lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions

Compare commits

base: lukegb:ad8bc97d0cc588b0d587c09deadd4d16ddf3d665
Branches Tags
lukegb:canon
...
compare: lukegb:8919df8542a7b4aa67a5edefa301f2ce1aaa8647
Branches Tags
lukegb:canon

4 commits
ad8bc97d0c ... 8919df8542

Author SHA1 Message Date
Luke Granger-Brown
8919df8542 More git conversion stuff 2024-11-11 00:35:15 +00:00
Luke Granger-Brown
8a1c371b63 Merge commit '57725ef3ec0b51fea97137fca7cb8f14c98b4525' as 'third_party/nixpkgs' 2024-11-10 23:59:47 +00:00
Luke Granger-Brown
57725ef3ec Squashed 'third_party/nixpkgs/' content from commit 76612b17c0ce 
git-subtree-dir: third_party/nixpkgs
git-subtree-split: 76612b17c0ce71689921ca12d9ffdc9c23ce40b2
 2024-11-10 23:59:47 +00:00
Luke Granger-Brown
12e0f0fc75 remove 3p/nixpkgs 2024-11-10 23:58:38 +00:00
4220 changed files with 129549 additions and 99386 deletions
Show stats Expand all files Collapse all files

39
.gitignore vendored Normal file
View file

@ -0,0 +1,39 @@
# SPDX-FileCopyrightText: 2024 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
/ops/secrets/
# For now, ignore the freeswitch config until I have it in a good state.
/ops/nixos/lib/freeswitch/
/ops/vault/cfg/tf/
/ops/vault/cfg/secrets.nix
/rust/passgen/input/
/rust/passgen/target/
/web/quotes/theme/static/
/nix/pkgs/factorio-mods/cache/
/nix/pkgs/factorio-mods/.pytest_cache/
/py/tumblrcap/dl/
/py/tumblrcap/mylikes.*
/go/trains/*/start.sh
/go/trains/*/lukegb-trains.json
/py/icalfilter/config/*
/rust/*/target/*
result-*
*.sw?
*.pyc
*.orig
*~
db.sqlite3
node_modules/
.next/
out/
firebase-debug.log
.ruff_cache/

2
nix/pkgs/default.nix
View file

@ -88,8 +88,6 @@
srsran5g = pkgs.callPackage ./srsran5g { };
open5gs = pkgs.callPackage ./open5gs { };
zigbee2mqtt = pkgs.callPackage ./zigbee2mqtt.nix { };
seaweedfs = pkgs.callPackage ./seaweedfs { };
bsky-pds = pkgs.callPackage ./bsky-pds { };
} // (import ./heptapod-runner args)

22
nix/pkgs/zigbee2mqtt.nix
View file

@ -1,22 +0,0 @@
{ zigbee2mqtt, fetchNpmDeps, fetchFromGitHub, lib, ... }:
assert zigbee2mqtt.version == "1.40.2";
zigbee2mqtt.overrideAttrs (old: rec {
version = "0-unstable-2024-10-13";
src = fetchFromGitHub {
owner = "lukegb";
repo = "zigbee2mqtt";
rev = "d2c92da66574aff205f758cd2c12dfdd9a614290";
hash = "sha256-5TY0nOWIX196zs5hw2Wk1un+QrTASPwpXMF7nD0EjS0=";
};
npmDepsHash = "sha256-2MTr5dF2PGUuHvJMCVzjGI8mcdkhxshf5v6GAwYUJf0=";
makeCacheWritable = true;
npmDeps = fetchNpmDeps {
inherit src;
name = "zigbee2mqtt-npm-deps";
hash = npmDepsHash;
};
})

1
ops/nixos/default.nix
View file

@ -69,6 +69,7 @@ let
unifi-poller = false;
snmp = false;
minio = false;
tor = false;
};
stockExporters = lib.mapAttrsToList (exporterName: exporter: mkExporter exporterName exporter.port) (lib.filterAttrs (exporterName: exporter: (allowStockExporters.${exporterName} or true) && builtins.isAttrs exporter && exporter.enable) sys.config.services.prometheus.exporters);
customExporters = lib.mapAttrsToList mkExporter sys.config.my.prometheus.additionalExporterPorts;

2
ops/nixos/totoro/home-assistant.nix
View file

@ -5,7 +5,7 @@ let
in {
services.zigbee2mqtt = {
enable = true;
package = depot.nix.pkgs.zigbee2mqtt;
package = pkgs.zigbee2mqtt;
settings = {
homeassistant = true;
serial.port = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_eca6e9ba6596ed11ac206b4ce259fb3e-if00-port0";

4
third_party/nixpkgs/.github/CODEOWNERS vendored
View file

@ -1,4 +0,0 @@
# Use ci/OWNERS instead
#
# This file would be for the native code owner feature of GitHub,
# but is not being used because of its problems, see ci/OWNERS

124
third_party/nixpkgs/.github/labeler.yml vendored
View file

@ -1,3 +1,4 @@
# NOTE: bsd, darwin and cross-compilation labels are handled by ofborg
"6.topic: agda":
- any:
- changed-files:
@ -21,6 +22,47 @@
- pkgs/by-name/ne/nemo/**/*
- pkgs/by-name/ne/nemo-*/**/*
"6.topic: continuous integration":
- any:
- changed-files:
- any-glob-to-any-file:
- .github/**/*
- ci/**/*
"6.topic: coq":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/applications/science/logic/coq/**/*
- pkgs/development/coq-modules/**/*
- pkgs/top-level/coq-packages.nix
"6.topic: crystal":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/compilers/crystal/**/*
"6.topic: cuda":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/cuda-modules/**/*
- pkgs/top-level/cuda-packages.nix
"6.topic: deepin":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/desktops/deepin/**/*
- pkgs/desktops/deepin/**/*
"6.topic: docker tools":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/applications/virtualization/docker/**/*
"6.topic: dotnet":
- any:
- changed-files:
@ -86,6 +128,12 @@
- pkgs/build-support/flutter/*.nix
- pkgs/development/compilers/flutter/**/*.nix
"6.topic: games":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/games/**/*
"6.topic: GNOME":
- any:
- changed-files:
@ -105,6 +153,12 @@
- pkgs/build-support/go/**/*
- pkgs/development/compilers/go/**/*
"6.topic: hardware":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/hardware/**/*
"6.topic: haskell":
- any:
- changed-files:
@ -118,6 +172,28 @@
- pkgs/top-level/haskell-packages.nix
- pkgs/top-level/release-haskell.nix
"6.topic: java":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/programs/java.nix
- pkgs/development/compilers/graalvm/**/*
- pkgs/development/compilers/openjdk/**/*
- pkgs/development/compilers/temurin-bin/**/*
- pkgs/development/compilers/zulu/**/*
- pkgs/development/java-modules/**/*
- pkgs/top-level/java-packages.nix
"6.topic: jitsi":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/services/networking/jitsi-videobridge.nix
- nixos/modules/services/web-apps/jitsi-meet.nix
- pkgs/servers/web-apps/jitsi-meet/**/*
- pkgs/servers/jitsi-videobridge/**/*
- pkgs/applications/networking/instant-messengers/jitsi/**/*
"6.topic: julia":
- any:
- changed-files:
@ -205,13 +281,27 @@
- lib/tests/modules.sh
- lib/tests/modules/**
"6.topic: musl":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/os-specific/linux/musl/**/*
"6.topic: nixos":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/**/*
- pkgs/by-name/sw/switch-to-configuration-ng/**/*
- pkgs/os-specific/linux/nixos-rebuild/**/*
"6.topic: nixos-container":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/virtualisation/nixos-containers.nix
- pkgs/tools/virtualization/nixos-container/**/*
"6.topic: nim":
- any:
- changed-files:
@ -233,6 +323,15 @@
- pkgs/development/tools/pnpm/**/*
- pkgs/development/web/nodejs/*
"6.topic: nvidia":
- any:
- changed-files:
- any-glob-to-any-file:
- nixos/modules/hardware/video/nvidia.nix
- nixos/modules/services/hardware/nvidia-container-toolkit/**/*
- nixos/modules/services/hardware/nvidia-optimus.nix
- pkgs/os-specific/linux/nvidia-x11/**/*
"6.topic: ocaml":
- any:
- changed-files:
@ -305,6 +404,19 @@
- pkgs/development/libraries/kde-frameworks/**/*
- pkgs/development/libraries/qt-5/**/*
"6.topic: R":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/applications/science/math/R/**/*
- pkgs/development/r-modules/**/*
"6.topic: rocm":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/development/rocm-modules/**/*
"6.topic: ruby":
- any:
- changed-files:
@ -373,6 +485,12 @@
- nixos/tests/make-test-python.nix # legacy
# lib/debug.nix has a test framework (runTests) but it's not the main focus
"6.topic: updaters":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/common-updater/**/*
"6.topic: vim":
- any:
- changed-files:
@ -389,6 +507,12 @@
- any-glob-to-any-file:
- pkgs/applications/editors/vscode/**/*
"6.topic: windows":
- any:
- changed-files:
- any-glob-to-any-file:
- pkgs/os-specific/windows/**/*
"6.topic: xen-project":
- any:
- changed-files:

2
third_party/nixpkgs/.mailmap vendored
View file

@ -6,6 +6,8 @@ Christina Sørensen <christina@cafkafk.com> <christinaafk@gmail.com>
Christina Sørensen <christina@cafkafk.com> <89321978+cafkafk@users.noreply.github.com>
Daniel Løvbrøtte Olsen <me@dandellion.xyz> <daniel.olsen99@gmail.com>
Fabian Affolter <mail@fabian-affolter.ch> <fabian@affolter-engineering.ch>
Fiona Behrens <me@kloenk.dev>
Fiona Behrens <me@kloenk.dev> <me@kloenk.de>
goatastronaut0212 <goatastronaut0212@outlook.com> <goatastronaut0212@proton.me>
Janne Heß <janne@hess.ooo> <dasJ@users.noreply.github.com>
Jörg Thalheim <joerg@thalheim.io> <Mic92@users.noreply.github.com>

1
third_party/nixpkgs/.version vendored
View file

@ -1 +0,0 @@
24.11

1
third_party/nixpkgs/.version vendored Symbolic link
View file

@ -0,0 +1 @@
lib/.version

1
third_party/nixpkgs/CONTRIBUTING.md vendored
View file

@ -313,6 +313,7 @@ Container system, boot system and library changes are some examples of the pull
To streamline automated updates, leverage the nixpkgs-merge-bot by simply commenting `@NixOS/nixpkgs-merge-bot merge`. The bot will verify if the following conditions are met, refusing to merge otherwise:
- the PR author should be @r-ryantm;
- the commenter that issued the command should be among the package maintainers;
- the package should reside in `pkgs/by-name`.

34
third_party/nixpkgs/ci/OWNERS vendored
View file

@ -18,8 +18,8 @@
/.github/workflows/check-nix-format.yml @infinisil
/.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
/.github/workflows/codeowners-v2.yml @infinisil
/ci/OWNERS @infinisil
/ci @infinisil @philiptaron @NixOS/Security
/ci/OWNERS @infinisil @philiptaron
# Development support
/.editorconfig @Mic92 @zowoq
@ -58,7 +58,7 @@
/pkgs/build-support/bintools-wrapper @Ericson2314
/pkgs/build-support/setup-hooks @Ericson2314
/pkgs/build-support/setup-hooks/auto-patchelf.sh @layus
/pkgs/build-support/setup-hooks/auto-patchelf.py @layus
/pkgs/by-name/au/auto-patchelf @layus
/pkgs/pkgs-lib @infinisil
## Format generators/serializers
/pkgs/pkgs-lib/formats/libconfig @h7x4
@ -226,17 +226,17 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/maintainers/scripts/kde @K900 @NickCao @SuperSandro2000 @ttuegel
# PostgreSQL and related stuff
/pkgs/servers/sql/postgresql @thoughtpolice
/nixos/modules/services/databases/postgresql.md @thoughtpolice
/nixos/modules/services/databases/postgresql.nix @thoughtpolice
/nixos/tests/postgresql.nix @thoughtpolice
/pkgs/servers/sql/postgresql @NixOS/postgres
/nixos/modules/services/databases/postgresql.md @NixOS/postgres
/nixos/modules/services/databases/postgresql.nix @NixOS/postgres
/nixos/tests/postgresql.nix @NixOS/postgres
# Hardened profile & related modules
/nixos/modules/profiles/hardened.nix @joachifm
/nixos/modules/security/lock-kernel-modules.nix @joachifm
/nixos/modules/security/misc.nix @joachifm
/nixos/tests/hardened.nix @joachifm
/pkgs/os-specific/linux/kernel/hardened/config.nix @joachifm
/nixos/modules/profiles/hardened.nix @joachifm
/nixos/modules/security/lock-kernel-modules.nix @joachifm
/nixos/modules/security/misc.nix @joachifm
/nixos/tests/hardened.nix @joachifm
/pkgs/os-specific/linux/kernel/hardened/ @fabianhjr @joachifm
# Home Automation
/nixos/modules/services/home-automation/home-assistant.nix @mweinelt
@ -296,10 +296,10 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/pkgs/applications/editors/kakoune @philiptaron
# Neovim
/pkgs/applications/editors/neovim @figsoda @teto
/pkgs/applications/editors/neovim @NixOS/neovim
# VimPlugins
/pkgs/applications/editors/vim/plugins @figsoda
/pkgs/applications/editors/vim/plugins @NixOS/neovim
# VsCode Extensions
/pkgs/applications/editors/vscode/extensions
@ -338,6 +338,9 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/pkgs/by-name/ne/nemo @mkg20001
/pkgs/by-name/ne/nemo-* @mkg20001
# Xfce
/doc/hooks/xfce4-dev-tools.section.md @NixOS/xfce
# nim
/doc/languages-frameworks/nim.section.md @ehmry
/pkgs/build-support/build-nim-package.nix @ehmry
@ -415,3 +418,8 @@ pkgs/by-name/lx/lxc* @adamcstephens
/pkgs/by-name/in/installShellFiles/* @Ericson2314
/pkgs/test/install-shell-files/* @Ericson2314
/doc/hooks/installShellFiles.section.md @Ericson2314
# Darwin
/pkgs/by-name/ap/apple-sdk @NixOS/darwin-core
/pkgs/os-specific/darwin/apple-source-releases @NixOS/darwin-core
/pkgs/stdenv/darwin @NixOS/darwin-core

24
third_party/nixpkgs/copy.bara.sky vendored
View file

@ -1,24 +0,0 @@
core.workflow(
name = "default",
origin = git.github_origin(
url = "https://github.com/NixOS/nixpkgs.git",
ref = "nixos-unstable",
),
destination = hg.destination(
url = "file:///home/lukegb/depot",
fetch = "default",
push = "default",
),
origin_files = glob(["**"], exclude = [
"pkgs/test/nixpkgs-check-by-name/tests/**",
]),
destination_files = glob(["third_party/nixpkgs/**"], exclude = [
"third_party/nixpkgs/copy.bara.sky",
"third_party/nixpkgs/patches/**",
]),
authoring = authoring.pass_thru("Default email <noreply+nixpkgs@lukegb.com>"),
transformations = [
patch.apply(series = "patches/series"),
core.move("", "third_party/nixpkgs"),
],
)

4
third_party/nixpkgs/doc/build-helpers/images/appimagetools.section.md vendored
View file

@ -117,7 +117,7 @@ in appimageTools.wrapType2 {
install -m 444 -D ${appimageContents}/usr/share/icons/hicolor/512x512/apps/irccloud.png \
$out/share/icons/hicolor/512x512/apps/irccloud.png
substituteInPlace $out/share/applications/irccloud.desktop \
--replace 'Exec=AppRun' 'Exec=${pname}'
--replace-fail 'Exec=AppRun' 'Exec=${pname}'
'';
}
```
@ -147,7 +147,7 @@ let
appimageContents = appimageTools.extract {
inherit pname version src;
postExtract = ''
substituteInPlace $out/irccloud.desktop --replace 'Exec=AppRun' 'Exec=${pname}'
substituteInPlace $out/irccloud.desktop --replace-fail 'Exec=AppRun' 'Exec=${pname}'
'';
};
in appimageTools.wrapType2 {

1
third_party/nixpkgs/doc/hooks/index.md vendored
View file

@ -39,4 +39,5 @@ versionCheckHook.section.md
waf.section.md
zig.section.md
xcbuild.section.md
xfce4-dev-tools.section.md
```

2
third_party/nixpkgs/doc/hooks/just.section.md vendored
View file

@ -6,7 +6,7 @@ This setup hook attempts to use [the `just` command runner](https://just.systems
## `buildPhase` {#just-hook-buildPhase}
This phase attempts to invoke `just` with [the default recipe](https://just.systems/man/en/chapter_23.html).
This phase attempts to invoke `just` with [the default recipe](https://just.systems/man/en/the-default-recipe.html).
[]{#just-hook-dontUseJustBuild} This behavior can be disabled by setting `dontUseJustBuild` to `true`.

4
third_party/nixpkgs/doc/hooks/tauri.section.md vendored
View file

@ -21,7 +21,7 @@ In Nixpkgs, `cargo-tauri.hook` overrides the default build and install phases.
npmHooks,
openssl,
pkg-config,
webkitgtk,
webkitgtk_4_0,
wrapGAppsHook3,
}:
@ -55,7 +55,7 @@ rustPlatform.buildRustPackage rec {
++ lib.optionals stdenv.isLinux [
glib-networking # Most Tauri apps need networking
libsoup
webkitgtk
webkitgtk_4_0
]
++ lib.optionals stdenv.isDarwin (
with darwin.apple_sdk.frameworks;

5
third_party/nixpkgs/doc/hooks/xfce4-dev-tools.section.md vendored Normal file
View file

@ -0,0 +1,5 @@
# `xfce.xfce4-dev-tools` {#xfce4-dev-tools}
This setup hook attempts to run `xdt-autogen` in `xdtAutogenPhase`, which is part of `preConfigurePhases`.
[]{#dontUseXdtAutogenPhase} This behavior can be disabled by setting `dontUseXdtAutogenPhase` to `true`.

2
third_party/nixpkgs/doc/languages-frameworks/cuda.section.md vendored
View file

@ -150,7 +150,7 @@ All new projects should use the CUDA redistributables available in [`cudaPackage
In the scenario you are unable to run the resulting binary: this is arguably the most complicated as it could be any combination of the previous reasons. This type of failure typically occurs when a library attempts to load or open a library it depends on that it does not declare in its `DT_NEEDED` section. As a first step, ensure that dependencies are patched with [`autoAddDriverRunpath`](https://search.nixos.org/packages?channel=unstable&type=packages&query=autoAddDriverRunpath). Failing that, try running the application with [`nixGL`](https://github.com/guibou/nixGL) or a similar wrapper tool. If that works, it likely means that the application is attempting to load a library that is not in the `RPATH` or `RUNPATH` of the binary.
## Running Docker or Podman containers with CUDA support {#running-docker-or-podman-containers-with-cuda-support}
## Running Docker or Podman containers with CUDA support {#cuda-docker-podman}
It is possible to run Docker or Podman containers with CUDA support. The recommended mechanism to perform this task is to use the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/index.html).

2
third_party/nixpkgs/doc/languages-frameworks/gnome.section.md vendored
View file

@ -64,7 +64,7 @@ To avoid costly file system access when locating icons, GTK, [as well as Qt](htt
### Packaging icon themes {#ssec-icon-theme-packaging}
Icon themes may inherit from other icon themes. The inheritance is specified using the `Inherits` key in the `index.theme` file distributed with the icon theme. According to the [icon theme specification](https://specifications.freedesktop.org/icon-theme-spec/icon-theme-spec-latest.html), icons not provided by the theme are looked for in its parent icon themes. Therefore the parent themes should be installed as dependencies for a more complete experience regarding the icon sets used.
Icon themes may inherit from other icon themes. The inheritance is specified using the `Inherits` key in the `index.theme` file distributed with the icon theme. According to the [icon theme specification](https://specifications.freedesktop.org/icon-theme-spec/latest), icons not provided by the theme are looked for in its parent icon themes. Therefore the parent themes should be installed as dependencies for a more complete experience regarding the icon sets used.
The package `hicolor-icon-theme` provides a setup hook which makes symbolic links for the parent themes into the directory `share/icons` of the current theme directory in the nix store, making sure they can be found at runtime. For that to work the packages providing parent icon themes should be listed as propagated build dependencies, together with `hicolor-icon-theme`.

6
third_party/nixpkgs/doc/languages-frameworks/haskell.section.md vendored
View file

@ -191,6 +191,10 @@ and `version` from Hackage.
`sha256`
: Hash to use for the default case of `src`.
`sourceRoot`, `setSourceRoot`
: Passed to `stdenv.mkDerivation`; see [“Variables controlling the unpack
phase”](#variables-controlling-the-unpack-phase).
`revision`
: Revision number of the updated cabal file to fetch from Hackage.
If `null` (which is the default value), the one included in `src` is used.
@ -760,7 +764,7 @@ that depend on that library, you may want to use:
```nix
haskellPackages.haskell-ci.overrideScope (self: super: {
Cabal = self.Cabal_3_6_2_0;
Cabal = self.Cabal_3_14_0_0;
})
```

3
third_party/nixpkgs/doc/languages-frameworks/java.section.md vendored
View file

