public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' into postgresql-plugins-bin

Browse Source
This commit is contained in:
Danylo Hlynskyi
2019-07-16 11:32:52 +03:00
committed by GitHub
parent 517c52ec2e 0ddb9e0495
commit 475f1ebd98
4817 changed files with 114960 additions and 70598 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
nixos/doc/manual/administration/cleaning-store.xml
View File

@@ -11,12 +11,12 @@
Nixs <emphasis>garbage collector</emphasis> to remove old, unreferenced
packages. This is easy:
<screen>
$ nix-collect-garbage
<prompt>$ </prompt>nix-collect-garbage
</screen>
Alternatively, you can use a systemd unit that does the same in the
background:
<screen>
# systemctl start nix-gc.service
<prompt># </prompt>systemctl start nix-gc.service
</screen>
You can tell NixOS in <filename>configuration.nix</filename> to run this unit
automatically at certain points in time, for instance, every night at 03:15:
@@ -31,11 +31,11 @@ $ nix-collect-garbage
configurations. The following command deletes old roots, removing the ability
to roll back to them:
<screen>
$ nix-collect-garbage -d
<prompt>$ </prompt>nix-collect-garbage -d
</screen>
You can also do this for specific profiles, e.g.
<screen>
$ nix-env -p /nix/var/nix/profiles/per-user/eelco/profile --delete-generations old
<prompt>$ </prompt>nix-env -p /nix/var/nix/profiles/per-user/eelco/profile --delete-generations old
</screen>
Note that NixOS system configurations are stored in the profile
<filename>/nix/var/nix/profiles/system</filename>.
@@ -45,7 +45,7 @@ $ nix-env -p /nix/var/nix/profiles/per-user/eelco/profile --delete-generations o
Nix store) is to run Nixs store optimiser, which seeks out identical files
in the store and replaces them with hard links to a single copy.
<screen>
$ nix-store --optimise
<prompt>$ </prompt>nix-store --optimise
</screen>
Since this command needs to read the entire Nix store, it can take quite a
while to finish.

4
nixos/doc/manual/administration/container-networking.xml
View File

@@ -11,10 +11,10 @@
<literal>10.233.0.0/16</literal>. You can get the containers IPv4 address
as follows:
<screen>
# nixos-container show-ip foo
<prompt># </prompt>nixos-container show-ip foo
10.233.4.2
$ ping -c1 10.233.4.2
<prompt>$ </prompt>ping -c1 10.233.4.2
64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms
</screen>
</para>

2
nixos/doc/manual/administration/control-groups.xml
View File

@@ -16,7 +16,7 @@
<literal>systemd</literal> hierarchy, which is what systemd uses to keep
track of the processes belonging to each service or user session:
<screen>
$ systemd-cgls
<prompt>$ </prompt>systemd-cgls
├─user
│ └─eelco
│ └─c1

7
nixos/doc/manual/administration/imperative-containers.xml
View File

@@ -29,6 +29,13 @@
<xref linkend="opt-services.openssh.enable"/> = true;
<link linkend="opt-users.users._name__.openssh.authorizedKeys.keys">users.users.root.openssh.authorizedKeys.keys</link> = ["ssh-dss AAAAB3N…"];
'
</screen>
By default the next free address in the <literal>10.233.0.0/16</literal> subnet will be chosen
as container IP. This behavior can be altered by setting <literal>--host-address</literal> and
<literal>--local-address</literal>:
<screen>
# nixos-container create test --config-file test-container.nix \
--local-address 10.235.1.2 --host-address 10.235.1.1
</screen>
</para>

6
nixos/doc/manual/administration/logging.xml
View File

@@ -11,14 +11,14 @@
The command <literal>journalctl</literal> allows you to see the contents of
the journal. For example,
<screen>
$ journalctl -b
<prompt>$ </prompt>journalctl -b
</screen>
shows all journal entries since the last reboot. (The output of
<command>journalctl</command> is piped into <command>less</command> by
default.) You can use various options and match operators to restrict output
to messages of interest. For instance, to get all messages from PostgreSQL:
<screen>
$ journalctl -u postgresql.service
<prompt>$ </prompt>journalctl -u postgresql.service
-- Logs begin at Mon, 2013-01-07 13:28:01 CET, end at Tue, 2013-01-08 01:09:57 CET. --
...
Jan 07 15:44:14 hagbard postgres[2681]: [2-1] LOG: database system is shut down
@@ -29,7 +29,7 @@ Jan 07 15:45:13 hagbard postgres[2500]: [1-1] LOG: database system is ready to
Or to get all messages since the last reboot that have at least a
“critical” severity level:
<screen>
$ journalctl -b -p crit
<prompt>$ </prompt>journalctl -b -p crit
Dec 17 21:08:06 mandark sudo[3673]: pam_unix(sudo:auth): auth could not identify password for [alice]
Dec 29 01:30:22 mandark kernel[6131]: [1053513.909444] CPU6: Core temperature above threshold, cpu clock throttled (total events = 1)
</screen>

2
nixos/doc/manual/administration/rollback.xml
View File

@@ -33,7 +33,7 @@
where <replaceable>N</replaceable> is the number of the NixOS system
configuration. To get a list of the available configurations, do:
<screen>
$ ls -l /nix/var/nix/profiles/system-*-link
<prompt>$ </prompt>ls -l /nix/var/nix/profiles/system-*-link
<replaceable>...</replaceable>
lrwxrwxrwx 1 root root 78 Aug 12 13:54 /nix/var/nix/profiles/system-268-link -> /nix/store/202b...-nixos-13.07pre4932_5a676e4-4be1055
</screen>

4
nixos/doc/manual/administration/service-mgmt.xml
View File

@@ -21,7 +21,7 @@
<command>systemd</command>. Without any arguments, it shows the status of
active units:
<screen>
$ systemctl
<prompt>$ </prompt>systemctl
-.mount loaded active mounted /
swapfile.swap loaded active active /swapfile
sshd.service loaded active running SSH Daemon
@@ -33,7 +33,7 @@ graphical.target loaded active active Graphical Interface
You can ask for detailed status information about a unit, for instance, the
PostgreSQL database service:
<screen>
$ systemctl status postgresql.service
<prompt>$ </prompt>systemctl status postgresql.service
postgresql.service - PostgreSQL Server
Loaded: loaded (/nix/store/pn3q73mvh75gsrl8w7fdlfk3fq5qm5mw-unit/postgresql.service)
Active: active (running) since Mon, 2013-01-07 15:55:57 CET; 9h ago

4
nixos/doc/manual/administration/store-corruption.xml
View File

@@ -18,7 +18,7 @@
If the corruption is in a path in the closure of the NixOS system
configuration, you can fix it by doing
<screen>
# nixos-rebuild switch --repair
<prompt># </prompt>nixos-rebuild switch --repair
</screen>
This will cause Nix to check every path in the closure, and if its
cryptographic hash differs from the hash recorded in Nixs database, the
@@ -28,7 +28,7 @@
<para>
You can also scan the entire Nix store for corrupt paths:
<screen>
# nix-store --verify --check-contents --repair
<prompt># </prompt>nix-store --verify --check-contents --repair
</screen>
Any corrupt paths will be redownloaded if theyre available in a binary
cache; otherwise, they cannot be repaired.

4
nixos/doc/manual/administration/user-sessions.xml
View File

@@ -10,7 +10,7 @@
allows querying and manipulating user sessions. For instance, to list all
user sessions:
<screen>
$ loginctl
<prompt>$ </prompt>loginctl
SESSION UID USER SEAT
c1 500 eelco seat0
c3 0 root seat0
@@ -21,7 +21,7 @@ $ loginctl
devices attached to the system; usually, there is only one seat.) To get
information about a session:
<screen>
$ loginctl session-status c3
<prompt>$ </prompt>loginctl session-status c3
c3 - root (0)
Since: Tue, 2013-01-08 01:17:56 CET; 4min 42s ago
Leader: 2536 (login)

10
nixos/doc/manual/configuration/ad-hoc-packages.xml
View File

@@ -9,7 +9,7 @@
With the command <command>nix-env</command>, you can install and uninstall
packages from the command line. For instance, to install Mozilla Thunderbird:
<screen>
$ nix-env -iA nixos.thunderbird</screen>
<prompt>$ </prompt>nix-env -iA nixos.thunderbird</screen>
If you invoke this as root, the package is installed in the Nix profile
<filename>/nix/var/nix/profiles/default</filename> and visible to all users
of the system; otherwise, the package ends up in
@@ -25,7 +25,7 @@ $ nix-env -iA nixos.thunderbird</screen>
Packages come from the NixOS channel. You typically upgrade a package by
updating to the latest version of the NixOS channel:
<screen>
$ nix-channel --update nixos
<prompt>$ </prompt>nix-channel --update nixos
</screen>
and then running <literal>nix-env -i</literal> again. Other packages in the
profile are <emphasis>not</emphasis> affected; this is the crucial difference
@@ -34,21 +34,21 @@ $ nix-channel --update nixos
their current versions in the NixOS channel. You can however upgrade all
packages for which there is a newer version by doing:
<screen>
$ nix-env -u '*'
<prompt>$ </prompt>nix-env -u '*'
</screen>
</para>
<para>
A package can be uninstalled using the <option>-e</option> flag:
<screen>
$ nix-env -e thunderbird
<prompt>$ </prompt>nix-env -e thunderbird
</screen>
</para>
<para>
Finally, you can roll back an undesirable <command>nix-env</command> action:
<screen>
$ nix-env --rollback
<prompt>$ </prompt>nix-env --rollback
</screen>
</para>

8
nixos/doc/manual/configuration/adding-custom-packages.xml
View File

@@ -14,8 +14,8 @@
xlink:href="http://nixos.org/nixpkgs/manual">Nixpkgs
manual</link>. In short, you clone Nixpkgs:
<screen>
$ git clone https://github.com/NixOS/nixpkgs
$ cd nixpkgs
<prompt>$ </prompt>git clone https://github.com/NixOS/nixpkgs
<prompt>$ </prompt>cd nixpkgs
</screen>
Then you write and test the package as described in the Nixpkgs manual.
Finally, you add it to <literal>environment.systemPackages</literal>, e.g.
@@ -65,8 +65,8 @@ stdenv.mkDerivation rec {
</programlisting>
This allows testing the package easily:
<screen>
$ nix-build my-hello.nix
$ ./result/bin/hello
<prompt>$ </prompt>nix-build my-hello.nix
<prompt>$ </prompt>./result/bin/hello
Hello, world!
</screen>
</para>

2
nixos/doc/manual/configuration/declarative-packages.xml
View File

@@ -22,7 +22,7 @@
<para>
You can get a list of the available packages as follows:
<screen>
$ nix-env -qaP '*' --description
<prompt>$ </prompt>nix-env -qaP '*' --description
nixos.firefox firefox-23.0 Mozilla Firefox - the browser, reloaded
<replaceable>...</replaceable>
</screen>

2
nixos/doc/manual/configuration/ipv6-config.xml
View File

@@ -39,7 +39,7 @@
<xref linkend="opt-networking.defaultGateway6"/> = {
address = "fe00::1";
interface = "enp0s3";
}
};
</programlisting>
</para>

192
nixos/doc/manual/configuration/matrix.xml
View File

@@ -33,91 +33,91 @@
<link xlink:href="https://github.com/matrix-org/synapse#synapse-installation">
installation instructions of Synapse </link>.
<programlisting>
let
fqdn =
let
fqdn =
let
join = hostName: domain: hostName + optionalString (domain != null) ".${domain}";
in join config.networking.hostName config.networking.domain;
in {
networking = {
hostName = "myhostname";
domain = "example.org";
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
join = hostName: domain: hostName + optionalString (domain != null) ".${domain}";
in join config.networking.hostName config.networking.domain;
in {
networking = {
hostName = "myhostname";
domain = "example.org";
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
# only recommendedProxySettings and recommendedGzipSettings are strictly required,
# but the rest make sense as well
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
services.nginx = {
enable = true;
# only recommendedProxySettings and recommendedGzipSettings are strictly required,
# but the rest make sense as well
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
# This host section can be placed on a different host than the rest,
# i.e. to delegate from the host being accessible as ${config.networking.domain}
# to another host actually running the Matrix homeserver.
"${config.networking.domain}" = {
locations."= /.well-known/matrix/server".extraConfig =
let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow riot-web on any URL to request this json file
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
# Reverse proxy for Matrix client-server and server-server communication
${fqdn} = {
enableACME = true;
forceSSL = true;
# Or do a redirect instead of the 404, or whatever is appropriate for you.
# But do not put a Matrix Web client here! See the Riot Web section below.
locations."/".extraConfig = ''
return 404;
'';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {
proxyPass = "http://[::1]:8008";
virtualHosts = {
# This host section can be placed on a different host than the rest,
# i.e. to delegate from the host being accessible as ${config.networking.domain}
# to another host actually running the Matrix homeserver.
"${config.networking.domain}" = {
locations."= /.well-known/matrix/server".extraConfig =
let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
};
# ACAO required to allow riot-web on any URL to request this json file
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
# Reverse proxy for Matrix client-server and server-server communication
${fqdn} = {
enableACME = true;
forceSSL = true;
# Or do a redirect instead of the 404, or whatever is appropriate for you.
# But do not put a Matrix Web client here! See the Riot Web section below.
locations."/".extraConfig = ''
return 404;
'';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {
proxyPass = "http://[::1]:8008/_matrix";
};
};
services.matrix-synapse = {
enable = true;
server_name = config.networking.domain;
listeners = [
{
port = 8008;
bind_address = "::1";
type = "http";
tls = false;
x_forwarded = true;
resources = [
{ names = [ "client" "federation" ]; compress = false; }
];
}
];
};
};
</programlisting>
};
services.matrix-synapse = {
enable = true;
server_name = config.networking.domain;
listeners = [
{
port = 8008;
bind_address = "::1";
type = "http";
tls = false;
x_forwarded = true;
resources = [
{ names = [ "client" "federation" ]; compress = false; }
];
}
];
};
};
</programlisting>
</para>
<para>
@@ -141,15 +141,15 @@
<option>services.matrix-synapse.registration_shared_secret</option>. To
create a new user or admin, run the following after you have set the secret
and have rebuilt NixOS:
<programlisting>
$ nix run nixpkgs.matrix-synapse
$ register_new_matrix_user -k &lt;your-registration-shared-secret&gt; http://localhost:8008
New user localpart: &lt;your-username&gt;
Password:
Confirm password:
Make admin [no]:
Success!
</programlisting>
<screen>
<prompt>$ </prompt>nix run nixpkgs.matrix-synapse
<prompt>$ </prompt>register_new_matrix_user -k <replaceable>your-registration-shared-secret</replaceable> http://localhost:8008
<prompt>New user localpart: </prompt><replaceable>your-username</replaceable>
<prompt>Password:</prompt>
<prompt>Confirm password:</prompt>
<prompt>Make admin [no]:</prompt>
Success!
</screen>
In the example, this would create a user with the Matrix Identifier
<literal>@your-username:example.org</literal>. Note that the registration
secret ends up in the nix store and therefore is world-readable by any user
@@ -177,16 +177,16 @@
Matrix Now!</link> for a list of existing clients and their supported
featureset.
<programlisting>
services.nginx.virtualHosts."riot.${fqdn}" = {
enableACME = true;
forceSSL = true;
serverAliases = [
"riot.${config.networking.domain}"
];
services.nginx.virtualHosts."riot.${fqdn}" = {
enableACME = true;
forceSSL = true;
serverAliases = [
"riot.${config.networking.domain}"
];
root = pkgs.riot-web;
};
</programlisting>
root = pkgs.riot-web;
};
</programlisting>
</para>
<para>

28
nixos/doc/manual/configuration/modularity.xml
View File

@@ -106,21 +106,21 @@ The unique option `services.httpd.adminAddr' is defined multiple times, in `/etc
configuration option is. The command <option>nixos-option</option> allows you
to find out:
<screen>
$ nixos-option <xref linkend="opt-services.xserver.enable"/>
<prompt>$ </prompt>nixos-option <xref linkend="opt-services.xserver.enable"/>
true
$ nixos-option <xref linkend="opt-boot.kernelModules"/>
<prompt>$ </prompt>nixos-option <xref linkend="opt-boot.kernelModules"/>
[ "tun" "ipv6" "loop" <replaceable>...</replaceable> ]
</screen>
Interactive exploration of the configuration is possible using <command>nix
repl</command>, a read-eval-print loop for Nix expressions. A typical use:
<screen>
$ nix repl '&lt;nixpkgs/nixos>'
<prompt>$ </prompt>nix repl '&lt;nixpkgs/nixos>'
nix-repl> config.<xref linkend="opt-networking.hostName"/>
<prompt>nix-repl> </prompt>config.<xref linkend="opt-networking.hostName"/>
"mandark"
nix-repl> map (x: x.hostName) config.<xref linkend="opt-services.httpd.virtualHosts"/>
<prompt>nix-repl> </prompt>map (x: x.hostName) config.<xref linkend="opt-services.httpd.virtualHosts"/>
[ "example.org" "example.gov" ]
</screen>
</para>
@@ -129,17 +129,17 @@ nix-repl> map (x: x.hostName) config.<xref linkend="opt-services.httpd.virtualHo
While abstracting your configuration, you may find it useful to generate
modules using code, instead of writing files. The example below would have
the same effect as importing a file which sets those options.
<screen>
{ config, pkgs, ... }:
<programlisting>
{ config, pkgs, ... }:
let netConfig = { hostName }: {
networking.hostName = hostName;
networking.useDHCP = false;
};
let netConfig = { hostName }: {
networking.hostName = hostName;
networking.useDHCP = false;
};
in
in
{ imports = [ (netConfig "nixos.localdomain") ]; }
</screen>
{ imports = [ (netConfig "nixos.localdomain") ]; }
</programlisting>
</para>
</section>

2
nixos/doc/manual/configuration/profiles.xml
View File

@@ -16,7 +16,7 @@
imports = [
&lt;nixpkgs/nixos/modules/profiles/profile-name.nix&gt;
];
</programlisting>
</programlisting>
<para>
Even if some of these profiles seem only useful in the context of install
media, many are actually intended to be used in real installs.

