mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-12-26 04:43:09 +03:00
Merge branch 'master' into improved-make-overridable
This commit is contained in:
commit
dbd5009376
46
.github/CODEOWNERS
vendored
46
.github/CODEOWNERS
vendored
@ -7,17 +7,43 @@
|
||||
# For documentation on this file, see https://help.github.com/articles/about-codeowners/
|
||||
# Mentioned users will get code review requests.
|
||||
|
||||
# Python-related code and docs
|
||||
pkgs/top-level/python-packages.nix @FRidh
|
||||
pkgs/development/interpreters/python/* @FRidh
|
||||
pkgs/development/python-modules/* @FRidh
|
||||
doc/languages-frameworks/python.md @FRidh
|
||||
# This file
|
||||
.github/CODEOWNERS @edolstra
|
||||
|
||||
# Boostraping and core infra
|
||||
pkgs/stdenv/ @Ericson2314
|
||||
pkgs/build-support/cc-wrapper/ @Ericson2314
|
||||
pkgs/stdenv/ @edolstra
|
||||
pkgs/build-support/cc-wrapper/ @edolstra
|
||||
|
||||
# Libraries
|
||||
lib/ @edolstra
|
||||
|
||||
# Python-related code and docs
|
||||
pkgs/top-level/python-packages.nix @FRidh
|
||||
pkgs/development/interpreters/python/* @FRidh
|
||||
pkgs/development/python-modules/* @FRidh
|
||||
doc/languages-frameworks/python.md @FRidh
|
||||
|
||||
# Haskell
|
||||
pkgs/development/compilers/ghc @peti
|
||||
pkgs/development/haskell-modules @peti
|
||||
pkgs/development/haskell-modules/default.nix @Profpatsch @peti
|
||||
pkgs/development/haskell-modules/generic-builder.nix @Profpatsch @peti
|
||||
pkgs/development/haskell-modules/hoogle.nix @Profpatsch @peti
|
||||
|
||||
# R
|
||||
pkgs/applications/science/math/R @peti
|
||||
pkgs/development/r-modules @peti
|
||||
|
||||
# Darwin-related
|
||||
pkgs/stdenv/darwin/* @copumpkin @LnL7
|
||||
pkgs/os-specific/darwin/* @LnL7
|
||||
pkgs/os-specific/darwin/apple-source-releases/* @copumpkin
|
||||
pkgs/stdenv/darwin/* @copumpkin @LnL7
|
||||
pkgs/os-specific/darwin/* @LnL7
|
||||
pkgs/os-specific/darwin/apple-source-releases/* @copumpkin
|
||||
|
||||
# Beam-related (Erlang, Elixir, LFE, etc)
|
||||
pkgs/development/beam-modules/* @gleber
|
||||
pkgs/development/interpreters/erlang/* @gleber
|
||||
pkgs/development/interpreters/lfe/* @gleber
|
||||
pkgs/development/interpreters/elixir/* @gleber
|
||||
pkgs/development/tools/build-managers/rebar/* @gleber
|
||||
pkgs/development/tools/build-managers/rebar3/* @gleber
|
||||
pkgs/development/tools/erlang/* @gleber
|
||||
|
2
.github/CONTRIBUTING.md
vendored
2
.github/CONTRIBUTING.md
vendored
@ -23,7 +23,7 @@ under the terms of [COPYING](../COPYING), which is an MIT-like license.
|
||||
Examples:
|
||||
|
||||
* nginx: init at 2.0.1
|
||||
* firefox: 3.0 -> 3.1.1
|
||||
* firefox: 54.0.1 -> 55.0
|
||||
* nixos/hydra: add bazBaz option
|
||||
|
||||
Dual baz behavior is needed to do foo.
|
||||
|
5
.github/PULL_REQUEST_TEMPLATE.md
vendored
5
.github/PULL_REQUEST_TEMPLATE.md
vendored
@ -5,10 +5,7 @@
|
||||
|
||||
<!-- Please check what applies. Note that these are not hard requirements but merely serve as information for reviewers. -->
|
||||
|
||||
- [ ] Tested using sandboxing
|
||||
([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS,
|
||||
or option `build-use-sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file)
|
||||
on non-NixOS)
|
||||
- [ ] Tested using sandboxing ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS, or option `build-use-sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file) on non-NixOS)
|
||||
- Built on platform(s)
|
||||
- [ ] NixOS
|
||||
- [ ] macOS
|
||||
|
@ -254,7 +254,7 @@ bound to the variable name <varname>e2fsprogs</varname> in
|
||||
dash) — e.g., <literal>"hello-0.3.1rc2"</literal>.</para></listitem>
|
||||
|
||||
<listitem><para>If a package is not a release but a commit from a repository, then
|
||||
the version part of the name <emphasis>must</emphasis> be the date of that
|
||||
the version part of the name <emphasis>must</emphasis> be the date of that
|
||||
(fetched) commit. The date must be in <literal>"YYYY-MM-DD"</literal> format.
|
||||
Also append <literal>"unstable"</literal> to the name - e.g.,
|
||||
<literal>"pkgname-unstable-2014-09-23"</literal>.</para></listitem>
|
||||
@ -365,7 +365,7 @@ splitting up an existing category.</para>
|
||||
<varlistentry>
|
||||
<term>If it’s a (set of) <emphasis>tool(s)</emphasis>:</term>
|
||||
<listitem>
|
||||
<para>(A tool is a relatively small program, especially one intented
|
||||
<para>(A tool is a relatively small program, especially one intended
|
||||
to be used non-interactively.)</para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -456,7 +456,7 @@ splitting up an existing category.</para>
|
||||
<varlistentry>
|
||||
<term>If it’s a <emphasis>window manager</emphasis>:</term>
|
||||
<listitem>
|
||||
<para><filename>applications/window-managers</filename> (e.g. <filename>awesome</filename>, <filename>compiz</filename>, <filename>stumpwm</filename>)</para>
|
||||
<para><filename>applications/window-managers</filename> (e.g. <filename>awesome</filename>, <filename>stumpwm</filename>)</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
<varlistentry>
|
||||
@ -608,7 +608,7 @@ evaluate correctly.</para>
|
||||
</section>
|
||||
<section xml:id="sec-sources"><title>Fetching Sources</title>
|
||||
<para>There are multiple ways to fetch a package source in nixpkgs. The
|
||||
general guidline is that you should package sources with a high degree of
|
||||
general guideline is that you should package sources with a high degree of
|
||||
availability. Right now there is only one fetcher which has mirroring
|
||||
support and that is <literal>fetchurl</literal>. Note that you should also
|
||||
prefer protocols which have a corresponding proxy environment variable.
|
||||
@ -661,9 +661,9 @@ src = fetchFromGitHub {
|
||||
</section>
|
||||
|
||||
<section xml:id="sec-patches"><title>Patches</title>
|
||||
<para>Only patches that are unique to <literal>nixpkgs</literal> should be
|
||||
<para>Only patches that are unique to <literal>nixpkgs</literal> should be
|
||||
included in <literal>nixpkgs</literal> source.</para>
|
||||
<para>Patches available online should be retrieved using
|
||||
<para>Patches available online should be retrieved using
|
||||
<literal>fetchpatch</literal>.</para>
|
||||
<para>
|
||||
<programlisting>
|
||||
|
@ -867,6 +867,67 @@ use the following to get the `scientific` package build with `integer-simple`:
|
||||
nix-build -A haskell.packages.integer-simple.ghc802.scientific
|
||||
```
|
||||
|
||||
### Quality assurance
|
||||
|
||||
The `haskell.lib` library includes a number of functions for checking for
|
||||
various imperfections in Haskell packages. It's useful to apply these functions
|
||||
to your own Haskell packages and integrate that in a Continuous Integration
|
||||
server like [hydra](https://nixos.org/hydra/) to assure your packages maintain a
|
||||
minimum level of quality. This section discusses some of these functions.
|
||||
|
||||
#### failOnAllWarnings
|
||||
|
||||
Applying `haskell.lib.failOnAllWarnings` to a Haskell package enables the
|
||||
`-Wall` and `-Werror` GHC options to turn all warnings into build failures.
|
||||
|
||||
#### buildStrictly
|
||||
|
||||
Applying `haskell.lib.buildStrictly` to a Haskell package calls
|
||||
`failOnAllWarnings` on the given package to turn all warnings into build
|
||||
failures. Additionally the source of your package is gotten from first invoking
|
||||
`cabal sdist` to ensure all needed files are listed in the Cabal file.
|
||||
|
||||
#### checkUnusedPackages
|
||||
|
||||
Applying `haskell.lib.checkUnusedPackages` to a Haskell package invokes
|
||||
the [packunused](http://hackage.haskell.org/package/packunused) tool on the
|
||||
package. `packunused` complains when it finds packages listed as build-depends
|
||||
in the Cabal file which are redundant. For example:
|
||||
|
||||
```
|
||||
$ nix-build -E 'let pkgs = import <nixpkgs> {}; in pkgs.haskell.lib.checkUnusedPackages {} pkgs.haskellPackages.scientific'
|
||||
these derivations will be built:
|
||||
/nix/store/3lc51cxj2j57y3zfpq5i69qbzjpvyci1-scientific-0.3.5.1.drv
|
||||
...
|
||||
detected package components
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
- library
|
||||
- testsuite(s): test-scientific
|
||||
- benchmark(s): bench-scientific*
|
||||
|
||||
(component names suffixed with '*' are not configured to be built)
|
||||
|
||||
library
|
||||
~~~~~~~
|
||||
|
||||
The following package dependencies seem redundant:
|
||||
|
||||
- ghc-prim-0.5.0.0
|
||||
|
||||
testsuite(test-scientific)
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
no redundant packages dependencies found
|
||||
|
||||
builder for ‘/nix/store/3lc51cxj2j57y3zfpq5i69qbzjpvyci1-scientific-0.3.5.1.drv’ failed with exit code 1
|
||||
error: build of ‘/nix/store/3lc51cxj2j57y3zfpq5i69qbzjpvyci1-scientific-0.3.5.1.drv’ failed
|
||||
```
|
||||
|
||||
As you can see, `packunused` finds out that although the testsuite component has
|
||||
no redundant dependencies the library component of `scientific-0.3.5.1` depends
|
||||
on `ghc-prim` which is unused in the library.
|
||||
|
||||
## Other resources
|
||||
|
||||
- The Youtube video [Nix Loves Haskell](https://www.youtube.com/watch?v=BsBhi_r-OeE)
|
||||
|
@ -590,7 +590,7 @@ By default tests are run because `doCheck = true`. Test dependencies, like
|
||||
e.g. the test runner, should be added to `buildInputs`.
|
||||
|
||||
By default `meta.platforms` is set to the same value
|
||||
as the interpreter unless overriden otherwise.
|
||||
as the interpreter unless overridden otherwise.
|
||||
|
||||
##### `buildPythonPackage` parameters
|
||||
|
||||
@ -774,6 +774,21 @@ The `buildPythonPackage` function sets `DETERMINISTIC_BUILD=1` and
|
||||
Both are also exported in `nix-shell`.
|
||||
|
||||
|
||||
### Automatic tests
|
||||
|
||||
It is recommended to test packages as part of the build process.
|
||||
Source distributions (`sdist`) often include test files, but not always.
|
||||
|
||||
By default the command `python setup.py test` is run as part of the
|
||||
`checkPhase`, but often it is necessary to pass a custom `checkPhase`. An
|
||||
example of such a situation is when `py.test` is used.
|
||||
|
||||
#### Common issues
|
||||
|
||||
- Non-working tests can often be deselected. In the case of `py.test`: `py.test -k 'not function_name and not other_function'`.
|
||||
- Unicode issues can typically be fixed by including `glibcLocales` in `buildInputs` and exporting `LC_ALL=en_US.utf-8`.
|
||||
- Tests that attempt to access `$HOME` can be fixed by using the following work-around before running tests (e.g. `preCheck`): `export HOME=$(mktemp -d)`
|
||||
|
||||
## FAQ
|
||||
|
||||
### How to solve circular dependencies?
|
||||
@ -985,8 +1000,9 @@ rec {
|
||||
|
||||
Following rules are desired to be respected:
|
||||
|
||||
* Python libraries are supposed to be called from `python-packages.nix` and packaged with `buildPythonPackage`. The expression of a library should be in `pkgs/development/python-modules/<name>/default.nix`. Libraries in `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid merge conflicts.
|
||||
* Python libraries are called from `python-packages.nix` and packaged with `buildPythonPackage`. The expression of a library should be in `pkgs/development/python-modules/<name>/default.nix`. Libraries in `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid merge conflicts.
|
||||
* Python applications live outside of `python-packages.nix` and are packaged with `buildPythonApplication`.
|
||||
* Make sure libraries build for all Python interpreters.
|
||||
* By default we enable tests. Make sure the tests are found and, in the case of libraries, are passing for all interpreters. If certain tests fail they can be disabled individually. Try to avoid disabling the tests altogether. In any case, when you disable tests, leave a comment explaining why.
|
||||
* Commit names of Python libraries should include `pythonPackages`, for example `pythonPackages.numpy: 1.11 -> 1.12`.
|
||||
* Commit names of Python libraries should reflect that they are Python libraries, so write for example `pythonPackages.numpy: 1.11 -> 1.12`.
|
||||
|
||||
|
@ -17,7 +17,7 @@ into the `environment.systemPackages` or bring them into scope with
|
||||
`nix-shell -p rustStable.rustc -p rustStable.cargo`.
|
||||
|
||||
There are also `rustBeta` and `rustNightly` package sets available.
|
||||
These are not updated very regulary. For daily builds use either rustup from
|
||||
These are not updated very regularly. For daily builds use either rustup from
|
||||
nixpkgs or use the [Rust nightlies overlay](#using-the-rust-nightlies-overlay).
|
||||
|
||||
## Packaging Rust applications
|
||||
|
@ -101,7 +101,7 @@ modulesTree = [kernel]
|
||||
$ nix-env -i ncurses
|
||||
$ export NIX_CFLAGS_LINK=-lncurses
|
||||
$ make menuconfig ARCH=<replaceable>arch</replaceable></screen>
|
||||
|
||||
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
@ -111,9 +111,9 @@ $ make menuconfig ARCH=<replaceable>arch</replaceable></screen>
|
||||
</listitem>
|
||||
|
||||
</orderedlist>
|
||||
|
||||
|
||||
</para>
|
||||
|
||||
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -409,24 +409,24 @@ it. Place the resulting <filename>package.nix</filename> file into
|
||||
<title>Steam in Nix</title>
|
||||
|
||||
<para>
|
||||
Steam is distributed as a <filename>.deb</filename> file, for now only
|
||||
as an i686 package (the amd64 package only has documentation).
|
||||
When unpacked, it has a script called <filename>steam</filename> that
|
||||
Steam is distributed as a <filename>.deb</filename> file, for now only
|
||||
as an i686 package (the amd64 package only has documentation).
|
||||
When unpacked, it has a script called <filename>steam</filename> that
|
||||
in ubuntu (their target distro) would go to <filename>/usr/bin
|
||||
</filename>. When run for the first time, this script copies some
|
||||
files to the user's home, which include another script that is the
|
||||
ultimate responsible for launching the steam binary, which is also
|
||||
</filename>. When run for the first time, this script copies some
|
||||
files to the user's home, which include another script that is the
|
||||
ultimate responsible for launching the steam binary, which is also
|
||||
in $HOME.
|
||||
</para>
|
||||
<para>
|
||||
Nix problems and constraints:
|
||||
<itemizedlist>
|
||||
<listitem><para>We don't have <filename>/bin/bash</filename> and many
|
||||
<listitem><para>We don't have <filename>/bin/bash</filename> and many
|
||||
scripts point there. Similarly for <filename>/usr/bin/python</filename>
|
||||
.</para></listitem>
|
||||
<listitem><para>We don't have the dynamic loader in <filename>/lib
|
||||
</filename>.</para></listitem>
|
||||
<listitem><para>The <filename>steam.sh</filename> script in $HOME can
|
||||
<listitem><para>The <filename>steam.sh</filename> script in $HOME can
|
||||
not be patched, as it is checked and rewritten by steam.</para></listitem>
|
||||
<listitem><para>The steam binary cannot be patched, it's also checked.</para></listitem>
|
||||
</itemizedlist>
|
||||
@ -446,10 +446,10 @@ it. Place the resulting <filename>package.nix</filename> file into
|
||||
<title>How to play</title>
|
||||
|
||||
<para>
|
||||
For 64-bit systems it's important to have
|
||||
<programlisting>hardware.opengl.driSupport32Bit = true;</programlisting>
|
||||
in your <filename>/etc/nixos/configuration.nix</filename>. You'll also need
|
||||
<programlisting>hardware.pulseaudio.support32Bit = true;</programlisting>
|
||||
For 64-bit systems it's important to have
|
||||
<programlisting>hardware.opengl.driSupport32Bit = true;</programlisting>
|
||||
in your <filename>/etc/nixos/configuration.nix</filename>. You'll also need
|
||||
<programlisting>hardware.pulseaudio.support32Bit = true;</programlisting>
|
||||
if you are using PulseAudio - this will enable 32bit ALSA apps integration.
|
||||
To use the Steam controller, you need to add
|
||||
<programlisting>services.udev.extraRules = ''
|
||||
@ -470,23 +470,31 @@ it. Place the resulting <filename>package.nix</filename> file into
|
||||
|
||||
<varlistentry>
|
||||
<term>Steam fails to start. What do I do?</term>
|
||||
<listitem><para>Try to run
|
||||
<listitem><para>Try to run
|
||||
<programlisting>strace steam</programlisting>
|
||||
to see what is causing steam to fail.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Using the FOSS Radeon drivers</term>
|
||||
<term>Using the FOSS Radeon or nouveau (nvidia) drivers</term>
|
||||
<listitem><itemizedlist><listitem><para>
|
||||
The open source radeon drivers need a newer libc++ than is provided
|
||||
by the default runtime, which leads to a crash on launch. Use
|
||||
<programlisting>environment.systemPackages = [(pkgs.steam.override { newStdcpp = true; })];</programlisting>
|
||||
in your config if you get an error like
|
||||
Both the open source radeon drivers as well as the nouveau drivers (nvidia)
|
||||
need a newer libc++ than is provided by the default runtime, which leads to a
|
||||
crash on launch. Use <programlisting>environment.systemPackages =
|
||||
[(pkgs.steam.override { newStdcpp = true; })];</programlisting> in your config
|
||||
if you get an error like
|
||||
<programlisting>
|
||||
libGL error: unable to load driver: radeonsi_dri.so
|
||||
libGL error: driver pointer missing
|
||||
libGL error: failed to load driver: radeonsi
|
||||
libGL error: unable to load driver: swrast_dri.so
|
||||
libGL error: failed to load driver: swrast</programlisting>
|
||||
or
|
||||
<programlisting>
|
||||
libGL error: unable to load driver: nouveau_dri.so
|
||||
libGL error: driver pointer missing
|
||||
libGL error: failed to load driver: nouveau
|
||||
libGL error: unable to load driver: swrast_dri.so
|
||||
libGL error: failed to load driver: swrast</programlisting></para></listitem>
|
||||
<listitem><para>
|
||||
Steam ships statically linked with a version of libcrypto that
|
||||
@ -504,7 +512,7 @@ libGL error: failed to load driver: swrast</programlisting></para></listitem>
|
||||
<listitem><para>
|
||||
There is no java in steam chrootenv by default. If you get a message like
|
||||
<programlisting>/home/foo/.local/share/Steam/SteamApps/common/towns/towns.sh: line 1: java: command not found</programlisting>
|
||||
You need to add
|
||||
You need to add
|
||||
<programlisting> steam.override { withJava = true; };</programlisting>
|
||||
to your configuration.
|
||||
</para></listitem>
|
||||
@ -519,14 +527,14 @@ libGL error: failed to load driver: swrast</programlisting></para></listitem>
|
||||
|
||||
<title>steam-run</title>
|
||||
<para>
|
||||
The FHS-compatible chroot used for steam can also be used to run
|
||||
The FHS-compatible chroot used for steam can also be used to run
|
||||
other linux games that expect a FHS environment.
|
||||
To do it, add
|
||||
To do it, add
|
||||
<programlisting>pkgs.(steam.override {
|
||||
nativeOnly = true;
|
||||
newStdcpp = true;
|
||||
}).run</programlisting>
|
||||
to your configuration, rebuild, and run the game with
|
||||
to your configuration, rebuild, and run the game with
|
||||
<programlisting>steam-run ./foo</programlisting>
|
||||
</para>
|
||||
|
||||
|
@ -78,7 +78,7 @@ Additional information.
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
<command>firefox: 3.0 -> 3.1.1</command>
|
||||
<command>firefox: 54.0.1 -> 55.0</command>
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
@ -223,6 +223,133 @@ Additional information.
