3
0
Fork 0
forked from mirrors/nixpkgs

Merge branch 'master' into fix-idris-modules

This commit is contained in:
Márton Boros 2018-02-03 10:12:37 +01:00 committed by GitHub
commit e3220fe6b5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2390 changed files with 97060 additions and 66721 deletions

10
.github/CODEOWNERS vendored
View file

@ -12,17 +12,17 @@
# Libraries
/lib @edolstra @nbp
/lib/systems @edolstra @nbp @ericson2314
/lib/systems @nbp @ericson2314
# Nixpkgs Internals
/default.nix @nbp
/pkgs/top-level/default.nix @nbp @Ericson2314
/pkgs/top-level/impure.nix @nbp @Ericson2314
/pkgs/top-level/stage.nix @nbp @Ericson2314
/pkgs/stdenv @edolstra
/pkgs/build-support/cc-wrapper @edolstra @Ericson2314
/pkgs/build-support/bintools-wrapper @edolstra @Ericson2314
/pkgs/build-support/setup-hooks @edolstra @Ericson2314
/pkgs/stdenv
/pkgs/build-support/cc-wrapper @Ericson2314 @orivej
/pkgs/build-support/bintools-wrapper @Ericson2314 @orivej
/pkgs/build-support/setup-hooks @Ericson2314
# NixOS Internals
/nixos/default.nix @nbp

View file

@ -1,4 +1,4 @@
Copyright (c) 2003-2017 Eelco Dolstra and the Nixpkgs/NixOS contributors
Copyright (c) 2003-2018 Eelco Dolstra and the Nixpkgs/NixOS contributors
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the

View file

@ -61,7 +61,7 @@
<listitem>
<para>
The "target platform" attribute is, unlike the other two attributes, not actually fundamental to the process of building software.
Instead, it is only relevant for compatability with building certain specific compilers and build tools.
Instead, it is only relevant for compatibility with building certain specific compilers and build tools.
It can be safely ignored for all other packages.
</para>
<para>
@ -162,7 +162,7 @@
<para>
A runtime dependency between 2 packages implies that between them both the host and target platforms match.
This is directly implied by the meaning of "host platform" and "runtime dependency":
The package dependency exists while both packages are runnign on a single host platform.
The package dependency exists while both packages are running on a single host platform.
</para>
<para>
A build time dependency, however, implies a shift in platforms between the depending package and the depended-on package.
@ -187,7 +187,7 @@
How does this work in practice? Nixpkgs is now structured so that build-time dependencies are taken from <varname>buildPackages</varname>, whereas run-time dependencies are taken from the top level attribute set.
For example, <varname>buildPackages.gcc</varname> should be used at build time, while <varname>gcc</varname> should be used at run time.
Now, for most of Nixpkgs's history, there was no <varname>buildPackages</varname>, and most packages have not been refactored to use it explicitly.
Instead, one can use the four attributes used for specifying dependencies as documented in <xref linkend="ssec-stdenv-attributes"/>.
Instead, one can use the six (<emphasis>gasp</emphasis>) attributes used for specifying dependencies as documented in <xref linkend="ssec-stdenv-dependencies"/>.
We "splice" together the run-time and build-time package sets with <varname>callPackage</varname>, and then <varname>mkDerivation</varname> for each of four attributes pulls the right derivation out.
This splicing can be skipped when not cross compiling as the package sets are the same, but is a bit slow for cross compiling.
Because of this, a best-of-both-worlds solution is in the works with no splicing or explicit access of <varname>buildPackages</varname> needed.
@ -200,6 +200,45 @@
</para></note>
</section>
<section>
<title>Cross packagaing cookbook</title>
<para>
Some frequently problems when packaging for cross compilation are good to just spell and answer.
Ideally the information above is exhaustive, so this section cannot provide any new information,
but its ludicrous and cruel to expect everyone to spend effort working through the interaction of many features just to figure out the same answer to the same common problem.
Feel free to add to this list!
</para>
<qandaset>
<qandaentry>
<question><para>
What if my package's build system needs to build a C program to be run under the build environment?
</para></question>
<answer><para>
<programlisting>depsBuildBuild = [ buildPackages.stdenv.cc ];</programlisting>
Add it to your <function>mkDerivation</function> invocation.
</para></answer>
</qandaentry>
<qandaentry>
<question><para>
My package fails to find <command>ar</command>.
</para></question>
<answer><para>
Many packages assume that an unprefixed <command>ar</command> is available, but Nix doesn't provide one.
It only provides a prefixed one, just as it only does for all the other binutils programs.
It may be necessary to patch the package to fix the build system to use a prefixed `ar`.
</para></answer>
</qandaentry>
<qandaentry>
<question><para>
My package's testsuite needs to run host platform code.
</para></question>
<answer><para>
<programlisting>doCheck = stdenv.hostPlatform != stdenv.buildPlatfrom;</programlisting>
Add it to your <function>mkDerivation</function> invocation.
</para></answer>
</qandaentry>
</qandaset>
</section>
</section>
<!--============================================================-->
@ -214,8 +253,19 @@
or also with <varname>crossSystem</varname>, in which case packages run on the latter, but all building happens on the former.
Both parameters take the same schema as the 3 (build, host, and target) platforms defined in the previous section.
As mentioned above, <literal>lib.systems.examples</literal> has some platforms which are used as arguments for these parameters in practice.
You can use them programmatically, or on the command line like <command>nix-build &lt;nixpkgs&gt; --arg crossSystem '(import &lt;nixpkgs/lib&gt;).systems.examples.fooBarBaz'</command>.
You can use them programmatically, or on the command line: <programlisting>
nix-build &lt;nixpkgs&gt; --arg crossSystem '(import &lt;nixpkgs/lib&gt;).systems.examples.fooBarBaz' -A whatever</programlisting>
</para>
<note>
<para>
Eventually we would like to make these platform examples an unnecessary convenience so that <programlisting>
nix-build &lt;nixpkgs&gt; --arg crossSystem.config '&lt;arch&gt;-&lt;os&gt;-&lt;vendor&gt;-&lt;abi&gt;' -A whatever</programlisting>
works in the vast majority of cases.
The problem today is dependencies on other sorts of configuration which aren't given proper defaults.
We rely on the examples to crudely to set those configuration parameters in some vaguely sane manner on the users behalf.
Issue <link xlink:href="https://github.com/NixOS/nixpkgs/issues/34274">#34274</link> tracks this inconvenience along with its root cause in crufty configuration options.
</para>
</note>
<para>
While one is free to pass both parameters in full, there's a lot of logic to fill in missing fields.
As discussed in the previous section, only one of <varname>system</varname>, <varname>config</varname>, and <varname>parsed</varname> is needed to infer the other two.

View file

@ -581,8 +581,8 @@ nix-shell "<nixpkgs>" -A haskellPackages.bar.env
Every Haskell package set takes a function called `overrides` that you can use
to manipulate the package as much as you please. One useful application of this
feature is to replace the default `mkDerivation` function with one that enables
library profiling for all packages. To accomplish that, add configure the
following snippet in your `~/.config/nixpkgs/config.nix` file:
library profiling for all packages. To accomplish that add the following
snippet to your `~/.config/nixpkgs/config.nix` file:
```nix
{
packageOverrides = super: let self = super.pkgs; in

View file

@ -191,7 +191,6 @@ building Python libraries is `buildPythonPackage`. Let's see how we can build th
toolz = buildPythonPackage rec {
pname = "toolz";
version = "0.7.4";
name = "${pname}-${version}";
src = fetchPypi {
inherit pname version;
@ -237,7 +236,6 @@ with import <nixpkgs> {};
my_toolz = python35.pkgs.buildPythonPackage rec {
pname = "toolz";
version = "0.7.4";
name = "${pname}-${version}";
src = python35.pkgs.fetchPypi {
inherit pname version;
@ -283,15 +281,15 @@ order to build [`datashape`](https://github.com/blaze/datashape).
{ # ...
datashape = buildPythonPackage rec {
name = "datashape-${version}";
pname = "datashape";
version = "0.4.7";
src = pkgs.fetchurl {
url = "mirror://pypi/D/DataShape/${name}.tar.gz";
src = fetchPypi {
inherit pname version;
sha256 = "14b2ef766d4c9652ab813182e866f493475e65e558bed0822e38bf07bba1a278";
};
buildInputs = with self; [ pytest ];
checkInputs = with self; [ pytest ];
propagatedBuildInputs = with self; [ numpy multipledispatch dateutil ];
meta = {
@ -318,10 +316,11 @@ when building the bindings and are therefore added as `buildInputs`.
{ # ...
lxml = buildPythonPackage rec {
name = "lxml-3.4.4";
pname = "lxml";
version = "3.4.4";
src = pkgs.fetchurl {
url = "mirror://pypi/l/lxml/${name}.tar.gz";
src = fetchPypi {
inherit pname version;
sha256 = "16a0fa97hym9ysdk3rmqz32xdjqmy4w34ld3rm3jf5viqjx65lxk";
};
@ -351,11 +350,11 @@ and `CFLAGS`.
{ # ...
pyfftw = buildPythonPackage rec {
name = "pyfftw-${version}";
pname = "pyFFTW";
version = "0.9.2";
src = pkgs.fetchurl {
url = "mirror://pypi/p/pyFFTW/pyFFTW-${version}.tar.gz";
src = fetchPypi {
inherit pname version;
sha256 = "f6bbb6afa93085409ab24885a1a3cdb8909f095a142f4d49e346f2bd1b789074";
};
@ -440,11 +439,11 @@ We first create a function that builds `toolz` in `~/path/to/toolz/release.nix`
{ pkgs, buildPythonPackage }:
buildPythonPackage rec {
name = "toolz-${version}";
pname = "toolz";
version = "0.7.4";
src = pkgs.fetchurl {
url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
src = fetchPypi {
inherit pname version;
sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
};
@ -549,25 +548,31 @@ The `buildPythonPackage` function is implemented in
The following is an example:
```nix
{ # ...
twisted = buildPythonPackage {
name = "twisted-8.1.0";
buildPythonPackage rec {
version = "3.3.1";
pname = "pytest";
src = pkgs.fetchurl {
url = http://tmrc.mit.edu/mirror/twisted/Twisted/8.1/Twisted-8.1.0.tar.bz2;
sha256 = "0q25zbr4xzknaghha72mq57kh53qw1bf8csgp63pm9sfi72qhirl";
};
preCheck = ''
# don't test bash builtins
rm testing/test_argcomplete.py
'';
propagatedBuildInputs = [ self.ZopeInterface ];
src = fetchPypi {
inherit pname version;
sha256 = "cf8436dc59d8695346fcd3ab296de46425ecab00d64096cebe79fb51ecb2eb93";
};
meta = {
homepage = http://twistedmatrix.com/;
description = "Twisted, an event-driven networking engine written in Python";
license = stdenv.lib.licenses.mit;
};
checkInputs = [ hypothesis ];
buildInputs = [ setuptools_scm ];
propagatedBuildInputs = [ attrs py setuptools six pluggy ];
meta = with stdenv.lib; {
maintainers = with maintainers; [ domenkozar lovek323 madjar lsix ];
description = "Framework for writing tests";
};
}
```
The `buildPythonPackage` mainly does four things:
@ -623,7 +628,6 @@ with import <nixpkgs> {};
packageOverrides = self: super: {
pandas = super.pandas.overridePythonAttrs(old: rec {
version = "0.19.1";
name = "pandas-${version}";
src = super.fetchPypi {
pname = "pandas";
inherit version;

View file

@ -179,6 +179,269 @@ genericBuild
</section>
<section xml:id="ssec-stdenv-dependencies"><title>Specifying dependencies</title>
<para>
As described in the Nix manual, almost any <filename>*.drv</filename> store path in a derivation's attribute set will induce a dependency on that derivation.
<varname>mkDerivation</varname>, however, takes a few attributes intended to, between them, include all the dependencies of a package.
This is done both for structure and consistency, but also so that certain other setup can take place.
For example, certain dependencies need their bin directories added to the <envar>PATH</envar>.
That is built-in, but other setup is done via a pluggable mechanism that works in conjunction with these dependency attributes.
See <xref linkend="ssec-setup-hooks"/> for details.
</para>
<para>
Dependencies can be broken down along three axes: their host and target platforms relative to the new derivation's, and whether they are propagated.
The platform distinctions are motivated by cross compilation; see <xref linkend="chap-cross"/> for exactly what each platform means.
<footnote><para>
The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency:
As a general programming principle, dependencies are always <emphasis>specified</emphasis> as interfaces, not concrete implementation.
</para></footnote>
But even if one is not cross compiling, the platforms imply whether or not the dependency is needed at run-time or build-time, a concept that makes perfect sense outside of cross compilation.
For now, the run-time/build-time distinction is just a hint for mental clarity, but in the future it perhaps could be enforced.
</para>
<para>
The extension of <envar>PATH</envar> with dependencies, alluded to above, proceeds according to the relative platforms alone.
The process is carried out only for dependencies whose host platform matches the new derivation's build platformi.e. which run on the platform where the new derivation will be built.
<footnote><para>
Currently, that means for native builds all dependencies are put on the <envar>PATH</envar>.
But in the future that may not be the case for sake of matching cross:
the platforms would be assumed to be unique for native and cross builds alike, so only the <varname>depsBuild*</varname> and <varname>nativeBuildDependencies</varname> dependencies would affect the <envar>PATH</envar>.
</para></footnote>
For each dependency <replaceable>dep</replaceable> of those dependencies, <filename><replaceable>dep</replaceable>/bin</filename>, if present, is added to the <envar>PATH</envar> environment variable.
</para>
<para>
The dependency is propagated when it forces some of its other-transitive (non-immediate) downstream dependencies to also take it on as an immediate dependency.
Nix itself already takes a package's transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like setup hooks (mentioned above) also are run as if the propagated dependency.
</para>
<para>
It is important to note dependencies are not necessary propagated as the same sort of dependency that they were before, but rather as the corresponding sort so that the platform rules still line up.
The exact rules for dependency propagation can be given by assigning each sort of dependency two integers based one how it's host and target platforms are offset from the depending derivation's platforms.
Those offsets are given are given below in the descriptions of each dependency list attribute.
Algorithmically, we traverse propagated inputs, accumulating every propagated dep's propagated deps and adjusting them to account for the "shift in perspective" described by the current dep's platform offsets.
This results in sort a transitive closure of the dependency relation, with the offsets being approximately summed when two dependency links are combined.
We also prune transitive deps whose combined offsets go out-of-bounds, which can be viewed as a filter over that transitive closure removing dependencies that are blatantly absurd.
</para>
<para>
We can define the process precisely with <link xlink:href="https://en.wikipedia.org/wiki/Natural_deduction">Natural Deduction</link> using the inference rules.
This probably seems a bit obtuse, but so is the bash code that actually implements it!
<footnote><para>
The <function>findInputs</function> function, currently residing in <filename>pkgs/stdenv/generic/setup.sh</filename>, implements the propagation logic.
</para></footnote>
They're confusing in very different ways so...hopefully if something doesn't make sense in one presentation, it does in the other!
<programlisting>
let mapOffset(h, t, i) = i + (if i &lt;= 0 then h else t - 1)
propagated-dep(h0, t0, A, B)
propagated-dep(h1, t1, B, C)
h0 + h1 in {-1, 0, 1}
h0 + t1 in {-1, 0, 1}
-------------------------------------- Transitive property
propagated-dep(mapOffset(h0, t0, h1),
mapOffset(h0, t0, t1),
A, C)</programlisting>
<programlisting>
let mapOffset(h, t, i) = i + (if i &lt;= 0 then h else t - 1)
dep(h0, _, A, B)
propagated-dep(h1, t1, B, C)
h0 + h1 in {-1, 0, 1}
h0 + t1 in {-1, 0, -1}
-------------------------------------- Take immediate deps' propagated deps
propagated-dep(mapOffset(h0, t0, h1),
mapOffset(h0, t0, t1),
A, C)</programlisting>
<programlisting>
propagated-dep(h, t, A, B)
-------------------------------------- Propagated deps count as deps
dep(h, t, A, B)</programlisting>
Some explanation of this monstrosity is in order.
In the common case, the target offset of a dependency is the successor to the target offset: <literal>t = h + 1</literal>.
That means that:
<programlisting>
let f(h, t, i) = i + (if i &lt;= 0 then h else t - 1)
let f(h, h + 1, i) = i + (if i &lt;= 0 then h else (h + 1) - 1)
let f(h, h + 1, i) = i + (if i &lt;= 0 then h else h)
let f(h, h + 1, i) = i + h
</programlisting>
This is where the "sum-like" comes from above:
We can just sum all the host offset to get the host offset of the transitive dependency.
The target offset is the transitive dep is simply the host offset + 1, just as it was with the dependencies composed to make this transitive one;
it can be ignored as it doesn't add any new information.
</para>
<para>
Because of the bounds checks, the uncommon cases are <literal>h = t</literal> and <literal>h + 2 = t</literal>.
In the former case, the motivation for <function>mapOffset</function> is that since its host and target platforms are the same, no transitive dep of it should be able to "discover" an offset greater than its reduced target offsets.
<function>mapOffset</function> effectively "squashes" all its transitive dependencies' offsets so that none will ever be greater than the target offset of the original <literal>h = t</literal> package.
In the other case, <literal>h + 1</literal> is skipped over between the host and target offsets.
Instead of squashing the offsets, we need to "rip" them apart so no transitive dependencies' offset is that one.
</para>
<para>
Overall, the unifying theme here is that propagation shouldn't be introducing transitive dependencies involving platforms the needing package is unaware of.
The offset bounds checking and definition of <function>mapOffset</function> together ensure that this is the case.
Discovering a new offset is discovering a new platform, and since those platforms weren't in the derivation "spec" of the needing package, they cannot be relevant.
From a capability perspective, we can imagine that the host and target platforms of a package are the capabilities a package requires, and the depending package must provide the capability to the dependency.
</para>
<variablelist>
<title>Variables specifying dependencies</title>
<varlistentry>
<term><varname>depsBuildBuild</varname></term>
<listitem>
<para>
A list of dependencies whose host and target platforms are the new derivation's build platform.
This means a <literal>-1</literal> host and <literal>-1</literal> target offset from the new derivation's platforms.
They are programs/libraries used at build time that furthermore produce programs/libraries also used at build time.
If the dependency doesn't care about the target platform (i.e. isn't a compiler or similar tool), put it in <varname>nativeBuildInputs</varname>instead.
The most common use for this <literal>buildPackages.stdenv.cc</literal>, the default C compiler for this role.
That example crops up more than one might think in old commonly used C libraries.
</para>
<para>
Since these packages are able to be run at build time, that are always added to the <envar>PATH</envar>, as described above.
But since these packages are only guaranteed to be able to run then, they shouldn't persist as run-time dependencies.
This isn't currently enforced, but could be in the future.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>nativeBuildInputs</varname></term>
<listitem>
<para>
A list of dependencies whose host platform is the new derivation's build platform, and target platform is the new derivation's host platform.
This means a <literal>-1</literal> host offset and <literal>0</literal> target offset from the new derivation's platforms.
They are programs/libraries used at build time that, if they are a compiler or similar tool, produce code to run at run time—i.e. tools used to build the new derivation.
If the dependency doesn't care about the target platform (i.e. isn't a compiler or similar tool), put it here, rather than in <varname>depsBuildBuild</varname> or <varname>depsBuildTarget</varname>.
This would be called <varname>depsBuildHost</varname> but for historical continuity.
</para>
<para>
Since these packages are able to be run at build time, that are added to the <envar>PATH</envar>, as described above.
But since these packages only are guaranteed to be able to run then, they shouldn't persist as run-time dependencies.
This isn't currently enforced, but could be in the future.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>depsBuildTarget</varname></term>
<listitem>
<para>
A list of dependencies whose host platform is the new derivation's build platform, and target platform is the new derivation's target platform.
This means a <literal>-1</literal> host offset and <literal>1</literal> target offset from the new derivation's platforms.
They are programs used at build time that produce code to run at run with code produced by the depending package.
Most commonly, these would tools used to build the runtime or standard library the currently-being-built compiler will inject into any code it compiles.
In many cases, the currently-being built compiler is itself employed for that task, but when that compiler won't run (i.e. its build and host platform differ) this is not possible.
Other times, the compiler relies on some other tool, like binutils, that is always built separately so the dependency is unconditional.
</para>
<para>
This is a somewhat confusing dependency to wrap ones head around, and for good reason.
As the only one where the platform offsets are not adjacent integers, it requires thinking of a bootstrapping stage <emphasis>two</emphasis> away from the current one.
It and it's use-case go hand in hand and are both considered poor form:
try not to need this sort dependency, and try not avoid building standard libraries / runtimes in the same derivation as the compiler produces code using them.
Instead strive to build those like a normal library, using the newly-built compiler just as a normal library would.
In short, do not use this attribute unless you are packaging a compiler and are sure it is needed.
</para>
<para>
Since these packages are able to be run at build time, that are added to the <envar>PATH</envar>, as described above.
But since these packages only are guaranteed to be able to run then, they shouldn't persist as run-time dependencies.
This isn't currently enforced, but could be in the future.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>depsHostHost</varname></term>
<listitem><para>
A list of dependencies whose host and target platforms match the new derivation's host platform.
This means a both <literal>0</literal> host offset and <literal>0</literal> target offset from the new derivation's host platform.
These are packages used at run-time to generate code also used at run-time.
In practice, that would usually be tools used by compilers for metaprogramming/macro systems, or libraries used by the macros/metaprogramming code itself.
It's always preferable to use a <varname>depsBuildBuild</varname> dependency in the derivation being built than a <varname>depsHostHost</varname> on the tool doing the building for this purpose.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>buildInputs</varname></term>
<listitem>
<para>
A list of dependencies whose host platform and target platform match the new derivation's.
This means a <literal>0</literal> host offset and <literal>1</literal> target offset from the new derivation's host platform.
This would be called <varname>depsHostTarget</varname> but for historical continuity.
If the dependency doesn't care about the target platform (i.e. isn't a compiler or similar tool), put it here, rather than in <varname>depsBuildBuild</varname>.
</para>
<para>
These often are programs/libraries used by the new derivation at <emphasis>run</emphasis>-time, but that isn't always the case.
For example, the machine code in a statically linked library is only used at run time, but the derivation containing the library is only needed at build time.
Even in the dynamic case, the library may also be needed at build time to appease the linker.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>depsTargetTarget</varname></term>
<listitem><para>
A list of dependencies whose host platform matches the new derivation's target platform.
This means a <literal>1</literal> offset from the new derivation's platforms.
These are packages that run on the target platform, e.g. the standard library or run-time deps of standard library that a compiler insists on knowing about.
It's poor form in almost all cases for a package to depend on another from a future stage [future stage corresponding to positive offset].
Do not use this attribute unless you are packaging a compiler and are sure it is needed.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>depsBuildBuildPropagated</varname></term>
<listitem><para>
The propagated equivalent of <varname>depsBuildBuild</varname>.
This perhaps never ought to be used, but it is included for consistency [see below for the others].
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>propagatedNativeBuildInputs</varname></term>
<listitem><para>
The propagated equivalent of <varname>nativeBuildInputs</varname>.
This would be called <varname>depsBuildHostPropagated</varname> but for historical continuity.
For example, if package <varname>Y</varname> has <literal>propagatedNativeBuildInputs = [X]</literal>, and package <varname>Z</varname> has <literal>buildInputs = [Y]</literal>, then package <varname>Z</varname> will be built as if it included package <varname>X</varname> in its <varname>nativeBuildInputs</varname>.
If instead, package <varname>Z</varname> has <literal>nativeBuildInputs = [Y]</literal>, then <varname>Z</varname> will be built as if it included <varname>X</varname> in the <varname>depsBuildBuild</varname> of package <varname>Z</varname>, because of the sum of the two <literal>-1</literal> host offsets.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>depsBuildTargetPropagated</varname></term>
<listitem><para>
The propagated equivalent of <varname>depsBuildTarget</varname>.
This is prefixed for the same reason of alerting potential users.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>depsHostHostPropagated</varname></term>
<listitem><para>
The propagated equivalent of <varname>depsHostHost</varname>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>propagatedBuildInputs</varname></term>
<listitem><para>
The propagated equivalent of <varname>buildInputs</varname>.
This would be called <varname>depsHostTargetPropagated</varname> but for historical continuity.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>depsTargetTarget</varname></term>
<listitem><para>
The propagated equivalent of <varname>depsTargetTarget</varname>.
This is prefixed for the same reason of alerting potential users.
</para></listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="ssec-stdenv-attributes"><title>Attributes</title>
<variablelist>
@ -198,54 +461,6 @@ genericBuild
</variablelist>
<variablelist>
<title>Variables specifying dependencies</title>
<varlistentry>
<term><varname>nativeBuildInputs</varname></term>
<listitem><para>
A list of dependencies used by the new derivation at <emphasis>build</emphasis>-time.
I.e. these dependencies should not make it into the package's runtime-closure, though this is currently not checked.
For each dependency <replaceable>dir</replaceable>, the directory <filename><replaceable>dir</replaceable>/bin</filename>, if it exists, is added to the <envar>PATH</envar> environment variable.
Other environment variables are also set up via a pluggable mechanism.
For instance, if <varname>buildInputs</varname> contains Perl, then the <filename>lib/site_perl</filename> subdirectory of each input is added to the <envar>PERL5LIB</envar> environment variable.
See <xref linkend="ssec-setup-hooks"/> for details.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>buildInputs</varname></term>
<listitem><para>
A list of dependencies used by the new derivation at <emphasis>run</emphasis>-time.
Currently, the build-time environment is modified in the exact same way as with <varname>nativeBuildInputs</varname>.
This is problematic in that when cross-compiling, foreign executables can clobber native ones on the <envar>PATH</envar>.
Even more confusing is static-linking.
A statically-linked library should be listed here because ultimately that generated machine code will be used at run-time, even though a derivation containing the object files or static archives will only be used at build-time.
A less confusing solution to this would be nice.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>propagatedNativeBuildInputs</varname></term>
<listitem><para>
Like <varname>nativeBuildInputs</varname>, but these dependencies are <emphasis>propagated</emphasis>:
that is, the dependencies listed here are added to the <varname>nativeBuildInputs</varname> of any package that uses <emphasis>this</emphasis> package as a dependency.
So if package Y has <literal>propagatedNativeBuildInputs = [X]</literal>, and package Z has <literal>nativeBuildInputs = [Y]</literal>,
then package X will appear in Zs build environment automatically.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>propagatedBuildInputs</varname></term>
<listitem><para>
Like <varname>buildInputs</varname>, but propagated just like <varname>propagatedNativeBuildInputs</varname>.
This inherits <varname>buildInputs</varname>'s flaws of clobbering native executables when cross-compiling and being confusing for static linking.
