public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' into mptcp-v91.3

Browse Source
This commit is contained in:
Michael Raskin 2017-05-01 00:43:08 +02:00 committed by GitHub
commit 1cce0887ee
1856 changed files with 61241 additions and 35390 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.travis.yml
View File

@ -1,8 +1,14 @@
language: nix
sudo: true
# 'sudo: false' == containers that start fast, but only get 4G ram;
# 'sudo: true' == VMs that start slow, but with 8G
# ..as per: https://docs.travis-ci.com/user/ci-environment/#Virtualization-environments
# Nixpkgs PR tests OOM with 4G: https://github.com/NixOS/nixpkgs/issues/24200
matrix:
include:
- os: linux
sudo: false
sudo: required
script:
- ./maintainers/scripts/travis-nox-review-pr.sh nixpkgs-verify nixpkgs-manual nixpkgs-tarball nixpkgs-unstable
- ./maintainers/scripts/travis-nox-review-pr.sh nixos-options nixos-manual

8
README.md
View File

@ -13,12 +13,12 @@ build daemon as so-called channels. To get channel information via git, add
```
For stability and maximum binary package support, it is recommended to maintain
custom changes on top of one of the channels, e.g. `nixos-16.09` for the latest
custom changes on top of one of the channels, e.g. `nixos-17.03` for the latest
release and `nixos-unstable` for the latest successful build of master:
```
% git remote update channels
% git rebase channels/nixos-16.09
% git rebase channels/nixos-17.03
```
For pull-requests, please rebase onto nixpkgs `master`.
@ -32,9 +32,9 @@ For pull-requests, please rebase onto nixpkgs `master`.
* [Manual (NixOS)](https://nixos.org/nixos/manual/)
* [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
* [Continuous package builds for 16.09 release](https://hydra.nixos.org/jobset/nixos/release-16.09)
* [Continuous package builds for 17.03 release](https://hydra.nixos.org/jobset/nixos/release-17.03)
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
* [Tests for 16.09 release](https://hydra.nixos.org/job/nixos/release-16.09/tested#tabs-constituents)
* [Tests for 17.03 release](https://hydra.nixos.org/job/nixos/release-17.03/tested#tabs-constituents)
Communication:

64
doc/cross-compilation.xml
View File

@ -37,16 +37,9 @@
</para>
<para>
In Nixpkgs, these three platforms are defined as attribute sets under the names <literal>buildPlatform</literal>, <literal>hostPlatform</literal>, and <literal>targetPlatform</literal>.
All are guaranteed to contain at least a <varname>platform</varname> field, which contains detailed information on the platform.
All three are always defined at the top level, so one can get at them just like a dependency in a function that is imported with <literal>callPackage</literal>:
<programlisting>{ stdenv, buildPlatform, hostPlatform, fooDep, barDep, .. }: ...</programlisting>
</para>
<warning><para>
These platforms should all have the same structure in all scenarios, but that is currently not the case.
When not cross-compiling, they will each contain a <literal>system</literal> field with a short 2-part, hyphen-separated summering string name for the platform.
But, when when cross compiling, <literal>hostPlatform</literal> and <literal>targetPlatform</literal> may instead contain <literal>config</literal> with a fuller 3- or 4-part string in the manner of LLVM.
We should have all 3 platforms always contain both, and maybe give <literal>config</literal> a better name while we are at it.
</para></warning>
<variablelist>
<varlistentry>
<term><varname>buildPlatform</varname></term>
@ -83,7 +76,7 @@
Nixpkgs tries to avoid this where possible too, but still, because the concept of a target platform is so ingrained now in Autoconf and other tools, it is best to support it as is.
Tools like LLVM that don't need up-front target platforms can safely ignore it like normal packages, and it will do no harm.
</para>
</listitem>
</listitem>
</varlistentry>
</variablelist>
<note><para>
@ -91,6 +84,56 @@
This field defined as <varname>hostPlatform</varname> when the host and build platforms differ, but otherwise not defined at all.
This field is obsolete and will soon disappear—please do not use it.
</para></note>
<para>
The exact scheme these fields is a bit ill-defined due to a long and convoluted evolution, but this is slowly being cleaned up.
For now, here are few fields can count on them containing:
</para>
<variablelist>
<varlistentry>
<term><varname>system</varname></term>
<listitem>
<para>
This is a two-component shorthand for the platform.
Examples of this would be "x86_64-darwin" and "i686-linux"; see <literal>lib.systems.doubles</literal> for more.
This format isn't very standard, but has built-in support in Nix, such as the <varname>builtins.currentSystem</varname> impure string.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>config</varname></term>
<listitem>
<para>
This is a 3- or 4- component shorthand for the platform.
Examples of this would be "x86_64-unknown-linux-gnu" and "aarch64-apple-darwin14".
This is a standard format called the "LLVM target triple", as they are pioneered by LLVM and traditionally just used for the <varname>targetPlatform</varname>.
This format is strictly more informative than the "Nix host double", as the previous format could analogously be termed.
This needs a better name than <varname>config</varname>!
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>parsed</varname></term>
<listitem>
<para>
This is a nix representation of a parsed LLVM target triple with white-listed components.
This can be specified directly, or actually parsed from the <varname>config</varname>.
[Technically, only one need be specified and the others can be inferred, though the precision of inference may not be very good.]
See <literal>lib.systems.parse</literal> for the exact representation, along with some <literal>is*</literal>predicates.
These predicates are superior to the ones in <varname>stdenv</varname> as they aren't tied to the build platform (host, as previously discussed, would be a saner default).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>platform</varname></term>
<listitem>
<para>
This is, quite frankly, a dumping ground of ad-hoc settings (it's an attribute set).
See <literal>lib.systems.platforms</literal> for examples—there's hopefully one in there that will work verbatim for each platform one is working.
Please help us triage these flags and give them better homes!
</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section>
@ -124,6 +167,11 @@
Because of this, a best-of-both-worlds solution is in the works with no splicing or explicit access of <varname>buildPackages</varname> needed.
For now, feel free to use either method.
</para>
<note><para>
There is also a "backlink" <varname>__targetPackages</varname>, yielding a package set whose <varname>buildPackages</varname> is the current package set.
This is a hack, though, to accommodate compilers with lousy build systems.
Please do not use this unless you are absolutely sure you are packaging such a compiler and there is no other way.
</para></note>
</section>
</section>

2
doc/functions.xml
View File

@ -529,7 +529,7 @@
<note>
<para>
If you see errors similar to <literal>getProtocolByName: does not exist (no such protocol name: tcp)</literal>
you may need to add <literal>pkgs.iana_etc</literal> to <varname>contents</varname>.
you may need to add <literal>pkgs.iana-etc</literal> to <varname>contents</varname>.
</para>
</note>

3
doc/languages-frameworks/python.md
View File

@ -628,6 +628,9 @@ with import <nixpkgs> {};
In contrast to `python.buildEnv`, `python.withPackages` does not support the more advanced options
such as `ignoreCollisions = true` or `postBuild`. If you need them, you have to use `python.buildEnv`.
Python 2 namespace packages may provide `__init__.py` that collide. In that case `python.buildEnv`
should be used with `ignoreCollisions = true`.
### Development mode
Development or editable mode is supported. To develop Python packages

3
doc/languages-frameworks/ruby.xml
View File

@ -16,8 +16,7 @@ $ cd sensu
$ cat > Gemfile
source 'https://rubygems.org'
gem 'sensu'
$ nix-shell -p bundler --command "bundler package --path /tmp/vendor/bundle"
$ $(nix-build '<nixpkgs>' -A bundix)/bin/bundix
$ $(nix-build '<nixpkgs>' -A bundix)/bin/bundix --magic
$ cat > default.nix
{ lib, bundlerEnv, ruby }:

4
doc/languages-frameworks/rust.md
View File

@ -17,8 +17,8 @@ into the `environment.systemPackages` or bring them into scope with
`nix-shell -p rustStable.rustc -p rustStable.cargo`.
There are also `rustBeta` and `rustNightly` package sets available.
These are not updated very regulary. For daily builds see
[Using the Rust nightlies overlay](#using-the-rust-nightlies-overlay)
These are not updated very regulary. For daily builds use either rustup from
nixpkgs or use the [Rust nightlies overlay](#using-the-rust-nightlies-overlay).
## Packaging Rust applications

1
doc/multiple-output.xml
View File

@ -16,7 +16,6 @@
<section><title>Installing a split package</title>
<para>When installing a package via <varname>systemPackages</varname> or <command>nix-env</command> you have several options:</para>
<warning><para>Currently <command>nix-env</command> almost always installs all outputs until https://github.com/NixOS/nix/pull/815 gets merged.</para></warning>
<itemizedlist>
<listitem><para>You can install particular outputs explicitly, as each is available in the Nix language as an attribute of the package. The <varname>outputs</varname> attribute contains a list of output names.</para></listitem>
<listitem><para>You can let it use the default outputs. These are handled by <varname>meta.outputsToInstall</varname> attribute that contains a list of output names.</para>

4
doc/overlays.xml
View File

@ -34,7 +34,7 @@ first one present is considered, and all the rest are ignored:
<listitem>
<para>In the directory <filename>~/.nixpkgs/overlays/</filename>.</para>
<para>In the directory <filename>~/.config/nixpkgs/overlays/</filename>.</para>
</listitem>
</orderedlist>
@ -50,7 +50,7 @@ the same recipe. In the case where overlays are loaded from a directory, they ar
alphabetical order.</para>
<para>To install an overlay using the last option, you can clone the overlay's repository and add
a symbolic link to it in <filename>~/.nixpkgs/overlays/</filename> directory.</para>
a symbolic link to it in <filename>~/.config/nixpkgs/overlays/</filename> directory.</para>
</section>

23
lib/attrsets.nix
View File

@ -1,12 +1,12 @@
# Operations on attribute sets.
with {
let
inherit (builtins) head tail length;
inherit (import ./trivial.nix) or;
inherit (import ./trivial.nix) and or;
inherit (import ./default.nix) fold;
inherit (import ./strings.nix) concatStringsSep;
inherit (import ./lists.nix) concatMap concatLists all deepSeqList;
};
in
rec {
inherit (builtins) attrNames listToAttrs hasAttr isAttrs getAttr;
@ -116,7 +116,7 @@ rec {
listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));
/* Filter an attribute set recursivelly by removing all attributes for
/* Filter an attribute set recursively by removing all attributes for
which the given predicate return false.
Example:
@ -334,7 +334,7 @@ rec {
value = f name (catAttrs name sets);
}) names);
/* Implentation note: Common names appear multiple times in the list of
/* Implementation note: Common names appear multiple times in the list of
names, hopefully this does not affect the system because the maximal
laziness avoid computing twice the same expression and listToAttrs does
not care about duplicated attribute names.
@ -353,7 +353,7 @@ rec {
zipAttrs = zipAttrsWith (name: values: values);
/* Does the same as the update operator '//' except that attributes are
merged until the given pedicate is verified. The predicate should
merged until the given predicate is verified. The predicate should
accept 3 arguments which are the path to reach the attribute, a part of
the first attribute set and a part of the second attribute set. When
the predicate is verified, the value of the first attribute set is
@ -417,18 +417,15 @@ rec {
/* Returns true if the pattern is contained in the set. False otherwise.
FIXME(zimbatm): this example doesn't work !!!
Example:
sys = mkSystem { }
matchAttrs { cpu = { bits = 64; }; } sys
matchAttrs { cpu = {}; } { cpu = { bits = 64; }; }
=> true
*/
matchAttrs = pattern: attrs:
fold or false (attrValues (zipAttrsWithNames (attrNames pattern) (n: values:
matchAttrs = pattern: attrs: assert isAttrs pattern;
fold and true (attrValues (zipAttrsWithNames (attrNames pattern) (n: values:
let pat = head values; val = head (tail values); in
if length values == 1 then false
else if isAttrs pat then isAttrs val && matchAttrs head values
else if isAttrs pat then isAttrs val && matchAttrs pat val
else pat == val
) [pattern attrs]));

4
lib/composable-derivation.nix
View File

@ -39,7 +39,7 @@ let inherit (lib) nv nvs; in
#
# issues:
# * its complicated to understand
# * some "features" such as exact merge behaviour are burried in mergeAttrBy
# * some "features" such as exact merge behaviour are buried in mergeAttrBy
# and defaultOverridableDelayableArgs assuming the default behaviour does
# the right thing in the common case
# * Eelco once said using such fix style functions are slow to evaluate
@ -48,7 +48,7 @@ let inherit (lib) nv nvs; in
# / add patches the way you want without having to declare function arguments
#
# nice features:
# declaring "optional featuers" is modular. For instance:
# declaring "optional features" is modular. For instance:
# flags.curl = {
# configureFlags = ["--with-curl=${curl.dev}" "--with-curlwrappers"];
# buildInputs = [curl openssl];

6
lib/customisation.nix
View File

@ -10,7 +10,7 @@ rec {
/* `overrideDerivation drv f' takes a derivation (i.e., the result
of a call to the builtin function `derivation') and returns a new
derivation in which the attributes of the original are overriden
derivation in which the attributes of the original are overridden
according to the function `f'. The function `f' is called with
the original derivation attributes.
@ -167,7 +167,7 @@ rec {
/* Make a set of packages with a common scope. All packages called
with the provided `callPackage' will be evaluated with the same
arguments. Any package in the set may depend on any other. The
`override' function allows subsequent modification of the package
`overrideScope' function allows subsequent modification of the package
set in a consistent way, i.e. all packages in the set will be
called with the overridden packages. The package sets may be
hierarchical: the packages in the set are called with the scope
@ -177,7 +177,7 @@ rec {
let self = f self // {
newScope = scope: newScope (self // scope);
callPackage = self.newScope {};
override = g:
overrideScope = g:
makeScope newScope
(self_: let super = f self_; in super // g super self_);
packages = f;

14
lib/default.nix
View File

@ -1,3 +1,8 @@
/* Library of low-level helper functions for nix expressions.
*
* Please implement (mostly) exhaustive unit tests
* for new functions in `./tests.nix'.
*/
let
# trivial, often used functions
@ -22,8 +27,7 @@ let
# constants
licenses = import ./licenses.nix;
platforms = import ./platforms.nix;
systems = import ./systems.nix;
systems = import ./systems;
# misc
debug = import ./debug.nix;
@ -42,13 +46,15 @@ in
attrsets lists strings stringsWithDeps
customisation maintainers meta sources
modules options types
licenses platforms systems
licenses systems
debug generators misc
sandbox fetchers filesystem;
# back-compat aliases
platforms = systems.doubles;
}
# !!! don't include everything at top-level; perhaps only the most
# commonly used functions.
// trivial // lists // strings // stringsWithDeps // attrsets // sources
// options // types // meta // debug // misc // modules
// systems
// customisation

4
lib/deprecated.nix
View File

@ -253,11 +253,11 @@ rec {
# eg { a = 7; } { a = [ 2 3 ]; } becomes { a = [ 7 2 3 ]; }
mergeAttrsConcatenateValues = mergeAttrsWithFunc ( a: b: (toList a) ++ (toList b) );
# merges attributes using //, if a name exisits in both attributes
# merges attributes using //, if a name exists in both attributes
# an error will be triggered unless its listed in mergeLists
# so you can mergeAttrsNoOverride { buildInputs = [a]; } { buildInputs = [a]; } {} to get
# { buildInputs = [a b]; }
# merging buildPhase does'nt really make sense. The cases will be rare where appending /prefixing will fit your needs?
# merging buildPhase doesn't really make sense. The cases will be rare where appending /prefixing will fit your needs?
# in these cases the first buildPhase will override the second one
# ! deprecated, use mergeAttrByFunc instead
mergeAttrsNoOverride = { mergeLists ? ["buildInputs" "propagatedBuildInputs"],

2
lib/fetchers.nix
View File

@ -1,4 +1,4 @@
# snippets that can be shared by mutliple fetchers (pkgs/build-support)
# snippets that can be shared by multiple fetchers (pkgs/build-support)
{
proxyImpureEnvVars = [

10
lib/licenses.nix
View File

@ -357,6 +357,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
fullName = "Lucent Public License v1.02";
};
miros = {
fullname = "MirOS License";
url = https://opensource.org/licenses/MirOS;
};
# spdx.org does not (yet) differentiate between the X11 and Expat versions
# for details see http://en.wikipedia.org/wiki/MIT_License#Various_versions
mit = spdx {
@ -526,6 +531,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
fullName = "Do What The F*ck You Want To Public License";
};
wxWindows = spdx {
spdxId = "WXwindows";
fullName = "wxWindows Library Licence, Version 3.1";
};
zlib = spdx {
spdxId = "Zlib";
fullName = "zlib License";

2
lib/lists.nix
View File

@ -191,7 +191,7 @@ rec {
*/
optional = cond: elem: if cond then [elem] else [];
/* Return a list or an empty list, dependening on a boolean value.
/* Return a list or an empty list, depending on a boolean value.
Example:
optionals true [ 2 3 ]

25
lib/maintainers.nix
View File

@ -25,6 +25,7 @@
aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
afranchuk = "Alex Franchuk <alex.franchuk@gmail.com>";
aherrmann = "Andreas Herrmann <andreash87@gmx.ch>";
ahmedtd = "Taahir Ahmed <ahmed.taahir@gmail.com>";
ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";
akc = "Anders Claesson <akc@akc.is>";
@ -59,6 +60,7 @@
bachp = "Pascal Bach <pascal.bach@nextrem.ch>";
badi = "Badi' Abdul-Wahid <abdulwahidc@gmail.com>";
balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
basvandijk = "Bas van Dijk <v.dijk.bas@gmail.com>";
Baughn = "Svein Ove Aas <sveina@gmail.com>";
bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
@ -104,6 +106,7 @@
codsl = "codsl <codsl@riseup.net>";
codyopel = "Cody Opel <codyopel@gmail.com>";
colemickens = "Cole Mickens <cole.mickens@gmail.com>";
colescott = "Cole Scott <colescottsf@gmail.com>";
copumpkin = "Dan Peebles <pumpkingod@gmail.com>";
corngood = "David McFarland <corngood@gmail.com>";
coroa = "Jonas Hörsch <jonas@chaoflow.net>";
@ -135,6 +138,7 @@
dgonyeo = "Derek Gonyeo <derek@gonyeo.com>";
dipinhora = "Dipin Hora <dipinhora+github@gmail.com>";
dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
DmitryTsygankov = "Dmitry Tsygankov <dmitry.tsygankov@gmail.com>";
dmjio = "David Johnson <djohnson.m@gmail.com>";
dochang = "Desmond O. Chang <dochang@gmail.com>";
domenkozar = "Domen Kozar <domen@dev.si>";
@ -142,6 +146,7 @@
dpaetzel = "David Pätzel <david.a.paetzel@gmail.com>";
drets = "Dmytro Rets <dmitryrets@gmail.com>";
drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
dsferruzza = "David Sferruzza <david.sferruzza@gmail.com>";
dtzWill = "Will Dietz <nix@wdtz.org>";
e-user = "Alexander Kahl <nixos@sodosopa.io>";
ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
@ -157,6 +162,7 @@
eleanor = "Dejan Lukan <dejan@proteansec.com>";
elitak = "Eric Litak <elitak@gmail.com>";
ellis = "Ellis Whitehead <nixos@ellisw.net>";
eperuffo = "Emanuele Peruffo <info@emanueleperuffo.com>";
epitrochoid = "Mabry Cervin <mpcervin@uncg.edu>";
ericbmerritt = "Eric Merritt <eric@afiniate.com>";
ericsagnes = "Eric Sagnes <eric.sagnes@gmail.com>";
@ -181,6 +187,7 @@
ftrvxmtrx = "Siarhei Zirukin <ftrvxmtrx@gmail.com>";
funfunctor = "Edward O'Callaghan <eocallaghan@alterapraxis.com>";
fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
fuzzy-id = "Thomas Bach <hacking+nixos@babibo.de>";
fxfactorial = "Edgar Aroutiounian <edgar.factorial@gmail.com>";
gal_bolle = "Florent Becker <florent.becker@ens-lyon.org>";
garbas = "Rok Garbas <rok@garbas.si>";
@ -208,11 +215,13 @@
heel = "Sergii Paryzhskyi <parizhskiy@gmail.com>";
henrytill = "Henry Till <henrytill@gmail.com>";
hinton = "Tom Hinton <t@larkery.com>";
hodapp = "Chris Hodapp <hodapp87@gmail.com>";
hrdinka = "Christoph Hrdinka <c.nix@hrdinka.at>";
iand675 = "Ian Duncan <ian@iankduncan.com>";
ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
igsha = "Igor Sharonov <igor.sharonov@gmail.com>";
ikervagyok = "Balázs Lengyel <ikervagyok@gmail.com>";
infinisil = "Silvan Mosberger <infinisil@icloud.com";
ivan-tkatchev = "Ivan Tkatchev <tkatchev@gmail.com>";
j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
@ -230,6 +239,7 @@
jgillich = "Jakob Gillich <jakob@gillich.me>";
jhhuh = "Ji-Haeng Huh <jhhuh.note@gmail.com>";
jirkamarsik = "Jirka Marsik <jiri.marsik89@gmail.com>";
jlesquembre = "José Luis Lafuente <jl@lafuente.me>";
joachifm = "Joachim Fasting <joachifm@fastmail.fm>";
joamaki = "Jussi Maki <joamaki@gmail.com>";
joelmo = "Joel Moberg <joel.moberg@gmail.com>";
@ -239,6 +249,7 @@
jonafato = "Jon Banafato <jon@jonafato.com>";
jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
jpierre03 = "Jean-Pierre PRUNARET <nix@prunetwork.fr>";
jpotier = "Martin Potier <jpo.contributes.to.nixos@marvid.fr>";
jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
juliendehos = "Julien Dehos <dehos@lisic.univ-littoral.fr>";
jwiegley = "John Wiegley <johnw@newartisans.com>";
@ -316,6 +327,7 @@
michalrus = "Michal Rus <m@michalrus.com>";
michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
mikefaille = "Michaël Faille <michael@faille.io>";
miltador = "Vasiliy Solovey <miltador@yandex.ua>";
mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
mingchuan = "Ming Chuan <ming@culpring.com>";
mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
@ -377,6 +389,7 @@
paholg = "Paho Lurie-Gregg <paho@paholg.com>";
pakhfn = "Fedor Pakhomov <pakhfn@gmail.com>";
palo = "Ingolf Wanger <palipalo9@googlemail.com>";
panaeon = "Vitalii Voloshyn <vitalii.voloshyn@gmail.com";
paperdigits = "Mica Semrick <mica@silentumbrella.com>";
pashev = "Igor Pashev <pashev.igor@gmail.com>";
patternspandemic = "Brad Christensen <patternspandemic@live.com>";
@ -398,6 +411,7 @@
pjones = "Peter Jones <pjones@devalot.com>";
pkmx = "Chih-Mao Chen <pkmx.tw@gmail.com>";
plcplc = "Philip Lykke Carlsen <plcplc@gmail.com>";
plumps = "Maksim Bronsky <maks.bronsky@web.de";
pmahoney = "Patrick Mahoney <pat@polycrystal.org>";
pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
polyrod = "Maurizio Di Pietro <dc1mdp@gmail.com>";
@ -440,7 +454,7 @@
romildo = "José Romildo Malaquias <malaquias@gmail.com>";
rongcuid = "Rongcui Dong <rongcuid@outlook.com>";
ronny = "Ronny Pfannschmidt <nixos@ronnypfannschmidt.de>";
rszibele = "Richard Szibele <richard_szibele@hotmail.com>";
rszibele = "Richard Szibele <richard@szibele.com>";
rtreffer = "Rene Treffer <treffer+nixos@measite.de>";
rushmorem = "Rushmore Mushambi <rushmore@webenchanter.com>";
rvl = "Rodney Lorrimar <dev+nix@rodney.id.au>";
@ -450,9 +464,11 @@
ryantm = "Ryan Mulligan <ryan@ryantm.com>";
rycee = "Robert Helgesson <robert@rycee.net>";
ryneeverett = "Ryne Everett <ryneeverett@gmail.com>";
rzetterberg = "Richard Zetterberg <richard.zetterberg@gmail.com>";
s1lvester = "Markus Silvester <s1lvester@bockhacker.me>";
samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>";
sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
sargon = "Daniel Ehlers <danielehlers@mindeye.net>";
schmitthenner = "Fabian Schmitthenner <development@schmitthenner.eu>";
schneefux = "schneefux <schneefux+nixos_pkg@schneefux.xyz>";
schristo = "Scott Christopher <schristopher@konputa.com>";
@ -460,11 +476,13 @@
sepi = "Raffael Mancini <raffael@mancini.lu>";
seppeljordan = "Sebastian Jordan <sebastian.jordan.mail@googlemail.com>";
shanemikel = "Shane Pearlman <shanemikel1@gmail.com>";
shawndellysse = "Shawn Dellysse <sdellysse@gmail.com>";
sheenobu = "Sheena Artrip <sheena.artrip@gmail.com>";
sheganinans = "Aistis Raulinaitis <sheganinans@gmail.com>";
shell = "Shell Turner <cam.turn@gmail.com>";
shlevy = "Shea Levy <shea@shealevy.com>";
siddharthist = "Langston Barrett <langston.barrett@gmail.com>";
sigma = "Yann Hodique <yann.hodique@gmail.com>";
simonvandel = "Simon Vandel Sillesen <simon.vandel@gmail.com>";
sjagoe = "Simon Jagoe <simon@simonjagoe.com>";
sjmackenzie = "Stewart Mackenzie <setori88@gmail.com>";
@ -485,6 +503,7 @@
sternenseemann = "Lukas Epple <post@lukasepple.de>";
stesie = "Stefan Siegl <stesie@brokenpipe.de>";
steveej = "Stefan Junker <mail@stefanjunker.de>";
SuprDewd = "Bjarki Ágúst Guðmundsson <suprdewd@gmail.com>";
swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
swistak35 = "Rafał Łasocha <me@swistak35.com>";
szczyp = "Szczyp <qb@szczyp.com>";
@ -493,6 +512,7 @@
tailhook = "Paul Colomiets <paul@colomiets.name>";
takikawa = "Asumu Takikawa <asumu@igalia.com>";
taktoa = "Remy Goldschmidt <taktoa@gmail.com>";
taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>";
tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
teh = "Tom Hunger <tehunger@gmail.com>";
telotortium = "Robert Irelan <rirelan@gmail.com>";
@ -515,7 +535,8 @@
tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
twey = "James Twey Kay <twey@twey.co.uk>";
uralbash = "Svintsov Dmitry <root@uralbash.ru>";
urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
utdemir = "Utku Demir <me@utdemir.com>";
#urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>"; inactive since 2012
uwap = "uwap <me@uwap.name>";
vandenoever = "Jos van den Oever <jos@vandenoever.info>";
vanzef = "Ivan Solyankin <vanzef@gmail.com>";

2
lib/modules.nix
View File

@ -423,7 +423,7 @@ rec {
in concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
/* Sort a list of properties. The sort priority of a property is
1000 by default, but can be overriden by wrapping the property
1000 by default, but can be overridden by wrapping the property
using mkOrder. */
sortProperties = defs:
let

24
lib/platforms.nix
View File

@ -1,24 +0,0 @@
let lists = import ./lists.nix; in
rec {
all = linux ++ darwin ++ cygwin ++ freebsd ++ openbsd ++ netbsd ++ illumos;
allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all;
none = [];
arm = ["armv5tel-linux" "armv6l-linux" "armv7l-linux" ];
i686 = ["i686-linux" "i686-freebsd" "i686-netbsd" "i686-cygwin"];
mips = [ "mips64el-linux" ];
x86_64 = ["x86_64-linux" "x86_64-darwin" "x86_64-freebsd" "x86_64-openbsd" "x86_64-netbsd" "x86_64-cygwin"];
cygwin = ["i686-cygwin" "x86_64-cygwin"];
darwin = ["x86_64-darwin"];
freebsd = ["i686-freebsd" "x86_64-freebsd"];
gnu = linux; /* ++ hurd ++ kfreebsd ++ ... */
illumos = ["x86_64-solaris"];
linux = ["i686-linux" "x86_64-linux" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "aarch64-linux" "mips64el-linux"];
netbsd = ["i686-netbsd" "x86_64-netbsd"];
openbsd = ["i686-openbsd" "x86_64-openbsd"];
unix = linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos;
mesaPlatforms = ["i686-linux" "x86_64-linux" "x86_64-darwin" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "aarch64-linux"];
}

4
lib/strings.nix
View File

@ -126,8 +126,8 @@ rec {
*/
makePerlPath = makeSearchPathOutput "lib" "lib/perl5/site_perl";
/* Dependening on the boolean `cond', return either the given string
or the empty string. Useful to contatenate against a bigger string.
