages related to NixOS. These are built, and written in a different location and in a different format, as explained in the next sections.
## Testing redirects {#sec-contributing-redirects}
Once you have a successful build, you can open the relevant HTML (path mentioned above) in a browser along with the anchor, and observe the redirection.
Note that if you already loaded the page and *then* input the anchor, you will need to perform a reload. This is because browsers do not re-run client JS code when only the anchor has changed.
## Contributing to the `configuration.nix` options documentation {#sec-contributing-options}
The documentation for all the different `configuration.nix` options is automatically generated by reading the `description`s of all the NixOS options defined at `nixos/modules/`. If you want to improve such `description`, find it in the `nixos/modules/` directory, and edit it and open a pull request.

View file

@ -122,6 +122,7 @@ in rec {
nixos-render-docs -j $NIX_BUILD_CORES manual html \
--manpage-urls ${manpageUrls} \
--redirects ${./redirects.json} \
--revision ${escapeShellArg revision} \
--generator "nixos-render-docs ${pkgs.lib.version}" \
--stylesheet style.css \

View file

@ -312,6 +312,8 @@ have a predefined type and string generator already declared under
may be transformed into multiple key-value pairs depending on
`listToValue`).
The attribute `lib.type.atom` contains the used INI atom.
`pkgs.formats.iniWithGlobalSection` { *`listsAsDuplicateKeys`* ? false, *`listToValue`* ? null, \.\.\. }
: A function taking an attribute set with values
@ -333,6 +335,8 @@ have a predefined type and string generator already declared under
attrset of key-value pairs for a single section, the global section which
preceedes the section definitions.
The attribute `lib.type.atom` contains the used INI atom.
`pkgs.formats.toml` { }
: A function taking an empty attribute set (for future extensibility)
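Review bot: please double-check the attribute path in the two added sentences, "The attribute `lib.type.atom` contains the used INI atom."; the formats in pkgs/pkgs-lib/formats.nix otherwise expose their types under `lib.types`, so if the actual attribute is `lib.types.atom` this documents a path that does not exist, which is hard to catch later. The untouched context line in the second hunk also spells "preceedes" for "precedes".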

View file

@ -206,8 +206,7 @@ The first steps to all these are the same:
line)
::: {.note}
Support for `NIXOS_LUSTRATE` was added in NixOS 16.09. The act of
"lustrating" refers to the wiping of the existing distribution.
The act of "lustrating" refers to the wiping of the existing distribution.
Creating `/etc/NIXOS_LUSTRATE` can also be used on NixOS to remove
all mutable files from your root partition (anything that's not in
`/nix` or `/boot` gets "lustrated" on the next boot.
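Review bot: the version sentence is rightly dropped, but the sentence that follows in context is still unbalanced: "(anything that's not in `/nix` or `/boot` gets "lustrated" on the next boot." opens a parenthesis that is never closed. Since this paragraph is being edited anyway, close it after "boot".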

File diff suppressed because it is too large

View file

@ -3,6 +3,7 @@
This section lists the release notes for each stable version of NixOS and current unstable revision.
```{=include=} sections
rl-2505.section.md
rl-2411.section.md
rl-2405.section.md
rl-2311.section.md

View file

@ -101,8 +101,12 @@
systemd-sysusers to achieve a system without Perl, as it can create normal
users and change passwords. Available as [services.userborn](#opt-services.userborn.enable).
- [g810-led](https://github.com/MatMoul/g810-led), a LED controller for Logitech G keyboards. Available as [services.g810-led](options.html#opt-services.g810-led.enable).
- [Hatsu](https://github.com/importantimport/hatsu), a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as [services.hatsu](options.html#opt-services.hatsu.enable).
- [Soteria](https://github.com/ImVaskel/soteria), a polkit authentication agent to handle elevated prompts for any desktop environment. Normally this should only be used on DEs or WMs that do not provide a graphical polkit frontend on their own. Available as [`security.soteria`](#opt-security.soteria.enable).
- [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood.enable).
- [Niri](https://github.com/YaLTeR/niri), a scrollable-tiling Wayland compositor. Available as [programs.niri](options.html#opt-programs.niri.enable).
@ -115,6 +119,8 @@
- [Eintopf](https://eintopf.info), a community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf.enable).
- [`pay-respects`](https://codeberg.org/iff/pay-respects), a terminal command correction program, alternative to `thefuck`, written in Rust. Available as [programs.pay-respects](options.html#opt-programs.pay-respects).
- [Radicle](https://radicle.xyz), an open source, peer-to-peer code collaboration stack built on Git. Available as [services.radicle](#opt-services.radicle.enable).
- [ddns-updater](https://github.com/qdm12/ddns-updater), a service with a WebUI to update DNS records periodically for many providers. Available as [services.ddns-updater](#opt-services.ddns-updater.enable).
@ -123,6 +129,8 @@
- [HomeBox](https://github.com/sysadminsmedia/homebox), an inventory and organization system built for the home user. Available as [services.homebox](#opt-services.homebox.enable).
- [evremap](https://github.com/wez/evremap), a keyboard input remapper for Linux/Wayland systems. Available as [services.evremap](options.html#opt-services.evremap).
- [matrix-hookshot](https://matrix-org.github.io/matrix-hookshot), a Matrix bot for connecting to external services. Available as [services.matrix-hookshot](#opt-services.matrix-hookshot.enable).
- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various Git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).
@ -131,6 +139,8 @@
- [zeronsd](https://github.com/zerotier/zeronsd), a DNS server for ZeroTier users. Available with [services.zeronsd.servedNetworks](#opt-services.zeronsd.servedNetworks).
- [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](#opt-services.agorakit.enable).
- [Collabora Online](https://www.collaboraonline.com/), a collaborative online office suite based on LibreOffice technology. Available as [services.collabora-online](options.html#opt-services.collabora-online.enable).
- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a WebUI for connecting devices. Available as [services.wg-access-server](#opt-services.wg-access-server.enable).
@ -195,6 +205,8 @@
- [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](option.html#opt-services.zapret.enable).
- [Glances](https://github.com/nicolargo/glances), an open-source system cross-platform monitoring tool. Available as [services.glances](option.html#opt-services.glances).
## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
- Nixpkgs now requires Nix 2.3.17 or newer to allow for zstd compressed binary artifacts.
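Review bot: the Glances entry links to `option.html#opt-services.glances`, where the file name is wrong (`options.html`) and the anchor names an attribute set rather than an option. The Zapret line kept as context just above has the same `option.html` typo; please fix both while here.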
@ -203,8 +215,9 @@
- The NVIDIA driver no longer defaults to the proprietary kernel module with versions >= 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open modules.
- The `(buildPythonPackage { ... }).override` attribute is now deprecated and removed in favour of `overridePythonAttrs`.
- The `(buildPythonPackage { ... }).override` and `(buildPythonPackage { ... }).overrideDerivation` attributes is now deprecated and removed in favour of `overridePythonAttrs` and `lib.overrideDerivation`.
This change does not affect the override interface of most Python packages, as [`<pkg>.override`](https://nixos.org/manual/nixpkgs/unstable/#sec-pkg-override) provided by `callPackage` shadows such a locally-defined `override` attribute.
The `<pkg>.overrideDerivation` attribute of Python packages called with `callPackage` will also remain available after this change.
- All Cinnamon and XApp packages have been moved to top-level (i.e., `cinnamon.nemo` is now `nemo`).
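Review bot: the rewritten sentence has a number-agreement error: "The `(buildPythonPackage { ... }).override` and `(buildPythonPackage { ... }).overrideDerivation` attributes is now deprecated and removed" should read "attributes are now deprecated and removed".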
@ -225,7 +238,7 @@
- The VirtualBox demo installer appliance has been removed.
Please use the standard installer ISOs instead.
- `grafana` has been updated to version 11.1. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected.
- `grafana` has been updated to version 11.3. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected.
- `deno` has been updated to Deno 2, which has breaking changes.
See the [migration guide](https://docs.deno.com/runtime/reference/migration_guide/) for details.
@ -236,6 +249,8 @@
- `knot-dns` has been updated to version 3.4.x. Check the [migration guide](https://www.knot-dns.cz/docs/latest/html/migration.html#upgrade-3-3-x-to-3-4-x) for breaking changes.
- `mutmut` has been updated to version 3.0.5.
- `services.kubernetes.kubelet.clusterDns` now accepts a list of DNS resolvers rather than a single string, bringing the module more in line with the upstream Kubelet configuration schema.
- `bluemap` has changed the format used to store map tiles, and the database layout has been heavily modified. Upstream recommends a clean reinstallation: <https://github.com/BlueMap-Minecraft/BlueMap/releases/tag/v5.2>. Unless you are using an SQL storage backend, this should only entail deleting the contents of `config.services.bluemap.coreSettings.data` (defaults to `/var/lib/bluemap`) and `config.services.bluemap.webRoot` (defaults to `/var/lib/bluemap/web`).
@ -303,10 +318,21 @@
- The `mautrix-signal` module was adapted to incorporate the configuration changes that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work.
In case you want to update your configuration, make sure to check the NixOS manual.
- `cargo-tauri` has been updated to major version 2. Please review [the migration guide](https://tauri.app/start/migrate/from-tauri-1/).
v1 of `cargo-tauri` is still available as `cargo-tauri_1`, but will be removed in future releases.
- The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver.
- `postgresql_12` has been removed since it reached its end of life.
- `postgresql` no longer accepts the `enableSystemd` override. Use `systemdSupport` instead.
- `postgresql` was split into default and -dev outputs. To make this work without circular dependencies, the output of the `pg_config` system view has been removed. The `pg_config` binary is provided in the -dev output and still works as expected.
- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.
- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that.
- The dhcpcd service (`networking.useDHCP`) has been hardened and now runs exclusively as the "dhcpcd" user.
Users that were relying on the root privileges in `networking.dhcpcd.runHook` will have to write specific [sudo](security.sudo.extraRules) or [polkit](security.polkit.extraConfig) rules to allow dhcpcd to perform privileged actions.
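Review bot: the `postgresql` hardening entry moved into this section carries only its first sentence; the guidance that accompanied it at its old place in Other Notable Changes ("If you use extensions that are not packaged in nixpkgs, please review whether it still works with the current settings and adjust accordingly if needed.") does not reappear here. If that sentence is still in the old section it is now orphaned, and if it was deleted the advice is lost; either way, carry it along with the entry. Unrelated but visible in this hunk's context: the nvidia line here repeats the "NVIDIA driver no longer defaults to the proprietary kernel module with versions >= 560" entry at the top of this section, so one of the two should go.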
@ -572,8 +598,6 @@
- Docker now defaults to 27.x, as version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084).
- `postgresql` was split into default and -dev outputs. To make this work without circular dependencies, the output of the `pg_config` system view has been removed. The `pg_config` binary is provided in the -dev output and still works as expected.
- `keycloak` was updated to version 25, which introduces new hostname related options.
See [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions.
@ -688,11 +712,10 @@
- `isync` has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details.
- Legacy package `globalprotect-openconnect` 1.x and related module
`services.globalprotect` were dropped. Two new packages -- `gpauth` and `gpclient`
from the 2.x version of the GlobalProtect-openconnect project -- are added in its
place. The GUI components related to the project are non-free and not
packaged.
- Two new packages -- `gpauth` and `gpclient` from the 2.x version of the
GlobalProtect-openconnect project -- are added in parallel to
`globalprotect-openconnect`. The GUI components related to the project are
non-free and not packaged.
- Compatible string matching for `hardware.deviceTree.overlays` has been changed to a more correct behavior. See [below](#sec-release-24.11-migration-dto-compatible) for details.
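Review bot: the new GlobalProtect wording no longer says what happens to the `services.globalprotect` module, which the previous text explicitly declared dropped. Since this same merge re-adds `./services/networking/globalprotect-vpn.nix` to the module list, say here that the module is retained alongside the 1.x package, otherwise readers who saw the earlier notes will still expect a removal.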
@ -715,6 +738,20 @@
- `python3Packages.nose` has been removed, as it has been deprecated and unmaintained for almost a decade and does not work on Python 3.12.
Please switch to `pytest` or another test runner/framework.
- `dotnet-sdk`, `dotnet-runtime`, and all other dotnet packages now use a
wrapper package containing `bin/dotnet`, build hooks, etc. If you need to
reference the underlying dotnet distribution (DOTNET_ROOT) you should use e.g.
`dotnet-runtime.unwrapped`.
- The root of dotnet distribution packages (DOTNET_ROOT) is now under e.g.
`${dotnet-sdk.unwrapped}/share/dotnet` instead of directly in the package
root. This is consistent with packaging guidelines and more friendly for FHS
environments.
- `dotnet-sdk`, `dotnet-runtime`, and `dotnet-aspnetcore` now point to dotnet 8
rather than dotnet 6. For packages that still need dotnet 6, use
`dotnet-sdk_6`, etc.
## Other Notable Changes {#sec-release-24.11-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@ -783,6 +820,8 @@
- The new `boot.loader.systemd-boot.windows` option makes setting up dual-booting with Windows on a different drive easier.
- The `boot.loader.raspberryPi` options were marked as deprecated in 23.11 and have now been removed.
- Linux 4.19 has been removed because it will reach its end of life within the lifespan of 24.11.
- Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep an
@ -817,8 +856,6 @@
- `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep). Available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).
- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.
- Mattermost has been updated from 9.5 to 9.11 ESR. See the [changelog](https://docs.mattermost.com/about/mattermost-v9-changelog.html#release-v9-11-extended-support-release) for more details.
- `cargo-tauri.hook` was introduced to help users build [Tauri](https://tauri.app/) projects. It is meant to be used alongside
@ -838,8 +875,6 @@
- `iproute2` now has libbpf support.
- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that.
If you use extensions that are not packaged in nixpkgs, please review whether it still works
with the current settings and adjust accordingly if needed.
@ -856,6 +891,8 @@
- `qgis` and `qgis-ltr` are now built without `grass` by default. `grass` support can be enabled with `qgis.override { withGrass = true; }`.
- `virtualisation.incus` module gained new `incus-user.service` and `incus-user.socket` systemd units. It is now possible to add a user to `incus` group instead of `incus-admin` for increased security.
## Detailed Migration Information {#sec-release-24.11-migration}
### `sound` options removal {#sec-release-24.11-migration-sound}

View file

@ -0,0 +1,36 @@
# Release 25.05 (“Warbler”, 2025.05/??) {#sec-release-25.05}
## Highlights {#sec-release-25.05-highlights}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Create the first release note entry in this section!
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## New Modules {#sec-release-25.05-new-modules}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- [Kimai](https://www.kimai.org/), a web-based multi-user time-tracking application. Available as [services.kimai](option.html#opt-services.kimai).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Backward Incompatibilities {#sec-release-25.05-incompatibilities}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- `kanata` was updated to v1.7.0, which introduces several breaking changes.
See the release notes of
[v1.7.0](https://github.com/jtroo/kanata/releases/tag/v1.7.0)
for more information.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Other Notable Changes {#sec-release-25.05-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Create the first release note entry in this section!
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
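Review bot: the Kimai entry links to `option.html#opt-services.kimai`; the file is `options.html`, and because anchors exist only for concrete options this should point at `#opt-services.kimai.enable` (if the module defines it), matching the other entries in these release notes.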

View file

@ -6,8 +6,11 @@ let
common = import ./common.nix;
inherit (common) outputPath indexPath;
devmode = pkgs.devmode.override {
buildArgs = "../../release.nix -A manualHTML.${builtins.currentSystem}";
open = "/${outputPath}/${indexPath}";
};
in
pkgs.callPackage ../../../pkgs/tools/nix/web-devmode.nix {
buildArgs = "../../release.nix -A manualHTML.${builtins.currentSystem}";
open = "/${outputPath}/${indexPath}";
pkgs.mkShellNoCC {
packages = [ devmode ];
}

View file

@ -57,7 +57,7 @@ rec {
throwUnsupportedGuestSystem = guestMap:
throw "Unsupported guest system ${guestSystem} for host ${hostSystem}, supported: ${lib.concatStringsSep ", " (lib.attrNames guestMap)}";
in
if hostStdenv.isLinux then
if hostStdenv.hostPlatform.isLinux then
linuxHostGuestMatrix.${guestSystem} or "${qemuPkg}/bin/qemu-kvm"
else
let

View file

@ -70,7 +70,7 @@ in
defaultChannel = mkOption {
internal = true;
type = types.str;
default = "https://nixos.org/channels/nixos-unstable";
default = "https://nixos.org/channels/nixos-24.11";
description = "Default NixOS channel to which the root user is subscribed.";
};
};

View file

@ -101,7 +101,7 @@ in
assertions = [
{
assertion = cfg.enable32Bit -> pkgs.stdenv.hostPlatform.isx86_64;
message = "`hardware.graphics.enable32Bit` only makes sense on a 64-bit system.";
message = "`hardware.graphics.enable32Bit` is only supported on an x86_64 system.";
}
{
assertion = cfg.enable32Bit -> (config.boot.kernelPackages.kernel.features.ia32Emulation or false);

View file

@ -218,7 +218,7 @@ in
mkToolModule = { name, package ? pkgs.${name} }: { config, ... }: {
options.system.tools.${name}.enable = lib.mkEnableOption "${name} script" // {
default = config.nix.enable && ! config.system.disableInstallerTools;
internal = true;
defaultText = "config.nix.enable && !config.system.disableInstallerTools";
};
config = lib.mkIf config.system.tools.${name}.enable {

View file

@ -42,6 +42,7 @@ let
VARIANT = optionalString (cfg.variantName != null) cfg.variantName;
VARIANT_ID = optionalString (cfg.variant_id != null) cfg.variant_id;
DEFAULT_HOSTNAME = config.networking.fqdnOrHostName;
SUPPORT_END = "2025-06-30";
};
initrdReleaseContents = (removeAttrs osReleaseContents [ "BUILD_ID" ]) // {
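Review bot: `SUPPORT_END = "2025-06-30";` is a hard-coded date that will silently go stale on the unstable branch once 25.05 opens, and nothing in the file says it must be bumped each release. Add a comment stating that it tracks the 24.11 support window and is part of the release checklist, or derive it from the release version so it cannot be forgotten.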

View file

@ -148,6 +148,7 @@
./programs/alvr.nix
./programs/appgate-sdp.nix
./programs/appimage.nix
./programs/arp-scan.nix
./programs/atop.nix
./programs/ausweisapp.nix
./programs/autojump.nix
@ -295,6 +296,7 @@
./programs/sysdig.nix
./programs/system-config-printer.nix
./programs/systemtap.nix
./programs/tcpdump.nix
./programs/thefuck.nix
./programs/thunar.nix
./programs/thunderbird.nix
@ -362,6 +364,7 @@
./security/polkit.nix
./security/rngd.nix
./security/rtkit.nix
./security/soteria.nix
./security/sudo.nix
./security/sudo-rs.nix
./security/systemd-confinement.nix
@ -588,6 +591,7 @@
./services/hardware/fancontrol.nix
./services/hardware/freefall.nix
./services/hardware/fwupd.nix
./services/hardware/g810-led.nix
./services/hardware/handheld-daemon.nix
./services/hardware/hddfancontrol.nix
./services/hardware/illum.nix
@ -752,6 +756,7 @@
./services/misc/etebase-server.nix
./services/misc/etesync-dav.nix
./services/misc/evdevremapkeys.nix
./services/misc/evremap.nix
./services/misc/felix.nix
./services/misc/flaresolverr.nix
./services/misc/forgejo.nix
@ -887,6 +892,7 @@
./services/monitoring/do-agent.nix
./services/monitoring/fusion-inventory.nix
./services/monitoring/gatus.nix
./services/monitoring/glances.nix
./services/monitoring/goss.nix
./services/monitoring/grafana-agent.nix
./services/monitoring/grafana-image-renderer.nix
@ -1052,6 +1058,7 @@
./services/networking/gdomap.nix
./services/networking/ghostunnel.nix
./services/networking/git-daemon.nix
./services/networking/globalprotect-vpn.nix
./services/networking/gns3-server.nix
./services/networking/gnunet.nix
./services/networking/go-autoconfig.nix
@ -1388,6 +1395,7 @@
./services/wayland/cage.nix
./services/wayland/hypridle.nix
./services/web-apps/akkoma.nix
./services/web-apps/agorakit.nix
./services/web-apps/alps.nix
./services/web-apps/anuko-time-tracker.nix
./services/web-apps/artalk.nix
@ -1408,6 +1416,7 @@
./services/web-apps/crabfit.nix
./services/web-apps/davis.nix
./services/web-apps/cryptpad.nix
./services/web-apps/dashy.nix
./services/web-apps/dependency-track.nix
./services/web-apps/dex.nix
./services/web-apps/discourse.nix
@ -1452,6 +1461,7 @@
./services/web-apps/kasmweb/default.nix
./services/web-apps/kavita.nix
./services/web-apps/keycloak.nix
./services/web-apps/kimai.nix
./services/web-apps/komga.nix
./services/web-apps/lanraragi.nix
./services/web-apps/lemmy.nix
@ -1626,7 +1636,6 @@
./system/boot/loader/external/external.nix
./system/boot/loader/init-script/init-script.nix
./system/boot/loader/loader.nix
./system/boot/loader/raspberrypi/raspberrypi.nix
./system/boot/loader/systemd-boot/systemd-boot.nix
./system/boot/luksroot.nix
./system/boot/stratisroot.nix

View file

@ -0,0 +1,32 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.programs.arp-scan;
in
{
options = {
programs.arp-scan = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to configure a setcap wrapper for arp-scan.
'';
};
};
};
config = lib.mkIf cfg.enable {
security.wrappers.arp-scan = {
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = lib.getExe pkgs.arp-scan;
};
};
}
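Review bot: the wrapper in `security.wrappers.arp-scan` hands `cap_net_raw+p` to every local account, because `group = "root"` is combined with the default wrapper permissions instead of a dedicated group. The tcpdump module added in this same commit gates its wrapper behind a `pcap` group with `permissions = "u+rx,g+x"`; use the same pattern here, or at minimum say in the option description that enabling this makes raw-socket ARP scanning available to all users on the host.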

View file

@ -313,7 +313,9 @@ in
old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
nativeMessagingHosts = lib.unique (
old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages
);
cfg = (old.cfg or { }) // cfg.wrapperConfig;
}))
];

View file

@ -1,10 +1,16 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.programs.iftop;
in {
in
{
options = {
programs.iftop.enable = lib.mkEnableOption "iftop + setcap wrapper";
programs.iftop.enable = lib.mkEnableOption "iftop and setcap wrapper for it";
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.iftop ];
@ -12,7 +18,7 @@ in {
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.iftop}/bin/iftop";
source = lib.getExe pkgs.iftop;
};
};
}

View file

@ -0,0 +1,56 @@
{
config,
pkgs,
lib,
...
}:
let
inherit (lib)
getExe
maintainers
mkEnableOption
mkIf
mkOption
types
;
inherit (types) str;
cfg = config.programs.pay-respects;
initScript =
shell:
if (shell != "fish") then
''
eval $(${getExe pkgs.pay-respects} ${shell} --alias ${cfg.alias})
''
else
''
${getExe pkgs.pay-respects} ${shell} --alias ${cfg.alias} | source
'';
in
{
options = {
programs.pay-respects = {
enable = mkEnableOption "pay-respects, an app which corrects your previous console command";
alias = mkOption {
default = "f";
type = str;
description = ''
`pay-respects` needs an alias to be configured.
The default value is `f`, but you can use anything else as well.
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.pay-respects ];
programs = {
bash.interactiveShellInit = initScript "bash";
fish.interactiveShellInit = mkIf config.programs.fish.enable initScript "fish";
zsh.interactiveShellInit = mkIf config.programs.zsh.enable initScript "zsh";
};
};
meta.maintainers = with maintainers; [ sigmasquadron ];
}
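Review bot: `fish.interactiveShellInit = mkIf config.programs.fish.enable initScript "fish";` does not do what it looks like: function application binds left to right, so `mkIf` receives `initScript` as its content and the resulting attrset is then applied to `"fish"`, which fails at evaluation; the zsh line has the same shape. Write `mkIf config.programs.fish.enable (initScript "fish")` and `mkIf config.programs.zsh.enable (initScript "zsh")`. Separately, `cfg.alias` is a plain `str` interpolated unquoted into `eval $(... --alias ${cfg.alias})`; pass it through `lib.escapeShellArg` so an alias containing shell metacharacters cannot change the generated init script.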

View file

@ -0,0 +1,36 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.programs.tcpdump;
in
{
options = {
programs.tcpdump = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to configure a setcap wrapper for tcpdump.
To use it, add your user to the `pcap` group.
'';
};
};
};
config = lib.mkIf cfg.enable {
security.wrappers.tcpdump = {
owner = "root";
group = "pcap";
capabilities = "cap_net_raw+p";
permissions = "u+rx,g+x";
source = lib.getExe pkgs.tcpdump;
};
users.groups.pcap = { };
};
}
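Review bot: `permissions = "u+rx,g+x"` correctly keeps the wrapper unusable outside the `pcap` group, but the description stops at "add your user to the `pcap` group" and should spell out what that grants: members can capture on every interface of the host, which is read access to all local network traffic, so group membership deserves the same care as sudo access.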

View file

@ -1,8 +1,14 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.programs.traceroute;
in {
in
{
options = {
programs.traceroute = {
enable = lib.mkOption {
@ -20,7 +26,7 @@ in {
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = "${pkgs.traceroute}/bin/traceroute";
source = lib.getExe pkgs.traceroute;
};
};
}

View file

@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.programs.hyprland;
@ -13,29 +18,53 @@ in
A configuration file will be generated in {file}`~/.config/hypr/hyprland.conf`.
See <https://wiki.hyprland.org> for more information'';
package = lib.mkPackageOption pkgs "hyprland" {
extraDescription = ''
If the package is not overridable with `enableXWayland`, then the module option
{option}`xwayland` will have no effect.
'';
} // {
apply = p: wayland-lib.genFinalPackage p {
enableXWayland = cfg.xwayland.enable;
package =
lib.mkPackageOption pkgs "hyprland" {
extraDescription = ''
If the package is not overridable with `enableXWayland`, then the module option
{option}`xwayland` will have no effect.
'';
}
// {
apply =
p:
wayland-lib.genFinalPackage p {
enableXWayland = cfg.xwayland.enable;
};
};
portalPackage =
lib.mkPackageOption pkgs "xdg-desktop-portal-hyprland" {
extraDescription = ''
If the package is not overridable with `hyprland`, then the Hyprland package
used by the portal may differ from the one set in the module option {option}`package`.
'';
}
// {
apply =
p:
wayland-lib.genFinalPackage p {
hyprland = cfg.package;
};
};
xwayland.enable = lib.mkEnableOption "XWayland" // {
default = true;
};
portalPackage = lib.mkPackageOption pkgs "xdg-desktop-portal-hyprland" {
extraDescription = ''
If the package is not overridable with `hyprland`, then the Hyprland package
used by the portal may differ from the one set in the module option {option}`package`.
'';
} // {
apply = p: wayland-lib.genFinalPackage p {
hyprland = cfg.package;
};
};
withUWSM = lib.mkEnableOption null // {
description = ''
Launch Hyprland with the UWSM (Universal Wayland Session Manager) session manager.
This has improved systemd support and is recommended for most users.
This automatically starts appropiate targets like `graphical-session.target`,
and `wayland-session@Hyprland.target`.
xwayland.enable = lib.mkEnableOption "XWayland" // { default = true; };
::: {.note}
Some changes may need to be made to Hyprland configs depending on your setup, see
[Hyprland wiki](https://wiki.hyprland.org/Useful-Utilities/Systemd-start/#uwsm).
:::
'';
};
systemd.setPath.enable = lib.mkEnableOption null // {
default = lib.versionOlder cfg.package.version "0.41.2";
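Review bot: typo in the `withUWSM` description, `appropiate` should read `appropriate`.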
@ -49,46 +78,65 @@ in
};
};
config = lib.mkIf cfg.enable (lib.mkMerge [
{
environment.systemPackages = [ cfg.package ];
config = lib.mkIf cfg.enable (
lib.mkMerge [
{
environment.systemPackages = [ cfg.package ];
# To make a Hyprland session available if a display manager like SDDM is enabled:
services.displayManager.sessionPackages = [ cfg.package ];
xdg.portal = {
enable = true;
extraPortals = [ cfg.portalPackage ];
configPackages = lib.mkDefault [ cfg.package ];
};
xdg.portal = {
enable = true;
extraPortals = [ cfg.portalPackage ];
configPackages = lib.mkDefault [ cfg.package ];
};
systemd = lib.mkIf cfg.systemd.setPath.enable {
user.extraConfig = ''
DefaultEnvironment="PATH=/run/wrappers/bin:/etc/profiles/per-user/%u/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:$PATH"
'';
};
}
systemd = lib.mkIf cfg.systemd.setPath.enable {
user.extraConfig = ''
DefaultEnvironment="PATH=/run/wrappers/bin:/etc/profiles/per-user/%u/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:$PATH"
'';
};
}
(lib.mkIf (cfg.withUWSM) {
programs.uwsm.enable = true;
# Configure UWSM to launch Hyprland from a display manager like SDDM
programs.uwsm.waylandCompositors = {
hyprland = {
prettyName = "Hyprland";
comment = "Hyprland compositor managed by UWSM";
binPath = "/run/current-system/sw/bin/Hyprland";
};
};
})
(lib.mkIf (!cfg.withUWSM) {
# To make a vanilla Hyprland session available in DM
services.displayManager.sessionPackages = [ cfg.package ];
})
(import ./wayland-session.nix {
inherit lib pkgs;
enableXWayland = cfg.xwayland.enable;
enableWlrPortal = lib.mkDefault false; # Hyprland has its own portal, wlr is not needed
})
]);
(import ./wayland-session.nix {
inherit lib pkgs;
enableXWayland = cfg.xwayland.enable;
enableWlrPortal = lib.mkDefault false; # Hyprland has its own portal, wlr is not needed
})
]
);
imports = [
(lib.mkRemovedOptionModule
[ "programs" "hyprland" "xwayland" "hidpi" ]
"XWayland patches are deprecated. Refer to https://wiki.hyprland.org/Configuring/XWayland"
)
(lib.mkRemovedOptionModule
[ "programs" "hyprland" "enableNvidiaPatches" ]
"Nvidia patches are no longer needed"
)
(lib.mkRemovedOptionModule
[ "programs" "hyprland" "nvidiaPatches" ]
"Nvidia patches are no longer needed"
)
(lib.mkRemovedOptionModule [
"programs"
"hyprland"
"xwayland"
"hidpi"
] "XWayland patches are deprecated. Refer to https://wiki.hyprland.org/Configuring/XWayland")
(lib.mkRemovedOptionModule [
"programs"
"hyprland"
"enableNvidiaPatches"
] "Nvidia patches are no longer needed")
(lib.mkRemovedOptionModule [
"programs"
"hyprland"
"nvidiaPatches"
] "Nvidia patches are no longer needed")
];
meta.maintainers = with lib.maintainers; [ fufexan ];
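Review bot: `binPath = "/run/current-system/sw/bin/Hyprland";` in `programs.uwsm.waylandCompositors.hyprland` hardcodes the system profile path instead of deriving it from `cfg.package`, so UWSM launches whatever `Hyprland` lands in `environment.systemPackages` rather than the package the option was configured (or overridden) with; `lib.getExe cfg.package` keeps the session and the configured package consistent.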

View file

@ -64,8 +64,8 @@ in
description = ''
The package which contains the `yabar` binary.
Nixpkgs provides the `yabar` and `yabar-unstable`
derivations since 18.03, so it's possible to choose.
Nixpkgs provides the `yabar` and `yabar-unstable`,
so it's possible to choose.
'';
};

View file

@ -20,6 +20,7 @@ in
(mkAliasOptionModuleMD [ "environment" "checkConfigurationOptions" ] [ "_module" "check" ])
# Completely removed modules
(mkRemovedOptionModule [ "boot" "loader" "raspberryPi" ] "The raspberryPi boot loader has been removed. See https://github.com/NixOS/nixpkgs/pull/241534 for what to use instead.")
(mkRemovedOptionModule [ "environment" "blcr" "enable" ] "The BLCR module has been removed")
(mkRemovedOptionModule [ "environment" "noXlibs" ] ''
The environment.noXlibs option was removed, as it often caused surprising breakages for new users.
@ -80,7 +81,6 @@ in
(mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
(mkRemovedOptionModule [ "services" "fprot" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "frab" ] "The frab module has been removed")
(mkRemovedOptionModule [ "services" "globalprotect"] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "homeassistant-satellite"] "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`.")
(mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
(mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")

View file

@ -87,6 +87,8 @@ let
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
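Review bot: the two added families `"AF_UNIX"` and `"AF_NETLINK"` widen the service's sandbox without a comment on which feature needs each; a one-line note saying what breaks without them lets a later reviewer judge whether the relaxation is still required when the service is updated.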

View file

@ -0,0 +1,50 @@
{
lib,
pkgs,
config,
...
}:
let
cfg = config.security.soteria;
in
{
options.security.soteria = {
enable = lib.mkEnableOption null // {
description = ''
Whether to enable Soteria, a Polkit authentication agent
for any desktop environment.
::: {.note}
You should only enable this if you are on a Desktop Environment that
does not provide a graphical polkit authentication agent, or you are on
a standalone window manager or Wayland compositor.
:::
'';
};
package = lib.mkPackageOption pkgs "soteria" { };
};
config = lib.mkIf cfg.enable {
security.polkit.enable = true;
environment.systemPackages = [ cfg.package ];
systemd.user.services.polkit-soteria = {
description = "Soteria, Polkit authentication agent for any desktop environment";
wantedBy = [ "graphical-session.target" ];
wants = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
script = lib.getExe cfg.package;
serviceConfig = {
Type = "simple";
Restart = "on-failure";
RestartSec = 1;
TimeoutStopSec = 10;
};
};
};
meta.maintainers = with lib.maintainers; [ johnrtitor ];
}

View file

@ -12,6 +12,7 @@ let
mopidyEnv = buildEnv {
name = "mopidy-with-extensions-${mopidy.version}";
ignoreCollisions = true;
paths = closePropagation cfg.extensionPackages;
pathsToLink = [ "/${mopidyPackages.python.sitePackages}" ];
nativeBuildInputs = [ makeWrapper ];
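Review bot: `ignoreCollisions = true;` silences file conflicts between extension packages rather than resolving them, so when two entries of `cfg.extensionPackages` ship the same file under `sitePackages` the winner is whichever comes first, with no warning. Add a comment naming the collision this works around; if it is only the same derivation appearing twice through `closePropagation`, deduplicating the list is the more precise fix.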

View file

@ -334,6 +334,12 @@ in
environment.etc."my.cnf".source = cfg.configFile;
# The mysql_install_db binary will try to adjust the permissions, but fail to do so with a permission
# denied error in some circumstances. Setting the permissions manually with tmpfiles is a workaround.
systemd.tmpfiles.rules = [
"d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group} - -"
];
systemd.services.mysql = {
description = "MySQL Server";
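Review bot: `"d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group} - -"` makes the database directory world-readable and traversable, so any local account can list table files and read anything the server creates with a permissive mode. Unless something specifically requires it, 0750 (or 0700) is the safer mode for a data directory; the comment above should also say which permission problem `mysql_install_db` hits, since that is what justifies overriding it here.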

View file

@ -261,8 +261,9 @@ Technically, we'd not want to have EOL'ed packages in a stable NixOS release, wh
Thus:
- In September/October the new major version will be released and added to nixos-unstable.
- In November the last minor version for the oldest major will be released.
- Both the current stable .05 release and nixos-unstable should be updated to the latest minor.
- In November, before branch-off for the .11 release, the EOL-ed major will be removed from nixos-unstable.
- Both the current stable .05 release and nixos-unstable should be updated to the latest minor that will usually be released in November.
- This is relevant for people who need to use this major for as long as possible. In that case its desirable to be able to pin nixpkgs to a commit that still has it, at the latest minor available.
- In November, before branch-off for the .11 release and after the update to the latest minor, the EOL-ed major will be removed from nixos-unstable.
This leaves a small gap of a couple of weeks after the latest minor release and the end of our support window for the .05 release, in which there could be an emergency release to other major versions of PostgreSQL - but not the oldest major we have in that branch. In that case: If we can't trivially patch the issue, we will mark the package/version as insecure **immediately**.
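Review bot: in the new bullet on pinning, `its desirable` should read `it's desirable`.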
@ -292,7 +293,7 @@ postgresql_15.pkgs.pg_partman postgresql_15.pkgs.pgroonga
To add plugins via NixOS configuration, set `services.postgresql.extraPlugins`:
```nix
{
services.postgresql.package = pkgs.postgresql_12;
services.postgresql.package = pkgs.postgresql_17;
services.postgresql.extraPlugins = ps: with ps; [
pg_repack
postgis
@ -303,7 +304,7 @@ To add plugins via NixOS configuration, set `services.postgresql.extraPlugins`:
You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using function `.withPackages`. For example, creating a custom PostgreSQL package in an overlay can look like:
```nix
self: super: {
postgresql_custom = self.postgresql_12.withPackages (ps: [
postgresql_custom = self.postgresql_17.withPackages (ps: [
ps.pg_repack
ps.postgis
]);

View file

@ -2,6 +2,7 @@
let
inherit (lib)
any
attrValues
concatMapStrings
concatStringsSep
@ -9,6 +10,7 @@ let
elem
escapeShellArgs
filterAttrs
getName
isString
literalExpression
mapAttrs
@ -26,23 +28,24 @@ let
optionalString
types
versionAtLeast
warn
;
cfg = config.services.postgresql;
postgresql =
let
# ensure that
# services.postgresql = {
# enableJIT = true;
# package = pkgs.postgresql_<major>;
# };
# works.
base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT;
in
if cfg.extraPlugins == []
then base
else base.withPackages cfg.extraPlugins;
# ensure that
# services.postgresql = {
# enableJIT = true;
# package = pkgs.postgresql_<major>;
# };
# works.
basePackage = if cfg.enableJIT
then cfg.package.withJIT
else cfg.package.withoutJIT;
postgresql = if cfg.extensions == []
then basePackage
else basePackage.withPackages cfg.extensions;
toStr = value:
if true == value then "yes"
@ -60,6 +63,8 @@ let
groupAccessAvailable = versionAtLeast postgresql.version "11.0";
extensionNames = map getName postgresql.installedExtensions;
extensionInstalled = extension: elem extension extensionNames;
in
{
@ -68,6 +73,7 @@ in
(mkRenamedOptionModule [ "services" "postgresql" "logLinePrefix" ] [ "services" "postgresql" "settings" "log_line_prefix" ])
(mkRenamedOptionModule [ "services" "postgresql" "port" ] [ "services" "postgresql" "settings" "port" ])
(mkRenamedOptionModule [ "services" "postgresql" "extraPlugins" ] [ "services" "postgresql" "extensions" ])
];
###### interface
@ -371,12 +377,12 @@ in
'';
};
extraPlugins = mkOption {
extensions = mkOption {
type = with types; coercedTo (listOf path) (path: _ignorePg: path) (functionTo (listOf path));
default = _: [];
example = literalExpression "ps: with ps; [ postgis pg_repack ]";
description = ''
List of PostgreSQL plugins.
List of PostgreSQL extensions to install.
'';
};
@ -484,10 +490,18 @@ in
services.postgresql.package = let
mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version.";
mkWarn = ver: warn ''
The postgresql package is not pinned and selected automatically by
`system.stateVersion`. Right now this is `pkgs.postgresql_${ver}`, the
oldest postgresql version available and thus the next that will be
removed when EOL on the next stable cycle.
See also https://endoflife.date/postgresql
'';
base = if versionAtLeast config.system.stateVersion "24.11" then pkgs.postgresql_16
else if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
else if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14
else if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13
else if versionAtLeast config.system.stateVersion "21.11" then mkWarn "13" pkgs.postgresql_13
else if versionAtLeast config.system.stateVersion "20.03" then mkThrow "11"
else if versionAtLeast config.system.stateVersion "17.09" then mkThrow "9_6"
else mkThrow "9_5";
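Review bot: the `mkWarn` message tells the user which version they are on and links the EOL calendar, but not how to make the warning go away; since the condition is an unpinned `services.postgresql.package`, add a sentence such as "set `services.postgresql.package` explicitly to silence this warning" so the nudge is actionable.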
@ -630,7 +644,7 @@ in
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off");
MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ]));
NoNewPrivileges = true;
LockPersonality = true;
PrivateDevices = true;
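Review bot: `MemoryDenyWriteExecute` is now disabled whenever `plv8` is among `installedExtensions`, which removes W^X enforcement from the entire postgres process, not only from the JS engine; a comment stating that V8's JIT needs writable and executable mappings would make the rationale visible next to the carve-out. Note also that `extensionInstalled` matches on `getName`, so a renamed or forked plv8 package silently keeps the stricter setting and fails at runtime instead.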
@ -654,10 +668,12 @@ in
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
SystemCallFilter =
[
"@system-service"
"~@privileged @resources"
]
++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
UMask = if groupAccessAvailable then "0027" else "0077";
}
(mkIf (cfg.dataDir != "/var/lib/postgresql") {
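Review bot: `++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ]` re-admits the memory-protection-key syscalls without saying why; V8 can use `pkey_alloc`/`pkey_mprotect` to protect its JIT code pages, and since this and the `MemoryDenyWriteExecute` change above are hardening exceptions for the same extension, one comment explaining both in one place would help whoever next audits this unit.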

View file

@ -1,200 +1,258 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.desktopManager.lomiri;
in {
in
{
options.services.desktopManager.lomiri = {
enable = lib.mkEnableOption ''
the Lomiri graphical shell (formerly known as Unity8)
'';
basics = lib.mkOption {
internal = true;
description = ''
Enable basic things for getting Lomiri working.
'';
type = lib.types.bool;
default = config.services.xserver.displayManager.lightdm.greeters.lomiri.enable || cfg.enable;
};
};
config = lib.mkIf cfg.enable {
environment = {
systemPackages = (with pkgs; [
glib # XDG MIME-related tools identify it as GNOME, add gio for MIME identification to work
libayatana-common
ubports-click
]) ++ (with pkgs.lomiri; [
hfd-service
history-service
libusermetrics
lomiri
lomiri-calculator-app
lomiri-camera-app
lomiri-clock-app
lomiri-content-hub
lomiri-docviewer-app
lomiri-download-manager
lomiri-filemanager-app
lomiri-gallery-app
lomiri-polkit-agent
lomiri-schemas # exposes some required dbus interfaces
lomiri-session # wrappers to properly launch the session
lomiri-sounds
lomiri-system-settings
lomiri-terminal-app
lomiri-thumbnailer
lomiri-url-dispatcher
lomiri-wallpapers
mediascanner2 # TODO possibly needs to be kicked off by graphical-session.target
morph-browser
qtmir # not having its desktop file for Xwayland available causes any X11 application to crash the session
suru-icon-theme
telephony-service
teleports
]);
config = lib.mkMerge [
# Basics for getting Lomiri to work
(lib.mkIf cfg.basics {
environment = {
# To override the default keyboard layout in Lomiri
etc.${pkgs.lomiri.lomiri.passthru.etcLayoutsFile}.text = lib.strings.replaceStrings [ "," ] [
"\n"
] config.services.xserver.xkb.layout;
# To override the default keyboard layout in Lomiri
etc.${pkgs.lomiri.lomiri.passthru.etcLayoutsFile}.text = lib.strings.replaceStrings [","] ["\n"] config.services.xserver.xkb.layout;
};
pathsToLink = [
# Data
"/share/locale" # TODO LUITK hardcoded default locale path, fix individual apps to not rely on it
"/share/wallpapers"
];
hardware = {
bluetooth.enable = lib.mkDefault true;
};
systemPackages = with pkgs.lomiri; [
lomiri-wallpapers # default + additional wallpaper
suru-icon-theme # basic indicator icons
];
};
networking.networkmanager.enable = lib.mkDefault true;
systemd.packages = with pkgs.lomiri; [
hfd-service
lomiri-download-manager
];
services.dbus.packages = with pkgs.lomiri; [
hfd-service
libusermetrics
lomiri-download-manager
];
fonts.packages = with pkgs; [
# Applications tend to default to Ubuntu font
ubuntu-classic
];
# Copy-pasted basic stuff
hardware.graphics.enable = lib.mkDefault true;
fonts.enableDefaultPackages = lib.mkDefault true;
programs.dconf.enable = lib.mkDefault true;
# Xwayland is partly hardcoded in Mir so it can't really be fully turned off, and it must be on PATH for X11 apps *and Lomiri's web browser* to work.
# Until Mir/Lomiri can be properly used without it, force it on so everything behaves as expected.
programs.xwayland.enable = lib.mkForce true;
services.accounts-daemon.enable = true;
services.ayatana-indicators = {
enable = true;
packages = (with pkgs; [
ayatana-indicator-datetime
ayatana-indicator-display
ayatana-indicator-messages
ayatana-indicator-power
ayatana-indicator-session
] ++ lib.optionals config.hardware.bluetooth.enable [
ayatana-indicator-bluetooth
] ++ lib.optionals (config.hardware.pulseaudio.enable || config.services.pipewire.pulse.enable) [
ayatana-indicator-sound
]) ++ (with pkgs.lomiri; [
telephony-service
] ++ lib.optionals config.networking.networkmanager.enable [
lomiri-indicator-network
]);
};
services.udisks2.enable = true;
services.upower.enable = true;
services.geoclue2.enable = true;
services.gnome.evolution-data-server = {
enable = true;
plugins = with pkgs; [
# TODO: lomiri.address-book-service
fonts.packages = with pkgs; [
ubuntu-classic # Ubuntu is default font
];
};
services.telepathy.enable = true;
# Xwayland is partly hardcoded in Mir so it can't really be fully turned off, and it must be on PATH for X11 apps *and Lomiri's web browser* to work.
# Until Mir/Lomiri can be properly used without it, force it on so everything behaves as expected.
programs.xwayland.enable = lib.mkForce true;
services.displayManager = {
defaultSession = lib.mkDefault "lomiri";
sessionPackages = with pkgs.lomiri; [ lomiri-session ];
};
services.ayatana-indicators = {
enable = true;
packages = (
with pkgs;
[
ayatana-indicator-datetime # Clock
ayatana-indicator-session # Controls for shutting down etc
]
);
};
})
services.xserver = {
enable = lib.mkDefault true;
displayManager.lightdm = {
# Full Lomiri DE
(lib.mkIf cfg.enable {
# We need the basic setup as well
services.desktopManager.lomiri.basics = true;
environment = {
systemPackages =
(with pkgs; [
glib # XDG MIME-related tools identify it as GNOME, add gio for MIME identification to work
libayatana-common
ubports-click
])
++ (with pkgs.lomiri; [
hfd-service
libusermetrics
lomiri
lomiri-calculator-app
lomiri-camera-app
lomiri-clock-app
lomiri-content-hub
lomiri-docviewer-app
lomiri-download-manager
lomiri-filemanager-app
lomiri-gallery-app
lomiri-history-service
lomiri-polkit-agent
lomiri-schemas # exposes some required dbus interfaces
lomiri-session # wrappers to properly launch the session
lomiri-sounds
lomiri-system-settings
lomiri-terminal-app
lomiri-thumbnailer
lomiri-url-dispatcher
mediascanner2 # TODO possibly needs to be kicked off by graphical-session.target
morph-browser
qtmir # not having its desktop file for Xwayland available causes any X11 application to crash the session
telephony-service
teleports
]);
};
hardware = {
bluetooth.enable = lib.mkDefault true;
};
networking.networkmanager.enable = lib.mkDefault true;
systemd.packages = with pkgs.lomiri; [
hfd-service
lomiri-download-manager
];
services.dbus.packages = with pkgs.lomiri; [
hfd-service
libusermetrics
lomiri-download-manager
];
# Copy-pasted basic stuff
hardware.graphics.enable = lib.mkDefault true;
fonts.enableDefaultPackages = lib.mkDefault true;
programs.dconf.enable = lib.mkDefault true;
services.accounts-daemon.enable = true;
services.ayatana-indicators = {
enable = true;
packages =
(
with pkgs;
[
ayatana-indicator-display
ayatana-indicator-messages
ayatana-indicator-power
]
++ lib.optionals config.hardware.bluetooth.enable [ ayatana-indicator-bluetooth ]
++ lib.optionals (config.hardware.pulseaudio.enable || config.services.pipewire.pulse.enable) [
ayatana-indicator-sound
]
)
++ (
with pkgs.lomiri;
[ telephony-service ]
++ lib.optionals config.networking.networkmanager.enable [ lomiri-indicator-network ]
);
};
services.udisks2.enable = true;
services.upower.enable = true;
services.geoclue2.enable = true;
services.gnome.evolution-data-server = {
enable = true;
plugins = with pkgs; [
# TODO: lomiri.address-book-service
];
};
services.telepathy.enable = true;
services.displayManager = {
defaultSession = lib.mkDefault "lomiri";
sessionPackages = with pkgs.lomiri; [ lomiri-session ];
};
services.xserver = {
enable = lib.mkDefault true;
greeters.lomiri.enable = lib.mkDefault true;
};
};
environment.pathsToLink = [
# Configs for inter-app data exchange system
"/share/lomiri-content-hub/peers"
# Configs for inter-app URL requests
"/share/lomiri-url-dispatcher/urls"
# Splash screens & other images for desktop apps launched via lomiri-app-launch
"/share/lomiri-app-launch"
# TODO Try to get maliit stuff working
"/share/maliit/plugins"
# At least the network indicator is still under the unity name, due to leftover Unity-isms
"/share/unity"
# Data
"/share/locale" # TODO LUITK hardcoded default locale path, fix individual apps to not rely on it
"/share/sounds"
"/share/wallpapers"
];
systemd.user.services = {
# Unconditionally run service that collects system-installed URL handlers before LUD
# TODO also run user-installed one?
"lomiri-url-dispatcher-update-system-dir" = {
description = "Lomiri URL dispatcher system directory updater";
wantedBy = [ "lomiri-url-dispatcher.service" ];
before = [ "lomiri-url-dispatcher.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.lomiri.lomiri-url-dispatcher}/libexec/lomiri-url-dispatcher/lomiri-update-directory /run/current-system/sw/share/lomiri-url-dispatcher/urls/";
displayManager.lightdm = {
enable = lib.mkDefault true;
greeters.lomiri.enable = lib.mkDefault true;
};
};
"lomiri-polkit-agent" = rec {
description = "Lomiri Polkit agent";
wantedBy = [ "lomiri.service" "lomiri-full-greeter.service" "lomiri-full-shell.service" "lomiri-greeter.service" "lomiri-shell.service" ];
after = [ "graphical-session.target" ];
partOf = wantedBy;
serviceConfig = {
Type = "simple";
Restart = "always";
ExecStart = "${pkgs.lomiri.lomiri-polkit-agent}/libexec/lomiri-polkit-agent/policykit-agent";
environment.pathsToLink = [
# Configs for inter-app data exchange system
"/share/lomiri-content-hub/peers"
# Configs for inter-app URL requests
"/share/lomiri-url-dispatcher/urls"
# Splash screens & other images for desktop apps launched via lomiri-app-launch
"/share/lomiri-app-launch"
# TODO Try to get maliit stuff working
"/share/maliit/plugins"
# At least the network indicator is still under the unity name, due to leftover Unity-isms
"/share/unity"
# Data
"/share/sounds"
];
systemd.user.services = {
# Unconditionally run service that collects system-installed URL handlers before LUD
# TODO also run user-installed one?
"lomiri-url-dispatcher-update-system-dir" = {
description = "Lomiri URL dispatcher system directory updater";
wantedBy = [ "lomiri-url-dispatcher.service" ];
before = [ "lomiri-url-dispatcher.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.lomiri.lomiri-url-dispatcher}/libexec/lomiri-url-dispatcher/lomiri-update-directory /run/current-system/sw/share/lomiri-url-dispatcher/urls/";
};
};
"lomiri-polkit-agent" = rec {
description = "Lomiri Polkit agent";
wantedBy = [
"lomiri.service"
"lomiri-full-greeter.service"
"lomiri-full-shell.service"
"lomiri-greeter.service"
"lomiri-shell.service"
];
after = [ "graphical-session.target" ];
partOf = wantedBy;
serviceConfig = {
Type = "simple";
Restart = "always";
ExecStart = "${pkgs.lomiri.lomiri-polkit-agent}/libexec/lomiri-polkit-agent/policykit-agent";
};
};
};
};
systemd.services = {
"dbus-com.lomiri.UserMetrics" = {
serviceConfig = {
Type = "dbus";
BusName = "com.lomiri.UserMetrics";
User = "usermetrics";
StandardOutput = "syslog";
SyslogIdentifier = "com.lomiri.UserMetrics";
ExecStart = "${pkgs.lomiri.libusermetrics}/libexec/libusermetrics/usermetricsservice";
} // lib.optionalAttrs (!config.security.apparmor.enable) {
# Due to https://gitlab.com/ubports/development/core/libusermetrics/-/issues/8, auth must be disabled when not using AppArmor, lest the next database usage breaks
Environment = "USERMETRICS_NO_AUTH=1";
systemd.services = {
"dbus-com.lomiri.UserMetrics" = {
serviceConfig =
{
Type = "dbus";
BusName = "com.lomiri.UserMetrics";
User = "usermetrics";
StandardOutput = "syslog";
SyslogIdentifier = "com.lomiri.UserMetrics";
ExecStart = "${pkgs.lomiri.libusermetrics}/libexec/libusermetrics/usermetricsservice";
}
// lib.optionalAttrs (!config.security.apparmor.enable) {
# Due to https://gitlab.com/ubports/development/core/libusermetrics/-/issues/8, auth must be disabled when not using AppArmor, lest the next database usage breaks
Environment = "USERMETRICS_NO_AUTH=1";
};
};
};
};
users.users.usermetrics = {
group = "usermetrics";
home = "/var/lib/usermetrics";
createHome = true;
isSystemUser = true;
};
users.users.usermetrics = {
group = "usermetrics";
home = "/var/lib/usermetrics";
createHome = true;
isSystemUser = true;
};
users.groups.usermetrics = { };
};
users.groups.usermetrics = { };
})
];
meta.maintainers = lib.teams.lomiri.members;
}
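Review bot: `StandardOutput = "syslog";` in `dbus-com.lomiri.UserMetrics` is deprecated by systemd and already treated as `journal`, so it can be dropped (`SyslogIdentifier` stays useful). The `Environment = "USERMETRICS_NO_AUTH=1";` branch deserves a clearer comment as well: the linked issue explains the breakage, but the line should say outright that it disables authentication on the UserMetrics D-Bus service when AppArmor is off, so the trade-off is visible to anyone reading the module.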

View file

@ -73,6 +73,7 @@ in {
kguiaddons # provides geo URL handlers
kiconthemes # provides Qt plugins
kimageformats # provides Qt plugins
qtimageformats # provides optional image formats such as .webp and .avif
kio # provides helper service + a bunch of other stuff
kio-admin # managing files as admin
kio-extras # stuff for MTP, AFC, etc

View file

@ -5,9 +5,6 @@
with lib;
let
# the demo agent isn't built by default, but we need it here
package = pkgs.geoclue2.override { withDemoAgent = config.services.geoclue2.enableDemoAgent; };
cfg = config.services.geoclue2;
defaultWhitelist = [ "gnome-shell" "io.elementary.desktop.agent-geoclue2" ];
@ -132,6 +129,17 @@ in
'';
};
package = mkOption {
type = types.package;
default = pkgs.geoclue2;
defaultText = literalExpression "pkgs.geoclue2";
apply = pkg: pkg.override {
# the demo agent isn't built by default, but we need it here
withDemoAgent = cfg.enableDemoAgent;
};
description = "The geoclue2 package to use";
};
submitData = mkOption {
type = types.bool;
default = false;
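Review bot: the `apply = pkg: pkg.override { withDemoAgent = cfg.enableDemoAgent; };` on the new `package` option means any user-supplied package must accept a `withDemoAgent` argument, otherwise `override` throws with a message that does not mention this option; either state that requirement in the description or only override when `lib.functionArgs pkg.override` contains `withDemoAgent`.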
@ -180,11 +188,11 @@ in
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ package ];
environment.systemPackages = [ cfg.package ];
services.dbus.packages = [ package ];
services.dbus.packages = [ cfg.package ];
systemd.packages = [ package ];
systemd.packages = [ cfg.package ];
# we cannot use DynamicUser as we need the the geoclue user to exist for the
# dbus policy to work
@ -223,7 +231,7 @@ in
unitConfig.ConditionUser = "!@system";
serviceConfig = {
Type = "exec";
ExecStart = "${package}/libexec/geoclue-2.0/demos/agent";
ExecStart = "${cfg.package}/libexec/geoclue-2.0/demos/agent";
Restart = "on-failure";
PrivateTmp = true;
};

View file

@ -37,7 +37,7 @@ If you want to prevent Athens from writing to disk, you can instead configure it
}
```
To use the local proxy in Go builds, you can set the proxy as environment variable:
To use the local proxy in Go builds (outside of `nix`), you can set the proxy as environment variable:
```nix
{
@ -47,6 +47,21 @@ To use the local proxy in Go builds, you can set the proxy as environment variab
}
```
It is currently not possible to use the local proxy for builds done by the Nix daemon. This might be enabled
by experimental features, specifically [`configurable-impure-env`](https://nixos.org/manual/nix/unstable/contributing/experimental-features#xp-feature-configurable-impure-env),
in upcoming Nix versions.
To also use the local proxy for Go builds happening in `nix` (with `buildGoModule`), the nix daemon can be configured to pass the GOPROXY environment variable to the `goModules` fixed-output derivation.
This can either be done via the nix-daemon systemd unit:
```nix
{
systemd.services.nix-daemon.environment.GOPROXY = "http://localhost:3000";
}
```
or via the [impure-env experimental feature](https://nix.dev/manual/nix/2.24/command-ref/conf-file#conf-impure-env):
```nix
{
nix.settings.experimental-features = [ "configurable-impure-env" ];
nix.settings.impure-env = "GOPROXY=http://localhost:3000";
}
```
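Review bot: the `systemd.services.nix-daemon.environment.GOPROXY` and `nix.settings.impure-env` snippets route every `goModules` fixed-output derivation the daemon builds through an unauthenticated `http://localhost:3000` endpoint, and the text should say what still protects integrity: the fixed-output hash (`vendorHash`) check, which rejects tampered or substituted module contents whatever the proxy serves. One sentence to that effect, plus a note that `configurable-impure-env` is an experimental feature and that the daemon-wide `GOPROXY` applies to every build on the host rather than only the Athens user's, would make the trade-off clear to readers who copy the snippet.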

View file

@ -0,0 +1,45 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.g810-led;
in
{
options = {
services.g810-led = {
enable = lib.mkEnableOption "g810-led, a Linux LED controller for some Logitech G Keyboards";
package = lib.mkPackageOption pkgs "g810-led" { };
profile = lib.mkOption {
type = lib.types.nullOr lib.types.lines;
default = null;
example = ''
# G810-LED Profile (turn all keys on)
# Set all keys on
a ffffff
# Commit changes
c
'';
description = ''
Keyboard profile to apply at boot time.
The upstream repository provides [example configurations](https://github.com/MatMoul/g810-led/tree/master/sample_profiles).
'';
};
};
};
config = lib.mkIf cfg.enable {
environment.etc."g810-led/profile".text = lib.mkIf (cfg.profile != null) cfg.profile;
services.udev.packages = [ cfg.package ];
};
meta.maintainers = with lib.maintainers; [ GaetanLepage ];
}
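Review bot: `environment.etc."g810-led/profile".text = lib.mkIf (cfg.profile != null) cfg.profile;` puts the `mkIf` on the `text` value instead of on the entry, so with the default `profile = null` the `g810-led/profile` entry is still declared but ends up with neither `text` nor `source`, which should fail evaluation of `environment.etc` for anyone who enables the service without a profile. Move the condition up one level: `environment.etc."g810-led/profile" = lib.mkIf (cfg.profile != null) { text = cfg.profile; };`. It would also help to name the resulting path (`/etc/g810-led/profile`) in the `profile` description, since that is what the package's udev rules installed via `services.udev.packages` will look for.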

View file

@ -11,6 +11,11 @@ in
enable = mkEnableOption "Handheld Daemon";
package = mkPackageOption pkgs "handheld-daemon" { };
ui = {
enable = mkEnableOption "Handheld Daemon UI";
package = mkPackageOption pkgs "handheld-daemon-ui" { };
};
user = mkOption {
type = types.str;
description = ''
@ -20,7 +25,10 @@ in
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
services.handheld-daemon.ui.enable = mkDefault true;
environment.systemPackages = [
cfg.package
] ++ lib.optional cfg.ui.enable cfg.ui.package;
services.udev.packages = [ cfg.package ];
systemd.packages = [ cfg.package ];
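Review bot: `services.handheld-daemon.ui.enable = mkDefault true;` turns the new UI on for every existing user of the daemon on their next upgrade, which is a behaviour change rather than a purely additive option; say so in the `ui.enable` description and a release note, or default it to `false` so the extra package is only installed on request. The `environment.systemPackages = [ cfg.package ] ++ lib.optional cfg.ui.enable cfg.ui.package;` rewrite itself is fine.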
@ -31,6 +39,11 @@ in
restartIfChanged = true;
path = mkIf cfg.ui.enable [
cfg.ui.package
pkgs.lsof
];
serviceConfig = {
ExecStart = "${ lib.getExe cfg.package } --user ${ cfg.user }";
Nice = "-12";
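Review bot: the `path = mkIf cfg.ui.enable [ cfg.ui.package pkgs.lsof ];` addition is fine, but the adjacent `ExecStart = "${ lib.getExe cfg.package } --user ${ cfg.user }";` interpolates `cfg.user`, a free-form `types.str`, into the unit command line unescaped; while this unit is being touched, pass it through `utils.escapeSystemdExecArgs` (or `lib.escapeShellArg`) so a user name containing spaces or quotes cannot change the argument list.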

View file

@ -18,6 +18,8 @@ in
enable = lib.mkEnableOption "udisks2, a DBus service that allows applications to query and manipulate storage devices";
package = lib.mkPackageOption pkgs "udisks2" {};
mountOnMedia = lib.mkOption {
type = lib.types.bool;
default = false;
@ -67,11 +69,11 @@ in
config = lib.mkIf config.services.udisks2.enable {
environment.systemPackages = [ pkgs.udisks2 ];
environment.systemPackages = [ cfg.package ];
environment.etc = (lib.mapAttrs' (name: value: lib.nameValuePair "udisks2/${name}" { source = value; } ) configFiles) // (
let
libblockdev = pkgs.udisks2.libblockdev;
libblockdev = cfg.package.libblockdev;
majorVer = lib.versions.major libblockdev.version;
in {
# We need to make sure /etc/libblockdev/@major_ver@/conf.d is populated to avoid
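Review bot: `libblockdev = cfg.package.libblockdev;` assumes the user-supplied `services.udisks2.package` exposes a `libblockdev` attribute the way the nixpkgs `udisks2` derivation does; a differently built package or a plain override without that passthru fails here with an attribute-missing error. Either document the requirement on the new `package` option or fall back, e.g. `cfg.package.libblockdev or pkgs.udisks2.libblockdev`, since `majorVer` is what selects the `/etc/libblockdev/<major>/conf.d` directory populated below.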
@ -82,18 +84,18 @@ in
security.polkit.enable = true;
services.dbus.packages = [ pkgs.udisks2 ];
services.dbus.packages = [ cfg.package ];
systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ]
++ lib.optional cfg.mountOnMedia "D! /media 0755 root root -";
services.udev.packages = [ pkgs.udisks2 ];
services.udev.packages = [ cfg.package ];
services.udev.extraRules = lib.optionalString cfg.mountOnMedia ''
ENV{ID_FS_USAGE}=="filesystem", ENV{UDISKS_FILESYSTEM_SHARED}="1"
'';
systemd.packages = [ pkgs.udisks2 ];
systemd.packages = [ cfg.package ];
};
}

View file

@ -142,18 +142,10 @@ in
CapabilityBoundingSet = "";
DeviceAllow = if builtins.elem options.device [ "cuda" "auto" ] then [
# https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf
# CUDA not working? Check DeviceAllow and PrivateDevices first!
"/dev/nvidia0"
"/dev/nvidia1"
"/dev/nvidia2"
"/dev/nvidia3"
"/dev/nvidia4"
"/dev/nvidia-caps/nvidia-cap1"
"/dev/nvidia-caps/nvidia-cap2"
"/dev/nvidiactl"
"/dev/nvidia-modeset"
"/dev/nvidia-uvm"
"/dev/nvidia-uvm-tools"
"char-nvidia-uvm"
"char-nvidia-frontend"
"char-nvidia-caps"
"char-nvidiactl"
] else "";
DevicePolicy = "closed";
LockPersonality = true;
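Review bot: replacing the enumerated `/dev/nvidia0`..`/dev/nvidia4`, `/dev/nvidiactl`, `/dev/nvidia-uvm*` and `/dev/nvidia-caps/*` nodes with the `char-nvidia-uvm`, `char-nvidia-frontend`, `char-nvidia-caps` and `char-nvidiactl` device-class entries removes the hard cap at five GPUs, but it is also a widening: every character device in those classes is now allowed rather than a fixed set of nodes. That is acceptable under `DevicePolicy = "closed"` and deserves one line in the commit message. Keep the `# CUDA not working? Check DeviceAllow and PrivateDevices first!` hint next to the list, since it is the first thing to check when the unit loses GPU access.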

View file

@ -76,9 +76,7 @@ in
# Hardening
CapabilityBoundingSet = "";
DeviceAllow = [
config.services.zigbee2mqtt.settings.serial.port
];
DeviceAllow = lib.optionals (lib.hasPrefix "/" cfg.settings.serial.port) [ cfg.settings.serial.port ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = false;
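Review bot: `DeviceAllow = lib.optionals (lib.hasPrefix "/" cfg.settings.serial.port) [ cfg.settings.serial.port ];` correctly stops a network adapter address (zigbee2mqtt accepts `tcp://...` there) from being written into `DeviceAllow=`, where systemd would reject it, while keeping the grant for a real node under `/dev`; `DevicePolicy = "closed"` still applies in the network case, which is the right default. Add a sentence to the `serial.port` description saying that only absolute device paths receive a `DeviceAllow` entry, so the behaviour is discoverable without reading the unit.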

View file

@ -27,7 +27,7 @@ in
config = lib.mkIf cfg.enable {
# for cli usage
environment.systemPackages = [ pkgs.vector ];
environment.systemPackages = [ cfg.package ];
systemd.services.vector = {
description = "Vector event and log aggregator";
@ -40,7 +40,7 @@ in
conf = format.generate "vector.toml" cfg.settings;
validateConfig = file:
pkgs.runCommand "validate-vector-conf" {
nativeBuildInputs = [ pkgs.vector ];
nativeBuildInputs = [ cfg.package ];
} ''
vector validate --no-environment "${file}"
ln -s "${file}" "$out"

View file

@ -18,7 +18,7 @@ in
type = lib.types.listOf lib.types.path;
default = [ ];
example = lib.literalExpression "with pkgs; [ pass gnome-keyring ]";
description = "List of derivations to put in protonmail-bride's path.";
description = "List of derivations to put in protonmail-bridge's path.";
};
logLevel = lib.mkOption {

View file

@ -7,7 +7,7 @@ let
stateDir = "/var/lib/public-inbox";
gitIni = pkgs.formats.gitIni { listsAsDuplicateKeys = true; };
iniAtom = elemAt gitIni.type/*attrsOf*/.functor.wrapped/*attrsOf*/.functor.wrapped/*either*/.functor.wrapped 0;
iniAtom = gitIni.lib.types.atom;
useSpamAssassin = cfg.settings.publicinboxmda.spamcheck == "spamc" ||
cfg.settings.publicinboxwatch.spamcheck == "spamc";

View file

@ -0,0 +1,125 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.duckdns;
duckdns = pkgs.writeShellScriptBin "duckdns" ''
DRESPONSE=$(curl -sS --max-time 60 --no-progress-meter -k -K- <<< "url = \"https://www.duckdns.org/update?verbose=true&domains=$DUCKDNS_DOMAINS&token=$DUCKDNS_TOKEN&ip=\"")
IPV4=$(echo "$DRESPONSE" | awk 'NR==2')
IPV6=$(echo "$DRESPONSE" | awk 'NR==3')
RESPONSE=$(echo "$DRESPONSE" | awk 'NR==1')
IPCHANGE=$(echo "$DRESPONSE" | awk 'NR==4')
if [[ "$RESPONSE" = "OK" ]] && [[ "$IPCHANGE" = "UPDATED" ]]; then
if [[ "$IPV4" != "" ]] && [[ "$IPV6" == "" ]]; then
echo "Your IP was updated at $(date) to IPv4: $IPV4"
elif [[ "$IPV4" == "" ]] && [[ "$IPV6" != "" ]]; then
echo "Your IP was updated at $(date) to IPv6: $IPV6"
else
echo "Your IP was updated at $(date) to IPv4: $IPV4 & IPv6 to: $IPV6"
fi
elif [[ "$RESPONSE" = "OK" ]] && [[ "$IPCHANGE" = "NOCHANGE" ]]; then
echo "DuckDNS request at $(date) successful. IP(s) unchanged."
else
echo -e "Something went wrong, please check your settings\nThe response returned was:\n$DRESPONSE\n"
exit 1
fi
'';
in
{
options.services.duckdns = {
enable = lib.mkEnableOption "DuckDNS Dynamic DNS Client";
tokenFile = lib.mkOption {
default = null;
type = lib.types.path;
description = ''
The path to a file containing the token
used to authenticate with DuckDNS.
'';
};
domains = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.listOf lib.types.str);
example = [ "examplehost" ];
description = ''
The domain(s) to update in DuckDNS
(without the .duckdns.org suffix)
'';
};
domainsFile = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.path;
example = lib.literalExpression ''
pkgs.writeText "duckdns-domains.txt" '''
examplehost
examplehost2
examplehost3
'''
'';
description = ''
The path to a file containing a
newline-separated list of DuckDNS
domain(s) to be updated
(without the .duckdns.org suffix)
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.domains != null || cfg.domainsFile != null;
message = "Either services.duckdns.domains or services.duckdns.domainsFile has to be defined";
}
{
assertion = !(cfg.domains != null && cfg.domainsFile != null);
message = "services.duckdns.domains and services.duckdns.domainsFile can't both be defined at the same time";
}
{
assertion = (cfg.tokenFile != null);
message = "services.duckdns.tokenFile has to be defined";
}
];
environment.systemPackages = [ duckdns ];
systemd.services.duckdns = {
description = "DuckDNS Dynamic DNS Client";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
startAt = "*:0/5";
path = [
pkgs.gnused
pkgs.systemd
pkgs.curl
pkgs.gawk
duckdns
];
serviceConfig = {
Type = "simple";
LoadCredential = [
"DUCKDNS_TOKEN_FILE:${cfg.tokenFile}"
] ++ lib.optionals (cfg.domainsFile != null) [ "DUCKDNS_DOMAINS_FILE:${cfg.domainsFile}" ];
DynamicUser = true;
};
script = ''
export DUCKDNS_TOKEN=$(systemd-creds cat DUCKDNS_TOKEN_FILE)
${lib.optionalString (cfg.domains != null) ''
export DUCKDNS_DOMAINS='${lib.strings.concatStringsSep "," cfg.domains}'
''}
${lib.optionalString (cfg.domainsFile != null) ''
export DUCKDNS_DOMAINS=$(systemd-creds cat DUCKDNS_DOMAINS_FILE | sed -z 's/\n/,/g')
''}
exec ${lib.getExe duckdns}
'';
};
};
meta.maintainers = with lib.maintainers; [ notthebee ];
}
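Review bot: the `curl ... -k -K-` call in the `duckdns` script disables TLS certificate verification for the request that carries `$DUCKDNS_TOKEN` to `https://www.duckdns.org/update`, so the one secret this module manages is sent to an unverified peer; drop `-k`, and if a CA issue motivated it, point curl at the system bundle with `--cacert` instead. Feeding the URL through `-K-` on stdin rather than argv is the right way to keep the token out of `ps`, and `LoadCredential` with `DynamicUser = true` is the right way to deliver it; keep both. Smaller points: `tokenFile` has `type = lib.types.path` with `default = null`, so an unset option fails the type check before the friendlier `services.duckdns.tokenFile has to be defined` assertion is reached (use `nullOr path`); the description should warn that a store path such as `pkgs.writeText` would copy the token into the world-readable Nix store; and `sed -z 's/\n/,/g'` leaves a trailing comma on `DUCKDNS_DOMAINS`, which `sed -z 's/\n/,/g; s/,$//'` avoids.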

View file

@ -0,0 +1,167 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.evremap;
format = pkgs.formats.toml { };
key = lib.types.strMatching "KEY_[[:upper:]]+" // {
description = "key ID prefixed with KEY_";
};
mkKeyOption =
description:
lib.mkOption {
type = key;
description = ''
${description}
You can get a list of keys by running `evremap list-keys`.
'';
};
mkKeySeqOption =
description:
(mkKeyOption description)
// {
type = lib.types.listOf key;
};
dualRoleModule = lib.types.submodule {
options = {
input = mkKeyOption "The key that should be remapped.";
hold = mkKeySeqOption "The key sequence that should be output when the input key is held.";
tap = mkKeySeqOption "The key sequence that should be output when the input key is tapped.";
};
};
remapModule = lib.types.submodule {
options = {
input = mkKeySeqOption "The key sequence that should be remapped.";
output = mkKeySeqOption "The key sequence that should be output when the input sequence is entered.";
};
};
in
{
options.services.evremap = {
enable = lib.mkEnableOption "evremap, a keyboard input remapper for Linux/Wayland systems";
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
device_name = lib.mkOption {
type = lib.types.str;
example = "AT Translated Set 2 keyboard";
description = ''
The name of the device that should be remapped.
You can get a list of devices by running `evremap list-devices` with elevated permissions.
'';
};
dual_role = lib.mkOption {
type = lib.types.listOf dualRoleModule;
default = [ ];
example = [
{
input = "KEY_CAPSLOCK";
hold = [ "KEY_LEFTCTRL" ];
tap = [ "KEY_ESC" ];
}
];
description = ''
List of dual-role remappings that output different key sequences based on whether the
input key is held or tapped.
'';
};
remap = lib.mkOption {
type = lib.types.listOf remapModule;
default = [ ];
example = [
{
input = [
"KEY_LEFTALT"
"KEY_UP"
];
output = [ "KEY_PAGEUP" ];
}
];
description = ''
List of remappings.
'';
};
};
};
description = ''
Settings for evremap.
See the [upstream documentation](https://github.com/wez/evremap/blob/master/README.md#configuration)
for how to configure evremap.
'';
default = { };
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.evremap ];
hardware.uinput.enable = true;
systemd.services.evremap = {
description = "evremap - keyboard input remapper";
wantedBy = [ "multi-user.target" ];
script = "${lib.getExe pkgs.evremap} remap ${format.generate "evremap.toml" cfg.settings}";
serviceConfig = {
DynamicUser = true;
User = "evremap";
SupplementaryGroups = [
config.users.groups.input.name
config.users.groups.uinput.name
];
Restart = "on-failure";
RestartSec = 5;
TimeoutSec = 20;
# Hardening
ProtectClock = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectHome = true;
ProcSubset = "pid";
PrivateTmp = true;
PrivateNetwork = true;
PrivateUsers = true;
RestrictRealtime = true;
RestrictNamespaces = true;
RestrictAddressFamilies = "none";
MemoryDenyWriteExecute = true;
LockPersonality = true;
IPAddressDeny = "any";
AmbientCapabilities = "";
CapabilityBoundingSet = "";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@resources"
"~@privileged"
];
UMask = "0027";
};
};
};
}
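Review bot: `key = lib.types.strMatching "KEY_[[:upper:]]+"` rejects every evdev key name containing a digit (`KEY_F1`, `KEY_1`, `KEY_KP1`, `KEY_F12`), so the `dual_role`/`remap` examples type-check while common function-key mappings fail; `strMatching "KEY_[[:upper:][:digit:]_]+"` covers the names `evremap list-keys` prints. On the unit: `SupplementaryGroups` with `input` and `uinput` necessarily gives the service read access to every input device on the host (it is a keyboard remapper), and the hardening around it (`PrivateNetwork`, `IPAddressDeny = "any"`, empty `CapabilityBoundingSet`, `@system-service` minus `@privileged`/`@resources`) is the right shape for a process with that access; one line in the `enable` description stating that the daemon sees all keystrokes would make the trade-off explicit. Also `settings` defaults to `{ }` while `device_name` has no default, so `enable = true` alone fails with a generic undefined-option error; an assertion naming `device_name` would help.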

View file

@ -0,0 +1,20 @@
# Glances {#module-serives-glances}
Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS
and Windows operating systems.
Visit [the Glances project page](https://github.com/nicolargo/glances) to learn
more about it.
# Quickstart {#module-serives-glances-quickstart}
Use the following configuration to start a public instance of Glances locally:
```nix
{
services.glances = {
enable = true;
openFirewall = true;
};
};
```
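Review bot: the heading anchors `{#module-serives-glances}` and `{#module-serives-glances-quickstart}` misspell "services", and the first sentence is missing its verb ("Glances is an eye on your system"). More importantly the quickstart calls the result a "public instance" without saying what that means: with `openFirewall = true` the web server mode is reachable by anyone who can reach the port, exposing process lists, connections and disk details. Add a sentence saying so and point at the glances command-line documentation (https://glances.readthedocs.io/en/latest/cmds.html, already linked from the module) for the authentication and bind options to use beyond a trusted network.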

View file

@ -0,0 +1,110 @@
{
pkgs,
config,
lib,
utils,
...
}:
let
cfg = config.services.glances;
inherit (lib)
getExe
maintainers
mkEnableOption
mkOption
mkIf
mkPackageOption
;
inherit (lib.types)
bool
listOf
port
str
;
inherit (utils)
escapeSystemdExecArgs
;
in
{
options.services.glances = {
enable = mkEnableOption "Glances";
package = mkPackageOption pkgs "glances" { };
port = mkOption {
description = "Port the server will isten on.";
type = port;
default = 61208;
};
openFirewall = mkOption {
description = "Open port in the firewall for glances.";
type = bool;
default = false;
};
extraArgs = mkOption {
type = listOf str;
default = [ "--webserver" ];
example = [
"--webserver"
"--disable-webui"
];
description = ''
Extra command-line arguments to pass to glances.
See https://glances.readthedocs.io/en/latest/cmds.html for all available options.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
systemd.services."glances" = {
description = "Glances";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
DynamicUser = true;
ExecStart = "${getExe cfg.package} --port ${toString cfg.port} ${escapeSystemdExecArgs cfg.extraArgs}";
Restart = "on-failure";
NoNewPrivileges = true;
ProtectSystem = "full";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
MemoryDenyWriteExecute = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
LockPersonality = true;
RestrictRealtime = true;
ProtectClock = true;
ReadWritePaths = [ "/var/log" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
SystemCallFilter = [ "@system-service" ];
};
};
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
};
meta.maintainers = with maintainers; [ claha ];
}
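Review bot: `description = "Port the server will isten on."` has a typo (listen). On the unit: the default `extraArgs = [ "--webserver" ]` starts the web interface and nothing in the module binds it to localhost or sets credentials, so `openFirewall = true` exposes an unauthenticated system view to the network; document that on `openFirewall`, or have the default bind to `127.0.0.1` and let users widen it. `ReadWritePaths = [ "/var/log" ]` with `DynamicUser = true` grants write access to the whole log tree where `LogsDirectory = "glances"` would confine it, and with writable locations named explicitly `ProtectSystem = "full"` could become `"strict"`. `CapabilityBoundingSet`/`AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]` is unnecessary for the default port 61208 and can be dropped unless privileged ports are expected.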

View file

@ -255,6 +255,7 @@ in
Grafana settings. See <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/>
for available options. INI format is used.
'';
default = { };
type = types.submodule {
freeformType = settingsFormatIni.type;

View file

@ -13,6 +13,11 @@ in
package = lib.mkPackageOption pkgs "clatd" { };
enableNetworkManagerIntegration = lib.mkEnableOption "NetworkManager integration" // {
default = config.networking.networkmanager.enable;
defaultText = "config.networking.networkmanager.enable";
};
settings = lib.mkOption {
type = lib.types.submodule ({ name, ... }: {
freeformType = settingsFormat.type;
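Review bot: `defaultText = "config.networking.networkmanager.enable";` should be `lib.literalExpression "config.networking.networkmanager.enable"` so the manual renders the computed default as code rather than a quoted string, matching how other modules document defaults derived from other options.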
@ -75,5 +80,17 @@ in
];
};
};
networking.networkmanager.dispatcherScripts = cfg.enableNetworkManagerIntegration [
{
type = "basic";
# https://github.com/toreanderson/clatd/blob/master/scripts/clatd.networkmanager
source = pkgs.writeShellScript "restart-clatd" ''
[ "$DEVICE_IFACE" = "clat" ] && exit 0
[ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
${pkgs.systemd}/bin/systemctl restart clatd.service
'';
}
];
};
}
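Review bot: `networking.networkmanager.dispatcherScripts = cfg.enableNetworkManagerIntegration [ ... ];` applies a boolean as a function, which fails evaluation ("attempt to call something which is not a function") as soon as the option is evaluated; it needs `lib.mkIf cfg.enableNetworkManagerIntegration [ ... ]` (or `lib.optionals ...`). The script body is sound: the `[ "$DEVICE_IFACE" = "clat" ] && exit 0` guard prevents the restart loop on the clat interface itself, the `$2` up/down check limits it to link events, and calling `${pkgs.systemd}/bin/systemctl` by store path rather than relying on `PATH` is the right choice for a root-run dispatcher hook.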

View file

@ -0,0 +1,62 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.globalprotect;
execStart =
if cfg.csdWrapper == null then
"${pkgs.globalprotect-openconnect}/bin/gpservice"
else
"${pkgs.globalprotect-openconnect}/bin/gpservice --csd-wrapper=${cfg.csdWrapper}";
in
{
options.services.globalprotect = {
enable = lib.mkEnableOption "globalprotect";
settings = lib.mkOption {
description = ''
GlobalProtect-openconnect configuration. For more information, visit
<https://github.com/yuezk/GlobalProtect-openconnect/wiki/Configuration>.
'';
default = { };
example = {
"vpn1.company.com" = {
openconnect-args = "--script=/path/to/vpnc-script";
};
};
type = lib.types.attrs;
};
csdWrapper = lib.mkOption {
description = ''
A script that will produce a Host Integrity Protection (HIP) report,
as described at <https://www.infradead.org/openconnect/hip.html>
'';
default = null;
example = lib.literalExpression ''"''${pkgs.openconnect}/libexec/openconnect/hipreport.sh"'';
type = lib.types.nullOr lib.types.path;
};
};
config = lib.mkIf cfg.enable {
services.dbus.packages = [ pkgs.globalprotect-openconnect ];
environment.etc."gpservice/gp.conf".text = lib.generators.toINI { } cfg.settings;
systemd.services.gpservice = {
description = "GlobalProtect openconnect DBus service";
serviceConfig = {
Type = "dbus";
BusName = "com.yuezk.qt.GPService";
ExecStart = execStart;
};
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
};
};
}
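Review bot: `type = lib.types.attrs;` for `settings` disables module-system merging (a second definition replaces rather than merges) and skips validation; `lib.types.attrsOf (lib.types.attrsOf lib.types.str)` matches the `toINI` shape written to `/etc/gpservice/gp.conf` and the `"vpn1.company.com".openconnect-args` example. The `gpservice` unit runs as root (no `User=`) with no `ProtectSystem`/`ProtectHome`/`CapabilityBoundingSet`, and executes `--csd-wrapper=${cfg.csdWrapper}`, a script chosen by configuration; that is inherent to the tool, but a minimal hardening block and a sentence on `csdWrapper` noting that the script runs with the service's root privileges would be appropriate. Minor: `mkEnableOption "globalprotect"` reads better as "GlobalProtect-openconnect", since that is the package used.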

View file

@ -9,7 +9,7 @@ let
cfg = config.services.magic-wormhole-mailbox-server;
# keep semicolon in dataDir for backward compatibility
dataDir = "/var/lib/magic-wormhole-mailbox-server;";
python = pkgs.python311.withPackages (
python = pkgs.python3.withPackages (
py: with py; [
magic-wormhole-mailbox-server
twisted

View file

@ -21,6 +21,8 @@ in
'';
};
options.services.minidlna.package = lib.mkPackageOption pkgs "minidlna" { };
options.services.minidlna.openFirewall = mkOption {
type = types.bool;
default = false;
@ -141,7 +143,7 @@ in
CacheDirectory = "minidlna";
RuntimeDirectory = "minidlna";
PIDFile = "/run/minidlna/pid";
ExecStart = "${pkgs.minidlna}/sbin/minidlnad -S -P /run/minidlna/pid -f ${settingsFile}";
ExecStart = "${lib.getExe cfg.package} -S -P /run/minidlna/pid -f ${settingsFile}";
};
};
};
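Review bot: `ExecStart = "${lib.getExe cfg.package} -S -P /run/minidlna/pid -f ${settingsFile}";` replaces the explicit `sbin/minidlnad` path with `lib.getExe`, which resolves through `meta.mainProgram`; because the binary name (`minidlnad`) differs from the package name, `getExe`'s fallback to `bin/minidlna` would not exist, so confirm the `minidlna` package sets `mainProgram = "minidlnad"`, otherwise the unit fails at start rather than at evaluation. A note on the new `package` option that `getExe` is used would keep override authors from dropping `mainProgram`.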

View file

@ -27,6 +27,8 @@ in
'';
};
package = lib.options.mkPackageOption pkgs "shairport-sync" { };
arguments = mkOption {
type = types.str;
default = "-v -o pa";
@ -100,12 +102,12 @@ in
serviceConfig = {
User = cfg.user;
Group = cfg.group;
ExecStart = "${pkgs.shairport-sync}/bin/shairport-sync ${cfg.arguments}";
ExecStart = "${lib.getExe cfg.package} ${cfg.arguments}";
RuntimeDirectory = "shairport-sync";
};
};
environment.systemPackages = [ pkgs.shairport-sync ];
environment.systemPackages = [ cfg.package ];
};

View file

@ -186,6 +186,7 @@ in
Restart = "always";
User = "spiped";
};
stopIfChanged = false;
scriptArgs = "%i";
script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`";

View file

@ -83,6 +83,7 @@ in
systemd.services.teleport = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
path = with pkgs; [ getent shadow sudo ];
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/teleport start \
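Review bot: `path = with pkgs; [ getent shadow sudo ];` puts account-management tools (`useradd`/`usermod` from `shadow`, plus `sudo`) on the unit's PATH with no comment explaining why; state the feature it serves (presumably teleport's host user provisioning for SSH access, an assumption on my part) in a comment and in the commit message, since a later reader of the unit needs to know the service is expected to create local accounts. If that feature is optional, gate the PATH additions on the option that enables it rather than adding them unconditionally.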

View file

@ -1,10 +1,12 @@
{ config, options, pkgs, lib, ... }:
with lib;
let
inherit (lib) concatStringsSep literalExpression makeLibraryPath mkEnableOption
mkForce mkIf mkOption mkPackageOption mkRemovedOptionModule optional types;
cfg = config.services.aesmd;
opt = options.services.aesmd;
sgx-psw = pkgs.sgx-psw.override { inherit (cfg) debug; };
sgx-psw = cfg.package;
configFile = with cfg.settings; pkgs.writeText "aesmd.conf" (
concatStringsSep "\n" (
@ -18,13 +20,17 @@ let
);
in
{
imports = [
(mkRemovedOptionModule [ "debug" ] ''
Enable debug mode by overriding the aesmd package directly:
services.aesmd.package = pkgs.sgx-psw.override { debug = true; };
'')
];
options.services.aesmd = {
enable = mkEnableOption "Intel's Architectural Enclave Service Manager (AESM) for Intel SGX";
debug = mkOption {
type = types.bool;
default = false;
description = "Whether to build the PSW package in debug mode.";
};
package = mkPackageOption pkgs "sgx-psw" { };
environment = mkOption {
type = with types; attrsOf str;
default = { };
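Review bot: `(mkRemovedOptionModule [ "debug" ] ''...'')` takes the full option path, so as written it declares a removed top-level option `debug` rather than `services.aesmd.debug`; existing configurations that set `services.aesmd.debug = true` will get a generic "option does not exist" error instead of the migration text. It should be `mkRemovedOptionModule [ "services" "aesmd" "debug" ] ''...''`. The replacement instruction itself (`services.aesmd.package = pkgs.sgx-psw.override { debug = true; };`) is correct and matches the new `sgx-psw = cfg.package;` binding, and swapping `with lib;` for an explicit `inherit (lib) ...` list is a welcome cleanup.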
@ -126,7 +132,7 @@ in
"|/dev/sgx_enclave"
];
serviceConfig = rec {
serviceConfig = {
ExecStartPre = pkgs.writeShellScript "copy-aesmd-data-files.sh" ''
set -euo pipefail
whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin"

View file

@ -177,7 +177,7 @@ in
type = types.nullOr types.str;
example = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
description = ''
"bantime.formula" used by default to calculate next value of ban time, default value bellow,
"bantime.formula" used by default to calculate next value of ban time, default value below,
the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32 ...
'';
};

View file

@ -0,0 +1,482 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.services.agorakit;
agorakit = pkgs.agorakit.override { dataDir = cfg.dataDir; };
db = cfg.database;
mail = cfg.mail;
user = cfg.user;
group = cfg.group;
# shell script for local administration
artisan = pkgs.writeScriptBin "agorakit" ''
#! ${pkgs.runtimeShell}
cd ${agorakit}
sudo() {
if [[ "$USER" != ${user} ]]; then
exec /run/wrappers/bin/sudo -u ${user} "$@"
else
exec "$@"
fi
}
sudo ${lib.getExe pkgs.php} artisan "$@"
'';
tlsEnabled = cfg.nginx.addSSL || cfg.nginx.forceSSL || cfg.nginx.onlySSL || cfg.nginx.enableACME;
in
{
options.services.agorakit = {
enable = mkEnableOption "agorakit";
user = mkOption {
default = "agorakit";
description = "User agorakit runs as.";
type = types.str;
};
group = mkOption {
default = "agorakit";
description = "Group agorakit runs as.";
type = types.str;
};
appKeyFile = mkOption {
description = ''
A file containing the Laravel APP_KEY - a 32 character long,
base64 encoded key used for encryption where needed. Can be
generated with <code>head -c 32 /dev/urandom | base64</code>.
'';
example = "/run/keys/agorakit-appkey";
type = types.path;
};
hostName = lib.mkOption {
type = lib.types.str;
default =
if config.networking.domain != null then config.networking.fqdn else config.networking.hostName;
defaultText = lib.literalExpression "config.networking.fqdn";
example = "agorakit.example.com";
description = ''
The hostname to serve agorakit on.
'';
};
appURL = mkOption {
description = ''
The root URL that you want to host agorakit on. All URLs in agorakit will be generated using this value.
If you change this in the future you may need to run a command to update stored URLs in the database.
Command example: <code>php artisan agorakit:update-url https://old.example.com https://new.example.com</code>
'';
default = "http${lib.optionalString tlsEnabled "s"}://${cfg.hostName}";
defaultText = ''http''${lib.optionalString tlsEnabled "s"}://''${cfg.hostName}'';
example = "https://example.com";
type = types.str;
};
dataDir = mkOption {
description = "agorakit data directory";
default = "/var/lib/agorakit";
type = types.path;
};
database = {
host = mkOption {
type = types.str;
default = "localhost";
description = "Database host address.";
};
port = mkOption {
type = types.port;
default = 3306;
description = "Database host port.";
};
name = mkOption {
type = types.str;
default = "agorakit";
description = "Database name.";
};
user = mkOption {
type = types.str;
default = user;
defaultText = lib.literalExpression "user";
description = "Database username.";
};
passwordFile = mkOption {
type = with types; nullOr path;
default = null;
example = "/run/keys/agorakit-dbpassword";
description = ''
A file containing the password corresponding to
<option>database.user</option>.
'';
};
createLocally = mkOption {
type = types.bool;
default = true;
description = "Create the database and database user locally.";
};
};
mail = {
driver = mkOption {
type = types.enum [
"smtp"
"sendmail"
];
default = "smtp";
description = "Mail driver to use.";
};
host = mkOption {
type = types.str;
default = "localhost";
description = "Mail host address.";
};
port = mkOption {
type = types.port;
default = 1025;
description = "Mail host port.";
};
fromName = mkOption {
type = types.str;
default = "agorakit";
description = "Mail \"from\" name.";
};
from = mkOption {
type = types.str;
default = "mail@agorakit.com";
description = "Mail \"from\" email.";
};
user = mkOption {
type = with types; nullOr str;
default = null;
example = "agorakit";
description = "Mail username.";
};
passwordFile = mkOption {
type = with types; nullOr path;
default = null;
example = "/run/keys/agorakit-mailpassword";
description = ''
A file containing the password corresponding to
<option>mail.user</option>.
'';
};
encryption = mkOption {
type = with types; nullOr (enum [ "tls" ]);
default = null;
description = "SMTP encryption mechanism to use.";
};
};
maxUploadSize = mkOption {
type = types.str;
default = "18M";
example = "1G";
description = "The maximum size for uploads (e.g. images).";
};
poolConfig = mkOption {
type =
with types;
attrsOf (oneOf [
str
int
bool
]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the agorakit PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives.
'';
};
nginx = mkOption {
type = types.submodule (
recursiveUpdate (import ../web-servers/nginx/vhost-options.nix {
inherit config lib;
}) { }
);
default = { };
example = ''
{
serverAliases = [
"agorakit.''${config.networking.domain}"
];
# To enable encryption and let let's encrypt take care of certificate
forceSSL = true;
enableACME = true;
}
'';
description = ''
With this option, you can customize the nginx virtualHost settings.
'';
};
config = mkOption {
type =
with types;
attrsOf (
nullOr (
either
(oneOf [
bool
int
port
path
str
])
(submodule {
options = {
_secret = mkOption {
type = nullOr str;
description = ''
The path to a file containing the value the
option should be set to in the final
configuration file.
'';
};
};
})
)
);
default = { };
example = ''
{
ALLOWED_IFRAME_HOSTS = "https://example.com";
AUTH_METHOD = "oidc";
OIDC_NAME = "MyLogin";
OIDC_DISPLAY_NAME_CLAIMS = "name";
OIDC_CLIENT_ID = "agorakit";
OIDC_CLIENT_SECRET = {_secret = "/run/keys/oidc_secret"};
OIDC_ISSUER = "https://keycloak.example.com/auth/realms/My%20Realm";
OIDC_ISSUER_DISCOVER = true;
}
'';
description = ''
Agorakit configuration options to set in the
<filename>.env</filename> file.
Refer to <link xlink:href="https://github.com/agorakit/agorakit"/>
for details on supported values.
Settings containing secret data should be set to an attribute
set containing the attribute <literal>_secret</literal> - a
string pointing to a file containing the value the option
should be set to. See the example to get a better picture of
this: in the resulting <filename>.env</filename> file, the
<literal>OIDC_CLIENT_SECRET</literal> key will be set to the
contents of the <filename>/run/keys/oidc_secret</filename>
file.
'';
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = db.createLocally -> db.user == user;
message = "services.agorakit.database.user must be set to ${user} if services.agorakit.database.createLocally is set true.";
}
{
assertion = db.createLocally -> db.passwordFile == null;
message = "services.agorakit.database.passwordFile cannot be specified if services.agorakit.database.createLocally is set to true.";
}
];
services.agorakit.config = {
APP_ENV = "production";
APP_KEY._secret = cfg.appKeyFile;
APP_URL = cfg.appURL;
DB_HOST = db.host;
DB_PORT = db.port;
DB_DATABASE = db.name;
DB_USERNAME = db.user;
MAIL_DRIVER = mail.driver;
MAIL_FROM_NAME = mail.fromName;
MAIL_FROM = mail.from;
MAIL_HOST = mail.host;
MAIL_PORT = mail.port;
MAIL_USERNAME = mail.user;
MAIL_ENCRYPTION = mail.encryption;
DB_PASSWORD._secret = db.passwordFile;
MAIL_PASSWORD._secret = mail.passwordFile;
APP_SERVICES_CACHE = "/run/agorakit/cache/services.php";
APP_PACKAGES_CACHE = "/run/agorakit/cache/packages.php";
APP_CONFIG_CACHE = "/run/agorakit/cache/config.php";
APP_ROUTES_CACHE = "/run/agorakit/cache/routes-v7.php";
APP_EVENTS_CACHE = "/run/agorakit/cache/events.php";
SESSION_SECURE_COOKIE = tlsEnabled;
};
environment.systemPackages = [ artisan ];
services.mysql = mkIf db.createLocally {
enable = true;
package = mkDefault pkgs.mysql;
ensureDatabases = [ db.name ];
ensureUsers = [
{
name = db.user;
ensurePermissions = {
"${db.name}.*" = "ALL PRIVILEGES";
};
}
];
};
services.phpfpm.pools.agorakit = {
inherit user group;
phpOptions = ''
log_errors = on
post_max_size = ${cfg.maxUploadSize}
upload_max_filesize = ${cfg.maxUploadSize}
'';
settings = {
"listen.mode" = "0660";
"listen.owner" = user;
"listen.group" = group;
} // cfg.poolConfig;
};
services.nginx = {
enable = mkDefault true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedProxySettings = true;
virtualHosts.${cfg.hostName} = mkMerge [
cfg.nginx
{
root = mkForce "${agorakit}/public";
locations = {
"/" = {
index = "index.php";
tryFiles = "$uri $uri/ /index.php?$query_string";
};
"~ \.php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools."agorakit".socket};
'';
"~ \.(js|css|gif|png|ico|jpg|jpeg)$" = {
extraConfig = "expires 365d;";
};
};
}
];
};
systemd.services.agorakit-setup = {
description = "Preparation tasks for agorakit";
before = [ "phpfpm-agorakit.service" ];
after = optional db.createLocally "mysql.service";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = user;
UMask = 77;
WorkingDirectory = "${agorakit}";
RuntimeDirectory = "agorakit/cache";
RuntimeDirectoryMode = 700;
};
path = [ pkgs.replace-secret ];
script =
let
isSecret = v: isAttrs v && v ? _secret && isString v._secret;
agorakitEnvVars = lib.generators.toKeyValue {
mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" {
mkValueString =
v:
with builtins;
if isInt v then
toString v
else if isString v then
v
else if true == v then
"true"
else if false == v then
"false"
else if isSecret v then
hashString "sha256" v._secret
else
throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty { }) v}";
};
};
secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.config);
mkSecretReplacement = file: ''
replace-secret ${
escapeShellArgs [
(builtins.hashString "sha256" file)
file
"${cfg.dataDir}/.env"
]
}
'';
secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
filteredConfig = lib.converge (lib.filterAttrsRecursive (
_: v:
!elem v [
{ }
null
]
)) cfg.config;
agorakitEnv = pkgs.writeText "agorakit.env" (agorakitEnvVars filteredConfig);
in
''
# error handling
set -euo pipefail
# create .env file
install -T -m 0600 -o ${user} ${agorakitEnv} "${cfg.dataDir}/.env"
${secretReplacements}
if ! grep 'APP_KEY=base64:' "${cfg.dataDir}/.env" >/dev/null; then
sed -i 's/APP_KEY=/APP_KEY=base64:/' "${cfg.dataDir}/.env"
fi
# migrate & seed db
${pkgs.php}/bin/php artisan key:generate --force
${pkgs.php}/bin/php artisan migrate --force
${pkgs.php}/bin/php artisan config:cache
'';
};
systemd.tmpfiles.rules = [
"d ${cfg.dataDir} 0710 ${user} ${group} - -"
"d ${cfg.dataDir}/public 0750 ${user} ${group} - -"
"d ${cfg.dataDir}/public/uploads 0750 ${user} ${group} - -"
"d ${cfg.dataDir}/storage 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/app 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/fonts 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/framework 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/framework/cache 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/framework/sessions 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/framework/views 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/logs 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/uploads 0700 ${user} ${group} - -"
];
users = {
users = mkIf (user == "agorakit") {
agorakit = {
inherit group;
isSystemUser = true;
};
"${config.services.nginx.user}".extraGroups = [ group ];
};
groups = mkIf (group == "agorakit") { agorakit = { }; };
};
};
}
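Review bot: `php artisan key:generate --force` at the end of the setup script runs unconditionally on every unit start, so `APP_KEY` is rotated on each restart, which invalidates every session and anything encrypted with the previous key, and it also clobbers a key an operator supplies through `cfg.config` with the `_secret` mechanism. Only generate when `.env` still carries an empty `APP_KEY=` / `APP_KEY=base64:` after the `sed` fix-up, and keep the generated key somewhere under `cfg.dataDir`, because `install -T ... ${agorakitEnv}` rewrites `.env` from the store on every start. Separately, `"~ \.php$"` and `"~ \.(js|css|gif|png|ico|jpg|jpeg)$"` are double-quoted Nix strings, in which `\.` unescapes to a bare `.`, so nginx receives `location ~ .php$` (any character before `php`); write `\\.` as the kimai module later in this commit does. Since `public/uploads` is served from the same document root, consider restricting PHP execution to `/index.php` and returning 404 for other `.php` paths, again as the kimai module does.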


@ -129,9 +129,6 @@ in
services.changedetection-io = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
preStart = ''
mkdir -p ${cfg.datastorePath}
'';
serviceConfig = {
User = cfg.user;
Group = cfg.group;
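Review bot: with the `preStart` `mkdir -p ${cfg.datastorePath}` removed, nothing in this hunk creates the datastore directory any more; the tmpfiles rule in the next hunk only covers non-default paths, so the default path has to be provided by the unit itself (a `StateDirectory=` entry outside the visible context, for example). Worth confirming before merging, otherwise a fresh install fails on first start.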
@ -153,7 +150,7 @@ in
Restart = "on-failure";
};
};
tmpfiles.rules = mkIf defaultStateDir [
tmpfiles.rules = mkIf (!defaultStateDir) [
"d ${cfg.datastorePath} 0750 ${cfg.user} ${cfg.group} - -"
];
};
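Review bot: the flip to `mkIf (!defaultStateDir)` corrects the logic: the old `mkIf defaultStateDir` created the directory only for the default location and left custom `datastorePath` values dependent on the now-removed `preStart` mkdir. The rule also sets explicit ownership and mode (`0750 ${cfg.user} ${cfg.group}`) for custom paths, which the removed `mkdir -p` did not.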


@ -163,7 +163,7 @@ in {
services.mysql = mkIf cfg.enable {
enable = true;
package = pkgs.mysql;
package = pkgs.mariadb;
ensureDatabases = [cfg.database.database];
ensureUsers = [
{
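Review bot: `package = pkgs.mariadb;` is set unconditionally, while the new kimai module in this same commit uses `package = mkDefault pkgs.mariadb;`; without `mkDefault`, a user who already sets `services.mysql.package` elsewhere gets a conflicting-definition error instead of their choice. If `pkgs.mysql` resolves to something other than MariaDB on the user's channel, this also changes which server opens an existing data directory, which deserves a release note.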


@ -227,7 +227,7 @@ in
ensureClauses.login = true;
}
];
extraPlugins = ps: with ps; [ pgvecto-rs ];
extensions = ps: with ps; [ pgvecto-rs ];
settings = {
shared_preload_libraries = [ "vectors.so" ];
search_path = "\"$user\", public, vectors";
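Review bot: the rename `extraPlugins` → `extensions` on `services.postgresql` is a breaking change for any user configuration that still sets `extraPlugins`; this hunk only updates one in-tree call site, so it relies on the postgresql module shipping a renamed-option alias (not visible here) or on every consumer being updated in the same commit, as the mobilizon hunk further down suggests. Please confirm the alias exists before merging.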


@ -0,0 +1,403 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.services.kimai;
eachSite = cfg.sites;
user = "kimai";
webserver = config.services.${cfg.webserver};
stateDir = hostName: "/var/lib/kimai/${hostName}";
pkg =
hostName: cfg:
pkgs.stdenv.mkDerivation rec {
pname = "kimai-${hostName}";
src = cfg.package;
version = src.version;
installPhase = ''
mkdir -p $out
cp -r * $out/
# Symlink .env file. This will be dynamically created at the service
# startup.
ln -sf ${stateDir hostName}/.env $out/share/php/kimai/.env
# Symlink the var/ folder
# TODO: we may have to symlink individual folders if we want to also
# manage plugins from Nix.
rm -rf $out/share/php/kimai/var
ln -s ${stateDir hostName} $out/share/php/kimai/var
# Symlink local.yaml.
ln -s ${kimaiConfig hostName cfg} $out/share/php/kimai/config/packages/local.yaml
'';
};
kimaiConfig =
hostName: cfg:
pkgs.writeTextFile {
name = "kimai-config-${hostName}.yaml";
text = generators.toYAML { } cfg.settings;
};
siteOpts =
{
lib,
name,
config,
...
}:
{
options = {
package = mkPackageOption pkgs "kimai" { };
database = {
host = mkOption {
type = types.str;
default = "localhost";
description = "Database host address.";
};
port = mkOption {
type = types.port;
default = 3306;
description = "Database host port.";
};
name = mkOption {
type = types.str;
default = "kimai";
description = "Database name.";
};
user = mkOption {
type = types.str;
default = "kimai";
description = "Database user.";
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/kimai-dbpassword";
description = ''
A file containing the password corresponding to
{option}`database.user`.
'';
};
socket = mkOption {
type = types.nullOr types.path;
default = null;
defaultText = literalExpression "/run/mysqld/mysqld.sock";
description = "Path to the unix socket file to use for authentication.";
};
charset = mkOption {
type = types.str;
default = "utf8mb4";
description = "Database charset.";
};
serverVersion = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
MySQL *exact* version string. Not used if `createdLocally` is set,
but must be set otherwise. See
https://www.kimai.org/documentation/installation.html#column-table_name-in-where-clause-is-ambiguous
for how to set this value, especially if you're using MariaDB.
'';
};
createLocally = mkOption {
type = types.bool;
default = true;
description = "Create the database and database user locally.";
};
};
poolConfig = mkOption {
type =
with types;
attrsOf (oneOf [
str
int
bool
]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the Kimai PHP pool. See the documentation on `php-fpm.conf`
for details on configuration directives.
'';
};
settings = mkOption {
type = types.attrsOf types.anything;
default = { };
description = ''
Structural Kimai's local.yaml configuration.
Refer to <https://www.kimai.org/documentation/local-yaml.html#localyaml>
for details.
'';
example = literalExpression ''
{
kimai = {
timesheet = {
rounding = {
default = {
begin = 15;
end = 15;
};
};
};
};
}
'';
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/secrets/kimai.env";
description = ''
Securely pass environment variabels to Kimai. This can be used to
set other environement variables such as MAILER_URL.
'';
};
};
};
in
{
# interface
options = {
services.kimai = {
sites = mkOption {
type = types.attrsOf (types.submodule siteOpts);
default = { };
description = "Specification of one or more Kimai sites to serve";
};
webserver = mkOption {
type = types.enum [ "nginx" ];
default = "nginx";
description = ''
The webserver to configure for the PHP frontend.
At the moment, only `nginx` is supported. PRs are welcome for support
for other web servers.
'';
};
};
};
# implementation
config = mkIf (eachSite != { }) (mkMerge [
{
assertions =
(mapAttrsToList (hostName: cfg: {
assertion = cfg.database.createLocally -> cfg.database.user == user;
message = ''services.kimai.sites."${hostName}".database.user must be ${user} if the database is to be automatically provisioned'';
}) eachSite)
++ (mapAttrsToList (hostName: cfg: {
assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
message = ''services.kimai.sites."${hostName}".database.passwordFile cannot be specified if services.kimai.sites."${hostName}".database.createLocally is set to true.'';
}) eachSite)
++ (mapAttrsToList (hostName: cfg: {
assertion = !cfg.database.createLocally -> cfg.database.serverVersion != null;
message = ''services.kimai.sites."${hostName}".database.serverVersion must be specified if services.kimai.sites."${hostName}".database.createLocally is set to false.'';
}) eachSite);
services.mysql = mkIf (any (v: v.database.createLocally) (attrValues eachSite)) {
enable = true;
package = mkDefault pkgs.mariadb;
ensureDatabases = mapAttrsToList (hostName: cfg: cfg.database.name) eachSite;
ensureUsers = mapAttrsToList (hostName: cfg: {
name = cfg.database.user;
ensurePermissions = {
"${cfg.database.name}.*" = "ALL PRIVILEGES";
};
}) eachSite;
};
services.phpfpm.pools = mapAttrs' (
hostName: cfg:
(nameValuePair "kimai-${hostName}" {
inherit user;
group = webserver.group;
settings = {
"listen.owner" = webserver.user;
"listen.group" = webserver.group;
} // cfg.poolConfig;
})
) eachSite;
}
{
systemd.tmpfiles.rules = flatten (
mapAttrsToList (hostName: cfg: [
"d '${stateDir hostName}' 0770 ${user} ${webserver.group} - -"
]) eachSite
);
systemd.services = mkMerge [
(mapAttrs' (
hostName: cfg:
(nameValuePair "kimai-init-${hostName}" {
wantedBy = [ "multi-user.target" ];
before = [ "phpfpm-kimai-${hostName}.service" ];
after = optional cfg.database.createLocally "mysql.service";
script =
let
envFile = "${stateDir hostName}/.env";
appSecretFile = "${stateDir hostName}/.app_secret";
mysql = "${config.services.mysql.package}/bin/mysql";
dbUser = cfg.database.user;
dbPwd = if cfg.database.passwordFile != null then ":$(cat ${cfg.database.passwordFile})" else "";
dbHost = cfg.database.host;
dbPort = toString cfg.database.port;
dbName = cfg.database.name;
dbCharset = cfg.database.charset;
dbUnixSocket = if cfg.database.socket != null then "&unixSocket=${cfg.database.socket}" else "";
# Note: serverVersion is a shell variable. See below.
dbUri =
"mysql://${dbUser}${dbPwd}@${dbHost}:${dbPort}"
+ "/${dbName}?charset=${dbCharset}"
+ "&serverVersion=$serverVersion${dbUnixSocket}";
in
''
set -eu
serverVersion=${
if !cfg.database.createLocally then
cfg.database.serverVersion
else
# Obtain MySQL version string dynamically from the running
# instance. Doctrine ORM's doc said it should be possible to
# autodetect this, however Kimai's doc insists that it has to
# be set.
# https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#mysql
# https://stackoverflow.com/q/9558867
"$(${mysql} --silent --skip-column-names --execute 'SELECT VERSION();')"
}
# Create .env file containing DATABASE_URL and other default
# variables. Set umask to make sure .env is not readable by
# unrelated users.
oldUmask=$(umask)
umask 177
if ! [ -e ${appSecretFile} ]; then
tr -dc A-Za-z0-9 </dev/urandom | head -c 20 >${appSecretFile}
fi
cat >${envFile} <<EOF
DATABASE_URL=${dbUri}
MAILER_FROM=kimai@example.com
MAILER_URL=null://null
APP_ENV=prod
APP_SECRET=$(cat ${appSecretFile})
CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?\$
EOF
umask $oldUmask
# Run kimai:install to ensure database is created or updated.
# Note that kimai:update is an alias to kimai:install.
${pkg hostName cfg}/bin/console kimai:install
'';
serviceConfig = {
Type = "oneshot";
User = user;
Group = webserver.group;
EnvironmentFile = [ cfg.environmentFile ];
};
})
) eachSite)
(mapAttrs' (
hostName: cfg:
(nameValuePair "phpfpm-kimai-${hostName}.service" {
serviceConfig = {
EnvironmentFile = [ cfg.environmentFile ];
};
})
) eachSite)
(optionalAttrs (any (v: v.database.createLocally) (attrValues eachSite)) {
"${cfg.webserver}".after = [ "mysql.service" ];
})
];
users.users.${user} = {
group = webserver.group;
isSystemUser = true;
};
}
(mkIf (cfg.webserver == "nginx") {
services.nginx = {
enable = true;
virtualHosts = mapAttrs (hostName: cfg: {
serverName = mkDefault hostName;
root = "${pkg hostName cfg}/share/php/kimai/public";
extraConfig = ''
index index.php;
'';
locations = {
"/" = {
priority = 200;
extraConfig = ''
try_files $uri /index.php$is_args$args;
'';
};
"~ ^/index\\.php(/|$)" = {
priority = 500;
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools."kimai-${hostName}".socket};
fastcgi_index index.php;
include "${config.services.nginx.package}/conf/fastcgi.conf";
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
'';
};
"~ \\.php$" = {
priority = 800;
extraConfig = ''
return 404;
'';
};
};
}) eachSite;
};
})
]);
}
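Review bot: `dbPwd` splices the raw contents of `passwordFile` into `DATABASE_URL` (`mysql://${dbUser}${dbPwd}@...`) without percent-encoding, so a password containing `@`, `:`, `/`, `?`, `#` or `%` yields a malformed URI and `kimai:install` fails; encode the value before interpolating it, or document the restriction in the `passwordFile` description, which should also say the file must be readable by the `kimai` user because the unit reads it with `cat`. `EnvironmentFile = [ cfg.environmentFile ];` (in both `kimai-init-*` and `phpfpm-kimai-*`) evaluates to `[ null ]` with the default; use `lib.optional (cfg.environmentFile != null) cfg.environmentFile` rather than relying on how a null list element is rendered. Minor: the `environmentFile` description has `variabels` and `environement`.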


@ -383,7 +383,7 @@ in
ensureDBOwnership = false;
}
];
extraPlugins = ps: with ps; [ postgis ];
extensions = ps: with ps; [ postgis ];
};
# Nginx config taken from support/nginx/mobilizon-release.conf


@ -586,37 +586,6 @@ in
ensureDatabases = [ "outline" ];
};
# Outline is unable to create the uuid-ossp extension when using postgresql 12, in later version this
# extension can be created without superuser permission. This services therefor this extension before
# outline starts and postgresql 12 is using on the host.
#
# Can be removed after postgresql 12 is dropped from nixos.
systemd.services.outline-postgresql =
let
pgsql = config.services.postgresql;
in
lib.mkIf (cfg.databaseUrl == "local" && pgsql.package == pkgs.postgresql_12) {
after = [ "postgresql.service" ];
bindsTo = [ "postgresql.service" ];
wantedBy = [ "outline.service" ];
partOf = [ "outline.service" ];
path = [
pgsql.package
];
script = ''
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
psql outline -tAc 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp"'
'';
serviceConfig = {
User = pgsql.superUser;
Type = "oneshot";
RemainAfterExit = true;
};
};
services.redis.servers.outline = lib.mkIf (cfg.redisUrl == "local") {
enable = true;
user = config.services.outline.user;
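Review bot: removing `outline-postgresql` drops the only place the `uuid-ossp` extension was created; the deleted comment ties the workaround to postgresql 12, so the removal is only safe if the module now requires a newer PostgreSQL where Outline's own database user can run `CREATE EXTENSION` itself (a trusted extension still needs the `CREATE` privilege on the database). An assertion, or a release note pointing users still on 12 at the migration, would avoid a silent failure at Outline's first start.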


@ -145,7 +145,7 @@ in
PRISMA_QUERY_ENGINE_LIBRARY = "${pkgs.prisma-engines}/lib/libquery_engine.node";
PRISMA_INTROSPECTION_ENGINE_BINARY = "${pkgs.prisma-engines}/bin/introspection-engine";
PRISMA_FMT_BINARY = "${pkgs.prisma-engines}/bin/prisma-fmt";
PORT = toString cfg.backend.port;
BACKEND_PORT = toString cfg.backend.port;
DATABASE_URL = "file:${cfg.dataDir}/pingvin-share.db?connection_limit=1";
DATA_DIRECTORY = cfg.dataDir;
};
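Review bot: renaming `PORT` to `BACKEND_PORT` changes the variable the backend process reads; if the pinned pingvin-share release still honours only `PORT`, the backend silently falls back to its built-in default port while the module keeps assuming `cfg.backend.port`. The commit message should name the upstream version that introduced `BACKEND_PORT`, and exporting both during a transition would keep older packages working.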


@ -74,7 +74,7 @@ this could be most useful for testing a particular plug-in in isolation.
: This is a known [issue](https://github.com/NixOS/nixpkgs/issues/64611) and there is no known workaround.
[Does AppCenter work, or is it available?]{#sec-pantheon-faq-appcenter}
: AppCenter has been available since 20.03. Starting from 21.11, the Flatpak backend should work so you can install some Flatpak applications using it. However, due to missing appstream metadata, the Packagekit backend does not function currently. See this [issue](https://github.com/NixOS/nixpkgs/issues/15932).
: AppCenter is available and the Flatpak backend should work so you can install some Flatpak applications using it. However, due to missing appstream metadata, the Packagekit backend does not function currently. See this [issue](https://github.com/NixOS/nixpkgs/issues/15932).
If you are using Pantheon, AppCenter should be installed by default if you have [Flatpak support](#module-services-flatpak) enabled. If you also wish to add the `appcenter` Flatpak remote:
