Merge master into staging-next

This commit is contained in:
Frederik Rietdijk 2020-10-08 21:47:26 +02:00
commit ec28e32c9e
181 changed files with 11059 additions and 4669 deletions

View File

@ -1242,6 +1242,12 @@
githubId = 32319131;
name = "Brett L";
};
buckley310 = {
email = "sean.bck@gmail.com";
github = "buckley310";
githubId = 2379774;
name = "Sean Buckley";
};
buffet = {
email = "niclas@countingsort.com";
github = "buffet";
@ -4251,7 +4257,7 @@
name = "Julien Dehos";
};
julm = {
email = "julm+nixpkgs@sourcephile.fr";
email = "julm+nix@sourcephile.fr";
github = "ju1m";
githubId = 21160136;
name = "Julien Moutinho";
@ -6567,6 +6573,12 @@
githubId = 8641;
name = "Pierre Carrier";
};
penguwin = {
email = "penguwin@penguwin.eu";
github = "penguwin";
githubId = 13225611;
name = "Nicolas Martin";
};
periklis = {
email = "theopompos@gmail.com";
github = "periklis";
@ -9744,4 +9756,10 @@
fingerprint = "8597 4506 EC69 5392 0443 0805 9D98 CDAC FF04 FD78";
}];
};
hloeffler = {
name = "Hauke Löffler";
email = "nix@hauke-loeffler.de";
github = "hloeffler";
githubId = 6627191;
};
}

View File

@ -226,7 +226,29 @@ GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
<filename>testing-python.nix</filename> respectively.
</para>
</listitem>
</itemizedlist>
<listitem>
<para>
The Mediatomb service declares new options. It also adapts existing
options to make the configuration generation lazy. The existing option
<literal>customCfg</literal> (defaults to false), when enabled, stops
the service configuration generation completely. It then expects the
users to provide their own correct configuration at the right location
(whereas the configuration was generated and not used at all before).
The new option <literal>transcodingOption</literal> (defaults to no)
allows a generated configuration. It makes the mediatomb service pulls
the necessary runtime dependencies in the nix store (whereas it was
generated with hardcoded values before). The new option
<literal>mediaDirectories</literal> allows the users to declare autoscan
media directories from their nixos configuration:
<programlisting>
services.mediatomb.mediaDirectories = [
{ path = "/var/lib/mediatomb/pictures"; recursive = false; hidden-files = false; }
{ path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; }
];
</programlisting>
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
@ -864,6 +886,23 @@ CREATE ROLE postgres LOGIN SUPERUSER;
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
The mediatomb service is now using the new and maintained <literal>gerbera</literal>
<literal>gerbera</literal> fork instead of the unmaintained
<literal>mediatomb</literal> package. If you want to keep the old
behavior, you must declare it with:
<programlisting>
services.mediatomb.package = pkgs.mediatomb;
</programlisting>
One new option <literal>openFirewall</literal> has been introduced which
defaults to false. If you relied on the service declaration to add the
firewall rules itself before, you should now declare it with:
<programlisting>
services.mediatomb.openFirewall = true;
</programlisting>
</para>
</listitem>
</itemizedlist>
</section>
@ -1009,24 +1048,6 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0";
to get the previous behavior of listening on all network interfaces.
</para>
</listitem>
<listitem>
<para>
The <literal>security.apparmor</literal> module,
for the <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link>
Mandatory Access Control system,
has been substantialy improved along with related tools,
so that module maintainers can now more easily write AppArmor profiles for NixOS.
The most notable change on the user-side is the new option <xref linkend="opt-security.apparmor.policies"/>,
replacing the previous <literal>profiles</literal> option
to provide a way to disable a profile
and to select whether to confine in enforce mode (default)
or in complain mode (see <literal>journalctl -b --grep apparmor</literal>).
Before enabling this module, either directly
or by importing <literal>&lt;nixpkgs/nixos/modules/profiles/hardened.nix&gt;</literal>,
please be sure to read the documentation of <link linkend="opt-security.apparmor.enable">security.apparmor.enable</link>,
and especially the part about <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>.
</para>
</listitem>
<listitem>
<para>
With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>)

View File

@ -94,7 +94,16 @@
<itemizedlist>
<listitem>
<para />
<para>
The default-version of <literal>nextcloud</literal> is <package>nextcloud20</package>.
Please note that it's <emphasis>not</emphasis> possible to upgrade <literal>nextcloud</literal>
across multiple major versions! This means that it's e.g. not possible to upgrade
from <package>nextcloud18</package> to <package>nextcloud20</package> in a single deploy.
</para>
<para>
The package can be manually upgraded by setting <xref linkend="opt-services.nextcloud.package" />
to <package>nextcloud20</package>.
</para>
</listitem>
</itemizedlist>
</section>

View File

@ -448,40 +448,6 @@ in
(mkIf cfg.enable {
environment.systemPackages = [ pkgs.fontconfig ];
environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/";
security.apparmor.includes."abstractions/fonts" = ''
# fonts.conf
r ${pkg.out}/etc/fonts/fonts.conf,
# fontconfig default config files
r ${pkg.out}/etc/fonts/conf.d/*.conf,
# 00-nixos-cache.conf
r ${cacheConf},
# 10-nixos-rendering.conf
r ${renderConf},
# 50-user.conf
${optionalString cfg.includeUserConf ''
r ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf,
''}
# local.conf (indirect priority 51)
${optionalString (cfg.localConf != "") ''
r ${localConf},
''}
# 52-nixos-default-fonts.conf
r ${defaultFontsConf},
# 53-no-bitmaps.conf
r ${rejectBitmaps},
${optionalString (!cfg.allowType1) ''
# 53-nixos-reject-type1.conf
r ${rejectType1},
''}
'';
})
(mkIf cfg.enable {
fonts.fontconfig.confPackages = [ confPkg ];

View File

@ -87,12 +87,5 @@ in
environment.etc."ld-nix.so.preload".text = ''
${providerLibPath}
'';
security.apparmor.includes = {
"abstractions/base" = ''
r /etc/ld-nix.so.preload,
r ${config.environment.etc."ld-nix.so.preload".source},
mr ${providerLibPath},
'';
};
};
}

View File

@ -186,6 +186,7 @@
./rename.nix
./security/acme.nix
./security/apparmor.nix
./security/apparmor-suid.nix
./security/audit.nix
./security/auditd.nix
./security/ca.nix
@ -331,6 +332,7 @@
./services/desktops/tumbler.nix
./services/desktops/zeitgeist.nix
./services/development/bloop.nix
./services/development/blackfire.nix
./services/development/hoogle.nix
./services/development/jupyter/default.nix
./services/development/jupyterhub/default.nix

View File

@ -110,6 +110,7 @@ let
protocolOpts = if useDns then (
[ "--dns" data.dnsProvider ]
++ optionals (!data.dnsPropagationCheck) [ "--dns.disable-cp" ]
++ optionals (data.dnsResolver != null) [ "--dns.resolvers" data.dnsResolver ]
) else (
[ "--http" "--http.webroot" data.webroot ]
);
@ -207,7 +208,7 @@ let
renewService = {
description = "Renew ACME certificate for ${cert}";
after = [ "network.target" "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps;
after = [ "network.target" "network-online.target" "acme-fixperms.service" "nss-lookup.target" ] ++ selfsignedDeps;
wants = [ "network-online.target" "acme-fixperms.service" ] ++ selfsignedDeps;
# https://github.com/NixOS/nixpkgs/pull/81371#issuecomment-605526099
@ -403,6 +404,17 @@ let
'';
};
dnsResolver = mkOption {
type = types.nullOr types.str;
default = null;
example = "1.1.1.1:53";
description = ''
Set the resolver to use for performing recursive DNS queries. Supported:
host:port. The default is to use the system resolvers, or Google's DNS
resolvers if the system's cannot be determined.
'';
};
credentialsFile = mkOption {
type = types.path;
description = ''

View File

@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
let
cfg = config.security.apparmor;
in
with lib;
{
imports = [
(mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
];
options.security.apparmor.confineSUIDApplications = mkOption {
type = types.bool;
default = true;
description = ''
Install AppArmor profiles for commonly-used SUID application
to mitigate potential privilege escalation attacks due to bugs
in such applications.
Currently available profiles: ping
'';
};
config = mkIf (cfg.confineSUIDApplications) {
security.apparmor.profiles = [ (pkgs.writeText "ping" ''
#include <tunables/global>
/run/wrappers/bin/ping {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
capability net_raw,
capability setuid,
network inet raw,
${pkgs.stdenv.cc.libc.out}/lib/*.so mr,
${pkgs.libcap.lib}/lib/libcap.so* mr,
${pkgs.attr.out}/lib/libattr.so* mr,
${pkgs.iputils}/bin/ping mixr,
#/etc/modules.conf r,
## Site-specific additions and overrides. See local/README for details.
##include <local/bin.ping>
}
'') ];
};
}

View File

@ -1,198 +1,59 @@
{ config, lib, pkgs, ... }:
let
inherit (builtins) attrNames head map match readFile;
inherit (lib) types;
inherit (config.environment) etc;
inherit (lib) mkIf mkOption types concatMapStrings;
cfg = config.security.apparmor;
mkDisableOption = name: lib.mkEnableOption name // {
default = true;
example = false;
};
enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies;
in
{
imports = [
(lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
(lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")
(lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.")
apparmor/includes.nix
apparmor/profiles.nix
];
options = {
security.apparmor = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable the AppArmor Mandatory Access Control system.";
};
profiles = mkOption {
type = types.listOf types.path;
default = [];
description = "List of files containing AppArmor profiles.";
};
packages = mkOption {
type = types.listOf types.package;
default = [];
description = "List of packages to be added to apparmor's include path";
};
};
};
options = {
security.apparmor = {
enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system.
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.apparmor-utils ];
If you're enabling this module on a running system,
note that a reboot will be required to activate AppArmor in the kernel.
boot.kernelParams = [ "apparmor=1" "security=apparmor" ];
Also, beware that enabling this module will by default
try to kill unconfined but confinable running processes,
in order to obtain a confinement matching what is declared in the NixOS configuration.
This will happen when upgrading to a NixOS revision
introducing an AppArmor profile for the executable of a running process.
This is because enabling an AppArmor profile for an executable
can only confine new or already confined processes of that executable,
but leaves already running processes unconfined.
Set <link linkend="opt-security.apparmor.killUnconfinedConfinables">killUnconfinedConfinables</link>
to <literal>false</literal> if you prefer to leave those processes running'';
policies = lib.mkOption {
description = ''
AppArmor policies.
'';
type = types.attrsOf (types.submodule ({ name, config, ... }: {
options = {
enable = mkDisableOption "loading of the profile into the kernel";
enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
profile = lib.mkOption {
description = "The policy of the profile.";
type = types.lines;
apply = pkgs.writeText name;
};
};
}));
default = {};
};
includes = lib.mkOption {
type = types.attrsOf types.lines;
default = {};
description = ''
List of paths to be added to AppArmor's searched paths
when resolving <literal>include</literal> directives.
'';
apply = lib.mapAttrs pkgs.writeText;
};
packages = lib.mkOption {
type = types.listOf types.package;
default = [];
description = "List of packages to be added to AppArmor's include path";
};
enableCache = lib.mkEnableOption ''caching of AppArmor policies
in <literal>/var/cache/apparmor/</literal>.
Beware that AppArmor policies almost always contain Nix store paths,
and thus produce at each change of these paths
a new cached version accumulating in the cache'';
killUnconfinedConfinables = mkDisableOption ''killing of processes
which have an AppArmor profile enabled
(in <link linkend="opt-security.apparmor.policies">policies</link>)
but are not confined (because AppArmor can only confine new processes).
Beware that due to a current limitation of AppArmor,
only profiles with exact paths (and no name) can enable such kills'';
};
};
config = lib.mkIf cfg.enable {
assertions = map (policy:
{ assertion = match ".*/.*" policy == null;
message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash.";
# Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions
# which does not recurse into sub-directories.
}
) (attrNames cfg.policies);
environment.systemPackages = [ pkgs.apparmor-utils ];
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
# It's important to put only enabledPolicies here and not all cfg.policies
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++
lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes
);
environment.etc."apparmor/parser.conf".text = ''
${if cfg.enableCache then "write-cache" else "skip-cache"}
cache-loc /var/cache/apparmor
Include /etc/apparmor.d
'' +
lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;
# For aa-logprof
environment.etc."apparmor/apparmor.conf".text = ''
'';
# For aa-logprof
environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db";
environment.etc."apparmor/logprof.conf".text = ''
[settings]
# /etc/apparmor.d/ is read-only on NixOS
profiledir = /var/cache/apparmor/logprof
inactive_profiledir = /etc/apparmor.d/disable
# Use: journalctl -b --since today --grep audit: | aa-logprof
logfiles = /dev/stdin
parser = ${pkgs.apparmor-parser}/bin/apparmor_parser
ldd = ${pkgs.glibc.bin}/bin/ldd
logger = ${pkgs.utillinux}/bin/logger
# customize how file ownership permissions are presented
# 0 - off
# 1 - default of what ever mode the log reported
# 2 - force the new permissions to be user
# 3 - force all perms on the rule to be user
default_owner_prompt = 1
custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}
[qualifiers]
${pkgs.runtimeShell} = icnu
${pkgs.bashInteractive}/bin/sh = icnu
${pkgs.bashInteractive}/bin/bash = icnu
'' + head (match "^.*\\[qualifiers](.*)" # Drop the original [settings] section.
(readFile "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf"));
boot.kernelParams = [ "apparmor=1" "security=apparmor" ];
systemd.services.apparmor = {
after = [
"local-fs.target"
"systemd-journald-audit.socket"
];
before = [ "sysinit.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig = {
Description="Load AppArmor policies";
DefaultDependencies = "no";
ConditionSecurity = "apparmor";
};
# Reloading instead of restarting enables to load new AppArmor profiles
# without necessarily restarting all services which have Requires=apparmor.service
reloadIfChanged = true;
restartTriggers = [
etc."apparmor/parser.conf".source
etc."apparmor.d".source
];
serviceConfig = let
killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" ''
set -eu
${pkgs.apparmor-utils}/bin/aa-status --json |
${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' |
xargs --verbose --no-run-if-empty --delimiter='\n' \
kill
'';
commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}";
in {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";
ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies;
ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
ExecReload =
# Add or replace into the kernel profiles in enabledPolicies
# (because AppArmor can do that without stopping the processes already confined).
lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++
# Remove from the kernel any profile whose name is not
# one of the names within the content of the profiles in enabledPolicies
# (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory).
# Note that this does not remove profiles dynamically generated by libvirt.
[ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++
# Optionaly kill the processes which are unconfined but now have a profile loaded
# (because AppArmor can only start to confine new processes).
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";
CacheDirectory = [ "apparmor" "apparmor/logprof" ];
CacheDirectoryMode = "0700";
};
};
};
meta.maintainers = with lib.maintainers; [ julm ];
systemd.services.apparmor = let
paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d")
([ pkgs.apparmor-profiles ] ++ cfg.packages);
in {
after = [ "local-fs.target" ];
before = [ "sysinit.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig = {
DefaultDependencies = "no";
};
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStart = map (p:
''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"''
) cfg.profiles;
ExecStop = map (p:
''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''
) cfg.profiles;
ExecReload = map (p:
''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"''
) cfg.profiles;
};
};
};
}

