ilyakooo0/nixpkgs
1
0
Fork 0
mirror of https://github.com/ilyakooo0/nixpkgs.git synced 2024-12-28 22:32:58 +03:00
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into sage-8.5

Browse Source
This commit is contained in:
Timo Kaufmann 2018-12-29 12:16:02 +01:00
commit 22c16ed300
2837 changed files with 46442 additions and 42275 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.github/CODEOWNERS vendored
View File

@ -55,7 +55,7 @@
/pkgs/top-level/python-packages.nix @FRidh
/pkgs/development/interpreters/python @FRidh
/pkgs/development/python-modules @FRidh
/doc/languages-frameworks/python.md @FRidh
/doc/languages-frameworks/python.section.md @FRidh
# Haskell
/pkgs/development/compilers/ghc @peti @ryantm @basvandijk
@ -64,13 +64,18 @@
/pkgs/development/haskell-modules/generic-builder.nix @peti @ryantm @basvandijk
/pkgs/development/haskell-modules/hoogle.nix @peti @ryantm @basvandijk
# Perl
/pkgs/development/interpreters/perl @volth
/pkgs/top-level/perl-packages.nix @volth
/pkgs/development/perl-modules @volth
# R
/pkgs/applications/science/math/R @peti
/pkgs/development/r-modules @peti
# Ruby
/pkgs/development/interpreters/ruby @zimbatm
/pkgs/development/ruby-modules @zimbatm
/pkgs/development/interpreters/ruby @alyssais @zimbatm
/pkgs/development/ruby-modules @alyssais @zimbatm
# Rust
/pkgs/development/compilers/rust @Mic92 @LnL7

3
.gitignore vendored
View File

@ -13,4 +13,5 @@ result-*
.DS_Store
/pkgs/development/libraries/qt-5/*/tmp/
/pkgs/desktops/kde-5/*/tmp/
/pkgs/desktops/kde-5/*/tmp/
/pkgs/development/mobile/androidenv/xml/*

29
doc/coding-conventions.xml
View File

@ -56,25 +56,30 @@ foo { arg = ...; }
or list elements should be aligned:
<programlisting>
# A long list.
list =
[ elem1
elem2
elem3
];
list = [
elem1
elem2
elem3
];
# A long attribute set.
attrs =
{ attr1 = short_expr;
attr2 =
if true then big_expr else big_expr;
};
# Alternatively:
attrs = {
attr1 = short_expr;
attr2 =
if true then big_expr else big_expr;
};
# Combined
listOfAttrs = [
{
attr1 = 3;
attr2 = "fff";
}
{
attr1 = 5;
attr2 = "ggg";
}
];
</programlisting>
</para>
</listitem>

2
doc/cross-compilation.xml
View File

@ -385,7 +385,7 @@ nix-build &lt;nixpkgs&gt; --arg crossSystem '(import &lt;nixpkgs/lib&gt;).system
Eventually we would like to make these platform examples an unnecessary
convenience so that
<programlisting>
nix-build &lt;nixpkgs&gt; --arg crossSystem.config '&lt;arch&gt;-&lt;os&gt;-&lt;vendor&gt;-&lt;abi&gt;' -A whatever</programlisting>
nix-build &lt;nixpkgs&gt; --arg crossSystem '{ config = "&lt;arch&gt;-&lt;os&gt;-&lt;vendor&gt;-&lt;abi&gt;"; }' -A whatever</programlisting>
works in the vast majority of cases. The problem today is dependencies on
other sorts of configuration which aren't given proper defaults. We rely on
the examples to crudely to set those configuration parameters in some

240
doc/languages-frameworks/android.section.md Normal file
View File

@ -0,0 +1,240 @@
---
title: Android
author: Sander van der Burg
date: 2018-11-18
---
# Android
The Android build environment provides three major features and a number of
supporting features.
Deploying an Android SDK installation with plugins
--------------------------------------------------
The first use case is deploying the SDK with a desired set of plugins or subsets
of an SDK.
```nix
with import <nixpkgs> {};
let
androidComposition = androidenv.composeAndroidPackages {
toolsVersion = "25.2.5";
platformToolsVersion = "27.0.1";
buildToolsVersions = [ "27.0.3" ];
includeEmulator = false;
emulatorVersion = "27.2.0";
platformVersions = [ "24" ];
includeSources = false;
includeDocs = false;
includeSystemImages = false;
systemImageTypes = [ "default" ];
abiVersions = [ "armeabi-v7a" ];
lldbVersions = [ "2.0.2558144" ];
cmakeVersions = [ "3.6.4111459" ];
includeNDK = false;
ndkVersion = "16.1.4479499";
useGoogleAPIs = false;
useGoogleTVAddOns = false;
includeExtras = [
"extras;google;gcm"
];
};
in
androidComposition.androidsdk
```
The above function invocation states that we want an Android SDK with the above
specified plugin versions. By default, most plugins are disabled. Notable
exceptions are the tools, platform-tools and build-tools sub packages.
The following parameters are supported:
* `toolsVersion`, specifies the version of the tools package to use
* `platformsToolsVersion` specifies the version of the `platform-tools` plugin
* `buildToolsVersion` specifies the versions of the `build-tools` plugins to
use.
* `includeEmulator` specifies whether to deploy the emulator package (`false`
by default). When enabled, the version of the emulator to deploy can be
specified by setting the `emulatorVersion` parameter.
* `includeDocs` specifies whether the documentation catalog should be included.
* `lldbVersions` specifies what LLDB versions should be deployed.
* `cmakeVersions` specifies which CMake versions should be deployed.
* `includeNDK` specifies that the Android NDK bundle should be included.
Defaults to: `false`.
* `ndkVersion` specifies the NDK version that we want to use.
* `includeExtras` is an array of identifier strings referring to arbitrary
add-on packages that should be installed.
* `platformVersions` specifies which platform SDK versions should be included.
For each platform version that has been specified, we can apply the following
options:
* `includeSystemImages` specifies whether a system image for each platform SDK
should be included.
* `includeSources` specifies whether the sources for each SDK version should be
included.
* `useGoogleAPIs` specifies that for each selected platform version the
Google API should be included.
* `useGoogleTVAddOns` specifies that for each selected platform version the
Google TV add-on should be included.
For each requested system image we can specify the following options:
* `systemImageTypes` specifies what kind of system images should be included.
Defaults to: `default`.
* `abiVersions` specifies what kind of ABI version of each system image should
be included. Defaults to: `armeabi-v7a`.
Most of the function arguments have reasonable default settings.
When building the above expression with:
```bash
$ nix-build
```
The Android SDK gets deployed with all desired plugin versions.
We can also deploy subsets of the Android SDK. For example, to only the the
`platform-tools` package, you can evaluate the following expression:
```nix
with import <nixpkgs> {};
let
androidComposition = androidenv.composeAndroidPackages {
# ...
};
in
androidComposition.platform-tools
```
Using predefine Android package compositions
--------------------------------------------
In addition to composing an Android package set manually, it is also possible
to use a predefined composition that contains all basic packages for a specific
Android version, such as version 9.0 (API-level 28).
The following Nix expression can be used to deploy the entire SDK with all basic
plugins:
```nix
with import <nixpkgs> {};
androidenv.androidPkgs_9_0.androidsdk
```
It is also possible to use one plugin only:
```nix
with import <nixpkgs> {};
androidenv.androidPkgs_9_0.platform-tools
```
Building an Android application
-------------------------------
In addition to the SDK, it is also possible to build an Ant-based Android
project and automatically deploy all the Android plugins that a project
requires.
```nix
with import <nixpkgs> {};
androidenv.buildApp {
name = "MyAndroidApp";
src = ./myappsources;
release = true;
# If release is set to true, you need to specify the following parameters
keyStore = ./keystore;
keyAlias = "myfirstapp";
keyStorePassword = "mykeystore";
keyAliasPassword = "myfirstapp";
# Any Android SDK parameters that install all the relevant plugins that a
# build requires
platformVersions = [ "24" ];
# When we include the NDK, then ndk-build is invoked before Ant gets invoked
includeNDK = true;
}
```
Aside from the app-specific build parameters (`name`, `src`, `release` and
keystore parameters), the `buildApp {}` function supports all the function
parameters that the SDK composition function (the function shown in the
previous section) supports.
This build function is particularly useful when it is desired to use
[Hydra](http://nixos.org/hydra): the Nix-based continuous integration solution
to build Android apps. An Android APK gets exposed as a build product and can be
installed on any Android device with a web browser by navigating to the build
result page.
Spawning emulator instances
---------------------------
For testing purposes, it can also be quite convenient to automatically generate
scripts that spawn emulator instances with all desired configuration settings.
An emulator spawn script can be configured by invoking the `emulateApp {}`
function:
```nix
with import <nixpkgs> {};
androidenv.emulateApp {
name = "emulate-MyAndroidApp";
platformVersion = "24";
abiVersion = "armeabi-v7a"; # mips, x86 or x86_64
systemImageType = "default";
useGoogleAPIs = false;
}
```
It is also possible to specify an APK to deploy inside the emulator
and the package and activity names to launch it:
```nix
with import <nixpkgs> {};
androidenv.emulateApp {
name = "emulate-MyAndroidApp";
platformVersion = "24";
abiVersion = "armeabi-v7a"; # mips, x86 or x86_64
systemImageType = "default";
useGoogleAPIs = false;
app = ./MyApp.apk;
package = "MyApp";
activity = "MainActivity";
}
```
In addition to prebuilt APKs, you can also bind the APK parameter to a
`buildApp {}` function invocation shown in the previous example.
Querying the available versions of each plugin
----------------------------------------------
When using any of the previously shown functions, it may be a bit inconvenient
to find out what options are supported, since the Android SDK provides many
plugins.
A shell script in the `pkgs/development/mobile/androidenv/` sub directory can be used to retrieve all
possible options:
```bash
sh ./querypackages.sh packages build-tools
```
The above command-line instruction queries all build-tools versions in the
generated `packages.nix` expression.
Updating the generated expressions
----------------------------------
Most of the Nix expressions are generated from XML files that the Android
package manager uses. To update the expressions run the `generate.sh` script
that is stored in the `pkgs/development/mobile/androidenv/` sub directory:
```bash
sh ./generate.sh
```

2
doc/languages-frameworks/haskell.section.md
View File

@ -935,7 +935,7 @@ The implementation can be found in the
[integer-gmp](http://hackage.haskell.org/package/integer-gmp) package.
A potential problem with this is that GMP is licensed under the
[GNU Lesser General Public License (LGPL)](http://www.gnu.org/copyleft/lesser.html),
[GNU Lesser General Public License (LGPL)](https://www.gnu.org/copyleft/lesser.html),
a kind of "copyleft" license. According to the terms of the LGPL, paragraph 5,
you may distribute a program that is designed to be compiled and dynamically
linked with the library under the terms of your choice (i.e., commercially) but

3
doc/languages-frameworks/index.xml
View File

@ -10,12 +10,14 @@
Nixpkgs to easily build packages for other programming languages, such as
Perl or Haskell. These are described in this chapter.
</para>
<xi:include href="android.section.xml" />
<xi:include href="beam.xml" />
<xi:include href="bower.xml" />
<xi:include href="coq.xml" />
<xi:include href="go.xml" />
<xi:include href="haskell.section.xml" />
<xi:include href="idris.section.xml" />
<xi:include href="ios.section.xml" />
<xi:include href="java.xml" />
<xi:include href="lua.xml" />
<xi:include href="node.section.xml" />
@ -27,6 +29,7 @@
<xi:include href="ruby.xml" />
<xi:include href="rust.section.xml" />
<xi:include href="texlive.xml" />
<xi:include href="titanium.section.xml" />
<xi:include href="vim.section.xml" />
<xi:include href="emscripten.section.xml" />
</chapter>

219
doc/languages-frameworks/ios.section.md Normal file
View File

@ -0,0 +1,219 @@
---
title: iOS
author: Sander van der Burg
date: 2018-11-18
---
# iOS
This component is basically a wrapper/workaround that makes it possible to
expose an Xcode installation as a Nix package by means of symlinking to the
relevant executables on the host system.
Since Xcode can't be packaged with Nix, nor we can publish it as a Nix package
(because of its license) this is basically the only integration strategy
making it possible to do iOS application builds that integrate with other
components of the Nix ecosystem
The primary objective of this project is to use the Nix expression language to
specify how iOS apps can be built from source code, and to automatically spawn
iOS simulator instances for testing.
This component also makes it possible to use [Hydra](http://nixos.org/hydra),
the Nix-based continuous integration server to regularly build iOS apps and to
do wireless ad-hoc installations of enterprise IPAs on iOS devices through
Hydra.
The Xcode build environment implements a number of features.
Deploying a proxy component wrapper exposing Xcode
--------------------------------------------------
The first use case is deploying a Nix package that provides symlinks to the Xcode
installation on the host system. This package can be used as a build input to
any build function implemented in the Nix expression language that requires
Xcode.
```nix
let
pkgs = import <nixpkgs> {};
xcodeenv = import ./xcodeenv {
inherit (pkgs) stdenv;
};
in
xcodeenv.composeXcodeWrapper {
version = "9.2";
xcodeBaseDir = "/Applications/Xcode.app";
}
```
By deploying the above expression with `nix-build` and inspecting its content
you will notice that several Xcode-related executables are exposed as a Nix
package:
```bash
$ ls result/bin
lrwxr-xr-x 1 sander staff 94 1 jan 1970 Simulator -> /Applications/Xcode.app/Contents/Developer/Applications/Simulator.app/Contents/MacOS/Simulator
lrwxr-xr-x 1 sander staff 17 1 jan 1970 codesign -> /usr/bin/codesign
lrwxr-xr-x 1 sander staff 17 1 jan 1970 security -> /usr/bin/security
lrwxr-xr-x 1 sander staff 21 1 jan 1970 xcode-select -> /usr/bin/xcode-select
lrwxr-xr-x 1 sander staff 61 1 jan 1970 xcodebuild -> /Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild
lrwxr-xr-x 1 sander staff 14 1 jan 1970 xcrun -> /usr/bin/xcrun
```
Building an iOS application
---------------------------
We can build an iOS app executable for the simulator, or an IPA/xcarchive file
for release purposes, e.g. ad-hoc, enterprise or store installations, by
executing the `xcodeenv.buildApp {}` function:
```nix
let
pkgs = import <nixpkgs> {};
xcodeenv = import ./xcodeenv {
inherit (pkgs) stdenv;
};
in
xcodeenv.buildApp {
name = "MyApp";
src = ./myappsources;
sdkVersion = "11.2";
target = null; # Corresponds to the name of the app by default
configuration = null; # Release for release builds, Debug for debug builds
scheme = null; # -scheme will correspond to the app name by default
sdk = null; # null will set it to 'iphonesimulator` for simulator builds or `iphoneos` to real builds
xcodeFlags = "";
release = true;
certificateFile = ./mycertificate.p12;
certificatePassword = "secret";
provisioningProfile = ./myprovisioning.profile;
signMethod = "ad-hoc"; # 'enterprise' or 'store'
generateIPA = true;
generateXCArchive = false;
enableWirelessDistribution = true;
installURL = "/installipa.php";
bundleId = "mycompany.myapp";
appVersion = "1.0";
# Supports all xcodewrapper parameters as well
xcodeBaseDir = "/Applications/Xcode.app";
}
```
The above function takes a variety of parameters:
* The `name` and `src` parameters are mandatory and specify the name of the app
and the location where the source code resides
* `sdkVersion` specifies which version of the iOS SDK to use.
It also possile to adjust the `xcodebuild` parameters. This is only needed in
rare circumstances. In most cases the default values should suffice:
* Specifies which `xcodebuild` target to build. By default it takes the target
that has the same name as the app.
* The `configuration` parameter can be overridden if desired. By default, it
will do a debug build for the simulator and a release build for real devices.
* The `scheme` parameter specifies which `-scheme` parameter to propagate to
`xcodebuild`. By default, it corresponds to the app name.
* The `sdk` parameter specifies which SDK to use. By default, it picks
`iphonesimulator` for simulator builds and `iphoneos` for release builds.
* The `xcodeFlags` parameter specifies arbitrary command line parameters that
should be propagated to `xcodebuild`.
By default, builds are carried out for the iOS simulator. To do release builds
(builds for real iOS devices), you must set the `release` parameter to `true`.
In addition, you need to set the following parameters:
* `certificateFile` refers to a P12 certificate file.
* `certificatePassword` specifies the password of the P12 certificate.
* `provisioningProfile` refers to the provision profile needed to sign the app
* `signMethod` should refer to `ad-hoc` for signing the app with an ad-hoc
certificate, `enterprise` for enterprise certificates and `app-store` for App
store certificates.
* `generateIPA` specifies that we want to produce an IPA file (this is probably
what you want)
* `generateXCArchive` specifies thet we want to produce an xcarchive file.
When building IPA files on Hydra and when it is desired to allow iOS devices to
install IPAs by browsing to the Hydra build products page, you can enable the
`enableWirelessDistribution` parameter.
When enabled, you need to configure the following options:
* The `installURL` parameter refers to the URL of a PHP script that composes the
`itms-services://` URL allowing iOS devices to install the IPA file.
* `bundleId` refers to the bundle ID value of the app
* `appVersion` refers to the app's version number
To use wireless adhoc distributions, you must also install the corresponding
PHP script on a web server (see section: 'Installing the PHP script for wireless
ad hoc installations from Hydra' for more information).
In addition to the build parameters, you can also specify any parameters that
the `xcodeenv.composeXcodeWrapper {}` function takes. For example, the
`xcodeBaseDir` parameter can be overridden to refer to a different Xcode
version.
Spawning simulator instances
----------------------------
In addition to building iOS apps, we can also automatically spawn simulator
instances:
```nix
let
pkgs = import <nixpkgs> {};
xcodeenv = import ./xcodeenv {
inherit (pkgs) stdenv;
};
in
xcode.simulateApp {
name = "simulate";
# Supports all xcodewrapper parameters as well
xcodeBaseDir = "/Applications/Xcode.app";
}
```
The above expression produces a script that starts the simulator from the
provided Xcode installation. The script can be started as follows:
```bash
./result/bin/run-test-simulator
```
By default, the script will show an overview of UDID for all available simulator
instances and asks you to pick one. You can also provide a UDID as a
command-line parameter to launch an instance automatically:
```bash
./result/bin/run-test-simulator 5C93129D-CF39-4B1A-955F-15180C3BD4B8
```
You can also extend the simulator script to automatically deploy and launch an
app in the requested simulator instance:
```nix
let
pkgs = import <nixpkgs> {};
xcodeenv = import ./xcodeenv {
inherit (pkgs) stdenv;
};
in
xcode.simulateApp {
name = "simulate";
bundleId = "mycompany.myapp";
app = xcode.buildApp {
# ...
};
# Supports all xcodewrapper parameters as well
xcodeBaseDir = "/Applications/Xcode.app";
}
```
By providing the result of an `xcode.buildApp {}` function and configuring the
app bundle id, the app gets deployed automatically and started.

