public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into gcc8

This commit is contained in:
Patrick Hilhorst 2018-05-15 21:37:03 +02:00
parent da5a692fcd 4046c49fb5
commit 61411e57ec
No known key found for this signature in database
GPG Key ID: 589BB0A8DAFEF2B2
722 changed files with 14955 additions and 14879 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/configuration.xml
View File

@ -378,7 +378,7 @@
myPackages = pkgs.buildEnv {
name = "my-packages";
paths = [ aspell bc coreutils ffmpeg nixUnstable emscripten jq nox silver-searcher ];
pathsToLink = [ "/share/man" "/share/doc" /bin" ];
pathsToLink = [ "/share/man" "/share/doc" "/bin" ];
extraOutputsToInstall = [ "man" "doc" ];
};
};
@ -416,7 +416,7 @@ cp ${myProfile} $out/etc/profile.d/my-profile.sh
nox
silver-searcher
];
pathsToLink = [ "/share/man" "/share/doc" /bin" "/etc" ];
pathsToLink = [ "/share/man" "/share/doc" "/bin" "/etc" ];
extraOutputsToInstall = [ "man" "doc" ];
};
};

2
doc/submitting-changes.xml
View File

@ -476,7 +476,7 @@ Additional information.
<para>
It's only for non-breaking mass-rebuild commits. That means it's not to
be used for testing, and changes must have been well tested already.
<link xlink:href="http://comments.gmane.org/gmane.linux.distributions.nixos/13447">Read
<link xlink:href="https://web.archive.org/web/20160528180406/http://comments.gmane.org/gmane.linux.distributions.nixos/13447">Read
policy here</link>.
</para>
</listitem>

39
lib/default.nix
View File

@ -51,11 +51,11 @@ let
# back-compat aliases
platforms = systems.forMeta;
inherit (builtins) add addErrorContext attrNames
concatLists deepSeq elem elemAt filter genericClosure genList
getAttr hasAttr head isAttrs isBool isInt isList
isString length lessThan listToAttrs pathExists readFile
replaceStrings seq stringLength sub substring tail;
inherit (builtins) add addErrorContext attrNames concatLists
deepSeq elem elemAt filter genericClosure genList getAttr
hasAttr head isAttrs isBool isInt isList isString length
lessThan listToAttrs pathExists readFile replaceStrings seq
stringLength sub substring tail;
inherit (trivial) id const concat or and boolToString mergeAttrs
flip mapNullable inNixShell min max importJSON warn info
nixpkgsVersion version mod compare splitByAndCompare
@ -74,30 +74,32 @@ let
inherit (lists) singleton foldr fold foldl foldl' imap0 imap1
concatMap flatten remove findSingle findFirst any all count
optional optionals toList range partition zipListsWith zipLists
reverseList listDfs toposort sort naturalSort compareLists take drop sublist
last init crossLists unique intersectLists subtractLists
mutuallyExclusive;
reverseList listDfs toposort sort naturalSort compareLists take
drop sublist last init crossLists unique intersectLists
subtractLists mutuallyExclusive;
inherit (strings) concatStrings concatMapStrings concatImapStrings
intersperse concatStringsSep concatMapStringsSep
concatImapStringsSep makeSearchPath makeSearchPathOutput
makeLibraryPath makeBinPath makePerlPath optionalString
hasPrefix hasSuffix stringToCharacters stringAsChars escape
escapeShellArg escapeShellArgs replaceChars lowerChars upperChars
toLower toUpper addContextFrom splitString removePrefix
removeSuffix versionOlder versionAtLeast getVersion nameFromURL
enableFeature fixedWidthString fixedWidthNumber isStorePath
escapeShellArg escapeShellArgs replaceChars lowerChars
upperChars toLower toUpper addContextFrom splitString
removePrefix removeSuffix versionOlder versionAtLeast getVersion
nameFromURL enableFeature enableFeatureAs withFeature
withFeatureAs fixedWidthString fixedWidthNumber isStorePath
toInt readPathsFromFile fileContents;
inherit (stringsWithDeps) textClosureList textClosureMap
noDepEntry fullDepEntry packEntry stringAfter;
inherit (customisation) overrideDerivation makeOverridable
callPackageWith callPackagesWith extendDerivation
hydraJob makeScope;
callPackageWith callPackagesWith extendDerivation hydraJob
makeScope;
inherit (meta) addMetaAttrs dontDistribute setName updateName
appendToName mapDerivationAttrset lowPrio lowPrioSet hiPrio
hiPrioSet;
inherit (sources) pathType pathIsDirectory cleanSourceFilter
cleanSource sourceByRegex sourceFilesBySuffices
commitIdFromGitRepo cleanSourceWith pathHasContext canCleanSource;
commitIdFromGitRepo cleanSourceWith pathHasContext
canCleanSource;
inherit (modules) evalModules closeModules unifyModuleSyntax
applyIfFunction unpackSubmodule packSubmodule mergeModules
mergeModules' mergeOptionDecls evalOptionValue mergeDefinitions
@ -119,8 +121,7 @@ let
traceXMLVal traceXMLValMarked traceSeq traceSeqN traceValSeq
traceValSeqFn traceValSeqN traceValSeqNFn traceShowVal
traceShowValMarked showVal traceCall traceCall2 traceCall3
traceValIfNot runTests testAllTrue traceCallXml
attrNamesToStr;
traceValIfNot runTests testAllTrue traceCallXml attrNamesToStr;
inherit (misc) maybeEnv defaultMergeArg defaultMerge foldArgs
defaultOverridableDelayableArgs composedArgsAndFun
maybeAttrNullable maybeAttr ifEnable checkFlag getValue
@ -129,7 +130,7 @@ let
closePropagation mapAttrsFlatten nvs setAttr setAttrMerge
mergeAttrsWithFunc mergeAttrsConcatenateValues
mergeAttrsNoOverride mergeAttrByFunc mergeAttrsByFuncDefaults
mergeAttrsByFuncDefaultsClean mergeAttrBy
prepareDerivationArgs nixType imap overridableDelayableArgs;
mergeAttrsByFuncDefaultsClean mergeAttrBy prepareDerivationArgs
nixType imap overridableDelayableArgs;
});
in lib

2
lib/meta.nix
View File

@ -86,6 +86,4 @@ rec {
then { system = elem; }
else { parsed = elem; };
in lib.matchAttrs pattern platform;
enableIfAvailable = p: if p.meta.available or true then [ p ] else [];
}

28
lib/modules.nix
View File

@ -310,6 +310,7 @@ rec {
in opt //
{ value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
inherit (res.defsFinal') highestPrio;
definitions = map (def: def.value) res.defsFinal;
files = map (def: def.file) res.defsFinal;
inherit (res) isDefined;
@ -317,7 +318,7 @@ rec {
# Merge definitions of a value of a given type.
mergeDefinitions = loc: type: defs: rec {
defsFinal =
defsFinal' =
let
# Process mkMerge and mkIf properties.
defs' = concatMap (m:
@ -325,15 +326,20 @@ rec {
) defs;
# Process mkOverride properties.
defs'' = filterOverrides defs';
defs'' = filterOverrides' defs';
# Sort mkOrder properties.
defs''' =
# Avoid sorting if we don't have to.
if any (def: def.value._type or "" == "order") defs''
then sortProperties defs''
else defs'';
in defs''';
if any (def: def.value._type or "" == "order") defs''.values
then sortProperties defs''.values
else defs''.values;
in {
values = defs''';
inherit (defs'') highestPrio;
};
defsFinal = defsFinal'.values;
# Type-check the remaining definitions, and merge them.
mergedValue = foldl' (res: def:
@ -416,13 +422,18 @@ rec {
Note that "z" has the default priority 100.
*/
filterOverrides = defs:
filterOverrides = defs: (filterOverrides' defs).values;
filterOverrides' = defs:
let
defaultPrio = 100;
getPrio = def: if def.value._type or "" == "override" then def.value.priority else defaultPrio;
highestPrio = foldl' (prio: def: min (getPrio def) prio) 9999 defs;
strip = def: if def.value._type or "" == "override" then def // { value = def.value.content; } else def;
in concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
in {
values = concatMap (def: if getPrio def == highestPrio then [(strip def)] else []) defs;
inherit highestPrio;
};
/* Sort a list of properties. The sort priority of a property is
1000 by default, but can be overridden by wrapping the property
@ -664,6 +675,7 @@ rec {
in
{ config, options, ... }:
{ options = setAttrByPath from (mkOption {
inherit visible;
description = "Alias of <option>${showOption to}</option>.";
apply = x: use (toOf config);
});

35
lib/strings.nix
View File

@ -82,7 +82,7 @@ rec {
=> "//bin"
*/
makeSearchPath = subDir: packages:
concatStringsSep ":" (map (path: path + "/" + subDir) packages);
concatStringsSep ":" (map (path: path + "/" + subDir) (builtins.filter (x: x != null) packages));
/* Construct a Unix-style search path, using given package output.
If no output is found, fallback to `.out` and then to the default.
@ -414,6 +414,39 @@ rec {
*/
enableFeature = enable: feat: "--${if enable then "enable" else "disable"}-${feat}";
/* Create an --{enable-<feat>=<value>,disable-<feat>} string that can be passed to
standard GNU Autoconf scripts.
Example:
enableFeature true "shared" "foo"
=> "--enable-shared=foo"
enableFeature false "shared" (throw "ignored")
=> "--disable-shared"
*/
enableFeatureAs = enable: feat: value: enableFeature enable feat + optionalString enable "=${value}";
/* Create an --{with,without}-<feat> string that can be passed to
standard GNU Autoconf scripts.
Example:
withFeature true "shared"
=> "--with-shared"
withFeature false "shared"
=> "--without-shared"
*/
withFeature = with_: feat: "--${if with_ then "with" else "without"}-${feat}";
/* Create an --{with-<feat>=<value>,without-<feat>} string that can be passed to
standard GNU Autoconf scripts.
Example:
with_Feature true "shared" "foo"
=> "--with-shared=foo"
with_Feature false "shared" (throw "ignored")
=> "--without-shared"
*/
withFeatureAs = with_: feat: value: withFeature with_ feat + optionalString with_ "=${value}";
/* Create a fixed width string with additional prefix to match
required width.

8
lib/systems/default.nix
View File

@ -29,6 +29,7 @@ rec {
/**/ if final.isDarwin then "libSystem"
else if final.isMinGW then "msvcrt"
else if final.isMusl then "musl"
else if final.isUClibc then "uclibc"
else if final.isAndroid then "bionic"
else if final.isLinux /* default */ then "glibc"
# TODO(@Ericson2314) think more about other operating systems
@ -49,5 +50,12 @@ rec {
} // mapAttrs (n: v: v final.parsed) inspect.predicates
// args;
in assert final.useAndroidPrebuilt -> final.isAndroid;
assert lib.foldl
(pass: { assertion, message }:
if assertion final
then pass
else throw message)
true
(final.parsed.abi.assertions or []);
final;
}

38
lib/systems/examples.nix
View File

@ -11,36 +11,41 @@ rec {
sheevaplug = rec {
config = "armv5tel-unknown-linux-gnueabi";
arch = "armv5tel";
float = "soft";
platform = platforms.sheevaplug;
};
raspberryPi = rec {
config = "armv6l-unknown-linux-gnueabihf";
arch = "armv6l";
float = "hard";
fpu = "vfp";
platform = platforms.raspberrypi;
};
armv7l-hf-multiplatform = rec {
config = "arm-unknown-linux-gnueabihf";
arch = "armv7-a";
float = "hard";
fpu = "vfpv3-d16";
config = "armv7a-unknown-linux-gnueabihf";
platform = platforms.armv7l-hf-multiplatform;
};
aarch64-multiplatform = rec {
config = "aarch64-unknown-linux-gnu";
arch = "aarch64";
platform = platforms.aarch64-multiplatform;
};
armv5te-android-prebuilt = rec {
config = "armv5tel-unknown-linux-androideabi";
sdkVer = "21";
platform = platforms.armv5te-android;
useAndroidPrebuilt = true;
};
armv7a-android-prebuilt = rec {
config = "armv7a-unknown-linux-androideabi";
sdkVer = "21";
platform = platforms.armv7a-android;
useAndroidPrebuilt = true;
};
aarch64-android-prebuilt = rec {
config = "aarch64-unknown-linux-android";
arch = "aarch64";
sdkVer = "21";
platform = platforms.aarch64-multiplatform;
useAndroidPrebuilt = true;
};
@ -51,16 +56,17 @@ rec {
};
pogoplug4 = rec {
arch = "armv5tel";
config = "armv5tel-unknown-linux-gnueabi";
float = "soft";
platform = platforms.pogoplug4;
};
ben-nanonote = rec {
config = "mipsel-unknown-linux-uclibc";
platform = platforms.ben_nanonote;
};
fuloongminipc = rec {
config = "mipsel-unknown-linux-gnu";
arch = "mips";
float = "hard";
platform = platforms.fuloong2f_n32;
};
@ -128,7 +134,6 @@ rec {
# 32 bit mingw-w64
mingw32 = {
config = "i686-pc-mingw32";
arch = "x86"; # Irrelevant
libc = "msvcrt"; # This distinguishes the mingw (non posix) toolchain
platform = {};
};
@ -137,7 +142,6 @@ rec {
mingwW64 = {
# That's the triplet they use in the mingw-w64 docs.
config = "x86_64-pc-mingw32";
arch = "x86_64"; # Irrelevant
libc = "msvcrt"; # This distinguishes the mingw (non posix) toolchain
platform = {};
};

4
lib/systems/inspect.nix
View File

@ -3,6 +3,9 @@ with import ./parse.nix { inherit lib; };
with lib.attrsets;
with lib.lists;
let abis_ = abis; in
let abis = lib.mapAttrs (_: abi: builtins.removeAttrs abi [ "assertions" ]) abis_; in
rec {
patterns = rec {
isi686 = { cpu = cpuTypes.i686; };
@ -38,6 +41,7 @@ rec {
isAndroid = [ { abi = abis.android; } { abi = abis.androideabi; } ];
isMusl = with abis; map (a: { abi = a; }) [ musl musleabi musleabihf ];
isUClibc = with abis; map (a: { abi = a; }) [ uclibc uclibceabi uclibceabihf ];
isEfi = map (family: { cpu.family = family; })
[ "x86" "arm" "aarch64" ];

73
lib/systems/parse.nix
View File

@ -68,20 +68,31 @@ rec {
cpuTypes = with significantBytes; setTypes types.openCpuType {
arm = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv5tel = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv6l = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv7a = { bits = 32; significantByte = littleEndian; family = "arm"; };
armv7l = { bits = 32; significantByte = littleEndian; family = "arm"; };
aarch64 = { bits = 64; significantByte = littleEndian; family = "arm"; };
armv5tel = { bits = 32; significantByte = littleEndian; family = "arm"; version = "5"; };
armv6m = { bits = 32; significantByte = littleEndian; family = "arm"; version = "6"; };
armv6l = { bits = 32; significantByte = littleEndian; family = "arm"; version = "6"; };
armv7a = { bits = 32; significantByte = littleEndian; family = "arm"; version = "7"; };
armv7r = { bits = 32; significantByte = littleEndian; family = "arm"; version = "7"; };
armv7m = { bits = 32; significantByte = littleEndian; family = "arm"; version = "7"; };
armv7l = { bits = 32; significantByte = littleEndian; family = "arm"; version = "7"; };
armv8a = { bits = 32; significantByte = littleEndian; family = "arm"; version = "8"; };
armv8r = { bits = 32; significantByte = littleEndian; family = "arm"; version = "8"; };
armv8m = { bits = 32; significantByte = littleEndian; family = "arm"; version = "8"; };
aarch64 = { bits = 64; significantByte = littleEndian; family = "arm"; version = "8"; };
i686 = { bits = 32; significantByte = littleEndian; family = "x86"; };
x86_64 = { bits = 64; significantByte = littleEndian; family = "x86"; };
mips = { bits = 32; significantByte = bigEndian; family = "mips"; };
mipsel = { bits = 32; significantByte = littleEndian; family = "mips"; };
mips64 = { bits = 64; significantByte = bigEndian; family = "mips"; };
mips64el = { bits = 64; significantByte = littleEndian; family = "mips"; };
powerpc = { bits = 32; significantByte = bigEndian; family = "power"; };
riscv32 = { bits = 32; significantByte = littleEndian; family = "riscv"; };
riscv64 = { bits = 64; significantByte = littleEndian; family = "riscv"; };
wasm32 = { bits = 32; significantByte = littleEndian; family = "wasm"; };
wasm64 = { bits = 64; significantByte = littleEndian; family = "wasm"; };
};
@ -184,17 +195,40 @@ rec {
types.abi = enum (attrValues abis);
abis = setTypes types.openAbi {
android = {};
cygnus = {};
gnu = {};
msvc = {};
eabi = {};
androideabi = {};
gnueabi = {};
gnueabihf = {};
musleabi = {};
musleabihf = {};
musl = {};
cygnus = {};
msvc = {};
eabi = {};
androideabi = {};
android = {
assertions = [
{ assertion = platform: !platform.isAarch32;
message = ''
The "android" ABI is not for 32-bit ARM. Use "androideabi" instead.
'';
}
];
};
gnueabi = { float = "soft"; };
gnueabihf = { float = "hard"; };
gnu = {
assertions = [
{ assertion = platform: !platform.isAarch32;
message = ''
The "gnu" ABI is ambiguous on 32-bit ARM. Use "gnueabi" or "gnueabihf" instead.
'';
}
];
};
musleabi = { float = "soft"; };
musleabihf = { float = "hard"; };
musl = {};
uclibceabihf = { float = "soft"; };
uclibceabi = { float = "hard"; };
uclibc = {};
unknown = {};
};
@ -261,7 +295,12 @@ rec {
kernel = getKernel args.kernel;
abi =
/**/ if args ? abi then getAbi args.abi
else if isLinux parsed then abis.gnu
else if isLinux parsed then
if isAarch32 parsed then
if lib.versionAtLeast (parsed.cpu.version or "0") "6"
then abis.gnueabihf
else abis.gnueabi
else abis.gnu
else if isWindows parsed then abis.gnu
else abis.unknown;
};