View File

@ -1,301 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (builtins) attrNames hasAttr isAttrs;
inherit (lib) getLib;
inherit (config.environment) etc;
etcRule = arg:
let go = {path ? null, mode ? "r", trail ? ""}:
lib.optionalString (hasAttr path etc)
"${mode} ${config.environment.etc.${path}.source}${trail},";
in if isAttrs arg
then go arg
else go {path=arg;};
in
{
# FIXME: most of the etcRule calls below have been
# written systematically by converting from apparmor-profiles's profiles
# without testing nor deep understanding of their uses,
# and thus may need more rules or can have less rules;
# this remains to be determined case by case,
# some may even be completely useless.
config.security.apparmor.includes = {
# This one is included by <tunables/global>
# which is usualy included before any profile.
"abstractions/tunables/alias" = ''
alias /bin -> /run/current-system/sw/bin,
alias /lib/modules -> /run/current-system/kernel/lib/modules,
alias /sbin -> /run/current-system/sw/sbin,
alias /usr -> /run/current-system/sw,
'';
"abstractions/audio" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"
${etcRule "asound.conf"}
${etcRule "esound/esd.conf"}
${etcRule "libao.conf"}
${etcRule {path="pulse"; trail="/";}}
${etcRule {path="pulse"; trail="/**";}}
${etcRule {path="sound"; trail="/";}}
${etcRule {path="sound"; trail="/**";}}
${etcRule {path="alsa/conf.d"; trail="/";}}
${etcRule {path="alsa/conf.d"; trail="/*";}}
${etcRule "openal/alsoft.conf"}
${etcRule "wildmidi/wildmidi.conf"}
'';
"abstractions/authentication" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"
# Defined in security.pam
include <abstractions/pam>
${etcRule "nologin"}
${etcRule "securetty"}
${etcRule {path="security"; trail="/*";}}
${etcRule "shadow"}
${etcRule "gshadow"}
${etcRule "pwdb.conf"}
${etcRule "default/passwd"}
${etcRule "login.defs"}
'';
"abstractions/base" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
r ${pkgs.stdenv.cc.libc}/share/locale/**,
r ${pkgs.stdenv.cc.libc}/share/locale.alias,
${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"}
${etcRule "localtime"}
r ${pkgs.tzdata}/share/zoneinfo/**,
r ${pkgs.stdenv.cc.libc}/share/i18n/**,
'';
"abstractions/bash" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"
# system-wide bash configuration
${etcRule "profile.dos"}
${etcRule "profile"}
${etcRule "profile.d"}
${etcRule {path="profile.d"; trail="/*";}}
${etcRule "bashrc"}
${etcRule "bash.bashrc"}
${etcRule "bash.bashrc.local"}
${etcRule "bash_completion"}
${etcRule "bash_completion.d"}
${etcRule {path="bash_completion.d"; trail="/*";}}
# bash relies on system-wide readline configuration
${etcRule "inputrc"}
# bash inspects filesystems at startup
# and /etc/mtab is linked to /proc/mounts
@{PROC}/mounts
# run out of /etc/bash.bashrc
${etcRule "DIR_COLORS"}
'';
"abstractions/cups-client" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client"
${etcRule "cups/cups-client.conf"}
'';
"abstractions/consoles" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"
'';
"abstractions/dbus-session-strict" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"
${etcRule "machine-id"}
'';
"abstractions/dconf" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"
${etcRule {path="dconf"; trail="/**";}}
'';
"abstractions/dri-common" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"
${etcRule "drirc"}
'';
# The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/
# by symlinking them but without exporting them outside of its NixOS module,
# those are therefore added there to this "abstractions/fonts".
"abstractions/fonts" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"
${etcRule {path="fonts"; trail="/**";}}
'';
"abstractions/gnome" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"
${etcRule {path="gnome"; trail="/gtkrc*";}}
${etcRule {path="gtk"; trail="/*";}}
${etcRule {path="gtk-2.0"; trail="/*";}}
${etcRule {path="gtk-3.0"; trail="/*";}}
${etcRule "orbitrc"}
include <abstractions/fonts>
${etcRule {path="pango"; trail="/*";}}
${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}}
${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}}
${etcRule "papersize"}
${etcRule {path="cups"; trail="/lpoptions";}}
${etcRule {path="gnome"; trail="/defaults.list";}}
${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}}
${etcRule "xdg/mimeapps.list"}
'';
"abstractions/kde" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"
${etcRule {path="qt3"; trail="/kstylerc";}}
${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}}
${etcRule {path="qt3"; trail="/qtrc";}}
${etcRule "kderc"}
${etcRule {path="kde3"; trail="/*";}}
${etcRule "kde4rc"}
${etcRule {path="xdg"; trail="/kdeglobals";}}
${etcRule {path="xdg"; trail="/Trolltech.conf";}}
'';
"abstractions/kerberosclient" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"
${etcRule {path="krb5.keytab"; mode="rk";}}
${etcRule "krb5.conf"}
${etcRule "krb5.conf.d"}
${etcRule {path="krb5.conf.d"; trail="/*";}}
# config files found via strings on libs
${etcRule "krb.conf"}
${etcRule "krb.realms"}
${etcRule "srvtab"}
'';
"abstractions/ldapclient" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"
${etcRule "ldap.conf"}
${etcRule "ldap.secret"}
${etcRule {path="openldap"; trail="/*";}}
${etcRule {path="openldap"; trail="/cacerts/*";}}
${etcRule {path="sasl2"; trail="/*";}}
'';
"abstractions/likewise" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"
'';
"abstractions/mdns" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"
${etcRule "nss_mdns.conf"}
'';
"abstractions/nameservice" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"
# Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns,
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
${etcRule "group"}
${etcRule "host.conf"}
${etcRule "hosts"}
${etcRule "nsswitch.conf"}
${etcRule "gai.conf"}
${etcRule "passwd"}
${etcRule "protocols"}
# libtirpc (used for NIS/YP login) needs this
${etcRule "netconfig"}
${etcRule "resolv.conf"}
${etcRule {path="samba"; trail="/lmhosts";}}
${etcRule "services"}
${etcRule "default/nss"}
# libnl-3-200 via libnss-gw-name
${etcRule {path="libnl"; trail="/classid";}}
${etcRule {path="libnl-3"; trail="/classid";}}
mr ${getLib pkgs.nss}/lib/libnss_*.so*,
mr ${getLib pkgs.nss}/lib64/libnss_*.so*,
'';
"abstractions/nis" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"
'';
"abstractions/nvidia" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia"
${etcRule "vdpau_wrapper.cfg"}
'';
"abstractions/opencl-common" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"
${etcRule {path="OpenCL"; trail="/**";}}
'';
"abstractions/opencl-mesa" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"
${etcRule "default/drirc"}
'';
"abstractions/openssl" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"
${etcRule {path="ssl"; trail="/openssl.cnf";}}
'';
"abstractions/p11-kit" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"
${etcRule {path="pkcs11"; trail="/";}}
${etcRule {path="pkcs11"; trail="/pkcs11.conf";}}
${etcRule {path="pkcs11"; trail="/modules/";}}
${etcRule {path="pkcs11"; trail="/modules/*";}}
'';
"abstractions/perl" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"
${etcRule {path="perl"; trail="/**";}}
'';
"abstractions/php" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"
${etcRule {path="php"; trail="/**/";}}
${etcRule {path="php5"; trail="/**/";}}
${etcRule {path="php7"; trail="/**/";}}
${etcRule {path="php"; trail="/**.ini";}}
${etcRule {path="php5"; trail="/**.ini";}}
${etcRule {path="php7"; trail="/**.ini";}}
'';
"abstractions/postfix-common" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"
${etcRule "mailname"}
${etcRule {path="postfix"; trail="/*.cf";}}
${etcRule "postfix/main.cf"}
${etcRule "postfix/master.cf"}
'';
"abstractions/python" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"
'';
"abstractions/qt5" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"
${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}}
${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}}
${etcRule "xdg/QtProject/qtlogging.ini"}
'';
"abstractions/samba" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"
${etcRule {path="samba"; trail="/*";}}
'';
"abstractions/ssl_certs" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"
${etcRule "ssl/certs/ca-certificates.crt"}
${etcRule "ssl/certs/ca-bundle.crt"}
${etcRule "pki/tls/certs/ca-bundle.crt"}
${etcRule {path="ssl/trust"; trail="/";}}
${etcRule {path="ssl/trust"; trail="/*";}}
${etcRule {path="ssl/trust/anchors"; trail="/";}}
${etcRule {path="ssl/trust/anchors"; trail="/**";}}
${etcRule {path="pki/trust"; trail="/";}}
${etcRule {path="pki/trust"; trail="/*";}}
${etcRule {path="pki/trust/anchors"; trail="/";}}
${etcRule {path="pki/trust/anchors"; trail="/**";}}
# security.acme NixOS module
r /var/lib/acme/*/cert.pem,
r /var/lib/acme/*/chain.pem,
r /var/lib/acme/*/fullchain.pem,
'';
"abstractions/ssl_keys" = ''
# security.acme NixOS module
r /var/lib/acme/*/full.pem,
r /var/lib/acme/*/key.pem,
'';
"abstractions/vulkan" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"
${etcRule {path="vulkan/icd.d"; trail="/";}}
${etcRule {path="vulkan/icd.d"; trail="/*.json";}}
'';
"abstractions/winbind" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"
${etcRule {path="samba"; trail="/smb.conf";}}
${etcRule {path="samba"; trail="/dhcp.conf";}}
'';
"abstractions/X" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"
${etcRule {path="X11/cursors"; trail="/";}}
${etcRule {path="X11/cursors"; trail="/**";}}
'';
};
}

View File

@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
let apparmor = config.security.apparmor; in
{
config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''
include "${pkgs.iputils.apparmor}/bin.ping"
include "${pkgs.inetutils.apparmor}/bin.ping"
# Note that including those two profiles in the same profile
# would not work if the second one were to re-include <tunables/global>.
'';
}

View File

@ -366,7 +366,7 @@ let
${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth
"auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"}
${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth
"auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"}"}
"auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"}"}
${optionalString cfg.usbAuth
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
@ -653,6 +653,22 @@ in
xlink:href="https://developers.yubico.com/pam-u2f/">here</link>.
'';
};
appId = mkOption {
default = null;
type = with types; nullOr str;
description = ''
By default <literal>pam-u2f</literal> module sets the application
ID to <literal>pam://$HOSTNAME</literal>.
When using <command>pamu2fcfg</command>, you can specify your
application ID with the <literal>-i</literal> flag.
More information can be found <link
xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html">
here</link>
'';
};
control = mkOption {
default = "sufficient";
@ -834,61 +850,6 @@ in
runuser-l = { rootOK = true; unixAuth = false; };
};
security.apparmor.includes."abstractions/pam" = let
isEnabled = test: fold or false (map test (attrValues config.security.pam.services));
in ''
${lib.concatMapStringsSep "\n"
(name: "r ${config.environment.etc."pam.d/${name}".source},")
(attrNames config.security.pam.services)}
mr ${getLib pkgs.pam}/lib/security/pam_filter/*,
mr ${getLib pkgs.pam}/lib/security/pam_*.so,
r ${getLib pkgs.pam}/lib/security/,
${optionalString use_ldap
"mr ${pam_ldap}/lib/security/pam_ldap.so,"}
${optionalString config.services.sssd.enable
"mr ${pkgs.sssd}/lib/security/pam_sss.so,"}
${optionalString config.krb5.enable ''
mr ${pam_krb5}/lib/security/pam_krb5.so,
mr ${pam_ccreds}/lib/security/pam_ccreds.so,
''}
${optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,
''}
${optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication))
"mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,"}
${optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth))
"mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,"}
${optionalString (isEnabled (cfg: cfg.fprintAuth))
"mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,"}
${optionalString (isEnabled (cfg: cfg.u2fAuth))
"mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,"}
${optionalString (isEnabled (cfg: cfg.usbAuth))
"mr ${pkgs.pam_usb}/lib/security/pam_usb.so,"}
${optionalString (isEnabled (cfg: cfg.oathAuth))
"mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,"}
${optionalString (isEnabled (cfg: cfg.yubicoAuth))
"mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,"}
${optionalString (isEnabled (cfg: cfg.duoSecurity.enable))
"mr ${pkgs.duo-unix}/lib/security/pam_duo.so,"}
${optionalString (isEnabled (cfg: cfg.otpwAuth))
"mr ${pkgs.otpw}/lib/security/pam_otpw.so,"}
${optionalString config.security.pam.enableEcryptfs
"mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,"}
${optionalString (isEnabled (cfg: cfg.pamMount))
"mr ${pkgs.pam_mount}/lib/security/pam_mount.so,"}
${optionalString (isEnabled (cfg: cfg.enableGnomeKeyring))
"mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,"}
${optionalString (isEnabled (cfg: cfg.startSession))
"mr ${pkgs.systemd}/lib/security/pam_systemd.so,"}
${optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable)
"mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,"}
${optionalString (isEnabled (cfg: cfg.enableKwallet))
"mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,"}
${optionalString config.virtualisation.lxc.lxcfs.enable
"mr ${pkgs.lxc}/lib/security/pam_cgfs.so"}
'';
};
}

View File

@ -179,14 +179,6 @@ in
export PATH="${wrapperDir}:$PATH"
'';
security.apparmor.includes."nixos/security.wrappers" = ''
include "${pkgs.apparmorRulesFromClosure {} [
securityWrapper
pkgs.stdenv.cc.cc
pkgs.stdenv.cc.libc
]}"
'';
###### setcap activation script
system.activationScripts.wrappers =
lib.stringAfter [ "specialfs" "users" ]

View File

@ -38,13 +38,18 @@ let
cassandraYaml = builtins.toJSON cassandraConfigWithAddresses;
cassandraEnvPkg = "${cfg.package}/conf/cassandra-env.sh";
cassandraLogbackConfig = pkgs.writeText "logback.xml" cfg.logbackConfig;
passAsFile = [ "extraEnvSh" ];
inherit (cfg) extraEnvSh;
buildCommand = ''
mkdir -p "$out"
echo "$cassandraYaml" > "$out/cassandra.yaml"
ln -s "$cassandraLogbackConfig" "$out/logback.xml"
cp "$cassandraEnvPkg" "$out/cassandra-env.sh"
( cat "$cassandraEnvPkg"
echo "# lines from services.cassandra.extraEnvSh: "
cat "$extraEnvShPath"
) > "$out/cassandra-env.sh"
# Delete default JMX Port, otherwise we can't set it using env variable
sed -i '/JMX_PORT="7199"/d' "$out/cassandra-env.sh"
@ -224,6 +229,14 @@ in {
Extra options to be merged into cassandra.yaml as nix attribute set.
'';
};
extraEnvSh = mkOption {
type = types.lines;
default = "";
example = "CLASSPATH=$CLASSPATH:\${extraJar}";
description = ''
Extra shell lines to be appended onto cassandra-env.sh.
'';
};
fullRepairInterval = mkOption {
type = types.nullOr types.str;
default = "3w";

View File

@ -0,0 +1,65 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.blackfire-agent;
agentConfigFile = lib.generators.toINI {} {
blackfire = cfg.settings;
};
agentSock = "blackfire/agent.sock";
in {
meta = {
maintainers = pkgs.blackfire.meta.maintainers;
doc = ./blackfire.xml;
};
options = {
services.blackfire-agent = {
enable = lib.mkEnableOption "Blackfire profiler agent";
settings = lib.mkOption {
description = ''
See https://blackfire.io/docs/configuration/agent
'';
type = lib.types.submodule {
freeformType = with lib.types; attrsOf str;
options = {
server-id = lib.mkOption {
type = lib.types.str;
description = ''
Sets the server id used to authenticate with Blackfire
You can find your personal server-id at https://blackfire.io/my/settings/credentials
'';
};
server-token = lib.mkOption {
type = lib.types.str;
description = ''
Sets the server token used to authenticate with Blackfire
You can find your personal server-token at https://blackfire.io/my/settings/credentials
'';
};
};
};
};
};
};
config = lib.mkIf cfg.enable {
environment.etc."blackfire/agent".text = agentConfigFile;
services.blackfire-agent.settings.socket = "unix:///run/${agentSock}";
systemd.services.blackfire-agent = {
description = "Blackfire agent";
serviceConfig = {
ExecStart = "${pkgs.blackfire}/bin/blackfire-agent";
RuntimeDirectory = "blackfire";
};
};
};
}

View File

@ -0,0 +1,45 @@
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="module-services-blackfire">
<title>Blackfire profiler</title>
<para>
<emphasis>Source:</emphasis>
<filename>modules/services/development/blackfire.nix</filename>
</para>
<para>
<emphasis>Upstream documentation:</emphasis>
<link xlink:href="https://blackfire.io/docs/introduction"/>
</para>
<para>
<link xlink:href="https://blackfire.io">Blackfire</link> is a proprietary tool for profiling applications. There are several languages supported by the product but currently only PHP support is packaged in Nixpkgs. The back-end consists of a module that is loaded into the language runtime (called <firstterm>probe</firstterm>) and a service (<firstterm>agent</firstterm>) that the probe connects to and that sends the profiles to the server.
</para>
<para>
To use it, you will need to enable the agent and the probe on your server. The exact method will depend on the way you use PHP but here is an example of NixOS configuration for PHP-FPM:
<programlisting>let
php = pkgs.php.withExtensions ({ enabled, all }: enabled ++ (with all; [
blackfire
]));
in {
# Enable the probe extension for PHP-FPM.
services.phpfpm = {
phpPackage = php;
};
# Enable and configure the agent.
services.blackfire-agent = {
enable = true;
settings = {
# You will need to get credentials at https://blackfire.io/my/settings/credentials
# You can also use other options described in https://blackfire.io/docs/configuration/agent
server-id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
server-token = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};
};
# Make the agent run on start-up.
# Alternately, you can start it manually with `systemctl start blackfire-agent`.
systemd.services.blackfire-agent.wantedBy = [ "phpfpm-foo.service" ];
}</programlisting>
</para>
<para>
On your developer machine, you will also want to install <link xlink:href="https://blackfire.io/docs/up-and-running/installation#install-a-profiling-client">the client</link> (see <package>blackfire</package> package) or the browser extension to actually trigger the profiling.
</para>
</chapter>