2
nixos/doc/manual/configuration/user-mgmt.xml
View File

@@ -44,7 +44,7 @@
A user ID (uid) is assigned automatically. You can also specify a uid
manually by adding
<programlisting>
uid = 1000;
uid = 1000;
</programlisting>
to the user specification.
</para>

6
nixos/doc/manual/configuration/wireless.xml
View File

@@ -37,7 +37,7 @@
If you are using WPA2 you can generate pskRaw key using
<command>wpa_passphrase</command>:
<screen>
$ wpa_passphrase ESSID PSK
<prompt>$ </prompt>wpa_passphrase ESSID PSK
network={
ssid="echelon"
#psk="abcdefgh"
@@ -54,10 +54,10 @@ network={
or you can use it to directly generate the
<literal>wpa_supplicant.conf</literal>:
<screen>
# wpa_passphrase ESSID PSK > /etc/wpa_supplicant.conf</screen>
<prompt># </prompt>wpa_passphrase ESSID PSK > /etc/wpa_supplicant.conf</screen>
After you have edited the <literal>wpa_supplicant.conf</literal>, you need to
restart the wpa_supplicant service.
<screen>
# systemctl restart wpa_supplicant.service</screen>
<prompt># </prompt>systemctl restart wpa_supplicant.service</screen>
</para>
</section>

12
nixos/doc/manual/configuration/xfce.xml
View File

@@ -11,7 +11,7 @@
<link linkend="opt-services.xserver.desktopManager.xfce.enable">xfce.enable</link> = true;
<link linkend="opt-services.xserver.desktopManager.default">default</link> = "xfce";
};
</programlisting>
</programlisting>
</para>
<para>
Optionally, <emphasis>compton</emphasis> can be enabled for nice graphical
@@ -24,7 +24,7 @@
<link linkend="opt-services.compton.shadow">shadow</link> = true;
<link linkend="opt-services.compton.fadeDelta">fadeDelta</link> = 4;
};
</programlisting>
</programlisting>
</para>
<para>
Some Xfce programs are not installed automatically. To install them manually
@@ -37,7 +37,7 @@
To enable <emphasis>Thunar</emphasis> volume support, put
<programlisting>
<xref linkend="opt-services.xserver.desktopManager.xfce.enable"/> = true;
</programlisting>
</programlisting>
into your <emphasis>configuration.nix</emphasis>.
</para>
</simplesect>
@@ -58,14 +58,14 @@
on start (look at <command>journalctl --user -b</command>).
<programlisting>
Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported
</programlisting>
</programlisting>
This is caused by some needed GNOME services not running. This is all fixed
by enabling "Launch GNOME services on startup" in the Advanced tab of the
Session and Startup settings panel. Alternatively, you can run this command
to do the same thing.
<programlisting>
$ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
</programlisting>
<prompt>$ </prompt>xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
</programlisting>
A log-out and re-log will be needed for this to take effect.
</para>
</simplesect>

8
nixos/doc/manual/development/building-nixos.xml
View File

@@ -14,14 +14,14 @@
Default CD/DVD configurations are available inside
<filename>nixos/modules/installer/cd-dvd</filename>.
<screen>
$ git clone https://github.com/NixOS/nixpkgs.git
$ cd nixpkgs/nixos
$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix</screen>
<prompt>$ </prompt>git clone https://github.com/NixOS/nixpkgs.git
<prompt>$ </prompt>cd nixpkgs/nixos
<prompt>$ </prompt>nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix default.nix</screen>
</para>
<para>
Before burning your CD/DVD, you can check the content of the image by
mounting anywhere like suggested by the following command:
<screen>
# mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen>
<prompt># </prompt>mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen>
</para>
</chapter>

20
nixos/doc/manual/development/building-parts.xml
View File

@@ -8,8 +8,8 @@
With the command <command>nix-build</command>, you can build specific parts
of your NixOS configuration. This is done as follows:
<screen>
$ cd <replaceable>/path/to/nixpkgs/nixos</replaceable>
$ nix-build -A config.<replaceable>option</replaceable></screen>
<prompt>$ </prompt>cd <replaceable>/path/to/nixpkgs/nixos</replaceable>
<prompt>$ </prompt>nix-build -A config.<replaceable>option</replaceable></screen>
where <replaceable>option</replaceable> is a NixOS option with type
“derivation” (i.e. something that can be built). Attributes of interest
include:
@@ -28,7 +28,7 @@ $ nix-build -A config.<replaceable>option</replaceable></screen>
<para>
A shortcut to build this is:
<screen>
$ nix-build -A system</screen>
<prompt>$ </prompt>nix-build -A system</screen>
</para>
</listitem>
</varlistentry>
@@ -66,9 +66,9 @@ $ nix-build -A system</screen>
test whether the kernel and the initial ramdisk boot correctly, by using
QEMUs <option>-kernel</option> and <option>-initrd</option> options:
<screen>
$ nix-build -A config.system.build.initialRamdisk -o initrd
$ nix-build -A config.system.build.kernel -o kernel
$ qemu-system-x86_64 -kernel ./kernel/bzImage -initrd ./initrd/initrd -hda /dev/null
<prompt>$ </prompt>nix-build -A config.system.build.initialRamdisk -o initrd
<prompt>$ </prompt>nix-build -A config.system.build.kernel -o kernel
<prompt>$ </prompt>qemu-system-x86_64 -kernel ./kernel/bzImage -initrd ./initrd/initrd -hda /dev/null
</screen>
</para>
</listitem>
@@ -99,15 +99,15 @@ $ qemu-system-x86_64 -kernel ./kernel/bzImage -initrd ./initrd/initrd -hda /dev/
contain dots (e.g. <literal>httpd.service</literal>), you need to put
them between quotes, like this:
<screen>
$ nix-build -A 'config.systemd.units."httpd.service".unit'
<prompt>$ </prompt>nix-build -A 'config.systemd.units."httpd.service".unit'
</screen>
You can also test individual units, without rebuilding the whole system,
by putting them in <filename>/run/systemd/system</filename>:
<screen>
$ cp $(nix-build -A 'config.systemd.units."httpd.service".unit')/httpd.service \
<prompt>$ </prompt>cp $(nix-build -A 'config.systemd.units."httpd.service".unit')/httpd.service \
/run/systemd/system/tmp-httpd.service
# systemctl daemon-reload
# systemctl start tmp-httpd.service
<prompt># </prompt>systemctl daemon-reload
<prompt># </prompt>systemctl start tmp-httpd.service
</screen>
Note that the unit must not have the same name as any unit in
<filename>/etc/systemd/system</filename> since those take precedence over

18
nixos/doc/manual/development/running-nixos-tests-interactively.xml
View File

@@ -9,17 +9,17 @@
The test itself can be run interactively. This is particularly useful when
developing or debugging a test:
<screen>
$ nix-build nixos/tests/login.nix -A driver
$ ./result/bin/nixos-test-driver
<prompt>$ </prompt>nix-build nixos/tests/login.nix -A driver
<prompt>$ </prompt>./result/bin/nixos-test-driver
starting VDE switch for network 1
&gt;
<prompt>&gt;</prompt>
</screen>
You can then take any Perl statement, e.g.
<screen>
&gt; startAll
&gt; testScript
&gt; $machine->succeed("touch /tmp/foo")
&gt; print($machine->succeed("pwd")) # Show stdout of command
<prompt>&gt;</prompt> startAll
<prompt>&gt;</prompt> testScript
<prompt>&gt;</prompt> $machine->succeed("touch /tmp/foo")
<prompt>&gt;</prompt> print($machine->succeed("pwd")) # Show stdout of command
</screen>
The function <command>testScript</command> executes the entire test script
and drops you back into the test driver command line upon its completion.
@@ -30,8 +30,8 @@ starting VDE switch for network 1
<para>
To just start and experiment with the VMs, run:
<screen>
$ nix-build nixos/tests/login.nix -A driver
$ ./result/bin/nixos-run-vms
<prompt>$ </prompt>nix-build nixos/tests/login.nix -A driver
<prompt>$ </prompt>./result/bin/nixos-run-vms
</screen>
The script <command>nixos-run-vms</command> starts the virtual machines
defined by test.

8
nixos/doc/manual/development/running-nixos-tests.xml
View File

@@ -12,12 +12,12 @@
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/login.nix">login.nix</filename>,
you just do:
<screen>
$ nix-build '&lt;nixpkgs/nixos/tests/login.nix>'
<prompt>$ </prompt>nix-build '&lt;nixpkgs/nixos/tests/login.nix>'
</screen>
or, if you dont want to rely on <envar>NIX_PATH</envar>:
<screen>
$ cd /my/nixpkgs/nixos/tests
$ nix-build login.nix
<prompt>$ </prompt>cd /my/nixpkgs/nixos/tests
<prompt>$ </prompt>nix-build login.nix
running the VM test script
machine: QEMU running (pid 8841)
@@ -30,7 +30,7 @@ machine: QEMU running (pid 8841)
fast, as no disk image needs to be created. Afterwards, you can view a
pretty-printed log of the test:
<screen>
$ firefox result/log.html
<prompt>$ </prompt>firefox result/log.html
</screen>
</para>
</section>

24
nixos/doc/manual/development/sources.xml
View File

@@ -11,10 +11,10 @@
modify NixOS, however, you should check out the latest sources from Git. This
is as follows:
<screen>
$ git clone https://github.com/NixOS/nixpkgs
$ cd nixpkgs
$ git remote add channels https://github.com/NixOS/nixpkgs-channels
$ git remote update channels
<prompt>$ </prompt>git clone https://github.com/NixOS/nixpkgs
<prompt>$ </prompt>cd nixpkgs
<prompt>$ </prompt>git remote add channels https://github.com/NixOS/nixpkgs-channels
<prompt>$ </prompt>git remote update channels
</screen>
This will check out the latest Nixpkgs sources to
<filename>./nixpkgs</filename> the NixOS sources to
@@ -32,23 +32,23 @@ $ git remote update channels
not have caught up yet and youll have to rebuild everything from source.
So you may want to create a local branch based on your current NixOS version:
<screen>
$ nixos-version
<prompt>$ </prompt>nixos-version
17.09pre104379.6e0b727 (Hummingbird)
$ git checkout -b local 6e0b727
<prompt>$ </prompt>git checkout -b local 6e0b727
</screen>
Or, to base your local branch on the latest version available in a NixOS
channel:
<screen>
$ git remote update channels
$ git checkout -b local channels/nixos-17.03
<prompt>$ </prompt>git remote update channels
<prompt>$ </prompt>git checkout -b local channels/nixos-17.03
</screen>
(Replace <literal>nixos-17.03</literal> with the name of the channel you want
to use.) You can use <command>git merge</command> or <command>git
rebase</command> to keep your local branch in sync with the channel, e.g.
<screen>
$ git remote update channels
$ git merge channels/nixos-17.03
<prompt>$ </prompt>git remote update channels
<prompt>$ </prompt>git merge channels/nixos-17.03
</screen>
You can use <command>git cherry-pick</command> to copy commits from your
local branch to the upstream branch.
@@ -58,7 +58,7 @@ $ git merge channels/nixos-17.03
tell <command>nixos-rebuild</command> about them using the
<option>-I</option> flag:
<screen>
# nixos-rebuild switch -I nixpkgs=<replaceable>/my/sources</replaceable>/nixpkgs
<prompt># </prompt>nixos-rebuild switch -I nixpkgs=<replaceable>/my/sources</replaceable>/nixpkgs
</screen>
</para>
<para>
@@ -67,7 +67,7 @@ $ git merge channels/nixos-17.03
<replaceable>/my/sources</replaceable>/nixpkgs</command>, or change the
default by adding a symlink in <filename>~/.nix-defexpr</filename>:
<screen>
$ ln -s <replaceable>/my/sources</replaceable>/nixpkgs ~/.nix-defexpr/nixpkgs
<prompt>$ </prompt>ln -s <replaceable>/my/sources</replaceable>/nixpkgs ~/.nix-defexpr/nixpkgs
</screen>
You may want to delete the symlink
<filename>~/.nix-defexpr/channels_root</filename> to prevent roots NixOS

12
nixos/doc/manual/development/testing-installer.xml
View File

@@ -8,15 +8,15 @@
Building, burning, and booting from an installation CD is rather tedious, so
here is a quick way to see if the installer works properly:
<screen>
# mount -t tmpfs none /mnt
# nixos-generate-config --root /mnt
$ nix-build '&lt;nixpkgs/nixos>' -A config.system.build.nixos-install
# ./result/bin/nixos-install</screen>
<prompt># </prompt>mount -t tmpfs none /mnt
<prompt># </prompt>nixos-generate-config --root /mnt
<prompt>$ </prompt>nix-build '&lt;nixpkgs/nixos>' -A config.system.build.nixos-install
<prompt># </prompt>./result/bin/nixos-install</screen>
To start a login shell in the new NixOS installation in
<filename>/mnt</filename>:
<screen>
$ nix-build '&lt;nixpkgs/nixos>' -A config.system.build.nixos-enter
# ./result/bin/nixos-enter
<prompt>$ </prompt>nix-build '&lt;nixpkgs/nixos>' -A config.system.build.nixos-enter
<prompt># </prompt>./result/bin/nixos-enter
</screen>
</para>
</chapter>

14
nixos/doc/manual/development/writing-nixos-tests.xml
View File

@@ -397,9 +397,9 @@ startAll;
</para>
<para>
<programlisting>
$machine->systemctl("list-jobs --no-pager"); // runs `systemctl list-jobs --no-pager`
$machine->systemctl("list-jobs --no-pager", "any-user"); // spawns a shell for `any-user` and runs `systemctl --user list-jobs --no-pager`
</programlisting>
$machine->systemctl("list-jobs --no-pager"); // runs `systemctl list-jobs --no-pager`
$machine->systemctl("list-jobs --no-pager", "any-user"); // spawns a shell for `any-user` and runs `systemctl --user list-jobs --no-pager`
</programlisting>
</para>
</listitem>
</varlistentry>
@@ -410,10 +410,10 @@ startAll;
To test user units declared by <literal>systemd.user.services</literal> the
optional <literal>$user</literal> argument can be used:
<programlisting>
$machine->start;
$machine->waitForX;
$machine->waitForUnit("xautolock.service", "x-session-user");
</programlisting>
$machine->start;
$machine->waitForX;
$machine->waitForUnit("xautolock.service", "x-session-user");
</programlisting>
This applies to <literal>systemctl</literal>, <literal>getUnitInfo</literal>,
<literal>waitForUnit</literal>, <literal>startJob</literal> and
<literal>stopJob</literal>.

23
nixos/doc/manual/installation/changing-config.xml
View File

@@ -9,7 +9,8 @@
<link linkend="ch-configuration">changed something</link> in that file, you
should do
<screen>
# nixos-rebuild switch</screen>
<prompt># </prompt>nixos-rebuild switch
</screen>
to build the new configuration, make it the default configuration for
booting, and try to realise the configuration in the running system (e.g., by
restarting system services).
@@ -23,7 +24,8 @@
<para>
You can also do
<screen>
# nixos-rebuild test</screen>
<prompt># </prompt>nixos-rebuild test
</screen>
to build the configuration and switch the running system to it, but without
making it the boot default. So if (say) the configuration locks up your
machine, you can just reboot to get back to a working configuration.
@@ -31,7 +33,8 @@
<para>
There is also
<screen>
# nixos-rebuild boot</screen>
<prompt># </prompt>nixos-rebuild boot
</screen>
to build the configuration and make it the boot default, but not switch to it
now (so it will only take effect after the next reboot).
</para>
@@ -39,7 +42,8 @@
You can make your configuration show up in a different submenu of the GRUB 2
boot screen by giving it a different <emphasis>profile name</emphasis>, e.g.
<screen>
# nixos-rebuild switch -p test </screen>
<prompt># </prompt>nixos-rebuild switch -p test
</screen>
which causes the new configuration (and previous ones created using
<literal>-p test</literal>) to show up in the GRUB submenu “NixOS - Profile
'test'”. This can be useful to separate test configurations from
@@ -48,7 +52,8 @@
<para>
Finally, you can do
<screen>
$ nixos-rebuild build</screen>
<prompt>$ </prompt>nixos-rebuild build
</screen>
to build the configuration but nothing more. This is useful to see whether
everything compiles cleanly.
</para>
@@ -58,8 +63,8 @@ $ nixos-rebuild build</screen>
<emphasis>virtual machine</emphasis> that contains the desired configuration.
Just do
<screen>
$ nixos-rebuild build-vm
$ ./result/bin/run-*-vm
<prompt>$ </prompt>nixos-rebuild build-vm
<prompt>$ </prompt>./result/bin/run-*-vm
</screen>
The VM does not have any data from your host system, so your existing user
accounts and home directories will not be available unless you have set
@@ -74,12 +79,12 @@ $ ./result/bin/run-*-vm
guest. For instance, the following will forward host port 2222 to guest port
22 (SSH):
<screen>
$ QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
<prompt>$ </prompt>QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
</screen>
allowing you to log in via SSH (assuming you have set the appropriate
passwords or SSH authorized keys):
<screen>
$ ssh -p 2222 localhost
<prompt>$ </prompt>ssh -p 2222 localhost
</screen>
</para>
</chapter>