222
lib/systems/platforms.nix
View File

@ -20,12 +20,15 @@ rec {
kernelAutoModules = false;
};
##
## ARM
##
pogoplug4 = {
name = "pogoplug4";
gcc = {
arch = "armv5te";
float = "soft";
};
kernelMajor = "2.6";
@ -158,7 +161,6 @@ rec {
kernelDTB = true; # Beyond 3.10
gcc = {
arch = "armv5te";
float = "soft";
};
};
@ -243,7 +245,6 @@ rec {
gcc = {
arch = "armv6";
fpu = "vfp";
float = "hard";
# TODO(@Ericson2314) what is this and is it a good idea? It was
# used in some cross compilation examples but not others.
#
@ -336,7 +337,6 @@ rec {
gcc = {
cpu = "cortex-a9";
fpu = "vfpv3";
float = "hard";
};
};
@ -363,7 +363,6 @@ rec {
gcc = {
cpu = "cortex-a9";
fpu = "neon";
float = "hard";
};
};
@ -376,6 +375,128 @@ rec {
kernelBaseConfig = "guruplug_defconfig";
};
beaglebone = armv7l-hf-multiplatform // {
name = "beaglebone";
kernelBaseConfig = "bb.org_defconfig";
kernelAutoModules = false;
kernelExtraConfig = ""; # TBD kernel config
kernelTarget = "zImage";
};
# https://developer.android.com/ndk/guides/abis#armeabi
armv5te-android = {
name = "armeabi";
gcc = {
arch = "armv5te";
float = "soft";
float-abi = "soft";
};
};
# https://developer.android.com/ndk/guides/abis#v7a
armv7a-android = {
name = "armeabi-v7a";
gcc = {
arch = "armv7-a";
float = "hard";
float-abi = "softfp";
fpu = "vfpv3-d16";
};
};
armv7l-hf-multiplatform = {
name = "armv7l-hf-multiplatform";
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelBaseConfig = "multi_v7_defconfig";
kernelArch = "arm";
kernelDTB = true;
kernelAutoModules = true;
kernelPreferBuiltin = true;
kernelTarget = "zImage";
kernelExtraConfig = ''
# Serial port for Raspberry Pi 3. Upstream forgot to add it to the ARMv7 defconfig.
SERIAL_8250_BCM2835AUX y
SERIAL_8250_EXTENDED y
SERIAL_8250_SHARE_IRQ y
# Fix broken sunxi-sid nvmem driver.
TI_CPTS y
# Hangs ODROID-XU4
ARM_BIG_LITTLE_CPUIDLE n
'';
gcc = {
# Some table about fpu flags:
# http://community.arm.com/servlet/JiveServlet/showImage/38-1981-3827/blogentry-103749-004812900+1365712953_thumb.png
# Cortex-A5: -mfpu=neon-fp16
# Cortex-A7 (rpi2): -mfpu=neon-vfpv4
# Cortex-A8 (beaglebone): -mfpu=neon
# Cortex-A9: -mfpu=neon-fp16
# Cortex-A15: -mfpu=neon-vfpv4
# More about FPU:
# https://wiki.debian.org/ArmHardFloatPort/VfpComparison
# vfpv3-d16 is what Debian uses and seems to be the best compromise: NEON is not supported in e.g. Scaleway or Tegra 2,
# and the above page suggests NEON is only an improvement with hand-written assembly.
arch = "armv7-a";
fpu = "vfpv3-d16";
# For Raspberry Pi the 2 the best would be:
# cpu = "cortex-a7";
# fpu = "neon-vfpv4";
};
};
aarch64-multiplatform = {
name = "aarch64-multiplatform";
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelBaseConfig = "defconfig";
kernelArch = "arm64";
kernelDTB = true;
kernelAutoModules = true;
kernelPreferBuiltin = true;
kernelExtraConfig = ''
# Raspberry Pi 3 stuff. Not needed for kernels >= 4.10.
ARCH_BCM2835 y
BCM2835_MBOX y
BCM2835_WDT y
RASPBERRYPI_FIRMWARE y
RASPBERRYPI_POWER y
SERIAL_8250_BCM2835AUX y
SERIAL_8250_EXTENDED y
SERIAL_8250_SHARE_IRQ y
# Cavium ThunderX stuff.
PCI_HOST_THUNDER_ECAM y
# Nvidia Tegra stuff.
PCI_TEGRA y
# The default (=y) forces us to have the XHCI firmware available in initrd,
# which our initrd builder can't currently do easily.
USB_XHCI_TEGRA m
'';
kernelTarget = "Image";
gcc = {
arch = "armv8-a";
};
};
##
## MIPS
##
ben_nanonote = {
name = "ben_nanonote";
kernelMajor = "2.6";
kernelArch = "mips";
gcc = {
arch = "mips32";
float = "soft";
};
};
fuloong2f_n32 = {
name = "fuloong2f_n32";
kernelMajor = "2.6";
@ -449,97 +570,14 @@ rec {
kernelTarget = "vmlinux";
gcc = {
arch = "loongson2f";
float = "hard";
abi = "n32";
};
};
beaglebone = armv7l-hf-multiplatform // {
name = "beaglebone";
kernelBaseConfig = "bb.org_defconfig";
kernelAutoModules = false;
kernelExtraConfig = ""; # TBD kernel config
kernelTarget = "zImage";
};
armv7l-hf-multiplatform = {
name = "armv7l-hf-multiplatform";
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelBaseConfig = "multi_v7_defconfig";
kernelArch = "arm";
kernelDTB = true;
kernelAutoModules = true;
kernelPreferBuiltin = true;
kernelTarget = "zImage";
kernelExtraConfig = ''
# Serial port for Raspberry Pi 3. Upstream forgot to add it to the ARMv7 defconfig.
SERIAL_8250_BCM2835AUX y
SERIAL_8250_EXTENDED y
SERIAL_8250_SHARE_IRQ y
# Fix broken sunxi-sid nvmem driver.
TI_CPTS y
# Hangs ODROID-XU4
ARM_BIG_LITTLE_CPUIDLE n
'';
gcc = {
# Some table about fpu flags:
# http://community.arm.com/servlet/JiveServlet/showImage/38-1981-3827/blogentry-103749-004812900+1365712953_thumb.png
# Cortex-A5: -mfpu=neon-fp16
# Cortex-A7 (rpi2): -mfpu=neon-vfpv4
# Cortex-A8 (beaglebone): -mfpu=neon
# Cortex-A9: -mfpu=neon-fp16
# Cortex-A15: -mfpu=neon-vfpv4
# More about FPU:
# https://wiki.debian.org/ArmHardFloatPort/VfpComparison
# vfpv3-d16 is what Debian uses and seems to be the best compromise: NEON is not supported in e.g. Scaleway or Tegra 2,
# and the above page suggests NEON is only an improvement with hand-written assembly.
arch = "armv7-a";
fpu = "vfpv3-d16";
float = "hard";
# For Raspberry Pi the 2 the best would be:
# cpu = "cortex-a7";
# fpu = "neon-vfpv4";
};
};
aarch64-multiplatform = {
name = "aarch64-multiplatform";
kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
kernelBaseConfig = "defconfig";
kernelArch = "arm64";
kernelDTB = true;
kernelAutoModules = true;
kernelPreferBuiltin = true;
kernelExtraConfig = ''
# Raspberry Pi 3 stuff. Not needed for kernels >= 4.10.
ARCH_BCM2835 y
BCM2835_MBOX y
BCM2835_WDT y
RASPBERRYPI_FIRMWARE y
RASPBERRYPI_POWER y
SERIAL_8250_BCM2835AUX y
SERIAL_8250_EXTENDED y
SERIAL_8250_SHARE_IRQ y
# Cavium ThunderX stuff.
PCI_HOST_THUNDER_ECAM y
# Nvidia Tegra stuff.
PCI_TEGRA y
# The default (=y) forces us to have the XHCI firmware available in initrd,
# which our initrd builder can't currently do easily.
USB_XHCI_TEGRA m
'';
kernelTarget = "Image";
gcc = {
arch = "armv8-a";
};
};
##
## Other
##
riscv-multiplatform = bits: {
name = "riscv-multiplatform";

13
lib/tests/modules.sh
View File

@ -136,7 +136,18 @@ checkConfigOutput "true" "$@" ./define-module-check.nix
# Check coerced value.
checkConfigOutput "\"42\"" config.value ./declare-coerced-value.nix
checkConfigOutput "\"24\"" config.value ./declare-coerced-value.nix ./define-value-string.nix
checkConfigError 'The option value .* in .* is not.*string or signed integer.*' config.value ./declare-coerced-value.nix ./define-value-list.nix
checkConfigError 'The option value .* in .* is not.*string or signed integer convertible to it' config.value ./declare-coerced-value.nix ./define-value-list.nix
# Check coerced value with unsound coercion
checkConfigOutput "12" config.value ./declare-coerced-value-unsound.nix
checkConfigError 'The option value .* in .* is not.*8 bit signed integer.* or string convertible to it' config.value ./declare-coerced-value-unsound.nix ./define-value-string-bigint.nix
checkConfigError 'unrecognised JSON value' config.value ./declare-coerced-value-unsound.nix ./define-value-string-arbitrary.nix
# Check loaOf with long list.
checkConfigOutput "1 2 3 4 5 6 7 8 9 10" config.result ./loaOf-with-long-list.nix
# Check loaOf with many merges of lists.
checkConfigOutput "1 2 3 4 5 6 7 8 9 10" config.result ./loaOf-with-many-list-merges.nix
cat <<EOF
====== module tests ======

10
lib/tests/modules/declare-coerced-value-unsound.nix Normal file
View File

@ -0,0 +1,10 @@
{ lib, ... }:
{
options = {
value = lib.mkOption {
default = "12";
type = lib.types.coercedTo lib.types.str lib.toInt lib.types.ints.s8;
};
};
}

3
lib/tests/modules/define-value-string-arbitrary.nix Normal file
View File

@ -0,0 +1,3 @@
{
value = "foobar";
}

3
lib/tests/modules/define-value-string-bigint.nix Normal file
View File

@ -0,0 +1,3 @@
{
value = "1000";
}

19
lib/tests/modules/loaOf-with-long-list.nix Normal file
View File

@ -0,0 +1,19 @@
{ config, lib, ... }:
{
options = {
loaOfInt = lib.mkOption {
type = lib.types.loaOf lib.types.int;
};
result = lib.mkOption {
type = lib.types.str;
};
};
config = {
loaOfInt = [ 1 2 3 4 5 6 7 8 9 10 ];
result = toString (lib.attrValues config.loaOfInt);
};
}

19
lib/tests/modules/loaOf-with-many-list-merges.nix Normal file
View File

@ -0,0 +1,19 @@
{ config, lib, ... }:
{
options = {
loaOfInt = lib.mkOption {
type = lib.types.loaOf lib.types.int;
};
result = lib.mkOption {
type = lib.types.str;
};
};
config = {
loaOfInt = lib.mkMerge (map lib.singleton [ 1 2 3 4 5 6 7 8 9 10 ]);
result = toString (lib.attrValues config.loaOfInt);
};
}

40
lib/types.nix
View File

@ -256,7 +256,7 @@ rec {
functor = (defaultFunctor name) // { wrapped = elemType; };
};
nonEmptyListOf = elemType:
nonEmptyListOf = elemType:
let list = addCheck (types.listOf elemType) (l: l != []);
in list // { description = "non-empty " + list.description; };
@ -280,15 +280,26 @@ rec {
# List or attribute set of ...
loaOf = elemType:
let
convertIfList = defIdx: def:
convertAllLists = defs:
let
padWidth = stringLength (toString (length defs));
unnamedPrefix = i: "unnamed-" + fixedWidthNumber padWidth i + ".";
in
imap1 (i: convertIfList (unnamedPrefix i)) defs;
convertIfList = unnamedPrefix: def:
if isList def.value then
{ inherit (def) file;
value = listToAttrs (
imap1 (elemIdx: elem:
{ name = elem.name or "unnamed-${toString defIdx}.${toString elemIdx}";
value = elem;
}) def.value);
}
let
padWidth = stringLength (toString (length def.value));
unnamed = i: unnamedPrefix + fixedWidthNumber padWidth i;
in
{ inherit (def) file;
value = listToAttrs (
imap1 (elemIdx: elem:
{ name = elem.name or (unnamed elemIdx);
value = elem;
}) def.value);
}
else
def;
listOnly = listOf elemType;
@ -297,7 +308,7 @@ rec {
name = "loaOf";
description = "list or attribute set of ${elemType.description}s";
check = x: isList x || isAttrs x;
merge = loc: defs: attrOnly.merge loc (imap1 convertIfList defs);
merge = loc: defs: attrOnly.merge loc (convertAllLists defs);
getSubOptions = prefix: elemType.getSubOptions (prefix ++ ["<name?>"]);
getSubModules = elemType.getSubModules;
substSubModules = m: loaOf (elemType.substSubModules m);
@ -419,16 +430,13 @@ rec {
assert coercedType.getSubModules == null;
mkOptionType rec {
name = "coercedTo";
description = "${finalType.description} or ${coercedType.description}";
check = x: finalType.check x || coercedType.check x;
description = "${finalType.description} or ${coercedType.description} convertible to it";
check = x: finalType.check x || (coercedType.check x && finalType.check (coerceFunc x));
merge = loc: defs:
let
coerceVal = val:
if finalType.check val then val
else let
coerced = coerceFunc val;
in assert finalType.check coerced; coerced;
else coerceFunc val;
in finalType.merge loc (map (def: def // { value = coerceVal def.value; }) defs);
getSubOptions = finalType.getSubOptions;
getSubModules = finalType.getSubModules;