View File

@ -6,37 +6,97 @@ let
gid = config.ids.gids.mediatomb;
cfg = config.services.mediatomb;
name = cfg.package.pname;
pkg = cfg.package;
optionYesNo = option: if option then "yes" else "no";
# configuration on media directory
mediaDirectory = {
options = {
path = mkOption {
type = types.str;
description = ''
Absolute directory path to the media directory to index.
'';
};
recursive = mkOption {
type = types.bool;
default = false;
description = "Whether the indexation must take place recursively or not.";
};
hidden-files = mkOption {
type = types.bool;
default = true;
description = "Whether to index the hidden files or not.";
};
};
};
toMediaDirectory = d: "<directory location=\"${d.path}\" mode=\"inotify\" recursive=\"${optionYesNo d.recursive}\" hidden-files=\"${optionYesNo d.hidden-files}\" />\n";
mtConf = pkgs.writeText "config.xml" ''
<?xml version="1.0" encoding="UTF-8"?>
<config version="2" xmlns="http://mediatomb.cc/config/2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://mediatomb.cc/config/2 http://mediatomb.cc/config/2.xsd">
transcodingConfig = if cfg.transcoding then with pkgs; ''
<transcoding enabled="yes">
<mimetype-profile-mappings>
<transcode mimetype="video/x-flv" using="vlcmpeg" />
<transcode mimetype="application/ogg" using="vlcmpeg" />
<transcode mimetype="audio/ogg" using="ogg2mp3" />
<transcode mimetype="audio/x-flac" using="oggflac2raw"/>
</mimetype-profile-mappings>
<profiles>
<profile name="ogg2mp3" enabled="no" type="external">
<mimetype>audio/mpeg</mimetype>
<accept-url>no</accept-url>
<first-resource>yes</first-resource>
<accept-ogg-theora>no</accept-ogg-theora>
<agent command="${ffmpeg}/bin/ffmpeg" arguments="-y -i %in -f mp3 %out" />
<buffer size="1048576" chunk-size="131072" fill-size="262144" />
</profile>
<profile name="vlcmpeg" enabled="no" type="external">
<mimetype>video/mpeg</mimetype>
<accept-url>yes</accept-url>
<first-resource>yes</first-resource>
<accept-ogg-theora>yes</accept-ogg-theora>
<agent command="${libsForQt5.vlc}/bin/vlc"
arguments="-I dummy %in --sout #transcode{venc=ffmpeg,vcodec=mp2v,vb=4096,fps=25,aenc=ffmpeg,acodec=mpga,ab=192,samplerate=44100,channels=2}:standard{access=file,mux=ps,dst=%out} vlc:quit" />
<buffer size="14400000" chunk-size="512000" fill-size="120000" />
</profile>
</profiles>
</transcoding>
'' else ''
<transcoding enabled="no">
</transcoding>
'';
configText = optionalString (! cfg.customCfg) ''
<?xml version="1.0" encoding="UTF-8"?>
<config version="2" xmlns="http://mediatomb.cc/config/2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://mediatomb.cc/config/2 http://mediatomb.cc/config/2.xsd">
<server>
<ui enabled="yes" show-tooltips="yes">
<accounts enabled="no" session-timeout="30">
<account user="mediatomb" password="mediatomb"/>
<account user="${name}" password="${name}"/>
</accounts>
</ui>
<name>${cfg.serverName}</name>
<udn>uuid:${cfg.uuid}</udn>
<home>${cfg.dataDir}</home>
<webroot>${pkgs.mediatomb}/share/mediatomb/web</webroot>
<interface>${cfg.interface}</interface>
<webroot>${pkg}/share/${name}/web</webroot>
<pc-directory upnp-hide="${optionYesNo cfg.pcDirectoryHide}"/>
<storage>
<sqlite3 enabled="yes">
<database-file>mediatomb.db</database-file>
<database-file>${name}.db</database-file>
</sqlite3>
</storage>
<protocolInfo extend="${if cfg.ps3Support then "yes" else "no"}"/>
${if cfg.dsmSupport then ''
<protocolInfo extend="${optionYesNo cfg.ps3Support}"/>
${optionalString cfg.dsmSupport ''
<custom-http-headers>
<add header="X-User-Agent: redsonic"/>
</custom-http-headers>
<manufacturerURL>redsonic.com</manufacturerURL>
<modelNumber>105</modelNumber>
'' else ""}
${if cfg.tg100Support then ''
''}
${optionalString cfg.tg100Support ''
<upnp-string-limit>101</upnp-string-limit>
'' else ""}
''}
<extended-runtime-options>
<mark-played-items enabled="yes" suppress-cds-updates="yes">
<string mode="prepend">*</string>
@ -47,11 +107,14 @@ let
</extended-runtime-options>
</server>
<import hidden-files="no">
<autoscan use-inotify="auto">
${concatMapStrings toMediaDirectory cfg.mediaDirectories}
</autoscan>
<scripting script-charset="UTF-8">
<common-script>${pkgs.mediatomb}/share/mediatomb/js/common.js</common-script>
<playlist-script>${pkgs.mediatomb}/share/mediatomb/js/playlists.js</playlist-script>
<common-script>${pkg}/share/${name}/js/common.js</common-script>
<playlist-script>${pkg}/share/${name}/js/playlists.js</playlist-script>
<virtual-layout type="builtin">
<import-script>${pkgs.mediatomb}/share/mediatomb/js/import.js</import-script>
<import-script>${pkg}/share/${name}/js/import.js</import-script>
</virtual-layout>
</scripting>
<mappings>
@ -75,12 +138,12 @@ let
<map from="flv" to="video/x-flv"/>
<map from="mkv" to="video/x-matroska"/>
<map from="mka" to="audio/x-matroska"/>
${if cfg.ps3Support then ''
${optionalString cfg.ps3Support ''
<map from="avi" to="video/divx"/>
'' else ""}
${if cfg.dsmSupport then ''
''}
${optionalString cfg.dsmSupport ''
<map from="avi" to="video/avi"/>
'' else ""}
''}
</extension-mimetype>
<mimetype-upnpclass>
<map from="audio/*" to="object.item.audioItem.musicTrack"/>
@ -108,46 +171,27 @@ let
</mappings>
<online-content>
<YouTube enabled="no" refresh="28800" update-at-start="no" purge-after="604800" racy-content="exclude" format="mp4" hd="no">
<favorites user="mediatomb"/>
<favorites user="${name}"/>
<standardfeed feed="most_viewed" time-range="today"/>
<playlists user="mediatomb"/>
<uploads user="mediatomb"/>
<playlists user="${name}"/>
<uploads user="${name}"/>
<standardfeed feed="recently_featured" time-range="today"/>
</YouTube>
</online-content>
</import>
<transcoding enabled="${if cfg.transcoding then "yes" else "no"}">
<mimetype-profile-mappings>
<transcode mimetype="video/x-flv" using="vlcmpeg"/>
<transcode mimetype="application/ogg" using="vlcmpeg"/>
<transcode mimetype="application/ogg" using="oggflac2raw"/>
<transcode mimetype="audio/x-flac" using="oggflac2raw"/>
</mimetype-profile-mappings>
<profiles>
<profile name="oggflac2raw" enabled="no" type="external">
<mimetype>audio/L16</mimetype>
<accept-url>no</accept-url>
<first-resource>yes</first-resource>
<accept-ogg-theora>no</accept-ogg-theora>
<agent command="ogg123" arguments="-d raw -o byteorder:big -f %out %in"/>
<buffer size="1048576" chunk-size="131072" fill-size="262144"/>
</profile>
<profile name="vlcmpeg" enabled="no" type="external">
<mimetype>video/mpeg</mimetype>
<accept-url>yes</accept-url>
<first-resource>yes</first-resource>
<accept-ogg-theora>yes</accept-ogg-theora>
<agent command="vlc" arguments="-I dummy %in --sout #transcode{venc=ffmpeg,vcodec=mp2v,vb=4096,fps=25,aenc=ffmpeg,acodec=mpga,ab=192,samplerate=44100,channels=2}:standard{access=file,mux=ps,dst=%out} vlc:quit"/>
<buffer size="14400000" chunk-size="512000" fill-size="120000"/>
</profile>
</profiles>
</transcoding>
${transcodingConfig}
</config>
'';
'';
defaultFirewallRules = {
# udp 1900 port needs to be opened for SSDP (not configurable within
# mediatomb/gerbera) cf.
# http://docs.gerbera.io/en/latest/run.html?highlight=udp%20port#network-setup
allowedUDPPorts = [ 1900 cfg.port ];
allowedTCPPorts = [ cfg.port ];
};
in {
###### interface
options = {
@ -158,18 +202,27 @@ in {
type = types.bool;
default = false;
description = ''
Whether to enable the mediatomb DLNA server.
Whether to enable the Gerbera/Mediatomb DLNA server.
'';
};
serverName = mkOption {
type = types.str;
default = "mediatomb";
default = "Gerbera (Mediatomb)";
description = ''
How to identify the server on the network.
'';
};
package = mkOption {
type = types.package;
example = literalExample "pkgs.mediatomb";
default = pkgs.gerbera;
description = ''
Underlying package to be used with the module (default: pkgs.gerbera).
'';
};
ps3Support = mkOption {
type = types.bool;
default = false;
@ -206,23 +259,34 @@ in {
dataDir = mkOption {
type = types.path;
default = "/var/lib/mediatomb";
default = "/var/lib/${name}";
description = ''
The directory where mediatomb stores its state, data, etc.
The directory where Gerbera/Mediatomb stores its state, data, etc.
'';
};
pcDirectoryHide = mkOption {
type = types.bool;
default = true;
description = ''
Whether to list the top-level directory or not (from upnp client standpoint).
'';
};
user = mkOption {
type = types.str;
default = "mediatomb";
description = "User account under which mediatomb runs.";
description = "User account under which ${name} runs.";
};
group = mkOption {
type = types.str;
default = "mediatomb";
description = "Group account under which mediatomb runs.";
description = "Group account under which ${name} runs.";
};
port = mkOption {
type = types.int;
default = 49152;
description = ''
The network port to listen on.
@ -230,40 +294,76 @@ in {
};
interface = mkOption {
type = types.str;
default = "";
description = ''
A specific interface to bind to.
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
If false (the default), this is up to the user to declare the firewall rules.
If true, this opens port 1900 (tcp and udp) and the port specified by
<option>sercvices.mediatomb.port</option>.
If the option <option>services.mediatomb.interface</option> is set,
the firewall rules opened are dedicated to that interface. Otherwise,
those rules are opened globally.
'';
};
uuid = mkOption {
type = types.str;
default = "fdfc8a4e-a3ad-4c1d-b43d-a2eedb03a687";
description = ''
A unique (on your network) to identify the server by.
'';
};
mediaDirectories = mkOption {
type = with types; listOf (submodule mediaDirectory);
default = {};
description = ''
Declare media directories to index.
'';
example = [
{ path = "/data/pictures"; recursive = false; hidden-files = false; }
{ path = "/data/audio"; recursive = true; hidden-files = false; }
];
};
customCfg = mkOption {
type = types.bool;
default = false;
description = ''
Allow mediatomb to create and use its own config file inside ${cfg.dataDir}.
Allow ${name} to create and use its own config file inside the <literal>dataDir</literal> as
configured by <option>services.mediatomb.dataDir</option>.
Deactivated by default, the service then runs with the configuration generated from this module.
Otherwise, when enabled, no service configuration is generated. Gerbera/Mediatomb then starts using
config.xml within the configured <literal>dataDir</literal>. It's up to the user to make a correct
configuration file.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
config = let binaryCommand = "${pkg}/bin/${name}";
interfaceFlag = optionalString ( cfg.interface != "") "--interface ${cfg.interface}";
configFlag = optionalString (! cfg.customCfg) "--config ${pkgs.writeText "config.xml" configText}";
in mkIf cfg.enable {
systemd.services.mediatomb = {
description = "MediaTomb media Server";
description = "${cfg.serverName} media Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.mediatomb ];
serviceConfig.ExecStart = "${pkgs.mediatomb}/bin/mediatomb -p ${toString cfg.port} ${if cfg.interface!="" then "-e ${cfg.interface}" else ""} ${if cfg.customCfg then "" else "-c ${mtConf}"} -m ${cfg.dataDir}";
serviceConfig.User = "${cfg.user}";
serviceConfig.ExecStart = "${binaryCommand} --port ${toString cfg.port} ${interfaceFlag} ${configFlag} --home ${cfg.dataDir}";
serviceConfig.User = cfg.user;
};
users.groups = optionalAttrs (cfg.group == "mediatomb") {
@ -274,15 +374,18 @@ in {
mediatomb = {
isSystemUser = true;
group = cfg.group;
home = "${cfg.dataDir}";
home = cfg.dataDir;
createHome = true;
description = "Mediatomb DLNA Server User";
description = "${name} DLNA Server User";
};
};
networking.firewall = {
allowedUDPPorts = [ 1900 cfg.port ];
allowedTCPPorts = [ cfg.port ];
};
# Open firewall only if users enable it
networking.firewall = mkMerge [
(mkIf (cfg.openFirewall && cfg.interface != "") {
interfaces."${cfg.interface}" = defaultFirewallRules;
})
(mkIf (cfg.openFirewall && cfg.interface == "") defaultFirewallRules)
];
};
}

View File

@ -241,6 +241,34 @@ in
default = "";
description = "Extra configuration to put into murmur.ini.";
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/lib/murmur/murmurd.env";
description = ''
Environment file as defined in <citerefentry>
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>.
Secrets may be passed to the service without adding them to the world-readable
Nix store, by specifying placeholder variables as the option value in Nix and
setting these variables accordingly in the environment file.
<programlisting>
# snippet of murmur-related config
services.murmur.password = "$MURMURD_PASSWORD";
</programlisting>
<programlisting>
# content of the environment file
MURMURD_PASSWORD=verysecretpassword
</programlisting>
Note that this file needs to be available on the host on which
<literal>murmur</literal> is running.
'';
};
};
};
@ -256,14 +284,22 @@ in
description = "Murmur Chat Service";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target "];
preStart = ''
${pkgs.envsubst}/bin/envsubst \
-o /run/murmur/murmurd.ini \
-i ${configFile}
'';
serviceConfig = {
# murmurd doesn't fork when logging to the console.
Type = if forking then "forking" else "simple";
PIDFile = mkIf forking "/run/murmur/murmurd.pid";
RuntimeDirectory = mkIf forking "murmur";
User = "murmur";
ExecStart = "${pkgs.murmur}/bin/murmurd -ini ${configFile}";
Type = if forking then "forking" else "simple";
PIDFile = mkIf forking "/run/murmur/murmurd.pid";
EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
ExecStart = "${pkgs.murmur}/bin/murmurd -ini /run/murmur/murmurd.ini";
Restart = "always";
RuntimeDirectory = "murmur";
RuntimeDirectoryMode = "0700";
User = "murmur";
};
};
};

View File

@ -5,7 +5,7 @@ with lib;
let
cfg = config.services.transmission;
inherit (config.environment) etc;
apparmor = config.security.apparmor;
apparmor = config.security.apparmor.enable;
rootDir = "/run/transmission";
homeDir = "/var/lib/transmission";
settingsDir = ".config/transmission-daemon";
@ -184,8 +184,8 @@ in
systemd.services.transmission = {
description = "Transmission BitTorrent Service";
after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service";
requires = optional apparmor.enable "apparmor.service";
after = [ "network.target" ] ++ optional apparmor "apparmor.service";
requires = optional apparmor "apparmor.service";
wantedBy = [ "multi-user.target" ];
environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source;
@ -357,21 +357,61 @@ in
})
];
security.apparmor.policies."bin.transmission-daemon".profile = ''
security.apparmor.profiles = mkIf apparmor [
(pkgs.writeText "apparmor-transmission-daemon" ''
include <tunables/global>
${pkgs.transmission}/bin/transmission-daemon {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include "${pkgs.apparmorRulesFromClosure {} [pkgs.transmission]}"
include <local/bin.transmission-daemon>
# NOTE: https://github.com/NixOS/nixpkgs/pull/93457
# will remove the need for these by fixing <abstractions/base>
r ${etc."hosts".source},
r /etc/ld-nix.so.preload,
${lib.optionalString (builtins.hasAttr "ld-nix.so.preload" etc) ''
r ${etc."ld-nix.so.preload".source},
${concatMapStrings (p: optionalString (p != "") ("mr ${p},\n"))
(splitString "\n" config.environment.etc."ld-nix.so.preload".text)}
''}
r ${etc."ssl/certs/ca-certificates.crt".source},
r ${pkgs.tzdata}/share/zoneinfo/**,
r ${pkgs.stdenv.cc.libc}/share/i18n/**,
r ${pkgs.stdenv.cc.libc}/share/locale/**,
mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*,
mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*,
mr ${getLib pkgs.attr}/lib/libattr*.so*,
mr ${getLib pkgs.c-ares}/lib/libcares*.so*,
mr ${getLib pkgs.curl}/lib/libcurl*.so*,
mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*,
mr ${getLib pkgs.libcap}/lib/libcap*.so*,
mr ${getLib pkgs.libevent}/lib/libevent*.so*,
mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*,
mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*,
mr ${getLib pkgs.libkrb5}/lib/lib*.so*,
mr ${getLib pkgs.libssh2}/lib/libssh2*.so*,
mr ${getLib pkgs.lz4}/lib/liblz4*.so*,
mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*,
mr ${getLib pkgs.openssl}/lib/libcrypto*.so*,
mr ${getLib pkgs.openssl}/lib/libssl*.so*,
mr ${getLib pkgs.systemd}/lib/libsystemd*.so*,
mr ${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so*,
mr ${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so*,
mr ${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so*,
mr ${getLib pkgs.xz}/lib/liblzma*.so*,
mr ${getLib pkgs.zlib}/lib/libz*.so*,
r @{PROC}/sys/kernel/random/uuid,
r @{PROC}/sys/vm/overcommit_memory,
r @{PROC}/@{pid}/environ,
# @{pid} is not a kernel variable yet but a regexp
#r @{PROC}/@{pid}/environ,
r @{PROC}/@{pid}/mounts,
rwk /tmp/tr_session_id_*,
r ${pkgs.openssl.out}/etc/**,
r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
r ${pkgs.transmission}/share/transmission/**,
owner rw ${cfg.home}/${settingsDir}/**,
rw ${cfg.settings.download-dir}/**,
@ -399,9 +439,12 @@ in
# https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
''}
# FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457
# include <local/transmission-daemon>
}
'';
security.apparmor.includes."local/bin.transmission-daemon" = "";
'')
];
};
meta.maintainers = with lib.maintainers; [ julm ];

View File

@ -85,7 +85,7 @@ in {
package = mkOption {
type = types.package;
description = "Which package to use for the Nextcloud instance.";
relatedPackages = [ "nextcloud18" "nextcloud19" ];
relatedPackages = [ "nextcloud18" "nextcloud19" "nextcloud20" ];
};
maxUploadSize = mkOption {
@ -330,37 +330,28 @@ in {
}
];
warnings = []
++ (optional (cfg.poolConfig != null) ''
warnings = let
latest = 20;
upgradeWarning = major: nixos:
''
A legacy Nextcloud install (from before NixOS ${nixos}) may be installed.
After nextcloud${toString major} is installed successfully, you can safely upgrade
to ${toString (major + 1)}. The latest version available is nextcloud${toString latest}.
Please note that Nextcloud doesn't support upgrades across multiple major versions
(i.e. an upgrade from 16 is possible to 17, but not 16 to 18).
The package can be upgraded by explicitly declaring the service-option
`services.nextcloud.package`.
'';
in (optional (cfg.poolConfig != null) ''
Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release.
Please migrate your configuration to config.services.nextcloud.poolSettings.
'')
++ (optional (versionOlder cfg.package.version "18") ''
A legacy Nextcloud install (from before NixOS 20.03) may be installed.
You're currently deploying an older version of Nextcloud. This may be needed
since Nextcloud doesn't allow major version upgrades that skip multiple
versions (i.e. an upgrade from 16 is possible to 17, but not 16 to 18).
It is assumed that Nextcloud will be upgraded from version 16 to 17.
* If this is a fresh install, there will be no upgrade to do now.
* If this server already had Nextcloud installed, first deploy this to your
server, and wait until the upgrade to 17 is finished.
Then, set `services.nextcloud.package` to `pkgs.nextcloud18` to upgrade to
Nextcloud version 18. Please note that Nextcloud 19 is already out and it's
recommended to upgrade to nextcloud19 after that.
'')
++ (optional (versionOlder cfg.package.version "19") ''
A legacy Nextcloud install (from before NixOS 20.09) may be installed.
If/After nextcloud18 is installed successfully, you can safely upgrade to
nextcloud19. If not, please upgrade to nextcloud18 first since Nextcloud doesn't
support upgrades that skip multiple versions (i.e. an upgrade from 17 to 19 isn't
possible, but an upgrade from 18 to 19).
'');
++ (optional (versionOlder cfg.package.version "18") (upgradeWarning 17 "20.03"))
++ (optional (versionOlder cfg.package.version "19") (upgradeWarning 18 "20.09"))
++ (optional (versionOlder cfg.package.version "20") (upgradeWarning 19 "21.03"));
services.nextcloud.package = with pkgs;
mkDefault (
@ -372,7 +363,8 @@ in {
''
else if versionOlder stateVersion "20.03" then nextcloud17
else if versionOlder stateVersion "20.09" then nextcloud18
else nextcloud19
else if versionOlder stateVersion "21.03" then nextcloud19
else nextcloud20
);
}
@ -435,7 +427,7 @@ in {
then ''"$(<"${toString c.dbpassFile}")"''
else if c.dbpass != null
then ''"${toString c.dbpass}"''
else null;
else ''""'';
adminpass = if c.adminpassFile != null
then ''"$(<"${toString c.adminpassFile}")"''
else ''"${toString c.adminpass}"'';
@ -449,8 +441,7 @@ in {
${if c.dbhost != null then "--database-host" else null} = ''"${c.dbhost}"'';
${if c.dbport != null then "--database-port" else null} = ''"${toString c.dbport}"'';
${if c.dbuser != null then "--database-user" else null} = ''"${c.dbuser}"'';
${if (any (x: x != null) [c.dbpass c.dbpassFile])
then "--database-pass" else null} = dbpass;
"--database-pass" = dbpass;
${if c.dbtableprefix != null
then "--database-table-prefix" else null} = ''"${toString c.dbtableprefix}"'';
"--admin-user" = ''"${c.adminuser}"'';
@ -543,9 +534,9 @@ in {
services.nginx.enable = mkDefault true;
# FIXME(ma27) make sure that the config works fine with Nextcloud 19
# *and* Nextcloud 20 as soon as it gets released.
services.nginx.virtualHosts.${cfg.hostName} = {
services.nginx.virtualHosts.${cfg.hostName} = let
major = toInt (versions.major cfg.package.version);
in {
root = cfg.package;
locations = {
"= /robots.txt" = {
@ -558,7 +549,9 @@ in {
};
"/" = {
priority = 900;
extraConfig = "rewrite ^ /index.php;";
extraConfig = if major < 20
then "rewrite ^ /index.php;"
else "try_files $uri $uri/ /index.php$request_uri;";
};
"~ ^/store-apps" = {
priority = 201;
@ -582,7 +575,7 @@ in {
"~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)".extraConfig = ''
return 404;
'';
"~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" = {
${if major < 20 then "~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" else "~ \\.php(?:$|/)"} = {
priority = 500;
extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi.conf;
@ -600,20 +593,19 @@ in {
fastcgi_read_timeout 120s;
'';
};
"~ \\.(?:css|js|svg|gif|map)$".extraConfig = ''
"~ \\.(?:css|js|woff2?|svg|gif|map)$".extraConfig = ''
try_files $uri /index.php$request_uri;
expires 6M;
access_log off;
'';
"~ \\.woff2?$".extraConfig = ''
try_files $uri /index.php$request_uri;
expires 7d;
access_log off;
'';
"~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
try_files $uri/ =404;
index index.php;
'';
"~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
try_files $uri /index.php$request_uri;
access_log off;
'';
};
extraConfig = ''
index index.php index.html /index.php$request_uri;