/* Depending on the boolean `cond', return either the given string
or the empty string. Useful to concatenate against a bigger string.
Example:
optionalString true "some-string"

126
lib/systems.nix
View File

@ -1,126 +0,0 @@
# Define the list of system with their properties. Only systems tested for
# Nixpkgs are listed below
with import ./lists.nix;
with import ./types.nix;
with import ./attrsets.nix;
let
lib = import ./default.nix;
setTypes = type:
mapAttrs (name: value:
setType type ({inherit name;} // value)
);
in
rec {
isSignificantByte = isType "significant-byte";
significantBytes = setTypes "significant-byte" {
bigEndian = {};
littleEndian = {};
};
isCpuType = x: isType "cpu-type" x
&& elem x.bits [8 16 32 64 128]
&& (8 < x.bits -> isSignificantByte x.significantByte);
cpuTypes = with significantBytes;
setTypes "cpu-type" {
arm = { bits = 32; significantByte = littleEndian; };
armv5tel = { bits = 32; significantByte = littleEndian; };
armv7l = { bits = 32; significantByte = littleEndian; };
i686 = { bits = 32; significantByte = littleEndian; };
powerpc = { bits = 32; significantByte = bigEndian; };
x86_64 = { bits = 64; significantByte = littleEndian; };
};
isExecFormat = isType "exec-format";
execFormats = setTypes "exec-format" {
aout = {}; # a.out
elf = {};
macho = {};
pe = {};
unknow = {};
};
isKernel = isType "kernel";
kernels = with execFormats;
setTypes "kernel" {
cygwin = { execFormat = pe; };
darwin = { execFormat = macho; };
freebsd = { execFormat = elf; };
linux = { execFormat = elf; };
netbsd = { execFormat = elf; };
none = { execFormat = unknow; };
openbsd = { execFormat = elf; };
win32 = { execFormat = pe; };
};
isArchitecture = isType "architecture";
architectures = setTypes "architecture" {
apple = {};
pc = {};
unknow = {};
};
isSystem = x: isType "system" x
&& isCpuType x.cpu
&& isArchitecture x.arch
&& isKernel x.kernel;
mkSystem = {
cpu ? cpuTypes.i686,
arch ? architectures.pc,
kernel ? kernels.linux,
name ? "${cpu.name}-${arch.name}-${kernel.name}"
}: setType "system" {
inherit name cpu arch kernel;
};
is64Bit = matchAttrs { cpu = { bits = 64; }; };
isDarwin = matchAttrs { kernel = kernels.darwin; };
isi686 = matchAttrs { cpu = cpuTypes.i686; };
isLinux = matchAttrs { kernel = kernels.linux; };
# This should revert the job done by config.guess from the gcc compiler.
mkSystemFromString = s: let
l = lib.splitString "-" s;
getCpu = name:
attrByPath [name] (throw "Unknow cpuType `${name}'.")
cpuTypes;
getArch = name:
attrByPath [name] (throw "Unknow architecture `${name}'.")
architectures;
getKernel = name:
attrByPath [name] (throw "Unknow kernel `${name}'.")
kernels;
system =
if builtins.length l == 2 then
mkSystem rec {
name = s;
cpu = getCpu (head l);
arch =
if isDarwin system
then architectures.apple
else architectures.pc;
kernel = getKernel (head (tail l));
}
else
mkSystem {
name = s;
cpu = getCpu (head l);
arch = getArch (head (tail l));
kernel = getKernel (head (tail (tail l)));
};
in assert isSystem system; system;
}

23
lib/systems/default.nix Normal file
View File

@ -0,0 +1,23 @@
rec {
doubles = import ./doubles.nix;
parse = import ./parse.nix;
platforms = import ./platforms.nix;
# Elaborate a `localSystem` or `crossSystem` so that it contains everything
# necessary.
#
# `parsed` is inferred from args, both because there are two options with one
# clearly prefered, and to prevent cycles. A simpler fixed point where the RHS
# always just used `final.*` would fail on both counts.
elaborate = args: let
final = {
# Prefer to parse `config` as it is strictly more informative.
parsed = parse.mkSystemFromString (if args ? config then args.config else args.system);
# Either of these can be losslessly-extracted from `parsed` iff parsing succeeds.
system = parse.doubleFromSystem final.parsed;
config = parse.tripleFromSystem final.parsed;
# Just a guess, based on `system`
platform = platforms.selectBySystem final.system;
} // args;
in final;
}

44
lib/systems/doubles.nix Normal file
View File

@ -0,0 +1,44 @@
let lists = import ../lists.nix; in
let parse = import ./parse.nix; in
let inherit (import ../attrsets.nix) matchAttrs; in
let
all = [
"aarch64-linux"
"armv5tel-linux" "armv6l-linux" "armv7l-linux"
"mips64el-linux"
"i686-cygwin" "i686-freebsd" "i686-linux" "i686-netbsd" "i686-openbsd"
"x86_64-cygwin" "x86_64-darwin" "x86_64-freebsd" "x86_64-linux"
"x86_64-netbsd" "x86_64-openbsd" "x86_64-solaris"
];
allParsed = map parse.mkSystemFromString all;
filterDoubles = f: map parse.doubleFromSystem (lists.filter f allParsed);
in rec {
inherit all;
allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all;
none = [];
arm = filterDoubles (matchAttrs { cpu = { family = "arm"; bits = 32; }; });
i686 = filterDoubles parse.isi686;
mips = filterDoubles (matchAttrs { cpu = { family = "mips"; }; });
x86_64 = filterDoubles parse.isx86_64;
cygwin = filterDoubles parse.isCygwin;
darwin = filterDoubles parse.isDarwin;
freebsd = filterDoubles (matchAttrs { kernel = parse.kernels.freebsd; });
gnu = filterDoubles (matchAttrs { kernel = parse.kernels.linux; abi = parse.abis.gnu; }); # Should be better
illumos = filterDoubles (matchAttrs { kernel = parse.kernels.solaris; });
linux = filterDoubles parse.isLinux;
netbsd = filterDoubles (matchAttrs { kernel = parse.kernels.netbsd; });
openbsd = filterDoubles (matchAttrs { kernel = parse.kernels.openbsd; });
unix = filterDoubles parse.isUnix;
mesaPlatforms = ["i686-linux" "x86_64-linux" "x86_64-darwin" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "aarch64-linux"];
}

181
lib/systems/parse.nix Normal file
View File

@ -0,0 +1,181 @@
# Define the list of system with their properties.
#
# See https://clang.llvm.org/docs/CrossCompilation.html and
# http://llvm.org/docs/doxygen/html/Triple_8cpp_source.html especially
# Triple::normalize. Parsing should essentially act as a more conservative
# version of that last function.
with import ../lists.nix;
with import ../types.nix;
with import ../attrsets.nix;
let
lib = import ../default.nix;
setTypesAssert = type: pred:
mapAttrs (name: value:
assert pred value;
setType type ({ inherit name; } // value));
setTypes = type: setTypesAssert type (_: true);
in
rec {
isSignificantByte = isType "significant-byte";
significantBytes = setTypes "significant-byte" {
bigEndian = {};
littleEndian = {};
};
isCpuType = isType "cpu-type";
cpuTypes = with significantBytes; setTypesAssert "cpu-type"
(x: elem x.bits [8 16 32 64 128]
&& (if 8 < x.bits
then isSignificantByte x.significantByte
else !(x ? significantByte)))
{
arm = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv5tel = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv6l = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv7a = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv7l = { bits = 32; significantByte = littleEndian; family = "arm"; };
aarch64 = { bits = 64; significantByte = littleEndian; family = "arm"; };
i686 = { bits = 32; significantByte = littleEndian; family = "x86"; };
x86_64 = { bits = 64; significantByte = littleEndian; family = "x86"; };
mips64el = { bits = 32; significantByte = littleEndian; family = "mips"; };
powerpc = { bits = 32; significantByte = bigEndian; family = "powerpc"; };
};
isVendor = isType "vendor";
vendors = setTypes "vendor" {
apple = {};
pc = {};
unknown = {};
};
isExecFormat = isType "exec-format";
execFormats = setTypes "exec-format" {
aout = {}; # a.out
elf = {};
macho = {};
pe = {};
unknown = {};
};
isKernelFamily = isType "kernel-family";
kernelFamilies = setTypes "kernel-family" {
bsd = {};
unix = {};
};
isKernel = x: isType "kernel" x;
kernels = with execFormats; with kernelFamilies; setTypesAssert "kernel"
(x: isExecFormat x.execFormat && all isKernelFamily (attrValues x.families))
{
darwin = { execFormat = macho; families = { inherit unix; }; };
freebsd = { execFormat = elf; families = { inherit unix bsd; }; };
linux = { execFormat = elf; families = { inherit unix; }; };
netbsd = { execFormat = elf; families = { inherit unix bsd; }; };
none = { execFormat = unknown; families = { inherit unix; }; };
openbsd = { execFormat = elf; families = { inherit unix bsd; }; };
solaris = { execFormat = elf; families = { inherit unix; }; };
windows = { execFormat = pe; families = { }; };
} // { # aliases
win32 = kernels.windows;
};
isAbi = isType "abi";
abis = setTypes "abi" {
cygnus = {};
gnu = {};
msvc = {};
eabi = {};
androideabi = {};
gnueabi = {};
gnueabihf = {};
unknown = {};
};
isSystem = isType "system";
mkSystem = { cpu, vendor, kernel, abi }:
assert isCpuType cpu && isVendor vendor && isKernel kernel && isAbi abi;
setType "system" {
inherit cpu vendor kernel abi;
};
is64Bit = matchAttrs { cpu = { bits = 64; }; };
is32Bit = matchAttrs { cpu = { bits = 32; }; };
isi686 = matchAttrs { cpu = cpuTypes.i686; };
isx86_64 = matchAttrs { cpu = cpuTypes.x86_64; };
isDarwin = matchAttrs { kernel = kernels.darwin; };
isLinux = matchAttrs { kernel = kernels.linux; };
isUnix = matchAttrs { kernel = { families = { inherit (kernelFamilies) unix; }; }; };
isWindows = matchAttrs { kernel = kernels.windows; };
isCygwin = matchAttrs { kernel = kernels.windows; abi = abis.cygnus; };
isMinGW = matchAttrs { kernel = kernels.windows; abi = abis.gnu; };
mkSkeletonFromList = l: {
"2" = # We only do 2-part hacks for things Nix already supports
if elemAt l 1 == "cygwin"
then { cpu = elemAt l 0; kernel = "windows"; abi = "cygnus"; }
else { cpu = elemAt l 0; kernel = elemAt l 1; };
"3" = # Awkwards hacks, beware!
if elemAt l 1 == "apple"
then { cpu = elemAt l 0; vendor = "apple"; kernel = elemAt l 2; }
else if (elemAt l 1 == "linux") || (elemAt l 2 == "gnu")
then { cpu = elemAt l 0; kernel = elemAt l 1; abi = elemAt l 2; }
else if (elemAt l 2 == "mingw32") # autotools breaks on -gnu for window
then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = "windows"; abi = "gnu"; }
else throw "Target specification with 3 components is ambiguous";
"4" = { cpu = elemAt l 0; vendor = elemAt l 1; kernel = elemAt l 2; abi = elemAt l 3; };
}.${toString (length l)}
or (throw "system string has invalid number of hyphen-separated components");
# This should revert the job done by config.guess from the gcc compiler.
mkSystemFromSkeleton = { cpu
, # Optional, but fallback too complex for here.
# Inferred below instead.
vendor ? assert false; null
, kernel
, # Also inferred below
abi ? assert false; null
} @ args: let
getCpu = name: cpuTypes.${name} or (throw "Unknown CPU type: ${name}");
getVendor = name: vendors.${name} or (throw "Unknown vendor: ${name}");
getKernel = name: kernels.${name} or (throw "Unknown kernel: ${name}");
getAbi = name: abis.${name} or (throw "Unknown ABI: ${name}");
system = rec {
cpu = getCpu args.cpu;
vendor =
/**/ if args ? vendor then getVendor args.vendor
else if isDarwin system then vendors.apple
else if isWindows system then vendors.pc
else vendors.unknown;
kernel = getKernel args.kernel;
abi =
/**/ if args ? abi then getAbi args.abi
else if isLinux system then abis.gnu
else if isWindows system then abis.gnu
else abis.unknown;
};
in mkSystem system;
mkSystemFromString = s: mkSystemFromSkeleton (mkSkeletonFromList (lib.splitString "-" s));
doubleFromSystem = { cpu, vendor, kernel, abi, ... }:
if vendor == kernels.windows && abi == abis.cygnus
then "${cpu.name}-cygwin"
else "${cpu.name}-${kernel.name}";
tripleFromSystem = { cpu, vendor, kernel, abi, ... } @ sys: assert isSystem sys; let
optAbi = lib.optionalString (abi != abis.unknown) "-${abi.name}";
in "${cpu.name}-${vendor.name}-${kernel.name}${optAbi}";
}

486
lib/systems/platforms.nix Normal file
View File

@ -0,0 +1,486 @@
rec {
pcBase = {
name = "pc";
uboot = null;
kernelHeadersBaseConfig = "defconfig";
kernelBaseConfig = "defconfig";
# Build whatever possible as a module, if not stated in the extra config.
kernelAutoModules = true;
kernelTarget = "bzImage";
};
pc64 = pcBase // { kernelArch = "x86_64"; };
pc32 = pcBase // { kernelArch = "i386"; };
pc32_simplekernel = pc32 // {
kernelAutoModules = false;
};
pc64_simplekernel = pc64 // {
kernelAutoModules = false;
};
sheevaplug = {
name = "sheevaplug";
kernelMajor = "2.6";
kernelHeadersBaseConfig = "multi_v5_defconfig";
kernelBaseConfig = "multi_v5_defconfig";
kernelArch = "arm";
kernelAutoModules = false;
kernelExtraConfig = ''
BLK_DEV_RAM y
BLK_DEV_INITRD y
BLK_DEV_CRYPTOLOOP m
BLK_DEV_DM m
DM_CRYPT m
MD y
REISERFS_FS m
BTRFS_FS m
XFS_FS m
JFS_FS m
EXT4_FS m
USB_STORAGE_CYPRESS_ATACB m
# mv cesa requires this sw fallback, for mv-sha1
CRYPTO_SHA1 y
# Fast crypto
CRYPTO_TWOFISH y
CRYPTO_TWOFISH_COMMON y
CRYPTO_BLOWFISH y
CRYPTO_BLOWFISH_COMMON y
IP_PNP y
IP_PNP_DHCP y
NFS_FS y
ROOT_NFS y
TUN m
NFS_V4 y
NFS_V4_1 y
NFS_FSCACHE y
NFSD m
NFSD_V2_ACL y
NFSD_V3 y
NFSD_V3_ACL y
NFSD_V4 y
NETFILTER y
IP_NF_IPTABLES y
IP_NF_FILTER y
IP_NF_MATCH_ADDRTYPE y
IP_NF_TARGET_LOG y
IP_NF_MANGLE y
IPV6 m
VLAN_8021Q m
CIFS y
CIFS_XATTR y
CIFS_POSIX y
CIFS_FSCACHE y
CIFS_ACL y
WATCHDOG y
WATCHDOG_CORE y
ORION_WATCHDOG m
ZRAM m
NETCONSOLE m
# Disable OABI to have seccomp_filter (required for systemd)
# https://github.com/raspberrypi/firmware/issues/651
OABI_COMPAT n
# Fail to build
DRM n
SCSI_ADVANSYS n
USB_ISP1362_HCD n
SND_SOC n
SND_ALI5451 n
FB_SAVAGE n
SCSI_NSP32 n
ATA_SFF n
SUNGEM n
IRDA n
ATM_HE n
SCSI_ACARD n
BLK_DEV_CMD640_ENHANCED n
FUSE_FS m
# systemd uses cgroups
CGROUPS y
# Latencytop
LATENCYTOP y
# Ubi for the mtd
MTD_UBI y
UBIFS_FS y
UBIFS_FS_XATTR y
UBIFS_FS_ADVANCED_COMPR y
UBIFS_FS_LZO y
UBIFS_FS_ZLIB y
UBIFS_FS_DEBUG n
# Kdb, for kernel troubles
KGDB y
KGDB_SERIAL_CONSOLE y
KGDB_KDB y
'';
kernelMakeFlags = [ "LOADADDR=0x0200000" ];
kernelTarget = "uImage";
uboot = "sheevaplug";
# Only for uboot = uboot :
ubootConfig = "sheevaplug_config";
kernelDTB = true; # Beyond 3.10
gcc = {
arch = "armv5te";
float = "soft";
};
};
raspberrypi = {
name = "raspberrypi";
kernelMajor = "2.6";
kernelHeadersBaseConfig = "bcm2835_defconfig";
kernelBaseConfig = "bcmrpi_defconfig";
kernelDTB = true;
kernelArch = "arm";
kernelAutoModules = false;
kernelExtraConfig = ''
BLK_DEV_RAM y
BLK_DEV_INITRD y
BLK_DEV_CRYPTOLOOP m
BLK_DEV_DM m
DM_CRYPT m
MD y
REISERFS_FS m
BTRFS_FS y
XFS_FS m
JFS_FS y
EXT4_FS y
IP_PNP y
IP_PNP_DHCP y
NFS_FS y
ROOT_NFS y
TUN m
NFS_V4 y
NFS_V4_1 y
NFS_FSCACHE y
NFSD m
NFSD_V2_ACL y
NFSD_V3 y
NFSD_V3_ACL y
NFSD_V4 y
NETFILTER y
IP_NF_IPTABLES y
IP_NF_FILTER y
IP_NF_MATCH_ADDRTYPE y
IP_NF_TARGET_LOG y
IP_NF_MANGLE y
IPV6 m
VLAN_8021Q m
CIFS y
CIFS_XATTR y
CIFS_POSIX y
CIFS_FSCACHE y
CIFS_ACL y
ZRAM m
# Disable OABI to have seccomp_filter (required for systemd)
# https://github.com/raspberrypi/firmware/issues/651
OABI_COMPAT n
# Fail to build
DRM n
SCSI_ADVANSYS n
USB_ISP1362_HCD n
SND_SOC n
SND_ALI5451 n
FB_SAVAGE n
SCSI_NSP32 n
ATA_SFF n
SUNGEM n
IRDA n
ATM_HE n
SCSI_ACARD n
BLK_DEV_CMD640_ENHANCED n
FUSE_FS m
# nixos mounts some cgroup
CGROUPS y
# Latencytop
LATENCYTOP y
'';
kernelTarget = "zImage";
uboot = null;
gcc = {
arch = "armv6";
fpu = "vfp";
float = "hard";
};
};
raspberrypi2 = armv7l-hf-multiplatform // {
name = "raspberrypi2";
kernelBaseConfig = "bcm2709_defconfig";
kernelDTB = true;
kernelAutoModules = false;
kernelExtraConfig = ''
BLK_DEV_RAM y
BLK_DEV_INITRD y
BLK_DEV_CRYPTOLOOP m
BLK_DEV_DM m
DM_CRYPT m
MD y
REISERFS_FS m
BTRFS_FS y
XFS_FS m
JFS_FS y
EXT4_FS y
IP_PNP y
IP_PNP_DHCP y
NFS_FS y
ROOT_NFS y
TUN m
NFS_V4 y
NFS_V4_1 y
NFS_FSCACHE y
NFSD m
NFSD_V2_ACL y
NFSD_V3 y
NFSD_V3_ACL y
NFSD_V4 y
NETFILTER y
IP_NF_IPTABLES y
IP_NF_FILTER y
IP_NF_MATCH_ADDRTYPE y
IP_NF_TARGET_LOG y
IP_NF_MANGLE y
IPV6 m
VLAN_8021Q m
CIFS y
CIFS_XATTR y
CIFS_POSIX y
CIFS_FSCACHE y
CIFS_ACL y
ZRAM m
# Disable OABI to have seccomp_filter (required for systemd)
# https://github.com/raspberrypi/firmware/issues/651
OABI_COMPAT n
# Fail to build
DRM n
SCSI_ADVANSYS n
USB_ISP1362_HCD n
SND_SOC n
SND_ALI5451 n
FB_SAVAGE n
SCSI_NSP32 n
ATA_SFF n
SUNGEM n
IRDA n
ATM_HE n
SCSI_ACARD n
BLK_DEV_CMD640_ENHANCED n
FUSE_FS m
# nixos mounts some cgroup
CGROUPS y
# Latencytop
LATENCYTOP y
# Disable the common config Xen, it doesn't build on ARM
XEN? n
'';
kernelTarget = "zImage";
uboot = null;
};