@ -33,8 +33,7 @@ stdenv.mkDerivation {
```
Note that `jdk` is an alias for the OpenJDK (self-built where available,
or pre-built via Zulu). Platforms with OpenJDK not (yet) in Nixpkgs
(`Aarch32`, `Aarch64`) point to the (unfree) `oraclejdk`.
or pre-built via Zulu).
Also note that not using `stripJavaArchivesHook` will likely cause the
generated `.jar` files to be non-deterministic, which is not optimal.

11
third_party/nixpkgs/doc/languages-frameworks/rust.section.md vendored
View file

@ -162,9 +162,10 @@ rustPlatform.buildRustPackage {
}
```
Note that setting `cargoLock.lockFile` or `cargoLock.lockFileContents`
doesn't add a `Cargo.lock` to your `src`, and a `Cargo.lock` is still
required to build a rust package. A simple fix is to use:
If the upstream source repository lacks a `Cargo.lock` file, you must add one
to `src`, as it is essential for building a Rust package. Setting
`cargoLock.lockFile` or `cargoLock.lockFileContents` will not automatically add
a `Cargo.lock` file to `src`. A straightforward solution is to use:
```nix
{
@ -678,7 +679,7 @@ Some projects, especially GNOME applications, are built with the Meson Build Sys
, blueprint-compiler
, libadwaita
, libsecret
, tracker
, tinysparql
}:
stdenv.mkDerivation rec {
@ -712,7 +713,7 @@ stdenv.mkDerivation rec {
buildInputs = [
libadwaita
libsecret
tracker
tinysparql
];
# ...

190
third_party/nixpkgs/doc/stdenv/platform-notes.chapter.md vendored
View file

@ -46,22 +46,198 @@ Some common issues when packaging software for Darwin:
}
```
- Some packages assume xcode is available and use `xcrun` to resolve build tools like `clang`, etc. This causes errors like `xcode-select: error: no developer tools were found at '/Applications/Xcode.app'` while the build doesnt actually depend on xcode.
- Some packages assume Xcode is available and use `xcrun` to resolve build tools like `clang`, etc. The Darwin stdenv includes `xcrun`, and it will return the path to any binary available in a build.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
nativeBuildInputs = [ bison ];
buildCommand = ''
xcrun bison foo.y # produces foo.tab.c
# ...
'';
}
```
The package `xcbuild` can be used to build projects that really depend on Xcode. However, this replacement is not 100% compatible with Xcode and can occasionally cause issues.
Note: Some packages may hardcode an absolute path to `xcrun`, `xcodebuild`, or `xcode-select`. Those paths should be removed or replaced.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
prePatch = ''
substituteInPlace Makefile \
--replace-fail '/usr/bin/xcrun clang' clang
--replace-fail /usr/bin/xcrun xcrun
# or: --replace-fail /usr/bin/xcrun '${lib.getExe' buildPackages.xcbuild "xcrun"}'
'';
}
```
The package `xcbuild` can be used to build projects that really depend on Xcode. However, this replacement is not 100% compatible with Xcode and can occasionally cause issues.
- Multiple SDKs are available for use in nixpkgs. Each platform has a default SDK (10.12.2 for x86_64-darwin and 11.3 for aarch64-darwin), which is available as the `apple-sdk` package.
- x86_64-darwin uses the 10.12 SDK by default, but some software is not compatible with that version of the SDK. In that case,
the 11.0 SDK used by aarch64-darwin is available for use on x86_64-darwin. To use it, reference `apple_sdk_11_0` instead of
`apple_sdk` in your derivation and use `pkgs.darwin.apple_sdk_11_0.callPackage` instead of `pkgs.callPackage`. On Linux, this will
have the same effect as `pkgs.callPackage`, so you can use `pkgs.darwin.apple_sdk_11_0.callPackage` regardless of platform.
The SDK provides the necessary headers and text-based stubs to link common frameworks and libraries (such as libSystem, which is effectively Darwins libc). Projects will sometimes indicate which SDK to use by the Xcode version. As a rule of thumb, subtract one from the Xcode version to get the available SDK in nixpkgs.
The `DEVELOPER_DIR` variable in the build environment has the path to the SDK in the build environment. The `SDKROOT` variable there contains a sysroot with the framework, header, and library paths. You can reference an SDKs sysroot from Nix using the `sdkroot` attribute on the SDK package. Note that it is preferable to use `SDKROOT` because the latter will be resolved to the highest SDK version of any available to your derivation.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
env.PACKAGE_SPECIFIC_SDK_VAR = apple-sdk_10_15.sdkroot;
# or
buildInputs = [ apple-sdk_10_15 ];
postPatch = ''
export PACKAGE_SPECIFIC_SDK_VAR=$SDKROOT
'';
}
```
The following is a list of Xcode versions, the SDK version in nixpkgs, and the attribute to use to add it. Generally, only the last SDK release for a major version is packaged (each _x_ in 10._x_ until 10.15 is considered a major version).
| Xcode version | SDK version | nixpkgs attribute |
|--------------------|---------------------------------------------------|-------------------|
| Varies by platform | 10.12.2 (x86_64-darwin)<br/>11.3 (aarch64-darwin) | `apple-sdk` |
| 8.08.3.3 | 10.12.2 | `apple-sdk_10_12` |
| 9.09.4.1 | 10.13.2 | `apple-sdk_10_13` |
| 10.010.3 | 10.14.6 | `apple-sdk_10_14` |
| 11.011.7 | 10.15.6 | `apple-sdk_10_15` |
| 12.012.5.1 | 11.3 | `apple-sdk_11` |
| 13.013.4.1 | 12.3 | `apple-sdk_12` |
| 14.014.3.1 | 13.3 | `apple-sdk_13` |
| 15.015.4 | 14.4 | `apple-sdk_14` |
| 16.0 | 15.0 | `apple-sdk_15` |
To use a non-default SDK, add it to your build inputs.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
buildInputs = [ apple-sdk_15 ]; # Uses the 15.0 SDK instead of the default SDK for the platform.
}
```
If your derivation has multiple SDKs its inputs (e.g., because they have been propagated by its dependencies), it will use the highest SDK version available.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3"; # Upstream specifies that it needs Xcode 12 to build, so use the 11.3 SDK.
# ...
buildInputs = [ apple-sdk_11 ];
nativeBuildInputs = [ swift ]; # Propagates the 13.3 SDK, so the 13.3 SDK package will be used instead of the 11.3 SDK.
}
```
- When a package indicates a minimum supported version, also called the deployment target, you can set it in your derivation using `darwinMinVersionHook`. If you need to set a minimum version higher than the default SDK, you should also add the corresponding SDK to your `buildInputs`.
The deployment target controls how Darwin handles availability and access to some APIs. In most cases, if a deployment target is newer than the first availability of an API, that API will be linked directly. Otherwise, the API will be weakly linked and checked at runtime.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3"; # Upstream specifies the minimum supported version as 12.5.
buildInputs = [ (darwinMinVersionHook "12.5") ];
}
```
If your derivation has multiple versions of this hook in its inputs (e.g., because it has been propagated by one of your dependencies), it will use the highest deployment target available.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3"; # Upstream specifies the minimum supported version as 10.15.
buildInputs = [ qt6.qtbase (darwinMinVersionHook "10.15") ];
}
# Qt 6 specifies a minimum version of 12.0, so the minimum version resolves to 12.0.
```
- You should rely on the default SDK when possible. If a package specifies a required SDK version, use that version (e.g., libuv requires 11.0, so it should use `apple-sdk_11`). When a package supports multiple SDKs, determine which SDK package to use based on the following rules of thumb:
- If a package supports multiple SDK versions, use the lowest supported SDK version by the package (but no lower than the default SDK). That ensures maximal platform compatibility for the package.
- If a package specifies a range of supported SDK versions _and_ a minimum supported version, assume the package is using availability checks to support the indicated minimum version. Add the highest supported SDK and a `darwinMinVersionHook` set to the minimum version supported by the upstream package.
Warning: Avoid using newer SDKs than an upstream package supports. When a binary is linked on Darwin, the SDK version used to build it is recorded in the binary. Runtime behavior can vary based on the SDK version, which may work fine but can also result in unexpected behavior or crashes when building with an unsupported SDK.
```nix
stdenv.mkDerivation {
name = "foo-1.2.3";
# ...
buildInputs = [ apple-sdk_15 (darwinMinVersionHook "10.15") ]; # Upstream builds with the 15.0 SDK but supports 10.15.
}
```
- Libraries that require a minimum version can propagate an appropriate SDK and `darwinMinVersionHook`. Derivations using that library will automatically use an appropriate SDK and minimum version. Even if the library builds with a newer SDK, it should propagate the minimum supported SDK. Derivations that need a newer SDK can add it to their `buildInputs`.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
buildInputs = [ apple-sdk_15 ]; # Upstream builds with the 15.0 SDK but supports 10.15.
propagatedBuildInputs = [ apple-sdk_10_15 (darwinMinVersionHook "10.15") ];
}
# ...
stdenv.mkDerivation {
name = "bar-1.2.3";
# ...
buildInputs = [ libfoo ]; # Builds with the 10.15 SDK
}
# ...
stdenv.mkDerivation {
name = "baz-1.2.3";
# ...
buildInputs = [ apple-sdk_12 libfoo ]; # Builds with the 12.3 SDK
}
```
- Many SDK libraries and frameworks use text-based stubs to link against system libraries and frameworks, but several are built from source (typically corresponding to the source releases for the latest release of macOS). Several of these are propagated to your package automatically. They can be accessed via the `darwin` package set along with others that are not propagated by default.
- libiconv
- libresolv
- libsbuf
Other common libraries are available in Darwin-specific versions with modifications from Apple. Note that these packages may be made the default on Darwin in the future.
- ICU (compatible with the top-level icu package, but it also provides `libicucore.B.dylib` with an ABI compatible with the Darwin system version)
- libpcap (compatible with the top-level libpcap, but it includes Darwin-specific extensions)
- The legacy SDKs packages are still available in the `darwin` package set under their existing names, but all packages in these SDKs (frameworks, libraries, etc) are stub packages for evaluation compatibility.
In most cases, a derivation can be updated by deleting all of its SDK inputs (frameworks, libraries, etc). If you had to override the SDK, see below for how to do that using the new SDK pattern. If your derivation depends on the layout of the old frameworks or other internal details, you have more work to do.
When a package depended on the location of frameworks, references to those framework packages can usually be replaced with `${apple-sdk.sdkroot}/System` or `$SDKROOT/System`. For example, if you substituted `${darwin.apple_sdk.frameworks.OpenGL}/Library/Frameworks/OpenGL.framework` in your derivation, you should replace it with `${apple-sdk.sdkroot}/System/Library/Frameworks/OpenGL.framework` or `$SDKROOT/System/Library/Frameworks`. The latter is preferred because it supports using the SDK that is resolved when multiple SDKs are propagated (see above).
Note: the new SDK pattern uses the name `apple-sdk` to better align with nixpkgs naming conventions. The old SDK pattern uses `apple_sdk`.
- There are two legacy patterns that are being phased out. These patterns were used in the past to change the SDK version. They have been reimplemented to use the `apple-sdk` packages.
- `pkgs.darwin.apple_sdk_11_0.callPackage` - this pattern was used to provide frameworks from the 11.0 SDK. It now adds the `apple-sdk_11` package to your derivations build inputs.
- `overrideSDK` - this stdenv adapter would try to replace the frameworks used by your derivation and its transitive dependencies. It now adds the `apple-sdk_11` package for `11.0` or the `apple-sdk_12` package for `12.3`. If `darwinMinVersion` is specified, it will add `darwinMinVersionHook` with the specified minimum version. No other SDK versions are supported.
- Darwin supports cross-compilation between Darwin platforms. Cross-compilation from Linux is not currently supported but may be supported in the future. To cross-compile to Darwin, you can set `crossSystem` or use one of the Darwin systems in `pkgsCross`. The `darwinMinVersionHook` and the SDKs support cross-compilation. If you need to specify a different SDK version for a `depsBuildBuild` compiler, add it to your `nativeBuildInputs`.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [ apple-sdk_12 ];
buildInputs = [ apple-sdk_13 ];
depsTargetTargetPropagated = [ apple-sdk_14 ];
}
# The build-build clang will use the 12.3 SDK while the package build itself will use the 13.3 SDK.
# Derivations that add this package as an input will have the 14.4 SDK propagated to them.
```
The different target SDK and hooks are mangled based on role:
- `DEVELOPER_DIR_FOR_BUILD` and `MACOSX_DEPLOYMENT_TARGET_FOR_BUILD` for the build platform;
- `DEVELOPER_DIR` and `MACOSX_DEPLOYMENT_TARGET` for the host platform; and
- `DEVELOPER_DIR_FOR_TARGET` and `MACOSX_DEPLOYMENT_TARGET_FOR_TARGET` for the build platform.
In static compilation situations, it is possible for the build and host platform to be the same platform but have different SDKs with the same version (one dynamic and one static). cc-wrapper takes care of handling this distinction.
- The current default versions of the deployment target (minimum version) and SDK are indicated by Darwin-specific attributes on the platform. Because of the ways that minimum version and SDK can be changed that are not visible to Nix, they should be treated as lower bounds. If you need to parameterize over a specific version, create a function that takes the version as a parameter instead of relying on these attributes.
- `darwinMinVersion` defaults to 10.12 on x86_64-darwin and 11.0 on aarch64-darwin. It sets the default `MACOSX_DEPLOYMENT_TARGET`.
- `darwinSdkVersion` defaults to 10.12 on x86-64-darwin and 11.0 on aarch64-darwin. Only the major version determines the SDK version, resulting in the 10.12.2 and 11.3 SDKs being used on these platforms respectively.

5
third_party/nixpkgs/lib/attrsets.nix vendored
View file

@ -7,7 +7,7 @@ let
inherit (builtins) head length;
inherit (lib.trivial) oldestSupportedReleaseIsAtLeast mergeAttrs warn warnIf;
inherit (lib.strings) concatStringsSep concatMapStringsSep escapeNixIdentifier sanitizeDerivationName;
inherit (lib.lists) foldr foldl' concatMap elemAt all partition groupBy take foldl;
inherit (lib.lists) filter foldr foldl' concatMap elemAt all partition groupBy take foldl;
in
rec {
@ -644,8 +644,7 @@ rec {
filterAttrs =
pred:
set:
listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));
removeAttrs set (filter (name: ! pred name set.${name}) (attrNames set));
/**
Filter an attribute set recursively by removing all attributes for

24
third_party/nixpkgs/lib/fixed-points.nix vendored
View file

@ -160,7 +160,9 @@ rec {
A fixed-point function returning an attribute set has the form
```nix
final: { # attributes }
final: {
# attributes
}
```
where `final` refers to the lazily evaluated attribute set returned by the fixed-point function.
@ -168,7 +170,9 @@ rec {
An overlay to such a fixed-point function has the form
```nix
final: prev: { # attributes }
final: prev: {
# attributes
}
```
where `prev` refers to the result of the original function to `final`, and `final` is the result of the composition of the overlay and the original function.
@ -177,8 +181,12 @@ rec {
```nix
let
f = final: { # attributes };
overlay = final: prev: { # attributes };
f = final: {
# attributes
};
overlay = final: prev: {
# attributes
};
in extends overlay f;
```
@ -186,8 +194,12 @@ rec {
```nix
let
f = final: { # attributes };
overlay = final: prev: { # attributes };
f = final: {
# attributes
};
overlay = final: prev: {
# attributes
};
g = extends overlay f;
in fix g
```

14
third_party/nixpkgs/lib/licenses.nix vendored
View file

@ -1212,6 +1212,11 @@ lib.mapAttrs mkLicense ({
fullName = "TCL/TK License";
};
tost = {
fullName = "Tomorrow Open Source Technology License 1.0";
url = "https://github.com/PixarAnimationStudios/OpenUSD/blob/release/LICENSE.txt";
};
ucd = {
fullName = "Unicode Character Database License";
url = "https://fedoraproject.org/wiki/Licensing:UCD";
@ -1290,6 +1295,15 @@ lib.mapAttrs mkLicense ({
watcom = {
spdxId = "Watcom-1.0";
fullName = "Sybase Open Watcom Public License 1.0";
# Despite being OSIapproved, this licence is not considered FOSS
# by Debian, Fedora, or the FSF, due to an onerous restriction that
# requires publication of even privatelydeployed modifications.
# This violates the FSFs freedom 3 and Debians “desert island
# test” and “dissident test”.
#
# See: <https://en.wikipedia.org/wiki/Sybase_Open_Watcom_Public_License>
free = false;
redistributable = true;
};
w3c = {

2
third_party/nixpkgs/lib/systems/doubles.nix vendored
View file

@ -55,7 +55,7 @@ let
"wasm64-wasi" "wasm32-wasi"
# Windows
"x86_64-windows" "i686-windows"
"aarch64-windows" "x86_64-windows" "i686-windows"
];
allParsed = map parse.mkSystemFromString all;

7
third_party/nixpkgs/lib/systems/examples.nix vendored
View file

@ -325,6 +325,13 @@ rec {
libc = "ucrt"; # This distinguishes the mingw (non posix) toolchain
};
# LLVM-based mingw-w64 for ARM
ucrtAarch64 = {
config = "aarch64-w64-mingw32";
libc = "ucrt";
useLLVM = true;
};
# BSDs
x86_64-freebsd = {

20
third_party/nixpkgs/lib/tests/misc.nix vendored
View file

@ -47,6 +47,7 @@ let
evalModules
extends
filter
filterAttrs
fix
fold
foldAttrs
@ -1102,6 +1103,25 @@ runTests {
};
};
testFilterAttrs = {
expr = filterAttrs (n: v: n != "a" && (v.hello or false) == true) {
a.hello = true;
b.hello = true;
c = {
hello = true;
world = false;
};
d.hello = false;
};
expected = {
b.hello = true;
c = {
hello = true;
world = false;
};
};
};
# code from example
testFoldlAttrs = {
expr = {

2
third_party/nixpkgs/lib/tests/systems.nix vendored
View file

@ -60,7 +60,7 @@ lib.runTests (
testlinux = mseteq linux [ "aarch64-linux" "armv5tel-linux" "armv6l-linux" "armv7a-linux" "armv7l-linux" "i686-linux" "loongarch64-linux" "m68k-linux" "microblaze-linux" "microblazeel-linux" "mips-linux" "mips64-linux" "mips64el-linux" "mipsel-linux" "powerpc64-linux" "powerpc64le-linux" "riscv32-linux" "riscv64-linux" "s390-linux" "s390x-linux" "x86_64-linux" ];
testnetbsd = mseteq netbsd [ "aarch64-netbsd" "armv6l-netbsd" "armv7a-netbsd" "armv7l-netbsd" "i686-netbsd" "m68k-netbsd" "mipsel-netbsd" "powerpc-netbsd" "riscv32-netbsd" "riscv64-netbsd" "x86_64-netbsd" ];
testopenbsd = mseteq openbsd [ "i686-openbsd" "x86_64-openbsd" ];
testwindows = mseteq windows [ "i686-cygwin" "x86_64-cygwin" "i686-windows" "x86_64-windows" ];
testwindows = mseteq windows [ "i686-cygwin" "x86_64-cygwin" "aarch64-windows" "i686-windows" "x86_64-windows" ];
testunix = mseteq unix (linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos ++ cygwin ++ redox);
})

3
third_party/nixpkgs/maintainers/README.md vendored
View file

@ -172,3 +172,6 @@ to the team without an approval by at least one existing member.
Various utility scripts, which are mainly useful for nixpkgs maintainers,
are available under `./scripts/`. See its [README](./scripts/README.md)
for further information.
# nixpkgs-merge-bot
To streamline autoupdates, leverage the nixpkgs-merge-bot by commenting `@NixOS/nixpkgs-merge-bot merge` if the package resides in pkgs-by-name and the commenter is among the package maintainers. The bot ensures that all ofborg checks, except for darwin, are successfully completed before merging the pull request. Should the checks still be underway, the bot patiently waits for ofborg to finish before attempting the merge again.

242
third_party/nixpkgs/maintainers/maintainer-list.nix vendored
View file

@ -870,6 +870,12 @@
githubId = 56970006;
keys = [ { fingerprint = "50E2 669C AB38 2F4A 5F72 1667 0D6B FC01 D45E DADD"; } ];
};
akotro = {
name = "Antonis Kotronakis";
email = "mail@akotro.dev";
github = "akotro";
githubId = 20772540;
};
akru = {
email = "mail@akru.me";
github = "akru";
@ -1038,6 +1044,12 @@
github = "Alexnortung";
githubId = 1552267;
};
alex-nt = {
email = "nix@azuremyst.org";
github = "alex-nt";
githubId = 12470950;
name = "AN";
};
alexoundos = {
email = "alexoundos@gmail.com";
github = "AleXoundOS";
@ -1070,6 +1082,12 @@
githubId = 50754358;
name = "Alex Winter";
};
alexymantha = {
email = "alexy@mantha.dev";
github = "alexymantha";
githubId = 1365231;
name = "Alexy Mantha";
};
alfarel = {
email = "alfarelcynthesis@proton.me";
github = "alfarelcynthesis";
@ -2122,7 +2140,6 @@
};
aucub = {
name = "aucub";
email = "dr56ekgbb@mozmail.com";
github = "aucub";
githubId = 78630225;
};
@ -2345,7 +2362,7 @@
email = "baduhai@pm.me";
github = "baduhai";
githubId = 31864305;
name = "William";
name = "William Hai";
};
baitinq = {
email = "manuelpalenzuelamerino@gmail.com";
@ -2951,6 +2968,12 @@
githubId = 535135;
name = "Brennon Loveless";
};
bloxx12 = {
email = "charlie@charlieroot.dev";
github = "bloxx12";
githubId = 75451918;
name = "Charlie Root";
};
bluescreen303 = {
email = "mathijs@bluescreen303.nl";
github = "bluescreen303";
@ -3891,6 +3914,13 @@
github = "CHN-beta";
githubId = 35858462;
};
ChocolateLoverRaj = {
email = "paranjperajas@gmail.com";
github = "ChocolateLoverRaj";
githubId = 52586855;
matrix = "@chocolateloverraj:matrix.org";
name = "Rajas Paranjpe";
};
cholli = {
email = "christoph.hollizeck@hey.com";
github = "Daholli";
@ -4349,6 +4379,12 @@
githubId = 18414241;
name = "Andreas Erdes";
};
computerdane = {
email = "danerieber@gmail.com";
github = "computerdane";
githubId = 6487079;
name = "Dane Rieber";
};
confus = {
email = "con-f-use@gmx.net";
github = "con-f-use";
@ -4369,7 +4405,7 @@
githubId = 2083950;
};
conni2461 = {
email = "simon.hauser@outlook.com";
email = "simon-hauser@outlook.com";
github = "Conni2461";
name = "Simon Hauser";
githubId = 15233006;
@ -4416,6 +4452,12 @@
{ fingerprint = "D8CB 816A B678 A4E6 1EC7 5325 230F 4AC1 53F9 0F29"; }
];
};
corbinwunderlich = {
email = "corbin@wcopy.net";
github = "CorbinWunderlich";
githubId = 140280062;
name = "Corbin Wunderlich";
};
corngood = {
email = "corngood@gmail.com";
github = "corngood";
@ -4747,12 +4789,6 @@
githubId = 24708079;
name = "Dan Eads";
};
danerieber = {
email = "danerieber@gmail.com";
github = "danerieber";
githubId = 6487079;
name = "Dane Rieber";
};
danid3v = {
email = "sch220233@spengergasse.at";
github = "DaniD3v";
@ -5437,6 +5473,12 @@
githubId = 4490283;
name = "diadatp";
};
diamond-deluxe = {
email = "carbon_lattice@proton.me";
github = "diamond-deluxe";
githubId = 112557036;
name = "Diamond";
};
DianaOlympos = {
github = "DianaOlympos";
githubId = 15774340;
@ -5862,6 +5904,12 @@
githubId = 1931963;
name = "David Sferruzza";
};
dsluijk = {
name = "Dany Sluijk";
email = "nix@dany.dev";
github = "dsluijk";
githubId = 8537327;
};
dstengele = {
name = "Dennis Stengele";
email = "dennis@stengele.me";
@ -6613,6 +6661,14 @@
github = "ErinvanderVeen";
githubId = 10973664;
};
erooke = {
email = "ethan@roo.ke";
name = "Ethan Rooke";
keys = [ { fingerprint = "B66B EB9F 6111 E44B 7588 8240 B287 4A77 049A 5923"; } ];
github = "erooke";
githubId = 46689793;
matrix = "@ethan:roo.ke";
};
erosennin = {
email = "ag@sologoc.com";
github = "erosennin";
@ -6830,14 +6886,6 @@
githubId = 873530;
name = "Alexey Levan";
};
expipiplus1 = {
email = "nix@monoid.al";
matrix = "@ellie:monoid.al";
github = "expipiplus1";
githubId = 857308;
name = "Ellie Hermaszewska";
keys = [ { fingerprint = "FC1D 3E4F CBCA 80DF E870 6397 C811 6E3A 0C1C A76A"; } ];
};
exploitoverload = {
email = "nix@exploitoverload.com";
github = "exploitoverload";
@ -7403,6 +7451,11 @@
githubId = 13279982;
name = "freezeboy";
};
frenetic00 = {
github = "frenetic00";
githubId = 50942055;
name = "frenetic00";
};
Fresheyeball = {
email = "fresheyeball@gmail.com";
github = "Fresheyeball";
@ -8241,6 +8294,13 @@
githubId = 201997;
name = "Eric Seidel";
};
griffi-gh = {
name = "Alex Prasol";
email = "prasol258@gmail.com";
matrix = "@voxel:nyanbinary.rs";
github = "griffi-gh";
githubId = 45996170;
};
grimmauld = {
name = "Sören Bender";
email = "soeren@benjos.de";
@ -8638,6 +8698,12 @@
githubId = 186660;
name = "Miao, ZhiCheng";
};
helsinki-Jo = {
email = "joachim.ernst@helsinki-systems.de";
github = "helsinki-Jo";
githubId = 155722885;
name = "Joachim Ernst";
};
henkery = {
email = "jim@reupload.nl";
github = "henkery";
@ -9101,12 +9167,6 @@
githubId = 30196;
name = "Ian Liu Rodrigues";
};
ianmjones = {
email = "ian@ianmjones.com";
github = "ianmjones";
githubId = 4710;
name = "Ian M. Jones";
};
ianwookim = {
email = "ianwookim@gmail.com";
github = "wavewave";
@ -9342,6 +9402,12 @@
githubId = 36996706;
name = "Philip Rying";
};
imsick = {
email = "lent-lather-excuse@duck.com";
github = "dvishal485";
githubId = 26341736;
name = "Vishal Das";
};
imuli = {
email = "i@imu.li";
github = "imuli";
@ -9487,6 +9553,11 @@
github = "istoph";
githubId = 114227790;
};
istudyatuni = {
name = "Ilia";
github = "istudyatuni";
githubId = 43654815;
};
itepastra = {
name = "Noa Aarts";
github = "itepastra";
@ -9494,6 +9565,13 @@
email = "itepastra@gmail.com";
keys = [ { fingerprint = "E681 4CAF 06AE B076 D55D 3E32 A16C DCBF 1472 541F"; } ];
};
itsvic-dev = {
email = "contact@itsvic.dev";
name = "Victor B.";
github = "itsvic-dev";
githubId = 17727163;
keys = [ { fingerprint = "FBAA B86A 101B 4C5F D4F1 25D2 E93D DAC1 7E5D 6CA1"; } ];
};
ius = {
email = "j.de.gram@gmail.com";
name = "Joerie de Gram";
@ -9697,6 +9775,13 @@
githubId = 2179419;
name = "Arseniy Seroka";
};
jakecleary = {
email = "shout@jakecleary.net";
github = "jakecleary";
githubId = 4572429;
name = "Jake Cleary";
keys = [ { fingerprint = "6192 E5CC 28B8 FA7E F5F3 775F 3726 5B1E 496C 92A2"; } ];
};
jakedevs = {
email = "work@jakedevs.net";
github = "jakedevs";
@ -11170,6 +11255,7 @@
name = "katanallama";
};
katexochen = {
email = "katexochen0@gmail.com";
github = "katexochen";
githubId = 49727155;
matrix = "@katexochen:matrix.org";
@ -11223,6 +11309,19 @@
github = "keenanweaver";
githubId = 37268985;
};
kekschen = {
email = "kx@imkx.dev";
github = "kek5chen";
githubId = 52585984;
name = "Kek5chen";
};
keksgesicht = {
name = "Jan Braun";
email = "git@keksgesicht.de";
github = "Keksgesicht";
githubId = 32649612;
keys = [ { fingerprint = "65DF D21C 22A9 E4CD FD1A 0804 C3D7 16E7 29B3 C86A"; } ];
};
keldu = {
email = "mail@keldu.de";
github = "keldu";
@ -11518,11 +11617,11 @@
};
kloenk = {
email = "me@kloenk.dev";
matrix = "@kloenk:petabyte.dev";
name = "Finn Behrens";
github = "Kloenk";
matrix = "@kloenk:kloenk.eu";
name = "Fiona Behrens";
github = "kloenk";
githubId = 12898828;
keys = [ { fingerprint = "6881 5A95 D715 D429 659B 48A4 B924 45CF C954 6F9D"; } ];
keys = [ { fingerprint = "B44A DFDF F869 A66A 3FDF DD8B 8609 A7B5 19E5 E342"; } ];
};
kmcopper = {
email = "kmcopper@danwin1210.me";
@ -12150,6 +12249,11 @@
github = "lenivaya";
githubId = 49302467;
};
lenny = {
name = "Lenny.";
matrix = "lenny@flipdot.org";
keys = [ { fingerprint = "6D63 2D4D 0CFE 8D53 F5FD C7ED 738F C800 6E9E A634"; } ];
};
leo248 = {
github = "leo248";
githubId = 95365184;
@ -13690,12 +13794,6 @@
githubId = 2971615;
name = "Marius Bergmann";
};
mcaju = {
email = "cajum.bugs@yandex.com";
github = "CajuM";
githubId = 10420834;
name = "Mihai-Drosi Caju";
};
mccartykim = {
email = "mccartykim@zoho.com";
github = "mccartykim";
@ -14189,6 +14287,12 @@
githubId = 38543128;
name = "Miles Breslin";
};
milescranmer = {
email = "miles.cranmer@gmail.com";
github = "MilesCranmer";
githubId = 7593028;
name = "Miles Cranmer";
};
milibopp = {
email = "contact@ebopp.de";
github = "milibopp";
@ -14652,6 +14756,12 @@
githubId = 2072185;
name = "Marc Scholten";
};
mrbenjadmin = {
email = "mrbenjadmin@gmail.com";
github = "mrbenjadmin";
githubId = 68156310;
name = "Benjamin Strachan";
};
mrcjkb = {
email = "marc@jakobi.dev";
matrix = "@mrcjk:matrix.org";
@ -15008,6 +15118,12 @@
name = "Daniel Nagy";
keys = [ { fingerprint = "F6AE 2C60 9196 A1BC ECD8 7108 1B8E 8DCB 576F B671"; } ];
};
naho = {
github = "trueNAHO";
githubId = 90870942;
name = "Noah Pierre Biewesch";
keys = [ { fingerprint = "5FC6 088A FB1A 609D 4532 F919 0C1C 177B 3B64 68E0"; } ];
};
nalbyuites = {
email = "ashijit007@gmail.com";
github = "nalbyuites";
@ -15525,6 +15641,12 @@
githubId = 3159451;
name = "Nicolas Schneider";
};
nipeharefa = {
name = "Nipe Harefa";
email = "nipeharefa@gmail.com";
github = "nipeharefa";
githubId = 12620257;
};
NIS = {
name = "NSC IT Solutions";
github = "dev-nis";
@ -16095,6 +16217,12 @@
githubId = 1538622;
name = "Michael Reilly";
};
ondt = {
name = "Ondrej Telka";
email = "nix@ondt.dev";
github = "ondt";
githubId = 20520951;
};
onedragon = {
name = "YiLong Liu";
email = "18922251299@163.com";
@ -16712,6 +16840,12 @@
githubId = 63069986;
name = "Per Stark";
};
petee = {
name = "Pete Erickson";
email = "pete.perickson@gmail.com";
github = "petee";
githubId = 89916;
};
petercommand = {
email = "petercommand@gmail.com";
github = "petercommand";
@ -17565,6 +17699,12 @@
githubId = 43755002;
name = "Dmitriy P";
};
pta2002 = {
email = "pta2002@pta2002.com";
github = "pta2002";
githubId = 7443916;
name = "Pedro Alves";
};
ptival = {
email = "valentin.robert.42@gmail.com";
github = "Ptival";
@ -17670,6 +17810,12 @@
githubId = 12017109;
name = "Rabindra Dhakal";
};
qbisi = {
name = "qbisicwate";
email = "qbisicwate@gmail.com";
github = "qbisi";
githubId = 84267544;
};
qbit = {
name = "Aaron Bieber";
email = "aaron@bolddaemon.com";
@ -18246,6 +18392,11 @@
githubId = 3302;
name = "Renzo Carbonara";
};
reputable2772 = {
name = "Reputable2772";
github = "Reputable2772";
githubId = 153411261;
};
rettetdemdativ = {
email = "michael@koeppl.dev";
github = "rettetdemdativ";
@ -21312,6 +21463,11 @@
githubId = 38222826;
name = "Aamaruvi Yogamani";
};
technobaboo = {
github = "technobaboo";
githubId = 4541968;
name = "Nova King";
};
teh = {
email = "tehunger@gmail.com";
github = "teh";
@ -23013,6 +23169,12 @@
githubId = 7677567;
name = "Victor SENE";
};
vtimofeenko = {
email = "nixpkgs.maintain@vtimofeenko.com";
github = "VTimofeenko";
githubId = 9886026;
name = "Vladimir Timofeenko";
};
vtuan10 = {
email = "mail@tuan-vo.de";
github = "vtuan10";
@ -23177,6 +23339,12 @@
githubId = 24979302;
name = "Vladimír Zahradník";
};
wfdewith = {
name = "Wim de With";
email = "wf@dewith.io";
github = "wfdewith";
githubId = 2306085;
};
wgunderwood = {
email = "wg.underwood13@gmail.com";
github = "WGUNDERWOOD";
@ -23252,7 +23420,6 @@
github = "willbush";
githubId = 2023546;
name = "Will Bush";
keys = [ { fingerprint = "4441 422E 61E4 C8F3 EBFE 5E33 3823 864B 54B1 3BDA"; } ];
};
willcohen = {
github = "willcohen";
@ -23915,6 +24082,13 @@
github = "youhaveme9";
githubId = 58213083;
};
youwen5 = {
name = "Youwen Wu";
email = "youwenw@gmail.com";
github = "youwen5";
githubId = 38934577;
keys = [ { fingerprint = "8F5E 6C1A F909 76CA 7102 917A 8656 58ED 1FE6 1EC3"; } ];
};
yrashk = {
email = "yrashk@gmail.com";
github = "yrashk";

71
third_party/nixpkgs/maintainers/scripts/check-by-name.sh vendored
View file

@ -1,71 +0,0 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p jq
set -o pipefail -o errexit -o nounset
trace() { echo >&2 "$@"; }
tmp=$(mktemp -d)
cleanup() {
# Don't exit early if anything fails to cleanup
set +o errexit
trace -n "Cleaning up.. "
[[ -e "$tmp/base" ]] && git worktree remove --force "$tmp/base"
[[ -e "$tmp/merged" ]] && git worktree remove --force "$tmp/merged"
rm -rf "$tmp"
trace "Done"
}
trap cleanup exit
repo=https://github.com/NixOS/nixpkgs.git
if (( $# != 0 )); then
baseBranch=$1
shift
else
trace "Usage: $0 BASE_BRANCH [REPOSITORY]"
trace "BASE_BRANCH: The base branch to use, e.g. master or release-23.11"
trace "REPOSITORY: The repository to fetch the base branch from, defaults to $repo"
exit 1
fi
if (( $# != 0 )); then
repo=$1
shift
fi
if [[ -n "$(git status --porcelain)" ]]; then
trace -e "\e[33mWarning: Dirty tree, uncommitted changes won't be taken into account\e[0m"
fi
headSha=$(git rev-parse HEAD)
trace -e "Using HEAD commit \e[34m$headSha\e[0m"
trace -n "Creating Git worktree for the HEAD commit in $tmp/merged.. "
git worktree add --detach -q "$tmp/merged" HEAD
trace "Done"
trace -n "Fetching base branch $baseBranch to compare against.. "
git fetch -q "$repo" refs/heads/"$baseBranch"
baseSha=$(git rev-parse FETCH_HEAD)
trace -e "\e[34m$baseSha\e[0m"
trace -n "Creating Git worktree for the base branch in $tmp/base.. "
git worktree add -q "$tmp/base" "$baseSha"
trace "Done"
trace -n "Merging base branch into the HEAD commit in $tmp/merged.. "
git -C "$tmp/merged" merge -q --no-edit "$baseSha"
trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m"
trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
trace -e "\e[34m$toolVersion\e[0m"
trace -n "Building tool.. "
nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build
trace "Running nixpkgs-vet.."
"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"

1
third_party/nixpkgs/maintainers/scripts/check-by-name.sh vendored Symbolic link
View file

@ -0,0 +1 @@
../../ci/nixpkgs-vet.sh

19
third_party/nixpkgs/maintainers/team-list.nix vendored
View file

@ -194,9 +194,13 @@ with lib.maintainers;
};
darwin = {
members = [ toonn ];
githubTeams = [ "darwin-maintainers" ];
scope = "Maintain Darwin compatibility of packages and Darwin-only packages.";
members = [
emily
reckenrode
toonn
];
githubTeams = [ "darwin-core" ];
scope = "Maintain core platform support and packages for macOS and other Apple platforms.";
shortName = "Darwin";
enableFeatureFreezePing = true;
};
@ -445,7 +449,6 @@ with lib.maintainers;
haskell = {
members = [
cdepillabout
expipiplus1
maralorn
ncfavier
sternenseemann
@ -461,6 +464,7 @@ with lib.maintainers;
members = [
das_j
conni2461
helsinki-Jo
];
scope = "Group registration for packages maintained by Helsinki Systems";
shortName = "Helsinki Systems employees";
@ -841,9 +845,14 @@ with lib.maintainers;
};
postgres = {
members = [ thoughtpolice ];
members = [
thoughtpolice
ma27
wolfgangwalther
];
scope = "Maintain the PostgreSQL package and plugins along with the NixOS module.";
shortName = "PostgreSQL";
enableFeatureFreezePing = true;
};
python = {

4
third_party/nixpkgs/nixos/doc/manual/configuration/customizing-packages.section.md vendored
View file

@ -33,8 +33,8 @@ Unfortunately, Nixpkgs currently lacks a way to query available package configur
::: {.note}
For example, many packages come with extensions one might add.
Examples include:
- [`passExtensions.pass-otp`](https://search.nixos.org/packages/query=passExtensions.pass-otp)
- [`python310Packages.requests`](https://search.nixos.org/packages/query=python310Packages.requests)
- [`passExtensions.pass-otp`](https://search.nixos.org/packages?query=passExtensions.pass-otp)
- [`python312Packages.requests`](https://search.nixos.org/packages?query=python312Packages.requests)
You can use them like this:
```nix