45
nixos/doc/manual/installation/installing-from-other-distro.xml
View File

@@ -47,8 +47,8 @@
Short version:
</para>
<screen>
$ curl https://nixos.org/nix/install | sh
$ . $HOME/.nix-profile/etc/profile.d/nix.sh # …or open a fresh shell</screen>
<prompt>$ </prompt>curl https://nixos.org/nix/install | sh
<prompt>$ </prompt>. $HOME/.nix-profile/etc/profile.d/nix.sh # …or open a fresh shell</screen>
<para>
More details in the
<link
@@ -65,14 +65,14 @@ $ . $HOME/.nix-profile/etc/profile.d/nix.sh # …or open a fresh shell</screen>
the <literal>nixpkgs</literal> channel by default.
</para>
<screen>
$ nix-channel --list
<prompt>$ </prompt>nix-channel --list
nixpkgs https://nixos.org/channels/nixpkgs-unstable</screen>
<para>
As that channel gets released without running the NixOS tests, it will be
safer to use the <literal>nixos-*</literal> channels instead:
</para>
<screen>
$ nix-channel --add https://nixos.org/channels/nixos-<replaceable>version</replaceable> nixpkgs</screen>
<prompt>$ </prompt>nix-channel --add https://nixos.org/channels/nixos-<replaceable>version</replaceable> nixpkgs</screen>
<para>
You may want to throw in a <literal>nix-channel --update</literal> for good
measure.
@@ -89,7 +89,7 @@ $ nix-channel --add https://nixos.org/channels/nixos-<replaceable>version</repla
NixOS partition. They are installed by default on NixOS, but you don't have
NixOS yet..
</para>
<screen>$ nix-env -iE "_: with import &lt;nixpkgs/nixos&gt; { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]"</screen>
<screen><prompt>$ </prompt>nix-env -iE "_: with import &lt;nixpkgs/nixos&gt; { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]"</screen>
</listitem>
<listitem>
<note>
@@ -116,7 +116,7 @@ $ nix-channel --add https://nixos.org/channels/nixos-<replaceable>version</repla
<para>
Generate your NixOS configuration:
</para>
<screen>$ sudo `which nixos-generate-config` --root /mnt</screen>
<screen><prompt>$ </prompt>sudo `which nixos-generate-config` --root /mnt</screen>
<para>
You'll probably want to edit the configuration files. Refer to the
<literal>nixos-generate-config</literal> step in
@@ -148,8 +148,8 @@ $ nix-channel --add https://nixos.org/channels/nixos-<replaceable>version</repla
distribution:
</para>
<screen>
$ sudo groupadd -g 30000 nixbld
$ sudo useradd -u 30000 -g nixbld -G nixbld nixbld</screen>
<prompt>$ </prompt>sudo groupadd -g 30000 nixbld
<prompt>$ </prompt>sudo useradd -u 30000 -g nixbld -G nixbld nixbld</screen>
</listitem>
<listitem>
<para>
@@ -161,7 +161,7 @@ $ sudo useradd -u 30000 -g nixbld -G nixbld nixbld</screen>
existing systems without the help of a rescue USB drive or similar.
</para>
</warning>
<screen>$ sudo PATH="$PATH" NIX_PATH="$NIX_PATH" `which nixos-install` --root /mnt</screen>
<screen><prompt>$ </prompt>sudo PATH="$PATH" NIX_PATH="$NIX_PATH" `which nixos-install` --root /mnt</screen>
<para>
Again, please refer to the <literal>nixos-install</literal> step in
<xref linkend="sec-installation" /> for more information.
@@ -175,8 +175,8 @@ $ sudo useradd -u 30000 -g nixbld -G nixbld nixbld</screen>
Optionally, you may want to clean up your non-NixOS distribution:
</para>
<screen>
$ sudo userdel nixbld
$ sudo groupdel nixbld</screen>
<prompt>$ </prompt>sudo userdel nixbld
<prompt>$ </prompt>sudo groupdel nixbld</screen>
<para>
If you do not wish to keep the Nix package manager installed either, run
something like <literal>sudo rm -rv ~/.nix-* /nix</literal> and remove the
@@ -193,7 +193,7 @@ $ sudo groupdel nixbld</screen>
<para>
Generate your NixOS configuration:
</para>
<screen>$ sudo `which nixos-generate-config` --root /</screen>
<screen><prompt>$ </prompt>sudo `which nixos-generate-config` --root /</screen>
<para>
Note that this will place the generated configuration files in
<literal>/etc/nixos</literal>. You'll probably want to edit the
@@ -212,21 +212,21 @@ $ sudo groupdel nixbld</screen>
</para>
<programlisting>
<link linkend="opt-users.users._name__.initialHashedPassword">users.users.root.initialHashedPassword</link> = "";
</programlisting>
</programlisting>
</listitem>
<listitem>
<para>
Build the NixOS closure and install it in the <literal>system</literal>
profile:
</para>
<screen>$ nix-env -p /nix/var/nix/profiles/system -f '&lt;nixpkgs/nixos&gt;' -I nixos-config=/etc/nixos/configuration.nix -iA system</screen>
<screen><prompt>$ </prompt>nix-env -p /nix/var/nix/profiles/system -f '&lt;nixpkgs/nixos&gt;' -I nixos-config=/etc/nixos/configuration.nix -iA system</screen>
</listitem>
<listitem>
<para>
Change ownership of the <literal>/nix</literal> tree to root (since your
Nix install was probably single user):
</para>
<screen>$ sudo chown -R 0.0 /nix</screen>
<screen><prompt>$ </prompt>sudo chown -R 0.0 /nix</screen>
</listitem>
<listitem>
<para>
@@ -284,16 +284,16 @@ $ sudo groupdel nixbld</screen>
Let's create the files:
</para>
<screen>
$ sudo touch /etc/NIXOS
$ sudo touch /etc/NIXOS_LUSTRATE
</screen>
<prompt>$ </prompt>sudo touch /etc/NIXOS
<prompt>$ </prompt>sudo touch /etc/NIXOS_LUSTRATE
</screen>
<para>
Let's also make sure the NixOS configuration files are kept once we reboot
on NixOS:
</para>
<screen>
$ echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE
</screen>
<prompt>$ </prompt>echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE
</screen>
</listitem>
<listitem>
<para>
@@ -312,8 +312,9 @@ $ echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE
</para>
</warning>
<screen>
$ sudo mv -v /boot /boot.bak &amp;&amp;
sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot</screen>
<prompt>$ </prompt>sudo mv -v /boot /boot.bak &amp;&amp;
sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot
</screen>
<para>
Cross your fingers, reboot, hopefully you should get a NixOS prompt!
</para>

10
nixos/doc/manual/installation/installing-usb.xml
View File

@@ -15,16 +15,16 @@
<note>
<title>On macOS</title>
<para>
<programlisting>
$ diskutil list
<screen>
<prompt>$ </prompt>diskutil list
[..]
/dev/diskN (external, physical):
#: TYPE NAME SIZE IDENTIFIER
[..]
$ diskutil unmountDisk diskN
<prompt>$ </prompt>diskutil unmountDisk diskN
Unmount of all volumes on diskN was successful
$ sudo dd if=nix.iso of=/dev/rdiskN
</programlisting>
<prompt>$ </prompt>sudo dd if=nix.iso of=/dev/rdiskN
</screen>
Using the 'raw' <command>rdiskN</command> device instead of
<command>diskN</command> completes in minutes instead of hours. After
<command>dd</command> completes, a GUI dialog "The disk you inserted was

88
nixos/doc/manual/installation/installing.xml
View File

@@ -110,7 +110,7 @@
<listitem>
<para>
Create a <emphasis>GPT</emphasis> partition table.
<screen language="commands"># parted /dev/sda -- mklabel gpt</screen>
<screen language="commands"><prompt># </prompt>parted /dev/sda -- mklabel gpt</screen>
</para>
</listitem>
<listitem>
@@ -118,14 +118,14 @@
Add the <emphasis>root</emphasis> partition. This will fill the disk
except for the end part, where the swap will live, and the space left in
front (512MiB) which will be used by the boot partition.
<screen language="commands"># parted /dev/sda -- mkpart primary 512MiB -8GiB</screen>
<screen language="commands"><prompt># </prompt>parted /dev/sda -- mkpart primary 512MiB -8GiB</screen>
</para>
</listitem>
<listitem>
<para>
Next, add a <emphasis>swap</emphasis> partition. The size required will
vary according to needs, here a 8GiB one is created.
<screen language="commands"># parted /dev/sda -- mkpart primary linux-swap -8GiB 100%</screen>
<screen language="commands"><prompt># </prompt>parted /dev/sda -- mkpart primary linux-swap -8GiB 100%</screen>
<note>
<para>
The swap partition size rules are no different than for other Linux
@@ -140,8 +140,8 @@
the ESP (EFI system partition) as its <emphasis>/boot</emphasis>
partition. It uses the initially reserved 512MiB at the start of the
disk.
<screen language="commands"># parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB
# parted /dev/sda -- set 3 boot on</screen>
<screen language="commands"><prompt># </prompt>parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB
<prompt># </prompt>parted /dev/sda -- set 3 boot on</screen>
</para>
</listitem>
</orderedlist>
@@ -172,21 +172,21 @@
<listitem>
<para>
Create a <emphasis>MBR</emphasis> partition table.
<screen language="commands"># parted /dev/sda -- mklabel msdos</screen>
<screen language="commands"><prompt># </prompt>parted /dev/sda -- mklabel msdos</screen>
</para>
</listitem>
<listitem>
<para>
Add the <emphasis>root</emphasis> partition. This will fill the the disk
except for the end part, where the swap will live.
<screen language="commands"># parted /dev/sda -- mkpart primary 1MiB -8GiB</screen>
<screen language="commands"><prompt># </prompt>parted /dev/sda -- mkpart primary 1MiB -8GiB</screen>
</para>
</listitem>
<listitem>
<para>
Finally, add a <emphasis>swap</emphasis> partition. The size required
will vary according to needs, here a 8GiB one is created.
<screen language="commands"># parted /dev/sda -- mkpart primary linux-swap -8GiB 100%</screen>
<screen language="commands"><prompt># </prompt>parted /dev/sda -- mkpart primary linux-swap -8GiB 100%</screen>
<note>
<para>
The swap partition size rules are no different than for other Linux
@@ -218,7 +218,7 @@
since this makes the file system configuration independent from device
changes. For example:
<screen>
# mkfs.ext4 -L nixos /dev/sda1</screen>
<prompt># </prompt>mkfs.ext4 -L nixos /dev/sda1</screen>
</para>
</listitem>
<listitem>
@@ -227,7 +227,7 @@
recommended to assign a label to the swap partition: <option>-L
<replaceable>label</replaceable></option>. For example:
<screen>
# mkswap -L swap /dev/sda2</screen>
<prompt># </prompt>mkswap -L swap /dev/sda2</screen>
</para>
</listitem>
<listitem>
@@ -242,7 +242,7 @@
its recommended to assign a label to the boot partition:
<option>-n <replaceable>label</replaceable></option>. For example:
<screen>
# mkfs.fat -F 32 -n boot /dev/sda3</screen>
<prompt># </prompt>mkfs.fat -F 32 -n boot /dev/sda3</screen>
</para>
</listitem>
</varlistentry>
@@ -273,7 +273,7 @@
Mount the target file system on which NixOS should be installed on
<filename>/mnt</filename>, e.g.
<screen>
# mount /dev/disk/by-label/nixos /mnt
<prompt># </prompt>mount /dev/disk/by-label/nixos /mnt
</screen>
</para>
</listitem>
@@ -287,8 +287,8 @@
<para>
Mount the boot file system on <filename>/mnt/boot</filename>, e.g.
<screen>
# mkdir -p /mnt/boot
# mount /dev/disk/by-label/boot /mnt/boot
<prompt># </prompt>mkdir -p /mnt/boot
<prompt># </prompt>mount /dev/disk/by-label/boot /mnt/boot
</screen>
</para>
</listitem>
@@ -303,7 +303,7 @@
the build actions that it may spawn) may need quite a bit of RAM,
depending on your configuration.
<screen>
# swapon /dev/sda2</screen>
<prompt># </prompt>swapon /dev/sda2</screen>
</para>
</listitem>
<listitem>
@@ -325,11 +325,11 @@
The command <command>nixos-generate-config</command> can generate an
initial configuration file for you:
<screen>
# nixos-generate-config --root /mnt</screen>
<prompt># </prompt>nixos-generate-config --root /mnt</screen>
You should then edit <filename>/mnt/etc/nixos/configuration.nix</filename>
to suit your needs:
<screen>
# nano /mnt/etc/nixos/configuration.nix
<prompt># </prompt>nano /mnt/etc/nixos/configuration.nix
</screen>
If youre using the graphical ISO image, other editors may be available
(such as <command>vim</command>). If you have network access, you can also
@@ -412,7 +412,7 @@
<para>
Do the installation:
<screen>
# nixos-install</screen>
<prompt># </prompt>nixos-install</screen>
Cross fingers. If this fails due to a temporary problem (such as a network
issue while downloading binaries from the NixOS binary cache), you can
just re-run <command>nixos-install</command>. Otherwise, fix your
@@ -439,7 +439,7 @@ Retype new UNIX password: ***</screen>
<para>
If everything went well:
<screen>
# reboot</screen>
<prompt># </prompt>reboot</screen>
</para>
</listitem>
<listitem>
@@ -460,16 +460,16 @@ Retype new UNIX password: ***</screen>
Youll probably want to create some user accounts as well, which can be
done with <command>useradd</command>:
<screen>
$ useradd -c 'Eelco Dolstra' -m eelco
$ passwd eelco</screen>
<prompt>$ </prompt>useradd -c 'Eelco Dolstra' -m eelco
<prompt>$ </prompt>passwd eelco</screen>
</para>
<para>
You may also want to install some software. For instance,
<screen>
$ nix-env -qa \*</screen>
<prompt>$ </prompt>nix-env -qa \*</screen>
shows what packages are available, and
<screen>
$ nix-env -i w3m</screen>
<prompt>$ </prompt>nix-env -i w3m</screen>
install the <literal>w3m</literal> browser.
</para>
</listitem>
@@ -489,19 +489,19 @@ $ nix-env -i w3m</screen>
<example xml:id="ex-partition-scheme-MBR">
<title>Example partition schemes for NixOS on <filename>/dev/sda</filename> (MBR)</title>
<screen language="commands">
# parted /dev/sda -- mklabel msdos
# parted /dev/sda -- mkpart primary 1MiB -8GiB
# parted /dev/sda -- mkpart primary linux-swap -8GiB 100%</screen>
<prompt># </prompt>parted /dev/sda -- mklabel msdos
<prompt># </prompt>parted /dev/sda -- mkpart primary 1MiB -8GiB
<prompt># </prompt>parted /dev/sda -- mkpart primary linux-swap -8GiB 100%</screen>
</example>
<example xml:id="ex-partition-scheme-UEFI">
<title>Example partition schemes for NixOS on <filename>/dev/sda</filename> (UEFI)</title>
<screen language="commands">
# parted /dev/sda -- mklabel gpt
# parted /dev/sda -- mkpart primary 512MiB -8GiB
# parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
# parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB
# parted /dev/sda -- set 3 boot on</screen>
<prompt># </prompt>parted /dev/sda -- mklabel gpt
<prompt># </prompt>parted /dev/sda -- mkpart primary 512MiB -8GiB
<prompt># </prompt>parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
<prompt># </prompt>parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB
<prompt># </prompt>parted /dev/sda -- set 3 boot on</screen>
</example>
<example xml:id="ex-install-sequence">
@@ -509,23 +509,23 @@ $ nix-env -i w3m</screen>
<para>
With a partitioned disk.
<screen language="commands">
# mkfs.ext4 -L nixos /dev/sda1
# mkswap -L swap /dev/sda2
# swapon /dev/sda2
# mkfs.fat -F 32 -n boot /dev/sda3 # <lineannotation>(for UEFI systems only)</lineannotation>
# mount /dev/disk/by-label/nixos /mnt
# mkdir -p /mnt/boot # <lineannotation>(for UEFI systems only)</lineannotation>
# mount /dev/disk/by-label/boot /mnt/boot # <lineannotation>(for UEFI systems only)</lineannotation>
# nixos-generate-config --root /mnt
# nano /mnt/etc/nixos/configuration.nix
# nixos-install
# reboot</screen>
<prompt># </prompt>mkfs.ext4 -L nixos /dev/sda1
<prompt># </prompt>mkswap -L swap /dev/sda2
<prompt># </prompt>swapon /dev/sda2
<prompt># </prompt>mkfs.fat -F 32 -n boot /dev/sda3 # <lineannotation>(for UEFI systems only)</lineannotation>
<prompt># </prompt>mount /dev/disk/by-label/nixos /mnt
<prompt># </prompt>mkdir -p /mnt/boot # <lineannotation>(for UEFI systems only)</lineannotation>
<prompt># </prompt>mount /dev/disk/by-label/boot /mnt/boot # <lineannotation>(for UEFI systems only)</lineannotation>
<prompt># </prompt>nixos-generate-config --root /mnt
<prompt># </prompt>nano /mnt/etc/nixos/configuration.nix
<prompt># </prompt>nixos-install
<prompt># </prompt>reboot</screen>
</para>
</example>
<example xml:id='ex-config'>
<title>NixOS Configuration</title>
<screen>
<programlisting>
{ config, pkgs, ... }: {
imports = [
# Include the results of the hardware scan.
@@ -543,7 +543,7 @@ $ nix-env -i w3m</screen>
# Enable the OpenSSH server.
services.sshd.enable = true;
}
</screen>
</programlisting>
</example>
</section>
<section xml:id="sec-installation-additional-notes">

10
nixos/doc/manual/man-nixos-generate-config.xml
View File

@@ -13,18 +13,18 @@
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>nixos-generate-config</command>
<command>nixos-generate-config</command>
<arg>
<option>--force</option>
</arg>
<arg>
<arg choice='plain'>
<option>--root</option>
</arg>
<replaceable>root</replaceable>
</arg>
<arg>
<arg choice='plain'>
<option>--dir</option>
@@ -154,7 +154,7 @@
file systems on <filename>/mnt</filename> and
<filename>/mnt/boot</filename>, you would run:
<screen>
$ nixos-generate-config --root /mnt
<prompt>$ </prompt>nixos-generate-config --root /mnt
</screen>
The resulting file
<filename>/mnt/etc/nixos/hardware-configuration.nix</filename> might look
@@ -204,7 +204,7 @@ $ nixos-generate-config --root /mnt
<para>
After installation, if your hardware configuration changes, you can run:
<screen>
$ nixos-generate-config
<prompt>$ </prompt>nixos-generate-config
</screen>
to update <filename>/etc/nixos/hardware-configuration.nix</filename>. Your
<filename>/etc/nixos/configuration.nix</filename> will