55
maintainers/maintainer-list.nix
View File

@ -43,6 +43,11 @@
github = "ChengCat";
name = "Yucheng Zhang";
};
CrazedProgrammer = {
email = "crazedprogrammer@gmail.com";
github = "CrazedProgrammer";
name = "CrazedProgrammer";
};
CrystalGamma = {
email = "nixos@crystalgamma.de";
github = "CrystalGamma";
@ -676,6 +681,11 @@
github = "bramd";
name = "Bram Duvigneau";
};
brian-dawn = {
email = "brian.t.dawn@gmail.com";
github = "brian-dawn";
name = "Brian Dawn";
};
bstrik = {
email = "dutchman55@gmx.com";
github = "bstrik";
@ -998,6 +1008,11 @@
github = "demin-dmitriy";
name = "Dmitriy Demin";
};
demyanrogozhin = {
email = "demyan.rogozhin@gmail.com";
github = "demyanrogozhin";
name = "Demyan Rogozhin";
};
derchris = {
email = "derchris@me.com";
github = "derchrisuk";
@ -1740,6 +1755,11 @@
github = "jdagilliland";
name = "Jason Gilliland";
};
jD91mZM2 = {
email = "me@krake.one";
github = "jD91mZM2";
name = "jD91mZM2";
};
jefdaj = {
email = "jefdaj@gmail.com";
github = "jefdaj";
@ -1815,6 +1835,11 @@
github = "joamaki";
name = "Jussi Maki";
};
joelburget = {
email = "joelburget@gmail.com";
github = "joelburget";
name = "Joel Burget";
};
joelmo = {
email = "joel.moberg@gmail.com";
github = "joelmo";
@ -2358,6 +2383,11 @@
github = "meditans";
name = "Carlo Nucera";
};
megheaiulian = {
email = "iulian.meghea@gmail.com";
github = "megheaiulian";
name = "Meghea Iulian";
};
mehandes = {
email = "niewskici@gmail.com";
github = "mehandes";
@ -2471,6 +2501,16 @@
github = "mmahut";
name = "Marek Mahut";
};
mmlb = {
email = "me.mmlb@mmlb.me";
github = "mmlb";
name = "Manuel Mendez";
};
mnacamura = {
email = "m.nacamura@gmail.com";
github = "mnacamura";
name = "Mitsuhiro Nakamura";
};
moaxcp = {
email = "moaxcp@gmail.com";
github = "moaxcp";
@ -3139,6 +3179,11 @@
github = "rittelle";
name = "Lennart Rittel";
};
rkoe = {
email = "rk@simple-is-better.org";
github = "rkoe";
name = "Roland Koebler";
};
rlupton20 = {
email = "richard.lupton@gmail.com";
github = "rlupton20";
@ -3219,6 +3264,11 @@
github = "rushmorem";
name = "Rushmore Mushambi";
};
ruuda = {
email = "dev+nix@veniogames.com";
github = "ruuda";
name = "Ruud van Asseldonk";
};
rvl = {
email = "dev+nix@rodney.id.au";
github = "rvl";
@ -3731,6 +3781,11 @@
github = "titanous";
name = "Jonathan Rudenberg";
};
tmplt = {
email = "tmplt@dragons.rocks";
github = "tmplt";
name = "Viktor";
};
tnias = {
email = "phil@grmr.de";
github = "tnias";

4
nixos/doc/manual/configuration/linux-kernel.xml
View File

@ -50,9 +50,9 @@ nixpkgs.config.packageOverrides = pkgs:
<xref linkend="opt-boot.kernelModules"/> = [ "fuse" "kvm-intel" "coretemp" ];
</programlisting>
If the module is required early during the boot (e.g. to mount the root file
system), you can use <xref linkend="opt-boot.initrd.extraKernelModules"/>:
system), you can use <xref linkend="opt-boot.initrd.kernelModules"/>:
<programlisting>
<xref linkend="opt-boot.initrd.extraKernelModules"/> = [ "cifs" ];
<xref linkend="opt-boot.initrd.kernelModules"/> = [ "cifs" ];
</programlisting>
This causes the specified modules and their dependencies to be added to the
initial ramdisk.

9
nixos/doc/manual/development/option-types.xml
View File

@ -21,6 +21,15 @@
</para>
<variablelist>
<varlistentry>
<term><varname>types.attrs</varname>
</term>
<listitem>
<para>
A free-form attribute set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>types.bool</varname>
</term>

2
nixos/doc/manual/development/releases.xml
View File

@ -70,7 +70,7 @@
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790">
Bump the <literal>system.defaultChannel</literal> attribute in
Bump the <literal>system.nixos.defaultChannel</literal> attribute in
<literal>nixos/modules/misc/version.nix</literal> </link>
</para>
</listitem>

4
nixos/doc/manual/release-notes/rl-1509.xml
View File

@ -433,9 +433,9 @@ system.autoUpgrade.enable = true;
default. If you have existing systems with such host keys and want to
continue to use them, please set
<programlisting>
system.stateVersion = "14.12";
system.nixos.stateVersion = "14.12";
</programlisting>
The new option <option>system.stateVersion</option> ensures that certain
The new option <option>system.nixos.stateVersion</option> ensures that certain
configuration changes that could break existing systems (such as the
<command>sshd</command> host key setting) will maintain compatibility with
the specified NixOS release. NixOps sets the state version of existing

74
nixos/doc/manual/release-notes/rl-1809.xml
View File

@ -53,7 +53,10 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
<itemizedlist>
<listitem>
<para></para>
<para>When enabled the <literal>iproute2</literal> will copy the files
expected by ip route (e.g., <filename>rt_tables</filename>) in
<filename>/run/iproute2</filename>. This allows to write aliases for
routing tables for instance.</para>
</listitem>
</itemizedlist>
</section>
@ -101,6 +104,17 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
that can be mapped onto the YAML configuration defined in <link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the <varname>docker/distribution</varname> docs</link>.
</para>
</listitem>
<listitem>
<para>
<literal>gnucash</literal> has changed from version 2.4 to 3.x.
If you've been using <literal>gnucash</literal> (version 2.4) instead of
<literal>gnucash26</literal> (version 2.6) you must open your Gnucash
data file(s) with <literal>gnucash26</literal> and then save them to
upgrade the file format. Then you may use your data file(s) with
Gnucash 3.x. See the upgrade <link xlink:href="https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade">documentation</link>.
Gnucash 2.4 is still available under the attribute <literal>gnucash24</literal>.
</para>
</listitem>
</itemizedlist>
</section>
@ -169,6 +183,64 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
for further reference.
</para>
</listitem>
<listitem>
<para>
The module for <option>security.dhparams</option> has two new options now:
</para>
<variablelist>
<varlistentry>
<term><option>security.dhparams.stateless</option></term>
<listitem><para>
Puts the generated Diffie-Hellman parameters into the Nix store instead
of managing them in a stateful manner in
<filename class="directory">/var/lib/dhparams</filename>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>security.dhparams.defaultBitSize</option></term>
<listitem><para>
The default bit size to use for the generated Diffie-Hellman parameters.
</para></listitem>
</varlistentry>
</variablelist>
<note><para>
The path to the actual generated parameter files should now be queried
using
<literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>
because it might be either in the Nix store or in a directory configured
by <option>security.dhparams.path</option>.
</para></note>
<note>
<title>For developers:</title>
<para>
Module implementers should not set a specific bit size in order to let
users configure it by themselves if they want to have a different bit
size than the default (2048).
</para>
<para>
An example usage of this would be:
<programlisting>
{ config, ... }:
{
security.dhparams.params.myservice = {};
environment.etc."myservice.conf".text = ''
dhparams = ${config.security.dhparams.params.myservice.path}
'';
}
</programlisting>
</para>
</note>
</listitem>
<listitem>
<para>
<literal>networking.networkmanager.useDnsmasq</literal> has been deprecated. Use
<literal>networking.networkmanager.dns</literal> instead.
</para>
</listitem>
</itemizedlist>
</section>
</section>

9
nixos/lib/make-ext4-fs.nix
View File

@ -14,7 +14,7 @@ in
pkgs.stdenv.mkDerivation {
name = "ext4-fs.img";
nativeBuildInputs = with pkgs; [e2fsprogs libfaketime perl];
nativeBuildInputs = with pkgs; [e2fsprogs.bin libfaketime perl];
buildCommand =
''
@ -83,5 +83,12 @@ pkgs.stdenv.mkDerivation {
echo "--- Failed to create EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks) ---"
return 1
fi
# I have ended up with corrupted images sometimes, I suspect that happens when the build machine's disk gets full during the build.
if ! fsck.ext4 -n -f $out; then
echo "--- Fsck failed for EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks) ---"
cat errorlog
return 1
fi
'';
}

5
nixos/maintainers/scripts/ec2/amazon-image.nix
View File

@ -8,6 +8,11 @@ in {
imports = [ ../../../modules/virtualisation/amazon-image.nix ];
# Required to provide good EBS experience,
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html#timeout-nvme-ebs-volumes
# TODO change value to 4294967295 when kernel is updated to 4.15 or later
config.boot.kernelParams = [ "nvme_core.io_timeout=255" ];
options.amazonImage = {
name = mkOption {
type = types.str;

23
nixos/modules/config/iproute2.nix Normal file
View File

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.networking.iproute2;
confDir = "/run/iproute2";
in
{
options.networking.iproute2.enable = mkEnableOption "copy IP route configuration files";
config = mkMerge [
({ nixpkgs.config.iproute2.confDir = confDir; })
(mkIf cfg.enable {
system.activationScripts.iproute2 = ''
cp -R ${pkgs.iproute}/etc/iproute2 ${confDir}
chmod -R 664 ${confDir}
chmod +x ${confDir}
'';
})
];
}

2
nixos/modules/installer/cd-dvd/installation-cd-base.nix
View File

@ -31,4 +31,6 @@ with lib;
# Allow the user to log in as root without a password.
users.extraUsers.root.initialHashedPassword = "";
system.nixos.stateVersion = mkDefault "18.03";
}

2
nixos/modules/installer/tools/nixos-generate-config.pl
View File

@ -628,7 +628,7 @@ $bootLoaderConfig
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "${\(qw(@release@))}"; # Did you read the comment?
system.nixos.stateVersion = "${\(qw(@release@))}"; # Did you read the comment?
}
EOF

1
nixos/modules/installer/virtualbox-demo.nix
View File

@ -21,4 +21,5 @@ with lib;
services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" "modesetting" ];
powerManagement.enable = false;
system.nixos.stateVersion = mkDefault "18.03";
}

6
nixos/modules/misc/documentation.nix
View File

@ -75,20 +75,20 @@ let cfg = config.documentation; in
(mkIf cfg.man.enable {
environment.systemPackages = [ pkgs.man-db ];
environment.pathsToLink = [ "/share/man" ];
environment.extraOutputsToInstall = [ "man" ] ++ optional cfg.dev.enable [ "devman" ];
environment.extraOutputsToInstall = [ "man" ] ++ optional cfg.dev.enable "devman";
})
(mkIf cfg.info.enable {
environment.systemPackages = [ pkgs.texinfoInteractive ];
environment.pathsToLink = [ "/share/info" ];
environment.extraOutputsToInstall = [ "info" ] ++ optional cfg.dev.enable [ "devinfo" ];
environment.extraOutputsToInstall = [ "info" ] ++ optional cfg.dev.enable "devinfo";
})
(mkIf cfg.doc.enable {
# TODO(@oxij): put it here and remove from profiles?
# environment.systemPackages = [ pkgs.w3m ]; # w3m-nox?
environment.pathsToLink = [ "/share/doc" ];
environment.extraOutputsToInstall = [ "doc" ] ++ optional cfg.dev.enable [ "devdoc" ];
environment.extraOutputsToInstall = [ "doc" ] ++ optional cfg.dev.enable "devdoc";
})
]);

8
nixos/modules/misc/ids.nix
View File

@ -190,7 +190,7 @@
cadvisor = 167;
nylon = 168;
apache-kafka = 169;
panamax = 170;
#panamax = 170; # unused
exim = 172;
#fleet = 173; # unused
#input = 174; # unused
@ -306,6 +306,7 @@
ceph = 288;
duplicati = 289;
monetdb = 290;
restic = 291;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -473,9 +474,9 @@
#chronos = 164; # unused
gitlab = 165;
nylon = 168;
panamax = 170;
#panamax = 170; # unused
exim = 172;
fleet = 173;
#fleet = 173; # unused
input = 174;
sddm = 175;
tss = 176;
@ -580,6 +581,7 @@
ceph = 288;
duplicati = 289;
monetdb = 290;
restic = 291;
# When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal

17
nixos/modules/misc/version.nix
View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ options, config, lib, pkgs, ... }:
with lib;
@ -12,29 +12,29 @@ in
{
options.system = {
options.system.nixos = {
nixos.version = mkOption {
version = mkOption {
internal = true;
type = types.str;
description = "The full NixOS version (e.g. <literal>16.03.1160.f2d4ee1</literal>).";
};
nixos.release = mkOption {
release = mkOption {
readOnly = true;
type = types.str;
default = trivial.release;
description = "The NixOS release (e.g. <literal>16.03</literal>).";
};
nixos.versionSuffix = mkOption {
versionSuffix = mkOption {
internal = true;
type = types.str;
default = trivial.versionSuffix;
description = "The NixOS version suffix (e.g. <literal>1160.f2d4ee1</literal>).";
};
nixos.revision = mkOption {
revision = mkOption {
internal = true;
type = types.str;
default = if pathIsDirectory gitRepo then commitIdFromGitRepo gitRepo
@ -43,7 +43,7 @@ in
description = "The Git revision from which this NixOS configuration was built.";
};
nixos.codeName = mkOption {
codeName = mkOption {
readOnly = true;
type = types.str;
description = "The NixOS release code name (e.g. <literal>Emu</literal>).";
@ -76,6 +76,9 @@ in
config = {
warnings = lib.optional (options.system.nixos.stateVersion.highestPrio > 1000)
"You don't have `system.nixos.stateVersion` explicitly set. Expect things to break.";
system.nixos = {
# These defaults are set here rather than up there so that
# changing them would not rebuild the manual

8
nixos/modules/module-list.nix
View File

@ -9,6 +9,7 @@
./config/fonts/ghostscript.nix
./config/gnu.nix
./config/i18n.nix
./config/iproute2.nix
./config/krb5/default.nix
./config/ldap.nix
./config/networking.nix
@ -167,14 +168,13 @@
./services/backup/mysql-backup.nix
./services/backup/postgresql-backup.nix
./services/backup/restic.nix
./services/backup/restic-rest-server.nix
./services/backup/rsnapshot.nix
./services/backup/tarsnap.nix
./services/backup/znapzend.nix
./services/cluster/fleet.nix
./services/cluster/kubernetes/default.nix
./services/cluster/kubernetes/dns.nix
./services/cluster/kubernetes/dashboard.nix
./services/cluster/panamax.nix
./services/computing/boinc/client.nix
./services/computing/torque/server.nix
./services/computing/torque/mom.nix
@ -215,6 +215,7 @@
./services/desktops/accountsservice.nix
./services/desktops/dleyna-renderer.nix
./services/desktops/dleyna-server.nix
./services/desktops/flatpak.nix
./services/desktops/geoclue2.nix
./services/desktops/pipewire.nix
./services/desktops/gnome3/at-spi2-core.nix
@ -514,6 +515,7 @@
./services/networking/murmur.nix
./services/networking/namecoind.nix
./services/networking/nat.nix
./services/networking/ndppd.nix
./services/networking/networkmanager.nix
./services/networking/nftables.nix
./services/networking/ngircd.nix
@ -649,6 +651,7 @@
./services/web-apps/tt-rss.nix
./services/web-apps/selfoss.nix
./services/web-apps/quassel-webserver.nix
./services/web-apps/youtrack.nix
./services/web-servers/apache-httpd/default.nix
./services/web-servers/caddy.nix
./services/web-servers/fcgiwrap.nix
@ -780,6 +783,7 @@
./virtualisation/hyperv-guest.nix
./virtualisation/openvswitch.nix
./virtualisation/parallels-guest.nix
./virtualisation/qemu-guest-agent.nix
./virtualisation/rkt.nix
./virtualisation/virtualbox-guest.nix
./virtualisation/virtualbox-host.nix

1
nixos/modules/profiles/base.nix
View File

@ -17,6 +17,7 @@
pkgs.ddrescue
pkgs.ccrypt
pkgs.cryptsetup # needed for dm-crypt volumes
pkgs.mkpasswd # for generating password files
# Some networking tools.
pkgs.fuse

2
nixos/modules/programs/shell.nix
View File

@ -40,7 +40,7 @@ in
# Subscribe the root user to the NixOS channel by default.
if [ "$USER" = root -a ! -e $HOME/.nix-channels ]; then
echo "${config.system.defaultChannel} nixos" > $HOME/.nix-channels
echo "${config.system.nixos.defaultChannel} nixos" > $HOME/.nix-channels
fi
# Create the per-user garbage collector roots directory.