21
doc/languages-frameworks/python.section.md
View File

@ -484,10 +484,12 @@ and in this case the `python35` interpreter is automatically used.
### Interpreters
Versions 2.7, 3.5, 3.6 and 3.7 of the CPython interpreter are available as
respectively `python27`, `python35`, `python36`, and `python37`. The PyPy
interpreter is available as `pypy`. The aliases `python2` and `python3`
correspond to respectively `python27` and `python37`. The default interpreter,
`python`, maps to `python2`. The Nix expressions for the interpreters can be
respectively `python27`, `python35`, `python36` and `python37`. The aliases
`python2` and `python3` correspond to respectively `python27` and
`python37`. The default interpreter, `python`, maps to `python2`. The PyPy
interpreters compatible with Python 2.7 and 3 are available as `pypy27` and
`pypy3`, with aliases `pypy2` mapping to `pypy27` and `pypy` mapping to
`pypy2`. The Nix expressions for the interpreters can be
found in `pkgs/development/interpreters/python`.
All packages depending on any Python interpreter get appended
@ -1102,7 +1104,7 @@ on `numpy` will be built with `mkl`.
The following is an overlay that configures `numpy` to use `mkl`:
```nix
self: super: {
python36 = super.python36.override {
python37 = super.python37.override {
packageOverrides = python-self: python-super: {
numpy = python-super.numpy.override {
blas = super.pkgs.mkl;
@ -1112,6 +1114,15 @@ self: super: {
}
```
`mkl` requires an `openmp` implementation when running with multiple processors.
By default, `mkl` will use Intel's `iomp` implementation if no other is
specified, but this is a runtime-only dependency and binary compatible with the
LLVM implementation. To use that one instead, Intel recommends users set it with
`LD_PRELOAD`.
Note that `mkl` is only available on `x86_64-{linux,darwin}` platforms;
moreover, Hydra is not building and distributing pre-compiled binaries using it.
## Contributing
### Contributing guidelines

11
doc/languages-frameworks/ruby.xml
View File

@ -50,6 +50,17 @@ bundlerEnv rec {
future updates can be run easily.
</para>
<para>
Updating Ruby packages can then be done like this:
</para>
<screen>
<![CDATA[$ cd pkgs/servers/monitoring/sensu
$ nix-shell -p bundler --run 'bundle lock --update'
$ nix-shell -p bundix --run 'bundix'
]]>
</screen>
<para>
For tools written in Ruby - i.e. where the desire is to install a package and
then execute e.g. <command>rake</command> at the command line, there is an

12
doc/languages-frameworks/texlive.xml
View File

@ -49,12 +49,12 @@ texlive.combine {
</listitem>
<listitem>
<para>
You can list packages e.g. by <command>nix-repl</command>.
<programlisting>
$ nix-repl
nix-repl> :l &lt;nixpkgs>
nix-repl> texlive.collection-&lt;TAB>
</programlisting>
You can list packages e.g. by <command>nix repl</command>.
<programlisting><![CDATA[
$ nix repl
nix-repl> :l <nixpkgs>
nix-repl> texlive.collection-<TAB>
]]></programlisting>
</para>
</listitem>
<listitem>

115
doc/languages-frameworks/titanium.section.md Normal file
View File

@ -0,0 +1,115 @@
---
title: Titanium
author: Sander van der Burg
date: 2018-11-18
---
# Titanium
The Nixpkgs repository contains facilities to deploy a variety of versions of
the [Titanium SDK](https://www.appcelerator.com) versions, a cross-platform
mobile app development framework using JavaScript as an implementation language,
and includes a function abstraction making it possible to build Titanium
applications for Android and iOS devices from source code.
Not all Titanium features supported -- currently, it can only be used to build
Android and iOS apps.
Building a Titanium app
-----------------------
We can build a Titanium app from source for Android or iOS and for debugging or
release purposes by invoking the `titaniumenv.buildApp {}` function:
```nix
titaniumenv.buildApp {
name = "myapp";
src = ./myappsource;
preBuild = "";
target = "android"; # or 'iphone'
tiVersion = "7.1.0.GA";
release = true;
androidsdkArgs = {
platformVersions = [ "25" "26" ];
};
androidKeyStore = ./keystore;
androidKeyAlias = "myfirstapp";
androidKeyStorePassword = "secret";
xcodeBaseDir = "/Applications/Xcode.app";
xcodewrapperArgs = {
version = "9.3";
};
iosMobileProvisioningProfile = ./myprovisioning.profile;
iosCertificateName = "My Company";
iosCertificate = ./mycertificate.p12;
iosCertificatePassword = "secret";
iosVersion = "11.3";
iosBuildStore = false;
enableWirelessDistribution = true;
installURL = "/installipa.php";
}
```
The `titaniumenv.buildApp {}` function takes the following parameters:
* The `name` parameter refers to the name in the Nix store.
* The `src` parameter refers to the source code location of the app that needs
to be built.
* `preRebuild` contains optional build instructions that are carried out before
the build starts.
* `target` indicates for which device the app must be built. Currently only
'android' and 'iphone' (for iOS) are supported.
* `tiVersion` can be used to optionally override the requested Titanium version
in `tiapp.xml`. If not specified, it will use the version in `tiapp.xml`.
* `release` should be set to true when building an app for submission to the
Google Playstore or Apple Appstore. Otherwise, it should be false.
When the `target` has been set to `android`, we can configure the following
parameters:
* The `androidSdkArgs` parameter refers to an attribute set that propagates all
parameters to the `androidenv.composeAndroidPackages {}` function. This can
be used to install all relevant Android plugins that may be needed to perform
the Android build. If no parameters are given, it will deploy the platform
SDKs for API-levels 25 and 26 by default.
When the `release` parameter has been set to true, you need to provide
parameters to sign the app:
* `androidKeyStore` is the path to the keystore file
* `androidKeyAlias` is the key alias
* `androidKeyStorePassword` refers to the password to open the keystore file.
When the `target` has been set to `iphone`, we can configure the following
parameters:
* The `xcodeBaseDir` parameter refers to the location where Xcode has been
installed. When none value is given, the above value is the default.
* The `xcodewrapperArgs` parameter passes arbitrary parameters to the
`xcodeenv.composeXcodeWrapper {}` function. This can, for example, be used
to adjust the default version of Xcode.
When `release` has been set to true, you also need to provide the following
parameters:
* `iosMobileProvisioningProfile` refers to a mobile provisioning profile needed
for signing.
* `iosCertificateName` refers to the company name in the P12 certificate.
* `iosCertificate` refers to the path to the P12 file.
* `iosCertificatePassword` contains the password to open the P12 file.
* `iosVersion` refers to the iOS SDK version to use. It defaults to the latest
version.
* `iosBuildStore` should be set to `true` when building for the Apple Appstore
submission. For enterprise or ad-hoc builds it should be set to `false`.
When `enableWirelessDistribution` has been enabled, you must also provide the
path of the PHP script (`installURL`) (that is included with the iOS build
environment) to enable wireless ad-hoc installations.
Emulating or simulating the app
-------------------------------
It is also possible to simulate the correspond iOS simulator build by using
`xcodeenv.simulateApp {}` and emulate an Android APK by using
`androidenv.emulateApp {}`.