</para></listitem>
</varlistentry>
</variablelist>
<variablelist>
<title>Variables affecting build properties</title>
@ -656,7 +871,7 @@ script) if it exists.</para>
By default, when cross compiling, the configure script has <option>--build=...</option> and <option>--host=...</option> passed.
Packages can instead pass <literal>[ "build" "host" "target" ]</literal> or a subset to control exactly which platform flags are passed.
Compilers and other tools should use this to also pass the target platform, for example.
Note eventually these will be passed when in native builds too, to improve determinism: build-time guessing, as is done today, is a risk of impurity.
<footnote><para>Eventually these will be passed when in native builds too, to improve determinism: build-time guessing, as is done today, is a risk of impurity.</para></footnote>
</para></listitem>
</varlistentry>
@ -780,13 +995,14 @@ but only if the <varname>doCheck</varname> variable is enabled.</para>
<varlistentry>
<term><varname>doCheck</varname></term>
<listitem><para>If set to a non-empty string, the check phase is
executed, otherwise it is skipped (default). Thus you should set
<programlisting>
doCheck = true;</programlisting>
in the derivation to enable checks.</para></listitem>
<listitem><para>
Controls whether the check phase is executed.
By default it is skipped, but if <varname>doCheck</varname> is set to true, the check phase is usually executed.
Thus you should set <programlisting>doCheck = true;</programlisting> in the derivation to enable checks.
The exception is cross compilation.
Cross compiled builds never run tests, no matter how <varname>doCheck</varname> is set,
as the newly-built program won't run on the platform used to build it.
</para></listitem>
</varlistentry>
<varlistentry>
@ -923,6 +1139,20 @@ following:
<listitem><para>If set, libraries and executables are not
stripped. By default, they are.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>dontStripHost</varname></term>
<listitem><para>
Like <varname>dontStripHost</varname>, but only affects the <command>strip</command> command targetting the package's host platform.
Useful when supporting cross compilation, but otherwise feel free to ignore.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>dontStripTarget</varname></term>
<listitem><para>
Like <varname>dontStripHost</varname>, but only affects the <command>strip</command> command targetting the packages' target platform.
Useful when supporting cross compilation, but otherwise feel free to ignore.
</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>dontMoveSbin</varname></term>
@ -1051,12 +1281,14 @@ installcheck</command>.</para>
<varlistentry>
<term><varname>doInstallCheck</varname></term>
<listitem><para>If set to a non-empty string, the installCheck phase is
executed, otherwise it is skipped (default). Thus you should set
<programlisting>doInstallCheck = true;</programlisting>
in the derivation to enable install checks.</para></listitem>
<listitem><para>
Controls whether the installCheck phase is executed.
By default it is skipped, but if <varname>doInstallCheck</varname> is set to true, the installCheck phase is usually executed.
Thus you should set <programlisting>doInstallCheck = true;</programlisting> in the derivation to enable install checks.
The exception is cross compilation.
Cross compiled builds never run tests, no matter how <varname>doInstallCheck</varname> is set,
as the newly-built program won't run on the platform used to build it.
</para></listitem>
</varlistentry>
<varlistentry>
@ -1353,8 +1585,55 @@ someVar=$(stripHash $name)
<section xml:id="ssec-setup-hooks"><title>Package setup hooks</title>
<para>The following packages provide a setup hook:
<para>
Nix itself considers a build-time dependency merely something that should previously be built and accessible at build time—packages themselves are on their own to perform any additional setup.
In most cases, that is fine, and the downstream derivation can deal with it's own dependencies.
But for a few common tasks, that would result in almost every package doing the same sort of setup work---depending not on the package itself, but entirely on which dependencies were used.
</para>
<para>
In order to alleviate this burden, the <firstterm>setup hook></firstterm>mechanism was written, where any package can include a shell script that [by convention rather than enforcement by Nix], any downstream reverse-dependency will source as part of its build process.
That allows the downstream dependency to merely specify its dependencies, and lets those dependencies effectively initialize themselves.
No boilerplate mirroring the list of dependencies is needed.
</para>
<para>
The Setup hook mechanism is a bit of a sledgehammer though: a powerful feature with a broad and indiscriminate area of effect.
The combination of its power and implicit use may be expedient, but isn't without costs.
Nix itself is unchanged, but the spirit of adding dependencies being effect-free is violated even if the letter isn't.
For example, if a derivation path is mentioned more than once, Nix itself doesn't care and simply makes sure the dependency derivation is already built just the same—depending is just needing something to exist, and needing is idempotent.
However, a dependency specified twice will have its setup hook run twice, and that could easily change the build environment (though a well-written setup hook will therefore strive to be idempotent so this is in fact not observable).
More broadly, setup hooks are anti-modular in that multiple dependencies, whether the same or different, should not interfere and yet their setup hooks may well do so.
</para>
<para>
The most typical use of the setup hook is actually to add other hooks which are then run (i.e. after all the setup hooks) on each dependency.
For example, the C compiler wrapper's setup hook feeds itself flags for each dependency that contains relevant libaries and headers.
This is done by defining a bash function, and appending its name to one of
<envar>envBuildBuildHooks</envar>`,
<envar>envBuildHostHooks</envar>`,
<envar>envBuildTargetHooks</envar>`,
<envar>envHostHostHooks</envar>`,
<envar>envHostTargetHooks</envar>`, or
<envar>envTargetTargetHooks</envar>`.
These 6 bash variables correspond to the 6 sorts of dependencies by platform (there's 12 total but we ignore the propagated/non-propagated axis).
</para>
<para>
Packages adding a hook should not hard code a specific hook, but rather choose a variable <emphasis>relative</emphasis> to how they are included.
Returning to the C compiler wrapper example, if it itself is an <literal>n</literal> dependency, then it only wants to accumulate flags from <literal>n + 1</literal> dependencies, as only those ones match the compiler's target platform.
The <envar>hostOffset</envar> variable is defined with the current dependency's host offset <envar>targetOffset</envar> with its target offset, before it's setup hook is sourced.
Additionally, since most environment hooks don't care about the target platform,
That means the setup hook can append to the right bash array by doing something like
<programlisting language="bash">
addEnvHooks "$hostOffset" myBashFunction
</programlisting>
</para>
<para>
The <emphasis>existence</emphasis> of setups hooks has long been documented and packages inside Nixpkgs are free to use these mechanism.
Other packages, however, should not rely on these mechanisms not changing between Nixpkgs versions.
Because of the existing issues with this system, there's little benefit from mandating it be stable for any period of time.
</para>
<para>
Here are some packages that provide a setup hook.
Since the mechanism is modular, this probably isn't an exhaustive list.
Then again, since the mechanism is only to be used as a last resort, it might be.
<variablelist>
<varlistentry>
@ -1421,9 +1700,12 @@ someVar=$(stripHash $name)
<varlistentry>
<term>Perl</term>
<listitem><para>Adds the <filename>lib/site_perl</filename> subdirectory
of each build input to the <envar>PERL5LIB</envar>
environment variable.</para></listitem>
<listitem>
<para>
Adds the <filename>lib/site_perl</filename> subdirectory of each build input to the <envar>PERL5LIB</envar> environment variable.
For instance, if <varname>buildInputs</varname> contains Perl, then the <filename>lib/site_perl</filename> subdirectory of each input is added to the <envar>PERL5LIB</envar> environment variable.
</para>
</listitem>
</varlistentry>
<varlistentry>

View file

@ -1,7 +1,7 @@
{ lib }:
let
inherit (builtins) attrNames isFunction;
inherit (builtins) attrNames;
in
@ -36,7 +36,7 @@ rec {
overrideDerivation = drv: f:
let
newDrv = derivation (drv.drvAttrs // (f drv));
in addPassthru newDrv (
in lib.flip (extendDerivation true) newDrv (
{ meta = drv.meta or {};
passthru = if drv ? passthru then drv.passthru else {};
}
@ -72,7 +72,7 @@ rec {
makeOverridable = f: origArgs:
let
ff = f origArgs;
overrideWith = newArgs: origArgs // (if builtins.isFunction newArgs then newArgs origArgs else newArgs);
overrideWith = newArgs: origArgs // (if lib.isFunction newArgs then newArgs origArgs else newArgs);
in
if builtins.isAttrs ff then (ff // {
override = newArgs: makeOverridable f (overrideWith newArgs);
@ -81,7 +81,7 @@ rec {
${if ff ? overrideAttrs then "overrideAttrs" else null} = fdrv:
makeOverridable (args: (f args).overrideAttrs fdrv) origArgs;
})
else if builtins.isFunction ff then {
else if lib.isFunction ff then {
override = newArgs: makeOverridable f (overrideWith newArgs);
__functor = self: ff;
overrideDerivation = throw "overrideDerivation not yet supported for functors";
@ -112,8 +112,8 @@ rec {
*/
callPackageWith = autoArgs: fn: args:
let
f = if builtins.isFunction fn then fn else import fn;
auto = builtins.intersectAttrs (builtins.functionArgs f) autoArgs;
f = if lib.isFunction fn then fn else import fn;
auto = builtins.intersectAttrs (lib.functionArgs f) autoArgs;
in makeOverridable f (auto // args);
@ -122,8 +122,8 @@ rec {
individual attributes. */
callPackagesWith = autoArgs: fn: args:
let
f = if builtins.isFunction fn then fn else import fn;
auto = builtins.intersectAttrs (builtins.functionArgs f) autoArgs;
f = if lib.isFunction fn then fn else import fn;
auto = builtins.intersectAttrs (lib.functionArgs f) autoArgs;
origArgs = auto // args;
pkgs = f origArgs;
mkAttrOverridable = name: pkg: makeOverridable (newArgs: (f newArgs).${name}) origArgs;
@ -131,8 +131,8 @@ rec {
/* Add attributes to each output of a derivation without changing
the derivation itself. */
addPassthru = drv: passthru:
the derivation itself and check a given condition when evaluating. */
extendDerivation = condition: passthru: drv:
let
outputs = drv.outputs or [ "out" ];
@ -142,13 +142,24 @@ rec {
outputToAttrListElement = outputName:
{ name = outputName;
value = commonAttrs // {
inherit (drv.${outputName}) outPath drvPath type outputName;
inherit (drv.${outputName}) type outputName;
drvPath = assert condition; drv.${outputName}.drvPath;
outPath = assert condition; drv.${outputName}.outPath;
};
};
outputsList = map outputToAttrListElement outputs;
in commonAttrs // { outputUnspecified = true; };
in commonAttrs // {
outputUnspecified = true;
drvPath = assert condition; drv.drvPath;
outPath = assert condition; drv.outPath;
};
/* Add attributes to each output of a derivation without changing
the derivation itself. */
addPassthru =
lib.warn "`addPassthru drv passthru` is deprecated, replace with `extendDerivation true passthru drv`"
(drv: passthru: extendDerivation true passthru drv);
/* Strip a derivation of all non-essential attributes, returning
only those needed by hydra-eval-jobs. Also strictly evaluate the

View file

@ -2,10 +2,10 @@
let
inherit (builtins) trace attrNamesToStr isAttrs isFunction isList isInt
inherit (builtins) trace attrNamesToStr isAttrs isList isInt
isString isBool head substring attrNames;
inherit (lib) all id mapAttrsFlatten elem;
inherit (lib) all id mapAttrsFlatten elem isFunction;
in

View file

@ -51,12 +51,12 @@ let
inherit (builtins) add addErrorContext attrNames
concatLists deepSeq elem elemAt filter genericClosure genList
getAttr hasAttr head isAttrs isBool isFunction isInt isList
getAttr hasAttr head isAttrs isBool isInt isList
isString length lessThan listToAttrs pathExists readFile
replaceStrings seq stringLength sub substring tail;
inherit (trivial) id const concat or and boolToString mergeAttrs
flip mapNullable inNixShell min max importJSON warn info
nixpkgsVersion mod;
nixpkgsVersion mod functionArgs setFunctionArgs isFunction;
inherit (fixedPoints) fix fix' extends composeExtensions
makeExtensible makeExtensibleWithCustomName;
@ -87,13 +87,14 @@ let
inherit (stringsWithDeps) textClosureList textClosureMap
noDepEntry fullDepEntry packEntry stringAfter;
inherit (customisation) overrideDerivation makeOverridable
callPackageWith callPackagesWith addPassthru hydraJob makeScope;
callPackageWith callPackagesWith extendDerivation addPassthru
hydraJob makeScope;
inherit (meta) addMetaAttrs dontDistribute setName updateName
appendToName mapDerivationAttrset lowPrio lowPrioSet hiPrio
hiPrioSet;
inherit (sources) pathType pathIsDirectory cleanSourceFilter
cleanSource sourceByRegex sourceFilesBySuffices
commitIdFromGitRepo;
commitIdFromGitRepo cleanSourceWith pathHasContext canCleanSource;
inherit (modules) evalModules closeModules unifyModuleSyntax
applyIfFunction unpackSubmodule packSubmodule mergeModules
mergeModules' mergeOptionDecls evalOptionValue mergeDefinitions

View file

@ -1,6 +1,6 @@
{ lib }:
let
inherit (builtins) isFunction head tail isList isAttrs isInt attrNames;
inherit (builtins) head tail isList isAttrs isInt attrNames;
in
@ -53,7 +53,7 @@ rec {
f: # the function applied to the arguments
initial: # you pass attrs, the functions below are passing a function taking the fix argument
let
takeFixed = if isFunction initial then initial else (fixed : initial); # transform initial to an expression always taking the fixed argument
takeFixed = if lib.isFunction initial then initial else (fixed : initial); # transform initial to an expression always taking the fixed argument
tidy = args:
let # apply all functions given in "applyPreTidy" in sequence
applyPreTidyFun = fold ( n: a: x: n ( a x ) ) lib.id (maybeAttr "applyPreTidy" [] args);
@ -63,7 +63,7 @@ rec {
let args = takeFixed fixed;
mergeFun = args.${n};
in if isAttrs x then (mergeFun args x)
else assert isFunction x;
else assert lib.isFunction x;
mergeFun args (x ( args // { inherit fixed; }));
in overridableDelayableArgs f newArgs;
in
@ -374,7 +374,7 @@ rec {
if isAttrs x then
if x ? outPath then "derivation"
else "attrs"
else if isFunction x then "function"
else if lib.isFunction x then "function"
else if isList x then "list"
else if x == true then "bool"
else if x == false then "bool"

View file

@ -14,6 +14,8 @@ let
libAttr = lib.attrsets;
flipMapAttrs = flip libAttr.mapAttrs;
inherit (lib) isFunction;
in
rec {
@ -110,7 +112,7 @@ rec {
else if isString v then "\"" + v + "\""
else if null == v then "null"
else if isFunction v then
let fna = functionArgs v;
let fna = lib.functionArgs v;
showFnas = concatStringsSep "," (libAttr.mapAttrsToList
(name: hasDefVal: if hasDefVal then "(${name})" else name)
fna);
@ -130,6 +132,6 @@ rec {
(name: value:
"${toPretty args name} = ${toPretty args value};") v)
+ " }"
else "toPretty: should never happen (v = ${v})";
else abort "toPretty: should never happen (v = ${v})";
}

View file

@ -200,6 +200,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
fullName = "Eclipse Public License 1.0";
};
epl20 = spdx {
spdxId = "EPL-2.0";
fullName = "Eclipse Public License 2.0";
};
epson = {
fullName = "Seiko Epson Corporation Software License Agreement for Linux";
url = https://download.ebz.epson.net/dsc/du/02/eula/global/LINUX_EN.html;
@ -309,6 +314,12 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
free = false;
};
inria-icesl = {
fullName = "INRIA Non-Commercial License Agreement for IceSL";
url = "http://shapeforge.loria.fr/icesl/EULA_IceSL_binary.pdf";
free = false;
};
ipa = spdx {
spdxId = "IPA";
fullName = "IPA Font License";

View file

@ -29,6 +29,7 @@
aherrmann = "Andreas Herrmann <andreash87@gmx.ch>";
ahmedtd = "Taahir Ahmed <ahmed.taahir@gmail.com>";
aij = "Ivan Jager <aij+git@mrph.org>";
ajgrf = "Alex Griffin <a@ajgrf.com>";
ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";
akc = "Anders Claesson <akc@akc.is>";
@ -54,11 +55,13 @@
antonxy = "Anton Schirg <anton.schirg@posteo.de>";
apeschar = "Albert Peschar <albert@peschar.net>";
apeyroux = "Alexandre Peyroux <alex@px.io>";
arcadio = "Arcadio Rubio García <arc@well.ox.ac.uk>";
ardumont = "Antoine R. Dumont <eniotna.t@gmail.com>";
aristid = "Aristid Breitkreuz <aristidb@gmail.com>";
arobyn = "Alexei Robyn <shados@shados.net>";
artuuge = "Artur E. Ruuge <artuuge@gmail.com>";
ashalkhakov = "Artyom Shalkhakov <artyom.shalkhakov@gmail.com>";
ashgillman = "Ashley Gillman <gillmanash@gmail.com>";
aske = "Kirill Boltaev <aske@fmap.me>";
asppsa = "Alastair Pharo <asppsa@gmail.com>";
astsmtl = "Alexander Tsamutali <astsmtl@yandex.ru>";
@ -97,6 +100,7 @@
bradediger = "Brad Ediger <brad@bradediger.com>";
bramd = "Bram Duvigneau <bram@bramd.nl>";
bstrik = "Berno Strik <dutchman55@gmx.com>";
bugworm = "Roman Gerasimenko <bugworm@zoho.com>";
bzizou = "Bruno Bzeznik <Bruno@bzizou.net>";
c0bw3b = "Renaud <c0bw3b@gmail.com>";
c0dehero = "CodeHero <codehero@nerdpol.ch>";
@ -115,8 +119,10 @@
chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
chattered = "Phil Scott <me@philscotted.com>";
ChengCat = "Yucheng Zhang <yu@cheng.cat>";
chiiruno = "Okina Matara <okinan@protonmail.com>";
choochootrain = "Hurshal Patel <hurshal@imap.cc>";
chpatrick = "Patrick Chilton <chpatrick@gmail.com>";
chreekat = "Bryan Richter <b@chreekat.net>";
chris-martin = "Chris Martin <ch.martin@gmail.com>";
chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
chrisrosset = "Christopher Rosset <chris@rosset.org.uk>";
@ -124,7 +130,7 @@
ciil = "Simon Lackerbauer <simon@lackerbauer.com>";
ck3d = "Christian Kögler <ck3d@gmx.de>";
ckampka = "Christian Kampka <christian@kampka.net>";
ckauhaus = "Christian Kauhaus <christian@kauhaus.de>";
ckauhaus = "Christian Kauhaus <kc@flyingcircus.io>";
cko = "Christine Koppelt <christine.koppelt@gmail.com>";
cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
@ -188,6 +194,7 @@
dtzWill = "Will Dietz <nix@wdtz.org>";
dupgit = "Olivier Delhomme <olivier.delhomme@free.fr>";
dywedir = "Vladyslav M. <dywedir@protonmail.ch>";
dzabraev = "Maksim Dzabraev <dzabraew@gmail.com>";
e-user = "Alexander Kahl <nixos@sodosopa.io>";
earldouglas = "James Earl Douglas <james@earldouglas.com>";
ebzzry = "Rommel Martinez <ebzzry@ebzzry.io>";
@ -224,6 +231,7 @@
fadenb = "Tristan Helmich <tristan.helmich+nixos@gmail.com>";
falsifian = "James Cook <james.cook@utoronto.ca>";
fare = "Francois-Rene Rideau <fahree@gmail.com>";
f-breidenstein = "Felix Breidenstein <mail@felixbreidenstein.de>";
fgaz = "Francesco Gazzetta <francygazz@gmail.com>";
FireyFly = "Jonas Höglund <nix@firefly.nu>";
flokli = "Florian Klink <flokli@flokli.de>";
@ -282,6 +290,7 @@
hodapp = "Chris Hodapp <hodapp87@gmail.com>";
hrdinka = "Christoph Hrdinka <c.nix@hrdinka.at>";
htr = "Hugo Tavares Reis <hugo@linux.com>";
hyphon81 = "Masato Yonekawa <zero812n@gmail.com>";
iand675 = "Ian Duncan <ian@iankduncan.com>";
ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
iblech = "Ingo Blechschmidt <iblech@speicherleck.de>";
@ -293,6 +302,7 @@
ivan-tkatchev = "Ivan Tkatchev <tkatchev@gmail.com>";
ixmatus = "Parnell Springmeyer <parnell@digitalmentat.com>";
izorkin = "Yurii Izorkin <Izorkin@gmail.com>";
ixxie = "Matan Bendix Shenhav <matan@fluxcraft.net>";
j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
jammerful = "jammerful <jammerful@gmail.com>";
@ -319,11 +329,13 @@
joelmo = "Joel Moberg <joel.moberg@gmail.com>";
joelteon = "Joel Taylor <me@joelt.io>";
johbo = "Johannes Bornhold <johannes@bornhold.name>";
johnazoidberg = "Daniel Schäfer <git@danielschaefer.me>";
johnmh = "John M. Harris, Jr. <johnmh@openblox.org>";
johnramsden = "John Ramsden <johnramsden@riseup.net>";
joko = "Ioannis Koutras <ioannis.koutras@gmail.com>";
jonafato = "Jon Banafato <jon@jonafato.com>";
joncojonathan = "Jonathan Haddock <joncojonathan@gmail.com>";
jpdoyle = "Joe Doyle <joethedoyle@gmail.com>";
jpierre03 = "Jean-Pierre PRUNARET <nix@prunetwork.fr>";
jpotier = "Martin Potier <jpo.contributes.to.nixos@marvid.fr>";
jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
@ -359,6 +371,7 @@
ldesgoui = "Lucas Desgouilles <ldesgoui@gmail.com>";
league = "Christopher League <league@contrapunctus.net>";
lebastr = "Alexander Lebedev <lebastr@gmail.com>";
ledif = "Adam Fidel <refuse@gmail.com>";
leemachin = "Lee Machin <me@mrl.ee>";
leenaars = "Michiel Leenaars <ml.software@leenaa.rs>";
leonardoce = "Leonardo Cecchi <leonardo.cecchi@gmail.com>";
@ -376,12 +389,14 @@
lovek323 = "Jason O'Conal <jason@oconal.id.au>";
lowfatcomputing = "Andreas Wagner <andreas.wagner@lowfatcomputing.org>";
lsix = "Lancelot SIX <lsix@lancelotsix.com>";
lschuermann = "Leon Schuermann <leon.git@is.currently.online>";
ltavard = "Laure Tavard <laure.tavard@univ-grenoble-alpes.fr>";
lucas8 = "Luc Chabassier <luc.linux@mailoo.org>";
ludo = "Ludovic Courtès <ludo@gnu.org>";
lufia = "Kyohei Kadota <lufia@lufia.org>";
luispedro = "Luis Pedro Coelho <luis@luispedro.org>";
lukego = "Luke Gorrie <luke@snabb.co>";
luz = "Luz <luz666@daum.net>";
lw = "Sergey Sofeychuk <lw@fmap.me>";
lyt = "Tim Liou <wheatdoge@gmail.com>";
m3tti = "Mathaeus Sander <mathaeus.peter.sander@gmail.com>";
@ -416,6 +431,7 @@
meisternu = "Matt Miemiec <meister@krutt.org>";
metabar = "Celine Mercier <softs@metabarcoding.org>";
mgdelacroix = "Miguel de la Cruz <mgdelacroix@gmail.com>";
mgttlinger = "Merlin Göttlinger <megoettlinger@gmail.com";
mguentner = "Maximilian Güntner <code@klandest.in>";
mic92 = "Jörg Thalheim <joerg@thalheim.io>";
michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
@ -432,6 +448,8 @@
mjanczyk = "Marcin Janczyk <m@dragonvr.pl>";
mjp = "Mike Playle <mike@mythik.co.uk>"; # github = "MikePlayle";
mlieberman85 = "Michael Lieberman <mlieberman85@gmail.com>";
mmahut = "Marek Mahut <marek.mahut@gmail.com>";
moaxcp = "John Mercier <moaxcp@gmail.com>";
modulistic = "Pablo Costa <modulistic@gmail.com>";
mog = "Matthew O'Gorman <mog-lists@rldn.net>";
montag451 = "montag451 <montag451@laposte.net>";
@ -448,6 +466,7 @@
mrVanDalo = "Ingolf Wanger <contact@ingolf-wagner.de>";
msackman = "Matthew Sackman <matthew@wellquite.org>";
mschristiansen = "Mikkel Christiansen <mikkel@rheosystems.com>";
mstarzyk = "Maciek Starzyk <mstarzyk@gmail.com>";
msteen = "Matthijs Steen <emailmatthijs@gmail.com>";
mt-caret = "Masayuki Takeda <mtakeda.enigsol@gmail.com>";
mtreskin = "Max Treskin <zerthurd@gmail.com>";
@ -470,6 +489,7 @@
nico202 = "Nicolò Balzarotti <anothersms@gmail.com>";
NikolaMandic = "Ratko Mladic <nikola@mandic.email>";
nixy = "Andrew R. M. <nixy@nixy.moe>";
nmattia = "Nicolas Mattia <nicolas@nmattia.com>";
nocoolnametom = "Tom Doggett <nocoolnametom@gmail.com>";
notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
@ -495,6 +515,7 @@
pakhfn = "Fedor Pakhomov <pakhfn@gmail.com>";
panaeon = "Vitalii Voloshyn <vitalii.voloshyn@gmail.com";
paperdigits = "Mica Semrick <mica@silentumbrella.com>";
paraseba = "Sebastian Galkin <paraseba@gmail.com>";
pashev = "Igor Pashev <pashev.igor@gmail.com>";
patternspandemic = "Brad Christensen <patternspandemic@live.com>";
pawelpacana = "Paweł Pacana <pawel.pacana@gmail.com>";
@ -522,6 +543,7 @@
pmahoney = "Patrick Mahoney <pat@polycrystal.org>";
pmeunier = "Pierre-Étienne Meunier <pierre-etienne.meunier@inria.fr>";
pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
pneumaticat = "Kevin Liu <kevin@potatofrom.space>";
polyrod = "Maurizio Di Pietro <dc1mdp@gmail.com>";
pradeepchhetri = "Pradeep Chhetri <pradeep.chhetri89@gmail.com>";
prikhi = "Pavan Rikhi <pavan.rikhi@gmail.com>";
@ -572,16 +594,18 @@
rushmorem = "Rushmore Mushambi <rushmore@webenchanter.com>";
rvl = "Rodney Lorrimar <dev+nix@rodney.id.au>";
rvlander = "Gaëtan André <rvlander@gaetanandre.eu>";
rvolosatovs = "Roman Volosatovs <rvolosatovs@riseup.net";
rvolosatovs = "Roman Volosatovs <rvolosatovs@riseup.net>";
ryanartecona = "Ryan Artecona <ryanartecona@gmail.com>";
ryansydnor = "Ryan Sydnor <ryan.t.sydnor@gmail.com>";
ryantm = "Ryan Mulligan <ryan@ryantm.com>";
ryantrinkle = "Ryan Trinkle <ryan.trinkle@gmail.com>";
rybern = "Ryan Bernstein <ryan.bernstein@columbia.edu>";
rycee = "Robert Helgesson <robert@rycee.net>";
ryneeverett = "Ryne Everett <ryneeverett@gmail.com>";
rzetterberg = "Richard Zetterberg <richard.zetterberg@gmail.com>";
s1lvester = "Markus Silvester <s1lvester@bockhacker.me>";
samdroid-apps = "Sam Parkinson <sam@sam.today>";
samueldr = "Samuel Dionne-Riel <samuel@dionne-riel.com>";
samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>";
sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
sargon = "Daniel Ehlers <danielehlers@mindeye.net>";
@ -589,11 +613,14 @@
schmitthenner = "Fabian Schmitthenner <development@schmitthenner.eu>";
schneefux = "schneefux <schneefux+nixos_pkg@schneefux.xyz>";
schristo = "Scott Christopher <schristopher@konputa.com>";
scode = "Peter Schuller <peter.schuller@infidyne.com>";
scolobb = "Sergiu Ivanov <sivanov@colimite.fr>";
sdll = "Sasha Illarionov <sasha.delly@gmail.com>";
SeanZicari = "Sean Zicari <sean.zicari@gmail.com>";
sellout = "Greg Pfeil <greg@technomadic.org>";
sepi = "Raffael Mancini <raffael@mancini.lu>";
seppeljordan = "Sebastian Jordan <sebastian.jordan.mail@googlemail.com>";
sfrijters = "Stefan Frijters <sfrijters@gmail.com>";
shanemikel = "Shane Pearlman <shanemikel1@gmail.com>";
shawndellysse = "Shawn Dellysse <sdellysse@gmail.com>";
sheenobu = "Sheena Artrip <sheena.artrip@gmail.com>";
@ -627,6 +654,7 @@
sternenseemann = "Lukas Epple <post@lukasepple.de>";
stesie = "Stefan Siegl <stesie@brokenpipe.de>";
steveej = "Stefan Junker <mail@stefanjunker.de>";
StillerHarpo = "Florian Engel <florianengel39@gmail.com>";
stumoss = "Stuart Moss <samoss@gmail.com>";
SuprDewd = "Bjarki Ágúst Guðmundsson <suprdewd@gmail.com>";
swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
@ -656,8 +684,10 @@
ThomasMader = "Thomas Mader <thomas.mader@gmail.com>";
thoughtpolice = "Austin Seipp <aseipp@pobox.com>";
thpham = "Thomas Pham <thomas.pham@ithings.ch>";
tilpner = "Till Höppner <till@hoeppner.ws>";
timbertson = "Tim Cuthbertson <tim@gfxmonk.net>";
timokau = "Timo Kaufmann <timokau@zoho.com>";
tiramiseb = "Sébastien Maccagnoni <sebastien@maccagnoni.eu>";
titanous = "Jonathan Rudenberg <jonathan@titanous.com>";
tnias = "Philipp Bartsch <phil@grmr.de>";
tohl = "Tomas Hlavaty <tom@logand.com>";
@ -674,6 +704,7 @@
tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
tweber = "Thorsten Weber <tw+nixpkgs@360vier.de>";
twey = "James Twey Kay <twey@twey.co.uk>";
unode = "Renato Alves <alves.rjc@gmail.com>";
uralbash = "Svintsov Dmitry <root@uralbash.ru>";
utdemir = "Utku Demir <me@utdemir.com>";
#urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>"; inactive since 2012
@ -687,7 +718,9 @@
vbmithr = "Vincent Bernardoff <vb@luminar.eu.org>";
vcunat = "Vladimír Čunát <vcunat@gmail.com>";
vdemeester = "Vincent Demeester <vincent@sbr.pm>";
velovix = "Tyler Compton <xaviosx@gmail.com>";
veprbl = "Dmitry Kalinkin <veprbl@gmail.com>";
vidbina = "David Asabina <vid@bina.me>";
vifino = "Adrian Pistol <vifino@tty.sh>";
vinymeuh = "VinyMeuh <vinymeuh@gmail.com>";
viric = "Lluís Batlle i Rossell <viric@viric.name>";
@ -715,9 +748,11 @@
wyvie = "Elijah Rum <elijahrum@gmail.com>";
xaverdh = "Dominik Xaver Hörl <hoe.dom@gmx.de>";
xnwdd = "Guillermo NWDD <nwdd+nixos@no.team>";
xurei = "Olivier Bourdoux <olivier.bourdoux@gmail.com>";
xvapx = "Marti Serra <marti.serra.coscollano@gmail.com>";
xwvvvvwx = "David Terry <davidterry@posteo.de>";
xzfc = "Albert Safin <xzfcpw@gmail.com>";
y0no = "Yoann Ono <y0no@y0no.fr>";
yarr = "Dmitry V. <savraz@gmail.com>";
yegortimoshenko = "Yegor Timoshenko <yegortimoshenko@gmail.com>";
ylwghst = "Burim Augustin Berisa <ylwghst@onionmail.info>";

View file