3
nixos/modules/rename.nix
View File

@ -17,6 +17,7 @@ with lib;
(mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "networkmanager" "useDnsmasq" ] [ "networking" "networkmanager" "dns" ])
(mkRenamedOptionModule [ "services" "cadvisor" "host" ] [ "services" "cadvisor" "listenAddress" ])
(mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ]
@ -203,6 +204,8 @@ with lib;
(mkRenamedOptionModule [ "system" "nixosVersionSuffix" ] [ "system" "nixos" "versionSuffix" ])
(mkRenamedOptionModule [ "system" "nixosRevision" ] [ "system" "nixos" "revision" ])
(mkRenamedOptionModule [ "system" "nixosLabel" ] [ "system" "nixos" "label" ])
(mkRenamedOptionModule [ "system" "stateVersion" ] [ "system" "nixos" "stateVersion" ])
(mkRenamedOptionModule [ "system" "defaultChannel" ] [ "system" "nixos" "defaultChannel" ])
# Users
(mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ])

8
nixos/modules/security/acme.nix
View File

@ -257,7 +257,7 @@ in
if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
${if data.activationDelay != null then ''
${data.preDelay}
if [ -d '${lpath}' ]; then
@ -266,6 +266,10 @@ in
systemctl --wait start acme-setlive-${cert}.service
fi
'' else data.postRun}
# noop ensuring that the "if" block is non-empty even if
# activationDelay == null and postRun == ""
true
fi
'';
@ -294,7 +298,7 @@ in
chown '${data.user}:${data.group}' '${cpath}'
fi
'';
script =
script =
''
workdir="$(mktemp -d)"

228
nixos/modules/security/dhparams.nix
View File

@ -1,107 +1,173 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (lib) mkOption types;
cfg = config.security.dhparams;
in
{
bitType = types.addCheck types.int (b: b >= 16) // {
name = "bits";
description = "integer of at least 16 bits";
};
paramsSubmodule = { name, config, ... }: {
options.bits = mkOption {
type = bitType;
default = cfg.defaultBitSize;
description = ''
The bit size for the prime that is used during a Diffie-Hellman
key exchange.
'';
};
options.path = mkOption {
type = types.path;
readOnly = true;
description = ''
The resulting path of the generated Diffie-Hellman parameters
file for other services to reference. This could be either a
store path or a file inside the directory specified by
<option>security.dhparams.path</option>.
'';
};
config.path = let
generated = pkgs.runCommand "dhparams-${name}.pem" {
nativeBuildInputs = [ pkgs.openssl ];
} "openssl dhparam -out \"$out\" ${toString config.bits}";
in if cfg.stateful then "${cfg.path}/${name}.pem" else generated;
};
in {
options = {
security.dhparams = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to generate new DH params and clean up old DH params.
'';
};
params = mkOption {
description =
''
Diffie-Hellman parameters to generate.
The value is the size (in bits) of the DH params to generate. The
generated DH params path can be found in
<filename><replaceable>security.dhparams.path</replaceable>/<replaceable>name</replaceable>.pem</filename>.
Note: The name of the DH params is taken as being the name of the
service it serves: the params will be generated before the said
service is started.
Warning: If you are removing all dhparams from this list, you have
to leave security.dhparams.enable for at least one activation in
order to have them be cleaned up. This also means if you rollback to
a version without any dhparams the existing ones won't be cleaned
up.
'';
type = with types; attrsOf int;
type = with types; let
coerce = bits: { inherit bits; };
in attrsOf (coercedTo int coerce (submodule paramsSubmodule));
default = {};
example = { nginx = 3072; };
example = lib.literalExample "{ nginx.bits = 3072; }";
description = ''
Diffie-Hellman parameters to generate.
The value is the size (in bits) of the DH params to generate. The
generated DH params path can be found in
<literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>.
<note><para>The name of the DH params is taken as being the name of
the service it serves and the params will be generated before the
said service is started.</para></note>
<warning><para>If you are removing all dhparams from this list, you
have to leave <option>security.dhparams.enable</option> for at
least one activation in order to have them be cleaned up. This also
means if you rollback to a version without any dhparams the
existing ones won't be cleaned up. Of course this only applies if
<option>security.dhparams.stateful</option> is
<literal>true</literal>.</para></warning>
<note><title>For module implementers:</title><para>It's recommended
to not set a specific bit size here, so that users can easily
override this by setting
<option>security.dhparams.defaultBitSize</option>.</para></note>
'';
};
stateful = mkOption {
type = types.bool;
default = true;
description = ''
Whether generation of Diffie-Hellman parameters should be stateful or
not. If this is enabled, PEM-encoded files for Diffie-Hellman
parameters are placed in the directory specified by
<option>security.dhparams.path</option>. Otherwise the files are
created within the Nix store.
<note><para>If this is <literal>false</literal> the resulting store
path will be non-deterministic and will be rebuilt every time the
<package>openssl</package> package changes.</para></note>
'';
};
defaultBitSize = mkOption {
type = bitType;
default = 2048;
description = ''
This allows to override the default bit size for all of the
Diffie-Hellman parameters set in
<option>security.dhparams.params</option>.
'';
};
path = mkOption {
description =
''
Path to the directory in which Diffie-Hellman parameters will be
stored.
'';
type = types.str;
default = "/var/lib/dhparams";
};
enable = mkOption {
description =
''
Whether to generate new DH params and clean up old DH params.
'';
default = false;
type = types.bool;
description = ''
Path to the directory in which Diffie-Hellman parameters will be
stored. This only is relevant if
<option>security.dhparams.stateful</option> is
<literal>true</literal>.
'';
};
};
};
config = mkIf cfg.enable {
config = lib.mkIf (cfg.enable && cfg.stateful) {
systemd.services = {
dhparams-init = {
description = "Cleanup old Diffie-Hellman parameters";
wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
serviceConfig.Type = "oneshot";
script =
# Create directory
''
if [ ! -d ${cfg.path} ]; then
mkdir -p ${cfg.path}
fi
'' +
# Remove old dhparams
''
for file in ${cfg.path}/*; do
if [ ! -f "$file" ]; then
continue
fi
'' + concatStrings (mapAttrsToList (name: value:
''
if [ "$file" == "${cfg.path}/${name}.pem" ] && \
${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
continue
fi
''
) cfg.params) +
''
rm $file
done
description = "Clean Up Old Diffie-Hellman Parameters";
# TODO: Ideally this would be removing the *former* cfg.path, though this
# does not seem really important as changes to it are quite unlikely
rmdir --ignore-fail-on-non-empty ${cfg.path}
'';
};
} //
mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
after = [ "dhparams-init.service" ];
before = [ "${name}.service" ];
# Clean up even when no DH params is set
wantedBy = [ "multi-user.target" ];
serviceConfig.RemainAfterExit = true;
serviceConfig.Type = "oneshot";
script =
''
script = ''
if [ ! -d ${cfg.path} ]; then
mkdir -p ${cfg.path}
if [ ! -f ${cfg.path}/${name}.pem ]; then
${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
fi
# Remove old dhparams
for file in ${cfg.path}/*; do
if [ ! -f "$file" ]; then
continue
fi
'';
}) cfg.params;
${lib.concatStrings (lib.mapAttrsToList (name: { bits, path, ... }: ''
if [ "$file" = ${lib.escapeShellArg path} ] && \
${pkgs.openssl}/bin/openssl dhparam -in "$file" -text \
| head -n 1 | grep "(${toString bits} bit)" > /dev/null; then
continue
fi
'') cfg.params)}
rm $file
done
# TODO: Ideally this would be removing the *former* cfg.path, though
# this does not seem really important as changes to it are quite
# unlikely
rmdir --ignore-fail-on-non-empty ${cfg.path}
'';
};
} // lib.mapAttrs' (name: { bits, path, ... }: lib.nameValuePair "dhparams-gen-${name}" {
description = "Generate Diffie-Hellman Parameters for ${name}";
after = [ "dhparams-init.service" ];
before = [ "${name}.service" ];
wantedBy = [ "multi-user.target" ];
unitConfig.ConditionPathExists = "!${path}";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p ${lib.escapeShellArg cfg.path}
${pkgs.openssl}/bin/openssl dhparam -out ${lib.escapeShellArg path} \
${toString bits}
'';
}) cfg.params;
};
}

4
nixos/modules/security/pam.nix
View File

@ -449,6 +449,10 @@ in
<varname>item</varname>, and <varname>value</varname>
attribute. The syntax and semantics of these attributes
must be that described in the limits.conf(5) man page.
Note that these limits do not apply to systemd services,
whose limits can be changed via <option>systemd.extraConfig</option>
instead.
'';
};

107
nixos/modules/services/backup/restic-rest-server.nix Normal file
View File

@ -0,0 +1,107 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.restic.server;
in
{
meta.maintainers = [ maintainers.bachp ];
options.services.restic.server = {
enable = mkEnableOption "Restic REST Server";
listenAddress = mkOption {
default = ":8000";
example = "127.0.0.1:8080";
type = types.str;
description = "Listen on a specific IP address and port.";
};
dataDir = mkOption {
default = "/var/lib/restic";
type = types.path;
description = "The directory for storing the restic repository.";
};
appendOnly = mkOption {
default = false;
type = types.bool;
description = ''
Enable append only mode.
This mode allows creation of new backups but prevents deletion and modification of existing backups.
This can be useful when backing up systems that have a potential of being hacked.
'';
};
privateRepos = mkOption {
default = false;
type = types.bool;
description = ''
Enable private repos.
Grants access only when a subdirectory with the same name as the user is specified in the repository URL.
'';
};
prometheus = mkOption {
default = false;
type = types.bool;
description = "Enable Prometheus metrics at /metrics.";
};
extraFlags = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Extra commandline options to pass to Restic REST server.
'';
};
package = mkOption {
default = pkgs.restic-rest-server;
defaultText = "pkgs.restic-rest-server";
type = types.package;
description = "Restic REST server package to use.";
};
};
config = mkIf cfg.enable {
systemd.services.restic-rest-server = {
description = "Restic REST Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''
${cfg.package}/bin/rest-server \
--listen ${cfg.listenAddress} \
--path ${cfg.dataDir} \
${optionalString cfg.appendOnly "--append-only"} \
${optionalString cfg.privateRepos "--private-repos"} \
${optionalString cfg.prometheus "--prometheus"} \
${escapeShellArgs cfg.extraFlags} \
'';
Type = "simple";
User = "restic";
Group = "restic";
# Security hardening
ReadWritePaths = [ cfg.dataDir ];
PrivateTmp = true;
ProtectSystem = "strict";
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
PrivateDevices = true;
};
};
users.extraUsers.restic = {
group = "restic";
home = cfg.dataDir;
createHome = true;
uid = config.ids.uids.restic;
};
users.extraGroups.restic.gid = config.ids.uids.restic;
};
}

150
nixos/modules/services/cluster/fleet.nix
View File

@ -1,150 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.fleet;
in {
##### Interface
options.services.fleet = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable fleet service.
'';
};
listen = mkOption {
type = types.listOf types.str;
default = [ "/var/run/fleet.sock" ];
example = [ "/var/run/fleet.sock" "127.0.0.1:49153" ];
description = ''
Fleet listening addresses.
'';
};
etcdServers = mkOption {
type = types.listOf types.str;
default = [ "http://127.0.0.1:2379" ];
description = ''
Fleet list of etcd endpoints to use.
'';
};
publicIp = mkOption {
type = types.nullOr types.str;
default = "";
description = ''
Fleet IP address that should be published with the local Machine's
state and any socket information. If not set, fleetd will attempt
to detect the IP it should publish based on the machine's IP
routing information.
'';
};
etcdCafile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Fleet TLS ca file when SSL certificate authentication is enabled
in etcd endpoints.
'';
};
etcdKeyfile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Fleet TLS key file when SSL certificate authentication is enabled
in etcd endpoints.
'';
};
etcdCertfile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Fleet TLS cert file when SSL certificate authentication is enabled
in etcd endpoints.
'';
};
metadata = mkOption {
type = types.attrsOf types.str;
default = {};
apply = attrs: concatMapStringsSep "," (n: "${n}=${attrs."${n}"}") (attrNames attrs);
example = literalExample ''
{
region = "us-west";
az = "us-west-1";
}
'';
description = ''
Key/value pairs that are published with the local to the fleet registry.
This data can be used directly by a client of fleet to make scheduling decisions.
'';
};
extraConfig = mkOption {
type = types.attrsOf types.str;
apply = mapAttrs' (n: v: nameValuePair ("FLEET_" + n) v);
default = {};
example = literalExample ''
{
VERBOSITY = 1;
ETCD_REQUEST_TIMEOUT = "2.0";
AGENT_TTL = "40s";
}
'';
description = ''
Fleet extra config. See
<link xlink:href="https://github.com/coreos/fleet/blob/master/Documentation/deployment-and-configuration.md"/>
for configuration options.
'';
};
};
##### Implementation
config = mkIf cfg.enable {
systemd.services.fleet = {
description = "Fleet Init System Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "fleet.socket" "etcd.service" "docker.service" ];
requires = [ "fleet.socket" ];
environment = {
FLEET_ETCD_SERVERS = concatStringsSep "," cfg.etcdServers;
FLEET_PUBLIC_IP = cfg.publicIp;
FLEET_ETCD_CAFILE = cfg.etcdCafile;
FLEET_ETCD_KEYFILE = cfg.etcdKeyfile;
FLEET_ETCD_CERTFILE = cfg.etcdCertfile;
FLEET_METADATA = cfg.metadata;
} // cfg.extraConfig;
serviceConfig = {
ExecStart = "${pkgs.fleet}/bin/fleetd";
Group = "fleet";
};
};
systemd.sockets.fleet = {
description = "Fleet Socket for the API";
wantedBy = [ "sockets.target" ];
listenStreams = cfg.listen;
socketConfig = {
ListenStream = "/var/run/fleet.sock";
SocketMode = "0660";
SocketUser = "root";
SocketGroup = "fleet";
};
};
services.etcd.enable = mkDefault true;
virtualisation.docker.enable = mkDefault true;
environment.systemPackages = [ pkgs.fleet ];
users.extraGroups.fleet.gid = config.ids.gids.fleet;
};
}

156
nixos/modules/services/cluster/panamax.nix
View File

@ -1,156 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.panamax;
panamax_api = pkgs.panamax_api.override { dataDir = cfg.dataDir + "/api"; };
panamax_ui = pkgs.panamax_ui.override { dataDir = cfg.dataDir + "/ui"; };
in {
##### Interface
options.services.panamax = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable Panamax service.
'';
};
UIPort = mkOption {
type = types.int;
default = 8888;
description = ''
Panamax UI listening port.
'';
};
APIPort = mkOption {
type = types.int;
default = 3000;
description = ''
Panamax UI listening port.
'';
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/panamax";
description = ''
Data dir for Panamax.
'';
};
fleetctlEndpoint = mkOption {
type = types.str;
default = "http://127.0.0.1:2379";
description = ''
Panamax fleetctl endpoint.
'';
};
journalEndpoint = mkOption {
type = types.str;
default = "http://127.0.0.1:19531";
description = ''
Panamax journal endpoint.
'';
};
secretKey = mkOption {
type = types.str;
default = "SomethingVeryLong.";
description = ''
Panamax secret key (do change this).
'';
};
};
##### Implementation
config = mkIf cfg.enable {
systemd.services.panamax-api = {
description = "Panamax API";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "fleet.service" "etcd.service" "docker.service" ];
path = [ panamax_api ];
environment = {
RAILS_ENV = "production";
JOURNAL_ENDPOINT = cfg.journalEndpoint;
FLEETCTL_ENDPOINT = cfg.fleetctlEndpoint;
PANAMAX_DATABASE_PATH = "${cfg.dataDir}/api/db/mnt/db.sqlite3";
};
preStart = ''
rm -rf ${cfg.dataDir}/state/tmp
mkdir -p ${cfg.dataDir}/api/{db/mnt,state/log,state/tmp}
ln -sf ${panamax_api}/share/panamax-api/_db/{schema.rb,seeds.rb,migrate} ${cfg.dataDir}/api/db/
if [ ! -f ${cfg.dataDir}/.created ]; then
bundle exec rake db:setup
bundle exec rake db:seed
bundle exec rake panamax:templates:load || true
touch ${cfg.dataDir}/.created
else
bundle exec rake db:migrate
fi
'';
serviceConfig = {
ExecStart = "${panamax_api}/bin/bundle exec rails server --binding 127.0.0.1 --port ${toString cfg.APIPort}";
User = "panamax";
Group = "panamax";
};
};
systemd.services.panamax-ui = {
description = "Panamax UI";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "panamax_api.service" ];
path = [ panamax_ui ];
environment = {
RAILS_ENV = "production";
JOURNAL_ENDPOINT = cfg.journalEndpoint;
PMX_API_PORT_3000_TCP_ADDR = "localhost";
PMX_API_PORT_3000_TCP_PORT = toString cfg.APIPort;
SECRET_KEY_BASE = cfg.secretKey;
};
preStart = ''
mkdir -p ${cfg.dataDir}/ui/state/{log,tmp}
chown -R panamax:panamax ${cfg.dataDir}
'';
serviceConfig = {
ExecStart = "${panamax_ui}/bin/bundle exec rails server --binding 127.0.0.1 --port ${toString cfg.UIPort}";
User = "panamax";
Group = "panamax";
PermissionsStartOnly = true;
};
};
users.extraUsers.panamax =
{ uid = config.ids.uids.panamax;
description = "Panamax user";
createHome = true;
home = cfg.dataDir;
extraGroups = [ "docker" ];
};
services.journald.enableHttpGateway = mkDefault true;
services.fleet.enable = mkDefault true;
services.cadvisor.enable = mkDefault true;
services.cadvisor.port = mkDefault 3002;
virtualisation.docker.enable = mkDefault true;
environment.systemPackages = [ panamax_api panamax_ui ];
users.extraGroups.panamax.gid = config.ids.gids.panamax;
};
}