7
doc/languages-frameworks/vim.section.md
View File

@ -48,7 +48,7 @@ neovim.override {
## Managing plugins with Vim packages
To store you plugins in Vim packages the following example can be used:
To store you plugins in Vim packages (the native vim plugin manager, see `:help packages`) the following example can be used:
```
vim_configurable.customize {
@ -56,6 +56,8 @@ vim_configurable.customize {
# loaded on launch
start = [ youcompleteme fugitive ];
# manually loadable by calling `:packadd $plugin-name`
# however, if a vim plugin has a dependency that is not explicitly listed in
# opt that dependency will always be added to start to avoid confusion.
opt = [ phpCompletion elm-vim ];
# To automatically load a plugin when opening a filetype, add vimrc lines like:
# autocmd FileType php :packadd phpCompletion
@ -63,6 +65,7 @@ vim_configurable.customize {
}
```
`myVimPackage` is an arbitrary name for the generated package. You can choose any name you like.
For Neovim the syntax is:
```
@ -74,6 +77,8 @@ neovim.override {
packages.myVimPackage = with pkgs.vimPlugins; {
# see examples below how to use custom packages
start = [ ];
# If a vim plugin has a dependency that is not explicitly listed in
# opt that dependency will always be added to start to avoid confusion.
opt = [ ];
};
};

8
doc/meta.xml
View File

@ -14,7 +14,7 @@ meta = with stdenv.lib; {
GNU Hello is a program that prints "Hello, world!" when you run it.
It is fully customizable.
'';
homepage = http://www.gnu.org/software/hello/manual/;
homepage = https://www.gnu.org/software/hello/manual/;
license = licenses.gpl3Plus;
maintainers = [ maintainers.eelco ];
platforms = platforms.all;
@ -35,7 +35,7 @@ $ nix-env -qa hello --json
"hello": {
"meta": {
"description": "A program that produces a familiar, friendly greeting",
"homepage": "http://www.gnu.org/software/hello/manual/",
"homepage": "https://www.gnu.org/software/hello/manual/",
"license": {
"fullName": "GNU General Public License version 3 or later",
"shortName": "GPLv3+",
@ -135,7 +135,7 @@ hello-2.3 A program that produces a familiar, friendly greeting
<listitem>
<para>
The packages homepage. Example:
<literal>http://www.gnu.org/software/hello/manual/</literal>
<literal>https://www.gnu.org/software/hello/manual/</literal>
</para>
</listitem>
</varlistentry>
@ -146,7 +146,7 @@ hello-2.3 A program that produces a familiar, friendly greeting
<listitem>
<para>
The page where a link to the current version can be found. Example:
<literal>http://ftp.gnu.org/gnu/hello/</literal>
<literal>https://ftp.gnu.org/gnu/hello/</literal>
</para>
</listitem>
</varlistentry>

64
doc/stdenv.xml
View File

@ -671,6 +671,43 @@ passthru = {
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<varname>passthru.updateScript</varname>
</term>
<listitem>
<para>
A script to be run by <filename>maintainers/scripts/update.nix</filename> when
the package is matched. It needs to be an executable file, either on the file
system:
<programlisting>
passthru.updateScript = ./update.sh;
</programlisting>
or inside the expression itself:
<programlisting>
passthru.updateScript = writeScript "update-zoom-us" ''
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl pcre common-updater-scripts
set -eu -o pipefail
version="$(curl -sI https://zoom.us/client/latest/zoom_x86_64.tar.xz | grep -Fi 'Location:' | pcregrep -o1 '/(([0-9]\.?)+)/')"
update-source-version zoom-us "$version"
'';
</programlisting>
The attribute can also contain a list, a script followed by arguments to be passed to it:
<programlisting>
passthru.updateScript = [ ../../update.sh pname "--requested-release=unstable" ];
</programlisting>
Note that the update scripts will be run in parallel by default; you should avoid running <command>git commit</command> or any other commands that cannot handle that.
</para>
<para>
For information about how to run the updates, execute
<cmdsynopsis><command>nix-shell</command> <arg>maintainers/scripts/update.nix</arg></cmdsynopsis>.
</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="sec-stdenv-phases">
@ -2463,17 +2500,17 @@ addEnvHooks "$hostOffset" myBashFunction
<listitem>
<para>
This hook will make a build pause instead of stopping when a failure
happen. It prevents nix to cleanup the build environment immediatly and
happens. It prevents nix from cleaning up the build environment immediately and
allows the user to attach to a build environment using the
<command>cntr</command> command. On build error it will print the
instruction that are neccessary for <command>cntr</command>. Installing
<command>cntr</command> command. Upon build error it will print
instructions on how to use <command>cntr</command>. Installing
cntr and running the command will provide shell access to the build
sandbox of failed build. At <filename>/var/lib/cntr</filename> the
sandbox filesystem is mounted. All commands and files of the system are
sandboxed filesystem is mounted. All commands and files of the system are
still accessible within the shell. To execute commands from the sandbox
use the cntr exec subcommand. Note that <command>cntr</command> also
needs to be executed on the machine that is doing the build, which might
be not the case when remote builders are enabled.
not be the case when remote builders are enabled.
<command>cntr</command> is only supported on Linux-based platforms. To
use it first add <literal>cntr</literal> to your
<literal>environment.systemPackages</literal> on NixOS or alternatively to
@ -2488,6 +2525,23 @@ addEnvHooks "$hostOffset" myBashFunction
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
libiconv, libintl
</term>
<listitem>
<para>
A few libraries automatically add to
<literal>NIX_LDFLAGS</literal> their library, making their
symbols automatically available to the linker. This includes
libiconv and libintl (gettext). This is done to provide
compatibility between GNU Linux, where libiconv and libintl
are bundled in, and other systems where that might not be the
case. Sometimes, this behavior is not desired. To disable
this behavior, set <literal>dontAddExtraLibs</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
cmake

9
lib/attrsets.nix
View File

@ -94,6 +94,15 @@ rec {
attrValues = builtins.attrValues or (attrs: attrVals (attrNames attrs) attrs);
/* Given a set of attribute names, return the set of the corresponding
attributes from the given set.
Example:
getAttrs [ "a" "b" ] { a = 1; b = 2; c = 3; }
=> { a = 1; b = 2; }
*/
getAttrs = names: attrs: genAttrs names (name: attrs.${name});
/* Collect each attribute named `attr' from a list of attribute
sets. Sets that don't contain the named attribute are ignored.

4
lib/default.nix
View File

@ -61,10 +61,10 @@ let
boolToString mergeAttrs flip mapNullable inNixShell min max
importJSON warn info nixpkgsVersion version mod compare
splitByAndCompare functionArgs setFunctionArgs isFunction;
inherit (fixedPoints) fix fix' extends composeExtensions
inherit (fixedPoints) fix fix' converge extends composeExtensions
makeExtensible makeExtensibleWithCustomName;
inherit (attrsets) attrByPath hasAttrByPath setAttrByPath
getAttrFromPath attrVals attrValues catAttrs filterAttrs
getAttrFromPath attrVals attrValues getAttrs catAttrs filterAttrs
filterAttrsRecursive foldAttrs collect nameValuePair mapAttrs
mapAttrs' mapAttrsToList mapAttrsRecursive mapAttrsRecursiveCond
genAttrs isDerivation toDerivation optionalAttrs

10
lib/fixed-points.nix
View File

@ -24,6 +24,16 @@ rec {
# for a concrete example.
fix' = f: let x = f x // { __unfix__ = f; }; in x;
# Return the fixpoint that `f` converges to when called recursively, starting
# with the input `x`.
#
# nix-repl> converge (x: x / 2) 16
# 0
converge = f: x:
if (f x) == x
then x
else converge f (f x);
# Modify the contents of an explicitly recursive attribute set in a way that
# honors `self`-references. This is accomplished with a function
#

61
lib/licenses.nix
View File

@ -29,13 +29,13 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
};
agpl3 = spdx {
spdxId = "AGPL-3.0";
fullName = "GNU Affero General Public License v3.0";
spdxId = "AGPL-3.0-only";
fullName = "GNU Affero General Public License v3.0 only";
};
agpl3Plus = {
agpl3Plus = spdx {
spdxId = "AGPL-3.0-or-later";
fullName = "GNU Affero General Public License v3.0 or later";
inherit (agpl3) url;
};
amazonsl = {
@ -266,13 +266,23 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
};
fdl12 = spdx {
spdxId = "GFDL-1.2";
fullName = "GNU Free Documentation License v1.2";
spdxId = "GFDL-1.2-only";
fullName = "GNU Free Documentation License v1.2 only";
};
fdl12Plus = spdx {
spdxId = "GFDL-1.2-or-later";
fullName = "GNU Free Documentation License v1.2 or later";
};
fdl13 = spdx {
spdxId = "GFDL-1.3";
fullName = "GNU Free Documentation License v1.3";
spdxId = "GFDL-1.3-only";
fullName = "GNU Free Documentation License v1.3 only";
};
fdl13Plus = spdx {
spdxId = "GFDL-1.3-or-later";
fullName = "GNU Free Documentation License v1.3 or later";
};
ffsl = {
@ -297,24 +307,23 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
};
gpl1 = spdx {
spdxId = "GPL-1.0";
spdxId = "GPL-1.0-only";
fullName = "GNU General Public License v1.0 only";
};
gpl1Plus = spdx {
spdxId = "GPL-1.0+";
spdxId = "GPL-1.0-or-later";
fullName = "GNU General Public License v1.0 or later";
};
gpl2 = spdx {
spdxId = "GPL-2.0";
spdxId = "GPL-2.0-only";
fullName = "GNU General Public License v2.0 only";
};
gpl2Classpath = {
gpl2Classpath = spdx {
spdxId = "GPL-2.0-with-classpath-exception";
fullName = "GNU General Public License v2.0 only (with Classpath exception)";
url = https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception;
};
gpl2ClasspathPlus = {
@ -328,17 +337,17 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
};
gpl2Plus = spdx {
spdxId = "GPL-2.0+";
spdxId = "GPL-2.0-or-later";
fullName = "GNU General Public License v2.0 or later";
};
gpl3 = spdx {
spdxId = "GPL-3.0";
spdxId = "GPL-3.0-only";
fullName = "GNU General Public License v3.0 only";
};
gpl3Plus = spdx {
spdxId = "GPL-3.0+";
spdxId = "GPL-3.0-or-later";
fullName = "GNU General Public License v3.0 or later";
};
@ -408,32 +417,32 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
};
lgpl2 = spdx {
spdxId = "LGPL-2.0";
spdxId = "LGPL-2.0-only";
fullName = "GNU Library General Public License v2 only";
};
lgpl2Plus = spdx {
spdxId = "LGPL-2.0+";
spdxId = "LGPL-2.0-or-later";
fullName = "GNU Library General Public License v2 or later";
};
lgpl21 = spdx {
spdxId = "LGPL-2.1";
spdxId = "LGPL-2.1-only";
fullName = "GNU Library General Public License v2.1 only";
};
lgpl21Plus = spdx {
spdxId = "LGPL-2.1+";
spdxId = "LGPL-2.1-or-later";
fullName = "GNU Library General Public License v2.1 or later";
};
lgpl3 = spdx {
spdxId = "LGPL-3.0";
spdxId = "LGPL-3.0-only";
fullName = "GNU Lesser General Public License v3.0 only";
};
lgpl3Plus = spdx {
spdxId = "LGPL-3.0+";
spdxId = "LGPL-3.0-or-later";
fullName = "GNU Lesser General Public License v3.0 or later";
};
@ -505,6 +514,12 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
free = false;
};
nasa13 = spdx {
spdxId = "NASA-1.3";
fullName = "NASA Open Source Agreement 1.3";
free = false;
};
ncsa = spdx {
spdxId = "NCSA";
fullName = "University of Illinois/NCSA Open Source License";
@ -691,7 +706,7 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
};
wxWindows = spdx {
spdxId = "WXwindows";
spdxId = "wxWindows";
fullName = "wxWindows Library Licence, Version 3.1";
};

20
lib/strings.nix
View File

@ -236,6 +236,26 @@ rec {
in lenContent >= lenSuffix &&
substring (lenContent - lenSuffix) lenContent content == suffix;
/* Determine whether a string contains the given infix
Type: hasInfix :: string -> string -> bool
Example:
hasInfix "bc" "abcd"
=> true
hasInfix "ab" "abcd"
=> true
hasInfix "cd" "abcd"
=> true
hasInfix "foo" "abcd"
=> false
*/
hasInfix = infix: content:
let
drop = x: substring 1 (stringLength x) x;
in hasPrefix infix content
|| content != "" && hasInfix infix (drop content);
/* Convert a string to a list of characters (i.e. singleton strings).
This allows you to, e.g., map a function over each character. However,
note that this will likely be horribly inefficient; Nix is not a

40
lib/systems/default.nix
View File

@ -66,6 +66,46 @@ rec {
# uname -r
release = null;
};
qemuArch =
if final.isArm then "arm"
else if final.isx86_64 then "x86_64"
else if final.isx86 then "i386"
else {
"powerpc" = "ppc";
"powerpc64" = "ppc64";
"powerpc64le" = "ppc64";
"mips64" = "mips";
"mipsel64" = "mipsel";
}.${final.parsed.cpu.name} or final.parsed.cpu.name;
emulator = pkgs: let
qemu-user = pkgs.qemu.override {
smartcardSupport = false;
spiceSupport = false;
openGLSupport = false;
virglSupport = false;
vncSupport = false;
gtkSupport = false;
sdlSupport = false;
pulseSupport = false;
smbdSupport = false;
seccompSupport = false;
hostCpuTargets = ["${final.qemuArch}-linux-user"];
};
wine-name = "wine${toString final.parsed.cpu.bits}";
wine = (pkgs.winePackagesFor wine-name).minimal;
in
if final.parsed.kernel.name == pkgs.stdenv.hostPlatform.parsed.kernel.name &&
(final.parsed.cpu.name == pkgs.stdenv.hostPlatform.parsed.cpu.name ||
(final.platform.isi686 && pkgs.stdenv.hostPlatform.isx86_64))
then pkgs.runtimeShell
else if final.isWindows
then "${wine}/bin/${wine-name}"
else if final.isLinux && pkgs.stdenv.hostPlatform.isLinux
then "${qemu-user}/bin/qemu-${final.qemuArch}"
else throw "Don't know how to run ${final.config} executables.";
} // mapAttrs (n: v: v final.parsed) inspect.predicates
// args;
in assert final.useAndroidPrebuilt -> final.isAndroid;

23
lib/systems/examples.nix
View File

@ -2,7 +2,14 @@
# `crossSystem`. They are put here for user convenience, but also used by cross
# tests and linux cross stdenv building, so handle with care!
{ lib }:
let platforms = import ./platforms.nix { inherit lib; }; in
let
platforms = import ./platforms.nix { inherit lib; };
riscv = bits: {
config = "riscv${bits}-unknown-linux-gnu";
platform = platforms.riscv-multiplatform bits;
};
in
rec {
#
@ -40,7 +47,7 @@ rec {
armv5te-android-prebuilt = rec {
config = "armv5tel-unknown-linux-androideabi";
sdkVer = "21";
ndkVer = "10e";
ndkVer = "18b";
platform = platforms.armv5te-android;
useAndroidPrebuilt = true;
};
@ -48,7 +55,7 @@ rec {
armv7a-android-prebuilt = rec {
config = "armv7a-unknown-linux-androideabi";
sdkVer = "24";
ndkVer = "17c";
ndkVer = "18b";
platform = platforms.armv7a-android;
useAndroidPrebuilt = true;
};
@ -56,7 +63,7 @@ rec {
aarch64-android-prebuilt = rec {
config = "aarch64-unknown-linux-android";
sdkVer = "24";
ndkVer = "17c";
ndkVer = "18b";
platform = platforms.aarch64-multiplatform;
useAndroidPrebuilt = true;
};
@ -92,10 +99,6 @@ rec {
musl64 = { config = "x86_64-unknown-linux-musl"; };
musl32 = { config = "i686-unknown-linux-musl"; };
riscv = bits: {
config = "riscv${bits}-unknown-linux-gnu";
platform = platforms.riscv-multiplatform bits;
};
riscv64 = riscv "64";
riscv32 = riscv "32";
@ -107,6 +110,10 @@ rec {
config = "arm-none-eabi";
libc = "newlib";
};
armhf-embedded = {
config = "arm-none-eabihf";
libc = "newlib";
};
aarch64-embedded = {
config = "aarch64-none-elf";

23
lib/systems/parse.nix
View File

@ -209,8 +209,15 @@ rec {
abis = setTypes types.openAbi {
cygnus = {};
msvc = {};
eabi = {};
elf = {};
# Note: eabi is specific to ARM and PowerPC.
# On PowerPC, this corresponds to PPCEABI.
# On ARM, this corresponds to ARMEABI.
eabi = { float = "soft"; };
eabihf = { float = "hard"; };
# Other architectures should use ELF in embedded situations.
elf = {};
androideabi = {};
android = {
@ -272,10 +279,8 @@ rec {
"2" = # We only do 2-part hacks for things Nix already supports
if elemAt l 1 == "cygwin"
then { cpu = elemAt l 0; kernel = "windows"; abi = "cygnus"; }
else if (elemAt l 1 == "eabi")
then { cpu = elemAt l 0; vendor = "none"; kernel = "none"; abi = elemAt l 1; }
else if (elemAt l 1 == "elf")
then { cpu = elemAt l 0; vendor = "none"; kernel = "none"; abi = elemAt l 1; }
else if (elemAt l 1) == "elf"
then { cpu = elemAt l 0; vendor = "unknown"; kernel = "none"; abi = elemAt l 1; }
else { cpu = elemAt l 0; kernel = elemAt l 1; };
"3" = # Awkwards hacks, beware!
if elemAt l 1 == "apple"
@ -286,10 +291,8 @@ rec {
then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = "windows"; abi = "gnu"; }
else if hasPrefix "netbsd" (elemAt l 2)
then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = elemAt l 2; }
else if (elemAt l 2 == "eabi")
then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = "none"; abi = elemAt l 2; }
else if (elemAt l 2 == "elf")
then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = "none"; abi = elemAt l 2; }
else if (elem (elemAt l 2) ["eabi" "eabihf" "elf"])
then { cpu = elemAt l 0; vendor = "unknown"; kernel = elemAt l 1; abi = elemAt l 2; }
else throw "Target specification with 3 components is ambiguous";
"4" = { cpu = elemAt l 0; vendor = elemAt l 1; kernel = elemAt l 2; abi = elemAt l 3; };
}.${toString (length l)}

55
maintainers/maintainer-list.nix
View File

@ -256,6 +256,11 @@
github = "AndrewMorsillo";
name = "Andrew Morsillo";
};
andersk = {
email = "andersk@mit.edu";
github = "andersk";
name = "Anders Kaseorg";
};
AndersonTorres = {
email = "torres.anderson.85@protonmail.com";
github = "AndersonTorres";
@ -401,6 +406,11 @@
github = "aszlig";
name = "aszlig";
};
atnnn = {
email = "etienne@atnnn.com";
github = "atnnn";
name = "Etienne Laurin";
};
auntie = {
email = "auntieNeo@gmail.com";
github = "auntie";
@ -1319,6 +1329,11 @@
github = "ellis";
name = "Ellis Whitehead";
};
elohmeier = {
email = "elo-nixos@nerdworks.de";
github = "elohmeier";
name = "Enno Lohmeier";
};
elseym = {
email = "elseym@me.com";
github = "elseym";
@ -1889,6 +1904,11 @@
github = "ironpinguin";
name = "Michele Catalano";
};
ivan = {
email = "ivan@ludios.org";
github = "ivan";
name = "Ivan Kozik";
};
ivan-tkatchev = {
email = "tkatchev@gmail.com";
name = "Ivan Tkatchev";
@ -1918,6 +1938,11 @@
github = "jagajaga";
name = "Arseniy Seroka";
};
jakelogemann = {
email = "jake.logemann@gmail.com";
github = "jakelogemann";
name = "Jake Logemann";
};
jammerful = {
email = "jammerful@gmail.com";
github = "jammerful";
@ -2052,6 +2077,11 @@
github = "jluttine";
name = "Jaakko Luttinen";
};
jmagnusj = {
email = "jmagnusj@gmail.com";
github = "magnusjonsson";
name = "Johan Magnus Jonsson";
};
jmettes = {
email = "jonathan@jmettes.com";
github = "jmettes";
@ -2459,6 +2489,11 @@
github = "listx";
name = "Linus Arver";
};
lionello = {
email = "lio@lunesu.com";
github = "lionello";
name = "Lionello Lunesu";
};
lluchs = {
email = "lukas.werling@gmail.com";
github = "lluchs";
@ -3404,6 +3439,11 @@
github = "pkmx";
name = "Chih-Mao Chen";
};
plchldr = {
email = "mail@oddco.de";
github = "plchldr";
name = "Jonas Beyer";
};
plcplc = {
email = "plcplc@gmail.com";
github = "plcplc";
@ -3856,6 +3896,11 @@
github = "sboosali";
name = "Sam Boosalis";
};
scalavision = {
email = "scalavision@gmail.com";
github = "scalavision";
name = "Tom Sorlie";
};
schmitthenner = {
email = "development@schmitthenner.eu";
github = "fkz";
@ -3925,6 +3970,11 @@
github = "seppeljordan";
name = "Sebastian Jordan";
};
seqizz = {
email = "seqizz@gmail.com";
github = "seqizz";
name = "Gurkan Gur";
};
sfrijters = {
email = "sfrijters@gmail.com";
github = "sfrijters";
@ -4258,6 +4308,11 @@
github = "talyz";
name = "Kim Lindberger";
};
taneb = {
email = "nvd1234@gmail.com";
github = "Taneb";
name = "Nathan van Doorn";
};
tari = {
email = "peter@taricorp.net";
github = "tari";

364
maintainers/scripts/update-python-libraries
View File

@ -1,361 +1,5 @@
#! /usr/bin/env nix-shell
#! nix-shell -i python3 -p "python3.withPackages(ps: with ps; [ packaging requests toolz ])" -p git
#!/bin/sh
build=`nix-build -E "with import (fetchTarball "channel:nixpkgs-unstable") {}; python3.withPackages(ps: with ps; [ packaging requests toolz ])"`
python=${build}/bin/python
exec ${python} pkgs/development/interpreters/python/update-python-libraries/update-python-libraries.py $@
"""
Update a Python package expression by passing in the `.nix` file, or the directory containing it.
You can pass in multiple files or paths.
You'll likely want to use
``
$ ./update-python-libraries ../../pkgs/development/python-modules/*
``
to update all libraries in that folder.
"""
import argparse
import logging
import os
import re
import requests
import toolz
from concurrent.futures import ThreadPoolExecutor as Pool
from packaging.version import Version as _Version
from packaging.version import InvalidVersion
from packaging.specifiers import SpecifierSet
import collections
import subprocess
INDEX = "https://pypi.io/pypi"
"""url of PyPI"""
EXTENSIONS = ['tar.gz', 'tar.bz2', 'tar', 'zip', '.whl']
"""Permitted file extensions. These are evaluated from left to right and the first occurance is returned."""
PRERELEASES = False
import logging
logging.basicConfig(level=logging.INFO)
class Version(_Version, collections.abc.Sequence):
def __init__(self, version):
super().__init__(version)
# We cannot use `str(Version(0.04.21))` because that becomes `0.4.21`
# https://github.com/avian2/unidecode/issues/13#issuecomment-354538882
self.raw_version = version
def __getitem__(self, i):
return self._version.release[i]
def __len__(self):
return len(self._version.release)
def __iter__(self):
yield from self._version.release
def _get_values(attribute, text):
"""Match attribute in text and return all matches.
:returns: List of matches.
"""
regex = '{}\s+=\s+"(.*)";'.format(attribute)
regex = re.compile(regex)
values = regex.findall(text)
return values
def _get_unique_value(attribute, text):
"""Match attribute in text and return unique match.
:returns: Single match.
"""
values = _get_values(attribute, text)
n = len(values)
if n > 1:
raise ValueError("found too many values for {}".format(attribute))
elif n == 1:
return values[0]
else:
raise ValueError("no value found for {}".format(attribute))
def _get_line_and_value(attribute, text):
"""Match attribute in text. Return the line and the value of the attribute."""
regex = '({}\s+=\s+"(.*)";)'.format(attribute)
regex = re.compile(regex)
value = regex.findall(text)
n = len(value)
if n > 1:
raise ValueError("found too many values for {}".format(attribute))
elif n == 1:
return value[0]
else:
raise ValueError("no value found for {}".format(attribute))
def _replace_value(attribute, value, text):
"""Search and replace value of attribute in text."""
old_line, old_value = _get_line_and_value(attribute, text)
new_line = old_line.replace(old_value, value)
new_text = text.replace(old_line, new_line)
return new_text
def _fetch_page(url):
r = requests.get(url)
if r.status_code == requests.codes.ok:
return r.json()
else:
raise ValueError("request for {} failed".format(url))
SEMVER = {
'major' : 0,
'minor' : 1,
'patch' : 2,
}
def _determine_latest_version(current_version, target, versions):
"""Determine latest version, given `target`.
"""
current_version = Version(current_version)
def _parse_versions(versions):
for v in versions:
try:
yield Version(v)
except InvalidVersion:
pass
versions = _parse_versions(versions)
index = SEMVER[target]
ceiling = list(current_version[0:index])
if len(ceiling) == 0:
ceiling = None
else:
ceiling[-1]+=1
ceiling = Version(".".join(map(str, ceiling)))
# We do not want prereleases
versions = SpecifierSet(prereleases=PRERELEASES).filter(versions)
if ceiling is not None:
versions = SpecifierSet(f"<{ceiling}").filter(versions)
return (max(sorted(versions))).raw_version
def _get_latest_version_pypi(package, extension, current_version, target):
"""Get latest version and hash from PyPI."""
url = "{}/{}/json".format(INDEX, package)
json = _fetch_page(url)
versions = json['releases'].keys()
version = _determine_latest_version(current_version, target, versions)
try:
releases = json['releases'][version]
except KeyError as e:
raise KeyError('Could not find version {} for {}'.format(version, package)) from e
for release in releases:
if release['filename'].endswith(extension):
# TODO: In case of wheel we need to do further checks!
sha256 = release['digests']['sha256']
break
else:
sha256 = None
return version, sha256
def _get_latest_version_github(package, extension, current_version, target):
raise ValueError("updating from GitHub is not yet supported.")
FETCHERS = {
'fetchFromGitHub' : _get_latest_version_github,
'fetchPypi' : _get_latest_version_pypi,
'fetchurl' : _get_latest_version_pypi,
}
DEFAULT_SETUPTOOLS_EXTENSION = 'tar.gz'
FORMATS = {
'setuptools' : DEFAULT_SETUPTOOLS_EXTENSION,
'wheel' : 'whl'
}
def _determine_fetcher(text):
# Count occurences of fetchers.
nfetchers = sum(text.count('src = {}'.format(fetcher)) for fetcher in FETCHERS.keys())
if nfetchers == 0:
raise ValueError("no fetcher.")
elif nfetchers > 1:
raise ValueError("multiple fetchers.")
else:
# Then we check which fetcher to use.
for fetcher in FETCHERS.keys():
if 'src = {}'.format(fetcher) in text:
return fetcher
def _determine_extension(text, fetcher):
"""Determine what extension is used in the expression.
If we use:
- fetchPypi, we check if format is specified.
- fetchurl, we determine the extension from the url.
- fetchFromGitHub we simply use `.tar.gz`.
"""
if fetcher == 'fetchPypi':
try:
src_format = _get_unique_value('format', text)
except ValueError as e:
src_format = None # format was not given
try:
extension = _get_unique_value('extension', text)
except ValueError as e:
extension = None # extension was not given
if extension is None:
if src_format is None:
src_format = 'setuptools'
elif src_format == 'flit':
raise ValueError("Don't know how to update a Flit package.")
extension = FORMATS[src_format]
elif fetcher == 'fetchurl':
url = _get_unique_value('url', text)
extension = os.path.splitext(url)[1]
if 'pypi' not in url:
raise ValueError('url does not point to PyPI.')
elif fetcher == 'fetchFromGitHub':
raise ValueError('updating from GitHub is not yet implemented.')
return extension
def _update_package(path, target):
# Read the expression
with open(path, 'r') as f:
text = f.read()
# Determine pname.
pname = _get_unique_value('pname', text)
# Determine version.
version = _get_unique_value('version', text)
# First we check how many fetchers are mentioned.
fetcher = _determine_fetcher(text)
extension = _determine_extension(text, fetcher)
new_version, new_sha256 = FETCHERS[fetcher](pname, extension, version, target)
if new_version == version:
logging.info("Path {}: no update available for {}.".format(path, pname))
return False
elif Version(new_version) <= Version(version):
raise ValueError("downgrade for {}.".format(pname))
if not new_sha256:
raise ValueError("no file available for {}.".format(pname))
text = _replace_value('version', new_version, text)
text = _replace_value('sha256', new_sha256, text)
with open(path, 'w') as f:
f.write(text)
logging.info("Path {}: updated {} from {} to {}".format(path, pname, version, new_version))
result = {
'path' : path,
'target': target,
'pname': pname,
'old_version' : version,
'new_version' : new_version,
#'fetcher' : fetcher,
}
return result
def _update(path, target):
# We need to read and modify a Nix expression.
if os.path.isdir(path):
path = os.path.join(path, 'default.nix')
# If a default.nix does not exist, we quit.
if not os.path.isfile(path):
logging.info("Path {}: does not exist.".format(path))
return False
# If file is not a Nix expression, we quit.
if not path.endswith(".nix"):
logging.info("Path {}: does not end with `.nix`.".format(path))
return False
try:
return _update_package(path, target)
except ValueError as e:
logging.warning("Path {}: {}".format(path, e))
return False
def _commit(path, pname, old_version, new_version, **kwargs):
"""Commit result.
"""
msg = f'python: {pname}: {old_version} -> {new_version}'
try:
subprocess.check_call(['git', 'add', path])
subprocess.check_call(['git', 'commit', '-m', msg])
except subprocess.CalledProcessError as e:
subprocess.check_call(['git', 'checkout', path])
raise subprocess.CalledProcessError(f'Could not commit {path}') from e
return True
def main():
parser = argparse.ArgumentParser()
parser.add_argument('package', type=str, nargs='+')
parser.add_argument('--target', type=str, choices=SEMVER.keys(), default='major')
parser.add_argument('--commit', action='store_true', help='Create a commit for each package update')
args = parser.parse_args()
target = args.target
packages = list(map(os.path.abspath, args.package))
logging.info("Updating packages...")
# Use threads to update packages concurrently
with Pool() as p:
results = list(p.map(lambda pkg: _update(pkg, target), packages))
logging.info("Finished updating packages.")
# Commits are created sequentially.
if args.commit:
logging.info("Committing updates...")
list(map(lambda x: _commit(**x), filter(bool, results)))
logging.info("Finished committing updates")
count = sum(map(bool, results))
logging.info("{} package(s) updated".format(count))
if __name__ == '__main__':
main()

53
maintainers/scripts/update.nix
View File

@ -1,6 +1,8 @@
{ package ? null
, maintainer ? null
, path ? null
, max-workers ? null
, keep-going ? null
}:
# TODO: add assert statements
@ -105,26 +107,23 @@ let
% nix-shell maintainers/scripts/update.nix --argstr path gnome3
to run update script for all package under an attribute path.
You can also add
--argstr max-workers 8
to increase the number of jobs in parallel, or
--argstr keep-going true
to continue running when a single update fails.
'';
runUpdateScript = package: ''
echo -ne " - ${package.name}: UPDATING ..."\\r
${package.updateScript} &> ${(builtins.parseDrvName package.name).name}.log
CODE=$?
if [ "$CODE" != "0" ]; then
echo " - ${package.name}: ERROR "
echo ""
echo "--- SHOWING ERROR LOG FOR ${package.name} ----------------------"
echo ""
cat ${(builtins.parseDrvName package.name).name}.log
echo ""
echo "--- SHOWING ERROR LOG FOR ${package.name} ----------------------"
exit $CODE
else
rm ${(builtins.parseDrvName package.name).name}.log
fi
echo " - ${package.name}: DONE. "
'';
packageData = package: {
name = package.name;
pname = (builtins.parseDrvName package.name).name;
updateScript = pkgs.lib.toList package.updateScript;
};
in pkgs.stdenv.mkDerivation {
name = "nixpkgs-update-script";
@ -139,21 +138,7 @@ in pkgs.stdenv.mkDerivation {
exit 1
'';
shellHook = ''
echo ""
echo "Going to be running update for following packages:"
echo "${builtins.concatStringsSep "\n" (map (x: " - ${x.name}") packages)}"
echo ""
read -n1 -r -p "Press space to continue..." confirm
if [ "$confirm" = "" ]; then
echo ""
echo "Running update for:"
${builtins.concatStringsSep "\n" (map runUpdateScript packages)}
echo ""
echo "Packages updated!"
exit 0
else
echo "Aborting!"
exit 1
fi
unset shellHook # do not contaminate nested shells
exec ${pkgs.python3.interpreter} ${./update.py} ${pkgs.writeText "packages.json" (builtins.toJSON (map packageData packages))}${pkgs.lib.optionalString (max-workers != null) " --max-workers=${max-workers}"}${pkgs.lib.optionalString (keep-going == "true") " --keep-going"}
'';
}

79
maintainers/scripts/update.py Normal file
View File

@ -0,0 +1,79 @@
import argparse
import concurrent.futures
import json
import os
import subprocess
import sys
updates = {}
def eprint(*args, **kwargs):
print(*args, file=sys.stderr, **kwargs)
def run_update_script(package):
eprint(f" - {package['name']}: UPDATING ...")
subprocess.run(package['updateScript'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, check=True)
def main(max_workers, keep_going, packages):
with open(sys.argv[1]) as f:
packages = json.load(f)
eprint()
eprint('Going to be running update for following packages:')
for package in packages:
eprint(f" - {package['name']}")
eprint()
confirm = input('Press Enter key to continue...')
if confirm == '':
eprint()
eprint('Running update for:')
with concurrent.futures.ProcessPoolExecutor(max_workers=max_workers) as executor:
for package in packages:
updates[executor.submit(run_update_script, package)] = package
for future in concurrent.futures.as_completed(updates):
package = updates[future]
try:
future.result()
eprint(f" - {package['name']}: DONE.")
except subprocess.CalledProcessError as e:
eprint(f" - {package['name']}: ERROR")
eprint()
eprint(f"--- SHOWING ERROR LOG FOR {package['name']} ----------------------")
eprint()
eprint(e.stdout.decode('utf-8'))
with open(f"{package['pname']}.log", 'wb') as f:
f.write(e.stdout)
eprint()
eprint(f"--- SHOWING ERROR LOG FOR {package['name']} ----------------------")
if not keep_going:
sys.exit(1)
eprint()
eprint('Packages updated!')
sys.exit()
else:
eprint('Aborting!')
sys.exit(130)
parser = argparse.ArgumentParser(description='Update packages')
parser.add_argument('--max-workers', '-j', dest='max_workers', type=int, help='Number of updates to run concurrently', nargs='?', default=4)
parser.add_argument('--keep-going', '-k', dest='keep_going', action='store_true', help='Do not stop after first failure')
parser.add_argument('packages', help='JSON file containing the list of package names and their update scripts')
if __name__ == '__main__':
args = parser.parse_args()
try:
main(args.max_workers, args.keep_going, args.packages)
except (KeyboardInterrupt, SystemExit) as e:
for update in updates:
update.cancel()
sys.exit(e.code if isinstance(e, SystemExit) else 130)

2
nixos/doc/manual/configuration/adding-custom-packages.xml
View File

@ -31,7 +31,7 @@ $ cd nixpkgs
<para>
The second possibility is to add the package outside of the Nixpkgs tree. For
instance, here is how you specify a build of the
<link xlink:href="http://www.gnu.org/software/hello/">GNU Hello</link>
<link xlink:href="https://www.gnu.org/software/hello/">GNU Hello</link>
package directly in <filename>configuration.nix</filename>:
<programlisting>
<xref linkend="opt-environment.systemPackages"/> =

27
nixos/doc/manual/configuration/modularity.xml
View File

@ -113,12 +113,10 @@ $ nixos-option <xref linkend="opt-boot.kernelModules"/>
[ "tun" "ipv6" "loop" <replaceable>...</replaceable> ]
</screen>
Interactive exploration of the configuration is possible using
<command
xlink:href="https://github.com/edolstra/nix-repl">nix-repl</command>,
a read-eval-print loop for Nix expressions. Its not installed by default;
run <literal>nix-env -i nix-repl</literal> to get it. A typical use:
<command>nix repl</command>, a read-eval-print loop for Nix expressions.
A typical use:
<screen>
$ nix-repl '&lt;nixpkgs/nixos>'
$ nix repl '&lt;nixpkgs/nixos>'
nix-repl> config.<xref linkend="opt-networking.hostName"/>
"mandark"
@ -127,4 +125,23 @@ nix-repl> map (x: x.hostName) config.<xref linkend="opt-services.httpd.virtualHo
[ "example.org" "example.gov" ]
</screen>
</para>
<para>
While abstracting your configuration, you may find it useful to generate
modules using code, instead of writing files. The example
below would have the same effect as importing a file which sets those
options.
<screen>
{ config, pkgs, ... }:
let netConfig = { hostName }: {
networking.hostName = hostName;
networking.useDHCP = false;
};
in
{ imports = [ (netConfig "nixos.localdomain") ]; }
</screen>
</para>
</section>

2
nixos/doc/manual/development/running-nixos-tests-interactively.xml
View File

@ -19,7 +19,7 @@ starting VDE switch for network 1
&gt; startAll
&gt; testScript
&gt; $machine->succeed("touch /tmp/foo")
&gt; print($machine->succeed("pwd"), "\n") # Show stdout of command
&gt; print($machine->succeed("pwd")) # Show stdout of command
</screen>
The function <command>testScript</command> executes the entire test script
and drops you back into the test driver command line upon its completion.

2
nixos/doc/manual/development/writing-nixos-tests.xml
View File

@ -108,7 +108,7 @@ xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualis
<programlisting>
$machine->start;
$machine->waitForUnit("default.target");
die unless $machine->succeed("uname") =~ /Linux/;
$machine->succeed("uname") =~ /Linux/ or die;
</programlisting>
The first line is actually unnecessary; machines are implicitly started when
you first execute an action on them (such as <literal>waitForUnit</literal>

2
nixos/doc/manual/release-notes/rl-1412.xml
View File

@ -17,7 +17,7 @@
</listitem>
<listitem>
<para>
<link xlink:href="http://thread.gmane.org/gmane.linux.distributions.nixos/15165">
<link xlink:href="https://www.mail-archive.com/nix-dev@lists.science.uu.nl/msg13957.html">
Nix has been updated to 1.8.</link>
</para>
</listitem>

128
nixos/doc/manual/release-notes/rl-1903.xml
View File

@ -39,7 +39,18 @@
<itemizedlist>
<listitem>
<para />
<para>
<literal>./programs/nm-applet.nix</literal>
</para>
</listitem>
<listitem>
<para>
There is a new <varname>security.googleOsLogin</varname> module for using
<link xlink:href="https://cloud.google.com/compute/docs/instances/managing-instance-access">OS Login</link>
to manage SSH access to Google Compute Engine instances, which supersedes
the imperative and broken <literal>google-accounts-daemon</literal> used
in <literal>nixos/modules/virtualisation/google-compute-config.nix</literal>.
</para>
</listitem>
</itemizedlist>
</section>
@ -111,6 +122,16 @@
without Syncthing resetting the permission on every start.
</para>
</listitem>
<listitem>
<para>
The <literal>ntp</literal> module now has sane default restrictions.
If you're relying on the previous defaults, which permitted all queries
and commands from all firewall-permitted sources, you can set
<varname>services.ntp.restrictDefault</varname> and
<varname>services.ntp.restrictSource</varname> to
<literal>[]</literal>.
</para>
</listitem>
<listitem>
<para>
Package <varname>rabbitmq_server</varname> is renamed to
@ -231,8 +252,97 @@
(<literal>networking.firewall.interfaces.default.*</literal>), and assigning
to this pseudo device will override the (<literal>networking.firewall.allow*</literal>)
options.
</para>
</listitem>
</para>
</listitem>
<listitem>
<para>
The <literal>nscd</literal> service now disables all caching of
<literal>passwd</literal> and <literal>group</literal> databases by
default. This was interferring with the correct functioning of the
<literal>libnss_systemd.so</literal> module which is used by
<literal>systemd</literal> to manage uids and usernames in the presence of
<literal>DynamicUser=</literal> in systemd services. This was already the
default behaviour in presence of <literal>services.sssd.enable =
true</literal> because nscd caching would interfere with
<literal>sssd</literal> in unpredictable ways as well. Because we're
using nscd not for caching, but for convincing glibc to find NSS modules
in the nix store instead of an absolute path, we have decided to disable
caching globally now, as it's usually not the behaviour the user wants and
can lead to surprising behaviour. Furthermore, negative caching of host
lookups is also disabled now by default. This should fix the issue of dns
lookups failing in the presence of an unreliable network.
</para>
<para>
If the old behaviour is desired, this can be restored by setting
the <literal>services.nscd.config</literal> option
with the desired caching parameters.
<programlisting>
services.nscd.config =
''
server-user nscd
threads 1
paranoia no
debug-level 0
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd no
shared passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group no
shared group yes
enable-cache hosts yes
positive-time-to-live hosts 600
negative-time-to-live hosts 5
suggested-size hosts 211
check-files hosts yes
persistent hosts no
shared hosts yes
'';
</programlisting>
See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
for details.
</para>
</listitem>
<listitem>
<para>
GitLab Shell previously used the nix store paths for the
<literal>gitlab-shell</literal> command in its
<literal>authorized_keys</literal> file, which might stop working after
garbage collection. To circumvent that, we regenerated that file on each
startup. As <literal>gitlab-shell</literal> has now been changed to use
<literal>/var/run/current-system/sw/bin/gitlab-shell</literal>, this is
not necessary anymore, but there might be leftover lines with a nix store
path. Regenerate the <literal>authorized_keys</literal> file via
<command>sudo -u git -H gitlab-rake gitlab:shell:setup</command> in that
case.
</para>
</listitem>
<listitem>
<para>
The <literal>pam_unix</literal> account module is now loaded with its
control field set to <literal>required</literal> instead of
<literal>sufficient</literal>, so that later pam account modules that
might do more extensive checks are being executed.
Previously, the whole account module verification was exited prematurely
in case a nss module provided the account name to
<literal>pam_unix</literal>.
The LDAP and SSSD NixOS modules already add their NSS modules when
enabled. In case your setup breaks due to some later pam account module
previosuly shadowed, or failing NSS lookups, please file a bug. You can
get back the old behaviour by manually setting
<literal><![CDATA[security.pam.services.<name?>.text]]></literal>.
</para>
</listitem>
</itemizedlist>
</section>
@ -273,6 +383,18 @@
<option>services.kubernetes.addons.dns.replicas</option>.
</para>
</listitem>
<listitem>
<para>
The quassel-webserver package and module was removed from nixpkgs due to the lack
of maintainers.
</para>
</listitem>
<listitem>
<para>
The owncloud server packages and httpd subservice module were removed
from nixpkgs due to the lack of maintainers.
</para>
</listitem>
</itemizedlist>
</section>
</section>

19
nixos/lib/make-ext4-fs.nix
View File

@ -94,5 +94,24 @@ pkgs.stdenv.mkDerivation {
cat errorlog
return 1
fi
(
# Resizes **snugly** to its actual limits (or closer to)
free=$(dumpe2fs $out | grep '^Free blocks:')
blocksize=$(dumpe2fs $out | grep '^Block size:')
blocks=$(dumpe2fs $out | grep '^Block count:')
blocks=$((''${blocks##*:})) # format the number.
blocksize=$((''${blocksize##*:})) # format the number.
# System can't boot with 0 blocks free.
# Add 16MiB of free space
fudge=$(( 16 * 1024 * 1024 / blocksize ))
size=$(( blocks - ''${free##*:} + fudge ))
echo "Resizing from $blocks blocks to $size blocks. (~ $((size*blocksize/1024/1024))MiB)"
EXT2FS_NO_MTAB_OK=yes resize2fs $out -f $size
)
# And a final fsck, because of the previous truncating.
fsck.ext4 -n -f $out
'';
}

5
nixos/lib/make-iso9660-image.sh
View File

@ -47,7 +47,8 @@ if test -n "$bootable"; then
isoBootFlags="-eltorito-boot ${bootImage}
-eltorito-catalog .boot.cat
-no-emul-boot -boot-load-size 4 -boot-info-table"
-no-emul-boot -boot-load-size 4 -boot-info-table
--sort-weight 1 /isolinux" # Make sure isolinux is near the beginning of the ISO
fi
if test -n "$usbBootable"; then
@ -112,7 +113,7 @@ xorriso="xorriso
-r
-path-list pathlist
--sort-weight 0 /
--sort-weight 1 /isolinux" # Make sure isolinux is near the beginning of the ISO
"
$xorriso -output $out/iso/$isoName

22
nixos/lib/testing.nix
View File

@ -116,7 +116,7 @@ in rec {
vms = map (m: m.config.system.build.vm) (lib.attrValues nodes);
ocrProg = tesseract_4.override { enableLanguages = [ "eng" ]; };
ocrProg = tesseract4.override { enableLanguages = [ "eng" ]; };
imagemagick_tiff = imagemagick_light.override { inherit libtiff; };
@ -156,9 +156,23 @@ in rec {
test = passMeta (runTests driver);
report = passMeta (releaseTools.gcovReport { coverageRuns = [ test ]; });
in (if makeCoverageReport then report else test) // {
inherit nodes driver test;
};
nodeNames = builtins.attrNames nodes;
invalidNodeNames = lib.filter
(node: builtins.match "^[A-z_][A-z0-9_]+$" node == null) nodeNames;
in
if lib.length invalidNodeNames > 0 then