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Pull Request Template</title>
|
||||
<para>
|
||||
The pull request template helps determine what steps have been made for a
|
||||
contribution so far, and will help guide maintainers on the status of a
|
||||
change. The motivation section of the PR should include any extra details
|
||||
the title does not address and link any existing issues related to the pull
|
||||
request.
|
||||
</para>
|
||||
<para>When a PR is created, it will be pre-populated with some checkboxes detailed below:
|
||||
</para>
|
||||
<section>
|
||||
<title>Tested using sandboxing</title>
|
||||
<para>
|
||||
When sandbox builds are enabled, Nix will setup an isolated environment
|
||||
for each build process. It is used to remove further hidden dependencies
|
||||
set by the build environment to improve reproducibility. This includes
|
||||
access to the network during the build outside of
|
||||
<function>fetch*</function> functions and files outside the Nix store.
|
||||
Depending on the operating system access to other resources are blocked
|
||||
as well (ex. inter process communication is isolated on Linux); see <link
|
||||
xlink:href="https://nixos.org/nix/manual/#description-45">build-use-sandbox</link>
|
||||
in Nix manual for details.
|
||||
</para>
|
||||
<para>
|
||||
Sandboxing is not enabled by default in Nix due to a small performance
|
||||
hit on each build. In pull requests for <link
|
||||
xlink:href="https://github.com/NixOS/nixpkgs/">nixpkgs</link> people
|
||||
are asked to test builds with sandboxing enabled (see <literal>Tested
|
||||
using sandboxing</literal> in the pull request template) because
|
||||
in<link
|
||||
xlink:href="https://nixos.org/hydra/">https://nixos.org/hydra/</link>
|
||||
sandboxing is also used.
|
||||
</para>
|
||||
<para>
|
||||
Depending if you use NixOS or other platforms you can use one of the
|
||||
following methods to enable sandboxing <emphasis role="bold">before</emphasis> building the package:
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
<emphasis role="bold">Globally enable sandboxing on NixOS</emphasis>:
|
||||
add the following to
|
||||
<filename>configuration.nix</filename>
|
||||
<screen>nix.useSandbox = true;</screen>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<emphasis role="bold">Globally enable sandboxing on non-NixOS platforms</emphasis>:
|
||||
add the following to: <filename>/etc/nix/nix.conf</filename>
|
||||
<screen>build-use-sandbox = true</screen>
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
|
||||
</section>
|
||||
<section>
|
||||
<title>Built on platform(s)</title>
|
||||
<para>
|
||||
Many Nix packages are designed to run on multiple
|
||||
platforms. As such, it's important to let the maintainer know which
|
||||
platforms your changes have been tested on. It's not always practical to
|
||||
test a change on all platforms, and is not required for a pull request to
|
||||
be merged. Only check the systems you tested the build on in this
|
||||
section.
|
||||
</para>
|
||||
</section>
|
||||
<section>
|
||||
<title>Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)</title>
|
||||
<para>
|
||||
Packages with automated tests are much more likely to be merged in a
|
||||
timely fashion because it doesn't require as much manual testing by the
|
||||
maintainer to verify the functionality of the package. If there are
|
||||
existing tests for the package, they should be run to verify your changes
|
||||
do not break the tests. Tests only apply to packages with NixOS modules
|
||||
defined and can only be run on Linux. For more details on writing and
|
||||
running tests, see the <link
|
||||
xlink:href="https://nixos.org/nixos/manual/index.html#sec-nixos-tests">section
|
||||
in the NixOS manual</link>.
|
||||
</para>
|
||||
</section>
|
||||
<section>
|
||||
<title>Tested compilation of all pkgs that depend on this change using <command>nox-review</command></title>
|
||||
<para>
|
||||
If you are updating a package's version, you can use nox to make sure all
|
||||
packages that depend on the updated package still compile correctly. This
|
||||
can be done using the nox utility. The <command>nox-review</command>
|
||||
utility can look for and build all dependencies either based on
|
||||
uncommited changes with the <literal>wip</literal> option or specifying a
|
||||
github pull request number.
|
||||
</para>
|
||||
<para>
|
||||
review uncommitted changes:
|
||||
<screen>nix-shell -p nox --run nox-review wip</screen>
|
||||
</para>
|
||||
<para>
|
||||
review changes from pull request number 12345:
|
||||
<screen>nix-shell -p nox --run nox-review pr 12345</screen>
|
||||
</para>
|
||||
</section>
|
||||
<section>
|
||||
<title>Tested execution of all binary files (usually in <filename>./result/bin/</filename>)</title>
|
||||
<para>
|
||||
It's important to test any executables generated by a build when you
|
||||
change or create a package in nixpkgs. This can be done by looking in
|
||||
<filename>./result/bin</filename> and running any files in there, or at a
|
||||
minimum, the main executable for the package. For example, if you make a change
|
||||
to <package>texlive</package>, you probably would only check the binaries
|
||||
associated with the change you made rather than testing all of them.
|
||||
</para>
|
||||
</section>
|
||||
<section>
|
||||
<title>Meets nixpkgs contribution standards</title>
|
||||
<para>
|
||||
The last checkbox is fits <link
|
||||
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md">CONTRIBUTING.md</link>.
|
||||
The contributing document has detailed information on standards the Nix
|
||||
community has for commit messages, reviews, licensing of contributions
|
||||
you make to the project, etc... Everyone should read and understand the
|
||||
standards the community has for contributing before submitting a pull
|
||||
request.
|
||||
</para>
|
||||
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Hotfixing pull requests</title>
|
||||
|
||||
|
@ -198,7 +198,7 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
|
||||
|
||||
eupl11 = spdx {
|
||||
spdxId = "EUPL-1.1";
|
||||
fullname = "European Union Public License 1.1";
|
||||
fullName = "European Union Public License 1.1";
|
||||
};
|
||||
|
||||
fdl12 = spdx {
|
||||
@ -363,7 +363,7 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
|
||||
};
|
||||
|
||||
miros = {
|
||||
fullname = "MirOS License";
|
||||
fullName = "MirOS License";
|
||||
url = https://opensource.org/licenses/MirOS;
|
||||
};
|
||||
|
||||
|
@ -97,6 +97,7 @@
|
||||
canndrew = "Andrew Cann <shum@canndrew.org>";
|
||||
carlsverre = "Carl Sverre <accounts@carlsverre.com>";
|
||||
casey = "Casey Rodarmor <casey@rodarmor.net>";
|
||||
caugner = "Claas Augner <nixos@caugner.de>";
|
||||
cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
|
||||
cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
|
||||
changlinli = "Changlin Li <mail@changlinli.com>";
|
||||
@ -112,6 +113,7 @@
|
||||
cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
|
||||
cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
|
||||
cmfwyp = "cmfwyp <cmfwyp@riseup.net>";
|
||||
cobbal = "Andrew Cobb <andrew.cobb@gmail.com>";
|
||||
coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
|
||||
codsl = "codsl <codsl@riseup.net>";
|
||||
codyopel = "Cody Opel <codyopel@gmail.com>";
|
||||
@ -210,6 +212,7 @@
|
||||
fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
|
||||
fuzzy-id = "Thomas Bach <hacking+nixos@babibo.de>";
|
||||
fxfactorial = "Edgar Aroutiounian <edgar.factorial@gmail.com>";
|
||||
gabesoft = "Gabriel Adomnicai <gabesoft@gmail.com>";
|
||||
gal_bolle = "Florent Becker <florent.becker@ens-lyon.org>";
|
||||
garbas = "Rok Garbas <rok@garbas.si>";
|
||||
garrison = "Jim Garrison <jim@garrison.cc>";
|
||||
@ -250,6 +253,7 @@
|
||||
igsha = "Igor Sharonov <igor.sharonov@gmail.com>";
|
||||
ikervagyok = "Balázs Lengyel <ikervagyok@gmail.com>";
|
||||
infinisil = "Silvan Mosberger <infinisil@icloud.com>";
|
||||
ironpinguin = "Michele Catalano <michele@catalano.de>";
|
||||
ivan-tkatchev = "Ivan Tkatchev <tkatchev@gmail.com>";
|
||||
j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
|
||||
jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
|
||||
@ -546,6 +550,7 @@
|
||||
smironov = "Sergey Mironov <grrwlf@gmail.com>";
|
||||
snyh = "Xia Bin <snyh@snyh.org>";
|
||||
solson = "Scott Olson <scott@solson.me>";
|
||||
sorpaas = "Wei Tang <hi@that.world>";
|
||||
spacefrogg = "Michael Raitza <spacefrogg-nixos@meterriblecrew.net>";
|
||||
spencerjanssen = "Spencer Janssen <spencerjanssen@gmail.com>";
|
||||
spinus = "Tomasz Czyż <tomasz.czyz@gmail.com>";
|
||||
@ -570,7 +575,9 @@
|
||||
taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>";
|
||||
tari = "Peter Marheine <peter@taricorp.net>";
|
||||
tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
|
||||
ltavard = "Laure Tavard <laure.tavard@univ-grenoble-alpes.fr>";
|
||||
teh = "Tom Hunger <tehunger@gmail.com>";
|
||||
teto = "Matthieu Coudron <mcoudron@hotmail.com>";
|
||||
telotortium = "Robert Irelan <rirelan@gmail.com>";
|
||||
thall = "Niclas Thall <niclas.thall@gmail.com>";
|
||||
thammers = "Tobias Hammerschmidt <jawr@gmx.de>";
|
||||
|
@ -15,8 +15,11 @@ rec {
|
||||
cleanSourceFilter = name: type: let baseName = baseNameOf (toString name); in ! (
|
||||
# Filter out Subversion and CVS directories.
|
||||
(type == "directory" && (baseName == ".git" || baseName == ".svn" || baseName == "CVS" || baseName == ".hg")) ||
|
||||
# Filter out backup files.
|
||||
# Filter out editor backup / swap files.
|
||||
lib.hasSuffix "~" baseName ||
|
||||
builtins.match "^\\.sw[a-z]$" baseName != null ||
|
||||
builtins.match "^\\..*\\.sw[a-z]$" baseName != null ||
|
||||
|
||||
# Filter out generates files.
|
||||
lib.hasSuffix ".o" baseName ||
|
||||
lib.hasSuffix ".so" baseName ||
|
||||
|
@ -26,7 +26,7 @@ in rec {
|
||||
allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all;
|
||||
none = [];
|
||||
|
||||
arm = filterDoubles predicates.isArm32;
|
||||
arm = filterDoubles predicates.isArm;
|
||||
i686 = filterDoubles predicates.isi686;
|
||||
mips = filterDoubles predicates.isMips;
|
||||
x86_64 = filterDoubles predicates.isx86_64;
|
||||
|
@ -11,6 +11,7 @@ rec {
|
||||
PowerPC = { cpu = cpuTypes.powerpc; };
|
||||
x86 = { cpu = { family = "x86"; }; };
|
||||
Arm = { cpu = { family = "arm"; }; };
|
||||
Aarch64 = { cpu = { family = "aarch64"; }; };
|
||||
Mips = { cpu = { family = "mips"; }; };
|
||||
BigEndian = { cpu = { significantByte = significantBytes.bigEndian; }; };
|
||||
LittleEndian = { cpu = { significantByte = significantBytes.littleEndian; }; };
|
||||
@ -28,9 +29,6 @@ rec {
|
||||
Windows = { kernel = kernels.windows; };
|
||||
Cygwin = { kernel = kernels.windows; abi = abis.cygnus; };
|
||||
MinGW = { kernel = kernels.windows; abi = abis.gnu; };
|
||||
|
||||
Arm32 = recursiveUpdate Arm patterns."32bit";
|
||||
Arm64 = recursiveUpdate Arm patterns."64bit";
|
||||
};
|
||||
|
||||
matchAnyAttrs = patterns:
|
||||
|
@ -40,7 +40,7 @@ rec {
|
||||
armv6l = { bits = 32; significantByte = littleEndian; family = "arm"; };
|
||||
armv7a = { bits = 32; significantByte = littleEndian; family = "arm"; };
|
||||
armv7l = { bits = 32; significantByte = littleEndian; family = "arm"; };
|
||||
aarch64 = { bits = 64; significantByte = littleEndian; family = "arm"; };
|
||||
aarch64 = { bits = 64; significantByte = littleEndian; family = "aarch64"; };
|
||||
i686 = { bits = 32; significantByte = littleEndian; family = "x86"; };
|
||||
x86_64 = { bits = 64; significantByte = littleEndian; family = "x86"; };
|
||||
mips64el = { bits = 32; significantByte = littleEndian; family = "mips"; };
|
||||
|
@ -70,6 +70,16 @@ rec {
|
||||
min = x: y: if x < y then x else y;
|
||||
max = x: y: if x > y then x else y;
|
||||
|
||||
/* Integer modulus
|
||||
|
||||
Example:
|
||||
mod 11 10
|
||||
=> 1
|
||||
mod 1 10
|
||||
=> 1
|
||||
*/
|
||||
mod = base: int: base - (int * (builtins.div base int));
|
||||
|
||||
/* Reads a JSON file. */
|
||||
importJSON = path:
|
||||
builtins.fromJSON (builtins.readFile path);
|
||||
|
@ -31,18 +31,21 @@ EVAL_FILE = {
|
||||
|
||||
|
||||
def get_maintainers(attr_name):
|
||||
nixname = attr_name.split('.')
|
||||
meta_json = subprocess.check_output([
|
||||
'nix-instantiate',
|
||||
'--eval',
|
||||
'--strict',
|
||||
'-A',
|
||||
'.'.join(nixname[1:]) + '.meta',
|
||||
EVAL_FILE[nixname[0]],
|
||||
'--json'])
|
||||
meta = json.loads(meta_json)
|
||||
if meta.get('maintainers'):
|
||||
return [MAINTAINERS[name] for name in meta['maintainers'] if MAINTAINERS.get(name)]
|
||||
try:
|
||||
nixname = attr_name.split('.')
|
||||
meta_json = subprocess.check_output([
|
||||
'nix-instantiate',
|
||||
'--eval',
|
||||
'--strict',
|
||||
'-A',
|
||||
'.'.join(nixname[1:]) + '.meta',
|
||||
EVAL_FILE[nixname[0]],
|
||||
'--json'])
|
||||
meta = json.loads(meta_json)
|
||||
if meta.get('maintainers'):
|
||||
return [MAINTAINERS[name] for name in meta['maintainers'] if MAINTAINERS.get(name)]
|
||||
except:
|
||||
return []
|
||||
|
||||
|
||||
@click.command()
|
||||
|
@ -16,7 +16,7 @@ containers.database =
|
||||
{ config =
|
||||
{ config, pkgs, ... }:
|
||||
{ services.postgresql.enable = true;
|
||||
services.postgresql.package = pkgs.postgresql92;
|
||||
services.postgresql.package = pkgs.postgresql96;
|
||||
};
|
||||
};
|
||||
</programlisting>
|
||||
|
@ -113,7 +113,8 @@ manual</link> for the rest.</para>
|
||||
</row>
|
||||
<row>
|
||||
<entry><literal>assert 1 + 1 == 2; "yes!"</literal></entry>
|
||||
<entry>Assertion check (evaluates to <literal>"yes!"</literal>)</entry>
|
||||
<entry>Assertion check (evaluates to <literal>"yes!"</literal>). See <xref
|
||||
linkend="sec-assertions"/> for using assertions in modules</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry><literal>let x = "foo"; y = "bar"; in x + y</literal></entry>
|
||||
|
80
nixos/doc/manual/development/assertions.xml
Normal file
80
nixos/doc/manual/development/assertions.xml
Normal file
@ -0,0 +1,80 @@
|
||||
<section xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
version="5.0"
|
||||
xml:id="sec-assertions">
|
||||
|
||||
<title>Warnings and Assertions</title>
|
||||
|
||||
<para>
|
||||
When configuration problems are detectable in a module, it is a good
|
||||
idea to write an assertion or warning. Doing so provides clear
|
||||
feedback to the user and prevents errors after the build.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Although Nix has the <literal>abort</literal> and
|
||||
<literal>builtins.trace</literal> <link xlink:href="https://nixos.org/nix/manual/#ssec-builtins">functions</link> to perform such tasks,
|
||||
they are not ideally suited for NixOS modules. Instead of these
|
||||
functions, you can declare your warnings and assertions using the
|
||||
NixOS module system.
|
||||
</para>
|
||||
|
||||
<section>
|
||||
|
||||
<title>Warnings</title>
|
||||
|
||||
<para>
|
||||
This is an example of using <literal>warnings</literal>.
|
||||
</para>
|
||||
|
||||
<programlisting>
|
||||
<![CDATA[
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
config = lib.mkIf config.services.foo.enable {
|
||||
warnings =
|
||||
if config.services.foo.bar
|
||||
then [ ''You have enabled the bar feature of the foo service.
|
||||
This is known to cause some specific problems in certain situations.
|
||||
'' ]
|
||||
else [];
|
||||
}
|
||||
}
|
||||
]]>
|
||||
</programlisting>
|
||||
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
||||
<title>Assertions</title>
|
||||
|
||||
|
||||
<para>
|
||||
This example, extracted from the
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-17.09/nixos/modules/services/logging/syslogd.nix">
|
||||
<literal>syslogd</literal> module
|
||||
</link> shows how to use <literal>assertions</literal>. Since there
|
||||
can only be one active syslog daemon at a time, an assertion is useful to
|
||||
prevent such a broken system from being built.
|
||||
</para>
|
||||
|
||||
<programlisting>
|
||||
<![CDATA[
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
config = lib.mkIf config.services.syslogd.enable {
|
||||
assertions =
|
||||
[ { assertion = !config.services.rsyslogd.enable;
|
||||
message = "rsyslogd conflicts with syslogd";
|
||||
}
|
||||
];
|
||||
}
|
||||
}
|
||||
]]>
|
||||
</programlisting>
|
||||
|
||||
</section>
|
||||
|
||||
</section>
|
@ -137,8 +137,8 @@ services.xserver.displayManager.enable = mkOption {
|
||||
};</screen></example>
|
||||
|
||||
<example xml:id='ex-option-declaration-eot-backend-sddm'><title>Extending
|
||||
<literal>services.foo.backend</literal> in the <literal>sddm</literal>
|
||||
module</title>
|
||||
<literal>services.xserver.displayManager.enable</literal> in the
|
||||
<literal>sddm</literal> module</title>
|
||||
<screen>
|
||||
services.xserver.displayManager.enable = mkOption {
|
||||
type = with types; nullOr (enum [ "sddm" ]);
|
||||
|
@ -157,27 +157,26 @@
|
||||
|
||||
<section xml:id='section-option-types-submodule'><title>Submodule</title>
|
||||
|
||||
<para>Submodule is a very powerful type that defines a set of sub-options that
|
||||
are handled like a separate module.
|
||||
It is especially interesting when used with composed types like
|
||||
<literal>attrsOf</literal> or <literal>listOf</literal>.</para>
|
||||
<para><literal>submodule</literal> is a very powerful type that defines a set
|
||||
of sub-options that are handled like a separate module.</para>
|
||||
|
||||
<para>The submodule type take a parameter <replaceable>o</replaceable>, that
|
||||
should be a set, or a function returning a set with an
|
||||
<literal>options</literal> key defining the sub-options.
|
||||
The option set can be defined directly (<xref linkend='ex-submodule-direct'
|
||||
/>) or as reference (<xref linkend='ex-submodule-reference' />).</para>
|
||||
<para>It takes a parameter <replaceable>o</replaceable>, that should be a set,
|
||||
or a function returning a set with an <literal>options</literal> key
|
||||
defining the sub-options.
|
||||
Submodule option definitions are type-checked accordingly to the
|
||||
<literal>options</literal> declarations.
|
||||
Of course, you can nest submodule option definitons for even higher
|
||||
modularity.</para>
|
||||
|
||||
<para>Submodule option definitions are type-checked accordingly to the options
|
||||
declarations. It is possible to declare submodule options inside a submodule
|
||||
sub-options for even higher modularity.</para>
|
||||
<para>The option set can be defined directly
|
||||
(<xref linkend='ex-submodule-direct' />) or as reference
|
||||
(<xref linkend='ex-submodule-reference' />).</para>
|
||||
|
||||
<example xml:id='ex-submodule-direct'><title>Directly defined submodule</title>
|
||||
<screen>
|
||||
options.mod = mkOption {
|
||||
name = "mod";
|
||||
description = "submodule example";
|
||||
type = with types; listOf (submodule {
|
||||
type = with types; submodule {
|
||||
options = {
|
||||
foo = mkOption {
|
||||
type = int;
|
||||
@ -186,10 +185,10 @@ options.mod = mkOption {
|
||||
type = str;
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
};</screen></example>
|
||||
|
||||
<example xml:id='ex-submodule-reference'><title>Submodule defined as a
|
||||
<example xml:id='ex-submodule-reference'><title>Submodule defined as a
|
||||
reference</title>
|
||||
<screen>
|
||||
let
|
||||
@ -206,16 +205,20 @@ let
|
||||
in
|
||||
options.mod = mkOption {
|
||||
description = "submodule example";
|
||||
type = with types; listOf (submodule modOptions);
|
||||
type = with types; submodule modOptions;
|
||||
};</screen></example>
|
||||
|
||||
<section><title>Composed with <literal>listOf</literal></title>
|
||||
|
||||
<para>When composed with <literal>listOf</literal>, submodule allows multiple
|
||||
definitions of the submodule option set.</para>
|
||||
<para>The <literal>submodule</literal> type is especially interesting when
|
||||
used with composed types like <literal>attrsOf</literal> or
|
||||
<literal>listOf</literal>.
|
||||
When composed with <literal>listOf</literal>
|
||||
(<xref linkend='ex-submodule-listof-declaration' />),
|
||||
<literal>submodule</literal> allows multiple definitions of the submodule
|
||||
option set (<xref linkend='ex-submodule-listof-definition' />).</para>
|
||||
|
||||
|
||||
<example xml:id='ex-submodule-listof-declaration'><title>Declaration of a list
|
||||
of submodules</title>
|
||||
nof submodules</title>
|
||||
<screen>
|
||||
options.mod = mkOption {
|
||||
description = "submodule example";
|
||||
@ -239,13 +242,11 @@ config.mod = [
|
||||
{ foo = 2; bar = "two"; }
|
||||
];</screen></example>
|
||||
|
||||
</section>
|
||||
|
||||
|
||||
<section><title>Composed with <literal>attrsOf</literal></title>
|
||||
|
||||
<para>When composed with <literal>attrsOf</literal>, submodule allows multiple
|
||||
named definitions of the submodule option set.</para>
|
||||
<para>When composed with <literal>attrsOf</literal>
|
||||
(<xref linkend='ex-submodule-attrsof-declaration' />),
|
||||
<literal>submodule</literal> allows multiple named definitions of the
|
||||
submodule option set (<xref linkend='ex-submodule-attrsof-definition' />).
|
||||
</para>
|
||||
|
||||
<example xml:id='ex-submodule-attrsof-declaration'><title>Declaration of
|
||||
attribute sets of submodules</title>
|
||||
@ -270,7 +271,6 @@ options.mod = mkOption {
|
||||
config.mod.one = { foo = 1; bar = "one"; };
|
||||
config.mod.two = { foo = 2; bar = "two"; };</screen></example>
|
||||
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section><title>Extending types</title>
|
||||
|
@ -10,7 +10,7 @@
|
||||
<title>Release process</title>
|
||||
|
||||
<para>
|
||||
Going through an example of releasing NixOS 15.09:
|
||||
Going through an example of releasing NixOS 17.09:
|
||||
</para>
|
||||
|
||||
<section xml:id="one-month-before-the-beta">
|
||||
@ -18,13 +18,13 @@
|
||||
<itemizedlist spacing="compact">
|
||||
<listitem>
|
||||
<para>
|
||||
Send an email to nix-dev mailinglist as a warning about upcoming beta "feature freeze" in a month.
|
||||
Send an email to the nix-devel mailinglist as a warning about upcoming beta "feature freeze" in a month.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Discuss with Eelco Dolstra and the community (via IRC, ML) about what will reach the deadline.
|
||||
Any issue or Pull Request targeting the release should have assigned milestone.
|
||||
Any issue or Pull Request targeting the release should be included in the release milestone.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
@ -32,64 +32,6 @@
|
||||
<section xml:id="at-beta-release-time">
|
||||
<title>At beta release time</title>
|
||||
<itemizedlist spacing="compact">
|
||||
<listitem>
|
||||
<para>
|
||||
Rename <literal>rl-unstable.xml</literal> ->
|
||||
<literal>rl-1509.xml</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>git tag -a -m "Release 15.09-beta" 15.09-beta && git push --tags</literal>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
From the master branch run <literal>git checkout -B release-15.09</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/NixOS/nixos-org-configurations/pull/18">
|
||||
Make sure channel is created at http://nixos.org/channels/.