View File

@ -53,6 +53,8 @@ let
flashbackEnabled = cfg.flashback.enableMetacity || length cfg.flashback.customSessions > 0;
notExcluded = pkg: mkDefault (!(lib.elem pkg config.environment.gnome3.excludePackages));
in
{
@ -68,6 +70,38 @@ in
core-shell.enable = mkEnableOption "GNOME Shell services";
core-utilities.enable = mkEnableOption "GNOME core utilities";
games.enable = mkEnableOption "GNOME games";
experimental-features = {
realtime-scheduling = mkOption {
type = types.bool;
default = false;
description = ''
Makes mutter (which propagates to gnome-shell) request a low priority real-time
scheduling which is only available on the wayland session.
To enable this experimental feature it requires a restart of the compositor.
Note that enabling this option only enables the <emphasis>capability</emphasis>
for realtime-scheduling to be used. It doesn't automatically set the gsetting
so that mutter actually uses realtime-scheduling. This would require adding <literal>
rt-scheduler</literal> to <literal>/org/gnome/mutter/experimental-features</literal>
with dconf-editor. You cannot use extraGSettingsOverrides because that will only
change the default value of the setting.
Please be aware of these known issues with the feature in nixos:
<itemizedlist>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/90201">NixOS/nixpkgs#90201</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/86730">NixOS/nixpkgs#86730</link>
</para>
</listitem>
</itemizedlist>
'';
};
};
};
services.xserver.desktopManager.gnome3 = {
@ -289,26 +323,6 @@ in
source-sans-pro
];
## Enable soft realtime scheduling, only supported on wayland ##
security.wrappers.".gnome-shell-wrapped" = {
source = "${pkgs.gnome3.gnome-shell}/bin/.gnome-shell-wrapped";
capabilities = "cap_sys_nice=ep";
};
systemd.user.services.gnome-shell-wayland = let
gnomeShellRT = with pkgs.gnome3; pkgs.runCommand "gnome-shell-rt" {} ''
mkdir -p $out/bin/
cp ${gnome-shell}/bin/gnome-shell $out/bin
sed -i "s@${gnome-shell}/bin/@${config.security.wrapperDir}/@" $out/bin/gnome-shell
'';
in {
# Note we need to clear ExecStart before overriding it
serviceConfig.ExecStart = ["" "${gnomeShellRT}/bin/gnome-shell"];
# Do not use the default environment, it provides a broken PATH
environment = mkForce {};
};
# Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-36/elements/core/meta-gnome-core-shell.bst
environment.systemPackages = with pkgs.gnome3; [
adwaita-icon-theme
@ -333,6 +347,27 @@ in
];
})
# Enable soft realtime scheduling, only supported on wayland
(mkIf serviceCfg.experimental-features.realtime-scheduling {
security.wrappers.".gnome-shell-wrapped" = {
source = "${pkgs.gnome3.gnome-shell}/bin/.gnome-shell-wrapped";
capabilities = "cap_sys_nice=ep";
};
systemd.user.services.gnome-shell-wayland = let
gnomeShellRT = with pkgs.gnome3; pkgs.runCommand "gnome-shell-rt" {} ''
mkdir -p $out/bin/
cp ${gnome-shell}/bin/gnome-shell $out/bin
sed -i "s@${gnome-shell}/bin/@${config.security.wrapperDir}/@" $out/bin/gnome-shell
'';
in {
# Note we need to clear ExecStart before overriding it
serviceConfig.ExecStart = ["" "${gnomeShellRT}/bin/gnome-shell"];
# Do not use the default environment, it provides a broken PATH
environment = mkForce {};
};
})
# Adapt from https://gitlab.gnome.org/GNOME/gnome-build-meta/blob/gnome-3-36/elements/core/meta-gnome-core-utilities.bst
(mkIf serviceCfg.core-utilities.enable {
environment.systemPackages = (with pkgs.gnome3; removePackagesByName [
@ -363,6 +398,18 @@ in
/* gnome-boxes */
] config.environment.gnome3.excludePackages);
# Enable default program modules
# Since some of these have a corresponding package, we only
# enable that program module if the package hasn't been excluded
# through `environment.gnome3.excludePackages`
programs.evince.enable = notExcluded pkgs.gnome3.evince;
programs.file-roller.enable = notExcluded pkgs.gnome3.file-roller;
programs.geary.enable = notExcluded pkgs.gnome3.geary;
programs.gnome-disks.enable = notExcluded pkgs.gnome3.gnome-disk-utility;
programs.gnome-terminal.enable = notExcluded pkgs.gnome3.gnome-terminal;
programs.seahorse.enable = notExcluded pkgs.gnome3.seahorse;
services.gnome3.sushi.enable = notExcluded pkgs.gnome3.sushi;
# Let nautilus find extensions
# TODO: Create nautilus-with-extensions package
environment.sessionVariables.NAUTILUS_EXTENSION_DIR = "${config.system.path}/lib/nautilus/extensions-3.0";
@ -375,25 +422,6 @@ in
];
})
# Enable default program modules
# Since some of these have a corresponding package, we only
# enable that program module if the package hasn't been excluded
# through `environment.gnome3.excludePackages`
(
let
notExcluded = pkg: mkDefault (!(lib.elem pkg config.environment.gnome3.excludePackages));
in
with pkgs.gnome3;
{
programs.evince.enable = notExcluded evince;
programs.file-roller.enable = notExcluded file-roller;
programs.geary.enable = notExcluded geary;
programs.gnome-disks.enable = notExcluded gnome-disk-utility;
programs.gnome-terminal.enable = notExcluded gnome-terminal;
programs.seahorse.enable = notExcluded seahorse;
services.gnome3.sushi.enable = notExcluded sushi;
})
(mkIf serviceCfg.games.enable {
environment.systemPackages = (with pkgs.gnome3; removePackagesByName [
aisleriot atomix five-or-more four-in-a-row gnome-chess gnome-klotski

View File

@ -274,6 +274,7 @@ in
plasma-browser-integration
plasma-integration
polkit-kde-agent
spectacle
systemsettings
plasma-desktop

View File

@ -1090,21 +1090,6 @@ in
} else {
ping.source = "${pkgs.iputils.out}/bin/ping";
};
security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
/run/wrappers/bin/ping {
include <abstractions/base>
include <nixos/security.wrappers>
rpx /run/wrappers/wrappers.*/ping,
}
/run/wrappers/wrappers.*/ping {
include <abstractions/base>
include <nixos/security.wrappers>
r /run/wrappers/wrappers.*/ping.real,
mrpx ${config.security.wrappers.ping.source},
capability net_raw,
capability setpcap,
}
'');
# Set the host and domain names in the activation script. Don't
# clear it if it's not configured in the NixOS configuration,

View File

@ -74,13 +74,9 @@ in
systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];
security.apparmor.packages = [ pkgs.lxc ];
security.apparmor.policies = {
"bin.lxc-start".profile = ''
include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start
'';
"lxc-containers".profile = ''
include ${pkgs.lxc}/etc/apparmor.d/lxc-containers
'';
};
security.apparmor.profiles = [
"${pkgs.lxc}/etc/apparmor.d/lxc-containers"
"${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start"
];
};
}

View File

@ -93,15 +93,11 @@ in
security.apparmor = {
enable = true;
profiles = [
"${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start"
"${cfg.lxcPackage}/etc/apparmor.d/lxc-containers"
];
packages = [ cfg.lxcPackage ];
policies = {
"bin.lxc-start".profile = ''
include ${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start
'';
"lxc-containers".profile = ''
include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers
'';
};
};
systemd.services.lxd = {

View File

@ -44,6 +44,7 @@ in
caddy = handleTest ./caddy.nix {};
cadvisor = handleTestOn ["x86_64-linux"] ./cadvisor.nix {};
cage = handleTest ./cage.nix {};
cagebreak = handleTest ./cagebreak.nix {};
cassandra = handleTest ./cassandra.nix {};
ceph-single-node = handleTestOn ["x86_64-linux"] ./ceph-single-node.nix {};
ceph-multi-node = handleTestOn ["x86_64-linux"] ./ceph-multi-node.nix {};

98
nixos/tests/cagebreak.nix Normal file
View File

@ -0,0 +1,98 @@
import ./make-test-python.nix ({ pkgs, lib, ...} :
let
cagebreakConfigfile = pkgs.writeText "config" ''
workspaces 1
escape C-t
bind t exec env DISPLAY=:0 ${pkgs.xterm}/bin/xterm -cm -pc
bind a exec ${pkgs.alacritty}/bin/alacritty
'';
in
{
name = "cagebreak";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ berbiche ];
};
machine = { config, ... }:
let
alice = config.users.users.alice;
in {
imports = [ ./common/user-account.nix ];
environment.systemPackages = [ pkgs.cagebreak ];
services.xserver = {
enable = true;
displayManager.autoLogin = {
enable = true;
user = alice.name;
};
};
services.xserver.windowManager.session = lib.singleton {
manage = "desktop";
name = "cagebreak";
start = ''
export XDG_RUNTIME_DIR=/run/user/${toString alice.uid}
${pkgs.cagebreak}/bin/cagebreak &
waitPID=$!
'';
};
systemd.services.setupCagebreakConfig = {
wantedBy = [ "multi-user.target" ];
before = [ "multi-user.target" ];
environment = {
HOME = alice.home;
};
unitConfig = {
type = "oneshot";
RemainAfterExit = true;
user = alice.name;
};
script = ''
cd $HOME
CONFFILE=$HOME/.config/cagebreak/config
mkdir -p $(dirname $CONFFILE)
cp ${cagebreakConfigfile} $CONFFILE
'';
};
# Copied from cage:
# this needs a fairly recent kernel, otherwise:
# [backend/drm/util.c:215] Unable to add DRM framebuffer: No such file or directory
# [backend/drm/legacy.c:15] Virtual-1: Failed to set CRTC: No such file or directory
# [backend/drm/util.c:215] Unable to add DRM framebuffer: No such file or directory
# [backend/drm/legacy.c:15] Virtual-1: Failed to set CRTC: No such file or directory
# [backend/drm/drm.c:618] Failed to initialize renderer on connector 'Virtual-1': initial page-flip failed
# [backend/drm/drm.c:701] Failed to initialize renderer for plane
boot.kernelPackages = pkgs.linuxPackages_latest;
virtualisation.memorySize = 1024;
};
enableOCR = true;
testScript = { nodes, ... }: let
user = nodes.machine.config.users.users.alice;
in ''
start_all()
machine.wait_for_unit("multi-user.target")
machine.wait_for_file("/run/user/${toString user.uid}/wayland-0")
with subtest("ensure wayland works with alacritty"):
machine.send_key("ctrl-t")
machine.send_key("a")
machine.wait_until_succeeds("pgrep alacritty")
machine.wait_for_text("alice@machine")
machine.screenshot("screen")
machine.send_key("ctrl-d")
with subtest("ensure xwayland works with xterm"):
machine.send_key("ctrl-t")
machine.send_key("t")
machine.wait_until_succeeds("pgrep xterm")
machine.wait_for_text("alice@machine")
machine.screenshot("screen")
machine.send_key("ctrl-d")
'';
})

81
nixos/tests/mediatomb.nix Normal file
View File

@ -0,0 +1,81 @@
import ./make-test-python.nix ({ pkgs, ... }:
{
name = "mediatomb";
nodes = {
serverGerbera =
{ ... }:
let port = 49152;
in {
imports = [ ../modules/profiles/minimal.nix ];
services.mediatomb = {
enable = true;
serverName = "Gerbera";
package = pkgs.gerbera;
interface = "eth1"; # accessible from test
openFirewall = true;
mediaDirectories = [
{ path = "/var/lib/gerbera/pictures"; recursive = false; hidden-files = false; }
{ path = "/var/lib/gerbera/audio"; recursive = true; hidden-files = false; }
];
};
};
serverMediatomb =
{ ... }:
let port = 49151;
in {
imports = [ ../modules/profiles/minimal.nix ];
services.mediatomb = {
enable = true;
serverName = "Mediatomb";
package = pkgs.mediatomb;
interface = "eth1";
inherit port;
mediaDirectories = [
{ path = "/var/lib/mediatomb/pictures"; recursive = false; hidden-files = false; }
{ path = "/var/lib/mediatomb/audio"; recursive = true; hidden-files = false; }
];
};
networking.firewall.interfaces.eth1 = {
allowedUDPPorts = [ 1900 port ];
allowedTCPPorts = [ port ];
};
};
client = { ... }: { };
};
testScript =
''
start_all()
port = 49151
serverMediatomb.succeed("mkdir -p /var/lib/mediatomb/{pictures,audio}")
serverMediatomb.succeed("chown -R mediatomb:mediatomb /var/lib/mediatomb")
serverMediatomb.wait_for_unit("mediatomb")
serverMediatomb.wait_for_open_port(port)
serverMediatomb.succeed(f"curl --fail http://serverMediatomb:{port}/")
page = client.succeed(f"curl --fail http://serverMediatomb:{port}/")
assert "MediaTomb" in page and "Gerbera" not in page
serverMediatomb.shutdown()
port = 49152
serverGerbera.succeed("mkdir -p /var/lib/mediatomb/{pictures,audio}")
serverGerbera.succeed("chown -R mediatomb:mediatomb /var/lib/mediatomb")
# service running gerbera fails the first time claiming something is already bound
# gerbera[715]: 2020-07-18 23:52:14 info: Please check if another instance of Gerbera or
# gerbera[715]: 2020-07-18 23:52:14 info: another application is running on port TCP 49152 or UDP 1900.
# I did not find anything so here I work around this
serverGerbera.succeed("sleep 2")
serverGerbera.wait_until_succeeds("systemctl restart mediatomb")
serverGerbera.wait_for_unit("mediatomb")
serverGerbera.succeed(f"curl --fail http://serverGerbera:{port}/")
page = client.succeed(f"curl --fail http://serverGerbera:{port}/")
assert "Gerbera" in page and "MediaTomb" not in page
serverGerbera.shutdown()
client.shutdown()
'';
})

View File

@ -5,6 +5,12 @@ let
imports = [ ./common/x11.nix ];
environment.systemPackages = [ pkgs.mumble ];
};
# outside of tests, this file should obviously not come from the nix store
envFile = pkgs.writeText "nixos-test-mumble-murmurd.env" ''
MURMURD_PASSWORD=testpassword
'';
in
{
name = "mumble";
@ -14,8 +20,10 @@ in
nodes = {
server = { config, ... }: {
services.murmur.enable = true;
services.murmur.enable = true;
services.murmur.registerName = "NixOS tests";
services.murmur.password = "$MURMURD_PASSWORD";
services.murmur.environmentFile = envFile;
networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
};
@ -30,8 +38,8 @@ in
client1.wait_for_x()
client2.wait_for_x()
client1.execute("mumble mumble://client1\@server/test &")
client2.execute("mumble mumble://client2\@server/test &")
client1.execute("mumble mumble://client1:testpassword\@server/test &")
client2.execute("mumble mumble://client2:testpassword\@server/test &")
# cancel client audio configuration
client1.wait_for_window(r"Audio Tuning Wizard")
@ -63,8 +71,12 @@ in
client2.send_chars("y")
# Find clients in logs
server.wait_until_succeeds("journalctl -eu murmur -o cat | grep -q client1")
server.wait_until_succeeds("journalctl -eu murmur -o cat | grep -q client2")
server.wait_until_succeeds(
"journalctl -eu murmur -o cat | grep -q 'client1.\+Authenticated'"
)
server.wait_until_succeeds(
"journalctl -eu murmur -o cat | grep -q 'client2.\+Authenticated'"
)
server.sleep(5) # wait to get screenshot
client1.screenshot("screen1")

View File

@ -14,13 +14,13 @@
mkDerivation rec {
pname = "MellowPlayer";
version = "3.6.5";
version = "3.6.6";
src = fetchFromGitLab {
owner = "ColinDuquesnoy";
repo = "MellowPlayer";
rev = version;
sha256 = "1fnfqyy52hnh9vwq4rcndcqwh0zsm1sd3vi4h5gzaj4zbniq5v2f";
sha256 = "14y175fl6wg04fz0fhx553r8z3nwqrs2lr3rdls70bhwx5x6lavw";
};
nativeBuildInputs = [ cmake pkgconfig ];

View File

@ -58,7 +58,7 @@ in pythonPackages.buildPythonApplication rec {
homepage = "https://picard.musicbrainz.org/";
description = "The official MusicBrainz tagger";
maintainers = with maintainers; [ ehmry ];
license = licenses.gpl2;
license = licenses.gpl2Plus;
platforms = platforms.all;
};
}

View File

@ -2,17 +2,17 @@
buildGoModule rec {
pname = "go-ethereum";
version = "1.9.21";
version = "1.9.22";
src = fetchFromGitHub {
owner = "ethereum";
repo = pname;
rev = "v${version}";
sha256 = "0mr5pw08jka11lzgl28555nb90cqxx9vlqd1plfmyic6rb5z11df";
sha256 = "08i31xil2lygfcn2igsvn4hpg8xnf8l6g914f78hgl4wj6v1dja9";
};
runVend = true;
vendorSha256 = "155hmny3543h02ryn1nnlpmvs0qvhd0lb66vmkhw5351m6gkbx7x";
vendorSha256 = "1qbg44cryiv9kvcak6qjrbmkc9bxyk5fybj62vdkskqfjvv86068";
doCheck = false;