3
third_party/nixpkgs/nixos/doc/manual/development/writing-modules.chapter.md vendored
View file

@ -140,7 +140,8 @@ in {
path = [ pkgs.su ];
script =
''
mkdir -m 0755 -p $(dirname ${toString cfg.output})
mkdir -p $(dirname ${toString cfg.output})
chmod 0755 $(dirname ${toString cfg.output})
exec updatedb \
--localuser=${cfg.localuser} \
${optionalString (!cfg.includeStore) "--prunepaths='/nix/store'"} \

6
third_party/nixpkgs/nixos/doc/manual/installation/installing-virtualbox-guest.section.md vendored
View file

@ -1,10 +1,8 @@
# Installing in a VirtualBox guest {#sec-installing-virtualbox-guest}
Installing NixOS into a VirtualBox guest is convenient for users who
want to try NixOS without installing it on bare metal. If you want to
use a pre-made VirtualBox appliance, it is available at [the downloads
page](https://nixos.org/download/#nixos-virtualbox). If you want to set
up a VirtualBox guest manually, follow these instructions:
want to try NixOS without installing it on bare metal. If you want to set
up a VirtualBox guest, follow these instructions:
1. Add a New Machine in VirtualBox with OS Type "Linux / Other Linux"

418
third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2411.section.md vendored
View file