|
||||
</link>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/settings/branches">
|
||||
Lock the branch on github (so developers can’t force push)
|
||||
</link>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790">bump
|
||||
<literal>system.defaultChannel</literal> attribute in
|
||||
<literal>nixos/modules/misc/version.nix</literal></link>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/d6b08acd1ccac0d9d502c4b635e00b04d3387f06">update
|
||||
<literal>versionSuffix</literal> in
|
||||
<literal>nixos/release.nix</literal></link>, use
|
||||
<literal>git log --format=%an|wc -l</literal> to get commit
|
||||
count
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>echo -n "16.03" > .version</literal> in
|
||||
master.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/b8a4095003e27659092892a4708bb3698231a842">pick
|
||||
a new name for unstable branch.</link>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/13559">Create
|
||||
@ -99,26 +41,81 @@
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Use https://lwn.net/Vulnerabilities/ and
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=vulnerabilities&type=Issues">triage vulnerabilities in an issue</link>.
|
||||
<literal>git tag -a -s -m "Release 17.09-beta" 17.09-beta && git push --tags</literal>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Create two Hydra jobsets: release-15.09 and release-15.09-small with <literal>stableBranch</literal> set to false
|
||||
From the master branch run <literal>git checkout -B release-17.09</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/NixOS/nixos-org-configurations/pull/18">
|
||||
Make sure a channel is created at http://nixos.org/channels/.
|
||||
</link>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/settings/branches">
|
||||
Let a GitHub nixpkgs admin lock the branch on github for you.
|
||||
(so developers can’t force push)
|
||||
</link>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790">
|
||||
Bump the <literal>system.defaultChannel</literal> attribute in
|
||||
<literal>nixos/modules/misc/version.nix</literal>
|
||||
</link>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/d6b08acd1ccac0d9d502c4b635e00b04d3387f06">
|
||||
Update <literal>versionSuffix</literal> in
|
||||
<literal>nixos/release.nix</literal></link>, use
|
||||
<literal>git log --format=%an|wc -l</literal> to get the commit
|
||||
count
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>echo -n "18.03" > .version</literal> on
|
||||
master.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/b8a4095003e27659092892a4708bb3698231a842">
|
||||
Pick a new name for the unstable branch.
|
||||
</link>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Create a new release notes file for the upcoming release + 1, in this
|
||||
case <literal>rl-1803.xml</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Create two Hydra jobsets: release-17.09 and release-17.09-small with <literal>stableBranch</literal> set to false.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Edit changelog at
|
||||
<literal>nixos/doc/manual/release-notes/rl-1509.xml</literal>
|
||||
<literal>nixos/doc/manual/release-notes/rl-1709.xml</literal>
|
||||
(double check desktop versions are noted)
|
||||
</para>
|
||||
<itemizedlist spacing="compact">
|
||||
<listitem>
|
||||
<para>
|
||||
Get all new NixOS modules
|
||||
<literal>git diff release-14.12..release-15.09 nixos/modules/module-list.nix|grep ^+</literal>
|
||||
<literal>git diff release-17.03..release-17.09 nixos/modules/module-list.nix|grep ^+</literal>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
@ -130,9 +127,25 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
<section xml:id="during-beta">
|
||||
<title>During Beta</title>
|
||||
<itemizedlist spacing="compact">
|
||||
<listitem>
|
||||
<para>
|
||||
Monitor the master branch for bugfixes and minor updates
|
||||
and cherry-pick them to the release branch.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
<section xml:id="before-the-final-release">
|
||||
<title>Before the final release</title>
|
||||
<itemizedlist spacing="compact">
|
||||
<listitem>
|
||||
<para>
|
||||
Re-check that the release notes are complete.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Release Nix (currently only Eelco Dolstra can do that).
|
||||
|
@ -178,6 +178,7 @@ in {
|
||||
<xi:include href="option-declarations.xml" />
|
||||
<xi:include href="option-types.xml" />
|
||||
<xi:include href="option-def.xml" />
|
||||
<xi:include href="assertions.xml" />
|
||||
<xi:include href="meta-attributes.xml" />
|
||||
<xi:include href="replace-modules.xml" />
|
||||
|
||||
|
@ -176,7 +176,7 @@ following incompatible changes:</para>
|
||||
streamlined. Desktop users should be able to simply set
|
||||
<programlisting>security.grsecurity.enable = true</programlisting> to get
|
||||
a reasonably secure system without having to sacrifice too much
|
||||
functionality. See <xref linkend="sec-grsecurity" /> for documentation
|
||||
functionality.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>Special filesystems, like <literal>/proc</literal>,
|
||||
|
@ -10,6 +10,11 @@
|
||||
has the following highlights: </para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
The GNOME version is now 3.24.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The user handling now keeps track of deallocated UIDs/GIDs. When a user
|
||||
@ -101,6 +106,9 @@ rmdir /var/lib/ipfs/.ipfs
|
||||
<para>
|
||||
The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>.
|
||||
</para>
|
||||
<para>
|
||||
Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
@ -162,6 +170,38 @@ rmdir /var/lib/ipfs/.ipfs
|
||||
Refer to the description of the options for more details.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>compiz</literal> window manager and package was
|
||||
removed. The system support had been broken for several years.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Touchpad support should now be enabled through
|
||||
<literal>libinput</literal> as <literal>synaptics</literal> is
|
||||
now deprecated. See the option
|
||||
<literal>services.xserver.libinput.enable</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
grsecurity/PaX support has been dropped, following upstream's
|
||||
decision to cease free support. See
|
||||
<link xlink:href="https://grsecurity.net/passing_the_baton.php">
|
||||
upstream's announcement</link> for more information.
|
||||
No complete replacement for grsecurity/PaX is available presently.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <literal>gnupg</literal> package used to suffix its programs
|
||||
with <literal>2</literal>, like <command>gpg2</command> and
|
||||
<command>gpgv2</command>. This suffix has since been dropped,
|
||||
and the programs are now simply <command>gpg</command>,
|
||||
<command>gpgv</command>, etc.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Other notable improvements:</para>
|
||||
@ -207,7 +247,7 @@ rmdir /var/lib/ipfs/.ipfs
|
||||
<listitem>
|
||||
<para>
|
||||
Nixpkgs overlays may now be specified with a file as well as a directory. The
|
||||
value of <literal><nixpkgs-overlays></literal> may be a file, and
|
||||
value of <literal><nixpkgs-overlays></literal> may be a file, and
|
||||
<filename>~/.config/nixpkgs/overlays.nix</filename> can be used instead of the
|
||||
<filename>~/.config/nixpkgs/overalys</filename> directory.
|
||||
</para>
|
||||
|
46
nixos/doc/manual/release-notes/rl-1803.xml
Normal file
46
nixos/doc/manual/release-notes/rl-1803.xml
Normal file
@ -0,0 +1,46 @@
|
||||
<section xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
version="5.0"
|
||||
xml:id="sec-release-18.03">
|
||||
|
||||
<title>Release 18.03 (“Impala”, 2018/03/??)</title>
|
||||
|
||||
<para>In addition to numerous new and upgraded packages, this release
|
||||
has the following highlights: </para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The following new services were added since the last release:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>When upgrading from a previous release, please be aware of the
|
||||
following incompatible changes:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Other notable improvements:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
</section>
|
@ -45,19 +45,7 @@ let
|
||||
raw = "img";
|
||||
};
|
||||
|
||||
# Copied from https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/installer/cd-dvd/channel.nix
|
||||
# TODO: factor out more cleanly
|
||||
|
||||
# Do not include these things:
|
||||
# - The '.git' directory
|
||||
# - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
|
||||
# - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
|
||||
filterFn = path: type: let basename = baseNameOf (toString path); in
|
||||
if type == "directory" then basename != ".git"
|
||||
else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
|
||||
else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
|
||||
|
||||
nixpkgs = builtins.filterSource filterFn pkgs.path;
|
||||
nixpkgs = lib.cleanSource pkgs.path;
|
||||
|
||||
channelSources = pkgs.runCommand "nixos-${config.system.nixosVersion}" {} ''
|
||||
mkdir -p $out
|
||||
|
@ -1,3 +1,5 @@
|
||||
# nix-build '<nixpkgs/nixos>' -A config.system.build.novaImage --arg configuration "{ imports = [ ./nixos/maintainers/scripts/openstack/nova-image.nix ]; }"
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
@ -53,7 +53,7 @@ in
|
||||
};
|
||||
|
||||
substitutions = mkOption {
|
||||
type = types.nullOr (types.enum ["free" "combi" "ms"]);
|
||||
type = types.enum ["free" "combi" "ms" "none"];
|
||||
default = "free";
|
||||
description = ''
|
||||
Font substitutions to replace common Type 1 fonts with nicer
|
||||
|
@ -43,7 +43,7 @@ with lib;
|
||||
<literal>"all"</literal> means that all locales supported by
|
||||
Glibc will be installed. A full list of supported locales
|
||||
can be found at <link
|
||||
xlink:href="http://sourceware.org/cgi-bin/cvsweb.cgi/libc/localedata/SUPPORTED?cvsroot=glibc"/>.
|
||||
xlink:href="https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED"/>.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -34,6 +34,7 @@ with lib;
|
||||
networkmanager_openvpn = pkgs.networkmanager_openvpn.override { withGnome = false; };
|
||||
networkmanager_pptp = pkgs.networkmanager_pptp.override { withGnome = false; };
|
||||
networkmanager_vpnc = pkgs.networkmanager_vpnc.override { withGnome = false; };
|
||||
networkmanager_iodine = pkgs.networkmanager_iodine.override { withGnome = false; };
|
||||
pinentry = pkgs.pinentry.override { gtk2 = null; qt4 = null; };
|
||||
};
|
||||
};
|
||||
|
61
nixos/modules/hardware/raid/hpsa.nix
Normal file
61
nixos/modules/hardware/raid/hpsa.nix
Normal file
@ -0,0 +1,61 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
hpssacli = pkgs.stdenv.mkDerivation rec {
|
||||
name = "hpssacli-${version}";
|
||||
version = "2.40-13.0";
|
||||
|
||||
src = pkgs.fetchurl {
|
||||
url = "http://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/${name}_amd64.deb";
|
||||
sha256 = "11w7fwk93lmfw0yya4jpjwdmgjimqxx6412sqa166g1pz4jil4sw";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ pkgs.dpkg ];
|
||||
|
||||
unpackPhase = "dpkg -x $src ./";
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin $out/share/doc $out/share/man
|
||||
mv opt/hp/hpssacli/bld/{hpssascripting,hprmstr,hpssacli} $out/bin/
|
||||
mv opt/hp/hpssacli/bld/*.{license,txt} $out/share/doc/
|
||||
mv usr/man $out/share/
|
||||
|
||||
for file in $out/bin/*; do
|
||||
chmod +w $file
|
||||
patchelf --set-interpreter "$(cat $NIX_BINUTILS/nix-support/dynamic-linker)" \
|
||||
--set-rpath ${lib.makeLibraryPath [ pkgs.stdenv.cc.cc ]} \
|
||||
$file
|
||||
done
|
||||
'';
|
||||
|
||||
dontStrip = true;
|
||||
|
||||
meta = with lib; {
|
||||
description = "HP Smart Array CLI";
|
||||
homepage = http://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/;
|
||||
license = licenses.unfreeRedistributable;
|
||||
platforms = [ "x86_64-linux" ];
|
||||
maintainers = with maintainers; [ volth ];
|
||||
};
|
||||
};
|
||||
in {
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
hardware.raid.HPSmartArray = {
|
||||
enable = mkEnableOption "HP Smart Array kernel modules and CLI utility";
|
||||
};
|
||||
};
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf config.hardware.raid.HPSmartArray.enable {
|
||||
|
||||
boot.initrd.kernelModules = [ "sg" ]; /* hpssacli wants it */
|
||||
boot.initrd.availableKernelModules = [ "hpsa" ];
|
||||
|
||||
environment.systemPackages = [ hpssacli ];
|
||||
};
|
||||
}
|
@ -6,16 +6,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
# Do not include these things:
|
||||
# - The '.git' directory
|
||||
# - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
|
||||
# - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
|
||||
filterFn = path: type: let basename = baseNameOf (toString path); in
|
||||
if type == "directory" then basename != ".git"
|
||||
else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
|
||||
else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
|
||||
|
||||
nixpkgs = builtins.filterSource filterFn pkgs.path;
|
||||
nixpkgs = lib.cleanSource pkgs.path;
|
||||
|
||||
# We need a copy of the Nix expressions for Nixpkgs and NixOS on the
|
||||
# CD. These are installed into the "nixos" channel of the root
|
||||
|
@ -76,7 +76,7 @@ let cfg = config.system.autoUpgrade; in
|
||||
environment = config.nix.envVars //
|
||||
{ inherit (config.environment.sessionVariables) NIX_PATH;
|
||||
HOME = "/root";
|
||||
};
|
||||
} // config.networking.proxy.envVars;
|
||||
|
||||
path = [ pkgs.gnutar pkgs.xz.bin config.nix.package.out ];
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
{
|
||||
x86_64-linux = "/nix/store/avwiw7hb1qckag864sc6ixfxr8qmf94w-nix-1.11.13";
|
||||
i686-linux = "/nix/store/8wv3ms0afw95hzsz4lxzv0nj4w3614z9-nix-1.11.13";
|
||||
x86_64-darwin = "/nix/store/z21lvakv1l7lhasmv5fvaz8mlzxia8k9-nix-1.11.13";
|
||||
x86_64-linux = "/nix/store/xrqssm90gsrnqdn79rpfcs6dwx8597d2-nix-1.11.14";
|
||||
i686-linux = "/nix/store/3vjphivqs2iy6m9yb3bd80nd3518510k-nix-1.11.14";
|
||||
x86_64-darwin = "/nix/store/4j9jacx8mjd4jlj53wvymyhxq7dqyj5d-nix-1.11.14";
|
||||
}
|
||||
|
@ -605,6 +605,9 @@ $bootLoaderConfig
|
||||
# services.xserver.layout = "us";
|
||||
# services.xserver.xkbOptions = "eurosign:e";
|
||||
|
||||
# Enable touchpad support.
|
||||
# services.xserver.libinput.enable = true;
|
||||
|
||||
# Enable the KDE Desktop Environment.
|
||||
# services.xserver.displayManager.sddm.enable = true;
|
||||
# services.xserver.desktopManager.plasma5.enable = true;
|
||||
@ -615,8 +618,11 @@ $bootLoaderConfig
|
||||
# uid = 1000;
|
||||
# };
|
||||
|
||||
# The NixOS release to be compatible with for stateful data such as databases.
|
||||
system.stateVersion = "${\(qw(@nixosRelease@))}";
|
||||
# This value determines the NixOS release with which your system is to be
|
||||
# compatible, in order to avoid breaking some software such as database
|
||||
# servers. You should change this only after NixOS release notes say you
|
||||
# should.
|
||||
system.stateVersion = "${\(qw(@nixosRelease@))}"; # Did you read the comment?
|
||||
|
||||
}
|
||||
EOF
|
||||
|
@ -254,7 +254,6 @@
|
||||
hydra-queue-runner = 235;
|
||||
hydra-www = 236;
|
||||
syncthing = 237;
|
||||
mfi = 238;
|
||||
caddy = 239;
|
||||
taskd = 240;
|
||||
factorio = 241;
|
||||
@ -522,7 +521,6 @@
|
||||
octoprint = 230;
|
||||
radicale = 234;
|
||||
syncthing = 237;
|
||||
#mfi = 238; # unused
|
||||
caddy = 239;
|
||||
taskd = 240;
|
||||
factorio = 241;
|
||||
|
@ -95,7 +95,7 @@ in
|
||||
nixosVersionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId));
|
||||
|
||||
# Note: code names must only increase in alphabetical order.
|
||||
nixosCodeName = "Hummingbird";
|
||||
nixosCodeName = "Impala";
|
||||
};
|
||||
|
||||
# Generate /etc/os-release. See
|
||||
|
@ -43,6 +43,7 @@
|
||||
./hardware/nitrokey.nix
|
||||
./hardware/opengl.nix
|
||||
./hardware/pcmcia.nix
|
||||
./hardware/raid/hpsa.nix
|
||||
./hardware/usb-wwan.nix
|
||||
./hardware/video/amdgpu.nix
|
||||
./hardware/video/amdgpu-pro.nix
|
||||
@ -120,7 +121,6 @@
|
||||
./security/chromium-suid-sandbox.nix
|
||||
./security/dhparams.nix
|
||||
./security/duosec.nix
|
||||
./security/grsecurity.nix
|
||||
./security/hidepid.nix
|
||||
./security/lock-kernel-modules.nix
|
||||
./security/oath.nix
|
||||
@ -204,6 +204,7 @@
|
||||
./services/desktops/gnome3/gnome-online-miners.nix
|
||||
./services/desktops/gnome3/gnome-terminal-server.nix
|
||||
./services/desktops/gnome3/gnome-user-share.nix
|
||||
./services/desktops/gnome3/gpaste.nix
|
||||
./services/desktops/gnome3/gvfs.nix
|
||||
./services/desktops/gnome3/seahorse.nix
|
||||
./services/desktops/gnome3/sushi.nix
|
||||
@ -225,6 +226,7 @@
|
||||
./services/hardware/brltty.nix
|
||||
./services/hardware/freefall.nix
|
||||
./services/hardware/illum.nix
|
||||
./services/hardware/interception-tools.nix
|
||||
./services/hardware/irqbalance.nix
|
||||
./services/hardware/nvidia-optimus.nix
|
||||
./services/hardware/pcscd.nix
|
||||
@ -361,6 +363,7 @@
|
||||
./services/monitoring/prometheus/default.nix
|
||||
./services/monitoring/prometheus/alertmanager.nix
|
||||
./services/monitoring/prometheus/blackbox-exporter.nix
|
||||
./services/monitoring/prometheus/collectd-exporter.nix
|
||||
./services/monitoring/prometheus/fritzbox-exporter.nix
|
||||
./services/monitoring/prometheus/json-exporter.nix
|
||||
./services/monitoring/prometheus/nginx-exporter.nix
|
||||
@ -456,7 +459,6 @@
|
||||
./services/networking/lldpd.nix
|
||||
./services/networking/logmein-hamachi.nix
|
||||
./services/networking/mailpile.nix
|
||||
./services/networking/mfi.nix
|
||||
./services/networking/mjpg-streamer.nix
|
||||
./services/networking/minidlna.nix
|
||||
./services/networking/miniupnpd.nix
|
||||
@ -549,7 +551,6 @@
|
||||
./services/security/fail2ban.nix
|
||||
./services/security/fprintd.nix
|
||||
./services/security/fprot.nix
|
||||
./services/security/frandom.nix
|
||||
./services/security/haka.nix
|
||||
./services/security/haveged.nix
|
||||
./services/security/hologram-server.nix
|
||||
@ -587,6 +588,7 @@
|
||||
./services/web-apps/frab.nix
|
||||
./services/web-apps/mattermost.nix
|
||||
./services/web-apps/nixbot.nix
|
||||
./services/web-apps/nexus.nix
|
||||
./services/web-apps/pgpkeyserver-lite.nix
|
||||
./services/web-apps/piwik.nix
|
||||
./services/web-apps/pump.io.nix
|
||||
@ -630,7 +632,6 @@
|
||||
./services/x11/redshift.nix
|
||||
./services/x11/urxvtd.nix
|
||||
./services/x11/window-managers/awesome.nix
|
||||
#./services/x11/window-managers/compiz.nix
|
||||
./services/x11/window-managers/default.nix
|
||||
./services/x11/window-managers/fluxbox.nix
|
||||
./services/x11/window-managers/icewm.nix
|
||||
@ -680,6 +681,7 @@
|
||||
./tasks/cpu-freq.nix
|
||||
./tasks/encrypted-devices.nix
|
||||
./tasks/filesystems.nix
|
||||
./tasks/filesystems/bcachefs.nix
|
||||
./tasks/filesystems/btrfs.nix
|
||||
./tasks/filesystems/cifs.nix
|
||||
./tasks/filesystems/exfat.nix
|
||||
|
@ -8,7 +8,7 @@
|
||||
enable = true;
|
||||
displayManager.sddm.enable = true;
|
||||
desktopManager.plasma5.enable = true;
|
||||
synaptics.enable = true; # for touchpad support on many laptops
|
||||
libinput.enable = true; # for touchpad support on many laptops
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.glxinfo ];
|
||||
|
@ -25,6 +25,13 @@ with lib;
|
||||
"nohibernate"
|
||||
];
|
||||
|
||||
boot.blacklistedKernelModules = [
|
||||
# Obscure network protocols
|
||||
"ax25"
|
||||
"netrom"
|
||||
"rose"
|
||||
];
|
||||
|
||||
# Restrict ptrace() usage to processes with a pre-defined relationship
|
||||
# (e.g., parent/child)
|
||||
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
|
||||
@ -65,4 +72,14 @@ with lib;
|
||||
# Note: mmap_rnd_compat_bits may not exist on 64bit.
|
||||
boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
|
||||
boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
|
||||
|
||||
# Allowing users to mmap() memory starting at virtual address 0 can turn a
|
||||
# NULL dereference bug in the kernel into code execution with elevated
|
||||
# privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory
|
||||
# space. This breaks applications that require mapping the 0 page, such as
|
||||
# dosemu or running 16bit applications under wine. It also breaks older
|
||||
# versions of qemu.
|
||||
#
|
||||
# The value is taken from the KSPP recommendations (Debian uses 4096).
|
||||
boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
|
||||
}
|
||||
|
@ -28,7 +28,7 @@ with lib;
|
||||
services.nixosManual.showManual = true;
|
||||
|
||||
# Let the user play Rogue on TTY 8 during the installation.
|
||||
services.rogue.enable = true;
|
||||
#services.rogue.enable = true;
|
||||
|
||||
# Disable some other stuff we don't need.
|
||||
security.sudo.enable = false;
|
||||
|
@ -169,12 +169,12 @@ in
|
||||
"source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh"
|
||||
}
|
||||
|
||||
${zshAliases}
|
||||
|
||||
${cfge.interactiveShellInit}
|
||||
|
||||
${cfg.interactiveShellInit}
|
||||
|
||||
${zshAliases}
|
||||
|
||||
${cfg.promptInit}
|
||||
|
||||
# Read system-wide modifications.
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ lib, ... }:
|
||||
{ lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
@ -14,6 +14,10 @@ with lib;
|
||||
(mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ])
|
||||
|
||||
(mkRenamedOptionModule [ "services" "cadvisor" "host" ] [ "services" "cadvisor" "listenAddress" ])
|
||||
(mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ]
|
||||
(config:
|
||||
let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config;
|
||||
in if enabled then [ pkgs.gutenprint ] else [ ]))
|
||||
(mkRenamedOptionModule [ "services" "elasticsearch" "host" ] [ "services" "elasticsearch" "listenAddress" ])
|
||||
(mkRenamedOptionModule [ "services" "graphite" "api" "host" ] [ "services" "graphite" "api" "listenAddress" ])
|
||||
(mkRenamedOptionModule [ "services" "graphite" "web" "host" ] [ "services" "graphite" "web" "listenAddress" ])
|
||||
@ -120,26 +124,6 @@ with lib;
|
||||
(mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ])
|
||||
(mkRemovedOptionModule [ "services" "iodined" "client" ] "")
|
||||
|
||||
# Grsecurity
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ] "")
|
||||
(mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ] "")
|
||||
|
||||
# Unity3D
|
||||
(mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
|
||||
|
||||
|
@ -19,9 +19,6 @@ in
|
||||
|
||||
Also, if the URL chrome://sandbox tells you that "You are not adequately
|
||||
sandboxed!", turning this on might resolve the issue.