throw ''
Cannot create machines out of (${lib.concatStringsSep ", " invalidNodeNames})!
All machines are referenced as perl variables in the testing framework which will break the
script when special characters are used.
Please stick to alphanumeric chars and underscores as separation.
''
else
(if makeCoverageReport then report else test) // {
inherit nodes driver test;
};
runInMachine =
{ drv

5
nixos/lib/utils.nix
View File

@ -7,9 +7,8 @@ rec {
|| elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ];
# Check whenever `b` depends on `a` as a fileSystem
# FIXME: it's incorrect to simply use hasPrefix here: "/dev/a" is not a parent of "/dev/ab"
fsBefore = a: b: ((any (x: elem x [ "bind" "move" ]) b.options) && (a.mountPoint == b.device))
|| (hasPrefix a.mountPoint b.mountPoint);
fsBefore = a: b: a.mountPoint == b.device
|| hasPrefix "${a.mountPoint}${optionalString (!(hasSuffix "/" a.mountPoint)) "/"}" b.mountPoint;
# Escape a path according to the systemd rules, e.g. /dev/xyzzy
# becomes dev-xyzzy. FIXME: slow.

25
nixos/modules/config/appstream.nix Normal file
View File

@ -0,0 +1,25 @@
{ config, lib, ... }:
with lib;
{
options = {
appstream.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to install files to support the
<link xlink:href="https://www.freedesktop.org/software/appstream/docs/index.html">AppStream metadata specification</link>.
'';
};
};
config = mkIf config.appstream.enable {
environment.pathsToLink = [
# per component metadata
"/share/metainfo"
# legacy path for above
"/share/appdata"
];
};
}

14
nixos/modules/config/i18n.nix
View File

@ -34,6 +34,17 @@ with lib;
'';
};
extraLocaleSettings = mkOption {
type = types.attrsOf types.str;
default = {};
example = { LC_MESSAGES = "en_US.UTF-8"; LC_TIME = "de_DE.UTF-8"; };
description = ''
A set of additional system-wide locale settings other than
<literal>LANG</literal> which can be configured with
<option>i18n.defaultLocale</option>.
'';
};
supportedLocales = mkOption {
type = types.listOf types.str;
default = ["all"];
@ -129,7 +140,7 @@ with lib;
environment.sessionVariables =
{ LANG = config.i18n.defaultLocale;
LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
};
} // config.i18n.extraLocaleSettings;
systemd.globalEnvironment = mkIf (config.i18n.supportedLocales != []) {
LOCALE_ARCHIVE = "${config.i18n.glibcLocales}/lib/locale/locale-archive";
@ -141,6 +152,7 @@ with lib;
source = pkgs.writeText "locale.conf"
''
LANG=${config.i18n.defaultLocale}
${concatStringsSep "\n" (mapAttrsToList (n: v: ''${n}=${v}'') config.i18n.extraLocaleSettings)}
'';
};

2
nixos/modules/config/no-x-libs.nix
View File

@ -35,7 +35,7 @@ with lib;
networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
pinentry = super.pinentry_ncurses;
gobjectIntrospection = super.gobjectIntrospection.override { x11Support = false; };
gobject-introspection = super.gobject-introspection.override { x11Support = false; };
}));
};
}

8
nixos/modules/config/nsswitch.nix
View File

@ -1,6 +1,6 @@
# Configuration for the Name Service Switch (/etc/nsswitch.conf).
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
with lib;
@ -15,6 +15,7 @@ let
ldap = canLoadExternalModules && (config.users.ldap.enable && config.users.ldap.nsswitch);
sssd = canLoadExternalModules && config.services.sssd.enable;
resolved = canLoadExternalModules && config.services.resolved.enable;
googleOsLogin = canLoadExternalModules && config.security.googleOsLogin.enable;
hostArray = [ "files" ]
++ optional mymachines "mymachines"
@ -29,6 +30,7 @@ let
++ optional sssd "sss"
++ optional ldap "ldap"
++ optional mymachines "mymachines"
++ optional googleOsLogin "cache_oslogin oslogin"
++ [ "systemd" ];
shadowArray = [ "files" ]
@ -97,7 +99,7 @@ in {
# configured IP addresses, or ::1 and 127.0.0.2 as
# fallbacks. Systemd also provides nss-mymachines to return IP
# addresses of local containers.
system.nssModules = optionals canLoadExternalModules [ config.systemd.package.out ];
system.nssModules = (optionals canLoadExternalModules [ config.systemd.package.out ])
++ optional googleOsLogin pkgs.google-compute-engine-oslogin.out;
};
}

22
nixos/modules/config/xdg/sounds.nix Normal file
View File

@ -0,0 +1,22 @@
{ config, lib, ... }:
with lib;
{
options = {
xdg.sounds.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to install files to support the
<link xlink:href="https://www.freedesktop.org/wiki/Specifications/sound-theme-spec/">XDG Sound Theme specification</link>.
'';
};
};
config = mkIf config.xdg.sounds.enable {
environment.pathsToLink = [
"/share/sounds"
];
};
}

28
nixos/modules/hardware/bladeRF.nix Normal file
View File

@ -0,0 +1,28 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.bladeRF;
in
{
options.hardware.bladeRF = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enables udev rules for BladeRF devices. By default grants access
to users in the "bladerf" group. You may want to install the
libbladeRF package.
'';
};
};
config = mkIf cfg.enable {
services.udev.packages = [ pkgs.libbladeRF ];
users.groups.bladerf = {};
};
}

6
nixos/modules/hardware/video/nvidia.nix
View File

@ -20,6 +20,8 @@ let
kernelPackages.nvidia_x11_legacy304
else if elem "nvidiaLegacy340" drivers then
kernelPackages.nvidia_x11_legacy340
else if elem "nvidiaLegacy390" drivers then
kernelPackages.nvidia_x11_legacy390
else null;
nvidia_x11 = nvidiaForKernel config.boot.kernelPackages;
@ -101,8 +103,8 @@ in
config = mkIf enabled {
assertions = [
{
assertion = config.services.xserver.displayManager.gdm.wayland;
message = "NVIDIA drivers don't support wayland";
assertion = with config.services.xserver.displayManager; gdm.enable -> !gdm.wayland;
message = "NVIDIA drivers don't support wayland, set services.xserver.displayManager.gdm.wayland=false";
}
{
assertion = !optimusCfg.enable ||

82
nixos/modules/installer/cd-dvd/iso-image.nix
View File

@ -50,7 +50,7 @@ let
finalCfg = {
name = "NixOS ${config.system.nixos.label}${config.isoImage.appendToMenuLabel}";
params = "init=${config.system.build.toplevel}/init ${additional} ${toString config.boot.kernelParams}";
image = "/boot/bzImage";
image = "/boot/${config.system.boot.loader.kernelFile}";
initrd = "/boot/initrd";
};
in
@ -163,7 +163,7 @@ let
cp -v ${pkgs.refind}/share/refind/refind_x64.efi $out/EFI/boot/
''
else
"# No refind for ia32"
"# No refind for ${targetArch}"
;
grubMenuCfg = ''
@ -222,18 +222,34 @@ let
efiDir = pkgs.runCommand "efi-directory" {} ''
mkdir -p $out/EFI/boot/
# ALWAYS required modules.
MODULES="fat iso9660 part_gpt part_msdos \
normal boot linux configfile loopback chain halt \
efifwsetup efi_gop efi_uga \
efifwsetup efi_gop \
ls search search_label search_fs_uuid search_fs_file \
gfxmenu gfxterm gfxterm_background gfxterm_menu test all_video loadenv \
exfat ext2 ntfs btrfs hfsplus udf \
videoinfo png \
echo serial \
"
echo "Building GRUB with modules:"
for mod in $MODULES; do
echo " - $mod"
done
# Modules that may or may not be available per-platform.
echo "Adding additional modules:"
for mod in efi_uga; do
if [ -f ${pkgs.grub2_efi}/lib/grub/${pkgs.grub2_efi.grubTarget}/$mod.mod ]; then
echo " - $mod"
MODULES+=" $mod"
fi
done
# Make our own efi program, we can't rely on "grub-install" since it seems to
# probe for devices, even with --skip-fs-probe.
${pkgs.grub2_efi}/bin/grub-mkimage -o $out/EFI/boot/${if targetArch == "x64" then "bootx64" else "bootia32"}.efi -p /EFI/boot -O ${if targetArch == "x64" then "x86_64" else "i386"}-efi \
${pkgs.grub2_efi}/bin/grub-mkimage -o $out/EFI/boot/boot${targetArch}.efi -p /EFI/boot -O ${pkgs.grub2_efi.grubTarget} \
$MODULES
cp ${pkgs.grub2_efi}/share/grub/unicode.pf2 $out/EFI/boot/
@ -339,15 +355,24 @@ let
echo "Image size: $image_size"
truncate --size=$image_size "$out"
${pkgs.libfaketime}/bin/faketime "2000-01-01 00:00:00" ${pkgs.dosfstools}/sbin/mkfs.vfat -i 12345678 -n EFIBOOT "$out"
mcopy -bpsvm -i "$out" ./* ::
mcopy -psvm -i "$out" ./* ::
# Verify the FAT partition.
${pkgs.dosfstools}/sbin/fsck.vfat -vn "$out"
''; # */
targetArch = if pkgs.stdenv.isi686 then
"ia32"
else if pkgs.stdenv.isx86_64 then
"x64"
else
throw "Unsupported architecture";
# Name used by UEFI for architectures.
targetArch =
if pkgs.stdenv.isi686 then
"ia32"
else if pkgs.stdenv.isx86_64 then
"x64"
else if pkgs.stdenv.isAarch64 then
"aa64"
else
throw "Unsupported architecture";
# Syslinux (and isolinux) only supports x86-based architectures.
canx86BiosBoot = pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64;
in
@ -481,9 +506,9 @@ in
# here and it causes a cyclic dependency.
boot.loader.grub.enable = false;
# !!! Hack - attributes expected by other modules.
system.boot.loader.kernelFile = "bzImage";
environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi pkgs.syslinux ];
environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi ]
++ optional canx86BiosBoot pkgs.syslinux
;
# In stage 1 of the boot, mount the CD as the root FS by label so
# that we don't need to know its device. We pass the label of the
@ -554,13 +579,7 @@ in
# Individual files to be included on the CD, outside of the Nix
# store on the CD.
isoImage.contents =
[ { source = pkgs.substituteAll {
name = "isolinux.cfg";
src = pkgs.writeText "isolinux.cfg-in" isolinuxCfg;
bootRoot = "/boot";
};
target = "/isolinux/isolinux.cfg";
}
[
{ source = config.boot.kernelPackages.kernel + "/" + config.system.boot.loader.kernelFile;
target = "/boot/" + config.system.boot.loader.kernelFile;
}
@ -570,9 +589,6 @@ in
{ source = config.system.build.squashfsStore;
target = "/nix-store.squashfs";
}
{ source = "${pkgs.syslinux}/share/syslinux";
target = "/isolinux";
}
{ source = config.isoImage.efiSplashImage;
target = "/EFI/boot/efi-background.png";
}
@ -582,6 +598,17 @@ in
{ source = pkgs.writeText "version" config.system.nixos.label;
target = "/version.txt";
}
] ++ optionals canx86BiosBoot [
{ source = pkgs.substituteAll {
name = "isolinux.cfg";
src = pkgs.writeText "isolinux.cfg-in" isolinuxCfg;
bootRoot = "/boot";
};
target = "/isolinux/isolinux.cfg";
}
{ source = "${pkgs.syslinux}/share/syslinux";
target = "/isolinux";
}
] ++ optionals config.isoImage.makeEfiBootable [
{ source = efiImg;
target = "/boot/efi.img";
@ -589,7 +616,7 @@ in
{ source = "${efiDir}/EFI";
target = "/EFI";
}
] ++ optionals config.boot.loader.grub.memtest86.enable [
] ++ optionals (config.boot.loader.grub.memtest86.enable && canx86BiosBoot) [
{ source = "${pkgs.memtest86plus}/memtest.bin";
target = "/boot/memtest.bin";
}
@ -604,9 +631,10 @@ in
# Create the ISO image.
system.build.isoImage = pkgs.callPackage ../../../lib/make-iso9660-image.nix ({
inherit (config.isoImage) isoName compressImage volumeID contents;
bootable = true;
bootable = canx86BiosBoot;
bootImage = "/isolinux/isolinux.bin";
} // optionalAttrs config.isoImage.makeUsbBootable {
syslinux = if canx86BiosBoot then pkgs.syslinux else null;
} // optionalAttrs (config.isoImage.makeUsbBootable && canx86BiosBoot) {
usbBootable = true;
isohybridMbrImage = "${pkgs.syslinux}/share/syslinux/isohdpfx.bin";
} // optionalAttrs config.isoImage.makeEfiBootable {

7
nixos/modules/installer/cd-dvd/sd-image-aarch64-new-kernel.nix Normal file
View File

@ -0,0 +1,7 @@
{ pkgs, ... }:
{
imports = [ ./sd-image-aarch64.nix ];
boot.kernelPackages = pkgs.linuxPackages_latest;
}

1
nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
View File

@ -26,7 +26,6 @@ in
boot.loader.generic-extlinux-compatible.enable = true;
boot.consoleLogLevel = lib.mkDefault 7;
boot.kernelPackages = pkgs.linuxPackages_latest;
# The serial ports listed here are:
# - ttyS0: for Tegra (Jetson TX1)

4
nixos/modules/installer/cd-dvd/sd-image.nix
View File

@ -134,7 +134,9 @@ in
${config.sdImage.populateBootCommands}
# Copy the populated /boot into the SD image
(cd boot; mcopy -bpsvm -i ../bootpart.img ./* ::)
(cd boot; mcopy -psvm -i ../bootpart.img ./* ::)
# Verify the FAT partition before copying it.
fsck.vfat -vn bootpart.img
dd conv=notrunc if=bootpart.img of=$img seek=$START count=$SECTORS
'';
}) {};

2
nixos/modules/misc/ids.nix
View File

@ -337,6 +337,7 @@
alerta = 310;
minetest = 311;
rss2email = 312;
cockroachdb = 313;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -634,6 +635,7 @@
alerta = 310;
minetest = 311;
rss2email = 312;
cockroachdb = 313;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

11
nixos/modules/module-list.nix
View File

@ -11,6 +11,8 @@
./config/xdg/icons.nix
./config/xdg/menus.nix
./config/xdg/mime.nix
./config/appstream.nix
./config/xdg/sounds.nix
./config/gtk/gtk-icon-cache.nix
./config/gnu.nix
./config/i18n.nix
@ -34,6 +36,7 @@
./config/vpnc.nix
./config/zram.nix
./hardware/all-firmware.nix
./hardware/bladeRF.nix
./hardware/brightnessctl.nix
./hardware/ckb-next.nix
./hardware/cpu/amd-microcode.nix
@ -106,6 +109,7 @@
./programs/mininet.nix
./programs/mtr.nix
./programs/nano.nix
./programs/nm-applet.nix
./programs/npm.nix
./programs/oblogout.nix
./programs/plotinus.nix
@ -150,6 +154,7 @@
./security/chromium-suid-sandbox.nix
./security/dhparams.nix
./security/duosec.nix
./security/google_oslogin.nix
./security/hidepid.nix
./security/lock-kernel-modules.nix
./security/misc.nix
@ -212,6 +217,7 @@
./services/databases/aerospike.nix
./services/databases/cassandra.nix
./services/databases/clickhouse.nix
./services/databases/cockroachdb.nix
./services/databases/couchdb.nix
./services/databases/firebird.nix
./services/databases/foundationdb.nix
@ -246,6 +252,7 @@
./services/desktops/gnome3/gnome-documents.nix
./services/desktops/gnome3/gnome-keyring.nix
./services/desktops/gnome3/gnome-online-accounts.nix
./services/desktops/gnome3/gnome-remote-desktop.nix
./services/desktops/gnome3/gnome-online-miners.nix
./services/desktops/gnome3/gnome-terminal-server.nix
./services/desktops/gnome3/gnome-user-share.nix
@ -297,6 +304,7 @@
./services/hardware/usbmuxd.nix
./services/hardware/thermald.nix
./services/hardware/undervolt.nix
./services/hardware/vdr.nix
./services/logging/SystemdJournal2Gelf.nix
./services/logging/awstats.nix
./services/logging/fluentd.nix
@ -332,11 +340,13 @@
./services/mail/rspamd.nix
./services/mail/rss2email.nix
./services/mail/rmilter.nix
./services/mail/roundcube.nix
./services/mail/nullmailer.nix
./services/misc/airsonic.nix
./services/misc/apache-kafka.nix
./services/misc/autofs.nix
./services/misc/autorandr.nix
./services/misc/bees.nix
./services/misc/bepasty.nix
./services/misc/canto-daemon.nix
./services/misc/calibre-server.nix
@ -710,7 +720,6 @@
./services/web-apps/restya-board.nix
./services/web-apps/tt-rss.nix
./services/web-apps/selfoss.nix
./services/web-apps/quassel-webserver.nix
./services/web-apps/virtlyst.nix
./services/web-apps/youtrack.nix
./services/web-servers/apache-httpd/default.nix

2
nixos/modules/profiles/base.nix
View File

@ -49,7 +49,7 @@
];
# Include support for various filesystems.
boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "ntfs" "cifs" ];
boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "zfs" "ntfs" "cifs" ];
# Configure host id for ZFS to work
networking.hostId = lib.mkDefault "8425e349";

12
nixos/modules/profiles/hardened.nix
View File

@ -20,6 +20,12 @@ with lib;
security.allowUserNamespaces = mkDefault false;
security.protectKernelImage = mkDefault true;
security.allowSimultaneousMultithreading = mkDefault false;
security.virtualization.flushL1DataCache = mkDefault "always";
security.apparmor.enable = mkDefault true;
boot.kernelParams = [
@ -28,9 +34,6 @@ with lib;
# Disable legacy virtual syscalls
"vsyscall=none"
# Disable hibernation (allows replacing the running kernel)
"nohibernate"
];
boot.blacklistedKernelModules = [
@ -44,9 +47,6 @@ with lib;
# (e.g., parent/child)
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
# Restrict access to kernel ring buffer (information leaks)
boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;

3
nixos/modules/programs/adb.nix
View File

@ -16,7 +16,6 @@ with lib;
To grant access to a user, it must be part of adbusers group:
<code>users.users.alice.extraGroups = ["adbusers"];</code>
'';
relatedPackages = [ ["androidenv" "platformTools"] ];
};
};
};
@ -24,7 +23,7 @@ with lib;
###### implementation
config = mkIf config.programs.adb.enable {
services.udev.packages = [ pkgs.android-udev-rules ];
environment.systemPackages = [ pkgs.androidenv.platformTools ];
environment.systemPackages = [ pkgs.androidenv.androidPkgs_9_0.platform-tools ];
users.groups.adbusers = {};
};
}

7
nixos/modules/programs/bash/bash.nix
View File

@ -98,7 +98,12 @@ in
if [ "$TERM" != "dumb" -o -n "$INSIDE_EMACS" ]; then
PROMPT_COLOR="1;31m"
let $UID && PROMPT_COLOR="1;32m"
PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
if [ -n "$INSIDE_EMACS" ]; then
# Emacs term mode doesn't support xterm title escape sequence (\e]0;)
PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
else
PS1="\n\[\033[$PROMPT_COLOR\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\$\[\033[0m\] "
fi
if test "$TERM" = "xterm"; then
PS1="\[\033]2;\h:\u:\w\007\]$PS1"
fi

14
nixos/modules/programs/nm-applet.nix Normal file
View File

@ -0,0 +1,14 @@
{ config, lib, pkgs, ... }:
{
options.programs.nm-applet.enable = lib.mkEnableOption "nm-applet";
config = lib.mkIf config.programs.nm-applet.enable {
systemd.user.services.nm-applet = {
description = "Network manager applet";
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
serviceConfig.ExecStart = "${pkgs.networkmanagerapplet}/bin/nm-applet";
};
};
}

15
nixos/modules/programs/sway-beta.nix
View File

@ -7,8 +7,19 @@ let
swayPackage = cfg.package;
swayWrapped = pkgs.writeShellScriptBin "sway" ''
${cfg.extraSessionCommands}
exec ${pkgs.dbus.dbus-launch} --exit-with-session ${swayPackage}/bin/sway
set -o errexit
if [ ! "$_SWAY_WRAPPER_ALREADY_EXECUTED" ]; then
export _SWAY_WRAPPER_ALREADY_EXECUTED=1
${cfg.extraSessionCommands}
fi
if [ "$DBUS_SESSION_BUS_ADDRESS" ]; then
export DBUS_SESSION_BUS_ADDRESS
exec ${swayPackage}/bin/sway "$@"
else
exec ${pkgs.dbus}/bin/dbus-run-session ${swayPackage}/bin/sway "$@"
fi
'';
swayJoined = pkgs.symlinkJoin {
name = "sway-joined";

8
nixos/modules/programs/zsh/oh-my-zsh.xml
View File

@ -19,7 +19,7 @@
configuration format of <literal>oh-my-zsh</literal>.
<programlisting>
{
programs.ohMyZsh = {
programs.zsh.ohMyZsh = {
enable = true;
plugins = [ "git" "python" "man" ];
theme = "agnoster";
@ -51,7 +51,7 @@
The module can do this as well:
<programlisting>
{
programs.ohMyZsh.custom = "~/path/to/custom/scripts";
programs.zsh.ohMyZsh.custom = "~/path/to/custom/scripts";
}
</programlisting>
</para>
@ -73,7 +73,7 @@
<programlisting>
{ pkgs, ... }:
{
programs.ohMyZsh.customPkgs = with pkgs; [
programs.zsh.ohMyZsh.customPkgs = with pkgs; [
pkgs.nix-zsh-completions
# and even more...
];
@ -87,7 +87,7 @@
<para>
<emphasis>Please keep in mind that this is not compatible with
<literal>programs.ohMyZsh.custom</literal> as it requires an immutable store
<literal>programs.zsh.ohMyZsh.custom</literal> as it requires an immutable store
path while <literal>custom</literal> shall remain mutable! An evaluation
failure will be thrown if both <literal>custom</literal> and
<literal>customPkgs</literal> are set.</emphasis>

8
nixos/modules/programs/zsh/zsh-autosuggestions.nix
View File

@ -18,13 +18,13 @@ in
};
strategy = mkOption {
type = types.enum [ "default" "match_prev_cmd" ];
default = "default";
type = types.enum [ "history" "match_prev_cmd" ];
default = "history";
description = ''
Set ZSH_AUTOSUGGEST_STRATEGY to choose the strategy for generating suggestions.
There are currently two to choose from:
* default: Chooses the most recent match.
* history: Chooses the most recent match.
* match_prev_cmd: Chooses the most recent match whose preceding history item matches
the most recently executed command (more info). Note that this strategy won't work as
expected with ZSH options that don't preserve the history order such as
@ -51,7 +51,7 @@ in
source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh
export ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE="${cfg.highlightStyle}"
export ZSH_AUTOSUGGEST_STRATEGY="${cfg.strategy}"
export ZSH_AUTOSUGGEST_STRATEGY=("${cfg.strategy}")
${concatStringsSep "\n" (mapAttrsToList (key: value: ''export ${key}="${value}"'') cfg.extraConfig)}
'';

68
nixos/modules/security/google_oslogin.nix Normal file
View File

@ -0,0 +1,68 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security.googleOsLogin;
package = pkgs.google-compute-engine-oslogin;
in
{
options = {
security.googleOsLogin.enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable Google OS Login
The OS Login package enables the following components:
AuthorizedKeysCommand to query valid SSH keys from the user's OS Login
profile during ssh authentication phase.
NSS Module to provide user and group information
PAM Module for the sshd service, providing authorization and
authentication support, allowing the system to use data stored in
Google Cloud IAM permissions to control both, the ability to log into
an instance, and to perform operations as root (sudo).
'';
};
};
config = mkIf cfg.enable {
security.pam.services.sshd = {
makeHomeDir = true;
googleOsLoginAccountVerification = true;
# disabled for now: googleOsLoginAuthentication = true;
};
security.sudo.extraConfig = ''
#includedir /run/google-sudoers.d
'';
systemd.tmpfiles.rules = [
"d /run/google-sudoers.d 750 root root -"
"d /var/google-users.d 750 root root -"
];
# enable the nss module, so user lookups etc. work
system.nssModules = [ package ];
# Ugly: sshd refuses to start if a store path is given because /nix/store is group-writable.
# So indirect by a symlink.
environment.etc."ssh/authorized_keys_command_google_oslogin" = {
mode = "0755";
text = ''
#!/bin/sh
exec ${package}/bin/google_authorized_keys "$@"
'';
};