View File

@ -1,62 +1,87 @@
{ stdenv, wrapQtAppsHook, makeDesktopItem
, fetchFromGitHub, qmake, qttools, pkgconfig
, fetchFromGitHub
, cmake, qttools, pkgconfig
, qtbase, qtdeclarative, qtgraphicaleffects
, qtmultimedia, qtxmlpatterns
, qtquickcontrols, qtquickcontrols2
, monero, unbound, readline, boost, libunwind
, libsodium, pcsclite, zeromq, libgcrypt, libgpgerror
, hidapi, libusb-compat-0_1, protobuf, randomx
, monero, miniupnpc, unbound, readline
, boost, libunwind, libsodium, pcsclite
, randomx, zeromq, libgcrypt, libgpgerror
, hidapi, rapidjson
, trezorSupport ? true
, libusb1 ? null
, protobuf ? null
, python3 ? null
}:
with stdenv.lib;
assert trezorSupport -> all (x: x!=null) [ libusb1 protobuf python3 ];
let
arch = if stdenv.isx86_64 then "x86-64"
else if stdenv.isi686 then "i686"
else if stdenv.isAarch64 then "armv8-a"
else throw "unsupported architecture";
in
stdenv.mkDerivation rec {
pname = "monero-gui";
version = "0.16.0.3";
version = "0.17.0.1";
src = fetchFromGitHub {
owner = "monero-project";
repo = "monero-gui";
rev = "v${version}";
sha256 = "0iwjp8x5swy8i8pzrlm5v55awhm54cf48pm1vz98lcq361lhfzk6";
sha256 = "1i9a3ampppyzsl4sllbqlr3w43sjpb3fdfxhb1j4n49p8g0jzmf3";
};
nativeBuildInputs = [ qmake pkgconfig wrapQtAppsHook ];
nativeBuildInputs = [
cmake pkgconfig wrapQtAppsHook
(getDev qttools)
];
buildInputs = [
qtbase qtdeclarative qtgraphicaleffects
qtmultimedia qtquickcontrols qtquickcontrols2
qtxmlpatterns
monero unbound readline libgcrypt libgpgerror
boost libunwind libsodium pcsclite zeromq
hidapi libusb-compat-0_1 protobuf randomx
];
monero miniupnpc unbound readline
randomx libgcrypt libgpgerror
boost libunwind libsodium pcsclite
zeromq hidapi rapidjson
] ++ optionals trezorSupport [ libusb1 protobuf python3 ];
NIX_CFLAGS_COMPILE = [ "-Wno-error=format-security" ];
postUnpack = ''
# copy monero sources here
# (needs to be writable)
cp -r ${monero.source}/* source/monero
chmod -R +w source/monero
'';
patches = [ ./move-log-file.patch ];
postPatch = ''
echo '
var GUI_VERSION = "${version}";
var GUI_MONERO_VERSION = "${getVersion monero}";
' > version.js
substituteInPlace monero-wallet-gui.pro \
--replace '$$[QT_INSTALL_BINS]/lrelease' '${getDev qttools}/bin/lrelease'
# set monero-gui version
substituteInPlace src/version.js.in \
--replace '@VERSION_TAG_GUI@' '${version}'
# remove this line on the next release
rm cmake/Version.cmake
# use monerod from the monero package
substituteInPlace src/daemon/DaemonManager.cpp \
--replace 'QApplication::applicationDirPath() + "' '"${monero}/bin'
# only build external deps, *not* the full monero
substituteInPlace CMakeLists.txt \
--replace 'add_subdirectory(monero)' \
'add_subdirectory(monero EXCLUDE_FROM_ALL)'
'';
makeFlags = [ "INSTALL_ROOT=$(out)" ];
preBuild = ''
sed -i s#/opt/monero-wallet-gui##g Makefile
make -C src/zxcvbn-c
# use nixpkgs monero sources
rmdir monero
ln -s "${monero.src}" monero
'';
cmakeFlags = [
"-DCMAKE_INSTALL_PREFIX=$out/bin"
"-DARCH=${arch}"
];
desktopItem = makeDesktopItem {
name = "monero-wallet-gui";
@ -69,15 +94,15 @@ stdenv.mkDerivation rec {
postInstall = ''
# install desktop entry
mkdir -p $out/share/applications
cp ${desktopItem}/share/applications/* $out/share/applications
install -Dm644 -t $out/share/applications \
${desktopItem}/share/applications/*
# install icons
for n in 16 24 32 48 64 96 128 256; do
size=$n"x"$n
mkdir -p $out/share/icons/hicolor/$size/apps
cp $src/images/appicons/$size.png \
$out/share/icons/hicolor/$size/apps/monero.png
install -Dm644 \
-t $out/share/icons/hicolor/$size/apps/monero.png \
$src/images/appicons/$size.png
done;
'';

View File

@ -1,40 +1,69 @@
{ stdenv, fetchFromGitHub
{ stdenv, fetchFromGitHub, fetchpatch
, cmake, pkgconfig
, boost, miniupnpc, openssl, unbound
, zeromq, pcsclite, readline, libsodium, hidapi
, protobuf, randomx, rapidjson, libusb-compat-0_1
, randomx, rapidjson
, CoreData, IOKit, PCSC
, trezorSupport ? true
, libusb1 ? null
, protobuf ? null
, python3 ? null
}:
with stdenv.lib;
assert stdenv.isDarwin -> IOKit != null;
assert trezorSupport -> all (x: x!=null) [ libusb1 protobuf python3 ];
stdenv.mkDerivation rec {
pname = "monero";
version = "0.16.0.3";
version = "0.17.0.1";
src = fetchFromGitHub {
owner = "monero-project";
repo = "monero";
rev = "v${version}";
sha256 = "1r9x3712vhb24dxxirfiwj5f9x0h4m7x0ngiiavf5983dfdlgz33";
sha256 = "1v0phvg5ralli4dr09a60nq032xqlci5d6v4zfq8304vgrn1ffgp";
fetchSubmodules = true;
};
patches = [
./use-system-libraries.patch
# This fixes a bug in the monero-gui build system,
# remove it once the PR has been merged
(fetchpatch {
url = "https://github.com/monero-project/monero/pull/6867.patch";
sha256 = "0nxa6861df1fadrm9bmhqf2g6mljgr4jndsbxqp7g501hv9z51j3";
})
];
postPatch = ''
# remove vendored libraries
rm -r external/{miniupnp,randomx,rapidjson,unbound}
# export patched source for monero-gui
cp -r . $source
'';
nativeBuildInputs = [ cmake pkgconfig ];
buildInputs = [
boost miniupnpc openssl unbound
zeromq pcsclite readline
libsodium hidapi randomx rapidjson
protobuf libusb-compat-0_1
] ++ stdenv.lib.optionals stdenv.isDarwin [ IOKit CoreData PCSC ];
protobuf
] ++ optionals stdenv.isDarwin [ IOKit CoreData PCSC ]
++ optionals trezorSupport [ libusb1 protobuf python3 ];
cmakeFlags = [
"-DCMAKE_BUILD_TYPE=Release"
"-DUSE_DEVICE_TREZOR=ON"
"-DBUILD_GUI_DEPS=ON"
"-DReadline_ROOT_DIR=${readline.dev}"
] ++ stdenv.lib.optional stdenv.isDarwin "-DBoost_USE_MULTITHREADED=OFF";
"-DRandomX_ROOT_DIR=${randomx}"
] ++ optional stdenv.isDarwin "-DBoost_USE_MULTITHREADED=OFF";
outputs = [ "out" "source" ];
meta = with stdenv.lib; {
description = "Private, secure, untraceable currency";

View File

@ -0,0 +1,69 @@
diff --git a/external/CMakeLists.txt b/external/CMakeLists.txt
index a8916a7d0..39ec7747b 100644
--- a/external/CMakeLists.txt
+++ b/external/CMakeLists.txt
@@ -37,34 +37,16 @@
find_package(Miniupnpc REQUIRED)
-message(STATUS "Using in-tree miniupnpc")
-add_subdirectory(miniupnp/miniupnpc)
-set_property(TARGET libminiupnpc-static PROPERTY FOLDER "external")
-if(MSVC)
- set_property(TARGET libminiupnpc-static APPEND_STRING PROPERTY COMPILE_FLAGS " -wd4244 -wd4267")
-elseif(NOT MSVC)
- set_property(TARGET libminiupnpc-static APPEND_STRING PROPERTY COMPILE_FLAGS " -Wno-undef -Wno-unused-result -Wno-unused-value")
-endif()
-if(CMAKE_SYSTEM_NAME MATCHES "NetBSD")
- set_property(TARGET libminiupnpc-static APPEND_STRING PROPERTY COMPILE_FLAGS " -D_NETBSD_SOURCE")
-endif()
-
-set(UPNP_LIBRARIES "libminiupnpc-static" PARENT_SCOPE)
+set(UPNP_STATIC false PARENT_SCOPE)
+set(UPNP_INCLUDE ${MINIUPNP_INCLUDE_DIR} PARENT_SCOPE)
+set(UPNP_LIBRARIES ${MINIUPNP_LIBRARY} PARENT_SCOPE)
find_package(Unbound)
if(NOT UNBOUND_INCLUDE_DIR OR STATIC)
- # NOTE: If STATIC is true, CMAKE_FIND_LIBRARY_SUFFIXES has been reordered.
- # unbound has config tests which used OpenSSL libraries, so -ldl may need to
- # be set in this case.
- # The unbound CMakeLists.txt can set it, since it's also needed for the
- # static OpenSSL libraries set up there after with target_link_libraries.
- add_subdirectory(unbound)
-
- set(UNBOUND_STATIC true PARENT_SCOPE)
- set(UNBOUND_INCLUDE "${CMAKE_CURRENT_SOURCE_DIR}/unbound/libunbound" PARENT_SCOPE)
- set(UNBOUND_LIBRARY "unbound" PARENT_SCOPE)
- set(UNBOUND_LIBRARY_DIRS "${LIBEVENT2_LIBDIR}" PARENT_SCOPE)
+ set(UNBOUND_STATIC false PARENT_SCOPE)
+ set(UPNP_INCLUDE ${MINIUPNP_INCLUDE_DIR} PARENT_SCOPE)
+ set(UPNP_LIBRARIES ${MINIUPNP_LIBRARY} PARENT_SCOPE)
else()
message(STATUS "Found libunbound include (unbound.h) in ${UNBOUND_INCLUDE_DIR}")
if(UNBOUND_LIBRARIES)
@@ -81,4 +63,5 @@ endif()
add_subdirectory(db_drivers)
add_subdirectory(easylogging++)
add_subdirectory(qrcodegen)
-add_subdirectory(randomx EXCLUDE_FROM_ALL)
+
+find_library(RANDOMX_LIBRARIES NAMES RandomX)
diff --git a/src/p2p/net_node.inl b/src/p2p/net_node.inl
index 175741146..088b582f7 100644
--- a/src/p2p/net_node.inl
+++ b/src/p2p/net_node.inl
@@ -60,9 +60,9 @@
#include "cryptonote_core/cryptonote_core.h"
#include "net/parse.h"
-#include <miniupnp/miniupnpc/miniupnpc.h>
-#include <miniupnp/miniupnpc/upnpcommands.h>
-#include <miniupnp/miniupnpc/upnperrors.h>
+#include <miniupnpc/miniupnpc.h>
+#include <miniupnpc/upnpcommands.h>
+#include <miniupnpc/upnperrors.h>
#undef MONERO_DEFAULT_LOG_CATEGORY
#define MONERO_DEFAULT_LOG_CATEGORY "net.p2p"

View File

@ -85,7 +85,7 @@ let
description = "A hackable text editor for the 21st Century";
homepage = "https://atom.io/";
license = licenses.mit;
maintainers = with maintainers; [ offline nequissimus ysndr ];
maintainers = with maintainers; [ offline ysndr ];
platforms = platforms.x86_64;
};
};

View File

@ -2,25 +2,25 @@
buildGoModule rec {
pname = "glow";
version = "0.2.0";
version = "1.0.1";
src = fetchFromGitHub {
owner = "charmbracelet";
repo = "glow";
rev = "v${version}";
sha256 = "0vhl8d7xxqqyl916nh8sgm1xdaf7xlc3r18464bd2av22q9yz68n";
sha256 = "05scgdivb0hf0lfznikn20b6pgb479jhs24hgf5f5i60v37v930y";
};
vendorSha256 = "1c16s5xiqr36azh2w90wg14jlw67ca2flbgjijpz7qd0ypxyfqlk";
vendorSha256 = "180g6d9w3lfmxj4843kqvq4ikg8lwmwprgfxdgz1lzvjmbfjj3g9";
doCheck = false;
buildFlagsArray = [ "-ldflags=" "-X=main.Version=${version}" ];
meta = with lib; {
description = "Render markdown on the CLI";
description = "Render markdown on the CLI, with pizzazz!";
homepage = "https://github.com/charmbracelet/glow";
license = licenses.mit;
maintainers = with maintainers; [ ehmry filalex77 ];
maintainers = with maintainers; [ ehmry filalex77 penguwin ];
};
}

View File

@ -20,11 +20,11 @@ let
in stdenv.mkDerivation rec {
pname = "nano";
version = "5.2";
version = "5.3";
src = fetchurl {
url = "mirror://gnu/nano/${pname}-${version}.tar.xz";
sha256 = "1qd7pn9g5dgzbfg4fb3nqxqgi2iqq0g6x33x8d1mx6mfw51xmhij";
sha256 = "0lj3fcfzprmv9raydx8yq25lw81bs6g40rhd0fv9d6idcb7wphf5";
};
nativeBuildInputs = [ texinfo ] ++ optional enableNls gettext;

View File

@ -2,13 +2,13 @@
stdenv.mkDerivation {
pname = "nanorc";
version = "2018-09-05";
version = "2020-01-25";
src = fetchFromGitHub {
owner = "scopatz";
repo = "nanorc";
rev = "1e589cb729d24fba470228d429e6dde07973d597";
sha256 = "136yxr38lzrfv8bar0c6c56rh54q9s94zpwa19f425crh44drppl";
rev = "2020.1.25";
sha256 = "1y8jk3jsl4bd6r4hzmxzcf77hv8bwm0318yv7y2npkkd3a060z8d";
};
dontBuild = true;

View File

@ -52,13 +52,13 @@ let
python = python2.withPackages (pp: [ pp.pygtk ]);
in stdenv.mkDerivation rec {
pname = "gimp";
version = "2.10.20";
version = "2.10.22";
outputs = [ "out" "dev" ];
src = fetchurl {
url = "http://download.gimp.org/pub/gimp/v${lib.versions.majorMinor version}/${pname}-${version}.tar.bz2";
sha256 = "4S+fh0saAHxCd7YKqB4LZzML5+YVPldJ6tg5uQL8ezw=";
sha256 = "1fqqyshakvdarf1jipk2n33ibqr23ni22z3d8srq13bpydblpf1d";
};
patches = [

View File

@ -2,11 +2,11 @@
stdenv.mkDerivation rec {
pname = "ArchiSteamFarm";
version = "4.2.4.0";
version = "4.3.0.6";
src = fetchurl {
url = "https://github.com/JustArchiNET/ArchiSteamFarm/releases/download/${version}/ASF-generic.zip";
sha256 = "1nkbyy9gnp8nkr04bbiapwvv2nspnl36fvnzjwaq4a13mj49m5zq";
sha256 = "1i8cb9j1dk2ikrdr11gah48wrsmw52gj70pv7yml1pzb435madm8";
};
nativeBuildInputs = [ unzip makeWrapper jq ];

View File

@ -0,0 +1,26 @@
{ lib, buildGoModule, fetchFromGitHub }:
buildGoModule rec {
pname = "charm";
version = "0.8.3";
src = fetchFromGitHub {
owner = "charmbracelet";
repo = "charm";
rev = "v${version}";
sha256 = "1nbix7fi6g9jadak5zyx7fdz7d6367aly6fnrs0v98zsl1kxyvx3";
};
vendorSha256 = "0lhml6m0j9ksn09j7z4d9pix5aszhndpyqajycwj3apvi3ic90il";
doCheck = false;
buildFlagsArray = [ "-ldflags=" "-X=main.Version=${version}" ];
meta = with lib; {
description = "Manage your charm account on the CLI";
homepage = "https://github.com/charmbracelet/charm";
license = licenses.mit;
maintainers = with maintainers; [ penguwin ];
};
}

View File

@ -7,7 +7,7 @@
stdenv.mkDerivation rec {
pname = "dbeaver-ce";
version = "7.2.1";
version = "7.2.2";
desktopItem = makeDesktopItem {
name = "dbeaver";
@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
src = fetchurl {
url = "https://dbeaver.io/files/${version}/dbeaver-ce-${version}-linux.gtk.x86_64.tar.gz";
sha256 = "0vdwbgff55aq5l67fczdvw7kn7kf0dsz183x5lz2v1sb2blsjvjj";
sha256 = "08dm10smmzrpsc4vc5p3p6fbkg6a5r1sgmbdgr2ihkbk28gylfh0";
};
installPhase = ''

View File

@ -21,14 +21,14 @@
with python3Packages;
buildPythonApplication rec {
pname = "kitty";
version = "0.19.0";
version = "0.19.1";
format = "other";
src = fetchFromGitHub {
owner = "kovidgoyal";
repo = "kitty";
rev = "v${version}";
sha256 = "0j2ci6acfl21mm111iis0aa5jp1hl1fnlvlhhfps9j5w4ba8sy7z";
sha256 = "145fx4nnn0gszawllfwqf1h65ak0ij6ffargs7y0cgaxsc991s6m";
};
buildInputs = [

View File

@ -0,0 +1,41 @@
{ stdenv, fetchFromGitHub, prevo-tools }:
stdenv.mkDerivation rec {
pname = "prevo-data";
version = "2020-03-08";
src = fetchFromGitHub {
owner = "bpeel";
repo = "revo";
rev = "1e8d7197c0bc831e2127909e77e64dfc26906bdd";
sha256 = "1ldhzpi3d5cbssv8r7acsn7qwxcl8qpqi8ywpsp7cbgx3w7hhkyz";
};
nativeBuildInputs = [ prevo-tools ];
dontUnpack = true;
buildPhase = ''
prevodb -s -i $src -o prevo.db
'';
installPhase = ''
mkdir -p $out/share/prevo
cp prevo.db $out/share/prevo/
'';
meta = with stdenv.lib; {
description =
"data for offline version of the Esperanto dictionary Reta Vortaro";
longDescription = ''
PReVo is the "portable" ReVo, i.e., the offline version
of the Esperanto dictionary Reta Vortaro.
This package provides the ReVo database for the prevo command line application.
'';
homepage = "https://github.com/bpeel/revo";
license = licenses.gpl2Only;
maintainers = [ maintainers.das-g ];
platforms = platforms.linux;
};
}