guruplug = sheevaplug // {
# Define `CONFIG_MACH_GURUPLUG' (see
# <http://kerneltrap.org/mailarchive/git-commits-head/2010/5/19/33618>)
# and other GuruPlug-specific things. Requires the `guruplug-defconfig'
# patch.
kernelBaseConfig = "guruplug_defconfig";
#kernelHeadersBaseConfig = "guruplug_defconfig";
};
fuloong2f_n32 = {
name = "fuloong2f_n32";
kernelMajor = "2.6";
kernelHeadersBaseConfig = "fuloong2e_defconfig";
kernelBaseConfig = "lemote2f_defconfig";
kernelArch = "mips";
kernelAutoModules = false;
kernelExtraConfig = ''
MIGRATION n
COMPACTION n
# nixos mounts some cgroup
CGROUPS y
BLK_DEV_RAM y
BLK_DEV_INITRD y
BLK_DEV_CRYPTOLOOP m
BLK_DEV_DM m
DM_CRYPT m
MD y
REISERFS_FS m
EXT4_FS m
USB_STORAGE_CYPRESS_ATACB m
IP_PNP y
IP_PNP_DHCP y
IP_PNP_BOOTP y
NFS_FS y
ROOT_NFS y
TUN m
NFS_V4 y
NFS_V4_1 y
NFS_FSCACHE y
NFSD m
NFSD_V2_ACL y
NFSD_V3 y
NFSD_V3_ACL y
NFSD_V4 y
# Fail to build
DRM n
SCSI_ADVANSYS n
USB_ISP1362_HCD n
SND_SOC n
SND_ALI5451 n
FB_SAVAGE n
SCSI_NSP32 n
ATA_SFF n
SUNGEM n
IRDA n
ATM_HE n
SCSI_ACARD n
BLK_DEV_CMD640_ENHANCED n
FUSE_FS m
# Needed for udev >= 150
SYSFS_DEPRECATED_V2 n
VGA_CONSOLE n
VT_HW_CONSOLE_BINDING y
SERIAL_8250_CONSOLE y
FRAMEBUFFER_CONSOLE y
EXT2_FS y
EXT3_FS y
REISERFS_FS y
MAGIC_SYSRQ y
# The kernel doesn't boot at all, with FTRACE
FTRACE n
'';
kernelTarget = "vmlinux";
uboot = null;
gcc.arch = "loongson2f";
};
beaglebone = armv7l-hf-multiplatform // {
name = "beaglebone";
kernelBaseConfig = "omap2plus_defconfig";
kernelAutoModules = false;
kernelExtraConfig = ""; # TBD kernel config
kernelTarget = "zImage";
uboot = null;
};
armv7l-hf-multiplatform = {
name = "armv7l-hf-multiplatform";
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelHeadersBaseConfig = "multi_v7_defconfig";
kernelBaseConfig = "multi_v7_defconfig";
kernelArch = "arm";
kernelDTB = true;
kernelAutoModules = true;
kernelPreferBuiltin = true;
uboot = null;
kernelTarget = "zImage";
kernelExtraConfig = ''
# Fix broken sunxi-sid nvmem driver.
TI_CPTS y
# Hangs ODROID-XU4
ARM_BIG_LITTLE_CPUIDLE n
'';
gcc = {
# Some table about fpu flags:
# http://community.arm.com/servlet/JiveServlet/showImage/38-1981-3827/blogentry-103749-004812900+1365712953_thumb.png
# Cortex-A5: -mfpu=neon-fp16
# Cortex-A7 (rpi2): -mfpu=neon-vfpv4
# Cortex-A8 (beaglebone): -mfpu=neon
# Cortex-A9: -mfpu=neon-fp16
# Cortex-A15: -mfpu=neon-vfpv4
# More about FPU:
# https://wiki.debian.org/ArmHardFloatPort/VfpComparison
# vfpv3-d16 is what Debian uses and seems to be the best compromise: NEON is not supported in e.g. Scaleway or Tegra 2,
# and the above page suggests NEON is only an improvement with hand-written assembly.
arch = "armv7-a";
fpu = "vfpv3-d16";
float = "hard";
# For Raspberry Pi the 2 the best would be:
# cpu = "cortex-a7";
# fpu = "neon-vfpv4";
};
};
aarch64-multiplatform = {
name = "aarch64-multiplatform";
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelHeadersBaseConfig = "defconfig";
kernelBaseConfig = "defconfig";
kernelArch = "arm64";
kernelDTB = true;
kernelAutoModules = true;
kernelPreferBuiltin = true;
kernelExtraConfig = ''
# Raspberry Pi 3 stuff. Not needed for kernels >= 4.10.
ARCH_BCM2835 y
BCM2835_MBOX y
BCM2835_WDT y
RASPBERRYPI_FIRMWARE y
RASPBERRYPI_POWER y
SERIAL_8250_BCM2835AUX y
SERIAL_8250_EXTENDED y
SERIAL_8250_SHARE_IRQ y
# Cavium ThunderX stuff.
PCI_HOST_THUNDER_ECAM y
'';
uboot = null;
kernelTarget = "Image";
gcc = {
arch = "armv8-a";
};
};
selectBySystem = system: {
"i686-linux" = pc32;
"x86_64-linux" = pc64;
"armv5tel-linux" = sheevaplug;
"armv6l-linux" = raspberrypi;
"armv7l-linux" = armv7l-hf-multiplatform;
"aarch64-linux" = aarch64-multiplatform;
"mips64el-linux" = fuloong2f_n32;
}.${system} or pcBase;
}

14
lib/tests.nix
View File

@ -231,7 +231,7 @@ runTests {
};
in {
expr = generators.toJSON {} val;
# trival implementation
# trivial implementation
expected = builtins.toJSON val;
};
@ -243,7 +243,7 @@ runTests {
};
in {
expr = generators.toYAML {} val;
# trival implementation
# trivial implementation
expected = builtins.toJSON val;
};
@ -277,4 +277,14 @@ runTests {
expected = [ "2001" "db8" "0" "0042" "" "8a2e" "370" "" ];
};
testComposeExtensions = {
expr = let obj = makeExtensible (self: { foo = self.bar; });
f = self: super: { bar = false; baz = true; };
g = self: super: { bar = super.baz or false; };
f_o_g = composeExtensions f g;
composed = obj.extend f_o_g;
in composed.foo;
expected = true;
};
}

57
lib/tests/release.nix
View File

@ -1,31 +1,40 @@
{ nixpkgs }:
{ nixpkgs ? { outPath = (import ../.).cleanSource ../..; revCount = 1234; shortRev = "abcdef"; }
, # The platforms for which we build Nixpkgs.
supportedSystems ? [ builtins.currentSystem ]
, # Strip most of attributes when evaluating to spare memory usage
scrubJobs ? true
}:
with import ../.. { };
with import ../../pkgs/top-level/release-lib.nix { inherit supportedSystems scrubJobs; };
with lib;
stdenv.mkDerivation {
name = "nixpkgs-lib-tests";
buildInputs = [ nix ];
NIX_PATH="nixpkgs=${nixpkgs}";
{
systems = import ./systems.nix { inherit lib assertTrue; };
buildCommand = ''
datadir="${nix}/share"
export TEST_ROOT=$(pwd)/test-tmp
export NIX_BUILD_HOOK=
export NIX_CONF_DIR=$TEST_ROOT/etc
export NIX_DB_DIR=$TEST_ROOT/db
export NIX_LOCALSTATE_DIR=$TEST_ROOT/var
export NIX_LOG_DIR=$TEST_ROOT/var/log/nix
export NIX_MANIFESTS_DIR=$TEST_ROOT/var/nix/manifests
export NIX_STATE_DIR=$TEST_ROOT/var/nix
export NIX_STORE_DIR=$TEST_ROOT/store
export PAGER=cat
cacheDir=$TEST_ROOT/binary-cache
nix-store --init
moduleSystem = pkgs.stdenv.mkDerivation {
name = "nixpkgs-lib-tests";
buildInputs = [ pkgs.nix ];
NIX_PATH="nixpkgs=${nixpkgs}";
cd ${nixpkgs}/lib/tests
./modules.sh
buildCommand = ''
datadir="${pkgs.nix}/share"
export TEST_ROOT=$(pwd)/test-tmp
export NIX_BUILD_HOOK=
export NIX_CONF_DIR=$TEST_ROOT/etc
export NIX_DB_DIR=$TEST_ROOT/db
export NIX_LOCALSTATE_DIR=$TEST_ROOT/var
export NIX_LOG_DIR=$TEST_ROOT/var/log/nix
export NIX_MANIFESTS_DIR=$TEST_ROOT/var/nix/manifests
export NIX_STATE_DIR=$TEST_ROOT/var/nix
export NIX_STORE_DIR=$TEST_ROOT/store
export PAGER=cat
cacheDir=$TEST_ROOT/binary-cache
nix-store --init
touch $out
'';
cd ${nixpkgs}/lib/tests
./modules.sh
touch $out
'';
};
}

31
lib/tests/systems.nix Normal file
View File

@ -0,0 +1,31 @@
# We assert that the new algorithmic way of generating these lists matches the
# way they were hard-coded before.
#
# One might think "if we exhaustively test, what's the point of procedurally
# calculating the lists anyway?". The answer is one can mindlessly update these
# tests as new platforms become supported, and then just give the diff a quick
# sanity check before committing :).
{ lib, assertTrue }:
with lib.systems.doubles;
let mseteq = x: y: lib.sort lib.lessThan x == lib.sort lib.lessThan y; in
{
all = assertTrue (mseteq all (linux ++ darwin ++ cygwin ++ freebsd ++ openbsd ++ netbsd ++ illumos));
arm = assertTrue (mseteq arm [ "armv5tel-linux" "armv6l-linux" "armv7l-linux" ]);
i686 = assertTrue (mseteq i686 [ "i686-linux" "i686-freebsd" "i686-netbsd" "i686-openbsd" "i686-cygwin" ]);
mips = assertTrue (mseteq mips [ "mips64el-linux" ]);
x86_64 = assertTrue (mseteq x86_64 [ "x86_64-linux" "x86_64-darwin" "x86_64-freebsd" "x86_64-openbsd" "x86_64-netbsd" "x86_64-cygwin" "x86_64-solaris" ]);
cygwin = assertTrue (mseteq cygwin [ "i686-cygwin" "x86_64-cygwin" ]);
darwin = assertTrue (mseteq darwin [ "x86_64-darwin" ]);
freebsd = assertTrue (mseteq freebsd [ "i686-freebsd" "x86_64-freebsd" ]);
gnu = assertTrue (mseteq gnu (linux /* ++ hurd ++ kfreebsd ++ ... */));
illumos = assertTrue (mseteq illumos [ "x86_64-solaris" ]);
linux = assertTrue (mseteq linux [ "i686-linux" "x86_64-linux" "armv5tel-linux" "armv6l-linux" "armv7l-linux" "aarch64-linux" "mips64el-linux" ]);
netbsd = assertTrue (mseteq netbsd [ "i686-netbsd" "x86_64-netbsd" ]);
openbsd = assertTrue (mseteq openbsd [ "i686-openbsd" "x86_64-openbsd" ]);
unix = assertTrue (mseteq unix (linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos));
}

19
lib/trivial.nix
View File

@ -30,10 +30,15 @@ rec {
/* boolean and */
and = x: y: x && y;
/* Convert a boolean to a string.
Note that toString on a bool returns "1" and "".
*/
boolToString = b: if b then "true" else "false";
/* Merge two attribute sets shallowly, right side trumps left
Example:
mergeAttrs { a = 1; b = 2; } // { b = 3; c = 4; }
mergeAttrs { a = 1; b = 2; } { b = 3; c = 4; }
=> { a = 1; b = 3; c = 4; }
*/
mergeAttrs = x: y: x // y;
@ -80,6 +85,15 @@ rec {
# argument, but it's nice this way if several uses of `extends` are cascaded.
extends = f: rattrs: self: let super = rattrs self; in super // f self super;
# Compose two extending functions of the type expected by 'extends'
# into one where changes made in the first are available in the
# 'super' of the second
composeExtensions =
f: g: self: super:
let fApplied = f self super;
super' = super // fApplied;
in fApplied // g self super';
# Create an overridable, recursive attribute set. For example:
#
# nix-repl> obj = makeExtensible (self: { })
@ -108,6 +122,9 @@ rec {
# Flip the order of the arguments of a binary function.
flip = f: a: b: f b a;
# Apply function if argument is non-null
mapNullable = f: a: if isNull a then a else f a;
# Pull in some builtins not included elsewhere.
inherit (builtins)
pathExists readFile isBool isFunction

4
lib/types.nix
View File

@ -6,7 +6,7 @@ with import ./attrsets.nix;
with import ./options.nix;
with import ./trivial.nix;
with import ./strings.nix;
with {inherit (import ./modules.nix) mergeDefinitions filterOverrides; };
let inherit (import ./modules.nix) mergeDefinitions filterOverrides; in
rec {
@ -52,7 +52,7 @@ rec {
{ # Human-readable representation of the type, should be equivalent to
# the type function name.
name
, # Description of the type, defined recursively by embedding the the wrapped type if any.
, # Description of the type, defined recursively by embedding the wrapped type if any.
description ? null
, # Function applied to each definition that should return true if
# its type-correct, false otherwise.

2
maintainers/scripts/all-tarballs.nix
View File

@ -14,5 +14,5 @@ removeAttrs (import ../../pkgs/top-level/release.nix
supportedSystems = [ "x86_64-linux" ];
})
[ # Remove jobs whose evaluation depends on a writable Nix store.
"tarball" "unstable"
"tarball" "unstable" "darwin-tested"
]

4
maintainers/scripts/hydra-eval-failures.py
View File

@ -48,8 +48,8 @@ def get_maintainers(attr_name):
@click.command()
@click.option(
'--jobset',
default="nixos/release-16.09",
help='Hydra project like nixos/release-16.09')
default="nixos/release-17.03",
help='Hydra project like nixos/release-17.03')
def cli(jobset):
"""
Given a Hydra project, inspect latest evaluation

13
nixos/doc/manual/administration/imperative-containers.xml
View File

@ -29,8 +29,10 @@ line. For instance, to create a container that has
<literal>root</literal>:
<screen>
# nixos-container create foo --config 'services.openssh.enable = true; \
users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];'
# nixos-container create foo --config '
services.openssh.enable = true;
users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];
'
</screen>
</para>
@ -97,8 +99,11 @@ This will build and activate the new configuration. You can also
specify a new configuration on the command line:
<screen>
# nixos-container update foo --config 'services.httpd.enable = true; \
services.httpd.adminAddr = "foo@example.org";'
# nixos-container update foo --config '
services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
networking.firewall.allowedTCPPorts = [ 80 ];
'
# curl http://$(nixos-container show-ip foo)/
&lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…

6
nixos/doc/manual/configuration/file-systems.xml
View File

@ -35,6 +35,12 @@ or <literal>ext4</literal>, then its best to specify
<option>fsType</option> to ensure that the kernel module is
available.</para>
<note><para>System startup will fail if any of the filesystems fails to mount,
dropping you to the emergency shell.
You can make a mount asynchronous and non-critical by adding
<literal>options = [ "nofail" ];</literal>.
</para></note>
<xi:include href="luks-file-systems.xml" />
</chapter>

22
nixos/doc/manual/development/sources.xml
View File

@ -8,7 +8,7 @@
<para>By default, NixOSs <command>nixos-rebuild</command> command
uses the NixOS and Nixpkgs sources provided by the
<literal>nixos-unstable</literal> channel (kept in
<literal>nixos</literal> channel (kept in
<filename>/nix/var/nix/profiles/per-user/root/channels/nixos</filename>).
To modify NixOS, however, you should check out the latest sources from
Git. This is as follows:
@ -27,8 +27,8 @@ a subdirectory of the Nixpkgs repository.) The remote
<literal>channels</literal> refers to a read-only repository that
tracks the Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/>
for more information about channels). Thus, the Git branch
<literal>channels/nixos-14.12</literal> will contain the latest built
and tested version available in the <literal>nixos-14.12</literal>
<literal>channels/nixos-17.03</literal> will contain the latest built
and tested version available in the <literal>nixos-17.03</literal>
channel.</para>
<para>Its often inconvenient to develop directly on the master
@ -39,9 +39,9 @@ branch based on your current NixOS version:
<screen>
$ nixos-version
14.04.273.ea1952b (Baboon)
17.09pre104379.6e0b727 (Hummingbird)
$ git checkout -b local ea1952b
$ git checkout -b local 6e0b727
</screen>
Or, to base your local branch on the latest version available in a
@ -49,17 +49,17 @@ NixOS channel:
<screen>
$ git remote update channels
$ git checkout -b local channels/nixos-14.12
$ git checkout -b local channels/nixos-17.03
</screen>
(Replace <literal>nixos-14.12</literal> with the name of the channel
(Replace <literal>nixos-17.03</literal> with the name of the channel
you want to use.) You can use <command>git merge</command> or
<command>git rebase</command> to keep your local branch in sync with
the channel, e.g.
<screen>
$ git remote update channels
$ git merge channels/nixos-14.12
$ git merge channels/nixos-17.03
</screen>
You can use <command>git cherry-pick</command> to copy commits from
@ -87,7 +87,11 @@ $ ln -s <replaceable>/my/sources</replaceable>/nixpkgs ~/.nix-defexpr/nixpkgs
You may want to delete the symlink
<filename>~/.nix-defexpr/channels_root</filename> to prevent roots
NixOS channel from clashing with your own tree.</para>
NixOS channel from clashing with your own tree (this may break the
command-not-found utility though). If you want to go back to the default
state, you may just remove the <filename>~/.nix-defexpr</filename>
directory completely, log out and log in again and it should have been
recreated with a link to the root channels.</para>
<!-- FIXME: not sure what this means.
<para>You should not pass the base directory

3
nixos/doc/manual/installation/installing-uefi.xml
View File

@ -26,7 +26,8 @@ changes:
<literal>vfat</literal> filesystem.</para>
</listitem>
<listitem>
<para>You must set <option>boot.loader.systemd-boot.enable</option> to
<para>Instead of <option>boot.loader.grub.device</option>,
you must set <option>boot.loader.systemd-boot.enable</option> to
<literal>true</literal>. <command>nixos-generate-config</command>
should do this automatically for new configurations when booted in
UEFI mode.</para>

5
nixos/doc/manual/installation/installing-usb.xml
View File

@ -34,6 +34,11 @@ ISO, copy its contents verbatim to your drive, then either:
in <link xlink:href="https://www.kernel.org/doc/Documentation/kernel-parameters.txt">
the kernel documentation</link> for more details).</para>
</listitem>
<listitem>
<para>If you want to load the contents of the ISO to ram after bootin
(So you can remove the stick after bootup) you can append the parameter
<literal>copytoram</literal>to the <literal>options</literal> field.</para>
</listitem>
</itemizedlist>
</para>

22
nixos/doc/manual/installation/upgrading.xml
View File

@ -15,12 +15,12 @@ been built. These channels are:
<itemizedlist>
<listitem>
<para><emphasis>Stable channels</emphasis>, such as <literal
xlink:href="https://nixos.org/channels/nixos-14.12">nixos-14.12</literal>.
xlink:href="https://nixos.org/channels/nixos-17.03">nixos-17.03</literal>.