38
nixos/doc/manual/man-nixos-install.xml
View File

@@ -13,72 +13,72 @@
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>nixos-install</command>
<command>nixos-install</command>
<arg>
<arg choice='plain'>
<option>-I</option>
</arg>
<replaceable>path</replaceable>
</arg>
<arg>
<arg choice='plain'>
<option>--root</option>
</arg>
<replaceable>root</replaceable>
</arg>
<arg>
<arg choice='plain'>
<option>--system</option>
</arg>
<replaceable>path</replaceable>
</arg>
<arg>
<arg choice='plain'>
<option>--no-channel-copy</option>
</arg>
</arg>
<arg>
<arg choice='plain'>
<option>--no-root-passwd</option>
</arg>
</arg>
<arg>
<arg choice='plain'>
<option>--no-bootloader</option>
</arg>
</arg>
<arg>
<group choice='req'>
<group choice='req'>
<arg choice='plain'>
<option>--max-jobs</option>
</arg>
<arg choice='plain'>
<option>-j</option>
</arg>
</group> <replaceable>number</replaceable>
</arg>
<arg>
<option>--cores</option> <replaceable>number</replaceable>
</arg>
<arg>
<option>--option</option> <replaceable>name</replaceable> <replaceable>value</replaceable>
</arg>
<arg>
<arg choice='plain'>
<option>--show-trace</option>
</arg>
</arg>
<arg>
<arg choice='plain'>
<option>--help</option>
@@ -255,12 +255,12 @@
on an <literal>ext4</literal> file system created in
<filename>/dev/sda1</filename>:
<screen>
$ mkfs.ext4 /dev/sda1
$ mount /dev/sda1 /mnt
$ nixos-generate-config --root /mnt
$ # edit /mnt/etc/nixos/configuration.nix
$ nixos-install
$ reboot
<prompt>$ </prompt>mkfs.ext4 /dev/sda1
<prompt>$ </prompt>mount /dev/sda1 /mnt
<prompt>$ </prompt>nixos-generate-config --root /mnt
<prompt>$ </prompt># edit /mnt/etc/nixos/configuration.nix
<prompt>$ </prompt>nixos-install
<prompt>$ </prompt>reboot
</screen>
</para>
</refsection>

12
nixos/doc/manual/man-nixos-option.xml
View File

@@ -13,19 +13,19 @@
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>nixos-option</command>
<command>nixos-option</command>
<arg>
<option>-I</option> <replaceable>path</replaceable>
</arg>
<arg>
<option>--verbose</option>
</arg>
<arg>
<option>--xml</option>
</arg>
<arg choice="plain">
<replaceable>option.name</replaceable>
</arg>
@@ -103,13 +103,13 @@
<title>Examples</title>
<para>
Investigate option values:
<screen>$ nixos-option boot.loader
<screen><prompt>$ </prompt>nixos-option boot.loader
This attribute set contains:
generationsDir
grub
initScript
$ nixos-option boot.loader.grub.enable
<prompt>$ </prompt>nixos-option boot.loader.grub.enable
Value:
true

40
nixos/doc/manual/man-nixos-rebuild.xml
View File

@@ -13,39 +13,39 @@
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>nixos-rebuild</command><group choice='req'>
<command>nixos-rebuild</command><group choice='req'>
<arg choice='plain'>
<option>switch</option>
</arg>
<arg choice='plain'>
<option>boot</option>
</arg>
<arg choice='plain'>
<option>test</option>
</arg>
<arg choice='plain'>
<option>build</option>
</arg>
<arg choice='plain'>
<option>dry-build</option>
</arg>
<arg choice='plain'>
<option>dry-activate</option>
</arg>
<arg choice='plain'>
<option>edit</option>
</arg>
<arg choice='plain'>
<option>build-vm</option>
</arg>
<arg choice='plain'>
<option>build-vm-with-bootloader</option>
</arg>
@@ -54,33 +54,33 @@
<arg>
<option>--upgrade</option>
</arg>
<arg>
<option>--install-bootloader</option>
</arg>
<arg>
<option>--no-build-nix</option>
</arg>
<arg>
<option>--fast</option>
</arg>
<arg>
<option>--rollback</option>
</arg>
<arg>
<option>--builders</option> <replaceable>builder-spec</replaceable>
</arg>
<sbr />
<arg>
<group choice='req'>
<group choice='req'>
<arg choice='plain'>
<option>--profile-name</option>
</arg>
<arg choice='plain'>
<option>-p</option>
</arg>
@@ -160,7 +160,7 @@
the current directory, which points to the output of the top-level
“system” derivation. This is essentially the same as doing
<screen>
$ nix-build /path/to/nixpkgs/nixos -A system
<prompt>$ </prompt>nix-build /path/to/nixpkgs/nixos -A system
</screen>
Note that you do not need to be <literal>root</literal> to run
<command>nixos-rebuild build</command>.
@@ -215,8 +215,8 @@ $ nix-build /path/to/nixpkgs/nixos -A system
at the script that starts the VM. Thus, to test a NixOS configuration in
a virtual machine, you should do the following:
<screen>
$ nixos-rebuild build-vm
$ ./result/bin/run-*-vm
<prompt>$ </prompt>nixos-rebuild build-vm
<prompt>$ </prompt>./result/bin/run-*-vm
</screen>
</para>
<para>
@@ -375,7 +375,7 @@ $ ./result/bin/run-*-vm
<filename>test.nix</filename> without affecting the default system
profile, you would do:
<screen>
$ nixos-rebuild switch -p test -I nixos-config=./test.nix
<prompt>$ </prompt>nixos-rebuild switch -p test -I nixos-config=./test.nix
</screen>
The new configuration will appear in the GRUB 2 submenu “NixOS -
Profile 'test'”.

2
nixos/doc/manual/release-notes/rl-1509.xml
View File

@@ -627,7 +627,7 @@ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA haskellPackages.pandoc
In case of an infinite loop, use the <command>--show-trace</command>
command line argument and read the line just above the error message.
<screen>
$ nixos-rebuild build --show-trace
<prompt>$ </prompt>nixos-rebuild build --show-trace
while evaluating the module argument `pkgs' in "/etc/nixos/my-module.nix":
infinite recursion encountered

16
nixos/doc/manual/release-notes/rl-1703.xml
View File

@@ -626,17 +626,17 @@
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
overlays</link>. For example, the following code:
<programlisting>
let
pkgs = import &lt;nixpkgs&gt; {};
in
pkgs.overridePackages (self: super: ...)
let
pkgs = import &lt;nixpkgs&gt; {};
in
pkgs.overridePackages (self: super: ...)
</programlisting>
should be replaced by:
<programlisting>
let
pkgs = import &lt;nixpkgs&gt; {};
in
import pkgs.path { overlays = [(self: super: ...)]; }
let
pkgs = import &lt;nixpkgs&gt; {};
in
import pkgs.path { overlays = [(self: super: ...)]; }
</programlisting>
</para>
</listitem>

7
nixos/doc/manual/release-notes/rl-1903.xml
View File

@@ -3,7 +3,7 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-19.03">
<title>Release 19.03 (“Koi”, 2019/03/??)</title>
<title>Release 19.03 (“Koi”, 2019/04/11)</title>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
@@ -18,6 +18,11 @@
</para>
<itemizedlist>
<listitem>
<para>
End of support is planned for end of October 2019, handing over to 19.09.
</para>
</listitem>
<listitem>
<para>
The default Python 3 interpreter is now CPython 3.7 instead of CPython

226
nixos/doc/manual/release-notes/rl-1909.xml
View File

@@ -19,7 +19,19 @@
<itemizedlist>
<listitem>
<para />
<para>
End of support is planned for end of April 2020, handing over to 20.03.
</para>
</listitem>
<listitem>
<para>
PHP now defaults to PHP 7.3, updated from 7.2.
</para>
</listitem>
<listitem>
<para>
PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.
</para>
</listitem>
</itemizedlist>
</section>
@@ -69,37 +81,118 @@
</listitem>
<listitem>
<para>
The options <option>services.prometheus.alertmanager.user</option> and
<option>services.prometheus.alertmanager.group</option> have been removed
because the alertmanager service is now using systemd's <link
xlink:href="http://0pointer.net/blog/dynamic-users-with-systemd.html">
DynamicUser mechanism</link> which obviates these options.
The options <option>services.prometheus.alertmanager.user</option> and
<option>services.prometheus.alertmanager.group</option> have been removed
because the alertmanager service is now using systemd's <link
xlink:href="http://0pointer.net/blog/dynamic-users-with-systemd.html">
DynamicUser mechanism</link> which obviates these options.
</para>
</listitem>
<listitem>
<para>
The NetworkManager systemd unit was renamed back from network-manager.service to
NetworkManager.service for better compatibility with other applications expecting this name.
The same applies to ModemManager where modem-manager.service is now called ModemManager.service again.
The NetworkManager systemd unit was renamed back from network-manager.service to
NetworkManager.service for better compatibility with other applications expecting this name.
The same applies to ModemManager where modem-manager.service is now called ModemManager.service again.
</para>
</listitem>
<listitem>
<para>
The <option>services.nzbget.configFile</option> and <option>services.nzbget.openFirewall</option>
options were removed as they are managed internally by the nzbget. The
<option>services.nzbget.dataDir</option> option hadn't actually been used by
the module for some time and so was removed as cleanup.
The <option>services.nzbget.configFile</option> and <option>services.nzbget.openFirewall</option>
options were removed as they are managed internally by the nzbget. The
<option>services.nzbget.dataDir</option> option hadn't actually been used by
the module for some time and so was removed as cleanup.
</para>
</listitem>
<listitem>
<para>
The <option>services.emby.enable</option> module has been removed, see
<option>services.jellyfin.enable</option> instead for a free software fork of Emby.
The <option>services.mysql.pidDir</option> option was removed, as it was only used by the wordpress
apache-httpd service to wait for mysql to have started up.
This can be accomplished by either describing a dependency on mysql.service (preferred)
or waiting for the (hardcoded) <filename>/run/mysqld/mysql.sock</filename> file to appear.
</para>
</listitem>
<listitem>
<para>
The <option>services.emby.enable</option> module has been removed, see
<option>services.jellyfin.enable</option> instead for a free software fork of Emby.
See the Jellyfin documentation:
<link xlink:href="https://jellyfin.readthedocs.io/en/latest/administrator-docs/migrate-from-emby/">
Migrating from Emby to Jellyfin
</link>
See the Jellyfin documentation:
<link xlink:href="https://jellyfin.readthedocs.io/en/latest/administrator-docs/migrate-from-emby/">
Migrating from Emby to Jellyfin
</link>
</para>
</listitem>
<listitem>
<para>
IPv6 Privacy Extensions are now enabled by default for undeclared
interfaces. The previous behaviour was quite misleading — even though
the default value for
<option>networking.interfaces.*.preferTempAddress</option> was
<literal>true</literal>, undeclared interfaces would not prefer temporary
addresses. Now, interfaces not mentioned in the config will prefer
temporary addresses. EUI64 addresses can still be set as preferred by
explicitly setting the option to <literal>false</literal> for the
interface in question.
</para>
</listitem>
<listitem>
<para>
Since Bittorrent Sync was superseded by Resilio Sync in 2016, the
<literal>bittorrentSync</literal>, <literal>bittorrentSync14</literal>,
and <literal>bittorrentSync16</literal> packages have been removed in
favor of <literal>resilio-sync</literal>.
</para>
<para>
The corresponding module, <option>services.btsync</option> has been
replaced by the <option>services.resilio</option> module.
</para>
</listitem>
<listitem>
<para>
Several of the apache subservices have been replaced with full NixOS
modules including LimeSurvey, WordPress, and Zabbix.
These modules can be enabled using the <option>services.limesurvey.enable</option>,
<option>services.wordpress.enable</option>, and <option>services.zabbixWeb.enable</option> options.
</para>
</listitem>
<listitem>
<para>
The option <option>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnlink</option>
was renamed to <option>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnLink</option>
(capital <literal>L</literal>). This follows
<link xlink:href="https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c">
upstreams renaming
</link> of the setting.
</para>
</listitem>
<listitem>
<para>
As of this release the NixOps feature <literal>autoLuks</literal> is deprecated. It no longer works
with our systemd version without manual intervention.
</para>
<para>
Whenever the usage of the module is detected the evaluation will fail with a message
explaining why and how to deal with the situation.
</para>
<para>
A new knob named <literal>nixops.enableDeprecatedAutoLuks</literal>
has been introduced to disable the eval failure and to acknowledge the notice was received and read.
If you plan on using the feature please note that it might break with subsequent updates.
</para>
<para>
Make sure you set the <literal>_netdev</literal> option for each of the file systems referring to block
devices provided by the autoLuks module. Not doing this might render the system in a
state where it doesn't boot anymore.
</para>
<para>
If you are actively using the <literal>autoLuks</literal> module please let us know in
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue #62211</link>.
</para>
</listitem>
<listitem>
<para>
The setopt declarations will be evaluated at the end of <literal>/etc/zshrc</literal>, so any code in <xref linkend="opt-programs.zsh.interactiveShellInit" />,
<xref linkend="opt-programs.zsh.loginShellInit" /> and <xref linkend="opt-programs.zsh.promptInit" /> may break if it relies on those options being set.
</para>
</listitem>
</itemizedlist>
@@ -154,6 +247,101 @@
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>hunspellDicts.fr-any</literal> dictionary now ships with <literal>fr_FR.{aff,dic}</literal>
which is linked to <literal>fr-toutesvariantes.{aff,dic}</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>mysql</literal> service now runs as <literal>mysql</literal>
user. Previously, systemd did execute it as root, and mysql dropped privileges
itself.
This includes <literal>ExecStartPre=</literal> and
<literal>ExecStartPost=</literal> phases.
To accomplish that, runtime and data directory setup was delegated to
RuntimeDirectory and tmpfiles.
</para>
</listitem>
<listitem>
<para>
With the upgrade to systemd version 242 the <literal>systemd-timesyncd</literal>
service is no longer using <literal>DynamicUser=yes</literal>. In order for the
upgrade to work we rely on an activation script to move the state from the old
to the new directory. The older directory (prior <literal>19.09</literal>) was
<literal>/var/lib/private/systemd/timesync</literal>.
</para>
<para>
As long as the <literal>system.config.stateVersion</literal> is below
<literal>19.09</literal> the state folder will migrated to its proper location
(<literal>/var/lib/systemd/timesync</literal>), if required.
</para>
</listitem>
<listitem>
<para>
The package <literal>avahi</literal> is now built to look up service
definitions from <literal>/etc/avahi/services</literal> instead of its
output directory in the nix store. Accordingly the module
<option>avahi</option> now supports custom service definitions via
<option>services.avahi.extraServiceFiles</option>, which are then placed
in the aforementioned directory. See <citerefentry>
<refentrytitle>avahi.service</refentrytitle><manvolnum>5</manvolnum>
</citerefentry> for more information on custom service definitions.
</para>
</listitem>
<listitem>
<para>
Since version 0.1.19, <literal>cargo-vendor</literal> honors package
includes that are specified in the <filename>Cargo.toml</filename>
file of Rust crates. <literal>rustPlatform.buildRustPackage</literal> uses
<literal>cargo-vendor</literal> to collect and build dependent crates.
Since this change in <literal>cargo-vendor</literal> changes the set of
vendored files for most Rust packages, the hash that use used to verify
the dependencies, <literal>cargoSha256</literal>, also changes.
</para>
<para>
The <literal>cargoSha256</literal> hashes of all in-tree derivations that
use <literal>buildRustPackage</literal> have been updated to reflect this
change. However, third-party derivations that use
<literal>buildRustPackage</literal> may have to be updated as well.
</para>
</listitem>
<listitem>
<para>
The <literal>consul</literal> package was upgraded past version <literal>1.5</literal>,
so its deprecated legacy UI is no longer available.
</para>
</listitem>
<listitem>
<para>
The default resample-method for PulseAudio has been changed from the upstream default <literal>speex-float-1</literal>
to <literal>speex-float-5</literal>. Be aware that low-powered ARM-based and MIPS-based boards will struggle with this
so you'll need to set <option>hardware.pulseaudio.daemon.config.resample-method</option> back to <literal>speex-float-1</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>phabricator</literal> package and associated <literal>httpd.extraSubservice</literal>, as well as the
<literal>phd</literal> service have been removed from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>mercurial</literal> <literal>httpd.extraSubservice</literal> has been removed from nixpkgs due to lack of maintainer.
</para>
</listitem>
<listitem>
<para>
The <literal>trac</literal> <literal>httpd.extraSubservice</literal> has been removed from nixpkgs because it was unmaintained.
</para>
</listitem>
<listitem>
<para>
The <literal>foswiki</literal> package and associated <literal>httpd.extraSubservice</literal> have been removed
from nixpkgs due to lack of maintainer.
</para>
</listitem>
</itemizedlist>
</section>
</section>

8
nixos/lib/build-vms.nix
View File

@@ -32,14 +32,14 @@ rec {
import ./eval-config.nix {
inherit system;
modules = configurations ++
modules = configurations ++ extraConfigurations;
baseModules = (import ../modules/module-list.nix) ++
[ ../modules/virtualisation/qemu-vm.nix
../modules/testing/test-instrumentation.nix # !!! should only get added for automated test runs
{ key = "no-manual"; documentation.nixos.enable = false; }
{ key = "qemu"; system.build.qemu = qemu; }
] ++ optional minimal ../modules/testing/minimal-kernel.nix
++ extraConfigurations;
extraArgs = { inherit nodes; };
{ key = "nodes"; _module.args.nodes = nodes; }
] ++ optional minimal ../modules/testing/minimal-kernel.nix;
};