View File

@ -0,0 +1,27 @@
{ stdenv, symlinkJoin, prevo-tools, prevo-data, makeWrapper }:
symlinkJoin rec {
name = "prevo-${version}";
inherit (prevo-tools) version;
paths = [ prevo-tools ];
nativeBuildInputs = [ makeWrapper ];
postBuild = ''
wrapProgram $out/bin/prevo \
--prefix XDG_DATA_DIRS : "${prevo-data}/share"
'';
meta = with stdenv.lib; {
description = "offline version of the Esperanto dictionary Reta Vortaro";
longDescription = ''
PReVo is the "portable" ReVo, i.e., the offline version
of the Esperanto dictionary Reta Vortaro.
'';
homepage = "https://github.com/bpeel/prevodb";
license = licenses.gpl2Only;
maintainers = [ maintainers.das-g ];
platforms = platforms.linux;
};
}

View File

@ -0,0 +1,38 @@
{ stdenv, fetchFromGitHub, autoreconfHook, pkg-config, glib, expat
, installShellFiles }:
stdenv.mkDerivation rec {
pname = "prevo-tools";
version = "0.2";
src = fetchFromGitHub {
owner = "bpeel";
repo = "prevodb";
rev = version;
sha256 = "1fyrc4g9qdq04nxs4g8x0krxfani5xady6v9m0qfqpbh4xk2ry2d";
};
nativeBuildInputs = [ autoreconfHook pkg-config installShellFiles ];
buildInputs = [ glib expat ];
postInstall = ''
installShellCompletion --bash $out/etc/bash_completion.d/prevo-completion
'';
meta = with stdenv.lib; {
description =
"CLI tools for the offline version of the Esperanto dictionary Reta Vortaro";
longDescription = ''
PReVo is the "portable" ReVo, i.e., the offline version
of the Esperanto dictionary Reta Vortaro.
This package provides the command line application prevo to query a local
ReVo database, as well as the command line tool revodb to create such a
database for this application or for the Android app of the same name.
'';
homepage = "https://github.com/bpeel/prevodb";
license = licenses.gpl2Only;
maintainers = [ maintainers.das-g ];
platforms = platforms.linux;
};
}

View File

@ -3,20 +3,21 @@
, lib
, makeWrapper
, ncurses
, stdenv
}:
buildGoModule rec {
pname = "wtf";
version = "0.31.0";
version = "0.32.0";
src = fetchFromGitHub {
owner = "wtfutil";
repo = pname;
rev = "v${version}";
sha256 = "07ngk83p753w9qxm8bvw6n5vk0zldn14yv08d900sxny8cg2h0rb";
sha256 = "1055shnf716ga46wwcaffdpgc1glr8vrqrbs2sqbkr3wjan6n0nw";
};
vendorSha256 = "09iy148pnbdrzjj2j50lbd8s9mkv7vggrx77mj88p1gnqclz3lip";
vendorSha256 = "0l1q29mdb13ir7n1x65jfnrmy1lamlsa6hm2jagf6yjbm6wf1kw4";
doCheck = false;
@ -37,5 +38,6 @@ buildGoModule rec {
license = licenses.mpl20;
maintainers = with maintainers; [ kalbasit ];
platforms = platforms.linux ++ platforms.darwin;
broken = stdenv.isDarwin;
};
}

View File

@ -2,16 +2,16 @@
rustPlatform.buildRustPackage rec {
pname = "zola";
version = "0.12.1";
version = "0.12.2";
src = fetchFromGitHub {
owner = "getzola";
repo = pname;
rev = "v${version}";
sha256 = "00fkcrr40v93z23h3q2wqlfx0120g59j6j9szk8nx9x85i40j3if";
sha256 = "sha256:0fb227kgani32ljnw73a0h5zn5361z5lraf79y34a0chcby2qv35";
};
cargoSha256 = "1wdypyy787dzdq5q64a9mjfygg0kli49yjzw7xh66sjd7263w9fs";
cargoSha256 = "sha256:0ilfr32zcajag05qcpwi5ixz250s427i4xrjf4wrk7qy32bblnr5";
nativeBuildInputs = [ cmake pkg-config ];
buildInputs = [ openssl oniguruma ]
@ -32,6 +32,6 @@ rustPlatform.buildRustPackage rec {
description = "A fast static site generator with everything built-in";
homepage = "https://www.getzola.org/";
license = licenses.mit;
maintainers = with maintainers; [ dywedir ];
maintainers = with maintainers; [ dywedir _0x4A6F ];
};
}

View File

@ -21,8 +21,9 @@
, pulseaudioSupport ? stdenv.isLinux, libpulseaudio
, ffmpegSupport ? true
, gtk3Support ? true, gtk2, gtk3, wrapGAppsHook
, waylandSupport ? true, libxkbcommon, pipewire
, waylandSupport ? true, libxkbcommon
, gssSupport ? true, kerberos
, pipewireSupport ? waylandSupport && webrtcSupport, pipewire
## privacy-related options
@ -69,6 +70,7 @@
}:
assert stdenv.cc.libc or null != null;
assert pipewireSupport -> !waylandSupport || !webrtcSupport -> throw "pipewireSupport requires both wayland and webrtc support.";
let
flag = tf: x: [(if tf then "--enable-${x}" else "--disable-${x}")];
@ -84,6 +86,7 @@ let
execdir = if stdenv.isDarwin
then "/Applications/${binaryNameCapitalized}.app/Contents/MacOS"
else "/bin";
in
stdenv.mkDerivation ({
@ -94,12 +97,12 @@ stdenv.mkDerivation ({
patches = [
./env_var_for_system_dir.patch
] ++ lib.optional pipewireSupport
(fetchpatch {
# https://src.fedoraproject.org/rpms/firefox/blob/master/f/firefox-pipewire-0-3.patch
url = "https://src.fedoraproject.org/rpms/firefox/raw/e99b683a352cf5b2c9ff198756859bae408b5d9d/f/firefox-pipewire-0-3.patch";
sha256 = "0qc62di5823r7ly2lxkclzj9rhg2z7ms81igz44nv0fzv3dszdab";
})
]
++ patches;
@ -128,7 +131,8 @@ stdenv.mkDerivation ({
++ lib.optional pulseaudioSupport libpulseaudio # only headers are needed
++ lib.optional gtk3Support gtk3
++ lib.optional gssSupport kerberos
++ lib.optionals waylandSupport [ libxkbcommon pipewire ]
++ lib.optionals waylandSupport [ libxkbcommon ]
++ lib.optionals pipewireSupport [ pipewire ]
++ lib.optionals stdenv.isDarwin [ CoreMedia ExceptionHandling Kerberos
AVFoundation MediaToolbox CoreLocation
Foundation libobjc AddressBook cups ];
@ -142,8 +146,10 @@ stdenv.mkDerivation ({
postPatch = ''
rm -rf obj-x86_64-pc-linux-gnu
# needed for enabling webrtc+pipewire
'' + lib.optionalString pipewireSupport ''
# substitute the /usr/include/ lines for the libraries that pipewire provides.
# The patch we pick from fedora only contains the generated moz.build files
# which hardcode the dependency paths instead of running pkg_config.
substituteInPlace \
media/webrtc/trunk/webrtc/modules/desktop_capture/desktop_capture_generic_gn/moz.build \
--replace /usr/include ${pipewire.dev}/include

View File

@ -2,7 +2,7 @@
, pkgconfig, autoconf213, alsaLib, bzip2, cairo
, dbus, dbus-glib, ffmpeg_3, file, fontconfig, freetype
, gnome2, gnum4, gtk2, hunspell, libevent, libjpeg
, libnotify, libstartup_notification, makeWrapper
, libnotify, libstartup_notification, wrapGAppsHook
, libGLU, libGL, perl, python2, libpulseaudio
, unzip, xorg, wget, which, yasm, zip, zlib
@ -16,13 +16,13 @@ let
in stdenv.mkDerivation rec {
pname = "palemoon";
version = "28.13.0";
version = "28.14.2";
src = fetchFromGitHub {
owner = "MoonchildProductions";
repo = "Pale-Moon";
rev = "${version}_Release";
sha256 = "1lza6239kb32wnwd9cwddn11npg1qx7p69l7qy63h9c59w29iypa";
sha256 = "1qz2sqc8rcg5z5kncabgmpl6v4i6wrs9dlgmna69255qrmsshwgm";
fetchSubmodules = true;
};
@ -42,7 +42,7 @@ in stdenv.mkDerivation rec {
'';
nativeBuildInputs = [
desktop-file-utils file gnum4 makeWrapper perl pkgconfig python2 wget which
desktop-file-utils file gnum4 perl pkgconfig python2 wget which wrapGAppsHook
];
buildInputs = [
@ -126,9 +126,15 @@ in stdenv.mkDerivation rec {
size=$n"x"$n
install -Dm644 $src/palemoon/branding/official/$iconname.png $out/share/icons/hicolor/$size/apps/palemoon.png
done
'';
wrapProgram $out/lib/palemoon-${version}/palemoon \
dontWrapGApps = true;
preFixup = ''
gappsWrapperArgs+=(
--prefix LD_LIBRARY_PATH : "${libPath}"
)
wrapGApp $out/lib/palemoon-${version}/palemoon
'';
meta = with lib; {

View File

@ -90,7 +90,7 @@ in stdenv.mkDerivation rec {
description = "A Browser for our Friends, powerful and personal";
homepage = "https://vivaldi.com";
license = licenses.unfree;
maintainers = with maintainers; [ otwieracz nequissimus badmutex ];
maintainers = with maintainers; [ otwieracz badmutex ];
platforms = [ "x86_64-linux" ];
};
}

View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "pidgin-skypeweb";
version = "1.6";
version = "1.7";
src = fetchFromGitHub {
owner = "EionRobb";
repo = "skype4pidgin";
rev = version;
sha256 = "1q3m8hyr77mxm4y0zify2xhjp9d8y4pgwvqyfly4zcpmyd2argi1";
sha256 = "11snyrjhm58gjvdmr5h5ajii3ah4a7c8zw3cavjv9xnnwrpfm5rb";
};
setSourceRoot = ''

View File

@ -22,13 +22,13 @@ let
pname = "wire-desktop";
version = {
x86_64-darwin = "3.19.3799";
x86_64-linux = "3.19.2928";
x86_64-darwin = "3.20.3912";
x86_64-linux = "3.20.2934";
}.${system} or throwSystem;
sha256 = {
x86_64-darwin = "1sv8n4g1pd4nwpwsg0m61zhrfjlh7sj29rnh46xjw1qg332g6cw9";
x86_64-linux = "038h1j59qfj5ckaxk823qpfflxay47v0jrqc0hmrdmnd2y59dpx7";
x86_64-darwin = "1crkdqzq3iccxbrqlrar4ai43qzjsgd4hvcajgzmz2y33f30xgqr";
x86_64-linux = "0z6vrhzrhrrnl3swjbxrbl1dhk2fx86s45n2z2in2shdlv08dcx7";
}.${system} or throwSystem;
meta = with stdenv.lib; {

View File

@ -5,12 +5,12 @@
let
pname = "zulip";
version = "5.4.0";
version = "5.4.3";
name = "${pname}-${version}";
src = fetchurl {
url = "https://github.com/zulip/zulip-desktop/releases/download/v${version}/Zulip-${version}-x86_64.AppImage";
sha256 = "14p0nly144rivd9yk273asfjza5p9qncpbmh4qxnd4gq01f98igh";
sha256 = "0yd4g87kcwiy1arx3y2nyb7lq1nlh4cn87762k2sd8n4s9i52c7r";
name="${pname}-${version}.AppImage";
};

View File

@ -1,36 +1,30 @@
{ stdenv, lib, fetchFromGitHub, fetchpatch, libiconv, ruby ? null }:
{ stdenv, lib, fetchFromGitHub, installShellFiles, libiconv, ruby ? null }:
stdenv.mkDerivation rec {
pname = "mblaze";
version = "0.5.1";
version = "1.0";
nativeBuildInputs = [ installShellFiles ];
buildInputs = [ ruby ] ++ lib.optionals stdenv.isDarwin [ libiconv ];
src = fetchFromGitHub {
owner = "chneukirchen";
owner = "leahneukirchen";
repo = "mblaze";
rev = "v${version}";
sha256 = "11x548dl2jy9cmgsakqrzfdq166whhk4ja7zkiaxrapkjmkf6pbh";
sha256 = "0hxy3mjjv4hg856sl1r15fdmqaw4s9c26b3lidsd5x0kpqy601ai";
};
patches = [
(fetchpatch {
url = "https://github.com/leahneukirchen/mblaze/commit/53151f4f890f302291eb8d3375dec4f8ecb66ed7.patch";
sha256 = "1mcyrh053iiyzdhgm09g5h3a77np496whnc7jr4agpk1nkbcpfxc";
})
];
makeFlags = [ "PREFIX=$(out)" ];
postInstall = ''
install -Dm644 -t $out/share/zsh/site-functions contrib/_mblaze
installShellCompletion contrib/_mblaze
'' + lib.optionalString (ruby != null) ''
install -Dt $out/bin contrib/msuck contrib/mblow
'';
meta = with lib; {
homepage = "https://github.com/chneukirchen/mblaze";
description = "Unix utilities to deal with Maildir";
homepage = "https://github.com/leahneukirchen/mblaze";
description = "Unix utilities for processing and interacting with mail messages which are stored in maildir folders";
license = licenses.cc0;
platforms = platforms.all;
maintainers = [ maintainers.ajgrf ];

View File

@ -12,7 +12,7 @@
with stdenv.lib;
stdenv.mkDerivation rec {
version = "0.30.1c80020";
version = "0.31";
pname = "notmuch";
passthru = {
@ -22,8 +22,8 @@ stdenv.mkDerivation rec {
src = fetchgit {
url = "https://git.notmuchmail.org/git/notmuch";
sha256 = "0xj944c4ayps1bg21pksjih3y9v6lb34dd582df14i14q0yzji51";
rev = "1c80020e701c7323de137c0616fc8864443d7bd3";
sha256 = "0f9d9k9avb46yh2r8fvijvw7bryqwckvyzc68f9phax2g4c99x4x";
rev = version;
};
nativeBuildInputs = [

View File

@ -0,0 +1,80 @@
{ stdenv, buildFHSUserEnv, fetchurl, makeWrapper, makeDesktopItem, libxslt, atk
, fontconfig, freetype, gdk-pixbuf, glib, gtk2, libudev0-shim, libxml2
, pango, pixman, libX11, libXext, libXinerama, libXrandr , libXrender
, libXtst, libXcursor, libXi, libxkbfile , libXScrnSaver, zlib, liberation_ttf
, libtiff, dbus, at-spi2-atk, harfbuzz, gtk3-x11, libuuid, pcsclite
}:
let
version = "2006";
sysArch =
if stdenv.hostPlatform.system == "x86_64-linux" then "x64"
else throw "Unsupported system: ${stdenv.hostPlatform.system}";
# The downloaded archive also contains i386 and ARM binaries, but these have not been tested.
vmwareHorizonClientFiles = stdenv.mkDerivation {
name = "vmwareHorizonClientFiles";
inherit version;
src = fetchurl {
url = https://download3.vmware.com/software/view/viewclients/CART21FQ2/vmware-view-client-linux-2006-8.0.0-16522670.tar.gz;
sha256 = "8c46d49fea42f8c1f7cf32a5f038f5a47d2b304743b1e4f4c68c658621b0e79c";
};
buildInputs = [ makeWrapper ];
installPhase = ''
mkdir ext $out
find ${sysArch} -type f -print0 | xargs -0n1 tar -Cext --strip-components=1 -xf
mv ext/bin ext/lib ext/share "$out"/
# Horizon includes a copy of libstdc++ which is loaded via $LD_LIBRARY_PATH
# when it cannot detect a new enough version already present on the system.
# The checks are distribution-specific and do not function correctly on NixOS.
# Deleting the bundled library is the simplest way to force it to use our version.
rm -f "$out/lib/vmware/gcc/libstdc++.so.6"
# Force the default GTK theme (Adwaita) because Horizon is prone to
# UI usability issues when using non-default themes, such as Adwaita-dark.
makeWrapper "$out/bin/vmware-view" "$out/bin/vmware-view_wrapper" \
--set GTK_THEME Adwaita \
--suffix LD_LIBRARY_PATH : "$out/lib/vmware/view/crtbora:$out/lib/vmware"
'';
};
vmwareFHSUserEnv = buildFHSUserEnv {
name = "vmware-view";
runScript = "${vmwareHorizonClientFiles}/bin/vmware-view_wrapper";
targetPkgs = pkgs: [
pcsclite dbus vmwareHorizonClientFiles atk fontconfig freetype gdk-pixbuf glib gtk2
libudev0-shim libxml2 pango pixman liberation_ttf libX11 libXext libXinerama
libXrandr libXrender libXtst libXcursor libXi libxkbfile at-spi2-atk libXScrnSaver
zlib libtiff harfbuzz gtk3-x11 libuuid
];
};
desktopItem = makeDesktopItem {
name = "vmware-view";
desktopName = "VMware Horizon Client";
icon = "${vmwareHorizonClientFiles}/share/icons/vmware-view.png";
exec = "${vmwareFHSUserEnv}/bin/vmware-view %u";
mimeType = "x-scheme-handler/vmware-view";
};
in stdenv.mkDerivation {
name = "vmware-view";
dontUnpack = true;
installPhase = ''
mkdir -p $out/bin $out/share/applications
cp "${desktopItem}"/share/applications/* $out/share/applications/
ln -s "${vmwareFHSUserEnv}/bin/vmware-view" "$out/bin/"
'';
meta = with stdenv.lib; {
description = "Allows you to connect to your VMware Horizon virtual desktop";
homepage = "https://www.vmware.com/go/viewclients";
license = licenses.unfree;
platforms = platforms.linux;
maintainers = with maintainers; [ buckley310 ];
};
}