@ -7,7 +7,8 @@
- **This will be the last release of Nixpkgs to support macOS Sierra 10.12 to macOS Catalina 10.15.**
Starting with release 25.05, the minimum supported version will be macOS Big Sur 11, and we cannot guarantee that packages will continue to work on older versions of macOS.
Users on old macOS versions should consider upgrading to a supported version (potentially using [OpenCore Legacy Patcher](https://dortania.github.io/OpenCore-Legacy-Patcher/) for old hardware) or installing NixOS.
If neither of those options are viable and you require new versions of software, [MacPorts](https://www.macports.org/) supports back to Mac OS X Snow Leopard 10.6.
If neither of those options are viable and you require new versions of software, [MacPorts](https://www.macports.org/) supports versions back to Mac OS X Snow Leopard 10.6.
- Nix was updated to 2.24, which brings a lot of improvements and fixes. See the release notes for
[2.19](https://nix.dev/manual/nix/latest/release-notes/rl-2.19),
[2.20](https://nix.dev/manual/nix/latest/release-notes/rl-2.20),
@ -15,35 +16,38 @@
[2.22](https://nix.dev/manual/nix/latest/release-notes/rl-2.22),
[2.23](https://nix.dev/manual/nix/latest/release-notes/rl-2.23),
[2.24](https://nix.dev/manual/nix/latest/release-notes/rl-2.24).
Notable changes include improvements to Git fetching, documentation comment support in `nix-repl> :doc`, as well as many quality of life improvements.
Notable changes include improvements to Git fetching, documentation comment support in `nix-repl> :doc`, as well as many quality of life additions.
- This will be the last release of Nixpkgs to support versions of CUDA prior to CUDA 12.0.
These versions only work with old compiler versions that will be unsupported by the time of the Nixpkgs 25.05 release.
In future, users should expect CUDA versions to be dropped as the compiler versions they require leave upstream support windows.
In the future, users should expect CUDA versions to be dropped as the compiler versions they require leave upstream support windows.
- Convenience options for `amdgpu`, open source driver for Radeon cards, is now available under `hardware.amdgpu`.
- Convenience options for `amdgpu`, the open source driver for Radeon cards, are now available under [`hardware.amdgpu`](#opt-hardware.amdgpu.initrd.enable).
- [AMDVLK](https://github.com/GPUOpen-Drivers/AMDVLK), AMD's open source Vulkan driver, is now available to be configured as `hardware.amdgpu.amdvlk` option.
This also allows configuring runtime settings of AMDVLK and enabling experimental features.
- The `moonlight-qt` package ([Moonlight game streaming](https://moonlight-stream.org/)) now has HDR support on Linux systems.
- [AMDVLK](https://github.com/GPUOpen-Drivers/AMDVLK), AMD's open source Vulkan driver, is now available to be configured under the [`hardware.amdgpu.amdvlk`](#opt-hardware.amdgpu.amdvlk.enable) option.
This also allows configuring runtime settings for AMDVLK, including enabling experimental features.
- The `moonlight-qt` package (for [Moonlight game streaming](https://moonlight-stream.org/)) now has HDR support on Linux systems.
- PostgreSQL now defaults to major version 16.
- GNOME has been updated to version 47. Refer to the [release notes](https://release.gnome.org/47/) for more details.
- `authelia` has been upgraded to version 4.38. This version brings several features and improvements which are detailed in the [release blog post](https://www.authelia.com/blog/4.38-release-notes/).
This release also deprecates some configuration keys, which are likely to be removed in future version 5.0, but they are still supported and expected to be working in the current version.
This release also deprecates some configuration keys which are likely to be removed in version 5.0.0.
- `compressDrv` can compress selected files in a derivation. `compressDrvWeb` compresses files for common web server usage (`.gz` with `zopfli`, `.br` with `brotli`).
- `hardware.display` is a new module implementing workarounds for misbehaving monitors
through setting up custom EDID files and forcing kernel/framebuffer modes.
- [`hardware.display`](#opt-hardware.display.edid.enable) is a new module implementing workarounds for misbehaving monitors
by setting up custom EDID files and forcing kernel/framebuffer modes.
- A new display-manager `services.displayManager.ly` was added.
It is a tui based replacement of sddm and lightdm for window manager users.
Users can use it by `services.displayManager.ly.enable` and config it by
`services.displayManager.ly.settings` to generate `/etc/ly/config.ini`
- [`services.displayManager.ly`](#opt-services.displayManager.ly.enable) is a new module for configuring the display manager [ly](https://github.com/fairyglade/ly),
a TUI-based replacement for SDDM and LightDM meant for window manager users.
- `srcOnly` was rewritten to be more readable, have additional warnings in the event that something is probably wrong, use the `stdenv` provided by the derivation, and Noogle-compatible documentation was added.
- The default sound server for most graphical sessions has been switched from PulseAudio to PipeWire.
Users that want to keep PulseAudio will want to set `services.pipewire.enable = false;` and `hardware.pulseaudio.enable = true;`.
Users that want to keep using PulseAudio will want to set `services.pipewire.enable = false;` and `hardware.pulseaudio.enable = true;`.
There is currently no plan to fully deprecate and remove PulseAudio, however, PipeWire should generally be preferred for new installs.
- The Rust rewrite of the `switch-to-configuration` program is now used for system activation by default.
@ -51,7 +55,7 @@
The original Perl script is deprecated and is planned for removal in the 25.05 release. It will remain accessible until then by setting `system.switch.enableNg` to `false`.
- Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html)
was added through the `boot.initrd.systemd.dmVerity` option.
was added through the [`boot.initrd.systemd.dmVerity`](#opt-boot.initrd.systemd.dmVerity.enable) option.
- The [Xen Project Hypervisor](https://xenproject.org) is once again available as a virtualisation option under [`virtualisation.xen`](#opt-virtualisation.xen.enable).
- This release includes Xen [4.19.0](https://wiki.xenproject.org/wiki/Xen_Project_4.19_Release_Notes) and support for booting the hypervisor on EFI systems.
@ -75,62 +79,59 @@
- [Cyrus IMAP](https://github.com/cyrusimap/cyrus-imapd), an email, contacts and calendar server. Available as [services.cyrus-imap](#opt-services.cyrus-imap.enable) service.
- [TaskChampion Sync-Server](https://github.com/GothenburgBitFactory/taskchampion-sync-server), a [Taskwarrior 3](https://taskwarrior.org/docs/upgrade-3/) sync server, replacing Taskwarrior 2's sync server named [`taskserver`](https://github.com/GothenburgBitFactory/taskserver).
- [TaskChampion Sync-Server](https://github.com/GothenburgBitFactory/taskchampion-sync-server), a [Taskwarrior 3](https://taskwarrior.org/docs/upgrade-3/) sync server. Available as [services.taskchampion-sync-server](#opt-services.taskchampion-sync-server.enable).
- [FlareSolverr](https://github.com/FlareSolverr/FlareSolverr), proxy server to bypass Cloudflare protection. Available as [services.flaresolverr](#opt-services.flaresolverr.enable) service.
- [FlareSolverr](https://github.com/FlareSolverr/FlareSolverr), a proxy server to bypass Cloudflare protection. Available as [services.flaresolverr](#opt-services.flaresolverr.enable).
- [Gancio](https://gancio.org/), a shared agenda for local communities. Available as [services.gancio](#opt-services.gancio.enable).
- [Goatcounter](https://www.goatcounter.com/), Easy web analytics. No tracking of personal data. Available as [services.goatcounter](options.html#opt-services.goatcocunter.enable).
- [Goatcounter](https://www.goatcounter.com/), an easy web analytics platform with no tracking of personal data. Available as [services.goatcounter](options.html#opt-services.goatcocunter.enable).
- [Privatebin](https://github.com/PrivateBin/PrivateBin/), A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as [services.privatebin](#opt-services.privatebin.enable)
- [Privatebin](https://github.com/PrivateBin/PrivateBin/), a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as [services.privatebin](#opt-services.privatebin.enable).
- [UWSM](https://github.com/Vladimir-csp/uwsm), a wayland session manager to wrap Wayland Compositors into useful systemd units such as `graphical-session.target`. Available as [programs.uwsm](#opt-programs.uwsm.enable).
- [UWSM](https://github.com/Vladimir-csp/uwsm), a wayland session manager to wrap Wayland compositors into useful systemd units such as `graphical-session.target`. Available as [programs.uwsm](#opt-programs.uwsm.enable).
- [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI
for LLMs. Available as [services.open-webui](#opt-services.open-webui.enable)
service.
- [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI for LLMs. Available as [services.open-webui](#opt-services.open-webui.enable).
- [Quickwit](https://quickwit.io), sub-second search & analytics engine on cloud storage. Available as [services.quickwit](options.html#opt-services.quickwit).
- [Quickwit](https://quickwit.io), a sub-second search & analytics engine on cloud storage. Available as [services.quickwit](options.html#opt-services.quickwit.enable).
- [Userborn](https://github.com/nikstur/userborn), a service for declarative
user management. This can be used instead of the `update-users-groups.pl`
Perl script and instead of systemd-sysusers. To achieve a system without
Perl, this is the now recommended tool over systemd-sysusers because it can
also create normal users and change passwords. Available as
[services.userborn](#opt-services.userborn.enable)
Perl script and/or systemd-sysusers. This is now recommended over
systemd-sysusers to achieve a system without Perl, as it can create normal
users and change passwords. Available as [services.userborn](#opt-services.userborn.enable).
- [Hatsu](https://github.com/importantimport/hatsu), a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as [services.hatsu](options.html#opt-services.hatsu).
- [Hatsu](https://github.com/importantimport/hatsu), a self-hosted bridge that interacts with Fediverse on behalf of your static site. Available as [services.hatsu](options.html#opt-services.hatsu.enable).
- [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood).
- [Flood](https://flood.js.org/), a beautiful WebUI for various torrent clients. Available as [services.flood](options.html#opt-services.flood.enable).
- [Niri](https://github.com/YaLTeR/niri), a scrollable-tiling Wayland compositor. Available as [programs.niri](options.html#opt-programs.niri.enable).
- [Firefly-iii Data Importer](https://github.com/firefly-iii/data-importer), a data importer for Firefly-III. Available as [services.firefly-iii-data-importer](options.html#opt-services.firefly-iii-data-importer)
- [Firefly-iii Data Importer](https://github.com/firefly-iii/data-importer), a data importer for Firefly-III. Available as [services.firefly-iii-data-importer](options.html#opt-services.firefly-iii-data-importer.enable).
- [QGroundControl], a ground station support and configuration manager for the PX4 and APM Flight Stacks. Available as [programs.qgroundcontrol](options.html#opt-programs.qgroundcontrol.enable).
- [Eintopf](https://eintopf.info), community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf).
- [Eintopf](https://eintopf.info), a community event and calendar web application. Available as [services.eintopf](options.html#opt-services.eintopf.enable).
- [Radicle](https://radicle.xyz), an open source, peer-to-peer code collaboration stack built on Git. Available as [services.radicle](#opt-services.radicle.enable).
- [ddns-updater](https://github.com/qdm12/ddns-updater), a service to update DNS records periodically with WebUI for many DNS providers. Available as [services.ddns-updater](#opt-services.ddns-updater.enable).
- [ddns-updater](https://github.com/qdm12/ddns-updater), a service with a WebUI to update DNS records periodically for many providers. Available as [services.ddns-updater](#opt-services.ddns-updater.enable).
- [Immersed](https://immersed.com/), a closed-source coworking platform. Available as [programs.immersed](#opt-programs.immersed.enable).
- [HomeBox](https://github.com/sysadminsmedia/homebox): the inventory and organization system built for the Home User. Available as [services.homebox](#opt-services.homebox.enable).
- [HomeBox](https://github.com/sysadminsmedia/homebox), an inventory and organization system built for the home user. Available as [services.homebox](#opt-services.homebox.enable).
- [matrix-hookshot](https://matrix-org.github.io/matrix-hookshot), a Matrix bot for connecting to external services. Available as [services.matrix-hookshot](#opt-services.matrix-hookshot.enable).
- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).
- [Renovate](https://github.com/renovatebot/renovate), a dependency updating tool for various Git forges and language ecosystems. Available as [services.renovate](#opt-services.renovate.enable).
- [Music Assistant](https://music-assistant.io/), a music library manager for your offline and online music sources which can easily stream your favourite music to a wide range of supported players. Available as [services.music-assistant](#opt-services.music-assistant.enable).
- [Music Assistant](https://music-assistant.io/), a music library manager for your offline and online music sources that can stream to a wide range of supported players. Available as [services.music-assistant](#opt-services.music-assistant.enable).
- [zeronsd](https://github.com/zerotier/zeronsd), a DNS server for ZeroTier users. Available with [services.zeronsd.servedNetworks](#opt-services.zeronsd.servedNetworks).
- [Collabora Online](https://www.collaboraonline.com/), a collaborative online office suite based on LibreOffice technology. Available as [services.collabora-online](options.html#opt-services.collabora-online.enable).
- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web ui for connecting devices. Available at [services.wg-access-server](#opt-services.wg-access-server.enable).
- [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a WebUI for connecting devices. Available as [services.wg-access-server](#opt-services.wg-access-server.enable).
- [Pingvin Share](https://github.com/stonith404/pingvin-share), a self-hosted file sharing platform and an alternative for WeTransfer. Available as [services.pingvin-share](#opt-services.pingvin-share.enable).
@ -140,65 +141,63 @@
- [Gatus](https://github.com/TwiN/gatus), an automated developer-oriented status page. Available as [services.gatus](#opt-services.gatus.enable).
- [cryptpad](https://cryptpad.org/), a privacy-oriented collaborative platform (docs/drive/etc), has been added back. Available as [services.cryptpad](#opt-services.cryptpad.enable).
- [cryptpad](https://cryptpad.org/), a privacy-oriented collaborative office suite, has been added back. Available as [services.cryptpad](#opt-services.cryptpad.enable).
- [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in rust. Available as [services.realm.enable](#opt-services.realm.enable).
- [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in Rust. Available as [services.realm](#opt-services.realm.enable).
- [Gotenberg](https://gotenberg.dev), an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as [services.gotenberg](options.html#opt-services.gotenberg).
- [Gotenberg](https://gotenberg.dev), an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as [services.gotenberg](options.html#opt-services.gotenberg.enable).
- [Suricata](https://suricata.io/), a free and open source, mature, fast and robust network threat detection engine. Available as [services.suricata](options.html#opt-services.suricata).
- [Suricata](https://suricata.io/), a free and open source, mature, fast and robust network threat detection engine. Available as [services.suricata](options.html#opt-services.suricata.enable).
- [Playerctld](https://github.com/altdesktop/playerctl), a daemon to track media player activity. Available as [services.playerctld](option.html#opt-services.playerctld).
- [Playerctld](https://github.com/altdesktop/playerctl), a daemon to track media player activity. Available as [services.playerctld](option.html#opt-services.playerctld.enable).
- [MenhirLib](https://gitlab.inria.fr/fpottier/menhir/-/tree/master/coq-menhirlib) A support library for verified Coq parsers produced by Menhir.
- [Glance](https://github.com/glanceapp/glance), a self-hosted dashboard that puts all your feeds in one place. Available as [services.glance](option.html#opt-services.glance.enable).
- [Glance](https://github.com/glanceapp/glance), a self-hosted dashboard that puts all your feeds in one place. Available as [services.glance](option.html#opt-services.glance).
- [Apache Tika](https://github.com/apache/tika), a toolkit that detects and extracts metadata and text from over a thousand different file types. Available as [services.tika](option.html#opt-services.tika.enable).
- [Apache Tika](https://github.com/apache/tika), a toolkit that detects and extracts metadata and text from over a thousand different file types. Available as [services.tika](option.html#opt-services.tika).
- [Misskey](https://misskey-hub.net/en/), an interplanetary microblogging platform. Available as [services.misskey](options.html#opt-services.misskey.enable).
- [Misskey](https://misskey-hub.net/en/), an interplanetary microblogging platform. Available as [services.misskey](options.html#opt-services.misskey).
- [Improved File Manager](https://github.com/misterunknown/ifm), or IFM, a single-file web-based file manager. Available as [services.ifm](options.html#opt-services.ifm.enable)
- [Improved File Manager (IFM)](https://github.com/misterunknown/ifm), a single-file web-based file manager. Available as [services.ifm](options.html#opt-services.ifm.enable).
- [OpenGFW](https://github.com/apernet/OpenGFW), an implementation of the Great Firewall on Linux. Available as [services.opengfw](#opt-services.opengfw.enable).
- [Rathole](https://github.com/rapiz1/rathole), a lightweight and high-performance reverse proxy for NAT traversal. Available as [services.rathole](#opt-services.rathole.enable).
- [Proton Mail bridge](https://proton.me/mail/bridge), a desktop application that runs in the background, encrypting and decrypting messages as they enter and leave your computer. It lets you add your Proton Mail account to your favorite email client via IMAP/SMTP by creating a local email server on your computer.
- [Proton Mail bridge](https://proton.me/mail/bridge), a desktop application that runs in the background, encrypting and decrypting messages as they enter and leave your computer. Available as [services.protonmail-bridge](#opt-services.protonmail-bridge.enable).
- [chromadb](https://www.trychroma.com/), an open-source AI application
database. Batteries included. Available as [services.chromadb](options.html#opt-services.chromadb.enable).
- [chromadb](https://www.trychroma.com/), an open-source AI application database with batteries included. Available as [services.chromadb](options.html#opt-services.chromadb.enable).
- [bitmagnet](https://bitmagnet.io/), A self-hosted BitTorrent indexer, DHT crawler, content classifier and torrent search engine with web UI, GraphQL API and Servarr stack integration.
Available as [services.bitmagnet](options.html#opt-services.bitmagnet.enable).
- [bitmagnet](https://bitmagnet.io/), a self-hosted BitTorrent indexer, DHT crawler, content classifier and torrent search engine with WebUI, GraphQL API and Servarr stack integration. Available as [services.bitmagnet](options.html#opt-services.bitmagnet.enable).
- [Wakapi](https://wakapi.dev/), a time tracking software for programmers. Available as [services.wakapi](#opt-services.wakapi.enable).
- [foot](https://codeberg.org/dnkl/foot), a fast, lightweight and minimalistic Wayland terminal emulator. Available as [programs.foot](#opt-programs.foot.enable).
- [ToDesk](https://www.todesk.com/linux.html), a remote desktop applicaton. Available as [services.todesk.enable](#opt-services.todesk.enable).
- [ToDesk](https://www.todesk.com/linux.html), a remote desktop application. Available as [services.todesk](#opt-services.todesk.enable).
- [Dependency Track](https://dependencytrack.org/), an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Available as [services.dependency-track](option.html#opt-services.dependency-track).
- [Dependency Track](https://dependencytrack.org/), an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Available as [services.dependency-track](option.html#opt-services.dependency-track.enable).
- [Immich](https://github.com/immich-app/immich), a self-hosted photo and video backup solution. Available as [services.immich](#opt-services.immich.enable).
- [saunafs](https://saunafs.com) Distributed POSIX file system. Available as [services.saunafs](options.html#opt-services.saunafs).
- [saunafs](https://saunafs.com), a distributed POSIX file system. Available as [services.saunafs](options.html#opt-services.saunafs.enable).
- [obs-studio](https://obsproject.com/), Free and open source software for video recording and live streaming. Available as [programs.obs-studio.enable](#opt-programs.obs-studio.enable).
- [obs-studio](https://obsproject.com/), a free and open source software for video recording and live streaming. Available as [programs.obs-studio](#opt-programs.obs-studio.enable).
- [Veilid](https://veilid.com), a headless server that enables privacy-focused data sharing and messaging on a peer-to-peer network. Available as [services.veilid](#opt-services.veilid.enable).
- [Veilid](https://veilid.com), a privacy-focused, headless server for data sharing and messaging on a peer-to-peer network. Available as [services.veilid](#opt-services.veilid.enable).
- [Fedimint](https://github.com/fedimint/fedimint), a module based system for building federated applications (Federated E-Cash Mint). Available as [services.fedimintd](#opt-services.fedimintd).
- [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](options.html#opt-services.zapret).
- [tiny-dfr](https://github.com/WhatAmISupposedToPutHere/tiny-dfr), a dynamic function row daemon for the Touch Bar found on some Apple laptops. Available as [hardware.apple.touchBar.enable](options.html#opt-hardware.apple.touchBar.enable).
- [Swapspace](https://github.com/Tookmund/Swapspace), a dynamic swap space manager that turns your unused free space into swap automatically. Available as [services.swapspace](#opt-services.swapspace.enable).
- [Zapret](https://github.com/bol-van/zapret), a DPI bypass tool. Available as [services.zapret](option.html#opt-services.zapret.enable).
## Backward Incompatibilities {#sec-release-24.11-incompatibilities}
- The `sound` options have been removed or renamed, as they had a lot of unintended side effects. See [below](#sec-release-24.11-migration-sound) for details.
- The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver.
- The NVIDIA driver no longer defaults to the proprietary kernel module with versions >= 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open modules.
- The `(buildPythonPackage { ... }).override` attribute is now deprecated and removed in favour of `overridePythonAttrs`.
This change does not affect the override interface of most Python packages, as [`<pkg>.override`](https://nixos.org/manual/nixpkgs/unstable/#sec-pkg-override) provided by `callPackage` shadows such a locally-defined `override` attribute.
@ -207,7 +206,7 @@
- All GNOME packages have been moved to top-level (i.e., `gnome.nautilus` is now `nautilus`).
- `transmission` package has been aliased with a `trace` warning to `transmission_3`. Since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0), and Transmission 3 will eventually go away, it was decided perform this warning alias to make people aware of the new version. The `services.transmission.package` defaults to `transmission_3` as well because the upgrade can cause data loss in certain specific usage patterns (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up to your data directory per your usage:
- `transmission` has been aliased with a `trace` warning to `transmission_3`, since [Transmission 4 has been released last year](https://github.com/transmission/transmission/releases/tag/4.0.0) and Transmission 3 will eventually go away -- this is meant to make people aware of the new version. `services.transmission.package` now also defaults to `transmission_3`, as the upgrade can cause data loss in some cases (examples: [#5153](https://github.com/transmission/transmission/issues/5153), [#6796](https://github.com/transmission/transmission/issues/6796)). Please make sure to back up to your data directory if you may be affected:
- `transmission-gtk`: `~/.config/transmission`
- `transmission-daemon` using NixOS module: `${config.services.transmission.home}/.config/transmission-daemon` (defaults to `/var/lib/transmission/.config/transmission-daemon`)
@ -217,11 +216,15 @@
- `unifi` has been updated to UniFi 8.
`unifi7` was removed as it is vulnerable to CVE-2024-42025 and required a version of MongoDB that has reached end of life.
- `androidenv.androidPkgs_9_0` has been removed, and replaced with `androidenv.androidPkgs` for a more complete Android SDK including support for Android 9 and later.
- `androidenv.androidPkgs_9_0` has been removed. It is replaced with `androidenv.androidPkgs` for a more complete Android SDK, including support for Android 9 and later.
- The VirtualBox demo installer appliance has been removed.
Please use the standard installer ISOs instead.
- `grafana` has been updated to version 11.1. This version doesn't support setting `http_addr` to a hostname anymore, an IP address is expected.
- `deno` has been updated to v2 which has breaking changes. Upstream will be abandoning v1 soon but for now you can use `deno_1` if you are yet to migrate (will be removed prior to cutting a final 24.11 release).
- `deno` has been updated to Deno 2, which has breaking changes.
See the [migration guide](https://docs.deno.com/runtime/reference/migration_guide/) for details.
- `gogs` has been removed. Upstream development has stalled and it has several
[critical vulnerabilities](https://github.com/gogs/gogs/issues/7777) that weren't addressed
@ -234,14 +237,16 @@
- `bluemap` has changed the format used to store map tiles, and the database layout has been heavily modified. Upstream recommends a clean reinstallation: <https://github.com/BlueMap-Minecraft/BlueMap/releases/tag/v5.2>. Unless you are using an SQL storage backend, this should only entail deleting the contents of `config.services.bluemap.coreSettings.data` (defaults to `/var/lib/bluemap`) and `config.services.bluemap.webRoot` (defaults to `/var/lib/bluemap/web`).
- `wstunnel` has had a major version upgrade that entailed rewriting the program in Rust.
The module was updated to accommodate for breaking changes.
Breaking changes to the module API were minimised as much as possible,
but some were nonetheless inevitable due to changes in the upstream CLI.
Certain options were moved from separate CLI arguments into the forward specifications,
and those options were also removed from the module's API,
please consult the wstunnel man page for more detail.
The module was updated to accommodate for breaking changes and breaking changes to the