These only get conservative bug fixes and package upgrades. For
instance, a channel update may cause the Linux kernel on your
system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
not from 3.4.<replaceable>x</replaceable> to
3.11.<replaceable>x</replaceable> (a major change that has the
system to be upgraded from 4.9.16 to 4.9.17 (a minor bug fix), but
not from 4.9.<replaceable>x</replaceable> to
4.11.<replaceable>x</replaceable> (a major change that has the
potential to break things). Stable channels are generally
maintained until the next stable branch is created.</para>
<para></para>
@ -34,7 +34,7 @@ been built. These channels are:
</listitem>
<listitem>
<para><emphasis>Small channels</emphasis>, such as <literal
xlink:href="https://nixos.org/channels/nixos-14.12-small">nixos-14.12-small</literal>
xlink:href="https://nixos.org/channels/nixos-17.03-small">nixos-17.03-small</literal>
or <literal
xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These
are identical to the stable and unstable channels described above,
@ -55,8 +55,8 @@ appliances.)</para>
<para>When you first install NixOS, youre automatically subscribed to
the NixOS channel that corresponds to your installation source. For
instance, if you installed from a 14.12 ISO, you will be subscribed to
the <literal>nixos-14.12</literal> channel. To see which NixOS
instance, if you installed from a 17.03 ISO, you will be subscribed to
the <literal>nixos-17.03</literal> channel. To see which NixOS
channel youre subscribed to, run the following as root:
<screen>
@ -71,16 +71,16 @@ To switch to a different NixOS channel, do
</screen>
(Be sure to include the <literal>nixos</literal> parameter at the
end.) For instance, to use the NixOS 14.12 stable channel:
end.) For instance, to use the NixOS 17.03 stable channel:
<screen>
# nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
# nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
</screen>
If you have a server, you may want to use the “small” channel instead:
<screen>
# nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
# nix-channel --add https://nixos.org/channels/nixos-17.03-small nixos
</screen>
And if you want to live on the bleeding edge:
@ -130,7 +130,7 @@ runs, see <command>systemctl list-timers</command>.) You can also
specify a channel explicitly, e.g.
<programlisting>
system.autoUpgrade.channel = https://nixos.org/channels/nixos-15.09;
system.autoUpgrade.channel = https://nixos.org/channels/nixos-17.03;
</programlisting>
</para>

239
nixos/doc/manual/release-notes/rl-1703.xml
View File

@ -4,7 +4,15 @@
version="5.0"
xml:id="sec-release-17.03">
<title>Release 17.03 (“XXX”, 2017/03/??)</title>
<title>Release 17.03 (“Gorilla”, 2017/03/31)</title>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-highlights">
<title>Highlights</title>
<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>
@ -16,19 +24,40 @@ has the following highlights: </para>
manual</link> for more information.</para>
</listitem>
<listitem>
<para>This release is based on Glibc 2.25, GCC 5.4.0 and systemd
232. The default Linux kernel is 4.9 and Nix is at 1.11.8.</para>
</listitem>
<listitem>
<para>The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed</para>
</listitem>
<listitem>
<para>The setuid wrapper functionality now supports setting
capabilities.</para>
</listitem>
<listitem>
<para>X.org server uses branch 1.19. Due to ABI incompatibilities,
<para>X.org server uses branch 1.19. Due to ABI incompatibilities,
<literal>ati_unfree</literal> keeps forcing 1.17
and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
</listitem>
<listitem>
<para>PHP now defaults to PHP 7.1</para>
<para>
Cross compilation has been rewritten. See the nixpkgs manual for
details. The most obvious breaking change is that in derivations there is no
<literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> are now
cross by default, not native.
</para>
</listitem>
<listitem>
<para>The <literal>overridePackages</literal> function has been rewritten
to be replaced by <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
overlays</link></para>
</listitem>
<listitem>
@ -38,16 +67,115 @@ has the following highlights: </para>
manual</link> for more information.</para>
</listitem>
<listitem>
<para>PHP now defaults to PHP 7.1</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-new-services">
<title>New Services</title>
<para>The following new services were added since the last release:</para>
<itemizedlist>
<listitem>
<para></para>
</listitem>
<listitem><para><literal>hardware/ckb.nix</literal></para></listitem>
<listitem><para><literal>hardware/mcelog.nix</literal></para></listitem>
<listitem><para><literal>hardware/usb-wwan.nix</literal></para></listitem>
<listitem><para><literal>hardware/video/capture/mwprocapture.nix</literal></para></listitem>
<listitem><para><literal>programs/adb.nix</literal></para></listitem>
<listitem><para><literal>programs/chromium.nix</literal></para></listitem>
<listitem><para><literal>programs/gphoto2.nix</literal></para></listitem>
<listitem><para><literal>programs/java.nix</literal></para></listitem>
<listitem><para><literal>programs/mtr.nix</literal></para></listitem>
<listitem><para><literal>programs/oblogout.nix</literal></para></listitem>
<listitem><para><literal>programs/vim.nix</literal></para></listitem>
<listitem><para><literal>programs/wireshark.nix</literal></para></listitem>
<listitem><para><literal>security/dhparams.nix</literal></para></listitem>
<listitem><para><literal>services/audio/ympd.nix</literal></para></listitem>
<listitem><para><literal>services/computing/boinc/client.nix</literal></para></listitem>
<listitem><para><literal>services/continuous-integration/buildbot/master.nix</literal></para></listitem>
<listitem><para><literal>services/continuous-integration/buildbot/worker.nix</literal></para></listitem>
<listitem><para><literal>services/continuous-integration/gitlab-runner.nix</literal></para></listitem>
<listitem><para><literal>services/databases/riak-cs.nix</literal></para></listitem>
<listitem><para><literal>services/databases/stanchion.nix</literal></para></listitem>
<listitem><para><literal>services/desktops/gnome3/gnome-terminal-server.nix</literal></para></listitem>
<listitem><para><literal>services/editors/infinoted.nix</literal></para></listitem>
<listitem><para><literal>services/hardware/illum.nix</literal></para></listitem>
<listitem><para><literal>services/hardware/trezord.nix</literal></para></listitem>
<listitem><para><literal>services/logging/journalbeat.nix</literal></para></listitem>
<listitem><para><literal>services/mail/offlineimap.nix</literal></para></listitem>
<listitem><para><literal>services/mail/postgrey.nix</literal></para></listitem>
<listitem><para><literal>services/misc/couchpotato.nix</literal></para></listitem>
<listitem><para><literal>services/misc/docker-registry.nix</literal></para></listitem>
<listitem><para><literal>services/misc/errbot.nix</literal></para></listitem>
<listitem><para><literal>services/misc/geoip-updater.nix</literal></para></listitem>
<listitem><para><literal>services/misc/gogs.nix</literal></para></listitem>
<listitem><para><literal>services/misc/leaps.nix</literal></para></listitem>
<listitem><para><literal>services/misc/nix-optimise.nix</literal></para></listitem>
<listitem><para><literal>services/misc/ssm-agent.nix</literal></para></listitem>
<listitem><para><literal>services/misc/sssd.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/arbtt.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/netdata.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/default.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/alertmanager.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/blackbox-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/json-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/nginx-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/node-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/snmp-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/unifi-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/varnish-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/sysstat.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/telegraf.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/vnstat.nix</literal></para></listitem>
<listitem><para><literal>services/network-filesystems/cachefilesd.nix</literal></para></listitem>
<listitem><para><literal>services/network-filesystems/glusterfs.nix</literal></para></listitem>
<listitem><para><literal>services/network-filesystems/ipfs.nix</literal></para></listitem>
<listitem><para><literal>services/networking/dante.nix</literal></para></listitem>
<listitem><para><literal>services/networking/dnscrypt-wrapper.nix</literal></para></listitem>
<listitem><para><literal>services/networking/fakeroute.nix</literal></para></listitem>
<listitem><para><literal>services/networking/flannel.nix</literal></para></listitem>
<listitem><para><literal>services/networking/htpdate.nix</literal></para></listitem>
<listitem><para><literal>services/networking/miredo.nix</literal></para></listitem>
<listitem><para><literal>services/networking/nftables.nix</literal></para></listitem>
<listitem><para><literal>services/networking/powerdns.nix</literal></para></listitem>
<listitem><para><literal>services/networking/pdns-recursor.nix</literal></para></listitem>
<listitem><para><literal>services/networking/quagga.nix</literal></para></listitem>
<listitem><para><literal>services/networking/redsocks.nix</literal></para></listitem>
<listitem><para><literal>services/networking/wireguard.nix</literal></para></listitem>
<listitem><para><literal>services/system/cgmanager.nix</literal></para></listitem>
<listitem><para><literal>services/torrent/opentracker.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/atlassian/confluence.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/atlassian/crowd.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/atlassian/jira.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/frab.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/nixbot.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/selfoss.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/quassel-webserver.nix</literal></para></listitem>
<listitem><para><literal>services/x11/unclutter-xfixes.nix</literal></para></listitem>
<listitem><para><literal>services/x11/urxvtd.nix</literal></para></listitem>
<listitem><para><literal>system/boot/systemd-nspawn.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/ecs-agent.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/lxcfs.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/openstack/keystone.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/openstack/glance.nix</literal></para></listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-incompatibilities">
<title>Backward Incompatibilities</title>
<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>
@ -55,10 +183,8 @@ following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>
Cross compilation has been rewritten. See the nixpkgs manual for
details. The most obvious breaking change is that derivations absent a
<literal>.nativeDrv</literal> or <literal>.crossDrv</literal> are now
cross by default, not native.
Derivations have no <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal>
and are now cross by default, not native.
</para>
</listitem>
@ -174,7 +300,7 @@ following incompatible changes:</para>
<para><literal>overridePackages</literal> function no longer exists.
It is replaced by <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
overlays</link>. For example, the following code:
overlays</link>. For example, the following code:
<programlisting>
let
@ -219,7 +345,7 @@ following incompatible changes:</para>
<listitem>
<para>
Iputils no longer provide ping6 and traceroute6. The functionality of
these tools have been integrated into ping and traceroute respectively. To
these tools has been integrated into ping and traceroute respectively. To
enforce an address family the new flags <literal>-4</literal> and
<literal>-6</literal> have been added. One notable incompatibility is that
specifying an interface (for link-local IPv6 for instance) is no longer done
@ -247,10 +373,41 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>
The dnscrypt-proxy module interface has been streamlined around the
<option>extraArgs</option> option. Where possible, legacy option
declarations are mapped to <option>extraArgs</option> but will emit
warnings. The <option>resolverList</option> has been outright
removed: to use an unlisted resolver, use the
<option>customResolver</option> option.
</para>
</listitem>
<listitem>
<para>
torbrowser now stores local state under
<filename>~/.local/share/tor-browser</filename> by default. Any
browser profile data from the old location,
<filename>~/.torbrowser4</filename>, must be migrated manually.
</para>
</listitem>
<listitem>
<para>
The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-notable-changes">
<para>Other notable changes:</para>
<title>Other Notable Changes</title>
<itemizedlist>
@ -276,7 +433,11 @@ following incompatible changes:</para>
</listitem>
<listitem>
<para>The Python 2.7 interpreter does not use modules anymore. Instead, all CPython interpreters now include the whole standard library except for `tkinter`, which is available in the Python package set.</para>
<para>
The Python 2.7 interpreter does not use modules anymore. Instead, all
CPython interpreters now include the whole standard library except for `tkinter`,
which is available in the Python package set.
</para>
</listitem>
<listitem>
@ -290,11 +451,17 @@ following incompatible changes:</para>
</listitem>
<listitem>
<para>The Python package sets now use a fixed-point combinator and the sets are available as attributes of the interpreters.</para>
<para>
The Python package sets now use a fixed-point combinator and the sets are
available as attributes of the interpreters.
</para>
</listitem>
<listitem>
<para>The Python function `buildPythonPackage` has been improved and can be used to build from Setuptools source, Flit source, and precompiled Wheels.</para>
<para>
The Python function <literal>buildPythonPackage</literal> has been improved and can be
used to build from Setuptools source, Flit source, and precompiled Wheels.
</para>
</listitem>
<listitem>
@ -305,7 +472,43 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>
The dnscrypt-proxy service supports synchronizing the list of public
resolvers without working DNS resolution. This fixes issues caused by the
resolver list becoming outdated. It also improves the viability of
DNSCrypt only configurations.
</para>
</listitem>
<listitem>
<para>
Containers using bridged networking no longer lose their connection after
changes to the host networking.
</para>
</listitem>
<listitem>
<para>
ZFS supports pool auto scrubbing.
</para>
</listitem>
<listitem>
<para>
The bind DNS utilities (e.g. dig) have been split into their own output and
are now also available in <literal>pkgs.dnsutils</literal> and it is no longer
necessary to pull in all of <literal>bind</literal> to use them.
</para>
</listitem>
<listitem>
<para>
Per-user configuration was moved from <filename>~/.nixpkgs</filename> to
<filename>~/.config/nixpkgs</filename>. The former is still valid for
<filename>config.nix</filename> for backwards compatibility.
</para>
</listitem>
</itemizedlist>
</section>
</section>

20
nixos/doc/manual/release-notes/rl-1709.xml
View File

@ -11,7 +11,11 @@ has the following highlights: </para>
<itemizedlist>
<listitem>
<para></para>
<para>
The user handling now keeps track of deallocated UIDs/GIDs. When a user
or group is revived, this allows it to be allocated the UID/GID it had before.
A consequence is that UIDs and GIDs are no longer reused.
</para>
</listitem>
</itemizedlist>
@ -31,6 +35,8 @@ following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>
Top-level <literal>idea</literal> package collection was renamed.
All JetBrains IDEs are now at <literal>jetbrains</literal>.
</para>
</listitem>
</itemizedlist>
@ -49,6 +55,18 @@ following incompatible changes:</para>
rest of the system on a stable release.
</para>
</listitem>
<listitem>
<para>
Updated to FreeType 2.7.1, including a new TrueType engine.
The new engine replaces the Infinality engine which was the default in
NixOS. The default font rendering settings are now provided by
fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults
are less invasive and provide rendering that is more consistent with
other systems and hopefully with each font designer's intent. Some
system-wide configuration has been removed from the Fontconfig NixOS
module where user Fontconfig settings are available.
</para>
</listitem>
</itemizedlist>

204
nixos/lib/make-disk-image.nix
View File

@ -33,42 +33,124 @@
, name ? "nixos-disk-image"
# This prevents errors while checking nix-store validity, see
# https://github.com/NixOS/nix/issues/1134
, fixValidity ? true
, format ? "raw"
}:
with lib;
pkgs.vmTools.runInLinuxVM (
let
# Copied from https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/installer/cd-dvd/channel.nix
# TODO: factor out more cleanly
# Do not include these things:
# - The '.git' directory
# - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
# - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
filterFn = path: type: let basename = baseNameOf (toString path); in
if type == "directory" then basename != ".git"
else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
nixpkgs = builtins.filterSource filterFn pkgs.path;
channelSources = pkgs.runCommand "nixos-${config.system.nixosVersion}" {} ''
mkdir -p $out
cp -prd ${nixpkgs} $out/nixos
chmod -R u+w $out/nixos
if [ ! -e $out/nixos/nixpkgs ]; then
ln -s . $out/nixos/nixpkgs
fi
rm -rf $out/nixos/.git
echo -n ${config.system.nixosVersionSuffix} > $out/nixos/.version-suffix
'';
metaClosure = pkgs.writeText "meta" ''
${config.system.build.toplevel}
${config.nix.package.out}
${channelSources}
'';
prepareImageInputs = with pkgs; [ rsync utillinux parted e2fsprogs lkl fakeroot config.system.build.nixos-prepare-root ] ++ stdenv.initialPath;
# I'm preserving the line below because I'm going to search for it across nixpkgs to consolidate
# image building logic. The comment right below this now appears in 4 different places in nixpkgs :)
# !!! should use XML.
sources = map (x: x.source) contents;
targets = map (x: x.target) contents;
prepareImage = ''
export PATH=${pkgs.lib.makeSearchPathOutput "bin" "bin" prepareImageInputs}
mkdir $out
diskImage=nixos.raw
truncate -s ${toString diskSize}M $diskImage
${if partitioned then ''
parted $diskImage -- mklabel msdos mkpart primary ext4 1M -1s
offset=$((2048*512))
'' else ''
offset=0
''}
mkfs.${fsType} -F -L nixos -E offset=$offset $diskImage
root="$PWD/root"
mkdir -p $root
# Copy arbitrary other files into the image
# Semi-shamelessly copied from make-etc.sh. I (@copumpkin) shall factor this stuff out as part of
# https://github.com/NixOS/nixpkgs/issues/23052.
set -f
sources_=(${concatStringsSep " " sources})
targets_=(${concatStringsSep " " targets})
set +f
for ((i = 0; i < ''${#targets_[@]}; i++)); do
source="''${sources_[$i]}"
target="''${targets_[$i]}"
if [[ "$source" =~ '*' ]]; then
# If the source name contains '*', perform globbing.
mkdir -p $root/$target
for fn in $source; do
rsync -a --no-o --no-g "$fn" $root/$target/
done
else
mkdir -p $root/$(dirname $target)
if ! [ -e $root/$target ]; then
rsync -a --no-o --no-g $source $root/$target
else
echo "duplicate entry $target -> $source"
exit 1
fi
fi
done
# TODO: Nix really likes to chown things it creates to its current user...
fakeroot nixos-prepare-root $root ${channelSources} ${config.system.build.toplevel} closure
echo "copying staging root to image..."
cptofs ${pkgs.lib.optionalString partitioned "-P 1"} -t ${fsType} -i $diskImage $root/* /
'';
in pkgs.vmTools.runInLinuxVM (
pkgs.runCommand name
{ preVM =
''
mkdir $out
diskImage=$out/nixos.${if format == "qcow2" then "qcow2" else "img"}
${pkgs.vmTools.qemu}/bin/qemu-img create -f ${format} $diskImage "${toString diskSize}M"
mv closure xchg/
'';
buildInputs = with pkgs; [ utillinux perl e2fsprogs parted rsync ];
# I'm preserving the line below because I'm going to search for it across nixpkgs to consolidate
# image building logic. The comment right below this now appears in 4 different places in nixpkgs :)
# !!! should use XML.
sources = map (x: x.source) contents;
targets = map (x: x.target) contents;
exportReferencesGraph =
[ "closure" config.system.build.toplevel ];
inherit postVM;
{ preVM = prepareImage;
buildInputs = with pkgs; [ utillinux e2fsprogs ];
exportReferencesGraph = [ "closure" metaClosure ];
postVM = ''
${if format == "raw" then ''
mv $diskImage $out/nixos.img
diskImage=$out/nixos.img
'' else ''
${pkgs.qemu}/bin/qemu-img convert -f raw -O qcow2 $diskImage $out/nixos.qcow2
diskImage=$out/nixos.qcow2
''}
${postVM}
'';
memSize = 1024;
}
''
${if partitioned then ''
# Create a single / partition.
parted /dev/vda mklabel msdos
parted /dev/vda -- mkpart primary ext2 1M -1s
. /sys/class/block/vda1/uevent
mknod /dev/vda1 b $MAJOR $MINOR
rootDisk=/dev/vda1
@ -76,74 +158,34 @@ pkgs.vmTools.runInLinuxVM (
rootDisk=/dev/vda
''}
# Create an empty filesystem and mount it.
mkfs.${fsType} -L nixos $rootDisk
mkdir /mnt
mount $rootDisk /mnt
# Register the paths in the Nix database.
printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
${if fixValidity then ''
# Add missing size/hash fields to the database. FIXME:
# exportReferencesGraph should provide these directly.
${config.nix.package.out}/bin/nix-store --verify --check-contents --option build-users-group ""
'' else ""}
# In case the bootloader tries to write to /dev/sda…
# Some tools assume these exist
ln -s vda /dev/xvda
ln -s vda /dev/sda
# Install the closure onto the image
USER=root ${config.system.build.nixos-install}/bin/nixos-install \
--closure ${config.system.build.toplevel} \
--no-channel-copy \
--no-root-passwd \
${optionalString (!installBootLoader) "--no-bootloader"}
mountPoint=/mnt
mkdir $mountPoint
mount $rootDisk $mountPoint
# Install a configuration.nix.
# Install a configuration.nix
mkdir -p /mnt/etc/nixos
${optionalString (configFile != null) ''
cp ${configFile} /mnt/etc/nixos/configuration.nix
''}
# Remove /etc/machine-id so that each machine cloning this image will get its own id
rm -f /mnt/etc/machine-id
mount --rbind /dev $mountPoint/dev
mount --rbind /proc $mountPoint/proc
mount --rbind /sys $mountPoint/sys
# Copy arbitrary other files into the image
# Semi-shamelessly copied from make-etc.sh. I (@copumpkin) shall factor this stuff out as part of
# https://github.com/NixOS/nixpkgs/issues/23052.
set -f
sources_=($sources)
targets_=($targets)
set +f
# Set up core system link, GRUB, etc.
NIXOS_INSTALL_BOOTLOADER=1 chroot $mountPoint /nix/var/nix/profiles/system/bin/switch-to-configuration boot
for ((i = 0; i < ''${#targets_[@]}; i++)); do
source="''${sources_[$i]}"
target="''${targets_[$i]}"
# TODO: figure out if I should activate, but for now I won't
# chroot $mountPoint /nix/var/nix/profiles/system/activate
if [[ "$source" =~ '*' ]]; then
# The above scripts will generate a random machine-id and we don't want to bake a single ID into all our images
rm -f $mountPoint/etc/machine-id
# If the source name contains '*', perform globbing.
mkdir -p /mnt/$target
for fn in $source; do
rsync -a --no-o --no-g "$fn" /mnt/$target/
done
else
mkdir -p /mnt/$(dirname $target)
if ! [ -e /mnt/$target ]; then
rsync -a --no-o --no-g $source /mnt/$target
else
echo "duplicate entry $target -> $source"
exit 1
fi
fi
done
umount /mnt
umount -R /mnt
# Make sure resize2fs works. Note that resize2fs has stricter criteria for resizing than a normal
# mount, so the `-c 0` and `-i 0` don't affect it. Setting it to `now` doesn't produce deterministic

18
nixos/lib/test-driver/Machine.pm
View File

@ -542,16 +542,20 @@ sub getScreenText {
$self->nest("performing optical character recognition", sub {
my $tmpbase = Cwd::abs_path(".")."/ocr";
my $tmpin = $tmpbase."in.ppm";
my $tmpout = "$tmpbase.ppm";
$self->sendMonitorCommand("screendump $tmpin");
system("ppmtopgm $tmpin | pamscale 4 -filter=lanczos > $tmpout") == 0
or die "cannot scale screenshot";
my $magickArgs = "-filter Catrom -density 72 -resample 300 "
. "-contrast -normalize -despeckle -type grayscale "
. "-sharpen 1 -posterize 3 -negate -gamma 100 "
. "-blur 1x65535";
my $tessArgs = "-c debug_file=/dev/null --psm 11 --oem 2";
$text = `convert $magickArgs $tmpin tiff:- | tesseract - - $tessArgs`;
my $status = $? >> 8;
unlink $tmpin;
system("tesseract $tmpout $tmpbase") == 0 or die "OCR failed";
unlink $tmpout;
$text = read_file("$tmpbase.txt");
unlink "$tmpbase.txt";
die "OCR failed with exit code $status" if $status != 0;
});
return $text;
}

5
nixos/lib/testing.nix
View File

@ -93,7 +93,7 @@ rec {
vms = map (m: m.config.system.build.vm) (lib.attrValues nodes);
ocrProg = tesseract;
ocrProg = tesseract_4.override { enableLanguages = [ "eng" ]; };
# Generate onvenience wrappers for running the test driver
# interactively with the specified network, and for starting the
@ -111,7 +111,8 @@ rec {
vms=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
wrapProgram $out/bin/nixos-test-driver \
--add-flags "''${vms[*]}" \
${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
${lib.optionalString enableOCR
"--prefix PATH : '${ocrProg}/bin:${imagemagick}/bin'"} \
--run "testScript=\"\$(cat $out/test-script)\"" \
--set testScript '$testScript' \
--set VLANS '${toString vlans}'

5
nixos/maintainers/scripts/ec2/amazon-image.nix
View File

@ -6,10 +6,7 @@ let
cfg = config.amazonImage;
in {
imports =
[ ../../../modules/installer/cd-dvd/channel.nix
../../../modules/virtualisation/amazon-image.nix
];
imports = [ ../../../modules/virtualisation/amazon-image.nix ];
options.amazonImage = {
contents = mkOption {

15
nixos/maintainers/scripts/ec2/create-amis.sh
View File

@ -3,21 +3,20 @@
# To start with do: nix-shell -p awscli --run "aws configure"
set -e
set -o pipefail
#set -x
stateDir=${TMPDIR:-/tmp}/ec2-image
echo "keeping state in $stateDir"
mkdir -p $stateDir
version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g)
major=${version:0:5}
echo "NixOS version is $version ($major)"
stateDir=/var/tmp/ec2-image-$version
echo "keeping state in $stateDir"
mkdir -p $stateDir
rm -f ec2-amis.nix
types="hvm pv"
types="hvm"
stores="ebs s3"
regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
@ -206,7 +205,7 @@ for type in $types; do
# Register the AMI.
if [ $type = pv ]; then
kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.04-$arch.gz" | jq -r .Images[0].ImageId)
kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.05-$arch.gz" | jq -r .Images[0].ImageId)
if [ "$kernel" = null ]; then break; fi
echo "using PV-GRUB kernel $kernel"
extraFlags+=" --virtualization-type paravirtual --kernel $kernel"

28
nixos/maintainers/scripts/gce/create-gce.sh
View File

@ -1,15 +1,23 @@
#! /bin/sh -e
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p google-cloud-sdk
BUCKET_NAME=${BUCKET_NAME:-nixos-images}
export NIX_PATH=nixpkgs=../../../..