services.openssh.extraConfig = ''
AuthorizedKeysCommand /etc/ssh/authorized_keys_command_google_oslogin %u
AuthorizedKeysCommandUser nobody
'';
};
}

108
nixos/modules/security/misc.nix
View File

@ -22,18 +22,104 @@ with lib;
a user namespace fails with "no space left on device" (ENOSPC).
'';
};
security.protectKernelImage = mkOption {
type = types.bool;
default = false;
description = ''
Whether to prevent replacing the running kernel image.
'';
};
security.allowSimultaneousMultithreading = mkOption {
type = types.bool;
default = true;
description = ''
Whether to allow SMT/hyperthreading. Disabling SMT means that only
physical CPU cores will be usable at runtime, potentially at
significant performance cost.
</para>
<para>
The primary motivation for disabling SMT is to mitigate the risk of
leaking data between threads running on the same CPU core (due to
e.g., shared caches). This attack vector is unproven.
</para>
<para>
Disabling SMT is a supplement to the L1 data cache flushing mitigation
(see <xref linkend="opt-security.virtualization.flushL1DataCache"/>)
versus malicious VM guests (SMT could "bring back" previously flushed
data).
</para>
<para>
'';
};
security.virtualization.flushL1DataCache = mkOption {
type = types.nullOr (types.enum [ "never" "cond" "always" ]);
default = null;
description = ''
Whether the hypervisor should flush the L1 data cache before
entering guests.
See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>.
</para>
<para>
<variablelist>
<varlistentry>
<term><literal>null</literal></term>
<listitem><para>uses the kernel default</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"never"</literal></term>
<listitem><para>disables L1 data cache flushing entirely.
May be appropriate if all guests are trusted.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"cond"</literal></term>
<listitem><para>flushes L1 data cache only for pre-determined
code paths. May leak information about the host address space
layout.</para></listitem>
</varlistentry>
<varlistentry>
<term><literal>"always"</literal></term>
<listitem><para>flushes L1 data cache every time the hypervisor
enters the guest. May incur significant performance cost.
</para></listitem>
</varlistentry>
</variablelist>
'';
};
};
config = mkIf (!config.security.allowUserNamespaces) {
# Setting the number of allowed user namespaces to 0 effectively disables
# the feature at runtime. Note that root may raise the limit again
# at any time.
boot.kernel.sysctl."user.max_user_namespaces" = 0;
config = mkMerge [
(mkIf (!config.security.allowUserNamespaces) {
# Setting the number of allowed user namespaces to 0 effectively disables
# the feature at runtime. Note that root may raise the limit again
# at any time.
boot.kernel.sysctl."user.max_user_namespaces" = 0;
assertions = [
{ assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
}
];
};
assertions = [
{ assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
}
];
})
(mkIf config.security.protectKernelImage {
# Disable hibernation (allows replacing the running kernel)
boot.kernelParams = [ "nohibernate" ];
# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
})
(mkIf (!config.security.allowSimultaneousMultithreading) {
boot.kernelParams = [ "nosmt" ];
})
(mkIf (config.security.virtualization.flushL1DataCache != null) {
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualization.flushL1DataCache}" ];
})
];
}

32
nixos/modules/security/pam.nix
View File

@ -77,6 +77,30 @@ let
'';
};
googleOsLoginAccountVerification = mkOption {
default = false;
type = types.bool;
description = ''
If set, will use the Google OS Login PAM modules
(<literal>pam_oslogin_login</literal>,
<literal>pam_oslogin_admin</literal>) to verify possible OS Login
users and set sudoers configuration accordingly.
This only makes sense to enable for the <literal>sshd</literal> PAM
service.
'';
};
googleOsLoginAuthentication = mkOption {
default = false;
type = types.bool;
description = ''
If set, will use the <literal>pam_oslogin_login</literal>'s user
authentication methods to authenticate users using 2FA.
This only makes sense to enable for the <literal>sshd</literal> PAM
service.
'';
};
fprintAuth = mkOption {
default = config.services.fprintd.enable;
type = types.bool;
@ -269,7 +293,7 @@ let
text = mkDefault
(''
# Account management.
account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so
account required pam_unix.so
${optionalString use_ldap
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
@ -278,8 +302,14 @@ let
"account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
${optionalString config.krb5.enable
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
${optionalString cfg.googleOsLoginAccountVerification ''
account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so
''}
# Authentication management.
${optionalString cfg.googleOsLoginAuthentication
"auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"}
${optionalString cfg.rootOK
"auth sufficient pam_rootok.so"}
${optionalString cfg.requireWheel

2
nixos/modules/services/backup/borgbackup.nix
View File

@ -191,7 +191,7 @@ in {
options = {
paths = mkOption {
type = with types; either path (nonEmptyListOf path);
type = with types; either path (listOf str);
description = "Path(s) to back up.";
example = "/home/user";
apply = x: if isList x then x else [ x ];

14
nixos/modules/services/computing/slurm/slurm.nix
View File

@ -46,7 +46,7 @@ let
# in the same directory as slurm.conf
etcSlurm = pkgs.symlinkJoin {
name = "etc-slurm";
paths = [ configFile cgroupConfig plugStackConfig ];
paths = [ configFile cgroupConfig plugStackConfig ] ++ cfg.extraConfigPaths;
};
in
@ -239,6 +239,17 @@ in
'';
};
extraConfigPaths = mkOption {
type = with types; listOf path;
default = [];
description = ''
Slurm expects config files for plugins in the same path
as <literal>slurm.conf</literal>. Add extra nix store
paths that should be merged into same directory as
<literal>slurm.conf</literal>.
'';
};
};
@ -303,6 +314,7 @@ in
serviceConfig = {
Type = "forking";
KillMode = "process";
ExecStart = "${wrappedSlurm}/bin/slurmd";
PIDFile = "/run/slurmd.pid";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

36
nixos/modules/services/continuous-integration/jenkins/job-builder.nix
View File

@ -42,6 +42,18 @@ in {
type = types.str;
description = ''
User token in Jenkins used to reload config.
WARNING: This token will be world readable in the Nix store. To keep
it secret, use the <option>accessTokenFile</option> option instead.
'';
};
accessTokenFile = mkOption {
default = "";
type = types.str;
example = "/run/keys/jenkins-job-builder-access-token";
description = ''
File containing the API token for the <option>accessUser</option>
user.
'';
};
@ -103,6 +115,21 @@ in {
};
config = mkIf (jenkinsCfg.enable && cfg.enable) {
assertions = [
{ assertion =
if cfg.accessUser != ""
then (cfg.accessToken != "" && cfg.accessTokenFile == "") ||
(cfg.accessToken == "" && cfg.accessTokenFile != "")
else true;
message = ''
One of accessToken and accessTokenFile options must be non-empty
strings, but not both. Current values:
services.jenkins.jobBuilder.accessToken = "${cfg.accessToken}"
services.jenkins.jobBuilder.accessTokenFile = "${cfg.accessTokenFile}"
'';
}
];
systemd.services.jenkins-job-builder = {
description = "Jenkins Job Builder Service";
# JJB can run either before or after jenkins. We chose after, so we can
@ -128,8 +155,13 @@ in {
ownerStamp = ".config-xml-managed-by-nixos-jenkins-job-builder";
reloadScript = ''
echo "Asking Jenkins to reload config"
CRUMB=$(curl -s 'http://${cfg.accessUser}:${cfg.accessToken}@${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
curl --silent -X POST -H "$CRUMB" http://${cfg.accessUser}:${cfg.accessToken}@${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}/reload
curl_opts="--silent --fail --show-error"
access_token=${if cfg.accessTokenFile != ""
then "$(cat '${cfg.accessTokenFile}')"
else cfg.accessToken}
jenkins_url="http://${cfg.accessUser}:$access_token@${jenkinsCfg.listenAddress}:${toString jenkinsCfg.port}${jenkinsCfg.prefix}"
crumb=$(curl $curl_opts "$jenkins_url"'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
curl $curl_opts -X POST -H "$crumb" "$jenkins_url"/reload
'';
in
''

1
nixos/modules/services/databases/aerospike.nix
View File

@ -43,6 +43,7 @@ in
package = mkOption {
default = pkgs.aerospike;
defaultText = "pkgs.aerospike";
type = types.package;
description = "Which Aerospike derivation to use";
};

5
nixos/modules/services/databases/clickhouse.nix
View File

@ -70,6 +70,11 @@ with lib;
};
};
environment.systemPackages = [ pkgs.clickhouse ];
# startup requires a `/etc/localtime` which only if exists if `time.timeZone != null`
time.timeZone = mkDefault "UTC";
};
}

217
nixos/modules/services/databases/cockroachdb.nix Normal file
View File

@ -0,0 +1,217 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.cockroachdb;
crdb = cfg.package;
escape = builtins.replaceStrings ["%"] ["%%"];
ifNotNull = v: s: optionalString (!isNull v) s;
startupCommand = lib.concatStringsSep " "
[ # Basic startup
"${crdb}/bin/cockroach start"
"--logtostderr"
"--store=/var/lib/cockroachdb"
(ifNotNull cfg.locality "--locality='${cfg.locality}'")
# WebUI settings
"--http-addr='${cfg.http.address}:${toString cfg.http.port}'"
# Cluster listen address
"--listen-addr='${cfg.listen.address}:${toString cfg.listen.port}'"
# Cluster configuration
(ifNotNull cfg.join "--join=${cfg.join}")
# Cache and memory settings. Must be escaped.
"--cache='${escape cfg.cache}'"
"--max-sql-memory='${escape cfg.maxSqlMemory}'"
# Certificate/security settings.
(if cfg.insecure then "--insecure" else "--certs-dir=${cfg.certsDir}")
];
addressOption = descr: defaultPort: {
address = mkOption {
type = types.str;
default = "localhost";
description = "Address to bind to for ${descr}";
};
port = mkOption {
type = types.port;
default = defaultPort;
description = "Port to bind to for ${descr}";
};
};
in
{
options = {
services.cockroachdb = {
enable = mkEnableOption "CockroachDB Server";
listen = addressOption "intra-cluster communication" 26257;
http = addressOption "http-based Admin UI" 8080;
locality = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
An ordered, comma-separated list of key-value pairs that describe the
topography of the machine. Topography might include country,
datacenter or rack designations. Data is automatically replicated to
maximize diversities of each tier. The order of tiers is used to
determine the priority of the diversity, so the more inclusive
localities like country should come before less inclusive localities
like datacenter. The tiers and order must be the same on all nodes.
Including more tiers is better than including fewer. For example:
<literal>
country=us,region=us-west,datacenter=us-west-1b,rack=12
country=ca,region=ca-east,datacenter=ca-east-2,rack=4
planet=earth,province=manitoba,colo=secondary,power=3
</literal>
'';
};
join = mkOption {
type = types.nullOr types.str;
default = null;
description = "The addresses for connecting the node to a cluster.";
};
insecure = mkOption {
type = types.bool;
default = false;
description = "Run in insecure mode.";
};
certsDir = mkOption {
type = types.nullOr types.path;
default = null;
description = "The path to the certificate directory.";
};
user = mkOption {
type = types.str;
default = "cockroachdb";
description = "User account under which CockroachDB runs";
};
group = mkOption {
type = types.str;
default = "cockroachdb";
description = "User account under which CockroachDB runs";
};
openPorts = mkOption {
type = types.bool;
default = false;
description = "Open firewall ports for cluster communication by default";
};
cache = mkOption {
type = types.str;
default = "25%";
description = ''
The total size for caches.
This can be a percentage, expressed with a fraction sign or as a
decimal-point number, or any bytes-based unit. For example,
<literal>"25%"</literal>, <literal>"0.25"</literal> both represent
25% of the available system memory. The values
<literal>"1000000000"</literal> and <literal>"1GB"</literal> both
represent 1 gigabyte of memory.
'';
};
maxSqlMemory = mkOption {
type = types.str;
default = "25%";
description = ''
The maximum in-memory storage capacity available to store temporary
data for SQL queries.
This can be a percentage, expressed with a fraction sign or as a
decimal-point number, or any bytes-based unit. For example,
<literal>"25%"</literal>, <literal>"0.25"</literal> both represent
25% of the available system memory. The values
<literal>"1000000000"</literal> and <literal>"1GB"</literal> both
represent 1 gigabyte of memory.
'';
};
package = mkOption {
type = types.package;
default = pkgs.cockroachdb;
defaultText = "pkgs.cockroachdb";
description = ''
The CockroachDB derivation to use for running the service.
This would primarily be useful to enable Enterprise Edition features
in your own custom CockroachDB build (Nixpkgs CockroachDB binaries
only contain open source features and open source code).
'';
};
};
};
config = mkIf config.services.cockroachdb.enable {
assertions = [
{ assertion = !cfg.insecure -> !(isNull cfg.certsDir);
message = "CockroachDB must have a set of SSL certificates (.certsDir), or run in Insecure Mode (.insecure = true)";
}
];
environment.systemPackages = [ crdb ];
users.users = optionalAttrs (cfg.user == "cockroachdb") (singleton
{ name = "cockroachdb";
description = "CockroachDB Server User";
uid = config.ids.uids.cockroachdb;
group = cfg.group;
});
users.groups = optionalAttrs (cfg.group == "cockroachdb") (singleton
{ name = "cockroachdb";
gid = config.ids.gids.cockroachdb;
});
networking.firewall.allowedTCPPorts = lib.optionals cfg.openPorts
[ cfg.http.port cfg.listen.port ];
systemd.services.cockroachdb =
{ description = "CockroachDB Server";
documentation = [ "man:cockroach(1)" "https://www.cockroachlabs.com" ];
after = [ "network.target" "time-sync.target" ];
requires = [ "time-sync.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig.RequiresMountsFor = "/var/lib/cockroachdb";
serviceConfig =
{ ExecStart = startupCommand;
Type = "notify";
User = cfg.user;
StateDirectory = "cockroachdb";
StateDirectoryMode = "0700";
Restart = "always";
# A conservative-ish timeout is alright here, because for Type=notify
# cockroach will send systemd pings during startup to keep it alive
TimeoutStopSec = 60;
RestartSec = 10;
};
};
};
meta.maintainers = with lib.maintainers; [ thoughtpolice ];
}

34
nixos/modules/services/databases/mysql.nix
View File

@ -29,21 +29,6 @@ let
installOptions =
"${mysqldAndInstallOptions} ${lib.optionalString isMysqlAtLeast57 "--insecure"}";
myCnf = pkgs.writeText "my.cnf"
''
[mysqld]
port = ${toString cfg.port}
datadir = ${cfg.dataDir}
${optionalString (cfg.bind != null) "bind-address = ${cfg.bind}" }
${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "log-bin=mysql-bin"}
${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "server-id = ${toString cfg.replication.serverId}"}
${optionalString (cfg.ensureUsers != [])
''
plugin-load-add = auth_socket.so
''}
${cfg.extraOptions}
'';
in
{
@ -242,6 +227,21 @@ in
environment.systemPackages = [mysql];
environment.etc."my.cnf".text =
''
[mysqld]
port = ${toString cfg.port}
datadir = ${cfg.dataDir}
${optionalString (cfg.bind != null) "bind-address = ${cfg.bind}" }
${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "log-bin=mysql-bin"}
${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "server-id = ${toString cfg.replication.serverId}"}
${optionalString (cfg.ensureUsers != [])
''
plugin-load-add = auth_socket.so
''}
${cfg.extraOptions}
'';
systemd.services.mysql = let
hasNotify = (cfg.package == pkgs.mariadb);
in {
@ -263,7 +263,7 @@ in
if ! test -e ${cfg.dataDir}/mysql; then
mkdir -m 0700 -p ${cfg.dataDir}
chown -R ${cfg.user} ${cfg.dataDir}
${mysql}/bin/mysql_install_db ${installOptions}
${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${installOptions}
touch /tmp/mysql_init
fi
@ -274,7 +274,7 @@ in
serviceConfig = {
Type = if hasNotify then "notify" else "simple";
RuntimeDirectory = "mysqld";
ExecStart = "${mysql}/bin/mysqld --defaults-extra-file=${myCnf} ${mysqldOptions}";
ExecStart = "${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions}";
};
postStart = ''

9
nixos/modules/services/databases/openldap.nix
View File

@ -54,6 +54,13 @@ in
description = "The database directory.";
};
logLevel = mkOption {
type = types.str;
default = "0";
example = "acl trace";
description = "The log level selector of slapd.";
};
configDir = mkOption {
type = types.nullOr types.path;
default = null;
@ -139,7 +146,7 @@ in
chown -R "${cfg.user}:${cfg.group}" "${cfg.dataDir}"
'';
serviceConfig.ExecStart =
"${openldap.out}/libexec/slapd -d 0 " +
"${openldap.out}/libexec/slapd -d ${cfg.logLevel} " +
"-u '${cfg.user}' -g '${cfg.group}' " +
"-h '${concatStringsSep " " cfg.urlList}' " +
"${configOpts}";

3
nixos/modules/services/databases/postgresql.nix
View File

@ -238,6 +238,9 @@ in
User = "postgres";
Group = "postgres";
PermissionsStartOnly = true;
Type = if lib.versionAtLeast cfg.package.version "9.6"
then "notify"
else "simple";
# Shut down Postgres using SIGINT ("Fast Shutdown mode"). See
# http://www.postgresql.org/docs/current/static/server-shutdown.html

2
nixos/modules/services/desktops/geoclue2.nix
View File

@ -61,6 +61,8 @@ in
wantedBy = [ "default.target" ];
};
};
environment.etc."geoclue/geoclue.conf".source = "${package}/etc/geoclue/geoclue.conf";
};
}

18
nixos/modules/services/desktops/gnome3/gnome-remote-desktop.nix Normal file
View File

@ -0,0 +1,18 @@
# Remote desktop daemon using Pipewire.
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
services.gnome3.gnome-remote-desktop = {
enable = mkEnableOption "Remote Desktop support using Pipewire";
};
};
###### implementation
config = mkIf config.services.gnome3.gnome-remote-desktop.enable {
systemd.packages = [ pkgs.gnome3.gnome-remote-desktop ];
};
}

2
nixos/modules/services/editors/emacs.xml
View File

@ -11,7 +11,7 @@
Rodney Lorrimar @rvl
-->
<para>
<link xlink:href="http://www.gnu.org/software/emacs/">Emacs</link> is an
<link xlink:href="https://www.gnu.org/software/emacs/">Emacs</link> is an
extensible, customizable, self-documenting real-time display editor — and
more. At its core is an interpreter for Emacs Lisp, a dialect of the Lisp
programming language with extensions to support text editing.

7
nixos/modules/services/hardware/bluetooth.nix
View File

@ -25,9 +25,14 @@ in {
type = types.package;
default = pkgs.bluez;
defaultText = "pkgs.bluez";
example = "pkgs.bluez.override { enableMidi = true; }";
example = "pkgs.bluezFull";
description = ''
Which BlueZ package to use.
<note><para>
Use the <literal>pkgs.bluezFull</literal> package to enable all
bluez plugins.
</para></note>
'';
};

13
nixos/modules/services/hardware/lirc.nix
View File

@ -49,6 +49,7 @@ in {
description = "LIRC daemon socket";
wantedBy = [ "sockets.target" ];
socketConfig = {
# default search path
ListenStream = "/run/lirc/lircd";
SocketUser = "lirc";
SocketMode = "0660";
@ -66,9 +67,19 @@ in {
serviceConfig = {
RuntimeDirectory = "lirc";
# socket lives in runtime directory; we have to keep is available
# Service runtime directory and socket share same folder.
# Following hacks are necessary to get everything right:
# 1. prevent socket deletion during stop and restart
RuntimeDirectoryPreserve = true;
# 2. fix runtime folder owner-ship, happens when socket activation
# creates the folder
PermissionsStartOnly = true;
ExecStartPre = [
"${pkgs.coreutils}/bin/chown lirc /run/lirc/"
];
ExecStart = ''
${pkgs.lirc}/bin/lircd --nodaemon \
${escapeShellArgs cfg.extraArguments} \

71
nixos/modules/services/hardware/vdr.nix Normal file
View File

@ -0,0 +1,71 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.vdr;
libDir = "/var/lib/vdr";
in {
###### interface
options = {
services.vdr = {
enable = mkEnableOption "enable VDR. Please put config into ${libDir}.";
package = mkOption {
type = types.package;
default = pkgs.vdr;
defaultText = "pkgs.vdr";
example = literalExample "pkgs.wrapVdr.override { plugins = with pkgs.vdrPlugins; [ hello ]; }";
description = "Package to use.";
};
videoDir = mkOption {
type = types.path;
default = "/srv/vdr/video";
description = "Recording directory";
};
extraArguments = mkOption {
type = types.listOf types.str;
default = [];
description = "Additional command line arguments to pass to VDR.";
};
};
};
###### implementation
config = mkIf cfg.enable {
systemd.tmpfiles.rules = [
"d ${cfg.videoDir} 0755 vdr vdr -"
"Z ${cfg.videoDir} - vdr vdr -"
];
systemd.services.vdr = {
description = "VDR";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/vdr \
--video="${cfg.videoDir}" \
--config="${libDir}" \
${escapeShellArgs cfg.extraArguments}
'';
User = "vdr";
CacheDirectory = "vdr";
StateDirectory = "vdr";
Restart = "on-failure";
};
};
users.users.vdr = {
group = "vdr";
home = libDir;
};
users.groups.vdr = {};
};
}

153
nixos/modules/services/mail/roundcube.nix Normal file
View File

@ -0,0 +1,153 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.roundcube;
in
{
options.services.roundcube = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable roundcube.
Also enables nginx virtual host management.
Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.&lt;name&gt;</literal>.
See <xref linkend="opt-services.nginx.virtualHosts"/> for further information.
'';
};
hostName = mkOption {
type = types.str;
example = "webmail.example.com";
description = "Hostname to use for the nginx vhost";
};
database = {
username = mkOption {
type = types.str;
default = "roundcube";
description = "Username for the postgresql connection";
};
host = mkOption {
type = types.str;
default = "localhost";