2
nixos/modules/services/databases/mysql.nix
View File

@ -218,7 +218,7 @@ in
config = mkIf config.services.mysql.enable {
services.mysql.dataDir =
mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/mysql"
mkDefault (if versionAtLeast config.system.nixos.stateVersion "17.09" then "/var/lib/mysql"
else "/var/mysql");
users.extraUsers.mysql = {

10
nixos/modules/services/databases/postgresql.nix
View File

@ -147,7 +147,7 @@ in
};
superUser = mkOption {
type = types.str;
default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root";
default= if versionAtLeast config.system.nixos.stateVersion "17.09" then "postgres" else "root";
internal = true;
description = ''
NixOS traditionally used 'root' as superuser, most other distros use 'postgres'.
@ -166,14 +166,14 @@ in
services.postgresql.package =
# Note: when changing the default, make it conditional on
# system.stateVersion to maintain compatibility with existing
# system.nixos.stateVersion to maintain compatibility with existing
# systems!
mkDefault (if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql96
else if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql95
mkDefault (if versionAtLeast config.system.nixos.stateVersion "17.09" then pkgs.postgresql96
else if versionAtLeast config.system.nixos.stateVersion "16.03" then pkgs.postgresql95
else pkgs.postgresql94);
services.postgresql.dataDir =
mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"
mkDefault (if versionAtLeast config.system.nixos.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"
else "/var/db/postgresql");
services.postgresql.authentication = mkAfter

52
nixos/modules/services/desktops/flatpak.nix Normal file
View File

@ -0,0 +1,52 @@
# flatpak service.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.flatpak;
in {
meta = {
doc = ./flatpak.xml;
maintainers = pkgs.flatpak.meta.maintainers;
};
###### interface
options = {
services.flatpak = {
enable = mkEnableOption "flatpak";
extraPortals = mkOption {
type = types.listOf types.package;
default = [];
description = ''
List of additional portals to add to path. Portals allow interaction
with system, like choosing files or taking screenshots. At minimum,
a desktop portal implementation should be listed. GNOME already
adds <package>xdg-desktop-portal-gtk</package>; for KDE, there
is <package>xdg-desktop-portal-kde</package>. Other desktop
environments will probably want to do the same.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.flatpak ];
services.dbus.packages = [ pkgs.flatpak pkgs.xdg-desktop-portal ] ++ cfg.extraPortals;
systemd.packages = [ pkgs.flatpak pkgs.xdg-desktop-portal ] ++ cfg.extraPortals;
environment.variables = {
PATH = [
"$HOME/.local/share/flatpak/exports/bin"
"/var/lib/flatpak/exports/bin"
];
XDG_DESKTOP_PORTAL_PATH = map (p: "${p}/share/xdg-desktop-portal/portals") cfg.extraPortals;
};
};
}

53
nixos/modules/services/desktops/flatpak.xml Normal file
View File

@ -0,0 +1,53 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="module-services-flatpak">
<title>Flatpak</title>
<para><emphasis>Source:</emphasis> <filename>modules/services/desktop/flatpak.nix</filename></para>
<para><emphasis>Upstream documentation:</emphasis> <link xlink:href="https://github.com/flatpak/flatpak/wiki"/></para>
<para>Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.</para>
<para>
To enable Flatpak, add the following to your <filename>configuration.nix</filename>:
<programlisting>
<xref linkend="opt-services.flatpak.enable"/> = true;
</programlisting>
</para>
<para>
For the sandboxed apps to work correctly, desktop integration portals need to be installed. If you run GNOME, this will be handled automatically for you; in other cases, you will need to add something like the following to your <filename>configuration.nix</filename>:
<programlisting>
<xref linkend="opt-services.flatpak.extraPortals"/> = [ pkgs.xdg-desktop-portal-gtk ];
</programlisting>
</para>
<para>
Then, you will need to add a repository, for example, <link xlink:href="https://github.com/flatpak/flatpak/wiki">Flathub</link>, either using the following commands:
<programlisting>
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak update
</programlisting>
or by opening the <link xlink:href="https://flathub.org/repo/flathub.flatpakrepo">repository file</link> in GNOME Software.
</para>
<para>
Finally, you can search and install programs:
<programlisting>
flatpak search bustle
flatpak install flathub org.freedesktop.Bustle
flatpak run org.freedesktop.Bustle
</programlisting>
Again, GNOME Software offers graphical interface for these tasks.
</para>
</chapter>

8
nixos/modules/services/mail/dovecot.nix
View File

@ -25,6 +25,7 @@ let
ssl_cert = <${cfg.sslServerCert}
ssl_key = <${cfg.sslServerKey}
${optionalString (!(isNull cfg.sslCACert)) ("ssl_ca = <" + cfg.sslCACert)}
ssl_dh = <${config.security.dhparams.params.dovecot2.path}
disable_plaintext_auth = yes
'')
@ -297,10 +298,13 @@ in
config = mkIf cfg.enable {
security.pam.services.dovecot2 = mkIf cfg.enablePAM {};
services.dovecot2.protocols =
security.dhparams = mkIf (! isNull cfg.sslServerCert) {
enable = true;
params.dovecot2 = {};
};
services.dovecot2.protocols =
optional cfg.enableImap "imap"
++ optional cfg.enablePop3 "pop3"
++ optional cfg.enableLmtp "lmtp";

20
nixos/modules/services/misc/matrix-synapse.nix
View File

@ -342,7 +342,7 @@ in {
};
database_type = mkOption {
type = types.enum [ "sqlite3" "psycopg2" ];
default = if versionAtLeast config.system.stateVersion "18.03"
default = if versionAtLeast config.system.nixos.stateVersion "18.03"
then "psycopg2"
else "sqlite3";
description = ''
@ -395,7 +395,14 @@ in {
};
url_preview_ip_range_blacklist = mkOption {
type = types.listOf types.str;
default = [];
default = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"169.254.0.0/16"
];
description = ''
List of IP address CIDR ranges that the URL preview spider is denied
from accessing.
@ -412,14 +419,7 @@ in {
};
url_preview_url_blacklist = mkOption {
type = types.listOf types.str;
default = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"169.254.0.0/16"
];
default = [];
description = ''
Optional list of URL matches that the URL preview spider is
denied from accessing.

2
nixos/modules/services/misc/mesos-slave.nix
View File

@ -187,7 +187,7 @@ in {
systemd.services.mesos-slave = {
description = "Mesos Slave";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
after = [ "network.target" ] ++ optionals cfg.withDocker [ "docker.service" ] ;
path = [ pkgs.runtimeShellPackage ];
serviceConfig = {
ExecStart = ''

2
nixos/modules/services/network-filesystems/ipfs.nix
View File

@ -14,7 +14,7 @@ let
(optionalString (cfg.defaultMode == "norouting") "--routing=none")
] ++ cfg.extraFlags);
defaultDataDir = if versionAtLeast config.system.stateVersion "17.09" then
defaultDataDir = if versionAtLeast config.system.nixos.stateVersion "17.09" then
"/var/lib/ipfs" else
"/var/lib/ipfs/.ipfs";

3
nixos/modules/services/networking/firewall.nix
View File

@ -242,6 +242,9 @@ let
# Don't allow traffic to leak out until the script has completed
ip46tables -A INPUT -j nixos-drop
${cfg.extraStopCommands}
if ${startScript}; then
ip46tables -D INPUT -j nixos-drop 2>/dev/null || true
else

14
nixos/modules/services/networking/gnunet.nix
View File

@ -102,6 +102,14 @@ in
};
};
package = mkOption {
type = types.package;
default = pkgs.gnunet;
defaultText = "pkgs.gnunet";
description = "Overridable attribute of the gnunet package to use.";
example = literalExample "pkgs.gnunet_git";
};
extraOptions = mkOption {
default = "";
description = ''
@ -130,16 +138,16 @@ in
# The user tools that talk to `gnunetd' should come from the same source,
# so install them globally.
environment.systemPackages = [ pkgs.gnunet ];
environment.systemPackages = [ cfg.package ];
systemd.services.gnunet = {
description = "GNUnet";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.gnunet pkgs.miniupnpc ];
path = [ cfg.package pkgs.miniupnpc ];
environment.TMPDIR = "/tmp";
serviceConfig.PrivateTemp = true;
serviceConfig.ExecStart = "${pkgs.gnunet}/lib/gnunet/libexec/gnunet-service-arm -c ${configFile}";
serviceConfig.ExecStart = "${cfg.package}/lib/gnunet/libexec/gnunet-service-arm -c ${configFile}";
serviceConfig.User = "gnunet";
serviceConfig.UMask = "0007";
serviceConfig.WorkingDirectory = homeDir;

5
nixos/modules/services/networking/hostapd.nix
View File

@ -151,11 +151,6 @@ in
config = mkIf cfg.enable {
assertions = [
{ assertion = (cfg.channel >= 1 && cfg.channel <= 13);
message = "channel must be between 1 and 13";
}];
environment.systemPackages = [ pkgs.hostapd ];
systemd.services.hostapd =

62
nixos/modules/services/networking/keepalived/default.nix
View File

@ -8,10 +8,12 @@ let
keepalivedConf = pkgs.writeText "keepalived.conf" ''
global_defs {
${optionalString cfg.enableScriptSecurity "enable_script_security"}
${snmpGlobalDefs}
${cfg.extraGlobalDefs}
}
${vrrpScriptStr}
${vrrpInstancesStr}
${cfg.extraConfig}
'';
@ -26,6 +28,22 @@ let
+ optionalString enableTraps "enable_traps"
);
vrrpScriptStr = concatStringsSep "\n" (map (s:
''
vrrp_script ${s.name} {
script "${s.script}"
interval ${toString s.interval}
fall ${toString s.fall}
rise ${toString s.rise}
timeout ${toString s.timeout}
weight ${toString s.weight}
user ${s.user} ${optionalString (s.group != null) s.group}
${s.extraConfig}
}
''
) vrrpScripts);
vrrpInstancesStr = concatStringsSep "\n" (map (i:
''
vrrp_instance ${i.name} {
@ -49,6 +67,18 @@ let
${concatMapStringsSep "\n" virtualIpLine i.virtualIps}
}
${optionalString (builtins.length i.trackScripts > 0) ''
track_script {
${concatStringsSep "\n" i.trackScripts}
}
''}
${optionalString (builtins.length i.trackInterfaces > 0) ''
track_interface {
${concatStringsSep "\n" i.trackInterfaces}
}
''}
${i.extraConfig}
}
''
@ -64,6 +94,12 @@ let
notNullOrEmpty = s: !(s == null || s == "");
vrrpScripts = mapAttrsToList (name: config:
{
inherit name;
} // config
) cfg.vrrpScripts;
vrrpInstances = mapAttrsToList (iName: iConfig:
{
name = iName;
@ -86,7 +122,8 @@ let
{ assertion = !i.vmacXmitBase || i.useVmac;
message = "services.keepalived.vrrpInstances.${i.name}.vmacXmitBase has no effect when services.keepalived.vrrpInstances.${i.name}.useVmac is not set.";
}
] ++ flatten (map (virtualIpAssertions i.name) i.virtualIps);
] ++ flatten (map (virtualIpAssertions i.name) i.virtualIps)
++ flatten (map (vrrpScriptAssertion i.name) i.trackScripts);
virtualIpAssertions = vrrpName: ip: [
{ assertion = ip.addr != "";
@ -94,6 +131,11 @@ let
}
];
vrrpScriptAssertion = vrrpName: scriptName: {
assertion = builtins.hasAttr scriptName cfg.vrrpScripts;
message = "services.keepalived.vrrpInstances.${vrrpName} trackscript ${scriptName} is not defined in services.keepalived.vrrpScripts.";
};
pidFile = "/run/keepalived.pid";
in
@ -110,6 +152,14 @@ in
'';
};
enableScriptSecurity = mkOption {
type = types.bool;
default = false;
description = ''
Don't run scripts configured to be run as root if any part of the path is writable by a non-root user.
'';
};
snmp = {
enable = mkOption {
@ -181,8 +231,16 @@ in
};
vrrpScripts = mkOption {
type = types.attrsOf (types.submodule (import ./vrrp-script-options.nix {
inherit lib;
}));
default = {};
description = "Declarative vrrp script config";
};
vrrpInstances = mkOption {
type = types.attrsOf (types.submodule (import ./vrrp-options.nix {
type = types.attrsOf (types.submodule (import ./vrrp-instance-options.nix {
inherit lib;
}));
default = {};

14
nixos/modules/services/networking/keepalived/vrrp-options.nix → nixos/modules/services/networking/keepalived/vrrp-instance-options.nix
View File

@ -108,6 +108,20 @@ with lib;
description = "Declarative vhost config";
};
trackScripts = mkOption {
type = types.listOf types.str;
default = [];
example = [ "chk_cmd1" "chk_cmd2" ];
description = "List of script names to invoke for health tracking.";
};
trackInterfaces = mkOption {
type = types.listOf types.str;
default = [];
example = [ "eth0" "eth1" ];
description = "List of network interfaces to monitor for health tracking.";
};
extraConfig = mkOption {
type = types.lines;
default = "";

64
nixos/modules/services/networking/keepalived/vrrp-script-options.nix Normal file
View File

@ -0,0 +1,64 @@
{ lib } :
with lib;
with lib.types;
{
options = {
script = mkOption {
type = str;
example = "\${pkgs.curl} -f http://localhost:80";
description = "(Path of) Script command to execute followed by args, i.e. cmd [args]...";
};
interval = mkOption {
type = int;
default = 1;
description = "Seconds between script invocations.";
};
timeout = mkOption {
type = int;
default = 5;
description = "Seconds after which script is considered to have failed.";
};
weight = mkOption {
type = int;
default = 0;
description = "Following a failure, adjust the priority by this weight.";
};
rise = mkOption {
type = int;
default = 5;
description = "Required number of successes for OK transition.";
};
fall = mkOption {
type = int;
default = 3;
description = "Required number of failures for KO transition.";
};
user = mkOption {
type = str;
default = "keepalived_script";
description = "Name of user to run the script under.";
};
group = mkOption {
type = nullOr str;
default = null;
description = "Name of group to run the script under. Defaults to user group.";
};
extraConfig = mkOption {
type = lines;
default = "";
description = "Extra lines to be added verbatim to the vrrp_script section.";
};
};
}

82
nixos/modules/services/networking/matterbridge.nix
View File

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ options, config, pkgs, lib, ... }:
with lib;
@ -6,7 +6,11 @@ let
cfg = config.services.matterbridge;
matterbridgeConfToml = pkgs.writeText "matterbridge.toml" (cfg.configFile);
matterbridgeConfToml =
if cfg.configPath == null then
pkgs.writeText "matterbridge.toml" (cfg.configFile)
else
cfg.configPath;
in
@ -15,17 +19,32 @@ in
services.matterbridge = {
enable = mkEnableOption "Matterbridge chat platform bridge";
configPath = mkOption {
type = with types; nullOr str;
default = null;
example = "/etc/nixos/matterbridge.toml";
description = ''
The path to the matterbridge configuration file.
'';
};
configFile = mkOption {
type = types.str;
example = ''
#WARNING: as this file contains credentials, be sure to set correct file permissions [irc]
# WARNING: as this file contains credentials, do not use this option!
# It is kept only for backwards compatibility, and would cause your
# credentials to be in the nix-store, thus with the world-readable
# permission bits.
# Use services.matterbridge.configPath instead.
[irc]
[irc.freenode]
Server="irc.freenode.net:6667"
Nick="matterbot"
[mattermost]
[mattermost.work]
#do not prefix it wit http:// or https://
# Do not prefix it with http:// or https://
Server="yourmattermostserver.domain"
Team="yourteam"
Login="yourlogin"
@ -44,6 +63,10 @@ in
channel="off-topic"
'';
description = ''
WARNING: THIS IS INSECURE, as your password will end up in
<filename>/nix/store</filename>, thus publicly readable. Use
<literal>services.matterbridge.configPath</literal> instead.
The matterbridge configuration file in the TOML file format.
'';
};
@ -65,32 +88,31 @@ in
};
};
config = mkMerge [
(mkIf cfg.enable {
config = mkIf cfg.enable {
warnings = optional options.services.matterbridge.configFile.isDefined
"The option services.matterbridge.configFile is insecure and should be replaced with services.matterbridge.configPath";
users.extraUsers = mkIf (cfg.user == "matterbridge") [
{ name = "matterbridge";
group = "matterbridge";
} ];
users.extraGroups = mkIf (cfg.group == "matterbridge") [
{ name = "matterbridge";
} ];
systemd.services.matterbridge = {
description = "Matterbridge chat platform bridge";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
ExecStart = "${pkgs.matterbridge.bin}/bin/matterbridge -conf ${matterbridgeConfToml}";
Restart = "always";
RestartSec = "10";
};
users.extraUsers = optional (cfg.user == "matterbridge")
{ name = "matterbridge";
group = "matterbridge";
};
})
];
}
users.extraGroups = optional (cfg.group == "matterbridge")
{ name = "matterbridge";
};
systemd.services.matterbridge = {
description = "Matterbridge chat platform bridge";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
ExecStart = "${pkgs.matterbridge.bin}/bin/matterbridge -conf ${matterbridgeConfToml}";
Restart = "always";
RestartSec = "10";
};
};
};
}