|
||||
|
||||
Finally, if you have <option>security.grsecurity</option> enabled and you
|
||||
use Chromium, you probably need this.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -1,169 +0,0 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.security.grsecurity;
|
||||
grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";
|
||||
|
||||
# Ascertain whether NixOS container support is required
|
||||
containerSupportRequired =
|
||||
config.boot.enableContainers && config.containers != {};
|
||||
in
|
||||
|
||||
{
|
||||
meta = {
|
||||
maintainers = with maintainers; [ ];
|
||||
doc = ./grsecurity.xml;
|
||||
};
|
||||
|
||||
options.security.grsecurity = {
|
||||
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Enable grsecurity/PaX.
|
||||
'';
|
||||
};
|
||||
|
||||
lockTunables = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to automatically lock grsecurity tunables
|
||||
(<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>). Disable
|
||||
this to allow runtime configuration of grsecurity features. Activate
|
||||
the <literal>grsec-lock</literal> service unit to prevent further
|
||||
configuration until the next reboot.
|
||||
'';
|
||||
};
|
||||
|
||||
disableEfiRuntimeServices = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to disable access to EFI runtime services. Enabling EFI runtime
|
||||
services creates a venue for code injection attacks on the kernel and
|
||||
should be disabled if at all possible. Changing this option enters into
|
||||
effect upon reboot.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
|
||||
|
||||
boot.kernelParams = [ "grsec_sysfs_restrict=0" ]
|
||||
++ optional cfg.disableEfiRuntimeServices "noefi";
|
||||
|
||||
nixpkgs.config.grsecurity = true;
|
||||
|
||||
# Install PaX related utillities into the system profile.
|
||||
environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ];
|
||||
|
||||
# Install rules for the grsec device node
|
||||
services.udev.packages = [ pkgs.gradm ];
|
||||
|
||||
# This service unit is responsible for locking the grsecurity tunables. The
|
||||
# unit is always defined, but only activated on bootup if lockTunables is
|
||||
# toggled. When lockTunables is toggled, failure to activate the unit will
|
||||
# enter emergency mode. The intent is to make it difficult to silently
|
||||
# enter multi-user mode without having locked the tunables. Some effort is
|
||||
# made to ensure that starting the unit is an idempotent operation.
|
||||
systemd.services.grsec-lock = {
|
||||
description = "Lock grsecurity tunables";
|
||||
|
||||
wantedBy = optional cfg.lockTunables "multi-user.target";
|
||||
|
||||
wants = [ "local-fs.target" "systemd-sysctl.service" ];
|
||||
after = [ "local-fs.target" "systemd-sysctl.service" ];
|
||||
conflicts = [ "shutdown.target" ];
|
||||
|
||||
restartIfChanged = false;
|
||||
|
||||
script = ''
|
||||
if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then
|
||||
echo -n 1 > ${grsecLockPath}
|
||||
fi
|
||||
'';
|
||||
|
||||
unitConfig = {
|
||||
ConditionPathIsReadWrite = grsecLockPath;
|
||||
DefaultDependencies = false;
|
||||
} // optionalAttrs cfg.lockTunables {
|
||||
OnFailure = "emergency.target";
|
||||
};
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
};
|
||||
|
||||
# Configure system tunables
|
||||
boot.kernel.sysctl = {
|
||||
# Read-only under grsecurity
|
||||
"kernel.kptr_restrict" = mkForce null;
|
||||
|
||||
# All grsec tunables default to off, those not enabled below are
|
||||
# *disabled*. We use mkDefault to allow expert users to override
|
||||
# our choices, but use mkForce where tunables would outright
|
||||
# conflict with other settings.
|
||||
|
||||
# Enable all chroot restrictions by default (overwritten as
|
||||
# necessary below)
|
||||
"kernel.grsecurity.chroot_caps" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_chmod" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_chroot" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_mknod" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_mount" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_pivot" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_shmat" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_unix" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_findtask" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_restrict_nice" = mkDefault 1;
|
||||
|
||||
# Enable various grsec protections
|
||||
"kernel.grsecurity.consistent_setxid" = mkDefault 1;
|
||||
"kernel.grsecurity.deter_bruteforce" = mkDefault 1;
|
||||
"kernel.grsecurity.fifo_restrictions" = mkDefault 1;
|
||||
"kernel.grsecurity.harden_ipc" = mkDefault 1;
|
||||
"kernel.grsecurity.harden_ptrace" = mkDefault 1;
|
||||
"kernel.grsecurity.harden_tty" = mkDefault 1;
|
||||
"kernel.grsecurity.ip_blackhole" = mkDefault 1;
|
||||
"kernel.grsecurity.linking_restrictions" = mkDefault 1;
|
||||
"kernel.grsecurity.ptrace_readexec" = mkDefault 1;
|
||||
|
||||
# Enable auditing
|
||||
"kernel.grsecurity.audit_ptrace" = mkDefault 1;
|
||||
"kernel.grsecurity.forkfail_logging" = mkDefault 1;
|
||||
"kernel.grsecurity.rwxmap_logging" = mkDefault 1;
|
||||
"kernel.grsecurity.signal_logging" = mkDefault 1;
|
||||
"kernel.grsecurity.timechange_logging" = mkDefault 1;
|
||||
} // optionalAttrs config.nix.useSandbox {
|
||||
# chroot(2) restrictions that conflict with sandboxed Nix builds
|
||||
"kernel.grsecurity.chroot_caps" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
|
||||
} // optionalAttrs containerSupportRequired {
|
||||
# chroot(2) restrictions that conflict with NixOS lightweight containers
|
||||
"kernel.grsecurity.chroot_caps" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
|
||||
# Disable privileged IO by default, unless X is enabled
|
||||
} // optionalAttrs (!config.services.xserver.enable) {
|
||||
"kernel.grsecurity.disable_priv_io" = mkDefault 1;
|
||||
};
|
||||
|
||||
};
|
||||
}
|
@ -1,385 +0,0 @@
|
||||
<chapter xmlns="http://docbook.org/ns/docbook"
|
||||
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||||
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||||
version="5.0"
|
||||
xml:id="sec-grsecurity">
|
||||
|
||||
<title>Grsecurity/PaX</title>
|
||||
|
||||
<para>
|
||||
Grsecurity/PaX is a set of patches against the Linux kernel that
|
||||
implements an extensive suite of
|
||||
<link xlink:href="https://grsecurity.net/features.php">features</link>
|
||||
designed to increase the difficulty of exploiting kernel and
|
||||
application bugs.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The NixOS grsecurity/PaX module is designed with casual users in mind and is
|
||||
intended to be compatible with normal desktop usage, without
|
||||
<emphasis>unnecessarily</emphasis> compromising security. The
|
||||
following sections describe the configuration and administration of
|
||||
a grsecurity/PaX enabled NixOS system. For more comprehensive
|
||||
coverage, please refer to the
|
||||
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
|
||||
and the
|
||||
<link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
|
||||
Linux wiki page on grsecurity</link>.
|
||||
|
||||
<warning><para>Upstream has ceased free support for grsecurity/PaX. See
|
||||
<link xlink:href="https://grsecurity.net/passing_the_baton.php">
|
||||
the announcement</link> for more information. Consequently, NixOS
|
||||
support for grsecurity/PaX also must cease. Enabling this module will
|
||||
result in a build error.</para></warning>
|
||||
<note><para>We standardise on a desktop oriented configuration primarily due
|
||||
to lack of resources. The grsecurity/PaX configuration state space is huge
|
||||
and each configuration requires quite a bit of testing to ensure that the
|
||||
resulting packages work as advertised. Defining additional package sets
|
||||
would likely result in a large number of functionally broken packages, to
|
||||
nobody's benefit.</para></note>
|
||||
</para>
|
||||
|
||||
<sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
|
||||
|
||||
<para>
|
||||
To make use of grsecurity/PaX on NixOS, add the following to your
|
||||
<filename>configuration.nix</filename>:
|
||||
<programlisting>
|
||||
security.grsecurity.enable = true;
|
||||
</programlisting>
|
||||
followed by
|
||||
<programlisting>
|
||||
# nixos-rebuild boot
|
||||
# reboot
|
||||
</programlisting>
|
||||
<note><para>
|
||||
Enabling the grsecurity module overrides
|
||||
<option>boot.kernelPackages</option>, to reduce the risk of
|
||||
misconfiguration. <xref linkend="sec-grsec-custom-kernel" />
|
||||
describes how to use a custom kernel package set.
|
||||
</para></note>
|
||||
|
||||
For most users, further configuration should be unnecessary. All users
|
||||
are encouraged to look over <xref linkend="sec-grsec-security" /> before
|
||||
using the system, however. If you experience problems, please refer to
|
||||
<xref linkend="sec-grsec-issues" />.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Once booted into the new system, you can optionally use
|
||||
<command>paxtest</command> to exercise various PaX features:
|
||||
<screen><![CDATA[
|
||||
# nix-shell -p paxtest --command 'paxtest blackhat'
|
||||
Executable anonymous mapping : Killed
|
||||
Executable bss : Killed
|
||||
# ... remaining output truncated for brevity
|
||||
]]></screen>
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
|
||||
<sect1 xml:id="sec-grsec-declarative-tuning"><title>Declarative tuning</title>
|
||||
|
||||
<para>
|
||||
The default configuration mode is strictly declarative. Some features
|
||||
simply cannot be changed at all after boot, while others are locked once the
|
||||
system is up and running. Moreover, changes to the configuration enter
|
||||
into effect only upon booting into the new system.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The NixOS module exposes a limited number of options for tuning the behavior
|
||||
of grsecurity/PaX. These are options thought to be of particular interest
|
||||
to most users. For experts, further tuning is possible via
|
||||
<option>boot.kernelParams</option> (see
|
||||
<xref linkend="sec-grsec-kernel-params" />) and
|
||||
<option>boot.kernel.sysctl."kernel.grsecurity.*"</option> (the wikibook
|
||||
contains an <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Sysctl_Options">
|
||||
exhaustive listing of grsecurity sysctl tunables</link>).
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
|
||||
<sect1 xml:id="sec-grsec-manual-tuning"><title>Manual tuning</title>
|
||||
|
||||
<para>
|
||||
To permit manual tuning of grsecurity runtime parameters, set:
|
||||
<programlisting>
|
||||
security.grsecurity.lockTunables = false;
|
||||
</programlisting>
|
||||
Once booted into this system, grsecurity features that have a corresponding
|
||||
sysctl tunable can be changed without rebooting, either by switching into
|
||||
a new system profile or via the <command>sysctl</command> utility.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
To lock all grsecurity tunables until the next boot, do:
|
||||
<screen>
|
||||
# systemctl start grsec-lock
|
||||
</screen>
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
|
||||
<sect1 xml:id="sec-grsec-security"><title>Security considerations</title>
|
||||
|
||||
<para>
|
||||
The NixOS kernel is built using upstream's recommended settings for a
|
||||
desktop deployment that generally favours security over performance. This
|
||||
section details deviations from upstream's recommendations that may
|
||||
compromise security.
|
||||
|
||||
<warning><para>There may be additional problems not covered here!</para>
|
||||
</warning>
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
|
||||
<listitem><para>
|
||||
The following hardening features are disabled in the NixOS kernel:
|
||||
<itemizedlist>
|
||||
<listitem><para>Kernel symbol hiding: rendered useless by redistributing
|
||||
kernel objects.</para></listitem>
|
||||
|
||||
<listitem><para>Randomization of kernel structures: rendered useless by
|
||||
redistributing kernel objects.</para></listitem>
|
||||
|
||||
<listitem><para>TCP simultaneous OPEN connection is permitted: breaking
|
||||
strict TCP conformance is inappropriate for a general purpose kernel.
|
||||
The trade-off is that an attacker may be able to deny outgoing
|
||||
connections if they are able to guess the source port allocated by your
|
||||
OS for that connection <emphasis>and</emphasis> also manage to initiate
|
||||
a TCP simultaneous OPEN on that port before the connection is actually
|
||||
established.</para></listitem>
|
||||
|
||||
<listitem><para>Trusted path execution: a desirable feature, but
|
||||
requires some more work to operate smoothly on NixOS.</para></listitem>
|
||||
</itemizedlist>
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The NixOS module conditionally weakens <command>chroot</command>
|
||||
restrictions to accommodate NixOS lightweight containers and sandboxed Nix
|
||||
builds. This can be problematic if the deployment also runs privileged
|
||||
network facing processes that <emphasis>rely</emphasis> on
|
||||
<command>chroot</command> for isolation.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The NixOS kernel is patched to allow usermode helpers from anywhere in the
|
||||
Nix store. A usermode helper is an executable called by the kernel in
|
||||
certain circumstances, e.g., <command>modprobe</command>. Vanilla
|
||||
grsecurity only allows usermode helpers from paths typically owned by the
|
||||
super user. The NixOS kernel allows an attacker to inject malicious code
|
||||
into the Nix store which could then be executed by the kernel as a
|
||||
usermode helper.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The following features are disabled because they overlap with
|
||||
vanilla kernel mechanisms:
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para><filename class="directory">/proc</filename> hardening:
|
||||
use <option>security.hideProcessInformation</option> instead. This
|
||||
trades weaker protection for greater compatibility.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para><command>dmesg</command> restrictions:
|
||||
use <option>boot.kernel.sysctl."kernel.dmesg_restrict"</option> instead
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
</para></listitem>
|
||||
|
||||
</itemizedlist>
|
||||
|
||||
</sect1>
|
||||
|
||||
<sect1 xml:id="sec-grsec-custom-kernel"><title>Using a custom grsecurity/PaX kernel</title>
|
||||
|
||||
<para>
|
||||
The NixOS kernel is likely to be either too permissive or too restrictive
|
||||
for many deployment scenarios. In addition to producing a kernel more
|
||||
suitable for a particular deployment, a custom kernel may improve security
|
||||
by depriving an attacker the ability to study the kernel object code, adding
|
||||
yet more guesswork to successfully carry out certain exploits.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
To build a custom kernel using upstream's recommended settings for server
|
||||
deployments, while still using the NixOS module:
|
||||
<programlisting>
|
||||
nixpkgs.config.packageOverrides = super: {
|
||||
linux_grsec_nixos = super.linux_grsec_nixos.override {
|
||||
extraConfig = ''
|
||||
GRKERNSEC_CONFIG_AUTO y
|
||||
GRKERNSEC_CONFIG_SERVER y
|
||||
GRKERNSEC_CONFIG_SECURITY y
|
||||
'';
|
||||
};
|
||||
};
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The grsecurity/PaX wikibook provides an exhaustive listing of
|
||||
<link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The NixOS module makes several assumptions about the kernel and so
|
||||
may be incompatible with your customised kernel. Currently, the only way
|
||||
to work around these incompatibilities is to eschew the NixOS
|
||||
module.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If not using the NixOS module, a custom grsecurity package set can
|
||||
be specified inline instead, as in
|
||||
<programlisting>
|
||||
boot.kernelPackages =
|
||||
let
|
||||
kernel = pkgs.linux_grsec_nixos.override {
|
||||
extraConfig = /* as above */;
|
||||
};
|
||||
self = pkgs.linuxPackagesFor kernel self;
|
||||
in self;
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
|
||||
<sect1 xml:id="sec-grsec-pax-flags"><title>Per-executable PaX flags</title>
|
||||
|
||||
<para>
|
||||
Manual tuning of per-file PaX flags for executables in the Nix store is
|
||||
impossible on a properly configured system. If a package in Nixpkgs fails
|
||||
due to PaX, that is a bug in the package recipe and should be reported to
|
||||
the maintainer (including relevant <command>dmesg</command> output).
|
||||
</para>
|
||||
|
||||
<para>
|
||||
For executables installed outside of the Nix store, PaX flags can be set
|
||||
using the <command>paxctl</command> utility:
|
||||
<programlisting>
|
||||
paxctl -czem <replaceable>foo</replaceable>
|
||||
</programlisting>
|
||||
|
||||
<warning>
|
||||
<para><command>paxctl</command> overwrites files in-place.</para>
|
||||
</warning>
|
||||
|
||||
Equivalently, on file systems that support extended attributes:
|
||||
<programlisting>
|
||||
setfattr -n user.pax.flags -v em <replaceable>foo</replaceable>
|
||||
</programlisting>
|
||||
|
||||
<!-- TODO: PaX flags via RBAC policy -->
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
|
||||
<sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>:
|
||||
consequently, unprivileged namespaces are unsupported. Applications that
|
||||
rely on namespaces for sandboxing must use a privileged helper. For chromium
|
||||
there is <option>security.chromiumSuidSandbox.enable</option>.</para></listitem>
|
||||
|
||||
<listitem><para>Access to EFI runtime services is disabled by default:
|
||||
this plugs a potential code injection attack vector; use
|
||||
<option>security.grsecurity.disableEfiRuntimeServices</option> to override
|
||||
this behavior.</para></listitem>
|
||||
|
||||
<listitem><para>User initiated autoloading of modules (e.g., when
|
||||
using fuse or loop devices) is disallowed; either load requisite modules
|
||||
as root or add them to <option>boot.kernelModules</option>.</para></listitem>
|
||||
|
||||
<listitem><para>Virtualization: KVM is the preferred virtualization
|
||||
solution. Xen, Virtualbox, and VMWare are
|
||||
<emphasis>unsupported</emphasis> and most likely require a custom kernel.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
Attaching <command>gdb</command> to a running process is disallowed by
|
||||
default: unprivileged users can only ptrace processes that are children of
|
||||
the ptracing process. To relax this restriction, set
|
||||
<programlisting>
|
||||
boot.kernel.sysctl."kernel.grsecurity.harden_ptrace" = 0;
|
||||
</programlisting>
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
Overflows in boot critical code (e.g., the root filesystem module) can
|
||||
render the system unbootable. Work around by setting
|
||||
<programlisting>
|
||||
boot.kernelParams = [ "pax_size_overflow_report_only" ];
|
||||
</programlisting>
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The <citerefentry><refentrytitle>modify_ldt
|
||||
</refentrytitle><manvolnum>2</manvolnum></citerefentry> syscall is disabled
|
||||
by default. This restriction can interfere with programs designed to run
|
||||
legacy 16-bit or segmented 32-bit code. To support applications that rely
|
||||
on this syscall, set
|
||||
<programlisting>
|
||||
boot.kernel.sysctl."kernel.modify_ldt" = 1;
|
||||
</programlisting>
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The gitlab service (<xref linkend="module-services-gitlab" />)
|
||||
requires a variant of the <literal>ruby</literal> interpreter
|
||||
built without `mprotect()` hardening, as in
|
||||
<programlisting>
|
||||
services.gitlab.packages.gitlab = pkgs.gitlab.override {
|
||||
ruby = pkgs.ruby.overrideAttrs (attrs: {
|
||||
postFixup = "paxmark m $out/bin/ruby";
|
||||
});
|
||||
};
|
||||
</programlisting>
|
||||
</para></listitem>
|
||||
|
||||
</itemizedlist>
|
||||
|
||||
</sect1>
|
||||
|
||||
<sect1 xml:id="sec-grsec-kernel-params"><title>Grsecurity/PaX kernel parameters</title>
|
||||
|
||||
<para>
|
||||
The NixOS kernel supports the following kernel command line parameters:
|
||||
<itemizedlist>
|
||||
<listitem><para>
|
||||
<literal>pax_nouderef</literal>: disable UDEREF (separate kernel and
|
||||
user address spaces).
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
<literal>pax_weakuderef</literal>: enable a faster but
|
||||
weaker variant of UDEREF on 64-bit processors with PCID support
|
||||
(check <code>grep pcid /proc/cpuinfo</code>).