description = ''
Host of the postgresql server. If this is not set to
<literal>localhost</literal>, you have to create the
postgresql user and database yourself, with appropriate
permissions.
'';
};
password = mkOption {
type = types.str;
description = "Password for the postgresql connection";
};
dbname = mkOption {
type = types.str;
default = "roundcube";
description = "Name of the postgresql database";
};
};
plugins = mkOption {
type = types.listOf types.str;
default = [];
description = ''
List of roundcube plugins to enable. Currently, only those directly shipped with Roundcube are supported.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = "Extra configuration for roundcube webmail instance";
};
};
config = mkIf cfg.enable {
environment.etc."roundcube/config.inc.php".text = ''
<?php
$config = array();
$config['db_dsnw'] = 'pgsql://${cfg.database.username}:${cfg.database.password}@${cfg.database.host}/${cfg.database.dbname}';
$config['log_driver'] = 'syslog';
$config['max_message_size'] = '25M';
$config['plugins'] = [${concatMapStringsSep "," (p: "'${p}'") cfg.plugins}];
${cfg.extraConfig}
'';
services.nginx = {
enable = true;
virtualHosts = {
${cfg.hostName} = {
forceSSL = mkDefault true;
enableACME = mkDefault true;
locations."/" = {
root = pkgs.roundcube;
index = "index.php";
extraConfig = ''
location ~* \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/phpfpm/roundcube;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
}
'';
};
};
};
};
services.postgresql = mkIf (cfg.database.host == "localhost") {
enable = true;
};
services.phpfpm.poolConfigs.roundcube = ''
listen = /run/phpfpm/roundcube
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = nginx
pm = dynamic
pm.max_children = 75
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 20
pm.max_requests = 500
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
php_admin_value[post_max_size] = 25M
php_admin_value[upload_max_filesize] = 25M
catch_workers_output = yes
'';
systemd.services.phpfpm-roundcube.after = [ "roundcube-setup.service" ];
systemd.services.roundcube-setup = let
pgSuperUser = config.services.postgresql.superUser;
in {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
path = [ config.services.postgresql.package ];
script = ''
mkdir -p /var/lib/roundcube
if [ ! -f /var/lib/roundcube/db-created ]; then
if [ "${cfg.database.host}" = "localhost" ]; then
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create role ${cfg.database.username} with login password '${cfg.database.password}'";
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "create database ${cfg.database.dbname} with owner ${cfg.database.username}";
fi
PGPASSWORD=${cfg.database.password} ${pkgs.postgresql}/bin/psql -U ${cfg.database.username} \
-f ${pkgs.roundcube}/SQL/postgres.initial.sql \
-h ${cfg.database.host} ${cfg.database.dbname}
touch /var/lib/roundcube/db-created
fi
${pkgs.php}/bin/php ${pkgs.roundcube}/bin/update.sh
'';
serviceConfig.Type = "oneshot";
};
};
}

123
nixos/modules/services/misc/bees.nix Normal file
View File

@ -0,0 +1,123 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.beesd;
logLevels = { emerg = 0; alert = 1; crit = 2; err = 3; warning = 4; notice = 5; info = 6; debug = 7; };
fsOptions = with types; {
options.spec = mkOption {
type = str;
description = ''
Description of how to identify the filesystem to be duplicated by this
instance of bees. Note that deduplication crosses subvolumes; one must
not configure multiple instances for subvolumes of the same filesystem
(or block devices which are part of the same filesystem), but only for
completely independent btrfs filesystems.
</para>
<para>
This must be in a format usable by findmnt; that could be a key=value
pair, or a bare path to a mount point.
'';
example = "LABEL=MyBulkDataDrive";
};
options.hashTableSizeMB = mkOption {
type = types.addCheck types.int (n: mod n 16 == 0);
default = 1024; # 1GB; default from upstream beesd script
description = ''
Hash table size in MB; must be a multiple of 16.
</para>
<para>
A larger ratio of index size to storage size means smaller blocks of
duplicate content are recognized.
</para>
<para>
If you have 1TB of data, a 4GB hash table (which is to say, a value of
4096) will permit 4KB extents (the smallest possible size) to be
recognized, whereas a value of 1024 -- creating a 1GB hash table --
will recognize only aligned duplicate blocks of 16KB.
'';
};
options.verbosity = mkOption {
type = types.enum (attrNames logLevels ++ attrValues logLevels);
apply = v: if isString v then logLevels.${v} else v;
default = "info";
description = "Log verbosity (syslog keyword/level).";
};
options.workDir = mkOption {
type = str;
default = ".beeshome";
description = ''
Name (relative to the root of the filesystem) of the subvolume where
the hash table will be stored.
'';
};
options.extraOptions = mkOption {
type = listOf str;
default = [];
description = ''
Extra command-line options passed to the daemon. See upstream bees documentation.
'';
example = literalExample ''
[ "--thread-count" "4" ]
'';
};
};
in {
options.services.beesd = {
filesystems = mkOption {
type = with types; attrsOf (submodule fsOptions);
description = "BTRFS filesystems to run block-level deduplication on.";
default = { };
example = literalExample ''
{
root = {
spec = "LABEL=root";
hashTableSizeMB = 2048;
verbosity = "crit";
extraOptions = [ "--loadavg-target" "5.0" ];
};
}
'';
};
};
config = {
systemd.services = mapAttrs' (name: fs: nameValuePair "beesd@${name}" {
description = "Block-level BTRFS deduplication for %i";
after = [ "sysinit.target" ];
serviceConfig = let
configOpts = [
fs.spec
"verbosity=${toString fs.verbosity}"
"idxSizeMB=${toString fs.hashTableSizeMB}"
"workDir=${fs.workDir}"
];
configOptsStr = escapeShellArgs configOpts;
in {
# Values from https://github.com/Zygo/bees/blob/v0.6.1/scripts/beesd%40.service.in
ExecStart = "${pkgs.bees}/bin/bees-service-wrapper run ${configOptsStr} -- --no-timestamps ${escapeShellArgs fs.extraOptions}";
ExecStopPost = "${pkgs.bees}/bin/bees-service-wrapper cleanup ${configOptsStr}";
CPUAccounting = true;
CPUWeight = 12;
IOSchedulingClass = "idle";
IOSchedulingPriority = 7;
IOWeight = 10;
KillMode = "control-group";
KillSignal = "SIGTERM";
MemoryAccounting = true;
Nice = 19;
Restart = "on-abnormal";
StartupCPUWeight = 25;
StartupIOWeight = 25;
SyslogIdentifier = "bees"; # would otherwise be "bees-service-wrapper"
};
wantedBy = ["multi-user.target"];
}) cfg.filesystems;
};
}

4
nixos/modules/services/misc/gitlab.nix
View File

@ -609,10 +609,6 @@ in {
touch "${cfg.statePath}/db-seeded"
fi
# The gitlab:shell:setup regenerates the authorized_keys file so that
# the store path to the gitlab-shell in it gets updated
${pkgs.sudo}/bin/sudo -u ${cfg.user} -H force=yes ${gitlab-rake}/bin/gitlab-rake gitlab:shell:setup
# The gitlab:shell:create_hooks task seems broken for fixing links
# so we instead delete all the hooks and create them anew
rm -f ${cfg.statePath}/repositories/**/*.git/hooks

36
nixos/modules/services/misc/nscd-sssd.conf
View File

@ -1,36 +0,0 @@
server-user nscd
threads 1
paranoia no
debug-level 0
enable-cache passwd yes
positive-time-to-live passwd 0
negative-time-to-live passwd 0
suggested-size passwd 211
check-files passwd yes
persistent passwd no
shared passwd yes
enable-cache group yes
positive-time-to-live group 0
negative-time-to-live group 0
suggested-size group 211
check-files group yes
persistent group no
shared group yes
enable-cache hosts yes
positive-time-to-live hosts 600
negative-time-to-live hosts 5
suggested-size hosts 211
check-files hosts yes
persistent hosts no
shared hosts yes
enable-cache services yes
positive-time-to-live services 0
negative-time-to-live services 0
suggested-size services 211
check-files services yes
persistent services no
shared services yes

1
nixos/modules/services/misc/sssd.nix
View File

@ -75,7 +75,6 @@ in {
};
system.nssModules = optional cfg.enable pkgs.sssd;
services.nscd.config = builtins.readFile ./nscd-sssd.conf;
services.dbus.packages = [ pkgs.sssd ];
})

5
nixos/modules/services/monitoring/grafana.nix
View File

@ -169,8 +169,9 @@ in {
Sets the maximum amount of time (in seconds) a connection may be reused.
For MySQL this setting should be shorter than the `wait_timeout' variable.
'';
default = 14400;
type = types.int;
default = "unlimited";
example = 14400;
type = types.either types.int (types.enum [ "unlimited" ]);
};
};

2
nixos/modules/services/monitoring/prometheus/exporters.nix
View File

@ -127,7 +127,7 @@ let
serviceConfig.Restart = mkDefault "always";
serviceConfig.PrivateTmp = mkDefault true;
serviceConfig.WorkingDirectory = mkDefault /tmp;
} serviceOpts ] ++ optional (serviceOpts.serviceConfig.DynamicUser or false) {
} serviceOpts ] ++ optional (!(serviceOpts.serviceConfig.DynamicUser or false)) {
serviceConfig.User = conf.user;
serviceConfig.Group = conf.group;
});

5
nixos/modules/services/monitoring/prometheus/exporters/tor.nix
View File

@ -36,5 +36,10 @@ in
${concatStringsSep " \\\n " cfg.extraFlags}
'';
};
# CPython requires a process to either have $HOME defined or run as a UID
# defined in /etc/passwd. The latter is false with DynamicUser, so define a
# dummy $HOME. https://bugs.python.org/issue10496
environment = { HOME = "/var/empty"; };
};
}

2
nixos/modules/services/network-filesystems/ipfs.nix
View File

@ -74,7 +74,7 @@ in {
services.ipfs = {
enable = mkEnableOption "Interplanetary File System";
enable = mkEnableOption "Interplanetary File System (WARNING: may cause severe network degredation)";
user = mkOption {
type = types.str;

5
nixos/modules/services/networking/chrony.nix
View File

@ -12,7 +12,7 @@ let
${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
${optionalString
cfg.initstepslew.enabled
(cfg.initstepslew.enabled && (cfg.servers != []))
"initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}"
}
@ -113,6 +113,7 @@ in
chown chrony:chrony ${stateDir} ${keyFile}
'';
unitConfig.ConditionCapability = "CAP_SYS_TIME";
serviceConfig =
{ Type = "forking";
ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
@ -121,8 +122,8 @@ in
ProtectSystem = "full";
PrivateTmp = "yes";
ConditionCapability = "CAP_SYS_TIME";
};
};
};
}

2
nixos/modules/services/networking/dhcpcd.nix
View File

@ -71,7 +71,7 @@ let
# anything ever again ("couldn't resolve ..., giving up on
# it"), so we silently lose time synchronisation. This also
# applies to openntpd.
${config.systemd.package}/bin/systemctl try-reload-or-restart ntpd.service openntpd.service || true
${config.systemd.package}/bin/systemctl try-reload-or-restart ntpd.service openntpd.service chronyd.service || true
fi
${cfg.runHook}

2
nixos/modules/services/networking/networkmanager.nix
View File

@ -488,7 +488,7 @@ in {
'') cfg.dynamicHosts.hostsDirs);
serviceConfig = {
Type = "oneshot";
RemainAfterExist = true;
RemainAfterExit = true;
};
};

38
nixos/modules/services/networking/ntpd.nix
View File

@ -15,6 +15,10 @@ let
configFile = pkgs.writeText "ntp.conf" ''
driftfile ${stateDir}/ntp.drift
restrict default ${toString cfg.restrictDefault}
restrict -6 default ${toString cfg.restrictDefault}
restrict source ${toString cfg.restrictSource}
restrict 127.0.0.1
restrict -6 ::1
@ -36,11 +40,40 @@ in
enable = mkOption {
default = false;
description = ''
Whether to synchronise your machine's time using the NTP
protocol.
Whether to synchronise your machine's time using ntpd, as a peer in
the NTP network.
</para>
<para>
Disables <literal>systemd.timesyncd</literal> if enabled.
'';
};
restrictDefault = mkOption {
type = types.listOf types.str;
description = ''
The restriction flags to be set by default.
</para>
<para>
The default flags prevent external hosts from using ntpd as a DDoS
reflector, setting system time, and querying OS/ntpd version. As
recommended in section 6.5.1.1.3, answer "No" of
http://support.ntp.org/bin/view/Support/AccessRestrictions
'';
default = [ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ];
};
restrictSource = mkOption {
type = types.listOf types.str;
description = ''
The restriction flags to be set on source.
</para>
<para>
The default flags allow peers to be added by ntpd from configured
pool(s), but not by other means.
'';
default = [ "limited" "kod" "nomodify" "notrap" "noquery" ];
};
servers = mkOption {
default = config.networking.timeServers;
description = ''
@ -51,6 +84,7 @@ in
extraFlags = mkOption {
type = types.listOf types.str;
description = "Extra flags passed to the ntpd command.";
example = literalExample ''[ "--interface=eth0" ]'';
default = [];
};

1
nixos/modules/services/networking/prosody.nix
View File

@ -228,6 +228,7 @@ let
createSSLOptsStr = o: ''
ssl = {
cafile = "/etc/ssl/certs/ca-bundle.crt";
key = "${o.key}";
certificate = "${o.cert}";
${concatStringsSep "\n" (mapAttrsToList (name: value: "${name} = ${toLua value};") o.extraOptions)}

2
nixos/modules/services/networking/shairport-sync.nix
View File

@ -27,7 +27,7 @@ in
};
arguments = mkOption {
default = "-v -d pulse";
default = "-v pulse";
description = ''
Arguments to pass to the daemon. Defaults to a local pulseaudio
server.

2
nixos/modules/services/networking/wireguard.nix
View File

@ -202,7 +202,7 @@ let
};
script = ''
modprobe wireguard
${optionalString (!config.boot.isContainer) "modprobe wireguard"}
${values.preSetup}

5
nixos/modules/services/search/kibana.nix
View File

@ -149,7 +149,10 @@ in {
after = [ "network.target" "elasticsearch.service" ];
environment = { BABEL_CACHE_PATH = "${cfg.dataDir}/.babelcache.json"; };
serviceConfig = {
ExecStart = "${cfg.package}/bin/kibana --config ${cfgFile}";
ExecStart =
"${cfg.package}/bin/kibana" +
" --config ${cfgFile}" +
" --path.data ${cfg.dataDir}";
User = "kibana";
WorkingDirectory = cfg.dataDir;
};

34
nixos/modules/services/system/nscd.conf
View File

@ -1,28 +1,52 @@
# We basically use nscd as a proxy for forwarding nss requests to appropriate
# nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory
# containing all such modules
# Note that we can not use `enable-cache no` As this will actually cause nscd
# to just reject the nss requests it receives, which then causes glibc to
# fallback to trying to handle the request by itself. Which won't work as glibc
# is not aware of the path in which the nss modules live. As a workaround, we
# have `enable-cache yes` with an explicit ttl of 0
server-user nscd
threads 1
paranoia no
debug-level 0
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
positive-time-to-live passwd 0
negative-time-to-live passwd 0
suggested-size passwd 211
check-files passwd yes
persistent passwd no
shared passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
positive-time-to-live group 0
negative-time-to-live group 0
suggested-size group 211
check-files group yes
persistent group no
shared group yes
enable-cache netgroup yes
positive-time-to-live netgroup 0
negative-time-to-live netgroup 0
suggested-size netgroup 211
check-files netgroup yes
persistent netgroup no
shared netgroup yes
enable-cache hosts yes
positive-time-to-live hosts 600
negative-time-to-live hosts 5
negative-time-to-live hosts 0
suggested-size hosts 211
check-files hosts yes
persistent hosts no
shared hosts yes
enable-cache services yes
positive-time-to-live services 0
negative-time-to-live services 0
suggested-size services 211
check-files services yes
persistent services no
shared services yes

2
nixos/modules/services/web-apps/nextcloud.nix
View File

@ -484,4 +484,6 @@ in {
};
})
]);
meta.doc = ./nextcloud.xml;
}

99
nixos/modules/services/web-apps/nextcloud.xml Normal file
View File

@ -0,0 +1,99 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="module-services-nextcloud">
<title>Nextcloud</title>
<para>
<link xlink:href="https://nextcloud.com/">Nextcloud</link> is an open-source, self-hostable cloud
platform. The server setup can be automated using
<link linkend="opt-services.nextcloud.enable">services.nextcloud</link>. A desktop client is packaged
at <literal>pkgs.nextcloud-client</literal>.
</para>
<section xml:id="module-services-nextcloud-basic-usage">
<title>Basic usage</title>
<para>
Nextcloud is a PHP-based application which requires an HTTP server
(<literal><link linkend="opt-services.nextcloud.enable">services.nextcloud</link></literal> optionally supports
<literal><link linkend="opt-services.nginx.enable">services.nginx</link></literal>) and a database
(it's recommended to use <literal><link linkend="opt-services.postgresql.enable">services.postgresql</link></literal>).
</para>
<para>
A very basic configuration may look like this:
<programlisting>{ pkgs, ... }:
{
services.nextcloud = {
<link linkend="opt-services.nextcloud.enable">enable</link> = true;
<link linkend="opt-services.nextcloud.hostName">hostName</link> = "nextcloud.tld";
<link linkend="opt-services.nextcloud.nginx.enable">nginx.enable</link> = true;
config = {
<link linkend="opt-services.nextcloud.config.dbtype">dbtype</link> = "pgsql";
<link linkend="opt-services.nextcloud.config.dbuser">dbuser</link> = "nextcloud";
<link linkend="opt-services.nextcloud.config.dbhost">dbhost</link> = "/tmp"; # nextcloud will add /.s.PGSQL.5432 by itself
<link linkend="opt-services.nextcloud.config.dbname">dbname</link> = "nextcloud";
<link linkend="opt-services.nextcloud.config.adminpassFile">adminpassFile</link> = "/path/to/admin-pass-file";
<link linkend="opt-services.nextcloud.config.adminuser">adminuser</link> = "root";
};
};
services.postgresql = {
<link linkend="opt-services.postgresql.enable">enable</link> = true;
<link linkend="opt-services.postgresql.initialScript">initialScript</link> = pkgs.writeText "psql-init" ''
CREATE ROLE nextcloud WITH LOGIN;
CREATE DATABASE nextcloud WITH OWNER nextcloud;
'';
};
# ensure that postgres is running *before* running the setup
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
<link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
}</programlisting>
</para>
<para>
The options <literal>hostName</literal> and <literal>nginx.enable</literal> are used internally to configure an
HTTP server using <literal><link xlink:href="https://php-fpm.org/">PHP-FPM</link></literal> and <literal>nginx</literal>.
The <literal>config</literal> attribute set is used for the <literal>config.php</literal> which is used
for the application's configuration.
<emphasis>Beware: this isn't entirely pure since the config is modified by the application's runtime!</emphasis>
</para>
<para>
In case the application serves multiple hosts (those are checked with
<literal><link xlink:href="http://php.net/manual/en/reserved.variables.server.php">$_SERVER['HTTP_HOST']</link></literal>)
those can be added using
<literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>.
</para>
</section>
<section xml:id="module-services-nextcloud-pitfalls-during-upgrade">
<title>Pitfalls</title>
<para>
Unfortunately Nextcloud appears to be very stateful when it comes to managing its own configuration. The
config file lives in the home directory of the <literal>nextcloud</literal> user (by default
<literal>/var/lib/nextcloud/config/config.php</literal>) and is also used to track several
states of the application (e.g. whether installed or not).
</para>
<para>
Right now changes to the <literal>services.nextcloud.config</literal> attribute set won't take effect
after the first install
(except <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>) since the actual configuration
file is generated by the NextCloud installer which also sets up critical parts such as the database
structure.
</para>
<para>
<emphasis>Warning: don't delete <literal>config.php</literal>! This file tracks the application's state and a deletion can cause unwanted side-effects!</emphasis>
</para>
<para>
<emphasis>Warning: don't rerun <literal>nextcloud-occ maintenance:install</literal>! This command tries to install the application and can cause unwanted side-effects!</emphasis>
</para>
<para>
The issues are known and reported in <link xlink:href="https://github.com/NixOS/nixpkgs/issues/49783">#49783</link>, for now it's unfortunately necessary to manually work around these issues.
</para>
</section>
</chapter>

101
nixos/modules/services/web-apps/quassel-webserver.nix
View File

@ -1,101 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.quassel-webserver;
quassel-webserver = cfg.pkg;
settings = ''
module.exports = {
default: {
host: '${cfg.quasselCoreHost}', // quasselcore host
port: ${toString cfg.quasselCorePort}, // quasselcore port
initialBacklogLimit: ${toString cfg.initialBacklogLimit}, // Amount of backlogs to fetch per buffer on connection
backlogLimit: ${toString cfg.backlogLimit}, // Amount of backlogs to fetch per buffer after first retrieval
securecore: ${boolToString cfg.secureCore}, // Connect to the core using SSL
theme: '${cfg.theme}' // Default UI theme
},
themes: ['default', 'darksolarized'], // Available themes
forcedefault: ${boolToString cfg.forceHostAndPort}, // Will force default host and port to be used, and will hide the corresponding fields in the UI
prefixpath: '${cfg.prefixPath}' // Configure this if you use a reverse proxy
};
'';
settingsFile = pkgs.writeText "settings-user.js" settings;
in {
options = {
services.quassel-webserver = {
enable = mkOption {
default = false;
type = types.bool;
description = "Whether to enable the quassel webclient service";
};
pkg = mkOption {
default = pkgs.quassel-webserver;
defaultText = "pkgs.quassel-webserver";
type = types.package;
description = "The quassel-webserver package";
};
quasselCoreHost = mkOption {
default = "";
type = types.str;
description = "The default host of the quassel core";
};
quasselCorePort = mkOption {
default = 4242;
type = types.int;
description = "The default quassel core port";
};