module options were minimised as much as possible. Nonetheless, some were inevitable due
to changes in the upstream CLI. Certain options were moved from separate CLI arguments into
the forward specifications, and those options were also removed from the module's options.
Please consult the wstunnel man page for more details.
Also be aware that if you have set additional options in `services.wstunnel.{clients,servers}.<name>.extraArgs`,
that those might have been removed or modified upstream.
they may have been modified or removed upstream.
- `gnat` and `gnatPackages` now use GNAT 13 instead of GNAT 12. This matches
the default `gcc` version.
- `percona-server_8_4` and `mysql84` now have password authentication via the deprecated `mysql_native_password` disabled by default. This authentication plugin can be enabled via a CLI argument again, for detailed instructions and alternative authentication methods [see upstream documentation](https://dev.mysql.com/doc/refman/8.4/en/native-pluggable-authentication.html). The config file directive `default_authentication_plugin` has been removed.
@ -252,29 +257,29 @@
- For convenience, the top-level `clang-tools` attribute remains and is now bound to `llvmPackages.clang-tools`.
- Top-level `clang_tools_<version>` attributes are now aliases; these will be removed in a future release.
- `buildbot` was updated to 4.0, the AngularJS frontend has been replaced by a React frontend, see the [upstream release notes](https://docs.buildbot.net/current/manual/upgrading/4.0-upgrade.html).
- `buildbot` was updated to 4.0 and the AngularJS frontend replaced by a React frontend. See the [upstream release notes](https://docs.buildbot.net/current/manual/upgrading/4.0-upgrade.html).
- `headscale` has been updated to version 0.23.0 which reworked large parts of the configuration including DNS, Magic DNS prefixes and ACL policy files. See the [upstream changelog](https://github.com/juanfont/headscale/releases/tag/v0.23.0) for details.
- `headscale` has been updated to version 0.23.0 which reworked large parts of the configuration, including DNS, Magic DNS prefixes and ACL policy files. See the [upstream changelog](https://github.com/juanfont/headscale/releases/tag/v0.23.0) for details.
- `nginx` package no longer includes `gd` and `geoip` dependencies. For enabling it, override `nginx` package with the optionals `withImageFilter` and `withGeoIP`.
- `nginx` package no longer includes the `gd` and `geoip` dependencies. To re-enable them, override `nginx` with the options `withImageFilter = true;` and `withGeoIP = true;`.
- `systemd.enableUnifiedCgroupHierarchy` option has been removed.
In systemd 256 support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd by default will refuse to boot under it.
To forcibly reenable cgroup v1 support, you can `set boot.kernelParams = [ "systemd.unified_cgroup_hierachy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]`.
NixOS does not officially support this configuration and might cause your system to be unbootable in future versions. You are on your own.
- `systemd.enableUnifiedCgroupHierarchy` has been removed.
In systemd 256, support for cgroup v1 ('legacy' and 'hybrid' hierarchies) is now considered obsolete and systemd will refuse to boot under it by default.
To forcibly re-enable cgroup v1 support, you can set `boot.kernelParams = [ "systemd.unified_cgroup_hierarchy=0" "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1" ]`.
This is not an officially supported configuration and might cause your system to become unbootable in future versions. You are on your own.
- `nrfutil` which previously pointed to the now-deprecated `pc-nrfutil` python package, has been repackaged under the same name with the new nrfutil tool.
- `nrfutil` -- which previously pointed to the now-deprecated `pc-nrfutil` Python package -- has been repackaged under the same name with the new nrfutil tool.
- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can
use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`).
- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components. Users needing this support can
use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` package flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`).
- `security.ipa.ipaHostname` now defaults to the value of `networking.fqdn` if
it is set, instead of the previous hardcoded default of
`${networking.hostName}.${security.ipa.domain}`.
- The `MSMTP_QUEUE` and `MSMTP_LOG` environment variables accepted by `msmtpq` have now been renamed to `MSMTPQ_Q` and `MSMTPQ_LOG` respectively.
- The `MSMTP_QUEUE` and `MSMTP_LOG` environment variables accepted by `msmtpq` have been renamed to `MSMTPQ_Q` and `MSMTPQ_LOG` respectively.
- The logrotate service has received hardening and now requires enabling `allowNetworking`, if logrotate needs to access the network.
- The logrotate service has been hardened and now requires enabling `allowNetworking` if network access is required.
- `mautrix-whatsapp` has been updated to version 0.11.0, which is a major rewrite of the bridge. Config file changes are required.
@ -291,8 +296,12 @@
Processes also now run as a dynamically allocated user by default instead of
root.
- The `mautrix-signal` module was adapted to incorporate the configuration rearrangement that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work.
In case you want to update your configuration make sure to check the NixOS manual.
- The `mautrix-signal` module was adapted to incorporate the configuration changes that resulted from the update to the mautrix bridgev2 architecture. Pre-0.7.0 configurations should continue to work.
In case you want to update your configuration, make sure to check the NixOS manual.
- The nvidia driver no longer defaults to the proprietary driver starting with version 560. You will need to manually set `hardware.nvidia.open` to select the proprietary or open driver.
- `postgresql` no longer accepts the `enableSystemd` override. Use `systemdSupport` instead.
- The dhcpcd service (`networking.useDHCP`) has been hardened and now runs exclusively as the "dhcpcd" user.
Users that were relying on the root privileges in `networking.dhcpcd.runHook` will have to write specific [sudo](security.sudo.extraRules) or [polkit](security.polkit.extraConfig) rules to allow dhcpcd to perform privileged actions.
@ -301,15 +310,15 @@
- `singularity-tools` have the `storeDir` argument removed from its override interface and use `builtins.storeDir` instead.
- Two build helpers in `singularity-tools`, i.e., `mkLayer` and `shellScript`, are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases.
- The `mkLayer` and `shellScript` build helpers in `singularity-tools` are deprecated, as they are no longer involved in image-building. Maintainers will remove them in future releases.
- The `rust.toTargetArch`, `rust.toTargetOs`, `rust.toTargetFamily`, `rust.toTargetVendor`, `rust.toRustTarget`, `rust.toRustTargetSpec`, `rust.toRustTargetSpecShort`, and `rust.IsNoStdTarget` functions are deprecated in favour of the `rust.platform.arch`, `rust.platform.os`, `rust.platform.target-family`, `rust.platform.vendor`, `rust.rustcTarget`, `rust.rustcTargetSpec`, `rust.cargoShortTarget`, `rust.cargoEnvVarTarget`, and `rust.isNoStdTarget` platform attributes respectively.
- The `budgie` and `budgiePlugins` scope have been removed and their packages
moved into the top level scope (i.e., `budgie.budgie-desktop` is now
`budgie-desktop`)
- All Budgie and `budgiePlugins` packages have been moved to top-level (i.e.,
`budgie.budgie-desktop` is now `budgie-desktop` and `budgiePlugins.budgie-media-player-applet`
is now `budgie-media-player-applet`).
- The method to safely handle secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of wpa_supplicant.
- The method of safely handling secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of `wpa_supplicant`.
The syntax to refer to secrets has changed slightly and the option `networking.wireless.environmentFile` has been replaced by `networking.wireless.secretsFile`; see the description of the latter for how to upgrade.
- NetBox was updated to `>= 4.1.0`.
@ -324,35 +333,58 @@
This change requires granting access to the repositories to this user or
setting the appropriate one through `services.cgit.some-instance.user`.
- All Oracle JDKs and JREs (`oraclejdk`, `oraclejdk8`, `oraclejre`, `oraclejre8`,
`jrePlugin`, `jre8Plugin`, `jdkdistro`, `oraclejdk8distro`, and `oraclejdk11`)
were dropped due to being unmaintained and heavily insecure. OpenJDK provides
compatible replacements for JDKs and JREs.
- `gradle_6` was removed due to being [unsupported upstream as of 10 Feb 2023](https://endoflife.date/gradle).
Additionally, it had numerous security vulnerabilities that were only patched
in later versions, such as [CVE-2021-29429](https://nvd.nist.gov/vuln/detail/CVE-2021-32751),
[CVE-2021-29427](https://nvd.nist.gov/vuln/detail/CVE-2021-29427), [CVE-2021-29428](https://nvd.nist.gov/vuln/detail/CVE-2021-29428), and [CVE-2021-32751](https://nvd.nist.gov/vuln/detail/CVE-2021-32751).
- `nvimpager` was updated to version 0.13.0, which changes the order of user and
nvimpager settings: user commands in `-c` and `--cmd` now override the
respective default settings because they are executed later.
- `javacard-devkit` was dropped due to having a dependency on the Oracle JDK,
as well as being several years out-of-date.
- Kubernetes `featureGates` have changed from a `listOf str` to `attrsOf bool`.
This refactor makes it possible to also disable feature gates, without having
to use `extraOpts` flags.
A previous configuration may have looked like this:
```nix
featureGates = [ "EphemeralContainers" ];
extraOpts = pkgs.lib.concatStringsSep " " (
[
''--feature-gates="CSIMigration=false"''
});
{
featureGates = [ "EphemeralContainers" ];
extraOpts = pkgs.lib.concatStringsSep " " (
[
''--feature-gates="CSIMigration=false"''
]
);
}
```
Using an AttrSet instead, the new configuration would be:
Using an attribute set instead, the new configuration would be:
```nix
featureGates = {EphemeralContainers = true; CSIMigration=false;};
{
featureGates = {
EphemeralContainers = true;
CSIMigration=false;
};
}
```
- `pkgs.nextcloud27` has been removed since it's EOL.
- `pkgs.nextcloud27` has been removed as it has reached EOL.
- The `environment.noXlibs` option has been removed. It was a common source of unexpected rebuilds and breakage that was often hard to diagnose.
If you need to disable certain libraries, you're encouraged to add your own overlay to your configuration that targets the packages you care about.
- `frigate` was updated past 0.14.0. This release includes various breaking changes, so please go read the [release notes](https://github.com/blakeblackshear/frigate/releases/tag/v0.14.0).
Most prominently access to the webinterface and API are now protected by authentication. Retrieve the auto-created
- `frigate` was updated past 0.14.0. This release includes various breaking changes, so please review the [release notes](https://github.com/blakeblackshear/frigate/releases/tag/v0.14.0).
Most prominently, access to the web interface and API are now protected by authentication. Retrieve the auto-created
admin account from the `frigate.service` journal after upgrading.
- `nodePackages.coc-python` was dropped, as [its upstream is unmaintained](https://github.com/neoclide/coc-python). The associated `vimPlugins.coc-python` was also dropped.
@ -372,7 +404,10 @@
- `services.ddclient.use` has been deprecated: `ddclient` now supports separate IPv4 and IPv6 configuration. Use `services.ddclient.usev4` and `services.ddclient.usev6` instead.
- `services.pgbouncer` systemd service is configured with `Type=notify-reload` and allows reloading configuration without process restart. PgBouncer configuration options were moved to the free-form type option named [`services.pgbouncer.settings`](#opt-services.pgbouncer.settings) according to the NixOS RFC 0042.
- `services.pgbouncer` systemd service is now configured with `Type=notify-reload` and allows reloading configuration without process restart. PgBouncer configuration options were moved to the freeform type option under [`services.pgbouncer.settings`](#opt-services.pgbouncer.settings).
- Docear was removed because it was unmaintained upstream.
JabRef, Zotero, or Mendeley are potential replacements.
- `nodePackages.coc-metals` was removed due to being deprecated upstream.
`vimPlugins.nvim-metals` is its official replacement.
@ -390,23 +425,23 @@
Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/)
and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324).
- `tests.overriding` has its `passthru.tests` restructured as an attribute set instead of a list, making individual tests accessible by their names.
- `tests.overriding`'s `passthru.tests` has been restructured as an attribute set instead of a list, making individual tests accessible by their names.
- Package `skk-dict` was split into multiple packages under `skkDictionaries`.
If in doubt, try `skkDictionaries.l`. As part of this change, the dictionaries
were moved from `$out/share` to `$out/share/skk`. Also, the dictionaries won't
be converted to UTF-8 unless the `useUtf8` package option is enabled. UTF-8
- `skk-dict` was split into multiple packages under `skkDictionaries`.
If in doubt of what to use, try `skkDictionaries.l`. As part of this change, the dictionaries
were moved from `$out/share` to `$out/share/skk`. The dictionaries also won't
be converted to UTF-8 unless the `useUtf8` package option is enabled; UTF-8
converted dictionaries will have the .utf8 suffix appended to its filename.
- `vaultwarden` lost the capability to bind to privileged ports. If you rely on
this behavior, override the systemd unit to allow `CAP_NET_BIND_SERVICE` in
your local configuration.
your configuration.
- The Invoiceplane module now only accepts the structured `settings` option.
`extraConfig` is now removed.
- `services.invoiceplane.sites.<name>.extraConfig` was removed. Configuration must now be done
through the structured `services.invoiceplane.sites.<name>.settings` option.
- The `ollama` services replaces its `sandbox` toggle with options to configure
a static `user` and `group`. The `writablePaths` option has been removed and
- `services.ollama.sandbox` has been replaced with options to configure
a static `user` and `group`. The `writablePaths` option has also been removed and
the models directory is now always exempt from sandboxing.
- The `gns3-server` service now runs under the `gns3` system user
@ -423,13 +458,15 @@
before changing the package to `pkgs.stalwart-mail` in
[`services.stalwart-mail.package`](#opt-services.stalwart-mail.package).
- The `nomad_1_5` package was dropped, as [it has reached end-of-life upstream](https://support.hashicorp.com/hc/en-us/articles/360021185113-Support-Period-and-End-of-Life-EOL-Policy). Evaluating it will throw an error.
- `nomad_1_5` and `nomad_1_6` were dropped, as [they have reached end-of-life upstream](https://support.hashicorp.com/hc/en-us/articles/360021185113-Support-Period-and-End-of-Life-EOL-Policy). Evaluating them will throw an error.
- The default `nomad` package has been updated to 1.8.x. For more information, see [breaking changes for Nomad 1.8](https://developer.hashicorp.com/nomad/docs/upgrade/upgrade-specific#nomad-1-8-0)
- `androidndkPkgs` has been updated to `androidndkPkgs_26`.
- Android NDK version 26 and SDK version 33 are now the default versions used for cross compilation to android.
- the `ankisyncd` package and its `services.ankisyncd` have been removed, use [`services.anki-sync-server`](#opt-services.anki-sync-server.enable) instead.
- `ankisyncd` package and its `services.ankisyncd` have been removed. Use [`services.anki-sync-server`](#opt-services.anki-sync-server.enable) instead.
- `nodePackages.vscode-css-languageserver-bin`, `nodePackages.vscode-html-languageserver-bin`,
and `nodePackages.vscode-json-languageserver-bin` were dropped due to an unmaintained upstream.
@ -438,35 +475,35 @@
- `nodePackages.prisma` has been replaced by `prisma`.
- `fetchNextcloudApp` has been rewritten to use `fetchurl` rather than
`fetchzip`. This invalidates all existing hashes but you can restore the old
`fetchzip`. This invalidates all existing hashes, but you can restore the old
behavior by passing it `unpack = true`.
- `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in the
output by default, to alert users to closure size issues caused by
- `haskell.lib.compose.justStaticExecutables` now disallows references to GHC in its
output by default to alert users to closure size issues caused by
[#164630](https://github.com/NixOS/nixpkgs/issues/164630). See ["Packaging
Helpers" in the Haskell section of the Nixpkgs
manual](https://nixos.org/manual/nixpkgs/unstable/#haskell-packaging-helpers)
for information on working around `output '...' is not allowed to refer to
the following paths` errors caused by this change.
- The `stalwart-mail` service now runs under the `stalwart-mail` system user
instead of a dynamically created one via `DynamicUser`, to avoid automatic
ownership changes on its large file store each time the service was started.
- `services.stalwart-mail` now runs under the `stalwart-mail` system user
instead of a dynamic one via `DynamicUser` in order to avoid automatic
ownership changes on its large file store on service restart.
This change requires to manually move the state directory from
`/var/lib/private/stalwart-mail` to `/var/lib/stalwart-mail` and to
`/var/lib/private/stalwart-mail` to `/var/lib/stalwart-mail`, and to
change the ownership of the directory and its content to `stalwart-mail`.
- The `stalwart-mail` module now uses RocksDB as the default storage backend
for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured
data and the filesystem for blobs).
- `services.stalwart-mail` now uses RocksDB as the default storage backend
for `stateVersion` ≥ 24.11. It was previously using SQLite for structured
data and the filesystem for blobs.
- The `stargazer` service has been hardened to improve security, but these
- `services.stargazer` has been hardened to improve security, but these
changes make break certain setups, particularly around traditional CGI.
- The `stargazer.allowCgiUser` option has been added, enabling
- `services.stargazer.allowCgiUser` has been added, enabling
Stargazer's `cgi-user` option to work, which was previously broken.
- The `shiori` service now requires an HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided via environment variable. The nixos module therefore, now provides an environmentFile option:
- `services.shiori` now requires the HTTP secret value `SHIORI_HTTP_SECRET_KEY` to be provided as an environment variable. `services.shiori.environmentFile` has been introduced to handle this:
```
# This is how a environment file can be generated:
@ -476,29 +513,32 @@
- `/share/nano` is now only linked when `programs.nano.enable` is enabled.
- PPD files for Utax printers got renamed (spaces replaced by underscores) in newest `foomatic-db` package; users of Utax printers might need to adapt their `hardware.printers.ensurePrinters.*.model` value.
- PPD files for Utax printers were renamed (spaces replaced by underscores) in the newest `foomatic-db` package. Users of Utax printers might need to adapt their `hardware.printers.ensurePrinters.*.model` value to account for this.
- The `kvdo` kernel module package was removed, because it was upstreamed in kernel version 6.9, where it is called `dm-vdo`.
- `sqldeveloper` was dropped due to being severely out-of-date and having a dependency on
JavaFX for Java 8, which we do not support.
- The `kvdo` kernel module package was removed as it was upstreamed in kernel version 6.9, where it is now called `dm-vdo`.
- `libe57format` has been updated to `>= 3.0.0`, which contains some backward-incompatible API changes. See the [release note](https://github.com/asmaloney/libE57Format/releases/tag/v3.0.0) for more details.
- `gitlab` deprecated support for *runner registration tokens* in GitLab 16.0, disabled their support in GitLab 17.0 and will
ultimately remove it in GitLab 18.0, as outlined in the
[documentation](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes).
ultimately remove it in GitLab 18.0 (as outlined in the
[documentation](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#estimated-time-frame-for-planned-changes)).
After upgrading to GitLab >= 17.0, it is possible to re-enable support for registration tokens in the UI until GitLab 18.0.
Refer to the manual on [using registration tokens after GitLab 17.0](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170).
GitLab administrators should migrate to the [new runner registration workflow](https://docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow.html#using-registration-tokens-after-gitlab-170)
with *runner authentication tokens* until the release of GitLab 18.0.
- `gitlab` has been updated from 16.x to 17.x and requires at least `postgresql` 14.9, as stated in the [documentation](https://docs.gitlab.com/17.1/ee/install/requirements.html#postgresql-requirements). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation.
- `gitlab` has been updated from 16.x to 17.x and requires `postgresql` >= 14.9, as stated in the [documentation](https://docs.gitlab.com/17.1/ee/install/requirements.html#postgresql-requirements). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation.
- `gitaly` (part of `gitlab`) is now using the bundled `git` package instead of `pkgs.git` to maintain compatibility with GitLab.
- `gitaly` (part of `gitlab`) is now using the bundled `git` package instead of `pkgs.git`, to maintain compatibility with GitLab.
- `nixos/gitlab` no longer adds `pkgs.git` to `environment.systemPackages` by default.
- The `replay-sorcery` package and module was removed as it unmaintained upstream. Consider using `gpu-screen-recorder` or `obs-studio` instead.
- To follow [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) a few options of `samba` have been moved from `extraConfig` and `configText` to the new freeform option `settings` and renamed, e.g.:
- A few options of `services.samba` have been moved from `extraConfig` and `configText` to the new freeform option `settings` and renamed, e.g.:
- `services.samba.invalidUsers` to `services.samba.settings.global."invalid users"`
- `services.samba.securityType` to `services.samba.settings.global."security type"`
- `services.samba.shares` to `services.samba.settings`
@ -508,10 +548,10 @@
- `zx` was updated to v8, which introduces several breaking changes.
See the [v8 changelog](https://github.com/google/zx/releases/tag/8.0.0) for more information.
- `feishin` removed support for Navidrome `< v0.53.2` due to an API change; more information in the [v0.10.0 release notes](https://github.com/jeffvli/feishin/releases/tag/v0.10.0).
- `feishin` removed support for Navidrome `< v0.53.2` due to an API change. See the [v0.10.0 release notes](https://github.com/jeffvli/feishin/releases/tag/v0.10.0) for more information.
- The `dnscrypt-wrapper` module was removed since the project has been effectively unmaintained since 2018; moreover the NixOS module had to rely on an abandoned version of dnscrypt-proxy v1 for the rotation of keys.
To wrap a resolver with DNSCrypt you can instead use `dnsdist`. See options `services.dnsdist.dnscrypt.*`
- `services.dnscrypt-wrapper` was removed, as the project has been effectively unmaintained since 2018. Moreover, the NixOS module had to rely on an abandoned version of `dnscrypt-proxy` v1 for the rotation of keys.
To wrap a resolver with DNSCrypt, you can instead use `dnsdist`. See `services.dnsdist.dnscrypt`
- The `portunus` package and service do not support weak password hashes anymore.
If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing.
@ -526,7 +566,7 @@
Explicitly set `kubelet.hostname` to `networking.fqdnOrHostName` to get back
the old default behavior.
- Docker now defaults to 27.x, because version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084).
- Docker now defaults to 27.x, as version 24.x stopped receiving security updates and bug fixes after [February 1, 2024](https://github.com/moby/moby/pull/46772#discussion_r1686464084).
- `postgresql` was split into default and -dev outputs. To make this work without circular dependencies, the output of the `pg_config` system view has been removed. The `pg_config` binary is provided in the -dev output and still works as expected.
@ -541,42 +581,62 @@
The `shout` top-level attribute was an alias to this package.
The associated `services.shout` module has also been removed.
- `prometheus-openldap-exporter` was removed, as it was unmaintained both upstream and in nixpkgs.
- The `indi-full` package no longer contains non-free drivers.
To get the old collection of drivers use `indi-full-nonfree` or create your own collection of drivers by overriding indi-with-drivers.
E.g.: `pkgs.indi-with-drivers.override {extraDrivers = with pkgs.indi-3rdparty; [indi-gphoto];}`
- `/share/vim-plugins` now only gets linked if `programs.vim.enable` is enabled
- The `services.guix` module now manages trusted substitute servers
declaratively. Instead of `guix archive --authorize`, list keys with
`services.guix.substituters.authorizedKeys`. Default substitute servers can be
set via `services.guix.substituters.urls`.
- The `tracy` package no longer works on X11, since it's moved to Wayland
support, which is the intended default behavior by Tracy maintainers.
X11 users have to switch to the new package `tracy-x11`.
- The `services.prometheus.exporters.minio` option has been removed, as it's upstream implementation was broken and unmaintained.
- `gollum` has been upgraded to major version 6. Please review their [migration notes](https://github.com/gollum/gollum/wiki/6.0-Release-Notes).
- `services.prometheus.exporters.minio` option has been removed, as it's upstream implementation was broken and unmaintained.
Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead.
- The `services.patroni.raft` option has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300)
- The `services.prometheus.exporters.tor` option has been removed, as its upstream implementation was broken and unmaintained.
- `services.patroni.raft` has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300).
- The `jd-cli` package was removed due to an inactive upstream and a dependency on the shut down
JCenter JAR repository.
Java decompilers already packaged in Nixpkgs include `bytecode-viewer` (GUI), `cfr` (CLI), and `procyon` (CLI).
- The `jd-gui` package was removed due to an inactive upstream and a dependency on the end-of-life Gradle 6.
Java decompilers already packaged in Nixpkgs include `bytecode-viewer` (GUI), `cfr` (CLI), and `procyon` (CLI).
- `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments.
- The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer.
Consequently the package `pkgs.ma1sd` has also been removed.
- `services.mxisd` has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are no longer maintained.
Consequently, the package `ma1sd` has also been removed.
- The `rss-bridge` service drops the support to load a configuration file from `${config.services.rss-bridge.dataDir}/config.ini.php`.
Consider using the `services.rss-bridge.config` option instead.
- The `xdg.portal.gtkUsePortal` option has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`.
- `mikutter` has been removed, as the package was broken and had no maintainers in nixpkgs.
- `xdg.portal.gtkUsePortal` has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`.