export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/google-compute-image.nix
export TIMESTAMP=$(date +%Y%m%d%H%M)
set -euo pipefail
BUCKET_NAME="${BUCKET_NAME:-nixos-images}"
TIMESTAMP="$(date +%Y%m%d%H%M)"
export TIMESTAMP
nix-build '<nixpkgs/nixos>' \
-A config.system.build.googleComputeImage --argstr system x86_64-linux -o gce --option extra-binary-caches http://hydra.nixos.org -j 10
-A config.system.build.googleComputeImage \
--arg configuration "{ imports = [ <nixpkgs/nixos/modules/virtualisation/google-compute-image.nix> ]; }" \
--argstr system x86_64-linux \
-o gce \
-j 10
img=$(echo gce/*.tar.gz)
if ! gsutil ls gs://${BUCKET_NAME}/$(basename $img); then
gsutil cp $img gs://${BUCKET_NAME}/$(basename $img)
img_path=$(echo gce/*.tar.gz)
img_name=$(basename "$img_path")
img_id=$(echo "$img_name" | sed 's|.raw.tar.gz$||;s|\.|-|g;s|_|-|g')
if ! gsutil ls "gs://${BUCKET_NAME}/$img_name"; then
gsutil cp "$img_path" "gs://${BUCKET_NAME}/$img_name"
fi
gcloud compute images create $(basename $img .raw.tar.gz | sed 's|\.|-|' | sed 's|_|-|') --source-uri gs://${BUCKET_NAME}/$(basename $img)
gcloud compute images create "$img_id" --source-uri "gs://${BUCKET_NAME}/$img_name"

270
nixos/modules/config/fonts/fontconfig-penultimate.nix Normal file
View File

@ -0,0 +1,270 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.fonts.fontconfig;
fcBool = x: "<bool>" + (boolToString x) + "</bool>";
# back-supported fontconfig version and package
# version is used for font cache generation
supportVersion = "210";
supportPkg = pkgs."fontconfig_${supportVersion}";
# latest fontconfig version and package
# version is used for configuration folder name, /etc/fonts/VERSION/
# note: format differs from supportVersion and can not be used with makeCacheConf
latestVersion = pkgs.fontconfig.configVersion;
latestPkg = pkgs.fontconfig;
# supported version fonts.conf
supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
# configuration file to read fontconfig cache
# version dependent
# priority 0
cacheConfSupport = makeCacheConf { version = supportVersion; };
cacheConfLatest = makeCacheConf {};
# generate the font cache setting file for a fontconfig version
# use latest when no version is passed
makeCacheConf = { version ? null }:
let
fcPackage = if builtins.isNull version
then "fontconfig"
else "fontconfig_${version}";
makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
cache = makeCache pkgs."${fcPackage}";
cache32 = makeCache pkgs.pkgsi686Linux."${fcPackage}";
in
pkgs.writeText "fc-00-nixos-cache.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Font directories -->
${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
<!-- Pre-generated font caches -->
<cachedir>${cache}</cachedir>
${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
<cachedir>${cache32}</cachedir>
''}
</fontconfig>
'';
# The configuration to be included in /etc/font/
penultimateConf = pkgs.runCommand "font-penultimate-conf" {} ''
support_folder=$out/etc/fonts/conf.d
latest_folder=$out/etc/fonts/${latestVersion}/conf.d
mkdir -p $support_folder
mkdir -p $latest_folder
ln -s ${supportFontsConf} $support_folder/../fonts.conf
ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
$latest_folder/../fonts.conf
# fontconfig-penultimate various configuration files
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$support_folder
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$latest_folder
ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
ln -s ${cacheConfLatest} $latest_folder/00-nixos-cache.conf
rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
ln -s ${antialiasConf} $support_folder/10-antialias.conf
ln -s ${antialiasConf} $latest_folder/10-antialias.conf
rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
ln -s ${hintingConf} $support_folder/10-hinting.conf
ln -s ${hintingConf} $latest_folder/10-hinting.conf
${optionalString cfg.useEmbeddedBitmaps ''
rm $support_folder/10-no-embedded-bitmaps.conf
rm $latest_folder/10-no-embedded-bitmaps.conf
''}
rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
ln -s ${subpixelConf} $support_folder/10-subpixel.conf
ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
${optionalString (cfg.dpi != 0) ''
ln -s ${dpiConf} $support_folder/11-dpi.conf
ln -s ${dpiConf} $latest_folder/11-dpi.conf
''}
${optionalString (!cfg.includeUserConf) ''
rm $support_folder/50-user.conf
rm $latest_folder/50-user.conf
''}
# 51-local.conf
rm $latest_folder/51-local.conf
substitute \
${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
$latest_folder/51-local.conf \
--replace local.conf /etc/fonts/${latestVersion}/local.conf
ln -s ${defaultFontsConf} $support_folder/52-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/52-default-fonts.conf
${optionalString cfg.allowBitmaps ''
rm $support_folder/53-no-bitmaps.conf
rm $latest_folder/53-no-bitmaps.conf
''}
${optionalString (!cfg.allowType1) ''
ln -s ${rejectType1} $support_folder/53-no-type1.conf
ln -s ${rejectType1} $latest_folder/53-no-type1.conf
''}
'';
hintingConf = pkgs.writeText "fc-10-hinting.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="pattern">
<edit mode="append" name="hinting">
${fcBool cfg.hinting.enable}
</edit>
<edit mode="append" name="autohint">
${fcBool cfg.hinting.autohint}
</edit>
<edit mode="append" name="hintstyle">
<const>hintslight</const>
</edit>
</match>
</fontconfig>
'';
antialiasConf = pkgs.writeText "fc-10-antialias.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="pattern">
<edit mode="append" name="antialias">
${fcBool cfg.antialias}
</edit>
</match>
</fontconfig>
'';
subpixelConf = pkgs.writeText "fc-10-subpixel.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="pattern">
<edit mode="append" name="rgba">
<const>${cfg.subpixel.rgba}</const>
</edit>
<edit mode="append" name="lcdfilter">
<const>lcd${cfg.subpixel.lcdfilter}</const>
</edit>
</match>
</fontconfig>
'';
dpiConf = pkgs.writeText "fc-11-dpi.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<match target="pattern">
<edit name="dpi" mode="assign">
<double>${toString cfg.dpi}</double>
</edit>
</match>
</fontconfig>
'';
defaultFontsConf =
let genDefault = fonts: name:
optionalString (fonts != []) ''
<alias>
<family>${name}</family>
<prefer>
${concatStringsSep ""
(map (font: ''
<family>${font}</family>
'') fonts)}
</prefer>
</alias>
'';
in
pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default fonts -->
${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
${genDefault cfg.defaultFonts.serif "serif"}
${genDefault cfg.defaultFonts.monospace "monospace"}
</fontconfig>
'';
rejectType1 = pkgs.writeText "fc-53-no-type1.conf" ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
<!-- Reject Type 1 fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="fontformat"><string>Type 1</string></patelt>
</pattern>
</rejectfont>
</selectfont>
</fontconfig>
'';
in
{
options = {
fonts = {
fontconfig = {
penultimate = {
enable = mkOption {
type = types.bool;
default = true;
description = ''
Enable fontconfig-penultimate settings to supplement the
NixOS defaults by providing per-font rendering defaults and
metric aliases.
'';
};
};
};
};
};
config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {
fonts.fontconfig.confPackages = [ penultimateConf ];
};
}

2
nixos/modules/config/fonts/fontconfig-ultimate.nix
View File

@ -43,7 +43,7 @@ in
ultimate = {
enable = mkOption {
type = types.bool;
default = true;
default = false;
description = ''
Enable fontconfig-ultimate settings (formerly known as
Infinality). Besides the customizable settings in this NixOS

107
nixos/modules/config/fonts/fontconfig.nix
View File

@ -20,7 +20,7 @@ with lib;
let cfg = config.fonts.fontconfig;
fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
fcBool = x: "<bool>" + (boolToString x) + "</bool>";
# back-supported fontconfig version and package
# version is used for font cache generation
@ -75,23 +75,23 @@ let cfg = config.fonts.fontconfig;
<fontconfig>
<!-- Default rendering settings -->
<match target="font">
<edit mode="assign" name="hinting">
<match target="pattern">
<edit mode="append" name="hinting">
${fcBool cfg.hinting.enable}
</edit>
<edit mode="assign" name="autohint">
<edit mode="append" name="autohint">
${fcBool cfg.hinting.autohint}
</edit>
<edit mode="assign" name="hintstyle">
<const>hint${cfg.hinting.style}</const>
<edit mode="append" name="hintstyle">
<const>hintslight</const>
</edit>
<edit mode="assign" name="antialias">
<edit mode="append" name="antialias">
${fcBool cfg.antialias}
</edit>
<edit mode="assign" name="rgba">
<edit mode="append" name="rgba">
<const>${cfg.subpixel.rgba}</const>
</edit>
<edit mode="assign" name="lcdfilter">
<edit mode="append" name="lcdfilter">
<const>lcd${cfg.subpixel.lcdfilter}</const>
</edit>
</match>
@ -104,13 +104,6 @@ let cfg = config.fonts.fontconfig;
</match>
''}
<!-- Force autohint always -->
<match target="font">
<edit name="force_autohint" mode="assign">
${fcBool cfg.forceAutohint}
</edit>
</match>
</fontconfig>
'';
@ -174,13 +167,6 @@ let cfg = config.fonts.fontconfig;
</edit>
</match>
<!-- Render some monospace TTF fonts as bitmaps -->
<match target="pattern">
<edit name="bitmap_monospace" mode="assign">
${fcBool cfg.renderMonoTTFAsBitmap}
</edit>
</match>
</fontconfig>
'';
@ -304,7 +290,11 @@ in
antialias = mkOption {
type = types.bool;
default = true;
description = "Enable font antialiasing.";
description = ''
Enable font antialiasing. At high resolution (> 200 DPI),
antialiasing has no visible effect; users of such displays may want
to disable this option.
'';
};
dpi = mkOption {
@ -358,26 +348,21 @@ in
enable = mkOption {
type = types.bool;
default = true;
description = "Enable TrueType hinting.";
description = ''
Enable font hinting. Hinting aligns glyphs to pixel boundaries to
improve rendering sharpness at low resolution. At high resolution
(> 200 dpi) hinting will do nothing (at best); users of such
displays may want to disable this option.
'';
};
autohint = mkOption {
type = types.bool;
default = true;
default = false;
description = ''
Enable the autohinter, which provides hinting for otherwise
un-hinted fonts. The results are usually lower quality than
correctly-hinted fonts.
'';
};
style = mkOption {
type = types.enum ["none" "slight" "medium" "full"];
default = "full";
description = ''
TrueType hinting style, one of <literal>none</literal>,
<literal>slight</literal>, <literal>medium</literal>, or
<literal>full</literal>.
Enable the autohinter in place of the default interpreter.
The results are usually lower quality than correctly-hinted
fonts, but better than unhinted fonts.
'';
};
};
@ -398,7 +383,15 @@ in
default = "rgb";
type = types.enum ["rgb" "bgr" "vrgb" "vbgr" "none"];
description = ''
Subpixel order.
Subpixel order. The overwhelming majority of displays are
<literal>rgb</literal> in their normal orientation. Select
<literal>vrgb</literal> for mounting such a display 90 degrees
clockwise from its normal orientation or <literal>vbgr</literal>
for mounting 90 degrees counter-clockwise. Select
<literal>bgr</literal> in the unlikely event of mounting 180
degrees from the normal orientation. Reverse these directions in
the improbable event that the display's native subpixel order is
<literal>bgr</literal>.
'';
};
@ -406,7 +399,9 @@ in
default = "default";
type = types.enum ["none" "default" "light" "legacy"];
description = ''
FreeType LCD filter.
FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering
has no visible effect; users of such displays may want to select
<literal>none</literal>.
'';
};
@ -444,31 +439,19 @@ in
description = ''Use embedded bitmaps in fonts like Calibri.'';
};
forceAutohint = mkOption {
type = types.bool;
default = false;
description = ''
Force use of the TrueType Autohinter. Useful for debugging or
free-software purists.
'';
};
renderMonoTTFAsBitmap = mkOption {
type = types.bool;
default = false;
description = ''Render some monospace TTF fonts as bitmaps.'';
};
};
};
};
config = mkIf cfg.enable {
fonts.fontconfig.confPackages = [ confPkg ];
environment.systemPackages = [ pkgs.fontconfig ];
environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/";
};
config = mkMerge [
(mkIf cfg.enable {
environment.systemPackages = [ pkgs.fontconfig ];
environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/";
})
(mkIf (cfg.enable && !cfg.penultimate.enable) {
fonts.fontconfig.confPackages = [ confPkg ];
})
];
}

1
nixos/modules/config/fonts/fonts.nix
View File

@ -37,6 +37,7 @@ with lib;
pkgs.xorg.fontbhlucidatypewriter75dpi
pkgs.dejavu_fonts
pkgs.freefont_ttf
pkgs.gyre-fonts # TrueType substitutes for standard PostScript fonts
pkgs.liberation_ttf
pkgs.xorg.fontbh100dpi
pkgs.xorg.fontmiscmisc

28
nixos/modules/config/i18n.nix
View File

@ -2,21 +2,27 @@
with lib;
let
glibcLocales = pkgs.glibcLocales.override {
allLocales = any (x: x == "all") config.i18n.supportedLocales;
locales = config.i18n.supportedLocales;
};
in
{
###### interface
options = {
i18n = {
glibcLocales = mkOption {
type = types.path;
default = pkgs.glibcLocales.override {
allLocales = any (x: x == "all") config.i18n.supportedLocales;
locales = config.i18n.supportedLocales;
};
example = literalExample "pkgs.glibcLocales";
description = ''
Customized pkg.glibcLocales package.
Changing this option can disable handling of i18n.defaultLocale
and supportedLocale.
'';
};
defaultLocale = mkOption {
type = types.str;
default = "en_US.UTF-8";
@ -118,7 +124,7 @@ in
'');
environment.systemPackages =
optional (config.i18n.supportedLocales != []) glibcLocales;
optional (config.i18n.supportedLocales != []) config.i18n.glibcLocales;
environment.sessionVariables =
{ LANG = config.i18n.defaultLocale;
@ -126,7 +132,7 @@ in
};
systemd.globalEnvironment = mkIf (config.i18n.supportedLocales != []) {
LOCALE_ARCHIVE = "${glibcLocales}/lib/locale/locale-archive";
LOCALE_ARCHIVE = "${config.i18n.glibcLocales}/lib/locale/locale-archive";
};
# /etc/locale.conf is used by systemd.

4
nixos/modules/config/networking.nix
View File

@ -178,10 +178,10 @@ in
environment.etc =
{ # /etc/services: TCP/UDP port assignments.
"services".source = pkgs.iana_etc + "/etc/services";
"services".source = pkgs.iana-etc + "/etc/services";
# /etc/protocols: IP protocol numbers.
"protocols".source = pkgs.iana_etc + "/etc/protocols";
"protocols".source = pkgs.iana-etc + "/etc/protocols";
# /etc/rpc: RPC program numbers.
"rpc".source = pkgs.glibc.out + "/etc/rpc";

3
nixos/modules/config/shells-environment.nix
View File

@ -168,9 +168,6 @@ in
${cfg.extraInit}
# The setuid/setcap wrappers override other bin directories.
export PATH="${config.security.wrapperDir}:$PATH"
# ~/bin if it exists overrides other bin directories.
export PATH="$HOME/bin:$PATH"
'';

70
nixos/modules/config/update-users-groups.pl
View File

@ -6,6 +6,21 @@ use JSON;
make_path("/var/lib/nixos", { mode => 0755 });
# Keep track of deleted uids and gids.
my $uidMapFile = "/var/lib/nixos/uid-map";
my $uidMap = -e $uidMapFile ? decode_json(read_file($uidMapFile)) : {};
my $gidMapFile = "/var/lib/nixos/gid-map";
my $gidMap = -e $gidMapFile ? decode_json(read_file($gidMapFile)) : {};
sub updateFile {
my ($path, $contents, $perms) = @_;
write_file("$path.tmp", { binmode => ':utf8', perms => $perms // 0644 }, $contents);
rename("$path.tmp", $path) or die;
}
sub hashPassword {
my ($password) = @_;
my $salt = "";
@ -18,10 +33,10 @@ sub hashPassword {
# Functions for allocating free GIDs/UIDs. FIXME: respect ID ranges in
# /etc/login.defs.
sub allocId {
my ($used, $idMin, $idMax, $up, $getid) = @_;
my ($used, $prevUsed, $idMin, $idMax, $up, $getid) = @_;
my $id = $up ? $idMin : $idMax;
while ($id >= $idMin && $id <= $idMax) {
if (!$used->{$id} && !defined &$getid($id)) {
if (!$used->{$id} && !$prevUsed->{$id} && !defined &$getid($id)) {
$used->{$id} = 1;
return $id;
}
@ -31,23 +46,36 @@ sub allocId {
die "$0: out of free UIDs or GIDs\n";
}
my (%gidsUsed, %uidsUsed);
my (%gidsUsed, %uidsUsed, %gidsPrevUsed, %uidsPrevUsed);
sub allocGid {
return allocId(\%gidsUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
my ($name) = @_;
my $prevGid = $gidMap->{$name};
if (defined $prevGid && !defined $gidsUsed{$prevGid}) {
print STDERR "reviving group '$name' with GID $prevGid\n";
$gidsUsed{$prevGid} = 1;
return $prevGid;
}
return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
}
sub allocUid {
my ($isSystemUser) = @_;
my ($name, $isSystemUser) = @_;
my ($min, $max, $up) = $isSystemUser ? (400, 499, 0) : (1000, 29999, 1);
return allocId(\%uidsUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
my $prevUid = $uidMap->{$name};
if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) {
print STDERR "reviving user '$name' with UID $prevUid\n";
$uidsUsed{$prevUid} = 1;
return $prevUid;
}
return allocId(\%uidsUsed, \%uidsPrevUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
}
# Read the declared users/groups.
my $spec = decode_json(read_file($ARGV[0]));
# Don't allocate UIDs/GIDs that are already in use.
# Don't allocate UIDs/GIDs that are manually assigned.
foreach my $g (@{$spec->{groups}}) {
$gidsUsed{$g->{gid}} = 1 if defined $g->{gid};
}
@ -56,6 +84,11 @@ foreach my $u (@{$spec->{users}}) {
$uidsUsed{$u->{uid}} = 1 if defined $u->{uid};
}
# Likewise for previously used but deleted UIDs/GIDs.
$uidsPrevUsed{$_} = 1 foreach values %{$uidMap};
$gidsPrevUsed{$_} = 1 foreach values %{$gidMap};
# Read the current /etc/group.
sub parseGroup {
chomp;
@ -114,16 +147,18 @@ foreach my $g (@{$spec->{groups}}) {
}
}
} else {
$g->{gid} = allocGid if !defined $g->{gid};
$g->{gid} = allocGid($name) if !defined $g->{gid};
$g->{password} = "x";
}
$g->{members} = join ",", sort(keys(%members));
$groupsOut{$name} = $g;
$gidMap->{$name} = $g->{gid};
}
# Update the persistent list of declarative groups.
write_file($declGroupsFile, { binmode => ':utf8' }, join(" ", sort(keys %groupsOut)));
updateFile($declGroupsFile, join(" ", sort(keys %groupsOut)));
# Merge in the existing /etc/group.
foreach my $name (keys %groupsCur) {
@ -140,8 +175,8 @@ foreach my $name (keys %groupsCur) {
# Rewrite /etc/group. FIXME: acquire lock.
my @lines = map { join(":", $_->{name}, $_->{password}, $_->{gid}, $_->{members}) . "\n" }
(sort { $a->{gid} <=> $b->{gid} } values(%groupsOut));
write_file("/etc/group.tmp", { binmode => ':utf8' }, @lines);
rename("/etc/group.tmp", "/etc/group") or die;
updateFile($gidMapFile, encode_json($gidMap));
updateFile("/etc/group", \@lines);
system("nscd --invalidate group");
# Generate a new /etc/passwd containing the declared users.
@ -167,7 +202,7 @@ foreach my $u (@{$spec->{users}}) {
$u->{uid} = $existing->{uid};
}
} else {
$u->{uid} = allocUid($u->{isSystemUser}) if !defined $u->{uid};
$u->{uid} = allocUid($name, $u->{isSystemUser}) if !defined $u->{uid};
if (defined $u->{initialPassword}) {
$u->{hashedPassword} = hashPassword($u->{initialPassword});
@ -195,10 +230,12 @@ foreach my $u (@{$spec->{users}}) {
$u->{fakePassword} = $existing->{fakePassword} // "x";
$usersOut{$name} = $u;
$uidMap->{$name} = $u->{uid};
}
# Update the persistent list of declarative users.
write_file($declUsersFile, { binmode => ':utf8' }, join(" ", sort(keys %usersOut)));
updateFile($declUsersFile, join(" ", sort(keys %usersOut)));