initialBacklogLimit = mkOption {
default = 20;
type = types.int;
description = "Amount of backlogs to fetch per buffer on connection";
};
backlogLimit = mkOption {
default = 100;
type = types.int;
description = "Amount of backlogs to fetch per buffer after first retrieval";
};
secureCore = mkOption {
default = true;
type = types.bool;
description = "Connect to the core using SSL";
};
theme = mkOption {
default = "default";
type = types.str;
description = "default or darksolarized";
};
prefixPath = mkOption {
default = "";
type = types.str;
description = "Configure this if you use a reverse proxy. Must start with a '/'";
example = "/quassel";
};
port = mkOption {
default = 60443;
type = types.int;
description = "The port the quassel webserver should listen on";
};
useHttps = mkOption {
default = true;
type = types.bool;
description = "Whether the quassel webserver connection should be a https connection";
};
forceHostAndPort = mkOption {
default = false;
type = types.bool;
description = "Force the users to use the quasselCoreHost and quasselCorePort defaults";
};
};
};
config = mkIf cfg.enable {
systemd.services.quassel-webserver = {
description = "A web server/client for Quassel";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${quassel-webserver}/lib/node_modules/quassel-webserver/bin/www -p ${toString cfg.port} -m ${if cfg.useHttps == true then "https" else "http"} -c ${settingsFile}";
};
};
};
}

2
nixos/modules/services/web-servers/apache-httpd/limesurvey.nix
View File

@ -85,7 +85,7 @@ in rec {
id = mkOption {
default = "main";
description = ''
A unique identifier necessary to keep multiple owncloud server
A unique identifier necessary to keep multiple Limesurvey server
instances on the same machine apart. This is used to
disambiguate the administrative scripts, which get names like
mediawiki-$id-change-password.

8
nixos/modules/services/web-servers/apache-httpd/mediawiki.nix
View File

@ -83,11 +83,11 @@ let
# Unpack Mediawiki and put the config file in its root directory.
mediawikiRoot = pkgs.stdenv.mkDerivation rec {
name= "mediawiki-1.29.1";
name= "mediawiki-1.31.1";
src = pkgs.fetchurl {
url = "https://releases.wikimedia.org/mediawiki/1.29/${name}.tar.gz";
sha256 = "03mpazbxvb011s2nmlw5p6dc43yjgl5yrsilmj1imyykm57bwb3m";
url = "https://releases.wikimedia.org/mediawiki/1.31/${name}.tar.gz";
sha256 = "13x48clij21cmysjkpnx68vggchrdasqp7b290j87xlfgjhdhnnf";
};
skins = config.skins;
@ -111,7 +111,7 @@ let
sed -i \
-e 's|/bin/bash|${pkgs.bash}/bin/bash|g' \
-e 's|/usr/bin/timeout|${pkgs.coreutils}/bin/timeout|g' \
$out/includes/limit.sh \
$out/includes/shell/limit.sh \
$out/includes/GlobalFunctions.php
'';
};

608
nixos/modules/services/web-servers/apache-httpd/owncloud.nix
View File

@ -1,608 +0,0 @@
{ config, lib, pkgs, serverInfo, php, ... }:
with lib;
let
owncloudConfig = pkgs.writeText "config.php"
''
<?php
/* Only enable this for local development and not in productive environments */
/* This will disable the minifier and outputs some additional debug informations */
define("DEBUG", false);
$CONFIG = array(
/* Flag to indicate ownCloud is successfully installed (true = installed) */
"installed" => true,
/* Type of database, can be sqlite, mysql or pgsql */
"dbtype" => "${config.dbType}",
/* Name of the ownCloud database */
"dbname" => "${config.dbName}",
/* User to access the ownCloud database */
"dbuser" => "${config.dbUser}",
/* Password to access the ownCloud database */
"dbpassword" => "${config.dbPassword}",
/* Host running the ownCloud database. To specify a port use "HOSTNAME:####"; to specify a unix sockets use "localhost:/path/to/socket". */
"dbhost" => "${config.dbServer}",
/* Prefix for the ownCloud tables in the database */
"dbtableprefix" => "",
/* Force use of HTTPS connection (true = use HTTPS) */
"forcessl" => ${config.forceSSL},
/* Blacklist a specific file and disallow the upload of files with this name - WARNING: USE THIS ONLY IF YOU KNOW WHAT YOU ARE DOING. */
"blacklisted_files" => array('.htaccess'),
/* The automatic hostname detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the automatic detection. You can also add a port. For example "www.example.com:88" */
"overwritehost" => "${config.overwriteHost}",
/* The automatic protocol detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the protocol detection. For example "https" */
"overwriteprotocol" => "${config.overwriteProtocol}",
/* The automatic webroot detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to manually override the automatic detection. For example "/domain.tld/ownCloud". The value "/" can be used to remove the root. */
"overwritewebroot" => "${config.overwriteWebRoot}",
/* The automatic detection of ownCloud can fail in certain reverse proxy and CLI/cron situations. This option allows to define a manually override condition as regular expression for the remote ip address. For example "^10\.0\.0\.[1-3]$" */
"overwritecondaddr" => "",
/* A proxy to use to connect to the internet. For example "myproxy.org:88" */
"proxy" => "",
/* The optional authentication for the proxy to use to connect to the internet. The format is: [username]:[password] */
"proxyuserpwd" => "",
/* List of trusted domains, to prevent host header poisoning ownCloud is only using these Host headers */
${if config.trustedDomain != "" then "'trusted_domains' => array('${config.trustedDomain}')," else ""}
/* Theme to use for ownCloud */
"theme" => "",
/* Optional ownCloud default language - overrides automatic language detection on public pages like login or shared items. This has no effect on the user's language preference configured under "personal -> language" once they have logged in */
"default_language" => "${config.defaultLang}",
/* Path to the parent directory of the 3rdparty directory */
"3rdpartyroot" => "",
/* URL to the parent directory of the 3rdparty directory, as seen by the browser */
"3rdpartyurl" => "",
/* Default app to open on login.
* This can be a comma-separated list of app ids.
* If the first app is not enabled for the current user,
* it will try with the second one and so on. If no enabled app could be found,
* the "files" app will be displayed instead. */
"defaultapp" => "${config.defaultApp}",
/* Enable the help menu item in the settings */
"knowledgebaseenabled" => true,
/* Enable installing apps from the appstore */
"appstoreenabled" => ${config.appStoreEnable},
/* URL of the appstore to use, server should understand OCS */
"appstoreurl" => "https://api.owncloud.com/v1",
/* Domain name used by ownCloud for the sender mail address, e.g. no-reply@example.com */
"mail_domain" => "${config.mailFromDomain}",
/* FROM address used by ownCloud for the sender mail address, e.g. owncloud@example.com
This setting overwrites the built in 'sharing-noreply' and 'lostpassword-noreply'
FROM addresses, that ownCloud uses
*/
"mail_from_address" => "${config.mailFrom}",
/* Enable SMTP class debugging */
"mail_smtpdebug" => false,
/* Mode to use for sending mail, can be sendmail, smtp, qmail or php, see PHPMailer docs */
"mail_smtpmode" => "${config.SMTPMode}",
/* Host to use for sending mail, depends on mail_smtpmode if this is used */
"mail_smtphost" => "${config.SMTPHost}",
/* Port to use for sending mail, depends on mail_smtpmode if this is used */
"mail_smtpport" => ${config.SMTPPort},
/* SMTP server timeout in seconds for sending mail, depends on mail_smtpmode if this is used */
"mail_smtptimeout" => ${config.SMTPTimeout},
/* SMTP connection prefix or sending mail, depends on mail_smtpmode if this is used.
Can be "", ssl or tls */
"mail_smtpsecure" => "${config.SMTPSecure}",
/* authentication needed to send mail, depends on mail_smtpmode if this is used
* (false = disable authentication)
*/
"mail_smtpauth" => ${config.SMTPAuth},
/* authentication type needed to send mail, depends on mail_smtpmode if this is used
* Can be LOGIN (default), PLAIN or NTLM */
"mail_smtpauthtype" => "${config.SMTPAuthType}",
/* Username to use for sendmail mail, depends on mail_smtpauth if this is used */
"mail_smtpname" => "${config.SMTPUser}",
/* Password to use for sendmail mail, depends on mail_smtpauth if this is used */
"mail_smtppassword" => "${config.SMTPPass}",
/* memcached servers (Only used when xCache, APC and APCu are absent.) */
"memcached_servers" => array(
// hostname, port and optional weight. Also see:
// http://www.php.net/manual/en/memcached.addservers.php
// http://www.php.net/manual/en/memcached.addserver.php
//array('localhost', 11211),
//array('other.host.local', 11211),
),
/* How long should ownCloud keep deleted files in the trash bin, default value: 30 days */
'trashbin_retention_obligation' => 30,
/* Disable/Enable auto expire for the trash bin, by default auto expire is enabled */
'trashbin_auto_expire' => true,
/* allow user to change his display name, if it is supported by the back-end */
'allow_user_to_change_display_name' => true,
/* Check 3rdparty apps for malicious code fragments */
"appcodechecker" => true,
/* Check if ownCloud is up to date */
"updatechecker" => true,
/* Are we connected to the internet or are we running in a closed network? */
"has_internet_connection" => true,
/* Check if the ownCloud WebDAV server is working correctly. Can be disabled if not needed in special situations*/
"check_for_working_webdav" => true,
/* Check if .htaccess protection of data is working correctly. Can be disabled if not needed in special situations*/
"check_for_working_htaccess" => true,
/* Place to log to, can be owncloud and syslog (owncloud is log menu item in admin menu) */
"log_type" => "owncloud",
/* File for the owncloud logger to log to, (default is ownloud.log in the data dir) */
"logfile" => "${config.dataDir}/owncloud.log",
/* Loglevel to start logging at. 0=DEBUG, 1=INFO, 2=WARN, 3=ERROR (default is WARN) */
"loglevel" => "2",
/* date format to be used while writing to the owncloud logfile */
'logdateformat' => 'F d, Y H:i:s',
${tzSetting}
/* Append all database queries and parameters to the log file.
(watch out, this option can increase the size of your log file)*/
"log_query" => false,
/* Whether ownCloud should log the last successfull cron exec */
"cron_log" => true,
/*
* Configure the size in bytes log rotation should happen, 0 or false disables the rotation.
* This rotates the current owncloud logfile to a new name, this way the total log usage
* will stay limited and older entries are available for a while longer. The
* total disk usage is twice the configured size.
* WARNING: When you use this, the log entries will eventually be lost.
*/
'log_rotate_size' => "104857600", // 104857600, // 100 MiB
/* Lifetime of the remember login cookie, default is 15 days */
"remember_login_cookie_lifetime" => 1296000,
/* Life time of a session after inactivity */
"session_lifetime" => 86400,
/*
* Enable/disable session keep alive when a user is logged in in the Web UI.
* This is achieved by sending a "heartbeat" to the server to prevent
* the session timing out.
*/
"session_keepalive" => true,
/* Custom CSP policy, changing this will overwrite the standard policy */
"custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *",
/* Enable/disable X-Frame-Restriction */
/* HIGH SECURITY RISK IF DISABLED*/
"xframe_restriction" => true,
/* The directory where the user data is stored, default to data in the owncloud
* directory. The sqlite database is also stored here, when sqlite is used.
*/
"datadirectory" => "${config.dataDir}/storage",
/* The directory where the skeleton files are located. These files will be copied to the data
* directory of new users. Leave empty to not copy any skeleton files.
*/
// "skeletondirectory" => "",
/* Enable maintenance mode to disable ownCloud
If you want to prevent users to login to ownCloud before you start doing some maintenance work,
you need to set the value of the maintenance parameter to true.
Please keep in mind that users who are already logged-in are kicked out of ownCloud instantly.
*/
"maintenance" => false,
"apps_paths" => array(
/* Set an array of path for your apps directories
key 'path' is for the fs path and the key 'url' is for the http path to your
applications paths. 'writable' indicates whether the user can install apps in this folder.
You must have at least 1 app folder writable or you must set the parameter 'appstoreenabled' to false
*/
array(
'path'=> '${config.dataDir}/apps',
'url' => '/apps',
'writable' => true,
),
),
'user_backends'=>array(
/*
array(
'class'=>'OC_User_IMAP',
'arguments'=>array('{imap.gmail.com:993/imap/ssl}INBOX')
)
*/
),
//links to custom clients
'customclient_desktop' => ''', //http://owncloud.org/sync-clients/
'customclient_android' => ''', //https://play.google.com/store/apps/details?id=com.owncloud.android
'customclient_ios' => ''', //https://itunes.apple.com/us/app/owncloud/id543672169?mt=8
// PREVIEW
'enable_previews' => true,
/* the max width of a generated preview, if value is null, there is no limit */
'preview_max_x' => null,
/* the max height of a generated preview, if value is null, there is no limit */
'preview_max_y' => null,
/* the max factor to scale a preview, default is set to 10 */
'preview_max_scale_factor' => 10,
/* custom path for libreoffice / openoffice binary */
'preview_libreoffice_path' => '${config.libreofficePath}',
/* cl parameters for libreoffice / openoffice */
'preview_office_cl_parameters' => ''',
/* whether avatars should be enabled */
'enable_avatars' => true,
// Extra SSL options to be used for configuration
'openssl' => array(
'config' => '/etc/ssl/openssl.cnf',
),
// default cipher used for file encryption, currently we support AES-128-CFB and AES-256-CFB
'cipher' => 'AES-256-CFB',
/* whether usage of the instance should be restricted to admin users only */
'singleuser' => false,
/* all css and js files will be served by the web server statically in one js file and ons css file*/
'asset-pipeline.enabled' => false,
/* where mount.json file should be stored, defaults to data/mount.json */
'mount_file' => ''',
/*
* Location of the cache folder, defaults to "data/$user/cache" where "$user" is the current user.
*
* When specified, the format will change to "$cache_path/$user" where "$cache_path" is the configured
* cache directory and "$user" is the user.
*
*/
'cache_path' => ''',
/* EXPERIMENTAL: option whether to include external storage in quota calculation, defaults to false */
'quota_include_external_storage' => false,
/*
* specifies how often the filesystem is checked for changes made outside owncloud
* 0 -> never check the filesystem for outside changes, provides a performance increase when it's certain that no changes are made directly to the filesystem
* 1 -> check each file or folder at most once per request, recomended for general use if outside changes might happen
* 2 -> check every time the filesystem is used, causes a performance hit when using external storages, not recomended for regular use
*/
'filesystem_check_changes' => 1,
/* If true, prevent owncloud from changing the cache due to changes in the filesystem for all storage */
'filesystem_cache_readonly' => false,
/**
* define default folder for shared files and folders
*/
'share_folder' => '/',
'version' => '${config.package.version}',
'openssl' => '${pkgs.openssl.bin}/bin/openssl'
);
'';
tzSetting = let tz = serverInfo.fullConfig.time.timeZone; in optionalString (!isNull tz) ''
/* timezone used while writing to the owncloud logfile (default: UTC) */
'logtimezone' => '${tz}',
'';
postgresql = serverInfo.fullConfig.services.postgresql.package;
setupDb = pkgs.writeScript "setup-owncloud-db" ''
#!${pkgs.runtimeShell}
PATH="${postgresql}/bin"
createuser --no-superuser --no-createdb --no-createrole "${config.dbUser}" || true
createdb "${config.dbName}" -O "${config.dbUser}" || true
psql -U postgres -d postgres -c "alter user ${config.dbUser} with password '${config.dbPassword}';" || true
QUERY="CREATE TABLE appconfig
( appid VARCHAR( 255 ) NOT NULL
, configkey VARCHAR( 255 ) NOT NULL
, configvalue VARCHAR( 255 ) NOT NULL
);
GRANT ALL ON appconfig TO ${config.dbUser};
ALTER TABLE appconfig OWNER TO ${config.dbUser};"
psql -h "/tmp" -U postgres -d ${config.dbName} -Atw -c "$QUERY" || true
'';
in
rec {
extraConfig =
''
${if config.urlPrefix != "" then "Alias ${config.urlPrefix} ${config.package}" else ''
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
''}
<Directory ${config.package}>
Include ${config.package}/.htaccess
</Directory>
'';
globalEnvVars = [
{ name = "OC_CONFIG_PATH"; value = "${config.dataDir}/config/"; }
];
documentRoot = if config.urlPrefix == "" then config.package else null;
enablePHP = true;
options = {
package = mkOption {
type = types.package;
default = pkgs.owncloud70;
defaultText = "pkgs.owncloud70";
example = literalExample "pkgs.owncloud70";
description = ''
ownCloud package to use.
'';
};
urlPrefix = mkOption {
default = "";
example = "/owncloud";
description = ''
The URL prefix under which the owncloud service appears.
'';
};
id = mkOption {
default = "main";
description = ''
A unique identifier necessary to keep multiple owncloud server
instances on the same machine apart. This is used to
disambiguate the administrative scripts, which get names like
mediawiki-$id-change-password.
'';
};
adminUser = mkOption {
default = "owncloud";
description = "The admin user name for accessing owncloud.";
};
adminPassword = mkOption {
description = "The admin password for accessing owncloud.";
};
dbType = mkOption {
default = "pgsql";
description = "Type of database, in NixOS, for now, only pgsql.";
};
dbName = mkOption {
default = "owncloud";
description = "Name of the database that holds the owncloud data.";
};
dbServer = mkOption {
default = "localhost:5432";
description = ''
The location of the database server.
'';
};
dbUser = mkOption {
default = "owncloud";
description = "The user name for accessing the database.";
};
dbPassword = mkOption {
example = "foobar";
description = ''
The password of the database user. Warning: this is stored in
cleartext in the Nix store!
'';
};
forceSSL = mkOption {
default = "false";
description = "Force use of HTTPS connection.";
};
adminAddr = mkOption {
default = serverInfo.serverConfig.adminAddr;
example = "admin@example.com";
description = ''
Emergency contact e-mail address. Defaults to the Apache
admin address.
'';
};
siteName = mkOption {
default = "owncloud";
example = "Foobar owncloud";
description = "Name of the owncloud";
};
trustedDomain = mkOption {
default = "";
description = "Trusted domain";
};
defaultLang = mkOption {
default = "";
description = "Default language";
};
defaultApp = mkOption {
default = "";
description = "Default application";
};
appStoreEnable = mkOption {
default = "true";
description = "Enable app store";
};
mailFrom = mkOption {
default = "no-reply";
description = "Mail from";
};
mailFromDomain = mkOption {
default = "example.xyz";
description = "Mail from domain";
};
SMTPMode = mkOption {
default = "smtp";
description = "Which mode to use for sending mail: sendmail, smtp, qmail or php.";
};
SMTPHost = mkOption {
default = "";
description = "SMTP host";
};
SMTPPort = mkOption {
default = "25";
description = "SMTP port";
};
SMTPTimeout = mkOption {
default = "10";
description = "SMTP mode";
};
SMTPSecure = mkOption {
default = "ssl";
description = "SMTP secure";
};
SMTPAuth = mkOption {
default = "true";
description = "SMTP auth";
};
SMTPAuthType = mkOption {
default = "LOGIN";
description = "SMTP auth type";
};
SMTPUser = mkOption {
default = "";
description = "SMTP user";
};
SMTPPass = mkOption {
default = "";
description = "SMTP pass";
};
dataDir = mkOption {
default = "/var/lib/owncloud";
description = "Data dir";
};
libreofficePath = mkOption {
default = "/usr/bin/libreoffice";
description = "Path for LibreOffice/OpenOffice binary.";
};
overwriteHost = mkOption {
default = "";
description = "The automatic hostname detection of ownCloud can fail in
certain reverse proxy and CLI/cron situations. This option allows to
manually override the automatic detection. You can also add a port.";
};
overwriteProtocol = mkOption {
default = "";
description = "The automatic protocol detection of ownCloud can fail in
certain reverse proxy and CLI/cron situations. This option allows to
manually override the protocol detection.";
};
overwriteWebRoot = mkOption {
default = "";
description = "The automatic webroot detection of ownCloud can fail in
certain reverse proxy and CLI/cron situations. This option allows to
manually override the automatic detection.";
};
};
startupScript = pkgs.writeScript "owncloud_startup.sh" ''
if [ ! -d ${config.dataDir}/config ]; then
mkdir -p ${config.dataDir}/config
cp ${owncloudConfig} ${config.dataDir}/config/config.php
mkdir -p ${config.dataDir}/storage
mkdir -p ${config.dataDir}/apps
cp -r ${config.package}/apps/* ${config.dataDir}/apps/
chmod -R ug+rw ${config.dataDir}
chmod -R o-rwx ${config.dataDir}
chown -R wwwrun:wwwrun ${config.dataDir}
${pkgs.sudo}/bin/sudo -u postgres ${setupDb}
fi
if [ -e ${config.package}/config/ca-bundle.crt ]; then
cp -f ${config.package}/config/ca-bundle.crt ${config.dataDir}/config/
fi
${php}/bin/php ${config.package}/occ upgrade >> ${config.dataDir}/upgrade.log || true
chown wwwrun:wwwrun ${config.dataDir}/owncloud.log || true
QUERY="INSERT INTO groups (gid) values('admin');
INSERT INTO users (uid,password)
values('${config.adminUser}','${builtins.hashString "sha1" config.adminPassword}');
INSERT INTO group_user (gid,uid)
values('admin','${config.adminUser}');"
${pkgs.sudo}/bin/sudo -u postgres ${postgresql}/bin/psql -h "/tmp" -U postgres -d ${config.dbName} -Atw -c "$QUERY" || true
'';
}

Some files were not shown because too many files have changed in this diff Show More