View File

@ -3,17 +3,17 @@
let
common = { stname, target, postInstall ? "" }:
buildGoModule rec {
version = "1.9.0";
version = "1.10.0";
name = "${stname}-${version}";
src = fetchFromGitHub {
owner = "syncthing";
repo = "syncthing";
rev = "v${version}";
sha256 = "1p5wmcmv72hbd3dap9hqv4ryarsj8ljn833x9mcfgh8ff4k25qwr";
sha256 = "0wi8k248qr80vscb5qwh2ygiyy2am9hh6a8c1il1h2702ch2cd45";
};
vendorSha256 = "1mwjfv0l2n21srxsh8w18my2j8diim91jlg00ailiq9fwnvxxn8c";
vendorSha256 = "0as1kn7bpgp5b82pf1bgr23az1qq8x85zr2zwgqsx57yjbc18658";
doCheck = false;
@ -45,6 +45,7 @@ let
meta = with lib; {
homepage = "https://syncthing.net/";
description = "Open Source Continuous File Synchronization";
changelog = "https://github.com/syncthing/syncthing/releases/tag/v${version}";
license = licenses.mpl20;
maintainers = with maintainers; [ pshendry joko peterhoeg andrew-d ];
platforms = platforms.unix;

View File

@ -13,11 +13,11 @@ with stdenv.lib;
stdenv.mkDerivation rec {
pname = "znc";
version = "1.8.1";
version = "1.8.2";
src = fetchurl {
url = "https://znc.in/releases/archive/${pname}-${version}.tar.gz";
sha256 = "0hb1v167aa6gv5bcwz352l6b8gnd74ymjw92y4x882l099hzg59i";
sha256 = "03fyi0j44zcanj1rsdx93hkdskwfvhbywjiwd17f9q1a7yp8l8zz";
};
nativeBuildInputs = [ pkgconfig ];

View File

@ -1,20 +1,25 @@
{ stdenv, fetchFromGitHub, xen_4_10 }:
{ stdenv
, fetchFromGitHub
, xen_4_10
}:
stdenv.mkDerivation rec {
pname = "qubes-core-vchan-xen";
version = "4.1.2";
version = "4.1.4";
src = fetchFromGitHub {
owner = "QubesOS";
repo = pname;
rev = "v${version}";
sha256 = "1wj4vv8nkzzig52r2nzkd4jy0cwznfkyddx379hfsdl4pzsp55mj";
sha256 = "sha256:02l1vs5c2jfw22gxvl2fb66m0d99n8ya1i7rphsb5cxsljvxary0";
};
buildInputs = [ xen_4_10 ];
buildPhase = ''
make all PREFIX=/
make all PREFIX=/ LIBDIR="$out/lib" INCLUDEDIR="$out/include"
'';
installPhase = ''
make install DESTDIR=$out PREFIX=/
'';
@ -26,4 +31,5 @@ stdenv.mkDerivation rec {
maintainers = with maintainers; [ _0x4A6F ];
platforms = platforms.linux;
};
}

View File

@ -1,6 +1,6 @@
{ stdenv, fetchFromGitHub, qt4, qmake4Hook, libpulseaudio }:
let
version = "1.1.8";
version = "1.1.9";
in
stdenv.mkDerivation {
pname = "multimon-ng";
@ -10,7 +10,7 @@ stdenv.mkDerivation {
owner = "EliasOenal";
repo = "multimon-ng";
rev = version;
sha256 = "1973xfyvzl1viz19zr83cgqlx5laxbjrca35rqabn6dlb6xb5xk8";
sha256 = "01716cfhxfzsab9zjply9giaa4nn4b7rm3p3vizrwi7n253yiwm2";
};
buildInputs = [ qt4 libpulseaudio ];

View File

@ -2,7 +2,7 @@
stdenv.mkDerivation rec {
pname = "EZminc";
name = "${pname}-unstable-2019-03-12";
version = "unstable-2019-03-12";
src = fetchFromGitHub {
owner = "BIC-MNI";
@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ cmake pkgconfig ];
buildInputs = [ itk4 libminc bicpl fftwFloat gsl ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/"
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/cmake"
"-DEZMINC_BUILD_TOOLS=TRUE"
"-DEZMINC_BUILD_MRFSEG=TRUE"
"-DEZMINC_BUILD_DD=TRUE" ];

View File

@ -4,20 +4,20 @@
stdenv.mkDerivation rec {
pname = "N3";
name = "${pname}-2017-09-18";
version = "unstable-2018-08-09";
src = fetchFromGitHub {
owner = "BIC-MNI";
repo = pname;
rev = "2fdd939f0f2b24a4039bc6a8ade4a190a1d8e75d";
sha256 = "13z21c4r09hna3q1csvcn4i7ws5ixbdaja6ch421xv6nydjh2w5g";
rev = "010fc2ac58ce1d67b8e6a863fac0809d3203cb9b";
sha256 = "06hci7gzhy8p34ggvx7gah2k9yxpwhgmq1cgw8pcd1r82g4rg6kd";
};
nativeBuildInputs = [ cmake makeWrapper ];
buildInputs = [ libminc EBTKS ];
propagatedBuildInputs = with perlPackages; [ perl MNI-Perllib GetoptTabular ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/" "-DEBTKS_DIR=${EBTKS}/lib/" ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/cmake" "-DEBTKS_DIR=${EBTKS}/lib/" ];
postFixup = ''
for p in $out/bin/*; do
@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
'';
meta = with stdenv.lib; {
homepage = "https://github.com/BIC-MNI/${pname}";
homepage = "https://github.com/BIC-MNI/N3";
description = "MRI non-uniformity correction for MINC files";
maintainers = with maintainers; [ bcdarwin ];
platforms = platforms.unix;

View File

@ -3,7 +3,7 @@
stdenv.mkDerivation rec {
pname = "conglomerate";
name = "${pname}-2017-09-10";
version = "unstable-2017-09-10";
src = fetchFromGitHub {
owner = "BIC-MNI";
@ -16,7 +16,10 @@ stdenv.mkDerivation rec {
buildInputs = [ libminc zlib bicpl ];
propagatedBuildInputs = [ coreutils minc_tools ] ++ (with perlPackages; [ perl GetoptTabular MNI-Perllib ]);
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/" "-DBICPL_DIR=${bicpl}/lib/" ];
cmakeFlags = [
"-DLIBMINC_DIR=${libminc}/lib/cmake"
"-DBICPL_DIR=${bicpl}/lib"
];
postFixup = ''
for p in $out/bin/*; do

View File

@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
buildInputs = [ libminc EBTKS ];
propagatedBuildInputs = with perlPackages; [ perl GetoptTabular MNI-Perllib ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/" "-DEBTKS_DIR=${EBTKS}/lib/" ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/cmake" "-DEBTKS_DIR=${EBTKS}/lib/" ];
postFixup = ''
for p in $out/bin/*; do

View File

@ -3,28 +3,20 @@
stdenv.mkDerivation rec {
pname = "minc-tools";
version = "unstable-2019-12-04";
version = "unstable-2020-07-25";
src = fetchFromGitHub {
owner = "BIC-MNI";
repo = pname;
rev = "d4dddfdb4e4fa0cea389b8fdce51cfc076565d94";
sha256 = "1wwdss59qq4hz1jp35qylfswzzv0d37if23al0srnxkkgc5f8zng";
rev = "fb0a68a07d281e4e099c5d54df29925240de14c1";
sha256 = "0zcv2sdj3k6k0xjqdq8j5bxq8smm48dzai90vwsmz8znmbbm6kvw";
};
patches = [ ./fix-netcdf-header.patch ];
# add missing CMake module to build NIFTI support
# (the maintainers normally build libminc and minc-tools in a meta-project)
postPatch = ''
cp ${libminc.src}/cmake-modules/FindNIFTI.cmake cmake-modules
'';
nativeBuildInputs = [ cmake flex bison makeWrapper ];
buildInputs = [ libminc libjpeg nifticlib zlib ];
propagatedBuildInputs = [ perl TextFormat ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/"
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/cmake"
"-DZNZ_INCLUDE_DIR=${nifticlib}/include/nifti"
"-DNIFTI_INCLUDE_DIR=${nifticlib}/include/nifti" ];

View File

@ -1,12 +0,0 @@
diff --git a/progs/mincdump/mincdump.h b/progs/mincdump/mincdump.h
index 14c95cd..117ab26 100644
--- a/progs/mincdump/mincdump.h
+++ b/progs/mincdump/mincdump.h
@@ -3,6 +3,7 @@
* See netcdf/COPYRIGHT file for copying and redistribution conditions.
* $Header: /private-cvsroot/minc/progs/mincdump/mincdump.h,v 1.1 2004-04-27 15:35:15 bert Exp $
*********************************************************************/
+#include <netcdf_meta.h>
/* error checking macro */

View File

@ -2,7 +2,7 @@
stdenv.mkDerivation rec {
pname = "mni_autoreg";
name = "${pname}-2017-09-22";
version = "unstable-2017-09-22";
src = fetchFromGitHub {
owner = "BIC-MNI";
@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
buildInputs = [ libminc ];
propagatedBuildInputs = with perlPackages; [ perl GetoptTabular MNI-Perllib ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/" ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/cmake" ];
# testing broken: './minc_wrapper: Permission denied' from Testing/ellipse0.mnc
postFixup = ''

View File

@ -2,16 +2,16 @@
buildGoModule rec {
pname = "gh";
version = "1.0.0";
version = "1.1.0";
src = fetchFromGitHub {
owner = "cli";
repo = "cli";
rev = "v${version}";
sha256 = "10ixjrb56ddqxla7mfxqnf74zissjx66akcyvgl9xfmww0bvg64x";
sha256 = "1jf1y6135p30dlr42fnl0w7782fczizq8yya4bsd6xf66bcq0zzn";
};
vendorSha256 = "079zbm57xfcskwhsfj1x0c0lg6ip6c6dbk8hfwrzkpy8gfs2ysmr";
vendorSha256 = "12ka5x5m4h8dfpcdhfjc5lz6bm8pzfqkbhs9j3a8w08xsi93dvdz";
nativeBuildInputs = [ installShellFiles ];

View File

@ -189,7 +189,7 @@ rec {
homepage = "https://www.docker.com/";
description = "An open source project to pack, ship and run any application as a lightweight container";
license = licenses.asl20;
maintainers = with maintainers; [ nequissimus offline tailhook vdemeester periklis ];
maintainers = with maintainers; [ offline tailhook vdemeester periklis ];
platforms = with platforms; linux ++ darwin;
};
});

View File

@ -0,0 +1,52 @@
{ stdenv, fetchFromGitHub
, meson, ninja, pkg-config, wayland, scdoc, makeWrapper
, wlroots, wayland-protocols, pixman, libxkbcommon
, cairo , pango, fontconfig, pandoc, systemd
, withXwayland ? true, xwayland
, nixosTests
}:
stdenv.mkDerivation rec {
pname = "cagebreak";
version = "1.4.2";
src = fetchFromGitHub {
owner = "project-repo";
repo = "cagebreak";
rev = version;
hash = "sha256-+Ww1rsUR7qe/BixLPR8GiRc3C6QmpLzWpT2wym8b4/M=";
};
nativeBuildInputs = [ meson ninja pkg-config wayland scdoc makeWrapper ];
buildInputs = [
wlroots wayland wayland-protocols pixman libxkbcommon cairo
pango fontconfig pandoc systemd
];
outputs = [ "out" "contrib" ];
mesonFlags = [
"-Dxwayland=${stdenv.lib.boolToString withXwayland}"
"-Dversion_override=${version}"
];
postInstall = ''
mkdir -p $contrib/share/cagebreak
cp $src/examples/config $contrib/share/cagebreak/config
'';
postFixup = stdenv.lib.optionalString withXwayland ''
wrapProgram $out/bin/cagebreak --prefix PATH : "${xwayland}/bin"
'';
passthru.tests.basic = nixosTests.cagebreak;
meta = with stdenv.lib; {
description = "A Wayland tiling compositor inspired by ratpoison";
homepage = "https://github.com/project-repo/cagebreak";
license = licenses.mit;
platforms = platforms.linux;
maintainers = with maintainers; [ berbiche ];
};
}

View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "flat-remix-icon-theme";
version = "20200116";
version = "20200710";
src = fetchFromGitHub {
owner = "daniruiz";
repo = "flat-remix";
rev = version;
sha256 = "14n5wydhd5ifmsbj770s2qg2ksd3xa3m61qxydid6jq39k0lxbd8";
sha256 = "0rlrmgimvs9rrj64g5jn04jgyi7wmn2dnsk7ckmxk6p8cdfjd0hx";
};
nativeBuildInputs = [

View File

@ -1,4 +1,4 @@
{ stdenv, lib, fetchFromGitHub, gnome3 }:
{ stdenv, lib, fetchFromGitHub, gnome3, fetchpatch }:
stdenv.mkDerivation rec {
pname = "gnome-shell-extension-material-shell";
@ -11,6 +11,15 @@ stdenv.mkDerivation rec {
sha256 = "076cv1l5qr5x71przjwvbzx0m91n4z0byc2gc3r48l8vsr2d0hwf";
};
patches = [
# Fix for https://github.com/material-shell/material-shell/issues/284
# (Remove this patch when updating to version >= 8)
(fetchpatch {
url = "https://github.com/material-shell/material-shell/commit/fc27489a1ec503a4a5c7cb2f4e1eefa84a7ea2f1.patch";
sha256 = "0x2skg955c4jqgwbkfhk7plm8bh1qnk66cdds796bzkp3hb5syw8";
})
];
# This package has a Makefile, but it's used for building a zip for
# publication to extensions.gnome.org. Disable the build phase so
# installing doesn't build an unnecessary release.

File diff suppressed because it is too large Load Diff

View File

@ -1,53 +1,107 @@
{ stdenv, fetchurl, makeWrapper
{ stdenv, lib, fetchurl, makeWrapper, writeText
, fpc, gtk2, glib, pango, atk, gdk-pixbuf
, libXi, xorgproto, libX11, libXext
, gdb, gnumake, binutils
, withQt ? false, qtbase ? null, libqt5pas ? null, wrapQtAppsHook ? null
}:
# TODO:
# 1. the build date is embedded in the binary through `$I %DATE%` - we should dump that
let
version = "2.0.10-2";
# as of 2.0.10 a suffix is being added. That may or may not disappear and then
# come back, so just leave this here.
majorMinorPatch = v:
builtins.concatStringsSep "." (lib.take 3 (lib.splitVersion v));
overrides = writeText "revision.inc" (lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v:
"const ${k} = '${v}';") {
# this is technically the SVN revision but as we don't have that replace
# it with the version instead of showing "Unknown"
RevisionStr = version;
}));
in
stdenv.mkDerivation rec {
pname = "lazarus";
version = "2.0.8";
pname = "lazarus-${LCL_PLATFORM}";
inherit version;
src = fetchurl {
url = "mirror://sourceforge/lazarus/Lazarus%20Zip%20_%20GZip/Lazarus%20${version}/lazarus-${version}.tar.gz";
sha256 = "1iciqydb0miqdrh89aj59gy7kfcwikkycqssq9djcqsw1ql3gc4h";
url = "mirror://sourceforge/lazarus/Lazarus%20Zip%20_%20GZip/Lazarus%20${majorMinorPatch version}/lazarus-${version}.tar.gz";
sha256 = "sha256-ZNViZGjdJKMzKyBfOr0KWBq33hsGCi1X4hhkBmz9Q7c=";
};
postPatch = ''
cp ${overrides} ide/${overrides.name}
'';
buildInputs = [
# we need gtk2 unconditionally as that is the default target when building applications with lazarus
fpc gtk2 glib libXi xorgproto
libX11 libXext pango atk
stdenv.cc makeWrapper gdk-pixbuf
];
stdenv.cc gdk-pixbuf
]
++ lib.optionals withQt [ libqt5pas qtbase ];
nativeBuildInputs = [
makeWrapper
] ++ lib.optional withQt wrapQtAppsHook;
makeFlags = [
"FPC=fpc"
"PP=fpc"
"LAZARUS_INSTALL_DIR=${placeholder "out"}/share/lazarus/"
"INSTALL_PREFIX=${placeholder "out"}/"
"REQUIRE_PACKAGES+=tachartlazaruspkg"
"bigide"
];
LCL_PLATFORM = if withQt then "qt5" else "gtk2";
NIX_LDFLAGS = lib.concatStringsSep " " ([
"-L${stdenv.cc.cc.lib}/lib"
"-lX11"
"-lXext"
"-lXi"
"-latk-1.0"
"-lc"
"-lcairo"
"-lgcc_s"
"-lgdk-x11-2.0"
"-lgdk_pixbuf-2.0"
"-lglib-2.0"
"-lgtk-x11-2.0"
"-lpango-1.0"
]
++ lib.optionals withQt [
"-L${lib.getLib libqt5pas}/lib"
"-lQt5Pas"
]);
preBuild = ''
export makeFlags="$makeFlags LAZARUS_INSTALL_DIR=$out/share/lazarus/ INSTALL_PREFIX=$out/"
export NIX_LDFLAGS="$NIX_LDFLAGS -L${stdenv.cc.cc.lib}/lib -lXi -lX11 -lglib-2.0 -lgtk-x11-2.0 -lgdk-x11-2.0 -lc -lXext -lpango-1.0 -latk-1.0 -lgdk_pixbuf-2.0 -lcairo -lgcc_s"
export LCL_PLATFORM=gtk2
mkdir -p $out/share "$out/lazarus"
tar xf ${fpc.src} --strip-components=1 -C $out/share -m
sed -e 's@/usr/fpcsrc@'"$out/share/fpcsrc@" -i ide/include/unix/lazbaseconf.inc
substituteInPlace ide/include/unix/lazbaseconf.inc \
--replace '/usr/fpcsrc' "$out/share/fpcsrc"
'';
postInstall = ''
wrapProgram $out/bin/startlazarus --prefix NIX_LDFLAGS ' ' \
"$(echo "$NIX_LDFLAGS" | sed -re 's/-rpath [^ ]+//g')" \
--prefix NIX_LDFLAGS_${binutils.suffixSalt} ' ' \
"$(echo "$NIX_LDFLAGS" | sed -re 's/-rpath [^ ]+//g')" \
postInstall = let
ldFlags = ''$(echo "$NIX_LDFLAGS" | sed -re 's/-rpath [^ ]+//g')'';
in ''
wrapProgram $out/bin/startlazarus \
--prefix NIX_LDFLAGS ' ' "${ldFlags}" \
--prefix NIX_LDFLAGS_${binutils.suffixSalt} ' ' "${ldFlags}" \
--prefix LCL_PLATFORM ' ' "$LCL_PLATFORM" \
--prefix PATH ':' "${fpc}/bin:${gdb}/bin:${gnumake}/bin:${binutils}/bin"
--prefix PATH ':' "${lib.makeBinPath [ fpc gdb gnumake binutils ]}"
'';
meta = with stdenv.lib; {
description = "Lazarus graphical IDE for FreePascal language";
homepage = "http://www.lazarus.freepascal.org";
description = "Lazarus graphical IDE for the FreePascal language";
homepage = "https://www.lazarus.freepascal.org";
license = licenses.gpl2Plus ;
maintainers = with maintainers; [ raskin ];
platforms = platforms.linux;
maintainers = [ maintainers.raskin ];
};
}