@ -155,7 +155,7 @@ rec {
# a module will resolve strictly the attributes used as argument but
# not their values. The values are forwarding the result of the
# evaluation of the option.
requiredArgs = builtins.attrNames (builtins.functionArgs f);
requiredArgs = builtins.attrNames (lib.functionArgs f);
context = name: ''while evaluating the module argument `${name}' in "${key}":'';
extraArgs = builtins.listToAttrs (map (name: {
inherit name;

View file

@ -26,14 +26,35 @@ rec {
(type == "symlink" && lib.hasPrefix "result" baseName)
);
cleanSource = builtins.filterSource cleanSourceFilter;
cleanSource = src: cleanSourceWith { filter = cleanSourceFilter; inherit src; };
# Like `builtins.filterSource`, except it will compose with itself,
# allowing you to chain multiple calls together without any
# intermediate copies being put in the nix store.
#
# lib.cleanSourceWith f (lib.cleanSourceWith g ./.) # Succeeds!
# builtins.filterSource f (builtins.filterSource g ./.) # Fails!
cleanSourceWith = { filter, src }:
let
isFiltered = src ? _isLibCleanSourceWith;
origSrc = if isFiltered then src.origSrc else src;
filter' = if isFiltered then name: type: filter name type && src.filter name type else filter;
in {
inherit origSrc;
filter = filter';
outPath = builtins.filterSource filter' origSrc;
_isLibCleanSourceWith = true;
};
# Filter sources by a list of regular expressions.
#
# E.g. `src = sourceByRegex ./my-subproject [".*\.py$" "^database.sql$"]`
sourceByRegex = src: regexes: builtins.filterSource (path: type:
let relPath = lib.removePrefix (toString src + "/") (toString path);
in lib.any (re: builtins.match re relPath != null) regexes) src;
sourceByRegex = src: regexes: cleanSourceWith {
filter = (path: type:
let relPath = lib.removePrefix (toString src + "/") (toString path);
in lib.any (re: builtins.match re relPath != null) regexes);
inherit src;
};
# Get all files ending with the specified suffices from the given
# directory or its descendants. E.g. `sourceFilesBySuffices ./dir
@ -42,7 +63,7 @@ rec {
let filter = name: type:
let base = baseNameOf (toString name);
in type == "directory" || lib.any (ext: lib.hasSuffix ext base) exts;
in builtins.filterSource filter path;
in cleanSourceWith { inherit filter; src = path; };
# Get the commit id of a git repo
@ -72,4 +93,8 @@ rec {
else lib.head matchRef
else throw ("Not a .git directory: " + path);
in lib.flip readCommitFromFile "HEAD";
pathHasContext = builtins.hasContext or (lib.hasPrefix builtins.storeDir);
canCleanSource = src: src ? _isLibCleanSourceWith || !(pathHasContext (toString src));
}

View file

@ -1,8 +1,8 @@
{ lib }:
let
inherit (lib) lists;
parse = import ./parse.nix { inherit lib; };
inherit (import ./inspect.nix { inherit lib; }) predicates;
inherit (lib.systems) parse;
inherit (lib.systems.inspect) predicates;
inherit (lib.attrsets) matchAttrs;
all = [

View file

@ -11,44 +11,33 @@ rec {
sheevaplug = rec {
config = "armv5tel-unknown-linux-gnueabi";
bigEndian = false;
arch = "armv5tel";
float = "soft";
withTLS = true;
libc = "glibc";
platform = platforms.sheevaplug;
openssl.system = "linux-generic32";
};
raspberryPi = rec {
config = "armv6l-unknown-linux-gnueabihf";
bigEndian = false;
arch = "armv6l";
float = "hard";
fpu = "vfp";
withTLS = true;
libc = "glibc";
platform = platforms.raspberrypi;
openssl.system = "linux-generic32";
};
armv7l-hf-multiplatform = rec {
config = "arm-unknown-linux-gnueabihf";
bigEndian = false;
arch = "armv7-a";
float = "hard";
fpu = "vfpv3-d16";
withTLS = true;
libc = "glibc";
platform = platforms.armv7l-hf-multiplatform;
openssl.system = "linux-generic32";
};
aarch64-multiplatform = rec {
config = "aarch64-unknown-linux-gnu";
bigEndian = false;
arch = "aarch64";
withTLS = true;
libc = "glibc";
platform = platforms.aarch64-multiplatform;
};
@ -62,24 +51,16 @@ rec {
arch = "armv5tel";
config = "armv5tel-unknown-linux-gnueabi";
float = "soft";
platform = platforms.pogoplug4;
libc = "glibc";
withTLS = true;
openssl.system = "linux-generic32";
platform = platforms.pogoplug4;
};
fuloongminipc = rec {
config = "mips64el-unknown-linux-gnu";
bigEndian = false;
arch = "mips";
float = "hard";
withTLS = true;
libc = "glibc";
platform = platforms.fuloong2f_n32;
openssl.system = "linux-generic32";
};
#

View file

@ -5,8 +5,6 @@ with lib.lists;
rec {
patterns = rec {
"32bit" = { cpu = { bits = 32; }; };
"64bit" = { cpu = { bits = 64; }; };
i686 = { cpu = cpuTypes.i686; };
x86_64 = { cpu = cpuTypes.x86_64; };
PowerPC = { cpu = cpuTypes.powerpc; };
@ -14,6 +12,11 @@ rec {
Arm = { cpu = { family = "arm"; }; };
Aarch64 = { cpu = { family = "aarch64"; }; };
Mips = { cpu = { family = "mips"; }; };
RiscV = { cpu = { family = "riscv"; }; };
Wasm = { cpu = { family = "wasm"; }; };
"32bit" = { cpu = { bits = 32; }; };
"64bit" = { cpu = { bits = 64; }; };
BigEndian = { cpu = { significantByte = significantBytes.bigEndian; }; };
LittleEndian = { cpu = { significantByte = significantBytes.littleEndian; }; };

View file

@ -4,6 +4,16 @@
# http://llvm.org/docs/doxygen/html/Triple_8cpp_source.html especially
# Triple::normalize. Parsing should essentially act as a more conservative
# version of that last function.
#
# Most of the types below come in "open" and "closed" pairs. The open ones
# specify what information we need to know about systems in general, and the
# closed ones are sub-types representing the whitelist of systems we support in
# practice.
#
# Code in the remainder of nixpkgs shouldn't rely on the closed ones in
# e.g. exhaustive cases. Its more a sanity check to make sure nobody defines
# systems that overlap with existing ones and won't notice something amiss.
#
{ lib }:
with lib.lists;
with lib.types;
@ -11,29 +21,52 @@ with lib.attrsets;
with (import ./inspect.nix { inherit lib; }).predicates;
let
setTypesAssert = type: pred:
inherit (lib.options) mergeOneOption;
setTypes = type:
mapAttrs (name: value:
assert pred value;
setType type ({ inherit name; } // value));
setTypes = type: setTypesAssert type (_: true);
assert type.check value;
setType type.name ({ inherit name; } // value));
in
rec {
isSignificantByte = isType "significant-byte";
significantBytes = setTypes "significant-byte" {
################################################################################
types.openSignifiantByte = mkOptionType {
name = "significant-byte";
description = "Endianness";
merge = mergeOneOption;
};
types.significantByte = enum (attrValues significantBytes);
significantBytes = setTypes types.openSignifiantByte {
bigEndian = {};
littleEndian = {};
};
isCpuType = isType "cpu-type";
cpuTypes = with significantBytes; setTypesAssert "cpu-type"
(x: elem x.bits [8 16 32 64 128]
&& (if 8 < x.bits
then isSignificantByte x.significantByte
else !(x ? significantByte)))
{
################################################################################
# Reasonable power of 2
types.bitWidth = enum [ 8 16 32 64 128 ];
################################################################################
types.openCpuType = mkOptionType {
name = "cpu-type";
description = "instruction set architecture name and information";
merge = mergeOneOption;
check = x: types.bitWidth.check x.bits
&& (if 8 < x.bits
then types.significantByte.check x.significantByte
else !(x ? significantByte));
};
types.cpuType = enum (attrValues cpuTypes);
cpuTypes = with significantBytes; setTypes types.openCpuType {
arm = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv5tel = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv6l = { bits = 32; significantByte = littleEndian; family = "arm"; };
@ -44,18 +77,40 @@ rec {
x86_64 = { bits = 64; significantByte = littleEndian; family = "x86"; };
mips64el = { bits = 32; significantByte = littleEndian; family = "mips"; };
powerpc = { bits = 32; significantByte = bigEndian; family = "power"; };
riscv32 = { bits = 32; significantByte = littleEndian; family = "riscv"; };
riscv64 = { bits = 64; significantByte = littleEndian; family = "riscv"; };
wasm32 = { bits = 32; significantByte = littleEndian; family = "wasm"; };
wasm64 = { bits = 64; significantByte = littleEndian; family = "wasm"; };
};
isVendor = isType "vendor";
vendors = setTypes "vendor" {
################################################################################
types.openVendor = mkOptionType {
name = "vendor";
description = "vendor for the platform";
merge = mergeOneOption;
};
types.vendor = enum (attrValues vendors);
vendors = setTypes types.openVendor {
apple = {};
pc = {};
unknown = {};
};
isExecFormat = isType "exec-format";
execFormats = setTypes "exec-format" {
################################################################################
types.openExecFormat = mkOptionType {
name = "exec-format";
description = "executable container used by the kernel";
merge = mergeOneOption;
};
types.execFormat = enum (attrValues execFormats);
execFormats = setTypes types.openExecFormat {
aout = {}; # a.out
elf = {};
macho = {};
@ -64,15 +119,33 @@ rec {
unknown = {};
};
isKernelFamily = isType "kernel-family";
kernelFamilies = setTypes "kernel-family" {
################################################################################
types.openKernelFamily = mkOptionType {
name = "exec-format";
description = "executable container used by the kernel";
merge = mergeOneOption;
};
types.kernelFamily = enum (attrValues kernelFamilies);
kernelFamilies = setTypes types.openKernelFamily {
bsd = {};
};
isKernel = x: isType "kernel" x;
kernels = with execFormats; with kernelFamilies; setTypesAssert "kernel"
(x: isExecFormat x.execFormat && all isKernelFamily (attrValues x.families))
{
################################################################################
types.openKernel = mkOptionType {
name = "kernel";
description = "kernel name and information";
merge = mergeOneOption;
check = x: types.execFormat.check x.execFormat
&& all types.kernelFamily.check (attrValues x.families);
};
types.kernel = enum (attrValues kernels);
kernels = with execFormats; with kernelFamilies; setTypes types.openKernel {
darwin = { execFormat = macho; families = { }; };
freebsd = { execFormat = elf; families = { inherit bsd; }; };
hurd = { execFormat = elf; families = { }; };
@ -89,8 +162,17 @@ rec {
win32 = kernels.windows;
};
isAbi = isType "abi";
abis = setTypes "abi" {
################################################################################
types.openAbi = mkOptionType {
name = "abi";
description = "binary interface for compiled code and syscalls";
merge = mergeOneOption;
};
types.abi = enum (attrValues abis);
abis = setTypes types.openAbi {
cygnus = {};
gnu = {};
msvc = {};
@ -102,12 +184,24 @@ rec {
unknown = {};
};
################################################################################
types.system = mkOptionType {
name = "system";
description = "fully parsed representation of llvm- or nix-style platform tuple";
merge = mergeOneOption;
check = { cpu, vendor, kernel, abi }:
types.cpuType.check cpu
&& types.vendor.check vendor
&& types.kernel.check kernel
&& types.abi.check abi;
};
isSystem = isType "system";
mkSystem = { cpu, vendor, kernel, abi }:
assert isCpuType cpu && isVendor vendor && isKernel kernel && isAbi abi;
setType "system" {
inherit cpu vendor kernel abi;
};
mkSystem = components:
assert types.system.check components;
setType "system" components;
mkSkeletonFromList = l: {
"2" = # We only do 2-part hacks for things Nix already supports
@ -170,4 +264,6 @@ rec {
optAbi = lib.optionalString (abi != abis.unknown) "-${abi.name}";
in "${cpu.name}-${vendor.name}-${kernel.name}${optAbi}";
################################################################################
}

View file

@ -52,7 +52,7 @@ rec {
# Pull in some builtins not included elsewhere.
inherit (builtins)
pathExists readFile isBool isFunction
pathExists readFile isBool
isInt add sub lessThan
seq deepSeq genericClosure;
@ -99,4 +99,29 @@ rec {
*/
warn = msg: builtins.trace "WARNING: ${msg}";
info = msg: builtins.trace "INFO: ${msg}";
# | Add metadata about expected function arguments to a function.
# The metadata should match the format given by
# builtins.functionArgs, i.e. a set from expected argument to a bool
# representing whether that argument has a default or not.
# setFunctionArgs : (a → b) → Map String Bool → (a → b)
#
# This function is necessary because you can't dynamically create a
# function of the { a, b ? foo, ... }: format, but some facilities
# like callPackage expect to be able to query expected arguments.
setFunctionArgs = f: args:
{ # TODO: Should we add call-time "type" checking like built in?
__functor = self: f;
__functionArgs = args;
};
# | Extract the expected function arguments from a function.
# This works both with nix-native { a, b ? foo, ... }: style
# functions and functions with args set with 'setFunctionArgs'. It
# has the same return type and semantics as builtins.functionArgs.
# setFunctionArgs : (a → b) → Map String Bool.
functionArgs = f: f.__functionArgs or (builtins.functionArgs f);
isFunction = f: builtins.isFunction f ||
(f ? __functor && isFunction (f.__functor f));
}

View file

@ -1,5 +1,5 @@
#! /usr/bin/env nix-shell
#! nix-shell -i perl -p perl perlPackages.NetAmazonS3 perlPackages.FileSlurp nixUnstable
#! nix-shell -i perl -p perl perlPackages.NetAmazonS3 perlPackages.FileSlurp nixUnstable nixUnstable.perl-bindings
# This command uploads tarballs to tarballs.nixos.org, the
# content-addressed cache used by fetchurl as a fallback for when
@ -59,6 +59,7 @@ my $s3 = Net::Amazon::S3->new(
{ aws_access_key_id => $aws_access_key_id,
aws_secret_access_key => $aws_secret_access_key,
retry => 1,
host => "s3-eu-west-1.amazonaws.com",
});
my $bucket = $s3->bucket("nixpkgs-tarballs") or die;

View file

@ -4,11 +4,13 @@
# Usage $0 debian-patches.txt debian-patches.nix
# An example input and output files can be found in applications/graphics/xara/
DEB_URL=http://patch-tracker.debian.org/patch/series/dl
DEB_URL=https://sources.debian.org/data/main
declare -a deb_patches
mapfile -t deb_patches < $1
prefix="${DEB_URL}/${deb_patches[0]}"
# First letter
deb_prefix="${deb_patches[0]:0:1}"
prefix="${DEB_URL}/${deb_prefix}/${deb_patches[0]}/debian/patches"
if [[ -n "$2" ]]; then
exec 1> $2

View file

@ -21,7 +21,7 @@ find . -type f | while read src; do
# Sanitize file name
filename=$(basename "$src" | tr '@' '_')
nameVersion="${filename%.tar.*}"
name=$(echo "$nameVersion" | sed -e 's,-[[:digit:]].*,,' | sed -e 's,-opensource-src$,,')
name=$(echo "$nameVersion" | sed -e 's,-[[:digit:]].*,,' | sed -e 's,-opensource-src$,,' | sed -e 's,-everywhere-src$,,')
version=$(echo "$nameVersion" | sed -e 's,^\([[:alpha:]][[:alnum:]]*-\)\+,,')
echo "$name,$version,$src,$filename" >>$csv
done

View file

@ -1,9 +1,16 @@
#!/usr/bin/env bash
set -e
# --print: avoid dependency on environment
optPrint=
if [ "$1" == "--print" ]; then
optPrint=true
shift
fi
if [ "$#" != 1 ] && [ "$#" != 2 ]; then
cat <<-EOF
Usage: $0 commit-spec [commit-spec]
Usage: $0 [--print] commit-spec [commit-spec]
You need to be in a git-controlled nixpkgs tree.
The current state of the tree will be used if the second commit is missing.
EOF
@ -113,3 +120,8 @@ newPkgs "${tree[1]}" "${tree[2]}" '--argstr system "x86_64-linux"' > "$newlist"
sed -n 's/\([^. ]*\.\)*\([^. ]*\) .*$/\2/p' < "$newlist" \
| sort | uniq -c
if [ -n "$optPrint" ]; then
echo
cat "$newlist"
fi

View file

@ -1,5 +1,5 @@
#! /usr/bin/env nix-shell
#! nix-shell -i python3 -p 'python3.withPackages(ps: with ps; [ requests toolz ])'
#! nix-shell -i python3 -p 'python3.withPackages(ps: with ps; [ packaging requests toolz ])' -p git
"""
Update a Python package expression by passing in the `.nix` file, or the directory containing it.
@ -18,7 +18,12 @@ import os
import re
import requests
import toolz
from concurrent.futures import ThreadPoolExecutor as pool
from concurrent.futures import ThreadPoolExecutor as Pool
from packaging.version import Version as _Version
from packaging.version import InvalidVersion
from packaging.specifiers import SpecifierSet
import collections
import subprocess
INDEX = "https://pypi.io/pypi"
"""url of PyPI"""
@ -26,10 +31,30 @@ INDEX = "https://pypi.io/pypi"
EXTENSIONS = ['tar.gz', 'tar.bz2', 'tar', 'zip', '.whl']
"""Permitted file extensions. These are evaluated from left to right and the first occurance is returned."""
PRERELEASES = False
import logging
logging.basicConfig(level=logging.INFO)
class Version(_Version, collections.abc.Sequence):
def __init__(self, version):
super().__init__(version)
# We cannot use `str(Version(0.04.21))` because that becomes `0.4.21`
# https://github.com/avian2/unidecode/issues/13#issuecomment-354538882
self.raw_version = version
def __getitem__(self, i):
return self._version.release[i]
def __len__(self):
return len(self._version.release)
def __iter__(self):
yield from self._version.release
def _get_values(attribute, text):
"""Match attribute in text and return all matches.
@ -82,13 +107,59 @@ def _fetch_page(url):
else:
raise ValueError("request for {} failed".format(url))
def _get_latest_version_pypi(package, extension):
SEMVER = {
'major' : 0,
'minor' : 1,
'patch' : 2,
}
def _determine_latest_version(current_version, target, versions):
"""Determine latest version, given `target`.
"""
current_version = Version(current_version)
def _parse_versions(versions):
for v in versions:
try:
yield Version(v)
except InvalidVersion:
pass
versions = _parse_versions(versions)
index = SEMVER[target]
ceiling = list(current_version[0:index])
if len(ceiling) == 0:
ceiling = None
else:
ceiling[-1]+=1
ceiling = Version(".".join(map(str, ceiling)))
# We do not want prereleases
versions = SpecifierSet(prereleases=PRERELEASES).filter(versions)
if ceiling is not None:
versions = SpecifierSet(f"<{ceiling}").filter(versions)
return (max(sorted(versions))).raw_version
def _get_latest_version_pypi(package, extension, current_version, target):
"""Get latest version and hash from PyPI."""
url = "{}/{}/json".format(INDEX, package)
json = _fetch_page(url)
version = json['info']['version']
for release in json['releases'][version]:
versions = json['releases'].keys()
version = _determine_latest_version(current_version, target, versions)
try:
releases = json['releases'][version]
except KeyError as e:
raise KeyError('Could not find version {} for {}'.format(version, package)) from e
for release in releases:
if release['filename'].endswith(extension):
# TODO: In case of wheel we need to do further checks!
sha256 = release['digests']['sha256']
@ -98,7 +169,7 @@ def _get_latest_version_pypi(package, extension):
return version, sha256
def _get_latest_version_github(package, extension):
def _get_latest_version_github(package, extension, current_version, target):
raise ValueError("updating from GitHub is not yet supported.")
@ -141,9 +212,9 @@ def _determine_extension(text, fetcher):
"""
if fetcher == 'fetchPypi':
try:
format = _get_unique_value('format', text)
src_format = _get_unique_value('format', text)
except ValueError as e:
format = None # format was not given
src_format = None # format was not given
try:
extension = _get_unique_value('extension', text)
@ -151,9 +222,11 @@ def _determine_extension(text, fetcher):
extension = None # extension was not given
if extension is None:
if format is None:
format = 'setuptools'
extension = FORMATS[format]
if src_format is None:
src_format = 'setuptools'
elif src_format == 'flit':
raise ValueError("Don't know how to update a Flit package.")
extension = FORMATS[src_format]
elif fetcher == 'fetchurl':
url = _get_unique_value('url', text)
@ -167,9 +240,7 @@ def _determine_extension(text, fetcher):
return extension
def _update_package(path):
def _update_package(path, target):
# Read the expression
with open(path, 'r') as f:
@ -186,11 +257,13 @@ def _update_package(path):
extension = _determine_extension(text, fetcher)
new_version, new_sha256 = _get_latest_version_pypi(pname, extension)
new_version, new_sha256 = FETCHERS[fetcher](pname, extension, version, target)
if new_version == version:
logging.info("Path {}: no update available for {}.".format(path, pname))
return False
elif new_version <= version:
raise ValueError("downgrade for {}.".format(pname))
if not new_sha256:
raise ValueError("no file available for {}.".format(pname))
@ -202,10 +275,19 @@ def _update_package(path):
logging.info("Path {}: updated {} from {} to {}".format(path, pname, version, new_version))
return True
result = {
'path' : path,
'target': target,
'pname': pname,
'old_version' : version,
'new_version' : new_version,
#'fetcher' : fetcher,
}
return result
def _update(path):
def _update(path, target):
# We need to read and modify a Nix expression.
if os.path.isdir(path):
@ -222,24 +304,58 @@ def _update(path):
return False
try:
return _update_package(path)
return _update_package(path, target)
except ValueError as e:
logging.warning("Path {}: {}".format(path, e))
return False
def _commit(path, pname, old_version, new_version, **kwargs):
"""Commit result.