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
<literal>pax_sanitize_slab={off|fast|full}</literal>: control kernel
|
||||
slab object sanitization. Defaults to <literal>fast</literal>
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
<literal>pax_size_overflow_report_only</literal>: log size overflow
|
||||
violations but leave the violating task running
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
<literal>grsec_sysfs_restrict=[0|1]</literal>: toggle sysfs
|
||||
restrictions. The NixOS module sets this to <literal>0</literal>
|
||||
for systemd compatibility
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
|
||||
</chapter>
|
@ -27,7 +27,13 @@ in
|
||||
noDestroy = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Does all changes to the filesystem except destroy";
|
||||
description = "Does all changes to the filesystem except destroy.";
|
||||
};
|
||||
|
||||
autoCreation = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Automatically create the dataset on dest if it does not exists.";
|
||||
};
|
||||
};
|
||||
};
|
||||
@ -44,7 +50,7 @@ in
|
||||
path = with pkgs; [ zfs mbuffer openssh ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.znapzend}/bin/znapzend --logto=${cfg.logTo} --loglevel=${cfg.logLevel} ${optionalString cfg.noDestroy "--nodestroy"}";
|
||||
ExecStart = "${pkgs.znapzend}/bin/znapzend --logto=${cfg.logTo} --loglevel=${cfg.logLevel} ${optionalString cfg.noDestroy "--nodestroy"} ${optionalString cfg.autoCreation "--autoCreation"}";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
Restart = "on-failure";
|
||||
};
|
||||
|
@ -96,10 +96,21 @@ in
|
||||
example = literalExample "pkgs.gitlab-runner_1_11";
|
||||
};
|
||||
|
||||
packages = mkOption {
|
||||
default = [ pkgs.bash pkgs.docker-machine ];
|
||||
defaultText = "[ pkgs.bash pkgs.docker-machine ]";
|
||||
type = types.listOf types.package;
|
||||
description = ''
|
||||
Packages to add to PATH for the gitlab-runner process.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.gitlab-runner = {
|
||||
path = cfg.packages;
|
||||
environment = config.networking.proxy.envVars;
|
||||
description = "Gitlab Runner";
|
||||
after = [ "network.target" ]
|
||||
++ optional hasDocker "docker.service";
|
||||
|
@ -270,8 +270,8 @@ in
|
||||
|
||||
${optionalString haveLocalDB ''
|
||||
if ! [ -e ${baseDir}/.db-created ]; then
|
||||
${config.services.postgresql.package}/bin/createuser hydra
|
||||
${config.services.postgresql.package}/bin/createdb -O hydra hydra
|
||||
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createuser hydra
|
||||
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createdb -O hydra hydra
|
||||
touch ${baseDir}/.db-created
|
||||
fi
|
||||
''}
|
||||
|
@ -108,10 +108,13 @@ in
|
||||
|
||||
initialDatabases = mkOption {
|
||||
default = [];
|
||||
description = "List of database names and their initial schemas that should be used to create databases on the first startup of MySQL";
|
||||
description = ''
|
||||
List of database names and their initial schemas that should be used to create databases on the first startup
|
||||
of MySQL. The schema attribute is optional: If not specified, an empty database is created.
|
||||
'';
|
||||
example = [
|
||||
{ name = "foodatabase"; schema = literalExample "./foodatabase.sql"; }
|
||||
{ name = "bardatabase"; schema = literalExample "./bardatabase.sql"; }
|
||||
{ name = "bardatabase"; }
|
||||
];
|
||||
};
|
||||
|
||||
@ -247,6 +250,8 @@ in
|
||||
if ! test -e "${cfg.dataDir}/${database.name}"; then
|
||||
echo "Creating initial database: ${database.name}"
|
||||
( echo "create database ${database.name};"
|
||||
|
||||
${optionalString (database ? "schema") ''
|
||||
echo "use ${database.name};"
|
||||
|
||||
if [ -f "${database.schema}" ]
|
||||
@ -256,6 +261,7 @@ in
|
||||
then
|
||||
cat ${database.schema}/mysql-databases/*.sql
|
||||
fi
|
||||
''}
|
||||
) | ${mysql}/bin/mysql -u root -N
|
||||
fi
|
||||
'') cfg.initialDatabases}
|
||||
|
@ -38,9 +38,6 @@ let
|
||||
|
||||
pre84 = versionOlder (builtins.parseDrvName postgresql.name).version "8.4";
|
||||
|
||||
# NixOS traditionally used `root` as superuser, most other distros use `postgres`. From 17.09
|
||||
# we also try to follow this standard
|
||||
superuser = (if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root");
|
||||
|
||||
in
|
||||
|
||||
@ -62,7 +59,7 @@ in
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
example = literalExample "pkgs.postgresql92";
|
||||
example = literalExample "pkgs.postgresql96";
|
||||
description = ''
|
||||
PostgreSQL package to use.
|
||||
'';
|
||||
@ -151,6 +148,16 @@ in
|
||||
Contents of the <filename>recovery.conf</filename> file.
|
||||
'';
|
||||
};
|
||||
superUser = mkOption {
|
||||
type = types.str;
|
||||
default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root";
|
||||
internal = true;
|
||||
description = ''
|
||||
NixOS traditionally used `root` as superuser, most other distros use `postgres`.
|
||||
From 17.09 we also try to follow this standard. Internal since changing this value
|
||||
would lead to breakage while setting up databases.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
@ -215,7 +222,7 @@ in
|
||||
''
|
||||
# Initialise the database.
|
||||
if ! test -e ${cfg.dataDir}/PG_VERSION; then
|
||||
initdb -U ${superuser}
|
||||
initdb -U ${cfg.superUser}
|
||||
# See postStart!
|
||||
touch "${cfg.dataDir}/.first_startup"
|
||||
fi
|
||||
@ -247,14 +254,14 @@ in
|
||||
# Wait for PostgreSQL to be ready to accept connections.
|
||||
postStart =
|
||||
''
|
||||
while ! ${pkgs.sudo}/bin/sudo -u ${superuser} psql --port=${toString cfg.port} -d postgres -c "" 2> /dev/null; do
|
||||
while ! ${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql --port=${toString cfg.port} -d postgres -c "" 2> /dev/null; do
|
||||
if ! kill -0 "$MAINPID"; then exit 1; fi
|
||||
sleep 0.1
|
||||
done
|
||||
|
||||
if test -e "${cfg.dataDir}/.first_startup"; then
|
||||
${optionalString (cfg.initialScript != null) ''
|
||||
${pkgs.sudo}/bin/sudo -u ${superuser} psql -f "${cfg.initialScript}" --port=${toString cfg.port} -d postgres
|
||||
${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql -f "${cfg.initialScript}" --port=${toString cfg.port} -d postgres
|
||||
''}
|
||||
rm -f "${cfg.dataDir}/.first_startup"
|
||||
fi
|
||||
|
30
nixos/modules/services/desktops/gnome3/gpaste.nix
Normal file
30
nixos/modules/services/desktops/gnome3/gpaste.nix
Normal file
@ -0,0 +1,30 @@
|
||||
# GPaste daemon.
|
||||
{ config, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
gnome3 = config.environment.gnome3.packageSet;
|
||||
in
|
||||
{
|
||||
###### interface
|
||||
options = {
|
||||
services.gnome3.gpaste = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable GPaste, a clipboard manager.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
###### implementation
|
||||
config = mkIf config.services.gnome3.gpaste.enable {
|
||||
environment.systemPackages = [ gnome3.gpaste ];
|
||||
services.dbus.packages = [ gnome3.gpaste ];
|
||||
services.xserver.desktopManager.gnome3.sessionPath = [ gnome3.gpaste ];
|
||||
systemd.packages = [ gnome3.gpaste ];
|
||||
};
|
||||
}
|
61
nixos/modules/services/hardware/interception-tools.nix
Normal file
61
nixos/modules/services/hardware/interception-tools.nix
Normal file
@ -0,0 +1,61 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.interception-tools;
|
||||
in {
|
||||
options.services.interception-tools = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Whether to enable the interception tools service.";
|
||||
};
|
||||
|
||||
plugins = mkOption {
|
||||
type = types.listOf types.package;
|
||||
default = [ pkgs.interception-tools-plugins.caps2esc ];
|
||||
description = ''
|
||||
A list of interception tools plugins that will be made available to use
|
||||
inside the udevmon configuration.
|
||||
'';
|
||||
};
|
||||
|
||||
udevmonConfig = mkOption {
|
||||
type = types.either types.str types.path;
|
||||
default = ''
|
||||
- JOB: "intercept -g $DEVNODE | caps2esc | uinput -d $DEVNODE"
|
||||
DEVICE:
|
||||
EVENTS:
|
||||
EV_KEY: [KEY_CAPSLOCK, KEY_ESC]
|
||||
'';
|
||||
example = ''
|
||||
- JOB: "intercept -g $DEVNODE | y2z | x2y | uinput -d $DEVNODE"
|
||||
DEVICE:
|
||||
EVENTS:
|
||||
EV_KEY: [KEY_X, KEY_Y]
|
||||
'';
|
||||
description = ''
|
||||
String of udevmon YAML configuration, or path to a udevmon YAML
|
||||
configuration file.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.interception-tools = {
|
||||
description = "Interception tools";
|
||||
path = [ pkgs.bash pkgs.interception-tools ] ++ cfg.plugins;
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${pkgs.interception-tools}/bin/udevmon -c \
|
||||
${if builtins.typeOf cfg.udevmonConfig == "path"
|
||||
then cfg.udevmonConfig
|
||||
else pkgs.writeText "udevmon.yaml" cfg.udevmonConfig}
|
||||
'';
|
||||
Nice = -20;
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
};
|
||||
}
|
@ -836,11 +836,5 @@ in
|
||||
(mkIf (cfg.dnsBlacklists != []) {
|
||||
services.postfix.mapFiles."client_access" = checkClientAccessFile;
|
||||
})
|
||||
(mkIf (cfg.extraConfig != "") {
|
||||
warnings = [ "The services.postfix.extraConfig option was deprecated. Please use services.postfix.config instead." ];
|
||||
})
|
||||
(mkIf (cfg.extraMasterConf != "") {
|
||||
warnings = [ "The services.postfix.extraMasterConf option was deprecated. Please use services.postfix.masterConfig instead." ];
|
||||
})
|
||||
]);
|
||||
}
|
||||
|
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
let
|
||||
gunicorn = pkgs.pythonPackages.gunicorn;
|
||||
bepasty = pkgs.pythonPackages.bepasty-server;
|
||||
bepasty = pkgs.bepasty;
|
||||
gevent = pkgs.pythonPackages.gevent;
|
||||
python = pkgs.pythonPackages.python;
|
||||
cfg = config.services.bepasty;
|
||||
|
@ -42,7 +42,7 @@ in
|
||||
serviceConfig = {
|
||||
User = "calibre-server";
|
||||
Restart = "always";
|
||||
ExecStart = "${pkgs.calibre}/bin/calibre-server --with-library=${cfg.libraryDir}";
|
||||
ExecStart = "${pkgs.calibre}/bin/calibre-server ${cfg.libraryDir}";
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -10,10 +10,12 @@ let
|
||||
ruby = cfg.packages.gitlab.ruby;
|
||||
bundler = pkgs.bundler;
|
||||
|
||||
gemHome = "${cfg.packages.gitlab.env}/${ruby.gemPath}";
|
||||
gemHome = "${cfg.packages.gitlab.rubyEnv}/${ruby.gemPath}";
|
||||
|
||||
gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket";
|
||||
gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket";
|
||||
pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url;
|
||||
pgSuperUser = config.services.postgresql.superUser;
|
||||
|
||||
databaseYml = ''
|
||||
production:
|
||||
@ -25,6 +27,23 @@ let
|
||||
encoding: utf8
|
||||
'';
|
||||
|
||||
gitalyToml = pkgs.writeText "gitaly.toml" ''
|
||||
socket_path = "${lib.escape ["\""] gitalySocket}"
|
||||
prometheus_listen_addr = "localhost:9236"
|
||||
|
||||
[gitaly-ruby]
|
||||
dir = "${cfg.packages.gitaly.ruby}"
|
||||
|
||||
[gitlab-shell]
|
||||
dir = "${cfg.packages.gitlab-shell}"
|
||||
|
||||
${concatStringsSep "\n" (attrValues (mapAttrs (k: v: ''
|
||||
[[storage]]
|
||||
name = "${lib.escape ["\""] k}"
|
||||
path = "${lib.escape ["\""] v.path}"
|
||||
'') gitlabConfig.production.repositories.storages))}
|
||||
'';
|
||||
|
||||
gitlabShellYml = ''
|
||||
user: ${cfg.user}
|
||||
gitlab_url: "http+unix://${pathUrlQuote gitlabSocket}"
|
||||
@ -41,11 +60,17 @@ let
|
||||
namespace: resque:gitlab
|
||||
'';
|
||||
|
||||
redisYml = ''
|
||||
production:
|
||||
url: redis://localhost:6379/
|
||||
'';
|
||||
|
||||
secretsYml = ''
|
||||
production:
|
||||
secret_key_base: ${cfg.secrets.secret}
|
||||
otp_key_base: ${cfg.secrets.otp}
|
||||
db_key_base: ${cfg.secrets.db}
|
||||
jws_private_key: ${builtins.toJSON cfg.secrets.jws}
|
||||
'';
|
||||
|
||||
gitlabConfig = {
|
||||
@ -69,7 +94,8 @@ let
|
||||
container_registry = true;
|
||||
};
|
||||
};
|
||||
repositories.storages.default = "${cfg.statePath}/repositories";
|
||||
repositories.storages.default.path = "${cfg.statePath}/repositories";
|
||||
repositories.storages.default.gitaly_address = "unix:${gitalySocket}";
|
||||
artifacts.enabled = true;
|
||||
lfs.enabled = true;
|
||||
gravatar.enabled = true;
|
||||
@ -86,11 +112,22 @@ let
|
||||
upload_pack = true;
|
||||
receive_pack = true;
|
||||
};
|
||||
workhorse = {
|
||||
secret_file = "${cfg.statePath}/.gitlab_workhorse_secret";
|
||||
};
|
||||
git = {
|
||||
bin_path = "git";
|
||||
max_size = 20971520; # 20MB
|
||||
timeout = 10;
|
||||
};
|
||||
monitoring = {
|
||||
ip_whitelist = [ "127.0.0.0/8" "::1/128" ];
|
||||
sidekiq_exporter = {
|
||||
enable = true;
|
||||
address = "localhost";
|
||||
port = 3807;
|
||||
};
|
||||
};
|
||||
extra = {};
|
||||
};
|
||||
};
|
||||
@ -105,9 +142,11 @@ let
|
||||
GITLAB_UPLOADS_PATH = "${cfg.statePath}/uploads";
|
||||
GITLAB_LOG_PATH = "${cfg.statePath}/log";
|
||||
GITLAB_SHELL_PATH = "${cfg.packages.gitlab-shell}";
|
||||
GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/shell/config.yml";
|
||||
GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/home/config.yml";
|
||||
GITLAB_SHELL_SECRET_PATH = "${cfg.statePath}/config/gitlab_shell_secret";
|
||||
GITLAB_SHELL_HOOKS_PATH = "${cfg.statePath}/shell/hooks";
|
||||
GITLAB_SHELL_HOOKS_PATH = "${cfg.statePath}/home/hooks";
|
||||
GITLAB_REDIS_CONFIG_FILE = pkgs.writeText "gitlab-redis.yml" redisYml;
|
||||
prometheus_multiproc_dir = "/run/gitlab";
|
||||
RAILS_ENV = "production";
|
||||
};
|
||||
|
||||
@ -115,15 +154,15 @@ let
|
||||
|
||||
gitlab-rake = pkgs.stdenv.mkDerivation rec {
|
||||
name = "gitlab-rake";
|
||||
buildInputs = [ cfg.packages.gitlab cfg.packages.gitlab.env pkgs.makeWrapper ];
|
||||
buildInputs = [ cfg.packages.gitlab cfg.packages.gitlab.rubyEnv pkgs.makeWrapper ];
|
||||
phases = "installPhase fixupPhase";
|
||||
buildPhase = "";
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin
|
||||
makeWrapper ${cfg.packages.gitlab.env}/bin/bundle $out/bin/gitlab-bundle \
|
||||
makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/bundle $out/bin/gitlab-bundle \
|
||||
${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \
|
||||
--set GITLAB_CONFIG_PATH '${cfg.statePath}/config' \
|
||||
--set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip config.services.postgresql.package ]}:$PATH' \
|
||||
--set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package ]}:$PATH' \
|
||||
--set RAKEOPT '-f ${cfg.packages.gitlab}/share/gitlab/Rakefile' \
|
||||
--run 'cd ${cfg.packages.gitlab}/share/gitlab'
|
||||
makeWrapper $out/bin/gitlab-bundle $out/bin/gitlab-rake \
|
||||
@ -182,6 +221,13 @@ in {
|
||||
description = "Reference to the gitlab-workhorse package";
|
||||
};
|
||||
|
||||
packages.gitaly = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.gitaly;
|
||||
defaultText = "pkgs.gitaly";
|
||||
description = "Reference to the gitaly package";
|
||||
};
|
||||
|
||||
statePath = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/gitlab/state";
|
||||
@ -359,6 +405,19 @@ in {
|
||||
'';
|
||||
};
|
||||
|
||||
secrets.jws = mkOption {
|
||||
type = types.str;
|
||||
description = ''
|
||||
The secret is used to encrypt session keys. If you change or lose
|
||||
this key, users will be disconnected.
|
||||
|
||||
Make sure the secret is an RSA private key in PEM format. You can
|
||||
generate one with
|
||||
|
||||
openssl genrsa 2048openssl genpkey -algorithm RSA -out - -pkeyopt rsa_keygen_bits:2048
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.attrs;
|
||||
default = {};
|
||||
@ -420,6 +479,7 @@ in {
|
||||
ruby
|
||||
openssh
|
||||
nodejs
|
||||
gnupg
|
||||
];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
@ -428,7 +488,24 @@ in {
|
||||
TimeoutSec = "300";
|
||||
Restart = "on-failure";
|
||||
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
|
||||
ExecStart="${cfg.packages.gitlab.env}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
|
||||
ExecStart="${cfg.packages.gitlab.rubyEnv}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.gitaly = {
|
||||
after = [ "network.target" "gitlab.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
environment.HOME = gitlabEnv.HOME;
|
||||
path = with pkgs; [ gitAndTools.git cfg.packages.gitaly.rubyEnv ];
|
||||
serviceConfig = {
|
||||
#PermissionsStartOnly = true; # preStart must be run as root
|
||||
Type = "simple";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
TimeoutSec = "300";
|
||||
Restart = "on-failure";
|
||||
WorkingDirectory = gitlabEnv.HOME;
|
||||
ExecStart = "${cfg.packages.gitaly}/bin/gitaly ${gitalyToml}";
|
||||
};
|
||||
};
|
||||
|
||||
@ -463,7 +540,7 @@ in {
|
||||
+ "-listenAddr /run/gitlab/gitlab-workhorse.socket "
|
||||
+ "-authSocket ${gitlabSocket} "
|
||||
+ "-documentRoot ${cfg.packages.gitlab}/share/gitlab/public "
|
||||
+ "-secretPath ${cfg.packages.gitlab}/share/gitlab/.gitlab_workhorse_secret";
|
||||
+ "-secretPath ${cfg.statePath}/.gitlab_workhorse_secret";
|
||||
};
|
||||
};
|
||||
|
||||
@ -477,6 +554,7 @@ in {
|
||||
gitAndTools.git
|
||||
openssh
|
||||
nodejs
|
||||
procps
|
||||
];
|
||||
preStart = ''
|
||||
mkdir -p ${cfg.backupPath}
|
||||
@ -486,12 +564,11 @@ in {
|
||||
mkdir -p ${gitlabConfig.production.shared.path}/lfs-objects
|
||||
mkdir -p ${gitlabConfig.production.shared.path}/pages
|
||||
mkdir -p ${cfg.statePath}/log
|
||||
mkdir -p ${cfg.statePath}/shell
|
||||
mkdir -p ${cfg.statePath}/tmp/pids
|
||||
mkdir -p ${cfg.statePath}/tmp/sockets
|
||||
|
||||
rm -rf ${cfg.statePath}/config ${cfg.statePath}/shell/hooks
|
||||
mkdir -p ${cfg.statePath}/config ${cfg.statePath}/shell
|
||||
rm -rf ${cfg.statePath}/config ${cfg.statePath}/home/hooks
|
||||
mkdir -p ${cfg.statePath}/config
|
||||
|
||||
tr -dc A-Za-z0-9 < /dev/urandom | head -c 32 > ${cfg.statePath}/config/gitlab_shell_secret
|
||||
|
||||
@ -499,7 +576,8 @@ in {
|
||||
# symlinked in the gitlab package to /run/gitlab/uploads to make it
|
||||
# configurable
|
||||
mkdir -p /run/gitlab
|
||||
mkdir -p ${cfg.statePath}/uploads
|
||||
mkdir -p ${cfg.statePath}/{log,uploads}
|
||||
ln -sf ${cfg.statePath}/log /run/gitlab/log
|
||||
ln -sf ${cfg.statePath}/uploads /run/gitlab/uploads
|
||||
chown -R ${cfg.user}:${cfg.group} /run/gitlab
|
||||
|
||||
@ -507,7 +585,6 @@ in {
|
||||
mkdir -p ${gitlabEnv.HOME}/.ssh
|
||||
touch ${gitlabEnv.HOME}/.ssh/authorized_keys
|
||||
chown -R ${cfg.user}:${cfg.group} ${gitlabEnv.HOME}/
|
||||
chmod -R u+rwX,go-rwx+X ${gitlabEnv.HOME}/
|
||||
|
||||
cp -rf ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config
|
||||
${optionalString cfg.smtp.enable ''
|
||||
@ -532,14 +609,14 @@ in {
|
||||
|
||||
if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
|
||||
if ! test -e "${cfg.statePath}/db-created"; then
|
||||
psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
|
||||
${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName} || true
|
||||
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.databasePassword}'"
|
||||
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} ${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName}
|
||||
touch "${cfg.statePath}/db-created"
|
||||
fi
|
||||
fi
|
||||
|
||||
# enable required pg_trgm extension for gitlab
|
||||
psql gitlab -c "CREATE EXTENSION IF NOT EXISTS pg_trgm"
|
||||
${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql gitlab -c "CREATE EXTENSION IF NOT EXISTS pg_trgm"
|
||||
# Always do the db migrations just to be sure the database is up-to-date
|
||||
${gitlab-rake}/bin/gitlab-rake db:migrate RAILS_ENV=production
|
||||
|
||||
@ -548,14 +625,15 @@ in {
|
||||
# up the initial database
|
||||
if ! test -e "${cfg.statePath}/db-seeded"; then
|
||||
${gitlab-rake}/bin/gitlab-rake db:seed_fu RAILS_ENV=production \
|
||||
GITLAB_ROOT_PASSWORD="${cfg.initialRootPassword}" GITLAB_ROOT_EMAIL="${cfg.initialRootEmail}"
|
||||
GITLAB_ROOT_PASSWORD='${cfg.initialRootPassword}' GITLAB_ROOT_EMAIL='${cfg.initialRootEmail}'
|
||||
touch "${cfg.statePath}/db-seeded"
|
||||
fi
|
||||
|
||||
# Change permissions in the last step because some of the
|
||||
# intermediary scripts like to create directories as root.
|
||||
chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}
|
||||
chmod -R u+rwX,go-rwx+X ${cfg.statePath}
|
||||
chmod -R ug+rwX,o-rwx+X ${cfg.statePath}
|
||||
chmod -R u+rwX,go-rwx+X ${gitlabEnv.HOME}
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
@ -566,7 +644,7 @@ in {
|
||||
TimeoutSec = "300";
|
||||
Restart = "on-failure";
|
||||
WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
|
||||
ExecStart = "${cfg.packages.gitlab.env}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\"";
|
||||
ExecStart = "${cfg.packages.gitlab.rubyEnv}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\"";
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -4,7 +4,8 @@ with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.gitolite;
|
||||
pubkeyFile = pkgs.writeText "gitolite-admin.pub" cfg.adminPubkey;
|
||||
# Use writeTextDir to not leak Nix store hash into file name
|
||||
pubkeyFile = (pkgs.writeTextDir "gitolite-admin.pub" cfg.adminPubkey) + "/gitolite-admin.pub";
|
||||
hooks = lib.concatMapStrings (hook: "${hook} ") cfg.commonHooks;
|
||||
in
|
||||
{
|
||||
@ -70,6 +71,7 @@ in
|
||||
systemd.services."gitolite-init" = {
|
||||
description = "Gitolite initialization";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
unitConfig.RequiresMountsFor = cfg.dataDir;
|
||||
|
||||
serviceConfig.User = "${cfg.user}";
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
@ -0,0 +1,128 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.prometheus.collectdExporter;
|
||||
|
||||
collectSettingsArgs = if (cfg.collectdBinary.enable) then ''
|
||||
-collectd.listen-address ${optionalString (cfg.collectdBinary.listenAddress != null) cfg.collectdBinary.listenAddress}:${toString cfg.collectdBinary.port} \
|
||||
-collectd.security-level ${cfg.collectdBinary.securityLevel} \
|
||||
'' else "";
|
||||
|
||||
in {
|
||||
options = {
|
||||
services.prometheus.collectdExporter = {
|
||||
enable = mkEnableOption "prometheus collectd exporter";
|
||||
|
||||
port = mkOption {
|
||||
type = types.int;
|
||||
default = 9103;
|
||||
description = ''
|
||||
Port to listen on.