- Support for the legacy CUPS browsing and LDAP have been removed from `services.printing`. If `cups` or `ldap` are in the `BrowseRemoteProtocols` setting in `services.printing.browsedConf`, it needs to be removed.
- The `services.trust-dns` module has been renamed to `services.hickory-dns`.
- `services.trust-dns` has been renamed to `services.hickory-dns`.
- The option `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since
- `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since
it leaked the connection string (and thus potentially the DB password) into the cmdline
of process making it effectively world-readable.
Use [`services.prometheus.exporters.pgbouncer.connectionEnvFile`](#opt-services.prometheus.exporters.pgbouncer.connectionEnvFile) instead.
- The `lsh` package and the `services.lshd` module have been removed as they had no maintainer in Nixpkgs and hadnt seen an upstream release in over a decade. It is recommended to migrate to `openssh` and `services.openssh`.
- `lsh` and `services.lshd` have been removed as they had no maintainer in Nixpkgs and no upstream release in over a decade. It is recommended to migrate to `openssh` and `services.openssh`.
- `ceph` has been upgraded to v19. See the [Ceph "squid" release notes](https://docs.ceph.com/en/latest/releases/squid/#v19-2-0-squid) for details and recommended upgrade procedure.
@ -590,30 +650,29 @@
were not used by any other package. External users are encouraged to
migrate to OpenCV 4.
- The `tvheadend` package and the `services.tvheadend` module have been
removed as nobody was willing to maintain them and they were stuck on
an unmaintained version that required FFmpeg 4; please see [pull
- `tvheadend` package and the `services.tvheadend` module have been
removed due to lack of maintenance in Nixpkgs and being stuck on
an unmaintained version that required FFmpeg 4. Please see the related [pull
request #332259](https://github.com/NixOS/nixpkgs/pull/332259) if you
are interested in maintaining a newer version.
- The `antennas` package and the `services.antennas` module have been
removed as they only work with `tvheadend` (see above).
- `antennas` and `services.antennas` have been removed as they only work with `tvheadend` (see above).
- The `system.build.brightboxImage` image has been removed as It did not build anymore and has not seen any maintenance in over 7 years (excluding tree-wide changes).
- `system.build.brightboxImage` has been removed as it no longer built and has not seen any maintenance in over 7 years (excluding tree-wide changes).
- The `services.syncplay` module now exposes all currently available command-line arguments for `syncplay-server` as options, as well as a `useACMEHost` option for easy TLS setup.
- `services.syncplay` now exposes all currently available command-line arguments for `syncplay-server` as options, as well as a `useACMEHost` option for easy TLS setup.
The systemd service now uses `DynamicUser`/`StateDirectory` and the `user` and `group` options have been deprecated.
- The `openlens` package got removed, suggested replacement `lens-desktop`
- `openlens` was removed. It is recommended to use `lens-desktop` instead.
- The `services.dnsmasq.extraConfig` option has been removed, as it had been deprecated for over 2 years. This option has been replaced by `services.dnsmasq.settings`.
- `services.dnsmasq.extraConfig` has been removed, as it had been deprecated for over 2 years. This option has been replaced by `services.dnsmasq.settings`.
- The NixOS installation media no longer support the ReiserFS or JFS file systems by default.
- Minimal installer ISOs are no longer built on the small channel.
Please obtain installer images from the full release channels.
- The default FFmpeg version is now 7, and FFmpeg 5 has been removed.
- The default FFmpeg version is now 7.1, and FFmpeg 5 has been removed.
Please prefer using the package variants without a version suffix,
or pin FFmpeg 6 or 4 if necessary for compatibility.
Note that we keep old versions around only as required
@ -623,23 +682,32 @@
- `openssl` now defaults to the latest version line `3.3.x`, instead of `3.0.x` before. While there should be no major code incompatibilities, newer OpenSSL versions typically strengthen the default security level. This means that you may have to explicitly allow weak ciphers, hashes and key lengths if necessary. See: [OpenSSL security level documentation](https://docs.openssl.org/3.3/man3/SSL_CTX_set_security_level/).
- The `isync` package has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details.
- `isync` has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details.
- Legacy package `globalprotect-openconnect` 1.x and related module
`globalprotect-vpn` were dropped. Two new packages `gpauth` and `gpclient`
from the 2.x version of the GlobalProtect-openconnect project are added in its
`services.globalprotect` were dropped. Two new packages -- `gpauth` and `gpclient`
from the 2.x version of the GlobalProtect-openconnect project -- are added in its
place. The GUI components related to the project are non-free and not
packaged.
- Compatible string matching for `hardware.deviceTree.overlays` has been changed to a more correct behavior. See [below](#sec-release-24.11-migration-dto-compatible) for details.
- The `rustic` package was upgrade to `0.9.0`, which contains [breaking changes to the config file format](https://github.com/rustic-rs/rustic/releases/tag/v0.9.0).
- `rustic` was upgraded to `0.9.0`, which contains [breaking changes to the config file format](https://github.com/rustic-rs/rustic/releases/tag/v0.9.0).
- `pkgs.formats.ini` and `pkgs.formats.iniWithGlobalSection` with
`listsAsDuplicateKeys` or `listToValue` no longer merge non-list values into
lists by default. Backwards-compatible behavior can be enabled with
`atomsCoercedToLists`.
- Atlassian Server products have been removed, as support for the Atlassian Server
products ended in February 2024 and there was insufficient interest in
maintaining the Atlassian Data Center replacements:
- The `atlassian-bamboo` package
- The `atlassian-confluence` package and its `services.confluence` NixOS module
- The `atlassian-crowd` package and its `services.crowd` NixOS module
- The `atlassian-jira` package and its `services.jira` NixOS module
- `python3Packages.nose` has been removed, as it has been deprecated and unmaintained for almost a decade and does not work on Python 3.12.
Please switch to `pytest` or another test runner/framework.
@ -676,6 +744,8 @@
- `lib.misc.mapAttrsFlatten` is now formally deprecated and will be removed in future releases; use the identical [`lib.attrsets.mapAttrsToList`](https://nixos.org/manual/nixpkgs/unstable#function-library-lib.attrsets.mapAttrsToList) instead.
- `virtualisation.docker.liveRestore` has been renamed to `virtualisation.docker.daemon.settings."live-restore"` and turned off by default for state versions of at least 24.11.
- Tailscale's `authKeyFile` can now have its corresponding parameters set through `config.services.tailscale.authKeyParameters`, allowing for non-ephemeral unsupervised deployment and more.
See [Registering new nodes using OAuth credentials](https://tailscale.com/kb/1215/oauth-clients#registering-new-nodes-using-oauth-credentials) for the supported options.
@ -707,9 +777,9 @@
The derivation now installs "impl" headers selectively instead of by a wildcard.
Use `imgui.src` if you just want to access the unpacked sources.
- The new `boot.loader.systemd-boot.windows` option makes setting up dual-booting with Windows on a different drive easier
- The new `boot.loader.systemd-boot.windows` option makes setting up dual-booting with Windows on a different drive easier.
- Linux 4.19 has been removed because it will reach its end of life within the lifespan of 24.11
- Linux 4.19 has been removed because it will reach its end of life within the lifespan of 24.11.
- Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep an
unrestricted access to it can set `boot.kernel.sysctl."kernel.dmesg_restrict" = false`.
@ -717,12 +787,11 @@
- The `i18n.inputMethod` module introduces two new properties:
`enable` and `type`, for declaring whether to enable an alternative input method and defining which input method respectfully. The options available in `type` are the same as the existing `enabled` option. `enabled` is now deprecated, and will be removed in a future release.
- `security.pam.u2f` now follows RFC42.
All module options are now settable through the freeform `.settings`.
- `security.pam.u2f` now uses freeform options; all module options are now configurable through `security.pam.u2f.settings`.
- Mikutter was removed because the package was broken and had no maintainers.
- `mikutter` was removed as the package was broken and had no maintainers.
- The new option `services.getty.autologinOnce` was added to limit the automatic login to once per boot and on the first tty only.
- `services.getty.autologinOnce` was added to limit the automatic login to once per boot and on the first tty only.
When using full disk encryption, this option allows to unlock the system without retyping the passphrase while keeping the other ttys protected.
- Gollum was upgraded to major version 6. Read their [migration notes](https://github.com/gollum/gollum/wiki/6.0-Release-Notes).
@ -733,18 +802,16 @@
- `services.timesyncd.fallbackServers` was added and defaults to `networking.timeServers`.
- Cinnamon has been updated to 6.2, please check [upstream announcement](https://www.linuxmint.com/rel_wilma_whatsnew.php) for more details.
Following Mint 22 defaults, the Cinnamon module no longer ships geary and hexchat by default.
- Cinnamon has been updated to 6.2. Please check [upstream announcement](https://www.linuxmint.com/rel_wilma_whatsnew.php) for more details.
Following Mint 22 defaults, the Cinnamon module no longer ships `geary` and `hexchat` by default.
- `zfs.latestCompatibleLinuxPackages` is deprecated and is now pointing at the default kernel. If using the stable LTS kernel (default `linuxPackages` is not possible then you must explicitly pin a specific kernel release. For example, `boot.kernelPackages = pkgs.linuxPackages_6_6`. Please be aware that non-LTS kernels are likely to go EOL before ZFS supports the latest supported non-LTS release, requiring manual intervention.
- The `shadowstack` hardening flag has been added, though disabled by default.
- `xxd` is now provided by the `tinyxxd` package, rather than `vim.xxd`, to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim's `xxd` utility, there is no user impact. Vim's `xxd` remains available as the `vim.xxd` package.
- `xxd` is now provided by the `tinyxxd` package rather than `vim.xxd` to reduce closure size and vulnerability impact. Since it has the same options and semantics as Vim's `xxd` utility, there is no user impact. Vim's `xxd` remains available as the `vim.xxd` package.
- `prometheus-openldap-exporter` was removed since it was unmaintained upstream and had no nixpkgs maintainers.
- `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).
- `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep). Available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).
- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.
@ -767,6 +834,11 @@
- `iproute2` now has libbpf support.
- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that.
If you use extensions that are not packaged in nixpkgs, please review whether it still works
with the current settings and adjust accordingly if needed.
- `nix.channel.enable = false` no longer implies `nix.settings.nix-path = []`.
Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overridden by the `NIX_PATH` configuration variable.
@ -780,7 +852,7 @@
- `qgis` and `qgis-ltr` are now built without `grass` by default. `grass` support can be enabled with `qgis.override { withGrass = true; }`.
## Detailed migration information {#sec-release-24.11-migration}
## Detailed Migration Information {#sec-release-24.11-migration}
### `sound` options removal {#sec-release-24.11-migration-sound}

5
third_party/nixpkgs/nixos/lib/systemd-lib.nix vendored
View file

@ -99,8 +99,9 @@ in rec {
l = reverseList (stringToCharacters s);
suffix = head l;
nums = tail l;
in elem suffix (["K" "M" "G" "T"] ++ digits)
&& all (num: elem num digits) nums;
in builtins.isInt s
|| (elem suffix (["K" "M" "G" "T"] ++ digits)
&& all (num: elem num digits) nums);
assertByteFormat = name: group: attr:
optional (attr ? ${name} && ! isByteFormat attr.${name})

25
third_party/nixpkgs/nixos/modules/config/users-groups.nix vendored
View file

@ -6,6 +6,7 @@ let
attrNames
attrValues
concatMap
concatMapStringsSep
concatStrings
elem
filter
@ -13,6 +14,7 @@ let
flatten
flip
foldr
generators
getAttr
hasAttr
id
@ -944,16 +946,18 @@ in {
warnings =
flip concatMap (attrValues cfg.users) (user: let
unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([
user.hashedPassword
user.hashedPasswordFile
user.password
passwordOptions = [
"hashedPassword"
"hashedPasswordFile"
"password"
] ++ optionals cfg.mutableUsers [
# For immutable users, initialHashedPassword is set to hashedPassword,
# so using these options would always trigger the assertion.
user.initialHashedPassword
user.initialPassword
]));
"initialHashedPassword"
"initialPassword"
];
unambiguousPasswordConfiguration = 1 >= length
(filter (x: x != null) (map (flip getAttr user) passwordOptions));
in optional (!unambiguousPasswordConfiguration) ''
The user '${user.name}' has multiple of the options
`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`
@ -961,6 +965,13 @@ in {
The options silently discard others by the order of precedence
given above which can lead to surprising results. To resolve this warning,
set at most one of the options above to a non-`null` value.
The values of these options are:
${concatMapStringsSep
"\n"
(value:
"* users.users.\"${user.name}\".${value}: ${generators.toPretty {} user.${value}}")
passwordOptions}
'')
++ filter (x: x != null) (
flip mapAttrsToList cfg.users (_: user:

2
third_party/nixpkgs/nixos/modules/config/xdg/autostart.nix vendored
View file

@ -10,7 +10,7 @@
default = true;
description = ''
Whether to install files to support the
[XDG Autostart specification](https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html).
[XDG Autostart specification](https://specifications.freedesktop.org/autostart-spec/latest).
'';
};
};

2
third_party/nixpkgs/nixos/modules/config/xdg/icons.nix vendored
View file

@ -10,7 +10,7 @@
default = true;
description = ''
Whether to install files to support the
[XDG Icon Theme specification](https://specifications.freedesktop.org/icon-theme-spec/icon-theme-spec-latest.html).
[XDG Icon Theme specification](https://specifications.freedesktop.org/icon-theme-spec/latest).
'';
};
xdg.icons.fallbackCursorThemes = lib.mkOption {

2
third_party/nixpkgs/nixos/modules/config/xdg/menus.nix vendored
View file

@ -10,7 +10,7 @@
default = true;
description = ''
Whether to install files to support the
[XDG Desktop Menu specification](https://specifications.freedesktop.org/menu-spec/menu-spec-latest.html).
[XDG Desktop Menu specification](https://specifications.freedesktop.org/menu-spec/latest).
'';
};
};

10
third_party/nixpkgs/nixos/modules/config/xdg/mime.nix vendored
View file

@ -17,8 +17,8 @@ in
default = true;
description = ''
Whether to install files to support the
[XDG Shared MIME-info specification](https://specifications.freedesktop.org/shared-mime-info-spec/shared-mime-info-spec-latest.html) and the
[XDG MIME Applications specification](https://specifications.freedesktop.org/mime-apps-spec/mime-apps-spec-latest.html).
[XDG Shared MIME-info specification](https://specifications.freedesktop.org/shared-mime-info-spec/latest) and the
[XDG MIME Applications specification](https://specifications.freedesktop.org/mime-apps-spec/latest).
'';
};
@ -32,7 +32,7 @@ in
description = ''
Adds associations between mimetypes and applications. See the
[
specifications](https://specifications.freedesktop.org/mime-apps-spec/mime-apps-spec-latest.html#associations) for more information.
specifications](https://specifications.freedesktop.org/mime-apps-spec/latest/associations) for more information.
'';
};
@ -46,7 +46,7 @@ in
description = ''
Sets the default applications for given mimetypes. See the
[
specifications](https://specifications.freedesktop.org/mime-apps-spec/mime-apps-spec-latest.html#default) for more information.
specifications](https://specifications.freedesktop.org/mime-apps-spec/latest/default) for more information.
'';
};
@ -60,7 +60,7 @@ in
description = ''
Removes associations between mimetypes and applications. See the
[
specifications](https://specifications.freedesktop.org/mime-apps-spec/mime-apps-spec-latest.html#associations) for more information.
specifications](https://specifications.freedesktop.org/mime-apps-spec/latest/associations) for more information.
'';
};
};

71
third_party/nixpkgs/nixos/modules/hardware/corectrl.nix vendored
View file

@ -1,23 +1,35 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
mkPackageOption
;
cfg = config.programs.corectrl;
in
{
options.programs.corectrl = {
enable = lib.mkEnableOption ''
enable = mkEnableOption ''
CoreCtrl, a tool to overclock amd graphics cards and processors.
Add your user to the corectrl group to run corectrl without needing to enter your password
'';
package = lib.mkPackageOption pkgs "corectrl" {
package = mkPackageOption pkgs "corectrl" {
extraDescription = "Useful for overriding the configuration options used for the package.";
};
gpuOverclock = {
enable = lib.mkEnableOption ''
enable = mkEnableOption ''
GPU overclocking
'';
ppfeaturemask = lib.mkOption {
ppfeaturemask = mkOption {
type = lib.types.str;
default = "0xfffd7fff";
example = "0xffffffff";
@ -31,33 +43,34 @@ in
};
};
config = lib.mkIf cfg.enable (lib.mkMerge [
{
environment.systemPackages = [ cfg.package ];
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
services.dbus.packages = [ cfg.package ];
services.dbus.packages = [ cfg.package ];
users.groups.corectrl = { };
users.groups.corectrl = { };
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if ((action.id == "org.corectrl.helper.init" ||
action.id == "org.corectrl.helperkiller.init") &&
subject.local == true &&
subject.active == true &&
subject.isInGroup("corectrl")) {
return polkit.Result.YES;
}
});
'';
}
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if ((action.id == "org.corectrl.helper.init" ||
action.id == "org.corectrl.helperkiller.init") &&
subject.local == true &&
subject.active == true &&
subject.isInGroup("corectrl")) {
return polkit.Result.YES;
}
});
'';
(lib.mkIf cfg.gpuOverclock.enable {
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/amd/include/amd_shared.h#n169
# The overdrive bit
boot.kernelParams = [ "amdgpu.ppfeaturemask=${cfg.gpuOverclock.ppfeaturemask}" ];
})
]);
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/gpu/drm/amd/include/amd_shared.h#n169
# The overdrive bit
boot.kernelParams = mkIf cfg.gpuOverclock.enable [
"amdgpu.ppfeaturemask=${cfg.gpuOverclock.ppfeaturemask}"
];
};
meta.maintainers = with lib.maintainers; [ artturin ];
meta.maintainers = with lib.maintainers; [
artturin
Scrumplex
];
}

1
third_party/nixpkgs/nixos/modules/hardware/hackrf.nix vendored
View file

@ -12,6 +12,7 @@ in
description = ''
Enables hackrf udev rules and ensures 'plugdev' group exists.
This is a prerequisite to using HackRF devices without being root, since HackRF USB descriptors will be owned by plugdev through udev.
Ensure your user is a member of the 'plugdev' group after enabling.
'';
};
};

35
third_party/nixpkgs/nixos/modules/hardware/tuxedo-drivers.nix vendored Normal file
View file

@ -0,0 +1,35 @@
{ config, lib, ... }:
let
cfg = config.hardware.tuxedo-drivers;
tuxedo-drivers = config.boot.kernelPackages.tuxedo-drivers;
in
{
imports = [
(lib.mkRenamedOptionModule
[
"hardware"
"tuxedo-keyboard"
]
[
"hardware"
"tuxedo-drivers"
]
)
];
options.hardware.tuxedo-drivers = {
enable = lib.mkEnableOption ''
The tuxedo-drivers driver enables access to the following on TUXEDO notebooks:
- Driver for Fn-keys
- SysFS control of brightness/color/mode for most TUXEDO keyboards
- Hardware I/O driver for TUXEDO Control Center
For more inforation it is best to check at the source code description: <https://gitlab.com/tuxedocomputers/development/packages/tuxedo-drivers>
'';
};
config = lib.mkIf cfg.enable {
boot.kernelModules = [ "tuxedo_keyboard" ];
boot.extraModulePackages = [ tuxedo-drivers ];
};
}

32
third_party/nixpkgs/nixos/modules/hardware/tuxedo-keyboard.nix vendored
View file

@ -1,32 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.hardware.tuxedo-keyboard;
tuxedo-keyboard = config.boot.kernelPackages.tuxedo-keyboard;
in
{
options.hardware.tuxedo-keyboard = {
enable = lib.mkEnableOption ''
the tuxedo-keyboard driver.
To configure the driver, pass the options to the {option}`boot.kernelParams` configuration.
There are several parameters you can change. It's best to check at the source code description which options are supported.
You can find all the supported parameters at: <https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam>
In order to use the `custom` lighting with the maximumg brightness and a color of `0xff0a0a` one would put pass {option}`boot.kernelParams` like this:
```
boot.kernelParams = [
"tuxedo_keyboard.mode=0"
"tuxedo_keyboard.brightness=255"
"tuxedo_keyboard.color_left=0xff0a0a"
];
```
'';
};
config = lib.mkIf cfg.enable
{
boot.kernelModules = ["tuxedo_keyboard"];
boot.extraModulePackages = [ tuxedo-keyboard ];
};
}

1
third_party/nixpkgs/nixos/modules/i18n/input-method/default.md vendored
View file

@ -40,6 +40,7 @@ Available extra IBus engines are:
- Anthy (`ibus-engines.anthy`): Anthy is a system for
Japanese input method. It converts Hiragana text to Kana Kanji mixed text.
- Hangul (`ibus-engines.hangul`): Korean input method.
- libpinyin (`ibus-engines.libpinyin`): A Chinese input method.
- m17n (`ibus-engines.m17n`): m17n is an input method that
uses input methods and corresponding icons in the m17n database.
- mozc (`ibus-engines.mozc`): A Japanese input method from

5
third_party/nixpkgs/nixos/modules/image/repart-image.nix vendored
View file

@ -101,6 +101,11 @@ in
) // {
__structuredAttrs = true;
# the image will be self-contained so we can drop references
# to the closure that was used to build it
unsafeDiscardReferences.out = true;
nativeBuildInputs = [
systemd
fakeroot

8
third_party/nixpkgs/nixos/modules/image/repart-verity-store.nix vendored
View file

@ -117,10 +117,6 @@ in
# do not prepare the ESP, this is done in the final image
systemdRepartFlags = previousAttrs.systemdRepartFlags ++ [ "--defer-partitions=esp" ];
# the image will be self-contained so we can drop references
# to the closure that was used to build it
unsafeDiscardReferences.out = true;
}
);
@ -210,10 +206,6 @@ in
rm -v repart-output_orig.json
'';
# the image will be self-contained so we can drop references
# to the closure that was used to build it
unsafeDiscardReferences.out = true;
}
);
};

12
third_party/nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix vendored
View file

@ -1,8 +1,8 @@
{
x86_64-linux = "/nix/store/2nhrwv91g6ycpyxvhmvc0xs8p92wp4bk-nix-2.24.9";
i686-linux = "/nix/store/idaxj9ji6ggpn1h47a35mf0c8ns4ma39-nix-2.24.9";
aarch64-linux = "/nix/store/7b5q44l2p70bf6m6dprr8f0587ypwq1z-nix-2.24.9";
riscv64-linux = "/nix/store/mgw3il1qk59750g5hbf02km79rgyx00y-nix-riscv64-unknown-linux-gnu-2.24.9";
x86_64-darwin = "/nix/store/rp8rc0pfgham7d7spj5s9syzb138dmmd-nix-2.24.9";
aarch64-darwin = "/nix/store/1n95r340s7p3vdwqh7m94q0a42crahqq-nix-2.24.9";
x86_64-linux = "/nix/store/hdy82qidsybc3fg561pqfwagv44vschb-nix-2.24.10";
i686-linux = "/nix/store/dyx4p79q6blva585bf90wbjjb7iyq8ra-nix-2.24.10";
aarch64-linux = "/nix/store/30gnc15nig1awa11vii9yz3z8518rnr3-nix-2.24.10";
riscv64-linux = "/nix/store/bxc2pyp1vj8kr77khyx5nglw73jqb98w-nix-riscv64-unknown-linux-gnu-2.24.10";
x86_64-darwin = "/nix/store/6mrkghigrci6dz2lnncqpgf80yi8gl7h-nix-2.24.10";
aarch64-darwin = "/nix/store/3f81gjiv836rjmsb29zab0pbjwf9did8-nix-2.24.10";
}

42
third_party/nixpkgs/nixos/modules/installer/tools/tools.nix vendored
View file

@ -106,11 +106,12 @@ let
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = with pkgs; [
# firefox
# tree
# ];
# };
# programs.firefox.enable = true;
# List packages installed in system profile. To search, run:
# \$ nix search wget
# environment.systemPackages = with pkgs; [
@ -216,7 +217,7 @@ in
imports = let
mkToolModule = { name, package ? pkgs.${name} }: { config, ... }: {
options.system.tools.${name}.enable = lib.mkEnableOption "${name} script" // {
default = config.nix.enable;
default = config.nix.enable && ! config.system.disableInstallerTools;
internal = true;
};
@ -227,34 +228,21 @@ in
in [
(mkToolModule { name = "nixos-build-vms"; })
(mkToolModule { name = "nixos-enter"; })
(mkToolModule { name = "nixos-generate-config"; package = nixos-generate-config; })
(mkToolModule { name = "nixos-install"; package = nixos-install; })
(mkToolModule { name = "nixos-generate-config"; package = config.system.build.nixos-generate-config; })
(mkToolModule { name = "nixos-install"; package = config.system.build.nixos-install; })
(mkToolModule { name = "nixos-option"; })
(mkToolModule { name = "nixos-rebuild"; package = nixos-rebuild; })
(mkToolModule { name = "nixos-rebuild"; package = config.system.build.nixos-rebuild; })
(mkToolModule { name = "nixos-version"; package = nixos-version; })
];
config = lib.mkMerge [
(lib.mkIf config.system.disableInstallerTools {
system.tools = {
nixos-build-vms.enable = false;
nixos-enter.enable = false;
nixos-generate-config.enable = false;
nixos-install.enable = false;
nixos-option.enable = false;
nixos-rebuild.enable = false;
nixos-version.enable = false;
};
})
{
documentation.man.man-db.skipPackages = [ nixos-version ];
config = {
documentation.man.man-db.skipPackages = [ nixos-version ];
# These may be used in auxiliary scripts (ie not part of toplevel), so they are defined unconditionally.
system.build = {
inherit nixos-generate-config nixos-install nixos-rebuild;
nixos-option = lib.warn "Accessing nixos-option through `config.system.build` is deprecated, use `pkgs.nixos-option` instead." pkgs.nixos-option;
nixos-enter = lib.warn "Accessing nixos-enter through `config.system.build` is deprecated, use `pkgs.nixos-enter` instead." pkgs.nixos-enter;
};
}
];
# These may be used in auxiliary scripts (ie not part of toplevel), so they are defined unconditionally.
system.build = {
inherit nixos-generate-config nixos-install nixos-rebuild;
nixos-option = lib.warn "Accessing nixos-option through `config.system.build` is deprecated, use `pkgs.nixos-option` instead." pkgs.nixos-option;
nixos-enter = lib.warn "Accessing nixos-enter through `config.system.build` is deprecated, use `pkgs.nixos-enter` instead." pkgs.nixos-enter;
};
};
}

61
third_party/nixpkgs/nixos/modules/installer/virtualbox-demo.nix vendored
View file

@ -1,61 +0,0 @@
{ lib, ... }:
with lib;
{
imports =
[ ../virtualisation/virtualbox-image.nix
../installer/cd-dvd/channel.nix
../profiles/demo.nix
../profiles/clone-config.nix
];
# FIXME: UUID detection is currently broken
boot.loader.grub.fsIdentifier = "provided";
# Allow mounting of shared folders.
users.users.demo.extraGroups = [ "vboxsf" ];
# Add some more video drivers to give X11 a shot at working in
# VMware and QEMU.
services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" "modesetting" ];
powerManagement.enable = false;
system.stateVersion = lib.mkDefault lib.trivial.release;