# Merge in the existing /etc/passwd.
foreach my $name (keys %usersCur) {
@ -214,8 +251,8 @@ foreach my $name (keys %usersCur) {
# Rewrite /etc/passwd. FIXME: acquire lock.
@lines = map { join(":", $_->{name}, $_->{fakePassword}, $_->{uid}, $_->{gid}, $_->{description}, $_->{home}, $_->{shell}) . "\n" }
(sort { $a->{uid} <=> $b->{uid} } (values %usersOut));
write_file("/etc/passwd.tmp", { binmode => ':utf8' }, @lines);
rename("/etc/passwd.tmp", "/etc/passwd") or die;
updateFile($uidMapFile, encode_json($uidMap));
updateFile("/etc/passwd", \@lines);
system("nscd --invalidate passwd");
@ -242,5 +279,4 @@ foreach my $u (values %usersOut) {
push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::::") . "\n";
}
write_file("/etc/shadow.tmp", { binmode => ':utf8', perms => 0600 }, @shadowNew);
rename("/etc/shadow.tmp", "/etc/shadow") or die;
updateFile("/etc/shadow", \@shadowNew, 0600);

1
nixos/modules/hardware/all-firmware.nix
View File

@ -26,6 +26,7 @@ with lib;
firmwareLinuxNonfree
intel2200BGFirmware
rtl8723bs-firmware
rtl8192su-firmware
];
};

13
nixos/modules/installer/cd-dvd/channel.nix
View File

@ -6,6 +6,16 @@
with lib;
let
# Do not include these things:
# - The '.git' directory
# - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
# - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
filterFn = path: type: let basename = baseNameOf (toString path); in
if type == "directory" then basename != ".git"
else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
nixpkgs = builtins.filterSource filterFn pkgs.path;
# We need a copy of the Nix expressions for Nixpkgs and NixOS on the
# CD. These are installed into the "nixos" channel of the root
@ -15,12 +25,11 @@ let
{ }
''
mkdir -p $out
cp -prd ${pkgs.path} $out/nixos
cp -prd ${nixpkgs} $out/nixos
chmod -R u+w $out/nixos
if [ ! -e $out/nixos/nixpkgs ]; then
ln -s . $out/nixos/nixpkgs
fi
rm -rf $out/nixos/.git
echo -n ${config.system.nixosVersionSuffix} > $out/nixos/.version-suffix
'';

6
nixos/modules/installer/tools/nix-fallback-paths.nix
View File

@ -1,5 +1,5 @@
{
x86_64-linux = "/nix/store/j6q3pb75q1sbk0xsa5x6a629ph98ycdl-nix-1.11.8";
i686-linux = "/nix/store/4m6ps568l988bbr1p2k3w9raq3rblppi-nix-1.11.8";
x86_64-darwin = "/nix/store/cc5q944yn3j2hrs8k0kxx9r2mk9mni8a-nix-1.11.8";
x86_64-linux = "/nix/store/71im965h634iy99zsmlncw6qhx5jcclx-nix-1.11.9";
i686-linux = "/nix/store/cgvavixkayc36l6kl92i8mxr6k0p2yhy-nix-1.11.9";
x86_64-darwin = "/nix/store/w1c96v5yxvdmq4nvqlxjvg6kp7xa2lag-nix-1.11.9";
}

153
nixos/modules/installer/tools/nixos-install.sh
View File

@ -87,38 +87,6 @@ if ! test -e "$mountPoint"; then
exit 1
fi
# Mount some stuff in the target root directory.
mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
mkdir -m 01777 -p $mountPoint/tmp
mkdir -m 0755 -p $mountPoint/tmp/root
mkdir -m 0755 -p $mountPoint/var
mkdir -m 0700 -p $mountPoint/root
mount --rbind /dev $mountPoint/dev
mount --rbind /proc $mountPoint/proc
mount --rbind /sys $mountPoint/sys
mount --rbind / $mountPoint/tmp/root
mount -t tmpfs -o "mode=0755" none $mountPoint/run
rm -rf $mountPoint/var/run
ln -s /run $mountPoint/var/run
for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
for f in /etc/passwd /etc/group; do touch $mountPoint/$f; [ -f "$f" ] && mount --rbind -o ro $f $mountPoint/$f; done
cp -Lf "@cacert@" "$mountPoint/tmp/ca-cert.crt"
export SSL_CERT_FILE=/tmp/ca-cert.crt
# For Nix 1.7
export CURL_CA_BUNDLE=/tmp/ca-cert.crt
if [ -n "$runChroot" ]; then
if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then
echo "$0: installation not finished; cannot chroot into installation directory"
exit 1
fi
ln -s /nix/var/nix/profiles/system $mountPoint/run/current-system
exec chroot $mountPoint "${chrootCommand[@]}"
fi
# Get the path of the NixOS configuration file.
if test -z "$NIXOS_CONFIG"; then
NIXOS_CONFIG=/etc/nixos/configuration.nix
@ -130,121 +98,60 @@ if [ ! -e "$mountPoint/$NIXOS_CONFIG" ] && [ -z "$closure" ]; then
fi
# Create the necessary Nix directories on the target device, if they
# don't already exist.
mkdir -m 0755 -p \
$mountPoint/nix/var/nix/gcroots \
$mountPoint/nix/var/nix/temproots \
$mountPoint/nix/var/nix/userpool \
$mountPoint/nix/var/nix/profiles \
$mountPoint/nix/var/nix/db \
$mountPoint/nix/var/log/nix/drvs
mkdir -m 1775 -p $mountPoint/nix/store
chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store
# There is no daemon in the chroot.
unset NIX_REMOTE
# We don't have locale-archive in the chroot, so clear $LANG.
export LANG=
export LC_ALL=
export LC_TIME=
# Builds will use users that are members of this group
extraBuildFlags+=(--option "build-users-group" "$buildUsersGroup")
# Inherit binary caches from the host
# TODO: will this still work with Nix 1.12 now that it has no perl? Probably not...
binary_caches="$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')"
extraBuildFlags+=(--option "binary-caches" "$binary_caches")
nixpkgs="$(readlink -f "$(nix-instantiate --find-file nixpkgs)")"
export NIX_PATH="nixpkgs=$nixpkgs:nixos-config=$mountPoint/$NIXOS_CONFIG"
unset NIXOS_CONFIG
# Copy Nix to the Nix store on the target device, unless it's already there.
if ! NIX_DB_DIR=$mountPoint/nix/var/nix/db nix-store --check-validity @nix@ 2> /dev/null; then
echo "copying Nix to $mountPoint...."
for i in $(@perl@/bin/perl @pathsFromGraph@ @nixClosure@); do
echo " $i"
chattr -R -i $mountPoint/$i 2> /dev/null || true # clear immutable bit
@rsync@/bin/rsync -a $i $mountPoint/nix/store/
done
# Register the paths in the Nix closure as valid. This is necessary
# to prevent them from being deleted the first time we install
# something. (I.e., Nix will see that, e.g., the glibc path is not
# valid, delete it to get it out of the way, but as a result nothing
# will work anymore.)
chroot $mountPoint @nix@/bin/nix-store --register-validity < @nixClosure@
fi
# TODO: do I need to set NIX_SUBSTITUTERS here or is the --option binary-caches above enough?
# Create the required /bin/sh symlink; otherwise lots of things
# (notably the system() function) won't work.
mkdir -m 0755 -p $mountPoint/bin
# !!! assuming that @shell@ is in the closure
ln -sf @shell@ $mountPoint/bin/sh
# A place to drop temporary closures
trap "rm -rf $tmpdir" EXIT
tmpdir="$(mktemp -d)"
# Build a closure (on the host; we then copy it into the guest)
function closure() {
nix-build "${extraBuildFlags[@]}" --no-out-link -E "with import <nixpkgs> {}; runCommand \"closure\" { exportReferencesGraph = [ \"x\" (buildEnv { name = \"env\"; paths = [ ($1) stdenv ]; }) ]; } \"cp x \$out\""
}
# Build hooks likely won't function correctly in the minimal chroot; just disable them.
unset NIX_BUILD_HOOK
# Make the build below copy paths from the CD if possible. Note that
# /tmp/root in the chroot is the root of the CD.
export NIX_OTHER_STORES=/tmp/root/nix:$NIX_OTHER_STORES
p=@nix@/libexec/nix/substituters
export NIX_SUBSTITUTERS=$p/copy-from-other-stores.pl:$p/download-from-binary-cache.pl
system_closure="$tmpdir/system.closure"
if [ -z "$closure" ]; then
# Get the absolute path to the NixOS/Nixpkgs sources.
nixpkgs="$(readlink -f $(nix-instantiate --find-file nixpkgs))"
nixEnvAction="-f <nixpkgs/nixos> --set -A system"
expr="(import <nixpkgs/nixos> {}).system"
system_root="$(nix-build -E "$expr")"
system_closure="$(closure "$expr")"
else
nixpkgs=""
nixEnvAction="--set $closure"
system_root=$closure
# Create a temporary file ending in .closure (so nixos-prepare-root knows to --import it) to transport the store closure
# to the filesytem we're preparing. Also delete it on exit!
nix-store --export $(nix-store -qR $closure) > $system_closure
fi
# Build the specified Nix expression in the target store and install
# it into the system configuration profile.
echo "building the system configuration..."
NIX_PATH="nixpkgs=/tmp/root/$nixpkgs:nixos-config=$NIXOS_CONFIG" NIXOS_CONFIG= \
chroot $mountPoint @nix@/bin/nix-env \
"${extraBuildFlags[@]}" -p /nix/var/nix/profiles/system $nixEnvAction
channel_root="$(nix-env -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")"
channel_closure="$tmpdir/channel.closure"
nix-store --export $channel_root > $channel_closure
# Populate the target root directory with the basics
@prepare_root@/bin/nixos-prepare-root $mountPoint $channel_root $system_root @nixClosure@ $system_closure $channel_closure
# Copy the NixOS/Nixpkgs sources to the target as the initial contents
# of the NixOS channel.
mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles
mkdir -m 1777 -p $mountPoint/nix/var/nix/profiles/per-user
mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles/per-user/root
srcs=$(nix-env "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")
if [ -z "$noChannelCopy" ] && [ -n "$srcs" ]; then
echo "copying NixOS/Nixpkgs sources..."
chroot $mountPoint @nix@/bin/nix-env \
"${extraBuildFlags[@]}" -p /nix/var/nix/profiles/per-user/root/channels -i "$srcs" --quiet
fi
mkdir -m 0700 -p $mountPoint/root/.nix-defexpr
ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels
# Get rid of the /etc bind mounts.
for f in /etc/passwd /etc/group; do [ -f "$f" ] && umount $mountPoint/$f; done
# nixos-prepare-root doesn't currently do anything with file ownership, so we set it up here instead
chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store
mount --rbind /dev $mountPoint/dev
mount --rbind /proc $mountPoint/proc
mount --rbind /sys $mountPoint/sys
# Grub needs an mtab.
ln -sfn /proc/mounts $mountPoint/etc/mtab
# Mark the target as a NixOS installation, otherwise
# switch-to-configuration will chicken out.
touch $mountPoint/etc/NIXOS
# Switch to the new system configuration. This will install Grub with
# a menu default pointing at the kernel/initrd/etc of the new
# configuration.

105
nixos/modules/installer/tools/nixos-prepare-root.sh Normal file
View File

@ -0,0 +1,105 @@
#! @shell@
# This script's goal is to perform all "static" setup of a filesystem structure from pre-built store paths. Everything
# in here should run in a non-root context and inside a Nix builder. It's designed primarily to be called from image-
# building scripts and from nixos-install, but because it makes very few assumptions about the context in which it runs,
# it could be useful in other contexts as well.
#
# Current behavior:
# - set up basic filesystem structure
# - make Nix store etc.
# - copy Nix, system, channel, and misceallaneous closures to target Nix store
# - register validity of all paths in the target store
# - set up channel and system profiles
# Ensure a consistent umask.
umask 0022
set -e
mountPoint="$1"
channel="$2"
system="$3"
shift 3
closures="$@"
PATH="@coreutils@/bin:@nix@/bin:@perl@/bin:@utillinux@/bin:@rsync@/bin"
if ! test -e "$mountPoint"; then
echo "mount point $mountPoint doesn't exist"
exit 1
fi
# Create a few of the standard directories in the target root directory.
mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
mkdir -m 01777 -p $mountPoint/tmp
mkdir -m 0755 -p $mountPoint/tmp/root
mkdir -m 0755 -p $mountPoint/var
mkdir -m 0700 -p $mountPoint/root
ln -s /run $mountPoint/var/run
# Create the necessary Nix directories on the target device
mkdir -m 0755 -p \
$mountPoint/nix/var/nix/gcroots \
$mountPoint/nix/var/nix/temproots \
$mountPoint/nix/var/nix/userpool \
$mountPoint/nix/var/nix/profiles \
$mountPoint/nix/var/nix/db \
$mountPoint/nix/var/log/nix/drvs
mkdir -m 1775 -p $mountPoint/nix/store
# All Nix operations below should operate on our target store, not /nix/store.
# N.B: this relies on Nix 1.12 or higher
export NIX_REMOTE=local?root=$mountPoint
# Copy our closures to the Nix store on the target mount point, unless they're already there.
for i in $closures; do
# We support closures both in the format produced by `nix-store --export` and by `exportReferencesGraph`,
# mostly because there doesn't seem to be a single format that can be produced outside of a nix build and
# inside one. See https://github.com/NixOS/nix/issues/1242 for more discussion.
if [[ "$i" =~ \.closure$ ]]; then
echo "importing serialized closure $i to $mountPoint..."
nix-store --import < $i
else
# There has to be a better way to do this, right?
echo "copying closure $i to $mountPoint..."
for j in $(perl @pathsFromGraph@ $i); do
echo " $j... "
rsync -a $j $mountPoint/nix/store/
done
nix-store --option build-users-group root --register-validity < $i
fi
done
# Create the required /bin/sh symlink; otherwise lots of things
# (notably the system() function) won't work.
if [ ! -x $mountPoint/@shell@ ]; then
echo "Error: @shell@ wasn't included in the closure" >&2
exit 1
fi
mkdir -m 0755 -p $mountPoint/bin
ln -sf @shell@ $mountPoint/bin/sh
echo "setting the system closure to '$system'..."
nix-env "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/system --set "$system"
ln -sfn /nix/var/nix/profiles/system $mountPoint/run/current-system
# Copy the NixOS/Nixpkgs sources to the target as the initial contents of the NixOS channel.
mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles
mkdir -m 1777 -p $mountPoint/nix/var/nix/profiles/per-user
mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles/per-user/root
if [ -z "$noChannelCopy" ] && [ -n "$channel" ]; then
echo "copying channel..."
nix-env --option build-use-substitutes false "${extraBuildFlags[@]}" -p $mountPoint/nix/var/nix/profiles/per-user/root/channels --set "$channel" --quiet
fi
mkdir -m 0700 -p $mountPoint/root/.nix-defexpr
ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels
# Mark the target as a NixOS installation, otherwise switch-to-configuration will chicken out.
touch $mountPoint/etc/NIXOS

13
nixos/modules/installer/tools/tools.nix
View File

@ -4,7 +4,6 @@
{ config, pkgs, modulesPath, ... }:
let
cfg = config.installer;
makeProg = args: pkgs.substituteAll (args // {
@ -17,6 +16,14 @@ let
src = ./nixos-build-vms/nixos-build-vms.sh;
};
nixos-prepare-root = makeProg {
name = "nixos-prepare-root";
src = ./nixos-prepare-root.sh;
nix = pkgs.nixUnstable;
inherit (pkgs) perl pathsFromGraph rsync utillinux coreutils;
};
nixos-install = makeProg {
name = "nixos-install";
src = ./nixos-install.sh;
@ -26,6 +33,7 @@ let
cacert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
root_uid = config.ids.uids.root;
nixbld_gid = config.ids.gids.nixbld;
prepare_root = nixos-prepare-root;
nixClosure = pkgs.runCommand "closure"
{ exportReferencesGraph = ["refs" config.nix.package.out]; }
@ -69,6 +77,7 @@ in
environment.systemPackages =
[ nixos-build-vms
nixos-prepare-root
nixos-install
nixos-rebuild
nixos-generate-config
@ -77,7 +86,7 @@ in
];
system.build = {
inherit nixos-install nixos-generate-config nixos-option nixos-rebuild;
inherit nixos-install nixos-prepare-root nixos-generate-config nixos-option nixos-rebuild;
};
};

10
nixos/modules/misc/extra-arguments.nix
View File

@ -2,16 +2,6 @@
{
_module.args = {
pkgs_i686 = import ../../.. {
system = "i686-linux";
# FIXME: we enable config.allowUnfree to make packages like
# nvidia-x11 available. This isn't a problem because if the user has
# nixpkgs.config.allowUnfree = false, then evaluation will fail on
# the 64-bit package anyway. However, it would be cleaner to respect
# nixpkgs.config here.
config.allowUnfree = true;
};
utils = import ../../lib/utils.nix pkgs;
};
}

8
nixos/modules/misc/ids.nix
View File

@ -289,6 +289,10 @@
rpc = 271;
geoip = 272;
fcron = 273;
sonarr = 274;
radarr = 275;
jackett = 276;
aria2 = 277;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -547,6 +551,10 @@
#rpc = 271; # unused
#geoip = 272; # unused
fcron = 273;
sonarr = 274;
radarr = 275;
jackett = 276;
aria2 = 277;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

7
nixos/modules/misc/nixpkgs.nix
View File

@ -42,6 +42,8 @@ let
merge = lib.mergeOneOption;
};
_pkgs = import ../../.. config.nixpkgs;
in
{
@ -97,6 +99,9 @@ in
};
config = {
_module.args.pkgs = import ../../.. config.nixpkgs;
_module.args = {
pkgs = _pkgs;
pkgs_i686 = _pkgs.pkgsi686Linux;
};
};
}

22
nixos/modules/module-list.nix
View File

@ -1,8 +1,9 @@
[
./config/debug-info.nix
./config/fonts/corefonts.nix
./config/fonts/fontconfig-ultimate.nix
./config/fonts/fontconfig.nix
./config/fonts/fontconfig-penultimate.nix
./config/fonts/fontconfig-ultimate.nix
./config/fonts/fontdir.nix
./config/fonts/fonts.nix
./config/fonts/ghostscript.nix
@ -87,7 +88,9 @@
./programs/mtr.nix
./programs/nano.nix
./programs/oblogout.nix
./programs/qt5ct.nix
./programs/screen.nix
./programs/slock.nix
./programs/shadow.nix
./programs/shell.nix
./programs/spacefm.nix
@ -100,7 +103,9 @@
./programs/wvdial.nix
./programs/xfs_quota.nix
./programs/xonsh.nix
./programs/zsh/oh-my-zsh.nix
./programs/zsh/zsh.nix
./programs/zsh/zsh-syntax-highlighting.nix
./rename.nix
./security/acme.nix
./security/apparmor.nix
@ -112,6 +117,7 @@
./security/duosec.nix
./security/grsecurity.nix
./security/hidepid.nix
./security/lock-kernel-modules.nix
./security/oath.nix
./security/pam.nix
./security/pam_usb.nix
@ -129,6 +135,7 @@
./services/audio/liquidsoap.nix
./services/audio/mpd.nix
./services/audio/mopidy.nix
./services/audio/slimserver.nix
./services/audio/squeezelite.nix
./services/audio/ympd.nix
./services/backup/almir.nix
@ -137,7 +144,6 @@
./services/backup/mysql-backup.nix
./services/backup/postgresql-backup.nix
./services/backup/rsnapshot.nix
./services/backup/sitecopy-backup.nix
./services/backup/tarsnap.nix
./services/backup/znapzend.nix
./services/cluster/fleet.nix
@ -247,6 +253,7 @@
./services/mail/rmilter.nix
./services/misc/apache-kafka.nix
./services/misc/autofs.nix
./services/misc/autorandr.nix
./services/misc/bepasty.nix
./services/misc/canto-daemon.nix
./services/misc/calibre-server.nix
@ -274,6 +281,7 @@
./services/misc/gpsd.nix
#./services/misc/ihaskell.nix
./services/misc/irkerd.nix
./services/misc/jackett.nix
./services/misc/leaps.nix
./services/misc/mantisbt.nix
./services/misc/mathics.nix
@ -294,6 +302,7 @@
./services/misc/parsoid.nix
./services/misc/phd.nix
./services/misc/plex.nix
./services/misc/radarr.nix
./services/misc/redmine.nix
./services/misc/rippled.nix
./services/misc/ripple-rest.nix
@ -415,6 +424,7 @@
./services/networking/i2p.nix
./services/networking/iodine.nix
./services/networking/ircd-hybrid/default.nix
./services/networking/keepalived/default.nix
./services/networking/kippo.nix
./services/networking/kresd.nix
./services/networking/lambdabot.nix
@ -453,7 +463,7 @@
./services/networking/prayer.nix
./services/networking/privoxy.nix
./services/networking/prosody.nix
./services/networking/quagga.nix
# ./services/networking/quagga.nix
./services/networking/quassel.nix
./services/networking/racoon.nix
./services/networking/radicale.nix
@ -496,6 +506,7 @@
./services/networking/wpa_supplicant.nix
./services/networking/xinetd.nix
./services/networking/xl2tpd.nix
./services/networking/xrdp.nix
./services/networking/zerobin.nix
./services/networking/zerotierone.nix
./services/networking/znc.nix
@ -521,12 +532,14 @@
./services/security/munge.nix
./services/security/oauth2_proxy.nix
./services/security/physlock.nix
./services/security/torify.nix
./services/security/sshguard.nix
./services/security/tor.nix
./services/security/torify.nix
./services/security/torsocks.nix
./services/system/cgmanager.nix
./services/system/cloud-init.nix
./services/system/dbus.nix
./services/system/earlyoom.nix
./services/system/kerberos.nix
./services/system/nscd.nix
./services/system/uptimed.nix
@ -654,6 +667,7 @@
./tasks/scsi-link-power-management.nix
./tasks/swraid.nix
./tasks/trackpoint.nix
./tasks/powertop.nix
./testing/service-runner.nix
./virtualisation/container-config.nix
./virtualisation/containers.nix

62
nixos/modules/profiles/hardened.nix Normal file
View File

@ -0,0 +1,62 @@
# A profile with most (vanilla) hardening options enabled by default,
# potentially at the cost of features and performance.
{ config, lib, pkgs, ... }:
with lib;
{
boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
security.hideProcessInformation = mkDefault true;
security.lockKernelModules = mkDefault true;
security.apparmor.enable = mkDefault true;
boot.kernelParams = [
# Overwrite free'd memory
"page_poison=1"
# Disable legacy virtual syscalls
"vsyscall=none"
# Disable hibernation (allows replacing the running kernel)
"nohibernate"
];
# Restrict ptrace() usage to processes with a pre-defined relationship
# (e.g., parent/child)
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
# Restrict access to kernel ring buffer (information leaks)
boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
# Hide kptrs even for processes with CAP_SYSLOG
boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
# Unprivileged access to bpf() has been used for privilege escalation in
# the past
boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
# Disable bpf() JIT (to eliminate spray attacks)
boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
# ... or at least apply some hardening to it
boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
# A recurring problem with user namespaces is that there are
# still code paths where the kernel's permission checking logic
# fails to account for namespacing, instead permitting a
# namespaced process to act outside the namespace with the
# same privileges as it would have inside it. This is particularly
# bad in the common case of running as root within the namespace.
#
# Setting the number of allowed userns to 0 effectively disables
# the feature at runtime. Attempting to create a user namespace
# with unshare will then fail with "no space left on device".
boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
}

93
nixos/modules/programs/command-not-found/command-not-found.nix
View File

@ -8,13 +8,14 @@
with lib;
let
cfg = config.programs.command-not-found;
commandNotFound = pkgs.substituteAll {
name = "command-not-found";
dir = "bin";
src = ./command-not-found.pl;
isExecutable = true;
inherit (pkgs) perl;
inherit (cfg) dbPath;
perlFlags = concatStrings (map (path: "-I ${path}/lib/perl5/site_perl ")
[ pkgs.perlPackages.DBI pkgs.perlPackages.DBDSQLite pkgs.perlPackages.StringShellQuote ]);
};
@ -22,50 +23,66 @@ let
in
{
options.programs.command-not-found = {
programs.bash.interactiveShellInit =
''
# This function is called whenever a command is not found.
command_not_found_handle() {
local p=/run/current-system/sw/bin/command-not-found
if [ -x $p -a -f /nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite ]; then
# Run the helper program.
$p "$@"
# Retry the command if we just installed it.
if [ $? = 126 ]; then
"$@"
enable = mkEnableOption "command-not-found hook for interactive shell";
dbPath = mkOption {
default = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite" ;
description = ''
Absolute path to programs.sqlite.