"""
msg = f'python: {pname}: {old_version} -> {new_version}'
try:
subprocess.check_call(['git', 'add', path])
subprocess.check_call(['git', 'commit', '-m', msg])
except subprocess.CalledProcessError as e:
subprocess.check_call(['git', 'checkout', path])
raise subprocess.CalledProcessError(f'Could not commit {path}') from e
return True
def main():
parser = argparse.ArgumentParser()
parser.add_argument('package', type=str, nargs='+')
parser.add_argument('--target', type=str, choices=SEMVER.keys(), default='major')
parser.add_argument('--commit', action='store_true', help='Create a commit for each package update')
args = parser.parse_args()
target = args.target
packages = map(os.path.abspath, args.package)
packages = list(map(os.path.abspath, args.package))
logging.info("Updating packages...")
# Use threads to update packages concurrently
with Pool() as p:
results = list(p.map(lambda pkg: _update(pkg, target), packages))
logging.info("Finished updating packages.")
# Commits are created sequentially.
if args.commit:
logging.info("Committing updates...")
list(map(lambda x: _commit(**x), filter(bool, results)))
logging.info("Finished committing updates")
count = sum(map(bool, results))
logging.info("{} package(s) updated".format(count))
with pool() as p:
count = list(p.map(_update, packages))
logging.info("{} package(s) updated".format(sum(count)))
if __name__ == '__main__':
main()

View file

@ -12,7 +12,7 @@ let
substFunction = x:
if builtins.isAttrs x then lib.mapAttrs (name: substFunction) x
else if builtins.isList x then map substFunction x
else if builtins.isFunction x then "<function>"
else if lib.isFunction x then "<function>"
else x;
# Clean up declaration sites to not refer to the NixOS source tree.

View file

@ -272,8 +272,37 @@ startAll;
</listitem>
</varlistentry>
<varlistentry>
<term><methodname>systemctl</methodname></term>
<listitem>
<para>Runs <literal>systemctl</literal> commands with optional support for
<literal>systemctl --user</literal></para>
<para>
<programlisting>
$machine->systemctl("list-jobs --no-pager"); // runs `systemctl list-jobs --no-pager`
$machine->systemctl("list-jobs --no-pager", "any-user"); // spawns a shell for `any-user` and runs `systemctl --user list-jobs --no-pager`
</programlisting>
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
To test user units declared by <literal>systemd.user.services</literal> the optional <literal>$user</literal>
argument can be used:
<programlisting>
$machine->start;
$machine->waitForX;
$machine->waitForUnit("xautolock.service", "x-session-user");
</programlisting>
This applies to <literal>systemctl</literal>, <literal>getUnitInfo</literal>,
<literal>waitForUnit</literal>, <literal>startJob</literal>
and <literal>stopJob</literal>.
</para>
</section>

View file

@ -11,10 +11,24 @@ a USB stick. You can use the <command>dd</command> utility to write the image:
<command>dd if=<replaceable>path-to-image</replaceable>
of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the
correct drive; you can use the <command>lsblk</command> command to get a list of
block devices. If you're on macOS you can run <command>diskutil list</command>
to see the list of devices; the device you'll use for the USB must be ejected
before writing the image.</para>
block devices.</para>
<para>On macOS:
<programlisting>
$ diskutil list
[..]
/dev/diskN (external, physical):
#: TYPE NAME SIZE IDENTIFIER
[..]
$ diskutil unmountDisk diskN
Unmount of all volumes on diskN was successful
$ sudo dd bs=1m if=nix.iso of=/dev/rdiskN
</programlisting>
Using the 'raw' <command>rdiskN</command> device instead of <command>diskN</command>
completes in minutes instead of hours. After <command>dd</command> completes, a GUI
dialog "The disk you inserted was not readable by this computer" will pop up, which
can be ignored.</para>
<para>The <command>dd</command> utility will write the image verbatim to the drive,
making it the recommended option for both UEFI and non-UEFI installations. For
non-UEFI installations, you can alternatively use

View file

@ -4,18 +4,18 @@
version="5.0"
xml:id="sec-instaling-virtualbox-guest">
<title>Installing in a Virtualbox guest</title>
<title>Installing in a VirtualBox guest</title>
<para>
Installing NixOS into a Virtualbox guest is convenient for users who want to
Installing NixOS into a VirtualBox guest is convenient for users who want to
try NixOS without installing it on bare metal. If you want to use a pre-made
Virtualbox appliance, it is available at <link
VirtualBox appliance, it is available at <link
xlink:href="https://nixos.org/nixos/download.html">the downloads page</link>.
If you want to set up a Virtualbox guest manually, follow these instructions:
If you want to set up a VirtualBox guest manually, follow these instructions:
</para>
<orderedlist>
<listitem><para>Add a New Machine in Virtualbox with OS Type "Linux / Other
<listitem><para>Add a New Machine in VirtualBox with OS Type "Linux / Other
Linux"</para></listitem>
<listitem><para>Base Memory Size: 768 MB or higher.</para></listitem>

View file

@ -45,7 +45,10 @@ for a UEFI installation is by and large the same as a BIOS installation. The dif
using <command>ifconfig</command>.</para>
<para>To manually configure the network on the graphical installer,
first disable network-manager with
<command>systemctl stop network-manager</command>.</para></listitem>
<command>systemctl stop network-manager</command>.</para>
<para>To manually configure the wifi on the minimal installer, run
<command>wpa_supplicant -B -i interface -c &lt;(wpa_passphrase 'SSID' 'key')</command>.</para></listitem>
<listitem><para>If you would like to continue the installation from a different
machine you need to activate the SSH daemon via <literal>systemctl start sshd</literal>.

View file

@ -12,11 +12,10 @@ download page</link>. There are a number of installation options. If
you happen to have an optical drive and a spare CD, burning the
image to CD and booting from that is probably the easiest option.
Most people will need to prepare a USB stick to boot from.
Unetbootin is recommended and the process is described in brief below.
Note that systems which use UEFI require some additional manual steps.
If you run into difficulty a number of alternative methods are presented
in the <link
xlink:href="https://nixos.org/wiki/Installing_NixOS_from_a_USB_stick">NixOS
<xref linkend="sec-booting-from-usb"/> describes the preferred method
to prepare a USB stick.
A number of alternative methods are presented in the <link
xlink:href="https://nixos.wiki/wiki/NixOS_Installation_Guide#Making_the_installation_media">NixOS
Wiki</link>.</para>
<para>As an alternative to installing NixOS yourself, you can get a

View file

@ -20,6 +20,22 @@ has the following highlights: </para>
<itemizedlist>
<listitem>
<para>
MariaDB 10.2, updated from 10.1, is now the default MySQL implementation. While upgrading a few changes
have been made to the infrastructure involved:
<itemizedlist>
<listitem>
<para>
<literal>libmysql</literal> has been deprecated, please use <literal>mysql.connector-c</literal>
instead, a compatibility passthru has been added to the MySQL packages.
</para>
</listitem>
<listitem>
<para>
The <literal>mysql57</literal> package has a new <literal>static</literal> output containing
the static libraries including <literal>libmysqld.a</literal>
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
</itemizedlist>
@ -72,6 +88,28 @@ following incompatible changes:</para>
<option>services.pgmanage</option>.
</para>
</listitem>
<listitem>
<para>
Package attributes starting with a digit have been prefixed with an
underscore sign. This is to avoid quoting in the configuration and
other issues with command-line tools like <literal>nix-env</literal>.
The change affects the following packages:
<itemizedlist>
<listitem>
<para><literal>2048-in-terminal</literal><literal>_2048-in-terminal</literal></para>
</listitem>
<listitem>
<para><literal>90secondportraits</literal><literal>_90secondportraits</literal></para>
</listitem>
<listitem>
<para><literal>2bwm</literal><literal>_2bwm</literal></para>
</listitem>
<listitem>
<para><literal>389-ds-base</literal><literal>_389-ds-base</literal></para>
</listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
<emphasis role="strong">
@ -95,6 +133,55 @@ following incompatible changes:</para>
<link xlink:href="https://search.nix.gsc.io/?q=stateVersion">here</link>.
</para>
</listitem>
<listitem>
<para>
<literal>cc-wrapper</literal> has been split in two; there is now also a <literal>bintools-wrapper</literal>.
The most commonly used files in <filename>nix-support</filename> are now split between the two wrappers.
Some commonly used ones, like <filename>nix-support/dynamic-linker</filename>, are duplicated for backwards compatability, even though they rightly belong only in <literal>bintools-wrapper</literal>.
Other more obscure ones are just moved.
</para>
</listitem>
<listitem>
<para>
The propagation logic has been changed.
The new logic, along with new types of dependencies that go with, is thoroughly documented in the "Specifying dependencies" section of the "Standard Environment" chapter of the nixpkgs manual.
<!-- That's <xref linkend="ssec-stdenv-attributes"> were we to merge the manuals. -->
The old logic isn't but is easy to describe: dependencies were propagated as the same type of dependency no matter what.
In practice, that means that many <function>propagatedNativeBuildInputs</function> should instead be <function>propagatedBuildInputs</function>.
Thankfully, that was and is the least used type of dependency.
Also, it means that some <function>propagatedBuildInputs</function> should instead be <function>depsTargetTargetPropagated</function>.
Other types dependencies should be unaffected.
</para>
</listitem>
<listitem>
<para>
<literal>lib.addPassthru drv passthru</literal> is removed. Use <literal>lib.extendDerivation true passthru drv</literal> instead. <emphasis role="strong">TODO: actually remove it before branching 18.03 off.</emphasis>
</para>
</listitem>
<listitem>
<para>
The <literal>memcached</literal> service no longer accept dynamic socket
paths via <option>services.memcached.socket</option>. Unix sockets can be
still enabled by <option>services.memcached.enableUnixSocket</option> and
will be accessible at <literal>/run/memcached/memcached.sock</literal>.
</para>
</listitem>
<listitem>
<para>
The <varname>hardware.amdHybridGraphics.disable</varname> option was removed for lack of a maintainer. If you still need this module, you may wish to include a copy of it from an older version of nixos in your imports.
</para>
</listitem>
<listitem>
<para>
The merging of config options for <varname>services.postfix.config</varname>
was buggy. Previously, if other options in the Postfix module like
<varname>services.postfix.useSrs</varname> were set and the user set config
options that were also set by such options, the resulting config wouldn't
include all options that were needed. They are now merged correctly. If
config options need to be overridden, <literal>lib.mkForce</literal> or
<literal>lib.mkOverride</literal> can be used.
</para>
</listitem>
</itemizedlist>
</section>
@ -145,6 +232,58 @@ following incompatible changes:</para>
corrupted blocks.
</para>
</listitem>
<listitem>
<para>
<literal>displayManager.lightdm.greeters.gtk.clock-format.</literal>
has been added, the clock format string (as expected by
strftime, e.g. <literal>%H:%M</literal>) to use with the lightdm
gtk greeter panel.
</para>
<para>
If set to null the default clock format is used.
</para>
</listitem>
<listitem>
<para>
<literal>displayManager.lightdm.greeters.gtk.indicators</literal>
has been added, a list of allowed indicator modules to use with
the lightdm gtk greeter panel.
</para>
<para>
Built-in indicators include <literal>~a11y</literal>,
<literal>~language</literal>, <literal>~session</literal>,
<literal>~power</literal>, <literal>~clock</literal>,
<literal>~host</literal>, <literal>~spacer</literal>. Unity
indicators can be represented by short name
(e.g. <literal>sound</literal>, <literal>power</literal>),
service file name, or absolute path.
</para>
<para>
If set to <literal>null</literal> the default indicators are
used.
</para>
<para>
In order to have the previous default configuration add
<programlisting>
services.xserver.displayManager.lightdm.greeters.gtk.indicators = [
"~host" "~spacer"
"~clock" "~spacer"
"~session"
"~language"
"~a11y"
"~power"
];
</programlisting>
to your <literal>configuration.nix</literal>.
</para>
</listitem>
<listitem>
<para>
The NixOS test driver supports user services declared by <literal>systemd.user.services</literal>.
The methods <literal>waitForUnit</literal>, <literal>getUnitInfo</literal>, <literal>startJob</literal>
and <literal>stopJob</literal> provide an optional <literal>$user</literal> argument for that purpose.
</para>
</listitem>
</itemizedlist>
</section>

View file

@ -3,7 +3,7 @@
let pkgs = import ../.. { inherit system config; }; in
with pkgs.lib;
with import ../lib/qemu-flags.nix;
with import ../lib/qemu-flags.nix { inherit pkgs; };
rec {

View file

@ -13,10 +13,16 @@
# grafted in the file system at path `target'.
, contents ? []
, # Whether the disk should be partitioned (with a single partition
# containing the root filesystem) or contain the root filesystem
# directly.
partitioned ? true
, # Type of partition table to use; either "legacy", "efi", or "none".
# For "efi" images, the GPT partition table is used and a mandatory ESP
# partition of reasonable size is created in addition to the root partition.
# If `installBootLoader` is true, GRUB will be installed in EFI mode.
# For "legacy", the msdos partition table is used and a single large root
# partition is created. If `installBootLoader` is true, GRUB will be
# installed in legacy mode.
# For "none", no partition table is created. Enabling `installBootLoader`
# most likely fails as GRUB will probably refuse to install.
partitionTableType ? "legacy"
# Whether to invoke switch-to-configuration boot during image creation
, installBootLoader ? true
@ -37,6 +43,10 @@
format ? "raw"
}:
assert partitionTableType == "legacy" || partitionTableType == "efi" || partitionTableType == "none";
# We use -E offset=X below, which is only supported by e2fsprogs
assert partitionTableType != "none" -> fsType == "ext4";
with lib;
let format' = format; in let
@ -51,6 +61,27 @@ let format' = format; in let
raw = "img";
}.${format};
rootPartition = { # switch-case
legacy = "1";
efi = "2";
}.${partitionTableType};
partitionDiskScript = { # switch-case
legacy = ''
parted --script $diskImage -- \
mklabel msdos \
mkpart primary ext4 1MiB -1
'';
efi = ''
parted --script $diskImage -- \
mklabel gpt \
mkpart ESP fat32 8MiB 256MiB \
set 1 boot on \
mkpart primary ext4 256MiB -1
'';
none = "";
}.${partitionTableType};
nixpkgs = cleanSource pkgs.path;
channelSources = pkgs.runCommand "nixos-${config.system.nixosVersion}" {} ''
@ -79,20 +110,31 @@ let format' = format; in let
targets = map (x: x.target) contents;
prepareImage = ''
export PATH=${makeSearchPathOutput "bin" "bin" prepareImageInputs}
export PATH=${makeBinPath prepareImageInputs}
# Yes, mkfs.ext4 takes different units in different contexts. Fun.
sectorsToKilobytes() {
echo $(( ( "$1" * 512 ) / 1024 ))
}
sectorsToBytes() {
echo $(( "$1" * 512 ))
}
mkdir $out
diskImage=nixos.raw
truncate -s ${toString diskSize}M $diskImage
${if partitioned then ''
parted --script $diskImage -- mklabel msdos mkpart primary ext4 1M -1s
offset=$((2048*512))
'' else ''
offset=0
''}
${partitionDiskScript}
mkfs.${fsType} -F -L nixos -E offset=$offset $diskImage
${if partitionTableType != "none" then ''
# Get start & length of the root partition in sectors to $START and $SECTORS.
eval $(partx $diskImage -o START,SECTORS --nr ${rootPartition} --pairs)
mkfs.${fsType} -F -L nixos $diskImage -E offset=$(sectorsToBytes $START) $(sectorsToKilobytes $SECTORS)K
'' else ''
mkfs.${fsType} -F -L nixos $diskImage
''}
root="$PWD/root"
mkdir -p $root
@ -133,12 +175,12 @@ let format' = format; in let
find $root/nix/store -mindepth 1 -maxdepth 1 -type f -o -type d | xargs chmod -R a-w
echo "copying staging root to image..."
cptofs ${optionalString partitioned "-P 1"} -t ${fsType} -i $diskImage $root/* /
cptofs -p ${optionalString (partitionTableType != "none") "-P ${rootPartition}"} -t ${fsType} -i $diskImage $root/* /
'';
in pkgs.vmTools.runInLinuxVM (
pkgs.runCommand name
{ preVM = prepareImage;
buildInputs = with pkgs; [ utillinux e2fsprogs ];
buildInputs = with pkgs; [ utillinux e2fsprogs dosfstools ];
exportReferencesGraph = [ "closure" metaClosure ];
postVM = ''
${if format == "raw" then ''
@ -152,11 +194,7 @@ in pkgs.vmTools.runInLinuxVM (
memSize = 1024;
}
''
${if partitioned then ''
rootDisk=/dev/vda1
'' else ''
rootDisk=/dev/vda
''}
rootDisk=${if partitionTableType != "none" then "/dev/vda${rootPartition}" else "/dev/vda"}
# Some tools assume these exist
ln -s vda /dev/xvda
@ -166,6 +204,14 @@ in pkgs.vmTools.runInLinuxVM (
mkdir $mountPoint
mount $rootDisk $mountPoint
# Create the ESP and mount it. Unlike e2fsprogs, mkfs.vfat doesn't support an
# '-E offset=X' option, so we can't do this outside the VM.
${optionalString (partitionTableType == "efi") ''
mkdir -p /mnt/boot
mkfs.vfat -n ESP /dev/vda1
mount /dev/vda1 /mnt/boot
''}
# Install a configuration.nix
mkdir -p /mnt/etc/nixos
${optionalString (configFile != null) ''

View file

@ -10,7 +10,7 @@
pkgs.stdenv.mkDerivation {
name = "ext4-fs.img";
buildInputs = with pkgs; [e2fsprogs libfaketime perl];
nativeBuildInputs = with pkgs; [e2fsprogs libfaketime perl];
# For obtaining the closure of `storePaths'.
exportReferencesGraph =

View file

@ -8,7 +8,7 @@
stdenv.mkDerivation {
name = "squashfs.img";
buildInputs = [perl squashfsTools];
nativeBuildInputs = [perl squashfsTools];
# For obtaining the closure of `storeContents'.
exportReferencesGraph =

View file

@ -1,4 +1,5 @@
# QEMU flags shared between various Nix expressions.
{ pkgs }:
{
@ -7,4 +8,14 @@
"-net vde,vlan=${toString nic},sock=$QEMU_VDE_SOCKET_${toString net}"
];
qemuSerialDevice = if pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64 then "ttyS0"
else if pkgs.stdenv.isArm || pkgs.stdenv.isAarch64 then "ttyAMA0"
else throw "Unknown QEMU serial device for system '${pkgs.stdenv.system}'";
qemuBinary = qemuPkg: {
"i686-linux" = "${qemuPkg}/bin/qemu-kvm";
"x86_64-linux" = "${qemuPkg}/bin/qemu-kvm -cpu kvm64";
"armv7l-linux" = "${qemuPkg}/bin/qemu-system-arm -enable-kvm -machine virt -cpu host";
"aarch64-linux" = "${qemuPkg}/bin/qemu-system-aarch64 -enable-kvm -machine virt,gic-version=host -cpu host";
}.${pkgs.stdenv.system} or (throw "Unknown QEMU binary for '${pkgs.stdenv.system}'");
}

View file

@ -362,8 +362,8 @@ sub mustFail {
sub getUnitInfo {
my ($self, $unit) = @_;
my ($status, $lines) = $self->execute("systemctl --no-pager show '$unit'");
my ($self, $unit, $user) = @_;
my ($status, $lines) = $self->systemctl("--no-pager show \"$unit\"", $user);
return undef if $status != 0;
my $info = {};
foreach my $line (split '\n', $lines) {
@ -373,6 +373,16 @@ sub getUnitInfo {
return $info;
}
sub systemctl {
my ($self, $q, $user) = @_;
if ($user) {
$q =~ s/'/\\'/g;
return $self->execute("su -l $user -c \$'XDG_RUNTIME_DIR=/run/user/`id -u` systemctl --user $q'");
}
return $self->execute("systemctl $q");
}
# Fail if the given systemd unit is not in the "active" state.
sub requireActiveUnit {
my ($self, $unit) = @_;
@ -387,16 +397,16 @@ sub requireActiveUnit {
# Wait for a systemd unit to reach the "active" state.
sub waitForUnit {
my ($self, $unit) = @_;
my ($self, $unit, $user) = @_;
$self->nest("waiting for unit $unit", sub {
retry sub {
my $info = $self->getUnitInfo($unit);
my $info = $self->getUnitInfo($unit, $user);
my $state = $info->{ActiveState};
die "unit $unit reached state $state\n" if $state eq "failed";
if ($state eq "inactive") {
# If there are no pending jobs, then assume this unit
# will never reach active state.
my ($status, $jobs) = $self->execute("systemctl list-jobs --full 2>&1");
my ($status, $jobs) = $self->systemctl("list-jobs --full 2>&1", $user);
if ($jobs =~ /No jobs/) { # FIXME: fragile
# Handle the case where the unit may have started
# between the previous getUnitInfo() and
@ -430,14 +440,14 @@ sub waitForFile {
}
sub startJob {
my ($self, $jobName) = @_;
$self->execute("systemctl start $jobName");
my ($self, $jobName, $user) = @_;
$self->systemctl("start $jobName", $user);
# FIXME: check result
}
sub stopJob {
my ($self, $jobName) = @_;
$self->execute("systemctl stop $jobName");
my ($self, $jobName, $user) = @_;
$self->systemctl("stop $jobName", $user);
}

View file

@ -85,7 +85,7 @@ rec {
testScript' =
# Call the test script with the computed nodes.
if builtins.isFunction testScript
if lib.isFunction testScript
then testScript { inherit nodes; }
else testScript;

View file

@ -46,7 +46,7 @@ in {
inherit lib config;
inherit (cfg) contents format name;
pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
partitioned = config.ec2.hvm;
partitionTableType = if config.ec2.hvm then "legacy" else "none";
diskSize = cfg.sizeMB;
configFile = pkgs.writeText "configuration.nix"
''

View file

@ -69,9 +69,6 @@ in
config = mkIf cfg.enable {
# Leftover for old setups, should be set by nixos-generate-config now
powerManagement.cpuFreqGovernor = mkDefault "ondemand";
systemd.targets.post-resume = {
description = "Post-Resume Actions";
requires = [ "post-resume.service" ];

View file

@ -36,7 +36,7 @@ in
default = {};
description = ''
A set of environment variables used in the global environment.
These variables will be set on shell initialisation.
These variables will be set on shell initialisation (e.g. in /etc/profile).
The value of each variable can be either a string or a list of
strings. The latter is concatenated, interspersed with colon
characters.