43
nixos/modules/services/networking/minidlna.nix
View File

@ -1,23 +1,16 @@
# Module for MiniDLNA, a simple DLNA server.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.minidlna;
port = 8200;
in
{
###### interface
options = {
services.minidlna.enable = mkOption {
type = types.bool;
default = false;
@ -43,24 +36,48 @@ in
'';
};
services.minidlna.loglevel = mkOption {
type = types.str;
default = "warn";
example = "general,artwork,database,inotify,scanner,metadata,http,ssdp,tivo=warn";
description =
''
Defines the type of messages that should be logged, and down to
which level of importance they should be considered.
The possible types are artwork, database, general, http,
inotify, metadata, scanner, ssdp and tivo.
The levels are off, fatal, error, warn, info and
debug, listed here in order of decreasing importance. off
turns off logging messages entirely, fatal logs the most
critical messages only, and so on down to debug that logs every
single messages.
The types are comma-separated, followed by an equal sign (=),
followed by a level that applies to the preceding types. This can
be repeated, separating each of these constructs with a comma.
Defaults to general,artwork,database,inotify,scanner,metadata,
http,ssdp,tivo=warn which logs every type of message at the
warn level.
'';
};
services.minidlna.config = mkOption {
type = types.lines;
description = "The contents of MiniDLNA's configuration file.";
};
};
###### implementation
config = mkIf cfg.enable {
services.minidlna.config =
''
port=${toString port}
friendly_name=${config.networking.hostName} MiniDLNA
db_dir=/var/cache/minidlna
log_level=warn
log_level=${cfg.loglevel}
inotify=yes
${concatMapStrings (dir: ''
media_dir=${dir}
@ -98,7 +115,5 @@ in
" -f ${pkgs.writeText "minidlna.conf" cfg.config}";
};
};
};
}

47
nixos/modules/services/networking/ndppd.nix Normal file
View File

@ -0,0 +1,47 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.ndppd;
configFile = pkgs.runCommand "ndppd.conf" {} ''
substitute ${pkgs.ndppd}/etc/ndppd.conf $out \
--replace eth0 ${cfg.interface} \
--replace 1111:: ${cfg.network}
'';
in {
options = {
services.ndppd = {
enable = mkEnableOption "daemon that proxies NDP (Neighbor Discovery Protocol) messages between interfaces";
interface = mkOption {
type = types.string;
default = "eth0";
example = "ens3";
description = "Interface which is on link-level with router.";
};
network = mkOption {
type = types.string;
default = "1111::";
example = "2001:DB8::/32";
description = "Network that we proxy.";
};
configFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to configuration file.";
};
};
};
config = mkIf cfg.enable {
systemd.packages = [ pkgs.ndppd ];
environment.etc."ndppd.conf".source = if (cfg.configFile != null) then cfg.configFile else configFile;
systemd.services.ndppd = {
serviceConfig.RuntimeDirectory = [ "ndppd" ];
wantedBy = [ "multi-user.target" ];
};
};
meta.maintainers = with maintainers; [ gnidorah ];
}

23
nixos/modules/services/networking/networkmanager.nix
View File

@ -10,7 +10,8 @@ let
stateDirs = "/var/lib/NetworkManager /var/lib/dhclient /var/lib/misc";
dns =
if cfg.useDnsmasq then "dnsmasq"
if cfg.dns == "none" then "none"
else if cfg.dns == "dnsmasq" then "dnsmasq"
else if config.services.resolved.enable then "systemd-resolved"
else if config.services.unbound.enable then "unbound"
else "default";
@ -205,14 +206,20 @@ in {
};
};
useDnsmasq = mkOption {
type = types.bool;
default = false;
dns = mkOption {
type = types.enum [ "auto" "dnsmasq" "none" ];
default = "auto";
description = ''
Enable NetworkManager's dnsmasq integration. NetworkManager will run
dnsmasq as a local caching nameserver, using a "split DNS"
configuration if you are connected to a VPN, and then update
resolv.conf to point to the local nameserver.
Options:
- auto: Check for systemd-resolved, unbound, or use default.
- dnsmasq:
Enable NetworkManager's dnsmasq integration. NetworkManager will run
dnsmasq as a local caching nameserver, using a "split DNS"
configuration if you are connected to a VPN, and then update
resolv.conf to point to the local nameserver.
- none:
Disable NetworkManager's DNS integration completely.
It will not touch your /etc/resolv.conf.
'';
};

14
nixos/modules/services/networking/nsd.nix
View File

@ -20,6 +20,7 @@ let
zoneStats = length (collect (x: (x.zoneStats or null) != null) cfg.zones) > 0;
};
mkZoneFileName = name: if name == "." then "root" else name;
nsdEnv = pkgs.buildEnv {
name = "nsd-env";
@ -50,8 +51,9 @@ let
};
writeZoneData = name: text: pkgs.writeTextFile {
inherit name text;
destination = "/zones/${name}";
name = "nsd-zone-${mkZoneFileName name}";
inherit text;
destination = "/zones/${mkZoneFileName name}";
};
@ -146,7 +148,7 @@ let
zoneConfigFile = name: zone: ''
zone:
name: "${name}"
zonefile: "${stateDir}/zones/${name}"
zonefile: "${stateDir}/zones/${mkZoneFileName name}"
${maybeString "outgoing-interface: " zone.outgoingInterface}
${forEach " rrl-whitelist: " zone.rrlWhitelist}
${maybeString "zonestats: " zone.zoneStats}
@ -887,6 +889,12 @@ in
config = mkIf cfg.enable {
assertions = singleton {
assertion = zoneConfigs ? "." -> cfg.rootServer;
message = "You have a root zone configured. If this is really what you "
+ "want, please enable 'services.nsd.rootServer'.";
};
environment.systemPackages = [ nsdPkg ];
users.extraGroups = singleton {

4
nixos/modules/services/networking/radicale.nix
View File

@ -9,7 +9,7 @@ let
confFile = pkgs.writeText "radicale.conf" cfg.config;
# This enables us to default to version 2 while still not breaking configurations of people with version 1
defaultPackage = if versionAtLeast config.system.stateVersion "17.09" then {
defaultPackage = if versionAtLeast config.system.nixos.stateVersion "17.09" then {
pkg = pkgs.radicale2;
text = "pkgs.radicale2";
} else {
@ -35,7 +35,7 @@ in
defaultText = defaultPackage.text;
description = ''
Radicale package to use. This defaults to version 1.x if
<literal>system.stateVersion &lt; 17.09</literal> and version 2.x
<literal>system.nixos.stateVersion &lt; 17.09</literal> and version 2.x
otherwise.
'';
};

1
nixos/modules/services/security/sshguard.nix
View File

@ -133,6 +133,7 @@ in {
ReadOnlyDirectories = "/";
ReadWriteDirectories = "/run/sshguard /var/lib/sshguard";
RuntimeDirectory = "sshguard";
StateDirectory = "sshguard";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
};
};

40
nixos/modules/services/web-apps/nexus.nix
View File

@ -42,6 +42,34 @@ in
default = 8081;
description = "Port to listen on.";
};
jvmOpts = mkOption {
type = types.lines;
default = ''
-Xms1200M
-Xmx1200M
-XX:MaxDirectMemorySize=2G
-XX:+UnlockDiagnosticVMOptions
-XX:+UnsyncloadClass
-XX:+LogVMOutput
-XX:LogFile=${cfg.home}/nexus3/log/jvm.log
-XX:-OmitStackTraceInFastThrow
-Djava.net.preferIPv4Stack=true
-Dkaraf.home=${pkgs.nexus}
-Dkaraf.base=${pkgs.nexus}
-Dkaraf.etc=${pkgs.nexus}/etc/karaf
-Djava.util.logging.config.file=${pkgs.nexus}/etc/karaf/java.util.logging.properties
-Dkaraf.data=${cfg.home}/nexus3
-Djava.io.tmpdir=${cfg.home}/nexus3/tmp
-Dkaraf.startLocalConsole=false
'';
description = ''
Options for the JVM written to `nexus.jvmopts`.
Please refer to the docs (https://help.sonatype.com/repomanager3/installation/configuring-the-runtime-environment)
for further information.
'';
};
};
};
@ -63,13 +91,13 @@ in
environment = {
NEXUS_USER = cfg.user;
NEXUS_HOME = cfg.home;
VM_OPTS_FILE = pkgs.writeText "nexus.vmoptions" cfg.jvmOpts;
};
preStart = ''
mkdir -p ${cfg.home}/nexus3/etc
ln -sf ${cfg.home} /run/sonatype-work
chown -R ${cfg.user}:${cfg.group} ${cfg.home}
if [ ! -f ${cfg.home}/nexus3/etc/nexus.properties ]; then
@ -77,10 +105,10 @@ in
echo "application-port=${toString cfg.listenPort}" >> ${cfg.home}/nexus3/etc/nexus.properties
echo "application-host=${toString cfg.listenAddress}" >> ${cfg.home}/nexus3/etc/nexus.properties
else
sed 's/^application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^# application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^# application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^# application-port=.*/application-port=${toString cfg.listenPort}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
sed 's/^# application-host=.*/application-host=${toString cfg.listenAddress}/' -i ${cfg.home}/nexus3/etc/nexus.properties
fi
'';

2
nixos/modules/services/web-servers/caddy.nix
View File

@ -66,7 +66,7 @@ in {
description = "Caddy web server";
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
environment = mkIf (versionAtLeast config.system.stateVersion "17.09")
environment = mkIf (versionAtLeast config.system.nixos.stateVersion "17.09")
{ CADDYPATH = cfg.dataDir; };
serviceConfig = {
ExecStart = ''

8
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -38,6 +38,7 @@ let
${toString (flip mapAttrsToList upstream.servers (name: server: ''
server ${name} ${optionalString server.backup "backup"};
''))}
${upstream.extraConfig}
}
''));
@ -492,6 +493,13 @@ in
'';
default = {};
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
These lines go to the end of the upstream verbatim.
'';
};
};
});
description = ''

1
nixos/modules/services/x11/desktop-managers/gnome3.nix
View File

@ -120,6 +120,7 @@ in {
services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center
services.udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
systemd.packages = [ pkgs.gnome3.vino ];
services.flatpak.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
# If gnome3 is installed, build vim for gtk3 too.
nixpkgs.config.vim.gui = "gtk3";

1
nixos/modules/services/x11/desktop-managers/xterm.nix
View File

@ -12,6 +12,7 @@ in
options = {
services.xserver.desktopManager.xterm.enable = mkOption {
type = types.bool;
default = true;
description = "Enable a xterm terminal as a desktop manager.";
};

4
nixos/modules/services/x11/window-managers/stumpwm.nix
View File

@ -15,10 +15,10 @@ in
services.xserver.windowManager.session = singleton {
name = "stumpwm";
start = ''
${pkgs.stumpwm}/bin/stumpwm &
${pkgs.lispPackages.stumpwm}/bin/stumpwm &
waitPID=$!
'';
};
environment.systemPackages = [ pkgs.stumpwm ];
environment.systemPackages = [ pkgs.lispPackages.stumpwm ];
};
}

19
nixos/modules/system/activation/switch-to-configuration.pl
View File

@ -4,6 +4,7 @@ use strict;
use warnings;
use File::Basename;
use File::Slurp;
use Net::DBus;
use Sys::Syslog qw(:standard :macros);
use Cwd 'abs_path';
@ -67,17 +68,15 @@ EOF
$SIG{PIPE} = "IGNORE";
sub getActiveUnits {
# FIXME: use D-Bus or whatever to query this, since parsing the
# output of list-units is likely to break.
# Use current version of systemctl binary before daemon is reexeced.
my $lines = `LANG= /run/current-system/sw/bin/systemctl list-units --full --no-legend`;
my $mgr = Net::DBus->system->get_service("org.freedesktop.systemd1")->get_object("/org/freedesktop/systemd1");
my $units = $mgr->ListUnitsByPatterns([], []);
my $res = {};
foreach my $line (split '\n', $lines) {
chomp $line;
last if $line eq "";
$line =~ /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s/ or next;
next if $1 eq "UNIT";
$res->{$1} = { load => $2, state => $3, substate => $4 };
for my $item (@$units) {
my ($id, $description, $load_state, $active_state, $sub_state,
$following, $unit_path, $job_id, $job_type, $job_path) = @$item;
next unless $following eq '';
next if $job_id == 0 and $active_state eq 'inactive';
$res->{$id} = { load => $load_state, state => $active_state, substate => $sub_state };
}
return $res;
}

3
nixos/modules/system/activation/top-level.nix
View File

@ -127,7 +127,8 @@ let
configurationName = config.boot.loader.grub.configurationName;
# Needed by switch-to-configuration.
perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl";
perl = "${pkgs.perl}/bin/perl " + (concatMapStringsSep " " (lib: "-I${lib}/${pkgs.perl.libPrefix}") (with pkgs.perlPackages; [ FileSlurp NetDBus XMLParser XMLTwig ]));
} else throw "\nFailed assertions:\n${concatStringsSep "\n" (map (x: "- ${x}") failed)}");
# Replace runtime dependencies

7
nixos/modules/system/boot/coredump.nix
View File

@ -15,8 +15,11 @@ with lib;
Enables storing core dumps in systemd.
Note that this alone is not enough to enable core dumps. The maximum
file size for core dumps must be specified in limits.conf as well. See
<option>security.pam.loginLimits</option> as well as the limits.conf(5)
man page.
<option>security.pam.loginLimits</option> and the limits.conf(5)
man page (these specify the core dump limits for user login sessions)
and <option>systemd.extraConfig</option> (where e.g.
<literal>DefaultLimitCORE=1000000</literal> can be specified to set
the core dump limit for systemd system-level services).
'';
};

2
nixos/modules/system/boot/grow-partition.nix
View File

@ -30,7 +30,7 @@ with lib;
boot.initrd.postDeviceCommands = ''
rootDevice="${config.fileSystems."/".device}"
if [ -e "$rootDevice" ]; then
if waitDevice "$rootDevice"; then
rootDevice="$(readlink -f "$rootDevice")"
parentDevice="$rootDevice"
while [ "''${parentDevice%[0-9]}" != "''${parentDevice}" ]; do

1
nixos/modules/system/boot/luksroot.nix
View File

@ -454,7 +454,6 @@ in
["firewire_ohci" "firewire_core" "firewire_sbp2"];
# Some modules that may be needed for mounting anything ciphered
# Also load input_leds to get caps lock light working (#12456)
boot.initrd.availableKernelModules = [ "dm_mod" "dm_crypt" "cryptd" "input_leds" ]
++ luks.cryptoModules
# workaround until https://marc.info/?l=linux-crypto-vger&m=148783562211457&w=4 is merged