By default this file will be provided by your channel
(nixexprs.tar.xz).
'';
type = types.path;
};
};
config = mkIf cfg.enable {
programs.bash.interactiveShellInit =
''
# This function is called whenever a command is not found.
command_not_found_handle() {
local p=${commandNotFound}/bin/command-not-found
if [ -x $p -a -f ${cfg.dbPath} ]; then
# Run the helper program.
$p "$@"
# Retry the command if we just installed it.
if [ $? = 126 ]; then
"$@"
else
return 127
fi
else
echo "$1: command not found" >&2
return 127
fi
else
echo "$1: command not found" >&2
return 127
fi
}
'';
}
'';
programs.zsh.interactiveShellInit =
''
# This function is called whenever a command is not found.
command_not_found_handler() {
local p=/run/current-system/sw/bin/command-not-found
if [ -x $p -a -f /nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite ]; then
# Run the helper program.
$p "$@"
programs.zsh.interactiveShellInit =
''
# This function is called whenever a command is not found.
command_not_found_handler() {
local p=${commandNotFound}/bin/command-not-found
if [ -x $p -a -f ${cfg.dbPath} ]; then
# Run the helper program.
$p "$@"
# Retry the command if we just installed it.
if [ $? = 126 ]; then
"$@"
# Retry the command if we just installed it.
if [ $? = 126 ]; then
"$@"
fi
else
# Indicate than there was an error so ZSH falls back to its default handler
echo "$1: command not found" >&2
return 127
fi
else
# Indicate than there was an error so ZSH falls back to its default handler
return 127
fi
}
'';
}
'';
environment.systemPackages = [ commandNotFound ];
# TODO: tab completion for uninstalled commands! :-)
environment.systemPackages = [ commandNotFound ];
};
}

2
nixos/modules/programs/command-not-found/command-not-found.pl
View File

@ -8,7 +8,7 @@ use Config;
my $program = $ARGV[0];
my $dbPath = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite";
my $dbPath = "@dbPath@";
my $dbh = DBI->connect("dbi:SQLite:dbname=$dbPath", "", "")
or die "cannot open database `$dbPath'";

2
nixos/modules/programs/environment.nix
View File

@ -20,6 +20,7 @@ in
{ NIXPKGS_CONFIG = "/etc/nix/nixpkgs-config.nix";
PAGER = mkDefault "less -R";
EDITOR = mkDefault "nano";
XCURSOR_PATH = "$HOME/.icons";
};
environment.profiles =
@ -42,6 +43,7 @@ in
GTK_PATH = [ "/lib/gtk-2.0" "/lib/gtk-3.0" ];
XDG_CONFIG_DIRS = [ "/etc/xdg" ];
XDG_DATA_DIRS = [ "/share" ];
XCURSOR_PATH = [ "/share/icons" ];
MOZ_PLUGIN_PATH = [ "/lib/mozilla/plugins" ];
LIBEXEC_PATH = [ "/lib/libexec" ];
};

31
nixos/modules/programs/qt5ct.nix Normal file
View File

@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
with lib;
{
meta.maintainers = [ maintainers.romildo ];
###### interface
options = {
programs.qt5ct = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Whether to enable the Qt5 Configuration Tool (qt5ct), a
program that allows users to configure Qt5 settings (theme,
font, icons, etc.) under desktop environments or window
manager without Qt integration.
Official home page: <link xlink:href="https://sourceforge.net/projects/qt5ct/">https://sourceforge.net/projects/qt5ct/</link>
'';
};
};
};
###### implementation
config = mkIf config.programs.qt5ct.enable {
environment.variables.QT_QPA_PLATFORMTHEME = "qt5ct";
environment.systemPackages = [ pkgs.qt5ct ];
};
}

26
nixos/modules/programs/slock.nix Normal file
View File

@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.slock;
in
{
options = {
programs.slock = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Whether to install slock screen locker with setuid wrapper.
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.slock ];
security.wrappers.slock.source = "${pkgs.slock.out}/bin/slock";
};
}

41
nixos/modules/programs/ssmtp.nix
View File

@ -39,7 +39,8 @@ in
example = "mail.example.org";
description = ''
The host name of the default mail server to use to deliver
e-mail.
e-mail. Can also contain a port number (ex: mail.example.org:587),
defaults to port 25 if no port is given.
'';
};
@ -95,6 +96,25 @@ in
example = "correctHorseBatteryStaple";
description = ''
Password used for SMTP auth. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
It's recommended to use <option>authPassFile</option>
which takes precedence over <option>authPass</option>.
'';
};
authPassFile = mkOption {
type = types.nullOr types.str;
default = null;
example = "/run/keys/ssmtp-authpass";
description = ''
Path to a file that contains the password used for SMTP auth. The file
should not contain a trailing newline, if the password does not contain one.
This file should be readable by the users that need to execute ssmtp.
<option>authPassFile</option> takes precedence over <option>authPass</option>.
Warning: when <option>authPass</option> is non-empty <option>authPassFile</option>
defaults to a file in the WORLD-READABLE Nix store containing that password.
'';
};
@ -111,17 +131,24 @@ in
config = mkIf cfg.directDelivery {
networking.defaultMailServer.authPassFile = mkIf (cfg.authPass != "")
(mkDefault (toString (pkgs.writeTextFile {
name = "ssmtp-authpass";
text = cfg.authPass;
})));
environment.etc."ssmtp/ssmtp.conf".text =
let yesNo = yes : if yes then "YES" else "NO"; in
''
MailHub=${cfg.hostName}
FromLineOverride=YES
${if cfg.root != "" then "root=${cfg.root}" else ""}
${if cfg.domain != "" then "rewriteDomain=${cfg.domain}" else ""}
UseTLS=${if cfg.useTLS then "YES" else "NO"}
UseSTARTTLS=${if cfg.useSTARTTLS then "YES" else "NO"}
${optionalString (cfg.root != "") "root=${cfg.root}"}
${optionalString (cfg.domain != "") "rewriteDomain=${cfg.domain}"}
UseTLS=${yesNo cfg.useTLS}
UseSTARTTLS=${yesNo cfg.useSTARTTLS}
#Debug=YES
${if cfg.authUser != "" then "AuthUser=${cfg.authUser}" else ""}
${if cfg.authPass != "" then "AuthPass=${cfg.authPass}" else ""}
${optionalString (cfg.authUser != "") "AuthUser=${cfg.authUser}"}
${optionalString (!isNull cfg.authPassFile) "AuthPassFile=${cfg.authPassFile}"}
'';
environment.systemPackages = [pkgs.ssmtp];

66
nixos/modules/programs/zsh/oh-my-zsh.nix Normal file
View File

@ -0,0 +1,66 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.zsh.oh-my-zsh;
in
{
options = {
programs.zsh.oh-my-zsh = {
enable = mkOption {
default = false;
description = ''
Enable oh-my-zsh.
'';
};
plugins = mkOption {
default = [];
type = types.listOf(types.str);
description = ''
List of oh-my-zsh plugins
'';
};
custom = mkOption {
default = "";
type = types.str;
description = ''
Path to a custom oh-my-zsh package to override config of oh-my-zsh.
'';
};
theme = mkOption {
default = "";
type = types.str;
description = ''
Name of the theme to be used by oh-my-zsh.
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ oh-my-zsh ];
programs.zsh.interactiveShellInit = with pkgs; with builtins; ''
# oh-my-zsh configuration generated by NixOS
export ZSH=${oh-my-zsh}/share/oh-my-zsh
${optionalString (length(cfg.plugins) > 0)
"plugins=(${concatStringsSep " " cfg.plugins})"
}
${optionalString (stringLength(cfg.custom) > 0)
"ZSH_CUSTOM=\"${cfg.custom}\""
}
${optionalString (stringLength(cfg.theme) > 0)
"ZSH_THEME=\"${cfg.theme}\""
}
source $ZSH/oh-my-zsh.sh
'';
};
}

53
nixos/modules/programs/zsh/zsh-syntax-highlighting.nix Normal file
View File

@ -0,0 +1,53 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.zsh.syntax-highlighting;
in
{
options = {
programs.zsh.syntax-highlighting = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enable zsh-syntax-highlighting.
'';
};
highlighters = mkOption {
default = [ "main" ];
# https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md
type = types.listOf(types.enum([
"main"
"brackets"
"pattern"
"cursor"
"root"
"line"
]));
description = ''
Specifies the highlighters to be used by zsh-syntax-highlighting.
The following defined options can be found here:
https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md
'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ zsh-syntax-highlighting ];
programs.zsh.interactiveShellInit = with pkgs; with builtins; ''
source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
${optionalString (length(cfg.highlighters) > 0)
"ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})"
}
'';
};
}

16
nixos/modules/programs/zsh/zsh.nix
View File

@ -84,14 +84,6 @@ in
type = types.bool;
};
enableSyntaxHighlighting = mkOption {
default = false;
description = ''
Enable zsh-syntax-highlighting
'';
type = types.bool;
};
enableAutosuggestions = mkOption {
default = false;
description = ''
@ -130,10 +122,6 @@ in
${if cfg.enableCompletion then "autoload -U compinit && compinit" else ""}
${optionalString (cfg.enableSyntaxHighlighting)
"source ${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
}
${optionalString (cfg.enableAutosuggestions)
"source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh"
}
@ -143,7 +131,6 @@ in
${cfge.interactiveShellInit}
HELPDIR="${pkgs.zsh}/share/zsh/$ZSH_VERSION/help"
'';
@ -206,8 +193,7 @@ in
environment.etc."zinputrc".source = ./zinputrc;
environment.systemPackages = [ pkgs.zsh ]
++ optional cfg.enableCompletion pkgs.nix-zsh-completions
++ optional cfg.enableSyntaxHighlighting pkgs.zsh-syntax-highlighting;
++ optional cfg.enableCompletion pkgs.nix-zsh-completions;
environment.pathsToLink = optional cfg.enableCompletion "/share/zsh";

9
nixos/modules/rename.nix
View File

@ -141,9 +141,6 @@ with lib;
# Unity3D
(mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
# fontconfig-ultimate
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "rendering" ] [ "fonts" "fontconfig" "ultimate" "preset" ])
# murmur
(mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ])
@ -202,7 +199,13 @@ with lib;
"See the 16.09 release notes for more information.")
(mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
(mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
(mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "")
(mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ]
"Set the option `services.xserver.displayManager.sddm.package' instead.")
(mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "")
(mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "")
# ZSH
(mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntax-highlighting" "enable" ])
];
}

11
nixos/modules/security/acme.nix
View File

@ -19,6 +19,12 @@ let
'';
};
domain = mkOption {
type = types.nullOr types.str;
default = null;
description = "Domain to fetch certificate for (defaults to the entry name)";
};
email = mkOption {
type = types.nullOr types.str;
default = null;
@ -157,9 +163,10 @@ in
servicesLists = mapAttrsToList certToServices cfg.certs;
certToServices = cert: data:
let
domain = if data.domain != null then data.domain else cert;
cpath = "${cfg.directory}/${cert}";
rights = if data.allowKeysForGroup then "750" else "700";
cmdline = [ "-v" "-d" cert "--default_root" data.webroot "--valid_min" cfg.validMin ]
cmdline = [ "-v" "-d" domain "--default_root" data.webroot "--valid_min" cfg.validMin ]
++ optionals (data.email != null) [ "--email" data.email ]
++ concatMap (p: [ "-f" p ]) data.plugins
++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
@ -178,7 +185,7 @@ in
path = [ pkgs.simp_le ];
preStart = ''
mkdir -p '${cfg.directory}'
chown '${data.user}:${data.group}' '${cfg.directory}'
chown -R '${data.user}:${data.group}' '${cfg.directory}'
if [ ! -d '${cpath}' ]; then
mkdir '${cpath}'
fi

2
nixos/modules/security/grsecurity.nix
View File

@ -13,7 +13,7 @@ in
{
meta = {
maintainers = with maintainers; [ joachifm ];
maintainers = with maintainers; [ ];
doc = ./grsecurity.xml;
};

8
nixos/modules/security/grsecurity.xml
View File

@ -26,9 +26,11 @@
<link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
Linux wiki page on grsecurity</link>.
<note><para>grsecurity/PaX is only available for the latest linux -stable
kernel; patches against older kernels are available from upstream only for
a fee.</para></note>
<warning><para>Upstream has ceased free support for grsecurity/PaX. See
<link xlink:href="https://grsecurity.net/passing_the_baton.php">
the announcement</link> for more information. Consequently, NixOS
support for grsecurity/PaX also must cease. Enabling this module will
result in a build error.</para></warning>
<note><para>We standardise on a desktop oriented configuration primarily due
to lack of resources. The grsecurity/PaX configuration state space is huge
and each configuration requires quite a bit of testing to ensure that the

36
nixos/modules/security/lock-kernel-modules.nix Normal file
View File

@ -0,0 +1,36 @@
{ config, lib, ... }:
with lib;
{
options = {
security.lockKernelModules = mkOption {
type = types.bool;
default = false;
description = ''
Disable kernel module loading once the system is fully initialised.
Module loading is disabled until the next reboot. Problems caused
by delayed module loading can be fixed by adding the module(s) in
question to <option>boot.kernelModules</option>.
'';
};
};
config = mkIf config.security.lockKernelModules {
systemd.services.disable-kernel-module-loading = rec {
description = "Disable kernel module loading";
wantedBy = [ config.systemd.defaultUnit ];
after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy;
script = "echo -n 1 > /proc/sys/kernel/modules_disabled";
unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
};
};
}

2
nixos/modules/security/polkit.nix
View File

@ -64,7 +64,7 @@ in
systemd.packages = [ pkgs.polkit.out ];
systemd.services.polkit.restartTriggers = [ config.system.path ];
systemd.services.polkit.unitConfig.X-StopIfChanged = false;
systemd.services.polkit.stopIfChanged = false;
# The polkit daemon reads action/rule files
environment.pathsToLink = [ "/share/polkit-1" ];

69
nixos/modules/services/audio/slimserver.nix Normal file
View File

@ -0,0 +1,69 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.slimserver;
in {
options = {
services.slimserver = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable slimserver.
'';
};
package = mkOption {
type = types.package;
default = pkgs.slimserver;
defaultText = "pkgs.slimserver";
description = "Slimserver package to use.";
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/slimserver";
description = ''
The directory where slimserver stores its state, tag cache,
playlists etc.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
systemd.services.slimserver = {
after = [ "network.target" ];
description = "Slim Server for Logitech Squeezebox Players";
wantedBy = [ "multi-user.target" ];
preStart = "mkdir -p ${cfg.dataDir} && chown -R slimserver:slimserver ${cfg.dataDir}";
serviceConfig = {
User = "slimserver";
PermissionsStartOnly = true;
ExecStart = "${cfg.package}/slimserver.pl --logdir ${cfg.dataDir}/logs --prefsdir ${cfg.dataDir}/prefs --cachedir ${cfg.dataDir}/cache";
};
};
users = {
users.slimserver = {
description = "Slimserver daemon user";
home = cfg.dataDir;
group = "slimserver";
};
groups.slimserver = {};
};
};
}

106
nixos/modules/services/backup/sitecopy-backup.nix
View File

@ -1,106 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (pkgs) sitecopy;
stateDir = "/var/spool/sitecopy";
sitecopyCron = backup : ''
${if backup ? period then backup.period else config.services.sitecopy.period} root ${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${backup.name}.conf --update ${backup.name} >> /var/log/sitecopy.log 2>&1
'';
in
{
options = {
services.sitecopy = {
enable = mkOption {
default = false;
description = ''
Whether to enable <command>sitecopy</command> backups of specified
directories.
'';
};
period = mkOption {
default = "15 04 * * *";
description = ''
This option defines (in the format used by <command>cron</command>)
when the <command>sitecopy</command> backups are to be run.
The default is to update at 04:15 (at night) every day.
'';
};
backups = mkOption {
example = [
{ name = "test";
local = "/tmp/backup";
remote = "/staff-groups/ewi/st/strategoxt/backup/test";
server = "webdata.tudelft.nl";
protocol = "webdav";
https = true ;
symlinks = "maintain" ;
}
];
default = [];
description = ''
List of attribute sets describing the backups.