View file

@ -27,6 +27,7 @@ in
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.consoleLogLevel = lib.mkDefault 7;
boot.kernelPackages = pkgs.linuxPackages_latest;
# The serial ports listed here are:
@ -42,8 +43,17 @@ in
populateBootCommands = let
configTxt = pkgs.writeText "config.txt" ''
kernel=u-boot-rpi3.bin
# Boot in 64-bit mode.
arm_control=0x200
# U-Boot used to need this to work, regardless of whether UART is actually used or not.
# TODO: check when/if this can be removed.
enable_uart=1
# Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
# when attempting to show low-voltage or overtemperature warnings.
avoid_warnings=1
'';
in ''
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)

View file

@ -27,6 +27,7 @@ in
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.consoleLogLevel = lib.mkDefault 7;
boot.kernelPackages = pkgs.linuxPackages_latest;
# The serial ports listed here are:
# - ttyS0: for Tegra (Jetson TK1)

View file

@ -27,6 +27,7 @@ in
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.consoleLogLevel = lib.mkDefault 7;
boot.kernelPackages = pkgs.linuxPackages_rpi;
# FIXME: this probably should be in installation-device.nix

View file

@ -65,7 +65,7 @@
foldingathome = 37;
sabnzbd = 38;
#kdm = 39; # dropped in 17.03
ghostone = 40;
#ghostone = 40; # dropped in 18.03
git = 41;
fourstore = 42;
fourstorehttp = 43;
@ -197,10 +197,10 @@
#input = 174; # unused
sddm = 175;
tss = 176;
memcached = 177;
#memcached = 177; removed 2018-01-03
ntp = 179;
zabbix = 180;
redis = 181;
#redis = 181; removed 2018-01-03
unifi = 183;
uptimed = 184;
zope2 = 185;
@ -301,6 +301,8 @@
pykms = 282;
kodi = 283;
restya-board = 284;
mighttpd2 = 285;
hass = 286;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -348,7 +350,7 @@
#foldingathome = 37; # unused
#sabnzd = 38; # unused
#kdm = 39; # unused, even before 17.03
ghostone = 40;
#ghostone = 40; # dropped in 18.03
git = 41;
fourstore = 42;
fourstorehttp = 43;
@ -475,10 +477,10 @@
input = 174;
sddm = 175;
tss = 176;
#memcached = 177; # unused
#memcached = 177; # unused, removed 2018-01-03
#ntp = 179; # unused
#zabbix = 180; # unused
#redis = 181; # unused
#redis = 181; # unused, removed 2018-01-03
#unifi = 183; # unused
#uptimed = 184; # unused
#zope2 = 185; # unused
@ -570,6 +572,8 @@
pykms = 282;
kodi = 283;
restya-board = 284;
mighttpd2 = 285;
hass = 286;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

View file

@ -4,10 +4,10 @@ with lib;
let
isConfig = x:
builtins.isAttrs x || builtins.isFunction x;
builtins.isAttrs x || lib.isFunction x;
optCall = f: x:
if builtins.isFunction f
if lib.isFunction f
then f x
else f;
@ -38,7 +38,7 @@ let
overlayType = mkOptionType {
name = "nixpkgs-overlay";
description = "nixpkgs overlay";
check = builtins.isFunction;
check = lib.isFunction;
merge = lib.mergeOneOption;
};

View file

@ -84,6 +84,7 @@
./programs/info.nix
./programs/java.nix
./programs/kbdlight.nix
./programs/less.nix
./programs/light.nix
./programs/man.nix
./programs/mosh.nix
@ -200,6 +201,7 @@
./services/desktops/dleyna-server.nix
./services/desktops/geoclue2.nix
./services/desktops/gnome3/at-spi2-core.nix
./services/desktops/gnome3/chrome-gnome-shell.nix
./services/desktops/gnome3/evolution-data-server.nix
./services/desktops/gnome3/gnome-disks.nix
./services/desktops/gnome3/gnome-documents.nix
@ -220,13 +222,11 @@
./services/editors/emacs.nix
./services/editors/infinoted.nix
./services/games/factorio.nix
./services/games/ghost-one.nix
./services/games/minecraft-server.nix
./services/games/minetest-server.nix
./services/games/terraria.nix
./services/hardware/acpid.nix
./services/hardware/actkbd.nix
./services/hardware/amd-hybrid-graphics.nix
./services/hardware/bluetooth.nix
./services/hardware/brltty.nix
./services/hardware/freefall.nix
@ -246,6 +246,7 @@
./services/hardware/udev.nix
./services/hardware/udisks2.nix
./services/hardware/upower.nix
./services/hardware/usbmuxd.nix
./services/hardware/thermald.nix
./services/logging/SystemdJournal2Gelf.nix
./services/logging/awstats.nix
@ -261,6 +262,8 @@
./services/logging/rsyslogd.nix
./services/logging/syslog-ng.nix
./services/logging/syslogd.nix
./services/mail/clamsmtp.nix
./services/mail/dkimproxy-out.nix
./services/mail/dovecot.nix
./services/mail/dspam.nix
./services/mail/exim.nix
@ -312,6 +315,7 @@
./services/misc/gogs.nix
./services/misc/gollum.nix
./services/misc/gpsd.nix
./services/misc/home-assistant.nix
./services/misc/ihaskell.nix
./services/misc/irkerd.nix
./services/misc/jackett.nix
@ -404,6 +408,7 @@
./services/monitoring/vnstat.nix
./services/monitoring/zabbix-agent.nix
./services/monitoring/zabbix-server.nix
./services/network-filesystems/beegfs.nix
./services/network-filesystems/cachefilesd.nix
./services/network-filesystems/davfs2.nix
./services/network-filesystems/drbd.nix
@ -421,6 +426,7 @@
./services/network-filesystems/yandex-disk.nix
./services/network-filesystems/xtreemfs.nix
./services/networking/amuled.nix
./services/networking/aria2.nix
./services/networking/asterisk.nix
./services/networking/atftpd.nix
./services/networking/avahi-daemon.nix
@ -537,6 +543,7 @@
./services/networking/ssh/lshd.nix
./services/networking/ssh/sshd.nix
./services/networking/strongswan.nix
./services/networking/stunnel.nix
./services/networking/supplicant.nix
./services/networking/supybot.nix
./services/networking/syncthing.nix
@ -631,6 +638,7 @@
./services/web-servers/lighttpd/default.nix
./services/web-servers/lighttpd/gitweb.nix
./services/web-servers/lighttpd/inginious.nix
./services/web-servers/mighttpd2.nix
./services/web-servers/minio.nix
./services/web-servers/nginx/default.nix
./services/web-servers/phpfpm/default.nix
@ -679,6 +687,7 @@
./system/activation/top-level.nix
./system/boot/coredump.nix
./system/boot/emergency-mode.nix
./system/boot/grow-partition.nix
./system/boot/initrd-network.nix
./system/boot/initrd-ssh.nix
./system/boot/kernel.nix
@ -745,6 +754,7 @@
./virtualisation/lxcfs.nix
./virtualisation/lxd.nix
./virtualisation/amazon-options.nix
./virtualisation/hyperv-guest.nix
./virtualisation/openvswitch.nix
./virtualisation/parallels-guest.nix
./virtualisation/rkt.nix

View file

@ -19,13 +19,12 @@
"sata_sil" "sata_sil24" "sata_sis" "sata_svw" "sata_sx4"
"sata_uli" "sata_via" "sata_vsc"
"pata_ali" "pata_amd" "pata_artop" "pata_atiixp"
"pata_cs5520" "pata_cs5530" "pata_cs5535" "pata_efar"
"pata_ali" "pata_amd" "pata_artop" "pata_atiixp" "pata_efar"
"pata_hpt366" "pata_hpt37x" "pata_hpt3x2n" "pata_hpt3x3"
"pata_it8213" "pata_it821x" "pata_jmicron" "pata_marvell"
"pata_mpiix" "pata_netcell" "pata_ns87410" "pata_oldpiix"
"pata_pcmcia" "pata_pdc2027x" "pata_qdi" "pata_rz1000"
"pata_sc1200" "pata_serverworks" "pata_sil680" "pata_sis"
"pata_serverworks" "pata_sil680" "pata_sis"
"pata_sl82c105" "pata_triflex" "pata_via"
"pata_winbond"

View file

@ -17,7 +17,7 @@ let
# you should use files).
moduleFiles =
# FIXME: use typeOf (Nix 1.6.1).
filter (x: !isAttrs x && !builtins.isFunction x) modules;
filter (x: !isAttrs x && !lib.isFunction x) modules;
# Partition module files because between NixOS and non-NixOS files. NixOS
# files may change if the repository is updated.

View file

@ -0,0 +1,118 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.less;
configFile = ''
#command
${concatStringsSep "\n"
(mapAttrsToList (command: action: "${command} ${action}") cfg.commands)
}
${if cfg.clearDefaultCommands then "#stop" else ""}
#line-edit
${concatStringsSep "\n"
(mapAttrsToList (command: action: "${command} ${action}") cfg.lineEditingKeys)
}
#env
${concatStringsSep "\n"
(mapAttrsToList (variable: values: "${variable}=${values}") cfg.envVariables)
}
'';
lessKey = pkgs.runCommand "lesskey"
{ src = pkgs.writeText "lessconfig" configFile; }
"${pkgs.less}/bin/lesskey -o $out $src";
in
{
options = {
programs.less = {
enable = mkEnableOption "less";
commands = mkOption {
type = types.attrsOf types.str;
default = {};
example = {
"h" = "noaction 5\e(";
"l" = "noaction 5\e)";
};
description = "Defines new command keys.";
};
clearDefaultCommands = mkOption {
type = types.bool;
default = false;
description = ''
Clear all default commands.
You should remember to set the quit key.
Otherwise you will not be able to leave less without killing it.
'';
};
lineEditingKeys = mkOption {
type = types.attrsOf types.str;
default = {};
example = {
"\e" = "abort";
};
description = "Defines new line-editing keys.";
};
envVariables = mkOption {
type = types.attrsOf types.str;
default = {};
example = {
LESS = "--quit-if-one-screen";
};
description = "Defines environment variables.";
};
lessopen = mkOption {
type = types.nullOr types.str;
default = "|${pkgs.lesspipe}/bin/lesspipe.sh %s";
description = ''
Before less opens a file, it first gives your input preprocessor a chance to modify the way the contents of the file are displayed.
'';
};
lessclose = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
When less closes a file opened in such a way, it will call another program, called the input postprocessor, which may perform any desired clean-up action (such as deleting the replacement file created by LESSOPEN).
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.less ];
environment.variables = {
"LESSKEY_SYSTEM" = toString lessKey;
} // optionalAttrs (cfg.lessopen != null) {
"LESSOPEN" = cfg.lessopen;
} // optionalAttrs (cfg.lessclose != null) {
"LESSCLOSE" = cfg.lessclose;
};
warnings = optional (
cfg.clearDefaultCommands && (all (x: x != "quit") (attrValues cfg.commands))
) ''
config.programs.less.clearDefaultCommands clears all default commands of less but there is no alternative binding for exiting.
Consider adding a binding for 'quit'.
'';
};
meta.maintainers = with maintainers; [ johnazoidberg ];
}

View file

@ -10,6 +10,7 @@ let
if [[ "$#" -ge 1 ]]; then
exec ${pkgs.rootston}/bin/rootston "$@"
else
${cfg.extraSessionCommands}
exec ${pkgs.rootston}/bin/rootston -C ${cfg.configFile}
fi
'';
@ -21,14 +22,28 @@ in {
Wayland compositor you should e.g. use Sway instead). You can manually
start the compositor by running "rootston" from a terminal'';
extraSessionCommands = mkOption {
type = types.lines;
default = "";
example = ''
# Define a keymap (US QWERTY is the default)
export XKB_DEFAULT_LAYOUT=de,us
export XKB_DEFAULT_VARIANT=nodeadkeys
export XKB_DEFAULT_OPTIONS=grp:alt_shift_toggle,caps:escape
'';
description = ''
Shell commands executed just before rootston is started.
'';
};
extraPackages = mkOption {
type = with types; listOf package;
default = with pkgs; [
xwayland rxvt_unicode dmenu
westonLite xwayland rofi
];
defaultText = literalExample ''
with pkgs; [
xwayland dmenu rxvt_unicode
westonLite xwayland rofi
]
'';
example = literalExample "[ ]";
@ -55,9 +70,8 @@ in {
Logo+q = close
Logo+m = maximize
Alt+Tab = next_window
Logo+Return = exec urxvt
# Note: Dmenu will only work properly while e.g. urxvt is running.
Logo+d = exec dmenu_run
Logo+Return = exec weston-terminal
Logo+d = exec rofi -show run
'';
description = ''
Default configuration for rootston (used when called without any
@ -82,7 +96,8 @@ in {
hardware.opengl.enable = mkDefault true;
fonts.enableDefaultFonts = mkDefault true;
programs.dconf.enable = mkDefault true;
};
meta.maintainers = with lib.maintainers; [ primeos ];
meta.maintainers = with lib.maintainers; [ primeos gnidorah ];
}

View file

@ -151,6 +151,15 @@ in {
type = types.str;
description = "Set the $TERM variable.";
};
secureSocket = mkOption {
default = true;
type = types.bool;
description = ''
Store tmux socket under /run, which is more secure than /tmp, but as a
downside it doesn't survive user logout.
'';
};
};
};
@ -163,7 +172,7 @@ in {
systemPackages = [ pkgs.tmux ];
variables = {
TMUX_TMPDIR = ''''${XDG_RUNTIME_DIR:-"/run/user/\$(id -u)"}'';
TMUX_TMPDIR = lib.optional cfg.secureSocket ''''${XDG_RUNTIME_DIR:-"/run/user/\$(id -u)"}'';
};
};
};

View file

@ -48,6 +48,15 @@ in
Name of the theme to be used by oh-my-zsh.
'';
};
cacheDir = mkOption {
default = "$HOME/.cache/oh-my-zsh";
type = types.str;
description = ''
Cache directory to be used by `oh-my-zsh`.
Without this option it would default to the read-only nix store.
'';
};
};
};
@ -74,6 +83,13 @@ in
"ZSH_THEME=\"${cfg.theme}\""
}
${optionalString (cfg.cacheDir != null) ''
if [[ ! -d "${cfg.cacheDir}" ]]; then
mkdir -p "${cfg.cacheDir}"
fi
ZSH_CACHE_DIR=${cfg.cacheDir}
''}
source $ZSH/oh-my-zsh.sh
'';
};

View file

@ -36,8 +36,9 @@ in
shellAliases = mkOption {
default = config.environment.shellAliases;
description = ''
Set of aliases for zsh shell. See <option>environment.shellAliases</option>
for an option format description.
Set of aliases for zsh shell. Overrides the default value taken from
<option>environment.shellAliases</option>.
See <option>environment.shellAliases</option> for an option format description.
'';
type = types.attrs; # types.attrsOf types.stringOrPath;
};

View file

@ -186,6 +186,9 @@ with lib;
(mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "config" "fonts" "fontconfig" "forceAutohint" ])
(mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "config" "fonts" "fontconfig" "renderMonoTTFAsBitmap" ])
# Profile splitting
(mkRenamedOptionModule [ "virtualization" "growPartition" ] [ "boot" "growPartition" ])
# Options that are obsolete and have no replacement.
(mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
(mkRemovedOptionModule [ "programs" "bash" "enable" ] "")

View file

@ -139,6 +139,14 @@ in
'';
};
tosHash = mkOption {
type = types.string;
default = "cc88d8d9517f490191401e7b54e9ffd12a2b9082ec7a1d4cec6101f9f1647e7b";
description = ''
SHA256 of the Terms of Services document. This changes once in a while.
'';
};
production = mkOption {
type = types.bool;
default = true;
@ -188,7 +196,7 @@ in
domain = if data.domain != null then data.domain else cert;
cpath = "${cfg.directory}/${cert}";
rights = if data.allowKeysForGroup then "750" else "700";
cmdline = [ "-v" "-d" domain "--default_root" data.webroot "--valid_min" cfg.validMin ]
cmdline = [ "-v" "-d" domain "--default_root" data.webroot "--valid_min" cfg.validMin "--tos_sha256" cfg.tosHash ]
++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains)

View file

@ -223,6 +223,17 @@ let
'';
};
enableGnomeKeyring = mkOption {
default = false;
type = types.bool;
description = ''
If enabled, pam_gnome_keyring will attempt to automatically unlock the
user's default Gnome keyring upon login. If the user login password does
not match their keyring password, Gnome Keyring will prompt separately
after login.
'';
};
text = mkOption {
type = types.nullOr types.lines;
description = "Contents of the PAM service file.";
@ -273,7 +284,7 @@ let
# prompts the user for password so we run it once with 'required' at an
# earlier point and it will run again with 'sufficient' further down.
# We use try_first_pass the second time to avoid prompting password twice
(optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount || cfg.enableKwallet)) ''
(optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount || cfg.enableKwallet || cfg.enableGnomeKeyring)) ''
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
${optionalString config.security.pam.enableEcryptfs
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
@ -282,6 +293,8 @@ let
${optionalString cfg.enableKwallet
("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
" kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
${optionalString cfg.enableGnomeKeyring
("auth optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so")}
'') + ''
${optionalString cfg.unixAuth
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
@ -351,6 +364,10 @@ let
${optionalString (cfg.enableKwallet)
("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
" kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
${optionalString (cfg.enableGnomeKeyring)
"session optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so auto_start"}
${optionalString (config.virtualisation.lxc.lxcfs.enable)
"session optional ${pkgs.lxcfs}/lib/security/pam_cgfs.so -c freezer,memory,name=systemd,unified,cpuset"}
'');
};

View file

@ -8,6 +8,22 @@ let
inherit (pkgs) sudo;
toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
toCommandOptionsString = options:
"${concatStringsSep ":" options}${optionalString (length options != 0) ":"} ";
toCommandsString = commands:
concatStringsSep ", " (
map (command:
if (isString command) then
command
else
"${toCommandOptionsString command.options}${command.command}"
) commands
);
in
{
@ -47,6 +63,97 @@ in
'';
};
security.sudo.extraRules = mkOption {
description = ''
Define specific rules to be in the <filename>sudoers</filename> file.
'';
default = [];
example = [
# Allow execution of any command by all users in group sudo,
# requiring a password.
{ groups = [ "sudo" ]; commands = [ "ALL" ]; }
# Allow execution of "/home/root/secret.sh" by user `backup`, `database`
# and the group with GID `1006` without a password.
{ users = [ "backup" ]; groups = [ 1006 ];
commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }
# Allow all users of group `bar` to run two executables as user `foo`
# with arguments being pre-set.
{ groups = [ "bar" ]; runAs = "foo";
commands =
[ "/home/baz/cmd1.sh hello-sudo"
{ command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
];
type = with types; listOf (submodule {
options = {
users = mkOption {
type = with types; listOf (either string int);
description = ''
The usernames / UIDs this rule should apply for.
'';
default = [];
};
groups = mkOption {
type = with types; listOf (either string int);
description = ''
The groups / GIDs this rule should apply for.
'';
default = [];
};
host = mkOption {
type = types.string;
default = "ALL";
description = ''
For what host this rule should apply.
'';
};
runAs = mkOption {
type = with types; string;
default = "ALL:ALL";
description = ''
Under which user/group the specified command is allowed to run.
A user can be specified using just the username: <code>"foo"</code>.
It is also possible to specify a user/group combination using <code>"foo:bar"</code>
or to only allow running as a specific group with <code>":bar"</code>.
'';
};
commands = mkOption {
description = ''
The commands for which the rule should apply.
'';
type = with types; listOf (either string (submodule {
options = {
command = mkOption {
type = with types; string;
description = ''
A command being either just a path to a binary to allow any arguments,
the full command with arguments pre-set or with <code>""</code> used as the argument,
not allowing arguments to the command at all.
'';
};
options = mkOption {
type = with types; listOf (enum [ "NOPASSWD" "PASSWD" "NOEXEC" "EXEC" "SETENV" "NOSETENV" "LOG_INPUT" "NOLOG_INPUT" "LOG_OUTPUT" "NOLOG_OUTPUT" ]);
description = ''
Options for running the command. Refer to the <a href="https://www.sudo.ws/man/1.7.10/sudoers.man.html">sudo manual</a>.
'';
default = [];
};
};
}));
};
};
});
};
security.sudo.extraConfig = mkOption {
type = types.lines;
default = "";
@ -61,10 +168,16 @@ in
config = mkIf cfg.enable {
security.sudo.extraRules = [
{ groups = [ "wheel" ];
commands = [ { command = "ALL"; options = (if cfg.wheelNeedsPassword then [ "SETENV" ] else [ "NOPASSWD" "SETENV" ]); } ];
}
];
security.sudo.configFile =
''
# Don't edit this file. Set the NixOS options security.sudo.configFile
# or security.sudo.extraConfig instead.
# or security.sudo.extraRules instead.
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
@ -72,8 +185,18 @@ in
# "root" is allowed to do anything.
root ALL=(ALL:ALL) SETENV: ALL
# Users in the "wheel" group can do anything.
%wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
# extraRules
${concatStringsSep "\n" (
lists.flatten (
map (
rule: if (length rule.commands != 0) then [
(map (user: "${toUserString user} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.users)
(map (group: "${toGroupString group} ${rule.host}=(${rule.runAs}) ${toCommandsString rule.commands}") rule.groups)
] else []
) cfg.extraRules
)
)}
${cfg.extraConfig}
'';

View file

@ -17,7 +17,7 @@ let
hardeningEnable = [ "pie" ];
installPhase = ''
mkdir -p $out/bin
gcc -Wall -O2 -DWRAPPER_DIR=\"${parentWrapperDir}\" \
$CC -Wall -O2 -DWRAPPER_DIR=\"${parentWrapperDir}\" \
-lcap-ng -lcap ${./wrapper.c} -o $out/bin/security-wrapper
'';
};
@ -79,7 +79,7 @@ let
({ owner = "root";
group = "root";
} // s)
else if
else if
(s ? "setuid" && s.setuid) ||
(s ? "setgid" && s.setgid) ||
(s ? "permissions")

View file

@ -4,17 +4,22 @@ with pkgs;
with lib;
let
uid = config.ids.uids.mopidy;
gid = config.ids.gids.mopidy;
cfg = config.services.mopidy;
mopidyConf = writeText "mopidy.conf" cfg.configuration;
mopidyEnv = python.buildEnv.override {
extraLibs = [ mopidy ] ++ cfg.extensionPackages;
mopidyEnv = buildEnv {
name = "mopidy-with-extensions-${mopidy.version}";
paths = closePropagation cfg.extensionPackages;
pathsToLink = [ "/${python.sitePackages}" ];
buildInputs = [ makeWrapper ];
postBuild = ''
makeWrapper ${mopidy}/bin/mopidy $out/bin/mopidy \
--prefix PYTHONPATH : $out/${python.sitePackages}
'';
};
in {
options = {
@ -61,7 +66,6 @@ in {
};
###### implementation
config = mkIf cfg.enable {

View file

@ -1,39 +1,372 @@
{ config, lib, pkgs, ... }:
with lib;
with types;
let
# Converts a plan like
# { "1d" = "1h"; "1w" = "1d"; }
# into
# "1d=>1h,1w=>1d"
attrToPlan = attrs: concatStringsSep "," (builtins.attrValues (
mapAttrs (n: v: "${n}=>${v}") attrs));
planDescription = ''
The znapzend backup plan to use for the source.
</para>
<para>
The plan specifies how often to backup and for how long to keep the
backups. It consists of a series of retention periodes to interval
associations:
</para>
<para>
<literal>
retA=>intA,retB=>intB,...
</literal>
</para>
<para>
Both intervals and retention periods are expressed in standard units
of time or multiples of them. You can use both the full name or a
shortcut according to the following listing:
</para>
<para>
<literal>
second|sec|s, minute|min, hour|h, day|d, week|w, month|mon|m, year|y
</literal>
</para>
<para>
See <citerefentry><refentrytitle>znapzendzetup</refentrytitle><manvolnum>1</manvolnum></citerefentry> for more info.
'';
planExample = "1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m";
# A type for a string of the form number{b|k|M|G}
mbufferSizeType = str // {
check = x: str.check x && builtins.isList (builtins.match "^[0-9]+[bkMG]$" x);
description = "string of the form number{b|k|M|G}";
};
# Type for a string that must contain certain other strings (the list parameter).
# Note that these would need regex escaping.
stringContainingStrings = list: let
matching = s: map (str: builtins.match ".*${str}.*" s) list;
in str // {
check = x: str.check x && all isList (matching x);
description = "string containing all of the characters ${concatStringsSep ", " list}";
};
timestampType = stringContainingStrings [ "%Y" "%m" "%d" "%H" "%M" "%S" ];
destType = srcConfig: submodule ({ name, ... }: {
options = {
label = mkOption {
type = str;
description = "Label for this destination. Defaults to the attribute name.";
};
plan = mkOption {
type = str;
description = planDescription;
example = planExample;
};
dataset = mkOption {
type = str;
description = "Dataset name to send snapshots to.";
example = "tank/main";
};
host = mkOption {
type = nullOr str;
description = ''
Host to use for the destination dataset. Can be prefixed with
<literal>user@</literal> to specify the ssh user.
'';
default = null;
example = "john@example.com";
};
presend = mkOption {
type = nullOr str;
description = ''
Command to run before sending the snapshot to the destination.
Intended to run a remote script via <command>ssh</command> on the
destination, e.g. to bring up a backup disk or server or to put a
zpool online/offline. See also <option>postsend</option>.
'';
default = null;
example = "ssh root@bserv zpool import -Nf tank";
};
postsend = mkOption {
type = nullOr str;
description = ''
Command to run after sending the snapshot to the destination.
Intended to run a remote script via <command>ssh</command> on the
destination, e.g. to bring up a backup disk or server or to put a
zpool online/offline. See also <option>presend</option>.
'';
default = null;
example = "ssh root@bserv zpool export tank";
};
};
config = {
label = mkDefault name;
plan = mkDefault srcConfig.plan;
};
});
srcType = submodule ({ name, config, ... }: {
options = {
enable = mkOption {
type = bool;
description = "Whether to enable this source.";
default = true;
};
recursive = mkOption {
type = bool;
description = "Whether to do recursive snapshots.";
default = false;
};
mbuffer = {
enable = mkOption {
type = bool;
description = "Whether to use <command>mbuffer</command>.";
default = false;
};
port = mkOption {
type = nullOr ints.u16;
description = ''
Port to use for <command>mbuffer</command>.
</para>
<para>
If this is null, it will run <command>mbuffer</command> through
ssh.
</para>
<para>
If this is not null, it will run <command>mbuffer</command>
directly through TCP, which is not encrypted but faster. In that
case the given port needs to be open on the destination host.
'';
default = null;
};
size = mkOption {
type = mbufferSizeType;
description = ''
The size for <command>mbuffer</command>.
Supports the units b, k, M, G.
'';
default = "1G";
example = "128M";
};
};
presnap = mkOption {
type = nullOr str;
description = ''
Command to run before snapshots are taken on the source dataset,
e.g. for database locking/flushing. See also
<option>postsnap</option>.
'';
default = null;
example = literalExample ''
''${pkgs.mariadb}/bin/mysql -e "set autocommit=0;flush tables with read lock;\\! ''${pkgs.coreutils}/bin/sleep 600" & ''${pkgs.coreutils}/bin/echo $! > /tmp/mariadblock.pid ; sleep 10
'';
};
postsnap = mkOption {
type = nullOr str;
description = ''
Command to run after snapshots are taken on the source dataset,
e.g. for database unlocking. See also <option>presnap</option>.
'';
default = null;
example = literalExample ''
''${pkgs.coreutils}/bin/kill `''${pkgs.coreutils}/bin/cat /tmp/mariadblock.pid`;''${pkgs.coreutils}/bin/rm /tmp/mariadblock.pid
'';
};
timestampFormat = mkOption {
type = timestampType;
description = ''
The timestamp format to use for constructing snapshot names.
The syntax is <literal>strftime</literal>-like. The string must
consist of the mandatory <literal>%Y %m %d %H %M %S</literal>.
Optionally <literal>- _ . :</literal> characters as well as any
alphanumeric character are allowed. If suffixed by a
<literal>Z</literal>, times will be in UTC.
'';
default = "%Y-%m-%d-%H%M%S";
example = "znapzend-%m.%d.%Y-%H%M%SZ";
};
sendDelay = mkOption {
type = int;
description = ''
Specify delay (in seconds) before sending snaps to the destination.
May be useful if you want to control sending time.
'';
default = 0;
example = 60;
};
plan = mkOption {
type = str;
description = planDescription;
example = planExample;
};
dataset = mkOption {
type = str;
description = "The dataset to use for this source.";
example = "tank/home";
};
destinations = mkOption {
type = loaOf (destType config);
description = "Additional destinations.";
default = {};
example = literalExample ''
{
local = {
dataset = "btank/backup";
presend = "zpool import -N btank";
postsend = "zpool export btank";
};
remote = {
host = "john@example.com";
dataset = "tank/john";
};
};
'';
};
};
config = {
dataset = mkDefault name;
};
});
### Generating the configuration from here
cfg = config.services.znapzend;
onOff = b: if b then "on" else "off";
nullOff = b: if isNull b then "off" else toString b;
stripSlashes = replaceStrings [ "/" ] [ "." ];
attrsToFile = config: concatStringsSep "\n" (builtins.attrValues (
mapAttrs (n: v: "${n}=${v}") config));
mkDestAttrs = dst: with dst;
mapAttrs' (n: v: nameValuePair "dst_${label}${n}" v) ({
"" = optionalString (! isNull host) "${host}:" + dataset;
_plan = plan;
} // optionalAttrs (presend != null) {
_precmd = presend;
} // optionalAttrs (postsend != null) {
_pstcmd = postsend;
});
mkSrcAttrs = srcCfg: with srcCfg; {
enabled = onOff enable;
mbuffer = with mbuffer; if enable then "${pkgs.mbuffer}/bin/mbuffer"
+ optionalString (port != null) ":${toString port}" else "off";
mbuffer_size = mbuffer.size;
post_znap_cmd = nullOff postsnap;
pre_znap_cmd = nullOff presnap;
recursive = onOff recursive;
src = dataset;
src_plan = plan;
tsformat = timestampFormat;
zend_delay = toString sendDelay;
} // fold (a: b: a // b) {} (
map mkDestAttrs (builtins.attrValues destinations)
);
files = mapAttrs' (n: srcCfg: let
fileText = attrsToFile (mkSrcAttrs srcCfg);
in {
name = srcCfg.dataset;
value = pkgs.writeText (stripSlashes srcCfg.dataset) fileText;
}) cfg.zetup;
in
{
options = {
services.znapzend = {
enable = mkEnableOption "ZnapZend daemon";
enable = mkEnableOption "ZnapZend ZFS backup daemon";
logLevel = mkOption {
default = "debug";
example = "warning";
type = lib.types.enum ["debug" "info" "warning" "err" "alert"];
description = "The log level when logging to file. Any of debug, info, warning, err, alert. Default in daemonized form is debug.";
type = enum ["debug" "info" "warning" "err" "alert"];
description = ''
The log level when logging to file. Any of debug, info, warning, err,
alert. Default in daemonized form is debug.