25
nixos/lib/make-ext4-fs.nix
View File

@@ -1,9 +1,14 @@
# Builds an ext4 image containing a populated /nix/store with the closure
# of store paths passed in the storePaths parameter. The generated image
# is sized to only fit its contents, with the expectation that a script
# resizes the filesystem at boot time.
# of store paths passed in the storePaths parameter, in addition to the
# contents of a directory that can be populated with commands. The
# generated image is sized to only fit its contents, with the expectation
# that a script resizes the filesystem at boot time.
{ pkgs
# List of derivations to be included
, storePaths
# Shell commands to populate the ./files directory.
# All files in that directory are copied to the root of the FS.
, populateImageCommands ? ""
, volumeLabel
, uuid ? "44444444-4444-4444-8888-888888888888"
, e2fsprogs
@@ -23,13 +28,17 @@ pkgs.stdenv.mkDerivation {
buildCommand =
''
(
mkdir -p ./files
${populateImageCommands}
)
# Add the closures of the top-level store objects.
storePaths=$(cat ${sdClosureInfo}/store-paths)
# Make a crude approximation of the size of the target image.
# If the script starts failing, increase the fudge factors here.
numInodes=$(find $storePaths | wc -l)
numDataBlocks=$(du -c -B 4096 --apparent-size $storePaths | awk '$2 == "total" { print int($1 * 1.03) }')
numInodes=$(find $storePaths ./files | wc -l)
numDataBlocks=$(du -s -c -B 4096 --apparent-size $storePaths ./files | tail -1 | awk '{ print int($1 * 1.03) }')
bytes=$((2 * 4096 * $numInodes + 4096 * $numDataBlocks))
echo "Creating an EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks)"
@@ -47,6 +56,12 @@ pkgs.stdenv.mkDerivation {
echo "copying store paths to image..."
cptofs -t ext4 -i $out $storePaths /nix/store/
(
echo "copying files to image..."
cd ./files
cptofs -t ext4 -i $out ./* /
)
# I have ended up with corrupted images sometimes, I suspect that happens when the build machine's disk gets full during the build.
if ! fsck.ext4 -n -f $out; then
echo "--- Fsck failed for EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks) ---"

5
nixos/lib/test-driver/Machine.pm
View File

@@ -31,9 +31,12 @@ sub new {
if (!$startCommand) {
# !!! merge with qemu-vm.nix.
my $netArgs = "";
$netArgs .= ",romfile=$args->{netRomFile}"
if defined $args->{netRomFile};
$startCommand =
"qemu-kvm -m 384 " .
"-net nic,model=virtio \$QEMU_OPTS ";
"-device virtio-net-pci,netdev=net0${netArgs} \$QEMU_OPTS ";
if (defined $args->{hda}) {
if ($args->{hdaInterface} eq "scsi") {

2
nixos/lib/testing.nix
View File

@@ -24,7 +24,7 @@ in rec {
buildInputs = [ makeWrapper perl ];
unpackPhase = "true";
dontUnpack = true;
preferLocalBuild = true;

2
nixos/lib/testing/jquery.nix
View File

@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
sha256 = "1v956yf5spw0156rni5z77hzqwmby7ajwdcd6mkhb6zvl36awr90";
};
unpackPhase = "true";
dontUnpack = true;
installPhase =
''

2
nixos/maintainers/option-usages.nix
View File

@@ -145,7 +145,7 @@ let
displayOptionsGraph =
let
checkList =
if !(isNull testOption) then [ testOption ]
if testOption != null then [ testOption ]
else testOptions;
checkAll = checkList == [];
in

2
nixos/modules/config/fonts/fontconfig-penultimate.nix
View File

@@ -31,7 +31,7 @@ let
# use latest when no version is passed
makeCacheConf = { version ? null }:
let
fcPackage = if builtins.isNull version
fcPackage = if version == null
then "fontconfig"
else "fontconfig_${version}";
makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };

2
nixos/modules/config/fonts/fontconfig.nix
View File

@@ -46,7 +46,7 @@ let cfg = config.fonts.fontconfig;
# use latest when no version is passed
makeCacheConf = { version ? null }:
let
fcPackage = if builtins.isNull version
fcPackage = if version == null
then "fontconfig"
else "fontconfig_${version}";
makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };

91
nixos/modules/config/malloc.nix Normal file
View File

@@ -0,0 +1,91 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.environment.memoryAllocator;
# The set of alternative malloc(3) providers.
providers = {
"graphene-hardened" = rec {
libPath = "${pkgs.graphene-hardened-malloc}/lib/libhardened_malloc.so";
description = ''
An allocator designed to mitigate memory corruption attacks, such as
those caused by use-after-free bugs.
'';
};
"jemalloc" = {
libPath = "${pkgs.jemalloc}/lib/libjemalloc.so";
description = ''
A general purpose allocator that emphasizes fragmentation avoidance
and scalable concurrency support.
'';
};
"scudo" = {
libPath = "${pkgs.llvmPackages.compiler-rt}/lib/linux/libclang_rt.scudo-x86_64.so";
description = ''
A user-mode allocator based on LLVM Sanitizers CombinedAllocator,
which aims at providing additional mitigations against heap based
vulnerabilities, while maintaining good performance.
'';
};
};
providerConf = providers."${cfg.provider}";
# An output that contains only the shared library, to avoid
# needlessly bloating the system closure
mallocLib = pkgs.runCommand "malloc-provider-${cfg.provider}"
rec {
preferLocalBuild = true;
allowSubstitutes = false;
origLibPath = providerConf.libPath;
libName = baseNameOf origLibPath;
}
''
mkdir -p $out/lib
cp -L $origLibPath $out/lib/$libName
'';
# The full path to the selected provider shlib.
providerLibPath = "${mallocLib}/lib/${mallocLib.libName}";
in
{
meta = {
maintainers = [ maintainers.joachifm ];
};
options = {
environment.memoryAllocator.provider = mkOption {
type = types.enum ([ "libc" ] ++ attrNames providers);
default = "libc";
description = ''
The system-wide memory allocator.
Briefly, the system-wide memory allocator providers are:
<itemizedlist>
<listitem><para><literal>libc</literal>: the standard allocator provided by libc</para></listitem>
${toString (mapAttrsToList
(name: value: "<listitem><para><literal>${name}</literal>: ${value.description}</para></listitem>")
providers)}
</itemizedlist>
<warning>
<para>
Selecting an alternative allocator (i.e., anything other than
<literal>libc</literal>) may result in instability, data loss,
and/or service failure.
</para>
</warning>
'';
};
};
config = mkIf (cfg.provider != "libc") {
environment.etc."ld-nix.so.preload".text = ''
${providerLibPath}
'';
};
}

9
nixos/modules/config/networking.nix
View File

@@ -233,7 +233,7 @@ in
oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip};
allToString = set: concatMapStringsSep "\n" (oneToString set) (attrNames set);
in ''
${allToString cfg.hosts}
${allToString (filterAttrs (_: v: v != []) cfg.hosts)}
${cfg.extraHosts}
'';
@@ -309,8 +309,11 @@ in
ln -s /run/systemd/resolve/resolv.conf /run/resolvconf/interfaces/systemd
''}
# Make sure resolv.conf is up to date if not managed manually or by systemd
${optionalString (!config.environment.etc?"resolv.conf") ''
# Make sure resolv.conf is up to date if not managed manually, by systemd or
# by NetworkManager
${optionalString (!config.environment.etc?"resolv.conf" &&
(cfg.networkmanager.enable ->
cfg.networkmanager.rc-manager == "resolvconf")) ''
${pkgs.openresolv}/bin/resolvconf -u
''}
'';

3
nixos/modules/config/pulseaudio.nix
View File

@@ -245,6 +245,9 @@ in {
# Disable flat volumes to enable relative ones
hardware.pulseaudio.daemon.config.flat-volumes = mkDefault "no";
# Upstream defaults to speex-float-1 which results in audible artifacts
hardware.pulseaudio.daemon.config.resample-method = mkDefault "speex-float-5";
# Allow PulseAudio to get realtime priority using rtkit.
security.rtkit.enable = true;

2
nixos/modules/config/sysctl.nix
View File

@@ -8,7 +8,7 @@ let
name = "sysctl option value";
check = val:
let
checkType = x: isBool x || isString x || isInt x || isNull x;
checkType = x: isBool x || isString x || isInt x || x == null;
in
checkType val || (val._type or "" == "override" && checkType val.content);
merge = loc: defs: mergeOneOption loc (filterOverrides defs);

2
nixos/modules/config/xdg/mime.nix
View File

@@ -24,7 +24,7 @@ with lib;
environment.extraSetup = ''
if [ -w $out/share/mime ] && [ -d $out/share/mime/packages ]; then
XDG_DATA_DIRS=$out/share ${pkgs.buildPackages.shared-mime-info}/bin/update-mime-database -V $out/share/mime > /dev/null
XDG_DATA_DIRS=$out/share PKGSYSTEM_ENABLE_FSYNC=0 ${pkgs.buildPackages.shared-mime-info}/bin/update-mime-database -V $out/share/mime > /dev/null
fi
if [ -w $out/share/applications ]; then

3
nixos/modules/hardware/all-firmware.nix
View File

@@ -63,8 +63,7 @@ in {
b43Firmware_5_1_138
b43Firmware_6_30_163_46
b43FirmwareCutter
facetimehd-firmware
];
] ++ optional (pkgs.stdenv.hostPlatform.isi686 || pkgs.stdenv.hostPlatform.isx86_64) facetimehd-firmware;
})
];
}

22
nixos/modules/hardware/ksm.nix
View File

@@ -1,9 +1,24 @@
{ config, lib, ... }:
{
options.hardware.enableKSM = lib.mkEnableOption "Kernel Same-Page Merging";
with lib;
config = lib.mkIf config.hardware.enableKSM {
let
cfg = config.hardware.ksm;
in {
options.hardware.ksm = {
enable = mkEnableOption "Kernel Same-Page Merging";
sleep = mkOption {
type = types.nullOr types.int;
default = null;
description = ''
How many milliseconds ksmd should sleep between scans.
Setting it to <literal>null</literal> uses the kernel's default time.
'';
};
};
config = mkIf cfg.enable {
systemd.services.enable-ksm = {
description = "Enable Kernel Same-Page Merging";
wantedBy = [ "multi-user.target" ];
@@ -11,6 +26,7 @@
script = ''
if [ -e /sys/kernel/mm/ksm ]; then
echo 1 > /sys/kernel/mm/ksm/run
${optionalString (cfg.sleep != null) ''echo ${toString cfg.sleep} > /sys/kernel/mm/ksm/sleep_millisecs''}
fi
'';
};

24
nixos/modules/hardware/opengl.nix
View File

@@ -11,9 +11,9 @@ let
videoDrivers = config.services.xserver.videoDrivers;
makePackage = p: pkgs.buildEnv {
name = "mesa-drivers+txc-${p.mesa_drivers.version}";
name = "mesa-drivers+txc-${p.mesa.version}";
paths =
[ p.mesa_drivers
[ p.mesa.drivers
(if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
];
};
@@ -118,6 +118,19 @@ in
set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc.
'';
};
setLdLibraryPath = mkOption {
type = types.bool;
internal = true;
default = false;
description = ''
Whether the <literal>LD_LIBRARY_PATH</literal> environment variable
should be set to the locations of driver libraries. Drivers which
rely on overriding libraries should set this to true. Drivers which
support <literal>libglvnd</literal> and other dispatch libraries
instead of overriding libraries should not set this.
'';
};
};
};
@@ -145,11 +158,8 @@ in
)
];
environment.sessionVariables.LD_LIBRARY_PATH =
[ "/run/opengl-driver/lib" ] ++ optional cfg.driSupport32Bit "/run/opengl-driver-32/lib";
environment.variables.XDG_DATA_DIRS =
[ "/run/opengl-driver/share" ] ++ optional cfg.driSupport32Bit "/run/opengl-driver-32/share";
environment.sessionVariables.LD_LIBRARY_PATH = mkIf cfg.setLdLibraryPath
([ "/run/opengl-driver/lib" ] ++ optional cfg.driSupport32Bit "/run/opengl-driver-32/lib");
hardware.opengl.package = mkDefault (makePackage pkgs);
hardware.opengl.package32 = mkDefault (makePackage pkgs.pkgsi686Linux);

3
nixos/modules/hardware/video/amdgpu-pro.nix
View File

@@ -30,10 +30,11 @@ in
nixpkgs.config.xorg.abiCompat = "1.19";
services.xserver.drivers = singleton
{ name = "amdgpu"; modules = [ package ]; libPath = [ package ]; };
{ name = "amdgpu"; modules = [ package ]; };
hardware.opengl.package = package;
hardware.opengl.package32 = package32;
hardware.opengl.setLdLibraryPath = true;
boot.extraModulePackages = [ package ];

3
nixos/modules/hardware/video/ati.nix
View File

@@ -21,10 +21,11 @@ in
nixpkgs.config.xorg.abiCompat = "1.17";
services.xserver.drivers = singleton
{ name = "fglrx"; modules = [ ati_x11 ]; libPath = [ "${ati_x11}/lib" ]; };
{ name = "fglrx"; modules = [ ati_x11 ]; };
hardware.opengl.package = ati_x11;
hardware.opengl.package32 = pkgs.pkgsi686Linux.linuxPackages.ati_drivers_x11.override { libsOnly = true; kernel = null; };
hardware.opengl.setLdLibraryPath = true;
environment.systemPackages = [ ati_x11 ];

3
nixos/modules/hardware/video/nvidia.nix
View File

@@ -1,6 +1,6 @@
# This module provides the proprietary NVIDIA X11 / OpenGL drivers.
{ stdenv, config, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
with lib;
@@ -138,7 +138,6 @@ in
services.xserver.drivers = singleton {
name = "nvidia";
modules = [ nvidia_x11.bin ];
libPath = [ nvidia_x11 ];
deviceSection = optionalString optimusCfg.enable
''
BusID "${optimusCfg.nvidiaBusId}"

2
nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
View File

@@ -1,7 +1,7 @@
# This module contains the basic configuration for building a graphical NixOS
# installation CD.
{ config, lib, pkgs, ... }:
{ lib, pkgs, ... }:
with lib;

2
nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
View File

@@ -1,7 +1,7 @@
# This module defines a NixOS installation CD that contains X11 and
# GNOME 3.
{ config, lib, pkgs, ... }:
{ lib, ... }:
with lib;

4
nixos/modules/installer/cd-dvd/iso-image.nix
View File

@@ -198,7 +198,7 @@ let
fi
${ # When there is a theme configured, use it, otherwise use the background image.
if (!isNull config.isoImage.grubTheme) then ''
if config.isoImage.grubTheme != null then ''
# Sets theme.
set theme=(hd0)/EFI/boot/grub-theme/theme.txt
# Load theme fonts
@@ -622,7 +622,7 @@ in
{ source = "${pkgs.memtest86plus}/memtest.bin";
target = "/boot/memtest.bin";
}
] ++ optionals (!isNull config.isoImage.grubTheme) [
] ++ optionals (config.isoImage.grubTheme != null) [
{ source = config.isoImage.grubTheme;
target = "/EFI/boot/grub-theme";
}

20
nixos/modules/installer/cd-dvd/sd-image-aarch64.nix
View File

@@ -26,8 +26,15 @@ in
# Also increase the amount of CMA to ensure the virtual console on the RPi3 works.
boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];
boot.initrd.availableKernelModules = [
# Allows early (earlier) modesetting for the Raspberry Pi
"vc4" "bcm2835_dma" "i2c_bcm2835"
# Allows early (earlier) modesetting for Allwinner SoCs
"sun4i_drm" "sun8i_drm_hdmi" "sun8i_mixer"
];
sdImage = {
populateBootCommands = let
populateFirmwareCommands = let
configTxt = pkgs.writeText "config.txt" ''
kernel=u-boot-rpi3.bin
@@ -43,10 +50,13 @@ in
avoid_warnings=1
'';
in ''
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin boot/u-boot-rpi3.bin
cp ${configTxt} boot/config.txt
${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
cp ${pkgs.ubootRaspberryPi3_64bit}/u-boot.bin firmware/u-boot-rpi3.bin
cp ${configTxt} firmware/config.txt
'';
populateRootCommands = ''
mkdir -p ./files/boot
${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./files/boot
'';
};
}

15
nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
View File

@@ -29,7 +29,7 @@ in
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=ttySAC2,115200n8" "console=tty0"];
sdImage = {
populateBootCommands = let
populateFirmwareCommands = let
configTxt = pkgs.writeText "config.txt" ''
# Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
# when attempting to show low-voltage or overtemperature warnings.
@@ -46,11 +46,14 @@ in
enable_uart=1
'';
in ''
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
cp ${pkgs.ubootRaspberryPi2}/u-boot.bin boot/u-boot-rpi2.bin
cp ${pkgs.ubootRaspberryPi3_32bit}/u-boot.bin boot/u-boot-rpi3.bin
cp ${configTxt} boot/config.txt
${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
cp ${pkgs.ubootRaspberryPi2}/u-boot.bin firmware/u-boot-rpi2.bin
cp ${pkgs.ubootRaspberryPi3_32bit}/u-boot.bin firmware/u-boot-rpi3.bin
cp ${configTxt} firmware/config.txt
'';
populateRootCommands = ''
mkdir -p ./files/boot
${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./files/boot
'';
};
}

15
nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix
View File

@@ -22,7 +22,7 @@ in
boot.kernelPackages = pkgs.linuxPackages_rpi;
sdImage = {
populateBootCommands = let
populateFirmwareCommands = let
configTxt = pkgs.writeText "config.txt" ''
# Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
# when attempting to show low-voltage or overtemperature warnings.
@@ -35,11 +35,14 @@ in
kernel=u-boot-rpi1.bin
'';
in ''
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
cp ${pkgs.ubootRaspberryPiZero}/u-boot.bin boot/u-boot-rpi0.bin
cp ${pkgs.ubootRaspberryPi}/u-boot.bin boot/u-boot-rpi1.bin
cp ${configTxt} boot/config.txt
${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot
(cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/)
cp ${pkgs.ubootRaspberryPiZero}/u-boot.bin firmware/u-boot-rpi0.bin
cp ${pkgs.ubootRaspberryPi}/u-boot.bin firmware/u-boot-rpi1.bin
cp ${configTxt} firmware/config.txt
'';
populateRootCommands = ''
mkdir -p ./files/boot
${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./files/boot
'';
};
}