|
||||
This is used for scraping as well as the to receive collectd data via the write_http plugin.
|
||||
'';
|
||||
};
|
||||
|
||||
listenAddress = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "0.0.0.0";
|
||||
description = ''
|
||||
Address to listen on for web interface, telemetry and collectd JSON data.
|
||||
'';
|
||||
};
|
||||
|
||||
collectdBinary = {
|
||||
enable = mkEnableOption "collectd binary protocol receiver";
|
||||
|
||||
authFile = mkOption {
|
||||
default = null;
|
||||
type = types.nullOr types.path;
|
||||
description = "File mapping user names to pre-shared keys (passwords).";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.int;
|
||||
default = 25826;
|
||||
description = ''Network address on which to accept collectd binary network packets.'';
|
||||
};
|
||||
|
||||
listenAddress = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "0.0.0.0";
|
||||
description = ''
|
||||
Address to listen on for binary network packets.
|
||||
'';
|
||||
};
|
||||
|
||||
securityLevel = mkOption {
|
||||
type = types.enum ["None" "Sign" "Encrypt"];
|
||||
default = "None";
|
||||
description = ''
|
||||
Minimum required security level for accepted packets.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
extraFlags = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Extra commandline options when launching the collectd exporter.
|
||||
'';
|
||||
};
|
||||
|
||||
logFormat = mkOption {
|
||||
type = types.str;
|
||||
default = "logger:stderr";
|
||||
example = "logger:syslog?appname=bob&local=7 or logger:stdout?json=true";
|
||||
description = ''
|
||||
Set the log target and format.
|
||||
'';
|
||||
};
|
||||
|
||||
logLevel = mkOption {
|
||||
type = types.enum ["debug" "info" "warn" "error" "fatal"];
|
||||
default = "info";
|
||||
description = ''
|
||||
Only log messages with the given severity or above.
|
||||
'';
|
||||
};
|
||||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Open port in firewall for incoming connections.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
networking.firewall.allowedTCPPorts = (optional cfg.openFirewall cfg.port) ++
|
||||
(optional (cfg.openFirewall && cfg.collectdBinary.enable) cfg.collectdBinary.port);
|
||||
|
||||
systemd.services.prometheus-collectd-exporter = {
|
||||
description = "Prometheus exporter for Collectd metrics";
|
||||
unitConfig.Documentation = "https://github.com/prometheus/collectd_exporter";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
Restart = "always";
|
||||
PrivateTmp = true;
|
||||
WorkingDirectory = /tmp;
|
||||
ExecStart = ''
|
||||
${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \
|
||||
-log.format ${cfg.logFormat} \
|
||||
-log.level ${cfg.logLevel} \
|
||||
-web.listen-address ${optionalString (cfg.listenAddress != null) cfg.listenAddress}:${toString cfg.port} \
|
||||
${collectSettingsArgs} \
|
||||
${concatStringsSep " " cfg.extraFlags}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
@ -50,11 +50,19 @@ in
|
||||
after = [ "rpcbind.service" "network.target" "local-fs.target" ];
|
||||
before = [ "network-online.target" ];
|
||||
|
||||
# The copying of hooks is due to upstream bug https://bugzilla.redhat.com/show_bug.cgi?id=1452761
|
||||
preStart = ''
|
||||
install -m 0755 -d /var/log/glusterfs
|
||||
''
|
||||
# The copying of hooks is due to upstream bug https://bugzilla.redhat.com/show_bug.cgi?id=1452761
|
||||
+ ''
|
||||
mkdir -p /var/lib/glusterd/hooks/
|
||||
${rsync}/bin/rsync -a ${glusterfs}/var/lib/glusterd/hooks/ /var/lib/glusterd/hooks/
|
||||
''
|
||||
# `glusterfind` needs dirs that upstream installs at `make install` phase
|
||||
# https://github.com/gluster/glusterfs/blob/v3.10.2/tools/glusterfind/Makefile.am#L16-L17
|
||||
+ ''
|
||||
mkdir -p /var/lib/glusterd/glusterfind/.keys
|
||||
mkdir -p /var/lib/glusterd/hooks/1/delete/post/
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
|
@ -1,15 +1,19 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
inherit (pkgs) ipfs runCommand makeWrapper;
|
||||
|
||||
cfg = config.services.ipfs;
|
||||
|
||||
ipfsFlags = ''${if cfg.autoMigrate then "--migrate" else ""} ${if cfg.enableGC then "--enable-gc" else ""} ${toString cfg.extraFlags}'';
|
||||
ipfsFlags = toString ([
|
||||
#(optionalString cfg.autoMount "--mount")
|
||||
(optionalString cfg.autoMigrate "--migrate")
|
||||
(optionalString cfg.enableGC "--enable-gc")
|
||||
(optionalString (cfg.serviceFdlimit != null) "--manage-fdlimit=false")
|
||||
(optionalString (cfg.defaultMode == "offline") "--offline")
|
||||
(optionalString (cfg.defaultMode == "norouting") "--routing=none")
|
||||
] ++ cfg.extraFlags);
|
||||
|
||||
# Before Version 17.09, ipfs would always use "/var/lib/ipfs/.ipfs" as it's dataDir
|
||||
defaultDataDir = if versionAtLeast config.system.stateVersion "17.09" then
|
||||
"/var/lib/ipfs" else
|
||||
"/var/lib/ipfs/.ipfs";
|
||||
@ -17,11 +21,48 @@ let
|
||||
# Wrapping the ipfs binary with the environment variable IPFS_PATH set to dataDir because we can't set it in the user environment
|
||||
wrapped = runCommand "ipfs" { buildInputs = [ makeWrapper ]; } ''
|
||||
mkdir -p "$out/bin"
|
||||
makeWrapper "${ipfs}/bin/ipfs" "$out/bin/ipfs" --set IPFS_PATH ${cfg.dataDir}
|
||||
makeWrapper "${ipfs}/bin/ipfs" "$out/bin/ipfs" \
|
||||
--set IPFS_PATH ${cfg.dataDir} \
|
||||
--prefix PATH : /run/wrappers/bin
|
||||
'';
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
commonEnv = {
|
||||
environment.IPFS_PATH = cfg.dataDir;
|
||||
path = [ wrapped ];
|
||||
serviceConfig.User = cfg.user;
|
||||
serviceConfig.Group = cfg.group;
|
||||
};
|
||||
|
||||
baseService = recursiveUpdate commonEnv {
|
||||
wants = [ "ipfs-init.service" ];
|
||||
preStart = ''
|
||||
ipfs --local config Addresses.API ${cfg.apiAddress}
|
||||
ipfs --local config Addresses.Gateway ${cfg.gatewayAddress}
|
||||
'' + optionalString false/*cfg.autoMount*/ ''
|
||||
ipfs --local config Mounts.FuseAllowOther --json true
|
||||
ipfs --local config Mounts.IPFS ${cfg.ipfsMountDir}
|
||||
ipfs --local config Mounts.IPNS ${cfg.ipnsMountDir}
|
||||
'' + concatStringsSep "\n" (collect
|
||||
isString
|
||||
(mapAttrsRecursive
|
||||
(path: value:
|
||||
# Using heredoc below so that the value is never improperly quoted
|
||||
''
|
||||
read value <<EOF
|
||||
${builtins.toJSON value}
|
||||
EOF
|
||||
ipfs --local config --json "${concatStringsSep "." path}" "$value"
|
||||
'')
|
||||
cfg.extraConfig)
|
||||
);
|
||||
serviceConfig = {
|
||||
ExecStart = "${wrapped}/bin/ipfs daemon ${ipfsFlags}";
|
||||
Restart = "on-failure";
|
||||
RestartSec = 1;
|
||||
} // optionalAttrs (cfg.serviceFdlimit != null) { LimitNOFILE = cfg.serviceFdlimit; };
|
||||
};
|
||||
in {
|
||||
|
||||
###### interface
|
||||
|
||||
@ -63,6 +104,24 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
#autoMount = mkOption {
|
||||
# type = types.bool;
|
||||
# default = false;
|
||||
# description = "Whether IPFS should try to mount /ipfs and /ipns at startup.";
|
||||
#};
|
||||
|
||||
ipfsMountDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/ipfs";
|
||||
description = "Where to mount the IPFS namespace to";
|
||||
};
|
||||
|
||||
ipnsMountDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/ipns";
|
||||
description = "Where to mount the IPNS namespace to";
|
||||
};
|
||||
|
||||
gatewayAddress = mkOption {
|
||||
type = types.str;
|
||||
default = "/ip4/127.0.0.1/tcp/8080";
|
||||
@ -91,11 +150,41 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.attrs;
|
||||
description = toString [
|
||||
"Attrset of daemon configuration to set using `ipfs config`, every time the daemon starts."
|
||||
"These are applied last, so may override configuration set by other options in this module."
|
||||
"Keep in mind that this configuration is stateful; i.e., unsetting anything in here does not reset the value to the default!"
|
||||
];
|
||||
default = {};
|
||||
example = {
|
||||
Datastore.StorageMax = "100GB";
|
||||
Discovery.MDNS.Enabled = false;
|
||||
Bootstrap = [
|
||||
"/ip4/128.199.219.111/tcp/4001/ipfs/QmSoLSafTMBsPKadTEgaXctDQVcqN88CNLHXMkTNwMKPnu"
|
||||
"/ip4/162.243.248.213/tcp/4001/ipfs/QmSoLueR4xBeUbY9WZ9xGUUxunbKWcrNFTDAadQJmocnWm"
|
||||
];
|
||||
Swarm.AddrFilters = null;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
extraFlags = mkOption {
|
||||
type = types.listOf types.str;
|
||||
description = "Extra flags passed to the IPFS daemon";
|
||||
default = [];
|
||||
};
|
||||
|
||||
serviceFdlimit = mkOption {
|
||||
type = types.nullOr types.int;
|
||||
default = null;
|
||||
description = ''
|
||||
The fdlimit for the IPFS systemd unit or `null` to have the daemon attempt to manage it.
|
||||
'';
|
||||
example = 256*1024;
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
@ -115,108 +204,56 @@ in
|
||||
};
|
||||
|
||||
users.extraGroups = mkIf (cfg.group == "ipfs") {
|
||||
ipfs = {
|
||||
gid = config.ids.gids.ipfs;
|
||||
};
|
||||
ipfs.gid = config.ids.gids.ipfs;
|
||||
};
|
||||
|
||||
systemd.services.ipfs-init = {
|
||||
systemd.services.ipfs-init = recursiveUpdate commonEnv {
|
||||
description = "IPFS Initializer";
|
||||
|
||||
after = [ "local-fs.target" ];
|
||||
before = [ "ipfs.service" "ipfs-offline.service" ];
|
||||
|
||||
environment.IPFS_PATH = cfg.dataDir;
|
||||
|
||||
path = [ pkgs.ipfs pkgs.su pkgs.bash ];
|
||||
|
||||
preStart = ''
|
||||
install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir}
|
||||
'' + optionalString false/*cfg.autoMount*/ ''
|
||||
install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.ipfsMountDir}
|
||||
install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.ipnsMountDir}
|
||||
'';
|
||||
script = ''
|
||||
script = ''
|
||||
if [[ ! -f ${cfg.dataDir}/config ]]; then
|
||||
${ipfs}/bin/ipfs init ${optionalString cfg.emptyRepo "-e"}
|
||||
ipfs init ${optionalString cfg.emptyRepo "-e"}
|
||||
fi
|
||||
${ipfs}/bin/ipfs --local config Addresses.API ${cfg.apiAddress}
|
||||
${ipfs}/bin/ipfs --local config Addresses.Gateway ${cfg.gatewayAddress}
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
PermissionsStartOnly = true;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.ipfs = {
|
||||
# TODO These 3 definitions possibly be further abstracted through use of a function
|
||||
# like: mutexServices "ipfs" [ "", "offline", "norouting" ] { ... shared conf here ... }
|
||||
|
||||
systemd.services.ipfs = recursiveUpdate baseService {
|
||||
description = "IPFS Daemon";
|
||||
|
||||
wantedBy = mkIf (cfg.defaultMode == "online") [ "multi-user.target" ];
|
||||
|
||||
after = [ "network.target" "local-fs.target" "ipfs-init.service" ];
|
||||
|
||||
conflicts = [ "ipfs-offline.service" "ipfs-norouting.service"];
|
||||
wants = [ "ipfs-init.service" ];
|
||||
|
||||
environment.IPFS_PATH = cfg.dataDir;
|
||||
|
||||
path = [ pkgs.ipfs ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${ipfs}/bin/ipfs daemon ${ipfsFlags}";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
Restart = "on-failure";
|
||||
RestartSec = 1;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.ipfs-offline = {
|
||||
systemd.services.ipfs-offline = recursiveUpdate baseService {
|
||||
description = "IPFS Daemon (offline mode)";
|
||||
|
||||
wantedBy = mkIf (cfg.defaultMode == "offline") [ "multi-user.target" ];
|
||||
|
||||
after = [ "local-fs.target" "ipfs-init.service" ];
|
||||
|
||||
conflicts = [ "ipfs.service" "ipfs-norouting.service"];
|
||||
wants = [ "ipfs-init.service" ];
|
||||
|
||||
environment.IPFS_PATH = cfg.dataDir;
|
||||
|
||||
path = [ pkgs.ipfs ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${ipfs}/bin/ipfs daemon ${ipfsFlags} --offline";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
Restart = "on-failure";
|
||||
RestartSec = 1;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.ipfs-norouting = {
|
||||
systemd.services.ipfs-norouting = recursiveUpdate baseService {
|
||||
description = "IPFS Daemon (no routing mode)";
|
||||
|
||||
wantedBy = mkIf (cfg.defaultMode == "norouting") [ "multi-user.target" ];
|
||||
|
||||
after = [ "local-fs.target" "ipfs-init.service" ];
|
||||
|
||||
conflicts = [ "ipfs.service" "ipfs-offline.service"];
|
||||
wants = [ "ipfs-init.service" ];
|
||||
|
||||
environment.IPFS_PATH = cfg.dataDir;
|
||||
|
||||
path = [ pkgs.ipfs ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${ipfs}/bin/ipfs daemon ${ipfsFlags} --routing=none";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
Restart = "on-failure";
|
||||
RestartSec = 1;
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -6,8 +6,8 @@ let
|
||||
cfg = config.services.openafsClient;
|
||||
|
||||
cellServDB = pkgs.fetchurl {
|
||||
url = http://dl.central.org/dl/cellservdb/CellServDB.2009-06-29;
|
||||
sha256 = "be566f850e88130333ab8bc3462872ad90c9482e025c60a92f728b5bac1b4fa9";
|
||||
url = http://dl.central.org/dl/cellservdb/CellServDB.2017-03-14;
|
||||
sha256 = "1197z6c5xrijgf66rhaymnm5cvyg2yiy1i20y4ah4mrzmjx0m7sc";
|
||||
};
|
||||
|
||||
afsConfig = pkgs.runCommand "afsconfig" {} ''
|
||||
|
@ -28,7 +28,7 @@ let
|
||||
configFile = pkgs.writeText "smb.conf"
|
||||
(if cfg.configText != null then cfg.configText else
|
||||
''
|
||||
[ global ]
|
||||
[global]
|
||||
security = ${cfg.securityType}
|
||||
passwd program = /run/wrappers/bin/passwd %u
|
||||
pam password change = ${smbToString cfg.syncPasswordsByPam}
|
||||
|
@ -45,7 +45,7 @@ let
|
||||
rotateKeys = ''
|
||||
# check if keys are not expired
|
||||
keyValid() {
|
||||
fingerprint=$(dnscrypt-wrapper --show-provider-publickey-fingerprint | awk '{print $(NF)}')
|
||||
fingerprint=$(dnscrypt-wrapper --show-provider-publickey | awk '{print $(NF)}')
|
||||
dnscrypt-proxy --test=${toString (cfg.keys.checkInterval + 1)} \
|
||||
--resolver-address=127.0.0.1:${toString cfg.port} \
|
||||
--provider-name=${cfg.providerName} \
|
||||
@ -56,9 +56,10 @@ let
|
||||
|
||||
# archive old keys and restart the service
|
||||
if ! keyValid; then
|
||||
echo "certificate soon to become invalid; backing up old cert"
|
||||
mkdir -p oldkeys
|
||||
mv ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
|
||||
mv ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
|
||||
mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
|
||||
mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
|
||||
systemctl restart dnscrypt-wrapper
|
||||
fi
|
||||
'';
|
||||
@ -169,6 +170,7 @@ in {
|
||||
|
||||
path = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy gawk ];
|
||||
script = rotateKeys;
|
||||
serviceConfig.User = "dnscrypt-wrapper";
|
||||
};
|
||||
|
||||
|
||||
|
@ -256,6 +256,14 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
nat = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Assume router is NATed. Enabled by default.
|
||||
'';
|
||||
};
|
||||
|
||||
upnp = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
|
@ -28,16 +28,11 @@ in
|
||||
users.extraGroups._lldpd = {};
|
||||
|
||||
environment.systemPackages = [ pkgs.lldpd ];
|
||||
systemd.packages = [ pkgs.lldpd ];
|
||||
|
||||
systemd.services.lldpd = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
requires = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.lldpd}/bin/lldpd -d ${concatStringsSep " " cfg.extraArgs}";
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
};
|
||||
environment.LLDPD_OPTIONS = concatStringsSep " " cfg.extraArgs;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -1,100 +0,0 @@
|
||||
{ config, lib, pkgs, utils, ... }:
|
||||
with lib;
|
||||
let
|
||||
name = "Ubiquiti mFi Controller";
|
||||
cfg = config.services.mfi;
|
||||
stateDir = "/var/lib/mfi";
|
||||
# XXX 2 runtime exceptions using jre8: JSPException on GET / ; can't initialize ./data/keystore on first run.
|
||||
cmd = "@${pkgs.jre7}/bin/java java -jar ${stateDir}/lib/ace.jar";
|
||||
mountPoints = [
|
||||
{ what = "${pkgs.mfi}/dl"; where = "${stateDir}/dl"; }
|
||||
{ what = "${pkgs.mfi}/lib"; where = "${stateDir}/lib"; }
|
||||
{ what = "${pkgs.mongodb248}/bin"; where = "${stateDir}/bin"; }
|
||||
{ what = "${cfg.dataDir}"; where = "${stateDir}/data"; }
|
||||
];
|
||||
systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints;
|
||||
ports = [ 6080 6880 6443 6843 ];
|
||||
in
|
||||
{
|
||||
options = {
|
||||
services.mfi = {
|
||||
enable = mkEnableOption name;
|
||||
openPorts = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Whether to open TCP ports ${concatMapStrings (a: "${toString a} ") ports}for the services.";
|
||||
};
|
||||
dataDir = mkOption {
|
||||
type = types.str;
|
||||
default = "${stateDir}/data";
|
||||
description = ''
|
||||
Where to store the database and other data.
|
||||
|
||||
This directory will be bind-mounted to ${stateDir}/data as part of the service startup.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
networking.firewall.allowedTCPPorts = mkIf config.services.mfi.openPorts ports;
|
||||
|
||||
users.users.mfi = {
|
||||
uid = config.ids.uids.mfi;
|
||||
description = "mFi controller daemon user";
|
||||
home = "${stateDir}";
|
||||
};
|
||||
|
||||
# We must create the binary directories as bind mounts instead of symlinks
|
||||
# This is because the controller resolves all symlinks to absolute paths
|
||||
# to be used as the working directory.
|
||||
systemd.mounts = map ({ what, where }: {
|
||||
bindsTo = [ "mfi.service" ];
|
||||
partOf = [ "mfi.service" ];
|
||||
unitConfig.RequiresMountsFor = stateDir;
|
||||
options = "bind";
|
||||
what = what;
|
||||
where = where;
|
||||
}) mountPoints;
|
||||
|
||||
systemd.services.mfi = {
|
||||
description = "mFi controller daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ] ++ systemdMountPoints;
|
||||
partOf = systemdMountPoints;
|
||||
bindsTo = systemdMountPoints;
|
||||
unitConfig.RequiresMountsFor = stateDir;
|
||||
|
||||
preStart = ''
|
||||
# Clear ./webapps each run.
|
||||
rm -rf "${stateDir}/webapps"
|
||||
mkdir -p "${stateDir}/webapps"
|
||||
ln -s "${pkgs.mfi}/webapps/ROOT.war" "${stateDir}/webapps"
|
||||
|
||||
# Copy initial config only once.
|
||||
test -e "${stateDir}/conf" || cp -ar "${pkgs.mfi}/conf" "${stateDir}/conf"
|
||||
test -e "${stateDir}/data" || cp -ar "${pkgs.mfi}/data" "${stateDir}/data"
|
||||
|
||||
# Fix Permissions.
|
||||
# (Bind-mounts cause errors; ignore exit codes)
|
||||
chown -fR mfi: "${stateDir}" || true
|
||||
chmod -fR u=rwX,go= "${stateDir}" || true
|
||||
'';
|
||||
|
||||
postStop = ''
|
||||
rm -rf "${stateDir}/webapps"
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = "${cmd} start";
|
||||
ExecStop = "${cmd} stop";
|
||||
User = "mfi";
|
||||
PermissionsStartOnly = true;
|
||||
UMask = "0077";
|
||||
WorkingDirectory = "${stateDir}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
@ -130,7 +130,8 @@ in {
|
||||
default = { inherit networkmanager modemmanager wpa_supplicant
|
||||
networkmanager_openvpn networkmanager_vpnc
|
||||
networkmanager_openconnect networkmanager_fortisslvpn
|
||||
networkmanager_pptp networkmanager_l2tp; };
|
||||
networkmanager_pptp networkmanager_l2tp
|
||||
networkmanager_iodine; };
|
||||
internal = true;
|
||||
};
|
||||
|
||||
@ -255,6 +256,9 @@ in {
|
||||
{ source = "${networkmanager_strongswan}/etc/NetworkManager/VPN/nm-strongswan-service.name";
|
||||
target = "NetworkManager/VPN/nm-strongswan-service.name";
|
||||
}
|
||||
{ source = "${networkmanager_iodine}/etc/NetworkManager/VPN/nm-iodine-service.name";
|
||||
target = "NetworkManager/VPN/nm-iodine-service.name";
|
||||
}
|
||||
] ++ optional (cfg.appendNameservers == [] || cfg.insertNameservers == [])
|
||||
{ source = overrideNameserversScript;
|
||||
target = "NetworkManager/dispatcher.d/02overridedns";
|
||||
@ -278,6 +282,11 @@ in {
|
||||
name = "nm-openvpn";
|
||||
uid = config.ids.uids.nm-openvpn;
|
||||
extraGroups = [ "networkmanager" ];
|
||||
}
|
||||
{
|
||||
name = "nm-iodine";
|
||||
isSystemUser = true;
|
||||
group = "networkmanager";
|
||||
}];
|
||||
|
||||
systemd.packages = cfg.packages;
|
||||
|
@ -1,4 +1,4 @@
|
||||
{config, lib, pkgs, ...}:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
@ -8,17 +8,35 @@ let
|
||||
|
||||
confFile = pkgs.writeText "radicale.conf" cfg.config;
|
||||
|
||||
# This enables us to default to version 2 while still not breaking configurations of people with version 1
|
||||
defaultPackage = if versionAtLeast "17.09" config.system.stateVersion then {
|
||||
pkg = pkgs.radicale2;
|
||||
text = "pkgs.radicale2";
|
||||
} else {
|
||||
pkg = pkgs.radicale1;
|
||||
text = "pkgs.radicale1";
|
||||
};
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
options = {
|
||||
|
||||
services.radicale.enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Enable Radicale CalDAV and CardDAV server
|
||||
Enable Radicale CalDAV and CardDAV server.
