Merge commit '3ed4d12aac391a1eb607b388e386854780fd3cd3' into HEAD

Luke Granger-Brown 2024-11-23 21:16:41 +00:00
commit da66e90c04
2211 changed files with 91019 additions and 159619 deletions

@ -7,34 +7,44 @@ assignees: ''
--- ---
### Describe the bug ## Describe the bug
A clear and concise description of what the bug is.
<!-- A clear and concise description of what the bug is. -->
## Steps To Reproduce
### Steps To Reproduce
Steps to reproduce the behavior: Steps to reproduce the behavior:
1. ... 1. ...
2. ... 2. ...
3. ... 3. ...
### Expected behavior ## Expected behavior
A clear and concise description of what you expected to happen.
### Screenshots <!-- A clear and concise description of what you expected to happen. -->
If applicable, add screenshots to help explain your problem.
### Additional context ## Screenshots
Add any other context about the problem here.
### Notify maintainers <!-- If applicable, add screenshots to help explain your problem: -->
## Additional context
<!-- Add any other context about the problem here. -->
## Metadata
<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
## Notify maintainers
<!-- <!--
Please @ people who are in the `meta.maintainers` list of the offending package or module. Please @ people who are in the `meta.maintainers` list of the offending package or module.
If in doubt, check `git blame` for whoever last touched something. If in doubt, check `git blame` for whoever last touched something.
--> -->
### Metadata ---
<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line --> Note for maintainers: Please tag this issue in your PR.
--- ---

@ -7,31 +7,43 @@ assignees: ''
--- ---
### Steps To Reproduce ## Steps To Reproduce
Steps to reproduce the behavior: Steps to reproduce the behavior:
1. build *X* 1. build *X*
### Build log ## Build log
<!-- insert build log in code block in collapsable section -->
<details>
<summary>Build Log</summary>
``` ```
log here if short otherwise a link to a gist
``` ```
### Additional context </details>
Add any other context about the problem here. ## Additional context
### Notify maintainers <!-- Add any other context about the problem here. -->
## Metadata
<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
## Notify maintainers
<!-- <!--
Please @ people who are in the `meta.maintainers` list of the offending package or module. Please @ people who are in the `meta.maintainers` list of the offending package or module.
If in doubt, check `git blame` for whoever last touched something. If in doubt, check `git blame` for whoever last touched something.
--> -->
### Metadata ---
<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line --> Note for maintainers: Please tag this issue in your PR.
--- ---
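
Review bot: the new comment above the `<details>` block spells the word "collapsable"; it should be "collapsible". The comment is hidden when the issue is rendered, but every reporter reads it while filling in the template, so it is worth fixing in this change.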

@ -23,12 +23,9 @@ assignees: ''
- [ ] checked [open documentation issues] for possible duplicates - [ ] checked [open documentation issues] for possible duplicates
- [ ] checked [open documentation pull requests] for possible solutions - [ ] checked [open documentation pull requests] for possible solutions
[latest Nixpkgs manual]: https://nixos.org/manual/nixpkgs/unstable/ ---
[latest NixOS manual]: https://nixos.org/manual/nixos/unstable/
[nixpkgs-source]: https://github.com/NixOS/nixpkgs/tree/master/doc Note for maintainers: Please tag this issue in your PR.
[nixos-source]: https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual
[open documentation issues]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22
[open documentation pull requests]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+documentation%22%2C%226.topic%3A+documentation%22
--- ---
@ -36,3 +33,9 @@ Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/
[issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc [issues you find important]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc
[latest Nixpkgs manual]: https://nixos.org/manual/nixpkgs/unstable/
[latest NixOS manual]: https://nixos.org/manual/nixos/unstable/
[nixpkgs-source]: https://github.com/NixOS/nixpkgs/tree/master/doc
[nixos-source]: https://github.com/NixOS/nixpkgs/tree/master/nixos/doc/manual
[open documentation issues]: https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+label%3A%229.needs%3A+documentation%22
[open documentation pull requests]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%228.has%3A+documentation%22%2C%226.topic%3A+documentation%22

@ -7,11 +7,11 @@ assignees: ''
--- ---
### Description ## Description
<!-- Describe what the module should accomplish: --> <!-- Describe what the module should accomplish: -->
### Notify maintainers ## Notify maintainers
<!-- If applicable, tag the maintainers of the package that corresponds to the module. If the search.nixos.org result shows no maintainers, tag the person that last updated the package. --> <!-- If applicable, tag the maintainers of the package that corresponds to the module. If the search.nixos.org result shows no maintainers, tag the person that last updated the package. -->

@ -7,23 +7,30 @@ assignees: ''
--- ---
## Package Information
<!-- Search for the package here: https://search.nixos.org/packages?channel=unstable -->
- Package name: - Package name:
- Latest released version: - Latest released version:
<!-- Search your package here: https://search.nixos.org/packages?channel=unstable -->
- Current version on the unstable channel: - Current version on the unstable channel:
- Current version on the stable/release channel: - Current version on the stable/release channel:
## Checklist
<!-- <!--
Type the name of your package and try to find an open pull request for the package Type the name of your package and try to find an open pull request for the package
If you find an open pull request, you can review it! If you find an open pull request, you can review it!
There's a high chance that you'll have the new version right away while helping the community! There's a high chance that you'll have the new version right away while helping the community!
--> -->
- [ ] Checked the [nixpkgs pull requests](https://github.com/NixOS/nixpkgs/pulls) - [ ] Checked the [nixpkgs pull requests](https://github.com/NixOS/nixpkgs/pulls)
**Notify maintainers** ## Notify maintainers
<!-- If the search.nixos.org result shows no maintainers, tag the person that last updated the package. --> <!-- If the search.nixos.org result shows no maintainers, tag the person that last updated the package. -->
----- ---
Note for maintainers: Please tag this issue in your PR. Note for maintainers: Please tag this issue in your PR.

@ -7,11 +7,11 @@ assignees: ''
--- ---
**Project description** ## Project description
<!-- Describe the project a little: --> <!-- Describe the project a little: -->
**Metadata** ## Metadata
* homepage URL: * homepage URL:
* source URL: * source URL:
@ -20,6 +20,10 @@ assignees: ''
--- ---
Note for maintainers: Please tag this issue in your PR.
---
Add a :+1: [reaction] to [issues you find important]. Add a :+1: [reaction] to [issues you find important].
[reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/

@ -31,12 +31,12 @@ Fixing bit-by-bit reproducibility also has additional advantages, such as
avoiding hard-to-reproduce bugs, making content-addressed storage more effective avoiding hard-to-reproduce bugs, making content-addressed storage more effective
and reducing rebuilds in such systems. and reducing rebuilds in such systems.
### Steps To Reproduce ## Steps To Reproduce
In the following steps, replace `<package>` with the canonical name of the In the following steps, replace `<package>` with the canonical name of the
package. package.
#### 1. Build the package ### 1. Build the package
This step will build the package. Specific arguments are passed to the command This step will build the package. Specific arguments are passed to the command
to keep the build artifacts so we can compare them in case of differences. to keep the build artifacts so we can compare them in case of differences.
@ -53,7 +53,7 @@ Or using the new command line style:
nix build nixpkgs#<package> && nix build nixpkgs#<package> --rebuild --keep-failed nix build nixpkgs#<package> && nix build nixpkgs#<package> --rebuild --keep-failed
``` ```
#### 2. Compare the build artifacts ### 2. Compare the build artifacts
If the previous command completes successfully, no differences were found and If the previous command completes successfully, no differences were found and
there's nothing to do, builds are reproducible. there's nothing to do, builds are reproducible.
@ -67,7 +67,7 @@ metadata (*e.g. timestamp*) differences.
nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z> nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
``` ```
#### 3. Examine the build log ### 3. Examine the build log
To examine the build log, use: To examine the build log, use:
@ -81,10 +81,20 @@ Or with the new command line style:
nix log $(nix path-info --derivation nixpkgs#<package>) nix log $(nix path-info --derivation nixpkgs#<package>)
``` ```
### Additional context ## Additional context
(please share the relevant fragment of the diffoscope output here, and any (please share the relevant fragment of the diffoscope output here, and any additional analysis you may have done)
additional analysis you may have done)
## Notify maintainers
<!--
Please @ people who are in the `meta.maintainers` list of the offending package or module.
If in doubt, check `git blame` for whoever last touched something.
-->
---
Note for maintainers: Please tag this issue in your PR.
--- ---

@ -25,7 +25,7 @@ For new packages please briefly describe the package or provide a link to its ho
- made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages - made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
- [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage) - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
- [ ] Tested basic functionality of all binary files (usually in `./result/bin/`) - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
- [24.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) (or backporting [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) and [24.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) Release notes) - [25.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) Release notes)
- [ ] (Package updates) Added a release notes entry if the change is major or breaking - [ ] (Package updates) Added a release notes entry if the change is major or breaking
- [ ] (Module updates) Added a release notes entry if the change is significant - [ ] (Module updates) Added a release notes entry if the change is significant
- [ ] (Module addition) Added a release notes entry if adding a new NixOS module - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
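
Review bot: in the changed release-notes checklist line, the backporting list now reads 24.11 and 25.05, so 25.05 appears both as the current release and as a backport target and `rl-2505.section.md` is linked twice. The line being replaced listed the two releases before the current one (23.11 and 24.05 against 24.11), so after the bump the backport pair should presumably be 24.05 (`rl-2405.section.md`) and 24.11 (`rl-2411.section.md`).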

@ -293,6 +293,7 @@
- any-glob-to-any-file: - any-glob-to-any-file:
- nixos/**/* - nixos/**/*
- pkgs/by-name/sw/switch-to-configuration-ng/**/* - pkgs/by-name/sw/switch-to-configuration-ng/**/*
- pkgs/by-name/ni/nixos-rebuild-ng/**/*
- pkgs/os-specific/linux/nixos-rebuild/**/* - pkgs/os-specific/linux/nixos-rebuild/**/*
"6.topic: nixos-container": "6.topic: nixos-container":
@ -358,8 +359,9 @@
- changed-files: - changed-files:
- any-glob-to-any-file: - any-glob-to-any-file:
- doc/languages-frameworks/php.section.md - doc/languages-frameworks/php.section.md
- nixos/tests/php/**/*
- pkgs/build-support/php/**/* - pkgs/build-support/php/**/*
- pkgs/development/interpreters/php/* - pkgs/development/interpreters/php/**/*
- pkgs/development/php-packages/**/* - pkgs/development/php-packages/**/*
- pkgs/test/php/default.nix - pkgs/test/php/default.nix
- pkgs/top-level/php-packages.nix - pkgs/top-level/php-packages.nix

@ -39,6 +39,10 @@ jobs:
into: staging-next-24.05 into: staging-next-24.05
- from: staging-next-24.05 - from: staging-next-24.05
into: staging-24.05 into: staging-24.05
- from: release-24.11
into: staging-next-24.11
- from: staging-next-24.11
into: staging-24.11
name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }} name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

@ -345,7 +345,7 @@ See [Nix Channel Status](https://status.nixos.org/) for the current channels and
Here's a brief overview of the main Git branches and what channels they're used for: Here's a brief overview of the main Git branches and what channels they're used for:
- `master`: The main branch, used for the unstable channels such as `nixpkgs-unstable`, `nixos-unstable` and `nixos-unstable-small`. - `master`: The main branch, used for the unstable channels such as `nixpkgs-unstable`, `nixos-unstable` and `nixos-unstable-small`.
- `release-YY.MM` (e.g. `release-24.05`): The NixOS release branches, used for the stable channels such as `nixos-24.05`, `nixos-24.05-small` and `nixpkgs-24.05-darwin`. - `release-YY.MM` (e.g. `release-24.11`): The NixOS release branches, used for the stable channels such as `nixos-24.11`, `nixos-24.11-small` and `nixpkgs-24.11-darwin`.
When a channel is updated, a corresponding Git branch is also updated to point to the corresponding commit. When a channel is updated, a corresponding Git branch is also updated to point to the corresponding commit.
So e.g. the [`nixpkgs-unstable` branch](https://github.com/nixos/nixpkgs/tree/nixpkgs-unstable) corresponds to the Git commit from the [`nixpkgs-unstable` channel](https://channels.nixos.org/nixpkgs-unstable). So e.g. the [`nixpkgs-unstable` branch](https://github.com/nixos/nixpkgs/tree/nixpkgs-unstable) corresponds to the Git commit from the [`nixpkgs-unstable` channel](https://channels.nixos.org/nixpkgs-unstable).

@ -9,7 +9,7 @@
</p> </p>
<p align="center"> <p align="center">
<a href="https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md"><img src="https://img.shields.io/github/contributors-anon/NixOS/nixpkgs" alt="Contributors badge" /></a> <a href="CONTRIBUTING.md"><img src="https://img.shields.io/github/contributors-anon/NixOS/nixpkgs" alt="Contributors badge" /></a>
<a href="https://opencollective.com/nixos"><img src="https://opencollective.com/nixos/tiers/supporter/badge.svg?label=supporters&color=brightgreen" alt="Open Collective supporters" /></a> <a href="https://opencollective.com/nixos"><img src="https://opencollective.com/nixos/tiers/supporter/badge.svg?label=supporters&color=brightgreen" alt="Open Collective supporters" /></a>
</p> </p>
@ -74,7 +74,7 @@ Community contributions are always welcome through GitHub Issues and
Pull Requests. Pull Requests.
For more information about contributing to the project, please visit For more information about contributing to the project, please visit
the [contributing page](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md). the [contributing page](CONTRIBUTING.md).
# Donations # Donations

@ -105,6 +105,11 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
/nixos/modules/system/activation/bootspec.nix @grahamc @cole-h @raitobezarius /nixos/modules/system/activation/bootspec.nix @grahamc @cole-h @raitobezarius
/nixos/modules/system/activation/bootspec.cue @grahamc @cole-h @raitobezarius /nixos/modules/system/activation/bootspec.cue @grahamc @cole-h @raitobezarius
# NixOS Render Docs
/pkgs/by-name/ni/nixos-render-docs @fricklerhandwerk @GetPsyched @hsjobeki
/doc/redirects.json @fricklerhandwerk @GetPsyched @hsjobeki
/nixos/doc/manual/redirects.json @fricklerhandwerk @GetPsyched @hsjobeki
# NixOS integration test driver # NixOS integration test driver
/nixos/lib/test-driver @tfc /nixos/lib/test-driver @tfc
@ -138,6 +143,8 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
/nixos/tests/amazon-ssm-agent.nix @arianvp /nixos/tests/amazon-ssm-agent.nix @arianvp
/nixos/modules/system/boot/grow-partition.nix @arianvp /nixos/modules/system/boot/grow-partition.nix @arianvp
# nixos-rebuild-ng
/pkgs/by-name/ni/nixos-rebuild-ng @thiagokokada
# Updaters # Updaters
@ -149,8 +156,8 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
# Python-related code and docs # Python-related code and docs
/doc/languages-frameworks/python.section.md @mweinelt @natsukium /doc/languages-frameworks/python.section.md @mweinelt @natsukium
/maintainers/scripts/update-python-libraries @natsukium /maintainers/scripts/update-python-libraries @mweinelt @natsukium
/pkgs/development/interpreters/python @natsukium /pkgs/development/interpreters/python @mweinelt @natsukium
/pkgs/top-level/python-packages.nix @natsukium /pkgs/top-level/python-packages.nix @natsukium
/pkgs/top-level/release-python.nix @natsukium /pkgs/top-level/release-python.nix @natsukium
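
Review bot: the Python block adds @mweinelt to `/maintainers/scripts/update-python-libraries` and `/pkgs/development/interpreters/python` but leaves `/pkgs/top-level/python-packages.nix` and `/pkgs/top-level/release-python.nix` with @natsukium only. If the intent is a second reviewer across the Python code paths, the two top-level files need the same addition; if the split is deliberate, a comment in the block saying so would stop a later cleanup from "fixing" it.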

@ -21,7 +21,7 @@ Rendered documentation:
- [Unstable (from master)](https://nixos.org/manual/nixpkgs/unstable/) - [Unstable (from master)](https://nixos.org/manual/nixpkgs/unstable/)
- [Stable (from latest release)](https://nixos.org/manual/nixpkgs/stable/) - [Stable (from latest release)](https://nixos.org/manual/nixpkgs/stable/)
The rendering tool is [nixos-render-docs](../pkgs/tools/nix/nixos-render-docs/src/nixos_render_docs), sometimes abbreviated `nrd`. The rendering tool is [nixos-render-docs](../pkgs/by-name/ni/nixos-render-docs), sometimes abbreviated `nrd`.
## Contributing to this documentation ## Contributing to this documentation
@ -42,6 +42,12 @@ It is a daemon, that:
2. HTTP serves the manual, injecting a script that triggers reload on changes 2. HTTP serves the manual, injecting a script that triggers reload on changes
3. opens the manual in the default browser 3. opens the manual in the default browser
### Testing redirects
Once you have a successful build, you can open the relevant HTML (path mentioned above) in a browser along with the anchor, and observe the redirection.
Note that if you already loaded the page and *then* input the anchor, you will need to perform a reload. This is because browsers do not re-run client JS code when only the anchor has changed.
## Syntax ## Syntax
As per [RFC 0072](https://github.com/NixOS/rfcs/pull/72), all new documentation content should be written in [CommonMark](https://commonmark.org/) Markdown dialect. As per [RFC 0072](https://github.com/NixOS/rfcs/pull/72), all new documentation content should be written in [CommonMark](https://commonmark.org/) Markdown dialect.

@ -755,14 +755,46 @@ Used with Subversion. Expects `url` to a Subversion directory, `rev`, and `hash`
Used with Git. Expects `url` to a Git repo, `rev`, and `hash`. `rev` in this case can be full the git commit id (SHA1 hash) or a tag name like `refs/tags/v1.0`. Used with Git. Expects `url` to a Git repo, `rev`, and `hash`. `rev` in this case can be full the git commit id (SHA1 hash) or a tag name like `refs/tags/v1.0`.
Additionally, the following optional arguments can be given: `fetchSubmodules = true` makes `fetchgit` also fetch the submodules of a repository. If `deepClone` is set to true, the entire repository is cloned as opposing to just creating a shallow clone. `deepClone = true` also implies `leaveDotGit = true` which means that the `.git` directory of the clone won't be removed after checkout. Additionally, the following optional arguments can be given:
If only parts of the repository are needed, `sparseCheckout` can be used. This will prevent git from fetching unnecessary blobs from server, see [git sparse-checkout](https://git-scm.com/docs/git-sparse-checkout) for more information: *`fetchSubmodules`* (Boolean)
```nix : Whether to also fetch the submodules of a repository.
{ stdenv, fetchgit }:
stdenv.mkDerivation { *`fetchLFS`* (Boolean)
: Whether to fetch LFS objects.
*`postFetch`* (String)
: Shell code executed after the file has been fetched successfully.
This can do things like check or transform the file.
*`leaveDotGit`* (Boolean)
: Whether the `.git` directory of the clone should *not* be removed after checkout.
Be warned though that the git repository format is not stable and this flag is therefore not suitable for actual use by itself.
Only use this for testing purposes or in conjunction with removing the `.git` directory in `postFetch`.
*`deepClone`* (Boolean)
: Clone the entire repository as opposing to just creating a shallow clone.
This implies `leaveDotGit`.
*`sparseCheckout`* (List of String)
: Prevent git from fetching unnecessary blobs from server.
This is useful if only parts of the repository are needed.
::: {.example #ex-fetchgit-sparseCheckout}
# Use `sparseCheckout` to only include some directories:
```nix
{ stdenv, fetchgit }:
stdenv.mkDerivation {
name = "hello"; name = "hello";
src = fetchgit { src = fetchgit {
url = "https://..."; url = "https://...";
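
Review bot: the new `deepClone` entry says only "This implies `leaveDotGit`", while the warning that the git repository format is not stable, and that the flag should only be used for testing or together with removing `.git` in `postFetch`, sits under `leaveDotGit` alone. A reader who jumps straight to `deepClone` gets a kept `.git` directory without seeing that caveat, so repeat it or point to it from the `deepClone` entry. In the same entry, "as opposing to" should read "as opposed to".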
@ -772,8 +804,14 @@ stdenv.mkDerivation {
]; ];
hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="; hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
}; };
} }
``` ```
:::
See [git sparse-checkout](https://git-scm.com/docs/git-sparse-checkout) for more information.
Some additional parameters for niche use-cases can be found listed in the function parameters in the declaration of `fetchgit`: `pkgs/build-support/fetchgit/default.nix`.
Future parameters additions might also happen without immediately being documented here.
## `fetchfossil` {#fetchfossil} ## `fetchfossil` {#fetchfossil}
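
Review bot: in the closing paragraph of the `fetchgit` section, "Future parameters additions" should be "Future parameter additions". Since that paragraph sends readers to `pkgs/build-support/fetchgit/default.nix` for undocumented parameters, it would also help to make the path a link, as the rest of the section does for external references.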

@ -5,6 +5,8 @@
lib, lib,
stdenvNoCC, stdenvNoCC,
callPackage, callPackage,
devmode,
mkShellNoCC,
documentation-highlighter, documentation-highlighter,
nixos-render-docs, nixos-render-docs,
nixpkgs ? { }, nixpkgs ? { },
@ -29,6 +31,7 @@ stdenvNoCC.mkDerivation (
../anchor-use.js ../anchor-use.js
../anchor.min.js ../anchor.min.js
../manpage-urls.json ../manpage-urls.json
../redirects.json
]; ];
}; };
@ -60,6 +63,7 @@ stdenvNoCC.mkDerivation (
nixos-render-docs manual html \ nixos-render-docs manual html \
--manpage-urls ./manpage-urls.json \ --manpage-urls ./manpage-urls.json \
--redirects ./redirects.json \
--revision ${nixpkgs.rev or "master"} \ --revision ${nixpkgs.rev or "master"} \
--stylesheet style.css \ --stylesheet style.css \
--stylesheet highlightjs/mono-blue.css \ --stylesheet highlightjs/mono-blue.css \
@ -95,10 +99,14 @@ stdenvNoCC.mkDerivation (
pythonInterpreterTable = callPackage ./python-interpreter-table.nix { }; pythonInterpreterTable = callPackage ./python-interpreter-table.nix { };
shell = callPackage ../../pkgs/tools/nix/web-devmode.nix { shell =
let
devmode' = devmode.override {
buildArgs = "./."; buildArgs = "./.";
open = "/share/doc/nixpkgs/manual.html"; open = "/share/doc/nixpkgs/manual.html";
}; };
in
mkShellNoCC { packages = [ devmode' ]; };
tests.manpage-urls = callPackage ../tests/manpage-urls.nix { }; tests.manpage-urls = callPackage ../tests/manpage-urls.nix { };
}; };

@ -18,6 +18,16 @@ setup hook registering ninja-based build and install phases.
Controls the flags passed to `meson setup` during configure phase. Controls the flags passed to `meson setup` during configure phase.
#### `mesonBuildDir` {#meson-build-dir}
Directory where Meson will put intermediate files.
Setting this can be useful for debugging multiple Meson builds while in the same source directory, for example, when building for different platforms.
Different values for each build will prevent build artefacts from interefering with each other.
This setting has no tangible effect when running the build in a sandboxed derivation.
The default value is `build`.
#### `mesonWrapMode` {#meson-wrap-mode} #### `mesonWrapMode` {#meson-wrap-mode}
Which value is passed as Which value is passed as
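
Review bot: the new `mesonBuildDir` description has a typo, "interefering", which should be "interfering". The sentence "This setting has no tangible effect when running the build in a sandboxed derivation" could also say why in a few words, since the preceding sentences read as a recommendation to set it.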

@ -52,12 +52,12 @@ rustPlatform.buildRustPackage rec {
buildInputs = buildInputs =
[ openssl ] [ openssl ]
++ lib.optionals stdenv.isLinux [ ++ lib.optionals stdenv.hostPlatform.isLinux [
glib-networking # Most Tauri apps need networking glib-networking # Most Tauri apps need networking
libsoup libsoup
webkitgtk_4_0 webkitgtk_4_0
] ]
++ lib.optionals stdenv.isDarwin ( ++ lib.optionals stdenv.hostPlatform.isDarwin (
with darwin.apple_sdk.frameworks; with darwin.apple_sdk.frameworks;
[ [
AppKit AppKit

@ -42,7 +42,7 @@ $ dotnet --info
Version: 7.0.202 Version: 7.0.202
Commit: 6c74320bc3 Commit: 6c74320bc3
Środowisko uruchomieniowe: Runtime Environment:
OS Name: nixos OS Name: nixos
OS Version: 23.05 OS Version: 23.05
OS Platform: Linux OS Platform: Linux

@ -57,8 +57,8 @@ Available compilers are collected under `haskell.compiler`.
Each of those compiler versions has a corresponding attribute set `packages` built with Each of those compiler versions has a corresponding attribute set `packages` built with
it. However, the non-standard package sets are not tested regularly and, as a it. However, the non-standard package sets are not tested regularly and, as a
result, contain fewer working packages. The corresponding package set for GHC result, contain fewer working packages. The corresponding package set for GHC
9.4.5 is `haskell.packages.ghc945`. In fact `haskellPackages` is just an alias 9.4.5 is `haskell.packages.ghc945`. In fact `haskellPackages` (at the time of writing) is just an alias
for `haskell.packages.ghc964`: for `haskell.packages.ghc966`:
Every package set also re-exposes the GHC used to build its packages as `haskell.packages.*.ghc`. Every package set also re-exposes the GHC used to build its packages as `haskell.packages.*.ghc`.

@ -55,6 +55,7 @@ sets are
* `pkgs.python311Packages` * `pkgs.python311Packages`
* `pkgs.python312Packages` * `pkgs.python312Packages`
* `pkgs.python313Packages` * `pkgs.python313Packages`
* `pkgs.python314Packages`
* `pkgs.pypy27Packages` * `pkgs.pypy27Packages`
* `pkgs.pypy39Packages` * `pkgs.pypy39Packages`
* `pkgs.pypy310Packages` * `pkgs.pypy310Packages`

@ -25,12 +25,14 @@ stdenv.mkDerivation {
The same goes for Qt 5 where libraries and tools are under `libsForQt5`. The same goes for Qt 5 where libraries and tools are under `libsForQt5`.
Any Qt package should include `wrapQtAppsHook` in `nativeBuildInputs`, or explicitly set `dontWrapQtApps` to bypass generating the wrappers. Any Qt package should include `wrapQtAppsHook` or `wrapQtAppsNoGuiHook` in `nativeBuildInputs`, or explicitly set `dontWrapQtApps` to bypass generating the wrappers.
::: {.note} ::: {.note}
Qt 6 graphical applications should also include `qtwayland` in `buildInputs` on Linux (but not on platforms e.g. Darwin, where `qtwayland` is not available), to ensure the Wayland platform plugin is available.
This may become default in the future, see [NixOS/nixpkgs#269674](https://github.com/NixOS/nixpkgs/pull/269674). `wrapQtAppsHook` propagates plugins and QML components from `qtwayland` on platforms that support it, to allow applications to act as native Wayland clients. It should be used for all graphical applications.
`wrapQtAppsNoGuiHook` does not propagate `qtwayland` to reduce closure size for purely command-line applications.
::: :::
## Packages supporting multiple Qt versions {#qt-versions} ## Packages supporting multiple Qt versions {#qt-versions}

@ -64,10 +64,18 @@ hash using `nix-hash --to-sri --type sha256 "<original sha256>"`.
``` ```
Exception: If the application has cargo `git` dependencies, the `cargoHash` Exception: If the application has cargo `git` dependencies, the `cargoHash`
approach will not work, and you will need to copy the `Cargo.lock` file of the application approach will not work by default. In this case, you can set `useFetchCargoVendor = true`
to nixpkgs and continue with the next section for specifying the options of the `cargoLock` to use an improved fetcher that supports handling `git` dependencies.
section.
```nix
{
useFetchCargoVendor = true;
cargoHash = "sha256-RqPVFovDaD2rW31HyETJfQ0qVwFxoGEvqkIgag3H6KU=";
}
```
If this method still does not work, you can resort to copying the `Cargo.lock` file into nixpkgs
and importing it as described in the [next section](#importing-a-cargo.lock-file).
Both types of hashes are permitted when contributing to nixpkgs. The Both types of hashes are permitted when contributing to nixpkgs. The
Cargo hash is obtained by inserting a fake checksum into the Cargo hash is obtained by inserting a fake checksum into the
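
Review bot: the new `useFetchCargoVendor = true` example keeps the attribute name `cargoHash`, but the text does not say whether a `cargoHash` computed without the flag is still valid once the flag is turned on. State explicitly whether the hash has to be regenerated after enabling it, because a contributor switching an existing package will otherwise hit a fixed-output hash mismatch with no hint in the docs about the cause.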
@ -462,6 +470,17 @@ also be used:
the `Cargo.lock`/`Cargo.toml` files need to be patched before the `Cargo.lock`/`Cargo.toml` files need to be patched before
vendoring. vendoring.
In case the lockfile contains cargo `git` dependencies, you can use
`fetchCargoVendor` instead.
```nix
{
cargoDeps = rustPlatform.fetchCargoVendor {
inherit src;
hash = "sha256-RqPVFovDaD2rW31HyETJfQ0qVwFxoGEvqkIgag3H6KU=";
};
}
```
If a `Cargo.lock` file is available, you can alternatively use the If a `Cargo.lock` file is available, you can alternatively use the
`importCargoLock` function. In contrast to `fetchCargoTarball`, this `importCargoLock` function. In contrast to `fetchCargoTarball`, this
function does not require a hash (unless git dependencies are used) function does not require a hash (unless git dependencies are used)
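
Review bot: the `fetchCargoVendor` paragraph and example are inserted directly before "If a `Cargo.lock` file is available, you can alternatively use the `importCargoLock` function. In contrast to `fetchCargoTarball`, ...", so the "alternatively" and the contrast now follow a `fetchCargoVendor` example rather than the `fetchCargoTarball` text they refer to. Either move the new block after the `importCargoLock` paragraph or reword that paragraph so it is clear which fetcher is being contrasted. The example also reuses the same hash literal as the `useFetchCargoVendor` example earlier in the file; a note that it is illustrative would avoid readers copying it.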

@ -1,6 +1,6 @@
# TeX Live {#sec-language-texlive} # TeX Live {#sec-language-texlive}
Since release 15.09 there is a new TeX Live packaging that lives entirely under attribute `texlive`. There is a TeX Live packaging that lives entirely under attribute `texlive`.
## User's guide (experimental new interface) {#sec-language-texlive-user-guide-experimental} ## User's guide (experimental new interface) {#sec-language-texlive-user-guide-experimental}

@ -8,4 +8,4 @@ HTTP has a couple of different mechanisms for caching to prevent clients from ha
Fortunately, HTTP supports an alternative (and more effective) caching mechanism: the [`ETag`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag) response header. The value of the `ETag` header specifies some identifier for the particular content that the server is sending (e.g., a hash). When a client makes a second request for the same resource, it sends that value back in an `If-None-Match` header. If the ETag value is unchanged, then the server does not need to resend the content. Fortunately, HTTP supports an alternative (and more effective) caching mechanism: the [`ETag`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag) response header. The value of the `ETag` header specifies some identifier for the particular content that the server is sending (e.g., a hash). When a client makes a second request for the same resource, it sends that value back in an `If-None-Match` header. If the ETag value is unchanged, then the server does not need to resend the content.
As of NixOS 19.09, the nginx package in Nixpkgs is patched such that when nginx serves a file out of `/nix/store`, the hash in the store path is used as the `ETag` header in the HTTP response, thus providing proper caching functionality. With NixOS 24.05 and later, the `ETag` additionally includes the response content length, to ensure files served with static compression do not share `ETag`s with their uncompressed version. This `ETag` functionality is enabled automatically; you do not need to do modify any configuration to get this behavior. The nginx package in Nixpkgs is patched such that when nginx serves a file out of `/nix/store`, the hash in the store path is used as the `ETag` header in the HTTP response, thus providing proper caching functionality. With NixOS 24.05 and later, the `ETag` additionally includes the response content length, to ensure files served with static compression do not share `ETag`s with their uncompressed version. This `ETag` functionality is enabled automatically; you do not need to do modify any configuration to get this behavior.
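Review bot: the reworded paragraph still ends with "you do not need to do modify any configuration"; the stray "do" should go while this sentence is being touched ("you do not need to modify any configuration"). Dropping "As of NixOS 19.09" is fine, but the next sentence keeps "With NixOS 24.05 and later", so the paragraph now mixes versioned and unversioned statements; consider saying outright that the content length is part of the `ETag` only from 24.05 onwards.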

View file

@ -31,7 +31,6 @@ Use `programs.steam.enable = true;` if you want to add steam to `systemPackages`
- **Using the FOSS Radeon or nouveau (nvidia) drivers** - **Using the FOSS Radeon or nouveau (nvidia) drivers**
- The `newStdcpp` parameter was removed since NixOS 17.09 and should not be needed anymore.
- Steam ships statically linked with a version of `libcrypto` that conflicts with the one dynamically loaded by radeonsi_dri.so. If you get the error: - Steam ships statically linked with a version of `libcrypto` that conflicts with the one dynamically loaded by radeonsi_dri.so. If you get the error:
``` ```

4193
third_party/nixpkgs/doc/redirects.json vendored Normal file

File diff suppressed because it is too large

View file

@ -1 +1 @@
24.11 25.05

View file

@ -115,7 +115,6 @@ lib.mapAttrs mkLicense ({
arphicpl = { arphicpl = {
spdxId = "Arphic-1999"; spdxId = "Arphic-1999";
fullName = "Arphic Public License"; fullName = "Arphic Public License";
url = "https://www.freedesktop.org/wiki/Arphic_Public_License/";
}; };
artistic1 = { artistic1 = {
@ -213,6 +212,11 @@ lib.mapAttrs mkLicense ({
fullName = "BSD 3-Clause Clear License"; fullName = "BSD 3-Clause Clear License";
}; };
bsd3Lbnl = {
spdxId = "BSD-3-Clause-LBNL";
fullName = "Lawrence Berkeley National Labs BSD variant license";
};
bsdOriginal = { bsdOriginal = {
spdxId = "BSD-4-Clause"; spdxId = "BSD-4-Clause";
fullName = ''BSD 4-clause "Original" or "Old" License''; fullName = ''BSD 4-clause "Original" or "Old" License'';
@ -236,7 +240,6 @@ lib.mapAttrs mkLicense ({
bsl11 = { bsl11 = {
spdxId = "BUSL-1.1"; spdxId = "BUSL-1.1";
fullName = "Business Source License 1.1"; fullName = "Business Source License 1.1";
url = "https://mariadb.com/bsl11";
free = false; free = false;
redistributable = true; redistributable = true;
}; };
@ -249,13 +252,11 @@ lib.mapAttrs mkLicense ({
cal10 = { cal10 = {
spdxId = "CAL-1.0"; spdxId = "CAL-1.0";
fullName = "Cryptographic Autonomy License version 1.0 (CAL-1.0)"; fullName = "Cryptographic Autonomy License version 1.0 (CAL-1.0)";
url = "https://opensource.org/licenses/CAL-1.0";
}; };
caldera = { caldera = {
spdxId = "Caldera"; spdxId = "Caldera";
fullName = "Caldera License"; fullName = "Caldera License";
url = "http://www.lemis.com/grog/UNIX/ancient-source-all.pdf";
}; };
capec = { capec = {
@ -459,7 +460,6 @@ lib.mapAttrs mkLicense ({
ecl20 = { ecl20 = {
fullName = "Educational Community License, Version 2.0"; fullName = "Educational Community License, Version 2.0";
url = "https://opensource.org/licenses/ECL-2.0";
shortName = "ECL 2.0"; shortName = "ECL 2.0";
spdxId = "ECL-2.0"; spdxId = "ECL-2.0";
}; };
@ -477,7 +477,6 @@ lib.mapAttrs mkLicense ({
elastic20 = { elastic20 = {
spdxId = "Elastic-2.0"; spdxId = "Elastic-2.0";
fullName = "Elastic License 2.0"; fullName = "Elastic License 2.0";
url = "https://github.com/elastic/elasticsearch/blob/main/licenses/ELASTIC-LICENSE-2.0.txt";
free = false; free = false;
}; };
@ -671,7 +670,6 @@ lib.mapAttrs mkLicense ({
iasl = { iasl = {
spdxId = "Intel-ACPI"; spdxId = "Intel-ACPI";
fullName = "Intel ACPI Software License Agreement"; fullName = "Intel ACPI Software License Agreement";
url = "https://old.calculate-linux.org/packages/licenses/iASL";
}; };
icu = { icu = {
@ -697,7 +695,6 @@ lib.mapAttrs mkLicense ({
info-zip = { info-zip = {
spdxId = "Info-ZIP"; spdxId = "Info-ZIP";
fullName = "Info-ZIP License"; fullName = "Info-ZIP License";
url = "https://infozip.sourceforge.net/license.html";
}; };
inria-compcert = { inria-compcert = {
@ -882,7 +879,6 @@ lib.mapAttrs mkLicense ({
miros = { miros = {
spdxId = "MirOS"; spdxId = "MirOS";
fullName = "MirOS License"; fullName = "MirOS License";
url = "https://opensource.org/licenses/MirOS";
}; };
mit = { mit = {
@ -890,6 +886,11 @@ lib.mapAttrs mkLicense ({
fullName = "MIT License"; fullName = "MIT License";
}; };
mit-cmu = {
spdxId = "MIT-CMU";
fullName = "CMU License";
};
mit-feh = { mit-feh = {
spdxId = "MIT-feh"; spdxId = "MIT-feh";
fullName = "feh License"; fullName = "feh License";
@ -939,7 +940,6 @@ lib.mapAttrs mkLicense ({
mulan-psl2 = { mulan-psl2 = {
spdxId = "MulanPSL-2.0"; spdxId = "MulanPSL-2.0";
fullName = "Mulan Permissive Software License, Version 2"; fullName = "Mulan Permissive Software License, Version 2";
url = "https://license.coscl.org.cn/MulanPSL2";
}; };
naist-2003 = { naist-2003 = {
@ -974,7 +974,6 @@ lib.mapAttrs mkLicense ({
fullName = "Netdata Cloud UI License v1.0"; fullName = "Netdata Cloud UI License v1.0";
free = false; free = false;
redistributable = true; # Only if used in Netdata products. redistributable = true; # Only if used in Netdata products.
url = "https://raw.githubusercontent.com/netdata/netdata/master/web/gui/v2/LICENSE.md";
}; };
nistSoftware = { nistSoftware = {
@ -1072,7 +1071,6 @@ lib.mapAttrs mkLicense ({
parity70 = { parity70 = {
spdxId = "Parity-7.0.0"; spdxId = "Parity-7.0.0";
fullName = "Parity Public License 7.0.0"; fullName = "Parity Public License 7.0.0";
url = "https://paritylicense.com/versions/7.0.0.html";
}; };
php301 = { php301 = {
@ -1094,7 +1092,6 @@ lib.mapAttrs mkLicense ({
psfl = { psfl = {
spdxId = "Python-2.0"; spdxId = "Python-2.0";
fullName = "Python Software Foundation License version 2"; fullName = "Python Software Foundation License version 2";
url = "https://docs.python.org/license.html";
}; };
publicDomain = { publicDomain = {
@ -1223,8 +1220,8 @@ lib.mapAttrs mkLicense ({
}; };
ufl = { ufl = {
spdxId = "Ubuntu-font-1.0";
fullName = "Ubuntu Font License 1.0"; fullName = "Ubuntu Font License 1.0";
url = "https://ubuntu.com/legal/font-licence";
}; };
unfree = { unfree = {
@ -1268,7 +1265,6 @@ lib.mapAttrs mkLicense ({
upl = { upl = {
spdxId = "UPL-1.0"; spdxId = "UPL-1.0";
fullName = "Universal Permissive License"; fullName = "Universal Permissive License";
url = "https://oss.oracle.com/licenses/upl/";
}; };
vim = { vim = {
@ -1334,7 +1330,6 @@ lib.mapAttrs mkLicense ({
xfig = { xfig = {
spdxId = "Xfig"; spdxId = "Xfig";
fullName = "xfig"; fullName = "xfig";
url = "https://mcj.sourceforge.net/authors.html#xfig";
}; };
xinetd = { xinetd = {

View file

@ -415,7 +415,7 @@ in {
On each release the first letter is bumped and a new animal is chosen On each release the first letter is bumped and a new animal is chosen
starting with that new letter. starting with that new letter.
*/ */
codeName = "Vicuna"; codeName = "Warbler";
/** /**
Returns the current nixpkgs version suffix as string. Returns the current nixpkgs version suffix as string.

View file

@ -1834,6 +1834,12 @@
githubId = 10587952; githubId = 10587952;
name = "Armijn Hemel"; name = "Armijn Hemel";
}; };
arminius-smh = {
email = "armin@sprejz.de";
github = "arminius-smh";
githubId = 159054879;
name = "Armin Manfred Sprejz";
};
arnarg = { arnarg = {
email = "arnarg@fastmail.com"; email = "arnarg@fastmail.com";
github = "arnarg"; github = "arnarg";
@ -2832,6 +2838,12 @@
githubId = 24254289; githubId = 24254289;
name = "Payas Relekar"; name = "Payas Relekar";
}; };
bhasherbel = {
email = "nixos.maintainer@bhasher.com";
github = "bhasherbel";
githubId = 45831883;
name = "Brieuc Dubois";
};
bhipple = { bhipple = {
email = "bhipple@protonmail.com"; email = "bhipple@protonmail.com";
github = "bhipple"; github = "bhipple";
@ -4122,6 +4134,12 @@
githubId = 43564; githubId = 43564;
name = "Claes Holmerson"; name = "Claes Holmerson";
}; };
claha = {
email = "hallstrom.claes@gmail.com";
github = "claha";
githubId = 9336788;
name = "Claes Hallström";
};
clebs = { clebs = {
email = "borja.clemente@gmail.com"; email = "borja.clemente@gmail.com";
github = "clebs"; github = "clebs";
@ -4167,6 +4185,12 @@
githubId = 69784758; githubId = 69784758;
matrix = "@clot27:matrix.org"; matrix = "@clot27:matrix.org";
}; };
cloudripper = {
email = "other.wing8806@fastmail.com";
github = "cloudripper";
githubId = 70971768;
name = "cloudripper";
};
clr-cera = { clr-cera = {
email = "clrcera05@gmail.com"; email = "clrcera05@gmail.com";
github = "clr-cera"; github = "clr-cera";
@ -4483,7 +4507,7 @@
name = "Chris Ostrouchov"; name = "Chris Ostrouchov";
}; };
cottand = { cottand = {
email = "nico@dcotta.eu"; email = "nico@dcotta.com";
github = "cottand"; github = "cottand";
githubId = 45274424; githubId = 45274424;
name = "Nico D'Cotta"; name = "Nico D'Cotta";
@ -4769,6 +4793,12 @@
githubId = 743057; githubId = 743057;
name = "Danylo Hlynskyi"; name = "Danylo Hlynskyi";
}; };
danbulant = {
name = "Daniel Bulant";
email = "danbulant@gmail.com";
github = "danbulant";
githubId = 30036876;
};
danc86 = { danc86 = {
name = "Dan Callaghan"; name = "Dan Callaghan";
email = "djc@djc.id.au"; email = "djc@djc.id.au";
@ -5150,6 +5180,12 @@
github = "DeclanRixon"; github = "DeclanRixon";
githubId = 57464835; githubId = 57464835;
}; };
deeengan = {
github = "deeengan";
githubId = 87693324;
name = "Dee Engan";
keys = [ { fingerprint = "9C24 79F5 F0CE 48F4 00EE 4A5B B8ED 46EB 468B F72D"; } ];
};
deejayem = { deejayem = {
email = "nixpkgs.bu5hq@simplelogin.com"; email = "nixpkgs.bu5hq@simplelogin.com";
github = "deejayem"; github = "deejayem";
@ -5762,6 +5798,12 @@
githubId = 6806011; githubId = 6806011;
name = "Robert Schütz"; name = "Robert Schütz";
}; };
dotmobo = {
email = "morgan.bohn@gmail.com";
github = "dotmobo";
githubId = 1997638;
name = ".mobo";
};
dottedmag = { dottedmag = {
email = "dottedmag@dottedmag.net"; email = "dottedmag@dottedmag.net";
github = "dottedmag"; github = "dottedmag";
@ -5835,7 +5877,7 @@
name = "Sebastian Krohn"; name = "Sebastian Krohn";
}; };
drawbu = { drawbu = {
email = "clement21.boillot@gmail.com"; email = "clement2104.boillot@gmail.com";
github = "drawbu"; github = "drawbu";
githubId = 69208565; githubId = 69208565;
name = "Clément Boillot"; name = "Clément Boillot";
@ -7105,6 +7147,12 @@
githubId = 628359; githubId = 628359;
name = "Felix Singer"; name = "Felix Singer";
}; };
felixzieger = {
name = "Felix Zieger";
github = "felixzieger";
githubId = 67903933;
email = "nixpkgs@felixzieger.de";
};
felschr = { felschr = {
email = "dev@felschr.com"; email = "dev@felschr.com";
matrix = "@felschr:matrix.org"; matrix = "@felschr:matrix.org";
@ -8299,6 +8347,14 @@
githubId = 7385287; githubId = 7385287;
name = "Lana Black"; name = "Lana Black";
}; };
grgi = {
name = "Gregor Giesen";
email = "gregor@giesen.net";
matrix = "@gregor:giesen.net";
github = "grgi";
githubId = 6435815;
keys = [ { fingerprint = "0F92 602B 1860 4476 77F4 8A67 C303 16AA C10F 3EA7"; } ];
};
gridaphobe = { gridaphobe = {
email = "eric@seidel.io"; email = "eric@seidel.io";
github = "gridaphobe"; github = "gridaphobe";
@ -10285,6 +10341,13 @@
githubId = 2502736; githubId = 2502736;
name = "James Hillyerd"; name = "James Hillyerd";
}; };
jhol = {
name = "Joel Holdsworth";
email = "joel@airwebreathe.org.uk";
github = "jhol";
githubId = 1449493;
keys = [ { fingerprint = "08F7 2546 95DE EAEF 03DE B0E4 D874 562D DC99 D889"; } ];
};
jhollowe = { jhollowe = {
email = "jhollowe@johnhollowell.com"; email = "jhollowe@johnhollowell.com";
github = "jhollowe"; github = "jhollowe";
@ -10935,6 +10998,12 @@
githubId = 54635632; githubId = 54635632;
keys = [ { fingerprint = "4C68 56EE DFDA 20FB 77E8 9169 1964 2151 C218 F6F5"; } ]; keys = [ { fingerprint = "4C68 56EE DFDA 20FB 77E8 9169 1964 2151 C218 F6F5"; } ];
}; };
jthulhu = {
name = "Adrien Mathieu";
email = "adrien.lc.mathieu@gmail.com";
github = "jthulhu";
githubId = 23179762;
};
jtobin = { jtobin = {
email = "jared@jtobin.io"; email = "jared@jtobin.io";
github = "jtobin"; github = "jtobin";
@ -11440,6 +11509,13 @@
name = "Khushraj Rathod"; name = "Khushraj Rathod";
keys = [ { fingerprint = "1988 3FD8 EA2E B4EC 0A93 1E22 B77B 2A40 E770 2F19"; } ]; keys = [ { fingerprint = "1988 3FD8 EA2E B4EC 0A93 1E22 B77B 2A40 E770 2F19"; } ];
}; };
kiara = {
name = "kiara";
email = "cinereal@riseup.net";
github = "KiaraGrouwstra";
githubId = 3059397;
matrix = "@cinerealkiara:matrix.org";
};
KibaFox = { KibaFox = {
email = "kiba.fox@foxypossibilities.com"; email = "kiba.fox@foxypossibilities.com";
github = "KibaFox"; github = "KibaFox";
@ -11804,6 +11880,12 @@
githubId = 26622971; githubId = 26622971;
name = "Ronnie Ebrin"; name = "Ronnie Ebrin";
}; };
kraftnix = {
email = "kraftnix@protonmail.com";
github = "kraftnix";
githubId = 83026656;
name = "kraftnix";
};
kragniz = { kragniz = {
email = "louis@kragniz.eu"; email = "louis@kragniz.eu";
github = "kragniz"; github = "kragniz";
@ -11883,6 +11965,12 @@
github = "krzaczek"; github = "krzaczek";
githubId = 5773701; githubId = 5773701;
}; };
KSJ2000 = {
email = "katsho123@outlook.com";
name = "KSJ2000";
github = "KSJ2000";
githubId = 184105270;
};
ktf = { ktf = {
email = "giulio.eulisse@cern.ch"; email = "giulio.eulisse@cern.ch";
github = "ktf"; github = "ktf";
@ -11920,6 +12008,13 @@
name = "André Kugland"; name = "André Kugland";
keys = [ { fingerprint = "6A62 5E60 E3FF FCAE B3AA 50DC 1DA9 3817 80CD D833"; } ]; keys = [ { fingerprint = "6A62 5E60 E3FF FCAE B3AA 50DC 1DA9 3817 80CD D833"; } ];
}; };
kuglimon = {
name = "Tatu Argillander";
email = "tatu.argillander@kouralabs.com";
github = "kuglimon";
githubId = 629430;
keys = [ { fingerprint = "2843 750C B1AB E256 94BE 40E2 D843 D30B 42CA 0E2D"; } ];
};
kupac = { kupac = {
github = "Kupac"; github = "Kupac";
githubId = 8224569; githubId = 8224569;
@ -13412,6 +13507,12 @@
githubId = 1709273; githubId = 1709273;
name = "Robin Hack"; name = "Robin Hack";
}; };
marnym = {
email = "markus@nyman.dev";
github = "marnym";
githubId = 56825922;
name = "Markus Nyman";
};
marsupialgutz = { marsupialgutz = {
email = "mars@possums.xyz"; email = "mars@possums.xyz";
github = "pupbrained"; github = "pupbrained";
@ -14334,12 +14435,6 @@
githubId = 5378535; githubId = 5378535;
name = "Milo Gertjejansen"; name = "Milo Gertjejansen";
}; };
milran = {
email = "milranmike@protonmail.com";
github = "wattmto";
githubId = 93639059;
name = "Milran Mike";
};
mimame = { mimame = {
email = "miguel.madrid.mencia@gmail.com"; email = "miguel.madrid.mencia@gmail.com";
github = "mimame"; github = "mimame";
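Review bot: the `milran` attribute removed here comes back further down this file as `wattmto` with the same `githubId = 93639059`, so this is a handle rename rather than a removal. Any `meta.maintainers` entry or team list that still refers to `milran` will fail to evaluate once the attribute is gone; please confirm all references were renamed in the same change.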
@ -14494,12 +14589,6 @@
githubId = 16974598; githubId = 16974598;
name = "Mike Playle"; name = "Mike Playle";
}; };
mkaito = {
email = "chris@mkaito.net";
github = "mkaito";
githubId = 20434;
name = "Christian Höppner";
};
mkazulak = { mkazulak = {
email = "kazulakm@gmail.com"; email = "kazulakm@gmail.com";
github = "mulderr"; github = "mulderr";
@ -15117,6 +15206,13 @@
githubId = 1234956; githubId = 1234956;
"keys" = [ { "fingerprint" = "F21A 6194 C9DB 9899 CD09 E24E 434B 2C14 B8C3 3422"; } ]; "keys" = [ { "fingerprint" = "F21A 6194 C9DB 9899 CD09 E24E 434B 2C14 B8C3 3422"; } ];
}; };
nadiaholmquist = {
name = "Nadia Holmquist Pedersen";
email = "nadia@nhp.sh";
matrix = "@nhp:matrix.org";
github = "nadiaholmquist";
githubId = 893884;
};
nadir-ishiguro = { nadir-ishiguro = {
github = "nadir-ishiguro"; github = "nadir-ishiguro";
githubId = 23151917; githubId = 23151917;
@ -15846,6 +15942,12 @@
githubId = 30374463; githubId = 30374463;
name = "Michal S."; name = "Michal S.";
}; };
notthebee = {
email = "moe@notthebe.ee";
github = "notthebee";
githubId = 30384331;
name = "Wolfgang";
};
notthemessiah = { notthemessiah = {
email = "brian.cohen.88@gmail.com"; email = "brian.cohen.88@gmail.com";
github = "NOTtheMessiah"; github = "NOTtheMessiah";
@ -16519,6 +16621,13 @@
githubId = 120342602; githubId = 120342602;
name = "Michael Paepcke"; name = "Michael Paepcke";
}; };
pagedMov = {
email = "kylerclay@proton.me";
github = "pagedMov";
githubId = 19557376;
name = "Kyler Clay";
keys = [ { fingerprint = "784B 3623 94E7 8F11 0B9D AE0F 56FD CFA6 2A93 B51E"; } ];
};
paholg = { paholg = {
email = "paho@paholg.com"; email = "paho@paholg.com";
github = "paholg"; github = "paholg";
@ -16793,6 +16902,12 @@
githubId = 943430; githubId = 943430;
name = "David Hagege"; name = "David Hagege";
}; };
peat-psuwit = {
name = "Ratchanan Srirattanamet";
email = "peat@peat-network.xyz";
github = "peat-psuwit";
githubId = 6771175;
};
pedohorse = { pedohorse = {
github = "pedohorse"; github = "pedohorse";
githubId = 13556996; githubId = 13556996;
@ -18098,12 +18213,6 @@
githubId = 5653911; githubId = 5653911;
name = "Rampoina"; name = "Rampoina";
}; };
rane = {
email = "rane+nix@junkyard.systems";
github = "digitalrane";
githubId = 1829286;
name = "Rane";
};
ranfdev = { ranfdev = {
email = "ranfdev@gmail.com"; email = "ranfdev@gmail.com";
name = "Lorenzo Miglietta"; name = "Lorenzo Miglietta";
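Review bot: removing the `rane` entry is only safe if every reference to it is removed too. The team-list hunk in this commit drops `rane` from the Xen team, which covers one of them; please also check that no package's `meta.maintainers` still lists `rane`, since a dangling reference is an evaluation error.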
@ -18728,6 +18837,12 @@
githubId = 6204883; githubId = 6204883;
name = "Longrin Wischnewski"; name = "Longrin Wischnewski";
}; };
robbiebuxton = {
email = "robbiesbuxton@gmail.com";
github = "robbiebuxton";
githubId = 67549526;
name = "Robbie Buxton";
};
robbinch = { robbinch = {
email = "robbinch33@gmail.com"; email = "robbinch33@gmail.com";
github = "robbinch"; github = "robbinch";
@ -19573,6 +19688,13 @@
githubId = 5104601; githubId = 5104601;
name = "schnusch"; name = "schnusch";
}; };
schrobingus = {
email = "brent.monning.jr@gmail.com";
name = "Brent Monning";
github = "schrobingus";
githubId = 72168352;
matrix = "@schrobingus:matrix.org";
};
Schweber = { Schweber = {
github = "Schweber"; github = "Schweber";
githubId = 64630479; githubId = 64630479;
@ -23309,6 +23431,12 @@
github = "water-sucks"; github = "water-sucks";
githubId = 68445574; githubId = 68445574;
}; };
wattmto = {
email = "dev@wattmto.dev";
github = "wattmto";
githubId = 93639059;
name = "wattmto";
};
waynr = { waynr = {
name = "Wayne Warren"; name = "Wayne Warren";
email = "wayne.warren.s@gmail.com"; email = "wayne.warren.s@gmail.com";
@ -23440,6 +23568,12 @@
githubId = 7121530; githubId = 7121530;
name = "Wolf Honoré"; name = "Wolf Honoré";
}; };
whtsht = {
email = "whiteshirt0079@gmail.com";
github = "whtsht";
githubId = 85547207;
name = "Hinata Toma";
};
wietsedv = { wietsedv = {
email = "wietsedv@proton.me"; email = "wietsedv@proton.me";
github = "wietsedv"; github = "wietsedv";
@ -24086,7 +24220,7 @@
githubId = 47071325; githubId = 47071325;
}; };
ymstnt = { ymstnt = {
name = "YMSTNT"; name = "ymstnt";
github = "ymstnt"; github = "ymstnt";
githubId = 21342713; githubId = 21342713;
}; };

View file

@ -8,69 +8,12 @@
to 'fetch-deps', 'nuget-to-nix', or other changes to the dotnet build to 'fetch-deps', 'nuget-to-nix', or other changes to the dotnet build
infrastructure. Regular updates should be done through the individual packages infrastructure. Regular updates should be done through the individual packages
update scripts. update scripts.
*/ */
{ startWith ? null }: { ... }@args:
let import ./update.nix (
pkgs = import ../.. { config.allowAliases = false; }; {
predicate = _: _: true;
inherit (pkgs) lib; get-script = pkg: pkg.fetch-deps or null;
}
packagesWith = cond: pkgs: // args
let )
packagesWithInner = attrs:
lib.concatLists (
lib.mapAttrsToList (name: elem:
let
result = builtins.tryEval elem;
in
if result.success then
let
value = result.value;
in
if lib.isDerivation value then
lib.optional (cond value) value
else
if lib.isAttrs value && (value.recurseForDerivations or false || value.recurseForRelease or false) then
packagesWithInner value
else []
else []) attrs);
in
packagesWithInner pkgs;
packages = lib.unique
(lib.filter (p:
(builtins.tryEval p.outPath).success ||
builtins.trace "warning: skipping ${p.name} because it failed to evaluate" false)
((pkgs: (lib.drop (lib.lists.findFirstIndex (p: p.name == startWith) 0 pkgs) pkgs))
(packagesWith (p: p ? fetch-deps) pkgs)));
helpText = ''
Please run:
% nix-shell maintainers/scripts/update-dotnet-lockfiles.nix
'';
fetchScripts = map (p: p.fetch-deps) packages;
in pkgs.stdenv.mkDerivation {
name = "nixpkgs-update-dotnet-lockfiles";
buildCommand = ''
echo ""
echo "----------------------------------------------------------------"
echo ""
echo "Not possible to update packages using \`nix-build\`"
echo ""
echo "${helpText}"
echo "----------------------------------------------------------------"
exit 1
'';
shellHook = ''
unset shellHook # do not contaminate nested shells
set -e
for x in $fetchScripts; do
$x
done
exit
'';
inherit fetchScripts;
}
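Review bot: in the new `import ./update.nix (...)` call, `// args` is applied after the `predicate` and `get-script` defaults, so a caller-supplied `predicate` or `get-script` silently replaces them and this file can end up running ordinary update scripts instead of `fetch-deps`. If that override is not intended, put the fixed values on the right-hand side (`args // { predicate = ...; get-script = ...; }`). The `startWith` argument and the `helpText` invocation are removed as well, so the header comment should show the new way to run this file and how to resume a partial run.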

View file

@ -8,6 +8,7 @@
{ package ? null { package ? null
, maintainer ? null , maintainer ? null
, predicate ? null , predicate ? null
, get-script ? pkg: pkg.updateScript or null
, path ? null , path ? null
, max-workers ? null , max-workers ? null
, include-overlays ? false , include-overlays ? false
@ -17,13 +18,13 @@
}: }:
let let
pkgs = import ./../../default.nix ( pkgs = import ./../../default.nix ((
if include-overlays == false then if include-overlays == false then
{ overlays = []; } { overlays = []; }
else if include-overlays == true then else if include-overlays == true then
{ } # Let Nixpkgs include overlays impurely. { } # Let Nixpkgs include overlays impurely.
else { overlays = include-overlays; } else { overlays = include-overlays; }
); ) // { config.allowAliases = false; });
inherit (pkgs) lib; inherit (pkgs) lib;
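Review bot: the added `// { config.allowAliases = false; }` sets `config` for every caller of `update.nix`, including the `include-overlays == true` branch whose comment says Nixpkgs should pick things up impurely. Please confirm that passing `config` explicitly does not stop the user's own Nixpkgs configuration from being read, and add a short comment saying why aliases are disabled here (the removed dotnet script set the same option).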
@ -56,7 +57,7 @@ let
somewhatUniqueRepresentant = somewhatUniqueRepresentant =
{ package, attrPath }: { { package, attrPath }: {
inherit (package) updateScript; updateScript = (get-script package);
# Some updaters use the same `updateScript` value for all packages. # Some updaters use the same `updateScript` value for all packages.
# Also compare `meta.description`. # Also compare `meta.description`.
position = package.meta.position or null; position = package.meta.position or null;
@ -89,7 +90,7 @@ let
/* Recursively find all packages in `pkgs` with updateScript matching given predicate. /* Recursively find all packages in `pkgs` with updateScript matching given predicate.
*/ */
packagesWithUpdateScriptMatchingPredicate = cond: packagesWithUpdateScriptMatchingPredicate = cond:
packagesWith (path: pkg: builtins.hasAttr "updateScript" pkg && cond path pkg); packagesWith (path: pkg: (get-script pkg != null) && cond path pkg);
/* Recursively find all packages in `pkgs` with updateScript by given maintainer. /* Recursively find all packages in `pkgs` with updateScript by given maintainer.
*/ */
@ -121,7 +122,7 @@ let
if pathContent == null then if pathContent == null then
builtins.throw "Attribute path `${path}` does not exist." builtins.throw "Attribute path `${path}` does not exist."
else else
packagesWithPath prefix (path: pkg: builtins.hasAttr "updateScript" pkg) packagesWithPath prefix (path: pkg: (get-script pkg != null))
pathContent; pathContent;
/* Find a package under `path` in `pkgs` and require that it has an updateScript. /* Find a package under `path` in `pkgs` and require that it has an updateScript.
@ -132,7 +133,7 @@ let
in in
if package == null then if package == null then
builtins.throw "Package with an attribute name `${path}` does not exist." builtins.throw "Package with an attribute name `${path}` does not exist."
else if ! builtins.hasAttr "updateScript" package then else if get-script package == null then
builtins.throw "Package with an attribute name `${path}` does not have a `passthru.updateScript` attribute defined." builtins.throw "Package with an attribute name `${path}` does not have a `passthru.updateScript` attribute defined."
else else
{ attrPath = path; inherit package; }; { attrPath = path; inherit package; };
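Review bot: the check is now `get-script package == null`, but the error text still says the package "does not have a `passthru.updateScript` attribute defined". When `get-script` is overridden (the dotnet wrapper passes `pkg.fetch-deps or null`), that message points the user at the wrong attribute. Reword it to something neutral such as "does not have an update script", or name the attribute that was actually looked up.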
@ -193,13 +194,13 @@ let
/* Transform a matched package into an object for update.py. /* Transform a matched package into an object for update.py.
*/ */
packageData = { package, attrPath }: { packageData = { package, attrPath }: let updateScript = get-script package; in {
name = package.name; name = package.name;
pname = lib.getName package; pname = lib.getName package;
oldVersion = lib.getVersion package; oldVersion = lib.getVersion package;
updateScript = map builtins.toString (lib.toList (package.updateScript.command or package.updateScript)); updateScript = map builtins.toString (lib.toList (updateScript.command or updateScript));
supportedFeatures = package.updateScript.supportedFeatures or []; supportedFeatures = updateScript.supportedFeatures or [];
attrPath = package.updateScript.attrPath or attrPath; attrPath = updateScript.attrPath or attrPath;
}; };
/* JSON file with data for update.py. /* JSON file with data for update.py.
@ -230,4 +231,5 @@ in pkgs.stdenv.mkDerivation {
unset shellHook # do not contaminate nested shells unset shellHook # do not contaminate nested shells
exec ${pkgs.python3.interpreter} ${./update.py} ${builtins.concatStringsSep " " args} exec ${pkgs.python3.interpreter} ${./update.py} ${builtins.concatStringsSep " " args}
''; '';
nativeBuildInputs = [ pkgs.git pkgs.nix pkgs.cacert ];
} }
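Review bot: `nativeBuildInputs = [ pkgs.git pkgs.nix pkgs.cacert ];` is added without a comment saying which consumer needs these tools. A one-line comment would help, and since this shell now also runs the `fetch-deps` scripts that download dependencies, state whether `pkgs.cacert` is there to provide the CA bundle for those downloads.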

View file

@ -1076,7 +1076,6 @@ with lib.maintainers;
members = [ members = [
hehongbo hehongbo
lach lach
rane
sigmasquadron sigmasquadron
]; ];
scope = "Maintain the Xen Project Hypervisor and the related tooling ecosystem."; scope = "Maintain the Xen Project Hypervisor and the related tooling ecosystem.";

View file

@ -52,7 +52,7 @@ and [](#opt-services.kubernetes.easyCerts)
to true. This sets up flannel as CNI and activates automatic PKI bootstrapping. to true. This sets up flannel as CNI and activates automatic PKI bootstrapping.
::: {.note} ::: {.note}
As of NixOS 19.03, it is mandatory to configure: It is mandatory to configure:
[](#opt-services.kubernetes.masterAddress). [](#opt-services.kubernetes.masterAddress).
The masterAddress must be resolveable and routeable by all cluster nodes. The masterAddress must be resolveable and routeable by all cluster nodes.
In single node clusters, this can be set to `localhost`. In single node clusters, this can be set to `localhost`.

View file

@ -17,6 +17,12 @@ There's also [a convenient development daemon](https://nixos.org/manual/nixpkgs/
The above instructions don't deal with the appendix of available `configuration.nix` options, and the manual pages related to NixOS. These are built, and written in a different location and in a different format, as explained in the next sections. The above instructions don't deal with the appendix of available `configuration.nix` options, and the manual pages related to NixOS. These are built, and written in a different location and in a different format, as explained in the next sections.
## Testing redirects {#sec-contributing-redirects}
Once you have a successful build, you can open the relevant HTML (path mentioned above) in a browser along with the anchor, and observe the redirection.
Note that if you already loaded the page and *then* input the anchor, you will need to perform a reload. This is because browsers do not re-run client JS code when only the anchor has changed.
## Contributing to the `configuration.nix` options documentation {#sec-contributing-options} ## Contributing to the `configuration.nix` options documentation {#sec-contributing-options}
The documentation for all the different `configuration.nix` options is automatically generated by reading the `description`s of all the NixOS options defined at `nixos/modules/`. If you want to improve such `description`, find it in the `nixos/modules/` directory, and edit it and open a pull request. The documentation for all the different `configuration.nix` options is automatically generated by reading the `description`s of all the NixOS options defined at `nixos/modules/`. If you want to improve such `description`, find it in the `nixos/modules/` directory, and edit it and open a pull request.

View file

@ -122,6 +122,7 @@ in rec {
nixos-render-docs -j $NIX_BUILD_CORES manual html \ nixos-render-docs -j $NIX_BUILD_CORES manual html \
--manpage-urls ${manpageUrls} \ --manpage-urls ${manpageUrls} \
--redirects ${./redirects.json} \
--revision ${escapeShellArg revision} \ --revision ${escapeShellArg revision} \
--generator "nixos-render-docs ${pkgs.lib.version}" \ --generator "nixos-render-docs ${pkgs.lib.version}" \
--stylesheet style.css \ --stylesheet style.css \

View file

@ -312,6 +312,8 @@ have a predefined type and string generator already declared under
may be transformed into multiple key-value pairs depending on may be transformed into multiple key-value pairs depending on
`listToValue`). `listToValue`).
The attribute `lib.type.atom` contains the used INI atom.
`pkgs.formats.iniWithGlobalSection` { *`listsAsDuplicateKeys`* ? false, *`listToValue`* ? null, \.\.\. } `pkgs.formats.iniWithGlobalSection` { *`listsAsDuplicateKeys`* ? false, *`listToValue`* ? null, \.\.\. }
: A function taking an attribute set with values : A function taking an attribute set with values
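Review bot: the added sentence "The attribute `lib.type.atom` contains the used INI atom." does not say which value carries the attribute or what it is for. Please confirm the attribute path is spelled as the code defines it (`type` versus `types`), say that it is found on the value returned by `pkgs.formats.ini { ... }`, and describe it as the option type of a single INI value. The same wording is repeated in the `iniWithGlobalSection` hunk below and should be fixed there too.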
@ -333,6 +335,8 @@ have a predefined type and string generator already declared under
attrset of key-value pairs for a single section, the global section which attrset of key-value pairs for a single section, the global section which
preceedes the section definitions. preceedes the section definitions.
The attribute `lib.type.atom` contains the used INI atom.
`pkgs.formats.toml` { } `pkgs.formats.toml` { }
: A function taking an empty attribute set (for future extensibility) : A function taking an empty attribute set (for future extensibility)

View file

@ -206,8 +206,7 @@ The first steps to all these are the same:
line) line)
::: {.note} ::: {.note}
Support for `NIXOS_LUSTRATE` was added in NixOS 16.09. The act of The act of "lustrating" refers to the wiping of the existing distribution.
"lustrating" refers to the wiping of the existing distribution.
Creating `/etc/NIXOS_LUSTRATE` can also be used on NixOS to remove Creating `/etc/NIXOS_LUSTRATE` can also be used on NixOS to remove
all mutable files from your root partition (anything that's not in all mutable files from your root partition (anything that's not in
`/nix` or `/boot` gets "lustrated" on the next boot. `/nix` or `/boot` gets "lustrated" on the next boot.

File diff suppressed because it is too large

View file

@ -3,6 +3,7 @@
This section lists the release notes for each stable version of NixOS and current unstable revision. This section lists the release notes for each stable version of NixOS and current unstable revision.
```{=include=} sections ```{=include=} sections
rl-2505.section.md
rl-2411.section.md rl-2411.section.md
rl-2405.section.md rl-2405.section.md
rl-2311.section.md rl-2311.section.md

View file

@ -101,8 +101,12 @@
systemd-sysusers to achieve a system without Perl, as it can create normal systemd-sysusers to achieve a system without Perl, as it can create normal
users and change passwords. Available as [services.userborn](#opt-services.userborn.enable). users and change passwords. Available as [services.userborn](#opt-services.userborn.enable).
- [g810-led](https://github.com/MatMoul/g810-led), a LED controller for Logitech G keyboards. Available as [services.g810-led](options.html#opt-services.g810-led.enable).
- [Hatsu](https://github.com/importantimport/hatsu), a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as [services.hatsu](options.html#opt-services.hatsu.enable). - [Hatsu](https://github.com/importantimport/hatsu), a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as [services.hatsu](options.html#opt-services.hatsu.enable).
- [Soteria](https://github.com/ImVaskel/soteria), a polkit authentication agent to handle elevated prompts for any desktop environment. Normally this should only be used on DEs or WMs that do not provide a graphical polkit frontend on their own. Available as [`security.soteria`](#opt-security.soteria.enable).
- [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood.enable). - [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood.enable).
- [Niri](https://github.com/YaLTeR/niri), a scrollable-tiling Wayland compositor. Available as [programs.niri](options.html#opt-programs.niri.enable). - [Niri](https://github.com/YaLTeR/niri), a scrollable-tiling Wayland compositor. Available as [programs.niri](options.html#opt-programs.niri.enable).
@ -115,6 +119,8 @@
- [Eintopf](https://eintopf.info), a community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf.enable). - [Eintopf](https://eintopf.info), a community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf.enable).
- [`pay-respects`](https://codeberg.org/iff/pay-respects), a terminal command correction program, alternative to `thefuck`, written in Rust. Available as [programs.pay-respects](options.html#opt-programs.pay-respects).
- [Radicle](https://radicle.xyz), an open source, peer-to-peer code collaboration stack built on Git. Available as [services.radicle](#opt-services.radicle.enable). - [Radicle](https://radicle.xyz), an open source, peer-to-peer code collaboration stack built on Git. Available as [services.radicle](#opt-services.radicle.enable).
- [ddns-updater](https://github.com/qdm12/ddns-updater), a service with a WebUI to update DNS records periodically for many providers. Available as [services.ddns-updater](#opt-services.ddns-updater.enable). - [ddns-updater](https://github.com/qdm12/ddns-updater), a service with a WebUI to update DNS records periodically for many providers. Available as [services.ddns-updater](#opt-services.ddns-updater.enable).
@ -123,6 +129,8 @@
- [HomeBox](https://github.com/sysadminsmedia/homebox), an inventory and organization system built for the home user. Available as [services.homebox](#opt-services.homebox.enable). - [HomeBox](https://github.com/sysadminsmedia/homebox), an inventory and organization system built for the home user. Available as [services.homebox](#opt-services.homebox.enable).
- [evremap](https://github.com/wez/evremap), a keyboard input remapper for Linux/Wayland systems. Available as [services.evremap](options.html#opt-services.evremap).
- [matrix-hookshot](https://matrix-org.github.io/matrix-hookshot), a Matrix bot for connecting to external services. Available as [services.matrix-hookshot](#opt-services.matrix-hookshot.enable). - [matrix-hookshot](https://matrix-org.github.io/matrix-hookshot), a Matrix bot for connecting to external services. Available as [services.matrix-hookshot](#opt-services.matrix-hookshot.enable).
- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various Git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable). - [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various Git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).
@ -131,6 +139,8 @@
- [zeronsd](https://github.com/zerotier/zeronsd), a DNS server for ZeroTier users. Available with [services.zeronsd.servedNetworks](#opt-services.zeronsd.servedNetworks). - [zeronsd](https://github.com/zerotier/zeronsd), a DNS server for ZeroTier users. Available with [services.zeronsd.servedNetworks](#opt-services.zeronsd.servedNetworks).
- [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](#opt-services.agorakit.enable).
- [Collabora Online](https://www.collaboraonline.com/), a collaborative online office suite based on LibreOffice technology. Available as [services.collabora-online](options.html#opt-services.collabora-online.enable). - [Collabora Online](https://www.collaboraonline.com/), a collaborative online office suite based on LibreOffice technology. Available as [services.collabora-online](options.html#opt-services.collabora-online.enable).
- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a WebUI for connecting devices. Available as [services.wg-access-server](#opt-services.wg-access-server.enable). - [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a WebUI for connecting devices. Available as [services.wg-access-server](#opt-services.wg-access-server.enable).
@ -195,6 +205,8 @@
- [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](option.html#opt-services.zapret.enable). - [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](option.html#opt-services.zapret.enable).
- [Glances](https://github.com/nicolargo/glances), an open-source system cross-platform monitoring tool. Available as [services.glances](option.html#opt-services.glances).
## Backward Incompatibilities {#sec-release-24.11-incompatibilities} ## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
- Nixpkgs now requires Nix 2.3.17 or newer to allow for zstd compressed binary artifacts. - Nixpkgs now requires Nix 2.3.17 or newer to allow for zstd compressed binary artifacts.
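Review bot: the new Glances entry links to `option.html#opt-services.glances`, while other entries added in this same file use the `options.html#opt-....enable` form, for example g810-led with `options.html#opt-services.g810-led.enable`. Point the link at `options.html` and at a concrete option anchor, otherwise it is likely to resolve to nothing in the rendered manual. The Zapret context line directly above has the same `option.html` spelling and could be fixed in the same pass.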
@ -203,8 +215,9 @@
- The NVIDIA driver no longer defaults to the proprietary kernel module with versions >= 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open modules. - The NVIDIA driver no longer defaults to the proprietary kernel module with versions >= 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open modules.
- The `(buildPythonPackage { ... }).override` attribute is now deprecated and removed in favour of `overridePythonAttrs`. - The `(buildPythonPackage { ... }).override` and `(buildPythonPackage { ... }).overrideDerivation` attributes is now deprecated and removed in favour of `overridePythonAttrs` and `lib.overrideDerivation`.
This change does not affect the override interface of most Python packages, as [`<pkg>.override`](https://nixos.org/manual/nixpkgs/unstable/#sec-pkg-override) provided by `callPackage` shadows such a locally-defined `override` attribute. This change does not affect the override interface of most Python packages, as [`<pkg>.override`](https://nixos.org/manual/nixpkgs/unstable/#sec-pkg-override) provided by `callPackage` shadows such a locally-defined `override` attribute.
The `<pkg>.overrideDerivation` attribute of Python packages called with `callPackage` will also remain available after this change.
- All Cinnamon and XApp packages have been moved to top-level (i.e., `cinnamon.nemo` is now `nemo`). - All Cinnamon and XApp packages have been moved to top-level (i.e., `cinnamon.nemo` is now `nemo`).
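Review bot: the rewritten `buildPythonPackage` item now names two attributes but keeps the singular verb ("attributes is now deprecated"); it should read "attributes are". "Deprecated and removed" is also ambiguous about whether the attributes still exist in this release. Say which it is, and pair each attribute with its replacement (`override` with `overridePythonAttrs`, `overrideDerivation` with `lib.overrideDerivation`) so the mapping is explicit.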
@ -225,7 +238,7 @@
- The VirtualBox demo installer appliance has been removed. - The VirtualBox demo installer appliance has been removed.
Please use the standard installer ISOs instead. Please use the standard installer ISOs instead.
- `grafana` has been updated to version 11.1. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected. - `grafana` has been updated to version 11.3. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected.
- `deno` has been updated to Deno 2, which has breaking changes. - `deno` has been updated to Deno 2, which has breaking changes.
See the [migration guide](https://docs.deno.com/runtime/reference/migration_guide/) for details. See the [migration guide](https://docs.deno.com/runtime/reference/migration_guide/) for details.
@ -236,6 +249,8 @@
- `knot-dns` has been updated to version 3.4.x. Check the [migration guide](https://www.knot-dns.cz/docs/latest/html/migration.html#upgrade-3-3-x-to-3-4-x) for breaking changes. - `knot-dns` has been updated to version 3.4.x. Check the [migration guide](https://www.knot-dns.cz/docs/latest/html/migration.html#upgrade-3-3-x-to-3-4-x) for breaking changes.
- `mutmut` has been updated to version 3.0.5.
- `services.kubernetes.kubelet.clusterDns` now accepts a list of DNS resolvers rather than a single string, bringing the module more in line with the upstream Kubelet configuration schema. - `services.kubernetes.kubelet.clusterDns` now accepts a list of DNS resolvers rather than a single string, bringing the module more in line with the upstream Kubelet configuration schema.
- `bluemap` has changed the format used to store map tiles, and the database layout has been heavily modified. Upstream recommends a clean reinstallation: <https://github.com/BlueMap-Minecraft/BlueMap/releases/tag/v5.2>. Unless you are using an SQL storage backend, this should only entail deleting the contents of `config.services.bluemap.coreSettings.data` (defaults to `/var/lib/bluemap`) and `config.services.bluemap.webRoot` (defaults to `/var/lib/bluemap/web`). - `bluemap` has changed the format used to store map tiles, and the database layout has been heavily modified. Upstream recommends a clean reinstallation: <https://github.com/BlueMap-Minecraft/BlueMap/releases/tag/v5.2>. Unless you are using an SQL storage backend, this should only entail deleting the contents of `config.services.bluemap.coreSettings.data` (defaults to `/var/lib/bluemap`) and `config.services.bluemap.webRoot` (defaults to `/var/lib/bluemap/web`).
@ -303,10 +318,21 @@
- The `mautrix-signal` module was adapted to incorporate the configuration changes that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work. - The `mautrix-signal` module was adapted to incorporate the configuration changes that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work.
In case you want to update your configuration, make sure to check the NixOS manual. In case you want to update your configuration, make sure to check the NixOS manual.
- `cargo-tauri` has been updated to major version 2. Please review [the migration guide](https://tauri.app/start/migrate/from-tauri-1/).
v1 of `cargo-tauri` is still available as `cargo-tauri_1`, but will be removed in future releases.
- The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver. - The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver.
- `postgresql_12` has been removed since it reached its end of life.
- `postgresql` no longer accepts the `enableSystemd` override. Use `systemdSupport` instead. - `postgresql` no longer accepts the `enableSystemd` override. Use `systemdSupport` instead.
- `postgresql` was split into default and -dev outputs. To make this work without circular dependencies, the output of the `pg_config` system view has been removed. The `pg_config` binary is provided in the -dev output and still works as expected.
- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.
- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that.
- The dhcpcd service (`networking.useDHCP`) has been hardened and now runs exclusively as the "dhcpcd" user. - The dhcpcd service (`networking.useDHCP`) has been hardened and now runs exclusively as the "dhcpcd" user.
Users that were relying on the root privileges in `networking.dhcpcd.runHook` will have to write specific [sudo](security.sudo.extraRules) or [polkit](security.polkit.extraConfig) rules to allow dhcpcd to perform privileged actions. Users that were relying on the root privileges in `networking.dhcpcd.runHook` will have to write specific [sudo](security.sudo.extraRules) or [polkit](security.polkit.extraConfig) rules to allow dhcpcd to perform privileged actions.
@ -572,8 +598,6 @@
- Docker now defaults to 27.x, as version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084). - Docker now defaults to 27.x, as version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084).
- `postgresql` was split into default and -dev outputs. To make this work without circular dependencies, the output of the `pg_config` system view has been removed. The `pg_config` binary is provided in the -dev output and still works as expected.
- `keycloak` was updated to version 25, which introduces new hostname related options. - `keycloak` was updated to version 25, which introduces new hostname related options.
See [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions. See [Upgrading Guide](https://www.keycloak.org/docs/25.0.1/upgrading/#migrating-to-25-0-0) for instructions.
@ -688,11 +712,10 @@
- `isync` has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details. - `isync` has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details.
- Legacy package `globalprotect-openconnect` 1.x and related module - Two new packages -- `gpauth` and `gpclient` from the 2.x version of the
`services.globalprotect` were dropped. Two new packages -- `gpauth` and `gpclient` GlobalProtect-openconnect project -- are added in parallel to
from the 2.x version of the GlobalProtect-openconnect project -- are added in its `globalprotect-openconnect`. The GUI components related to the project are
place. The GUI components related to the project are non-free and not non-free and not packaged.
packaged.
- Compatible string matching for `hardware.deviceTree.overlays` has been changed to a more correct behavior. See [below](#sec-release-24.11-migration-dto-compatible) for details. - Compatible string matching for `hardware.deviceTree.overlays` has been changed to a more correct behavior. See [below](#sec-release-24.11-migration-dto-compatible) for details.
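Review bot: the rewritten GlobalProtect item no longer describes a breaking change. It now says `gpauth` and `gpclient` are added in parallel to `globalprotect-openconnect`, yet it stays in the list that sits between the Backward Incompatibilities heading and the Other Notable Changes heading. Move it to the notable-changes list, or state what existing users of `globalprotect-openconnect` actually have to change.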
@ -715,6 +738,20 @@
- `python3Packages.nose` has been removed, as it has been deprecated and unmaintained for almost a decade and does not work on Python 3.12. - `python3Packages.nose` has been removed, as it has been deprecated and unmaintained for almost a decade and does not work on Python 3.12.
Please switch to `pytest` or another test runner/framework. Please switch to `pytest` or another test runner/framework.
- `dotnet-sdk`, `dotnet-runtime`, and all other dotnet packages now use a
wrapper package containing `bin/dotnet`, build hooks, etc. If you need to
reference the underlying dotnet distribution (DOTNET_ROOT) you should use e.g.
`dotnet-runtime.unwrapped`.
- The root of dotnet distribution packages (DOTNET_ROOT) is now under e.g.
`${dotnet-sdk.unwrapped}/share/dotnet` instead of directly in the package
root. This is consistent with packaging guidelines and more friendly for FHS
environments.
- `dotnet-sdk`, `dotnet-runtime`, and `dotnet-aspnetcore` now point to dotnet 8
rather than dotnet 6. For packages that still need dotnet 6, use
`dotnet-sdk_6`, etc.
## Other Notable Changes {#sec-release-24.11-notable-changes} ## Other Notable Changes {#sec-release-24.11-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@ -783,6 +820,8 @@
- The new `boot.loader.systemd-boot.windows` option makes setting up dual-booting with Windows on a different drive easier. - The new `boot.loader.systemd-boot.windows` option makes setting up dual-booting with Windows on a different drive easier.
- The `boot.loader.raspberryPi` options were marked as deprecated in 23.11 and have now been removed.
- Linux 4.19 has been removed because it will reach its end of life within the lifespan of 24.11. - Linux 4.19 has been removed because it will reach its end of life within the lifespan of 24.11.
- Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep an - Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep an
@ -817,8 +856,6 @@
- `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep). Available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep). - `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep). Available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).
- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.
- Mattermost has been updated from 9.5 to 9.11 ESR. See the [changelog](https://docs.mattermost.com/about/mattermost-v9-changelog.html#release-v9-11-extended-support-release) for more details. - Mattermost has been updated from 9.5 to 9.11 ESR. See the [changelog](https://docs.mattermost.com/about/mattermost-v9-changelog.html#release-v9-11-extended-support-release) for more details.
- `cargo-tauri.hook` was introduced to help users build [Tauri](https://tauri.app/) projects. It is meant to be used alongside - `cargo-tauri.hook` was introduced to help users build [Tauri](https://tauri.app/) projects. It is meant to be used alongside
@ -838,8 +875,6 @@
- `iproute2` now has libbpf support. - `iproute2` now has libbpf support.
- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that.
If you use extensions that are not packaged in nixpkgs, please review whether it still works If you use extensions that are not packaged in nixpkgs, please review whether it still works
with the current settings and adjust accordingly if needed. with the current settings and adjust accordingly if needed.
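Review bot: removing the "`postgresql` is now hardened by default" bullet here leaves its continuation paragraph behind. The two context lines "If you use extensions that are not packaged in nixpkgs, please review whether it still works with the current settings and adjust accordingly if needed." now follow the `iproute2` libbpf bullet, where they make no sense. Move them together with the bullet to its new position in the Backward Incompatibilities list.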
@ -856,6 +891,8 @@
- `qgis` and `qgis-ltr` are now built without `grass` by default. `grass` support can be enabled with `qgis.override { withGrass = true; }`. - `qgis` and `qgis-ltr` are now built without `grass` by default. `grass` support can be enabled with `qgis.override { withGrass = true; }`.
- `virtualisation.incus` module gained new `incus-user.service` and `incus-user.socket` systemd units. It is now possible to add a user to `incus` group instead of `incus-admin` for increased security.
## Detailed Migration Information {#sec-release-24.11-migration} ## Detailed Migration Information {#sec-release-24.11-migration}
### `sound` options removal {#sec-release-24.11-migration-sound} ### `sound` options removal {#sec-release-24.11-migration-sound}

View file

@ -0,0 +1,36 @@
# Release 25.05 (“Warbler”, 2025.05/??) {#sec-release-25.05}
## Highlights {#sec-release-25.05-highlights}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Create the first release note entry in this section!
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## New Modules {#sec-release-25.05-new-modules}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- [Kimai](https://www.kimai.org/), a web-based multi-user time-tracking application. Available as [services.kimai](option.html#opt-services.kimai).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Backward Incompatibilities {#sec-release-25.05-incompatibilities}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- `kanata` was updated to v1.7.0, which introduces several breaking changes.
See the release notes of
[v1.7.0](https://github.com/jtroo/kanata/releases/tag/v1.7.0)
for more information.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Other Notable Changes {#sec-release-25.05-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
- Create the first release note entry in this section!
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

View file

@ -6,8 +6,11 @@ let
common = import ./common.nix; common = import ./common.nix;
inherit (common) outputPath indexPath; inherit (common) outputPath indexPath;
in devmode = pkgs.devmode.override {
pkgs.callPackage ../../../pkgs/tools/nix/web-devmode.nix {
buildArgs = "../../release.nix -A manualHTML.${builtins.currentSystem}"; buildArgs = "../../release.nix -A manualHTML.${builtins.currentSystem}";
open = "/${outputPath}/${indexPath}"; open = "/${outputPath}/${indexPath}";
};
in
pkgs.mkShellNoCC {
packages = [ devmode ];
} }

View file

@ -57,7 +57,7 @@ rec {
throwUnsupportedGuestSystem = guestMap: throwUnsupportedGuestSystem = guestMap:
throw "Unsupported guest system ${guestSystem} for host ${hostSystem}, supported: ${lib.concatStringsSep ", " (lib.attrNames guestMap)}"; throw "Unsupported guest system ${guestSystem} for host ${hostSystem}, supported: ${lib.concatStringsSep ", " (lib.attrNames guestMap)}";
in in
if hostStdenv.isLinux then if hostStdenv.hostPlatform.isLinux then
linuxHostGuestMatrix.${guestSystem} or "${qemuPkg}/bin/qemu-kvm" linuxHostGuestMatrix.${guestSystem} or "${qemuPkg}/bin/qemu-kvm"
else else
let let

View file

@ -70,7 +70,7 @@ in
defaultChannel = mkOption { defaultChannel = mkOption {
internal = true; internal = true;
type = types.str; type = types.str;
default = "https://nixos.org/channels/nixos-unstable"; default = "https://nixos.org/channels/nixos-24.11";
description = "Default NixOS channel to which the root user is subscribed."; description = "Default NixOS channel to which the root user is subscribed.";
}; };
}; };

View file

@ -101,7 +101,7 @@ in
assertions = [ assertions = [
{ {
assertion = cfg.enable32Bit -> pkgs.stdenv.hostPlatform.isx86_64; assertion = cfg.enable32Bit -> pkgs.stdenv.hostPlatform.isx86_64;
message = "`hardware.graphics.enable32Bit` only makes sense on a 64-bit system."; message = "`hardware.graphics.enable32Bit` is only supported on an x86_64 system.";
} }
{ {
assertion = cfg.enable32Bit -> (config.boot.kernelPackages.kernel.features.ia32Emulation or false); assertion = cfg.enable32Bit -> (config.boot.kernelPackages.kernel.features.ia32Emulation or false);

View file

@ -218,7 +218,7 @@ in
mkToolModule = { name, package ? pkgs.${name} }: { config, ... }: { mkToolModule = { name, package ? pkgs.${name} }: { config, ... }: {
options.system.tools.${name}.enable = lib.mkEnableOption "${name} script" // { options.system.tools.${name}.enable = lib.mkEnableOption "${name} script" // {
default = config.nix.enable && ! config.system.disableInstallerTools; default = config.nix.enable && ! config.system.disableInstallerTools;
internal = true; defaultText = "config.nix.enable && !config.system.disableInstallerTools";
}; };
config = lib.mkIf config.system.tools.${name}.enable { config = lib.mkIf config.system.tools.${name}.enable {
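Review bot: the added `defaultText` is a plain string, so the manual will render it as prose rather than as a Nix expression. Wrap it as `defaultText = lib.literalExpression "config.nix.enable && !config.system.disableInstallerTools";`. Dropping `internal = true` also makes every `system.tools.<name>.enable` option public, which deserves a release-note line if it is intentional.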

View file

@ -42,6 +42,7 @@ let
VARIANT = optionalString (cfg.variantName != null) cfg.variantName; VARIANT = optionalString (cfg.variantName != null) cfg.variantName;
VARIANT_ID = optionalString (cfg.variant_id != null) cfg.variant_id; VARIANT_ID = optionalString (cfg.variant_id != null) cfg.variant_id;
DEFAULT_HOSTNAME = config.networking.fqdnOrHostName; DEFAULT_HOSTNAME = config.networking.fqdnOrHostName;
SUPPORT_END = "2025-06-30";
}; };
initrdReleaseContents = (removeAttrs osReleaseContents [ "BUILD_ID" ]) // { initrdReleaseContents = (removeAttrs osReleaseContents [ "BUILD_ID" ]) // {

View file

@ -148,6 +148,7 @@
./programs/alvr.nix ./programs/alvr.nix
./programs/appgate-sdp.nix ./programs/appgate-sdp.nix
./programs/appimage.nix ./programs/appimage.nix
./programs/arp-scan.nix
./programs/atop.nix ./programs/atop.nix
./programs/ausweisapp.nix ./programs/ausweisapp.nix
./programs/autojump.nix ./programs/autojump.nix
@ -295,6 +296,7 @@
./programs/sysdig.nix ./programs/sysdig.nix
./programs/system-config-printer.nix ./programs/system-config-printer.nix
./programs/systemtap.nix ./programs/systemtap.nix
./programs/tcpdump.nix
./programs/thefuck.nix ./programs/thefuck.nix
./programs/thunar.nix ./programs/thunar.nix
./programs/thunderbird.nix ./programs/thunderbird.nix
@ -362,6 +364,7 @@
./security/polkit.nix ./security/polkit.nix
./security/rngd.nix ./security/rngd.nix
./security/rtkit.nix ./security/rtkit.nix
./security/soteria.nix
./security/sudo.nix ./security/sudo.nix
./security/sudo-rs.nix ./security/sudo-rs.nix
./security/systemd-confinement.nix ./security/systemd-confinement.nix
@ -588,6 +591,7 @@
./services/hardware/fancontrol.nix ./services/hardware/fancontrol.nix
./services/hardware/freefall.nix ./services/hardware/freefall.nix
./services/hardware/fwupd.nix ./services/hardware/fwupd.nix
./services/hardware/g810-led.nix
./services/hardware/handheld-daemon.nix ./services/hardware/handheld-daemon.nix
./services/hardware/hddfancontrol.nix ./services/hardware/hddfancontrol.nix
./services/hardware/illum.nix ./services/hardware/illum.nix
@ -752,6 +756,7 @@
./services/misc/etebase-server.nix ./services/misc/etebase-server.nix
./services/misc/etesync-dav.nix ./services/misc/etesync-dav.nix
./services/misc/evdevremapkeys.nix ./services/misc/evdevremapkeys.nix
./services/misc/evremap.nix
./services/misc/felix.nix ./services/misc/felix.nix
./services/misc/flaresolverr.nix ./services/misc/flaresolverr.nix
./services/misc/forgejo.nix ./services/misc/forgejo.nix
@ -887,6 +892,7 @@
./services/monitoring/do-agent.nix ./services/monitoring/do-agent.nix
./services/monitoring/fusion-inventory.nix ./services/monitoring/fusion-inventory.nix
./services/monitoring/gatus.nix ./services/monitoring/gatus.nix
./services/monitoring/glances.nix
./services/monitoring/goss.nix ./services/monitoring/goss.nix
./services/monitoring/grafana-agent.nix ./services/monitoring/grafana-agent.nix
./services/monitoring/grafana-image-renderer.nix ./services/monitoring/grafana-image-renderer.nix
@ -1052,6 +1058,7 @@
./services/networking/gdomap.nix ./services/networking/gdomap.nix
./services/networking/ghostunnel.nix ./services/networking/ghostunnel.nix
./services/networking/git-daemon.nix ./services/networking/git-daemon.nix
./services/networking/globalprotect-vpn.nix
./services/networking/gns3-server.nix ./services/networking/gns3-server.nix
./services/networking/gnunet.nix ./services/networking/gnunet.nix
./services/networking/go-autoconfig.nix ./services/networking/go-autoconfig.nix
@ -1388,6 +1395,7 @@
./services/wayland/cage.nix ./services/wayland/cage.nix
./services/wayland/hypridle.nix ./services/wayland/hypridle.nix
./services/web-apps/akkoma.nix ./services/web-apps/akkoma.nix
./services/web-apps/agorakit.nix
./services/web-apps/alps.nix ./services/web-apps/alps.nix
./services/web-apps/anuko-time-tracker.nix ./services/web-apps/anuko-time-tracker.nix
./services/web-apps/artalk.nix ./services/web-apps/artalk.nix
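Review bot: `./services/web-apps/agorakit.nix` is inserted after `./services/web-apps/akkoma.nix`, which breaks the alphabetical order the surrounding entries follow (`agorakit` sorts before `akkoma`). Move the new line one position up.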
@ -1408,6 +1416,7 @@
./services/web-apps/crabfit.nix ./services/web-apps/crabfit.nix
./services/web-apps/davis.nix ./services/web-apps/davis.nix
./services/web-apps/cryptpad.nix ./services/web-apps/cryptpad.nix
./services/web-apps/dashy.nix
./services/web-apps/dependency-track.nix ./services/web-apps/dependency-track.nix
./services/web-apps/dex.nix ./services/web-apps/dex.nix
./services/web-apps/discourse.nix ./services/web-apps/discourse.nix
@ -1452,6 +1461,7 @@
./services/web-apps/kasmweb/default.nix ./services/web-apps/kasmweb/default.nix
./services/web-apps/kavita.nix ./services/web-apps/kavita.nix
./services/web-apps/keycloak.nix ./services/web-apps/keycloak.nix
./services/web-apps/kimai.nix
./services/web-apps/komga.nix ./services/web-apps/komga.nix
./services/web-apps/lanraragi.nix ./services/web-apps/lanraragi.nix
./services/web-apps/lemmy.nix ./services/web-apps/lemmy.nix
@ -1626,7 +1636,6 @@
./system/boot/loader/external/external.nix ./system/boot/loader/external/external.nix
./system/boot/loader/init-script/init-script.nix ./system/boot/loader/init-script/init-script.nix
./system/boot/loader/loader.nix ./system/boot/loader/loader.nix
./system/boot/loader/raspberrypi/raspberrypi.nix
./system/boot/loader/systemd-boot/systemd-boot.nix ./system/boot/loader/systemd-boot/systemd-boot.nix
./system/boot/luksroot.nix ./system/boot/luksroot.nix
./system/boot/stratisroot.nix ./system/boot/stratisroot.nix

View file

@ -0,0 +1,32 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.programs.arp-scan;
in
{
options = {
programs.arp-scan = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to configure a setcap wrapper for arp-scan.
'';
};
};
};
config = lib.mkIf cfg.enable {
security.wrappers.arp-scan = {
owner = "root";
group = "root";
capabilities = "cap_net_raw+p";
source = lib.getExe pkgs.arp-scan;
};
};
}
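Review bot: the `security.wrappers.arp-scan` block sets `group = "root"` and no `permissions`, whereas tcpdump.nix added in this same change restricts its wrapper with `group = "pcap"` and `permissions = "u+rx,g+x"`. If the wrapper default leaves the binary executable by all users, every local account gets to run arp-scan with `cap_net_raw`; either restrict it the same way or say so in the option description. The option could also use `lib.mkEnableOption`, and the module has no `meta.maintainers`.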

View file

@ -313,7 +313,9 @@ in
old.extraPrefsFiles or [ ] old.extraPrefsFiles or [ ]
++ cfg.autoConfigFiles ++ cfg.autoConfigFiles
++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ]; ++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages; nativeMessagingHosts = lib.unique (
old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages
);
cfg = (old.cfg or { }) // cfg.wrapperConfig; cfg = (old.cfg or { }) // cfg.wrapperConfig;
})) }))
]; ];

View file

@ -1,10 +1,16 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
cfg = config.programs.iftop; cfg = config.programs.iftop;
in { in
{
options = { options = {
programs.iftop.enable = lib.mkEnableOption "iftop + setcap wrapper"; programs.iftop.enable = lib.mkEnableOption "iftop and setcap wrapper for it";
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.iftop ]; environment.systemPackages = [ pkgs.iftop ];
@ -12,7 +18,7 @@ in {
owner = "root"; owner = "root";
group = "root"; group = "root";
capabilities = "cap_net_raw+p"; capabilities = "cap_net_raw+p";
source = "${pkgs.iftop}/bin/iftop"; source = lib.getExe pkgs.iftop;
}; };
}; };
} }

View file

@ -0,0 +1,56 @@
{
config,
pkgs,
lib,
...
}:
let
inherit (lib)
getExe
maintainers
mkEnableOption
mkIf
mkOption
types
;
inherit (types) str;
cfg = config.programs.pay-respects;
initScript =
shell:
if (shell != "fish") then
''
eval $(${getExe pkgs.pay-respects} ${shell} --alias ${cfg.alias})
''
else
''
${getExe pkgs.pay-respects} ${shell} --alias ${cfg.alias} | source
'';
in
{
options = {
programs.pay-respects = {
enable = mkEnableOption "pay-respects, an app which corrects your previous console command";
alias = mkOption {
default = "f";
type = str;
description = ''
`pay-respects` needs an alias to be configured.
The default value is `f`, but you can use anything else as well.
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.pay-respects ];
programs = {
bash.interactiveShellInit = initScript "bash";
fish.interactiveShellInit = mkIf config.programs.fish.enable initScript "fish";
zsh.interactiveShellInit = mkIf config.programs.zsh.enable initScript "zsh";
};
};
meta.maintainers = with maintainers; [ sigmasquadron ];
}
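Review bot: in the `programs` block, `mkIf config.programs.fish.enable initScript "fish"` (and the zsh line below it) parses as `(mkIf cond initScript) "fish"` because function application is left-associative, so the result of `mkIf` is applied to the shell name instead of wrapping the script; write `mkIf config.programs.fish.enable (initScript "fish")`. Separately, `initScript` interpolates `cfg.alias` (type `str`) unescaped into shell code that is then passed to `eval` or piped to `source`, so a value containing whitespace or shell metacharacters changes the command that runs in every interactive shell. Pass it through `lib.escapeShellArg` or constrain the option type, and quote the command substitution as `eval "$(...)"`.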

View file

@ -0,0 +1,36 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.programs.tcpdump;
in
{
options = {
programs.tcpdump = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to configure a setcap wrapper for tcpdump.
To use it, add your user to the `pcap` group.
'';
};
};
};
config = lib.mkIf cfg.enable {
security.wrappers.tcpdump = {
owner = "root";
group = "pcap";
capabilities = "cap_net_raw+p";
permissions = "u+rx,g+x";
source = lib.getExe pkgs.tcpdump;
};
users.groups.pcap = { };
};
}
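Review bot: the `enable` description only says to add the user to the `pcap` group; it should state what that membership grants. With `permissions = "u+rx,g+x"` and `capabilities = "cap_net_raw+p"`, every member of `pcap` can run tcpdump with raw-socket capture rights without being root, which is worth spelling out for whoever manages group membership. As a style point, `lib.mkEnableOption` would match the iftop module changed in this commit.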

View file

@ -1,8 +1,14 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
cfg = config.programs.traceroute; cfg = config.programs.traceroute;
in { in
{
options = { options = {
programs.traceroute = { programs.traceroute = {
enable = lib.mkOption { enable = lib.mkOption {
@ -20,7 +26,7 @@ in {
owner = "root"; owner = "root";
group = "root"; group = "root";
capabilities = "cap_net_raw+p"; capabilities = "cap_net_raw+p";
source = "${pkgs.traceroute}/bin/traceroute"; source = lib.getExe pkgs.traceroute;
}; };
}; };
} }

View file

@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
cfg = config.programs.hyprland; cfg = config.programs.hyprland;
@ -13,29 +18,53 @@ in
A configuration file will be generated in {file}`~/.config/hypr/hyprland.conf`. A configuration file will be generated in {file}`~/.config/hypr/hyprland.conf`.
See <https://wiki.hyprland.org> for more information''; See <https://wiki.hyprland.org> for more information'';
package = lib.mkPackageOption pkgs "hyprland" { package =
lib.mkPackageOption pkgs "hyprland" {
extraDescription = '' extraDescription = ''
If the package is not overridable with `enableXWayland`, then the module option If the package is not overridable with `enableXWayland`, then the module option
{option}`xwayland` will have no effect. {option}`xwayland` will have no effect.
''; '';
} // { }
apply = p: wayland-lib.genFinalPackage p { // {
apply =
p:
wayland-lib.genFinalPackage p {
enableXWayland = cfg.xwayland.enable; enableXWayland = cfg.xwayland.enable;
}; };
}; };
portalPackage = lib.mkPackageOption pkgs "xdg-desktop-portal-hyprland" { portalPackage =
lib.mkPackageOption pkgs "xdg-desktop-portal-hyprland" {
extraDescription = '' extraDescription = ''
If the package is not overridable with `hyprland`, then the Hyprland package If the package is not overridable with `hyprland`, then the Hyprland package
used by the portal may differ from the one set in the module option {option}`package`. used by the portal may differ from the one set in the module option {option}`package`.
''; '';
} // { }
apply = p: wayland-lib.genFinalPackage p { // {
apply =
p:
wayland-lib.genFinalPackage p {
hyprland = cfg.package; hyprland = cfg.package;
}; };
}; };
xwayland.enable = lib.mkEnableOption "XWayland" // { default = true; }; xwayland.enable = lib.mkEnableOption "XWayland" // {
default = true;
};
withUWSM = lib.mkEnableOption null // {
description = ''
Launch Hyprland with the UWSM (Universal Wayland Session Manager) session manager.
This has improved systemd support and is recommended for most users.
This automatically starts appropiate targets like `graphical-session.target`,
and `wayland-session@Hyprland.target`.
::: {.note}
Some changes may need to be made to Hyprland configs depending on your setup, see
[Hyprland wiki](https://wiki.hyprland.org/Useful-Utilities/Systemd-start/#uwsm).
:::
'';
};
systemd.setPath.enable = lib.mkEnableOption null // { systemd.setPath.enable = lib.mkEnableOption null // {
default = lib.versionOlder cfg.package.version "0.41.2"; default = lib.versionOlder cfg.package.version "0.41.2";
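Review bot: the `withUWSM` description has a typo, `appropiate` should be `appropriate`. Because the option is built from `lib.mkEnableOption null` with a hand-written `description`, the text also loses the usual "Whether to enable" opening; consider starting it that way so the rendered option reads like the others in this module.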
@ -49,13 +78,11 @@ in
}; };
}; };
config = lib.mkIf cfg.enable (lib.mkMerge [ config = lib.mkIf cfg.enable (
lib.mkMerge [
{ {
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
# To make a Hyprland session available if a display manager like SDDM is enabled:
services.displayManager.sessionPackages = [ cfg.package ];
xdg.portal = { xdg.portal = {
enable = true; enable = true;
extraPortals = [ cfg.portalPackage ]; extraPortals = [ cfg.portalPackage ];
@ -69,26 +96,47 @@ in
}; };
} }
(lib.mkIf (cfg.withUWSM) {
programs.uwsm.enable = true;
# Configure UWSM to launch Hyprland from a display manager like SDDM
programs.uwsm.waylandCompositors = {
hyprland = {
prettyName = "Hyprland";
comment = "Hyprland compositor managed by UWSM";
binPath = "/run/current-system/sw/bin/Hyprland";
};
};
})
(lib.mkIf (!cfg.withUWSM) {
# To make a vanilla Hyprland session available in DM
services.displayManager.sessionPackages = [ cfg.package ];
})
(import ./wayland-session.nix { (import ./wayland-session.nix {
inherit lib pkgs; inherit lib pkgs;
enableXWayland = cfg.xwayland.enable; enableXWayland = cfg.xwayland.enable;
enableWlrPortal = lib.mkDefault false; # Hyprland has its own portal, wlr is not needed enableWlrPortal = lib.mkDefault false; # Hyprland has its own portal, wlr is not needed
}) })
]); ]
);
imports = [ imports = [
(lib.mkRemovedOptionModule (lib.mkRemovedOptionModule [
[ "programs" "hyprland" "xwayland" "hidpi" ] "programs"
"XWayland patches are deprecated. Refer to https://wiki.hyprland.org/Configuring/XWayland" "hyprland"
) "xwayland"
(lib.mkRemovedOptionModule "hidpi"
[ "programs" "hyprland" "enableNvidiaPatches" ] ] "XWayland patches are deprecated. Refer to https://wiki.hyprland.org/Configuring/XWayland")
"Nvidia patches are no longer needed" (lib.mkRemovedOptionModule [
) "programs"
(lib.mkRemovedOptionModule "hyprland"
[ "programs" "hyprland" "nvidiaPatches" ] "enableNvidiaPatches"
"Nvidia patches are no longer needed" ] "Nvidia patches are no longer needed")
) (lib.mkRemovedOptionModule [
"programs"
"hyprland"
"nvidiaPatches"
] "Nvidia patches are no longer needed")
]; ];
meta.maintainers = with lib.maintainers; [ fufexan ]; meta.maintainers = with lib.maintainers; [ fufexan ];
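Review bot: `binPath = "/run/current-system/sw/bin/Hyprland"` in the `withUWSM` branch is a fixed profile path rather than something derived from `cfg.package`, so the session launches whatever `Hyprland` is in the system profile; that matches `cfg.package` only because `environment.systemPackages = [ cfg.package ]` is set in the first block of the `mkMerge`. Add a comment saying the profile path is intentional, or build the path from `cfg.package`, so the dependency is explicit.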

View file

@ -64,8 +64,8 @@ in
description = '' description = ''
The package which contains the `yabar` binary. The package which contains the `yabar` binary.
Nixpkgs provides the `yabar` and `yabar-unstable` Nixpkgs provides the `yabar` and `yabar-unstable`,
derivations since 18.03, so it's possible to choose. so it's possible to choose.
''; '';
}; };

View file

@ -20,6 +20,7 @@ in
(mkAliasOptionModuleMD [ "environment" "checkConfigurationOptions" ] [ "_module" "check" ]) (mkAliasOptionModuleMD [ "environment" "checkConfigurationOptions" ] [ "_module" "check" ])
# Completely removed modules # Completely removed modules
(mkRemovedOptionModule [ "boot" "loader" "raspberryPi" ] "The raspberryPi boot loader has been removed. See https://github.com/NixOS/nixpkgs/pull/241534 for what to use instead.")
(mkRemovedOptionModule [ "environment" "blcr" "enable" ] "The BLCR module has been removed") (mkRemovedOptionModule [ "environment" "blcr" "enable" ] "The BLCR module has been removed")
(mkRemovedOptionModule [ "environment" "noXlibs" ] '' (mkRemovedOptionModule [ "environment" "noXlibs" ] ''
The environment.noXlibs option was removed, as it often caused surprising breakages for new users. The environment.noXlibs option was removed, as it often caused surprising breakages for new users.
@ -80,7 +81,6 @@ in
(mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed") (mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
(mkRemovedOptionModule [ "services" "fprot" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "fprot" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "frab" ] "The frab module has been removed") (mkRemovedOptionModule [ "services" "frab" ] "The frab module has been removed")
(mkRemovedOptionModule [ "services" "globalprotect"] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "homeassistant-satellite"] "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`.") (mkRemovedOptionModule [ "services" "homeassistant-satellite"] "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`.")
(mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.") (mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
(mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer") (mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")

View file

@ -87,6 +87,8 @@ let
RestrictAddressFamilies = [ RestrictAddressFamilies = [
"AF_INET" "AF_INET"
"AF_INET6" "AF_INET6"
"AF_UNIX"
"AF_NETLINK"
]; ];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
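Review bot: adding `AF_UNIX` and `AF_NETLINK` to `RestrictAddressFamilies` widens the unit's sandbox, and the hunk gives no reason for either. Please add a comment naming what needs each family, so a later reader can tell whether the exception is still required and can drop it when it is not.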

View file

@ -0,0 +1,50 @@
{
lib,
pkgs,
config,
...
}:
let
cfg = config.security.soteria;
in
{
options.security.soteria = {
enable = lib.mkEnableOption null // {
description = ''
Whether to enable Soteria, a Polkit authentication agent
for any desktop environment.
::: {.note}
You should only enable this if you are on a Desktop Environment that
does not provide a graphical polkit authentication agent, or you are on
a standalone window manager or Wayland compositor.
:::
'';
};
package = lib.mkPackageOption pkgs "soteria" { };
};
config = lib.mkIf cfg.enable {
security.polkit.enable = true;
environment.systemPackages = [ cfg.package ];
systemd.user.services.polkit-soteria = {
description = "Soteria, Polkit authentication agent for any desktop environment";
wantedBy = [ "graphical-session.target" ];
wants = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
script = lib.getExe cfg.package;
serviceConfig = {
Type = "simple";
Restart = "on-failure";
RestartSec = 1;
TimeoutStopSec = 10;
};
};
};
meta.maintainers = with lib.maintainers; [ johnrtitor ];
}
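Review bot: in `systemd.user.services.polkit-soteria`, `wants = [ "graphical-session.target" ]` makes the agent pull in the same target that `wantedBy` already starts it from; `partOf = [ "graphical-session.target" ]` would instead tie the agent's lifetime to the session so it stops when the session ends. Also, `script = lib.getExe cfg.package` wraps the binary in a generated shell script; `serviceConfig.ExecStart = lib.getExe cfg.package` runs it directly and keeps the process tree of an authentication agent simpler.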

View file

@ -12,6 +12,7 @@ let
mopidyEnv = buildEnv { mopidyEnv = buildEnv {
name = "mopidy-with-extensions-${mopidy.version}"; name = "mopidy-with-extensions-${mopidy.version}";
ignoreCollisions = true;
paths = closePropagation cfg.extensionPackages; paths = closePropagation cfg.extensionPackages;
pathsToLink = [ "/${mopidyPackages.python.sitePackages}" ]; pathsToLink = [ "/${mopidyPackages.python.sitePackages}" ];
nativeBuildInputs = [ makeWrapper ]; nativeBuildInputs = [ makeWrapper ];
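Review bot: `ignoreCollisions = true` on `mopidyEnv` turns conflicting files between extension packages from a build failure into a silent pick of one copy, which in the linked `sitePackages` tree can hide two different versions of the same Python module. Please add a comment naming the collision that motivated this, so the flag can be removed once that conflict is gone.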

View file

@ -334,6 +334,12 @@ in
environment.etc."my.cnf".source = cfg.configFile; environment.etc."my.cnf".source = cfg.configFile;
# The mysql_install_db binary will try to adjust the permissions, but fail to do so with a permission
# denied error in some circumstances. Setting the permissions manually with tmpfiles is a workaround.
systemd.tmpfiles.rules = [
"d ${cfg.dataDir} 0755 ${cfg.user} ${cfg.group} - -"
];
systemd.services.mysql = { systemd.services.mysql = {
description = "MySQL Server"; description = "MySQL Server";
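Review bot: the tmpfiles rule creates `${cfg.dataDir}` with mode `0755`, which lets every local user traverse and list the database directory; unless something outside `${cfg.user}` and `${cfg.group}` has to read it, `0700` or `0750` is the safer mode. A `d` rule also adjusts mode and ownership of a directory that already exists, so this loosens a data directory an administrator had tightened by hand; the comment above the rule should mention that.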

View file

@ -261,8 +261,9 @@ Technically, we'd not want to have EOL'ed packages in a stable NixOS release, wh
Thus: Thus:
- In September/October the new major version will be released and added to nixos-unstable. - In September/October the new major version will be released and added to nixos-unstable.
- In November the last minor version for the oldest major will be released. - In November the last minor version for the oldest major will be released.
- Both the current stable .05 release and nixos-unstable should be updated to the latest minor. - Both the current stable .05 release and nixos-unstable should be updated to the latest minor that will usually be released in November.
- In November, before branch-off for the .11 release, the EOL-ed major will be removed from nixos-unstable. - This is relevant for people who need to use this major for as long as possible. In that case its desirable to be able to pin nixpkgs to a commit that still has it, at the latest minor available.
- In November, before branch-off for the .11 release and after the update to the latest minor, the EOL-ed major will be removed from nixos-unstable.
This leaves a small gap of a couple of weeks after the latest minor release and the end of our support window for the .05 release, in which there could be an emergency release to other major versions of PostgreSQL - but not the oldest major we have in that branch. In that case: If we can't trivially patch the issue, we will mark the package/version as insecure **immediately**. This leaves a small gap of a couple of weeks after the latest minor release and the end of our support window for the .05 release, in which there could be an emergency release to other major versions of PostgreSQL - but not the oldest major we have in that branch. In that case: If we can't trivially patch the issue, we will mark the package/version as insecure **immediately**.
@ -292,7 +293,7 @@ postgresql_15.pkgs.pg_partman postgresql_15.pkgs.pgroonga
To add plugins via NixOS configuration, set `services.postgresql.extraPlugins`: To add plugins via NixOS configuration, set `services.postgresql.extraPlugins`:
```nix ```nix
{ {
services.postgresql.package = pkgs.postgresql_12; services.postgresql.package = pkgs.postgresql_17;
services.postgresql.extraPlugins = ps: with ps; [ services.postgresql.extraPlugins = ps: with ps; [
pg_repack pg_repack
postgis postgis
@ -303,7 +304,7 @@ To add plugins via NixOS configuration, set `services.postgresql.extraPlugins`:
You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using function `.withPackages`. For example, creating a custom PostgreSQL package in an overlay can look like: You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using function `.withPackages`. For example, creating a custom PostgreSQL package in an overlay can look like:
```nix ```nix
self: super: { self: super: {
postgresql_custom = self.postgresql_12.withPackages (ps: [ postgresql_custom = self.postgresql_17.withPackages (ps: [
ps.pg_repack ps.pg_repack
ps.postgis ps.postgis
]); ]);

View file

@ -2,6 +2,7 @@
let let
inherit (lib) inherit (lib)
any
attrValues attrValues
concatMapStrings concatMapStrings
concatStringsSep concatStringsSep
@ -9,6 +10,7 @@ let
elem elem
escapeShellArgs escapeShellArgs
filterAttrs filterAttrs
getName
isString isString
literalExpression literalExpression
mapAttrs mapAttrs
@ -26,23 +28,24 @@ let
optionalString optionalString
types types
versionAtLeast versionAtLeast
warn
; ;
cfg = config.services.postgresql; cfg = config.services.postgresql;
postgresql =
let
# ensure that # ensure that
# services.postgresql = { # services.postgresql = {
# enableJIT = true; # enableJIT = true;
# package = pkgs.postgresql_<major>; # package = pkgs.postgresql_<major>;
# }; # };
# works. # works.
base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT; basePackage = if cfg.enableJIT
in then cfg.package.withJIT
if cfg.extraPlugins == [] else cfg.package.withoutJIT;
then base
else base.withPackages cfg.extraPlugins; postgresql = if cfg.extensions == []
then basePackage
else basePackage.withPackages cfg.extensions;
toStr = value: toStr = value:
if true == value then "yes" if true == value then "yes"
@ -60,6 +63,8 @@ let
groupAccessAvailable = versionAtLeast postgresql.version "11.0"; groupAccessAvailable = versionAtLeast postgresql.version "11.0";
extensionNames = map getName postgresql.installedExtensions;
extensionInstalled = extension: elem extension extensionNames;
in in
{ {
@ -68,6 +73,7 @@ in
(mkRenamedOptionModule [ "services" "postgresql" "logLinePrefix" ] [ "services" "postgresql" "settings" "log_line_prefix" ]) (mkRenamedOptionModule [ "services" "postgresql" "logLinePrefix" ] [ "services" "postgresql" "settings" "log_line_prefix" ])
(mkRenamedOptionModule [ "services" "postgresql" "port" ] [ "services" "postgresql" "settings" "port" ]) (mkRenamedOptionModule [ "services" "postgresql" "port" ] [ "services" "postgresql" "settings" "port" ])
(mkRenamedOptionModule [ "services" "postgresql" "extraPlugins" ] [ "services" "postgresql" "extensions" ])
]; ];
###### interface ###### interface
@ -371,12 +377,12 @@ in
''; '';
}; };
extraPlugins = mkOption { extensions = mkOption {
type = with types; coercedTo (listOf path) (path: _ignorePg: path) (functionTo (listOf path)); type = with types; coercedTo (listOf path) (path: _ignorePg: path) (functionTo (listOf path));
default = _: []; default = _: [];
example = literalExpression "ps: with ps; [ postgis pg_repack ]"; example = literalExpression "ps: with ps; [ postgis pg_repack ]";
description = '' description = ''
List of PostgreSQL plugins. List of PostgreSQL extensions to install.
''; '';
}; };
@ -484,10 +490,18 @@ in
services.postgresql.package = let services.postgresql.package = let
mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version."; mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version.";
mkWarn = ver: warn ''
The postgresql package is not pinned and selected automatically by
`system.stateVersion`. Right now this is `pkgs.postgresql_${ver}`, the
oldest postgresql version available and thus the next that will be
removed when EOL on the next stable cycle.
See also https://endoflife.date/postgresql
'';
base = if versionAtLeast config.system.stateVersion "24.11" then pkgs.postgresql_16 base = if versionAtLeast config.system.stateVersion "24.11" then pkgs.postgresql_16
else if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15 else if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
else if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14 else if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14
else if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13 else if versionAtLeast config.system.stateVersion "21.11" then mkWarn "13" pkgs.postgresql_13
else if versionAtLeast config.system.stateVersion "20.03" then mkThrow "11" else if versionAtLeast config.system.stateVersion "20.03" then mkThrow "11"
else if versionAtLeast config.system.stateVersion "17.09" then mkThrow "9_6" else if versionAtLeast config.system.stateVersion "17.09" then mkThrow "9_6"
else mkThrow "9_5"; else mkThrow "9_5";
@ -630,7 +644,7 @@ in
PrivateTmp = true; PrivateTmp = true;
ProtectHome = true; ProtectHome = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off"); MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ]));
NoNewPrivileges = true; NoNewPrivileges = true;
LockPersonality = true; LockPersonality = true;
PrivateDevices = true; PrivateDevices = true;
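Review bot: `MemoryDenyWriteExecute` is now switched off by matching the package name `plv8` through `getName`, with no comment saying why that extension needs writable and executable memory. Add that comment next to the expression, and note that the check is name-based: an extension with the same requirement packaged under another name keeps the hardening and fails at runtime, so the exception list should be easy to find and extend.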
@ -654,10 +668,12 @@ in
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter =
[
"@system-service" "@system-service"
"~@privileged @resources" "~@privileged @resources"
]; ]
++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
UMask = if groupAccessAvailable then "0027" else "0077"; UMask = if groupAccessAvailable then "0027" else "0077";
} }
(mkIf (cfg.dataDir != "/var/lib/postgresql") { (mkIf (cfg.dataDir != "/var/lib/postgresql") {
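Review bot: `any extensionInstalled [ "plv8" ]` is repeated here and in the `MemoryDenyWriteExecute` line; bind it once in the `let` block so the two hardening exceptions cannot drift apart. The `@pkey` addition to `SystemCallFilter` also needs a short comment on why plv8 requires it, since it is an exception to `~@privileged @resources` that a reader cannot justify from the hunk alone.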

View file

@ -1,23 +1,84 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.desktopManager.lomiri; cfg = config.services.desktopManager.lomiri;
in { in
{
options.services.desktopManager.lomiri = { options.services.desktopManager.lomiri = {
enable = lib.mkEnableOption '' enable = lib.mkEnableOption ''
the Lomiri graphical shell (formerly known as Unity8) the Lomiri graphical shell (formerly known as Unity8)
''; '';
basics = lib.mkOption {
internal = true;
description = ''
Enable basic things for getting Lomiri working.
'';
type = lib.types.bool;
default = config.services.xserver.displayManager.lightdm.greeters.lomiri.enable || cfg.enable;
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkMerge [
# Basics for getting Lomiri to work
(lib.mkIf cfg.basics {
environment = { environment = {
systemPackages = (with pkgs; [ # To override the default keyboard layout in Lomiri
etc.${pkgs.lomiri.lomiri.passthru.etcLayoutsFile}.text = lib.strings.replaceStrings [ "," ] [
"\n"
] config.services.xserver.xkb.layout;
pathsToLink = [
# Data
"/share/locale" # TODO LUITK hardcoded default locale path, fix individual apps to not rely on it
"/share/wallpapers"
];
systemPackages = with pkgs.lomiri; [
lomiri-wallpapers # default + additional wallpaper
suru-icon-theme # basic indicator icons
];
};
fonts.packages = with pkgs; [
ubuntu-classic # Ubuntu is default font
];
# Xwayland is partly hardcoded in Mir so it can't really be fully turned off, and it must be on PATH for X11 apps *and Lomiri's web browser* to work.
# Until Mir/Lomiri can be properly used without it, force it on so everything behaves as expected.
programs.xwayland.enable = lib.mkForce true;
services.ayatana-indicators = {
enable = true;
packages = (
with pkgs;
[
ayatana-indicator-datetime # Clock
ayatana-indicator-session # Controls for shutting down etc
]
);
};
})
# Full Lomiri DE
(lib.mkIf cfg.enable {
# We need the basic setup as well
services.desktopManager.lomiri.basics = true;
environment = {
systemPackages =
(with pkgs; [
glib # XDG MIME-related tools identify it as GNOME, add gio for MIME identification to work glib # XDG MIME-related tools identify it as GNOME, add gio for MIME identification to work
libayatana-common libayatana-common
ubports-click ubports-click
]) ++ (with pkgs.lomiri; [ ])
++ (with pkgs.lomiri; [
hfd-service hfd-service
history-service
libusermetrics libusermetrics
lomiri lomiri
lomiri-calculator-app lomiri-calculator-app
@ -28,6 +89,7 @@ in {
lomiri-download-manager lomiri-download-manager
lomiri-filemanager-app lomiri-filemanager-app
lomiri-gallery-app lomiri-gallery-app
lomiri-history-service
lomiri-polkit-agent lomiri-polkit-agent
lomiri-schemas # exposes some required dbus interfaces lomiri-schemas # exposes some required dbus interfaces
lomiri-session # wrappers to properly launch the session lomiri-session # wrappers to properly launch the session
@ -36,17 +98,12 @@ in {
lomiri-terminal-app lomiri-terminal-app
lomiri-thumbnailer lomiri-thumbnailer
lomiri-url-dispatcher lomiri-url-dispatcher
lomiri-wallpapers
mediascanner2 # TODO possibly needs to be kicked off by graphical-session.target mediascanner2 # TODO possibly needs to be kicked off by graphical-session.target
morph-browser morph-browser
qtmir # not having its desktop file for Xwayland available causes any X11 application to crash the session qtmir # not having its desktop file for Xwayland available causes any X11 application to crash the session
suru-icon-theme
telephony-service telephony-service
teleports teleports
]); ]);
# To override the default keyboard layout in Lomiri
etc.${pkgs.lomiri.lomiri.passthru.etcLayoutsFile}.text = lib.strings.replaceStrings [","] ["\n"] config.services.xserver.xkb.layout;
}; };
hardware = { hardware = {
@ -66,39 +123,33 @@ in {
lomiri-download-manager lomiri-download-manager
]; ];
fonts.packages = with pkgs; [
# Applications tend to default to Ubuntu font
ubuntu-classic
];
# Copy-pasted basic stuff # Copy-pasted basic stuff
hardware.graphics.enable = lib.mkDefault true; hardware.graphics.enable = lib.mkDefault true;
fonts.enableDefaultPackages = lib.mkDefault true; fonts.enableDefaultPackages = lib.mkDefault true;
programs.dconf.enable = lib.mkDefault true; programs.dconf.enable = lib.mkDefault true;
# Xwayland is partly hardcoded in Mir so it can't really be fully turned off, and it must be on PATH for X11 apps *and Lomiri's web browser* to work.
# Until Mir/Lomiri can be properly used without it, force it on so everything behaves as expected.
programs.xwayland.enable = lib.mkForce true;
services.accounts-daemon.enable = true; services.accounts-daemon.enable = true;
services.ayatana-indicators = { services.ayatana-indicators = {
enable = true; enable = true;
packages = (with pkgs; [ packages =
ayatana-indicator-datetime (
with pkgs;
[
ayatana-indicator-display ayatana-indicator-display
ayatana-indicator-messages ayatana-indicator-messages
ayatana-indicator-power ayatana-indicator-power
ayatana-indicator-session ]
] ++ lib.optionals config.hardware.bluetooth.enable [ ++ lib.optionals config.hardware.bluetooth.enable [ ayatana-indicator-bluetooth ]
ayatana-indicator-bluetooth ++ lib.optionals (config.hardware.pulseaudio.enable || config.services.pipewire.pulse.enable) [
] ++ lib.optionals (config.hardware.pulseaudio.enable || config.services.pipewire.pulse.enable) [
ayatana-indicator-sound ayatana-indicator-sound
]) ++ (with pkgs.lomiri; [ ]
telephony-service )
] ++ lib.optionals config.networking.networkmanager.enable [ ++ (
lomiri-indicator-network with pkgs.lomiri;
]); [ telephony-service ]
++ lib.optionals config.networking.networkmanager.enable [ lomiri-indicator-network ]
);
}; };
services.udisks2.enable = true; services.udisks2.enable = true;
@ -139,9 +190,7 @@ in {
# At least the network indicator is still under the unity name, due to leftover Unity-isms # At least the network indicator is still under the unity name, due to leftover Unity-isms
"/share/unity" "/share/unity"
# Data # Data
"/share/locale" # TODO LUITK hardcoded default locale path, fix individual apps to not rely on it
"/share/sounds" "/share/sounds"
"/share/wallpapers"
]; ];
systemd.user.services = { systemd.user.services = {
@ -159,7 +208,13 @@ in {
"lomiri-polkit-agent" = rec { "lomiri-polkit-agent" = rec {
description = "Lomiri Polkit agent"; description = "Lomiri Polkit agent";
wantedBy = [ "lomiri.service" "lomiri-full-greeter.service" "lomiri-full-shell.service" "lomiri-greeter.service" "lomiri-shell.service" ]; wantedBy = [
"lomiri.service"
"lomiri-full-greeter.service"
"lomiri-full-shell.service"
"lomiri-greeter.service"
"lomiri-shell.service"
];
after = [ "graphical-session.target" ]; after = [ "graphical-session.target" ];
partOf = wantedBy; partOf = wantedBy;
serviceConfig = { serviceConfig = {
@ -172,14 +227,16 @@ in {
systemd.services = { systemd.services = {
"dbus-com.lomiri.UserMetrics" = { "dbus-com.lomiri.UserMetrics" = {
serviceConfig = { serviceConfig =
{
Type = "dbus"; Type = "dbus";
BusName = "com.lomiri.UserMetrics"; BusName = "com.lomiri.UserMetrics";
User = "usermetrics"; User = "usermetrics";
StandardOutput = "syslog"; StandardOutput = "syslog";
SyslogIdentifier = "com.lomiri.UserMetrics"; SyslogIdentifier = "com.lomiri.UserMetrics";
ExecStart = "${pkgs.lomiri.libusermetrics}/libexec/libusermetrics/usermetricsservice"; ExecStart = "${pkgs.lomiri.libusermetrics}/libexec/libusermetrics/usermetricsservice";
} // lib.optionalAttrs (!config.security.apparmor.enable) { }
// lib.optionalAttrs (!config.security.apparmor.enable) {
# Due to https://gitlab.com/ubports/development/core/libusermetrics/-/issues/8, auth must be disabled when not using AppArmor, lest the next database usage breaks # Due to https://gitlab.com/ubports/development/core/libusermetrics/-/issues/8, auth must be disabled when not using AppArmor, lest the next database usage breaks
Environment = "USERMETRICS_NO_AUTH=1"; Environment = "USERMETRICS_NO_AUTH=1";
}; };
@ -194,7 +251,8 @@ in {
}; };
users.groups.usermetrics = { }; users.groups.usermetrics = { };
}; })
];
meta.maintainers = lib.teams.lomiri.members; meta.maintainers = lib.teams.lomiri.members;
} }

View file

@ -73,6 +73,7 @@ in {
kguiaddons # provides geo URL handlers kguiaddons # provides geo URL handlers
kiconthemes # provides Qt plugins kiconthemes # provides Qt plugins
kimageformats # provides Qt plugins kimageformats # provides Qt plugins
qtimageformats # provides optional image formats such as .webp and .avif
kio # provides helper service + a bunch of other stuff kio # provides helper service + a bunch of other stuff
kio-admin # managing files as admin kio-admin # managing files as admin
kio-extras # stuff for MTP, AFC, etc kio-extras # stuff for MTP, AFC, etc

View file

@ -5,9 +5,6 @@
with lib; with lib;
let let
# the demo agent isn't built by default, but we need it here
package = pkgs.geoclue2.override { withDemoAgent = config.services.geoclue2.enableDemoAgent; };
cfg = config.services.geoclue2; cfg = config.services.geoclue2;
defaultWhitelist = [ "gnome-shell" "io.elementary.desktop.agent-geoclue2" ]; defaultWhitelist = [ "gnome-shell" "io.elementary.desktop.agent-geoclue2" ];
@ -132,6 +129,17 @@ in
''; '';
}; };
package = mkOption {
type = types.package;
default = pkgs.geoclue2;
defaultText = literalExpression "pkgs.geoclue2";
apply = pkg: pkg.override {
# the demo agent isn't built by default, but we need it here
withDemoAgent = cfg.enableDemoAgent;
};
description = "The geoclue2 package to use";
};
submitData = mkOption { submitData = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -180,11 +188,11 @@ in
###### implementation ###### implementation
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = [ package ]; environment.systemPackages = [ cfg.package ];
services.dbus.packages = [ package ]; services.dbus.packages = [ cfg.package ];
systemd.packages = [ package ]; systemd.packages = [ cfg.package ];
# we cannot use DynamicUser as we need the the geoclue user to exist for the # we cannot use DynamicUser as we need the the geoclue user to exist for the
# dbus policy to work # dbus policy to work
@ -223,7 +231,7 @@ in
unitConfig.ConditionUser = "!@system"; unitConfig.ConditionUser = "!@system";
serviceConfig = { serviceConfig = {
Type = "exec"; Type = "exec";
ExecStart = "${package}/libexec/geoclue-2.0/demos/agent"; ExecStart = "${cfg.package}/libexec/geoclue-2.0/demos/agent";
Restart = "on-failure"; Restart = "on-failure";
PrivateTmp = true; PrivateTmp = true;
}; };

View file

@ -37,7 +37,7 @@ If you want to prevent Athens from writing to disk, you can instead configure it
} }
``` ```
To use the local proxy in Go builds, you can set the proxy as environment variable: To use the local proxy in Go builds (outside of `nix`), you can set the proxy as environment variable:
```nix ```nix
{ {
@ -47,6 +47,21 @@ To use the local proxy in Go builds, you can set the proxy as environment variab
} }
``` ```
It is currently not possible to use the local proxy for builds done by the Nix daemon. This might be enabled To also use the local proxy for Go builds happening in `nix` (with `buildGoModule`), the nix daemon can be configured to pass the GOPROXY environment variable to the `goModules` fixed-output derivation.
by experimental features, specifically [`configurable-impure-env`](https://nixos.org/manual/nix/unstable/contributing/experimental-features#xp-feature-configurable-impure-env),
in upcoming Nix versions. This can either be done via the nix-daemon systemd unit:
```nix
{
systemd.services.nix-daemon.environment.GOPROXY = "http://localhost:3000";
}
```
or via the [impure-env experimental feature](https://nix.dev/manual/nix/2.24/command-ref/conf-file#conf-impure-env):
```nix
{
nix.settings.experimental-features = [ "configurable-impure-env" ];
nix.settings.impure-env = "GOPROXY=http://localhost:3000";
}
```

View file

@ -0,0 +1,45 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.g810-led;
in
{
options = {
services.g810-led = {
enable = lib.mkEnableOption "g810-led, a Linux LED controller for some Logitech G Keyboards";
package = lib.mkPackageOption pkgs "g810-led" { };
profile = lib.mkOption {
type = lib.types.nullOr lib.types.lines;
default = null;
example = ''
# G810-LED Profile (turn all keys on)
# Set all keys on
a ffffff
# Commit changes
c
'';
description = ''
Keyboard profile to apply at boot time.
The upstream repository provides [example configurations](https://github.com/MatMoul/g810-led/tree/master/sample_profiles).
'';
};
};
};
config = lib.mkIf cfg.enable {
environment.etc."g810-led/profile".text = lib.mkIf (cfg.profile != null) cfg.profile;
services.udev.packages = [ cfg.package ];
};
meta.maintainers = with lib.maintainers; [ GaetanLepage ];
}
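Review bot: in `config`, the `lib.mkIf (cfg.profile != null)` is applied to `.text` only, so `environment.etc."g810-led/profile"` is still declared when `profile` is left at its `null` default, as an entry with neither `text` nor `source`. Put the condition on the entry instead: `environment.etc."g810-led/profile" = lib.mkIf (cfg.profile != null) { text = cfg.profile; };`. The `profile` description could also state where the file ends up (`/etc/g810-led/profile`).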

View file

@ -11,6 +11,11 @@ in
enable = mkEnableOption "Handheld Daemon"; enable = mkEnableOption "Handheld Daemon";
package = mkPackageOption pkgs "handheld-daemon" { }; package = mkPackageOption pkgs "handheld-daemon" { };
ui = {
enable = mkEnableOption "Handheld Daemon UI";
package = mkPackageOption pkgs "handheld-daemon-ui" { };
};
user = mkOption { user = mkOption {
type = types.str; type = types.str;
description = '' description = ''
@ -20,7 +25,10 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ]; services.handheld-daemon.ui.enable = mkDefault true;
environment.systemPackages = [
cfg.package
] ++ lib.optional cfg.ui.enable cfg.ui.package;
services.udev.packages = [ cfg.package ]; services.udev.packages = [ cfg.package ];
systemd.packages = [ cfg.package ]; systemd.packages = [ cfg.package ];
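Review bot: `services.handheld-daemon.ui.enable = mkDefault true;` in the `config` block turns the UI on by default, while `mkEnableOption "Handheld Daemon UI"` documents the option as defaulting to false. Set the default on the option itself (`mkEnableOption "Handheld Daemon UI" // { default = true; }`) so the manual matches the behaviour and existing users can see that `cfg.ui.package` is now added to `environment.systemPackages`.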
@ -31,6 +39,11 @@ in
restartIfChanged = true; restartIfChanged = true;
path = mkIf cfg.ui.enable [
cfg.ui.package
pkgs.lsof
];
serviceConfig = { serviceConfig = {
ExecStart = "${ lib.getExe cfg.package } --user ${ cfg.user }"; ExecStart = "${ lib.getExe cfg.package } --user ${ cfg.user }";
Nice = "-12"; Nice = "-12";

View file

@ -18,6 +18,8 @@ in
enable = lib.mkEnableOption "udisks2, a DBus service that allows applications to query and manipulate storage devices"; enable = lib.mkEnableOption "udisks2, a DBus service that allows applications to query and manipulate storage devices";
package = lib.mkPackageOption pkgs "udisks2" {};
mountOnMedia = lib.mkOption { mountOnMedia = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = false; default = false;
@ -67,11 +69,11 @@ in
config = lib.mkIf config.services.udisks2.enable { config = lib.mkIf config.services.udisks2.enable {
environment.systemPackages = [ pkgs.udisks2 ]; environment.systemPackages = [ cfg.package ];
environment.etc = (lib.mapAttrs' (name: value: lib.nameValuePair "udisks2/${name}" { source = value; } ) configFiles) // ( environment.etc = (lib.mapAttrs' (name: value: lib.nameValuePair "udisks2/${name}" { source = value; } ) configFiles) // (
let let
libblockdev = pkgs.udisks2.libblockdev; libblockdev = cfg.package.libblockdev;
majorVer = lib.versions.major libblockdev.version; majorVer = lib.versions.major libblockdev.version;
in { in {
# We need to make sure /etc/libblockdev/@major_ver@/conf.d is populated to avoid # We need to make sure /etc/libblockdev/@major_ver@/conf.d is populated to avoid
@ -82,18 +84,18 @@ in
security.polkit.enable = true; security.polkit.enable = true;
services.dbus.packages = [ pkgs.udisks2 ]; services.dbus.packages = [ cfg.package ];
systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ] systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ]
++ lib.optional cfg.mountOnMedia "D! /media 0755 root root -"; ++ lib.optional cfg.mountOnMedia "D! /media 0755 root root -";
services.udev.packages = [ pkgs.udisks2 ]; services.udev.packages = [ cfg.package ];
services.udev.extraRules = lib.optionalString cfg.mountOnMedia '' services.udev.extraRules = lib.optionalString cfg.mountOnMedia ''
ENV{ID_FS_USAGE}=="filesystem", ENV{UDISKS_FILESYSTEM_SHARED}="1" ENV{ID_FS_USAGE}=="filesystem", ENV{UDISKS_FILESYSTEM_SHARED}="1"
''; '';
systemd.packages = [ pkgs.udisks2 ]; systemd.packages = [ cfg.package ];
}; };
} }

View file

@ -142,18 +142,10 @@ in
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
DeviceAllow = if builtins.elem options.device [ "cuda" "auto" ] then [ DeviceAllow = if builtins.elem options.device [ "cuda" "auto" ] then [
# https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf # https://docs.nvidia.com/dgx/pdf/dgx-os-5-user-guide.pdf
# CUDA not working? Check DeviceAllow and PrivateDevices first! "char-nvidia-uvm"
"/dev/nvidia0" "char-nvidia-frontend"
"/dev/nvidia1" "char-nvidia-caps"
"/dev/nvidia2" "char-nvidiactl"
"/dev/nvidia3"
"/dev/nvidia4"
"/dev/nvidia-caps/nvidia-cap1"
"/dev/nvidia-caps/nvidia-cap2"
"/dev/nvidiactl"
"/dev/nvidia-modeset"
"/dev/nvidia-uvm"
"/dev/nvidia-uvm-tools"
] else ""; ] else "";
DevicePolicy = "closed"; DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
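Review bot: the new `DeviceAllow` entries (`char-nvidia-uvm`, `char-nvidia-frontend`, `char-nvidia-caps`, `char-nvidiactl`) are device-group specifiers rather than paths, and the hunk drops the troubleshooting comment without explaining the new form. Add a one-line comment saying that these names are matched against the groups in /proc/devices and that a group admits every node the driver registers under it, not only the enumerated `/dev/nvidia0` to `/dev/nvidia4`. `/dev/nvidia-modeset` and `/dev/nvidia-uvm-tools` are no longer listed explicitly; please confirm they are either covered by a group or not needed under `DevicePolicy = "closed"`.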

View file

@ -76,9 +76,7 @@ in
# Hardening # Hardening
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
DeviceAllow = [ DeviceAllow = lib.optionals (lib.hasPrefix "/" cfg.settings.serial.port) [ cfg.settings.serial.port ];
config.services.zigbee2mqtt.settings.serial.port
];
DevicePolicy = "closed"; DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = false;
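Review bot: with `lib.hasPrefix "/"`, a `serial.port` that is not an absolute path now yields an empty `DeviceAllow`, which together with `DevicePolicy = "closed"` means no device access at all; that is not obvious from the one-liner. Add a short comment naming the port forms that are expected to skip the device allow-list, so a relative or mistyped device path is not mistaken for an intentional case.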

View file

@ -27,7 +27,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# for cli usage # for cli usage
environment.systemPackages = [ pkgs.vector ]; environment.systemPackages = [ cfg.package ];
systemd.services.vector = { systemd.services.vector = {
description = "Vector event and log aggregator"; description = "Vector event and log aggregator";
@ -40,7 +40,7 @@ in
conf = format.generate "vector.toml" cfg.settings; conf = format.generate "vector.toml" cfg.settings;
validateConfig = file: validateConfig = file:
pkgs.runCommand "validate-vector-conf" { pkgs.runCommand "validate-vector-conf" {
nativeBuildInputs = [ pkgs.vector ]; nativeBuildInputs = [ cfg.package ];
} '' } ''
vector validate --no-environment "${file}" vector validate --no-environment "${file}"
ln -s "${file}" "$out" ln -s "${file}" "$out"

View file

@ -18,7 +18,7 @@ in
type = lib.types.listOf lib.types.path; type = lib.types.listOf lib.types.path;
default = [ ]; default = [ ];
example = lib.literalExpression "with pkgs; [ pass gnome-keyring ]"; example = lib.literalExpression "with pkgs; [ pass gnome-keyring ]";
description = "List of derivations to put in protonmail-bride's path."; description = "List of derivations to put in protonmail-bridge's path.";
}; };
logLevel = lib.mkOption { logLevel = lib.mkOption {

View file

@ -7,7 +7,7 @@ let
stateDir = "/var/lib/public-inbox"; stateDir = "/var/lib/public-inbox";
gitIni = pkgs.formats.gitIni { listsAsDuplicateKeys = true; }; gitIni = pkgs.formats.gitIni { listsAsDuplicateKeys = true; };
iniAtom = elemAt gitIni.type/*attrsOf*/.functor.wrapped/*attrsOf*/.functor.wrapped/*either*/.functor.wrapped 0; iniAtom = gitIni.lib.types.atom;
useSpamAssassin = cfg.settings.publicinboxmda.spamcheck == "spamc" || useSpamAssassin = cfg.settings.publicinboxmda.spamcheck == "spamc" ||
cfg.settings.publicinboxwatch.spamcheck == "spamc"; cfg.settings.publicinboxwatch.spamcheck == "spamc";

View file

@ -0,0 +1,125 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.duckdns;
duckdns = pkgs.writeShellScriptBin "duckdns" ''
DRESPONSE=$(curl -sS --max-time 60 --no-progress-meter -k -K- <<< "url = \"https://www.duckdns.org/update?verbose=true&domains=$DUCKDNS_DOMAINS&token=$DUCKDNS_TOKEN&ip=\"")
IPV4=$(echo "$DRESPONSE" | awk 'NR==2')
IPV6=$(echo "$DRESPONSE" | awk 'NR==3')
RESPONSE=$(echo "$DRESPONSE" | awk 'NR==1')
IPCHANGE=$(echo "$DRESPONSE" | awk 'NR==4')
if [[ "$RESPONSE" = "OK" ]] && [[ "$IPCHANGE" = "UPDATED" ]]; then
if [[ "$IPV4" != "" ]] && [[ "$IPV6" == "" ]]; then
echo "Your IP was updated at $(date) to IPv4: $IPV4"
elif [[ "$IPV4" == "" ]] && [[ "$IPV6" != "" ]]; then
echo "Your IP was updated at $(date) to IPv6: $IPV6"
else
echo "Your IP was updated at $(date) to IPv4: $IPV4 & IPv6 to: $IPV6"
fi
elif [[ "$RESPONSE" = "OK" ]] && [[ "$IPCHANGE" = "NOCHANGE" ]]; then
echo "DuckDNS request at $(date) successful. IP(s) unchanged."
else
echo -e "Something went wrong, please check your settings\nThe response returned was:\n$DRESPONSE\n"
exit 1
fi
'';
in
{
options.services.duckdns = {
enable = lib.mkEnableOption "DuckDNS Dynamic DNS Client";
tokenFile = lib.mkOption {
default = null;
type = lib.types.path;
description = ''
The path to a file containing the token
used to authenticate with DuckDNS.
'';
};
domains = lib.mkOption {
default = null;
type = lib.types.nullOr (lib.types.listOf lib.types.str);
example = [ "examplehost" ];
description = ''
The domain(s) to update in DuckDNS
(without the .duckdns.org suffix)
'';
};
domainsFile = lib.mkOption {
default = null;
type = lib.types.nullOr lib.types.path;
example = lib.literalExpression ''
pkgs.writeText "duckdns-domains.txt" '''
examplehost
examplehost2
examplehost3
'''
'';
description = ''
The path to a file containing a
newline-separated list of DuckDNS
domain(s) to be updated
(without the .duckdns.org suffix)
'';
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.domains != null || cfg.domainsFile != null;
message = "Either services.duckdns.domains or services.duckdns.domainsFile has to be defined";
}
{
assertion = !(cfg.domains != null && cfg.domainsFile != null);
message = "services.duckdns.domains and services.duckdns.domainsFile can't both be defined at the same time";
}
{
assertion = (cfg.tokenFile != null);
message = "services.duckdns.tokenFile has to be defined";
}
];
environment.systemPackages = [ duckdns ];
systemd.services.duckdns = {
description = "DuckDNS Dynamic DNS Client";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
startAt = "*:0/5";
path = [
pkgs.gnused
pkgs.systemd
pkgs.curl
pkgs.gawk
duckdns
];
serviceConfig = {
Type = "simple";
LoadCredential = [
"DUCKDNS_TOKEN_FILE:${cfg.tokenFile}"
] ++ lib.optionals (cfg.domainsFile != null) [ "DUCKDNS_DOMAINS_FILE:${cfg.domainsFile}" ];
DynamicUser = true;
};
script = ''
export DUCKDNS_TOKEN=$(systemd-creds cat DUCKDNS_TOKEN_FILE)
${lib.optionalString (cfg.domains != null) ''
export DUCKDNS_DOMAINS='${lib.strings.concatStringsSep "," cfg.domains}'
''}
${lib.optionalString (cfg.domainsFile != null) ''
export DUCKDNS_DOMAINS=$(systemd-creds cat DUCKDNS_DOMAINS_FILE | sed -z 's/\n/,/g')
''}
exec ${lib.getExe duckdns}
'';
};
};
meta.maintainers = with lib.maintainers; [ notthebee ];
}
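Review bot: the `curl` call in the `duckdns` script passes `-k`, which turns off TLS certificate verification on the very request that carries `$DUCKDNS_TOKEN`; drop `-k` so the token is only sent to a verified `www.duckdns.org`. Separately, `tokenFile` has `default = null` with `type = lib.types.path`, which does not accept null, so the `cfg.tokenFile != null` assertion cannot produce its message; either remove the default or make the type `lib.types.nullOr lib.types.path`.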

View file

@ -0,0 +1,167 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.evremap;
format = pkgs.formats.toml { };
key = lib.types.strMatching "KEY_[[:upper:]]+" // {
description = "key ID prefixed with KEY_";
};
mkKeyOption =
description:
lib.mkOption {
type = key;
description = ''
${description}
You can get a list of keys by running `evremap list-keys`.
'';
};
mkKeySeqOption =
description:
(mkKeyOption description)
// {
type = lib.types.listOf key;
};
dualRoleModule = lib.types.submodule {
options = {
input = mkKeyOption "The key that should be remapped.";
hold = mkKeySeqOption "The key sequence that should be output when the input key is held.";
tap = mkKeySeqOption "The key sequence that should be output when the input key is tapped.";
};
};
remapModule = lib.types.submodule {
options = {
input = mkKeySeqOption "The key sequence that should be remapped.";
output = mkKeySeqOption "The key sequence that should be output when the input sequence is entered.";
};
};
in
{
options.services.evremap = {
enable = lib.mkEnableOption "evremap, a keyboard input remapper for Linux/Wayland systems";
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
device_name = lib.mkOption {
type = lib.types.str;
example = "AT Translated Set 2 keyboard";
description = ''
The name of the device that should be remapped.
You can get a list of devices by running `evremap list-devices` with elevated permissions.
'';
};
dual_role = lib.mkOption {
type = lib.types.listOf dualRoleModule;
default = [ ];
example = [
{
input = "KEY_CAPSLOCK";
hold = [ "KEY_LEFTCTRL" ];
tap = [ "KEY_ESC" ];
}
];
description = ''
List of dual-role remappings that output different key sequences based on whether the
input key is held or tapped.
'';
};
remap = lib.mkOption {
type = lib.types.listOf remapModule;
default = [ ];
example = [
{
input = [
"KEY_LEFTALT"
"KEY_UP"
];
output = [ "KEY_PAGEUP" ];
}
];
description = ''
List of remappings.
'';
};
};
};
description = ''
Settings for evremap.
See the [upstream documentation](https://github.com/wez/evremap/blob/master/README.md#configuration)
for how to configure evremap.
'';
default = { };
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.evremap ];
hardware.uinput.enable = true;
systemd.services.evremap = {
description = "evremap - keyboard input remapper";
wantedBy = [ "multi-user.target" ];
script = "${lib.getExe pkgs.evremap} remap ${format.generate "evremap.toml" cfg.settings}";
serviceConfig = {
DynamicUser = true;
User = "evremap";
SupplementaryGroups = [
config.users.groups.input.name
config.users.groups.uinput.name
];
Restart = "on-failure";
RestartSec = 5;
TimeoutSec = 20;
# Hardening
ProtectClock = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectHome = true;
ProcSubset = "pid";
PrivateTmp = true;
PrivateNetwork = true;
PrivateUsers = true;
RestrictRealtime = true;
RestrictNamespaces = true;
RestrictAddressFamilies = "none";
MemoryDenyWriteExecute = true;
LockPersonality = true;
IPAddressDeny = "any";
AmbientCapabilities = "";
CapabilityBoundingSet = "";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@resources"
"~@privileged"
];
UMask = "0027";
};
};
};
}
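Review bot: the `key` type is `lib.types.strMatching "KEY_[[:upper:]]+"`, which only admits uppercase letters after the prefix, so key names that contain digits or further underscores (`KEY_F1`, `KEY_1`) are rejected at evaluation time. Widen the pattern, for example to `KEY_[[:upper:][:digit:]_]+`. The module also hardcodes `pkgs.evremap` in `environment.systemPackages` and in `script`; a `package = lib.mkPackageOption pkgs "evremap" { };` option would match the other modules touched in this commit.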

View file

@ -0,0 +1,20 @@
# Glances {#module-serives-glances}
Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS
and Windows operating systems.
Visit [the Glances project page](https://github.com/nicolargo/glances) to learn
more about it.
# Quickstart {#module-serives-glances-quickstart}
Use the following configuration to start a public instance of Glances locally:
```nix
{
services.glances = {
enable = true;
openFirewall = true;
};
};
```
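Review bot: the Quickstart example closes the outer attribute set with `};`, so it is not a valid Nix expression when copied; the last line should be `}`. Both heading anchors are spelled `module-serives-glances` instead of `module-services-glances`. The lead-in sentence says "public instance of Glances locally" while the snippet sets `openFirewall = true`; state plainly that this exposes the Glances web server on the network.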

View file

@ -0,0 +1,110 @@
{
pkgs,
config,
lib,
utils,
...
}:
let
cfg = config.services.glances;
inherit (lib)
getExe
maintainers
mkEnableOption
mkOption
mkIf
mkPackageOption
;
inherit (lib.types)
bool
listOf
port
str
;
inherit (utils)
escapeSystemdExecArgs
;
in
{
options.services.glances = {
enable = mkEnableOption "Glances";
package = mkPackageOption pkgs "glances" { };
port = mkOption {
description = "Port the server will isten on.";
type = port;
default = 61208;
};
openFirewall = mkOption {
description = "Open port in the firewall for glances.";
type = bool;
default = false;
};
extraArgs = mkOption {
type = listOf str;
default = [ "--webserver" ];
example = [
"--webserver"
"--disable-webui"
];
description = ''
Extra command-line arguments to pass to glances.
See https://glances.readthedocs.io/en/latest/cmds.html for all available options.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
systemd.services."glances" = {
description = "Glances";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
DynamicUser = true;
ExecStart = "${getExe cfg.package} --port ${toString cfg.port} ${escapeSystemdExecArgs cfg.extraArgs}";
Restart = "on-failure";
NoNewPrivileges = true;
ProtectSystem = "full";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
MemoryDenyWriteExecute = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
LockPersonality = true;
RestrictRealtime = true;
ProtectClock = true;
ReadWritePaths = [ "/var/log" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
SystemCallFilter = [ "@system-service" ];
};
};
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
};
meta.maintainers = with maintainers; [ claha ];
}
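Review bot: `CapabilityBoundingSet` and `AmbientCapabilities` grant `CAP_NET_BIND_SERVICE`, but the default `port` is 61208, which needs no capability; leave both empty by default and grant the capability only when `cfg.port` is below 1024. `ReadWritePaths = [ "/var/log" ]` likewise opens the whole log directory to a `DynamicUser` service, where a `LogsDirectory` would be narrower. The `port` description also has a typo ("isten").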

View file

@ -255,6 +255,7 @@ in
Grafana settings. See <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/> Grafana settings. See <https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/>
for available options. INI format is used. for available options. INI format is used.
''; '';
default = { };
type = types.submodule { type = types.submodule {
freeformType = settingsFormatIni.type; freeformType = settingsFormatIni.type;

View file

@ -13,6 +13,11 @@ in
package = lib.mkPackageOption pkgs "clatd" { }; package = lib.mkPackageOption pkgs "clatd" { };
enableNetworkManagerIntegration = lib.mkEnableOption "NetworkManager integration" // {
default = config.networking.networkmanager.enable;
defaultText = "config.networking.networkmanager.enable";
};
settings = lib.mkOption { settings = lib.mkOption {
type = lib.types.submodule ({ name, ... }: { type = lib.types.submodule ({ name, ... }: {
freeformType = settingsFormat.type; freeformType = settingsFormat.type;
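Review bot: `defaultText` for `enableNetworkManagerIntegration` is a plain string; wrap it as `lib.literalExpression "config.networking.networkmanager.enable"` so the manual renders it as an expression rather than as a literal string value.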
@ -75,5 +80,17 @@ in
]; ];
}; };
}; };
networking.networkmanager.dispatcherScripts = cfg.enableNetworkManagerIntegration [
{
type = "basic";
# https://github.com/toreanderson/clatd/blob/master/scripts/clatd.networkmanager
source = pkgs.writeShellScript "restart-clatd" ''
[ "$DEVICE_IFACE" = "clat" ] && exit 0
[ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
${pkgs.systemd}/bin/systemctl restart clatd.service
'';
}
];
}; };
} }
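Review bot: `networking.networkmanager.dispatcherScripts = cfg.enableNetworkManagerIntegration [ ... ]` applies a boolean to a list as if it were a function, which fails at evaluation. This looks like a missing `lib.optionals`: `lib.optionals cfg.enableNetworkManagerIntegration [ { ... } ]`.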

View file

@ -0,0 +1,62 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.globalprotect;
execStart =
if cfg.csdWrapper == null then
"${pkgs.globalprotect-openconnect}/bin/gpservice"
else
"${pkgs.globalprotect-openconnect}/bin/gpservice --csd-wrapper=${cfg.csdWrapper}";
in
{
options.services.globalprotect = {
enable = lib.mkEnableOption "globalprotect";
settings = lib.mkOption {
description = ''
GlobalProtect-openconnect configuration. For more information, visit
<https://github.com/yuezk/GlobalProtect-openconnect/wiki/Configuration>.
'';
default = { };
example = {
"vpn1.company.com" = {
openconnect-args = "--script=/path/to/vpnc-script";
};
};
type = lib.types.attrs;
};
csdWrapper = lib.mkOption {
description = ''
A script that will produce a Host Integrity Protection (HIP) report,
as described at <https://www.infradead.org/openconnect/hip.html>
'';
default = null;
example = lib.literalExpression ''"''${pkgs.openconnect}/libexec/openconnect/hipreport.sh"'';
type = lib.types.nullOr lib.types.path;
};
};
config = lib.mkIf cfg.enable {
services.dbus.packages = [ pkgs.globalprotect-openconnect ];
environment.etc."gpservice/gp.conf".text = lib.generators.toINI { } cfg.settings;
systemd.services.gpservice = {
description = "GlobalProtect openconnect DBus service";
serviceConfig = {
Type = "dbus";
BusName = "com.yuezk.qt.GPService";
ExecStart = execStart;
};
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
};
};
}
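Review bot: `settings` is typed `lib.types.attrs`, which gives no per-key checking and does not merge nested definitions coming from several modules, while the value is rendered with `lib.generators.toINI`. Using `pkgs.formats.ini { }` for both the option `type` and the file generation would address both. `execStart` and `services.dbus.packages` also hardcode `pkgs.globalprotect-openconnect`; consider a `package` option as the other modules in this commit now have.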

View file

@ -9,7 +9,7 @@ let
cfg = config.services.magic-wormhole-mailbox-server; cfg = config.services.magic-wormhole-mailbox-server;
# keep semicolon in dataDir for backward compatibility # keep semicolon in dataDir for backward compatibility
dataDir = "/var/lib/magic-wormhole-mailbox-server;"; dataDir = "/var/lib/magic-wormhole-mailbox-server;";
python = pkgs.python311.withPackages ( python = pkgs.python3.withPackages (
py: with py; [ py: with py; [
magic-wormhole-mailbox-server magic-wormhole-mailbox-server
twisted twisted

View file

@ -21,6 +21,8 @@ in
''; '';
}; };
options.services.minidlna.package = lib.mkPackageOption pkgs "minidlna" { };
options.services.minidlna.openFirewall = mkOption { options.services.minidlna.openFirewall = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -141,7 +143,7 @@ in
CacheDirectory = "minidlna"; CacheDirectory = "minidlna";
RuntimeDirectory = "minidlna"; RuntimeDirectory = "minidlna";
PIDFile = "/run/minidlna/pid"; PIDFile = "/run/minidlna/pid";
ExecStart = "${pkgs.minidlna}/sbin/minidlnad -S -P /run/minidlna/pid -f ${settingsFile}"; ExecStart = "${lib.getExe cfg.package} -S -P /run/minidlna/pid -f ${settingsFile}";
}; };
}; };
}; };

View file

@ -27,6 +27,8 @@ in
''; '';
}; };
package = lib.options.mkPackageOption pkgs "shairport-sync" { };
arguments = mkOption { arguments = mkOption {
type = types.str; type = types.str;
default = "-v -o pa"; default = "-v -o pa";
@ -100,12 +102,12 @@ in
serviceConfig = { serviceConfig = {
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
ExecStart = "${pkgs.shairport-sync}/bin/shairport-sync ${cfg.arguments}"; ExecStart = "${lib.getExe cfg.package} ${cfg.arguments}";
RuntimeDirectory = "shairport-sync"; RuntimeDirectory = "shairport-sync";
}; };
}; };
environment.systemPackages = [ pkgs.shairport-sync ]; environment.systemPackages = [ cfg.package ];
}; };

View file

@ -186,6 +186,7 @@ in
Restart = "always"; Restart = "always";
User = "spiped"; User = "spiped";
}; };
stopIfChanged = false;
scriptArgs = "%i"; scriptArgs = "%i";
script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`"; script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/$1.spec`";

View file

@ -83,6 +83,7 @@ in
systemd.services.teleport = { systemd.services.teleport = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
path = with pkgs; [ getent shadow sudo ];
serviceConfig = { serviceConfig = {
ExecStart = '' ExecStart = ''
${cfg.package}/bin/teleport start \ ${cfg.package}/bin/teleport start \

View file

@ -1,10 +1,12 @@
{ config, options, pkgs, lib, ... }: { config, options, pkgs, lib, ... }:
with lib;
let let
inherit (lib) concatStringsSep literalExpression makeLibraryPath mkEnableOption
mkForce mkIf mkOption mkPackageOption mkRemovedOptionModule optional types;
cfg = config.services.aesmd; cfg = config.services.aesmd;
opt = options.services.aesmd; opt = options.services.aesmd;
sgx-psw = pkgs.sgx-psw.override { inherit (cfg) debug; }; sgx-psw = cfg.package;
configFile = with cfg.settings; pkgs.writeText "aesmd.conf" ( configFile = with cfg.settings; pkgs.writeText "aesmd.conf" (
concatStringsSep "\n" ( concatStringsSep "\n" (
@ -18,13 +20,17 @@ let
); );
in in
{ {
imports = [
(mkRemovedOptionModule [ "debug" ] ''
Enable debug mode by overriding the aesmd package directly:
services.aesmd.package = pkgs.sgx-psw.override { debug = true; };
'')
];
options.services.aesmd = { options.services.aesmd = {
enable = mkEnableOption "Intel's Architectural Enclave Service Manager (AESM) for Intel SGX"; enable = mkEnableOption "Intel's Architectural Enclave Service Manager (AESM) for Intel SGX";
debug = mkOption { package = mkPackageOption pkgs "sgx-psw" { };
type = types.bool;
default = false;
description = "Whether to build the PSW package in debug mode.";
};
environment = mkOption { environment = mkOption {
type = with types; attrsOf str; type = with types; attrsOf str;
default = { }; default = { };
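Review bot: `mkRemovedOptionModule [ "debug" ]` names a top-level `debug` option, not the `services.aesmd.debug` option this hunk removes, so users who still set `services.aesmd.debug` will not see the migration message. The path should be `[ "services" "aesmd" "debug" ]`.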
@ -126,7 +132,7 @@ in
"|/dev/sgx_enclave" "|/dev/sgx_enclave"
]; ];
serviceConfig = rec { serviceConfig = {
ExecStartPre = pkgs.writeShellScript "copy-aesmd-data-files.sh" '' ExecStartPre = pkgs.writeShellScript "copy-aesmd-data-files.sh" ''
set -euo pipefail set -euo pipefail
whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin" whiteListFile="${aesmDataFolder}/white_list_cert_to_be_verify.bin"

View file

@ -177,7 +177,7 @@ in
type = types.nullOr types.str; type = types.nullOr types.str;
example = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; example = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
description = '' description = ''
"bantime.formula" used by default to calculate next value of ban time, default value bellow, "bantime.formula" used by default to calculate next value of ban time, default value below,
the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32 ... the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32 ...
''; '';
}; };

View file

@ -0,0 +1,482 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.services.agorakit;
agorakit = pkgs.agorakit.override { dataDir = cfg.dataDir; };
db = cfg.database;
mail = cfg.mail;
user = cfg.user;
group = cfg.group;
# shell script for local administration
artisan = pkgs.writeScriptBin "agorakit" ''
#! ${pkgs.runtimeShell}
cd ${agorakit}
sudo() {
if [[ "$USER" != ${user} ]]; then
exec /run/wrappers/bin/sudo -u ${user} "$@"
else
exec "$@"
fi
}
sudo ${lib.getExe pkgs.php} artisan "$@"
'';
tlsEnabled = cfg.nginx.addSSL || cfg.nginx.forceSSL || cfg.nginx.onlySSL || cfg.nginx.enableACME;
in
{
options.services.agorakit = {
enable = mkEnableOption "agorakit";
user = mkOption {
default = "agorakit";
description = "User agorakit runs as.";
type = types.str;
};
group = mkOption {
default = "agorakit";
description = "Group agorakit runs as.";
type = types.str;
};
appKeyFile = mkOption {
description = ''
A file containing the Laravel APP_KEY - a 32 character long,
base64 encoded key used for encryption where needed. Can be
generated with <code>head -c 32 /dev/urandom | base64</code>.
'';
example = "/run/keys/agorakit-appkey";
type = types.path;
};
hostName = lib.mkOption {
type = lib.types.str;
default =
if config.networking.domain != null then config.networking.fqdn else config.networking.hostName;
defaultText = lib.literalExpression "config.networking.fqdn";
example = "agorakit.example.com";
description = ''
The hostname to serve agorakit on.
'';
};
appURL = mkOption {
description = ''
The root URL that you want to host agorakit on. All URLs in agorakit will be generated using this value.
If you change this in the future you may need to run a command to update stored URLs in the database.
Command example: <code>php artisan agorakit:update-url https://old.example.com https://new.example.com</code>
'';
default = "http${lib.optionalString tlsEnabled "s"}://${cfg.hostName}";
defaultText = ''http''${lib.optionalString tlsEnabled "s"}://''${cfg.hostName}'';
example = "https://example.com";
type = types.str;
};
dataDir = mkOption {
description = "agorakit data directory";
default = "/var/lib/agorakit";
type = types.path;
};
database = {
host = mkOption {
type = types.str;
default = "localhost";
description = "Database host address.";
};
port = mkOption {
type = types.port;
default = 3306;
description = "Database host port.";
};
name = mkOption {
type = types.str;
default = "agorakit";
description = "Database name.";
};
user = mkOption {
type = types.str;
default = user;
defaultText = lib.literalExpression "user";
description = "Database username.";
};
passwordFile = mkOption {
type = with types; nullOr path;
default = null;
example = "/run/keys/agorakit-dbpassword";
description = ''
A file containing the password corresponding to
<option>database.user</option>.
'';
};
createLocally = mkOption {
type = types.bool;
default = true;
description = "Create the database and database user locally.";
};
};
mail = {
driver = mkOption {
type = types.enum [
"smtp"
"sendmail"
];
default = "smtp";
description = "Mail driver to use.";
};
host = mkOption {
type = types.str;
default = "localhost";
description = "Mail host address.";
};
port = mkOption {
type = types.port;
default = 1025;
description = "Mail host port.";
};
fromName = mkOption {
type = types.str;
default = "agorakit";
description = "Mail \"from\" name.";
};
from = mkOption {
type = types.str;
default = "mail@agorakit.com";
description = "Mail \"from\" email.";
};
user = mkOption {
type = with types; nullOr str;
default = null;
example = "agorakit";
description = "Mail username.";
};
passwordFile = mkOption {
type = with types; nullOr path;
default = null;
example = "/run/keys/agorakit-mailpassword";
description = ''
A file containing the password corresponding to
<option>mail.user</option>.
'';
};
encryption = mkOption {
type = with types; nullOr (enum [ "tls" ]);
default = null;
description = "SMTP encryption mechanism to use.";
};
};
maxUploadSize = mkOption {
type = types.str;
default = "18M";
example = "1G";
description = "The maximum size for uploads (e.g. images).";
};
poolConfig = mkOption {
type =
with types;
attrsOf (oneOf [
str
int
bool
]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the agorakit PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives.
'';
};
nginx = mkOption {
type = types.submodule (
recursiveUpdate (import ../web-servers/nginx/vhost-options.nix {
inherit config lib;
}) { }
);
default = { };
example = ''
{
serverAliases = [
"agorakit.''${config.networking.domain}"
];
# To enable encryption and let let's encrypt take care of certificate
forceSSL = true;
enableACME = true;
}
'';
description = ''
With this option, you can customize the nginx virtualHost settings.
'';
};
config = mkOption {
type =
with types;
attrsOf (
nullOr (
either
(oneOf [
bool
int
port
path
str
])
(submodule {
options = {
_secret = mkOption {
type = nullOr str;
description = ''
The path to a file containing the value the
option should be set to in the final
configuration file.
'';
};
};
})
)
);
default = { };
example = ''
{
ALLOWED_IFRAME_HOSTS = "https://example.com";
AUTH_METHOD = "oidc";
OIDC_NAME = "MyLogin";
OIDC_DISPLAY_NAME_CLAIMS = "name";
OIDC_CLIENT_ID = "agorakit";
OIDC_CLIENT_SECRET = {_secret = "/run/keys/oidc_secret"};
OIDC_ISSUER = "https://keycloak.example.com/auth/realms/My%20Realm";
OIDC_ISSUER_DISCOVER = true;
}
'';
description = ''
Agorakit configuration options to set in the
<filename>.env</filename> file.
Refer to <link xlink:href="https://github.com/agorakit/agorakit"/>
for details on supported values.
Settings containing secret data should be set to an attribute
set containing the attribute <literal>_secret</literal> - a
string pointing to a file containing the value the option
should be set to. See the example to get a better picture of
this: in the resulting <filename>.env</filename> file, the
<literal>OIDC_CLIENT_SECRET</literal> key will be set to the
contents of the <filename>/run/keys/oidc_secret</filename>
file.
'';
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = db.createLocally -> db.user == user;
message = "services.agorakit.database.user must be set to ${user} if services.agorakit.database.createLocally is set true.";
}
{
assertion = db.createLocally -> db.passwordFile == null;
message = "services.agorakit.database.passwordFile cannot be specified if services.agorakit.database.createLocally is set to true.";
}
];
services.agorakit.config = {
APP_ENV = "production";
APP_KEY._secret = cfg.appKeyFile;
APP_URL = cfg.appURL;
DB_HOST = db.host;
DB_PORT = db.port;
DB_DATABASE = db.name;
DB_USERNAME = db.user;
MAIL_DRIVER = mail.driver;
MAIL_FROM_NAME = mail.fromName;
MAIL_FROM = mail.from;
MAIL_HOST = mail.host;
MAIL_PORT = mail.port;
MAIL_USERNAME = mail.user;
MAIL_ENCRYPTION = mail.encryption;
DB_PASSWORD._secret = db.passwordFile;
MAIL_PASSWORD._secret = mail.passwordFile;
APP_SERVICES_CACHE = "/run/agorakit/cache/services.php";
APP_PACKAGES_CACHE = "/run/agorakit/cache/packages.php";
APP_CONFIG_CACHE = "/run/agorakit/cache/config.php";
APP_ROUTES_CACHE = "/run/agorakit/cache/routes-v7.php";
APP_EVENTS_CACHE = "/run/agorakit/cache/events.php";
SESSION_SECURE_COOKIE = tlsEnabled;
};
environment.systemPackages = [ artisan ];
services.mysql = mkIf db.createLocally {
enable = true;
package = mkDefault pkgs.mysql;
ensureDatabases = [ db.name ];
ensureUsers = [
{
name = db.user;
ensurePermissions = {
"${db.name}.*" = "ALL PRIVILEGES";
};
}
];
};
services.phpfpm.pools.agorakit = {
inherit user group;
phpOptions = ''
log_errors = on
post_max_size = ${cfg.maxUploadSize}
upload_max_filesize = ${cfg.maxUploadSize}
'';
settings = {
"listen.mode" = "0660";
"listen.owner" = user;
"listen.group" = group;
} // cfg.poolConfig;
};
services.nginx = {
enable = mkDefault true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedProxySettings = true;
virtualHosts.${cfg.hostName} = mkMerge [
cfg.nginx
{
root = mkForce "${agorakit}/public";
locations = {
"/" = {
index = "index.php";
tryFiles = "$uri $uri/ /index.php?$query_string";
};
"~ \.php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools."agorakit".socket};
'';
"~ \.(js|css|gif|png|ico|jpg|jpeg)$" = {
extraConfig = "expires 365d;";
};
};
}
];
};
systemd.services.agorakit-setup = {
description = "Preparation tasks for agorakit";
before = [ "phpfpm-agorakit.service" ];
after = optional db.createLocally "mysql.service";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = user;
UMask = 77;
WorkingDirectory = "${agorakit}";
RuntimeDirectory = "agorakit/cache";
RuntimeDirectoryMode = 700;
};
path = [ pkgs.replace-secret ];
script =
let
isSecret = v: isAttrs v && v ? _secret && isString v._secret;
agorakitEnvVars = lib.generators.toKeyValue {
mkKeyValue = lib.flip lib.generators.mkKeyValueDefault "=" {
mkValueString =
v:
with builtins;
if isInt v then
toString v
else if isString v then
v
else if true == v then
"true"
else if false == v then
"false"
else if isSecret v then
hashString "sha256" v._secret
else
throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty { }) v}";
};
};
secretPaths = lib.mapAttrsToList (_: v: v._secret) (lib.filterAttrs (_: isSecret) cfg.config);
mkSecretReplacement = file: ''
replace-secret ${
escapeShellArgs [
(builtins.hashString "sha256" file)
file
"${cfg.dataDir}/.env"
]
}
'';
secretReplacements = lib.concatMapStrings mkSecretReplacement secretPaths;
filteredConfig = lib.converge (lib.filterAttrsRecursive (
_: v:
!elem v [
{ }
null
]
)) cfg.config;
agorakitEnv = pkgs.writeText "agorakit.env" (agorakitEnvVars filteredConfig);
in
''
# error handling
set -euo pipefail
# create .env file
install -T -m 0600 -o ${user} ${agorakitEnv} "${cfg.dataDir}/.env"
${secretReplacements}
if ! grep 'APP_KEY=base64:' "${cfg.dataDir}/.env" >/dev/null; then
sed -i 's/APP_KEY=/APP_KEY=base64:/' "${cfg.dataDir}/.env"
fi
# migrate & seed db
${pkgs.php}/bin/php artisan key:generate --force
${pkgs.php}/bin/php artisan migrate --force
${pkgs.php}/bin/php artisan config:cache
'';
};
systemd.tmpfiles.rules = [
"d ${cfg.dataDir} 0710 ${user} ${group} - -"
"d ${cfg.dataDir}/public 0750 ${user} ${group} - -"
"d ${cfg.dataDir}/public/uploads 0750 ${user} ${group} - -"
"d ${cfg.dataDir}/storage 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/app 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/fonts 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/framework 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/framework/cache 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/framework/sessions 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/framework/views 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/logs 0700 ${user} ${group} - -"
"d ${cfg.dataDir}/storage/uploads 0700 ${user} ${group} - -"
];
users = {
users = mkIf (user == "agorakit") {
agorakit = {
inherit group;
isSystemUser = true;
};
"${config.services.nginx.user}".extraGroups = [ group ];
};
groups = mkIf (group == "agorakit") { agorakit = { }; };
};
};
}
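Review bot: `php artisan key:generate --force` at the end of the `agorakit-setup` script runs after `replace-secret` has written the contents of `cfg.appKeyFile` into `APP_KEY` in `${cfg.dataDir}/.env`, so the operator-supplied key looks like it is regenerated on every start of the unit, which would invalidate existing sessions and anything encrypted under the previous key. Consider dropping the `key:generate` call, or running it only when `APP_KEY` is still empty after the replacement step. Separately, the nginx location keys `"~ \.php$"` and `"~ \.(js|css|gif|png|ico|jpg|jpeg)$"` use a single backslash inside a Nix double-quoted string, which Nix reduces to a bare `.`, so the regex matches any character there; the kimai module added in this same commit writes `\\.` for the same purpose.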

View file

@ -129,9 +129,6 @@ in
services.changedetection-io = { services.changedetection-io = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
preStart = ''
mkdir -p ${cfg.datastorePath}
'';
serviceConfig = { serviceConfig = {
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
@ -153,7 +150,7 @@ in
Restart = "on-failure"; Restart = "on-failure";
}; };
}; };
tmpfiles.rules = mkIf defaultStateDir [ tmpfiles.rules = mkIf (!defaultStateDir) [
"d ${cfg.datastorePath} 0750 ${cfg.user} ${cfg.group} - -" "d ${cfg.datastorePath} 0750 ${cfg.user} ${cfg.group} - -"
]; ];
}; };
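Review bot: With the `preStart` `mkdir -p ${cfg.datastorePath}` removed and the tmpfiles rule now guarded by `mkIf (!defaultStateDir)`, nothing visible in these two hunks creates the datastore directory in the default case. Confirm that the part of `serviceConfig` not shown here covers it (for example through `StateDirectory`) with the same `0750` mode and `cfg.user`/`cfg.group` ownership, and state in the commit message that the old condition `mkIf defaultStateDir` was inverted, since that is a behaviour fix rather than a cleanup.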

View file

@ -163,7 +163,7 @@ in {
services.mysql = mkIf cfg.enable { services.mysql = mkIf cfg.enable {
enable = true; enable = true;
package = pkgs.mysql; package = pkgs.mariadb;
ensureDatabases = [cfg.database.database]; ensureDatabases = [cfg.database.database];
ensureUsers = [ ensureUsers = [
{ {
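Review bot: `package = pkgs.mariadb;` is set at normal priority, so a host that already defines `services.mysql.package` with a different server gets a conflicting-definition error and has to use `mkForce` to keep its choice. The agorakit and kimai modules added in this commit use `mkDefault` for the same option; `package = mkDefault pkgs.mariadb;` would match them.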

View file

@ -227,7 +227,7 @@ in
ensureClauses.login = true; ensureClauses.login = true;
} }
]; ];
extraPlugins = ps: with ps; [ pgvecto-rs ]; extensions = ps: with ps; [ pgvecto-rs ];
settings = { settings = {
shared_preload_libraries = [ "vectors.so" ]; shared_preload_libraries = [ "vectors.so" ];
search_path = "\"$user\", public, vectors"; search_path = "\"$user\", public, vectors";

View file

@ -0,0 +1,403 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.services.kimai;
eachSite = cfg.sites;
user = "kimai";
webserver = config.services.${cfg.webserver};
stateDir = hostName: "/var/lib/kimai/${hostName}";
pkg =
hostName: cfg:
pkgs.stdenv.mkDerivation rec {
pname = "kimai-${hostName}";
src = cfg.package;
version = src.version;
installPhase = ''
mkdir -p $out
cp -r * $out/
# Symlink .env file. This will be dynamically created at the service
# startup.
ln -sf ${stateDir hostName}/.env $out/share/php/kimai/.env
# Symlink the var/ folder
# TODO: we may have to symlink individual folders if we want to also
# manage plugins from Nix.
rm -rf $out/share/php/kimai/var
ln -s ${stateDir hostName} $out/share/php/kimai/var
# Symlink local.yaml.
ln -s ${kimaiConfig hostName cfg} $out/share/php/kimai/config/packages/local.yaml
'';
};
kimaiConfig =
hostName: cfg:
pkgs.writeTextFile {
name = "kimai-config-${hostName}.yaml";
text = generators.toYAML { } cfg.settings;
};
siteOpts =
{
lib,
name,
config,
...
}:
{
options = {
package = mkPackageOption pkgs "kimai" { };
database = {
host = mkOption {
type = types.str;
default = "localhost";
description = "Database host address.";
};
port = mkOption {
type = types.port;
default = 3306;
description = "Database host port.";
};
name = mkOption {
type = types.str;
default = "kimai";
description = "Database name.";
};
user = mkOption {
type = types.str;
default = "kimai";
description = "Database user.";
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/kimai-dbpassword";
description = ''
A file containing the password corresponding to
{option}`database.user`.
'';
};
socket = mkOption {
type = types.nullOr types.path;
default = null;
defaultText = literalExpression "/run/mysqld/mysqld.sock";
description = "Path to the unix socket file to use for authentication.";
};
charset = mkOption {
type = types.str;
default = "utf8mb4";
description = "Database charset.";
};
serverVersion = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
MySQL *exact* version string. Not used if `createdLocally` is set,
but must be set otherwise. See
https://www.kimai.org/documentation/installation.html#column-table_name-in-where-clause-is-ambiguous
for how to set this value, especially if you're using MariaDB.
'';
};
createLocally = mkOption {
type = types.bool;
default = true;
description = "Create the database and database user locally.";
};
};
poolConfig = mkOption {
type =
with types;
attrsOf (oneOf [
str
int
bool
]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the Kimai PHP pool. See the documentation on `php-fpm.conf`
for details on configuration directives.
'';
};
settings = mkOption {
type = types.attrsOf types.anything;
default = { };
description = ''
Structural Kimai's local.yaml configuration.
Refer to <https://www.kimai.org/documentation/local-yaml.html#localyaml>
for details.
'';
example = literalExpression ''
{
kimai = {
timesheet = {
rounding = {
default = {
begin = 15;
end = 15;
};
};
};
};
}
'';
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/secrets/kimai.env";
description = ''
Securely pass environment variabels to Kimai. This can be used to
set other environement variables such as MAILER_URL.
'';
};
};
};
in
{
# interface
options = {
services.kimai = {
sites = mkOption {
type = types.attrsOf (types.submodule siteOpts);
default = { };
description = "Specification of one or more Kimai sites to serve";
};
webserver = mkOption {
type = types.enum [ "nginx" ];
default = "nginx";
description = ''
The webserver to configure for the PHP frontend.
At the moment, only `nginx` is supported. PRs are welcome for support
for other web servers.
'';
};
};
};
# implementation
config = mkIf (eachSite != { }) (mkMerge [
{
assertions =
(mapAttrsToList (hostName: cfg: {
assertion = cfg.database.createLocally -> cfg.database.user == user;
message = ''services.kimai.sites."${hostName}".database.user must be ${user} if the database is to be automatically provisioned'';
}) eachSite)
++ (mapAttrsToList (hostName: cfg: {
assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
message = ''services.kimai.sites."${hostName}".database.passwordFile cannot be specified if services.kimai.sites."${hostName}".database.createLocally is set to true.'';
}) eachSite)
++ (mapAttrsToList (hostName: cfg: {
assertion = !cfg.database.createLocally -> cfg.database.serverVersion != null;
message = ''services.kimai.sites."${hostName}".database.serverVersion must be specified if services.kimai.sites."${hostName}".database.createLocally is set to false.'';
}) eachSite);
services.mysql = mkIf (any (v: v.database.createLocally) (attrValues eachSite)) {
enable = true;
package = mkDefault pkgs.mariadb;
ensureDatabases = mapAttrsToList (hostName: cfg: cfg.database.name) eachSite;
ensureUsers = mapAttrsToList (hostName: cfg: {
name = cfg.database.user;
ensurePermissions = {
"${cfg.database.name}.*" = "ALL PRIVILEGES";
};
}) eachSite;
};
services.phpfpm.pools = mapAttrs' (
hostName: cfg:
(nameValuePair "kimai-${hostName}" {
inherit user;
group = webserver.group;
settings = {
"listen.owner" = webserver.user;
"listen.group" = webserver.group;
} // cfg.poolConfig;
})
) eachSite;
}
{
systemd.tmpfiles.rules = flatten (
mapAttrsToList (hostName: cfg: [
"d '${stateDir hostName}' 0770 ${user} ${webserver.group} - -"
]) eachSite
);
systemd.services = mkMerge [
(mapAttrs' (
hostName: cfg:
(nameValuePair "kimai-init-${hostName}" {
wantedBy = [ "multi-user.target" ];
before = [ "phpfpm-kimai-${hostName}.service" ];
after = optional cfg.database.createLocally "mysql.service";
script =
let
envFile = "${stateDir hostName}/.env";
appSecretFile = "${stateDir hostName}/.app_secret";
mysql = "${config.services.mysql.package}/bin/mysql";
dbUser = cfg.database.user;
dbPwd = if cfg.database.passwordFile != null then ":$(cat ${cfg.database.passwordFile})" else "";
dbHost = cfg.database.host;
dbPort = toString cfg.database.port;
dbName = cfg.database.name;
dbCharset = cfg.database.charset;
dbUnixSocket = if cfg.database.socket != null then "&unixSocket=${cfg.database.socket}" else "";
# Note: serverVersion is a shell variable. See below.
dbUri =
"mysql://${dbUser}${dbPwd}@${dbHost}:${dbPort}"
+ "/${dbName}?charset=${dbCharset}"
+ "&serverVersion=$serverVersion${dbUnixSocket}";
in
''
set -eu
serverVersion=${
if !cfg.database.createLocally then
cfg.database.serverVersion
else
# Obtain MySQL version string dynamically from the running
# instance. Doctrine ORM's doc said it should be possible to
# autodetect this, however Kimai's doc insists that it has to
# be set.
# https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#mysql
# https://stackoverflow.com/q/9558867
"$(${mysql} --silent --skip-column-names --execute 'SELECT VERSION();')"
}
# Create .env file containing DATABASE_URL and other default
# variables. Set umask to make sure .env is not readable by
# unrelated users.
oldUmask=$(umask)
umask 177
if ! [ -e ${appSecretFile} ]; then
tr -dc A-Za-z0-9 </dev/urandom | head -c 20 >${appSecretFile}
fi
cat >${envFile} <<EOF
DATABASE_URL=${dbUri}
MAILER_FROM=kimai@example.com
MAILER_URL=null://null
APP_ENV=prod
APP_SECRET=$(cat ${appSecretFile})
CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?\$
EOF
umask $oldUmask
# Run kimai:install to ensure database is created or updated.
# Note that kimai:update is an alias to kimai:install.
${pkg hostName cfg}/bin/console kimai:install
'';
serviceConfig = {
Type = "oneshot";
User = user;
Group = webserver.group;
EnvironmentFile = [ cfg.environmentFile ];
};
})
) eachSite)
(mapAttrs' (
hostName: cfg:
(nameValuePair "phpfpm-kimai-${hostName}.service" {
serviceConfig = {
EnvironmentFile = [ cfg.environmentFile ];
};
})
) eachSite)
(optionalAttrs (any (v: v.database.createLocally) (attrValues eachSite)) {
"${cfg.webserver}".after = [ "mysql.service" ];
})
];
users.users.${user} = {
group = webserver.group;
isSystemUser = true;
};
}
(mkIf (cfg.webserver == "nginx") {
services.nginx = {
enable = true;
virtualHosts = mapAttrs (hostName: cfg: {
serverName = mkDefault hostName;
root = "${pkg hostName cfg}/share/php/kimai/public";
extraConfig = ''
index index.php;
'';
locations = {
"/" = {
priority = 200;
extraConfig = ''
try_files $uri /index.php$is_args$args;
'';
};
"~ ^/index\\.php(/|$)" = {
priority = 500;
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools."kimai-${hostName}".socket};
fastcgi_index index.php;
include "${config.services.nginx.package}/conf/fastcgi.conf";
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
'';
};
"~ \\.php$" = {
priority = 800;
extraConfig = ''
return 404;
'';
};
};
}) eachSite;
};
})
]);
}
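Review bot: In the `kimai-init-${hostName}` script, `dbPwd` splices the raw output of `$(cat ${cfg.database.passwordFile})` into `DATABASE_URL`, so a password containing `@`, `/`, `#`, `?` or `%` changes how the URL is parsed; percent-encode the value before writing `.env`, or document on `database.passwordFile` that the file must hold an already URL-encoded password. Also, the second `mapAttrs'` under `systemd.services` names its entry `"phpfpm-kimai-${hostName}.service"`, while the init unit above it is named `"kimai-init-${hostName}"` without the suffix; attribute names under `systemd.services` normally omit `.service`, so the `EnvironmentFile = [ cfg.environmentFile ];` setting probably never reaches the PHP-FPM unit.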

View file

@ -383,7 +383,7 @@ in
ensureDBOwnership = false; ensureDBOwnership = false;
} }
]; ];
extraPlugins = ps: with ps; [ postgis ]; extensions = ps: with ps; [ postgis ];
}; };
# Nginx config taken from support/nginx/mobilizon-release.conf # Nginx config taken from support/nginx/mobilizon-release.conf

View file

@ -586,37 +586,6 @@ in
ensureDatabases = [ "outline" ]; ensureDatabases = [ "outline" ];
}; };
# Outline is unable to create the uuid-ossp extension when using postgresql 12, in later version this
# extension can be created without superuser permission. This services therefor this extension before
# outline starts and postgresql 12 is using on the host.
#
# Can be removed after postgresql 12 is dropped from nixos.
systemd.services.outline-postgresql =
let
pgsql = config.services.postgresql;
in
lib.mkIf (cfg.databaseUrl == "local" && pgsql.package == pkgs.postgresql_12) {
after = [ "postgresql.service" ];
bindsTo = [ "postgresql.service" ];
wantedBy = [ "outline.service" ];
partOf = [ "outline.service" ];
path = [
pgsql.package
];
script = ''
set -o errexit -o pipefail -o nounset -o errtrace
shopt -s inherit_errexit
psql outline -tAc 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp"'
'';
serviceConfig = {
User = pgsql.superUser;
Type = "oneshot";
RemainAfterExit = true;
};
};
services.redis.servers.outline = lib.mkIf (cfg.redisUrl == "local") { services.redis.servers.outline = lib.mkIf (cfg.redisUrl == "local") {
enable = true; enable = true;
user = config.services.outline.user; user = config.services.outline.user;
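Review bot: The removed comment says the `outline-postgresql` unit can go once PostgreSQL 12 is dropped from NixOS, but the hunk carries no reference to that removal. If `pkgs.postgresql_12` can still be selected at this revision, hosts with `cfg.databaseUrl == "local"` on that version lose the superuser `CREATE EXTENSION IF NOT EXISTS "uuid-ossp"` step that, per the removed comment, Outline cannot perform itself. A release note or a pointer to the commit that drops `postgresql_12` would settle it.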

View file

@ -145,7 +145,7 @@ in
PRISMA_QUERY_ENGINE_LIBRARY = "${pkgs.prisma-engines}/lib/libquery_engine.node"; PRISMA_QUERY_ENGINE_LIBRARY = "${pkgs.prisma-engines}/lib/libquery_engine.node";
PRISMA_INTROSPECTION_ENGINE_BINARY = "${pkgs.prisma-engines}/bin/introspection-engine"; PRISMA_INTROSPECTION_ENGINE_BINARY = "${pkgs.prisma-engines}/bin/introspection-engine";
PRISMA_FMT_BINARY = "${pkgs.prisma-engines}/bin/prisma-fmt"; PRISMA_FMT_BINARY = "${pkgs.prisma-engines}/bin/prisma-fmt";
PORT = toString cfg.backend.port; BACKEND_PORT = toString cfg.backend.port;
DATABASE_URL = "file:${cfg.dataDir}/pingvin-share.db?connection_limit=1"; DATABASE_URL = "file:${cfg.dataDir}/pingvin-share.db?connection_limit=1";
DATA_DIRECTORY = cfg.dataDir; DATA_DIRECTORY = cfg.dataDir;
}; };
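Review bot: Renaming `PORT` to `BACKEND_PORT` only takes effect if the packaged backend reads the new variable; otherwise `cfg.backend.port` is silently ignored and the service listens on whatever port it defaults to. The hunk does not show a matching package version bump, so reference it in the commit message, or keep `PORT` set alongside `BACKEND_PORT` for one release.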

View file

@ -74,7 +74,7 @@ this could be most useful for testing a particular plug-in in isolation.
: This is a known [issue](https://github.com/NixOS/nixpkgs/issues/64611) and there is no known workaround. : This is a known [issue](https://github.com/NixOS/nixpkgs/issues/64611) and there is no known workaround.
[Does AppCenter work, or is it available?]{#sec-pantheon-faq-appcenter} [Does AppCenter work, or is it available?]{#sec-pantheon-faq-appcenter}
: AppCenter has been available since 20.03. Starting from 21.11, the Flatpak backend should work so you can install some Flatpak applications using it. However, due to missing appstream metadata, the Packagekit backend does not function currently. See this [issue](https://github.com/NixOS/nixpkgs/issues/15932). : AppCenter is available and the Flatpak backend should work so you can install some Flatpak applications using it. However, due to missing appstream metadata, the Packagekit backend does not function currently. See this [issue](https://github.com/NixOS/nixpkgs/issues/15932).
If you are using Pantheon, AppCenter should be installed by default if you have [Flatpak support](#module-services-flatpak) enabled. If you also wish to add the `appcenter` Flatpak remote: If you are using Pantheon, AppCenter should be installed by default if you have [Flatpak support](#module-services-flatpak) enabled. If you also wish to add the `appcenter` Flatpak remote:

Some files were not shown because too many files have changed in this diff.