94
nixos/modules/installer/cd-dvd/sd-image.nix
View File

@@ -1,8 +1,12 @@
# This module creates a bootable SD card image containing the given NixOS
# configuration. The generated image is MBR partitioned, with a FAT /boot
# partition, and ext4 root partition. The generated image is sized to fit
# its contents, and a boot script automatically resizes the root partition
# to fit the device on the first boot.
# configuration. The generated image is MBR partitioned, with a FAT
# /boot/firmware partition, and ext4 root partition. The generated image
# is sized to fit its contents, and a boot script automatically resizes
# the root partition to fit the device on the first boot.
#
# The firmware partition is built with expectation to hold the Raspberry
# Pi firmware and bootloader, and be removed and replaced with a firmware
# build for the target SoC for other board families.
#
# The derivation for the SD image will be placed in
# config.system.build.sdImage
@@ -14,12 +18,18 @@ with lib;
let
rootfsImage = pkgs.callPackage ../../../lib/make-ext4-fs.nix ({
inherit (config.sdImage) storePaths;
populateImageCommands = config.sdImage.populateRootCommands;
volumeLabel = "NIXOS_SD";
} // optionalAttrs (config.sdImage.rootPartitionUUID != null) {
uuid = config.sdImage.rootPartitionUUID;
});
in
{
imports = [
(mkRemovedOptionModule [ "sdImage" "bootPartitionID" ] "The FAT partition for SD image now only holds the Raspberry Pi firmware files. Use firmwarePartitionID to configure that partition's ID.")
(mkRemovedOptionModule [ "sdImage" "bootSize" ] "The boot files for SD image have been moved to the main ext4 partition. The FAT partition now only holds the Raspberry Pi firmware files. Changing its size may not be required.")
];
options.sdImage = {
imageName = mkOption {
default = "${config.sdImage.imageBaseName}-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.img";
@@ -43,12 +53,12 @@ in
'';
};
bootPartitionID = mkOption {
firmwarePartitionID = mkOption {
type = types.string;
default = "0x2178694e";
description = ''
Volume ID for the /boot partition on the SD card. This value must be a
32-bit hexadecimal number.
Volume ID for the /boot/firmware partition on the SD card. This value
must be a 32-bit hexadecimal number.
'';
};
@@ -61,29 +71,44 @@ in
'';
};
bootSize = mkOption {
firmwareSize = mkOption {
type = types.int;
default = 120;
# As of 2019-05-31 the Raspberry pi firmware + u-bot takes ~13MiB
default = 20;
description = ''
Size of the /boot partition, in megabytes.
Size of the /boot/firmware partition, in megabytes.
'';
};
populateBootCommands = mkOption {
example = literalExample "'' cp \${pkgs.myBootLoader}/u-boot.bin boot/ ''";
populateFirmwareCommands = mkOption {
example = literalExample "'' cp \${pkgs.myBootLoader}/u-boot.bin firmware/ ''";
description = ''
Shell commands to populate the ./boot directory.
Shell commands to populate the ./firmware directory.
All files in that directory are copied to the
/boot partition on the SD image.
/boot/firmware partition on the SD image.
'';
};
populateRootCommands = mkOption {
example = literalExample "''\${extlinux-conf-builder} -t 3 -c \${config.system.build.toplevel} -d ./files/boot''";
description = ''
Shell commands to populate the ./files directory.
All files in that directory are copied to the
root (/) partition on the SD image. Use this to
populate the ./files/boot (/boot) directory.
'';
};
};
config = {
fileSystems = {
"/boot" = {
device = "/dev/disk/by-label/NIXOS_BOOT";
"/boot/firmware" = {
device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat";
# Alternatively, this could be removed from the configuration.
# The filesystem is not needed at runtime, it could be treated
# as an opaque blob instead of a discrete FAT32 filesystem.
options = [ "nofail" "noauto" ];
};
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
@@ -105,39 +130,44 @@ in
echo "${pkgs.stdenv.buildPlatform.system}" > $out/nix-support/system
echo "file sd-image $img" >> $out/nix-support/hydra-build-products
# Create the image file sized to fit /boot and /, plus 20M of slack
# Gap in front of the first partition, in MiB
gap=8
# Create the image file sized to fit /boot/firmware and /, plus slack for the gap.
rootSizeBlocks=$(du -B 512 --apparent-size ${rootfsImage} | awk '{ print $1 }')
bootSizeBlocks=$((${toString config.sdImage.bootSize} * 1024 * 1024 / 512))
imageSize=$((rootSizeBlocks * 512 + bootSizeBlocks * 512 + 20 * 1024 * 1024))
firmwareSizeBlocks=$((${toString config.sdImage.firmwareSize} * 1024 * 1024 / 512))
imageSize=$((rootSizeBlocks * 512 + firmwareSizeBlocks * 512 + gap * 1024 * 1024))
truncate -s $imageSize $img
# type=b is 'W95 FAT32', type=83 is 'Linux'.
# The "bootable" partition is where u-boot will look file for the bootloader
# information (dtbs, extlinux.conf file).
sfdisk $img <<EOF
label: dos
label-id: ${config.sdImage.bootPartitionID}
label-id: ${config.sdImage.firmwarePartitionID}
start=8M, size=$bootSizeBlocks, type=b, bootable
start=${toString (8 + config.sdImage.bootSize)}M, type=83
start=''${gap}M, size=$firmwareSizeBlocks, type=b
start=$((gap + ${toString config.sdImage.firmwareSize}))M, type=83, bootable
EOF
# Copy the rootfs into the SD image
eval $(partx $img -o START,SECTORS --nr 2 --pairs)
dd conv=notrunc if=${rootfsImage} of=$img seek=$START count=$SECTORS
# Create a FAT32 /boot partition of suitable size into bootpart.img
# Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img
eval $(partx $img -o START,SECTORS --nr 1 --pairs)
truncate -s $((SECTORS * 512)) bootpart.img
faketime "1970-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.bootPartitionID} -n NIXOS_BOOT bootpart.img
truncate -s $((SECTORS * 512)) firmware_part.img
faketime "1970-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.firmwarePartitionID} -n FIRMWARE firmware_part.img
# Populate the files intended for /boot
mkdir boot
${config.sdImage.populateBootCommands}
# Populate the files intended for /boot/firmware
mkdir firmware
${config.sdImage.populateFirmwareCommands}
# Copy the populated /boot into the SD image
(cd boot; mcopy -psvm -i ../bootpart.img ./* ::)
# Copy the populated /boot/firmware into the SD image
(cd firmware; mcopy -psvm -i ../firmware_part.img ./* ::)
# Verify the FAT partition before copying it.
fsck.vfat -vn bootpart.img
dd conv=notrunc if=bootpart.img of=$img seek=$START count=$SECTORS
fsck.vfat -vn firmware_part.img
dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS
'';
}) {};

5
nixos/modules/installer/netboot/netboot.nix
View File

@@ -65,8 +65,7 @@ with lib;
[ config.system.build.toplevel ];
# Create the squashfs image that contains the Nix store.
system.build.squashfsStore = import ../../../lib/make-squashfs.nix {
inherit (pkgs) stdenv squashfsTools closureInfo;
system.build.squashfsStore = pkgs.callPackage ../../../lib/make-squashfs.nix {
storeContents = config.netboot.storeContents;
};
@@ -85,7 +84,7 @@ with lib;
system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
#!ipxe
kernel ${pkgs.stdenv.hostPlatform.platform.kernelTarget} init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}
kernel ${pkgs.stdenv.hostPlatform.platform.kernelTarget} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams}
initrd initrd
boot
'';

48
nixos/modules/installer/tools/nixos-generate-config.pl
View File

@@ -258,6 +258,16 @@ foreach my $path (glob "/sys/class/{block,mmc_host}/*") {
}
}
# Add bcache module, if needed.
my @bcacheDevices = glob("/dev/bcache*");
if (scalar @bcacheDevices > 0) {
push @initrdAvailableKernelModules, "bcache";
}
# Prevent unbootable systems if LVM snapshots are present at boot time.
if (`lsblk -o TYPE` =~ "lvm") {
push @initrdKernelModules, "dm-snapshot";
}
my $virt = `systemd-detect-virt`;
chomp $virt;
@@ -319,10 +329,19 @@ my @swapDevices;
if (@swaps) {
shift @swaps;
foreach my $swap (@swaps) {
$swap =~ /^(\S+)\s/;
next unless -e $1;
my $dev = findStableDevPath $1;
push @swapDevices, "{ device = \"$dev\"; }";
my @fields = split ' ', $swap;
my $swapFilename = $fields[0];
my $swapType = $fields[1];
next unless -e $swapFilename;
my $dev = findStableDevPath $swapFilename;
if ($swapType =~ "partition") {
push @swapDevices, "{ device = \"$dev\"; }";
} elsif ($swapType =~ "file") {
# swap *files* are more likely specified in configuration.nix, so
# ignore them here.
} else {
die "Unsupported swap type: $swapType\n";
}
}
}
@@ -422,6 +441,10 @@ EOF
}
}
# Don't emit tmpfs entry for /tmp, because it most likely comes from the
# boot.tmpOnTmpfs option in configuration.nix (managed declaratively).
next if ($mountPoint eq "/tmp" && $fsType eq "tmpfs");
# Emit the filesystem.
$fileSystems .= <<EOF;
fileSystems.\"$mountPoint\" =
@@ -464,6 +487,21 @@ EOF
}
}
# For lack of a better way to determine it, guess whether we should use a
# bigger font for the console from the display mode on the first
# framebuffer. A way based on the physical size/actual DPI reported by
# the monitor would be nice, but I don't know how to do this without X :)
my $fb_modes_file = "/sys/class/graphics/fb0/modes";
if (-f $fb_modes_file && -r $fb_modes_file) {
my $modes = read_file($fb_modes_file);
$modes =~ m/([0-9]+)x([0-9]+)/;
my $console_width = $1, my $console_height = $2;
if ($console_width > 1920) {
push @attrs, "# High-DPI console";
push @attrs, 'i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";';
}
}
# Generate the hardware configuration file.
@@ -497,6 +535,7 @@ sub multiLineList {
}
my $initrdAvailableKernelModules = toNixStringList(uniq @initrdAvailableKernelModules);
my $initrdKernelModules = toNixStringList(uniq @initrdKernelModules);
my $kernelModules = toNixStringList(uniq @kernelModules);
my $modulePackages = toNixList(uniq @modulePackages);
@@ -516,6 +555,7 @@ my $hwConfig = <<EOF;
imports =${\multiLineList(" ", @imports)};
boot.initrd.availableKernelModules = [$initrdAvailableKernelModules ];
boot.initrd.kernelModules = [$initrdKernelModules ];
boot.kernelModules = [$kernelModules ];
boot.extraModulePackages = [$modulePackages ];
$fsAndSwap

2
nixos/modules/installer/tools/tools.nix
View File

@@ -36,7 +36,7 @@ let
nixos-generate-config = makeProg {
name = "nixos-generate-config";
src = ./nixos-generate-config.pl;
path = [ pkgs.btrfs-progs ];
path = lib.optionals (lib.elem "btrfs" config.boot.supportedFilesystems) [ pkgs.btrfs-progs ];
perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/${pkgs.perl.libPrefix}";
inherit (config.system.nixos) release;
};

8
nixos/modules/misc/documentation.nix
View File

@@ -49,11 +49,7 @@ let
if [ -z "$browser" ]; then
browser="$(type -P xdg-open || true)"
if [ -z "$browser" ]; then
browser="$(type -P w3m || true)"
if [ -z "$browser" ]; then
echo "$0: unable to start a web browser; please set \$BROWSER"
exit 1
fi
browser="${pkgs.w3m-nographics}/bin/w3m"
fi
fi
exec "$browser" ${manual.manualHTMLIndex}
@@ -187,8 +183,6 @@ in
})
(mkIf cfg.doc.enable {
# TODO(@oxij): put it here and remove from profiles?
# environment.systemPackages = [ pkgs.w3m ]; # w3m-nox?
environment.pathsToLink = [ "/share/doc" ];
environment.extraOutputsToInstall = [ "doc" ] ++ optional cfg.dev.enable "devdoc";
})

16
nixos/modules/misc/ids.nix
View File

@@ -44,7 +44,7 @@
vsftpd = 7;
ftp = 8;
bitlbee = 9;
avahi = 10;
#avahi = 10; # removed 2019-05-22
nagios = 11;
atd = 12;
postfix = 13;
@@ -145,7 +145,7 @@
#notbit = 111; # unused
aerospike = 111;
ngircd = 112;
btsync = 113;
#btsync = 113; # unused
minecraft = 114;
vault = 115;
rippled = 116;
@@ -265,7 +265,7 @@
syncthing = 237;
caddy = 239;
taskd = 240;
factorio = 241;
# factorio = 241; # DynamicUser = true
# emby = 242; # unusued, removed 2019-05-01
graylog = 243;
sniproxy = 244;
@@ -339,6 +339,7 @@
rss2email = 312;
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@@ -357,7 +358,7 @@
vsftpd = 7;
ftp = 8;
bitlbee = 9;
avahi = 10;
#avahi = 10; # removed 2019-05-22
#nagios = 11; # unused
atd = 12;
postfix = 13;
@@ -456,7 +457,7 @@
#notbit = 111; # unused
aerospike = 111;
#ngircd = 112; # unused
btsync = 113;
#btsync = 113; # unused
#minecraft = 114; # unused
vault = 115;
#ripped = 116; # unused
@@ -515,7 +516,7 @@
tss = 176;
#memcached = 177; # unused, removed 2018-01-03
#ntp = 179; # unused
#zabbix = 180; # unused
zabbix = 180;
#redis = 181; # unused, removed 2018-01-03
#unifi = 183; # unused
#uptimed = 184; # unused
@@ -566,7 +567,7 @@
syncthing = 237;
caddy = 239;
taskd = 240;
factorio = 241;
# factorio = 241; # unused
# emby = 242; # unused, removed 2019-05-01
sniproxy = 244;
nzbget = 245;
@@ -638,6 +639,7 @@
rss2email = 312;
cockroachdb = 313;
zoneminder = 314;
paperless = 315;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

43
nixos/modules/misc/nixops-autoluks.nix Normal file
View File

@@ -0,0 +1,43 @@
{ config, options, lib, ... }:
let
path = [ "deployment" "autoLuks" ];
hasAutoLuksConfig = lib.hasAttrByPath path config && (lib.attrByPath path {} config) != {};
inherit (config.nixops) enableDeprecatedAutoLuks;
in {
options.nixops.enableDeprecatedAutoLuks = lib.mkEnableOption "Enable the deprecated NixOps AutoLuks module";
config = {
assertions = [
{
assertion = if hasAutoLuksConfig then hasAutoLuksConfig && enableDeprecatedAutoLuks else true;
message = ''
!!! WARNING !!!
NixOps autoLuks is deprecated. The feature was never widely used and the maintenance did outgrow the benefit.
If you still want to use the module:
a) Please raise your voice in the issue tracking usage of the module:
https://github.com/NixOS/nixpkgs/issues/62211
b) make sure you set the `_netdev` option for each of the file
systems referring to block devices provided by the autoLuks module.
If you do not set the option your system will not boot anymore!
{
fileSystems."/secret" = { options = [ "_netdev" ]; };
}
b) set the option >nixops.enableDeprecatedAutoLuks = true< to remove this error.
For more details read through the following resources:
- https://github.com/NixOS/nixops/pull/1156
- https://github.com/NixOS/nixpkgs/issues/47550
- https://github.com/NixOS/nixpkgs/issues/62211
- https://github.com/NixOS/nixpkgs/pull/61321
'';
}
];
};
}

8
nixos/modules/misc/nixpkgs.nix
View File

@@ -127,13 +127,14 @@ in
default = [];
example = literalExample
''
[ (self: super: {
[
(self: super: {
openssh = super.openssh.override {
hpnSupport = true;
kerberos = self.libkrb5;
};
};
) ]
})
]
'';
type = types.listOf overlayType;
description = ''
@@ -195,7 +196,6 @@ in
system = mkOption {
type = types.str;
example = "i686-linux";
default = { system = builtins.currentSystem; };
description = ''
Specifies the Nix platform type on which NixOS should be built.
It is better to specify <code>nixpkgs.localSystem</code> instead.