View File

@ -1,6 +1,6 @@
{ stdenv, lazarus, qt5 }:
{ mkDerivation, lib, lazarus, qmake, qtbase, qtx11extras }:
stdenv.mkDerivation {
mkDerivation {
pname = "libqt5pas";
inherit (lazarus) version src;
@ -8,14 +8,14 @@ stdenv.mkDerivation {
postPatch = ''
substituteInPlace Qt5Pas.pro \
--replace "target.path = \$\$[QT_INSTALL_LIBS]" "target.path = $out/lib"
--replace 'target.path = $$[QT_INSTALL_LIBS]' "target.path = $out/lib"
'';
nativeBuildInputs = with qt5; [ qmake ];
nativeBuildInputs = [ qmake ];
buildInputs = with qt5; [ qtbase qtx11extras ];
buildInputs = [ qtbase qtx11extras ];
meta = with stdenv.lib; {
meta = with lib; {
description = "Free Pascal Qt5 binding library";
homepage = "https://wiki.freepascal.org/Qt5_Interface#libqt5pas";
maintainers = with maintainers; [ sikmir ];

View File

@ -40,7 +40,7 @@ in stdenv.mkDerivation {
homepage = "https://kotlinlang.org/";
license = stdenv.lib.licenses.asl20;
maintainers = with stdenv.lib.maintainers;
[ nequissimus ];
[ ];
platforms = stdenv.lib.platforms.all;
};
}

View File

@ -260,7 +260,7 @@ let
homepage = "http://openjdk.java.net/";
license = licenses.gpl2;
description = "The open-source Java Development Kit";
maintainers = with maintainers; [ edwtjo nequissimus ];
maintainers = with maintainers; [ edwtjo ];
platforms = [ "i686-linux" "x86_64-linux" "aarch64-linux" ];
};

View File

@ -76,7 +76,7 @@ in stdenv.mkDerivation {
Certified builds of OpenJDK that can be deployed across multiple
operating systems, containers, hypervisors and Cloud platforms.
'';
maintainers = with maintainers; [ nequissimus fpletz ];
maintainers = with maintainers; [ fpletz ];
platforms = [ "x86_64-linux" "x86_64-darwin" ];
};
}

View File

@ -73,7 +73,7 @@ in stdenv.mkDerivation {
Certified builds of OpenJDK that can be deployed across multiple
operating systems, containers, hypervisors and Cloud platforms.
'';
maintainers = with maintainers; [ nequissimus fpletz ];
maintainers = with maintainers; [ fpletz ];
platforms = [ "x86_64-linux" "x86_64-darwin" ];
};
}

View File

@ -1,10 +1,10 @@
{ self, callPackage, lib }:
callPackage ./default.nix {
inherit self;
version = "2.0.5-2020-08-09";
rev = "e296f56";
version = "2.0.5-2020-09-27";
rev = "e8ec6fe";
isStable = true;
sha256 = "0g4wvpmmrxj8ir6yi86gg93khy8ri7x4w091jihpxsmn670da21f";
sha256 = "0v7g216j0zrjp32nfjqqxzgxgvgbdx89h3x0djbqg3avsgxjwnbk";
extraMeta = { # this isn't precise but it at least stops the useless Hydra build
platforms = with lib; filter (p: p != "aarch64-linux")
(platforms.linux ++ platforms.darwin);

View File

@ -1,8 +1,8 @@
{ self, callPackage }:
callPackage ./default.nix {
inherit self;
version = "2.1.0-2020-08-27";
rev = "ff1e72a";
version = "2.1.0-2020-09-30";
rev = "e9af1ab";
isStable = false;
sha256 = "0rlh5y48jbxnamr3a5i3szzh7y9ycvq052rw6m82gdhrb1jlamdz";
sha256 = "081vrr4snr1c38cscbq1a8barv7abc9czqqlm4qlbdksa8g32bbj";
}

View File

@ -11,7 +11,7 @@
, enableFFI ? true
, enableJIT ? true
, enableJITDebugModule ? enableJIT
, enableGC64 ? stdenv.hostPlatform.isAarch64
, enableGC64 ? true
, enable52Compat ? false
, enableValgrindSupport ? false
, valgrind ? null

View File

@ -106,7 +106,7 @@ let
name = "php-with-extensions-${version}";
inherit (php) version;
nativeBuildInputs = [ makeWrapper ];
passthru = {
passthru = php.passthru // {
buildEnv = mkBuildEnv allArgs allExtensionFunctions;
withExtensions = mkWithExtensions allArgs allExtensionFunctions;
phpIni = "${phpWithExtensions}/lib/php.ini";
@ -259,6 +259,7 @@ let
passthru = {
buildEnv = mkBuildEnv {} [];
withExtensions = mkWithExtensions {} [];
inherit ztsSupport;
};
meta = with stdenv.lib; {

View File

@ -2,17 +2,17 @@
rustPlatform.buildRustPackage rec {
pname = "wasmtime";
version = "0.19.0";
version = "0.20.0";
src = fetchFromGitHub {
owner = "bytecodealliance";
repo = "${pname}";
rev = "v${version}";
sha256 = "0gb8xk27ych553b7knflbbks9q64m39v40sdirycm6prqfnfrnm8";
sha256 = "01k1fpk2qp4kv0xr4f0xmrjkr98j5ws48r1aks8l80mffs4ynqfr";
fetchSubmodules = true;
};
cargoSha256 = "1dqaxpwfm234yjwrhglzvsqhh2fr5nsx7bpk7bmycyk6lml8vxy7";
cargoSha256 = "0vghcs1nbxlkmw9wfikzb1ndscx7fkmgv5q8dnfcisl05zpkj7si";
nativeBuildInputs = [ python cmake clang ];
buildInputs = [ llvmPackages.libclang ] ++
@ -23,7 +23,7 @@ rustPlatform.buildRustPackage rec {
meta = with lib; {
description = "Standalone JIT-style runtime for WebAssembly, using Cranelift";
homepage = "https://github.com/CraneStation/wasmtime";
homepage = "https://github.com/bytecodealliance/wasmtime";
license = licenses.asl20;
maintainers = [ maintainers.matthewbauer ];
platforms = platforms.unix;

View File

@ -29,7 +29,7 @@ in stdenv.mkDerivation rec {
meta = with stdenv.lib; {
description = "An interface to banking tasks, file formats and country information";
homepage = "http://www2.aquamaniac.de/sites/download/packages.php?package=03&showall=1";
homepage = "https://www.aquamaniac.de/";
hydraPlatforms = [];
license = licenses.gpl2Plus;
maintainers = with maintainers; [ goibhniu ];

View File

@ -10,13 +10,13 @@
stdenv.mkDerivation rec {
pname = "babl";
version = "0.1.80";
version = "0.1.82";
outputs = [ "out" "dev" ];
src = fetchurl {
url = "https://download.gimp.org/pub/babl/${stdenv.lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
sha256 = "13jgq2i1xkbqw9ijy8sy5iabf5jkviqi0wxlpjcm0n22mwwwqp7p";
sha256 = "1iddkwdfw1bmfl6n8y1d4kkm3rb15rzvrfri6a7cnx37mpa96bf6";
};
nativeBuildInputs = [

View File

@ -1,15 +1,15 @@
{ stdenv, fetchFromGitHub, cmake, pkgconfig, ispc, tbb, glfw,
openimageio, libjpeg, libpng, libpthreadstubs, libX11 }:
{ stdenv, lib, fetchFromGitHub, cmake, pkgconfig, ispc, tbb, glfw,
openimageio, libjpeg, libpng, libpthreadstubs, libX11, glib }:
stdenv.mkDerivation rec {
pname = "embree";
version = "3.11.0";
version = "3.12.0";
src = fetchFromGitHub {
owner = "embree";
repo = "embree";
rev = "v${version}";
sha256 = "0v5gqi8jp09xxcbyyknji83412bq4l0w35b6hnrqxycgdrnf7hkr";
sha256 = "1q06fkfww8z8pcnhaqc4d2zi8hn620i9h9dmpnrfy3azalvizhkq";
};
postPatch = ''
@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
sed -i "s|SET(EMBREE_ROOT_DIR .*)|set(EMBREE_ROOT_DIR $out)|" \
common/cmake/embree-config.cmake
sed -i "s|$""{EMBREE_ROOT_DIR}/||" common/cmake/embree-config.cmake
substituteInPlace common/math/math.h --replace 'defined(__MACOSX__) && !defined(__INTEL_COMPILER)' 0
substituteInPlace common/math/math.h --replace 'defined(__WIN32__) || defined(__FreeBSD__)' 'defined(__WIN32__) || defined(__FreeBSD__) || defined(__MACOSX__)'
'';
cmakeFlags = [
@ -24,8 +26,10 @@ stdenv.mkDerivation rec {
"-DEMBREE_RAY_MASK=ON"
];
nativeBuildInputs = [ ispc pkgconfig cmake ];
buildInputs = [ tbb glfw openimageio libjpeg libpng libX11 libpthreadstubs ];
buildInputs = [ tbb glfw openimageio libjpeg libpng libX11 libpthreadstubs ]
++ lib.optionals stdenv.isDarwin [ glib ];
meta = with stdenv.lib; {
description = "High performance ray tracing kernels from Intel";

View File

@ -4,13 +4,13 @@
stdenv.mkDerivation rec {
pname = "libfsm";
version = "0.1pre1905_${builtins.substring 0 8 src.rev}";
version = "0.1pre2442_${builtins.substring 0 8 src.rev}";
src = fetchFromGitHub {
owner = "katef";
repo = pname;
rev = "bd5937fad42b26a86bac1fe3ec49eff73581bd1d";
sha256 = "1q3grbmvjnnvc2sshswbd40cc2j2hnwibmljcqx9jqgda0wd6pgv";
rev = "9c5095f7364fa464efff6c81fad9b60b19dfcc99";
sha256 = "1bs51agvrrwqid0slq2svj2yj7kkjdsnv3xsrk8zmf1jbgza6jrm";
fetchSubmodules = true;
};

View File

@ -2,15 +2,15 @@
stdenv.mkDerivation rec {
pname = "libminc";
version = "2.4.03";
version = "unstable-2020-07-17";
owner = "BIC-MNI";
src = fetchFromGitHub {
inherit owner;
repo = pname;
rev = "release-${version}";
sha256 = "0kpmqs9df836ywsqj749qbsfavf5bnldblxrmnmxqq9pywc8yfrm";
rev = "ffb5fb234a852ea7e8da8bb2b3b49f67acbe56ca";
sha256 = "0yr4ksghpvxh9zg0a4p7hvln3qirsi08plvjp5kxx2qiyj96zsdm";
};
postPatch = ''
@ -18,7 +18,8 @@ stdenv.mkDerivation rec {
'';
nativeBuildInputs = [ cmake ];
buildInputs = [ zlib netcdf nifticlib hdf5 ];
buildInputs = [ zlib nifticlib ];
propagatedBuildInputs = [ netcdf hdf5 ];
cmakeFlags = [
"-DLIBMINC_MINC1_SUPPORT=ON"
@ -29,17 +30,16 @@ stdenv.mkDerivation rec {
doCheck = !stdenv.isDarwin;
checkPhase = ''
export LD_LIBRARY_PATH="$(pwd)" # see #22060
ctest -E 'ezminc_rw_test|minc_conversion' --output-on-failure
# ezminc_rw_test can't find libminc_io.so.5.2.0; minc_conversion hits netcdf compilation issue
ctest -j1 -E 'ezminc_rw_test' --output-on-failure
# -j1: see https://github.com/BIC-MNI/libminc/issues/110
# ezminc_rw_test: can't find libminc_io.so.5.2.0
'';
enableParallelBuilding = true;
meta = with stdenv.lib; {
homepage = "https://github.com/${owner}/${pname}";
homepage = "https://github.com/BIC-MNI/libminc";
description = "Medical imaging library based on HDF5";
maintainers = with maintainers; [ bcdarwin ];
platforms = platforms.unix;
license = licenses.free;
license = licenses.free;
};
}

View File

@ -69,7 +69,7 @@ in {
};
libressl_3_1 = generic {
version = "3.1.3";
sha256 = "184znscbkww65aavy2p4v4xncalp1ni19c2w5yvfq4pnmhb06sy7";
version = "3.1.4";
sha256 = "1dnbbnr43jashxivnafmh9gnn57c7ayva788ba03z633k6f18k21";
};
}

View File

@ -1,41 +1,24 @@
{ stdenv, fetchurl, autoconf, automake, libtool, libX11, xorgproto
, libXi, libXaw, libXmu, libXt }:
let
majorVersion = "1";
minorVersion = "3";
in
{ stdenv, lib, fetchFromGitHub, cmake, libX11, Cocoa, IOKit, Kernel }:
stdenv.mkDerivation rec {
pname = "ois";
version = "${majorVersion}.${minorVersion}";
version = "1.5";
src = fetchurl {
url = "mirror://sourceforge/project/wgois/Source%20Release/${version}/ois_v${majorVersion}-${minorVersion}.tar.gz";
sha256 = "18gs6xxhbqb91x2gm95hh1pmakimqim1k9c65h7ah6g14zc7dyjh";
src = fetchFromGitHub {
owner = "wgois";
repo = "OIS";
rev = "v${version}";
sha256 = "0g8krgq5bdx2rw7ig0xva4kqv4x815672i7z6lljp3n8847wmypa";
};
patches = [
(fetchurl {
url = "http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-games/ois/files/ois-1.3-gcc47.patch";
sha256 = "026jw06n42bcrmg0sbdhzc4cqxsnf7fw30a2z9cigd9x282zhii8";
name = "gcc47.patch";
})
];
nativeBuildInputs = [ cmake ];
patchFlags = [ "-p0" ];
buildInputs = [
autoconf automake libtool libX11 xorgproto libXi libXaw
libXmu libXt
];
preConfigure = "sh bootstrap";
buildInputs = [ libX11 ] ++ lib.optionals stdenv.isDarwin [ Cocoa IOKit Kernel ];
meta = with stdenv.lib; {
description = "Object-oriented C++ input system";
maintainers = [ maintainers.raskin ];
platforms = platforms.linux;
platforms = platforms.unix;
license = licenses.zlib;
};
}

View File

@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "libupnp";
version = "1.12.0";
version = "1.14.0";
src = fetchFromGitHub {
owner = "mrjimenez";
repo = "pupnp";
rev = "release-${version}";
sha256 = "17jhbzx8khz5vbl0lhcipjzgg897p1k2lp5wcc3hiddcfyh05pdj";
sha256 = "1wp9sz2ld4g6ak9v59i3s5mbsraxsphi9k91vw9xgrbzfmg8w0a6";
};
outputs = [ "dev" "out" ];

View File

@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ cmake ];
buildInputs = [ libminc ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/" ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/cmake" ];
meta = with stdenv.lib; {
homepage = "https://github.com/BIC-MNI/${pname}";

View File

@ -2,21 +2,24 @@
stdenv.mkDerivation rec {
pname = "bicgl";
name = "${pname}-2017-09-10";
version = "unstable-2018-04-06";
owner = "BIC-MNI";
src = fetchFromGitHub {
inherit owner;
repo = pname;
rev = "b7f7e52d1039d6202a93d9055f516186033656cc";
rev = "61a035751c9244fcca1edf94d6566fa2a709ce90";
sha256 = "0lzirdi1mf4yl8srq7vjn746sbydz7h0wjh7wy8gycy6hq04qrg4";
};
nativeBuildInputs = [ cmake ];
buildInputs = [ libminc bicpl freeglut mesa_glu ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib" "-DBICPL_DIR=${bicpl}/lib" ];
cmakeFlags = [
"-DLIBMINC_DIR=${libminc}/lib/cmake"
"-DBICPL_DIR=${bicpl}/lib"
];
meta = with stdenv.lib; {
homepage = "https://github.com/${owner}/${pname}";

View File

@ -2,7 +2,7 @@
stdenv.mkDerivation rec {
pname = "bicpl";
name = "${pname}-2017-09-10";
version = "unstable-2017-09-10";
owner = "BIC-MNI";
@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ cmake ];
buildInputs = [ libminc netpbm ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib" ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/cmake" ];
doCheck = false;
# internal_volume_io.h: No such file or directory

View File

@ -2,7 +2,7 @@
stdenv.mkDerivation rec {
pname = "oobicpl";
name = "${pname}-2016-03-02";
version = "unstable-2016-03-02";
owner = "BIC-MNI";
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ cmake ];
buildInputs = [ libminc bicpl arguments pcre-cpp ];
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib"
cmakeFlags = [ "-DLIBMINC_DIR=${libminc}/lib/cmake"
"-DBICPL_DIR=${bicpl}/lib"
"-DARGUMENTS_DIR=${arguments}/lib"
"-DOOBICPL_BUILD_SHARED_LIBS=TRUE" ];

View File

@ -1,15 +1,19 @@
{ gnustep, lib, fetchFromGitHub , libxml2, openssl_1_1
, openldap, mysql, libmysqlclient, postgresql }: with lib; gnustep.stdenv.mkDerivation rec {
, openldap, mysql, libmysqlclient, postgresql }:
with lib;
gnustep.stdenv.mkDerivation rec {
pname = "sope";
version = "5.0.0";
version = "5.0.1";
src = fetchFromGitHub {
owner = "inverse-inc";
repo = pname;
rev = "SOPE-${version}";
sha256 = "sha256-7NM9wcyHDSVmjjqu489Ff3iJgl9VM+UBF3XYWoiHHTg=";
sha256 = "031m8ydr4jhh29332mfbsw0i5d0cjfqfyfs55jm832dlmv4447gb";
};
hardeningDisable = [ "format" ];
nativeBuildInputs = [ gnustep.make ];
buildInputs = flatten ([ gnustep.base libxml2 openssl_1_1 ]
++ optional (openldap != null) openldap

View File

@ -3,7 +3,7 @@
lib.fix (self:
let
version = "1.2.28";
version = "1.2.30";
in
stdenv.mkDerivation {
pname = "xmlsec";
@ -11,7 +11,7 @@ stdenv.mkDerivation {
src = fetchurl {
url = "https://www.aleksey.com/xmlsec/download/xmlsec1-${version}.tar.gz";
sha256 = "1m12caglhyx08g8lh2sl3nkldlpryzdx2d572q73y3m33s0w9vhk";
sha256 = "1j5bf7ni45jghyrbf7a14wx2pvfara557zyry7g7h8840c5kd11d";
};
patches = [
@ -29,6 +29,7 @@ stdenv.mkDerivation {
enableParallelBuilding = true;
doCheck = true;
checkInputs = [ nss.tools ];
# enable deprecated soap headers required by lasso
# https://dev.entrouvert.org/issues/18771

Some files were not shown because too many files have changed in this diff Show More