installer.cloneConfigExtra = ''
# Let demo build as a trusted user.
# nix.settings.trusted-users = [ "demo" ];
# Mount a VirtualBox shared folder.
# This is configurable in the VirtualBox menu at
# Machine / Settings / Shared Folders.
# fileSystems."/mnt" = {
# fsType = "vboxsf";
# device = "nameofdevicetomount";
# options = [ "rw" ];
# };
# By default, the NixOS VirtualBox demo image includes SDDM and Plasma.
# If you prefer another desktop manager or display manager, you may want
# to disable the default.
# services.xserver.desktopManager.plasma5.enable = lib.mkForce false;
# services.displayManager.sddm.enable = lib.mkForce false;
# Enable GDM/GNOME by uncommenting above two lines and two lines below.
# services.xserver.displayManager.gdm.enable = true;
# services.xserver.desktopManager.gnome.enable = true;
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# List packages installed in system profile. To search, run:
# \$ nix search wget
# environment.systemPackages = with pkgs; [
# wget vim
# ];
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
'';
}

38
third_party/nixpkgs/nixos/modules/misc/ids.nix vendored
View file

@ -356,7 +356,24 @@ in
localtimed = 325;
automatic-timezoned = 326;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
# When adding a uid, make sure it doesn't match an existing gid.
#
# !!! Don't use uids above "399"! !!!
#
# The reason behind this restriction is that, NixOS by default allocates
# system user UIDs/GIDs in the range of `400..999`. System users/groups
# created using command like `useradd` will have UID and GID in this range[1].
#
# If a newly added ID goes beyond "399", it may conflict with existing
# system user or group of the same id in someone else's NixOS.
# This could break their system and make that person upset for a whole day.
#
# Sidenote: the default is defined in `shadow` module[2], and the relavent change
# was made way back in 2014[3].
#
# [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)
# [2]: <nixos/modules/programs/shadow.nix>
# [3]: https://github.com/NixOS/nixpkgs/commit/0e23a175de3687df8232fe118cbe87f04228ff28
nixbld = 30000; # start of range of uids
nobody = 65534;
@ -669,7 +686,24 @@ in
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal
# uids and gids. Also, don't use gids above 399!
# uids and gids.
#
# !!! Don't use gids above "399"! !!!
#
# The reason behind this restriction is that, NixOS by default allocates
# system user UIDs/GIDs in the range of `400..999`. System users/groups
# created using command like `useradd` will have UID and GID in this range[1].
#
# If a newly added ID goes beyond "399", it may conflict with existing
# system user or group of the same id in someone else's NixOS.
# This could break their system and make that person upset for a whole day.
#
# Sidenote: the default is defined in `shadow` module[2], and the relavent change
# was made way back in 2014[3].
#
# [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)
# [2]: <nixos/modules/programs/shadow.nix>
# [3]: https://github.com/NixOS/nixpkgs/commit/0e23a175de3687df8232fe118cbe87f04228ff28
# For exceptional cases where you really need a gid above 399, leave a
# comment stating why.

30
third_party/nixpkgs/nixos/modules/misc/version.nix vendored
View file

@ -22,21 +22,26 @@ let
{
NAME = "${cfg.distroName}";
ID = "${cfg.distroId}";
ID_LIKE = optionalString (!isNixos) "nixos";
VENDOR_NAME = cfg.vendorName;
VERSION = "${cfg.release} (${cfg.codeName})";
VERSION_CODENAME = toLower cfg.codeName;
VERSION_ID = cfg.release;
BUILD_ID = cfg.version;
PRETTY_NAME = "${cfg.distroName} ${cfg.release} (${cfg.codeName})";
CPE_NAME = "cpe:/o:${cfg.vendorId}:${cfg.distroId}:${cfg.release}";
LOGO = "nix-snowflake";
HOME_URL = optionalString isNixos "https://nixos.org/";
VENDOR_URL = optionalString isNixos "https://nixos.org/";
DOCUMENTATION_URL = optionalString isNixos "https://nixos.org/learn.html";
SUPPORT_URL = optionalString isNixos "https://nixos.org/community.html";
BUG_REPORT_URL = optionalString isNixos "https://github.com/NixOS/nixpkgs/issues";
ANSI_COLOR = optionalString isNixos "1;34";
IMAGE_ID = optionalString (config.system.image.id != null) config.system.image.id;
IMAGE_VERSION = optionalString (config.system.image.version != null) config.system.image.version;
} // lib.optionalAttrs (cfg.variant_id != null) {
VARIANT_ID = cfg.variant_id;
VARIANT = optionalString (cfg.variantName != null) cfg.variantName;
VARIANT_ID = optionalString (cfg.variant_id != null) cfg.variant_id;
DEFAULT_HOSTNAME = config.networking.fqdnOrHostName;
};
initrdReleaseContents = (removeAttrs osReleaseContents [ "BUILD_ID" ]) // {
@ -116,6 +121,27 @@ in
description = "A lower-case string identifying a specific variant or edition of the operating system";
example = "installer";
};
variantName = mkOption {
type = types.nullOr types.str;
default = null;
description = "A string identifying a specific variant or edition of the operating system suitable for presentation to the user";
example = "NixOS Installer Image";
};
vendorId = mkOption {
internal = true;
type = types.str;
default = "nixos";
description = "The id of the operating system vendor";
};
vendorName = mkOption {
internal = true;
type = types.str;
default = "NixOS";
description = "The name of the operating system vendor";
};
};
image = {

11
third_party/nixpkgs/nixos/modules/module-list.nix vendored
View file

@ -98,7 +98,7 @@
./hardware/sensor/iio.nix
./hardware/steam-hardware.nix
./hardware/system-76.nix
./hardware/tuxedo-keyboard.nix
./hardware/tuxedo-drivers.nix
./hardware/ubertooth.nix
./hardware/uinput.nix
./hardware/uni-sync.nix
@ -520,10 +520,10 @@
./services/desktops/gnome/gnome-remote-desktop.nix
./services/desktops/gnome/gnome-settings-daemon.nix
./services/desktops/gnome/gnome-user-share.nix
./services/desktops/gnome/localsearch.nix
./services/desktops/gnome/rygel.nix
./services/desktops/gnome/sushi.nix
./services/desktops/gnome/tracker-miners.nix
./services/desktops/gnome/tracker.nix
./services/desktops/gnome/tinysparql.nix
./services/desktops/gsignond.nix
./services/desktops/gvfs.nix
./services/desktops/malcontent.nix
@ -1357,6 +1357,7 @@
./services/system/nscd.nix
./services/system/saslauthd.nix
./services/system/self-deploy.nix
./services/system/swapspace.nix
./services/system/systembus-notify.nix
./services/system/systemd-lock-handler.nix
./services/system/uptimed.nix
@ -1390,9 +1391,6 @@
./services/web-apps/alps.nix
./services/web-apps/anuko-time-tracker.nix
./services/web-apps/artalk.nix
./services/web-apps/atlassian/confluence.nix
./services/web-apps/atlassian/crowd.nix
./services/web-apps/atlassian/jira.nix
./services/web-apps/audiobookshelf.nix
./services/web-apps/bluemap.nix
./services/web-apps/bookstack.nix
@ -1482,6 +1480,7 @@
./services/web-apps/ocis.nix
./services/web-apps/onlyoffice.nix
./services/web-apps/openvscode-server.nix
./services/web-apps/mediagoblin.nix
./services/web-apps/mobilizon.nix
./services/web-apps/openwebrx.nix
./services/web-apps/outline.nix

21
third_party/nixpkgs/nixos/modules/profiles/demo.nix vendored
View file

@ -1,21 +0,0 @@
{ ... }:
{
imports = [ ./graphical.nix ];
users.users.demo =
{ isNormalUser = true;
description = "Demo user account";
extraGroups = [ "wheel" ];
password = "demo";
uid = 1000;
};
services.displayManager = {
autoLogin = {
enable = true;
user = "demo";
};
sddm.autoLogin.relogin = true;
};
}

2
third_party/nixpkgs/nixos/modules/profiles/minimal.nix vendored
View file

@ -29,8 +29,6 @@ with lib;
programs.command-not-found.enable = mkDefault false;
programs.ssh.setXAuthLocation = mkDefault false;
services.logrotate.enable = mkDefault false;
services.udisks2.enable = mkDefault false;

2
third_party/nixpkgs/nixos/modules/programs/nix-ld.nix vendored
View file

@ -34,7 +34,7 @@ in
environment.pathsToLink = [ "/share/nix-ld" ];
environment.variables = {
environment.sessionVariables = {
NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so";
NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
};

107
third_party/nixpkgs/nixos/modules/programs/openvpn3.nix vendored
View file

@ -1,29 +1,87 @@
{ config, lib, pkgs, ... }:
let
json = pkgs.formats.json { };
cfg = config.programs.openvpn3;
in
{
inherit (lib) mkEnableOption mkPackageOption mkOption literalExpression max options lists;
inherit (lib.types) bool submodule ints;
in {
options.programs.openvpn3 = {
enable = lib.mkEnableOption "the openvpn3 client";
package = lib.mkOption {
type = lib.types.package;
default = pkgs.openvpn3.override {
enableSystemdResolved = config.services.resolved.enable;
enable = mkEnableOption "the openvpn3 client";
package = mkPackageOption pkgs "openvpn3" { };
netcfg = mkOption {
description = "Network configuration";
default = { };
type = submodule {
options = {
settings = mkOption {
description = "Options stored in {file}`/etc/openvpn3/netcfg.json` configuration file";
default = { };
type = submodule {
freeformType = json.type;
options = {
systemd_resolved = mkOption {
type = bool;
description = "Whether to use systemd-resolved integration";
default = config.services.resolved.enable;
defaultText = literalExpression "config.services.resolved.enable";
example = false;
};
};
};
};
};
};
};
log-service = mkOption {
description = "Log service configuration";
default = { };
type = submodule {
options = {
settings = mkOption {
description = "Options stored in {file}`/etc/openvpn3/log-service.json` configuration file";
default = { };
type = submodule {
freeformType = json.type;
options = {
journald = mkOption {
description = "Use systemd-journald";
type = bool;
default = true;
example = false;
};
log_dbus_details = mkOption {
description = "Add D-Bus details in log file/syslog";
type = bool;
default = true;
example = false;
};
log_level = mkOption {
description = "How verbose should the logging be";
type = (ints.between 0 7) // {
merge = _loc: defs:
lists.foldl max 0 (options.getValues defs);
};
default = 3;
example = 6;
};
timestamp = mkOption {
description = "Add timestamp log file";
type = bool;
default = false;
example = true;
};
};
};
};
};
};
defaultText = lib.literalExpression ''pkgs.openvpn3.override {
enableSystemdResolved = config.services.resolved.enable;
}'';
description = ''
Which package to use for `openvpn3`.
'';
};
};
config = lib.mkIf cfg.enable {
services.dbus.packages = [
cfg.package
];
services.dbus.packages = [ cfg.package ];
users.users.openvpn = {
isSystemUser = true;
@ -31,13 +89,20 @@ in
group = "openvpn";
};
users.groups.openvpn = {
gid = config.ids.gids.openvpn;
users.groups.openvpn = { gid = config.ids.gids.openvpn; };
environment = {
systemPackages = [ cfg.package ];
etc = {
"openvpn3/netcfg.json".source =
json.generate "netcfg.json" cfg.netcfg.settings;
"openvpn3/log-service.json".source =
json.generate "log-service.json" cfg.log-service.settings;
};
};
environment.systemPackages = [
cfg.package
];
systemd.packages = [ cfg.package ];
};
meta.maintainers = with lib.maintainers; [ shamilton progrm_jarvis ];
}

5
third_party/nixpkgs/nixos/modules/programs/wayland/sway.nix vendored
View file

@ -85,9 +85,10 @@ in
extraPackages = lib.mkOption {
type = with lib.types; listOf package;
default = with pkgs; [ swaylock swayidle foot dmenu wmenu ];
# Packages used in default config
default = with pkgs; [ brightnessctl foot grim pulseaudio swayidle swaylock wmenu ];
defaultText = lib.literalExpression ''
with pkgs; [ swaylock swayidle foot dmenu wmenu ];
with pkgs; [ brightnessctl foot grim pulseaudio swayidle swaylock wmenu ];
'';
example = lib.literalExpression ''
with pkgs; [ i3status i3status-rust termite rofi light ]

2
third_party/nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix vendored
View file

@ -93,7 +93,7 @@ in
default = "";
description = ''
Shell commands executed before the `oh-my-zsh` is loaded.
For example, to disable async git prompt write `zstyle ':omz:alpha:lib:git' async-prompt force` (more information https://github.com/ohmyzsh/ohmyzsh?tab=readme-ov-file#async-git-prompt)
For example, to disable async git prompt write `zstyle ':omz:alpha:lib:git' async-prompt no` (more information https://github.com/ohmyzsh/ohmyzsh?tab=readme-ov-file#async-git-prompt)
'';
};
};

3
third_party/nixpkgs/nixos/modules/rename.nix vendored
View file

@ -62,7 +62,9 @@ in
(mkRemovedOptionModule [ "services" "beegfsEnable" ] "The BeeGFS module has been removed")
(mkRemovedOptionModule [ "services" "cgmanager" "enable"] "cgmanager was deprecated by lxc and therefore removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "chronos" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "confluence" ] "Atlassian software has been removed, as support for the Atlassian Server products ended in February 2024 and there was insufficient interest in maintaining the Atlassian Data Center replacements")
(mkRemovedOptionModule [ "services" "couchpotato" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "crowd" ] "Atlassian software has been removed, as support for the Atlassian Server products ended in February 2024 and there was insufficient interest in maintaining the Atlassian Data Center replacements")
(mkRemovedOptionModule [ "services" "dd-agent" ] "dd-agent was removed from nixpkgs in favor of the newer datadog-agent.")
(mkRemovedOptionModule [ "services" "dnscrypt-proxy" ] "Use services.dnscrypt-proxy2 instead")
(mkRemovedOptionModule [ "services" "dnscrypt-wrapper" ] ''
@ -82,6 +84,7 @@ in
(mkRemovedOptionModule [ "services" "homeassistant-satellite"] "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`.")
(mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
(mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")
(mkRemovedOptionModule [ "services" "jira" ] "Atlassian software has been removed, as support for the Atlassian Server products ended in February 2024 and there was insufficient interest in maintaining the Atlassian Data Center replacements")
(mkRemovedOptionModule [ "services" "kippo" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "lshd" ] "The corresponding package was removed from nixpkgs as it had no maintainer in Nixpkgs and hasn't seen an upstream release in over a decades.")
(mkRemovedOptionModule [ "services" "mailpile" ] "The corresponding package was removed from nixpkgs.")

2
third_party/nixpkgs/nixos/modules/security/acme/default.nix vendored
View file

@ -217,7 +217,7 @@ let
protocolOpts = if useDns then (
[ "--dns" data.dnsProvider ]
++ lib.optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
++ lib.optionals (!data.dnsPropagationCheck) [ "--dns.propagation-disable-ans" ]
++ lib.optionals (data.dnsResolver != null) [ "--dns.resolvers" data.dnsResolver ]
) else if data.s3Bucket != null then [ "--http" "--http.s3-bucket" data.s3Bucket ]
else if data.listenHTTP != null then [ "--http" "--http.port" data.listenHTTP ]

23
third_party/nixpkgs/nixos/modules/security/acme/mk-cert-ownership-assertion.nix vendored
View file

@ -1,4 +1,21 @@
{ cert, group, groups, user }: {
assertion = cert.group == group || builtins.any (u: u == user) groups.${cert.group}.members;
message = "Group for certificate ${cert.domain} must be ${group}, or user ${user} must be a member of group ${cert.group}";
lib:
{ cert, groups, services }:
let
catSep = builtins.concatStringsSep;
svcGroups = svc:
(lib.optional (svc.serviceConfig ? Group) svc.serviceConfig.Group)
++ (svc.serviceConfig.SupplementaryGroups or [ ]);
in
{
assertion = builtins.all (svc:
svc.serviceConfig.User or "root" == "root"
|| builtins.elem svc.serviceConfig.User groups.${cert.group}.members
|| builtins.elem cert.group (svcGroups svc)
) services;
message = "Certificate ${cert.domain} (group=${cert.group}) must be readable by service(s) ${
catSep ", " (map (svc: "${svc.name} (user=${svc.serviceConfig.User} groups=${catSep " " (svcGroups svc)})") services)
}";
}

4
third_party/nixpkgs/nixos/modules/security/wrappers/default.nix vendored
View file

@ -253,8 +253,8 @@ in
};
in
{ # These are mount related wrappers that require the +s permission.
fusermount = mkSetuidRoot "${pkgs.fuse}/bin/fusermount";
fusermount3 = mkSetuidRoot "${pkgs.fuse3}/bin/fusermount3";
fusermount = mkSetuidRoot "${lib.getBin pkgs.fuse}/bin/fusermount";
fusermount3 = mkSetuidRoot "${lib.getBin pkgs.fuse3}/bin/fusermount3";
mount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/mount";
umount = mkSetuidRoot "${lib.getBin pkgs.util-linux}/bin/umount";
};

4
third_party/nixpkgs/nixos/modules/services/audio/snapserver.nix vendored
View file

@ -80,6 +80,8 @@ in {
'';
};
package = lib.options.mkPackageOption pkgs "snapcast" { };
listenAddress = lib.mkOption {
type = lib.types.str;
default = "::";
@ -286,7 +288,7 @@ in {
serviceConfig = {
DynamicUser = true;
ExecStart = "${pkgs.snapcast}/bin/snapserver --daemon ${optionString}";
ExecStart = "${cfg.package}/bin/snapserver --daemon ${optionString}";
Type = "forking";
LimitRTPRIO = 50;
LimitRTTIME = "infinity";

55
third_party/nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix vendored
View file

@ -1,14 +1,18 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.lighthouse;
in {
in
{
options = {
services.lighthouse = {
beacon = lib.mkOption {
description = "Beacon node";
default = {};
default = { };
type = lib.types.submodule {
options = {
enable = lib.mkEnableOption "Lightouse Beacon node";
@ -133,7 +137,7 @@ in {
validator = lib.mkOption {
description = "Validator node";
default = {};
default = { };
type = lib.types.submodule {
options = {
enable = lib.mkOption {
@ -152,7 +156,7 @@ in {
beaconNodes = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = ["http://localhost:5052"];
default = [ "http://localhost:5052" ];
description = ''
Beacon nodes to connect to.
'';
@ -190,7 +194,13 @@ in {
};
network = lib.mkOption {
type = lib.types.enum [ "mainnet" "gnosis" "chiado" "sepolia" "holesky" ];
type = lib.types.enum [
"mainnet"
"gnosis"
"chiado"
"sepolia"
"holesky"
];
default = "mainnet";
description = ''
The network to connect to. Mainnet is the default ethereum network.
@ -205,19 +215,19 @@ in {
default = "";
example = "";
};
package = lib.mkPackageOption pkgs "lighthouse" { };
};
};
config = lib.mkIf (cfg.beacon.enable || cfg.validator.enable) {
environment.systemPackages = [ pkgs.lighthouse ] ;
environment.systemPackages = [ cfg.package ];
networking.firewall = lib.mkIf cfg.beacon.enable {
allowedTCPPorts = lib.mkIf cfg.beacon.openFirewall [ cfg.beacon.port ];
allowedUDPPorts = lib.mkIf cfg.beacon.openFirewall [ cfg.beacon.port ];
};
systemd.services.lighthouse-beacon = lib.mkIf cfg.beacon.enable {
description = "Lighthouse beacon node (connect to P2P nodes and verify blocks)";
wantedBy = [ "multi-user.target" ];
@ -227,7 +237,7 @@ in {
# make sure the chain data directory is created on first run
mkdir -p ${cfg.beacon.dataDir}/${cfg.network}
${pkgs.lighthouse}/bin/lighthouse beacon_node \
${lib.getExe cfg.package} beacon_node \
--disable-upnp \
${lib.optionalString cfg.beacon.disableDepositContractSync "--disable-deposit-contract-sync"} \
--port ${toString cfg.beacon.port} \
@ -236,8 +246,8 @@ in {
--datadir ${cfg.beacon.dataDir}/${cfg.network} \
--execution-endpoint http://${cfg.beacon.execution.address}:${toString cfg.beacon.execution.port} \
--execution-jwt ''${CREDENTIALS_DIRECTORY}/LIGHTHOUSE_JWT \
${lib.optionalString cfg.beacon.http.enable '' --http --http-address ${cfg.beacon.http.address} --http-port ${toString cfg.beacon.http.port}''} \
${lib.optionalString cfg.beacon.metrics.enable '' --metrics --metrics-address ${cfg.beacon.metrics.address} --metrics-port ${toString cfg.beacon.metrics.port}''} \
${lib.optionalString cfg.beacon.http.enable ''--http --http-address ${cfg.beacon.http.address} --http-port ${toString cfg.beacon.http.port}''} \
${lib.optionalString cfg.beacon.metrics.enable ''--metrics --metrics-address ${cfg.beacon.metrics.address} --metrics-port ${toString cfg.beacon.metrics.port}''} \
${cfg.extraArgs} ${cfg.beacon.extraArgs}
'';
serviceConfig = {
@ -262,7 +272,10 @@ in {
RestrictNamespaces = true;
LockPersonality = true;
RemoveIPC = true;
SystemCallFilter = [ "@system-service" "~@privileged" ];
SystemCallFilter = [
"@system-service"
"~@privileged"
];
};
};
@ -275,7 +288,7 @@ in {
# make sure the chain data directory is created on first run
mkdir -p ${cfg.validator.dataDir}/${cfg.network}
${pkgs.lighthouse}/bin/lighthouse validator_client \
${lib.getExe cfg.package} validator_client \
--network ${cfg.network} \
--beacon-nodes ${lib.concatStringsSep "," cfg.validator.beaconNodes} \
--datadir ${cfg.validator.dataDir}/${cfg.network} \
@ -305,8 +318,14 @@ in {
RestrictNamespaces = true;
LockPersonality = true;
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
SystemCallFilter = [ "@system-service" "~@privileged" ];
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
SystemCallFilter = [
"@system-service"
"~@privileged"
];
};
};
};

29
third_party/nixpkgs/nixos/modules/services/computing/slurm/slurm.nix vendored
View file

@ -32,6 +32,12 @@ let
${cfg.extraCgroupConfig}
'';
mpiConf = pkgs.writeTextDir "mpi.conf"
''
PMIxCliTmpDirBase=${cfg.mpi.PmixCliTmpDirBase}
${cfg.mpi.extraMpiConfig}
'';
slurmdbdConf = pkgs.writeText "slurmdbd.conf"
''
DbdHost=${cfg.dbdserver.dbdHost}
@ -45,7 +51,7 @@ let
# in the same directory as slurm.conf
etcSlurm = pkgs.symlinkJoin {
name = "etc-slurm";
paths = [ configFile cgroupConfig plugStackConfig ] ++ cfg.extraConfigPaths;
paths = [ configFile cgroupConfig plugStackConfig mpiConf ] ++ cfg.extraConfigPaths;
};
in
@ -242,6 +248,24 @@ in
'';
};
mpi = {
PmixCliTmpDirBase = lib.mkOption {
default = "/tmp/pmix";
type = lib.types.str;
description = ''
Base path for PMIx temporary files.
'';
};
extraMpiConfig = lib.mkOption {
default = "";
type = lib.types.lines;
description = ''
Extra configuration for that will be added to `mpi.conf`.
'';
};
};
extraPlugstackConfig = lib.mkOption {
default = "";
type = lib.types.lines;
@ -372,8 +396,9 @@ in
};
};
systemd.tmpfiles.rules = lib.mkIf cfg.client.enable [
systemd.tmpfiles.rules = lib.optionals cfg.client.enable [
"d /var/spool/slurmd 755 root root -"
"d ${cfg.mpi.PmixCliTmpDirBase} 755 root root -"
];
services.openssh.settings.X11Forwarding = lib.mkIf cfg.client.enable (lib.mkDefault true);

6
third_party/nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix vendored
View file

@ -5,7 +5,7 @@ let
opt = options.services.buildbot-master;
package = cfg.package.python.pkgs.toPythonModule cfg.package;
python = package.pythonModule;
python = cfg.package.python;
escapeStr = lib.escape [ "'" ];
@ -93,13 +93,13 @@ in {
};
extraConfig = lib.mkOption {
type = lib.types.str;
type = lib.types.lines;
description = "Extra configuration to append to master.cfg";
default = "c['buildbotNetUsageData'] = None";
};
extraImports = lib.mkOption {
type = lib.types.str;
type = lib.types.lines;
description = "Extra python imports to prepend to master.cfg";
default = "";
example = "from buildbot.process.project import Project";

14
third_party/nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix vendored
View file

@ -330,12 +330,12 @@ in
ln -sf ${hydraConf} ${baseDir}/hydra.conf
mkdir -m 0700 -p ${baseDir}/www
mkdir -m 0700 ${baseDir}/www || true
chown hydra-www:hydra ${baseDir}/www
mkdir -m 0700 -p ${baseDir}/queue-runner
mkdir -m 0750 -p ${baseDir}/build-logs
mkdir -m 0750 -p ${baseDir}/runcommand-logs
mkdir -m 0700 ${baseDir}/queue-runner || true
mkdir -m 0750 ${baseDir}/build-logs || true
mkdir -m 0750 ${baseDir}/runcommand-logs || true
chown hydra-queue-runner:hydra \
${baseDir}/queue-runner \
${baseDir}/build-logs \
@ -362,8 +362,8 @@ in
# Move legacy hydra-www roots.
if [ -e /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots ]; then
find /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots/ -type f \
| xargs -r mv -f -t ${cfg.gcRootsDir}/
find /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots/ -type f -print0 \
| xargs -0 -r mv -f -t ${cfg.gcRootsDir}/
rmdir /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots
fi
@ -520,7 +520,7 @@ in
elif [[ $compression == zstd ]]; then
compression="zstd --rm"
fi
find ${baseDir}/build-logs -type f -name "*.drv" -mtime +3 -size +0c | xargs -r "$compression" --force --quiet
find ${baseDir}/build-logs -type f -name "*.drv" -mtime +3 -size +0c -print0 | xargs -0 -r "$compression" --force --quiet
'';
startAt = "Sun 01:45";
serviceConfig.Slice = "system-hydra.slice";

18
third_party/nixpkgs/nixos/modules/services/databases/postgresql.md vendored
View file

@ -364,6 +364,24 @@ postgresql.withJIT.pname
evaluates to `"foobar"`.
## Service hardening {#module-services-postgres-hardening}
The service created by the [`postgresql`-module](#opt-services.postgresql.enable) uses
several common hardening options from `systemd`, most notably:
* Memory pages must not be both writable and executable (this only applies to non-JIT setups).
* A system call filter (see {manpage}`systemd.exec(5)` for details on `@system-service`).
* A stricter default UMask (`0027`).
* Only sockets of type `AF_INET`/`AF_INET6`/`AF_NETLINK`/`AF_UNIX` allowed.
* Restricted filesystem access (private `/tmp`, most of the file-system hierachy is mounted read-only, only process directories in `/proc` that are owned by the same user).
The NixOS module also contains necessary adjustments for extensions from `nixpkgs`
if these are enabled. If an extension or a postgresql feature from `nixpkgs` breaks
with hardening, it's considered a bug.
When using extensions that are not packaged in `nixpkgs`, hardening adjustments may
become necessary.
## Notable differences to upstream {#module-services-postgres-upstream-deviation}
- To avoid circular dependencies between default and -dev outputs, the output of the `pg_config` system view has been removed.

39
third_party/nixpkgs/nixos/modules/services/databases/postgresql.nix vendored
View file

@ -623,7 +623,46 @@ in
TimeoutSec = 120;
ExecStart = "${postgresql}/bin/postgres";
# Hardening
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off");
NoNewPrivileges = true;
LockPersonality = true;
PrivateDevices = true;
PrivateMounts = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK" # used for network interface enumeration
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
UMask = if groupAccessAvailable then "0027" else "0077";
}
(mkIf (cfg.dataDir != "/var/lib/postgresql") {
ReadWritePaths = [ cfg.dataDir ];
})
(mkIf (cfg.dataDir == "/var/lib/postgresql/${cfg.package.psqlSchema}") {
StateDirectory = "postgresql postgresql/${cfg.package.psqlSchema}";
StateDirectoryMode = if groupAccessAvailable then "0750" else "0700";

11
third_party/nixpkgs/nixos/modules/services/databases/surrealdb.nix vendored
View file

@ -14,9 +14,9 @@ in {
type = lib.types.str;
description = ''
The path that surrealdb will write data to. Use null for in-memory.
Can be one of "memory", "file://:path", "tikv://:addr".
Can be one of "memory", "rocksdb://:path", "surrealkv://:path", "tikv://:addr", "fdb://:addr".
'';
default = "file:///var/lib/surrealdb/";
default = "rocksdb:///var/lib/surrealdb/";
example = "memory";
};
@ -41,10 +41,9 @@ in {
extraFlags = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
example = [ "--allow-all" "--auth" "--user root" "--pass root" ];
example = [ "--allow-all" "--user" "root" "--pass" "root" ];
description = ''
Specify a list of additional command line flags,
which get escaped and are then passed to surrealdb.
Specify a list of additional command line flags.
'';
};
};
@ -61,7 +60,7 @@ in {
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${cfg.package}/bin/surreal start --bind ${cfg.host}:${toString cfg.port} ${lib.escapeShellArgs cfg.extraFlags} -- ${cfg.dbPath}";