59
nixos/modules/system/boot/stage-1-init.sh
View File

@ -74,6 +74,32 @@ ln -s /proc/mounts /etc/mtab # to shut up mke2fs
touch /etc/udev/hwdb.bin # to shut up udev
touch /etc/initrd-release
# Function for waiting a device to appear.
waitDevice() {
local device="$1"
# USB storage devices tend to appear with some delay. It would be
# great if we had a way to synchronously wait for them, but
# alas... So just wait for a few seconds for the device to
# appear.
if test ! -e $device; then
echo -n "waiting for device $device to appear..."
try=20
while [ $try -gt 0 ]; do
sleep 1
# also re-try lvm activation now that new block devices might have appeared
lvm vgchange -ay
# and tell udev to create nodes for the new LVs
udevadm trigger --action=add
if test -e $device; then break; fi
echo -n "."
try=$((try - 1))
done
echo
[ $try -ne 0 ]
fi
}
# Mount special file systems.
specialMount() {
local device="$1"
@ -377,40 +403,7 @@ lustrateRoot () {
exec 4>&-
}
# Function for waiting a device to appear.
waitDevice() {
local device="$1"
# USB storage devices tend to appear with some delay. It would be
# great if we had a way to synchronously wait for them, but
# alas... So just wait for a few seconds for the device to
# appear.
if test ! -e $device; then
echo -n "waiting for device $device to appear..."
try=20
while [ $try -gt 0 ]; do
sleep 1
# also re-try lvm activation now that new block devices might have appeared
lvm vgchange -ay
# and tell udev to create nodes for the new LVs
udevadm trigger --action=add
if test -e $device; then break; fi
echo -n "."
try=$((try - 1))
done
echo
[ $try -ne 0 ]
fi
}
# Try to resume - all modules are loaded now.
if test -e /sys/power/tuxonice/resume; then
if test -n "$(cat /sys/power/tuxonice/resume)"; then
echo 0 > /sys/power/tuxonice/user_interface/enabled
echo 1 > /sys/power/tuxonice/do_resume || echo "failed to resume..."
fi
fi
if test -e /sys/power/resume -a -e /sys/power/disk; then
if test -n "@resumeDevice@" && waitDevice "@resumeDevice@"; then

17
nixos/modules/system/boot/systemd-lib.nix
View File

@ -2,9 +2,10 @@
with lib;
let cfg = config.systemd; in
rec {
let
cfg = config.systemd;
lndir = "${pkgs.xorg.lndir}/bin/lndir";
in rec {
shellEscape = s: (replaceChars [ "\\" ] [ "\\\\" ] s);
@ -136,7 +137,13 @@ rec {
for i in ${toString cfg.packages}; do
for fn in $i/etc/systemd/${type}/* $i/lib/systemd/${type}/*; do
if ! [[ "$fn" =~ .wants$ ]]; then
ln -s $fn $out/
if [[ -d "$fn" ]]; then
targetDir="$out/$(basename "$fn")"
mkdir -p "$targetDir"
${lndir} "$fn" "$targetDir"
else
ln -s $fn $out/
fi
fi
done
done
@ -151,7 +158,7 @@ rec {
if [ "$(readlink -f $i/$fn)" = /dev/null ]; then
ln -sfn /dev/null $out/$fn
else
mkdir $out/$fn.d
mkdir -p $out/$fn.d
ln -s $i/$fn $out/$fn.d/overrides.conf
fi
else

2
nixos/modules/system/boot/systemd-unit-options.nix
View File

@ -217,7 +217,7 @@ in rec {
environment = mkOption {
default = {};
type = with types; attrsOf (nullOr (either str package));
type = with types; attrsOf (nullOr (either str (either path package)));
example = { PATH = "/foo/bar/bin"; LANG = "nl_NL.UTF-8"; };
description = "Environment variables passed to the service's processes.";
};

6
nixos/modules/testing/test-instrumentation.nix
View File

@ -58,6 +58,9 @@ in
systemd.services."serial-getty@${qemuSerialDevice}".enable = false;
systemd.services."serial-getty@hvc0".enable = false;
# Only use a serial console, no TTY.
virtualisation.qemu.consoles = [ qemuSerialDevice ];
boot.initrd.preDeviceCommands =
''
echo 600 > /proc/sys/kernel/hung_task_timeout_secs
@ -126,6 +129,9 @@ in
users.extraUsers.root.initialHashedPassword = mkOverride 150 "";
services.xserver.displayManager.job.logToJournal = true;
# set default stateVersion to avoid warnings during eval
system.nixos.stateVersion = mkDefault "18.03";
};
}

7
nixos/modules/virtualisation/amazon-image.nix
View File

@ -48,13 +48,6 @@ let cfg = config.ec2; in
boot.loader.grub.extraPerEntryConfig = mkIf (!cfg.hvm) "root (hd0)";
boot.loader.timeout = 0;
boot.initrd.postDeviceCommands =
''
# Force udev to exit to prevent random "Device or resource busy
# while trying to open /dev/xvda" errors from fsck.
udevadm control --exit || true
'';
boot.initrd.network.enable = true;
# Mount all formatted ephemeral disks and activate all swap devices.

2
nixos/modules/virtualisation/amazon-options.nix
View File

@ -3,7 +3,7 @@
options = {
ec2 = {
hvm = lib.mkOption {
default = lib.versionAtLeast config.system.stateVersion "17.03";
default = lib.versionAtLeast config.system.nixos.stateVersion "17.03";
internal = true;
description = ''
Whether the EC2 instance is a HVM instance.

4
nixos/modules/virtualisation/containers.nix
View File

@ -606,8 +606,8 @@ in
{ config, pkgs, ... }:
{ services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql96;
system.stateVersion = "17.03";
system.nixos.stateVersion = "17.03";
};
};
}

36
nixos/modules/virtualisation/qemu-guest-agent.nix Normal file
View File

@ -0,0 +1,36 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.qemuGuest;
in {
options.services.qemuGuest = {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable the qemu guest agent.";
};
};
config = mkIf cfg.enable (
mkMerge [
{
services.udev.extraRules = ''
SUBSYSTEM=="virtio-ports", ATTR{name}=="org.qemu.guest_agent.0", TAG+="systemd" ENV{SYSTEMD_WANTS}="qemu-guest-agent.service"
'';
systemd.services.qemu-guest-agent = {
description = "Run the QEMU Guest Agent";
serviceConfig = {
ExecStart = "${pkgs.kvm.ga}/bin/qemu-ga";
Restart = "always";
RestartSec = 0;
};
};
}
]
);
}

43
nixos/modules/virtualisation/qemu-vm.nix
View File

@ -23,9 +23,9 @@ let
cfg = config.virtualisation;
qemuGraphics = if cfg.graphics then "" else "-nographic";
kernelConsole = if cfg.graphics then "" else "console=${qemuSerialDevice}";
ttys = [ "tty1" "tty2" "tty3" "tty4" "tty5" "tty6" ];
qemuGraphics = lib.optionalString (!cfg.graphics) "-nographic";
consoles = lib.concatMapStringsSep " " (c: "console=${c}") cfg.qemu.consoles;
# XXX: This is very ugly and in the future we really should use attribute
# sets to build ALL of the QEMU flags instead of this mixed mess of Nix
@ -108,7 +108,7 @@ let
${mkDiskIfaceDriveFlag "0" "file=$NIX_DISK_IMAGE,cache=writeback,werror=report"} \
-kernel ${config.system.build.toplevel}/kernel \
-initrd ${config.system.build.toplevel}/initrd \
-append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${kernelConsole} $QEMU_KERNEL_PARAMS" \
-append "$(cat ${config.system.build.toplevel}/kernel-params) init=${config.system.build.toplevel}/init regInfo=${regInfo}/registration ${consoles} $QEMU_KERNEL_PARAMS" \
''} \
$extraDisks \
${qemuGraphics} \
@ -248,9 +248,10 @@ in
default = true;
description =
''
Whether to run QEMU with a graphics window, or access
the guest computer serial port through the host tty.
'';
Whether to run QEMU with a graphics window, or in nographic mode.
Serial console will be enabled on both settings, but this will
change the preferred console.
'';
};
virtualisation.cores =
@ -332,6 +333,23 @@ in
description = "Options passed to QEMU.";
};
consoles = mkOption {
type = types.listOf types.str;
default = let
consoles = [ "${qemuSerialDevice},115200n8" "tty0" ];
in if cfg.graphics then consoles else reverseList consoles;
example = [ "console=tty1" ];
description = ''
The output console devices to pass to the kernel command line via the
<literal>console</literal> parameter, the primary console is the last
item of this list.
By default it enables both serial console and
<literal>tty0</literal>. The preferred console (last one) is based on
the value of <option>virtualisation.graphics</option>.
'';
};
networkingOptions =
mkOption {
default = [
@ -356,6 +374,15 @@ in
type = types.enum [ "virtio" "scsi" "ide" ];
description = "The interface used for the virtual hard disks.";
};
guestAgent.enable =
mkOption {
default = true;
type = types.bool;
description = ''
Enable the Qemu guest agent.
'';
};
};
virtualisation.useBootLoader =
@ -507,6 +534,8 @@ in
# Don't run ntpd in the guest. It should get the correct time from KVM.
services.timesyncd.enable = false;
services.qemuGuest.enable = cfg.qemu.guestAgent.enable;
system.build.vm = pkgs.runCommand "nixos-vm" { preferLocalBuild = true; }
''
mkdir -p $out/bin

7
nixos/release-combined.nix
View File

@ -58,6 +58,8 @@ in rec {
nixos.ova.x86_64-linux or []
#(all nixos.tests.containers)
(all nixos.tests.containers-imperative)
(all nixos.tests.containers-ipv4)
nixos.tests.chromium.x86_64-linux or []
(all nixos.tests.firefox)
(all nixos.tests.firewall)
@ -98,6 +100,7 @@ in rec {
(all nixos.tests.misc)
(all nixos.tests.mutableUsers)
(all nixos.tests.nat.firewall)
(all nixos.tests.nat.firewall-conntrack)
(all nixos.tests.nat.standalone)
(all nixos.tests.networking.scripted.loopback)
(all nixos.tests.networking.scripted.static)
@ -112,6 +115,10 @@ in rec {
(all nixos.tests.nfs4)
(all nixos.tests.openssh)
(all nixos.tests.php-pcre)
(all nixos.tests.predictable-interface-names.predictable)
(all nixos.tests.predictable-interface-names.unpredictable)
(all nixos.tests.predictable-interface-names.predictableNetworkd)
(all nixos.tests.predictable-interface-names.unpredictableNetworkd)
(all nixos.tests.printing)
(all nixos.tests.proxy)
(all nixos.tests.sddm.default)

12
nixos/release.nix
View File

@ -198,6 +198,7 @@ in rec {
modules = singleton ({ config, pkgs, ... }:
{ fileSystems."/".device = mkDefault "/dev/sda1";
boot.loader.grub.device = mkDefault "/dev/sda";
system.nixos.stateVersion = mkDefault "18.03";
});
}).config.system.build.toplevel;
preferLocalBuild = true;
@ -269,6 +270,7 @@ in rec {
tests.containers-macvlans = callTest tests/containers-macvlans.nix {};
tests.couchdb = callTest tests/couchdb.nix {};
tests.deluge = callTest tests/deluge.nix {};
tests.dhparams = callTest tests/dhparams.nix {};
tests.docker = callTestOnMatchingSystems ["x86_64-linux"] tests/docker.nix {};
tests.docker-tools = callTestOnMatchingSystems ["x86_64-linux"] tests/docker-tools.nix {};
tests.docker-tools-overlay = callTestOnMatchingSystems ["x86_64-linux"] tests/docker-tools-overlay.nix {};
@ -283,8 +285,8 @@ in rec {
tests.env = callTest tests/env.nix {};
tests.ferm = callTest tests/ferm.nix {};
tests.firefox = callTest tests/firefox.nix {};
tests.flatpak = callTest tests/flatpak.nix {};
tests.firewall = callTest tests/firewall.nix {};
tests.fleet = callTestOnMatchingSystems ["x86_64-linux"] tests/fleet.nix {};
tests.fwupd = callTest tests/fwupd.nix {};
#tests.gitlab = callTest tests/gitlab.nix {};
tests.gitolite = callTest tests/gitolite.nix {};
@ -313,10 +315,7 @@ in rec {
tests.plotinus = callTest tests/plotinus.nix {};
tests.keymap = callSubTests tests/keymap.nix {};
tests.initrdNetwork = callTest tests/initrd-network.nix {};
tests.kafka_0_9 = callTest tests/kafka_0_9.nix {};
tests.kafka_0_10 = callTest tests/kafka_0_10.nix {};
tests.kafka_0_11 = callTest tests/kafka_0_11.nix {};
tests.kafka_1_0 = callTest tests/kafka_1_0.nix {};
tests.kafka = callSubTests tests/kafka.nix {};
tests.kernel-copperhead = callTest tests/kernel-copperhead.nix {};
tests.kernel-latest = callTest tests/kernel-latest.nix {};
tests.kernel-lts = callTest tests/kernel-lts.nix {};
@ -348,6 +347,7 @@ in rec {
tests.networking.scripted = callSubTests tests/networking.nix { networkd = false; };
# TODO: put in networking.nix after the test becomes more complete
tests.networkingProxy = callTest tests/networking-proxy.nix {};
tests.nexus = callTest tests/nexus.nix { };
tests.nfs3 = callTest tests/nfs.nix { version = 3; };
tests.nfs4 = callTest tests/nfs.nix { version = 4; };
tests.nginx = callTest tests/nginx.nix { };
@ -360,7 +360,6 @@ in rec {
tests.openldap = callTest tests/openldap.nix {};
tests.owncloud = callTest tests/owncloud.nix {};
tests.pam-oath-login = callTest tests/pam-oath-login.nix {};
#tests.panamax = callTestOnMatchingSystems ["x86_64-linux"] tests/panamax.nix {};
tests.peerflix = callTest tests/peerflix.nix {};
tests.php-pcre = callTest tests/php-pcre.nix {};
tests.postgresql = callSubTests tests/postgresql.nix {};
@ -399,6 +398,7 @@ in rec {
tests.virtualbox = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/virtualbox.nix {};
tests.wordpress = callTest tests/wordpress.nix {};
tests.xautolock = callTest tests/xautolock.nix {};
tests.xdg-desktop-portal = callTest tests/xdg-desktop-portal.nix {};
tests.xfce = callTest tests/xfce.nix {};
tests.xmonad = callTest tests/xmonad.nix {};
tests.xrdp = callTest tests/xrdp.nix {};

4
nixos/tests/acme.nix
View File

@ -54,9 +54,11 @@ in import ./make-test.nix {
};
testScript = ''
$letsencrypt->waitForUnit("default.target");
$letsencrypt->waitForUnit("boulder.service");
startAll;
$webserver->waitForUnit("default.target");
$webserver->waitForUnit("acme-certificates.target");
$client->waitForUnit("default.target");
$client->succeed('curl https://example.com/ | grep -qF "hello world"');
'';
}

4
nixos/tests/common/letsencrypt.nix
View File

@ -386,6 +386,10 @@ in {
services.nginx.enable = true;
services.nginx.recommendedProxySettings = true;
# This fixes the test on i686
services.nginx.commonHttpConfig = ''
server_names_hash_bucket_size 64;
'';
services.nginx.virtualHosts.${wfeDomain} = {
onlySSL = true;
enableACME = false;

4
nixos/tests/containers-imperative.nix
View File

@ -17,7 +17,9 @@ import ./make-test.nix ({ pkgs, ...} : {
emptyContainer = import ../lib/eval-config.nix {
inherit (config.nixpkgs.localSystem) system;
modules = lib.singleton {
containers.foo.config = {};
containers.foo.config = {
system.nixos.stateVersion = "18.03";
};
};
};
in [ pkgs.stdenv emptyContainer.config.containers.foo.path pkgs.libxslt ];

1
nixos/tests/containers-ipv4.nix
View File

@ -21,6 +21,7 @@ import ./make-test.nix ({ pkgs, ...} : {
services.httpd.adminAddr = "foo@example.org";
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.allowPing = true;
system.nixos.stateVersion = "18.03";
};
};