3
nixos/modules/misc/version.nix
View File

@@ -1,4 +1,4 @@
{ options, config, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
with lib;
@@ -95,6 +95,7 @@ in
PRETTY_NAME="NixOS ${cfg.version} (${cfg.codeName})"
LOGO="nix-snowflake"
HOME_URL="https://nixos.org/"
DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html"
SUPPORT_URL="https://nixos.org/nixos/support.html"
BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
'';

24
nixos/modules/module-list.nix
View File

@@ -19,6 +19,7 @@
./config/iproute2.nix
./config/krb5/default.nix
./config/ldap.nix
./config/malloc.nix
./config/networking.nix
./config/no-x-libs.nix
./config/nsswitch.nix
@@ -49,6 +50,7 @@
./hardware/logitech.nix
./hardware/mcelog.nix
./hardware/network/b43.nix
./hardware/network/intel-2200bg.nix
./hardware/nitrokey.nix
./hardware/opengl.nix
./hardware/pcmcia.nix
@@ -83,6 +85,7 @@
./misc/nixpkgs.nix
./misc/passthru.nix
./misc/version.nix
./misc/nixops-autoluks.nix
./programs/adb.nix
./programs/atop.nix
./programs/autojump.nix
@@ -90,9 +93,11 @@
./programs/bcc.nix
./programs/blcr.nix
./programs/browserpass.nix
./programs/captive-browser.nix
./programs/ccache.nix
./programs/cdemu.nix
./programs/chromium.nix
./programs/clickshare.nix
./programs/command-not-found/command-not-found.nix
./programs/criu.nix
./programs/dconf.nix
@@ -144,6 +149,7 @@
./programs/xonsh.nix
./programs/xss-lock.nix
./programs/yabar.nix
./programs/zmap.nix
./programs/zsh/oh-my-zsh.nix
./programs/zsh/zsh.nix
./programs/zsh/zsh-autoenv.nix
@@ -180,10 +186,12 @@
./services/amqp/activemq/default.nix
./services/amqp/rabbitmq.nix
./services/audio/alsa.nix
./services/audio/jack.nix
./services/audio/icecast.nix
./services/audio/liquidsoap.nix
./services/audio/mpd.nix
./services/audio/mopidy.nix
./services/audio/roon-server.nix
./services/audio/slimserver.nix
./services/audio/snapserver.nix
./services/audio/squeezelite.nix
@@ -256,8 +264,7 @@
./services/databases/virtuoso.nix
./services/desktops/accountsservice.nix
./services/desktops/bamf.nix
./services/desktops/deepin/dde-daemon.nix
./services/desktops/deepin/deepin-menu.nix
./services/desktops/deepin/deepin.nix
./services/desktops/dleyna-renderer.nix
./services/desktops/dleyna-server.nix
./services/desktops/pantheon/contractor.nix
@@ -323,6 +330,7 @@
./services/hardware/tcsd.nix
./services/hardware/tlp.nix
./services/hardware/thinkfan.nix
./services/hardware/throttled.nix
./services/hardware/trezord.nix
./services/hardware/triggerhappy.nix
./services/hardware/u2f.nix
@@ -436,8 +444,8 @@
./services/misc/octoprint.nix
./services/misc/osrm.nix
./services/misc/packagekit.nix
./services/misc/paperless.nix
./services/misc/parsoid.nix
./services/misc/phd.nix
./services/misc/plex.nix
./services/misc/tautulli.nix
./services/misc/pykms.nix
@@ -484,6 +492,7 @@
./services/monitoring/heapster.nix
./services/monitoring/incron.nix
./services/monitoring/kapacitor.nix
./services/monitoring/loki.nix
./services/monitoring/longview.nix
./services/monitoring/monit.nix
./services/monitoring/munin.nix
@@ -507,6 +516,7 @@
./services/monitoring/uptime.nix
./services/monitoring/vnstat.nix
./services/monitoring/zabbix-agent.nix
./services/monitoring/zabbix-proxy.nix
./services/monitoring/zabbix-server.nix
./services/network-filesystems/beegfs.nix
./services/network-filesystems/cachefilesd.nix
@@ -534,10 +544,10 @@
./services/networking/avahi-daemon.nix
./services/networking/babeld.nix
./services/networking/bind.nix
./services/networking/bitcoind.nix
./services/networking/autossh.nix
./services/networking/bird.nix
./services/networking/bitlbee.nix
./services/networking/btsync.nix
./services/networking/charybdis.nix
./services/networking/chrony.nix
./services/networking/cjdns.nix
@@ -606,6 +616,7 @@
./services/networking/morty.nix
./services/networking/miredo.nix
./services/networking/mstpd.nix
./services/networking/mtprotoproxy.nix
./services/networking/murmur.nix
./services/networking/mxisd.nix
./services/networking/namecoind.nix
@@ -754,10 +765,12 @@
./services/web-apps/atlassian/crowd.nix
./services/web-apps/atlassian/jira.nix
./services/web-apps/codimd.nix
./services/web-apps/cryptpad.nix
./services/web-apps/documize.nix
./services/web-apps/frab.nix
./services/web-apps/icingaweb2/icingaweb2.nix
./services/web-apps/icingaweb2/module-monitoring.nix
./services/web-apps/limesurvey.nix
./services/web-apps/mattermost.nix
./services/web-apps/miniflux.nix
./services/web-apps/nextcloud.nix
@@ -768,7 +781,9 @@
./services/web-apps/tt-rss.nix
./services/web-apps/selfoss.nix
./services/web-apps/virtlyst.nix
./services/web-apps/wordpress.nix
./services/web-apps/youtrack.nix
./services/web-apps/zabbix.nix
./services/web-servers/apache-httpd/default.nix
./services/web-servers/caddy.nix
./services/web-servers/fcgiwrap.nix
@@ -791,7 +806,6 @@
./services/web-servers/traefik.nix
./services/web-servers/uwsgi.nix
./services/web-servers/varnish/default.nix
./services/web-servers/winstone.nix
./services/web-servers/zope2.nix
./services/x11/colord.nix
./services/x11/compton.nix

35
nixos/modules/profiles/hardened.nix
View File

@@ -14,6 +14,8 @@ with lib;
nix.allowedUsers = mkDefault [ "@users" ];
environment.memoryAllocator.provider = mkDefault "graphene-hardened";
security.hideProcessInformation = mkDefault true;
security.lockKernelModules = mkDefault true;
@@ -87,4 +89,37 @@ with lib;
#
# The value is taken from the KSPP recommendations (Debian uses 4096).
boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
# Disable ftrace debugging
boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
# Enable reverse path filtering (that is, do not attempt to route packets
# that "obviously" do not belong to the iface's network; dropped packets are
# logged as martians).
boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true;
# Ignore broadcast ICMP (mitigate SMURF)
boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
# Ignore route information from sender
boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
# Ignore incoming ICMP redirects (note: default is needed to ensure that the
# setting is applied to interfaces added after the sysctls are set)
boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
# Ignore outgoing ICMP redirects (this is ipv4 only)
boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
}

2
nixos/modules/programs/bash/bash.nix
View File

@@ -34,7 +34,7 @@ let
bashAliases = concatStringsSep "\n" (
mapAttrsFlatten (k: v: "alias ${k}=${escapeShellArg v}")
(filterAttrs (k: v: !isNull v) cfg.shellAliases)
(filterAttrs (k: v: v != null) cfg.shellAliases)
);
in

122
nixos/modules/programs/captive-browser.nix Normal file
View File

@@ -0,0 +1,122 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.programs.captive-browser;
in
{
###### interface
options = {
programs.captive-browser = {
enable = mkEnableOption "captive browser";
package = mkOption {
type = types.package;
default = pkgs.captive-browser;
defaultText = "pkgs.captive-browser";
description = "Which package to use for captive-browser";
};
interface = mkOption {
type = types.str;
description = "your public network interface (wlp3s0, wlan0, eth0, ...)";
};
# the options below are the same as in "captive-browser.toml"
browser = mkOption {
type = types.str;
default = concatStringsSep " " [ ''${pkgs.chromium}/bin/chromium''
''--user-data-dir=$HOME/.chromium-captive''
''--proxy-server="socks5://$PROXY"''
''--host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost"''
''--no-first-run''
''--new-window''
''--incognito''
''http://cache.nixos.org/''
];
description = ''
The shell (/bin/sh) command executed once the proxy starts.
When browser exits, the proxy exits. An extra env var PROXY is available.
Here, we use a separate Chrome instance in Incognito mode, so that
it can run (and be waited for) alongside the default one, and that
it maintains no state across runs. To configure this browser open a
normal window in it, settings will be preserved.
@volth: chromium is to open a plain HTTP (not HTTPS nor redirect to HTTPS!) website.
upstream uses http://example.com but I have seen captive portals whose DNS server resolves "example.com" to 127.0.0.1
'';
};
dhcp-dns = mkOption {
type = types.str;
description = ''
The shell (/bin/sh) command executed to obtain the DHCP
DNS server address. The first match of an IPv4 regex is used.
IPv4 only, because let's be real, it's a captive portal.
'';
};
socks5-addr = mkOption {
type = types.str;
default = "localhost:1666";
description = ''the listen address for the SOCKS5 proxy server'';
};
bindInterface = mkOption {
default = true;
type = types.bool;
description = ''
Binds <package>captive-browser</package> to the network interface declared in
<literal>cfg.interface</literal>. This can be used to avoid collisions
with private subnets.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
programs.captive-browser.dhcp-dns = mkOptionDefault (
if config.networking.networkmanager.enable then
"${pkgs.networkmanager}/bin/nmcli dev show ${escapeShellArg cfg.interface} | ${pkgs.gnugrep}/bin/fgrep IP4.DNS"
else if config.networking.dhcpcd.enable then
"${pkgs.dhcpcd}/bin/dhcpcd -U ${escapeShellArg cfg.interface} | ${pkgs.gnugrep}/bin/fgrep domain_name_servers"
else if config.networking.useNetworkd then
"${cfg.package}/bin/systemd-networkd-dns ${escapeShellArg cfg.interface}"
else
"${config.security.wrapperDir}/udhcpc --quit --now -f -i ${escapeShellArg cfg.interface} -O dns --script ${
pkgs.writeScript "udhcp-script" ''
#!/bin/sh
if [ "$1" = bound ]; then
echo "$dns"
fi
''}"
);
security.wrappers.udhcpc = {
capabilities = "cap_net_raw+p";
source = "${pkgs.busybox}/bin/udhcpc";
};
security.wrappers.captive-browser = {
capabilities = "cap_net_raw+p";
source = pkgs.writeScript "captive-browser" ''
#!${pkgs.bash}/bin/bash
export XDG_CONFIG_HOME=${pkgs.writeTextDir "captive-browser.toml" ''
browser = """${cfg.browser}"""
dhcp-dns = """${cfg.dhcp-dns}"""
socks5-addr = """${cfg.socks5-addr}"""
${optionalString cfg.bindInterface ''
bind-device = """${cfg.interface}"""
''}
''}
exec ${cfg.package}/bin/captive-browser
'';
};
};
}

21
nixos/modules/programs/clickshare.nix Normal file
View File

@@ -0,0 +1,21 @@
{ config, lib, pkgs, ... }:
{
options.programs.clickshare-csc1.enable =
lib.options.mkEnableOption ''
Barco ClickShare CSC-1 driver/client.
This allows users in the <literal>clickshare</literal>
group to access and use a ClickShare USB dongle
that is connected to the machine
'';
config = lib.modules.mkIf config.programs.clickshare-csc1.enable {
environment.systemPackages = [ pkgs.clickshare-csc1 ];
services.udev.packages = [ pkgs.clickshare-csc1 ];
users.groups.clickshare = {};
};
meta.maintainers = [ lib.maintainers.yarny ];
}

2
nixos/modules/programs/fish.nix
View File

@@ -10,7 +10,7 @@ let
fishAliases = concatStringsSep "\n" (
mapAttrsFlatten (k: v: "alias ${k} ${escapeShellArg v}")
(filterAttrs (k: v: !isNull v) cfg.shellAliases)
(filterAttrs (k: v: v != null) cfg.shellAliases)
);
in

2
nixos/modules/programs/ssmtp.nix
View File

@@ -148,7 +148,7 @@ in
UseSTARTTLS=${yesNo cfg.useSTARTTLS}
#Debug=YES
${optionalString (cfg.authUser != "") "AuthUser=${cfg.authUser}"}
${optionalString (!isNull cfg.authPassFile) "AuthPassFile=${cfg.authPassFile}"}
${optionalString (cfg.authPassFile != null) "AuthPassFile=${cfg.authPassFile}"}
'';
environment.systemPackages = [pkgs.ssmtp];

2
nixos/modules/programs/tmux.nix
View File

@@ -177,7 +177,7 @@ in {
systemPackages = [ pkgs.tmux ];
variables = {
TMUX_TMPDIR = lib.optional cfg.secureSocket ''''${XDG_RUNTIME_DIR:-"/run/user/\$(id -u)"}'';
TMUX_TMPDIR = lib.optional cfg.secureSocket ''''${XDG_RUNTIME_DIR:-"/run/user/$(id -u)"}'';
};
};
};

19
nixos/modules/programs/xss-lock.nix
View File

@@ -8,12 +8,23 @@ in
{
options.programs.xss-lock = {
enable = mkEnableOption "xss-lock";
lockerCommand = mkOption {
default = "${pkgs.i3lock}/bin/i3lock";
example = literalExample ''''${pkgs.i3lock-fancy}/bin/i3lock-fancy'';
type = types.string;
description = "Locker to be used with xsslock";
};
extraOptions = mkOption {
default = [ ];
example = [ "--ignore-sleep" ];
type = types.listOf types.str;
description = ''
Additional command-line arguments to pass to
<command>xss-lock</command>.
'';
};
};
config = mkIf cfg.enable {
@@ -21,7 +32,13 @@ in
description = "XSS Lock Daemon";
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
serviceConfig.ExecStart = "${pkgs.xss-lock}/bin/xss-lock ${cfg.lockerCommand}";
serviceConfig.ExecStart = with lib;
strings.concatStringsSep " " ([
"${pkgs.xss-lock}/bin/xss-lock"
] ++ (map escapeShellArg cfg.extraOptions) ++ [
"--"
cfg.lockerCommand
]);
};
};
}

18
nixos/modules/programs/zmap.nix Normal file
View File

@@ -0,0 +1,18 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.programs.zmap;
in {
options.programs.zmap = {
enable = mkEnableOption "ZMap";
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.zmap ];
environment.etc."zmap/blacklist.conf".source = "${pkgs.zmap}/etc/zmap/blacklist.conf";
environment.etc."zmap/zmap.conf".source = "${pkgs.zmap}/etc/zmap.conf";
};
}

6
nixos/modules/programs/zsh/zsh.nix
View File

@@ -12,7 +12,7 @@ let
zshAliases = concatStringsSep "\n" (
mapAttrsFlatten (k: v: "alias ${k}=${escapeShellArg v}")
(filterAttrs (k: v: !isNull v) cfg.shellAliases)
(filterAttrs (k: v: v != null) cfg.shellAliases)
);
in
@@ -194,8 +194,6 @@ in
HISTSIZE=${toString cfg.histSize}
HISTFILE=${cfg.histFile}
${optionalString (cfg.setOptions != []) "setopt ${concatStringsSep " " cfg.setOptions}"}
HELPDIR="${pkgs.zsh}/share/zsh/$ZSH_VERSION/help"
# Tell zsh how to find installed completions
@@ -209,6 +207,8 @@ in
${cfg.interactiveShellInit}
${optionalString (cfg.setOptions != []) "setopt ${concatStringsSep " " cfg.setOptions}"}
${zshAliases}
${cfg.promptInit}

16
nixos/modules/rename.nix
View File

@@ -113,9 +113,10 @@ with lib;
# murmur
(mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ])
(mkRemovedOptionModule [ "services" "murmur" "pidfile" ] "Hardcoded to /run/murmur/murmurd.pid now")
# parsoid
(mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] [ "services" "parsoid" "wikis" ])
(mkRemovedOptionModule [ "services" "parsoid" "interwikis" ] "Use services.parsoid.wikis instead")
# plexpy / tautulli
(mkRenamedOptionModule [ "services" "plexpy" ] [ "services" "tautulli" ])
@@ -170,6 +171,9 @@ with lib;
The starting time can be configured via <literal>services.postgresqlBackup.startAt</literal>.
'')
# zabbixServer
(mkRenamedOptionModule [ "services" "zabbixServer" "dbServer" ] [ "services" "zabbixServer" "database" "host" ])
# Profile splitting
(mkRenamedOptionModule [ "virtualisation" "growPartition" ] [ "boot" "growPartition" ])
@@ -210,6 +214,10 @@ with lib;
(mkRemovedOptionModule [ "virtualisation" "xen" "qemu" ] "You don't need this option anymore, it will work without it.")
(mkRemovedOptionModule [ "services" "logstash" "enableWeb" ] "The web interface was removed from logstash")
(mkRemovedOptionModule [ "boot" "zfs" "enableLegacyCrypto" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd")
(mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
(mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.")
# ZSH
(mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
@@ -234,6 +242,12 @@ with lib;
(mkRenamedOptionModule [ "hardware" "ckb" "enable" ] [ "hardware" "ckb-next" "enable" ])
(mkRenamedOptionModule [ "hardware" "ckb" "package" ] [ "hardware" "ckb-next" "package" ])
# binfmt
(mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ])
# KSM
(mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ])
] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
"jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
"snmpExporter" "unifiExporter" "varnishExporter" ]

2
nixos/modules/security/apparmor.nix
View File

@@ -29,6 +29,8 @@ in
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.apparmor-utils ];
boot.kernelParams = [ "apparmor=1" "security=apparmor" ];
systemd.services.apparmor = let
paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d")
([ pkgs.apparmor-profiles ] ++ cfg.packages);

18
nixos/modules/security/misc.nix
View File

@@ -13,23 +13,17 @@ with lib;
default = true;
description = ''
Whether to allow creation of user namespaces.
</para>
<para>
The motivation for disabling user namespaces is the potential
presence of code paths where the kernel's permission checking
logic fails to account for namespacing, instead permitting a
namespaced process to act outside the namespace with the same
privileges as it would have inside it. This is particularly
damaging in the common case of running as root within the namespace.
</para>
<para>
When user namespace creation is disallowed, attempting to create a
user namespace fails with "no space left on device" (ENOSPC).
root may re-enable user namespace creation at runtime.
</para>
<para>
'';
};
@@ -48,21 +42,15 @@ with lib;
Whether to allow SMT/hyperthreading. Disabling SMT means that only
physical CPU cores will be usable at runtime, potentially at
significant performance cost.
</para>
<para>
The primary motivation for disabling SMT is to mitigate the risk of
leaking data between threads running on the same CPU core (due to
e.g., shared caches). This attack vector is unproven.
</para>
<para>
Disabling SMT is a supplement to the L1 data cache flushing mitigation
(see <xref linkend="opt-security.virtualization.flushL1DataCache"/>)
versus malicious VM guests (SMT could "bring back" previously flushed
data).
</para>
<para>
'';
};
@@ -73,10 +61,8 @@ with lib;
Whether the hypervisor should flush the L1 data cache before
entering guests.
See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>.
</para>
<para>
<variablelist>
<variablelist>
<varlistentry>
<term><literal>null</literal></term>
<listitem><para>uses the kernel default</para></listitem>
@@ -98,7 +84,7 @@ with lib;
enters the guest. May incur significant performance cost.
</para></listitem>
</varlistentry>
</variablelist>
</variablelist>
'';
};
};

38
nixos/modules/security/rngd.nix
View File

@@ -2,20 +2,30 @@
with lib;
let
cfg = config.security.rngd;
in
{
options = {
security.rngd.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to enable the rng daemon, which adds entropy from
hardware sources of randomness to the kernel entropy pool when
available.
'';
security.rngd = {
enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to enable the rng daemon, which adds entropy from
hardware sources of randomness to the kernel entropy pool when
available.
'';
};
debug = mkOption {
type = types.bool;
default = false;
description = "Whether to enable debug output (-d).";
};
};
};
config = mkIf config.security.rngd.enable {
config = mkIf cfg.enable {
services.udev.extraRules = ''
KERNEL=="random", TAG+="systemd"
SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
@@ -29,7 +39,15 @@ with lib;
description = "Hardware RNG Entropy Gatherer Daemon";
serviceConfig.ExecStart = "${pkgs.rng-tools}/sbin/rngd -f";
serviceConfig = {
ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
+ optionalString cfg.debug " -d";
NoNewPrivileges = true;
PrivateNetwork = true;
PrivateTmp = true;
ProtectSystem = "full";
ProtectHome = true;
};
};
};
}