ExecStart = "${cfg.package}/bin/surreal start --bind ${cfg.host}:${toString cfg.port} ${lib.strings.concatStringsSep " " cfg.extraFlags} -- ${cfg.dbPath}";
DynamicUser = true;
Restart = "on-failure";
StateDirectory = "surrealdb";

189
third_party/nixpkgs/nixos/modules/services/databases/victoriametrics.nix vendored
View file

@ -1,65 +1,188 @@
{ config, pkgs, lib, ... }:
let cfg = config.services.victoriametrics; in
{
options.services.victoriametrics = with lib; {
enable = mkEnableOption "VictoriaMetrics, a time series database, long-term remote storage for Prometheus";
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.services.victoriametrics;
settingsFormat = pkgs.formats.yaml { };
startCLIList =
[
"${cfg.package}/bin/victoria-metrics"
"-storageDataPath=/var/lib/${cfg.stateDir}"
"-httpListenAddr=${cfg.listenAddress}"
]
++ lib.optionals (cfg.retentionPeriod != null) [ "-retentionPeriod=${cfg.retentionPeriod}" ]
++ cfg.extraOptions;
prometheusConfigYml = checkedConfig (
settingsFormat.generate "prometheusConfig.yaml" cfg.prometheusConfig
);
checkedConfig =
file:
pkgs.runCommand "checked-config" { nativeBuildInputs = [ cfg.package ]; } ''
ln -s ${file} $out
${lib.escapeShellArgs startCLIList} -promscrape.config=${file} -dryRun
'';
in
{
options.services.victoriametrics = {
enable = mkEnableOption "VictoriaMetrics is a fast, cost-effective and scalable monitoring solution and time series database.";
package = mkPackageOption pkgs "victoriametrics" { };
listenAddress = mkOption {
default = ":8428";
type = types.str;
description = ''
The listen address for the http interface.
TCP address to listen for incoming http requests.
'';
};
retentionPeriod = mkOption {
type = types.int;
default = 1;
stateDir = mkOption {
type = types.str;
default = "victoriametrics";
description = ''
Retention period in months.
Directory below `/var/lib` to store VictoriaMetrics metrics data.
This directory will be created automatically using systemd's StateDirectory mechanism.
'';
};
retentionPeriod = mkOption {
type = types.nullOr types.str;
default = null;
example = "15d";
description = ''
How long to retain samples in storage.
The minimum retentionPeriod is 24h or 1d. See also -retentionFilter
The following optional suffixes are supported: s (second), h (hour), d (day), w (week), y (year).
If suffix isn't set, then the duration is counted in months (default 1)
'';
};
prometheusConfig = lib.mkOption {
type = lib.types.submodule { freeformType = settingsFormat.type; };
default = { };
example = literalExpression ''
{
scrape_configs = [
{
job_name = "postgres-exporter";
metrics_path = "/metrics";
static_configs = [
{
targets = ["1.2.3.4:9187"];
labels.type = "database";
}
];
}
{
job_name = "node-exporter";
metrics_path = "/metrics";
static_configs = [
{
targets = ["1.2.3.4:9100"];
labels.type = "node";
}
{
targets = ["5.6.7.8:9100"];
labels.type = "node";
}
];
}
];
}
'';
description = ''
Config for prometheus style metrics.
See the docs: <https://docs.victoriametrics.com/vmagent/#how-to-collect-metrics-in-prometheus-format>
for more information.
'';
};
extraOptions = mkOption {
type = types.listOf types.str;
default = [];
default = [ ];
example = literalExpression ''
[
"-httpAuth.username=username"
"-httpAuth.password=file:///abs/path/to/file"
"-loggerLevel=WARN"
]
'';
description = ''
Extra options to pass to VictoriaMetrics. See the README:
<https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/README.md>
or {command}`victoriametrics -help` for more
information.
Extra options to pass to VictoriaMetrics. See the docs:
<https://docs.victoriametrics.com/single-server-victoriametrics/#list-of-command-line-flags>
or {command}`victoriametrics -help` for more information.
'';
};
};
config = lib.mkIf cfg.enable {
systemd.services.victoriametrics = {
description = "VictoriaMetrics time series database";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
startLimitBurst = 5;
serviceConfig = {
Restart = "on-failure";
RestartSec = 1;
StateDirectory = "victoriametrics";
ExecStart = lib.escapeShellArgs (
startCLIList
++ lib.optionals (cfg.prometheusConfig != null) [ "-promscrape.config=${prometheusConfigYml}" ]
);
DynamicUser = true;
ExecStart = ''
${cfg.package}/bin/victoria-metrics \
-storageDataPath=/var/lib/victoriametrics \
-httpListenAddr ${cfg.listenAddress} \
-retentionPeriod ${toString cfg.retentionPeriod} \
${lib.escapeShellArgs cfg.extraOptions}
'';
# victoriametrics 1.59 with ~7GB of data seems to eventually panic when merging files and then
# begins restart-looping forever. Set LimitNOFILE= to a large number to work around this issue.
#
# panic: FATAL: unrecoverable error when merging small parts in the partition "/var/lib/victoriametrics/data/small/2021_08":
# cannot open source part for merging: cannot open values file in stream mode:
# cannot open file "/var/lib/victoriametrics/data/small/2021_08/[...]/values.bin":
# open /var/lib/victoriametrics/data/small/2021_08/[...]/values.bin: too many open files
RestartSec = 1;
Restart = "on-failure";
RuntimeDirectory = "victoriametrics";
RuntimeDirectoryMode = "0700";
StateDirectory = cfg.stateDir;
StateDirectoryMode = "0700";
# Increase the limit to avoid errors like 'too many open files' when merging small parts
LimitNOFILE = 1048576;
# Hardening
DeviceAllow = [ "/dev/null rw" ];
DevicePolicy = "strict";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
];
};
wantedBy = [ "multi-user.target" ];
postStart =
let
bindAddr = (lib.optionalString (lib.hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
bindAddr =
(lib.optionalString (lib.hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
in
lib.mkBefore ''
until ${lib.getBin pkgs.curl}/bin/curl -s -o /dev/null http://${bindAddr}/ping; do

50
third_party/nixpkgs/nixos/modules/services/desktops/gnome/localsearch.nix vendored Normal file
View file

@ -0,0 +1,50 @@
{
config,
pkgs,
lib,
...
}:
{
meta = {
maintainers = lib.teams.gnome.members;
};
imports = [
(lib.mkRenamedOptionModule
[
"services"
"gnome"
"tracker-miners"
"enable"
]
[
"services"
"gnome"
"localsearch"
"enable"
]
)
];
options = {
services.gnome.localsearch = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to enable LocalSearch, indexing services for TinySPARQL
search engine and metadata storage system.
'';
};
};
};
config = lib.mkIf config.services.gnome.localsearch.enable {
environment.systemPackages = [ pkgs.localsearch ];
services.dbus.packages = [ pkgs.localsearch ];
systemd.packages = [ pkgs.localsearch ];
};
}

66
third_party/nixpkgs/nixos/modules/services/desktops/gnome/tinysparql.nix vendored Normal file
View file

@ -0,0 +1,66 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.gnome.tinysparql;
in
{
meta = {
maintainers = lib.teams.gnome.members;
};
imports = [
(lib.mkRemovedOptionModule
[
"services"
"gnome"
"tracker"
"subcommandPackages"
]
''
This option is broken since 3.7 and since 3.8 tracker (tinysparql) no longer expect
CLI to be extended by external projects, note that tracker-miners (localsearch) now
provides its own CLI tool.
''
)
(lib.mkRenamedOptionModule
[
"services"
"gnome"
"tracker"
"enable"
]
[
"services"
"gnome"
"tinysparql"
"enable"
]
)
];
options = {
services.gnome.tinysparql = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to enable TinySPARQL services, a search engine,
search tool and metadata storage system.
'';
};
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.tinysparql ];
services.dbus.packages = [ pkgs.tinysparql ];
systemd.packages = [ pkgs.tinysparql ];
};
}

44
third_party/nixpkgs/nixos/modules/services/desktops/gnome/tracker-miners.nix vendored
View file

@ -1,44 +0,0 @@
# Tracker Miners daemons.
{ config, pkgs, lib, ... }:
{
meta = {
maintainers = lib.teams.gnome.members;
};
###### interface
options = {
services.gnome.tracker-miners = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to enable Tracker miners, indexing services for Tracker
search engine and metadata storage system.
'';
};
};
};
###### implementation
config = lib.mkIf config.services.gnome.tracker-miners.enable {
environment.systemPackages = [ pkgs.tracker-miners ];
services.dbus.packages = [ pkgs.tracker-miners ];
systemd.packages = [ pkgs.tracker-miners ];
services.gnome.tracker.subcommandPackages = [ pkgs.tracker-miners ];
};
}

66
third_party/nixpkgs/nixos/modules/services/desktops/gnome/tracker.nix vendored
View file

@ -1,66 +0,0 @@
# Tracker daemon.
{ config, pkgs, lib, ... }:
let
cfg = config.services.gnome.tracker;
in
{
meta = {
maintainers = lib.teams.gnome.members;
};
###### interface
options = {
services.gnome.tracker = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to enable Tracker services, a search engine,
search tool and metadata storage system.
'';
};
subcommandPackages = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [ ];
internal = true;
description = ''
List of packages containing tracker3 subcommands.
'';
};
};
};
###### implementation
config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.tracker ];
services.dbus.packages = [ pkgs.tracker ];
systemd.packages = [ pkgs.tracker ];
environment.variables = {
TRACKER_CLI_SUBCOMMANDS_DIR =
let
subcommandPackagesTree = pkgs.symlinkJoin {
name = "tracker-with-subcommands-${pkgs.tracker.version}";
paths = [ pkgs.tracker ] ++ cfg.subcommandPackages;
};
in
"${subcommandPackagesTree}/libexec/tracker3";
};
};
}

2
third_party/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix vendored
View file

@ -332,7 +332,7 @@ in {
{
# JACK intentionally not checked, as PW-on-JACK setups are a thing that some people may want
assertion = (cfg.alsa.enable || cfg.pulse.enable) -> cfg.audio.enable;
message = "Using PipeWire's ALSA/PulseAudio compatibility layers requires running PipeWire as the sound server. Set `services.pipewire.audio.enable` to true.";
message = "Using PipeWire's ALSA/PulseAudio compatibility layers requires running PipeWire as the sound server. Either set `services.pipewire.audio.enable` to true to enable audio support, or set both `services.pipewire.pulse.enable` and `services.pipewire.alsa.enable` to false to use pipewire exclusively for the compositor.";
}
{
assertion = length

2
third_party/nixpkgs/nixos/modules/services/hardware/amdvlk.nix vendored
View file

@ -37,8 +37,6 @@ in {
extraPackages32 = [ cfg.support32Bit.package ];
};
services.xserver.videoDrivers = [ "amdgpu" ];
environment.sessionVariables = lib.mkIf cfg.supportExperimental.enable {
AMDVLK_ENABLE_DEVELOPING_EXT = "all";
};

15
third_party/nixpkgs/nixos/modules/services/hardware/bluetooth.nix vendored
View file

@ -62,7 +62,10 @@ in
ControllerMode = "bredr";
};
};
description = "Set configuration for system-wide bluetooth (/etc/bluetooth/main.conf).";
description = ''
Set configuration for system-wide bluetooth (/etc/bluetooth/main.conf).
See <https://github.com/bluez/bluez/blob/master/src/main.conf> for full list of options.
'';
};
input = mkOption {
@ -74,7 +77,10 @@ in
ClassicBondedOnly = true;
};
};
description = "Set configuration for the input service (/etc/bluetooth/input.conf).";
description = ''
Set configuration for the input service (/etc/bluetooth/input.conf).
See <https://github.com/bluez/bluez/blob/master/profiles/input/input.conf> for full list of options.
'';
};
network = mkOption {
@ -85,7 +91,10 @@ in
DisableSecurity = true;
};
};
description = "Set configuration for the network service (/etc/bluetooth/network.conf).";
description = ''
Set configuration for the network service (/etc/bluetooth/network.conf).
See <https://github.com/bluez/bluez/blob/master/profiles/network/network.conf> for full list of options.
'';
};
};
};

30
third_party/nixpkgs/nixos/modules/services/hardware/monado.nix vendored
View file

@ -1,10 +1,18 @@
{ config
, lib
, pkgs
, ...
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkDefault mkEnableOption mkIf mkOption mkPackageOption types;
inherit (lib)
mkDefault
mkEnableOption
mkIf
mkOption
mkPackageOption
types
;
cfg = config.services.monado;
@ -27,7 +35,8 @@ in
example = true;
};
highPriority = mkEnableOption "high priority capability for monado-service"
highPriority =
mkEnableOption "high priority capability for monado-service"
// mkOption { default = true; };
};
@ -61,9 +70,10 @@ in
serviceConfig = {
ExecStart =
if cfg.highPriority
then "${config.security.wrapperDir}/monado-service"
else lib.getExe' cfg.package "monado-service";
if cfg.highPriority then
"${config.security.wrapperDir}/monado-service"
else
lib.getExe' cfg.package "monado-service";
Restart = "no";
};
@ -93,6 +103,8 @@ in
environment.systemPackages = [ cfg.package ];
environment.pathsToLink = [ "/share/openxr" ];
hardware.graphics.extraPackages = [ pkgs.monado-vulkan-layers ];
environment.etc."xdg/openxr/1/active_runtime.json" = mkIf cfg.defaultRuntime {
source = "${cfg.package}/share/openxr/1/openxr_monado.json";
};

24
third_party/nixpkgs/nixos/modules/services/hardware/spacenavd.nix vendored
View file

@ -1,8 +1,13 @@
{ config, lib, pkgs, ... }:
let cfg = config.hardware.spacenavd;
in {
{
config,
lib,
pkgs,
...
}:
let
cfg = config.hardware.spacenavd;
in
{
options = {
hardware.spacenavd = {
enable = lib.mkEnableOption "spacenavd to support 3DConnexion devices";
@ -10,12 +15,9 @@ in {
};
config = lib.mkIf cfg.enable {
systemd.user.services.spacenavd = {
description = "Daemon for the Spacenavigator 6DOF mice by 3Dconnexion";
wantedBy = [ "graphical.target" ];
serviceConfig = {
ExecStart = "${pkgs.spacenavd}/bin/spacenavd -d -l syslog";
};
systemd = {
packages = [ pkgs.spacenavd ];
services.spacenavd.enable = true;
};
};
}

98
third_party/nixpkgs/nixos/modules/services/hardware/triggerhappy.nix vendored
View file

@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.triggerhappy;
@ -6,35 +11,53 @@ let
socket = "/run/thd.socket";
configFile = pkgs.writeText "triggerhappy.conf" ''
${lib.concatMapStringsSep "\n"
({ keys, event, cmd, ... }:
''${lib.concatMapStringsSep "+" (x: "KEY_" + x) keys} ${toString { press = 1; hold = 2; release = 0; }.${event}} ${cmd}''
)
cfg.bindings}
${lib.concatMapStringsSep "\n" (
{
keys,
event,
cmd,
...
}:
''${lib.concatMapStringsSep "+" (x: "KEY_" + x) keys} ${
toString
{
press = 1;
hold = 2;
release = 0;
}
.${event}
} ${cmd}''
) cfg.bindings}
${cfg.extraConfig}
'';
bindingCfg = { ... }: {
options = {
bindingCfg =
{ ... }:
{
options = {
keys = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "List of keys to match. Key names as defined in linux/input-event-codes.h";
};
event = lib.mkOption {
type = lib.types.enum [
"press"
"hold"
"release"
];
default = "press";
description = "Event to match.";
};
cmd = lib.mkOption {
type = lib.types.str;
description = "What to run.";
};
keys = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "List of keys to match. Key names as defined in linux/input-event-codes.h";
};
event = lib.mkOption {
type = lib.types.enum ["press" "hold" "release"];
default = "press";
description = "Event to match.";
};
cmd = lib.mkOption {
type = lib.types.str;
description = "What to run.";
};
};
};
in
@ -65,9 +88,9 @@ in
bindings = lib.mkOption {
type = lib.types.listOf (lib.types.submodule bindingCfg);
default = [];
default = [ ];
example = lib.literalExpression ''
[ { keys = ["PLAYPAUSE"]; cmd = "''${pkgs.mpc-cli}/bin/mpc -q toggle"; } ]
[ { keys = ["PLAYPAUSE"]; cmd = "''${lib.getExe pkgs.mpc} -q toggle"; } ]
'';
description = ''
Key bindings for {command}`triggerhappy`.
@ -86,7 +109,6 @@ in
};
###### implementation
config = lib.mkIf cfg.enable {
@ -101,18 +123,22 @@ in
wantedBy = [ "multi-user.target" ];
description = "Global hotkey daemon";
serviceConfig = {
ExecStart = "${pkgs.triggerhappy}/bin/thd ${lib.optionalString (cfg.user != "root") "--user ${cfg.user}"} --socket ${socket} --triggers ${configFile} --deviceglob /dev/input/event*";
ExecStart = "${pkgs.triggerhappy}/bin/thd ${
lib.optionalString (cfg.user != "root") "--user ${cfg.user}"
} --socket ${socket} --triggers ${configFile} --deviceglob /dev/input/event*";
};
};
services.udev.packages = lib.singleton (pkgs.writeTextFile {
name = "triggerhappy-udev-rules";
destination = "/etc/udev/rules.d/61-triggerhappy.rules";
text = ''
ACTION=="add", SUBSYSTEM=="input", KERNEL=="event[0-9]*", ATTRS{name}!="triggerhappy", \
RUN+="${pkgs.triggerhappy}/bin/th-cmd --socket ${socket} --passfd --udev"
'';
});
services.udev.packages = lib.singleton (
pkgs.writeTextFile {
name = "triggerhappy-udev-rules";
destination = "/etc/udev/rules.d/61-triggerhappy.rules";
text = ''
ACTION=="add", SUBSYSTEM=="input", KERNEL=="event[0-9]*", ATTRS{name}!="triggerhappy", \
RUN+="${pkgs.triggerhappy}/bin/th-cmd --socket ${socket} --passfd --udev"
'';
}
);
};

2
third_party/nixpkgs/nixos/modules/services/hardware/tuxedo-rs.nix vendored
View file

@ -14,7 +14,7 @@ in
config = lib.mkIf cfg.enable (lib.mkMerge [
{
hardware.tuxedo-keyboard.enable = true;
hardware.tuxedo-drivers.enable = true;
systemd = {
services.tailord = {

20
third_party/nixpkgs/nixos/modules/services/home-automation/home-assistant.nix vendored
View file

@ -6,17 +6,21 @@ let
cfg = config.services.home-assistant;
format = pkgs.formats.yaml {};
# Render config attribute sets to YAML
# Values that are null will be filtered from the output, so this is one way to have optional
# options shown in settings.
# We post-process the result to add support for YAML functions, like secrets or includes, see e.g.
# Post-process YAML output to add support for YAML functions, like
# secrets or includes, by naively unquoting strings with leading bangs
# and at least one space-separated parameter.
# https://www.home-assistant.io/docs/configuration/secrets/
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null ])) (lib.recursiveUpdate customLovelaceModulesResources (cfg.config or {}));
configFile = pkgs.runCommandLocal "configuration.yaml" { } ''
cp ${format.generate "configuration.yaml" filteredConfig} $out
renderYAMLFile = fn: yaml: pkgs.runCommandLocal fn { } ''
cp ${format.generate fn yaml} $out
sed -i -e "s/'\!\([a-z_]\+\) \(.*\)'/\!\1 \2/;s/^\!\!/\!/;" $out
'';
lovelaceConfigFile = format.generate "ui-lovelace.yaml" cfg.lovelaceConfig;
# Filter null values from the configuration, so that we can still advertise
# optional options in the config attribute.
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null ])) (lib.recursiveUpdate customLovelaceModulesResources (cfg.config or {}));
configFile = renderYAMLFile "configuration.yaml" filteredConfig;
lovelaceConfigFile = renderYAMLFile "ui-lovelace.yaml" cfg.lovelaceConfig;
# Components advertised by the home-assistant package
availableComponents = cfg.package.availableComponents;

20
third_party/nixpkgs/nixos/modules/services/logging/promtail.nix vendored
View file

@ -10,15 +10,29 @@ let
allowPositionsFile = !lib.hasPrefix "/var/cache/promtail" positionsFile;
positionsFile = cfg.configuration.positions.filename;
configFile = if cfg.configFile != null
then cfg.configFile
else prettyJSON cfg.configuration;
in {
options.services.promtail = with types; {
enable = mkEnableOption "the Promtail ingresser";
configuration = mkOption {
type = (pkgs.formats.json {}).type;
description = ''
Specify the configuration for Promtail in Nix.
This option will be ignored if `services.promtail.configFile` is defined.
'';
};
configFile = mkOption {
type = nullOr path;
default = null;
description = ''
Config file path for Promtail.
If this option is defined, the value of `services.promtail.configuration` will be ignored.
'';
};
@ -42,14 +56,14 @@ in {
stopIfChanged = false;
preStart = ''
${lib.getExe pkgs.promtail} -config.file=${prettyJSON cfg.configuration} -check-syntax
${lib.getExe pkgs.promtail} -config.file=${configFile} -check-syntax
'';
serviceConfig = {
Restart = "on-failure";
TimeoutStopSec = 10;
ExecStart = "${pkgs.promtail}/bin/promtail -config.file=${prettyJSON cfg.configuration} ${escapeShellArgs cfg.extraFlags}";
ExecStart = "${pkgs.promtail}/bin/promtail -config.file=${configFile} ${escapeShellArgs cfg.extraFlags}";
ProtectSystem = "strict";
ProtectHome = true;

2
third_party/nixpkgs/nixos/modules/services/matrix/conduit.nix vendored
View file

@ -111,6 +111,8 @@ in
description = "Conduit Matrix Server";
documentation = [ "https://gitlab.com/famedly/conduit/" ];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = lib.mkMerge ([
{ CONDUIT_CONFIG = configFile; }
cfg.extraEnvironment

4
third_party/nixpkgs/nixos/modules/services/matrix/mjolnir.nix vendored
View file

@ -186,6 +186,10 @@ in
}
];
# This defaults to true in the application,
# which breaks older configs using pantalaimon or access tokens
services.mjolnir.settings.encryption.use = lib.mkDefault false;
services.pantalaimon-headless.instances."mjolnir" = lib.mkIf cfg.pantalaimon.enable
{
homeserver = cfg.homeserverUrl;

76
third_party/nixpkgs/nixos/modules/services/misc/guix/default.nix vendored
View file

@ -46,6 +46,17 @@ let
GUIX_LOCPATH = "${cfg.stateDir}/guix/profiles/per-user/root/guix-profile/lib/locale";
LC_ALL = "C.UTF-8";
};
# Currently, this is just done the lazy way with the official Guix script. A
# more "formal" way would be creating our own Guix script to handle and
# generate the ACL file ourselves.
aclFile = pkgs.runCommandLocal "guix-acl" { } ''
export GUIX_CONFIGURATION_DIRECTORY=./
for official_server_keys in ${lib.concatStringsSep " " cfg.substituters.authorizedKeys}; do
${lib.getExe' cfg.package "guix"} archive --authorize < "$official_server_keys"
done
install -Dm0600 ./acl "$out"
'';
in
{
meta.maintainers = with lib.maintainers; [ foo-dogsquared ];
@ -118,6 +129,57 @@ in
example = "/gnu/var";
};
substituters = {
urls = lib.mkOption {
type = with lib.types; listOf str;
default = [
"https://ci.guix.gnu.org"
"https://bordeaux.guix.gnu.org"
"https://berlin.guix.gnu.org"
];
example = lib.literalExpression ''
options.services.guix.substituters.urls.default ++ [
"https://guix.example.com"
"https://guix.example.org"
]
'';
description = ''
A list of substitute servers' URLs for the Guix daemon to download
substitutes from.
'';
};
authorizedKeys = lib.mkOption {
type = with lib.types; listOf path;
default = [
"${cfg.package}/share/guix/ci.guix.gnu.org.pub"
"${cfg.package}/share/guix/bordeaux.guix.gnu.org.pub"
"${cfg.package}/share/guix/berlin.guix.gnu.org.pub"
];
defaultText = ''
The packaged signing keys from {option}`services.guix.package`.
'';
example = lib.literalExpression ''
options.services.guix.substituters.authorizedKeys.default ++ [
(builtins.fetchurl {
url = "https://guix.example.com/signing-key.pub";
})
(builtins.fetchurl {
url = "https://guix.example.org/static/signing-key.pub";
})
]
'';
description = ''
A list of signing keys for each substitute server to be authorized as
a source of substitutes. Without this, the listed substitute servers
from {option}`services.guix.substituters.urls` would be ignored [with
some
exceptions](https://guix.gnu.org/manual/en/html_node/Substitute-Authentication.html).
'';
};
};
publish = {
enable = mkEnableOption "substitute server for your Guix store directory";
@ -215,6 +277,8 @@ in
script = ''
${lib.getExe' package "guix-daemon"} \
--build-users-group=${cfg.group} \
${lib.optionalString (cfg.substituters.urls != [ ])
"--substitute-urls='${lib.concatStringsSep " " cfg.substituters.urls}'"} \
${lib.escapeShellArgs cfg.extraArgs}
'';
serviceConfig = {
@ -254,11 +318,7 @@ in
# Make transferring files from one store to another easier with the usual
# case being of most substitutes from the official Guix CI instance.
system.activationScripts.guix-authorize-keys = ''
for official_server_keys in ${package}/share/guix/*.pub; do
${lib.getExe' package "guix"} archive --authorize < $official_server_keys
done
'';
environment.etc."guix/acl".source = aclFile;
# Link the usual Guix profiles to the home directory. This is useful in
# ephemeral setups where only certain part of the filesystem is
@ -270,8 +330,8 @@ in
in ''
[ -d "${userProfile}" ] && ln -sfn "${userProfile}" "${location}"
'';
linkProfileToPath = acc: profile: location: let
in acc + (linkProfile profile location);
linkProfileToPath = acc: profile: location:
acc + (linkProfile profile location);
# This should contain export-only Guix user profiles. The rest of it is
# handled manually in the activation script.
@ -387,7 +447,7 @@ in
Type = "oneshot";
PrivateDevices = true;
PrivateNetworks = true;
PrivateNetwork = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelTunables = true;

8
third_party/nixpkgs/nixos/modules/services/misc/mollysocket.nix vendored
View file

@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) getExe mkIf mkOption mkEnableOption optionals types;
inherit (lib) getExe mkIf mkOption mkEnableOption types;
cfg = config.services.mollysocket;
configuration = format.generate "mollysocket.conf" cfg.settings;
@ -85,9 +85,7 @@ in {
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
environment.RUST_LOG = cfg.logLevel;
serviceConfig = let
capabilities = [ "" ] ++ optionals (cfg.settings.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
in {
serviceConfig = {
EnvironmentFile = cfg.environmentFile;
ExecStart = "${getExe package} server";
KillSignal = "SIGINT";
@ -97,8 +95,6 @@ in {
WorkingDirectory = "/var/lib/mollysocket";
# hardening
AmbientCapabilities = capabilities;
CapabilityBoundingSet = capabilities;
DevicePolicy = "closed";
DynamicUser = true;
LockPersonality = true;

7
third_party/nixpkgs/nixos/modules/services/misc/octoprint.nix vendored
View file

@ -5,10 +5,9 @@ let
baseConfig = {
plugins.curalegacy.cura_engine = "${pkgs.curaengine_stable}/bin/CuraEngine";
server.host = cfg.host;
server.port = cfg.port;
webcam.ffmpeg = "${pkgs.ffmpeg.bin}/bin/ffmpeg";
};
} // lib.optionalAttrs (cfg.host != null) {server.host = cfg.host;};
fullConfig = lib.recursiveUpdate cfg.extraConfig baseConfig;
@ -29,8 +28,8 @@ in
enable = lib.mkEnableOption "OctoPrint, web interface for 3D printers";
host = lib.mkOption {
type = lib.types.str;
default = "0.0.0.0";
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
Host to bind OctoPrint to.
'';

3
third_party/nixpkgs/nixos/modules/services/misc/paperless.nix vendored
View file

@ -372,9 +372,6 @@ in
SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid mbind" ];
# Needs to serve web page
PrivateNetwork = false;
} // lib.optionalAttrs (cfg.port < 1024) {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
environment = env // {
PYTHONPATH = "${cfg.package.python.pkgs.makePythonPath cfg.package.propagatedBuildInputs}:${cfg.package}/lib/paperless-ngx/src";

2
third_party/nixpkgs/nixos/modules/services/misc/renovate.nix vendored
View file

@ -100,12 +100,10 @@ in
] ++ cfg.runtimePackages;
serviceConfig = {
Type = "oneshot";
User = "renovate";
Group = "renovate";
DynamicUser = true;
LoadCredential = lib.mapAttrsToList (name: value: "SECRET-${name}:${value}") cfg.credentials;
RemainAfterExit = false;
Restart = "on-failure";
CacheDirectory = "renovate";
StateDirectory = "renovate";

3
third_party/nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix vendored
View file

@ -119,9 +119,6 @@ in
# gunicorn needs setuid
SystemCallFilter = [ "@system-service" "~@privileged" "@resources" "@setuid" "@keyring" ];
UMask = "0066";
} // lib.optionalAttrs (cfg.port < 1024) {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
wantedBy = [ "multi-user.target" ];

1
third_party/nixpkgs/nixos/modules/services/misc/transfer-sh.nix vendored
View file

@ -69,7 +69,6 @@ in
wantedBy = [ "multi-user.target" ];
environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings;
serviceConfig = {
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
DevicePolicy = "closed";
DynamicUser = true;
ExecStart = "${getExe cfg.package} --provider ${cfg.provider}";

Some files were not shown because too many files have changed in this diff Show more