Username/password are extracted from
<filename>${stateDir}/sitecopy.secrets</filename> at activation
time. The secrets file lines should have the following structure:
<screen>
server username password
</screen>
'';
};
};
};
config = mkIf config.services.sitecopy.enable {
environment.systemPackages = [ sitecopy ];
services.cron.systemCronJobs = map sitecopyCron config.services.sitecopy.backups;
system.activationScripts.sitecopyBackup = stringAfter [ "stdio" "users" ]
''
mkdir -m 0700 -p ${stateDir}
chown root ${stateDir}
touch ${stateDir}/sitecopy.secrets
chown root ${stateDir}/sitecopy.secrets
${lib.concatStrings (map ( b: ''
unset secrets
unset secret
secrets=`grep '^${b.server}' ${stateDir}/sitecopy.secrets | head -1`
secret=($secrets)
cat > ${stateDir}/${b.name}.conf << EOF
site ${b.name}
server ${b.server}
protocol ${b.protocol}
username ''${secret[1]}
password ''${secret[2]}
local ${b.local}
remote ${b.remote}
symlinks ${b.symlinks}
${if b.https then "http secure" else ""}
EOF
chmod 0600 ${stateDir}/${b.name}.conf
if ! test -e ${stateDir}/${b.name} ; then
echo " * Initializing sitecopy '${b.name}'"
${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${b.name}.conf --initialize ${b.name}
else
echo " * Sitecopy '${b.name}' already initialized"
fi
'' ) config.services.sitecopy.backups
)}
'';
};
}

39
nixos/modules/services/cluster/kubernetes.nix
View File

@ -45,7 +45,7 @@ let
cniConfig = pkgs.buildEnv {
name = "kubernetes-cni-config";
paths = imap (i: entry:
pkgs.writeTextDir "${10+i}-${entry.type}.conf" (builtins.toJSON entry)
pkgs.writeTextDir "${toString (10+i)}-${entry.type}.conf" (builtins.toJSON entry)
) cfg.kubelet.cni.config;
};
@ -597,7 +597,7 @@ in {
(mkIf cfg.kubelet.enable {
systemd.services.kubelet = {
description = "Kubernetes Kubelet Service";
wantedBy = [ "multi-user.target" ];
wantedBy = [ "kubernetes.target" ];
after = [ "network.target" "docker.service" "kube-apiserver.service" ];
path = with pkgs; [ gitMinimal openssh docker utillinux iproute ethtool thin-provisioning-tools iptables ];
preStart = ''
@ -606,14 +606,15 @@ in {
${concatMapStringsSep "\n" (p: "ln -fs ${p.plugins}/* /opt/cni/bin") cfg.kubelet.cni.packages}
'';
serviceConfig = {
Slice = "kubernetes.slice";
ExecStart = ''${cfg.package}/bin/kubelet \
--pod-manifest-path=${manifests} \
--kubeconfig=${kubeconfig} \
--require-kubeconfig \
--address=${cfg.kubelet.address} \
--port=${toString cfg.kubelet.port} \
--register-node=${if cfg.kubelet.registerNode then "true" else "false"} \
--register-schedulable=${if cfg.kubelet.registerSchedulable then "true" else "false"} \
--register-node=${boolToString cfg.kubelet.registerNode} \
--register-schedulable=${boolToString cfg.kubelet.registerSchedulable} \
${optionalString (cfg.kubelet.tlsCertFile != null)
"--tls-cert-file=${cfg.kubelet.tlsCertFile}"} \
${optionalString (cfg.kubelet.tlsKeyFile != null)
@ -621,7 +622,7 @@ in {
--healthz-bind-address=${cfg.kubelet.healthz.bind} \
--healthz-port=${toString cfg.kubelet.healthz.port} \
--hostname-override=${cfg.kubelet.hostname} \
--allow-privileged=${if cfg.kubelet.allowPrivileged then "true" else "false"} \
--allow-privileged=${boolToString cfg.kubelet.allowPrivileged} \
--root-dir=${cfg.dataDir} \
--cadvisor_port=${toString cfg.kubelet.cadvisorPort} \
${optionalString (cfg.kubelet.clusterDns != "")
@ -655,9 +656,10 @@ in {
(mkIf cfg.apiserver.enable {
systemd.services.kube-apiserver = {
description = "Kubernetes Kubelet Service";
wantedBy = [ "multi-user.target" ];
wantedBy = [ "kubernetes.target" ];
after = [ "network.target" "docker.service" ];
serviceConfig = {
Slice = "kubernetes.slice";
ExecStart = ''${cfg.package}/bin/kube-apiserver \
--etcd-servers=${concatStringsSep "," cfg.etcd.servers} \
${optionalString (cfg.etcd.caFile != null)
@ -670,14 +672,14 @@ in {
--bind-address=0.0.0.0 \
${optionalString (cfg.apiserver.advertiseAddress != null)
"--advertise-address=${cfg.apiserver.advertiseAddress}"} \
--allow-privileged=${if cfg.apiserver.allowPrivileged then "true" else "false"} \
--allow-privileged=${boolToString cfg.apiserver.allowPrivileged}\
${optionalString (cfg.apiserver.tlsCertFile != null)
"--tls-cert-file=${cfg.apiserver.tlsCertFile}"} \
${optionalString (cfg.apiserver.tlsKeyFile != null)
"--tls-private-key-file=${cfg.apiserver.tlsKeyFile}"} \
${optionalString (cfg.apiserver.tokenAuth != null)
"--token-auth-file=${cfg.apiserver.tokenAuth}"} \
--kubelet-https=${if cfg.apiserver.kubeletHttps then "true" else "false"} \
--kubelet-https=${boolToString cfg.apiserver.kubeletHttps} \
${optionalString (cfg.apiserver.kubeletClientCaFile != null)
"--kubelet-certificate-authority=${cfg.apiserver.kubeletClientCaFile}"} \
${optionalString (cfg.apiserver.kubeletClientCertFile != null)
@ -713,13 +715,14 @@ in {
(mkIf cfg.scheduler.enable {
systemd.services.kube-scheduler = {
description = "Kubernetes Scheduler Service";
wantedBy = [ "multi-user.target" ];
wantedBy = [ "kubernetes.target" ];
after = [ "kube-apiserver.service" ];
serviceConfig = {
Slice = "kubernetes.slice";
ExecStart = ''${cfg.package}/bin/kube-scheduler \
--address=${cfg.scheduler.address} \
--port=${toString cfg.scheduler.port} \
--leader-elect=${if cfg.scheduler.leaderElect then "true" else "false"} \
--leader-elect=${boolToString cfg.scheduler.leaderElect} \
--kubeconfig=${kubeconfig} \
${optionalString cfg.verbose "--v=6"} \
${optionalString cfg.verbose "--log-flush-frequency=1s"} \
@ -735,16 +738,17 @@ in {
(mkIf cfg.controllerManager.enable {
systemd.services.kube-controller-manager = {
description = "Kubernetes Controller Manager Service";
wantedBy = [ "multi-user.target" ];
wantedBy = [ "kubernetes.target" ];
after = [ "kube-apiserver.service" ];
serviceConfig = {
RestartSec = "30s";
Restart = "on-failure";
Slice = "kubernetes.slice";
ExecStart = ''${cfg.package}/bin/kube-controller-manager \
--address=${cfg.controllerManager.address} \
--port=${toString cfg.controllerManager.port} \
--kubeconfig=${kubeconfig} \
--leader-elect=${if cfg.controllerManager.leaderElect then "true" else "false"} \
--leader-elect=${boolToString cfg.controllerManager.leaderElect} \
${if (cfg.controllerManager.serviceAccountKeyFile!=null)
then "--service-account-private-key-file=${cfg.controllerManager.serviceAccountKeyFile}"
else "--service-account-private-key-file=/var/run/kubernetes/apiserver.key"} \
@ -767,10 +771,11 @@ in {
(mkIf cfg.proxy.enable {
systemd.services.kube-proxy = {
description = "Kubernetes Proxy Service";
wantedBy = [ "multi-user.target" ];
wantedBy = [ "kubernetes.target" ];
after = [ "kube-apiserver.service" ];
path = [pkgs.iptables];
serviceConfig = {
Slice = "kubernetes.slice";
ExecStart = ''${cfg.package}/bin/kube-proxy \
--kubeconfig=${kubeconfig} \
--bind-address=${cfg.proxy.address} \
@ -786,9 +791,10 @@ in {
(mkIf cfg.dns.enable {
systemd.services.kube-dns = {
description = "Kubernetes Dns Service";
wantedBy = [ "multi-user.target" ];
wantedBy = [ "kubernetes.target" ];
after = [ "kube-apiserver.service" ];
serviceConfig = {
Slice = "kubernetes.slice";
ExecStart = ''${cfg.package}/bin/kube-dns \
--kubecfg-file=${kubeconfig} \
--dns-port=${toString cfg.dns.port} \
@ -836,6 +842,11 @@ in {
cfg.proxy.enable ||
cfg.dns.enable
) {
systemd.targets.kubernetes = {
description = "Kubernetes";
wantedBy = [ "multi-user.target" ];
};
systemd.tmpfiles.rules = [
"d /opt/cni/bin 0755 root root -"
"d /var/run/kubernetes 0755 kubernetes kubernetes -"

13
nixos/modules/services/continuous-integration/gitlab-runner.nix
View File

@ -20,6 +20,14 @@ in
description = "The working directory used";
};
package = mkOption {
description = "Gitlab Runner package to use";
default = pkgs.gitlab-runner;
defaultText = "pkgs.gitlab-runner";
type = types.package;
example = literalExample "pkgs.gitlab-runner_1_11";
};
};
config = mkIf cfg.enable {
@ -29,7 +37,7 @@ in
requires = [ "docker.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''${pkgs.gitlab-runner.bin}/bin/gitlab-runner run \
ExecStart = ''${cfg.package.bin}/bin/gitlab-runner run \
--working-directory ${cfg.workDir} \
--config ${configFile} \
--service gitlab-runner \
@ -38,6 +46,9 @@ in
};
};
# Make the gitlab-runner command availabe so users can query the runner
environment.systemPackages = [ cfg.package ];
users.extraUsers.gitlab-runner = {
group = "gitlab-runner";
extraGroups = [ "docker" ];

3
nixos/modules/services/continuous-integration/hydra/default.nix
View File

@ -233,6 +233,7 @@ in
hydra_logo ${cfg.logo}
''}
gc_roots_dir ${cfg.gcRootsDir}
use-substitutes = ${if cfg.useSubstitutes then "1" else "0"}
'';
environment.systemPackages = [ cfg.package ];
@ -328,7 +329,7 @@ in
IN_SYSTEMD = "1"; # to get log severity levels
};
serviceConfig =
{ ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v --option build-use-substitutes ${if cfg.useSubstitutes then "true" else "false"}";
{ ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v --option build-use-substitutes ${boolToString cfg.useSubstitutes}";
ExecStopPost = "${cfg.package}/bin/hydra-queue-runner --unlock";
User = "hydra-queue-runner";
Restart = "always";

8
nixos/modules/services/databases/cassandra.nix
View File

@ -21,8 +21,8 @@ let
cassandraConf = ''
cluster_name: ${cfg.clusterName}
num_tokens: 256
auto_bootstrap: ${if cfg.autoBootstrap then "true" else "false"}
hinted_handoff_enabled: ${if cfg.hintedHandOff then "true" else "false"}
auto_bootstrap: ${boolToString cfg.autoBootstrap}
hinted_handoff_enabled: ${boolToString cfg.hintedHandOff}
hinted_handoff_throttle_in_kb: ${builtins.toString cfg.hintedHandOffThrottle}
max_hints_delivery_threads: 2
max_hint_window_in_ms: 10800000 # 3 hours
@ -62,7 +62,7 @@ let
rpc_keepalive: true
rpc_server_type: sync
thrift_framed_transport_size_in_mb: 15
incremental_backups: ${if cfg.incrementalBackups then "true" else "false"}
incremental_backups: ${boolToString cfg.incrementalBackups}
snapshot_before_compaction: false
auto_snapshot: true
column_index_size_in_kb: 64
@ -89,7 +89,7 @@ let
truststore: ${cfg.trustStorePath}
truststore_password: ${cfg.trustStorePassword}
client_encryption_options:
enabled: ${if cfg.clientEncryption then "true" else "false"}
enabled: ${boolToString cfg.clientEncryption}
keystore: ${cfg.keyStorePath}
keystore_password: ${cfg.keyStorePassword}
internode_compression: all

2
nixos/modules/services/databases/mongodb.nix
View File

@ -4,8 +4,6 @@ with lib;
let
b2s = x: if x then "true" else "false";
cfg = config.services.mongodb;
mongodb = cfg.package;

15
nixos/modules/services/hardware/amd-hybrid-graphics.nix
View File

@ -25,15 +25,22 @@
path = [ pkgs.bash ];
description = "Disable AMD Card";
after = [ "sys-kernel-debug.mount" ];
requires = [ "sys-kernel-debug.mount" ];
wantedBy = [ "multi-user.target" ];
before = [ "systemd-vconsole-setup.service" "display-manager.service" ];
requires = [ "sys-kernel-debug.mount" "vgaswitcheroo.path" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.bash}/bin/sh -c 'echo -e \"IGD\\nOFF\" > /sys/kernel/debug/vgaswitcheroo/switch; exit 0'";
ExecStop = "${pkgs.bash}/bin/sh -c 'echo ON >/sys/kernel/debug/vgaswitcheroo/switch; exit 0'";
ExecStart = "${pkgs.bash}/bin/sh -c 'echo -e \"IGD\\nOFF\" > /sys/kernel/debug/vgaswitcheroo/switch'";
ExecStop = "${pkgs.bash}/bin/sh -c 'echo ON >/sys/kernel/debug/vgaswitcheroo/switch'";
};
};
systemd.paths."vgaswitcheroo" = {
pathConfig = {
PathExists = "/sys/kernel/debug/vgaswitcheroo/switch";
Unit = "amd-hybrid-graphics.service";
};
wantedBy = ["multi-user.target"];
};
};
}

31
nixos/modules/services/hardware/bluetooth.nix
View File

@ -6,9 +6,7 @@ let
bluez-bluetooth = pkgs.bluez;
cfg = config.hardware.bluetooth;
in
{
in {
###### interface
@ -32,6 +30,8 @@ in
'';
description = ''
Set additional configuration for system-wide bluetooth (/etc/bluetooth/main.conf).
NOTE: We already include [Policy], so any configuration under the Policy group should come first.
'';
};
};
@ -45,7 +45,12 @@ in
environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ];
environment.etc = singleton {
source = pkgs.writeText "main.conf" cfg.extraConfig;
source = pkgs.writeText "main.conf" ''
[Policy]
AutoEnable=${lib.boolToString cfg.powerOnBoot}
${cfg.extraConfig}
'';
target = "bluetooth/main.conf";
};
@ -53,29 +58,11 @@ in
services.dbus.packages = [ bluez-bluetooth ];
systemd.packages = [ bluez-bluetooth ];
services.udev.extraRules = optionalString cfg.powerOnBoot ''
ACTION=="add", KERNEL=="hci[0-9]*", ENV{SYSTEMD_WANTS}="bluetooth-power@%k.service"
'';
systemd.services = {
bluetooth = {
wantedBy = [ "bluetooth.target" ];
aliases = [ "dbus-org.bluez.service" ];
};
"bluetooth-power@" = mkIf cfg.powerOnBoot {
description = "Power up bluetooth controller";
after = [
"bluetooth.service"
"suspend.target"
"sys-subsystem-bluetooth-devices-%i.device"
];
wantedBy = [ "suspend.target" ];
serviceConfig.Type = "oneshot";
serviceConfig.ExecStart = "${pkgs.bluez.out}/bin/hciconfig %i up";
};
};
systemd.user.services = {

3
nixos/modules/services/hardware/tlp.nix
View File

@ -58,6 +58,9 @@ in
powerManagement.cpuFreqGovernor = null;
systemd.services = {
"systemd-rfkill@".enable = false;
"systemd-rfkill".enable = false;
tlp = {
description = "TLP system startup/shutdown";

5
nixos/modules/services/logging/graylog.nix
View File

@ -4,16 +4,15 @@ with lib;
let
cfg = config.services.graylog;
configBool = b: if b then "true" else "false";
confFile = pkgs.writeText "graylog.conf" ''
is_master = ${configBool cfg.isMaster}
is_master = ${boolToString cfg.isMaster}
node_id_file = ${cfg.nodeIdFile}
password_secret = ${cfg.passwordSecret}
root_username = ${cfg.rootUsername}
root_password_sha2 = ${cfg.rootPasswordSha2}
elasticsearch_cluster_name = ${cfg.elasticsearchClusterName}
elasticsearch_discovery_zen_ping_multicast_enabled = ${configBool cfg.elasticsearchDiscoveryZenPingMulticastEnabled}
elasticsearch_discovery_zen_ping_multicast_enabled = ${boolToString cfg.elasticsearchDiscoveryZenPingMulticastEnabled}
elasticsearch_discovery_zen_ping_unicast_hosts = ${cfg.elasticsearchDiscoveryZenPingUnicastHosts}
message_journal_dir = ${cfg.messageJournalDir}
mongodb_uri = ${cfg.mongodbUri}

43
nixos/modules/services/misc/autorandr.nix Normal file
View File

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.autorandr;
in {
options = {
services.autorandr = {
enable = mkEnableOption "handling of hotplug and sleep events by autorandr";
};
};
config = mkIf cfg.enable {
services.udev.packages = [ pkgs.autorandr ];
environment.systemPackages = [ pkgs.autorandr ];
# systemd.unitPackages = [ pkgs.autorandr ];
systemd.services.autorandr = {
unitConfig = {
Description = "autorandr execution hook";
After = [ "sleep.target" ];
StartLimitInterval = "5";
StartLimitBurst = "1";
};
serviceConfig = {
ExecStart = "${pkgs.autorandr}/bin/autorandr --batch --change --default default";
Type = "oneshot";
RemainAfterExit = false;
};
wantedBy = [ "sleep.target" ];
};
};
}

36
nixos/modules/services/misc/bepasty.nix
View File

@ -21,7 +21,7 @@ in
configure a number of bepasty servers which will be started with
gunicorn.
'';
type = with types ; attrsOf (submodule ({
type = with types ; attrsOf (submodule ({ config, ... } : {
options = {
@ -34,7 +34,6 @@ in
default = "127.0.0.1:8000";
};
dataDir = mkOption {
type = types.str;
description = ''
@ -73,10 +72,28 @@ in
type = types.str;
description = ''
server secret for safe session cookies, must be set.
Warning: this secret is stored in the WORLD-READABLE Nix store!
It's recommended to use <option>secretKeyFile</option>
which takes precedence over <option>secretKey</option>.
'';
default = "";
};
secretKeyFile = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
A file that contains the server secret for safe session cookies, must be set.
<option>secretKeyFile</option> takes precedence over <option>secretKey</option>.
Warning: when <option>secretKey</option> is non-empty <option>secretKeyFile</option>
defaults to a file in the WORLD-READABLE Nix store containing that secret.
'';
};
workDir = mkOption {
type = types.str;
description = ''
@ -87,11 +104,22 @@ in
};
};
config = {
secretKeyFile = mkDefault (
if config.secretKey != ""
then toString (pkgs.writeTextFile {
name = "bepasty-secret-key";
text = config.secretKey;
})
else null
);
};
}));
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ bepasty ];
# creates gunicorn systemd service for each configured server
@ -115,7 +143,7 @@ in
serviceConfig = {
Type = "simple";
PrivateTmp = true;
ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
ExecStartPre = assert !isNull server.secretKeyFile; pkgs.writeScript "bepasty-server.${name}-init" ''
#!/bin/sh
mkdir -p "${server.workDir}"
mkdir -p "${server.dataDir}"
@ -123,7 +151,7 @@ in
cat > ${server.workDir}/bepasty-${name}.conf <<EOF
SITENAME="${name}"
STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
SECRET_KEY="${server.secretKey}"
SECRET_KEY="$(cat "${server.secretKeyFile}")"
DEFAULT_PERMISSIONS="${server.defaultPermissions}"
${server.extraConfig}
EOF

2
nixos/modules/services/misc/cgminer.nix
View File

@ -6,7 +6,7 @@ let
cfg = config.services.cgminer;
convType = with builtins;
v: if isBool v then (if v then "true" else "false") else toString v;
v: if isBool v then boolToString v else toString v;
mergedHwConfig =
mapAttrsToList (n: v: ''"${n}": "${(concatStringsSep "," (map convType v))}"'')
(foldAttrs (n: a: [n] ++ a) [] cfg.hardware);

2
nixos/modules/services/misc/confd.nix
View File

@ -12,7 +12,7 @@ let
nodes = [ ${concatMapStringsSep "," (s: ''"${s}"'') cfg.nodes}, ]
prefix = "${cfg.prefix}"
log-level = "${cfg.logLevel}"
watch = ${if cfg.watch then "true" else "false"}
watch = ${boolToString cfg.watch}
'';
in {

2
nixos/modules/services/misc/etcd.nix
View File

@ -119,7 +119,7 @@ in {
extraConf = mkOption {
description = ''
Etcd extra configuration. See
<link xlink:href='https://github.com/coreos/etcd/blob/master/Documentation/configuration.md#environment-variables' />
<link xlink:href='https://github.com/coreos/etcd/blob/master/Documentation/op-guide/configuration.md#configuration-flags' />
'';
type = types.attrsOf types.str;
default = {};

47
nixos/modules/services/misc/jackett.nix Normal file
View File

@ -0,0 +1,47 @@
{ config, pkgs, lib, mono, ... }:
with lib;
let
cfg = config.services.jackett;
in
{
options = {
services.jackett = {
enable = mkEnableOption "Jackett";
};
};
config = mkIf cfg.enable {
systemd.services.jackett = {
description = "Jackett";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
test -d /var/lib/jackett/ || {
echo "Creating jackett data directory in /var/lib/jackett/"
mkdir -p /var/lib/jackett/
}
chown -R jackett:jackett /var/lib/jackett/
chmod 0700 /var/lib/jackett/
'';
serviceConfig = {
Type = "simple";
User = "jackett";
Group = "jackett";
PermissionsStartOnly = "true";
ExecStart = "${pkgs.jackett}/bin/Jackett";
Restart = "on-failure";
};
};
users.extraUsers.jackett = {
uid = config.ids.uids.jackett;
home = "/var/lib/jackett";
group = "jackett";
};
users.extraGroups.jackett.gid = config.ids.gids.jackett;
};
}

25
nixos/modules/services/misc/matrix-synapse.nix
View File

@ -5,9 +5,8 @@ with lib;
let
cfg = config.services.matrix-synapse;
logConfigFile = pkgs.writeText "log_config.yaml" cfg.logConfig;
mkResource = r: ''{names: ${builtins.toJSON r.names}, compress: ${fromBool r.compress}}'';
mkListener = l: ''{port: ${toString l.port}, bind_address: "${l.bind_address}", type: ${l.type}, tls: ${fromBool l.tls}, x_forwarded: ${fromBool l.x_forwarded}, resources: [${concatStringsSep "," (map mkResource l.resources)}]}'';
fromBool = x: if x then "true" else "false";
mkResource = r: ''{names: ${builtins.toJSON r.names}, compress: ${boolToString r.compress}}'';
mkListener = l: ''{port: ${toString l.port}, bind_address: "${l.bind_address}", type: ${l.type}, tls: ${boolToString l.tls}, x_forwarded: ${boolToString l.x_forwarded}, resources: [${concatStringsSep "," (map mkResource l.resources)}]}'';
configFile = pkgs.writeText "homeserver.yaml" ''
${optionalString (cfg.tls_certificate_path != null) ''
tls_certificate_path: "${cfg.tls_certificate_path}"
@ -18,7 +17,7 @@ tls_private_key_path: "${cfg.tls_private_key_path}"
${optionalString (cfg.tls_dh_params_path != null) ''
tls_dh_params_path: "${cfg.tls_dh_params_path}"
''}
no_tls: ${fromBool cfg.no_tls}
no_tls: ${boolToString cfg.no_tls}
${optionalString (cfg.bind_port != null) ''
bind_port: ${toString cfg.bind_port}
''}
@ -30,7 +29,7 @@ bind_host: "${cfg.bind_host}"
''}
server_name: "${cfg.server_name}"
pid_file: "/var/run/matrix-synapse.pid"
web_client: ${fromBool cfg.web_client}
web_client: ${boolToString cfg.web_client}
${optionalString (cfg.public_baseurl != null) ''
public_baseurl: "${cfg.public_baseurl}"
''}
@ -58,8 +57,8 @@ media_store_path: "/var/lib/matrix-synapse/media"
uploads_path: "/var/lib/matrix-synapse/uploads"
max_upload_size: "${cfg.max_upload_size}"
max_image_pixels: "${cfg.max_image_pixels}"
dynamic_thumbnails: ${fromBool cfg.dynamic_thumbnails}
url_preview_enabled: ${fromBool cfg.url_preview_enabled}
dynamic_thumbnails: ${boolToString cfg.dynamic_thumbnails}
url_preview_enabled: ${boolToString cfg.url_preview_enabled}
${optionalString (cfg.url_preview_enabled == true) ''
url_preview_ip_range_blacklist: ${builtins.toJSON cfg.url_preview_ip_range_blacklist}
url_preview_ip_range_whitelist: ${builtins.toJSON cfg.url_preview_ip_range_whitelist}
@ -67,10 +66,10 @@ url_preview_url_blacklist: ${builtins.toJSON cfg.url_preview_url_blacklist}
''}
recaptcha_private_key: "${cfg.recaptcha_private_key}"
recaptcha_public_key: "${cfg.recaptcha_public_key}"
enable_registration_captcha: ${fromBool cfg.enable_registration_captcha}
enable_registration_captcha: ${boolToString cfg.enable_registration_captcha}
turn_uris: ${builtins.toJSON cfg.turn_uris}
turn_shared_secret: "${cfg.turn_shared_secret}"
enable_registration: ${fromBool cfg.enable_registration}
enable_registration: ${boolToString cfg.enable_registration}
${optionalString (cfg.registration_shared_secret != null) ''
registration_shared_secret: "${cfg.registration_shared_secret}"
''}
@ -78,15 +77,15 @@ recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
turn_user_lifetime: "${cfg.turn_user_lifetime}"
user_creation_max_duration: ${cfg.user_creation_max_duration}
bcrypt_rounds: ${cfg.bcrypt_rounds}
allow_guest_access: ${fromBool cfg.allow_guest_access}
allow_guest_access: ${boolToString cfg.allow_guest_access}
trusted_third_party_id_servers: ${builtins.toJSON cfg.trusted_third_party_id_servers}
room_invite_state_types: ${builtins.toJSON cfg.room_invite_state_types}
${optionalString (cfg.macaroon_secret_key != null) ''
macaroon_secret_key: "${cfg.macaroon_secret_key}"
''}
expire_access_token: ${fromBool cfg.expire_access_token}
enable_metrics: ${fromBool cfg.enable_metrics}
report_stats: ${fromBool cfg.report_stats}
expire_access_token: ${boolToString cfg.expire_access_token}
enable_metrics: ${boolToString cfg.enable_metrics}
report_stats: ${boolToString cfg.report_stats}
signing_key_path: "/var/lib/matrix-synapse/homeserver.signing.key"
key_refresh_interval: "${cfg.key_refresh_interval}"
perspectives:

4
nixos/modules/services/misc/nix-daemon.nix
View File

@ -41,12 +41,12 @@ let
build-users-group = nixbld
build-max-jobs = ${toString (cfg.maxJobs)}
build-cores = ${toString (cfg.buildCores)}
build-use-sandbox = ${if (builtins.isBool cfg.useSandbox) then (if cfg.useSandbox then "true" else "false") else cfg.useSandbox}
build-use-sandbox = ${if (builtins.isBool cfg.useSandbox) then boolToString cfg.useSandbox else cfg.useSandbox}
build-sandbox-paths = ${toString cfg.sandboxPaths} /bin/sh=${sh} $(echo $extraPaths)
binary-caches = ${toString cfg.binaryCaches}
trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys}
auto-optimise-store = ${if cfg.autoOptimiseStore then "true" else "false"}
auto-optimise-store = ${boolToString cfg.autoOptimiseStore}
${optionalString cfg.requireSignedBinaryCaches ''
signed-binary-caches = *
''}

Some files were not shown because too many files have changed in this diff Show More