Merge remote-tracking branch 'upstream/master' into testers
ebf0465d09
@ -288,7 +288,7 @@ self: super: {
|
||||
ps: with ps; [
|
||||
pyflakes
|
||||
pytest
|
||||
python-language-server
|
||||
black
|
||||
]
|
||||
))
|
||||
|
||||
|
@ -513,15 +513,26 @@
|
||||
github = "alexnortung";
|
||||
githubId = 1552267;
|
||||
};
|
||||
alexshpilkin = {
|
||||
email = "ashpilkin@gmail.com";
|
||||
github = "alexshpilkin";
|
||||
githubId = 1010468;
|
||||
keys = [{
|
||||
longkeyid = "rsa4096/0x73E9AA114B3A894B";
|
||||
fingerprint = "B595 D74D 6615 C010 469F 5A13 73E9 AA11 4B3A 894B";
|
||||
}];
|
||||
matrix = "@alexshpilkin:matrix.org";
|
||||
name = "Alexander Shpilkin";
|
||||
};
|
||||
alexvorobiev = {
|
||||
email = "alexander.vorobiev@gmail.com";
|
||||
github = "alexvorobiev";
|
||||
githubId = 782180;
|
||||
name = "Alex Vorobiev";
|
||||
};
|
||||
alex-eyre = {
|
||||
alexeyre = {
|
||||
email = "A.Eyre@sms.ed.ac.uk";
|
||||
github = "alex-eyre";
|
||||
github = "alexeyre";
|
||||
githubId = 38869148;
|
||||
name = "Alex Eyre";
|
||||
};
|
||||
@ -811,6 +822,16 @@
|
||||
githubId = 1771266;
|
||||
name = "Vo Anh Duy";
|
||||
};
|
||||
Anillc = {
|
||||
name = "Anillc";
|
||||
email = "i@anillc.cn";
|
||||
github = "Anillc";
|
||||
githubId = 23411248;
|
||||
keys = [{
|
||||
longkeyid = "ed25519/0x0BE8A88F47B2145C";
|
||||
fingerprint = "6141 1E4F FE10 CE7B 2E14 CD76 0BE8 A88F 47B2 145C";
|
||||
}];
|
||||
};
|
||||
anirrudh = {
|
||||
email = "anik597@gmail.com";
|
||||
github = "anirrudh";
|
||||
@ -972,6 +993,12 @@
|
||||
githubId = 1118815;
|
||||
name = "Vikram Narayanan";
|
||||
};
|
||||
armeenm = {
|
||||
email = "mahdianarmeen@gmail.com";
|
||||
github = "armeenm";
|
||||
githubId = 29145250;
|
||||
name = "Armeen Mahdian";
|
||||
};
|
||||
armijnhemel = {
|
||||
email = "armijn@tjaldur.nl";
|
||||
github = "armijnhemel";
|
||||
@ -5023,6 +5050,12 @@
|
||||
githubId = 222664;
|
||||
name = "Matthew Leach";
|
||||
};
|
||||
hexchen = {
|
||||
email = "nix@lilwit.ch";
|
||||
github = "hexchen";
|
||||
githubId = 41522204;
|
||||
name = "hexchen";
|
||||
};
|
||||
hh = {
|
||||
email = "hh@m-labs.hk";
|
||||
github = "HarryMakes";
|
||||
@ -9003,6 +9036,12 @@
|
||||
email = "nfjinjing@gmail.com";
|
||||
name = "Jinjing Wang";
|
||||
};
|
||||
ngiger = {
|
||||
email = "niklaus.giger@member.fsf.org";
|
||||
github = "ngiger";
|
||||
githubId = 265800;
|
||||
name = "Niklaus Giger";
|
||||
};
|
||||
nh2 = {
|
||||
email = "mail@nh2.me";
|
||||
matrix = "@nh2:matrix.org";
|
||||
@ -13976,6 +14015,13 @@
|
||||
githubId = 6191421;
|
||||
name = "Edward d'Albon";
|
||||
};
|
||||
zebreus = {
|
||||
matrix = "@lennart:cicen.net";
|
||||
email = "lennarteichhorn+nixpkgs@gmail.com";
|
||||
github = "Zebreus";
|
||||
githubId = 1557253;
|
||||
name = "Lennart Eichhorn";
|
||||
};
|
||||
zef = {
|
||||
email = "zef@zef.me";
|
||||
name = "Zef Hemel";
|
||||
|
@ -22,6 +22,8 @@ ldoc,https://github.com/stevedonovan/LDoc.git,,,,,
|
||||
lgi,,,,,,
|
||||
linenoise,https://github.com/hoelzro/lua-linenoise.git,,,,,
|
||||
ljsyscall,,,,,lua5_1,lblasc
|
||||
lmathx,,,,,lua5_3,alexshpilkin
|
||||
lmpfrlib,,,,,lua5_3,alexshpilkin
|
||||
lpeg,,,,,,vyp
|
||||
lpeg_patterns,,,,,,
|
||||
lpeglabel,,,,,,
|
||||
|
|
@ -445,6 +445,19 @@ with lib.maintainers; {
|
||||
enableFeatureFreezePing = true;
|
||||
};
|
||||
|
||||
numtide = {
|
||||
members = [
|
||||
mic92
|
||||
flokli
|
||||
jfroche
|
||||
tazjin
|
||||
zimbatm
|
||||
];
|
||||
enableFeatureFreezePing = true;
|
||||
scope = "Group registration for Numtide team members who collectively maintain packages.";
|
||||
shortName = "Numtide team";
|
||||
};
|
||||
|
||||
openstack = {
|
||||
members = [
|
||||
emilytrau
|
||||
|
@ -248,7 +248,7 @@ $ nix-env -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' -I nixos-co
|
||||
(since your Nix install was probably single user):
|
||||
</para>
|
||||
<programlisting>
|
||||
$ sudo chown -R 0.0 /nix
|
||||
$ sudo chown -R 0:0 /nix
|
||||
</programlisting>
|
||||
</listitem>
|
||||
<listitem>
|
||||
|
@ -455,6 +455,12 @@
|
||||
<link xlink:href="options.html#opt-services.nifi.enable">services.nifi</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://kanidm.github.io/kanidm/stable/">kanidm</link>,
|
||||
an identity management server written in Rust.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
<section xml:id="sec-release-22.05-incompatibilities">
|
||||
@ -2465,6 +2471,21 @@
|
||||
hosts.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The option
|
||||
<link xlink:href="options.html#opt-networking.useDHCP">networking.useDHCP</link>
|
||||
isn’t deprecated anymore. When using
|
||||
<link xlink:href="options.html#opt-networking.useNetworkd"><literal>systemd-networkd</literal></link>,
|
||||
a generic <literal>.network</literal>-unit is added which
|
||||
enables DHCP for each interface matching
|
||||
<literal>en*</literal>, <literal>eth*</literal> or
|
||||
<literal>wl*</literal> with priority 99 (which means that it
|
||||
doesn’t have any effect if such an interface is matched by a
|
||||
<literal>.network-</literal>unit with a lower priority). In
|
||||
case of scripted networking, no behavior was changed.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
</section>
|
||||
|
@ -177,7 +177,7 @@ The first steps to all these are the same:
|
||||
was probably single user):
|
||||
|
||||
```ShellSession
|
||||
$ sudo chown -R 0.0 /nix
|
||||
$ sudo chown -R 0:0 /nix
|
||||
```
|
||||
|
||||
1. Set up the `/etc/NIXOS` and `/etc/NIXOS_LUSTRATE` files:
|
||||
|
@ -135,6 +135,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
|
||||
- [nifi](https://nifi.apache.org), an easy to use, powerful, and reliable system to process and distribute data. Available as [services.nifi](options.html#opt-services.nifi.enable).
|
||||
|
||||
- [kanidm](https://kanidm.github.io/kanidm/stable/), an identity management server written in Rust.
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
||||
## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
|
||||
@ -875,4 +877,11 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||
`true` starting with NixOS 22.11. Enable it explicitly if you need to control
|
||||
Snapserver remotely or connect streamig clients from other hosts.
|
||||
|
||||
- The option [networking.useDHCP](options.html#opt-networking.useDHCP) isn't deprecated anymore.
|
||||
When using [`systemd-networkd`](options.html#opt-networking.useNetworkd), a generic
|
||||
`.network`-unit is added which enables DHCP for each interface matching `en*`, `eth*`
|
||||
or `wl*` with priority 99 (which means that it doesn't have any effect if such an interface is matched
|
||||
by a `.network-`unit with a lower priority). In case of scripted networking, no behavior
|
||||
was changed.
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
21
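--- /dev/null
+++ b/nixos/modules/hardware/keyboard/uhk.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+cfg = config.hardware.keyboard.uhk;
+in
+{
+options.hardware.keyboard.uhk = {
+enable = mkEnableOption ''
+non-root access to the firmware of UHK keyboards.
+You need it when you want to flash a new firmware on the keyboard.
+Access to the keyboard is granted to users in the "input" group.
+You may want to install the uhk-agent package.
+'';
+
+};
+
+config = mkIf cfg.enable {
+services.udev.packages = [ pkgs.uhk-udev-rules ];
+};
+}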
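Review bot: The enable description states that access is granted to users in the `input` group, but this module only installs `pkgs.uhk-udev-rules`; which group the rules actually use is decided by that package, which is not visible here, so the description should attribute the behaviour to the rules package rather than present it as module logic. Giving an entire group non-root firmware-flash access is also a security trade-off worth spelling out, since anyone in `input` can then reprogram a device that injects keystrokes; I would add to the description `Note that every user in the "input" group can then reflash the keyboard's firmware.` The option text otherwise reads well.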
|
@ -46,5 +46,5 @@ with lib;
|
||||
done
|
||||
'';
|
||||
|
||||
system.stateVersion = mkDefault "18.03";
|
||||
system.stateVersion = lib.mkDefault lib.trivial.release;
|
||||
}
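Review bot: Setting `system.stateVersion` to `lib.trivial.release` makes the value track whatever nixpkgs the image is built from, which is the opposite of what stateVersion exists for on an installed system (freezing stateful defaults at install time). If this profile only produces throwaway installer or test images that is fine, but a comment should say so, e.g. `# This profile builds a fresh image with no persistent state, so the current release is the correct stateVersion.` Since `with lib;` is in scope per the hunk header, `lib.mkDefault lib.trivial.release` is also stylistically inconsistent with the bare `mkDefault` on the removed line. The enclosing attribute set begins outside the hunk.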
|
||||
|
@ -581,17 +581,19 @@ ${\join "", (map { " $_\n" } (uniq @attrs))}}
|
||||
EOF
|
||||
|
||||
sub generateNetworkingDhcpConfig {
|
||||
# FIXME disable networking.useDHCP by default when switching to networkd.
|
||||
my $config = <<EOF;
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
networking.useDHCP = lib.mkDefault false;
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
EOF
|
||||
|
||||
foreach my $path (glob "/sys/class/net/*") {
|
||||
my $dev = basename($path);
|
||||
if ($dev ne "lo") {
|
||||
$config .= " networking.interfaces.$dev.useDHCP = lib.mkDefault true;\n";
|
||||
$config .= " # networking.interfaces.$dev.useDHCP = lib.mkDefault true;\n";
|
||||
}
|
||||
}
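Review bot: The `FIXME` at the top of `generateNetworkingDhcpConfig` still says useDHCP should be disabled by default when switching to networkd, which now contradicts the generated comment that calls the option usable with systemd-networkd; it should be updated or dropped. The per-interface line interpolates `$dev` unquoted into a Nix attribute path, so an interface whose name is not a valid Nix identifier (VLAN names with a `.`, for example) produces a line that fails to parse once a user uncomments it; emitting `$config .= " # networking.interfaces.\"$dev\".useDHCP = lib.mkDefault true;\n";` avoids that. The sub continues past the end of the hunk.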
|
||||
|
||||
|
@ -34,7 +34,7 @@ let
|
||||
name = "nixos-generate-config";
|
||||
src = ./nixos-generate-config.pl;
|
||||
perl = "${pkgs.perl.withPackages (p: [ p.FileSlurp ])}/bin/perl";
|
||||
detectvirt = "${pkgs.systemd}/bin/systemd-detect-virt";
|
||||
detectvirt = "${config.systemd.package}/bin/systemd-detect-virt";
|
||||
btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
|
||||
inherit (config.system.nixos-generate-config) configuration desktopConfiguration;
|
||||
xserverEnabled = config.services.xserver.enable;
|
||||
@ -177,6 +177,10 @@ in
|
||||
# users.users.jane = {
|
||||
# isNormalUser = true;
|
||||
# extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||||
# packages = with pkgs; [
|
||||
# firefox
|
||||
# thunderbird
|
||||
# ];
|
||||
# };
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
@ -184,7 +188,6 @@ in
|
||||
# environment.systemPackages = with pkgs; [
|
||||
# vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
||||
# wget
|
||||
# firefox
|
||||
# ];
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
|
@ -53,7 +53,9 @@ in {
|
||||
# see: https://inbox.vuxu.org/mandoc-tech/20210906171231.GF83680@athene.usta.de/T/#e85f773c1781e3fef85562b2794f9cad7b2909a3c
|
||||
extraSetup = lib.mkIf config.documentation.man.generateCaches ''
|
||||
${makewhatis} -T utf8 ${
|
||||
lib.concatMapStringsSep " " (path: "\"$out/${path}\"") cfg.manPath
|
||||
lib.concatMapStringsSep " " (path:
|
||||
"$out/" + lib.escapeShellArg path
|
||||
) cfg.manPath
|
||||
}
|
||||
'';
|
||||
};
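Review bot: In the new `concatMapStringsSep` lambda, `lib.escapeShellArg` now quotes `path` but `$out` is left outside the quotes, whereas the removed line double-quoted the whole `$out/...` token. `$out` is a store path and will not contain whitespace in practice, so this is a style point, but `"\"$out/\"" + lib.escapeShellArg path` keeps every expansion quoted and reads the same as before. The surrounding attribute set continues outside the hunk.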
|
||||
|
@ -146,6 +146,15 @@ in
|
||||
"/etc/os-release".source = initrdRelease;
|
||||
"/etc/initrd-release".source = initrdRelease;
|
||||
};
|
||||
|
||||
# We have to use `warnings` because when warning in the default of the option
|
||||
# the warning would also be shown when building the manual since the manual
|
||||
# has to evaluate the default.
|
||||
#
|
||||
# TODO Remove this and drop the default of the option so people are forced to set it.
|
||||
# Doing this also means fixing the comment in nixos/modules/testing/test-instrumentation.nix
|
||||
warnings = lib.optional (options.system.stateVersion.highestPrio == (lib.mkOptionDefault { }).priority)
|
||||
"system.stateVersion is not set, defaulting to ${config.system.stateVersion}. Read why this matters on https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion.";
|
||||
};
|
||||
|
||||
# uses version info nixpkgs, which requires a full nixpkgs path
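Review bot: The new `warnings` entry detects an unset `system.stateVersion` only by comparing `highestPrio` with the priority of `mkOptionDefault`, so it silently stops firing if the option's default is ever redeclared with a plain `default =` or `mkDefault`; the comment block above should record that coupling, e.g. `# Relies on the option's default being declared with mkOptionDefault (priority 1500); any other default priority would never trigger this warning.` The message also links to the stable manual rather than the manual of the release being built, which may be intentional but deserves a word.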
|
||||
|
@ -57,6 +57,7 @@
|
||||
./hardware/sensor/hddtemp.nix
|
||||
./hardware/sensor/iio.nix
|
||||
./hardware/keyboard/teck.nix
|
||||
./hardware/keyboard/uhk.nix
|
||||
./hardware/keyboard/zsa.nix
|
||||
./hardware/ksm.nix
|
||||
./hardware/ledger.nix
|
||||
@ -196,7 +197,6 @@
|
||||
./programs/partition-manager.nix
|
||||
./programs/plotinus.nix
|
||||
./programs/proxychains.nix
|
||||
./programs/phosh.nix
|
||||
./programs/qt5ct.nix
|
||||
./programs/screen.nix
|
||||
./programs/sedutil.nix
|
||||
@ -975,6 +975,7 @@
|
||||
./services/security/hockeypuck.nix
|
||||
./services/security/hologram-server.nix
|
||||
./services/security/hologram-agent.nix
|
||||
./services/security/kanidm.nix
|
||||
./services/security/munge.nix
|
||||
./services/security/nginx-sso.nix
|
||||
./services/security/oauth2_proxy.nix
|
||||
|
@ -626,7 +626,7 @@ let
|
||||
session optional ${pkgs.otpw}/lib/security/pam_otpw.so
|
||||
'' +
|
||||
optionalString cfg.startSession ''
|
||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||
session optional ${config.systemd.package}/lib/security/pam_systemd.so
|
||||
'' +
|
||||
optionalString cfg.forwardXAuth ''
|
||||
session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99
|
||||
@ -1242,7 +1242,7 @@ in
|
||||
mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,
|
||||
'' +
|
||||
optionalString (isEnabled (cfg: cfg.startSession)) ''
|
||||
mr ${pkgs.systemd}/lib/security/pam_systemd.so,
|
||||
mr ${config.systemd.package}/lib/security/pam_systemd.so,
|
||||
'' +
|
||||
optionalString (isEnabled (cfg: cfg.enableAppArmor)
|
||||
&& config.security.apparmor.enable) ''
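Review bot: Both replaced lines now resolve `pam_systemd.so` from `config.systemd.package`, so a `systemd.package` override built without PAM support yields a dangling path; because the rule is `session optional`, logins keep working but session tracking silently disappears, and the AppArmor `mr` rule at the second site would likewise point at a missing file. A short comment at the first site would make the dependency explicit: `# Must come from config.systemd.package so the PAM module matches the running systemd.` Both enclosing string concatenations start and end outside the hunk.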
|
||||
|
@ -98,7 +98,7 @@ let
|
||||
|
||||
# Prevent races
|
||||
chmod 0000 "$wrapperDir/${program}"
|
||||
chown ${owner}.${group} "$wrapperDir/${program}"
|
||||
chown ${owner}:${group} "$wrapperDir/${program}"
|
||||
|
||||
# Set desired capabilities on the file plus cap_setpcap so
|
||||
# the wrapper program can elevate the capabilities set on
|
||||
@ -126,7 +126,7 @@ let
|
||||
|
||||
# Prevent races
|
||||
chmod 0000 "$wrapperDir/${program}"
|
||||
chown ${owner}.${group} "$wrapperDir/${program}"
|
||||
chown ${owner}:${group} "$wrapperDir/${program}"
|
||||
|
||||
chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" "$wrapperDir/${program}"
|
||||
'';
|
||||
|
@ -4,7 +4,8 @@ with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.borgmatic;
|
||||
cfgfile = pkgs.writeText "config.yaml" (builtins.toJSON cfg.settings);
|
||||
settingsFormat = pkgs.formats.yaml { };
|
||||
cfgfile = settingsFormat.generate "config.yaml" cfg.settings;
|
||||
in {
|
||||
options.services.borgmatic = {
|
||||
enable = mkEnableOption "borgmatic";
|
||||
@ -14,7 +15,7 @@ in {
|
||||
See https://torsion.org/borgmatic/docs/reference/configuration/
|
||||
'';
|
||||
type = types.submodule {
|
||||
freeformType = with lib.types; attrsOf anything;
|
||||
freeformType = settingsFormat.type;
|
||||
options.location = {
|
||||
source_directories = mkOption {
|
||||
type = types.listOf types.str;
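Review bot: `settingsFormat.generate` writes the rendered YAML into the Nix store, which is world-readable, and borgmatic's configuration accepts inline secrets such as an encryption passphrase; switching from `writeText` to `pkgs.formats.yaml` keeps that exposure, so the `settings` description in this hunk should warn against it. I would append to the description: `Do not put secrets (for example an encryption passphrase) here; the generated file is placed in the world-readable Nix store. Use a command-based or file-based secret mechanism instead.` The options attribute set continues past the hunk.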
|
||||
|
@ -300,17 +300,17 @@ in
|
||||
};
|
||||
preStart = ''
|
||||
mkdir -p ${baseDir}
|
||||
chown hydra.hydra ${baseDir}
|
||||
chown hydra:hydra ${baseDir}
|
||||
chmod 0750 ${baseDir}
|
||||
|
||||
ln -sf ${hydraConf} ${baseDir}/hydra.conf
|
||||
|
||||
mkdir -m 0700 -p ${baseDir}/www
|
||||
chown hydra-www.hydra ${baseDir}/www
|
||||
chown hydra-www:hydra ${baseDir}/www
|
||||
|
||||
mkdir -m 0700 -p ${baseDir}/queue-runner
|
||||
mkdir -m 0750 -p ${baseDir}/build-logs
|
||||
chown hydra-queue-runner.hydra ${baseDir}/queue-runner ${baseDir}/build-logs
|
||||
chown hydra-queue-runner:hydra ${baseDir}/queue-runner ${baseDir}/build-logs
|
||||
|
||||
${optionalString haveLocalDB ''
|
||||
if ! [ -e ${baseDir}/.db-created ]; then
|
||||
@ -338,7 +338,7 @@ in
|
||||
rmdir /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots
|
||||
fi
|
||||
|
||||
chown hydra.hydra ${cfg.gcRootsDir}
|
||||
chown hydra:hydra ${cfg.gcRootsDir}
|
||||
chmod 2775 ${cfg.gcRootsDir}
|
||||
'';
|
||||
serviceConfig.ExecStart = "${hydra-package}/bin/hydra-init";
|
||||
|
@ -61,6 +61,9 @@
|
||||
{
|
||||
"application.process.binary": "teams"
|
||||
},
|
||||
{
|
||||
"application.process.binary": "teams-insiders"
|
||||
},
|
||||
{
|
||||
"application.process.binary": "skypeforlinux"
|
||||
}
|
||||
|
@ -87,6 +87,18 @@ in
|
||||
a new map with default settings will be generated before starting the service.
|
||||
'';
|
||||
};
|
||||
loadLatestSave = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Load the latest savegame on startup. This overrides saveName, in that the latest
|
||||
save will always be used even if a saved game of the given name exists. It still
|
||||
controls the 'canonical' name of the savegame.
|
||||
|
||||
Set this to true to have the server automatically reload a recent autosave after
|
||||
a crash or desync.
|
||||
'';
|
||||
};
|
||||
# TODO Add more individual settings as nixos-options?
|
||||
# TODO XXX The server tries to copy a newly created config file over the old one
|
||||
# on shutdown, but fails, because it's in the nix store. When is this needed?
|
||||
@ -250,8 +262,9 @@ in
|
||||
"--config=${cfg.configFile}"
|
||||
"--port=${toString cfg.port}"
|
||||
"--bind=${cfg.bind}"
|
||||
"--start-server=${mkSavePath cfg.saveName}"
|
||||
(optionalString (!cfg.loadLatestSave) "--start-server=${mkSavePath cfg.saveName}")
|
||||
"--server-settings=${serverSettingsFile}"
|
||||
(optionalString cfg.loadLatestSave "--start-server-load-latest")
|
||||
(optionalString (cfg.mods != []) "--mod-directory=${modDir}")
|
||||
(optionalString (cfg.admins != []) "--server-adminlist=${serverAdminsFile}")
|
||||
];
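Review bot: `optionalString (!cfg.loadLatestSave) "--start-server=..."` leaves an empty string in the argument list when `loadLatestSave` is true (the pre-existing `--mod-directory` and `--server-adminlist` entries share this shape); whether that reaches the server as an empty argv element depends on how the list is consumed, which is outside the hunk, so `lib.optional` joined with `++` would be the safer form. In the option description, "It still controls the 'canonical' name of the savegame" has an ambiguous subject; `saveName still controls the 'canonical' name of the savegame.` would be clearer.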
|
||||
|
@ -28,6 +28,7 @@ in {
|
||||
description = "Backlight Adjustment Service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig.ExecStart = "${pkgs.illum}/bin/illum-d";
|
||||
serviceConfig.Restart = "on-failure";
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -26,8 +26,7 @@ in
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# TODO: Rename to .conf in upcomming release
|
||||
environment.etc."usbrelayd.ini".text = ''
|
||||
environment.etc."usbrelayd.conf".text = ''
|
||||
[MQTT]
|
||||
BROKER = ${cfg.broker}
|
||||
CLIENTNAME = ${cfg.clientName}
|
||||
@ -41,4 +40,8 @@ in
|
||||
};
|
||||
users.groups.usbrelay = { };
|
||||
};
|
||||
|
||||
meta = {
|
||||
maintainers = with lib.maintainers; [ wentasah ];
|
||||
};
|
||||
}
|
||||
|
@ -360,7 +360,14 @@ in {
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.openFirewall -> !isNull cfg.config;
|
||||
message = "openFirewall can only be used with a declarative config";
|
||||
}
|
||||
];
|
||||
|
||||
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.config.http.server_port ];
|
||||
|
||||
systemd.services.home-assistant = {
|
||||
description = "Home Assistant";
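Review bot: The firewall rule reads `cfg.config.http.server_port`, but the new assertion only guarantees that `cfg.config` is non-null; unless `http.server_port` carries a default in the option declaration (outside the hunk), a declarative config without an explicit `http` block fails evaluation with a missing-attribute error instead of the friendly assertion. `isNull` is also deprecated in favor of `cfg.config != null`. The `config` block continues past the hunk.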
|
||||
|
@ -109,7 +109,7 @@ in
|
||||
'''
|
||||
# Read from journal
|
||||
pipe {
|
||||
command => "''${pkgs.systemd}/bin/journalctl -f -o json"
|
||||
command => "''${config.systemd.package}/bin/journalctl -f -o json"
|
||||
type => "syslog" codec => json {}
|
||||
}
|
||||
'''
|
||||
|
@ -135,7 +135,7 @@ in
|
||||
User = "spamd";
|
||||
Group = "spamd";
|
||||
StateDirectory = "spamassassin";
|
||||
ExecStartPost = "+${pkgs.systemd}/bin/systemctl -q --no-block try-reload-or-restart spamd.service";
|
||||
ExecStartPost = "+${config.systemd.package}/bin/systemctl -q --no-block try-reload-or-restart spamd.service";
|
||||
};
|
||||
|
||||
script = ''
|
||||
|
@ -296,6 +296,7 @@ in {
|
||||
default = if lib.versionAtLeast config.system.stateVersion "22.05"
|
||||
then "${cfg.dataDir}/media_store"
|
||||
else "${cfg.dataDir}/media";
|
||||
defaultText = "${cfg.dataDir}/media_store for when system.stateVersion is at least 22.05, ${cfg.dataDir}/media when lower than 22.05";
|
||||
description = ''
|
||||
Directory where uploaded images and attachments are stored.
|
||||
'';
|
||||
|
@ -204,7 +204,7 @@ in
|
||||
NoNewPrivileges = true;
|
||||
LockPersonality = true;
|
||||
RestrictRealtime = true;
|
||||
SystemCallFilter = ["@system-service" "~@priviledged" "@chown"];
|
||||
SystemCallFilter = ["@system-service" "~@privileged" "@chown"];
|
||||
SystemCallArchitectures = "native";
|
||||
RestrictAddressFamilies = "AF_INET AF_INET6";
|
||||
};
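Review bot: Correcting `~@priviledged` to `~@privileged` is a behaviour change rather than a cosmetic fix: as far as I know systemd logs and ignores unknown names in `SystemCallFilter=`, so the deny entry had never applied and this service now actually loses the privileged syscall group (minus the re-allowed `@chown`). It is worth running the service under the now-effective filter, and a comment such as `# @chown is re-allowed after ~@privileged; the service needs it (presumably for its state directory — confirm)` would explain the ordering to the next reader. The serviceConfig set starts and ends outside the hunk.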
|
||||
|
@ -3,6 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
json = pkgs.formats.json { };
|
||||
cfg = config.services.prometheus;
|
||||
|
||||
workingDir = "/var/lib/" + cfg.stateDir;
|
||||
@ -34,13 +35,7 @@ let
|
||||
promtool ${what} $out
|
||||
'' else file;
|
||||
|
||||
# Pretty-print JSON to a file
|
||||
writePrettyJSON = name: x:
|
||||
pkgs.runCommandLocal name { } ''
|
||||
echo '${builtins.toJSON x}' | ${pkgs.jq}/bin/jq . > $out
|
||||
'';
|
||||
|
||||
generatedPrometheusYml = writePrettyJSON "prometheus.yml" promConfig;
|
||||
generatedPrometheusYml = json.generate "prometheus.yml" promConfig;
|
||||
|
||||
# This becomes the main config file for Prometheus
|
||||
promConfig = {
|
||||
|
@ -36,11 +36,11 @@ config = mkIf cfg.enable {
|
||||
preStart = ''
|
||||
if [ ! -d ${cfg.settingsDir} ] ; then
|
||||
mkdir -m 0750 -p ${cfg.settingsDir}
|
||||
chown -R gateone.gateone ${cfg.settingsDir}
|
||||
chown -R gateone:gateone ${cfg.settingsDir}
|
||||
fi
|
||||
if [ ! -d ${cfg.pidDir} ] ; then
|
||||
mkdir -m 0750 -p ${cfg.pidDir}
|
||||
chown -R gateone.gateone ${cfg.pidDir}
|
||||
chown -R gateone:gateone ${cfg.pidDir}
|
||||
fi
|
||||
'';
|
||||
#unitConfig.RequiresMountsFor = "${cfg.settingsDir}";
|
||||
|
@ -98,7 +98,7 @@ serverinfo {
|
||||
*
|
||||
* openssl genrsa -out rsa.key 2048
|
||||
* openssl rsa -in rsa.key -pubout -out rsa.pub
|
||||
* chown <ircd-user>.<ircd.group> rsa.key rsa.pub
|
||||
* chown <ircd-user>:<ircd.group> rsa.key rsa.pub
|
||||
* chmod 0600 rsa.key
|
||||
* chmod 0644 rsa.pub
|
||||
*/
|
||||
|
@ -1,7 +1,6 @@
|
||||
{ config, options, lib, pkgs, stdenv, ... }:
|
||||
let
|
||||
cfg = config.services.pleroma;
|
||||
cookieFile = "/var/lib/pleroma/.cookie";
|
||||
in {
|
||||
options = {
|
||||
services.pleroma = with lib; {
|
||||
@ -9,7 +8,7 @@ in {
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.pleroma.override { inherit cookieFile; };
|
||||
default = pkgs.pleroma;
|
||||
defaultText = literalExpression "pkgs.pleroma";
|
||||
description = "Pleroma package to use.";
|
||||
};
|
||||
@ -101,6 +100,7 @@ in {
|
||||
after = [ "network-online.target" "postgresql.service" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
|
||||
environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
|
||||
serviceConfig = {
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
@ -118,10 +118,10 @@ in {
|
||||
# Better be safe than sorry migration-wise.
|
||||
ExecStartPre =
|
||||
let preScript = pkgs.writers.writeBashBin "pleromaStartPre" ''
|
||||
if [ ! -f "${cookieFile}" ] || [ ! -s "${cookieFile}" ]
|
||||
if [ ! -f /var/lib/pleroma/.cookie ]
|
||||
then
|
||||
echo "Creating cookie file"
|
||||
dd if=/dev/urandom bs=1 count=16 | ${pkgs.hexdump}/bin/hexdump -e '16/1 "%02x"' > "${cookieFile}"
|
||||
dd if=/dev/urandom bs=1 count=16 | hexdump -e '16/1 "%02x"' > /var/lib/pleroma/.cookie
|
||||
fi
|
||||
${cfg.package}/bin/pleroma_ctl migrate
|
||||
'';
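Review bot: The cookie file is the Erlang distribution secret, and the new `dd … > "${cookieFile}"` line creates it under whatever umask the pre-start script happens to run with, so an owner-only mode is not guaranteed; write it as `(umask 077; dd if=/dev/urandom bs=1 count=16 | ${pkgs.hexdump}/bin/hexdump -e '16/1 "%02x"' > "${cookieFile}")` or generate into a temp file and `install -m 0600` it. The redirect also truncates the file before `dd` runs, so a failure inside the pipeline leaves a short (but non-empty) cookie that the new `-s` check will not catch on the next start. `preScript` continues outside the hunk.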
|
||||
|
@ -108,7 +108,7 @@ with lib;
|
||||
#username pptpd password *
|
||||
EOF
|
||||
|
||||
chown root.root "$secrets"
|
||||
chown root:root "$secrets"
|
||||
chmod 600 "$secrets"
|
||||
'';
|
||||
|
||||
|
@ -82,7 +82,7 @@ in
|
||||
serviceConfig.Type = "forking";
|
||||
preStart = ''
|
||||
mkdir -m 0755 -p ${stateDir}
|
||||
chown ${prayerUser}.${prayerGroup} ${stateDir}
|
||||
chown ${prayerUser}:${prayerGroup} ${stateDir}
|
||||
'';
|
||||
script = "${prayer}/sbin/prayer --config-file=${prayerCfg}";
|
||||
};
|
||||
|
@ -226,10 +226,10 @@ in
|
||||
ACTION=="add", SUBSYSTEM=="net", ENV{INTERFACE}=="${i}", TAG+="systemd", ENV{SYSTEMD_WANTS}+="supplicant-${replaceChars [" "] ["-"] iface}.service", TAG+="SUPPLICANT_ASSIGNED"''))}
|
||||
|
||||
${optionalString (hasAttr "WLAN" cfg) ''
|
||||
ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="${pkgs.systemd}/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-wlan@$result.service"
|
||||
ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="wlan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="/run/current-system/systemd/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-wlan@$result.service"
|
||||
''}
|
||||
${optionalString (hasAttr "LAN" cfg) ''
|
||||
ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="lan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="${pkgs.systemd}/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-lan@$result.service"
|
||||
ACTION=="add", SUBSYSTEM=="net", ENV{DEVTYPE}=="lan", TAG!="SUPPLICANT_ASSIGNED", TAG+="systemd", PROGRAM="/run/current-system/systemd/bin/systemd-escape -p %E{INTERFACE}", ENV{SYSTEMD_WANTS}+="supplicant-lan@$result.service"
|
||||
''}
|
||||
'';
|
||||
})];
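Review bot: These udev rules switch `PROGRAM=` to `/run/current-system/systemd/bin/systemd-escape` while the rest of this commit moves similar call sites to `${config.systemd.package}`; the runtime symlink presumably avoids rewriting the rules file on every systemd bump, but it only resolves after activation and is not a store path, so the choice should be recorded in the rules, e.g. `# Use the activated systemd via /run/current-system so the rules do not change on every systemd rebuild.` The enclosing rules string starts outside the hunk.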
|
||||
|
@ -2,9 +2,13 @@
|
||||
|
||||
with lib;
|
||||
|
||||
let cfg = config.services.tailscale;
|
||||
let
|
||||
cfg = config.services.tailscale;
|
||||
firewallOn = config.networking.firewall.enable;
|
||||
rpfMode = config.networking.firewall.checkReversePath;
|
||||
rpfIsStrict = rpfMode == true || rpfMode == "strict";
|
||||
in {
|
||||
meta.maintainers = with maintainers; [ danderson mbaillie ];
|
||||
meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ];
|
||||
|
||||
options.services.tailscale = {
|
||||
enable = mkEnableOption "Tailscale client daemon";
|
||||
@ -36,17 +40,34 @@ in {
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
warnings = optional (firewallOn && rpfIsStrict) "Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting `networking.firewall.checkReversePath` = 'loose'";
|
||||
environment.systemPackages = [ cfg.package ]; # for the CLI
|
||||
systemd.packages = [ cfg.package ];
|
||||
systemd.services.tailscaled = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = [ pkgs.openresolv pkgs.procps ];
|
||||
path = [
|
||||
pkgs.openresolv # for configuring DNS in some configs
|
||||
pkgs.procps # for collecting running services (opt-in feature)
|
||||
pkgs.glibc # for `getent` to look up user shells
|
||||
];
|
||||
serviceConfig.Environment = [
|
||||
"PORT=${toString cfg.port}"
|
||||
''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName}"''
|
||||
] ++ (lib.optionals (cfg.permitCertUid != null) [
|
||||
"TS_PERMIT_CERT_UID=${cfg.permitCertUid}"
|
||||
]);
|
||||
# Restart tailscaled with a single `systemctl restart` at the
|
||||
# end of activation, rather than a `stop` followed by a later
|
||||
# `start`. Activation over Tailscale can hang for tens of
|
||||
# seconds in the stop+start setup, if the activation script has
|
||||
# a significant delay between the stop and start phases
|
||||
# (e.g. script blocked on another unit with a slow shutdown).
|
||||
#
|
||||
# Tailscale is aware of the correctness tradeoff involved, and
|
||||
# already makes its upstream systemd unit robust against unit
|
||||
# version mismatches on restart for compatibility with other
|
||||
# linux distros.
|
||||
stopIfChanged = false;
|
||||
};
|
||||
};
|
||||
}
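Review bot: `TS_PERMIT_CERT_UID=${cfg.permitCertUid}` is interpolated raw into `Environment=` while `cfg.interfaceName` on the line above goes through `lib.escapeShellArg`; unless the option type (declared outside the hunk) restricts the value to a plain name, whitespace or quotes in it would be split by systemd's unit parser, so apply the same escaping or constrain the type. The strict-rpf warning is a good addition; I would spell the suggestion as the actual Nix, `networking.firewall.checkReversePath = "loose";`, since the current message mixes backticks and single quotes.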
|
||||
|
@ -116,18 +116,18 @@ with lib;
|
||||
#username xl2tpd password *
|
||||
EOF
|
||||
|
||||
chown root.root ppp/chap-secrets
|
||||
chown root:root ppp/chap-secrets
|
||||
chmod 600 ppp/chap-secrets
|
||||
|
||||
# The documentation says this file should be present but doesn't explain why and things work even if not there:
|
||||
[ -f l2tp-secrets ] || (echo -n "* * "; ${pkgs.apg}/bin/apg -n 1 -m 32 -x 32 -a 1 -M LCN) > l2tp-secrets
|
||||
chown root.root l2tp-secrets
|
||||
chown root:root l2tp-secrets
|
||||
chmod 600 l2tp-secrets
|
||||
|
||||
popd > /dev/null
|
||||
|
||||
mkdir -p /run/xl2tpd
|
||||
chown root.root /run/xl2tpd
|
||||
chown root:root /run/xl2tpd
|
||||
chmod 700 /run/xl2tpd
|
||||
'';
|
||||
|
||||
|
345
nixos/modules/services/security/kanidm.nix
Normal file
345
nixos/modules/services/security/kanidm.nix
Normal file
@ -0,0 +1,345 @@
|
||||
{ config, lib, options, pkgs, ... }:
|
||||
let
|
||||
cfg = config.services.kanidm;
|
||||
settingsFormat = pkgs.formats.toml { };
|
||||
# Remove null values, so we can document optional values that don't end up in the generated TOML file.
|
||||
filterConfig = lib.converge (lib.filterAttrsRecursive (_: v: v != null));
|
||||
serverConfigFile = settingsFormat.generate "server.toml" (filterConfig cfg.serverSettings);
|
||||
clientConfigFile = settingsFormat.generate "kanidm-config.toml" (filterConfig cfg.clientSettings);
|
||||
unixConfigFile = settingsFormat.generate "kanidm-unixd.toml" (filterConfig cfg.unixSettings);
|
||||
|
||||
defaultServiceConfig = {
|
||||
BindReadOnlyPaths = [
|
||||
"/nix/store"
|
||||
"-/etc/resolv.conf"
|
||||
"-/etc/nsswitch.conf"
|
||||
"-/etc/hosts"
|
||||
"-/etc/localtime"
|
||||
];
|
||||
CapabilityBoundingSet = "";
|
||||
# ProtectClock= adds DeviceAllow=char-rtc r
|
||||
DeviceAllow = "";
|
||||
# Implies ProtectSystem=strict, which re-mounts all paths
|
||||
# DynamicUser = true;
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateNetwork = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectClock = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
# Would re-mount paths ignored by temporary root
|
||||
#ProtectSystem = "strict";
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
RestrictAddressFamilies = [ ];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
|
||||
# Does not work well with the temporary root
|
||||
#UMask = "0066";
|
||||
};
|
||||
|
||||
in
|
||||
{
|
||||
options.services.kanidm = {
|
||||
enableClient = lib.mkEnableOption "the Kanidm client";
|
||||
enableServer = lib.mkEnableOption "the Kanidm server";
|
||||
enablePam = lib.mkEnableOption "the Kanidm PAM and NSS integration.";
|
||||
|
||||
serverSettings = lib.mkOption {
|
||||
type = lib.types.submodule {
|
||||
freeformType = settingsFormat.type;
|
||||
|
||||
options = {
|
||||
bindaddress = lib.mkOption {
|
||||
description = "Address/port combination the webserver binds to.";
|
||||
example = "[::1]:8443";
|
||||
type = lib.types.str;
|
||||
};
|
||||
# Should be optional but toml does not accept null
|
||||
ldapbindaddress = lib.mkOption {
|
||||
description = ''
|
||||
Address and port the LDAP server is bound to. Setting this to <literal>null</literal> disables the LDAP interface.
|
||||
'';
|
||||
example = "[::1]:636";
|
||||
default = null;
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
};
|
||||
origin = lib.mkOption {
|
||||
description = "The origin of your Kanidm instance. Must have https as protocol.";
|
||||
example = "https://idm.example.org";
|
||||
type = lib.types.strMatching "^https://.*";
|
||||
};
|
||||
domain = lib.mkOption {
|
||||
description = ''
|
||||
The <literal>domain</literal> that Kanidm manages. Must be below or equal to the domain
|
||||
specified in <literal>serverSettings.origin</literal>.
|
||||
This can be left at <literal>null</literal>, only if your instance has the role <literal>ReadOnlyReplica</literal>.
|
||||
While it is possible to change the domain later on, it requires extra steps!
|
||||
Please consider the warnings and execute the steps described
|
||||
<link xlink:href="https://kanidm.github.io/kanidm/stable/administrivia.html#rename-the-domain">in the documentation</link>.
|
||||
'';
|
||||
example = "example.org";
|
||||
default = null;
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
};
|
||||
db_path = lib.mkOption {
|
||||
description = "Path to Kanidm database.";
|
||||
default = "/var/lib/kanidm/kanidm.db";
|
||||
readOnly = true;
|
||||
type = lib.types.path;
|
||||
};
|
||||
log_level = lib.mkOption {
|
||||
description = "Log level of the server.";
|
||||
default = "default";
|
||||
type = lib.types.enum [ "default" "verbose" "perfbasic" "perffull" ];
|
||||
};
|
||||
role = lib.mkOption {
|
||||
description = "The role of this server. This affects the replication relationship and thereby available features.";
|
||||
default = "WriteReplica";
|
||||
type = lib.types.enum [ "WriteReplica" "WriteReplicaNoUI" "ReadOnlyReplica" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
default = { };
|
||||
description = ''
|
||||
Settings for Kanidm, see
|
||||
<link xlink:href="https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/server_configuration.md">the documentation</link>
|
||||
and <link xlink:href="https://github.com/kanidm/kanidm/blob/master/examples/server.toml">example configuration</link>
|
||||
for possible values.
|
||||
'';
|
||||
};
|
||||
|
||||
clientSettings = lib.mkOption {
|
||||
type = lib.types.submodule {
|
||||
freeformType = settingsFormat.type;
|
||||
|
||||
options.uri = lib.mkOption {
|
||||
description = "Address of the Kanidm server.";
|
||||
example = "http://127.0.0.1:8080";
|
||||
type = lib.types.str;
|
||||
};
|
||||
};
|
||||
description = ''
|
||||
Configure Kanidm clients, needed for the PAM daemon. See
|
||||
<link xlink:href="https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/client_tools.md#kanidm-configuration">the documentation</link>
|
||||
and <link xlink:href="https://github.com/kanidm/kanidm/blob/master/examples/config">example configuration</link>
|
||||
for possible values.
|
||||
'';
|
||||
};
|
||||
|
||||
unixSettings = lib.mkOption {
|
||||
type = lib.types.submodule {
|
||||
freeformType = settingsFormat.type;
|
||||
|
||||
options.pam_allowed_login_groups = lib.mkOption {
|
||||
description = "Kanidm groups that are allowed to login using PAM.";
|
||||
example = "my_pam_group";
|
||||
type = lib.types.listOf lib.types.str;
|
||||
};
|
||||
};
|
||||
description = ''
|
||||
Configure Kanidm unix daemon.
|
||||
See <link xlink:href="https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/pam_and_nsswitch.md#the-unix-daemon">the documentation</link>
|
||||
and <link xlink:href="https://github.com/kanidm/kanidm/blob/master/examples/unixd">example configuration</link>
|
||||
for possible values.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf (cfg.enableClient || cfg.enableServer || cfg.enablePam) {
|
||||
assertions =
|
||||
[
|
||||
{
|
||||
assertion = !cfg.enableServer || ((cfg.serverSettings.tls_chain or null) == null) || (!lib.isStorePath cfg.serverSettings.tls_chain);
|
||||
message = ''
|
||||
<option>services.kanidm.serverSettings.tls_chain</option> points to
|
||||
a file in the Nix store. You should use a quoted absolute path to
|
||||
prevent this.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = !cfg.enableServer || ((cfg.serverSettings.tls_key or null) == null) || (!lib.isStorePath cfg.serverSettings.tls_key);
|
||||
message = ''
|
||||
<option>services.kanidm.serverSettings.tls_key</option> points to
|
||||
a file in the Nix store. You should use a quoted absolute path to
|
||||
prevent this.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = !cfg.enableClient || options.services.kanidm.clientSettings.isDefined;
|
||||
message = ''
|
||||
<option>services.kanidm.clientSettings</option> needs to be configured
|
||||
if the client is enabled.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = !cfg.enablePam || options.services.kanidm.clientSettings.isDefined;
|
||||
message = ''
|
||||
<option>services.kanidm.clientSettings</option> needs to be configured
|
||||
for the PAM daemon to connect to the Kanidm server.
|
||||
'';
|
||||
}
|
||||
{
|
||||
assertion = !cfg.enableServer || (cfg.serverSettings.domain == null
|
||||
-> cfg.serverSettings.role == "WriteReplica" || cfg.serverSettings.role == "WriteReplicaNoUI");
|
||||
message = ''
|
||||
<option>services.kanidm.serverSettings.domain</option> can only be set if this instance
|
||||
is not a ReadOnlyReplica. Otherwise the db would inherit it from
|
||||
the instance it follows.
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
environment.systemPackages = lib.mkIf cfg.enableClient [ pkgs.kanidm ];
|
||||
|
||||
systemd.services.kanidm = lib.mkIf cfg.enableServer {
|
||||
description = "kanidm identity management daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = defaultServiceConfig // {
|
||||
StateDirectory = "kanidm";
|
||||
StateDirectoryMode = "0700";
|
||||
ExecStart = "${pkgs.kanidm}/bin/kanidmd server -c ${serverConfigFile}";
|
||||
User = "kanidm";
|
||||
Group = "kanidm";
|
||||
|
||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||||
# This would otherwise override the CAP_NET_BIND_SERVICE capability.
|
||||
PrivateUsers = false;
|
||||
# Port needs to be exposed to the host network
|
||||
PrivateNetwork = false;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
TemporaryFileSystem = "/:ro";
|
||||
};
|
||||
environment.RUST_LOG = "info";
|
||||
};
|
||||
|
||||
systemd.services.kanidm-unixd = lib.mkIf cfg.enablePam {
|
||||
description = "Kanidm PAM daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
restartTriggers = [ unixConfigFile clientConfigFile ];
|
||||
serviceConfig = defaultServiceConfig // {
|
||||
CacheDirectory = "kanidm-unixd";
|
||||
CacheDirectoryMode = "0700";
|
||||
RuntimeDirectory = "kanidm-unixd";
|
||||
ExecStart = "${pkgs.kanidm}/bin/kanidm_unixd";
|
||||
User = "kanidm-unixd";
|
||||
Group = "kanidm-unixd";
|
||||
|
||||
BindReadOnlyPaths = [
|
||||
"/nix/store"
|
||||
"-/etc/resolv.conf"
|
||||
"-/etc/nsswitch.conf"
|
||||
"-/etc/hosts"
|
||||
"-/etc/localtime"
|
||||
"-/etc/kanidm"
|
||||
"-/etc/static/kanidm"
|
||||
];
|
||||
BindPaths = [
|
||||
# To create the socket
|
||||
"/run/kanidm-unixd:/var/run/kanidm-unixd"
|
||||
];
|
||||
# Needs to connect to kanidmd
|
||||
PrivateNetwork = false;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
||||
TemporaryFileSystem = "/:ro";
|
||||
};
|
||||
environment.RUST_LOG = "info";
|
||||
};
|
||||
|
||||
systemd.services.kanidm-unixd-tasks = lib.mkIf cfg.enablePam {
|
||||
description = "Kanidm PAM home management daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" "kanidm-unixd.service" ];
|
||||
partOf = [ "kanidm-unixd.service" ];
|
||||
restartTriggers = [ unixConfigFile clientConfigFile ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.kanidm}/bin/kanidm_unixd_tasks";
|
||||
|
||||
BindReadOnlyPaths = [
|
||||
"/nix/store"
|
||||
"-/etc/resolv.conf"
|
||||
"-/etc/nsswitch.conf"
|
||||
"-/etc/hosts"
|
||||
"-/etc/localtime"
|
||||
"-/etc/kanidm"
|
||||
"-/etc/static/kanidm"
|
||||
];
|
||||
BindPaths = [
|
||||
# To manage home directories
|
||||
"/home"
|
||||
# To connect to kanidm-unixd
|
||||
"/run/kanidm-unixd:/var/run/kanidm-unixd"
|
||||
];
|
||||
# CAP_DAC_OVERRIDE is needed to ignore ownership of unixd socket
|
||||
CapabilityBoundingSet = [ "CAP_CHOWN" "CAP_FOWNER" "CAP_DAC_OVERRIDE" "CAP_DAC_READ_SEARCH" ];
|
||||
IPAddressDeny = "any";
|
||||
# Need access to users
|
||||
PrivateUsers = false;
|
||||
# Need access to home directories
|
||||
ProtectHome = false;
|
||||
RestrictAddressFamilies = [ "AF_UNIX" ];
|
||||
TemporaryFileSystem = "/:ro";
|
||||
};
|
||||
environment.RUST_LOG = "info";
|
||||
};
|
||||
|
||||
# These paths are hardcoded
|
||||
environment.etc = lib.mkMerge [
|
||||
(lib.mkIf options.services.kanidm.clientSettings.isDefined {
|
||||
"kanidm/config".source = clientConfigFile;
|
||||
})
|
||||
(lib.mkIf cfg.enablePam {
|
||||
"kanidm/unixd".source = unixConfigFile;
|
||||
})
|
||||
];
|
||||
|
||||
system.nssModules = lib.mkIf cfg.enablePam [ pkgs.kanidm ];
|
||||
|
||||
system.nssDatabases.group = lib.optional cfg.enablePam "kanidm";
|
||||
system.nssDatabases.passwd = lib.optional cfg.enablePam "kanidm";
|
||||
|
||||
users.groups = lib.mkMerge [
|
||||
(lib.mkIf cfg.enableServer {
|
||||
kanidm = { };
|
||||
})
|
||||
(lib.mkIf cfg.enablePam {
|
||||
kanidm-unixd = { };
|
||||
})
|
||||
];
|
||||
users.users = lib.mkMerge [
|
||||
(lib.mkIf cfg.enableServer {
|
||||
kanidm = {
|
||||
description = "Kanidm server";
|
||||
isSystemUser = true;
|
||||
group = "kanidm";
|
||||
packages = with pkgs; [ kanidm ];
|
||||
};
|
||||
})
|
||||
(lib.mkIf cfg.enablePam {
|
||||
kanidm-unixd = {
|
||||
description = "Kanidm PAM daemon";
|
||||
isSystemUser = true;
|
||||
group = "kanidm-unixd";
|
||||
};
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
meta.maintainers = with lib.maintainers; [ erictapen Flakebi ];
|
||||
meta.buildDocsInSandbox = false;
|
||||
}
|
@ -17,7 +17,7 @@ let
|
||||
else "sshg-fw-ipset";
|
||||
in pkgs.writeText "sshguard.conf" ''
|
||||
BACKEND="${pkgs.sshguard}/libexec/${backend}"
|
||||
LOGREADER="LANG=C ${pkgs.systemd}/bin/journalctl ${args}"
|
||||
LOGREADER="LANG=C ${config.systemd.package}/bin/journalctl ${args}"
|
||||
'';
|
||||
|
||||
in {
|
||||
|
@ -88,7 +88,7 @@ in {
|
||||
account required pam_unix.so
|
||||
session required pam_unix.so
|
||||
session required pam_env.so conffile=/etc/pam/environment readenv=0
|
||||
session required ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||
session required ${config.systemd.package}/lib/security/pam_systemd.so
|
||||
'';
|
||||
|
||||
hardware.opengl.enable = mkDefault true;
|
||||
|
@ -294,7 +294,7 @@ in
|
||||
ln -sf "${cfg.dataDir}/client/img" "${runDir}/client/img"
|
||||
|
||||
chmod g+w "${runDir}/tmp/cache"
|
||||
chown -R "${cfg.user}"."${cfg.group}" "${runDir}"
|
||||
chown -R "${cfg.user}":"${cfg.group}" "${runDir}"
|
||||
|
||||
|
||||
mkdir -m 0750 -p "${cfg.dataDir}"
|
||||
@ -302,9 +302,9 @@ in
|
||||
mkdir -m 0750 -p "${cfg.dataDir}/client/img"
|
||||
cp -r "${pkgs.restya-board}/media/"* "${cfg.dataDir}/media"
|
||||
cp -r "${pkgs.restya-board}/client/img/"* "${cfg.dataDir}/client/img"
|
||||
chown "${cfg.user}"."${cfg.group}" "${cfg.dataDir}"
|
||||
chown -R "${cfg.user}"."${cfg.group}" "${cfg.dataDir}/media"
|
||||
chown -R "${cfg.user}"."${cfg.group}" "${cfg.dataDir}/client/img"
|
||||
chown "${cfg.user}":"${cfg.group}" "${cfg.dataDir}"
|
||||
chown -R "${cfg.user}":"${cfg.group}" "${cfg.dataDir}/media"
|
||||
chown -R "${cfg.user}":"${cfg.group}" "${cfg.dataDir}/client/img"
|
||||
|
||||
${optionalString (cfg.database.host == null) ''
|
||||
if ! [ -e "${cfg.dataDir}/.db-initialized" ]; then
|
||||
|
@ -18,7 +18,7 @@ in
|
||||
# determines the default: later modules (if enabled) are preferred.
|
||||
# E.g., if Plasma 5 is enabled, it supersedes xterm.
|
||||
imports = [
|
||||
./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix
|
||||
./none.nix ./xterm.nix ./phosh.nix ./xfce.nix ./plasma5.nix ./lumina.nix
|
||||
./lxqt.nix ./enlightenment.nix ./gnome.nix ./retroarch.nix ./kodi.nix
|
||||
./mate.nix ./pantheon.nix ./surf-display.nix ./cde.nix
|
||||
./cinnamon.nix
|
||||
|
@ -3,7 +3,7 @@
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.programs.phosh;
|
||||
cfg = config.services.xserver.desktopManager.phosh;
|
||||
|
||||
# Based on https://source.puri.sm/Librem5/librem5-base/-/blob/4596c1056dd75ac7f043aede07887990fd46f572/default/sm.puri.OSK0.desktop
|
||||
oskItem = pkgs.makeDesktopItem {
|
||||
@ -118,12 +118,39 @@ let
|
||||
[cursor]
|
||||
theme = ${phoc.cursorTheme}
|
||||
'';
|
||||
in {
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
programs.phosh = {
|
||||
enable = mkEnableOption ''
|
||||
Whether to enable, Phosh, related packages and default configurations.
|
||||
'';
|
||||
services.xserver.desktopManager.phosh = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enable the Phone Shell.";
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.phosh;
|
||||
defaultText = literalExpression "pkgs.phosh";
|
||||
example = literalExpression "pkgs.phosh";
|
||||
description = ''
|
||||
Package that should be used for Phosh.
|
||||
'';
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
description = "The user to run the Phosh service.";
|
||||
type = types.str;
|
||||
example = "alice";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
description = "The group to run the Phosh service.";
|
||||
type = types.str;
|
||||
example = "users";
|
||||
};
|
||||
|
||||
phocConfig = mkOption {
|
||||
description = ''
|
||||
Configurations for the Phoc compositor.
|
||||
@ -135,14 +162,42 @@ in {
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.defaultUnit = "graphical.target";
|
||||
# Inspired by https://gitlab.gnome.org/World/Phosh/phosh/-/blob/main/data/phosh.service
|
||||
systemd.services.phosh = {
|
||||
wantedBy = [ "graphical.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${cfg.package}/bin/phosh";
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
PAMName = "login";
|
||||
WorkingDirectory = "~";
|
||||
Restart = "always";
|
||||
|
||||
TTYPath = "/dev/tty7";
|
||||
TTYReset = "yes";
|
||||
TTYVHangup = "yes";
|
||||
TTYVTDisallocate = "yes";
|
||||
|
||||
# Fail to start if not controlling the tty.
|
||||
StandardInput = "tty-fail";
|
||||
StandardOutput = "journal";
|
||||
StandardError = "journal";
|
||||
|
||||
# Log this user with utmp, letting it show up with commands 'w' and 'who'.
|
||||
UtmpIdentifier = "tty7";
|
||||
UtmpMode = "user";
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.phoc
|
||||
pkgs.phosh
|
||||
cfg.package
|
||||
pkgs.squeekboard
|
||||
oskItem
|
||||
];
|
||||
|
||||
systemd.packages = [ pkgs.phosh ];
|
||||
systemd.packages = [ cfg.package ];
|
||||
|
||||
programs.feedbackd.enable = true;
|
||||
|
||||
@ -152,7 +207,7 @@ in {
|
||||
|
||||
services.gnome.core-shell.enable = true;
|
||||
services.gnome.core-os-services.enable = true;
|
||||
services.xserver.displayManager.sessionPackages = [ pkgs.phosh ];
|
||||
services.xserver.displayManager.sessionPackages = [ cfg.package ];
|
||||
|
||||
environment.etc."phosh/phoc.ini".source =
|
||||
if builtins.isPath cfg.phocConfig then cfg.phocConfig
|
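Review bot: The new `systemd.services.phosh` unit logs `cfg.user` into tty7 at boot without any authentication step, and neither the `user` option nor the hunk says so; systemd's `PAMName=` only runs the PAM account and session stages, so `PAMName = "login"` together with `User = cfg.user` and `UtmpMode = "user"` is an unconditional autologin registered in logind and utmp, leaving whatever lock screen Phosh itself provides (not visible here) as the only barrier for anyone holding the device. I would state that in the option: `description = "The user to run the Phosh service as. This user is logged in automatically on tty7 at boot (PAM session only, no password check), so physical access to the device means access to this account.";`. `user` and `group` also have no default, and no assertion is visible in this section that they exist in `users.users`, so a typo surfaces only as a unit start failure at runtime rather than at evaluation time; a short note in the descriptions or an assertion would help.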
@ -298,7 +298,7 @@ in
|
||||
|
||||
session required pam_succeed_if.so audit quiet_success user = gdm
|
||||
session required pam_env.so conffile=/etc/pam/environment readenv=0
|
||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||
session optional ${config.systemd.package}/lib/security/pam_systemd.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session optional pam_permit.so
|
||||
'';
|
||||
|
@ -287,7 +287,7 @@ in
|
||||
|
||||
session required pam_succeed_if.so audit quiet_success user = lightdm
|
||||
session required pam_env.so conffile=/etc/pam/environment readenv=0
|
||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||
session optional ${config.systemd.package}/lib/security/pam_systemd.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session optional pam_permit.so
|
||||
'';
|
||||
|
@ -231,7 +231,7 @@ in
|
||||
|
||||
session required pam_succeed_if.so audit quiet_success user = sddm
|
||||
session required pam_env.so conffile=/etc/pam/environment readenv=0
|
||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||
session optional ${config.systemd.package}/lib/security/pam_systemd.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session optional pam_permit.so
|
||||
'';
|
||||
|
@ -52,7 +52,7 @@ with lib;
|
||||
'';
|
||||
environment.etc."modprobe.d/debian.conf".source = pkgs.kmod-debian-aliases;
|
||||
|
||||
environment.etc."modprobe.d/systemd.conf".source = "${pkgs.systemd}/lib/modprobe.d/systemd.conf";
|
||||
environment.etc."modprobe.d/systemd.conf".source = "${config.systemd.package}/lib/modprobe.d/systemd.conf";
|
||||
|
||||
environment.systemPackages = [ pkgs.kmod ];
|
||||
|
||||
|
@ -779,6 +779,7 @@ let
|
||||
"RouteDenyList"
|
||||
"RouteAllowList"
|
||||
"DHCPv6Client"
|
||||
"RouteMetric"
|
||||
])
|
||||
(assertValueOneOf "UseDNS" boolValues)
|
||||
(assertValueOneOf "UseDomains" (boolValues ++ ["route"]))
|
||||
|
@ -4,7 +4,10 @@ with lib;
|
||||
|
||||
let
|
||||
|
||||
inherit (pkgs) plymouth nixos-icons;
|
||||
inherit (pkgs) nixos-icons;
|
||||
plymouth = pkgs.plymouth.override {
|
||||
systemd = config.boot.initrd.systemd.package;
|
||||
};
|
||||
|
||||
cfg = config.boot.plymouth;
|
||||
opt = options.boot.plymouth;
|
||||
@ -143,7 +146,88 @@ in
|
||||
systemd.services.systemd-ask-password-plymouth.wantedBy = [ "multi-user.target" ];
|
||||
systemd.paths.systemd-ask-password-plymouth.wantedBy = [ "multi-user.target" ];
|
||||
|
||||
boot.initrd.extraUtilsCommands = ''
|
||||
boot.initrd.systemd = {
|
||||
extraBin.plymouth = "${plymouth}/bin/plymouth"; # for the recovery shell
|
||||
storePaths = [
|
||||
"${lib.getBin config.boot.initrd.systemd.package}/bin/systemd-tty-ask-password-agent"
|
||||
"${plymouth}/bin/plymouthd"
|
||||
"${plymouth}/sbin/plymouthd"
|
||||
];
|
||||
packages = [ plymouth ]; # systemd units
|
||||
contents = {
|
||||
# Files
|
||||
"/etc/plymouth/plymouthd.conf".source = configFile;
|
||||
"/etc/plymouth/plymouthd.defaults".source = "${plymouth}/share/plymouth/plymouthd.defaults";
|
||||
"/etc/plymouth/logo.png".source = cfg.logo;
|
||||
# Directories
|
||||
"/etc/plymouth/plugins".source = pkgs.runCommand "plymouth-initrd-plugins" {} ''
|
||||
# Check if the actual requested theme is here
|
||||
if [[ ! -d ${themesEnv}/share/plymouth/themes/${cfg.theme} ]]; then
|
||||
echo "The requested theme: ${cfg.theme} is not provided by any of the packages in boot.plymouth.themePackages"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
moduleName="$(sed -n 's,ModuleName *= *,,p' ${themesEnv}/share/plymouth/themes/${cfg.theme}/${cfg.theme}.plymouth)"
|
||||
|
||||
mkdir -p $out/renderers
|
||||
# module might come from a theme
|
||||
cp ${themesEnv}/lib/plymouth/{text,details,label,$moduleName}.so $out
|
||||
cp ${plymouth}/lib/plymouth/renderers/{drm,frame-buffer}.so $out/renderers
|
||||
'';
|
||||
"/etc/plymouth/themes".source = pkgs.runCommand "plymouth-initrd-themes" {} ''
|
||||
# Check if the actual requested theme is here
|
||||
if [[ ! -d ${themesEnv}/share/plymouth/themes/${cfg.theme} ]]; then
|
||||
echo "The requested theme: ${cfg.theme} is not provided by any of the packages in boot.plymouth.themePackages"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
mkdir $out
|
||||
cp -r ${themesEnv}/share/plymouth/themes/${cfg.theme} $out
|
||||
# Copy more themes if the theme depends on others
|
||||
for theme in $(grep -hRo '/etc/plymouth/themes/.*$' ${themesEnv} | xargs -n1 basename); do
|
||||
if [[ -d "${themesEnv}/theme" ]]; then
|
||||
cp -r "${themesEnv}/theme" $out
|
||||
fi
|
||||
done
|
||||
'';
|
||||
|
||||
# Fonts
|
||||
"/etc/plymouth/fonts".source = pkgs.runCommand "plymouth-initrd-fonts" {} ''
|
||||
mkdir -p $out
|
||||
cp ${cfg.font} $out
|
||||
'';
|
||||
"/etc/fonts/fonts.conf".text = ''
|
||||
<?xml version="1.0"?>
|
||||
<!DOCTYPE fontconfig SYSTEM "urn:fontconfig:fonts.dtd">
|
||||
<fontconfig>
|
||||
<dir>/etc/plymouth/fonts</dir>
|
||||
</fontconfig>
|
||||
'';
|
||||
};
|
||||
# Properly enable units. These are the units that arch copies
|
||||
services = {
|
||||
plymouth-halt.wantedBy = [ "halt.target" ];
|
||||
plymouth-kexec.wantedBy = [ "kexec.target" ];
|
||||
plymouth-poweroff.wantedBy = [ "poweroff.target" ];
|
||||
plymouth-quit-wait.wantedBy = [ "multi-user.target" ];
|
||||
plymouth-quit.wantedBy = [ "multi-user.target" ];
|
||||
plymouth-read-write.wantedBy = [ "sysinit.target" ];
|
||||
plymouth-reboot.wantedBy = [ "reboot.target" ];
|
||||
plymouth-start.wantedBy = [ "initrd-switch-root.target" "sysinit.target" ];
|
||||
plymouth-switch-root-initramfs.wantedBy = [ "halt.target" "kexec.target" "plymouth-switch-root-initramfs.service" "poweroff.target" "reboot.target" ];
|
||||
plymouth-switch-root.wantedBy = [ "initrd-switch-root.target" ];
|
||||
};
|
||||
};
|
||||
|
||||
# Insert required udev rules. We take stage 2 systemd because the udev
|
||||
# rules are only generated when building with logind.
|
||||
boot.initrd.services.udev.packages = [ (pkgs.runCommand "initrd-plymouth-udev-rules" {} ''
|
||||
mkdir -p $out/etc/udev/rules.d
|
||||
cp ${config.systemd.package.out}/lib/udev/rules.d/{70-uaccess,71-seat}.rules $out/etc/udev/rules.d
|
||||
sed -i '/loginctl/d' $out/etc/udev/rules.d/71-seat.rules
|
||||
'') ];
|
||||
|
||||
boot.initrd.extraUtilsCommands = lib.mkIf (!config.boot.initrd.systemd.enable) ''
|
||||
copy_bin_and_libs ${plymouth}/bin/plymouth
|
||||
copy_bin_and_libs ${plymouth}/bin/plymouthd
|
||||
|
||||
@ -198,18 +282,18 @@ in
|
||||
EOF
|
||||
'';
|
||||
|
||||
boot.initrd.extraUtilsCommandsTest = ''
|
||||
boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.enable) ''
|
||||
$out/bin/plymouthd --help >/dev/null
|
||||
$out/bin/plymouth --help >/dev/null
|
||||
'';
|
||||
|
||||
boot.initrd.extraUdevRulesCommands = ''
|
||||
boot.initrd.extraUdevRulesCommands = mkIf (!config.boot.initrd.enable) ''
|
||||
cp ${config.systemd.package}/lib/udev/rules.d/{70-uaccess,71-seat}.rules $out
|
||||
sed -i '/loginctl/d' $out/71-seat.rules
|
||||
'';
|
||||
|
||||
# We use `mkAfter` to ensure that LUKS password prompt would be shown earlier than the splash screen.
|
||||
boot.initrd.preLVMCommands = mkAfter ''
|
||||
boot.initrd.preLVMCommands = mkIf (!config.boot.initrd.enable) (mkAfter ''
|
||||
mkdir -p /etc/plymouth
|
||||
mkdir -p /run/plymouth
|
||||
ln -s ${configFile} /etc/plymouth/plymouthd.conf
|
||||
@ -221,16 +305,16 @@ in
|
||||
|
||||
plymouthd --mode=boot --pid-file=/run/plymouth/pid --attach-to-session
|
||||
plymouth show-splash
|
||||
'';
|
||||
'');
|
||||
|
||||
boot.initrd.postMountCommands = ''
|
||||
boot.initrd.postMountCommands = mkIf (!config.boot.initrd.enable) ''
|
||||
plymouth update-root-fs --new-root-dir="$targetRoot"
|
||||
'';
|
||||
|
||||
# `mkBefore` to ensure that any custom prompts would be visible.
|
||||
boot.initrd.preFailCommands = mkBefore ''
|
||||
boot.initrd.preFailCommands = mkIf (!config.boot.initrd.enable) (mkBefore ''
|
||||
plymouth quit --wait
|
||||
'';
|
||||
'');
|
||||
|
||||
};
|
||||
|
||||
|
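Review bot: The scripted-initrd fallbacks in the last two hunks are gated on the wrong option: `extraUtilsCommandsTest`, `extraUdevRulesCommands`, `preLVMCommands`, `postMountCommands` and `preFailCommands` use `mkIf (!config.boot.initrd.enable)`, while `extraUtilsCommands` just above uses `lib.mkIf (!config.boot.initrd.systemd.enable)`. `boot.initrd.enable` is a different option that defaults to true, so on a non-systemd stage 1 these five definitions are dropped and plymouthd is copied in but never started, the udev rules never installed and `update-root-fs`/`quit` never run. Each of the five should read like `boot.initrd.preLVMCommands = mkIf (!config.boot.initrd.systemd.enable) (mkAfter ''`. In the new `plymouth-initrd-themes` derivation the dependent-theme loop also tests `"${themesEnv}/theme"`, which Nix interpolates to a literal `.../theme` path rather than the shell variable `$theme`, so dependent themes are never copied; it should be `"${themesEnv}/share/plymouth/themes/$theme"` in both the `-d` test and the `cp`.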
@ -16,7 +16,7 @@ let
|
||||
"LimitNOFILE" "LimitAS" "LimitNPROC" "LimitMEMLOCK" "LimitLOCKS"
|
||||
"LimitSIGPENDING" "LimitMSGQUEUE" "LimitNICE" "LimitRTPRIO" "LimitRTTIME"
|
||||
"OOMScoreAdjust" "CPUAffinity" "Hostname" "ResolvConf" "Timezone"
|
||||
"LinkJournal"
|
||||
"LinkJournal" "Ephemeral" "AmbientCapability"
|
||||
])
|
||||
(assertValueOneOf "Boot" boolValues)
|
||||
(assertValueOneOf "ProcessTwo" boolValues)
|
||||
@ -26,11 +26,13 @@ let
|
||||
checkFiles = checkUnitConfig "Files" [
|
||||
(assertOnlyFields [
|
||||
"ReadOnly" "Volatile" "Bind" "BindReadOnly" "TemporaryFileSystem"
|
||||
"Overlay" "OverlayReadOnly" "PrivateUsersChown"
|
||||
"Overlay" "OverlayReadOnly" "PrivateUsersChown" "BindUser"
|
||||
"Inaccessible" "PrivateUserOwnership"
|
||||
])
|
||||
(assertValueOneOf "ReadOnly" boolValues)
|
||||
(assertValueOneOf "Volatile" (boolValues ++ [ "state" ]))
|
||||
(assertValueOneOf "PrivateUsersChown" boolValues)
|
||||
(assertValueOneOf "PrivateUserOwnership" [ "off" "chown" "map" "auto" ])
|
||||
];
|
||||
|
||||
checkNetwork = checkUnitConfig "Network" [
|
||||
|
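Review bot: `"Ephemeral"` is added to the allowed `[Exec]` keys but, unlike the neighbouring `Boot` and `ProcessTwo` entries, gets no value check, even though systemd.nspawn(5) documents `Ephemeral=` as a boolean; a malformed value is then only reported by nspawn at container start instead of at evaluation time. I would add `(assertValueOneOf "Ephemeral" boolValues)` directly after `(assertValueOneOf "Boot" boolValues)`. The other new keys (`AmbientCapability`, `BindUser`, `Inaccessible`) are free-form lists or paths, so no enum check fits them, and `PrivateUserOwnership` already has one.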
@ -190,7 +190,7 @@ in {
|
||||
nixos-rebuild = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
|
||||
date = "${pkgs.coreutils}/bin/date";
|
||||
readlink = "${pkgs.coreutils}/bin/readlink";
|
||||
shutdown = "${pkgs.systemd}/bin/shutdown";
|
||||
shutdown = "${config.systemd.package}/bin/shutdown";
|
||||
upgradeFlag = optional (cfg.channel == null) "--upgrade";
|
||||
in if cfg.allowReboot then ''
|
||||
${nixos-rebuild} boot ${toString (cfg.flags ++ upgradeFlag)}
|
||||
|
@ -58,6 +58,13 @@ let
|
||||
# latter case it makes one last attempt at importing, allowing the system to
|
||||
# (eventually) boot even with a degraded pool.
|
||||
importLib = {zpoolCmd, awkCmd, cfgZfs}: ''
|
||||
for o in $(cat /proc/cmdline); do
|
||||
case $o in
|
||||
zfs_force|zfs_force=1|zfs_force=y)
|
||||
ZFS_FORCE="-f"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
poolReady() {
|
||||
pool="$1"
|
||||
state="$("${zpoolCmd}" import 2>/dev/null | "${awkCmd}" "/pool: $pool/ { found = 1 }; /state:/ { if (found == 1) { print \$2; exit } }; END { if (found == 0) { print \"MISSING\" } }")"
|
||||
@ -78,6 +85,95 @@ let
|
||||
}
|
||||
'';
|
||||
|
||||
getPoolFilesystems = pool:
|
||||
filter (x: x.fsType == "zfs" && (fsToPool x) == pool) config.system.build.fileSystems;
|
||||
|
||||
getPoolMounts = prefix: pool:
|
||||
let
|
||||
# Remove the "/" suffix because even though most mountpoints
|
||||
# won't have it, the "/" mountpoint will, and we can't have the
|
||||
# trailing slash in "/sysroot/" in stage 1.
|
||||
mountPoint = fs: escapeSystemdPath (prefix + (lib.removeSuffix "/" fs.mountPoint));
|
||||
in
|
||||
map (x: "${mountPoint x}.mount") (getPoolFilesystems pool);
|
||||
|
||||
getKeyLocations = pool:
|
||||
if isBool cfgZfs.requestEncryptionCredentials
|
||||
then "${cfgZfs.package}/sbin/zfs list -rHo name,keylocation,keystatus ${pool}"
|
||||
else "${cfgZfs.package}/sbin/zfs list -Ho name,keylocation,keystatus ${toString (filter (x: datasetToPool x == pool) cfgZfs.requestEncryptionCredentials)}";
|
||||
|
||||
createImportService = { pool, systemd, force, prefix ? "" }:
|
||||
nameValuePair "zfs-import-${pool}" {
|
||||
description = "Import ZFS pool \"${pool}\"";
|
||||
# we need systemd-udev-settle to ensure devices are available
|
||||
# In the future, hopefully someone will complete this:
|
||||
# https://github.com/zfsonlinux/zfs/pull/4943
|
||||
requires = [ "systemd-udev-settle.service" ];
|
||||
after = [
|
||||
"systemd-udev-settle.service"
|
||||
"systemd-modules-load.service"
|
||||
"systemd-ask-password-console.service"
|
||||
];
|
||||
wantedBy = (getPoolMounts prefix pool) ++ [ "local-fs.target" ];
|
||||
before = (getPoolMounts prefix pool) ++ [ "local-fs.target" ];
|
||||
unitConfig = {
|
||||
DefaultDependencies = "no";
|
||||
};
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
environment.ZFS_FORCE = optionalString force "-f";
|
||||
script = (importLib {
|
||||
# See comments at importLib definition.
|
||||
zpoolCmd = "${cfgZfs.package}/sbin/zpool";
|
||||
awkCmd = "${pkgs.gawk}/bin/awk";
|
||||
inherit cfgZfs;
|
||||
}) + ''
|
||||
poolImported "${pool}" && exit
|
||||
echo -n "importing ZFS pool \"${pool}\"..."
|
||||
# Loop across the import until it succeeds, because the devices needed may not be discovered yet.
|
||||
for trial in `seq 1 60`; do
|
||||
poolReady "${pool}" && poolImport "${pool}" && break
|
||||
sleep 1
|
||||
done
|
||||
poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool.
|
||||
if poolImported "${pool}"; then
|
||||
${optionalString (if isBool cfgZfs.requestEncryptionCredentials
|
||||
then cfgZfs.requestEncryptionCredentials
|
||||
else cfgZfs.requestEncryptionCredentials != []) ''
|
||||
${getKeyLocations pool} | while IFS=$'\t' read ds kl ks; do
|
||||
{
|
||||
if [[ "$ks" != unavailable ]]; then
|
||||
continue
|
||||
fi
|
||||
case "$kl" in
|
||||
none )
|
||||
;;
|
||||
prompt )
|
||||
tries=3
|
||||
success=false
|
||||
while [[ $success != true ]] && [[ $tries -gt 0 ]]; do
|
||||
${systemd}/bin/systemd-ask-password "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds" \
|
||||
&& success=true \
|
||||
|| tries=$((tries - 1))
|
||||
done
|
||||
[[ $success = true ]]
|
||||
;;
|
||||
* )
|
||||
${cfgZfs.package}/sbin/zfs load-key "$ds"
|
||||
;;
|
||||
esac
|
||||
} < /dev/null # To protect while read ds kl in case anything reads stdin
|
||||
done
|
||||
''}
|
||||
echo "Successfully imported ${pool}"
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
'';
|
||||
};
|
||||
|
||||
zedConf = generators.toKeyValue {
|
||||
mkKeyValue = generators.mkKeyValueDefault {
|
||||
mkValueString = v:
|
||||
@ -428,14 +524,6 @@ in
|
||||
'';
|
||||
postDeviceCommands = concatStringsSep "\n" ([''
|
||||
ZFS_FORCE="${optionalString cfgZfs.forceImportRoot "-f"}"
|
||||
|
||||
for o in $(cat /proc/cmdline); do
|
||||
case $o in
|
||||
zfs_force|zfs_force=1)
|
||||
ZFS_FORCE="-f"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
''] ++ [(importLib {
|
||||
# See comments at importLib definition.
|
||||
zpoolCmd = "zpool";
|
||||
@ -464,6 +552,21 @@ in
|
||||
zfs load-key ${fs}
|
||||
'') cfgZfs.requestEncryptionCredentials}
|
||||
'') rootPools));
|
||||
|
||||
# Systemd in stage 1
|
||||
systemd = {
|
||||
packages = [cfgZfs.package];
|
||||
services = listToAttrs (map (pool: createImportService {
|
||||
inherit pool;
|
||||
systemd = config.boot.initrd.systemd.package;
|
||||
force = cfgZfs.forceImportRoot;
|
||||
prefix = "/sysroot";
|
||||
}) rootPools);
|
||||
extraBin = {
|
||||
# zpool and zfs are already in thanks to fsPackages
|
||||
awk = "${pkgs.gawk}/bin/awk";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.shutdownRamfs.contents."/etc/systemd/system-shutdown/zpool".source = pkgs.writeShellScript "zpool-sync-shutdown" ''
|
||||
@ -521,79 +624,11 @@ in
|
||||
systemd.packages = [ cfgZfs.package ];
|
||||
|
||||
systemd.services = let
|
||||
getPoolFilesystems = pool:
|
||||
filter (x: x.fsType == "zfs" && (fsToPool x) == pool) config.system.build.fileSystems;
|
||||
|
||||
getPoolMounts = pool:
|
||||
let
|
||||
mountPoint = fs: escapeSystemdPath fs.mountPoint;
|
||||
in
|
||||
map (x: "${mountPoint x}.mount") (getPoolFilesystems pool);
|
||||
|
||||
createImportService = pool:
|
||||
nameValuePair "zfs-import-${pool}" {
|
||||
description = "Import ZFS pool \"${pool}\"";
|
||||
# we need systemd-udev-settle until https://github.com/zfsonlinux/zfs/pull/4943 is merged
|
||||
requires = [ "systemd-udev-settle.service" ];
|
||||
after = [
|
||||
"systemd-udev-settle.service"
|
||||
"systemd-modules-load.service"
|
||||
"systemd-ask-password-console.service"
|
||||
];
|
||||
wantedBy = (getPoolMounts pool) ++ [ "local-fs.target" ];
|
||||
before = (getPoolMounts pool) ++ [ "local-fs.target" ];
|
||||
unitConfig = {
|
||||
DefaultDependencies = "no";
|
||||
};
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
environment.ZFS_FORCE = optionalString cfgZfs.forceImportAll "-f";
|
||||
script = (importLib {
|
||||
# See comments at importLib definition.
|
||||
zpoolCmd = "${cfgZfs.package}/sbin/zpool";
|
||||
awkCmd = "${pkgs.gawk}/bin/awk";
|
||||
inherit cfgZfs;
|
||||
}) + ''
|
||||
poolImported "${pool}" && exit
|
||||
echo -n "importing ZFS pool \"${pool}\"..."
|
||||
# Loop across the import until it succeeds, because the devices needed may not be discovered yet.
|
||||
for trial in `seq 1 60`; do
|
||||
poolReady "${pool}" && poolImport "${pool}" && break
|
||||
sleep 1
|
||||
done
|
||||
poolImported "${pool}" || poolImport "${pool}" # Try one last time, e.g. to import a degraded pool.
|
||||
if poolImported "${pool}"; then
|
||||
${optionalString (if isBool cfgZfs.requestEncryptionCredentials
|
||||
then cfgZfs.requestEncryptionCredentials
|
||||
else cfgZfs.requestEncryptionCredentials != []) ''
|
||||
${cfgZfs.package}/sbin/zfs list -rHo name,keylocation ${pool} | while IFS=$'\t' read ds kl; do
|
||||
{
|
||||
${optionalString (!isBool cfgZfs.requestEncryptionCredentials) ''
|
||||
if ! echo '${concatStringsSep "\n" cfgZfs.requestEncryptionCredentials}' | grep -qFx "$ds"; then
|
||||
continue
|
||||
fi
|
||||
''}
|
||||
case "$kl" in
|
||||
none )
|
||||
;;
|
||||
prompt )
|
||||
${config.systemd.package}/bin/systemd-ask-password "Enter key for $ds:" | ${cfgZfs.package}/sbin/zfs load-key "$ds"
|
||||
;;
|
||||
* )
|
||||
${cfgZfs.package}/sbin/zfs load-key "$ds"
|
||||
;;
|
||||
esac
|
||||
} < /dev/null # To protect while read ds kl in case anything reads stdin
|
||||
done
|
||||
''}
|
||||
echo "Successfully imported ${pool}"
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
'';
|
||||
};
|
||||
createImportService' = pool: createImportService {
|
||||
inherit pool;
|
||||
systemd = config.systemd.package;
|
||||
force = cfgZfs.forceImportAll;
|
||||
};
|
||||
|
||||
# This forces a sync of any ZFS pools prior to poweroff, even if they're set
|
||||
# to sync=disabled.
|
||||
@ -619,7 +654,7 @@ in
|
||||
wantedBy = [ "zfs.target" ];
|
||||
};
|
||||
|
||||
in listToAttrs (map createImportService dataPools ++
|
||||
in listToAttrs (map createImportService' dataPools ++
|
||||
map createSyncService allPools ++
|
||||
map createZfsService [ "zfs-mount" "zfs-share" "zfs-zed" ]);
|
||||
|
||||
|
@ -43,12 +43,6 @@ in
|
||||
} {
|
||||
assertion = cfg.defaultGateway6 == null || cfg.defaultGateway6.interface == null;
|
||||
message = "networking.defaultGateway6.interface is not supported by networkd.";
|
||||
} {
|
||||
assertion = cfg.useDHCP == false;
|
||||
message = ''
|
||||
networking.useDHCP is not supported by networkd.
|
||||
Please use per interface configuration and set the global option to false.
|
||||
'';
|
||||
} ] ++ flip mapAttrsToList cfg.bridges (n: { rstp, ... }: {
|
||||
assertion = !rstp;
|
||||
message = "networking.bridges.${n}.rstp is not supported by networkd.";
|
||||
@ -80,6 +74,42 @@ in
|
||||
in mkMerge [ {
|
||||
enable = true;
|
||||
}
|
||||
(mkIf cfg.useDHCP {
|
||||
networks."99-ethernet-default-dhcp" = lib.mkIf cfg.useDHCP {
|
||||
# We want to match physical ethernet interfaces as commonly
|
||||
# found on laptops, desktops and servers, to provide an
|
||||
# "out-of-the-box" setup that works for common cases. This
|
||||
# heuristic isn't perfect (it could match interfaces with
|
||||
# custom names that _happen_ to start with en or eth), but
|
||||
# should be good enough to make the common case easy and can
|
||||
# be overridden on a case-by-case basis using
|
||||
# higher-priority networks or by disabling useDHCP.
|
||||
|
||||
# Type=ether matches veth interfaces as well, and this is
|
||||
# more likely to result in interfaces being configured to
|
||||
# use DHCP when they shouldn't.
|
||||
|
||||
# We set RequiredForOnline to false, because it's fairly
|
||||
# common for such devices to have multiple interfaces and
|
||||
# only one of them to be connected (e.g. a laptop with
|
||||
# ethernet and WiFi interfaces). Maybe one day networkd will
|
||||
# support "any"-style RequiredForOnline...
|
||||
matchConfig.Name = ["en*" "eth*"];
|
||||
DHCP = "yes";
|
||||
linkConfig.RequiredForOnline = lib.mkDefault false;
|
||||
};
|
||||
networks."99-wireless-client-dhcp" = lib.mkIf cfg.useDHCP {
|
||||
# Like above, but this is much more likely to be correct.
|
||||
matchConfig.WLANInterfaceType = "station";
|
||||
DHCP = "yes";
|
||||
linkConfig.RequiredForOnline = lib.mkDefault false;
|
||||
# We also set the route metric to one more than the default
|
||||
# of 1024, so that Ethernet is preferred if both are
|
||||
# available.
|
||||
dhcpV4Config.RouteMetric = 1025;
|
||||
ipv6AcceptRAConfig.RouteMetric = 1025;
|
||||
};
|
||||
})
|
||||
(mkMerge (forEach interfaces (i: {
|
||||
netdevs = mkIf i.virtual ({
|
||||
"40-${i.name}" = {
|
||||
|
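Review bot: The inner `lib.mkIf cfg.useDHCP` on `networks."99-ethernet-default-dhcp"` and `networks."99-wireless-client-dhcp"` is redundant, because the whole attribute set is already wrapped in `(mkIf cfg.useDHCP { … })` a few lines above; writing `networks."99-ethernet-default-dhcp" = {` and `networks."99-wireless-client-dhcp" = {` states the condition once and reads the same. Separately, `DHCP = "yes"` requests both DHCPv4 and DHCPv6 on every interface matched by `en*`/`eth*` and on every station-mode WLAN interface; the long comment explains the name-matching heuristic but not that both address families are accepted by default, which is the sentence an operator auditing a default install will look for. The enclosing `mkMerge [ … ]` list continues past the hunk.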
@ -1254,11 +1254,6 @@ in
|
||||
Whether to use DHCP to obtain an IP address and other
|
||||
configuration for all network interfaces that are not manually
|
||||
configured.
|
||||
|
||||
Using this option is highly discouraged and also incompatible with
|
||||
<option>networking.useNetworkd</option>. Please use
|
||||
<option>networking.interfaces.<name>.useDHCP</option> instead
|
||||
and set this to false.
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -129,6 +129,9 @@ in
|
||||
# Make sure we use the Guest Agent from the QEMU package for testing
|
||||
# to reduce the closure size required for the tests.
|
||||
services.qemuGuest.package = pkgs.qemu_test.ga;
|
||||
|
||||
# Squelch warning about unset system.stateVersion
|
||||
system.stateVersion = lib.mkDefault lib.trivial.release;
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -11,7 +11,7 @@ let
|
||||
echo "attempting to fetch configuration from EC2 user data..."
|
||||
|
||||
export HOME=/root
|
||||
export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.git pkgs.gnutar pkgs.gzip pkgs.gnused pkgs.xz config.system.build.nixos-rebuild]}:$PATH
|
||||
export PATH=${pkgs.lib.makeBinPath [ config.nix.package config.systemd.package pkgs.gnugrep pkgs.git pkgs.gnutar pkgs.gzip pkgs.gnused pkgs.xz config.system.build.nixos-rebuild]}:$PATH
|
||||
export NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels
|
||||
|
||||
userData=/etc/ec2-metadata/user-data
|
||||
|
@ -46,7 +46,7 @@ in {
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
restartIfChanged = false;
|
||||
path = [ pkgs.jq pkgs.gnused pkgs.gnugrep pkgs.systemd config.nix.package config.system.build.nixos-rebuild ];
|
||||
path = [ pkgs.jq pkgs.gnused pkgs.gnugrep config.systemd.package config.nix.package config.system.build.nixos-rebuild ];
|
||||
environment = {
|
||||
HOME = "/root";
|
||||
NIX_PATH = concatStringsSep ":" [
|
||||
|
@ -20,6 +20,15 @@ with lib;
|
||||
configuration from proxmox.
|
||||
'';
|
||||
};
|
||||
manageHostName = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to manage hostname through nix options
|
||||
When false, the hostname is picked up from /etc/hostname
|
||||
populated by proxmox.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config =
|
||||
@ -50,6 +59,8 @@ with lib;
|
||||
useDHCP = false;
|
||||
useHostResolvConf = false;
|
||||
useNetworkd = true;
|
||||
# pick up hostname from /etc/hostname generated by proxmox
|
||||
hostName = mkIf (!cfg.manageHostName) (mkForce "");
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
|
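Review bot: The `manageHostName` description does not say that, while the option is false, any `networking.hostName` the user sets is overridden, because the line below uses `hostName = mkIf (!cfg.manageHostName) (mkForce "");`; a user whose hostname is silently ignored gets no hint from the option docs. Suggest completing the text, e.g. `Whether to manage the hostname through NixOS options. When false (the default), networking.hostName is forced to the empty string so that the /etc/hostname written by Proxmox is used.`, which also fixes the missing full stop after the first sentence of the current description.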
@ -253,6 +253,7 @@ in
|
||||
k3s-single-node = handleTest ./k3s-single-node.nix {};
|
||||
k3s-single-node-docker = handleTest ./k3s-single-node-docker.nix {};
|
||||
kafka = handleTest ./kafka.nix {};
|
||||
kanidm = handleTest ./kanidm.nix {};
|
||||
kbd-setfont-decompress = handleTest ./kbd-setfont-decompress.nix {};
|
||||
kbd-update-search-paths-patch = handleTest ./kbd-update-search-paths-patch.nix {};
|
||||
kea = handleTest ./kea.nix {};
|
||||
|
@ -106,6 +106,5 @@ in
|
||||
malcontent = callInstalledTest ./malcontent.nix {};
|
||||
ostree = callInstalledTest ./ostree.nix {};
|
||||
pipewire = callInstalledTest ./pipewire.nix {};
|
||||
power-profiles-daemon = callInstalledTest ./power-profiles-daemon.nix {};
|
||||
xdg-desktop-portal = callInstalledTest ./xdg-desktop-portal.nix {};
|
||||
}
|
||||
|
@ -1,9 +0,0 @@
|
||||
{ pkgs, lib, makeInstalledTest, ... }:
|
||||
|
||||
makeInstalledTest {
|
||||
tested = pkgs.power-profiles-daemon;
|
||||
|
||||
testConfig = {
|
||||
services.power-profiles-daemon.enable = true;
|
||||
};
|
||||
}
|
@ -27,7 +27,7 @@
|
||||
simpleUefiGrubSpecialisation
|
||||
simpleUefiSystemdBoot
|
||||
# swraid
|
||||
# zfsroot
|
||||
zfsroot
|
||||
;
|
||||
|
||||
}
|
||||
|
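--- /dev/null
+++ b/nixos/tests/kanidm.nix
@@ -0,0 +1,75 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+let
+certs = import ./common/acme/server/snakeoil-certs.nix;
+serverDomain = certs.domain;
+in
+{
+name = "kanidm";
+meta.maintainers = with pkgs.lib.maintainers; [ erictapen Flakebi ];
+
+nodes.server = { config, pkgs, lib, ... }: {
+services.kanidm = {
+enableServer = true;
+serverSettings = {
+origin = "https://${serverDomain}";
+domain = serverDomain;
+bindaddress = "[::1]:8443";
+ldapbindaddress = "[::1]:636";
+};
+};
+
+services.nginx = {
+enable = true;
+recommendedProxySettings = true;
+virtualHosts."${serverDomain}" = {
+forceSSL = true;
+sslCertificate = certs."${serverDomain}".cert;
+sslCertificateKey = certs."${serverDomain}".key;
+locations."/".proxyPass = "http://[::1]:8443";
+};
+};
+
+security.pki.certificateFiles = [ certs.ca.cert ];
+
+networking.hosts."::1" = [ serverDomain ];
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+users.users.kanidm.shell = pkgs.bashInteractive;
+
+environment.systemPackages = with pkgs; [ kanidm openldap ripgrep ];
+};
+
+nodes.client = { pkgs, nodes, ... }: {
+services.kanidm = {
+enableClient = true;
+clientSettings = {
+uri = "https://${serverDomain}";
+};
+};
+
+networking.hosts."${nodes.server.config.networking.primaryIPAddress}" = [ serverDomain ];
+
+security.pki.certificateFiles = [ certs.ca.cert ];
+};
+
+testScript = { nodes, ... }:
+let
+ldapBaseDN = builtins.concatStringsSep "," (map (s: "dc=" + s) (pkgs.lib.splitString "." serverDomain));
+
+# We need access to the config file in the test script.
+filteredConfig = pkgs.lib.converge
+(pkgs.lib.filterAttrsRecursive (_: v: v != null))
+nodes.server.config.services.kanidm.serverSettings;
+serverConfigFile = (pkgs.formats.toml { }).generate "server.toml" filteredConfig;
+
+in
+''
+start_all()
+server.wait_for_unit("kanidm.service")
+server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
+server.wait_until_succeeds("ldapsearch -H ldap://[::1]:636 -b '${ldapBaseDN}' -x '(name=test)'")
+client.wait_until_succeeds("kanidm login -D anonymous && kanidm self whoami | grep anonymous@${serverDomain}")
+(rv, result) = server.execute("kanidmd recover_account -d quiet -c ${serverConfigFile} -n admin 2>&1 | rg -o '[A-Za-z0-9]{48}'")
+assert rv == 0
+'';
+})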
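Review bot: `users.users.kanidm.shell = pkgs.bashInteractive;` gives the service account a login shell, and nothing in the visible testScript uses it (every command runs through `server.execute`/`server.wait_until_succeeds`, i.e. the driver's root shell); unless a later step needs to switch to that user, it should be dropped so the test does not model a service user with an interactive shell. Also `(rv, result) = server.execute("kanidmd recover_account … | rg -o '[A-Za-z0-9]{48}'")` asserts only on `rv`, which in this pipeline is rg's exit status (absent pipefail), so the recovered credential is captured but never checked; `assert rv == 0 and len(result.strip()) == 48` would at least pin that exactly one token of the expected shape came back, and logging in with it would exercise recovery end to end.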
@ -30,6 +30,7 @@ let
|
||||
linux_5_4_hardened
|
||||
linux_5_10_hardened
|
||||
linux_5_15_hardened
|
||||
linux_5_17_hardened
|
||||
|
||||
linux_testing;
|
||||
};
|
||||
|
@ -139,6 +139,26 @@ let
|
||||
client.wait_until_succeeds("ping -c 1 192.168.3.1")
|
||||
'';
|
||||
};
|
||||
dhcpDefault = {
|
||||
name = "useDHCP-by-default";
|
||||
nodes.router = router;
|
||||
nodes.client = { lib, ... }: {
|
||||
# Disable test driver default config
|
||||
networking.interfaces = lib.mkForce {};
|
||||
networking.useNetworkd = networkd;
|
||||
virtualisation.vlans = [ 1 ];
|
||||
};
|
||||
testScript = ''
|
||||
start_all()
|
||||
client.wait_for_unit("multi-user.target")
|
||||
client.wait_until_succeeds("ip addr show dev eth1 | grep '192.168.1'")
|
||||
client.shell_interact()
|
||||
client.succeed("ping -c 1 192.168.1.1")
|
||||
router.succeed("ping -c 1 192.168.1.1")
|
||||
router.succeed("ping -c 1 192.168.1.2")
|
||||
client.succeed("ping -c 1 192.168.1.2")
|
||||
'';
|
||||
};
|
||||
dhcpSimple = {
|
||||
name = "SimpleDHCP";
|
||||
nodes.router = router;
|
||||
|
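Review bot: `client.shell_interact()` in the `dhcpDefault` testScript looks like a debugging leftover: it hands the driver an interactive shell on the client, which in an unattended run at best blocks on stdin before the ping checks are reached. Remove that line so the script goes straight from the `ip addr show dev eth1` check to `client.succeed("ping -c 1 192.168.1.1")`. `router.succeed("ping -c 1 192.168.1.1")` pings the router's own address and cannot fail for a networking reason; it is harmless but probably meant to cover only the client side.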
@ -158,7 +158,9 @@ import ./make-test-python.nix ({ pkgs, ... }:
|
||||
|
||||
# Waiting for pleroma to be up.
|
||||
timeout 5m bash -c 'while [[ "$(curl -s -o /dev/null -w '%{http_code}' https://pleroma.nixos.test/api/v1/instance)" != "200" ]]; do sleep 2; done'
|
||||
pleroma_ctl user new jamy jamy@nixos.test --password 'jamy-password' --moderator --admin -y
|
||||
# Toremove the RELEASE_COOKIE bit when https://github.com/NixOS/nixpkgs/issues/166229 gets fixed.
|
||||
RELEASE_COOKIE="/var/lib/pleroma/.cookie" \
|
||||
pleroma_ctl user new jamy jamy@nixos.test --password 'jamy-password' --moderator --admin -y
|
||||
'';
|
||||
|
||||
tls-cert = pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
|
||||
|
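Review bot: The new comment `# Toremove the RELEASE_COOKIE bit when https://github.com/NixOS/nixpkgs/issues/166229 gets fixed.` has a typo and does not say what the workaround does. Suggest `# Point pleroma_ctl at the existing release cookie explicitly; remove once https://github.com/NixOS/nixpkgs/issues/166229 is fixed.`, which also makes clear that /var/lib/pleroma/.cookie is read here, not generated. The surrounding script continues outside the hunk.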
@ -25,8 +25,15 @@ let
|
||||
nspawnImages = (pkgs.runCommand "localhost" { buildInputs = [ pkgs.coreutils pkgs.gnupg ]; } ''
|
||||
mkdir -p $out
|
||||
cd $out
|
||||
|
||||
# produce a testimage.raw
|
||||
dd if=/dev/urandom of=$out/testimage.raw bs=$((1024*1024+7)) count=5
|
||||
sha256sum testimage.raw > SHA256SUMS
|
||||
|
||||
# produce a testimage2.tar.xz, containing the hello store path
|
||||
tar cvJpf testimage2.tar.xz ${pkgs.hello}
|
||||
|
||||
# produce signature(s)
|
||||
sha256sum testimage* > SHA256SUMS
|
||||
export GNUPGHOME="$(mktemp -d)"
|
||||
cp -R ${gpgKeyring}/* $GNUPGHOME
|
||||
gpg --batch --sign --detach-sign --output SHA256SUMS.gpg SHA256SUMS
|
||||
@ -56,5 +63,9 @@ in {
|
||||
client.succeed(
|
||||
"cmp /var/lib/machines/testimage.raw ${nspawnImages}/testimage.raw"
|
||||
)
|
||||
client.succeed("machinectl pull-tar --verify=signature http://server/testimage2.tar.xz")
|
||||
client.succeed(
|
||||
"cmp /var/lib/machines/testimage2/${pkgs.hello}/bin/hello ${pkgs.hello}/bin/hello"
|
||||
)
|
||||
'';
|
||||
})
|
||||
|
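Review bot: `sha256sum testimage.raw > SHA256SUMS` is now dead, because the later `sha256sum testimage* > SHA256SUMS` under `# produce signature(s)` overwrites the file with digests of both images; the first line can go. The fixture is otherwise sound: SHA256SUMS.gpg is a detached signature over the complete checksum list, which is what `machinectl pull-tar --verify=signature` checks before accepting testimage2.tar.xz, so the test does exercise the tamper-rejection path. The `nspawnImages` runCommand body runs past the first hunk.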
@ -222,7 +222,7 @@ let
|
||||
machine.execute(ru("VBoxManage controlvm ${name} poweroff"))
|
||||
machine.succeed("rm -rf ${sharePath}")
|
||||
machine.succeed("mkdir -p ${sharePath}")
|
||||
machine.succeed("chown alice.users ${sharePath}")
|
||||
machine.succeed("chown alice:users ${sharePath}")
|
||||
|
||||
|
||||
def create_vm_${name}():
|
||||
|
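--- /dev/null
+++ b/pkgs/applications/audio/airwindows-lv2/default.nix
@@ -0,0 +1,25 @@
+{ lib, stdenv, fetchFromGitHub, cmake, pkg-config, lv2 }:
+
+stdenv.mkDerivation rec {
+pname = "airwindows-lv2";
+version = "1.0";
+src = fetchFromGitHub {
+owner = "hannesbraun";
+repo = pname;
+rev = "v${version}";
+sha256 = "sha256-xokV4Af0evdo73D9JObzAmY1wD0aUyXiI0Z7BUN0m+M=";
+};
+
+nativeBuildInputs = [ cmake pkg-config ];
+buildInputs = [ lv2 ];
+
+cmakeFlags = [ "-DCMAKE_INSTALL_PREFIX=${placeholder "out"}/lib/lv2" ];
+
+meta = with lib; {
+description = "Airwindows plugins (ported to LV2)";
+homepage = "https://github.com/hannesbraun/airwindows-lv2";
+license = licenses.mit;
+maintainers = [ maintainers.magnetophon ];
+platforms = platforms.unix;
+};
+}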
@ -8,6 +8,7 @@
|
||||
, ninja
|
||||
, pkg-config
|
||||
, reuse
|
||||
, m4
|
||||
, wrapGAppsHook4
|
||||
, glib
|
||||
, gtk4
|
||||
@ -18,20 +19,20 @@
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "amberol";
|
||||
version = "0.4.3";
|
||||
version = "0.6.0";
|
||||
|
||||
src = fetchFromGitLab {
|
||||
domain = "gitlab.gnome.org";
|
||||
owner = "World";
|
||||
repo = pname;
|
||||
rev = version;
|
||||
sha256 = "sha256-4yW7rVlP9Zskyt4l/VQoX+9q3TUdEuLZrNQuQvziIf4=";
|
||||
hash = "sha256-7cwoP2Dvlrq44orckhCjFGrSVDuG8WdW8wbpAjD5zhI=";
|
||||
};
|
||||
|
||||
cargoDeps = rustPlatform.fetchCargoTarball {
|
||||
inherit src;
|
||||
name = "${pname}-${version}";
|
||||
sha256 = "sha256-1ahEWLBmkT+B8qD0Qd1skXqk1wvP6yuFNAQBRdispC4=";
|
||||
hash = "sha256-CGPDaVS8F7H/tH0lRjFloWmZmW8NHheyZRCCqEavWeo=";
|
||||
};
|
||||
|
||||
postPatch = ''
|
||||
@ -45,6 +46,7 @@ stdenv.mkDerivation rec {
|
||||
ninja
|
||||
pkg-config
|
||||
reuse
|
||||
m4
|
||||
wrapGAppsHook4
|
||||
] ++ (with rustPlatform; [
|
||||
cargoSetupHook
|
||||
|
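--- /dev/null
+++ b/pkgs/applications/audio/cdparanoia/configure.patch
@@ -0,0 +1,22 @@
+diff --git a/configure.in b/configure.ac
+similarity index 90%
+rename from configure.in
+rename to configure.ac
+index 3ad98ca11da..8fad378faf4 100644
+--- a/configure.in
++++ b/configure.ac
+@@ -1,13 +1,8 @@
+AC_INIT(interface/interface.c)
+
+-cp $srcdir/configure.guess $srcdir/config.guess
+-cp $srcdir/configure.sub $srcdir/config.sub
+-
+AC_CANONICAL_HOST
+
+-if test -z "$CC"; then
+- AC_PROG_CC
+-fi
++AC_PROG_CC
+AC_PROG_RANLIB
+AC_CHECK_PROG(AR,ar,ar)
+AC_CHECK_PROG(INSTALL,install,install)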
@ -1,4 +1,7 @@
|
||||
{ lib, stdenv, fetchurl, gnu-config, IOKit, Carbon }:
|
||||
{ lib, stdenv, fetchurl, fetchpatch
|
||||
, updateAutotoolsGnuConfigScriptsHook, autoreconfHook
|
||||
, IOKit, Carbon
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "cdparanoia-III";
|
||||
@ -10,16 +13,29 @@ stdenv.mkDerivation rec {
|
||||
};
|
||||
|
||||
patches = lib.optionals stdenv.isDarwin [
|
||||
(fetchurl {
|
||||
(fetchpatch {
|
||||
url = "https://trac.macports.org/export/70964/trunk/dports/audio/cdparanoia/files/osx_interface.patch";
|
||||
sha256 = "1n86kzm2ssl8fdf5wlhp6ncb2bf6b9xlb5vg0mhc85r69prqzjiy";
|
||||
sha256 = "0hq3lvfr0h1m3p0r33jij0s1aspiqlpy533rwv19zrfllb39qvr8";
|
||||
# Our configure patch will subsume it, but we want our configure
|
||||
# patch to be used on all platforms so we cannot just start where
|
||||
# this leaves off.
|
||||
excludes = [ "configure.in" ];
|
||||
})
|
||||
(fetchurl {
|
||||
url = "https://trac.macports.org/export/70964/trunk/dports/audio/cdparanoia/files/patch-paranoia_paranoia.c.10.4.diff";
|
||||
sha256 = "17l2qhn8sh4jy6ryy5si6ll6dndcm0r537rlmk4a6a8vkn852vad";
|
||||
})
|
||||
] ++ lib.optional stdenv.hostPlatform.isMusl ./utils.patch
|
||||
++ [./fix_private_keyword.patch];
|
||||
] ++ [
|
||||
# Has to come after darwin patches
|
||||
./fix_private_keyword.patch
|
||||
# Order does not matter
|
||||
./configure.patch
|
||||
] ++ lib.optional stdenv.hostPlatform.isMusl ./utils.patch;
|
||||
|
||||
nativeBuildInputs = [
|
||||
updateAutotoolsGnuConfigScriptsHook
|
||||
autoreconfHook
|
||||
];
|
||||
|
||||
propagatedBuildInputs = lib.optionals stdenv.isDarwin [
|
||||
Carbon
|
||||
@ -28,13 +44,6 @@ stdenv.mkDerivation rec {
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
preConfigure = ''
|
||||
unset CC
|
||||
'' + lib.optionalString (!stdenv.hostPlatform.isx86) ''
|
||||
cp ${gnu-config}/config.sub configure.sub
|
||||
cp ${gnu-config}/config.guess configure.guess
|
||||
'';
|
||||
|
||||
# Build system reuses the same object file names for shared and static
|
||||
# library. Occasionally fails in the middle:
|
||||
# gcc -O2 -fsigned-char -g -O2 -c scan_devices.c
|
||||
|
@ -16,8 +16,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
nativeBuildInputs = [ buildPackages.stdenv.cc pkg-config cmake ];
|
||||
|
||||
buildInputs = [ glib libsndfile libpulseaudio libjack2 ]
|
||||
++ lib.optionals stdenv.isLinux [ alsa-lib ]
|
||||
buildInputs = [ glib libsndfile libjack2 ]
|
||||
++ lib.optionals stdenv.isLinux [ alsa-lib libpulseaudio ]
|
||||
++ lib.optionals stdenv.isDarwin [ AudioUnit CoreAudio CoreMIDI CoreServices ];
|
||||
|
||||
cmakeFlags = [ "-Denable-framework=off" ];
|
||||
|
@ -1,12 +1,22 @@
|
||||
{lib, stdenv, fetchurl}:
|
||||
{lib, gcc10Stdenv, fetchurl}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
gcc10Stdenv.mkDerivation rec {
|
||||
version = "3.99-u4-b5";
|
||||
pname = "monkeys-audio";
|
||||
pname = "monkeys-audio-old";
|
||||
|
||||
patches = [ ./buildfix.diff ];
|
||||
|
||||
src = fetchurl {
|
||||
/*
|
||||
The real homepage is <https://monkeysaudio.com/>, but in fact we are
|
||||
getting an old, ported to Linux version of the sources, made by (quoting
|
||||
from the AUTHORS file found in the source):
|
||||
|
||||
Frank Klemm : First port to linux (with makefile)
|
||||
|
||||
SuperMMX <SuperMMX AT GMail DOT com> : Package the source, include the frontend and shared lib,
|
||||
porting to Big Endian platform and adding other non-win32 enhancement.
|
||||
*/
|
||||
url = "https://deb-multimedia.org/pool/main/m/${pname}/${pname}_${version}.orig.tar.gz";
|
||||
sha256 = "0kjfwzfxfx7f958b2b1kf8yj655lp0ppmn0sh57gbkjvj8lml7nz";
|
||||
};
|
||||
@ -14,7 +24,10 @@ stdenv.mkDerivation rec {
|
||||
meta = with lib; {
|
||||
description = "Lossless audio codec";
|
||||
platforms = platforms.linux;
|
||||
license = licenses.lgpl2;
|
||||
# This is not considered a GPL license, but it seems rather free although
|
||||
# it's not standard, see a quote of it:
|
||||
# https://github.com/NixOS/nixpkgs/pull/171682#issuecomment-1120260551
|
||||
license = licenses.free;
|
||||
maintainers = [ ];
|
||||
};
|
||||
}
|
||||
|
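Review bot: Renaming `pname` to `"monkeys-audio-old"` also changes the tarball URL, since the unchanged `url = "https://deb-multimedia.org/pool/main/m/${pname}/${pname}_${version}.orig.tar.gz";` is built from it while `sha256` is left as before; if deb-multimedia ships this version under the `monkeys-audio-old` source name, a one-line comment next to `pname` saying so would stop the next reader from assuming the fetch is broken, and if it does not, the URL needs to keep the old name. The switch to `gcc10Stdenv` is likewise uncommented; a why-comment such as `# Does not build with the default GCC; see https://github.com/NixOS/nixpkgs/pull/171682` (confirm the reason) would help whoever later tries to drop the pin.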
@ -1,17 +1,30 @@
|
||||
{ lib, stdenv, fetchurl, pkg-config, fetchFromGitLab
|
||||
{ stdenv
|
||||
, lib
|
||||
, fetchurl
|
||||
, fetchpatch
|
||||
, pkg-config
|
||||
, meson
|
||||
, ninja
|
||||
, fetchFromGitLab
|
||||
, python3
|
||||
, perl
|
||||
, perlPackages
|
||||
, vala
|
||||
, glib
|
||||
, gtk3
|
||||
, intltool
|
||||
, libpeas
|
||||
, libsoup
|
||||
, libxml2
|
||||
, libsecret
|
||||
, libnotify
|
||||
, libdmapsharing
|
||||
, gnome
|
||||
, gobject-introspection
|
||||
, totem-pl-parser
|
||||
, libgudev
|
||||
, libgpod
|
||||
, libmtp
|
||||
, lirc
|
||||
, brasero
|
||||
, grilo
|
||||
, tdb
|
||||
, json-glib
|
||||
, itstool
|
||||
@ -19,38 +32,32 @@
|
||||
, gst_all_1
|
||||
, gst_plugins ? with gst_all_1; [ gst-plugins-good gst-plugins-ugly ]
|
||||
}:
|
||||
let
|
||||
|
||||
# The API version of libdmapsharing required by rhythmbox 3.4.4 is 3.0.
|
||||
|
||||
# This PR would solve the issue:
|
||||
# https://gitlab.gnome.org/GNOME/rhythmbox/-/merge_requests/12
|
||||
# Unfortunately applying this patch produces a rhythmbox which
|
||||
# cannot fetch data from DAAP shares.
|
||||
|
||||
libdmapsharing_3 = libdmapsharing.overrideAttrs (old: rec {
|
||||
version = "2.9.41";
|
||||
src = fetchFromGitLab {
|
||||
domain = "gitlab.gnome.org";
|
||||
owner = "GNOME";
|
||||
repo = old.pname;
|
||||
rev = "${lib.toUpper old.pname}_${lib.replaceStrings ["."] ["_"] version}";
|
||||
sha256 = "05kvrzf0cp3mskdy6iv7zqq24qdczl800q2dn1h4bk3d9wchgm4p";
|
||||
};
|
||||
});
|
||||
|
||||
in stdenv.mkDerivation rec {
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "rhythmbox";
|
||||
version = "3.4.4";
|
||||
version = "3.4.5";
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://gnome/sources/${pname}/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
|
||||
sha256 = "142xcvw4l19jyr5i72nbnrihs953pvrrzcbijjn9dxmxszbv03pf";
|
||||
sha256 = "l+u8YPN4sibaRbtEbYmQL26hgx4j8Q76ujZVk7HnTyo=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
# Fix stuff linking against rhythmdb not finding libxml headers
|
||||
# included by rhythmdb.h header.
|
||||
# https://gitlab.gnome.org/GNOME/rhythmbox/-/merge_requests/147
|
||||
(fetchpatch {
|
||||
url = "https://gitlab.gnome.org/GNOME/rhythmbox/-/commit/7e8c7b803a45b7badf350132f8e78e3d75b99a21.patch";
|
||||
sha256 = "5CE/NVlmx7FItNJCVQxx+x0DCYhUkAi/UuksfAiyWBg=";
|
||||
})
|
||||
];
|
||||
|
||||
nativeBuildInputs = [
|
||||
pkg-config
|
||||
intltool perl perlPackages.XMLParser
|
||||
meson
|
||||
ninja
|
||||
vala
|
||||
glib
|
||||
itstool
|
||||
wrapGAppsHook
|
||||
];
|
||||
@ -58,13 +65,20 @@ in stdenv.mkDerivation rec {
|
||||
buildInputs = [
|
||||
python3
|
||||
libsoup
|
||||
libxml2
|
||||
tdb
|
||||
json-glib
|
||||
|
||||
glib
|
||||
gtk3
|
||||
libpeas
|
||||
totem-pl-parser
|
||||
gnome.adwaita-icon-theme
|
||||
libgudev
|
||||
libgpod
|
||||
libmtp
|
||||
lirc
|
||||
brasero
|
||||
grilo
|
||||
|
||||
gobject-introspection
|
||||
python3.pkgs.pygobject3
|
||||
@ -76,16 +90,14 @@ in stdenv.mkDerivation rec {
|
||||
gst_all_1.gst-plugins-ugly
|
||||
gst_all_1.gst-libav
|
||||
|
||||
libdmapsharing_3 # necessary for daap support
|
||||
libdmapsharing # for daap support
|
||||
libsecret
|
||||
libnotify
|
||||
] ++ gst_plugins;
|
||||
|
||||
configureFlags = [
|
||||
"--enable-daap"
|
||||
"--enable-libnotify"
|
||||
"--with-libsecret"
|
||||
];
|
||||
postInstall = ''
|
||||
glib-compile-schemas "$out/share/glib-2.0/schemas"
|
||||
'';
|
||||
|
||||
preFixup = ''
|
||||
gappsWrapperArgs+=(
|
||||
@ -93,8 +105,6 @@ in stdenv.mkDerivation rec {
|
||||
)
|
||||
'';
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
passthru = {
|
||||
updateScript = gnome.updateScript {
|
||||
packageName = pname;
|
||||
|
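Review bot: The meson port drops `configureFlags = [ "--enable-daap" "--enable-libnotify" "--with-libsecret" ]` without passing equivalent `mesonFlags`, so DAAP, libnotify and libsecret support now depend on meson auto-detecting `libdmapsharing`, `libnotify` and `libsecret` from `buildInputs` rather than being required, and a build that quietly disables one of them still succeeds. If upstream's meson_options.txt exposes feature options for these (verify the names), requesting them explicitly would fail the build instead, which is the behaviour the old flags provided. These hunks all belong to the same `stdenv.mkDerivation rec {`, whose body continues past them.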
@ -14,7 +14,8 @@ stdenv.mkDerivation rec {
|
||||
postPatch = ''
|
||||
substituteInPlace config.mk.def \
|
||||
--replace "/usr/include/freetype2" "${freetype.dev}/include/freetype2" \
|
||||
--replace "CC=gcc" "CC=${stdenv.cc.targetPrefix}cc"
|
||||
--replace "CC=gcc" "CC=${stdenv.cc.targetPrefix}cc" \
|
||||
--replace "RXPATH=/usr/bin/ssh" "RXPATH=ssh"
|
||||
'';
|
||||
|
||||
CFLAGS = "-D_DARWIN_C_SOURCE";
|
||||
@ -24,8 +25,12 @@ stdenv.mkDerivation rec {
|
||||
enableParallelBuilding = false;
|
||||
|
||||
postInstall = ''
|
||||
substituteInPlace deadpixi-sam.desktop \
|
||||
--replace "accessories-text-editor" "$out/share/icons/hicolor/scalable/apps/sam.svg"
|
||||
mkdir -p $out/share/applications
|
||||
mkdir -p $out/share/icons/hicolor/scalable/apps
|
||||
mv deadpixi-sam.desktop $out/share/applications
|
||||
mv sam.svg $out/share/icons/hicolor/scalable/apps
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
|
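Review bot: `--replace "RXPATH=/usr/bin/ssh" "RXPATH=ssh"` makes sam's remote sessions resolve `ssh` through the user's PATH at run time instead of a fixed path; that is a reasonable choice if openssh should not become a dependency, but it is a runtime requirement that is invisible from the derivation. Either add `openssh` to the function arguments and substitute `"RXPATH=${openssh}/bin/ssh"` so the binary is pinned, or leave a comment on the `--replace` line saying ssh is deliberately taken from PATH.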
@ -13,13 +13,13 @@
|
||||
|
||||
trivialBuild {
|
||||
pname = "ement";
|
||||
version = "unstable-2022-04-22";
|
||||
version = "unstable-2022-05-05";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "alphapapa";
|
||||
repo = "ement.el";
|
||||
rev = "70da19e4c9210d362b1d6d9c17ab2c034a03250d";
|
||||
sha256 = "sha256-Pxul0WrtyH2XZzF0fOOitLc3x/kc+Qc11RDH0n+Hm04=";
|
||||
rev = "84739451afa8355360966dfa788d469d9dc4a8e3";
|
||||
sha256 = "sha256-XdegBKZfoKbFaMM/l8249VD9KKC5/4gQIK6ggPcoOaE=";
|
||||
};
|
||||
|
||||
packageRequires = [
|
||||
|
@ -1,7 +1,6 @@
|
||||
{ lib
|
||||
, stdenv
|
||||
{ stdenv
|
||||
, lib
|
||||
, fetchurl
|
||||
, fetchpatch
|
||||
, autoreconfHook
|
||||
, gtk-doc
|
||||
, vala
|
||||
@ -22,22 +21,14 @@
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
version = "3.38.0";
|
||||
version = "3.40.0";
|
||||
pname = "gnome-latex";
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://gnome/sources/${pname}/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
|
||||
sha256 = "0xqd49pgi82dygqnxj08i1v22b0vwwhx3zvdinhrx4jny339yam8";
|
||||
sha256 = "xad/55vUDjeOooyPRaZjJ/vIzFw7W48PCcAhfufMCpA=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
# Fix build with latest tepl.
|
||||
(fetchpatch {
|
||||
url = "https://gitlab.gnome.org/Archive/gnome-latex/commit/e1b01186f8a4e5d3fee4c9ccfbedd6d098517df9.patch";
|
||||
sha256 = "H8cbp5hDZoXytEdKE2D/oYHNKIbEFwxQoEaC4JMfGHY=";
|
||||
})
|
||||
];
|
||||
|
||||
nativeBuildInputs = [
|
||||
pkg-config
|
||||
autoreconfHook
|
||||
|
@ -16,11 +16,11 @@ let
|
||||
|
||||
in stdenv.mkDerivation rec {
|
||||
pname = "nano";
|
||||
version = "6.2";
|
||||
version = "6.3";
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://gnu/nano/${pname}-${version}.tar.xz";
|
||||
sha256 = "K8oYBL6taq9K15H3VuR0m7Ve2GDuwQWpf7qGS8anfLM=";
|
||||
sha256 = "61MtpJhWcnMLUA9oXbqriFpGbQj7v3QVgyuVgF5vhoc=";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ texinfo ] ++ optional enableNls gettext;
|
||||
@ -41,9 +41,7 @@ in stdenv.mkDerivation rec {
|
||||
enableParallelBuilding = true;
|
||||
|
||||
passthru = {
|
||||
tests = {
|
||||
expect = callPackage ./test-with-expect.nix {};
|
||||
};
|
||||
tests = { expect = callPackage ./test-with-expect.nix { }; };
|
||||
|
||||
updateScript = writeScript "update.sh" ''
|
||||
#!${stdenv.shell}
|
||||
|
@ -24,9 +24,10 @@ stdenv.mkDerivation rec {
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://github.com/ibara/oed";
|
||||
description = "Portable ed editor from OpenBSD";
|
||||
homepage = "https://github.com/ibara/oed";
|
||||
license = with licenses; [ bsd2 ];
|
||||
mainProgram = "ed";
|
||||
platforms = platforms.unix;
|
||||
};
|
||||
}
|
||||
|
@ -49,6 +49,7 @@ in appimageTools.wrapType2 rec {
|
||||
# fixup and install desktop file
|
||||
${desktop-file-utils}/bin/desktop-file-install --dir $out/share/applications \
|
||||
--set-key Exec --set-value ${pname} standard-notes.desktop
|
||||
mv usr/share/icons share
|
||||
|
||||
rm usr/lib/* AppRun standard-notes.desktop .so*
|
||||
'';
|
||||
|
@ -1,12 +1,12 @@
|
||||
{ lib, fetchFromGitHub }:
|
||||
rec {
|
||||
version = "8.2.4609";
|
||||
version = "8.2.4816";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "vim";
|
||||
repo = "vim";
|
||||
rev = "v${version}";
|
||||
sha256 = "sha256-IiWZJ4zT+VbcxwKChl847pS9jU9AlxZ/yQUIL8I2MhQ=";
|
||||
sha256 = "1lgqr3ki50hwkz4vhdyaryirrs99qq4kgkhmpx7ygvn6aj2wapg5";
|
||||
};
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
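Review bot: The new `sha256 = "1lgqr3ki50hwkz4vhdyaryirrs99qq4kgkhmpx7ygvn6aj2wapg5";` switches the hash from the SRI form the old line used back to base32; both are accepted, but alternating formats across bumps makes the diffs harder to audit. Suggest keeping the SRI form, i.e. `hash = "sha256-<converted value>";` with the value converted via `nix hash to-sri`, so successive version bumps stay in one format.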
@ -3,7 +3,7 @@
|
||||
, libX11, libXext, libSM, libXpm, libXt, libXaw, libXau, libXmu
|
||||
, libICE
|
||||
, vimPlugins
|
||||
, makeWrapper, makeBinaryWrapper
|
||||
, makeWrapper
|
||||
, wrapGAppsHook
|
||||
, runtimeShell
|
||||
|
||||
@ -133,9 +133,7 @@ in stdenv.mkDerivation rec {
|
||||
++ lib.optional wrapPythonDrv makeWrapper
|
||||
++ lib.optional nlsSupport gettext
|
||||
++ lib.optional perlSupport perl
|
||||
# Make the inner wrapper binary to avoid double wrapping issues with wrapPythonDrv
|
||||
# (https://github.com/NixOS/nixpkgs/pull/164163)
|
||||
++ lib.optional (guiSupport == "gtk3") (wrapGAppsHook.override { makeWrapper = makeBinaryWrapper; })
|
||||
++ lib.optional (guiSupport == "gtk3") wrapGAppsHook
|
||||
;
|
||||
|
||||
buildInputs = [
|
||||
|
@ -1,6 +1,7 @@
|
||||
{ lib, stdenv, fetchFromGitHub, pkg-config, makeWrapper, makeDesktopItem
|
||||
, ncurses, libtermkey, lua
|
||||
, acl ? null, libselinux ? null
|
||||
{ lib, stdenv, fetchFromGitHub, pkg-config, makeWrapper
|
||||
, copyDesktopItems, makeDesktopItem
|
||||
, ncurses, libtermkey, lua, tre
|
||||
, acl, libselinux
|
||||
}:
|
||||
|
||||
let
|
||||
@ -17,12 +18,13 @@ stdenv.mkDerivation rec {
|
||||
owner = "martanne";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ pkg-config makeWrapper ];
|
||||
nativeBuildInputs = [ pkg-config makeWrapper copyDesktopItems ];
|
||||
|
||||
buildInputs = [
|
||||
ncurses
|
||||
libtermkey
|
||||
luaEnv
|
||||
tre
|
||||
] ++ lib.optionals stdenv.isLinux [
|
||||
acl
|
||||
libselinux
|
||||
@ -33,28 +35,27 @@ stdenv.mkDerivation rec {
|
||||
'';
|
||||
|
||||
postInstall = ''
|
||||
mkdir -p "$out/share/applications"
|
||||
cp $desktopItem/share/applications/* $out/share/applications
|
||||
echo wrapping $out/bin/vis with runtime environment
|
||||
wrapProgram $out/bin/vis \
|
||||
--prefix LUA_CPATH ';' "${luaEnv}/lib/lua/${lua.luaversion}/?.so" \
|
||||
--prefix LUA_PATH ';' "${luaEnv}/share/lua/${lua.luaversion}/?.lua" \
|
||||
--prefix VIS_PATH : "\$HOME/.config:$out/share/vis"
|
||||
'';
|
||||
|
||||
desktopItem = makeDesktopItem {
|
||||
name = "vis";
|
||||
exec = "vis %U";
|
||||
type = "Application";
|
||||
icon = "accessories-text-editor";
|
||||
comment = meta.description;
|
||||
desktopName = "vis";
|
||||
genericName = "Text editor";
|
||||
categories = [ "Application" "Development" "IDE" ];
|
||||
mimeTypes = [ "text/plain" "application/octet-stream" ];
|
||||
startupNotify = false;
|
||||
terminal = true;
|
||||
};
|
||||
desktopItems = [
|
||||
(makeDesktopItem {
|
||||
name = "vis";
|
||||
exec = "vis %U";
|
||||
type = "Application";
|
||||
icon = "accessories-text-editor";
|
||||
comment = meta.description;
|
||||
desktopName = "vis";
|
||||
genericName = "Text editor";
|
||||
categories = [ "Application" "Development" "IDE" ];
|
||||
mimeTypes = [ "text/plain" "application/octet-stream" ];
|
||||
startupNotify = false;
|
||||
terminal = true;
|
||||
})
|
||||
];
|
||||
|
||||
meta = with lib; {
|
||||
description = "A vim like editor";
|
||||
|
@ -79,6 +79,18 @@ let
|
||||
};
|
||||
};
|
||||
|
||||
alefragnani.bookmarks = buildVscodeMarketplaceExtension {
|
||||
mktplcRef = {
|
||||
name = "bookmarks";
|
||||
publisher = "alefragnani";
|
||||
version = "13.0.1";
|
||||
sha256 = "sha256-4IZCPNk7uBqPw/FKT5ypU2QxadQzYfwbGxxT/bUnKdE=";
|
||||
};
|
||||
meta = {
|
||||
license = lib.licenses.gpl3;
|
||||
};
|
||||
};
|
||||
|
||||
alefragnani.project-manager = buildVscodeMarketplaceExtension {
|
||||
mktplcRef = {
|
||||
name = "project-manager";
|
||||
|
@ -14,17 +14,17 @@ let
|
||||
archive_fmt = if stdenv.isDarwin then "zip" else "tar.gz";
|
||||
|
||||
sha256 = {
|
||||
x86_64-linux = "1si0r8nww5m3yn3vzw0pk3nykfvxnlwna4pp11bsli4vqj1ym2nz";
|
||||
x86_64-darwin = "002rkvc8fa7r9x2dsjhkwzmc1sp5mq998frrw5xd6bym0cp4j76l";
|
||||
aarch64-linux = "0w9gjk2a5z8cqlg43jn2r588asymiklm1b28l54gvqp7jawlb0fd";
|
||||
aarch64-darwin = "18h2kk6fcdz38xzyn37brbbj4nbrjgzv9xsz7c7iai8d01vh7s33";
|
||||
armv7l-linux = "16cs2ald40nh76m3fxxfd233hr687dhwbqdkvjz4s6xxwi0rhvwc";
|
||||
x86_64-linux = "0ss7c0dvlgnfqi0snhx73ndzjbw24xz6pcny4v52mrd1kfhcmpvd";
|
||||
x86_64-darwin = "0ds5jv5q6k1hzrwhcgkyvx0ls9p1q7zh0fqigpxandx6ysrd7cga";
|
||||
aarch64-linux = "12zz02hdhhw19rx9kbi3yd5x81w1vs8vxjrnqqvva8bj0jnwf4iq";
|
||||
aarch64-darwin = "07ws2dc2il7ky77j5pxaxqp5cyw0v04jnv98z1494pdmxyn8gf7q";
|
||||
armv7l-linux = "0khyzc69rbfz2pnbab9v3as1hdzkzxfg3mxvf6g7ax9npvsrqw92";
|
||||
}.${system};
|
||||
in
|
||||
callPackage ./generic.nix rec {
|
||||
# Please backport all compatible updates to the stable release.
|
||||
# This is important for the extension ecosystem.
|
||||
version = "1.66.2";
|
||||
version = "1.67.0";
|
||||
pname = "vscode";
|
||||
|
||||
executableName = "code" + lib.optionalString isInsiders "-insiders";
|
||||
|
@ -60,6 +60,7 @@ in
|
||||
downloadPage = "https://github.com/VSCodium/vscodium/releases";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ synthetica turion bobby285271 ];
|
||||
mainProgram = "codium";
|
||||
platforms = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" "armv7l-linux" ];
|
||||
};
|
||||
}
|
||||
|
@ -77,9 +77,11 @@ stdenv.mkDerivation {
|
||||
chmod -R a+w externals/zstd
|
||||
'';
|
||||
|
||||
# Todo: cubeb audio backend (the default one) doesn't work on the SDL interface.
|
||||
# This seems to be a problem with libpulseaudio, other applications have similar problems (e.g Duckstation).
|
||||
# Note that the two interfaces have two separate configuration files.
|
||||
# Fixes https://github.com/NixOS/nixpkgs/issues/171173
|
||||
postInstall = lib.optionalString (enableCubeb && enableSdl2) ''
|
||||
wrapProgram "$out/bin/citra" \
|
||||
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ libpulseaudio ]}
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://citra-emu.org";
|
||||
|
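Review bot: The new `postInstall` fixes the cubeb/SDL case by prefixing `LD_LIBRARY_PATH` in the wrapper, which is broader than the problem: the variable is inherited by every process citra spawns and overrides normal library resolution for all of them, not just for the pulse backend. A narrower fix is to let cubeb find libpulse at its store path, e.g. by patching the name it `dlopen`s or by linking it in via `NIX_LDFLAGS`, so no environment-wide search path is exported; the yuzu hunk below takes the same `LD_LIBRARY_PATH` route through `qtWrapperArgs` and has the same trade-off. `wrapProgram` also needs `makeWrapper` in `nativeBuildInputs`, which is outside this hunk, so please confirm it is there.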
@ -29,10 +29,11 @@ stdenv.mkDerivation rec {
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
homepage = "https://www.commanderx16.com/forum/index.php?/home/";
|
||||
description = "The official emulator of CommanderX16 8-bit computer";
|
||||
homepage = "https://www.commanderx16.com/forum/index.php?/home/";
|
||||
license = licenses.bsd2;
|
||||
maintainers = with maintainers; [ AndersonTorres ];
|
||||
mainProgram = "x16emu";
|
||||
inherit (SDL2.meta) platforms;
|
||||
};
|
||||
|
||||
|
@ -90,8 +90,9 @@ mkDerivation rec {
|
||||
runHook postCheck
|
||||
'';
|
||||
|
||||
# Libpulseaudio fixes https://github.com/NixOS/nixpkgs/issues/171173
|
||||
qtWrapperArgs = [
|
||||
"--prefix LD_LIBRARY_PATH : ${vulkan-loader}/lib"
|
||||
"--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ libpulseaudio vulkan-loader ]}"
|
||||
];
|
||||
|
||||
meta = with lib; {
|
||||
@ -102,5 +103,3 @@ mkDerivation rec {
|
||||
platforms = platforms.linux;
|
||||
};
|
||||
}
|
||||
# TODO: default sound backend (cubeb) does not work, but SDL does. Strangely,
|
||||
# switching to cubeb while a game is running makes it work.
|
||||
|
@ -22,6 +22,11 @@ stdenv.mkDerivation rec {
|
||||
|
||||
dontConfigure = true;
|
||||
|
||||
# Workaround to build against upstream gcc-10 and clang-11.
|
||||
# Can be removed when next release contains
|
||||
# https://github.com/simh/simh/issues/794
|
||||
NIX_CFLAGS_COMPILE = [ "-fcommon" ];
|
||||
|
||||
makeFlags = [ "GCC=${stdenv.cc.targetPrefix}cc" "CC_STD=-std=c99" "LDFLAGS=-lm" ];
|
||||
|
||||
preInstall = ''
|
||||
|
@ -45,13 +45,13 @@ in
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "imagemagick";
|
||||
version = "7.1.0-32";
|
||||
version = "7.1.0-33";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "ImageMagick";
|
||||
repo = "ImageMagick";
|
||||
rev = version;
|
||||
hash = "sha256-blDdNZJCyBdPEgdZXwgNUGSdSIwnqRaVLsLdFeA4JzQ=";
|
||||
hash = "sha256-qiXTSQcc48IIzz7RUcyOH2w8JUOTdU1zg43gJhoELXo=";
|
||||
};
|
||||
|
||||
outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big
|
||||
|
@ -11,11 +11,11 @@
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "drawio";
|
||||
version = "17.4.2";
|
||||
version = "18.0.1";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://github.com/jgraph/drawio-desktop/releases/download/v${version}/drawio-x86_64-${version}.rpm";
|
||||
sha256 = "294f99d9060bc394490b20d2ddab75ed5c0166d7960850f065eb8897ef31a2e3";
|
||||
sha256 = "4f3893f53e47a3937320676e02337a61c358c684d5cd0b378809b3d7deab0139";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [
|
||||
|
@ -15,6 +15,7 @@ stdenv.mkDerivation rec {
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
NIX_CFLAGS_COMPILE = "-fcommon";
|
||||
NIX_LDFLAGS = "-lm";
|
||||
|
||||
meta = with lib; {
|
||||
|
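Review bot: The `-fcommon` addition carries no explanation, unlike the equivalent change in the simh hunk above, which records why the flag is needed and when it can be removed. Whichever of `NIX_CFLAGS_COMPILE`/`NIX_LDFLAGS` is the new line here (the markers are lost), add a comment such as `# Workaround for gcc >= 10 defaulting to -fno-common; drop once upstream removes the duplicate definitions` so the flag is not carried indefinitely.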
@ -10,14 +10,14 @@
|
||||
|
||||
python3Packages.buildPythonPackage rec {
|
||||
pname = "hydrus";
|
||||
version = "482";
|
||||
version = "483";
|
||||
format = "other";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "hydrusnetwork";
|
||||
repo = "hydrus";
|
||||
rev = "refs/tags/v${version}";
|
||||
sha256 = "sha256-b7zMHwsyZv4dCn4Gd/2a+MHhT3IHISJup/zm95pEcQ4=";
|
||||
sha256 = "sha256-UU3XQ0NC/apJ0S/uDDNG+8DOD+sRyX98yMcjtL2Htig=";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [
|
||||
|
@ -80,6 +80,13 @@ stdenv.mkDerivation rec {
|
||||
url = "https://gitlab.com/inkscape/inkscape/-/commit/a18c57ffff313fd08bc8a44f6b6bf0b01d7e9b75.patch";
|
||||
sha256 = "UZb8ZTtfA5667uo5ZlVQ5vPowiSgd4ItAJ9U1BOsRQg=";
|
||||
})
|
||||
|
||||
# Fix build with poppler 22.04
|
||||
# https://gitlab.com/inkscape/inkscape/-/merge_requests/4266
|
||||
(fetchpatch {
|
||||
url = "https://gitlab.com/inkscape/inkscape/-/commit/d989cdf1059c78bc3bb6414330242073768d640b.patch";
|
||||
sha256 = "2cJZdunbRgPIwhJgz1dQoQRw3ZYZ2Fp6c3hpVBV2PbE=";
|
||||
})
|
||||
];
|
||||
|
||||
postPatch = ''
|
||||
|
@ -1,15 +1,17 @@
|
||||
{ lib, stdenv, fetchFromGitHub, makeWrapper, libjpeg_turbo, perl, perlPackages }:
|
||||
{ lib, stdenv, fetchFromGitHub, makeWrapper, perl, perlPackages, libjpeg_original }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "jpegrescan";
|
||||
date = "2016-06-01";
|
||||
name = "${pname}-${date}";
|
||||
version = "unstable-2019-03-27";
|
||||
|
||||
dontBuild = true;
|
||||
dontConfigure = true;
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "kud";
|
||||
repo = pname;
|
||||
rev = "e5e39cd972b48ccfb2cba4da6855c511385c05f9";
|
||||
sha256 = "0jbx1vzkzif6yjx1fnsm7fjsmq166sh7mn22lf01ll7s245nmpdp";
|
||||
rev = "3a7de06feabeb3c3235c3decbe2557893c1abe51";
|
||||
sha256 = "0cnl46z28lkqc5x27b8rpghvagahivrqcfvhzcsv9w1qs8qbd6dm";
|
||||
};
|
||||
|
||||
patchPhase = ''
|
||||
@ -23,24 +25,23 @@ stdenv.mkDerivation rec {
|
||||
mv jpegrescan $out/bin
|
||||
chmod +x $out/bin/jpegrescan
|
||||
|
||||
wrapProgram $out/bin/jpegrescan --prefix PERL5LIB : $PERL5LIB
|
||||
wrapProgram $out/bin/jpegrescan \
|
||||
--prefix PATH : "${libjpeg_original}/bin:" \
|
||||
--prefix PERL5LIB : $PERL5LIB
|
||||
'';
|
||||
|
||||
propagatedBuildInputs = [ perlPackages.FileSlurp ];
|
||||
|
||||
nativeBuildInputs = [
|
||||
makeWrapper
|
||||
];
|
||||
nativeBuildInputs = [ makeWrapper ];
|
||||
|
||||
buildInputs = [
|
||||
perl libjpeg_turbo
|
||||
];
|
||||
buildInputs = [ perl ];
|
||||
|
||||
meta = with lib; {
|
||||
description = "losslessly shrink any JPEG file";
|
||||
description = "Losslessly shrink any JPEG file";
|
||||
homepage = "https://github.com/kud/jpegrescan";
|
||||
license = licenses.publicDomain;
|
||||
maintainers = [ maintainers.ramkromberg ];
|
||||
maintainers = with maintainers; [ ramkromberg ];
|
||||
platforms = platforms.all;
|
||||
mainProgram = "jpegrescan";
|
||||
};
|
||||
}
|
||||
|
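Review bot: The value given to `--prefix PATH :` ends in a colon (`"${libjpeg_original}/bin:"`), so the wrapper exports `<libjpeg_original>/bin::<old PATH>`; an empty PATH element is treated by POSIX shells and `execvp` as the current working directory, so any external tool the script launches (presumably `jpegtran`, which is why this directory is being added) would be searched for in whatever directory the user runs `jpegrescan` from. Drop the separator from the value and let `--prefix` supply it: `--prefix PATH : "${libjpeg_original}/bin" \`. While this line is being rewritten, `--prefix PERL5LIB : $PERL5LIB` would also be more robust quoted as `"$PERL5LIB"`, so a path containing whitespace is passed as one argument.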
@ -1,6 +1,7 @@
|
||||
{ lib
|
||||
, stdenv
|
||||
, fetchFromGitHub
|
||||
, alsa-lib
|
||||
, appstream-glib
|
||||
, desktop-file-utils
|
||||
, gio-sharp
|
||||
@ -21,19 +22,20 @@
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "rnote";
|
||||
version = "0.4.0";
|
||||
version = "0.5.1-hotfix-1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "flxzt";
|
||||
repo = "rnote";
|
||||
rev = "v${version}";
|
||||
sha256 = "sha256-J7IW329rWFEoB+44762DAkWA8Hq4IVmXgc+QoDQaxV0=";
|
||||
fetchSubmodules = true;
|
||||
hash = "sha256-Oq/RKeKICyImSPr4GSNjPXZWtuRQ7+9nRfl9MmC+UYI=";
|
||||
};
|
||||
|
||||
cargoDeps = rustPlatform.fetchCargoTarball {
|
||||
inherit src;
|
||||
name = "${pname}-${version}";
|
||||
hash = "sha256-elXaikB/RemMxA4OXyZNQOgP1alImQMJHng5oX2j480=";
|
||||
hash = "sha256-gdVy+7xSQVkI84Ta6KLOLR9UUsDoD2Cd0cuNU+OXf2M=";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [
|
||||
@ -51,6 +53,7 @@ stdenv.mkDerivation rec {
|
||||
];
|
||||
|
||||
buildInputs = [
|
||||
alsa-lib
|
||||
gio-sharp
|
||||
glib
|
||||
gstreamer
|
||||
|
@ -40,18 +40,19 @@ stdenv.mkDerivation {
|
||||
buildInputs = [
|
||||
avahi
|
||||
libgphoto2
|
||||
libieee1284
|
||||
libjpeg
|
||||
libpng
|
||||
libtiff
|
||||
libusb1
|
||||
libv4l
|
||||
net-snmp
|
||||
curl
|
||||
systemd
|
||||
libxml2
|
||||
poppler
|
||||
gawk
|
||||
] ++ lib.optionals stdenv.isLinux [
|
||||
libieee1284
|
||||
libv4l
|
||||
net-snmp
|
||||
systemd
|
||||
];
|
||||
|
||||
enableParallelBuilding = true;
|
||||
@ -113,6 +114,6 @@ stdenv.mkDerivation {
|
||||
'';
|
||||
homepage = "http://www.sane-project.org/";
|
||||
license = licenses.gpl2Plus;
|
||||
platforms = platforms.linux;
|
||||
platforms = platforms.linux ++ platforms.darwin;
|
||||
};
|
||||
}
|
||||
|
@ -42,11 +42,11 @@ let
|
||||
|
||||
in stdenv.mkDerivation rec {
|
||||
pname = "1password";
|
||||
version = "8.7.0-49.BETA";
|
||||
version = "8.8.0-11.BETA";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://downloads.1password.com/linux/tar/beta/x86_64/1password-${version}.x64.tar.gz";
|
||||
sha256 = "sha256-cYT9Pi2WEjZQ5P7Dr84l65AHyD8tZrYC+m4hFxSsNd4=";
|
||||
sha256 = "sha256-HU+nIz3aKXXdBWEBMSRlbi8yZ+JEsE33o6nfbWRgpBo=";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ makeWrapper ];
|
||||
|