|
||||
'';
|
||||
};
|
||||
|
||||
services.radicale.package = mkOption {
|
||||
type = types.package;
|
||||
default = defaultPackage.pkg;
|
||||
defaultText = defaultPackage.text;
|
||||
description = ''
|
||||
Radicale package to use. This defaults to version 1.x if
|
||||
<literal>system.stateVersion < 17.09</literal> and version 2.x
|
||||
otherwise.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -27,13 +45,13 @@ in
|
||||
default = "";
|
||||
description = ''
|
||||
Radicale configuration, this will set the service
|
||||
configuration file
|
||||
configuration file.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.radicale ];
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
|
||||
users.extraUsers = singleton
|
||||
{ name = "radicale";
|
||||
@ -52,11 +70,13 @@ in
|
||||
description = "A Simple Calendar and Contact Server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
script = "${pkgs.radicale}/bin/radicale -C ${confFile} -f";
|
||||
serviceConfig.User = "radicale";
|
||||
serviceConfig.Group = "radicale";
|
||||
serviceConfig = {
|
||||
ExecStart = "${cfg.package}/bin/radicale -C ${confFile} -f";
|
||||
User = "radicale";
|
||||
Group = "radicale";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ aneeshusa ];
|
||||
meta.maintainers = with lib.maintainers; [ aneeshusa infinisil ];
|
||||
}
|
||||
|
@ -261,7 +261,7 @@ in
|
||||
"freenode" = {
|
||||
server = "chat.freenode.net";
|
||||
port = 6697;
|
||||
ssl = true;
|
||||
useSSL = true;
|
||||
modules = [ "simple_away" ];
|
||||
};
|
||||
};
|
||||
@ -276,6 +276,14 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
openFirewall = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to open ports in the firewall for ZNC.
|
||||
'';
|
||||
};
|
||||
|
||||
passBlock = mkOption {
|
||||
example = defaultPassBlock;
|
||||
type = types.string;
|
||||
@ -350,6 +358,10 @@ in
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
networking.firewall = mkIf cfg.openFirewall {
|
||||
allowedTCPPorts = [ cfg.port ];
|
||||
};
|
||||
|
||||
systemd.services.znc = {
|
||||
description = "ZNC Server";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
@ -4,7 +4,7 @@ with lib;
|
||||
|
||||
let
|
||||
|
||||
inherit (pkgs) cups cups-pk-helper cups-filters gutenprint;
|
||||
inherit (pkgs) cups cups-pk-helper cups-filters;
|
||||
|
||||
cfg = config.services.printing;
|
||||
|
||||
@ -35,7 +35,6 @@ let
|
||||
name = "cups-progs";
|
||||
paths =
|
||||
[ cups.out additionalBackends cups-filters pkgs.ghostscript ]
|
||||
++ optional cfg.gutenprint gutenprint
|
||||
++ cfg.drivers;
|
||||
pathsToLink = [ "/lib" "/share/cups" "/bin" ];
|
||||
postBuild = cfg.bindirCmds;
|
||||
@ -97,12 +96,15 @@ let
|
||||
(writeConf "client.conf" cfg.clientConf)
|
||||
(writeConf "snmp.conf" cfg.snmpConf)
|
||||
] ++ optional avahiEnabled browsedFile
|
||||
++ optional cfg.gutenprint gutenprint
|
||||
++ cfg.drivers;
|
||||
pathsToLink = [ "/etc/cups" ];
|
||||
ignoreCollisions = true;
|
||||
};
|
||||
|
||||
filterGutenprint = pkgs: filter (pkg: pkg.meta.isGutenprint or false == true) pkgs;
|
||||
containsGutenprint = pkgs: length (filterGutenprint pkgs) > 0;
|
||||
getGutenprint = pkgs: head (filterGutenprint pkgs);
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
@ -224,23 +226,17 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
gutenprint = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable Gutenprint drivers for CUPS. This includes auto-updating
|
||||
Gutenprint PPD files.
|
||||
'';
|
||||
};
|
||||
|
||||
drivers = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [];
|
||||
example = literalExample "[ pkgs.splix ]";
|
||||
example = literalExample "[ pkgs.gutenprint pkgs.hplip pkgs.splix ]";
|
||||
description = ''
|
||||
CUPS drivers to use. Drivers provided by CUPS, cups-filters, Ghostscript
|
||||
and Samba are added unconditionally. For adding Gutenprint, see
|
||||
<literal>gutenprint</literal>.
|
||||
CUPS drivers to use. Drivers provided by CUPS, cups-filters,
|
||||
Ghostscript and Samba are added unconditionally. If this list contains
|
||||
Gutenprint (i.e. a derivation with
|
||||
<literal>meta.isGutenprint = true</literal>) the PPD files in
|
||||
<filename>/var/lib/cups/ppd</filename> will be updated automatically
|
||||
to avoid errors due to incompatible versions.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -318,9 +314,9 @@ in
|
||||
[ ! -e /var/lib/cups/path ] && \
|
||||
ln -s ${bindir} /var/lib/cups/path
|
||||
|
||||
${optionalString cfg.gutenprint ''
|
||||
${optionalString (containsGutenprint cfg.drivers) ''
|
||||
if [ -d /var/lib/cups/ppd ]; then
|
||||
${gutenprint}/bin/cups-genppdupdate -p /var/lib/cups/ppd
|
||||
${getGutenprint cfg.drivers}/bin/cups-genppdupdate -p /var/lib/cups/ppd
|
||||
fi
|
||||
''}
|
||||
'';
|
||||
|
@ -122,7 +122,7 @@ in
|
||||
fi
|
||||
'';
|
||||
|
||||
restartTriggers = [ config.environment.etc.localtime.source ];
|
||||
restartTriggers = [ config.time.timeZone ];
|
||||
serviceConfig.ExecStart = "${cronNixosPkg}/bin/cron -n";
|
||||
};
|
||||
|
||||
|
@ -1,31 +0,0 @@
|
||||
{lib, config, ...}:
|
||||
|
||||
let kernel = config.boot.kernelPackages;
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
|
||||
services.frandom.enable = lib.mkOption {
|
||||
default = false;
|
||||
type = lib.types.bool;
|
||||
description = ''
|
||||
enable the /dev/frandom device (a very fast random number generator)
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
|
||||
config = lib.mkIf config.services.frandom.enable {
|
||||
boot.kernelModules = [ "frandom" ];
|
||||
boot.extraModulePackages = [ kernel.frandom ];
|
||||
services.udev.packages = [ kernel.frandom ];
|
||||
};
|
||||
|
||||
}
|
@ -99,6 +99,8 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
security.pam.services.physlock = {};
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -42,9 +42,9 @@ in {
|
||||
after = [ "network.target" ];
|
||||
description = "Deluge BitTorrent Daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [ pkgs.pythonPackages.deluge ];
|
||||
path = [ pkgs.deluge ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.pythonPackages.deluge}/bin/deluged -d";
|
||||
ExecStart = "${pkgs.deluge}/bin/deluged -d";
|
||||
# To prevent "Quit & shutdown daemon" from working; we want systemd to manage it!
|
||||
Restart = "on-success";
|
||||
User = "deluge";
|
||||
@ -57,13 +57,13 @@ in {
|
||||
after = [ "network.target" ];
|
||||
description = "Deluge BitTorrent WebUI";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [ pkgs.pythonPackages.deluge ];
|
||||
serviceConfig.ExecStart = "${pkgs.pythonPackages.deluge}/bin/deluge --ui web";
|
||||
path = [ pkgs.deluge ];
|
||||
serviceConfig.ExecStart = "${pkgs.deluge}/bin/deluge --ui web";
|
||||
serviceConfig.User = "deluge";
|
||||
serviceConfig.Group = "deluge";
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.pythonPackages.deluge ];
|
||||
environment.systemPackages = [ pkgs.deluge ];
|
||||
|
||||
users.extraUsers.deluge = {
|
||||
group = "deluge";
|
||||
|
@ -6,7 +6,7 @@ let
|
||||
cfg = config.services.transmission;
|
||||
apparmor = config.security.apparmor.enable;
|
||||
|
||||
homeDir = "/var/lib/transmission";
|
||||
homeDir = cfg.home;
|
||||
downloadDir = "${homeDir}/Downloads";
|
||||
incompleteDir = "${homeDir}/.incomplete";
|
||||
|
||||
@ -69,6 +69,14 @@ in
|
||||
default = 9091;
|
||||
description = "TCP port number to run the RPC/web interface.";
|
||||
};
|
||||
|
||||
home = mkOption {
|
||||
type = types.path;
|
||||
default = "/var/lib/transmission";
|
||||
description = ''
|
||||
The directory where transmission will create files.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
100
nixos/modules/services/web-apps/nexus.nix
Normal file
100
nixos/modules/services/web-apps/nexus.nix
Normal file
@ -0,0 +1,100 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
cfg = config.services.nexus;
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
services.nexus = {
|
||||
enable = mkEnableOption "SonarType Nexus3 OSS service";
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "nexus";
|
||||
description = "User which runs Nexus3.";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "nexus";
|
||||
description = "Group which runs Nexus3.";
|
||||
};
|
||||
|
||||
home = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/sonatype-work";
|
||||
description = "Home directory of the Nexus3 instance.";
|
||||
};
|
||||
|
||||
listenAddress = mkOption {
|
||||
type = types.str;
|
||||
default = "127.0.0.1";
|
||||
description = "Address to listen on.";
|
||||
};
|
||||
|
||||
listenPort = mkOption {
|
||||
type = types.int;
|
||||
default = 8081;
|
||||
description = "Port to listen on.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
users.extraUsers."${cfg.user}" = {
|
||||
isSystemUser = true;
|
||||
group = cfg.group;
|
||||
};
|
||||
|
||||
users.extraGroups."${cfg.group}" = {};
|
||||
|
||||
systemd.services.nexus = {
|
||||
description = "SonarType Nexus3";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
path = [ cfg.home ];
|
||||
|
||||
environment = {
|
||||
NEXUS_USER = cfg.user;
|
||||
NEXUS_HOME = cfg.home;
|
||||
};
|
||||
|
||||
preStart = ''
|
||||
mkdir -p ${cfg.home}/nexus3/etc
|
||||
|
||||
ln -sf ${cfg.home} /run/sonatype-work
|
||||
|
||||
chown -R ${cfg.user}:${cfg.group} ${cfg.home}
|
||||
|
||||
if [ ! -f ${cfg.home}/nexus3/etc/nexus.properties ]; then
|
||||
echo "# Jetty section" > ${cfg.home}/nexus3/etc/nexus.properties
|
||||
echo "application-port=${toString cfg.listenPort}" >> ${cfg.home}/nexus3/etc/nexus.properties
|
||||
echo "application-host=${toString cfg.listenAddress}" >> ${cfg.home}/nexus3/etc/nexus.properties
|
||||
else
|
||||
sed 's/^application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
|
||||
sed 's/^# application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
|
||||
sed 's/^application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
|
||||
sed 's/^# application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
|
||||
fi
|
||||
'';
|
||||
|
||||
script = "${pkgs.nexus}/bin/nexus run";
|
||||
|
||||
serviceConfig = {
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
PrivateTmp = true;
|
||||
PermissionsStartOnly = true;
|
||||
LimitNOFILE = 102642;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
meta.maintainers = with stdenv.lib.maintainers; [ ironpinguin ];
|
||||
}
|
@ -79,16 +79,6 @@
|
||||
You can safely ignore this, unless you need a plugin that needs JavaScript tracker access.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
Sending mail from piwik, e.g. for the password reset function, might not work out of the box:
|
||||
There's a problem with using <command>sendmail</command> from <literal>php-fpm</literal> that is
|
||||
being investigated at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/26611" />.
|
||||
If you have (or don't have) this problem as well, please report it. You can enable SMTP as method
|
||||
to send mail in piwik's <quote>General Settings</quote> > <quote>Mail Server Settings</quote> instead.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
@ -24,14 +24,17 @@ in {
|
||||
default = false;
|
||||
description = ''
|
||||
Enable piwik web analytics with php-fpm backend.
|
||||
Either the nginx option or the webServerUser option is mandatory.
|
||||
'';
|
||||
};
|
||||
|
||||
webServerUser = mkOption {
|
||||
type = types.str;
|
||||
example = "nginx";
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
example = "lighttpd";
|
||||
description = ''
|
||||
Name of the owner of the ${phpSocket} fastcgi socket for piwik.
|
||||
Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for piwik if the nginx
|
||||
option is not used. Either this option or the nginx option is mandatory.
|
||||
If you want to use another webserver than nginx, you need to set this to that server's user
|
||||
and pass fastcgi requests to `index.php` and `piwik.php` to this socket.
|
||||
'';
|
||||
@ -57,47 +60,43 @@ in {
|
||||
};
|
||||
|
||||
nginx = mkOption {
|
||||
# TODO: for maximum flexibility, it would be nice to use nginx's vhost_options module
|
||||
# but this only makes sense if we can somehow specify defaults suitable for piwik.
|
||||
# But users can always copy the piwik nginx config to their configuration.nix and customize it.
|
||||
type = types.nullOr (types.submodule {
|
||||
options = {
|
||||
virtualHost = mkOption {
|
||||
type = types.str;
|
||||
default = "piwik.${config.networking.hostName}";
|
||||
example = "piwik.$\{config.networking.hostName\}";
|
||||
description = ''
|
||||
Name of the nginx virtualhost to use and set up.
|
||||
'';
|
||||
};
|
||||
enableSSL = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Whether to enable https.";
|
||||
};
|
||||
forceSSL = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Whether to always redirect to https.";
|
||||
};
|
||||
enableACME = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Whether to ask Let's Encrypt to sign a certificate for this vhost.";
|
||||
};
|
||||
};
|
||||
});
|
||||
type = types.nullOr (types.submodule (
|
||||
recursiveUpdate
|
||||
(import ../web-servers/nginx/vhost-options.nix { inherit config lib; })
|
||||
{
|
||||
# enable encryption by default,
|
||||
# as sensitive login and piwik data should not be transmitted in clear text.
|
||||
options.forceSSL.default = true;
|
||||
options.enableACME.default = true;
|
||||
}
|
||||
)
|
||||
);
|
||||
default = null;
|
||||
example = { virtualHost = "stats.$\{config.networking.hostName\}"; };
|
||||
example = {
|
||||
serverName = "stats.$\{config.networking.hostName\}";
|
||||
enableACME = false;
|
||||
};
|
||||
description = ''
|
||||
The options to use to configure an nginx virtualHost.
|
||||
If null (the default), no nginx virtualHost will be configured.
|
||||
With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik.
|
||||
Either this option or the webServerUser option is mandatory.
|
||||
Set this to {} to just enable the virtualHost if you don't need any customization.
|
||||
If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active,
|
||||
and certificates are acquired via ACME.
|
||||
If this is set to null (the default), no nginx virtualHost will be configured.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [
|
||||
"If services.piwik.nginx is set, services.piwik.nginx.webServerUser is ignored and should be removed."
|
||||
];
|
||||
|
||||
assertions = [ {
|
||||
assertion = cfg.nginx != null || cfg.webServerUser != null;
|
||||
message = "Either services.piwik.nginx or services.piwik.nginx.webServerUser is mandatory";
|
||||
}];
|
||||
|
||||
users.extraUsers.${user} = {
|
||||
isSystemUser = true;
|
||||
@ -153,10 +152,16 @@ in {
|
||||
serviceConfig.UMask = "0007";
|
||||
};
|
||||
|
||||
services.phpfpm.poolConfigs = {
|
||||
services.phpfpm.poolConfigs = let
|
||||
# workaround for when both are null and need to generate a string,
|
||||
# which is illegal, but as assertions apparently are being triggered *after* config generation,
|
||||
# we have to avoid already throwing errors at this previous stage.
|
||||
socketOwner = if (cfg.nginx != null) then config.services.nginx.user
|
||||
else if (cfg.webServerUser != null) then cfg.webServerUser else "";
|
||||
in {
|
||||
${pool} = ''
|
||||
listen = "${phpSocket}"
|
||||
listen.owner = ${cfg.webServerUser}
|
||||
listen.owner = ${socketOwner}
|
||||
listen.group = root
|
||||
listen.mode = 0600
|
||||
user = ${user}
|
||||
@ -170,12 +175,15 @@ in {
|
||||
# References:
|
||||
# https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html
|
||||
# https://github.com/perusio/piwik-nginx
|
||||
${cfg.nginx.virtualHost} = {
|
||||
root = "${pkgs.piwik}/share";
|
||||
enableSSL = cfg.nginx.enableSSL;
|
||||
enableACME = cfg.nginx.enableACME;
|
||||
forceSSL = cfg.nginx.forceSSL;
|
||||
"${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx {
|
||||
# don't allow to override the root easily, as it will almost certainly break piwik.
|
||||
# disadvantage: not shown as default in docs.
|
||||
root = mkForce "${pkgs.piwik}/share";