144
nixos/tests/dhparams.nix Normal file
View File

@ -0,0 +1,144 @@
let
common = { pkgs, ... }: {
security.dhparams.enable = true;
environment.systemPackages = [ pkgs.openssl ];
};
in import ./make-test.nix {
name = "dhparams";
nodes.generation1 = { pkgs, config, ... }: {
imports = [ common ];
security.dhparams.params = {
# Use low values here because we don't want the test to run for ages.
foo.bits = 16;
# Also use the old format to make sure the type is coerced in the right
# way.
bar = 17;
};
systemd.services.foo = {
description = "Check systemd Ordering";
wantedBy = [ "multi-user.target" ];
unitConfig = {
# This is to make sure that the dhparams generation of foo occurs
# before this service so we need this service to start as early as
# possible to provoke a race condition.
DefaultDependencies = false;
# We check later whether the service has been started or not.
ConditionPathExists = config.security.dhparams.params.foo.path;
};
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
# The reason we only provide an ExecStop here is to ensure that we don't
# accidentally trigger an error because a file system is not yet ready
# during very early startup (we might not even have the Nix store
# available, for example if future changes in NixOS use systemd mount
# units to do early file system initialisation).
serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
};
};
nodes.generation2 = {
imports = [ common ];
security.dhparams.params.foo.bits = 18;
};
nodes.generation3 = common;
nodes.generation4 = {
imports = [ common ];
security.dhparams.stateful = false;
security.dhparams.params.foo2.bits = 18;
security.dhparams.params.bar2.bits = 19;
};
nodes.generation5 = {
imports = [ common ];
security.dhparams.defaultBitSize = 30;
security.dhparams.params.foo3 = {};
security.dhparams.params.bar3 = {};
};
testScript = { nodes, ... }: let
getParamPath = gen: name: let
node = "generation${toString gen}";
in nodes.${node}.config.security.dhparams.params.${name}.path;
assertParamBits = gen: name: bits: let
path = getParamPath gen name;
in ''
$machine->nest('check bit size of ${path}', sub {
my $out = $machine->succeed('openssl dhparam -in ${path} -text');
$out =~ /^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$/m;
die "bit size should be ${toString bits} but it is $1 instead."
if $1 != ${toString bits};
});
'';
switchToGeneration = gen: let
node = "generation${toString gen}";
inherit (nodes.${node}.config.system.build) toplevel;
switchCmd = "${toplevel}/bin/switch-to-configuration test";
in ''
$machine->nest('switch to generation ${toString gen}', sub {
$machine->succeed('${switchCmd}');
$main::machine = ''$${node};
});
'';
in ''
my $machine = $generation1;
$machine->waitForUnit('multi-user.target');
subtest "verify startup order", sub {
$machine->succeed('systemctl is-active foo.service');
};
subtest "check bit sizes of dhparam files", sub {
${assertParamBits 1 "foo" 16}
${assertParamBits 1 "bar" 17}
};
${switchToGeneration 2}
subtest "check whether bit size has changed", sub {
${assertParamBits 2 "foo" 18}
};
subtest "ensure that dhparams file for 'bar' was deleted", sub {
$machine->fail('test -e ${getParamPath 1 "bar"}');
};
${switchToGeneration 3}
subtest "ensure that 'security.dhparams.path' has been deleted", sub {
$machine->fail(
'test -e ${nodes.generation3.config.security.dhparams.path}'
);
};
${switchToGeneration 4}
subtest "check bit sizes dhparam files", sub {
${assertParamBits 4 "foo2" 18}
${assertParamBits 4 "bar2" 19}
};
subtest "check whether dhparam files are in the Nix store", sub {
$machine->succeed(
'expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}',
'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}',
);
};
${switchToGeneration 5}
subtest "check whether defaultBitSize works as intended", sub {
${assertParamBits 5 "foo3" 30}
${assertParamBits 5 "bar3" 30}
};
'';
}

23
nixos/tests/flatpak.nix Normal file
View File

@ -0,0 +1,23 @@
# run installed tests
import ./make-test.nix ({ pkgs, ... }:
{
name = "flatpak";
meta = {
maintainers = pkgs.flatpak.meta.maintainers;
};
machine = { config, pkgs, ... }: {
imports = [ ./common/x11.nix ];
services.xserver.desktopManager.gnome3.enable = true; # TODO: figure out minimal environment where the tests work
services.flatpak.enable = true;
environment.systemPackages = with pkgs; [ gnupg gnome-desktop-testing ostree python2 ];
virtualisation.memorySize = 2047;
virtualisation.diskSize = 1024;
};
testScript = ''
$machine->waitForX();
$machine->succeed("gnome-desktop-testing-runner -d '${pkgs.flatpak.installedTests}/share' --timeout 3600");
'';
})

76
nixos/tests/fleet.nix
View File

@ -1,76 +0,0 @@
import ./make-test.nix ({ pkgs, ...} : rec {
name = "simple";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ offline ];
};
nodes = {
node1 =
{ config, pkgs, ... }:
{
services = {
etcd = {
enable = true;
listenPeerUrls = ["http://0.0.0.0:7001"];
initialAdvertisePeerUrls = ["http://node1:7001"];
initialCluster = ["node1=http://node1:7001" "node2=http://node2:7001"];
};
};
services.fleet = {
enable = true;
metadata.name = "node1";
};
networking.firewall.allowedTCPPorts = [ 7001 ];
};
node2 =
{ config, pkgs, ... }:
{
services = {
etcd = {
enable = true;
listenPeerUrls = ["http://0.0.0.0:7001"];
initialAdvertisePeerUrls = ["http://node2:7001"];
initialCluster = ["node1=http://node1:7001" "node2=http://node2:7001"];
};
};
services.fleet = {
enable = true;
metadata.name = "node2";
};
networking.firewall.allowedTCPPorts = [ 7001 ];
};
};
service = builtins.toFile "hello.service" ''
[Unit]
Description=Hello World
[Service]
ExecStart=/bin/sh -c "while true; do echo \"Hello, world\"; /var/run/current-system/sw/bin/sleep 1; done"
[X-Fleet]
MachineMetadata=name=node2
'';
testScript =
''
startAll;
$node1->waitForUnit("fleet.service");
$node2->waitForUnit("fleet.service");
$node2->waitUntilSucceeds("fleetctl list-machines | grep node1");
$node1->waitUntilSucceeds("fleetctl list-machines | grep node2");
$node1->succeed("cp ${service} hello.service && fleetctl submit hello.service");
$node1->succeed("fleetctl list-unit-files | grep hello");
$node1->succeed("fleetctl start hello.service");
$node1->waitUntilSucceeds("fleetctl list-units | grep running");
$node1->succeed("fleetctl stop hello.service");
$node1->succeed("fleetctl destroy hello.service");
'';
})

20
nixos/tests/graphite.nix
View File

@ -4,6 +4,7 @@ import ./make-test.nix ({ pkgs, ...} :
nodes = {
one =
{ config, pkgs, ... }: {
virtualisation.memorySize = 1024;
time.timeZone = "UTC";
services.graphite = {
web.enable = true;
@ -21,12 +22,17 @@ import ./make-test.nix ({ pkgs, ...} :
testScript = ''
startAll;
$one->waitForUnit("default.target");
$one->requireActiveUnit("graphiteWeb.service");
$one->requireActiveUnit("graphiteApi.service");
$one->requireActiveUnit("graphitePager.service");
$one->requireActiveUnit("carbonCache.service");
$one->requireActiveUnit("seyren.service");
$one->succeed("echo \"foo 1 `date +%s`\" | nc -q0 localhost 2003");
$one->waitUntilSucceeds("curl 'http://localhost:8080/metrics/find/?query=foo&format=treejson' --silent | grep foo")
$one->waitForUnit("graphiteWeb.service");
$one->waitForUnit("graphiteApi.service");
$one->waitForUnit("graphitePager.service");
$one->waitForUnit("carbonCache.service");
$one->waitForUnit("seyren.service");
# The services above are of type "simple". systemd considers them active immediately
# even if they're still in preStart (which takes quite long for graphiteWeb).
# Wait for ports to open so we're sure the services are up and listening.
$one->waitForOpenPort(8080);
$one->waitForOpenPort(2003);
$one->succeed("echo \"foo 1 `date +%s`\" | nc -N localhost 2003");
$one->waitUntilSucceeds("curl 'http://localhost:8080/metrics/find/?query=foo&format=treejson' --silent | grep foo >&2");
'';
})

6
nixos/tests/home-assistant.nix
View File

@ -65,12 +65,12 @@ in {
$hass->waitUntilSucceeds("mosquitto_pub -V mqttv311 -t home-assistant/test -u homeassistant -P '${apiPassword}' -m let_there_be_light");
$hass->succeed("curl http://localhost:8123/api/states/binary_sensor.mqtt_binary_sensor -H 'x-ha-access: ${apiPassword}' | grep -qF '\"state\": \"on\"'");
# Check that no errors were logged
$hass->fail("cat ${configDir}/home-assistant.log | grep -qF ERROR");
# Print log to ease debugging
my $log = $hass->succeed("cat ${configDir}/home-assistant.log");
print "\n### home-assistant.log ###\n";
print "$log\n";
# Check that no errors were logged
$hass->fail("cat ${configDir}/home-assistant.log | grep -qF ERROR");
'';
})

1
nixos/tests/installer.nix
View File

@ -241,6 +241,7 @@ let
nixos-artwork.wallpapers.gnome-dark
perlPackages.XMLLibXML
perlPackages.ListCompare
xorg.lndir
# add curl so that rather than seeing the test attempt to download
# curl's tarball, we see what it's trying to download

68
nixos/tests/kafka.nix Normal file
View File

@ -0,0 +1,68 @@
{ system ? builtins.currentSystem }:
with import ../lib/testing.nix { inherit system; };
with pkgs.lib;
let
makeKafkaTest = name: kafkaPackage: (makeTest {
inherit name;
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus ];
};
nodes = {
zookeeper1 = { config, ... }: {
services.zookeeper = {
enable = true;
};
networking.firewall.allowedTCPPorts = [ 2181 ];
virtualisation.memorySize = 1024;
};
kafka = { config, ... }: {
services.apache-kafka = {
enable = true;
extraProperties = ''
offsets.topic.replication.factor = 1
zookeeper.session.timeout.ms = 600000
'';
package = kafkaPackage;
zookeeper = "zookeeper1:2181";
# These are the default options, but UseCompressedOops doesn't work with 32bit JVM
jvmOptions = [
"-server" "-Xmx1G" "-Xms1G" "-XX:+UseParNewGC" "-XX:+UseConcMarkSweepGC" "-XX:+CMSClassUnloadingEnabled"
"-XX:+CMSScavengeBeforeRemark" "-XX:+DisableExplicitGC" "-Djava.awt.headless=true" "-Djava.net.preferIPv4Stack=true"
] ++ optionals (! pkgs.stdenv.isi686 ) [ "-XX:+UseCompressedOops" ];
};
networking.firewall.allowedTCPPorts = [ 9092 ];
# i686 tests: qemu-system-i386 can simulate max 2047MB RAM (not 2048)
virtualisation.memorySize = 2047;
};
};
testScript = ''
startAll;
$zookeeper1->waitForUnit("default.target");
$zookeeper1->waitForUnit("zookeeper.service");
$zookeeper1->waitForOpenPort(2181);
$kafka->waitForUnit("default.target");
$kafka->waitForUnit("apache-kafka.service");
$kafka->waitForOpenPort(9092);
$kafka->waitUntilSucceeds("${kafkaPackage}/bin/kafka-topics.sh --create --zookeeper zookeeper1:2181 --partitions 1 --replication-factor 1 --topic testtopic");
$kafka->mustSucceed("echo 'test 1' | ${kafkaPackage}/bin/kafka-console-producer.sh --broker-list localhost:9092 --topic testtopic");
'' + (if name == "kafka_0_9" then ''
$kafka->mustSucceed("${kafkaPackage}/bin/kafka-console-consumer.sh --zookeeper zookeeper1:2181 --topic testtopic --from-beginning --max-messages 1 | grep 'test 1'");
'' else ''
$kafka->mustSucceed("${kafkaPackage}/bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic testtopic --from-beginning --max-messages 1 | grep 'test 1'");
'');
});
in with pkgs; {
kafka_0_9 = makeKafkaTest "kafka_0_9" apacheKafka_0_9;
kafka_0_10 = makeKafkaTest "kafka_0_10" apacheKafka_0_10;
kafka_0_11 = makeKafkaTest "kafka_0_11" apacheKafka_0_11;
kafka_1_0 = makeKafkaTest "kafka_1_0" apacheKafka_1_0;
}

48
nixos/tests/kafka_0_10.nix
View File

@ -1,48 +0,0 @@
import ./make-test.nix ({ pkgs, lib, ... } :
let
kafkaPackage = pkgs.apacheKafka_0_10;
in {
name = "kafka_0_10";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus ];
};
nodes = {
zookeeper1 = { config, ... }: {
services.zookeeper = {
enable = true;
};
networking.firewall.allowedTCPPorts = [ 2181 ];
};
kafka = { config, ... }: {
services.apache-kafka = {
enable = true;
extraProperties = ''
offsets.topic.replication.factor = 1
'';
package = kafkaPackage;
zookeeper = "zookeeper1:2181";
};
networking.firewall.allowedTCPPorts = [ 9092 ];
virtualisation.memorySize = 2048;
};
};
testScript = ''
startAll;
$zookeeper1->waitForUnit("zookeeper");
$zookeeper1->waitForUnit("network.target");
$zookeeper1->waitForOpenPort(2181);
$kafka->waitForUnit("apache-kafka");
$kafka->waitForUnit("network.target");
$kafka->waitForOpenPort(9092);
$kafka->waitUntilSucceeds("${kafkaPackage}/bin/kafka-topics.sh --create --zookeeper zookeeper1:2181 --partitions 1 --replication-factor 1 --topic testtopic");
$kafka->mustSucceed("echo 'test 1' | ${kafkaPackage}/bin/kafka-console-producer.sh --broker-list localhost:9092 --topic testtopic");
$kafka->mustSucceed("${kafkaPackage}/bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic testtopic --from-beginning --max-messages 1 | grep 'test 1'");
'';
})

48
nixos/tests/kafka_0_11.nix
View File

@ -1,48 +0,0 @@
import ./make-test.nix ({ pkgs, lib, ... } :
let
kafkaPackage = pkgs.apacheKafka_0_11;
in {
name = "kafka_0_11";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus ];
};
nodes = {
zookeeper1 = { config, ... }: {
services.zookeeper = {
enable = true;
};
networking.firewall.allowedTCPPorts = [ 2181 ];
};
kafka = { config, ... }: {
services.apache-kafka = {
enable = true;
extraProperties = ''
offsets.topic.replication.factor = 1
'';
package = kafkaPackage;
zookeeper = "zookeeper1:2181";
};
networking.firewall.allowedTCPPorts = [ 9092 ];
virtualisation.memorySize = 2048;
};
};
testScript = ''
startAll;
$zookeeper1->waitForUnit("zookeeper");
$zookeeper1->waitForUnit("network.target");
$zookeeper1->waitForOpenPort(2181);
$kafka->waitForUnit("apache-kafka");
$kafka->waitForUnit("network.target");
$kafka->waitForOpenPort(9092);
$kafka->waitUntilSucceeds("${kafkaPackage}/bin/kafka-topics.sh --create --zookeeper zookeeper1:2181 --partitions 1 --replication-factor 1 --topic testtopic");
$kafka->mustSucceed("echo 'test 1' | ${kafkaPackage}/bin/kafka-console-producer.sh --broker-list localhost:9092 --topic testtopic");
$kafka->mustSucceed("${kafkaPackage}/bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic testtopic --from-beginning --max-messages 1 | grep 'test 1'");
'';
})

48
nixos/tests/kafka_0_9.nix
View File

@ -1,48 +0,0 @@
import ./make-test.nix ({ pkgs, lib, ... } :
let
kafkaPackage = pkgs.apacheKafka_0_9;
in {
name = "kafka_0_9";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ nequissimus ];
};
nodes = {
zookeeper1 = { config, ... }: {
services.zookeeper = {
enable = true;
};
networking.firewall.allowedTCPPorts = [ 2181 ];
};
kafka = { config, ... }: {
services.apache-kafka = {
enable = true;
extraProperties = ''
offsets.topic.replication.factor = 1
'';
package = kafkaPackage;
zookeeper = "zookeeper1:2181";
};
networking.firewall.allowedTCPPorts = [ 9092 ];
virtualisation.memorySize = 2048;
};
};
testScript = ''
startAll;
$zookeeper1->waitForUnit("zookeeper");
$zookeeper1->waitForUnit("network.target");
$zookeeper1->waitForOpenPort(2181);
$kafka->waitForUnit("apache-kafka");
$kafka->waitForUnit("network.target");
$kafka->waitForOpenPort(9092);
$kafka->waitUntilSucceeds("${kafkaPackage}/bin/kafka-topics.sh --create --zookeeper zookeeper1:2181 --partitions 1 --replication-factor 1 --topic testtopic");
$kafka->mustSucceed("echo 'test 1' | ${kafkaPackage}/bin/kafka-console-producer.sh --broker-list localhost:9092 --topic testtopic");
$kafka->mustSucceed("${kafkaPackage}/bin/kafka-console-consumer.sh --zookeeper zookeeper1:2181 --topic testtopic --from-beginning --max-messages 1 | grep 'test 1'");
'';
})

Some files were not shown because too many files have changed in this diff Show More