'';
};
logTo = mkOption {
type = types.str;
type = str;
default = "syslog::daemon";
example = "/var/log/znapzend.log";
description = "Where to log to (syslog::&lt;facility&gt; or &lt;filepath&gt;).";
description = ''
Where to log to (syslog::&lt;facility&gt; or &lt;filepath&gt;).
'';
};
noDestroy = mkOption {
type = types.bool;
type = bool;
default = false;
description = "Does all changes to the filesystem except destroy.";
};
autoCreation = mkOption {
type = types.bool;
type = bool;
default = false;
description = "Automatically create the destination dataset if it does not exists.";
};
zetup = mkOption {
type = loaOf srcType;
description = "Znapzend configuration.";
default = {};
example = literalExample ''
{
"tank/home" = {
# Make snapshots of tank/home every hour, keep those for 1 day,
# keep every days snapshot for 1 month, etc.
plan = "1d=>1h,1m=>1d,1y=>1m";
recursive = true;
# Send all those snapshots to john@example.com:rtank/john as well
destinations.remote = {
host = "john@example.com";
dataset = "rtank/john";
};
};
};
'';
};
pure = mkOption {
type = bool;
description = ''
Do not persist any stateful znapzend setups. If this option is
enabled, your previously set znapzend setups will be cleared and only
the ones defined with this module will be applied.
'';
default = false;
description = "Automatically create the dataset on dest if it does not exists.";
};
};
};
@ -49,12 +382,30 @@ in
path = with pkgs; [ zfs mbuffer openssh ];
preStart = optionalString cfg.pure ''
echo Resetting znapzend zetups
${pkgs.znapzend}/bin/znapzendzetup list \
| grep -oP '(?<=\*\*\* backup plan: ).*(?= \*\*\*)' \
| xargs ${pkgs.znapzend}/bin/znapzendzetup delete
'' + concatStringsSep "\n" (mapAttrsToList (dataset: config: ''
echo Importing znapzend zetup ${config} for dataset ${dataset}
${pkgs.znapzend}/bin/znapzendzetup import --write ${dataset} ${config}
'') files);
serviceConfig = {
ExecStart = "${pkgs.znapzend}/bin/znapzend --logto=${cfg.logTo} --loglevel=${cfg.logLevel} ${optionalString cfg.noDestroy "--nodestroy"} ${optionalString cfg.autoCreation "--autoCreation"}";
ExecStart = let
args = concatStringsSep " " [
"--logto=${cfg.logTo}"
"--loglevel=${cfg.logLevel}"
(optionalString cfg.noDestroy "--nodestroy")
(optionalString cfg.autoCreation "--autoCreation")
]; in "${pkgs.znapzend}/bin/znapzend ${args}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
};
};
};
};
meta.maintainers = with maintainers; [ infinisil ];
}

View file

@ -48,6 +48,15 @@ in
'';
};
hooksPath = mkOption {
type = types.path;
default = "${pkgs.buildkite-agent}/share/hooks";
defaultText = "${pkgs.buildkite-agent}/share/hooks";
description = ''
Path to the directory storing the hooks.
'';
};
meta-data = mkOption {
type = types.str;
default = "";
@ -114,8 +123,8 @@ in
token="$(cat ${toString cfg.tokenPath})"
name="${cfg.name}"
meta-data="${cfg.meta-data}"
hooks-path="${pkgs.buildkite-agent}/share/hooks"
build-path="${cfg.dataDir}/builds"
hooks-path="${cfg.hooksPath}"
bootstrap-script="${pkgs.buildkite-agent}/share/bootstrap.sh"
EOF
'';

View file

@ -40,11 +40,7 @@ in
description = "The port to bind to";
};
socket = mkOption {
default = "";
description = "Unix socket path to listen on. Setting this will disable network support";
example = "/var/run/memcached";
};
enableUnixSocket = mkEnableOption "unix socket at /run/memcached/memcached.sock";
maxMemory = mkOption {
default = 64;
@ -68,31 +64,40 @@ in
config = mkIf config.services.memcached.enable {
users.extraUsers.memcached =
{ name = cfg.user;
uid = config.ids.uids.memcached;
description = "Memcached server user";
};
users.extraUsers = optional (cfg.user == "memcached") {
name = "memcached";
description = "Memcached server user";
};
environment.systemPackages = [ memcached ];
systemd.services.memcached =
{ description = "Memcached server";
systemd.services.memcached = {
description = "Memcached server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart =
let
networking = if cfg.socket != ""
then "-s ${cfg.socket}"
else "-l ${cfg.listen} -p ${toString cfg.port}";
in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}";
serviceConfig = {
PermissionsStartOnly = true;
ExecStartPre = optionals cfg.enableUnixSocket [
"${pkgs.coreutils}/bin/install -d -o ${cfg.user} /run/memcached/"
"${pkgs.coreutils}/bin/chown -R ${cfg.user} /run/memcached/"
];
ExecStart =
let
networking = if cfg.enableUnixSocket
then "-s /run/memcached/memcached.sock"
else "-l ${cfg.listen} -p ${toString cfg.port}";
in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}";
User = cfg.user;
};
User = cfg.user;
};
};
};
imports = [
(mkRemovedOptionModule ["services" "memcached" "socket"] ''
This option was replaced by a fixed unix socket path at /run/memcached/memcached.sock enabled using services.memached.enableUnixSocket.
'')
];
}

View file

@ -7,14 +7,12 @@ let
cfg = config.services.mysql;
mysql = cfg.package;
isMariaDB =
isMariaDB =
let
pName = _p: (builtins.parseDrvName (_p.name)).name;
in pName mysql == pName pkgs.mariadb;
atLeast55 = versionAtLeast mysql.mysqlVersion "5.5";
pidFile = "${cfg.pidDir}/mysqld.pid";
mysqldOptions =
@ -28,13 +26,6 @@ let
${optionalString (cfg.bind != null) "bind-address = ${cfg.bind}" }
${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "log-bin=mysql-bin"}
${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave") "server-id = ${toString cfg.replication.serverId}"}
${optionalString (cfg.replication.role == "slave" && !atLeast55)
''
master-host = ${cfg.replication.masterHost}
master-user = ${cfg.replication.masterUser}
master-password = ${cfg.replication.masterPassword}
master-port = ${toString cfg.replication.masterPort}
''}
${optionalString (cfg.ensureUsers != [])
''
plugin-load-add = auth_socket.so
@ -315,7 +306,7 @@ in
fi
'') cfg.initialDatabases}
${optionalString (cfg.replication.role == "master" && atLeast55)
${optionalString (cfg.replication.role == "master")
''
# Set up the replication master
@ -326,7 +317,7 @@ in
) | ${mysql}/bin/mysql -u root -N
''}
${optionalString (cfg.replication.role == "slave" && atLeast55)
${optionalString (cfg.replication.role == "slave")
''
# Set up the replication slave

View file

@ -219,7 +219,6 @@ in
users.extraUsers.redis =
{ name = cfg.user;
uid = config.ids.uids.redis;
description = "Redis database user";
};

View file

@ -0,0 +1,27 @@
# Chrome GNOME Shell native host connector.
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
services.gnome3.chrome-gnome-shell.enable = mkEnableOption ''
Chrome GNOME Shell native host connector, a DBus service
allowing to install GNOME Shell extensions from a web browser.
'';
};
###### implementation
config = mkIf config.services.gnome3.chrome-gnome-shell.enable {
environment.etc = {
"chromium/native-messaging-hosts/org.gnome.chrome_gnome_shell.json".source = "${pkgs.chrome-gnome-shell}/etc/chromium/native-messaging-hosts/org.gnome.chrome_gnome_shell.json";
"opt/chrome/native-messaging-hosts/org.gnome.chrome_gnome_shell.json".source = "${pkgs.chrome-gnome-shell}/etc/opt/chrome/native-messaging-hosts/org.gnome.chrome_gnome_shell.json";
};
environment.systemPackages = [ pkgs.chrome-gnome-shell ];
services.dbus.packages = [ pkgs.chrome-gnome-shell ];
};
}

View file

@ -1,105 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.ghostOne;
ghostUser = "ghostone";
stateDir = "/var/lib/ghost-one";
in
{
###### interface
options = {
services.ghostOne = {
enable = mkOption {
default = false;
description = "Enable Ghost-One Warcraft3 game hosting server.";
};
language = mkOption {
default = "English";
type = types.enum [ "English" "Spanish" "Russian" "Serbian" "Turkish" ];
description = "The language of bot messages: English, Spanish, Russian, Serbian or Turkish.";
};
war3path = mkOption {
default = "";
description = ''
The path to your local Warcraft III directory, which must contain war3.exe, storm.dll, and game.dll.
'';
};
mappath = mkOption {
default = "";
description = ''
The path to the directory where you keep your map files. GHost One doesn't require
map files but if it has access to them it can send them to players and automatically
calculate most map config values. GHost One will search [bot_mappath + map_localpath]
for the map file (map_localpath is set in each map's config file).
'';
};
config = mkOption {
default = "";
description = "Extra configuration options.";
};
};
};
###### implementation
config = mkIf cfg.enable {
users.extraUsers = singleton
{ name = ghostUser;
uid = config.ids.uids.ghostone;
description = "Ghost One game server user";
home = stateDir;
};
users.extraGroups = singleton
{ name = ghostUser;
gid = config.ids.gids.ghostone;
};
services.ghostOne.config = ''
# bot_log = /dev/stderr
bot_language = ${pkgs.ghostOne}/share/ghost-one/languages/${cfg.language}.cfg
bot_war3path = ${cfg.war3path}
bot_mapcfgpath = mapcfgs
bot_savegamepath = savegames
bot_mappath = ${cfg.mappath}
bot_replaypath = replays
'';
systemd.services."ghost-one" = {
wantedBy = [ "multi-user.target" ];
script = ''
mkdir -p ${stateDir}
cd ${stateDir}
chown ${ghostUser}:${ghostUser} .
mkdir -p mapcfgs
chown ${ghostUser}:${ghostUser} mapcfgs
mkdir -p replays
chown ${ghostUser}:${ghostUser} replays
mkdir -p savegames
chown ${ghostUser}:${ghostUser} savegames
ln -sf ${pkgs.writeText "ghost.cfg" cfg.config} ghost.cfg
ln -sf ${pkgs.ghostOne}/share/ghost-one/ip-to-country.csv
${pkgs.su}/bin/su -s ${pkgs.stdenv.shell} ${ghostUser} \
-c "LANG=C ${pkgs.ghostOne}/bin/ghost++"
'';
};
};
}

View file

@ -1,46 +0,0 @@
{ config, pkgs, lib, ... }:
{
###### interface
options = {
hardware.amdHybridGraphics.disable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Completely disable the AMD graphics card and use the
integrated graphics processor instead.
'';
};
};
###### implementation
config = lib.mkIf config.hardware.amdHybridGraphics.disable {
systemd.services."amd-hybrid-graphics" = {
path = [ pkgs.bash ];
description = "Disable AMD Card";
after = [ "sys-kernel-debug.mount" ];
before = [ "systemd-vconsole-setup.service" "display-manager.service" ];
requires = [ "sys-kernel-debug.mount" "vgaswitcheroo.path" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.bash}/bin/sh -c 'echo -e \"IGD\\nOFF\" > /sys/kernel/debug/vgaswitcheroo/switch'";
ExecStop = "${pkgs.bash}/bin/sh -c 'echo ON >/sys/kernel/debug/vgaswitcheroo/switch'";
};
};
systemd.paths."vgaswitcheroo" = {
pathConfig = {
PathExists = "/sys/kernel/debug/vgaswitcheroo/switch";
Unit = "amd-hybrid-graphics.service";
};
wantedBy = ["multi-user.target"];
};
};
}

View file

@ -0,0 +1,74 @@
{ config, lib, pkgs, ... }:
with lib;
let
defaultUserGroup = "usbmux";
apple = "05ac";
cfg = config.services.usbmuxd;
in
{
options.services.usbmuxd = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable the usbmuxd ("USB multiplexing daemon") service. This daemon is
in charge of multiplexing connections over USB to an iOS device. This is
needed for transferring data from and to iOS devices (see ifuse). Also
this may enable plug-n-play tethering for iPhones.
'';
};
user = mkOption {
type = types.str;
default = defaultUserGroup;
description = ''
The user usbmuxd should use to run after startup.
'';
};
group = mkOption {
type = types.str;
default = defaultUserGroup;
description = ''
The group usbmuxd should use to run after startup.
'';
};
};
config = mkIf cfg.enable {
users.extraUsers = optional (cfg.user == defaultUserGroup) {
name = cfg.user;
description = "usbmuxd user";
group = cfg.group;
};
users.extraGroups = optional (cfg.group == defaultUserGroup) {
name = cfg.group;
};
# Give usbmuxd permission for Apple devices
services.udev.extraRules = ''
SUBSYSTEM=="usb", ATTR{idVendor}=="${apple}", GROUP="${cfg.group}"
'';
systemd.services.usbmuxd = {
description = "usbmuxd";
wantedBy = [ "multi-user.target" ];
unitConfig.Documentation = "man:usbmuxd(8)";
serviceConfig = {
# Trigger the udev rule manually. This doesn't require replugging the
# device when first enabling the option to get it to work
ExecStartPre = "${pkgs.libudev}/bin/udevadm trigger -s usb -a idVendor=${apple}";
ExecStart = "${pkgs.usbmuxd}/bin/usbmuxd -U ${cfg.user} -f";
};
};
};
}

View file

@ -0,0 +1,179 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.clamsmtp;
clamdSocket = "/run/clamav/clamd.ctl"; # See services/security/clamav.nix
in
{
##### interface
options = {
services.clamsmtp = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable clamsmtp.";
};
instances = mkOption {
description = "Instances of clamsmtp to run.";
type = types.listOf (types.submodule { options = {
action = mkOption {
type = types.enum [ "bounce" "drop" "pass" ];
default = "drop";
description =
''
Action to take when a virus is detected.
Note that viruses often spoof sender addresses, so bouncing is
in most cases not a good idea.
'';
};
header = mkOption {
type = types.str;
default = "";
example = "X-Virus-Scanned: ClamAV using ClamSMTP";
description =
''
A header to add to scanned messages. See clamsmtpd.conf(5) for
more details. Empty means no header.
'';
};
keepAlives = mkOption {
type = types.int;
default = 0;
description =
''
Number of seconds to wait between each NOOP sent to the sending
server. 0 to disable.
This is meant for slow servers where the sending MTA times out
waiting for clamd to scan the file.
'';
};
listen = mkOption {
type = types.str;
example = "127.0.0.1:10025";
description =
''
Address to wait for incoming SMTP connections on. See
clamsmtpd.conf(5) for more details.
'';
};
quarantine = mkOption {
type = types.bool;
default = false;
description =
''
Whether to quarantine files that contain viruses by leaving them
in the temporary directory.
'';
};
maxConnections = mkOption {
type = types.int;
default = 64;
description = "Maximum number of connections to accept at once.";
};
outAddress = mkOption {
type = types.str;
description =
''
Address of the SMTP server to send email to once it has been
scanned.
'';
};
tempDirectory = mkOption {
type = types.str;
default = "/tmp";
description =
''
Temporary directory that needs to be accessible to both clamd
and clamsmtpd.
'';
};
timeout = mkOption {
type = types.int;
default = 180;
description = "Time-out for network connections.";
};
transparentProxy = mkOption {
type = types.bool;
default = false;
description = "Enable clamsmtp's transparent proxy support.";
};
virusAction = mkOption {
type = with types; nullOr path;
default = null;
description =
''
Command to run when a virus is found. Please see VIRUS ACTION in
clamsmtpd(8) for a discussion of this option and its safe use.
'';
};
xClient = mkOption {
type = types.bool;
default = false;
description =
''
Send the XCLIENT command to the receiving server, for forwarding
client addresses and connection information if the receiving
server supports this feature.
'';
};
};});
};
};
};
##### implementation
config = let
configfile = conf: pkgs.writeText "clamsmtpd.conf"
''
Action: ${conf.action}
ClamAddress: ${clamdSocket}
Header: ${conf.header}
KeepAlives: ${toString conf.keepAlives}
Listen: ${conf.listen}
Quarantine: ${if conf.quarantine then "on" else "off"}
MaxConnections: ${toString conf.maxConnections}
OutAddress: ${conf.outAddress}
TempDirectory: ${conf.tempDirectory}
TimeOut: ${toString conf.timeout}
TransparentProxy: ${if conf.transparentProxy then "on" else "off"}
User: clamav
${optionalString (conf.virusAction != null) "VirusAction: ${conf.virusAction}"}
XClient: ${if conf.xClient then "on" else "off"}
'';
in
mkIf cfg.enable {
assertions = [
{ assertion = config.services.clamav.daemon.enable;
message = "clamsmtp requires clamav to be enabled";
}
];
systemd.services = listToAttrs (imap1 (i: conf:
nameValuePair "clamsmtp-${toString i}" {
description = "ClamSMTP instance ${toString i}";
wantedBy = [ "multi-user.target" ];
script = "exec ${pkgs.clamsmtp}/bin/clamsmtpd -f ${configfile conf}";
after = [ "clamav-daemon.service" ];
requires = [ "clamav-daemon.service" ];
serviceConfig.Type = "forking";
serviceConfig.PrivateTmp = "yes";
unitConfig.JoinsNamespaceOf = "clamav-daemon.service";
}
) cfg.instances);
};
}

View file

@ -0,0 +1,118 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.dkimproxy-out;
keydir = "/var/lib/dkimproxy-out";
privkey = "${keydir}/private.key";
pubkey = "${keydir}/public.key";
in
{
##### interface
options = {
services.dkimproxy-out = {
enable = mkOption {
type = types.bool;
default = false;
description =
''
Whether to enable dkimproxy_out.
Note that a key will be auto-generated, and can be found in
${keydir}.
'';
};
listen = mkOption {
type = types.str;
example = "127.0.0.1:10027";
description = "Address:port DKIMproxy should listen on.";
};
relay = mkOption {
type = types.str;
example = "127.0.0.1:10028";
description = "Address:port DKIMproxy should forward mail to.";
};
domains = mkOption {
type = with types; listOf str;
example = [ "example.org" "example.com" ];
description = "List of domains DKIMproxy can sign for.";
};
selector = mkOption {
type = types.str;
example = "selector1";
description =
''
The selector to use for DKIM key identification.
For example, if 'selector1' is used here, then for each domain
'example.org' given in `domain`, 'selector1._domainkey.example.org'
should contain the TXT record indicating the public key is the one
in ${pubkey}: "v=DKIM1; t=s; p=[THE PUBLIC KEY]".
'';
};
keySize = mkOption {
type = types.int;
default = 2048;
description =
''
Size of the RSA key to use to sign outgoing emails. Note that the
maximum mandatorily verified as per RFC6376 is 2048.
'';
};
# TODO: allow signature for other schemes than dkim(c=relaxed/relaxed)?
# This being the scheme used by gmail, maybe nothing more is needed for
# reasonable use.
};
};
##### implementation
config = let
configfile = pkgs.writeText "dkimproxy_out.conf"
''
listen ${cfg.listen}
relay ${cfg.relay}
domain ${concatStringsSep "," cfg.domains}
selector ${cfg.selector}
signature dkim(c=relaxed/relaxed)
keyfile ${privkey}
'';
in
mkIf cfg.enable {
users.groups.dkimproxy-out = {};
users.users.dkimproxy-out = {
description = "DKIMproxy_out daemon";
group = "dkimproxy-out";
isSystemUser = true;
};
systemd.services.dkimproxy-out = {
description = "DKIMproxy_out";
wantedBy = [ "multi-user.target" ];
preStart = ''
if [ ! -d "${keydir}" ]; then
mkdir -p "${keydir}"
chmod 0700 "${keydir}"
${pkgs.openssl}/bin/openssl genrsa -out "${privkey}" ${toString cfg.keySize}
${pkgs.openssl}/bin/openssl rsa -in "${privkey}" -pubout -out "${pubkey}"
chown -R dkimproxy-out:dkimproxy-out "${keydir}"
fi
'';
script = ''
exec ${pkgs.dkimproxy}/bin/dkimproxy.out --conf_file=${configfile}
'';
serviceConfig = {
User = "dkimproxy-out";
PermissionsStartOnly = true;
};
};
};
}

View file

@ -15,20 +15,18 @@ let
haveVirtual = cfg.virtual != "";
clientAccess =
if (cfg.dnsBlacklistOverrides != "")
then [ "check_client_access hash:/etc/postfix/client_access" ]
else [];
optional (cfg.dnsBlacklistOverrides != "")
"check_client_access hash:/etc/postfix/client_access";
dnsBl =
if (cfg.dnsBlacklists != [])
then [ (concatStringsSep ", " (map (s: "reject_rbl_client " + s) cfg.dnsBlacklists)) ]
else [];
optionals (cfg.dnsBlacklists != [])
(map (s: "reject_rbl_client " + s) cfg.dnsBlacklists);
clientRestrictions = concatStringsSep ", " (clientAccess ++ dnsBl);
mainCf = let
escape = replaceStrings ["$"] ["$$"];
mkList = items: "\n " + concatStringsSep "\n " items;
mkList = items: "\n " + concatStringsSep ",\n " items;
mkVal = value:
if isList value then mkList value
else " " + (if value == true then "yes"
@ -36,72 +34,9 @@ let
else toString value);
mkEntry = name: value: "${escape name} =${mkVal value}";
in
concatStringsSep "\n" (mapAttrsToList mkEntry (recursiveUpdate defaultConf cfg.config))
concatStringsSep "\n" (mapAttrsToList mkEntry cfg.config)
+ "\n" + cfg.extraConfig;
defaultConf = {
compatibility_level = "9999";
mail_owner = user;
default_privs = "nobody";
# NixOS specific locations
data_directory = "/var/lib/postfix/data";
queue_directory = "/var/lib/postfix/queue";
# Default location of everything in package
meta_directory = "${pkgs.postfix}/etc/postfix";
command_directory = "${pkgs.postfix}/bin";
sample_directory = "/etc/postfix";
newaliases_path = "${pkgs.postfix}/bin/newaliases";
mailq_path = "${pkgs.postfix}/bin/mailq";
readme_directory = false;
sendmail_path = "${pkgs.postfix}/bin/sendmail";
daemon_directory = "${pkgs.postfix}/libexec/postfix";
manpage_directory = "${pkgs.postfix}/share/man";
html_directory = "${pkgs.postfix}/share/postfix/doc/html";
shlib_directory = false;
relayhost = if cfg.relayHost == "" then "" else
if cfg.lookupMX
then "${cfg.relayHost}:${toString cfg.relayPort}"
else "[${cfg.relayHost}]:${toString cfg.relayPort}";
mail_spool_directory = "/var/spool/mail/";
setgid_group = setgidGroup;
}
// optionalAttrs config.networking.enableIPv6 { inet_protocols = "all"; }
// optionalAttrs (cfg.networks != null) { mynetworks = cfg.networks; }
// optionalAttrs (cfg.networksStyle != "") { mynetworks_style = cfg.networksStyle; }
// optionalAttrs (cfg.hostname != "") { myhostname = cfg.hostname; }
// optionalAttrs (cfg.domain != "") { mydomain = cfg.domain; }
// optionalAttrs (cfg.origin != "") { myorigin = cfg.origin; }
// optionalAttrs (cfg.destination != null) { mydestination = cfg.destination; }
// optionalAttrs (cfg.relayDomains != null) { relay_domains = cfg.relayDomains; }
// optionalAttrs (cfg.recipientDelimiter != "") { recipient_delimiter = cfg.recipientDelimiter; }
// optionalAttrs haveAliases { alias_maps = "${cfg.aliasMapType}:/etc/postfix/aliases"; }
// optionalAttrs haveTransport { transport_maps = "hash:/etc/postfix/transport"; }
// optionalAttrs haveVirtual { virtual_alias_maps = "${cfg.virtualMapType}:/etc/postfix/virtual"; }
// optionalAttrs (cfg.dnsBlacklists != []) { smtpd_client_restrictions = clientRestrictions; }
// optionalAttrs cfg.useSrs {
sender_canonical_maps = "tcp:127.0.0.1:10001";
sender_canonical_classes = "envelope_sender";
recipient_canonical_maps = "tcp:127.0.0.1:10002";
recipient_canonical_classes= "envelope_recipient";
}
// optionalAttrs cfg.enableHeaderChecks { header_checks = "regexp:/etc/postfix/header_checks"; }
// optionalAttrs (cfg.sslCert != "") {
smtp_tls_CAfile = cfg.sslCACert;
smtp_tls_cert_file = cfg.sslCert;
smtp_tls_key_file = cfg.sslKey;
smtp_use_tls = true;
smtpd_tls_CAfile = cfg.sslCACert;
smtpd_tls_cert_file = cfg.sslCert;
smtpd_tls_key_file = cfg.sslKey;
smtpd_use_tls = true;
};
masterCfOptions = { options, config, name, ... }: {
options = {
name = mkOption {
@ -507,7 +442,6 @@ in
config = mkOption {
type = with types; attrsOf (either bool (either str (listOf str)));
default = defaultConf;
description = ''
The main.cf configuration file as key value set.