|
||||
|
||||
# define locations here instead of as the submodule option's default
|
||||
# so that they can easily be extended with additional locations if required
|
||||
# without needing to redefine the piwik ones.
|
||||
# disadvantage: not shown as default in docs.
|
||||
locations."/" = {
|
||||
index = "index.php";
|
||||
};
|
||||
@ -208,7 +216,7 @@ in {
|
||||
locations."= /piwik.js".extraConfig = ''
|
||||
expires 1M;
|
||||
'';
|
||||
};
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -19,6 +19,24 @@ let
|
||||
) cfg.virtualHosts;
|
||||
enableIPv6 = config.networking.enableIPv6;
|
||||
|
||||
recommendedProxyConfig = pkgs.writeText "nginx-recommended-proxy-headers.conf" ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
'';
|
||||
|
||||
upstreamConfig = toString (flip mapAttrsToList cfg.upstreams (name: upstream: ''
|
||||
upstream ${name} {
|
||||
${toString (flip mapAttrsToList upstream.servers (name: server: ''
|
||||
server ${name} ${optionalString server.backup "backup"};
|
||||
''))}
|
||||
}
|
||||
''));
|
||||
|
||||
configFile = pkgs.writeText "nginx.conf" ''
|
||||
user ${cfg.user} ${cfg.group};
|
||||
error_log stderr;
|
||||
@ -41,6 +59,7 @@ let
|
||||
${optionalString (cfg.resolver.addresses != []) ''
|
||||
resolver ${toString cfg.resolver.addresses} ${optionalString (cfg.resolver.valid != "") "valid=${cfg.resolver.valid}"};
|
||||
''}
|
||||
${upstreamConfig}
|
||||
|
||||
${optionalString (cfg.recommendedOptimisation) ''
|
||||
# optimisation
|
||||
@ -74,21 +93,19 @@ let
|
||||
''}
|
||||
|
||||
${optionalString (cfg.recommendedProxySettings) ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header Accept-Encoding "";
|
||||
|
||||
proxy_redirect off;
|
||||
proxy_connect_timeout 90;
|
||||
proxy_send_timeout 90;
|
||||
proxy_read_timeout 90;
|
||||
proxy_http_version 1.0;
|
||||
include ${recommendedProxyConfig};
|
||||
''}
|
||||
|
||||
# $connection_upgrade is used for websocket proxying
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
''' close;
|
||||
}
|
||||
client_max_body_size ${cfg.clientMaxBodySize};
|
||||
|
||||
server_tokens ${if cfg.serverTokens then "on" else "off"};
|
||||
@ -130,22 +147,23 @@ let
|
||||
|
||||
vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost:
|
||||
let
|
||||
ssl = with vhost; addSSL || onlySSL || enableSSL;
|
||||
onlySSL = vhost.onlySSL || vhost.enableSSL;
|
||||
hasSSL = onlySSL || vhost.addSSL || vhost.forceSSL;
|
||||
|
||||
defaultListen = with vhost;
|
||||
if listen != [] then listen
|
||||
else if onlySSL || enableSSL then
|
||||
singleton { addr = "0.0.0.0"; port = 443; ssl = true; }
|
||||
++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; }
|
||||
else singleton { addr = "0.0.0.0"; port = 80; ssl = false; }
|
||||
++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; }
|
||||
++ optional addSSL { addr = "0.0.0.0"; port = 443; ssl = true; }
|
||||
++ optional (enableIPv6 && addSSL) { addr = "[::]"; port = 443; ssl = true; };
|
||||
defaultListen =
|
||||
if vhost.listen != [] then vhost.listen
|
||||
else ((optionals hasSSL (
|
||||
singleton { addr = "0.0.0.0"; port = 443; ssl = true; }
|
||||
++ optional enableIPv6 { addr = "[::]"; port = 443; ssl = true; }
|
||||
)) ++ optionals (!onlySSL) (
|
||||
singleton { addr = "0.0.0.0"; port = 80; ssl = false; }
|
||||
++ optional enableIPv6 { addr = "[::]"; port = 80; ssl = false; }
|
||||
));
|
||||
|
||||
hostListen =
|
||||
if !vhost.forceSSL
|
||||
then defaultListen
|
||||
else filter (x: x.ssl) defaultListen;
|
||||
if vhost.forceSSL
|
||||
then filter (x: x.ssl) defaultListen
|
||||
else defaultListen;
|
||||
|
||||
listenString = { addr, port, ssl, ... }:
|
||||
"listen ${addr}:${toString port} "
|
||||
@ -155,9 +173,6 @@ let
|
||||
|
||||
redirectListen = filter (x: !x.ssl) defaultListen;
|
||||
|
||||
redirectListenString = { addr, ... }:
|
||||
"listen ${addr}:80 ${optionalString vhost.default "default_server"};";
|
||||
|
||||
acmeLocation = ''
|
||||
location /.well-known/acme-challenge {
|
||||
${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
|
||||
@ -175,7 +190,7 @@ let
|
||||
in ''
|
||||
${optionalString vhost.forceSSL ''
|
||||
server {
|
||||
${concatMapStringsSep "\n" redirectListenString redirectListen}
|
||||
${concatMapStringsSep "\n" listenString redirectListen}
|
||||
|
||||
server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};
|
||||
${optionalString vhost.enableACME acmeLocation}
|
||||
@ -191,9 +206,9 @@ let
|
||||
${optionalString vhost.enableACME acmeLocation}
|
||||
${optionalString (vhost.root != null) "root ${vhost.root};"}
|
||||
${optionalString (vhost.globalRedirect != null) ''
|
||||
return 301 http${optionalString ssl "s"}://${vhost.globalRedirect}$request_uri;
|
||||
return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
|
||||
''}
|
||||
${optionalString ssl ''
|
||||
${optionalString hasSSL ''
|
||||
ssl_certificate ${vhost.sslCertificate};
|
||||
ssl_certificate_key ${vhost.sslCertificateKey};
|
||||
''}
|
||||
@ -208,12 +223,24 @@ let
|
||||
) virtualHosts);
|
||||
mkLocations = locations: concatStringsSep "\n" (mapAttrsToList (location: config: ''
|
||||
location ${location} {
|
||||
${optionalString (config.proxyPass != null) "proxy_pass ${config.proxyPass};"}
|
||||
${optionalString (config.proxyPass != null && !cfg.proxyResolveWhileRunning)
|
||||
"proxy_pass ${config.proxyPass};"
|
||||
}
|
||||
${optionalString (config.proxyPass != null && cfg.proxyResolveWhileRunning) ''
|
||||
set $nix_proxy_target "${config.proxyPass}";
|
||||
proxy_pass $nix_proxy_target;
|
||||
''}
|
||||
${optionalString config.proxyWebsockets ''
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
''}
|
||||
${optionalString (config.index != null) "index ${config.index};"}
|
||||
${optionalString (config.tryFiles != null) "try_files ${config.tryFiles};"}
|
||||
${optionalString (config.root != null) "root ${config.root};"}
|
||||
${optionalString (config.alias != null) "alias ${config.alias};"}
|
||||
${config.extraConfig}
|
||||
${optionalString (config.proxyPass != null && cfg.recommendedProxySettings) "include ${recommendedProxyConfig};"}
|
||||
}
|
||||
'') locations);
|
||||
mkBasicAuth = vhostName: authDef: let
|
||||
@ -405,6 +432,16 @@ in
|
||||
description = "Path to DH parameters file.";
|
||||
};
|
||||
|
||||
proxyResolveWhileRunning = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Resolves domains of proxyPass targets at runtime
|
||||
and not only at start, you have to set
|
||||
services.nginx.resolver, too.
|
||||
'';
|
||||
};
|
||||
|
||||
resolver = mkOption {
|
||||
type = types.submodule {
|
||||
options = {
|
||||
@ -431,6 +468,35 @@ in
|
||||
default = {};
|
||||
};
|
||||
|
||||
upstreams = mkOption {
|
||||
type = types.attrsOf (types.submodule {
|
||||
options = {
|
||||
servers = mkOption {
|
||||
type = types.attrsOf (types.submodule {
|
||||
options = {
|
||||
backup = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Marks the server as a backup server. It will be passed
|
||||
requests when the primary servers are unavailable.
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
description = ''
|
||||
Defines the address and other parameters of the upstream servers.
|
||||
'';
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
});
|
||||
description = ''
|
||||
Defines a group of servers to use as proxy target.
|
||||
'';
|
||||
default = {};
|
||||
};
|
||||
|
||||
virtualHosts = mkOption {
|
||||
type = types.attrsOf (types.submodule (import ./vhost-options.nix {
|
||||
inherit config lib;
|
||||
@ -441,7 +507,6 @@ in
|
||||
example = literalExample ''
|
||||
{
|
||||
"hydra.example.com" = {
|
||||
addSSL = true;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
@ -478,18 +543,15 @@ in
|
||||
}
|
||||
|
||||
{
|
||||
assertion = all (conf: with conf; !(addSSL && (onlySSL || enableSSL))) (attrValues virtualHosts);
|
||||
assertion = all (conf: with conf;
|
||||
!(addSSL && (onlySSL || enableSSL)) &&
|
||||
!(forceSSL && (onlySSL || enableSSL)) &&
|
||||
!(addSSL && forceSSL)
|
||||
) (attrValues virtualHosts);
|
||||
message = ''
|
||||
Options services.nginx.service.virtualHosts.<name>.addSSL and
|
||||
services.nginx.virtualHosts.<name>.onlySSL are mutually esclusive
|
||||
'';
|
||||
}
|
||||
|
||||
{
|
||||
assertion = all (conf: with conf; forceSSL -> addSSL) (attrValues virtualHosts);
|
||||
message = ''
|
||||
Option services.nginx.virtualHosts.<name>.forceSSL requires
|
||||
services.nginx.virtualHosts.<name>.addSSL set to true.
|
||||
Options services.nginx.service.virtualHosts.<name>.addSSL,
|
||||
services.nginx.virtualHosts.<name>.onlySSL and services.nginx.virtualHosts.<name>.forceSSL
|
||||
are mutually exclusive.
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
@ -14,7 +14,17 @@ with lib;
|
||||
default = null;
|
||||
example = "http://www.example.org/";
|
||||
description = ''
|
||||
Adds proxy_pass directive.
|
||||
Adds proxy_pass directive and sets recommended proxy headers if
|
||||
recommendedProxySettings is enabled.
|
||||
'';
|
||||
};
|
||||
|
||||
proxyWebsockets = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
example = true;
|
||||
description = ''
|
||||
Whether to supporty proxying websocket connections with HTTP/1.1.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -96,8 +96,9 @@ with lib;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to add a separate nginx server block that permanently redirects (301)
|
||||
all plain HTTP traffic to HTTPS. This option needs <literal>addSSL</literal>
|
||||
to be set to true.
|
||||
all plain HTTP traffic to HTTPS. This will set defaults for
|
||||
<literal>listen</literal> to listen on all interfaces on the respective default
|
||||
ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -150,7 +150,8 @@ in {
|
||||
PrivateDevices = true;
|
||||
ProtectSystem = "full";
|
||||
ProtectHome = true;
|
||||
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
|
||||
# XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
|
||||
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
|
||||
Type = "notify";
|
||||
ExecStart = "${cfg.phpPackage}/bin/php-fpm -y ${cfgFile} -c ${phpIni}";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
|
||||
|
@ -20,6 +20,7 @@ in
|
||||
imports = [
|
||||
./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix
|
||||
./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./maxx.nix
|
||||
./mate.nix
|
||||
];
|
||||
|
||||
options = {
|
||||
|
@ -186,7 +186,8 @@ in {
|
||||
networking.networkmanager.basePackages =
|
||||
{ inherit (pkgs) networkmanager modemmanager wpa_supplicant;
|
||||
inherit (gnome3) networkmanager_openvpn networkmanager_vpnc
|
||||
networkmanager_openconnect networkmanager_fortisslvpn networkmanager_pptp
|
||||
networkmanager_openconnect networkmanager_fortisslvpn
|
||||
networkmanager_pptp networkmanager_iodine
|
||||
networkmanager_l2tp; };
|
||||
|
||||
# Needed for themes and backgrounds
|
||||
|
79
nixos/modules/services/x11/desktop-managers/mate.nix
Normal file
79
nixos/modules/services/x11/desktop-managers/mate.nix
Normal file
@ -0,0 +1,79 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
# Remove packages of ys from xs, based on their names
|
||||
removePackagesByName = xs: ys:
|
||||
let
|
||||
pkgName = drv: (builtins.parseDrvName drv.name).name;
|
||||
ysNames = map pkgName ys;
|
||||
in
|
||||
filter (x: !(builtins.elem (pkgName x) ysNames)) xs;
|
||||
|
||||
xcfg = config.services.xserver;
|
||||
cfg = xcfg.desktopManager.mate;
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
|
||||
services.xserver.desktopManager.mate.enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enable the MATE desktop environment";
|
||||
};
|
||||
|
||||
environment.mate.excludePackages = mkOption {
|
||||
default = [];
|
||||
example = literalExample "[ pkgs.mate.mate-terminal pkgs.mate.pluma ]";
|
||||
type = types.listOf types.package;
|
||||
description = "Which MATE packages to exclude from the default environment";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = mkIf (xcfg.enable && cfg.enable) {
|
||||
|
||||
services.xserver.desktopManager.session = singleton {
|
||||
name = "mate";
|
||||
bgSupport = true;
|
||||
start = ''
|
||||
# Set GTK_DATA_PREFIX so that GTK+ can find the themes
|
||||
export GTK_DATA_PREFIX=${config.system.path}
|
||||
|
||||
# Find theme engines
|
||||
export GTK_PATH=${config.system.path}/lib/gtk-3.0:${config.system.path}/lib/gtk-2.0
|
||||
|
||||
export XDG_MENU_PREFIX=mate
|
||||
|
||||
# Find the mouse
|
||||
export XCURSOR_PATH=~/.icons:${config.system.path}/share/icons
|
||||
|
||||
# Update user dirs as described in http://freedesktop.org/wiki/Software/xdg-user-dirs/
|
||||
${pkgs.xdg-user-dirs}/bin/xdg-user-dirs-update
|
||||
|
||||
${pkgs.mate.mate-session-manager}/bin/mate-session &
|
||||
waitPID=$!
|
||||
'';
|
||||
};
|
||||
|
||||
environment.systemPackages =
|
||||
pkgs.mate.basePackages ++
|
||||
(removePackagesByName
|
||||
pkgs.mate.extraPackages
|
||||
config.environment.mate.excludePackages);
|
||||
|
||||
services.dbus.packages = [
|
||||
pkgs.gnome3.dconf
|
||||
pkgs.at_spi2_core
|
||||
];
|
||||
|
||||
services.gnome3.gnome-keyring.enable = true;
|
||||
|
||||
environment.pathsToLink = [ "/share" ];
|
||||
};
|
||||
|
||||
}
|
@ -103,14 +103,29 @@ in
|
||||
(filter (arg: arg != "-terminate") cfg.xserverArgs);
|
||||
GDM_SESSIONS_DIR = "${cfg.session.desktops}";
|
||||
# Find the mouse
|
||||
XCURSOR_PATH = "~/.icons:${config.system.path}/share/icons";
|
||||
XCURSOR_PATH = "~/.icons:${gnome3.adwaita-icon-theme}/share/icons";
|
||||
};
|
||||
execCmd = "exec ${gdm}/bin/gdm";
|
||||
};
|
||||
|
||||
# Because sd_login_monitor_new requires /run/systemd/machines
|
||||
systemd.services.display-manager.wants = [ "systemd-machined.service" ];
|
||||
systemd.services.display-manager.after = [ "systemd-machined.service" ];
|
||||
systemd.services.display-manager.after = [
|
||||
"rc-local.service"
|
||||
"systemd-machined.service"
|
||||
"systemd-user-sessions.service"
|
||||
"getty@tty1.service"
|
||||
];
|
||||
|
||||
systemd.services.display-manager.conflicts = [ "getty@tty1.service" ];
|
||||
systemd.services.display-manager.serviceConfig = {
|
||||
# Restart = "always"; - already defined in xserver.nix
|
||||
KillMode = "mixed";
|
||||
IgnoreSIGPIPE = "no";
|
||||
BusName = "org.gnome.DisplayManager";
|
||||
StandardOutput = "syslog";
|
||||
StandardError = "inherit";
|
||||
};
|
||||
|
||||
systemd.services.display-manager.path = [ gnome3.gnome_session ];
|
||||
|
||||
|
@ -34,6 +34,12 @@ in
|
||||
};
|
||||
|
||||
pulseaudio = mkEnableOption "pulseaudio audio streaming.";
|
||||
|
||||
extraOptions = mkOption {
|
||||
description = "Extra xpra options";
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -233,7 +239,8 @@ in
|
||||
--socket-dirs=/var/run/xpra \
|
||||
--xvfb="xpra_Xdummy ${concatStringsSep " " dmcfg.xserverArgs}" \
|
||||
${optionalString (cfg.bindTcp != null) "--bind-tcp=${cfg.bindTcp}"} \
|
||||
--auth=${cfg.auth}
|
||||
--auth=${cfg.auth} \
|
||||
${concatStringsSep " " cfg.extraOptions}
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -29,7 +29,7 @@ in {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Whether to enable touchpad support.";
|
||||
description = "Whether to enable touchpad support. Deprecated: Consider services.xserver.libinput.enable.";
|
||||
};
|
||||
|
||||
dev = mkOption {
|
||||
|
@ -1,60 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
cfg = config.services.xserver.windowManager.compiz;
|
||||
xorg = config.services.xserver.package;
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
options = {
|
||||
|
||||
services.xserver.windowManager.compiz = {
|
||||
|
||||
enable = mkEnableOption "compiz";
|
||||
|
||||
renderingFlag = mkOption {
|
||||
default = "";
|
||||
example = "--indirect-rendering";
|
||||
description = "Pass the <option>--indirect-rendering</option> flag to Compiz.";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
services.xserver.windowManager.session = singleton
|
||||
{ name = "compiz";
|
||||
start =
|
||||
''
|
||||
# Start Compiz using the flat-file configuration backend
|
||||
# (ccp).
|
||||
export COMPIZ_PLUGINDIR=${config.system.path}/lib/compiz
|
||||
export COMPIZ_METADATADIR=${config.system.path}/share/compiz
|
||||
${pkgs.compiz}/bin/compiz ccp ${cfg.renderingFlag} &
|
||||
|
||||
# Start GTK-style window decorator.
|
||||
${pkgs.compiz}/bin/gtk-window-decorator &
|
||||
'';
|
||||
};
|
||||
|
||||
environment.systemPackages =
|
||||
[ pkgs.compiz
|
||||
pkgs.compiz_ccsm
|
||||
pkgs.compiz_plugins_main
|
||||
pkgs.compiz_plugins_extra
|
||||
pkgs.libcompizconfig # for the "ccp" plugin
|
||||
];
|
||||
|
||||
environment.pathsToLink = [ "/lib/compiz" "/share/compiz" ];
|
||||
|
||||
};
|
||||
|
||||
}
|
@ -11,7 +11,6 @@ in
|
||||
./2bwm.nix
|
||||
./afterstep.nix
|
||||
./bspwm.nix
|
||||
./compiz.nix
|
||||
./dwm.nix
|
||||
./exwm.nix
|
||||
./fluxbox.nix
|
||||
|
@ -147,11 +147,16 @@ my $activePrev = getActiveUnits;
|
||||
while (my ($unit, $state) = each %{$activePrev}) {
|
||||
my $baseUnit = $unit;
|
||||
|
||||
# Recognise template instances.
|
||||
$baseUnit = "$1\@.$2" if $unit =~ /^(.*)@[^\.]*\.(.*)$/;
|
||||
my $prevUnitFile = "/etc/systemd/system/$baseUnit";
|
||||
my $newUnitFile = "$out/etc/systemd/system/$baseUnit";
|
||||
|
||||
# Detect template instances.
|
||||
if (!-e $prevUnitFile && !-e $newUnitFile && $unit =~ /^(.*)@[^\.]*\.(.*)$/) {
|
||||
$baseUnit = "$1\@.$2";
|
||||
$prevUnitFile = "/etc/systemd/system/$baseUnit";
|
||||
$newUnitFile = "$out/etc/systemd/system/$baseUnit";
|
||||
}
|
||||
|
||||
my $baseName = $baseUnit;
|
||||
$baseName =~ s/\.[a-z]*$//;
|
||||
|
||||
|
@ -121,8 +121,8 @@ sub GetFs {
|
||||
my $device = $fields[$n + 1];
|
||||
my @superOptions = split /,/, $fields[$n + 2];
|
||||
|
||||
# Skip the read-only bind-mount on /nix/store.
|
||||
next if $mountPoint eq "/nix/store" && (grep { $_ eq "rw" } @superOptions) && (grep { $_ eq "ro" } @mountOptions);
|
||||
# Skip the bind-mount on /nix/store.
|
||||
next if $mountPoint eq "/nix/store" && (grep { $_ eq "rw" } @superOptions);
|
||||
# Skip mount point generated by systemd-efi-boot-generator?
|
||||
next if $fsType eq "autofs";
|
||||
|
||||
|
@ -12,6 +12,9 @@ import warnings
|
||||
import ctypes
|
||||
libc = ctypes.CDLL("libc.so.6")
|
||||
import re
|
||||
import datetime
|
||||
import glob
|
||||
import os.path
|
||||
|
||||
def copy_if_not_exists(source, dest):
|
||||
if not os.path.exists(dest):
|
||||
@ -24,7 +27,7 @@ def system_dir(profile, generation):
|
||||
return "/nix/var/nix/profiles/system-%d-link" % (generation)
|
||||
|
||||
BOOT_ENTRY = """title NixOS{profile}
|
||||
version Generation {generation}
|
||||
version Generation {generation} {description}
|
||||
linux {kernel}
|
||||
initrd {initrd}
|
||||
options {kernel_params}
|
||||
@ -54,6 +57,26 @@ def copy_from_profile(profile, generation, name, dry_run=False):
|
||||
copy_if_not_exists(store_file_path, "@efiSysMountPoint@%s" % (efi_file_path))
|
||||
return efi_file_path
|
||||
|
||||
def describe_generation(generation_dir):
|
||||
try:
|
||||
with open("%s/nixos-version" % generation_dir) as f:
|
||||
nixos_version = f.read()
|
||||
except IOError:
|
||||
nixos_version = "Unknown"
|
||||
|
||||
kernel_dir = os.path.dirname(os.path.realpath("%s/kernel" % generation_dir))
|
||||
module_dir = glob.glob("%s/lib/modules/*" % kernel_dir)[0]
|
||||
kernel_version = os.path.basename(module_dir)
|
||||
|
||||
build_time = int(os.path.getctime(generation_dir))
|
||||
build_date = datetime.datetime.fromtimestamp(build_time).strftime('%F')
|
||||
|
||||
description = "NixOS {}, Linux Kernel {}, Built on {}".format(
|
||||
nixos_version, kernel_version, build_date
|
||||
)
|
||||
|
||||
return description
|
||||
|
||||
def write_entry(profile, generation, machine_id):
|
||||
kernel = copy_from_profile(profile, generation, "kernel")
|
||||
initrd = copy_from_profile(profile, generation, "initrd")
|
||||
@ -69,6 +92,7 @@ def write_entry(profile, generation, machine_id):
|
||||
generation_dir = os.readlink(system_dir(profile, generation))
|
||||
tmp_path = "%s.tmp" % (entry_file)
|
||||
kernel_params = "systemConfig=%s init=%s/init " % (generation_dir, generation_dir)
|
||||
|
||||
with open("%s/kernel-params" % (generation_dir)) as params_file:
|
||||
kernel_params = kernel_params + params_file.read()
|
||||
with open(tmp_path, 'w') as f:
|
||||
@ -76,7 +100,8 @@ def write_entry(profile, generation, machine_id):
|
||||
generation=generation,
|
||||
kernel=kernel,
|
||||
initrd=initrd,
|
||||
kernel_params=kernel_params))
|
||||
kernel_params=kernel_params,
|
||||
description=describe_generation(generation_dir)))
|
||||
if machine_id is not None:
|
||||
f.write("machine-id %s\n" % machine_id)
|
||||
os.rename(tmp_path, entry_file)
|
||||
|
@ -221,6 +221,9 @@ checkFS() {
|
||||
# Don't check resilient COWs as they validate the fs structures at mount time
|
||||
if [ "$fsType" = btrfs -o "$fsType" = zfs ]; then return 0; fi
|
||||
|
||||
# Skip fsck for bcachefs - not implemented yet.
|
||||
if [ "$fsType" = bcachefs ]; then return 0; fi
|
||||
|
||||
# Skip fsck for inherently readonly filesystems.
|
||||
if [ "$fsType" = squashfs ]; then return 0; fi
|
||||
|
||||
|
@ -294,7 +294,7 @@ in
|
||||
"/run" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
|
||||
"/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; };
|
||||
"/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; };
|
||||
"/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "gid=${toString config.ids.gids.tty}" ]; };
|
||||
"/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "ptmxmode=0666" "gid=${toString config.ids.gids.tty}" ]; };
|
||||
|
||||
# To hold secrets that shouldn't be written to disk (generally used for NixOps, harmless elsewhere)
|
||||
"/run/keys" = { fsType = "ramfs"; options = [ "nosuid" "nodev" "mode=750" "gid=${toString config.ids.gids.keys}" ]; };
|
||||
|
26
nixos/modules/tasks/filesystems/bcachefs.nix
Normal file
26
nixos/modules/tasks/filesystems/bcachefs.nix
Normal file
@ -0,0 +1,26 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
inInitrd = any (fs: fs == "bcachefs") config.boot.initrd.supportedFilesystems;
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
config = mkIf (any (fs: fs == "bcachefs") config.boot.supportedFilesystems) {
|
||||
|
||||
system.fsPackages = [ pkgs.bcachefs-tools ];
|
||||
|
||||
# use kernel package with bcachefs support until it's in mainline
|
||||
boot.kernelPackages = pkgs.linuxPackages_testing_bcachefs;
|
||||
boot.initrd.availableKernelModules = mkIf inInitrd [ "bcachefs" ];
|
||||
|
||||
boot.initrd.extraUtilsCommands = mkIf inInitrd
|
||||
''
|
||||
copy_bin_and_libs ${pkgs.bcachefs-tools}/bin/fsck.bcachefs
|
||||
'';
|
||||
|
||||
};
|
||||
}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user