290
nixos/modules/services/audio/jack.nix Normal file
View File

@@ -0,0 +1,290 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.jack;
pcmPlugin = cfg.jackd.enable && cfg.alsa.enable;
loopback = cfg.jackd.enable && cfg.loopback.enable;
enable32BitAlsaPlugins = cfg.alsa.support32Bit && pkgs.stdenv.isx86_64 && pkgs.pkgsi686Linux.alsaLib != null;
umaskNeeded = versionOlder cfg.jackd.package.version "1.9.12";
bridgeNeeded = versionAtLeast cfg.jackd.package.version "1.9.12";
in {
options = {
services.jack = {
jackd = {
enable = mkEnableOption ''
JACK Audio Connection Kit. You need to add yourself to the "jackaudio" group
'';
package = mkOption {
# until jack1 promiscuous mode is fixed
internal = true;
type = types.package;
default = pkgs.jack2;
defaultText = "pkgs.jack2";
example = literalExample "pkgs.jack1";
description = ''
The JACK package to use.
'';
};
extraOptions = mkOption {
type = types.listOf types.str;
default = [
"-dalsa"
];
example = literalExample ''
[ "-dalsa" "--device" "hw:1" ];
'';
description = ''
Specifies startup command line arguments to pass to JACK server.
'';
};
session = mkOption {
type = types.lines;
description = ''
Commands to run after JACK is started.
'';
};
};
alsa = {
enable = mkOption {
type = types.bool;
default = true;
description = ''
Route audio to/from generic ALSA-using applications using ALSA JACK PCM plugin.
'';
};
support32Bit = mkOption {
type = types.bool;
default = false;
description = ''
Whether to support sound for 32-bit ALSA applications on 64-bit system.
'';
};
};
loopback = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Create ALSA loopback device, instead of using PCM plugin. Has broader
application support (things like Steam will work), but may need fine-tuning
for concrete hardware.
'';
};
index = mkOption {
type = types.int;
default = 10;
description = ''
Index of an ALSA loopback device.
'';
};
config = mkOption {
type = types.lines;
description = ''
ALSA config for loopback device.
'';
};
dmixConfig = mkOption {
type = types.lines;
default = "";
example = ''
period_size 2048
periods 2
'';
description = ''
For music production software that still doesn't support JACK natively you
would like to put buffer/period adjustments here
to decrease dmix device latency.
'';
};
session = mkOption {
type = types.lines;
description = ''
Additional commands to run to setup loopback device.
'';
};
};
};
};
config = mkMerge [
(mkIf pcmPlugin {
sound.extraConfig = ''
pcm_type.jack {
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_jack.so ;
${lib.optionalString enable32BitAlsaPlugins
"libs.32Bit = ${pkgs.pkgsi686Linux.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_jack.so ;"}
}
pcm.!default {
@func getenv
vars [ PCM ]
default "plug:jack"
}
'';
})
(mkIf loopback {
boot.kernelModules = [ "snd-aloop" ];
boot.kernelParams = [ "snd-aloop.index=${toString cfg.loopback.index}" ];
sound.extraConfig = cfg.loopback.config;
})
(mkIf cfg.jackd.enable {
services.jack.jackd.session = ''
${lib.optionalString bridgeNeeded "${pkgs.a2jmidid}/bin/a2jmidid -e &"}
'';
# https://alsa.opensrc.org/Jack_and_Loopback_device_as_Alsa-to-Jack_bridge#id06
services.jack.loopback.config = ''
pcm.loophw00 {
type hw
card ${toString cfg.loopback.index}
device 0
subdevice 0
}
pcm.amix {
type dmix
ipc_key 219345
slave {
pcm loophw00
${cfg.loopback.dmixConfig}
}
}
pcm.asoftvol {
type softvol
slave.pcm "amix"
control { name Master }
}
pcm.cloop {
type hw
card ${toString cfg.loopback.index}
device 1
subdevice 0
format S32_LE
}
pcm.loophw01 {
type hw
card ${toString cfg.loopback.index}
device 0
subdevice 1
}
pcm.ploop {
type hw
card ${toString cfg.loopback.index}
device 1
subdevice 1
format S32_LE
}
pcm.aduplex {
type asym
playback.pcm "asoftvol"
capture.pcm "loophw01"
}
pcm.!default {
type plug
slave.pcm aduplex
}
'';
services.jack.loopback.session = ''
alsa_in -j cloop -dcloop &
alsa_out -j ploop -dploop &
while [ "$(jack_lsp cloop)" == "" ] || [ "$(jack_lsp ploop)" == "" ]; do sleep 1; done
jack_connect cloop:capture_1 system:playback_1
jack_connect cloop:capture_2 system:playback_2
jack_connect system:capture_1 ploop:playback_1
jack_connect system:capture_2 ploop:playback_2
'';
assertions = [
{
assertion = !(cfg.alsa.enable && cfg.loopback.enable);
message = "For JACK both alsa and loopback options shouldn't be used at the same time.";
}
];
users.users.jackaudio = {
group = "jackaudio";
extraGroups = [ "audio" ];
description = "JACK Audio system service user";
};
# http://jackaudio.org/faq/linux_rt_config.html
security.pam.loginLimits = [
{ domain = "@jackaudio"; type = "-"; item = "rtprio"; value = "99"; }
{ domain = "@jackaudio"; type = "-"; item = "memlock"; value = "unlimited"; }
];
users.groups.jackaudio = {};
environment = {
systemPackages = [ cfg.jackd.package ];
etc."alsa/conf.d/50-jack.conf".source = "${pkgs.alsaPlugins}/etc/alsa/conf.d/50-jack.conf";
variables.JACK_PROMISCUOUS_SERVER = "jackaudio";
};
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="sound", ATTRS{id}!="Loopback", TAG+="systemd", ENV{SYSTEMD_WANTS}="jack.service"
'';
systemd.services.jack = {
description = "JACK Audio Connection Kit";
serviceConfig = {
User = "jackaudio";
ExecStart = "${cfg.jackd.package}/bin/jackd ${lib.escapeShellArgs cfg.jackd.extraOptions}";
LimitRTPRIO = 99;
LimitMEMLOCK = "infinity";
} // optionalAttrs umaskNeeded {
UMask = "007";
};
path = [ cfg.jackd.package ];
environment = {
JACK_PROMISCUOUS_SERVER = "jackaudio";
JACK_NO_AUDIO_RESERVATION = "1";
};
restartIfChanged = false;
};
systemd.services.jack-session = {
description = "JACK session";
script = ''
jack_wait -w
${cfg.jackd.session}
${lib.optionalString cfg.loopback.enable cfg.loopback.session}
'';
serviceConfig = {
RemainAfterExit = true;
User = "jackaudio";
StateDirectory = "jack";
LimitRTPRIO = 99;
LimitMEMLOCK = "infinity";
};
path = [ cfg.jackd.package ];
environment = {
JACK_PROMISCUOUS_SERVER = "jackaudio";
HOME = "/var/lib/jack";
};
wantedBy = [ "jack.service" ];
partOf = [ "jack.service" ];
after = [ "jack.service" ];
restartIfChanged = false;
};
})
];
meta.maintainers = [ maintainers.gnidorah ];
}

10
nixos/modules/services/audio/mopidy.nix
View File

@@ -70,25 +70,25 @@ in {
config = mkIf cfg.enable {
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - mopidy mopidy - -"
];
systemd.services.mopidy = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "sound.target" ];
description = "mopidy music player daemon";
preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy ${cfg.dataDir}";
serviceConfig = {
ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}";
User = "mopidy";
PermissionsStartOnly = true;
};
};
systemd.services.mopidy-scan = {
description = "mopidy local files scanner";
preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy ${cfg.dataDir}";
serviceConfig = {
ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)} local scan";
User = "mopidy";
PermissionsStartOnly = true;
Type = "oneshot";
};
};
@@ -98,7 +98,7 @@ in {
group = "mopidy";
extraGroups = [ "audio" ];
description = "Mopidy daemon user";
home = "${cfg.dataDir}";
home = cfg.dataDir;
};
users.groups.mopidy.gid = gid;

49
nixos/modules/services/audio/roon-server.nix Normal file
View File

@@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
with lib;
let
name = "roon-server";
cfg = config.services.roon-server;
in {
options = {
services.roon-server = {
enable = mkEnableOption "Roon Server";
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Open ports in the firewall for the server.
UDP: 9003
TCP: 9100 - 9200
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.roon-server = {
after = [ "network.target" ];
description = "Roon Server";
wantedBy = [ "multi-user.target" ];
environment.ROON_DATAROOT = "/var/lib/${name}";
serviceConfig = {
ExecStart = "${pkgs.roon-server}/opt/start.sh";
LimitNOFILE = 8192;
DynamicUser = true;
SupplementaryGroups = "audio";
StateDirectory = name;
};
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPortRanges = [
{ from = 9100; to = 9200; }
];
allowedUDPPorts = [ 9003 ];
};
};
}

6
nixos/modules/services/audio/slimserver.nix
View File

@@ -42,15 +42,17 @@ in {
config = mkIf cfg.enable {
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - slimserver slimserver - -"
];
systemd.services.slimserver = {
after = [ "network.target" ];
description = "Slim Server for Logitech Squeezebox Players";
wantedBy = [ "multi-user.target" ];
preStart = "mkdir -p ${cfg.dataDir} && chown -R slimserver:slimserver ${cfg.dataDir}";
serviceConfig = {
User = "slimserver";
PermissionsStartOnly = true;
# Issue 40589: Disable broken image/video support (audio still works!)
ExecStart = "${cfg.package}/slimserver.pl --logdir ${cfg.dataDir}/logs --prefsdir ${cfg.dataDir}/prefs --cachedir ${cfg.dataDir}/cache --noimage --novideo";
};

1
nixos/modules/services/audio/snapserver.nix
View File

@@ -4,7 +4,6 @@ with lib;
let
package = "snapcast";
name = "snapserver";
cfg = config.services.snapserver;

16
nixos/modules/services/backup/duplicati.nix
View File

@@ -19,13 +19,22 @@ in
};
interface = mkOption {
default = "lo";
default = "127.0.0.1";
type = types.str;
description = ''
Listening interface for the web UI
Set it to "any" to listen on all available interfaces
'';
};
user = mkOption {
default = "duplicati";
type = types.str;
description = ''
Duplicati runs as it's own user. It will only be able to backup world-readable files.
Run as root with special care.
'';
};
};
};
@@ -37,14 +46,15 @@ in
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "duplicati";
User = cfg.user;
Group = "duplicati";
StateDirectory = "duplicati";
ExecStart = "${pkgs.duplicati}/bin/duplicati-server --webservice-interface=${cfg.interface} --webservice-port=${toString cfg.port} --server-datafolder=/var/lib/duplicati";
Restart = "on-failure";
};
};
users.users.duplicati = {
users.users.duplicati = lib.optionalAttrs (cfg.user == "duplicati") {
uid = config.ids.uids.duplicati;
home = "/var/lib/duplicati";
createHome = true;

31
nixos/modules/services/backup/znapzend.nix
View File

@@ -7,28 +7,23 @@ let
planDescription = ''
The znapzend backup plan to use for the source.
</para>
<para>
The plan specifies how often to backup and for how long to keep the
backups. It consists of a series of retention periodes to interval
associations:
</para>
<para>
<literal>
retA=>intA,retB=>intB,...
</literal>
</para>
<para>
Both intervals and retention periods are expressed in standard units
of time or multiples of them. You can use both the full name or a
shortcut according to the following listing:
</para>
<para>
Both intervals and retention periods are expressed in standard units
of time or multiples of them. You can use both the full name or a
shortcut according to the following listing:
<literal>
second|sec|s, minute|min, hour|h, day|d, week|w, month|mon|m, year|y
</literal>
</para>
<para>
See <citerefentry><refentrytitle>znapzendzetup</refentrytitle><manvolnum>1</manvolnum></citerefentry> for more info.
'';
planExample = "1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m";
@@ -139,12 +134,10 @@ let
type = nullOr ints.u16;
description = ''
Port to use for <command>mbuffer</command>.
</para>
<para>
If this is null, it will run <command>mbuffer</command> through
ssh.
</para>
<para>
If this is not null, it will run <command>mbuffer</command>
directly through TCP, which is not encrypted but faster. In that
case the given port needs to be open on the destination host.
@@ -255,7 +248,7 @@ let
cfg = config.services.znapzend;
onOff = b: if b then "on" else "off";
nullOff = b: if isNull b then "off" else toString b;
nullOff = b: if b == null then "off" else toString b;
stripSlashes = replaceStrings [ "/" ] [ "." ];
attrsToFile = config: concatStringsSep "\n" (builtins.attrValues (
@@ -263,7 +256,7 @@ let
mkDestAttrs = dst: with dst;
mapAttrs' (n: v: nameValuePair "dst_${label}${n}" v) ({
"" = optionalString (! isNull host) "${host}:" + dataset;
"" = optionalString (host != null) "${host}:" + dataset;
_plan = plan;
} // optionalAttrs (presend != null) {
_precmd = presend;

8
nixos/modules/services/cluster/kubernetes/addons/dns.nix
View File

@@ -3,7 +3,7 @@
with lib;
let
version = "1.3.1";
version = "1.5.0";
cfg = config.services.kubernetes.addons.dns;
ports = {
dns = 10053;
@@ -55,9 +55,9 @@ in {
type = types.attrs;
default = {
imageName = "coredns/coredns";
imageDigest = "sha256:02382353821b12c21b062c59184e227e001079bb13ebd01f9d3270ba0fcbf1e4";
imageDigest = "sha256:e83beb5e43f8513fa735e77ffc5859640baea30a882a11cc75c4c3244a737d3c";
finalImageTag = version;
sha256 = "0vbylgyxv2jm2mnzk6f28jbsj305zsxmx3jr6ngjq461czcl5fi5";
sha256 = "15sbmhrxjxidj0j0cccn1qxpg6al175w43m6ngspl0mc132zqc9q";
};
};
};
@@ -160,7 +160,7 @@ in {
fallthrough in-addr.arpa ip6.arpa
}
prometheus :${toString ports.metrics}
proxy . /etc/resolv.conf
forward . /etc/resolv.conf
cache 30
loop
reload

8
nixos/modules/services/cluster/kubernetes/apiserver.nix
View File

@@ -184,6 +184,12 @@ in
type = bool;
};
preferredAddressTypes = mkOption {
description = "List of the preferred NodeAddressTypes to use for kubelet connections.";
type = nullOr str;
default = null;
};
proxyClientCertFile = mkOption {
description = "Client certificate to use for connections to proxy.";
default = null;
@@ -349,6 +355,8 @@ in
"--kubelet-client-certificate=${cfg.kubeletClientCertFile}"} \
${optionalString (cfg.kubeletClientKeyFile != null)
"--kubelet-client-key=${cfg.kubeletClientKeyFile}"} \
${optionalString (cfg.preferredAddressTypes != null)
"--kubelet-preferred-address-types=${cfg.preferredAddressTypes}"} \
${optionalString (cfg.proxyClientCertFile != null)
"--proxy-client-cert-file=${cfg.proxyClientCertFile}"} \
${optionalString (cfg.proxyClientKeyFile != null)

7
nixos/modules/services/cluster/kubernetes/default.nix
View File

@@ -72,13 +72,6 @@ let
default = null;
};
};
kubeConfigDefaults = {
server = mkDefault cfg.kubeconfig.server;
caFile = mkDefault cfg.kubeconfig.caFile;
certFile = mkDefault cfg.kubeconfig.certFile;
keyFile = mkDefault cfg.kubeconfig.keyFile;
};
in {
###### interface

13
nixos/modules/services/cluster/kubernetes/kubelet.nix
View File

@@ -7,9 +7,9 @@ let
cfg = top.kubelet;
cniConfig =
if cfg.cni.config != [] && !(isNull cfg.cni.configDir) then
if cfg.cni.config != [] && cfg.cni.configDir != null then
throw "Verbatim CNI-config and CNI configDir cannot both be set."
else if !(isNull cfg.cni.configDir) then
else if cfg.cni.configDir != null then
cfg.cni.configDir
else
(pkgs.buildEnv {
@@ -28,13 +28,6 @@ let
kubeconfig = top.lib.mkKubeConfig "kubelet" cfg.kubeconfig;
manifests = pkgs.buildEnv {
name = "kubernetes-manifests";
paths = mapAttrsToList (name: manifest:
pkgs.writeTextDir "${name}.json" (builtins.toJSON manifest)
) cfg.manifests;
};
manifestPath = "kubernetes/manifests";
taintOptions = with lib.types; { name, ... }: {
@@ -373,7 +366,7 @@ in
boot.kernelModules = ["br_netfilter"];
services.kubernetes.kubelet.hostname = with config.networking;
mkDefault (hostName + optionalString (!isNull domain) ".${domain}");
mkDefault (hostName + optionalString (domain != null) ".${domain}");
services.kubernetes.pki.certs = with top.lib; {
kubelet = mkCert {

3
nixos/modules/services/cluster/kubernetes/pki.nix
View File

@@ -118,7 +118,6 @@ in
cfsslCertPathPrefix = "${config.services.cfssl.dataDir}/cfssl";
cfsslCert = "${cfsslCertPathPrefix}.pem";
cfsslKey = "${cfsslCertPathPrefix}-key.pem";
cfsslPort = toString config.services.cfssl.port;
certmgrPaths = [
top.caFile
@@ -285,7 +284,7 @@ in
};
};
environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (!isNull cfg.etcClusterAdminKubeconfig)
environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (cfg.etcClusterAdminKubeconfig != null)
(top.lib.mkKubeConfig "cluster-admin" clusterAdminKubeconfig);
environment.systemPackages = mkIf (top.kubelet.enable || top.proxy.enable) [

9
nixos/modules/services/computing/boinc/client.nix
View File

@@ -105,19 +105,18 @@ in
isSystemUser = true;
};
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - boinc - - -"
];
systemd.services.boinc = {
description = "BOINC Client";
after = ["network.target" "local-fs.target"];
wantedBy = ["multi-user.target"];
preStart = ''
mkdir -p ${cfg.dataDir}
chown boinc ${cfg.dataDir}
'';
script = ''
${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag}
'';
serviceConfig = {
PermissionsStartOnly = true; # preStart must be run as root
User = "boinc";
Nice = 10;
};

Some files were not shown because too many files have changed in this diff Show More