'';
@ -749,6 +683,67 @@ in
'';
};
services.postfix.config = (mapAttrs (_: v: mkDefault v) {
compatibility_level = "9999";
mail_owner = cfg.user;
default_privs = "nobody";
# NixOS specific locations
data_directory = "/var/lib/postfix/data";
queue_directory = "/var/lib/postfix/queue";
# Default location of everything in package
meta_directory = "${pkgs.postfix}/etc/postfix";
command_directory = "${pkgs.postfix}/bin";
sample_directory = "/etc/postfix";
newaliases_path = "${pkgs.postfix}/bin/newaliases";
mailq_path = "${pkgs.postfix}/bin/mailq";
readme_directory = false;
sendmail_path = "${pkgs.postfix}/bin/sendmail";
daemon_directory = "${pkgs.postfix}/libexec/postfix";
manpage_directory = "${pkgs.postfix}/share/man";
html_directory = "${pkgs.postfix}/share/postfix/doc/html";
shlib_directory = false;
mail_spool_directory = "/var/spool/mail/";
setgid_group = cfg.setgidGroup;
})
// optionalAttrs (cfg.relayHost != "") { relayhost = if cfg.lookupMX
then "${cfg.relayHost}:${toString cfg.relayPort}"
else "[${cfg.relayHost}]:${toString cfg.relayPort}"; }
// optionalAttrs config.networking.enableIPv6 { inet_protocols = mkDefault "all"; }
// optionalAttrs (cfg.networks != null) { mynetworks = cfg.networks; }
// optionalAttrs (cfg.networksStyle != "") { mynetworks_style = cfg.networksStyle; }
// optionalAttrs (cfg.hostname != "") { myhostname = cfg.hostname; }
// optionalAttrs (cfg.domain != "") { mydomain = cfg.domain; }
// optionalAttrs (cfg.origin != "") { myorigin = cfg.origin; }
// optionalAttrs (cfg.destination != null) { mydestination = cfg.destination; }
// optionalAttrs (cfg.relayDomains != null) { relay_domains = cfg.relayDomains; }
// optionalAttrs (cfg.recipientDelimiter != "") { recipient_delimiter = cfg.recipientDelimiter; }
// optionalAttrs haveAliases { alias_maps = [ "${cfg.aliasMapType}:/etc/postfix/aliases" ]; }
// optionalAttrs haveTransport { transport_maps = [ "hash:/etc/postfix/transport" ]; }
// optionalAttrs haveVirtual { virtual_alias_maps = [ "${cfg.virtualMapType}:/etc/postfix/virtual" ]; }
// optionalAttrs (cfg.dnsBlacklists != []) { smtpd_client_restrictions = clientRestrictions; }
// optionalAttrs cfg.useSrs {
sender_canonical_maps = [ "tcp:127.0.0.1:10001" ];
sender_canonical_classes = [ "envelope_sender" ];
recipient_canonical_maps = [ "tcp:127.0.0.1:10002" ];
recipient_canonical_classes = [ "envelope_recipient" ];
}
// optionalAttrs cfg.enableHeaderChecks { header_checks = [ "regexp:/etc/postfix/header_checks" ]; }
// optionalAttrs (cfg.sslCert != "") {
smtp_tls_CAfile = cfg.sslCACert;
smtp_tls_cert_file = cfg.sslCert;
smtp_tls_key_file = cfg.sslKey;
smtp_use_tls = true;
smtpd_tls_CAfile = cfg.sslCACert;
smtpd_tls_cert_file = cfg.sslCert;
smtpd_tls_key_file = cfg.sslKey;
smtpd_use_tls = true;
};
services.postfix.masterConfig = {
smtp_inet = {
name = "smtp";

View file

@ -31,6 +31,8 @@ let
${mkBindSockets cfg.bindUISocket}
.include "$CONFDIR/worker-controller.inc"
}
${cfg.extraConfig}
'';
in
@ -79,6 +81,15 @@ in
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra configuration to add at the end of the rspamd configuration
file.
'';
};
user = mkOption {
type = types.string;
default = "rspamd";

View file

@ -29,8 +29,12 @@ let
gitalyToml = pkgs.writeText "gitaly.toml" ''
socket_path = "${lib.escape ["\""] gitalySocket}"
bin_dir = "${cfg.packages.gitaly}/bin"
prometheus_listen_addr = "localhost:9236"
[git]
bin_path = "${pkgs.git}/bin/git"
[gitaly-ruby]
dir = "${cfg.packages.gitaly.ruby}"
@ -70,7 +74,7 @@ let
secret_key_base: ${cfg.secrets.secret}
otp_key_base: ${cfg.secrets.otp}
db_key_base: ${cfg.secrets.db}
jws_private_key: ${builtins.toJSON cfg.secrets.jws}
openid_connect_signing_key: ${builtins.toJSON cfg.secrets.jws}
'';
gitlabConfig = {
@ -104,6 +108,7 @@ let
ldap.enabled = false;
omniauth.enabled = false;
shared.path = "${cfg.statePath}/shared";
gitaly.client_path = "${cfg.packages.gitaly}/bin";
backup.path = "${cfg.backupPath}";
gitlab_shell = {
path = "${cfg.packages.gitlab-shell}";
@ -117,8 +122,6 @@ let
};
git = {
bin_path = "git";
max_size = 20971520; # 20MB
timeout = 10;
};
monitoring = {
ip_whitelist = [ "127.0.0.0/8" "::1/128" ];
@ -489,7 +492,9 @@ in {
after = [ "network.target" "gitlab.service" ];
wantedBy = [ "multi-user.target" ];
environment.HOME = gitlabEnv.HOME;
path = with pkgs; [ gitAndTools.git cfg.packages.gitaly.rubyEnv ];
environment.GEM_HOME = "${cfg.packages.gitaly.rubyEnv}/${ruby.gemPath}";
environment.GITLAB_SHELL_CONFIG_PATH = gitlabEnv.GITLAB_SHELL_CONFIG_PATH;
path = with pkgs; [ gitAndTools.git cfg.packages.gitaly.rubyEnv ruby ];
serviceConfig = {
#PermissionsStartOnly = true; # preStart must be run as root
Type = "simple";

View file

@ -0,0 +1,116 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.home-assistant;
configFile = pkgs.writeText "configuration.yaml" (builtins.toJSON cfg.config);
availableComponents = pkgs.home-assistant.availableComponents;
# Returns whether component is used in config
useComponent = component: hasAttrByPath (splitString "." component) cfg.config;
# List of components used in config
extraComponents = filter useComponent availableComponents;
package = if cfg.autoExtraComponents
then (cfg.package.override { inherit extraComponents; })
else cfg.package;
in {
meta.maintainers = with maintainers; [ dotlambda ];
options.services.home-assistant = {
enable = mkEnableOption "Home Assistant";
configDir = mkOption {
default = "/var/lib/hass";
type = types.path;
description = "The config directory, where your <filename>configuration.yaml</filename> is located.";
};
config = mkOption {
default = null;
type = with types; nullOr attrs;
example = literalExample ''
{
homeassistant = {
name = "Home";
time_zone = "UTC";
};
frontend = { };
http = { };
feedreader.urls = [ "https://nixos.org/blogs.xml" ];
}
'';
description = ''
Your <filename>configuration.yaml</filename> as a Nix attribute set.
Beware that setting this option will delete your previous <filename>configuration.yaml</filename>.
'';
};
package = mkOption {
default = pkgs.home-assistant;
defaultText = "pkgs.home-assistant";
type = types.package;
example = literalExample ''
pkgs.home-assistant.override {
extraPackages = ps: with ps; [ colorlog ];
}
'';
description = ''
Home Assistant package to use.
Override <literal>extraPackages</literal> in order to add additional dependencies.
'';
};
autoExtraComponents = mkOption {
default = true;
type = types.bool;
description = ''
If set to <literal>true</literal>, the components used in <literal>config</literal>
are set as the specified package's <literal>extraComponents</literal>.
This in turn adds all packaged dependencies to the derivation.
You might still see import errors in your log.
In this case, you will need to package the necessary dependencies yourself
or ask for someone else to package them.
If a dependency is packaged but not automatically added to this list,
you might need to specify it in <literal>extraPackages</literal>.
'';
};
};
config = mkIf cfg.enable {
systemd.services.home-assistant = {
description = "Home Assistant";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
preStart = lib.optionalString (cfg.config != null) ''
rm -f ${cfg.configDir}/configuration.yaml
ln -s ${configFile} ${cfg.configDir}/configuration.yaml
'';
serviceConfig = {
ExecStart = ''
${package}/bin/hass --config "${cfg.configDir}"
'';
User = "hass";
Group = "hass";
Restart = "on-failure";
ProtectSystem = "strict";
ReadWritePaths = "${cfg.configDir}";
PrivateTmp = true;
};
};
users.extraUsers.hass = {
home = cfg.configDir;
createHome = true;
group = "hass";
uid = config.ids.uids.hass;
};
users.extraGroups.hass.gid = config.ids.gids.hass;
};
}

View file

@ -578,6 +578,18 @@ in {
Extra config options for matrix-synapse.
'';
};
extraConfigFiles = mkOption {
type = types.listOf types.path;
default = [];
description = ''
Extra config files to include.
The configuration files will be included based on the command line
argument --config-path. This allows to configure secrets without
having to go through the Nix store, e.g. based on deployment keys if
NixOPS is in use.
'';
};
logConfig = mkOption {
type = types.lines;
default = readFile ./matrix-synapse-log_config.yaml;
@ -627,7 +639,11 @@ in {
Group = "matrix-synapse";
WorkingDirectory = cfg.dataDir;
PermissionsStartOnly = true;
ExecStart = "${cfg.package}/bin/homeserver --config-path ${configFile} --keys-directory ${cfg.dataDir}";
ExecStart = ''
${cfg.package}/bin/homeserver \
${ concatMapStringsSep "\n " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }
--keys-directory ${cfg.dataDir}
'';
Restart = "on-failure";
};
};

View file

@ -8,7 +8,7 @@ let
nix = cfg.package.out;
isNix112 = versionAtLeast (getVersion nix) "1.12pre";
isNix20 = versionAtLeast (getVersion nix) "2.0pre";
makeNixBuildUser = nr:
{ name = "nixbld${toString nr}";
@ -26,32 +26,40 @@ let
nixConf =
let
# If we're using sandbox for builds, then provide /bin/sh in
# the sandbox as a bind-mount to bash. This means we also need to
# include the entire closure of bash.
# In Nix < 2.0, If we're using sandbox for builds, then provide
# /bin/sh in the sandbox as a bind-mount to bash. This means we
# also need to include the entire closure of bash. Nix >= 2.0
# provides a /bin/sh by default.
sh = pkgs.stdenv.shell;
binshDeps = pkgs.writeReferencesToFile sh;
in
pkgs.runCommand "nix.conf" {extraOptions = cfg.extraOptions; } ''
extraPaths=$(for i in $(cat ${binshDeps}); do if test -d $i; then echo $i; fi; done)
pkgs.runCommand "nix.conf" { extraOptions = cfg.extraOptions; inherit binshDeps; } ''
${optionalString (!isNix20) ''
extraPaths=$(for i in $(cat binshDeps); do if test -d $i; then echo $i; fi; done)
''}
cat > $out <<END
# WARNING: this file is generated from the nix.* options in
# your NixOS configuration, typically
# /etc/nixos/configuration.nix. Do not edit it!
build-users-group = nixbld
build-max-jobs = ${toString (cfg.maxJobs)}
build-cores = ${toString (cfg.buildCores)}
build-use-sandbox = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox}
build-sandbox-paths = ${toString cfg.sandboxPaths} /bin/sh=${sh} $(echo $extraPaths)
binary-caches = ${toString cfg.binaryCaches}
trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys}
${if isNix20 then "max-jobs" else "build-max-jobs"} = ${toString (cfg.maxJobs)}
${if isNix20 then "cores" else "build-cores"} = ${toString (cfg.buildCores)}
${if isNix20 then "sandbox" else "build-use-sandbox"} = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox}
${if isNix20 then "extra-sandbox-paths" else "build-sandbox-paths"} = ${toString cfg.sandboxPaths} ${optionalString (!isNix20) "/bin/sh=${sh} $(echo $extraPaths)"}
${if isNix20 then "substituters" else "binary-caches"} = ${toString cfg.binaryCaches}
${if isNix20 then "trusted-substituters" else "trusted-binary-caches"} = ${toString cfg.trustedBinaryCaches}
${if isNix20 then "trusted-public-keys" else "binary-cache-public-keys"} = ${toString cfg.binaryCachePublicKeys}
auto-optimise-store = ${boolToString cfg.autoOptimiseStore}
${optionalString cfg.requireSignedBinaryCaches ''
signed-binary-caches = *
${if isNix20 then ''
require-sigs = ${if cfg.requireSignedBinaryCaches then "true" else "false"}
'' else ''
signed-binary-caches = ${if cfg.requireSignedBinaryCaches then "*" else ""}
''}
trusted-users = ${toString cfg.trustedUsers}
allowed-users = ${toString cfg.allowedUsers}
${optionalString (isNix20 && !cfg.distributedBuilds) ''
builders =
''}
$extraOptions
END
'';
@ -377,8 +385,9 @@ in
systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];
systemd.services.nix-daemon =
{ path = [ nix pkgs.openssl.bin pkgs.utillinux config.programs.ssh.package ]
++ optionals cfg.distributedBuilds [ pkgs.gzip ];
{ path = [ nix pkgs.utillinux ]
++ optionals cfg.distributedBuilds [ config.programs.ssh.package pkgs.gzip ]
++ optionals (!isNix20) [ pkgs.openssl.bin ];
environment = cfg.envVars
// { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; }
@ -396,10 +405,9 @@ in
};
nix.envVars =
{ NIX_CONF_DIR = "/etc/nix";
}
optionalAttrs (!isNix20) {
NIX_CONF_DIR = "/etc/nix";
// optionalAttrs (!isNix112) {
# Enable the copy-from-other-stores substituter, which allows
# builds to be sped up by copying build results from remote
# Nix stores. To do this, mount the remote file system on a
@ -407,12 +415,8 @@ in
NIX_OTHER_STORES = "/run/nix/remote-stores/*/nix";
}
// optionalAttrs cfg.distributedBuilds {
NIX_BUILD_HOOK =
if isNix112 then
"${nix}/libexec/nix/build-remote"
else
"${nix}/libexec/nix/build-remote.pl";
// optionalAttrs (cfg.distributedBuilds && !isNix20) {
NIX_BUILD_HOOK = "${nix}/libexec/nix/build-remote.pl";
};
# Set up the environment variables for running Nix.
@ -420,7 +424,7 @@ in
{ NIX_PATH = concatStringsSep ":" cfg.nixPath;
};
environment.extraInit =
environment.extraInit = optionalString (!isNix20)
''
# Set up secure multi-user builds: non-root users build through the
# Nix daemon.

View file

@ -5,18 +5,25 @@ with lib;
let
cfg = config.services.netdata;
configFile = pkgs.writeText "netdata.conf" cfg.configText;
wrappedPlugins = pkgs.runCommand "wrapped-plugins" {} ''
mkdir -p $out/libexec/netdata/plugins.d
ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin
'';
localConfig = {
global = {
"plugins directory" = "${wrappedPlugins}/libexec/netdata/plugins.d ${pkgs.netdata}/libexec/netdata/plugins.d";
};
};
mkConfig = generators.toINI {} (recursiveUpdate localConfig cfg.config);
configFile = pkgs.writeText "netdata.conf" (if cfg.configText != null then cfg.configText else mkConfig);
defaultUser = "netdata";
in {
options = {
services.netdata = {
enable = mkOption {
default = false;
type = types.bool;
description = "Whether to enable netdata monitoring.";
};
enable = mkEnableOption "netdata";
user = mkOption {
type = types.str;
@ -31,9 +38,9 @@ in {
};
configText = mkOption {
type = types.lines;
default = "";
description = "netdata.conf configuration.";
type = types.nullOr types.lines;
description = "Verbatim netdata.conf, cannot be combined with config.";
default = null;
example = ''
[global]
debug log = syslog
@ -42,11 +49,29 @@ in {
'';
};
config = mkOption {
type = types.attrsOf types.attrs;
default = {};
description = "netdata.conf configuration as nix attributes. cannot be combined with configText.";
example = literalExample ''
global = {
"debug log" = "syslog";
"access log" = "syslog";
"error log" = "syslog";
};
'';
};
};
};
};
config = mkIf cfg.enable {
assertions =
[ { assertion = cfg.config != {} -> cfg.configText == null ;
message = "Cannot specify both config and configText";
}
];
systemd.services.netdata = {
path = with pkgs; [ gawk curl ];
description = "Real time performance monitoring";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
@ -66,6 +91,15 @@ in {
};
};
security.wrappers."apps.plugin" = {
source = "${pkgs.netdata}/libexec/netdata/plugins.d/apps.plugin";
capabilities = "cap_dac_read_search,cap_sys_ptrace+ep";
owner = cfg.user;
group = cfg.group;
permissions = "u+rx,g+rx,o-rwx";
};
users.extraUsers = optional (cfg.user == defaultUser) {
name = defaultUser;
};

View file

@ -0,0 +1,343 @@
{ config, lib, pkgs, ...} :
with lib;
let
cfg = config.services.beegfs;
# functions for the generations of config files
configMgmtd = name: cfg: pkgs.writeText "mgmt-${name}.conf" ''
storeMgmtdDirectory = ${cfg.mgmtd.storeDir}
storeAllowFirstRunInit = false
connAuthFile = ${cfg.connAuthFile}
connPortShift = ${toString cfg.connPortShift}
${cfg.mgmtd.extraConfig}
'';
configAdmon = name: cfg: pkgs.writeText "admon-${name}.conf" ''
sysMgmtdHost = ${cfg.mgmtdHost}
connAuthFile = ${cfg.connAuthFile}
connPortShift = ${toString cfg.connPortShift}
${cfg.admon.extraConfig}
'';
configMeta = name: cfg: pkgs.writeText "meta-${name}.conf" ''
storeMetaDirectory = ${cfg.meta.storeDir}
sysMgmtdHost = ${cfg.mgmtdHost}
connAuthFile = ${cfg.connAuthFile}
connPortShift = ${toString cfg.connPortShift}
storeAllowFirstRunInit = false
${cfg.mgmtd.extraConfig}
'';
configStorage = name: cfg: pkgs.writeText "storage-${name}.conf" ''
storeStorageDirectory = ${cfg.storage.storeDir}
sysMgmtdHost = ${cfg.mgmtdHost}
connAuthFile = ${cfg.connAuthFile}
connPortShift = ${toString cfg.connPortShift}
storeAllowFirstRunInit = false
${cfg.storage.extraConfig}
'';
configHelperd = name: cfg: pkgs.writeText "helperd-${name}.conf" ''
connAuthFile = ${cfg.connAuthFile}
${cfg.helperd.extraConfig}
'';
configClientFilename = name : "/etc/beegfs/client-${name}.conf";
configClient = name: cfg: ''
sysMgmtdHost = ${cfg.mgmtdHost}
connAuthFile = ${cfg.connAuthFile}
connPortShift = ${toString cfg.connPortShift}
${cfg.client.extraConfig}
'';
serviceList = [
{ service = "admon"; cfgFile = configAdmon; }
{ service = "meta"; cfgFile = configMeta; }
{ service = "mgmtd"; cfgFile = configMgmtd; }
{ service = "storage"; cfgFile = configStorage; }
];
# functions to generate systemd.service entries
systemdEntry = service: cfgFile: (mapAttrs' ( name: cfg:
(nameValuePair "beegfs-${service}-${name}" (mkIf cfg."${service}".enable {
wantedBy = [ "multi-user.target" ];
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
serviceConfig = rec {
ExecStart = ''
${pkgs.beegfs}/bin/beegfs-${service} \
cfgFile=${cfgFile name cfg} \
pidFile=${PIDFile}
'';
PIDFile = "/run/beegfs-${service}-${name}.pid";
TimeoutStopSec = "300";
};
}))) cfg);
systemdHelperd = mapAttrs' ( name: cfg:
(nameValuePair "beegfs-helperd-${name}" (mkIf cfg.client.enable {
wantedBy = [ "multi-user.target" ];
requires = [ "network-online.target" ];
after = [ "network-online.target" ];
serviceConfig = rec {
ExecStart = ''
${pkgs.beegfs}/bin/beegfs-helperd \
cfgFile=${configHelperd name cfg} \
pidFile=${PIDFile}
'';
PIDFile = "/run/beegfs-helperd-${name}.pid";
TimeoutStopSec = "300";
};
}))) cfg;
# wrappers to beegfs tools. Avoid typing path of config files
utilWrappers = mapAttrsToList ( name: cfg:
( pkgs.runCommand "beegfs-utils-${name}" { nativeBuildInputs = [ pkgs.makeWrapper ]; } ''
mkdir -p $out/bin
makeWrapper ${pkgs.beegfs}/bin/beegfs-check-servers \
$out/bin/beegfs-check-servers-${name} \
--add-flags "-c ${configClientFilename name}" \
--prefix PATH : ${lib.makeBinPath [ pkgs.beegfs ]}
makeWrapper ${pkgs.beegfs}/bin/beegfs-ctl \
$out/bin/beegfs-ctl-${name} \
--add-flags "--cfgFile=${configClientFilename name}"
makeWrapper ${pkgs.beegfs}/bin/beegfs-ctl \
$out/bin/beegfs-df-${name} \
--add-flags "--cfgFile=${configClientFilename name}" \
--add-flags --listtargets \
--add-flags --hidenodeid \
--add-flags --pools \
--add-flags --spaceinfo
makeWrapper ${pkgs.beegfs}/bin/beegfs-fsck \
$out/bin/beegfs-fsck-${name} \
--add-flags "--cfgFile=${configClientFilename name}"
''
)) cfg;
in
{
###### interface
options = {
services.beegfsEnable = mkEnableOption "BeeGFS";
services.beegfs = mkOption {
default = {};
description = ''
BeeGFS configurations. Every mount point requires a separate configuration.
'';
type = with types; attrsOf (submodule ({ config, ... } : {
options = {
mgmtdHost = mkOption {
type = types.str;
default = null;
example = "master";
description = ''Hostname of managament host.'';
};
connAuthFile = mkOption {
type = types.str;
default = "";
example = "/etc/my.key";
description = "File containing shared secret authentication.";
};
connPortShift = mkOption {
type = types.int;
default = 0;
example = 5;
description = ''
For each additional beegfs configuration shift all
service TCP/UDP ports by at least 5.
'';
};
client = {
enable = mkEnableOption "BeeGFS client";
mount = mkOption {
type = types.bool;
default = true;
description = "Create fstab entry automatically";
};
mountPoint = mkOption {
type = types.str;
default = "/run/beegfs";
description = ''
Mount point under which the beegfs filesytem should be mounted.
If mounted manually the mount option specifing the config file is needed:
cfgFile=/etc/beegfs/beegfs-client-&lt;name&gt;.conf
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Additional lines for beegfs-client.conf.
See documentation for further details.
'';
};
};
helperd = {
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Additional lines for beegfs-helperd.conf. See documentation
for further details.
'';
};
};
mgmtd = {
enable = mkEnableOption "BeeGFS mgmtd daemon";
storeDir = mkOption {
type = types.path;
default = null;
example = "/data/beegfs-mgmtd";
description = ''
Data directory for mgmtd.
Must not be shared with other beegfs daemons.
This directory must exist and it must be initialized
with beegfs-setup-mgmtd, e.g. "beegfs-setup-mgmtd -C -p &lt;storeDir&gt;"
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Additional lines for beegfs-mgmtd.conf. See documentation
for further details.
'';
};
};
admon = {
enable = mkEnableOption "BeeGFS admon daemon";
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Additional lines for beegfs-admon.conf. See documentation
for further details.
'';
};
};
meta = {
enable = mkEnableOption "BeeGFS meta data daemon";
storeDir = mkOption {
type = types.path;
default = null;
example = "/data/beegfs-meta";
description = ''
Data directory for meta data service.
Must not be shared with other beegfs daemons.
The underlying filesystem must be mounted with xattr turned on.
This directory must exist and it must be initialized
with beegfs-setup-meta, e.g.
"beegfs-setup-meta -C -s &lt;serviceID&gt; -p &lt;storeDir&gt;"
'';
};
extraConfig = mkOption {
type = types.str;
default = "";
description = ''
Additional lines for beegfs-meta.conf. See documentation
for further details.
'';
};
};
storage = {
enable = mkEnableOption "BeeGFS storage daemon";
storeDir = mkOption {
type = types.path;
default = null;
example = "/data/beegfs-storage";
description = ''
Data directories for storage service.
Must not be shared with other beegfs daemons.
The underlying filesystem must be mounted with xattr turned on.
This directory must exist and it must be initialized
with beegfs-setup-storage, e.g.
"beegfs-setup-storage -C -s &lt;serviceID&gt; -i &lt;storageTargetID&gt; -p &lt;storeDir&gt;"
'';
};
extraConfig = mkOption {
type = types.str;
default = "";
description = ''
Addional lines for beegfs-storage.conf. See documentation
for further details.
'';
};
};
};
}));
};
};
###### implementation
config =
mkIf config.services.beegfsEnable {
environment.systemPackages = utilWrappers;
# Put the client.conf files in /etc since they are needed
# by the commandline tools
environment.etc = mapAttrs' ( name: cfg:
(nameValuePair "beegfs/client-${name}.conf" (mkIf (cfg.client.enable)
{
enable = true;
text = configClient name cfg;
}))) cfg;
# Kernel module, we need it only once per host.
boot = mkIf (
foldr (a: b: a || b) false
(map (x: x.client.enable) (collect (x: x ? client) cfg)))
{
kernelModules = [ "beegfs" ];
extraModulePackages = [ pkgs.linuxPackages.beegfs-module ];
};
# generate fstab entries
fileSystems = mapAttrs' (name: cfg:
(nameValuePair cfg.client.mountPoint (optionalAttrs cfg.client.mount (mkIf cfg.client.enable {
device = "beegfs_nodev";
fsType = "beegfs";
mountPoint = cfg.client.mountPoint;
options = [ "cfgFile=${configClientFilename name}" "_netdev" ];
})))) cfg;
# generate systemd services
systemd.services = systemdHelperd //
foldr (a: b: a // b) {}
(map (x: systemdEntry x.service x.cfgFile) serviceList);
};
}

View file

@ -54,10 +54,12 @@ let
};
serviceConfig = {
ExecStart = "${samba}/sbin/${appName} ${args}";
ExecStart = "${samba}/sbin/${appName} --foreground --no-process-group ${args}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
LimitNOFILE = 16384;
PIDFile = "/run/${appName}.pid";
Type = "notify";
NotifyAccess = "all"; #may not do anything...
};
restartTriggers = [ configFile ];
@ -231,11 +233,12 @@ in
after = [ "samba-setup.service" "network.target" ];
wantedBy = [ "multi-user.target" ];
};
# Refer to https://github.com/samba-team/samba/tree/master/packaging/systemd
# for correct use with systemd
services = {
"samba-smbd" = daemonService "smbd" "-F";
"samba-nmbd" = mkIf cfg.enableNmbd (daemonService "nmbd" "-F");
"samba-winbindd" = mkIf cfg.enableWinbindd (daemonService "winbindd" "-F");
"samba-smbd" = daemonService "smbd" "";
"samba-nmbd" = mkIf cfg.enableNmbd (daemonService "nmbd" "");
"samba-winbindd" = mkIf cfg.enableWinbindd (daemonService "winbindd" "");
"samba-setup" = {
description = "Samba Setup Task";
script = setupScript;

View file

@ -10,9 +10,9 @@ let
settingsDir = "${homeDir}";
sessionFile = "${homeDir}/aria2.session";
downloadDir = "${homeDir}/Downloads";
rangesToStringList = map (x: builtins.toString x.from +"-"+ builtins.toString x.to);
settingsFile = pkgs.writeText "aria2.conf"
''
dir=${cfg.downloadDir}
@ -110,12 +110,12 @@ in
mkdir -m 0770 -p "${homeDir}"
chown aria2:aria2 "${homeDir}"
if [[ ! -d "${config.services.aria2.downloadDir}" ]]
then
then
mkdir -m 0770 -p "${config.services.aria2.downloadDir}"
chown aria2:aria2 "${config.services.aria2.downloadDir}"
fi
if [[ ! -e "${sessionFile}" ]]
then
then
touch "${sessionFile}"
chown aria2:aria2 "${sessionFile}"
fi
@ -132,4 +132,4 @@ in
};
};
};
}
}

View file

@ -10,7 +10,7 @@ let
# This is somewhat more flexible than preloading the key as an
# embedded string.
upstreamResolverListPubKey = pkgs.fetchurl {
url = https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/minisign.pub;
url = https://raw.githubusercontent.com/dyne/dnscrypt-proxy/master/minisign.pub;
sha256 = "18lnp8qr6ghfc2sd46nn1rhcpr324fqlvgsp4zaigw396cd7vnnh";
};
@ -258,9 +258,9 @@ in
domain=raw.githubusercontent.com
get="curl -fSs --resolve $domain:443:$(hostip -r 8.8.8.8 $domain | head -1)"
$get -o dnscrypt-resolvers.csv.tmp \
https://$domain/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv
https://$domain/dyne/dnscrypt-proxy/master/dnscrypt-resolvers.csv
$get -o dnscrypt-resolvers.csv.minisig.tmp \
https://$domain/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv.minisig
https://$domain/dyne/dnscrypt-proxy/master/dnscrypt-resolvers.csv.minisig
mv dnscrypt-resolvers.csv.minisig{.tmp,}
if ! minisign -q -V -p ${upstreamResolverListPubKey} \
-m dnscrypt-resolvers.csv.tmp -x dnscrypt-resolvers.csv.minisig ; then

View file

@ -145,6 +145,16 @@ in {
};
users.groups.dnscrypt-wrapper = { };
security.polkit.extraConfig = ''
// Allow dnscrypt-wrapper user to restart dnscrypt-wrapper.service
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "dnscrypt-wrapper.service" &&
subject.user == "dnscrypt-wrapper") {
return polkit.Result.YES;
}
});
'';
systemd.services.dnscrypt-wrapper = {
description = "dnscrypt-wrapper daemon";

View file

@ -43,7 +43,7 @@ in
type = with types; listOf str;
default = [ "::1" "127.0.0.1" ];
description = ''
What addresses the server should listen on.
What addresses the server should listen on. (UDP+TCP 53)
'';
};
# TODO: perhaps options for more common stuff like cache size or forwarding
@ -72,6 +72,7 @@ in
(iface: if elem ":" (stringToCharacters iface) then "[${iface}]:53" else "${iface}:53")
cfg.interfaces;
socketConfig.ListenDatagram = listenStreams;
socketConfig.FreeBind = true;
};
systemd.sockets.kresd-control = rec {
@ -82,20 +83,11 @@ in
socketConfig = {
FileDescriptorName = "control";
Service = "kresd.service";
SocketMode = "0660"; # only root user/group may connect
SocketMode = "0660"; # only root user/group may connect and control kresd
};
};
# Create the cacheDir; tmpfiles don't work on nixos-rebuild switch.
systemd.services.kresd-cachedir = {
serviceConfig.Type = "oneshot";
script = ''
if [ ! -d '${cfg.cacheDir}' ]; then
mkdir -p '${cfg.cacheDir}'
chown kresd:kresd '${cfg.cacheDir}'
fi
'';
};
systemd.tmpfiles.rules = [ "d '${cfg.cacheDir}' 0770 kresd kresd - -" ];
systemd.services.kresd = {
description = "Knot-resolver daemon";
@ -104,16 +96,15 @@ in
User = "kresd";
Type = "notify";
WorkingDirectory = cfg.cacheDir;
Restart = "on-failure";
};
# Trust anchor goes from dns-root-data by default.
script = ''
exec '${package}/bin/kresd' --config '${configFile}' \
-k '${cfg.cacheDir}/root.key'
exec '${package}/bin/kresd' --config '${configFile}' --forks=1
'';
after = [ "kresd-cachedir.service" ];
requires = [ "kresd.socket" "kresd-cachedir.service" ];
wantedBy = [ "sockets.target" ];
requires = [ "kresd.socket" ];
};
};
}

View file

@ -24,6 +24,7 @@ in
description = "lldpd user";
group = "_lldpd";
home = "/var/run/lldpd";
isSystemUser = true;
};
users.extraGroups._lldpd = {};

View file

@ -12,6 +12,10 @@ let
keyfile ${cfg.ssl.keyfile}
'';
passwordConf = optionalString cfg.checkPasswords ''
password_file ${cfg.dataDir}/passwd
'';
mosquittoConf = pkgs.writeText "mosquitto.conf" ''
pid_file /run/mosquitto/pid
acl_file ${aclFile}
@ -19,6 +23,7 @@ let
allow_anonymous ${boolToString cfg.allowAnonymous}
bind_address ${cfg.host}
port ${toString cfg.port}
${passwordConf}
${listenerConf}
${cfg.extraConf}
'';
@ -153,6 +158,15 @@ in
'';
};
checkPasswords = mkOption {
default = false;
example = true;
type = types.bool;
description = ''
Refuse connection when clients provide incorrect passwords.
'';
};
extraConf = mkOption {
default = "";
type = types.lines;

View file

@ -19,6 +19,8 @@ let
iptables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true
iptables -w -t nat -F nixos-nat-post 2>/dev/null || true
iptables -w -t nat -X nixos-nat-post 2>/dev/null || true
${cfg.extraStopCommands}
'';
setupNat = ''
@ -59,6 +61,8 @@ let
--to-destination ${cfg.dmzHost}
''}
${cfg.extraCommands}
# Append our chains to the nat tables
iptables -w -t nat -A PREROUTING -j nixos-nat-pre
iptables -w -t nat -A POSTROUTING -j nixos-nat-post
@ -170,6 +174,28 @@ in
'';
};
networking.nat.extraCommands = mkOption {
type = types.lines;
default = "";
example = "iptables -A INPUT -p icmp -j ACCEPT";
description =
''
Additional shell commands executed as part of the nat
initialisation script.
'';
};
networking.nat.extraStopCommands = mkOption {
type = types.lines;
default = "";
example = "iptables -D INPUT -p icmp -j ACCEPT || true";
description =
''
Additional shell commands executed as part of the nat
teardown script.
'';
};
};

View file

@ -11,6 +11,8 @@ let
# build nsd with the options needed for the given config
nsdPkg = pkgs.nsd.override {
configFile = "${configFile}/nsd.conf";
bind8Stats = cfg.bind8Stats;
ipv6 = cfg.ipv6;
ratelimit = cfg.ratelimit.enable;
@ -788,6 +790,8 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ nsdPkg ];
users.extraGroups = singleton {
name = username;
gid = config.ids.gids.nsd;
@ -845,4 +849,6 @@ in
};
};
meta.maintainers = with lib.maintainers; [ hrdinka ];
}

View file

@ -50,6 +50,11 @@ let
"up ${pkgs.writeScript "openvpn-${name}-up" upScript}"}
${optionalString (cfg.down != "" || cfg.updateResolvConf)
"down ${pkgs.writeScript "openvpn-${name}-down" downScript}"}
${optionalString (cfg.authUserPass != null)
"auth-user-pass ${pkgs.writeText "openvpn-credentials-${name}" ''
${cfg.authUserPass.username}
${cfg.authUserPass.password}
''}"}
'';
in {
@ -161,6 +166,29 @@ in
'';
};
authUserPass = mkOption {
default = null;
description = ''
This option can be used to store the username / password credentials
with the "auth-user-pass" authentication method.
WARNING: Using this option will put the credentials WORLD-READABLE in the Nix store!
'';
type = types.nullOr (types.submodule {
options = {
username = mkOption {
description = "The username to store inside the credentials file.";
type = types.string;
};
password = mkOption {
description = "The password to store inside the credentials file.";
type = types.string;
};
};
});
};
};
});

View file

@ -17,7 +17,7 @@ let
search_lan = entry.searchLAN;
use_sync_trash = entry.useSyncTrash;
known_hosts = knownHosts;
known_hosts = entry.knownHosts;
}) cfg.sharedFolders;
configFile = pkgs.writeText "config.json" (builtins.toJSON ({

View file

@ -21,7 +21,7 @@ let
daemon reads in addition to the the user's authorized_keys file.
You can combine the <literal>keys</literal> and
<literal>keyFiles</literal> options.
Warning: If you are using <literal>NixOps</literal> then don't use this
Warning: If you are using <literal>NixOps</literal> then don't use this
option since it will replace the key required for deployment via ssh.
'';
};
@ -137,6 +137,14 @@ in
'';
};
openFirewall = mkOption {
type = types.bool;
default = true;
description = ''
Whether to automatically open the specified ports in the firewall.
'';
};
listenAddresses = mkOption {
type = with types; listOf (submodule {
options = {
@ -302,7 +310,7 @@ in
};
networking.firewall.allowedTCPPorts = cfg.ports;
networking.firewall.allowedTCPPorts = if cfg.openFirewall then cfg.ports else [];
security.pam.services.sshd =
{ startSession = true;

View file

@ -0,0 +1,221 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.stunnel;
yesNo = val: if val then "yes" else "no";
verifyChainPathAssert = n: c: {
assertion = c.verifyHostname == null || (c.verifyChain || c.verifyPeer);
message = "stunnel: \"${n}\" client configuration - hostname verification " +
"is not possible without either verifyChain or verifyPeer enabled";
};
serverConfig = {
options = {
accept = mkOption {
type = types.int;
description = "On which port stunnel should listen for incoming TLS connections.";
};
connect = mkOption {
type = types.int;
description = "To which port the decrypted connection should be forwarded.";
};
cert = mkOption {
type = types.path;
description = "File containing both the private and public keys.";
};
};
};
clientConfig = {
options = {
accept = mkOption {
type = types.string;
description = "IP:Port on which connections should be accepted.";
};
connect = mkOption {
type = types.string;
description = "IP:Port destination to connect to.";
};
verifyChain = mkOption {
type = types.bool;
default = true;
description = "Check if the provided certificate has a valid certificate chain (against CAPath).";
};
verifyPeer = mkOption {
type = types.bool;
default = false;
description = "Check if the provided certificate is contained in CAPath.";
};
CAPath = mkOption {
type = types.path;
default = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
description = "Path to a file containing certificates to validate against.";
};
verifyHostname = mkOption {
type = with types; nullOr string;
default = null;
description = "If set, stunnel checks if the provided certificate is valid for the given hostname.";
};
};
};
in
{
###### interface
options = {
services.stunnel = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable the stunnel TLS tunneling service.";
};
user = mkOption {
type = with types; nullOr string;
default = "nobody";
description = "The user under which stunnel runs.";
};
group = mkOption {
type = with types; nullOr string;
default = "nogroup";
description = "The group under which stunnel runs.";
};
logLevel = mkOption {
type = types.enum [ "emerg" "alert" "crit" "err" "warning" "notice" "info" "debug" ];
default = "info";
description = "Verbosity of stunnel output.";
};
fipsMode = mkOption {
type = types.bool;
default = false;
description = "Enable FIPS 140-2 mode required for compliance.";
};
enableInsecureSSLv3 = mkOption {
type = types.bool;
default = false;
description = "Enable support for the insecure SSLv3 protocol.";
};
servers = mkOption {
description = "Define the server configuations.";
type = with types; attrsOf (submodule serverConfig);
example = {
fancyWebserver = {
enable = true;
accept = 443;
connect = 8080;
cert = "/path/to/pem/file";
};
};
default = { };
};
clients = mkOption {
description = "Define the client configurations.";
type = with types; attrsOf (submodule clientConfig);
example = {
foobar = {
accept = "0.0.0.0:8080";
connect = "nixos.org:443";
verifyChain = false;
};
};
default = { };
};
};
};
###### implementation
config = mkIf cfg.enable {
assertions = concatLists [
(singleton {
assertion = (length (attrValues cfg.servers) != 0) || ((length (attrValues cfg.clients)) != 0);
message = "stunnel: At least one server- or client-configuration has to be present.";
})
(mapAttrsToList verifyChainPathAssert cfg.clients)
];
environment.systemPackages = [ pkgs.stunnel ];
environment.etc."stunnel.cfg".text = ''
${ if cfg.user != null then "setuid = ${cfg.user}" else "" }
${ if cfg.group != null then "setgid = ${cfg.group}" else "" }
debug = ${cfg.logLevel}
${ optionalString cfg.fipsMode "fips = yes" }
${ optionalString cfg.enableInsecureSSLv3 "options = -NO_SSLv3" }
; ----- SERVER CONFIGURATIONS -----
${ lib.concatStringsSep "\n"
(lib.mapAttrsToList
(n: v: ''
[${n}]
accept = ${toString v.accept}
connect = ${toString v.connect}
cert = ${v.cert}
'')
cfg.servers)
}
; ----- CLIENT CONFIGURATIONS -----
${ lib.concatStringsSep "\n"
(lib.mapAttrsToList
(n: v: ''
[${n}]
client = yes
accept = ${v.accept}
connect = ${v.connect}
verifyChain = ${yesNo v.verifyChain}
verifyPeer = ${yesNo v.verifyPeer}
${optionalString (v.CAPath != null) "CApath = ${v.CAPath}"}
${optionalString (v.verifyHostname != null) "checkHost = ${v.verifyHostname}"}
OCSPaia = yes
'')
cfg.clients)
}
'';
systemd.services.stunnel = {
description = "stunnel TLS tunneling service";
after = [ "network.target" ];
wants = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."stunnel.cfg".source ];
serviceConfig = {
ExecStart = "${pkgs.stunnel}/bin/stunnel ${config.environment.etc."stunnel.cfg".source}";
Type = "forking";
};
};
};
}

View file

@ -90,16 +90,24 @@ in
[ (allowdeny "allow" (cfg.allow))
(allowdeny "deny" cfg.deny)
# see man 5 fcron.conf
{ source = pkgs.writeText "fcron.conf" ''
fcrontabs = /var/spool/fcron
pidfile = /var/run/fcron.pid
fifofile = /var/run/fcron.fifo
fcronallow = /etc/fcron.allow
fcrondeny = /etc/fcron.deny
shell = /bin/sh
sendmail = /run/wrappers/bin/sendmail
editor = ${pkgs.vim}/bin/vim
'';
{ source =
let
isSendmailWrapped =
lib.hasAttr "sendmail" config.security.wrappers;
sendmailPath =
if isSendmailWrapped then "/run/wrappers/bin/sendmail"
else "${config.system.path}/bin/sendmail";
in
pkgs.writeText "fcron.conf" ''
fcrontabs = /var/spool/fcron
pidfile = /var/run/fcron.pid
fifofile = /var/run/fcron.fifo
fcronallow = /etc/fcron.allow
fcrondeny = /etc/fcron.deny
shell = /bin/sh
sendmail = ${sendmailPath}
editor = ${pkgs.vim}/bin/vim
'';
target = "fcron.conf";
gid = config.ids.gids.fcron;
mode = "0644";

View file

@ -6,6 +6,7 @@ let
cfg = config.services.elasticsearch;
es5 = builtins.compareVersions (builtins.parseDrvName cfg.package.name).version "5" >= 0;
es6 = builtins.compareVersions (builtins.parseDrvName cfg.package.name).version "6" >= 0;
esConfig = ''
network.host: ${cfg.listenAddress}
@ -92,8 +93,6 @@ in {
node.name: "elasticsearch"
node.master: true
node.data: false
index.number_of_shards: 5
index.number_of_replicas: 1
'';
};
@ -165,7 +164,10 @@ in {
path = [ pkgs.inetutils ];
environment = {
ES_HOME = cfg.dataDir;
ES_JAVA_OPTS = toString ([ "-Des.path.conf=${configDir}" ] ++ cfg.extraJavaOptions);
ES_JAVA_OPTS = toString ( optional (!es6) [ "-Des.path.conf=${configDir}" ]
++ cfg.extraJavaOptions);
} // optionalAttrs es6 {
ES_PATH_CONF = configDir;
};
serviceConfig = {
ExecStart = "${cfg.package}/bin/elasticsearch ${toString cfg.extraCmdLineOptions}";

View file

@ -97,8 +97,8 @@ in
systemd.services.clamav-daemon = optionalAttrs cfg.daemon.enable {
description = "ClamAV daemon (clamd)";
after = mkIf cfg.updater.enable [ "clamav-freshclam.service" ];
requires = mkIf cfg.updater.enable [ "clamav-freshclam.service" ];
after = optional cfg.updater.enable "clamav-freshclam.service";
requires = optional cfg.updater.enable "clamav-freshclam.service";
wantedBy = [ "multi-user.target" ];
restartTriggers = [ clamdConfigFile ];

View file

@ -56,7 +56,7 @@ in {
};
rules = mkOption {
type = types.nullOr types.str;
type = types.nullOr types.lines;
default = null;
example = ''
allow with-interface equals { 08:*:* }

View file

@ -99,8 +99,8 @@ let
user = mkOption {
type = types.str;
default = "nginx";
example = "nginx";
default = "tt_rss";
example = "tt_rss";
description = ''
User account under which both the update daemon and the web-application run.
'';
@ -466,26 +466,28 @@ let
'';
};
services.nginx.virtualHosts = mkIf (cfg.virtualHost != null) {
"${cfg.virtualHost}" = {
root = "${cfg.root}";
services.nginx = {
enable = true;
# NOTE: No configuration is done if not using virtual host
virtualHosts = mkIf (cfg.virtualHost != null) {
"${cfg.virtualHost}" = {
root = "${cfg.root}";
locations."/" = {
index = "index.php";
};
locations."/" = {
index = "index.php";
};
locations."~ \.php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${phpfpmSocketName};
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME ${cfg.root}/$fastcgi_script_name;
'';
locations."~ \.php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${phpfpmSocketName};
fastcgi_index index.php;
'';
};
};
};
};
systemd.services.tt-rss = let
dbService = if cfg.database.type == "pgsql" then "postgresql.service" else "mysql.service";
in {
@ -496,7 +498,7 @@ let
callSql = e:
if cfg.database.type == "pgsql" then ''
${optionalString (cfg.database.password != null) "PGPASSWORD=${cfg.database.password}"} \
${pkgs.postgresql95}/bin/psql \
${pkgs.sudo}/bin/sudo -u ${cfg.user} ${config.services.postgresql.package}/bin/psql \
-U ${cfg.database.user} \
${optionalString (cfg.database.host != null) "-h ${cfg.database.host} --port ${toString dbPort}"} \
-c '${e}' \
@ -521,6 +523,14 @@ let
''
+ (optionalString (cfg.database.type == "pgsql") ''
${optionalString (cfg.database.host == null && cfg.database.password == null) ''
if ! [ -e ${cfg.root}/.db-created ]; then
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createuser ${cfg.database.user}
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createdb -O ${cfg.database.user} ${cfg.database.name}
touch ${cfg.root}/.db-created
fi
''}
exists=$(${callSql "select count(*) > 0 from pg_tables where tableowner = user"} \
| tail -n+3 | head -n-2 | sed -e 's/[ \n\t]*//')
@ -554,5 +564,28 @@ let
requires = ["${dbService}"];
after = ["network.target" "${dbService}"];
};
services.mysql = optionalAttrs (cfg.database.type == "mysql") {
enable = true;
package = mkDefault pkgs.mysql;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{
name = cfg.user;
ensurePermissions = {
"${cfg.database.name}.*" = "ALL PRIVILEGES";
};
}
];
};
services.postgresql = optionalAttrs (cfg.database.type == "pgsql") {
enable = mkDefault true;
};
users = optionalAttrs (cfg.user == "tt_rss") {
extraUsers.tt_rss.group = "tt_rss";
extraGroups.tt_rss = {};
};
};
}

View file

@ -0,0 +1,132 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.mighttpd2;
configFile = pkgs.writeText "mighty-config" cfg.config;
routingFile = pkgs.writeText "mighty-routing" cfg.routing;
in {
options.services.mighttpd2 = {
enable = mkEnableOption "Mighttpd2 web server";
config = mkOption {
default = "";
example = ''
# Example configuration for Mighttpd 2
Port: 80
# IP address or "*"
Host: *
Debug_Mode: Yes # Yes or No
# If available, "nobody" is much more secure for User:.
User: root
# If available, "nobody" is much more secure for Group:.
Group: root
Pid_File: /var/run/mighty.pid
Logging: Yes # Yes or No
Log_File: /var/log/mighty # The directory must be writable by User:
Log_File_Size: 16777216 # bytes
Log_Backup_Number: 10
Index_File: index.html
Index_Cgi: index.cgi
Status_File_Dir: /usr/local/share/mighty/status
Connection_Timeout: 30 # seconds
Fd_Cache_Duration: 10 # seconds
# Server_Name: Mighttpd/3.x.y
Tls_Port: 443
Tls_Cert_File: cert.pem # should change this with an absolute path
# should change this with comma-separated absolute paths
Tls_Chain_Files: chain.pem
# Currently, Tls_Key_File must not be encrypted.
Tls_Key_File: privkey.pem # should change this with an absolute path
Service: 0 # 0 is HTTP only, 1 is HTTPS only, 2 is both
'';
type = types.lines;
description = ''
Verbatim config file to use
(see http://www.mew.org/~kazu/proj/mighttpd/en/config.html)
'';
};
routing = mkOption {
default = "";
example = ''
# Example routing for Mighttpd 2
# Domain lists
[localhost www.example.com]
# Entries are looked up in the specified order
# All paths must end with "/"
# A path to CGI scripts should be specified with "=>"
/~alice/cgi-bin/ => /home/alice/public_html/cgi-bin/
# A path to static files should be specified with "->"
/~alice/ -> /home/alice/public_html/
/cgi-bin/ => /export/cgi-bin/
# Reverse proxy rules should be specified with ">>"
# /path >> host:port/path2
# Either "host" or ":port" can be committed, but not both.
/app/cal/ >> example.net/calendar/
# Yesod app in the same server
/app/wiki/ >> 127.0.0.1:3000/
/ -> /export/www/
'';
type = types.lines;
description = ''
Verbatim routing file to use
(see http://www.mew.org/~kazu/proj/mighttpd/en/config.html)
'';
};
cores = mkOption {
default = null;
type = types.nullOr types.int;
description = ''
How many cores to use.
If null it will be determined automatically
'';
};
};
config = mkIf cfg.enable {
assertions =
[ { assertion = cfg.routing != "";
message = "You need at least one rule in mighttpd2.routing";
}
];
systemd.services.mighttpd2 = {
description = "Mighttpd2 web server";
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.haskellPackages.mighttpd2}/bin/mighty \
${configFile} \
${routingFile} \
+RTS -N${optionalString (cfg.cores != null) "${cfg.cores}"}
'';
Type = "simple";
User = "mighttpd2";
Group = "mighttpd2";
Restart = "on-failure";
AmbientCapabilities = "cap_net_bind_service";
CapabilityBoundingSet = "cap_net_bind_service";
};
};
users.extraUsers.mighttpd2 = {
group = "mighttpd2";
uid = config.ids.uids.mighttpd2;
isSystemUser = true;
};
users.extraGroups.mighttpd2.gid = config.ids.gids.mighttpd2;
};
meta.maintainers = with lib.maintainers; [ fgaz ];
}

View file

@ -15,6 +15,9 @@ let
} // (optionalAttrs vhostConfig.enableACME {
sslCertificate = "/var/lib/acme/${serverName}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${serverName}/key.pem";
}) // (optionalAttrs (vhostConfig.useACMEHost != null) {
sslCertificate = "/var/lib/acme/${vhostConfig.useACMEHost}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${vhostConfig.useACMEHost}/key.pem";
})
) cfg.virtualHosts;
enableIPv6 = config.networking.enableIPv6;
@ -168,13 +171,13 @@ let
listenString = { addr, port, ssl, ... }:
"listen ${addr}:${toString port} "
+ optionalString ssl "ssl "
+ optionalString vhost.http2 "http2 "
+ optionalString (ssl && vhost.http2) "http2 "
+ optionalString vhost.default "default_server "
+ ";";
redirectListen = filter (x: !x.ssl) defaultListen;
acmeLocation = ''
acmeLocation = optionalString (vhost.enableACME || vhost.useACMEHost != null) ''
location /.well-known/acme-challenge {
${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
root ${vhost.acmeRoot};
@ -194,7 +197,7 @@ let
${concatMapStringsSep "\n" listenString redirectListen}
server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};
${optionalString vhost.enableACME acmeLocation}
${acmeLocation}
location / {
return 301 https://$host$request_uri;
}
@ -204,7 +207,7 @@ let
server {
${concatMapStringsSep "\n" listenString hostListen}
server_name ${vhost.serverName} ${concatStringsSep " " vhost.serverAliases};
${optionalString vhost.enableACME acmeLocation}
${acmeLocation}
${optionalString (vhost.root != null) "root ${vhost.root};"}
${optionalString (vhost.globalRedirect != null) ''
return 301 http${optionalString hasSSL "s"}://${vhost.globalRedirect}$request_uri;
@ -555,6 +558,14 @@ in
are mutually exclusive.
'';
}
{
assertion = all (conf: !(conf.enableACME && conf.useACMEHost != null)) (attrValues virtualHosts);
message = ''
Options services.nginx.service.virtualHosts.<name>.enableACME and
services.nginx.virtualHosts.<name>.useACMEHost are mutually exclusive.
'';
}
];
systemd.services.nginx = {
@ -580,7 +591,7 @@ in
security.acme.certs = filterAttrs (n: v: v != {}) (
let
vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME) vhostsConfigs;
acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;
acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = {
user = cfg.user;
group = lib.mkDefault cfg.group;

Some files were not shown because too many files have changed in this diff Show more