Merge staging-next into staging
ad1d58c622
|
@ -139,3 +139,14 @@
|
|||
|
||||
# Bazel
|
||||
/pkgs/development/tools/build-managers/bazel @mboes @Profpatsch
|
||||
|
||||
# NixOS modules for e-mail and dns services
|
||||
/nixos/modules/services/mail/mailman.nix @peti
|
||||
/nixos/modules/services/mail/postfix.nix @peti
|
||||
/nixos/modules/services/networking/bind.nix @peti
|
||||
/nixos/modules/services/mail/rspamd.nix @peti
|
||||
|
||||
# Emacs
|
||||
/pkgs/applications/editors/emacs-modes @adisbladis
|
||||
/pkgs/applications/editors/emacs @adisbladis
|
||||
/pkgs/top-level/emacs-packages.nix @adisbladis
|
||||
|
|
|
@ -0,0 +1,71 @@
|
|||
# Crystal
|
||||
|
||||
## Building a Crystal package
|
||||
|
||||
This section uses [Mint](https://github.com/mint-lang/mint) as an example for how to build a Crystal package.
|
||||
|
||||
If the Crystal project has any dependencies, the first step is to get a `shards.nix` file encoding those. Get a copy of the project and go to its root directory such that its `shard.lock` file is in the current directory, then run `crystal2nix` in it
|
||||
```bash
|
||||
$ git clone https://github.com/mint-lang/mint
|
||||
$ cd mint
|
||||
$ git checkout 0.5.0
|
||||
$ nix-shell -p crystal2nix --run crystal2nix
|
||||
```
|
||||
|
||||
This should have generated a `shards.nix` file.
|
||||
|
||||
Next create a Nix file for your derivation and use `pkgs.crystal.buildCrystalPackage` as follows:
|
||||
```nix
|
||||
with import <nixpkgs> {};
|
||||
crystal.buildCrystalPackage rec {
|
||||
pname = "mint";
|
||||
version = "0.5.0";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "mint-lang";
|
||||
repo = "mint";
|
||||
rev = version;
|
||||
sha256 = "0vxbx38c390rd2ysvbwgh89v2232sh5rbsp3nk9wzb70jybpslvl";
|
||||
};
|
||||
|
||||
# Insert the path to your shards.nix file here
|
||||
shardsFile = ./shards.nix;
|
||||
|
||||
...
|
||||
}
|
||||
```
|
||||
|
||||
This won't build anything yet, because we haven't told it what files build. We can specify a mapping from binary names to source files with the `crystalBinaries` attribute. The project's compilation instructions should show this. For Mint, the binary is called "mint", which is compiled from the source file `src/mint.cr`, so we'll specify this as follows:
|
||||
|
||||
```nix
|
||||
crystalBinaries.mint.src = "src/mint.cr";
|
||||
|
||||
# ...
|
||||
```
|
||||
|
||||
Additionally you can override the default `crystal build` options (which are currently `--release --progress --no-debug --verbose`) with
|
||||
|
||||
```nix
|
||||
crystalBinaries.mint.options = [ "--release" "--verbose" ];
|
||||
```
|
||||
|
||||
Depending on the project, you might need additional steps to get it to compile successfully. In Mint's case, we need to link against openssl, so in the end the Nix file looks as follows:
|
||||
|
||||
```nix
|
||||
with import <nixpkgs> {};
|
||||
crystal.buildCrystalPackage rec {
|
||||
version = "0.5.0";
|
||||
pname = "mint";
|
||||
src = fetchFromGitHub {
|
||||
owner = "mint-lang";
|
||||
repo = "mint";
|
||||
rev = version;
|
||||
sha256 = "0vxbx38c390rd2ysvbwgh89v2232sh5rbsp3nk9wzb70jybpslvl";
|
||||
};
|
||||
|
||||
shardsFile = ./shards.nix;
|
||||
crystalBinaries.mint.src = "src/mint.cr";
|
||||
|
||||
buildInputs = [ openssl_1_0_2 ];
|
||||
}
|
||||
```
|
|
@ -32,4 +32,5 @@
|
|||
<xi:include href="titanium.section.xml" />
|
||||
<xi:include href="vim.section.xml" />
|
||||
<xi:include href="emscripten.section.xml" />
|
||||
<xi:include href="crystal.section.xml" />
|
||||
</chapter>
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
answer some of the frequently asked questions
|
||||
related to Nixpkgs use.
|
||||
|
||||
Some useful information related to package use
|
||||
Some useful information related to package use
|
||||
can be found in <link linkend="chap-package-notes">package-specific development notes</link>.
|
||||
|
||||
</para>
|
||||
|
@ -196,7 +196,7 @@ overrides = self: super: rec {
|
|||
haskell-mode = self.melpaPackages.haskell-mode;
|
||||
...
|
||||
};
|
||||
((emacsPackagesNgGen emacs).overrideScope' overrides).emacsWithPackages (p: with p; [
|
||||
((emacsPackagesGen emacs).overrideScope' overrides).emacsWithPackages (p: with p; [
|
||||
# here both these package will use haskell-mode of our own choice
|
||||
ghc-mod
|
||||
dante
|
||||
|
|
|
@ -323,16 +323,14 @@ rec {
|
|||
else
|
||||
mergeDefinitions loc opt.type defs';
|
||||
|
||||
# Check whether the option is defined, and apply the ‘apply’
|
||||
# function to the merged value. This allows options to yield a
|
||||
# value computed from the definitions.
|
||||
value =
|
||||
if !res.isDefined then
|
||||
throw "The option `${showOption loc}' is used but not defined."
|
||||
else if opt ? apply then
|
||||
opt.apply res.mergedValue
|
||||
else
|
||||
res.mergedValue;
|
||||
|
||||
# The value with a check that it is defined
|
||||
valueDefined = if res.isDefined then res.mergedValue else
|
||||
throw "The option `${showOption loc}' is used but not defined.";
|
||||
|
||||
# Apply the 'apply' function to the merged value. This allows options to
|
||||
# yield a value computed from the definitions
|
||||
value = if opt ? apply then opt.apply valueDefined else valueDefined;
|
||||
|
||||
in opt //
|
||||
{ value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
|
||||
|
|
|
@ -478,7 +478,7 @@
|
|||
name = "Stanislas Lange";
|
||||
};
|
||||
ankhers = {
|
||||
email = "justin.k.wood@gmail.com";
|
||||
email = "me@ankhers.dev";
|
||||
github = "ankhers";
|
||||
githubId = 750786;
|
||||
name = "Justin Wood";
|
||||
|
@ -5340,10 +5340,16 @@
|
|||
name = "Richard Lupton";
|
||||
};
|
||||
rnhmjoj = {
|
||||
email = "micheleguerinirocco@me.com";
|
||||
email = "rnhmjoj@inventati.org";
|
||||
github = "rnhmjoj";
|
||||
githubId = 2817565;
|
||||
name = "Michele Guerini Rocco";
|
||||
keys =
|
||||
[
|
||||
{ longkeyid = "ed25519/0xBFBAF4C975F76450";
|
||||
fingerprint = "92B2 904F D293 C94D C4C9 3E6B BFBA F4C9 75F7 6450";
|
||||
}
|
||||
];
|
||||
};
|
||||
rob = {
|
||||
email = "rob.vermaas@gmail.com";
|
||||
|
@ -5686,6 +5692,12 @@
|
|||
githubId = 918365;
|
||||
name = "Stefan Frijters";
|
||||
};
|
||||
sgo = {
|
||||
email = "stig@stig.io";
|
||||
github = "stigtsp";
|
||||
githubId = 75371;
|
||||
name = "Stig Palmquist";
|
||||
};
|
||||
sgraf = {
|
||||
email = "sgraf1337@gmail.com";
|
||||
github = "sgraf812";
|
||||
|
@ -6655,6 +6667,16 @@
|
|||
githubId = 5837359;
|
||||
name = "Adrian Pistol";
|
||||
};
|
||||
vika_nezrimaya = {
|
||||
email = "vika@fireburn.ru";
|
||||
github = "kisik21";
|
||||
githubId = 7953163;
|
||||
name = "Vika Shleina";
|
||||
keys = [{
|
||||
longkeyid = "rsa4096/0x5402B9B5497BACDB";
|
||||
fingerprint = "A03C D09C 36CF D9F6 1ADF AF11 5402 B9B5 497B ACDB";
|
||||
}];
|
||||
};
|
||||
vinymeuh = {
|
||||
email = "vinymeuh@gmail.com";
|
||||
github = "vinymeuh";
|
||||
|
|
|
@ -18,6 +18,7 @@ http,,,,,vcunat
|
|||
inspect,,,,,
|
||||
ldoc,,,,,
|
||||
lgi,,,,,
|
||||
ljsyscall,,,,lua5_1,lblasc
|
||||
lpeg,,,,,vyp
|
||||
lpeg_patterns,,,,,
|
||||
lpeglabel,,,,,
|
||||
|
|
|
|
@ -11,4 +11,11 @@
|
|||
creating the image in the first place. As a result it allows users to edit
|
||||
and rebuild the live-system.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
On images where the installation media also becomes an installation target,
|
||||
copying over <literal>configuration.nix</literal> should be disabled by
|
||||
setting <literal>installer.cloneConfig</literal> to <literal>false</literal>.
|
||||
This is already done in <literal>sd-image.nix</literal>.
|
||||
</para>
|
||||
</section>
|
||||
|
|
|
@ -6,33 +6,31 @@
|
|||
<title>Installation Device</title>
|
||||
|
||||
<para>
|
||||
Provides a basic configuration for installation devices like CDs. This means
|
||||
enabling hardware scans, using the <link linkend="sec-profile-clone-config">
|
||||
Clone Config profile</link> to guarantee
|
||||
<filename>/etc/nixos/configuration.nix</filename> exists (for
|
||||
<command>nixos-rebuild</command> to work), a copy of the Nixpkgs channel
|
||||
snapshot used to create the install media.
|
||||
Provides a basic configuration for installation devices like CDs.
|
||||
This enables redistributable firmware, includes the
|
||||
<link linkend="sec-profile-clone-config">Clone Config profile</link>
|
||||
and a copy of the Nixpkgs channel, so <command>nixos-install</command>
|
||||
works out of the box.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Additionally, documentation for <link linkend="opt-documentation.enable">
|
||||
Nixpkgs</link> and <link linkend="opt-documentation.nixos.enable">NixOS
|
||||
</link> are forcefully enabled (to override the
|
||||
Documentation for <link linkend="opt-documentation.enable">Nixpkgs</link>
|
||||
and <link linkend="opt-documentation.nixos.enable">NixOS</link> are
|
||||
forcefully enabled (to override the
|
||||
<link linkend="sec-profile-minimal">Minimal profile</link> preference); the
|
||||
NixOS manual is shown automatically on TTY 8, sudo and udisks are disabled.
|
||||
Autologin is enabled as root.
|
||||
NixOS manual is shown automatically on TTY 8, udisks is disabled.
|
||||
Autologin is enabled as <literal>nixos</literal> user, while passwordless
|
||||
login as both <literal>root</literal> and <literal>nixos</literal> is possible.
|
||||
Passwordless <command>sudo</command> is enabled too.
|
||||
<link linkend="opt-networking.wireless.enable">wpa_supplicant</link> is
|
||||
enabled, but configured to not autostart.
|
||||
</para>
|
||||
<para>
|
||||
It is explained how to login, start the ssh server, and if available,
|
||||
how to start the display manager.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
A message is shown to the user to start a display manager if needed, ssh with
|
||||
<xref linkend="opt-services.openssh.permitRootLogin"/> are enabled (but
|
||||
doesn't autostart). WPA Supplicant is also enabled without autostart.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Finally, vim is installed, root is set to not have a password, the kernel is
|
||||
made more silent for remote public IP installs, and several settings are
|
||||
tweaked so that the installer has a better chance of succeeding under
|
||||
low-memory environments.
|
||||
Several settings are tweaked so that the installer has a better chance of
|
||||
succeeding under low-memory environments.
|
||||
</para>
|
||||
</section>
|
||||
|
|
|
@ -48,6 +48,15 @@
|
|||
To gain root privileges use <literal>sudo -i</literal> without a password.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
We've updated to Xfce 4.14, which brings a new module <option>services.xserver.desktopManager.xfce4-14</option>.
|
||||
If you'd like to upgrade, please switch from the <option>services.xserver.desktopManager.xfce</option> module as it
|
||||
will be deprecated in a future release. They're incompatibilities with the current Xfce module; it doesn't support
|
||||
<option>thunarPlugins</option> and it isn't recommended to use <option>services.xserver.desktopManager.xfce</option>
|
||||
and <option>services.xserver.desktopManager.xfce4-14</option> simultaneously or to downgrade from Xfce 4.14 after upgrading.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
@ -291,6 +300,55 @@
|
|||
configuration while being better type-checked and mergeable.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
No service depends on <literal>keys.target</literal> anymore which is a systemd
|
||||
target that indicates if all <link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps keys</link> were successfully uploaded.
|
||||
Instead, <literal><key-name>-key.service</literal> should be used to define
|
||||
a dependency of a key in a service. The full issue behind the <literal>keys.target</literal>
|
||||
dependency is described at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
|
||||
</para>
|
||||
<para>
|
||||
The following services are affected by this:
|
||||
<itemizedlist>
|
||||
<listitem><para><link linkend="opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link></para></listitem>
|
||||
<listitem><para><link linkend="opt-services.nsd.enable"><literal>services.nsd</literal></link></para></listitem>
|
||||
<listitem><para><link linkend="opt-services.softether.enable"><literal>services.softether</literal></link></para></listitem>
|
||||
<listitem><para><link linkend="opt-services.strongswan.enable"><literal>services.strongswan</literal></link></para></listitem>
|
||||
<listitem><para><link linkend="opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link></para></listitem>
|
||||
<listitem><para><link linkend="opt-services.httpd.enable"><literal>services.httpd</literal></link></para></listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <option>security.acme.directory</option> option has been replaced by a read-only <option>security.acme.certs.<cert>.directory</option> option for each certificate you define. This will be
|
||||
a subdirectory of <literal>/var/lib/acme</literal>. You can use this read-only option to figure out where the certificates are stored for a specific certificate. For example,
|
||||
the <option>services.nginx.virtualhosts.<name>.enableACME</option> option will use this directory option to find the certs for the virtual host.
|
||||
</para>
|
||||
<para>
|
||||
<option>security.acme.preDelay</option> and <option>security.acme.activationDelay</option> options have been removed. To execute a service before certificates
|
||||
are provisioned or renewed add a <literal>RequiredBy=acme-${cert}.service</literal> to any service.
|
||||
</para>
|
||||
<para>
|
||||
Furthermore, the acme module will not automatically add a dependency on <literal>lighttpd.service</literal> anymore. If you are using certficates provided by letsencrypt
|
||||
for lighttpd, then you should depend on the certificate service <literal>acme-${cert}.service></literal> manually.
|
||||
</para>
|
||||
<para>
|
||||
For nginx, the dependencies are still automatically managed when <option>services.nginx.virtualhosts.<name>.enableACME</option> is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs,
|
||||
instead of depending on the catch-all <literal>acme-certificates.target</literal>. This target unit was also removed from the codebase.
|
||||
This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal
|
||||
ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at
|
||||
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/60180">NixOS/nixpkgs#60180</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The old deprecated <literal>emacs</literal> package sets have been dropped.
|
||||
What used to be called <literal>emacsPackagesNg</literal> is now simply called <literal>emacsPackages</literal>.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
@ -527,6 +585,12 @@
|
|||
features.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
We no longer enable custom font rendering settings with <option>fonts.fontconfig.penultimate.enable</option> by default.
|
||||
The defaults from fontconfig are sufficient.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
</section>
|
||||
|
|
|
@ -269,7 +269,7 @@ in
|
|||
penultimate = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
default = false;
|
||||
description = ''
|
||||
Enable fontconfig-penultimate settings to supplement the
|
||||
NixOS defaults by providing per-font rendering defaults and
|
||||
|
|
|
@ -194,5 +194,9 @@ in
|
|||
rm -f /nix-path-registration
|
||||
fi
|
||||
'';
|
||||
|
||||
# the installation media is also the installation target,
|
||||
# so we don't want to provide the installation configuration.nix.
|
||||
installer.cloneConfig = false;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -340,7 +340,7 @@
|
|||
cockroachdb = 313;
|
||||
zoneminder = 314;
|
||||
paperless = 315;
|
||||
mailman = 316;
|
||||
#mailman = 316; # removed 2019-08-30
|
||||
|
||||
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
|
||||
|
||||
|
@ -641,7 +641,7 @@
|
|||
cockroachdb = 313;
|
||||
zoneminder = 314;
|
||||
paperless = 315;
|
||||
mailman = 316;
|
||||
#mailman = 316; # removed 2019-08-30
|
||||
|
||||
# When adding a gid, make sure it doesn't match an existing
|
||||
# uid. Users and groups with the same name should have equal
|
||||
|
|
|
@ -376,6 +376,7 @@
|
|||
./services/mail/mail.nix
|
||||
./services/mail/mailcatcher.nix
|
||||
./services/mail/mailhog.nix
|
||||
./services/mail/mailman.nix
|
||||
./services/mail/mlmmj.nix
|
||||
./services/mail/offlineimap.nix
|
||||
./services/mail/opendkim.nix
|
||||
|
@ -770,6 +771,7 @@
|
|||
./services/system/uptimed.nix
|
||||
./services/torrent/deluge.nix
|
||||
./services/torrent/flexget.nix
|
||||
./services/torrent/magnetico.nix
|
||||
./services/torrent/opentracker.nix
|
||||
./services/torrent/peerflix.nix
|
||||
./services/torrent/transmission.nix
|
||||
|
|
|
@ -55,13 +55,16 @@ with lib;
|
|||
services.mingetty.autologinUser = "nixos";
|
||||
|
||||
# Some more help text.
|
||||
services.mingetty.helpLine =
|
||||
''
|
||||
services.mingetty.helpLine = ''
|
||||
The "nixos" and "root" accounts have empty passwords.
|
||||
|
||||
The "nixos" and "root" account have empty passwords. ${
|
||||
optionalString config.services.xserver.enable
|
||||
"Type `sudo systemctl start display-manager' to\nstart the graphical user interface."}
|
||||
'';
|
||||
Type `sudo systemctl start sshd` to start the SSH daemon.
|
||||
You then must set a password for either "root" or "nixos"
|
||||
with `passwd` to be able to login.
|
||||
'' + optionalString config.services.xserver.enable ''
|
||||
Type `sudo systemctl start display-manager' to
|
||||
start the graphical user interface.
|
||||
'';
|
||||
|
||||
# Allow sshd to be started manually through "systemctl start sshd".
|
||||
services.openssh = {
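Review bot: The two command hints in the new helpLine quote differently: the sshd line uses paired backticks (`` Type `sudo systemctl start sshd` ``) while the display-manager line carried over from the old text uses backtick/apostrophe (`` Type `sudo systemctl start display-manager' ``); make the second one `` Type `sudo systemctl start display-manager` to `` so the text reads consistently. The statement that a password must be set before logging in over SSH holds only because sshd rejects empty-password accounts by default (PermitEmptyPasswords=no); the `services.openssh` block that would confirm nothing overrides that begins on the hunk's last line and continues outside it. A one-line comment above helpLine, `# sshd refuses empty passwords, hence the passwd hint below`, would record that dependency for the next editor.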
|
||||
|
|
|
@ -98,7 +98,7 @@ in
|
|||
if [ "$TERM" != "dumb" -o -n "$INSIDE_EMACS" ]; then
|
||||
PROMPT_COLOR="1;31m"
|
||||
let $UID && PROMPT_COLOR="1;32m"
|
||||
if [ -n "$INSIDE_EMACS" ]; then
|
||||
if [ -n "$INSIDE_EMACS" -o "$TERM" == "eterm" -o "$TERM" == "eterm-color" ]; then
|
||||
# Emacs term mode doesn't support xterm title escape sequence (\e]0;)
|
||||
PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
|
||||
else
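Review bot: The extended condition chains `-o` inside single-bracket `[ ]` and compares with `==`, which POSIX `test` does not define and which only works because bash's builtin accepts it; since this is bash's own promptInit, the double-bracket form `if [[ -n "$INSIDE_EMACS" || "$TERM" == eterm || "$TERM" == eterm-color ]]; then` says the same thing without relying on obsolescent `-o` and reads more clearly next to the `[[`-free line above it. The enclosing `if [ "$TERM" != "dumb" ... ]` block starts before the hunk, so keep whatever style that outer test uses if it is changed at the same time.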
|
||||
|
|
|
@ -214,7 +214,6 @@ in
|
|||
# Need to disable features to support TRAMP
|
||||
if [ "$TERM" = dumb ]; then
|
||||
unsetopt zle prompt_cr prompt_subst
|
||||
unfunction precmd preexec
|
||||
unset RPS1 RPROMPT
|
||||
PS1='$ '
|
||||
PROMPT='$ '
|
||||
|
|
|
@ -256,6 +256,11 @@ with lib;
|
|||
|
||||
# binfmt
|
||||
(mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ])
|
||||
|
||||
# ACME
|
||||
(mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
|
||||
(mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
|
||||
(mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
|
||||
|
||||
# KSM
|
||||
(mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ])
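Review bot: The removal message for `security.acme.directory` misspells "permissions" as `permisisons`; since this string is shown verbatim to every user whose config still sets the option, it should read `"ACME Directory is now hardcoded to /var/lib/acme and its permissions are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info."`. The `preDelay` and `activationDelay` messages are byte-identical; binding the text once (e.g. a `let acmeDelayRemoved = "..."; in` around the two entries) would keep them from drifting apart, though that is optional. The `\${cert}` escape in those messages is correct for a Nix string and shows up to the user as the literal `${cert}`, which is what the release notes quote.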
|
||||
|
|
|
@ -80,25 +80,11 @@ let
|
|||
'';
|
||||
};
|
||||
|
||||
activationDelay = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Systemd time span expression to delay copying new certificates to main
|
||||
state directory. See <citerefentry><refentrytitle>systemd.time</refentrytitle>
|
||||
<manvolnum>7</manvolnum></citerefentry>.
|
||||
'';
|
||||
};
|
||||
|
||||
preDelay = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
description = ''
|
||||
Commands to run after certificates are re-issued but before they are
|
||||
activated. Typically the new certificate is published to DNS.
|
||||
|
||||
Executed in the same directory with the new certificate.
|
||||
'';
|
||||
directory = mkOption {
|
||||
type = types.str;
|
||||
readOnly = true;
|
||||
default = "/var/lib/acme/${name}";
|
||||
description = "Directory where certificate and other state is stored.";
|
||||
};
|
||||
|
||||
extraDomains = mkOption {
|
||||
|
@ -126,13 +112,6 @@ in
|
|||
|
||||
options = {
|
||||
security.acme = {
|
||||
directory = mkOption {
|
||||
default = "/var/lib/acme";
|
||||
type = types.str;
|
||||
description = ''
|
||||
Directory where certs and other state will be stored by default.
|
||||
'';
|
||||
};
|
||||
|
||||
validMin = mkOption {
|
||||
type = types.int;
|
||||
|
@ -181,7 +160,11 @@ in
|
|||
default = { };
|
||||
type = with types; attrsOf (submodule certOpts);
|
||||
description = ''
|
||||
Attribute set of certificates to get signed and renewed.
|
||||
Attribute set of certificates to get signed and renewed. Creates
|
||||
<literal>acme-''${cert}.{service,timer}</literal> systemd units for
|
||||
each certificate defined here. Other services can add dependencies
|
||||
to those units if they rely on the certificates being present,
|
||||
or trigger restarts of the service if certificates get renewed.
|
||||
'';
|
||||
example = literalExample ''
|
||||
{
|
||||
|
@ -209,8 +192,7 @@ in
|
|||
servicesLists = mapAttrsToList certToServices cfg.certs;
|
||||
certToServices = cert: data:
|
||||
let
|
||||
cpath = lpath + optionalString (data.activationDelay != null) ".staging";
|
||||
lpath = "${cfg.directory}/${cert}";
|
||||
lpath = "acme/${cert}";
|
||||
rights = if data.allowKeysForGroup then "750" else "700";
|
||||
cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ]
|
||||
++ optionals (data.email != null) [ "--email" data.email ]
|
||||
|
@ -224,79 +206,27 @@ in
|
|||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
SuccessExitStatus = [ "0" "1" ];
|
||||
PermissionsStartOnly = true;
|
||||
User = data.user;
|
||||
Group = data.group;
|
||||
PrivateTmp = true;
|
||||
StateDirectory = lpath;
|
||||
StateDirectoryMode = rights;
|
||||
WorkingDirectory = "/var/lib/${lpath}";
|
||||
ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}";
|
||||
ExecStopPost =
|
||||
let
|
||||
script = pkgs.writeScript "acme-post-stop" ''
|
||||
#!${pkgs.runtimeShell} -e
|
||||
${data.postRun}
|
||||
'';
|
||||
in
|
||||
"+${script}";
|
||||
};
|
||||
path = with pkgs; [ simp_le systemd ];
|
||||
preStart = ''
|
||||
mkdir -p '${cfg.directory}'
|
||||
chown 'root:root' '${cfg.directory}'
|
||||
chmod 755 '${cfg.directory}'
|
||||
if [ ! -d '${cpath}' ]; then
|
||||
mkdir '${cpath}'
|
||||
fi
|
||||
chmod ${rights} '${cpath}'
|
||||
chown -R '${data.user}:${data.group}' '${cpath}'
|
||||
mkdir -p '${data.webroot}/.well-known/acme-challenge'
|
||||
chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
|
||||
'';
|
||||
script = ''
|
||||
cd '${cpath}'
|
||||
set +e
|
||||
simp_le ${escapeShellArgs cmdline}
|
||||
EXITCODE=$?
|
||||
set -e
|
||||
echo "$EXITCODE" > /tmp/lastExitCode
|
||||
exit "$EXITCODE"
|
||||
'';
|
||||
postStop = ''
|
||||
cd '${cpath}'
|
||||
|
||||
if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
|
||||
${if data.activationDelay != null then ''
|
||||
|
||||
${data.preDelay}
|
||||
|
||||
if [ -d '${lpath}' ]; then
|
||||
systemd-run --no-block --on-active='${data.activationDelay}' --unit acme-setlive-${cert}.service
|
||||
else
|
||||
systemctl --wait start acme-setlive-${cert}.service
|
||||
fi
|
||||
'' else data.postRun}
|
||||
|
||||
# noop ensuring that the "if" block is non-empty even if
|
||||
# activationDelay == null and postRun == ""
|
||||
true
|
||||
fi
|
||||
'';
|
||||
|
||||
before = [ "acme-certificates.target" ];
|
||||
wantedBy = [ "acme-certificates.target" ];
|
||||
};
|
||||
delayService = {
|
||||
description = "Set certificate for ${cert} live";
|
||||
path = with pkgs; [ rsync ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
};
|
||||
script = ''
|
||||
rsync -a --delete-after '${cpath}/' '${lpath}'
|
||||
'';
|
||||
postStop = data.postRun;
|
||||
};
|
||||
selfsignedService = {
|
||||
description = "Create preliminary self-signed certificate for ${cert}";
|
||||
path = [ pkgs.openssl ];
|
||||
preStart = ''
|
||||
if [ ! -d '${cpath}' ]
|
||||
then
|
||||
mkdir -p '${cpath}'
|
||||
chmod ${rights} '${cpath}'
|
||||
chown '${data.user}:${data.group}' '${cpath}'
|
||||
fi
|
||||
'';
|
||||
script =
|
||||
''
|
||||
workdir="$(mktemp -d)"
|
||||
|
@ -318,50 +248,41 @@ in
|
|||
-out $workdir/server.crt
|
||||
|
||||
# Copy key to destination
|
||||
cp $workdir/server.key ${cpath}/key.pem
|
||||
cp $workdir/server.key /var/lib/${lpath}/key.pem
|
||||
|
||||
# Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates)
|
||||
cat $workdir/{server.crt,ca.crt} > "${cpath}/fullchain.pem"
|
||||
cat $workdir/{server.crt,ca.crt} > "/var/lib/${lpath}/fullchain.pem"
|
||||
|
||||
# Create full.pem for e.g. lighttpd
|
||||
cat $workdir/{server.key,server.crt,ca.crt} > "${cpath}/full.pem"
|
||||
cat $workdir/{server.key,server.crt,ca.crt} > "/var/lib/${lpath}/full.pem"
|
||||
|
||||
# Give key acme permissions
|
||||
chown '${data.user}:${data.group}' "${cpath}/"{key,fullchain,full}.pem
|
||||
chmod ${rights} "${cpath}/"{key,fullchain,full}.pem
|
||||
chown '${data.user}:${data.group}' "/var/lib/${lpath}/"{key,fullchain,full}.pem
|
||||
chmod ${rights} "/var/lib/${lpath}/"{key,fullchain,full}.pem
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
PermissionsStartOnly = true;
|
||||
PrivateTmp = true;
|
||||
StateDirectory = lpath;
|
||||
User = data.user;
|
||||
Group = data.group;
|
||||
};
|
||||
unitConfig = {
|
||||
# Do not create self-signed key when key already exists
|
||||
ConditionPathExists = "!${cpath}/key.pem";
|
||||
ConditionPathExists = "!/var/lib/${lpath}/key.pem";
|
||||
};
|
||||
before = [
|
||||
"acme-selfsigned-certificates.target"
|
||||
];
|
||||
wantedBy = [
|
||||
"acme-selfsigned-certificates.target"
|
||||
];
|
||||
};
|
||||
in (
|
||||
[ { name = "acme-${cert}"; value = acmeService; } ]
|
||||
++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; }
|
||||
++ optional (data.activationDelay != null) { name = "acme-setlive-${cert}"; value = delayService; }
|
||||
);
|
||||
servicesAttr = listToAttrs services;
|
||||
injectServiceDep = {
|
||||
after = [ "acme-selfsigned-certificates.target" ];
|
||||
wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
|
||||
};
|
||||
in
|
||||
servicesAttr //
|
||||
(if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) //
|
||||
(if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {});
|
||||
servicesAttr;
|
||||
|
||||
systemd.tmpfiles.rules =
|
||||
flip mapAttrsToList cfg.certs
|
||||
(cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");
|
||||
|
||||
systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
|
||||
("acme-${cert}")
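Review bot: `ExecStopPost = "+${script}"` runs `data.postRun` as root every time acme-${cert}.service stops, including when simp_le fails or exits 1 (which `SuccessExitStatus = [ "0" "1" ]` treats as success and which, if I recall simp_le's exit codes correctly, means "no renewal needed"), whereas the removed postStop only ran postRun when `/tmp/lastExitCode` was 0. systemd exports `$EXIT_STATUS` to ExecStopPost processes, so the old semantics can be restored inside the generated script by adding, before `${data.postRun}`, the lines `# only run postRun after a successful renewal (simp_le exit 0)` and `[ "''${EXIT_STATUS:-}" = "0" ] || exit 0`. Separately, the self-signed script still applies `chmod ${rights}` (700/750, i.e. directory modes) to the `.pem` files, so the private key ends up executable; `600`/`640` derived from `allowKeysForGroup` would be the fitting file mode, though that behaviour predates this change. The `certToServices` definition this section edits starts before its first hunk and the `systemd.timers` expression at the end continues after the last one.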
|
||||
|
|
|
@ -59,10 +59,8 @@ http {
|
|||
<para>
|
||||
The private key <filename>key.pem</filename> and certificate
|
||||
<filename>fullchain.pem</filename> will be put into
|
||||
<filename>/var/lib/acme/foo.example.com</filename>. The target directory can
|
||||
be configured with the option <xref linkend="opt-security.acme.directory"/>.
|
||||
<filename>/var/lib/acme/foo.example.com</filename>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Refer to <xref linkend="ch-options" /> for all available configuration
|
||||
options for the <link linkend="opt-security.acme.certs">security.acme</link>
|
||||
|
|
|
@ -111,7 +111,10 @@ in
|
|||
config = mkIf cfg.enable {
|
||||
systemd.services.gitlab-runner = {
|
||||
path = cfg.packages;
|
||||
environment = config.networking.proxy.envVars;
|
||||
environment = config.networking.proxy.envVars // {
|
||||
# Gitlab runner will not start if the HOME variable is not set
|
||||
HOME = cfg.workDir;
|
||||
};
|
||||
description = "Gitlab Runner";
|
||||
after = [ "network.target" ]
|
||||
++ optional hasDocker "docker.service";
|
||||
|
|
|
@ -224,26 +224,17 @@ in
|
|||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
|
||||
systemd.services.redis_init =
|
||||
{ description = "Redis Server Initialisation";
|
||||
|
||||
wantedBy = [ "redis.service" ];
|
||||
before = [ "redis.service" ];
|
||||
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
||||
script = ''
|
||||
install -d -m0700 -o ${cfg.user} ${cfg.dbpath}
|
||||
chown -R ${cfg.user} ${cfg.dbpath}
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.redis =
|
||||
{ description = "Redis Server";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
|
||||
preStart = ''
|
||||
install -d -m0700 -o ${cfg.user} ${cfg.dbpath}
|
||||
chown -R ${cfg.user} ${cfg.dbpath}
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${cfg.package}/bin/redis-server ${redisConfig}";
|
||||
User = cfg.user;
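Review bot: Moving the directory setup from the separate `redis_init` unit into `preStart` changes who runs it: `redis_init` had no `User` and ran as root, while `preStart` is an ExecStartPre of a unit whose serviceConfig sets `User = cfg.user`, so `install -d -m0700 -o ${cfg.user} ${cfg.dbpath}` now runs unprivileged unless `PermissionsStartOnly = true` (or an equivalent) appears further down in serviceConfig, which is cut off after the `User` line. Without that, creating a fresh dbpath under root-owned /var/lib fails on first start. If it is not already there, add `PermissionsStartOnly = true;` next to `User = cfg.user;`, or replace the preStart with `StateDirectory`/`StateDirectoryMode` so systemd creates the directory with the right owner and mode.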
|
||||
|
|
|
@ -12,14 +12,7 @@ with lib;
|
|||
|
||||
services.gnome3.gnome-user-share = {
|
||||
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable GNOME User Share, a service that exports the
|
||||
contents of the Public folder in your home directory on the local network.
|
||||
'';
|
||||
};
|
||||
enable = mkEnableOption "GNOME User Share, a user-level file sharing service for GNOME";
|
||||
|
||||
};
|
||||
|
||||
|
@ -30,12 +23,13 @@ with lib;
|
|||
|
||||
config = mkIf config.services.gnome3.gnome-user-share.enable {
|
||||
|
||||
environment.systemPackages = [ pkgs.gnome3.gnome-user-share ];
|
||||
environment.systemPackages = [
|
||||
pkgs.gnome3.gnome-user-share
|
||||
];
|
||||
|
||||
services.xserver.displayManager.sessionCommands = with pkgs.gnome3; ''
|
||||
# Don't let gnome-control-center depend upon gnome-user-share
|
||||
export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${gnome-user-share}/share/gsettings-schemas/${gnome-user-share.name}
|
||||
'';
|
||||
systemd.packages = [
|
||||
pkgs.gnome3.gnome-user-share
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
|
|
|
@ -9,6 +9,7 @@
|
|||
Damien Cassou @DamienCassou
|
||||
Thomas Tuegel @ttuegel
|
||||
Rodney Lorrimar @rvl
|
||||
Adam Hoese @adisbladis
|
||||
-->
|
||||
<para>
|
||||
<link xlink:href="https://www.gnu.org/software/emacs/">Emacs</link> is an
|
||||
|
@ -130,15 +131,6 @@
|
|||
Emacs packages through nixpkgs.
|
||||
</para>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
This documentation describes the new Emacs packages framework in NixOS
|
||||
16.03 (<varname>emacsPackagesNg</varname>) which should not be confused
|
||||
with the previous and deprecated framework
|
||||
(<varname>emacs24Packages</varname>).
|
||||
</para>
|
||||
</note>
|
||||
|
||||
<para>
|
||||
The first step to declare the list of packages you want in your Emacs
|
||||
installation is to create a dedicated derivation. This can be done in a
|
||||
|
@ -164,7 +156,7 @@ $ ./result/bin/emacs
|
|||
|
||||
let
|
||||
myEmacs = pkgs.emacs; <co xml:id="ex-emacsNix-2" />
|
||||
emacsWithPackages = (pkgs.emacsPackagesNgGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" />
|
||||
emacsWithPackages = (pkgs.emacsPackagesGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" />
|
||||
in
|
||||
emacsWithPackages (epkgs: (with epkgs.melpaStablePackages; [ <co xml:id="ex-emacsNix-4" />
|
||||
magit # ; Integrate git <C-x g>
|
||||
|
@ -262,10 +254,10 @@ in
|
|||
<example xml:id="module-services-emacs-querying-packages">
|
||||
<title>Querying Emacs packages</title>
|
||||
<programlisting><![CDATA[
|
||||
nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.elpaPackages
|
||||
nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaPackages
|
||||
nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaStablePackages
|
||||
nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.orgPackages
|
||||
nix-env -f "<nixpkgs>" -qaP -A emacsPackages.elpaPackages
|
||||
nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaPackages
|
||||
nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaStablePackages
|
||||
nix-env -f "<nixpkgs>" -qaP -A emacsPackages.orgPackages
|
||||
]]></programlisting>
|
||||
</example>
|
||||
</para>
|
||||
@ -8,8 +8,8 @@ let
|
|||
cfg = config.services.fwupd;
|
||||
originalEtc =
|
||||
let
|
||||
mkEtcFile = n: nameValuePair n { source = "${pkgs.fwupd}/etc/${n}"; };
|
||||
in listToAttrs (map mkEtcFile pkgs.fwupd.filesInstalledToEtc);
|
||||
mkEtcFile = n: nameValuePair n { source = "${cfg.package}/etc/${n}"; };
|
||||
in listToAttrs (map mkEtcFile cfg.package.filesInstalledToEtc);
|
||||
extraTrustedKeys =
|
||||
let
|
||||
mkName = p: "pki/fwupd/${baseNameOf (toString p)}";
|
||||
|
@ -24,7 +24,7 @@ let
|
|||
"fwupd/remotes.d/fwupd-tests.conf" = {
|
||||
source = pkgs.runCommand "fwupd-tests-enabled.conf" {} ''
|
||||
sed "s,^Enabled=false,Enabled=true," \
|
||||
"${pkgs.fwupd.installedTests}/etc/fwupd/remotes.d/fwupd-tests.conf" > "$out"
|
||||
"${cfg.package.installedTests}/etc/fwupd/remotes.d/fwupd-tests.conf" > "$out"
|
||||
'';
|
||||
};
|
||||
} else {};
|
||||
|
@ -77,13 +77,21 @@ in {
|
|||
<link xlink:href="https://github.com/hughsie/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>.
|
||||
'';
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.fwupd;
|
||||
description = ''
|
||||
Which fwupd package to use.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.fwupd ];
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
|
||||
environment.etc = {
|
||||
"fwupd/daemon.conf" = {
|
||||
|
@ -102,11 +110,11 @@ in {
|
|||
|
||||
} // originalEtc // extraTrustedKeys // testRemote;
|
||||
|
||||
services.dbus.packages = [ pkgs.fwupd ];
|
||||
services.dbus.packages = [ cfg.package ];
|
||||
|
||||
services.udev.packages = [ pkgs.fwupd ];
|
||||
services.udev.packages = [ cfg.package ];
|
||||
|
||||
systemd.packages = [ pkgs.fwupd ];
|
||||
systemd.packages = [ cfg.package ];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/fwupd 0755 root root -"
|
||||
@ -344,8 +344,7 @@ in
|
|||
systemd.services.dovecot2 = {
|
||||
description = "Dovecot IMAP/POP3 server";
|
||||
|
||||
after = [ "keys.target" "network.target" ];
|
||||
wants = [ "keys.target" ];
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
restartTriggers = [ cfg.configFile ];
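Review bot: Dropping `keys.target` from `after`/`wants` means dovecot2 is no longer held back until deployment-provisioned secrets exist, which matters here because the TLS key material referenced from `cfg.configFile` is exactly what such key mechanisms deliver. If this follows NixOps' move to per-key `<name>-key.service` units, operators who deploy Dovecot's keys that way now have to add those units to `after`/`wants` themselves, and nothing in this section tells them. A release-note entry or an in-module comment such as `# keys.target is no longer used; order on the specific <key>-key.service units if TLS material is deployed as keys` would avoid a silent first-boot failure.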
|
||||
|
||||
@ -0,0 +1,114 @@
|
|||
{ config, pkgs, lib, ... }: # mailman.nix
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
cfg = config.services.mailman;
|
||||
|
||||
pythonEnv = pkgs.python3.withPackages (ps: [ps.mailman]);
|
||||
|
||||
mailmanExe = with pkgs; stdenv.mkDerivation {
|
||||
name = "mailman-" + python3Packages.mailman.version;
|
||||
unpackPhase = ":";
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin
|
||||
sed >"$out/bin/mailman" <"${pythonEnv}/bin/mailman" \
|
||||
-e "2 iexport MAILMAN_CONFIG_FILE=/etc/mailman.cfg"
|
||||
chmod +x $out/bin/mailman
|
||||
'';
|
||||
};
|
||||
|
||||
mailmanCfg = ''
|
||||
[mailman]
|
||||
site_owner: ${cfg.siteOwner}
|
||||
layout: fhs
|
||||
|
||||
[paths.fhs]
|
||||
bin_dir: ${pkgs.python3Packages.mailman}/bin
|
||||
var_dir: /var/lib/mailman
|
||||
queue_dir: $var_dir/queue
|
||||
log_dir: $var_dir/log
|
||||
lock_dir: $var_dir/lock
|
||||
etc_dir: /etc
|
||||
ext_dir: $etc_dir/mailman.d
|
||||
pid_file: /run/mailman/master.pid
|
||||
'';
|
||||
|
||||
in {
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
|
||||
services.mailman = {
|
||||
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enable Mailman on this host. Requires an active Postfix installation.";
|
||||
};
|
||||
|
||||
siteOwner = mkOption {
|
||||
type = types.str;
|
||||
default = "postmaster";
|
||||
description = ''
|
||||
Certain messages that must be delivered to a human, but which can't
|
||||
be delivered to a list owner (e.g. a bounce from a list owner), will
|
||||
be sent to this address. It should point to a human.
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
assertions = [
|
||||
{ assertion = cfg.enable -> config.services.postfix.enable;
|
||||
message = "Mailman requires Postfix";
|
||||
}
|
||||
{ assertion = config.services.postfix.recipientDelimiter == "+";
|
||||
message = "Postfix's recipientDelimiter must be set to '+'.";
|
||||
}
|
||||
];
|
||||
|
||||
users.users.mailman = { description = "GNU Mailman"; isSystemUser = true; };
|
||||
|
||||
environment = {
|
||||
systemPackages = [ mailmanExe ];
|
||||
etc."mailman.cfg".text = mailmanCfg;
|
||||
};
|
||||
|
||||
services.postfix = {
|
||||
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
|
||||
config = {
|
||||
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||
# Mailman uses recipient delimiters, so we don't need special handling.
|
||||
owner_request_special = "no";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.mailman = {
|
||||
description = "GNU Mailman Master Process";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${mailmanExe}/bin/mailman start";
|
||||
ExecStop = "${mailmanExe}/bin/mailman stop";
|
||||
User = "mailman";
|
||||
Type = "forking";
|
||||
StateDirectory = "mailman";
|
||||
StateDirectoryMode = "0700";
|
||||
RuntimeDirectory = "mailman";
|
||||
PIDFile = "/run/mailman/master.pid";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
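Review bot: `StateDirectoryMode = "0700"` on `/var/lib/mailman` (owned by `mailman`) conflicts with the Postfix integration declared just above it: `relayDomains`, `transport_maps` and `local_recipient_maps` all point at `hash:/var/lib/mailman/data/postfix_*`, which Postfix's unprivileged daemons must open, and a 0700 parent directory denies them traversal. Give the directory a shared group instead — `users.groups.mailman = {};`, `users.users.postfix.extraGroups = [ "mailman" ];`, `StateDirectoryMode = "2750";` — and set `group = "mailman"` on the mailman user. Separately, `mailmanCfg` has no `[mta]` section, so Mailman will presumably fall back to its built-in `postmap_command` of `/usr/sbin/postmap`, which does not exist on NixOS; `postmap_command: ${pkgs.postfix}/bin/postmap` is worth adding so list creation can regenerate the maps. Setting `local_recipient_maps` to only the Mailman map also replaces Postfix's default (which, as far as I recall, includes the passwd and alias tables), so mail to `postmaster` — the default `siteOwner` — may start bouncing with "user unknown"; confirm against a test delivery. Finally, `/etc/mailman.cfg` is world-readable, so keep any future REST `admin_pass` or database credentials out of `mailmanCfg`.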
@ -8,7 +8,9 @@ let
|
|||
|
||||
nix = cfg.package.out;
|
||||
|
||||
isNix20 = versionAtLeast (getVersion nix) "2.0pre";
|
||||
nixVersion = getVersion nix;
|
||||
|
||||
isNix20 = versionAtLeast nixVersion "2.0pre";
|
||||
|
||||
makeNixBuildUser = nr:
|
||||
{ name = "nixbld${toString nr}";
|
||||
|
@ -61,6 +63,9 @@ let
|
|||
builders =
|
||||
''}
|
||||
system-features = ${toString cfg.systemFeatures}
|
||||
${optionalString (versionAtLeast nixVersion "2.3pre") ''
|
||||
sandbox-fallback = false
|
||||
''}
|
||||
$extraOptions
|
||||
END
|
||||
'' + optionalString cfg.checkConfig (
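Review bot: `sandbox-fallback = false` is a security hardening whose rationale is invisible in the generated nix.conf: as far as Nix's documented behaviour goes, Nix ≥ 2.3 would otherwise silently build outside the sandbox whenever the sandbox cannot be set up, which defeats `sandbox = true`. Add a comment above the `optionalString` so the next reader does not "clean it up": `# Nix >= 2.3 would otherwise silently fall back to an unsandboxed build when the sandbox cannot be created; fail loudly instead.` The `nixConf` string this sits in starts before this hunk.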
|
||||
@ -156,6 +156,8 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
systemd.enableCgroupAccounting = true;
|
||||
|
||||
security.wrappers."apps.plugin" = {
|
||||
source = "${pkgs.netdata}/libexec/netdata/plugins.d/apps.plugin.org";
|
||||
capabilities = "cap_dac_read_search,cap_sys_ptrace+ep";
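Review bot: `systemd.enableCgroupAccounting = true;` is a system-wide setting flipped from inside a service module, and the hunk gives no hint why, so a reader will not connect it to netdata and may later remove it or be surprised by the global effect. A one-line comment would do: `# netdata's cgroups plugin needs CPU/memory accounting on every unit; note this is a global systemd setting`. I am inferring the purpose from netdata's cgroups plugin — confirm with the author. The `security.wrappers."apps.plugin"` definition continues past this hunk.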
|
||||
@ -916,9 +916,8 @@ in
|
|||
systemd.services.nsd = {
|
||||
description = "NSD authoritative only domain name service";
|
||||
|
||||
after = [ "keys.target" "network.target" ];
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = [ "keys.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";
|
||||
@ -70,8 +70,6 @@ in
|
|||
|
||||
systemd.services.softether-init = {
|
||||
description = "SoftEther VPN services initial task";
|
||||
after = [ "keys.target" ];
|
||||
wants = [ "keys.target" ];
|
||||
wantedBy = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
@ -62,9 +62,8 @@ in {
|
|||
systemd.services.strongswan-swanctl = {
|
||||
description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network-online.target" "keys.target" ];
|
||||
wants = [ "keys.target" ];
|
||||
path = with pkgs; [ kmod iproute iptables utillinux ];
|
||||
after = [ "network-online.target" ];
|
||||
path = with pkgs; [ kmod iproute iptables utillinux ];
|
||||
environment = {
|
||||
STRONGSWAN_CONF = pkgs.writeTextFile {
|
||||
name = "strongswan.conf";
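Review bot: Removing `keys.target` from `after`/`wants` of `strongswan-swanctl` means the daemon can now start before deployment-provisioned IPsec secrets (certificates and PSKs referenced from the swanctl configuration) exist on disk, and an IKE daemon that starts without its credentials fails tunnels quietly rather than refusing to start. If this follows NixOps' switch to per-key `<name>-key.service` units, operators need to order on those units themselves; a sentence in the option documentation or release notes saying so would prevent that first-boot race. The `path` line appearing twice in this section looks like old/new rendering rather than a real duplication — worth confirming in the raw diff.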
|
||||
@ -151,8 +151,7 @@ in
|
|||
description = "strongSwan IPSec Service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux
|
||||
wants = [ "keys.target" ];
|
||||
after = [ "network-online.target" "keys.target" ];
|
||||
after = [ "network-online.target" ];
|
||||
environment = {
|
||||
STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
|
||||
};
|
||||
@ -70,7 +70,7 @@ in
|
|||
};
|
||||
|
||||
storageBackend = mkOption {
|
||||
type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" ];
|
||||
type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" "raft" ];
|
||||
default = "inmem";
|
||||
description = "The name of the type of storage backend";
|
||||
};
|
||||
@ -0,0 +1,214 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.magnetico;
|
||||
|
||||
dataDir = "/var/lib/magnetico";
|
||||
|
||||
credFile = with cfg.web;
|
||||
if credentialsFile != null
|
||||
then credentialsFile
|
||||
else pkgs.writeText "magnetico-credentials"
|
||||
(concatStrings (mapAttrsToList
|
||||
(user: hash: "${user}:${hash}\n")
|
||||
cfg.web.credentials));
|
||||
|
||||
# default options in magneticod/main.go
|
||||
dbURI = concatStrings
|
||||
[ "sqlite3://${dataDir}/database.sqlite3"
|
||||
"?_journal_mode=WAL"
|
||||
"&_busy_timeout=3000"
|
||||
"&_foreign_keys=true"
|
||||
];
|
||||
|
||||
crawlerArgs = with cfg.crawler; escapeShellArgs
|
||||
([ "--database=${dbURI}"
|
||||
"--indexer-addr=${address}:${toString port}"
|
||||
"--indexer-max-neighbors=${toString maxNeighbors}"
|
||||
"--leech-max-n=${toString maxLeeches}"
|
||||
] ++ extraOptions);
|
||||
|
||||
webArgs = with cfg.web; escapeShellArgs
|
||||
([ "--database=${dbURI}"
|
||||
(if (cfg.web.credentialsFile != null || cfg.web.credentials != { })
|
||||
then "--credentials=${toString credFile}"
|
||||
else "--no-auth")
|
||||
] ++ extraOptions);
|
||||
|
||||
in {
|
||||
|
||||
###### interface
|
||||
|
||||
options.services.magnetico = {
|
||||
enable = mkEnableOption "Magnetico, Bittorrent DHT crawler";
|
||||
|
||||
crawler.address = mkOption {
|
||||
type = types.str;
|
||||
default = "0.0.0.0";
|
||||
example = "1.2.3.4";
|
||||
description = ''
|
||||
Address to be used for indexing DHT nodes.
|
||||
'';
|
||||
};
|
||||
|
||||
crawler.port = mkOption {
|
||||
type = types.port;
|
||||
default = 0;
|
||||
description = ''
|
||||
Port to be used for indexing DHT nodes.
|
||||
This port should be added to
|
||||
<option>networking.firewall.allowedTCPPorts</option>.
|
||||
'';
|
||||
};
|
||||
|
||||
crawler.maxNeighbors = mkOption {
|
||||
type = types.ints.positive;
|
||||
default = 1000;
|
||||
description = ''
|
||||
Maximum number of simultaneous neighbors of an indexer.
|
||||
Be careful changing this number: high values can very
|
||||
easily cause your network to be congested or even crash
|
||||
your router.
|
||||
'';
|
||||
};
|
||||
|
||||
crawler.maxLeeches = mkOption {
|
||||
type = types.ints.positive;
|
||||
default = 200;
|
||||
description = ''
|
||||
Maximum number of simultaneous leeches.
|
||||
'';
|
||||
};
|
||||
|
||||
crawler.extraOptions = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Extra command line arguments to pass to magneticod.
|
||||
'';
|
||||
};
|
||||
|
||||
web.address = mkOption {
|
||||
type = types.str;
|
||||
default = "localhost";
|
||||
example = "1.2.3.4";
|
||||
description = ''
|
||||
Address the web interface will listen to.
|
||||
'';
|
||||
};
|
||||
|
||||
web.port = mkOption {
|
||||
type = types.port;
|
||||
default = 8080;
|
||||
description = ''
|
||||
Port the web interface will listen to.
|
||||
'';
|
||||
};
|
||||
|
||||
web.credentials = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = {};
|
||||
example = lib.literalExample ''
|
||||
{
|
||||
myuser = "$2y$12$YE01LZ8jrbQbx6c0s2hdZO71dSjn2p/O9XsYJpz.5968yCysUgiaG";
|
||||
}
|
||||
'';
|
||||
description = ''
|
||||
The credentials to access the web interface, in case authentication is
|
||||
enabled, in the format <literal>username:hash</literal>. If unset no
|
||||
authentication will be required.
|
||||
|
||||
Usernames must start with a lowercase ([a-z]) ASCII character, might
|
||||
contain non-consecutive underscores except at the end, and consists of
|
||||
small-case a-z characters and digits 0-9. The
|
||||
<command>htpasswd</command> tool from the <package>apacheHttpd
|
||||
</package> package may be used to generate the hash: <command>htpasswd
|
||||
-bnBC 12 username password</command>
|
||||
|
||||
<warning>
|
||||
<para>
|
||||
The hashes will be stored world-readable in the nix store.
|
||||
Consider using the <literal>credentialsFile</literal> option if you
|
||||
don't want this.
|
||||
</para>
|
||||
</warning>
|
||||
'';
|
||||
};
|
||||
|
||||
web.credentialsFile = mkOption {
|
||||
type = types.nullOr types.path;
|
||||
default = null;
|
||||
description = ''
|
||||
The path to the file holding the credentials to access the web
|
||||
interface. If unset no authentication will be required.
|
||||
|
||||
The file must constain user names and password hashes in the format
|
||||
<literal>username:hash </literal>, one for each line. Usernames must
|
||||
start with a lowecase ([a-z]) ASCII character, might contain
|
||||
non-consecutive underscores except at the end, and consists of
|
||||
small-case a-z characters and digits 0-9.
|
||||
The <command>htpasswd</command> tool from the <package>apacheHttpd
|
||||
</package> package may be used to generate the hash:
|
||||
<command>htpasswd -bnBC 12 username password</command>
|
||||
'';
|
||||
};
|
||||
|
||||
web.extraOptions = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Extra command line arguments to pass to magneticow.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
users.users.magnetico = {
|
||||
description = "Magnetico daemons user";
|
||||
};
|
||||
|
||||
systemd.services.magneticod = {
|
||||
description = "Magnetico DHT crawler";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network-online.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
User = "magnetico";
|
||||
Restart = "on-failure";
|
||||
ExecStart = "${pkgs.magnetico}/bin/magneticod ${crawlerArgs}";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.magneticow = {
|
||||
description = "Magnetico web interface";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network-online.target" "magneticod.service"];
|
||||
|
||||
serviceConfig = {
|
||||
User = "magnetico";
|
||||
StateDirectory = "magnetico";
|
||||
Restart = "on-failure";
|
||||
ExecStart = "${pkgs.magnetico}/bin/magneticow ${webArgs}";
|
||||
};
|
||||
};
|
||||
|
||||
assertions =
|
||||
[
|
||||
{
|
||||
assertion = cfg.web.credentialsFile != null || cfg.web.credentials != { };
|
||||
message = ''
|
||||
The options services.magnetico.web.credentialsFile and
|
||||
services.magnetico.web.credentials are mutually exclusives.
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
}
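Review bot: The assertion at the end of `config` is inverted: `cfg.web.credentialsFile != null || cfg.web.credentials != { }` holds when either option is set and fails when both are unset, so the module rejects the no-auth configuration its own descriptions promise ("If unset no authentication will be required") while accepting both being set — the opposite of the "mutually exclusive" message. It should read `assertion = !(cfg.web.credentialsFile != null && cfg.web.credentials != { });`. A second gap: `magneticod` writes `${dataDir}/database.sqlite3` but only `magneticow` declares `StateDirectory = "magnetico"`, and magneticod is ordered first, so on a fresh host it runs as the unprivileged `magnetico` user against a directory that does not exist yet and only recovers through `Restart = "on-failure"`; add `StateDirectory = "magnetico";` to magneticod's serviceConfig as well. The `credentialsFile` description should also say the file must be readable by the `magnetico` user, since magneticow opens it at runtime rather than through the store.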
@ -670,8 +670,7 @@ in
|
|||
{ description = "Apache HTTPD";
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = [ "keys.target" ];
|
||||
after = [ "network.target" "fs.target" "keys.target" ];
|
||||
after = [ "network.target" "fs.target" ];
|
||||
|
||||
path =
|
||||
[ httpd pkgs.coreutils pkgs.gnugrep ]
|
||||
@ -4,23 +4,25 @@ with lib;
|
|||
|
||||
let
|
||||
cfg = config.services.nginx;
|
||||
certs = config.security.acme.certs;
|
||||
vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
|
||||
acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;
|
||||
virtualHosts = mapAttrs (vhostName: vhostConfig:
|
||||
let
|
||||
serverName = if vhostConfig.serverName != null
|
||||
then vhostConfig.serverName
|
||||
else vhostName;
|
||||
acmeDirectory = config.security.acme.directory;
|
||||
in
|
||||
vhostConfig // {
|
||||
inherit serverName;
|
||||
} // (optionalAttrs vhostConfig.enableACME {
|
||||
sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
|
||||
sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem";
|
||||
sslTrustedCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
|
||||
sslCertificate = "${certs.${serverName}.directory}/fullchain.pem";
|
||||
sslCertificateKey = "${certs.${serverName}.directory}/key.pem";
|
||||
sslTrustedCertificate = "${certs.${serverName}.directory}/full.pem";
|
||||
}) // (optionalAttrs (vhostConfig.useACMEHost != null) {
|
||||
sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
|
||||
sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem";
|
||||
sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
|
||||
sslCertificate = "${certs.${vhostConfig.useACMEHost}.directory}/fullchain.pem";
|
||||
sslCertificateKey = "${certs.${vhostConfig.useACMEHost}.directory}/key.pem";
|
||||
sslTrustedCertificate = "${certs.${vhostConfig.useACMEHost}.directory}/fullchain.pem";
|
||||
})
|
||||
) cfg.virtualHosts;
|
||||
enableIPv6 = config.networking.enableIPv6;
|
||||
|
@ -646,8 +648,9 @@ in
|
|||
|
||||
systemd.services.nginx = {
|
||||
description = "Nginx Web Server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts);
|
||||
after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts;
|
||||
stopIfChanged = false;
|
||||
preStart =
|
||||
''
|
||||
|
@ -680,8 +683,6 @@ in
|
|||
|
||||
security.acme.certs = filterAttrs (n: v: v != {}) (
|
||||
let
|
||||
vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
|
||||
acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;
|
||||
acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = {
|
||||
user = cfg.user;
|
||||
group = lib.mkDefault cfg.group;
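Review bot: The `enableACME` branch now points `sslTrustedCertificate` at `full.pem` while the `useACMEHost` branch right below it uses `fullchain.pem`; the two should agree. `ssl_trusted_certificate` is the chain nginx uses for OCSP-stapling verification and only needs public certificates, whereas `full.pem` in the ACME module's layout is presumably the combined key+certificate bundle — feeding a file that holds the private key to a trust-store directive is at best an unnecessary exposure of that path. Use `sslTrustedCertificate = "${certs.${serverName}.directory}/fullchain.pem";`. Also note `certs.${vhostConfig.useACMEHost}` is dereferenced unconditionally, so a `useACMEHost` naming an undeclared cert now fails with an attribute-missing error instead of a readable assertion; an assertion with a message would be friendlier.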
|
||||
@ -18,7 +18,7 @@ in
|
|||
# determines the default: later modules (if enabled) are preferred.
|
||||
# E.g., if Plasma 5 is enabled, it supersedes xterm.
|
||||
imports = [
|
||||
./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix
|
||||
./none.nix ./xterm.nix ./xfce.nix ./xfce4-14.nix ./plasma5.nix ./lumina.nix
|
||||
./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./maxx.nix
|
||||
./mate.nix ./pantheon.nix ./surf-display.nix
|
||||
];
|
||||
@ -0,0 +1,157 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.xserver.desktopManager.xfce4-14;
|
||||
in
|
||||
|
||||
{
|
||||
# added 2019-08-18
|
||||
# needed to preserve some semblance of UI familarity
|
||||
# with original XFCE module
|
||||
imports = [
|
||||
(mkRenamedOptionModule
|
||||
[ "services" "xserver" "desktopManager" "xfce4-14" "extraSessionCommands" ]
|
||||
[ "services" "xserver" "displayManager" "sessionCommands" ])
|
||||
];
|
||||
|
||||
options = {
|
||||
services.xserver.desktopManager.xfce4-14 = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enable the Xfce desktop environment.";
|
||||
};
|
||||
|
||||
# TODO: support thunar plugins
|
||||
# thunarPlugins = mkOption {
|
||||
# default = [];
|
||||
# type = types.listOf types.package;
|
||||
# example = literalExample "[ pkgs.xfce4-14.thunar-archive-plugin ]";
|
||||
# description = ''
|
||||
# A list of plugin that should be installed with Thunar.
|
||||
# '';
|
||||
# };
|
||||
|
||||
noDesktop = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Don't install XFCE desktop components (xfdesktop, panel and notification daemon).";
|
||||
};
|
||||
|
||||
enableXfwm = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Enable the XFWM (default) window manager.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = with pkgs.xfce4-14 // pkgs; [
|
||||
glib # for gsettings
|
||||
gtk3.out # gtk-update-icon-cache
|
||||
|
||||
gnome3.adwaita-icon-theme
|
||||
hicolor-icon-theme
|
||||
tango-icon-theme
|
||||
xfce4-icon-theme
|
||||
|
||||
desktop-file-utils
|
||||
shared-mime-info # for update-mime-database
|
||||
|
||||
# For a polkit authentication agent
|
||||
polkit_gnome
|
||||
|
||||
# Needed by Xfce's xinitrc script
|
||||
xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/
|
||||
|
||||
exo
|
||||
garcon
|
||||
gtk-xfce-engine
|
||||
libxfce4ui
|
||||
xfconf
|
||||
|
||||
mousepad
|
||||
ristretto
|
||||
xfce4-appfinder
|
||||
xfce4-screenshooter
|
||||
xfce4-session
|
||||
xfce4-settings
|
||||
xfce4-terminal
|
||||
|
||||
# TODO: resync patch for plugins
|
||||
#(thunar.override { thunarPlugins = cfg.thunarPlugins; })
|
||||
thunar
|
||||
] # TODO: NetworkManager doesn't belong here
|
||||
++ optional config.networking.networkmanager.enable networkmanagerapplet
|
||||
++ optional config.hardware.pulseaudio.enable xfce4-pulseaudio-plugin
|
||||
++ optional config.powerManagement.enable xfce4-power-manager
|
||||
++ optional cfg.enableXfwm xfwm4
|
||||
++ optionals (!cfg.noDesktop) [
|
||||
xfce4-panel
|
||||
xfce4-notifyd
|
||||
xfdesktop
|
||||
];
|
||||
|
||||
environment.pathsToLink = [
|
||||
"/share/xfce4"
|
||||
"/lib/xfce4"
|
||||
"/share/gtksourceview-3.0"
|
||||
"/share/gtksourceview-4.0"
|
||||
];
|
||||
|
||||
# Use the correct gnome3 packageSet
|
||||
networking.networkmanager.basePackages = mkIf config.networking.networkmanager.enable {
|
||||
inherit (pkgs) networkmanager modemmanager wpa_supplicant crda;
|
||||
inherit (pkgs.gnome3) networkmanager-openvpn networkmanager-vpnc
|
||||
networkmanager-openconnect networkmanager-fortisslvpn
|
||||
networkmanager-iodine networkmanager-l2tp;
|
||||
};
|
||||
|
||||
services.xserver.desktopManager.session = [{
|
||||
name = "xfce4-14";
|
||||
bgSupport = true;
|
||||
start = ''
|
||||
# Set GTK_PATH so that GTK+ can find the theme engines.
|
||||
export GTK_PATH="${config.system.path}/lib/gtk-2.0:${config.system.path}/lib/gtk-3.0"
|
||||
|
||||
# Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes.
|
||||
export GTK_DATA_PREFIX=${config.system.path}
|
||||
|
||||
${pkgs.runtimeShell} ${pkgs.xfce4-14.xinitrc} &
|
||||
waitPID=$!
|
||||
'';
|
||||
}];
|
||||
|
||||
services.xserver.updateDbusEnvironment = true;
|
||||
services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];
|
||||
|
||||
# Enable helpful DBus services.
|
||||
services.udisks2.enable = true;
|
||||
security.polkit.enable = true;
|
||||
services.accounts-daemon.enable = true;
|
||||
services.upower.enable = config.powerManagement.enable;
|
||||
services.gnome3.glib-networking.enable = true;
|
||||
services.gvfs.enable = true;
|
||||
services.gvfs.package = pkgs.xfce.gvfs;
|
||||
services.tumbler.enable = true;
|
||||
services.dbus.packages =
|
||||
optional config.services.printing.enable pkgs.system-config-printer;
|
||||
services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager
|
||||
|
||||
# Enable default programs
|
||||
programs.dconf.enable = true;
|
||||
|
||||
# Shell integration for VTE terminals
|
||||
programs.bash.vteIntegration = mkDefault true;
|
||||
programs.zsh.vteIntegration = mkDefault true;
|
||||
|
||||
# Systemd services
|
||||
systemd.packages = with pkgs.xfce4-14; [
|
||||
thunar
|
||||
] ++ optional (!cfg.noDesktop) xfce4-notifyd;
|
||||
|
||||
};
|
||||
}
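Review bot: `services.gvfs.package = pkgs.xfce.gvfs;` is the one place in this module that reaches into the old `pkgs.xfce` set; every other reference uses `pkgs.xfce4-14`. If that is deliberate (the 4.14 set presumably has no gvfs override yet), say so with a comment such as `# gvfs is not part of pkgs.xfce4-14 yet; reuse the xfce build`; otherwise this quietly mixes two Xfce generations in one session. The privilege-relevant additions here — `security.polkit.enable = true`, the `polkit_gnome` agent, `services.udisks2.enable` — mirror what the existing xfce module does and look fine.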
@ -109,7 +109,7 @@ let
|
|||
|
||||
# Allow the user to setup a custom session type.
|
||||
if test -x ~/.xsession; then
|
||||
exec ~/.xsession
|
||||
eval exec ~/.xsession "$@"
|
||||
fi
|
||||
|
||||
if test "$1"; then
|
||||
@ -112,11 +112,13 @@ let
|
|||
# Hibernate / suspend.
|
||||
"hibernate.target"
|
||||
"suspend.target"
|
||||
"suspend-then-hibernate.target"
|
||||
"sleep.target"
|
||||
"hybrid-sleep.target"
|
||||
"systemd-hibernate.service"
|
||||
"systemd-hybrid-sleep.service"
|
||||
"systemd-suspend.service"
|
||||
"systemd-suspend-then-hibernate.service"
|
||||
|
||||
# Reboot stuff.
|
||||
"reboot.target"
|
||||
@ -256,6 +256,10 @@ let
|
|||
RestartForceExitStatus = "133";
|
||||
SuccessExitStatus = "133";
|
||||
|
||||
# Some containers take long to start
|
||||
# especially when you automatically start many at once
|
||||
TimeoutStartSec = cfg.timeoutStartSec;
|
||||
|
||||
Restart = "on-failure";
|
||||
|
||||
Slice = "machine.slice";
|
||||
|
@ -423,6 +427,7 @@ let
|
|||
extraVeths = {};
|
||||
additionalCapabilities = [];
|
||||
ephemeral = false;
|
||||
timeoutStartSec = "15s";
|
||||
allowedDevices = [];
|
||||
hostAddress = null;
|
||||
hostAddress6 = null;
|
||||
|
@ -595,6 +600,18 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
timeoutStartSec = mkOption {
|
||||
type = types.str;
|
||||
default = "1min";
|
||||
description = ''
|
||||
Time for the container to start. In case of a timeout,
|
||||
the container processes get killed.
|
||||
See <citerefentry><refentrytitle>systemd.time</refentrytitle>
|
||||
<manvolnum>7</manvolnum></citerefentry>
|
||||
for more information about the format.
|
||||
'';
|
||||
};
|
||||
|
||||
bindMounts = mkOption {
|
||||
type = with types; loaOf (submodule bindMountOpts);
|
||||
default = {};
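Review bot: The new `timeoutStartSec` option defaults to `"1min"` while the defaults attrset earlier in this section sets `timeoutStartSec = "15s";`; unless 15s is a deliberate choice for the generic `container@.service` template, the two should match, and either way the description should say which unit each value governs. The option is `types.str` with no validation, so a typo surfaces only as a unit-load error at switch time; a sentence such as `Passed verbatim to systemd's <literal>TimeoutStartSec=</literal>.` would set expectations and point at the accepted syntax. Both hunks sit inside definitions that start outside this section.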
|
||||
@ -136,6 +136,7 @@ in rec {
|
|||
(all nixos.tests.switchTest)
|
||||
(all nixos.tests.udisks2)
|
||||
(all nixos.tests.xfce)
|
||||
(all nixos.tests.xfce4-14)
|
||||
|
||||
nixpkgs.tarball
|
||||
(all allSupportedNixpkgs.emacs)
|
||||
@ -3,19 +3,49 @@ let
|
|||
in import ./make-test.nix {
|
||||
name = "acme";
|
||||
|
||||
nodes = {
|
||||
nodes = rec {
|
||||
letsencrypt = ./common/letsencrypt;
|
||||
|
||||
acmeStandalone = { config, pkgs, ... }: {
|
||||
imports = [ commonConfig ];
|
||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||
networking.extraHosts = ''
|
||||
${config.networking.primaryIPAddress} standalone.com
|
||||
'';
|
||||
security.acme.certs."standalone.com" = {
|
||||
webroot = "/var/lib/acme/acme-challenges";
|
||||
};
|
||||
systemd.targets."acme-finished-standalone.com" = {};
|
||||
systemd.services."acme-standalone.com" = {
|
||||
wants = [ "acme-finished-standalone.com.target" ];
|
||||
before = [ "acme-finished-standalone.com.target" ];
|
||||
};
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts."standalone.com" = {
|
||||
locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenges";
|
||||
};
|
||||
};
|
||||
|
||||
webserver = { config, pkgs, ... }: {
|
||||
imports = [ commonConfig ];
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
networking.extraHosts = ''
|
||||
${config.networking.primaryIPAddress} example.com
|
||||
${config.networking.primaryIPAddress} a.example.com
|
||||
${config.networking.primaryIPAddress} b.example.com
|
||||
'';
|
||||
|
||||
# A target remains active. Use this to probe the fact that
|
||||
# a service fired eventhough it is not RemainAfterExit
|
||||
systemd.targets."acme-finished-a.example.com" = {};
|
||||
systemd.services."acme-a.example.com" = {
|
||||
wants = [ "acme-finished-a.example.com.target" ];
|
||||
before = [ "acme-finished-a.example.com.target" ];
|
||||
};
|
||||
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts."example.com" = {
|
||||
|
||||
services.nginx.virtualHosts."a.example.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".root = pkgs.runCommand "docroot" {} ''
|
||||
|
@ -23,17 +53,63 @@ in import ./make-test.nix {
|
|||
echo hello world > "$out/index.html"
|
||||
'';
|
||||
};
|
||||
|
||||
nesting.clone = [
|
||||
({pkgs, ...}: {
|
||||
|
||||
networking.extraHosts = ''
|
||||
${config.networking.primaryIPAddress} b.example.com
|
||||
'';
|
||||
systemd.targets."acme-finished-b.example.com" = {};
|
||||
systemd.services."acme-b.example.com" = {
|
||||
wants = [ "acme-finished-b.example.com.target" ];
|
||||
before = [ "acme-finished-b.example.com.target" ];
|
||||
};
|
||||
services.nginx.virtualHosts."b.example.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".root = pkgs.runCommand "docroot" {} ''
|
||||
mkdir -p "$out"
|
||||
echo hello world > "$out/index.html"
|
||||
'';
|
||||
};
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
client = commonConfig;
|
||||
};
|
||||
|
||||
testScript = ''
|
||||
$letsencrypt->waitForUnit("default.target");
|
||||
$letsencrypt->waitForUnit("boulder.service");
|
||||
$webserver->waitForUnit("default.target");
|
||||
$webserver->waitForUnit("acme-certificates.target");
|
||||
$client->waitForUnit("default.target");
|
||||
$client->succeed('curl https://example.com/ | grep -qF "hello world"');
|
||||
'';
|
||||
testScript = {nodes, ...}:
|
||||
let
|
||||
newServerSystem = nodes.webserver2.config.system.build.toplevel;
|
||||
switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test";
|
||||
in
|
||||
# Note, waitForUnit does not work for oneshot services that do not have RemainAfterExit=true,
|
||||
# this is because a oneshot goes from inactive => activating => inactive, and never
|
||||
# reaches the active state. To work around this, we create some mock target units which
|
||||
# get pulled in by the oneshot units. The target units linger after activation, and hence we
|
||||
# can use them to probe that a oneshot fired. It is a bit ugly, but it is the best we can do
|
||||
''
|
||||
$client->waitForUnit("default.target");
|
||||
$letsencrypt->waitForUnit("default.target");
|
||||
$letsencrypt->waitForUnit("boulder.service");
|
||||
|
||||
subtest "can request certificate with HTTPS-01 challenge", sub {
|
||||
$acmeStandalone->waitForUnit("default.target");
|
||||
$acmeStandalone->succeed("systemctl start acme-standalone.com.service");
|
||||
$acmeStandalone->waitForUnit("acme-finished-standalone.com.target");
|
||||
};
|
||||
|
||||
subtest "Can request certificate for nginx service", sub {
|
||||
$webserver->waitForUnit("acme-finished-a.example.com.target");
|
||||
$client->succeed('curl https://a.example.com/ | grep -qF "hello world"');
|
||||
};
|
||||
|
||||
subtest "Can add another certificate for nginx service", sub {
|
||||
$webserver->succeed("/run/current-system/fine-tune/child-1/bin/switch-to-configuration test");
|
||||
$webserver->waitForUnit("acme-finished-b.example.com.target");
|
||||
$client->succeed('curl https://b.example.com/ | grep -qF "hello world"');
|
||||
};
|
||||
'';
|
||||
}
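Review bot: `newServerSystem = nodes.webserver2.config.system.build.toplevel` refers to a node that does not exist in `nodes` (letsencrypt, acmeStandalone, webserver, client); it only evaluates because neither it nor `switchToNewServer` is used in the script string, so Nix's laziness hides the dangling reference. Drop both `let` bindings — the test actually switches via `/run/current-system/fine-tune/child-1/bin/switch-to-configuration test`. Separately, the subtest title `can request certificate with HTTPS-01 challenge` misnames the challenge: the webroot method exercised here is ACME's `http-01`, so `can request certificate with HTTP-01 challenge` is the accurate name.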
|
||||
@ -278,6 +278,7 @@ in
|
|||
xautolock = handleTest ./xautolock.nix {};
|
||||
xdg-desktop-portal = handleTest ./xdg-desktop-portal.nix {};
|
||||
xfce = handleTest ./xfce.nix {};
|
||||
xfce4-14 = handleTest ./xfce4-14.nix {};
|
||||
xmonad = handleTest ./xmonad.nix {};
|
||||
xrdp = handleTest ./xrdp.nix {};
|
||||
xss-lock = handleTest ./xss-lock.nix {};
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
import ./make-test.nix ({ pkgs, ...} : {
|
||||
name = "magnetico";
|
||||
meta = with pkgs.stdenv.lib.maintainers; {
|
||||
maintainers = [ rnhmjoj ];
|
||||
};
|
||||
|
||||
machine = { ... }: {
|
||||
imports = [ ../modules/profiles/minimal.nix ];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 9000 ];
|
||||
|
||||
services.magnetico = {
|
||||
enable = true;
|
||||
crawler.port = 9000;
|
||||
web.credentials.user = "$2y$12$P88ZF6soFthiiAeXnz64aOWDsY3Dw7Yw8fZ6GtiqFNjknD70zDmNe";
|
||||
};
|
||||
};
|
||||
|
||||
testScript =
|
||||
''
|
||||
startAll;
|
||||
$machine->waitForUnit("magneticod");
|
||||
$machine->waitForUnit("magneticow");
|
||||
$machine->succeed("${pkgs.curl}/bin/curl -u user:password http://localhost:8080");
|
||||
$machine->succeed("${pkgs.curl}/bin/curl -u user:wrongpwd http://localhost:8080") =~ "Unauthorised." or die;
|
||||
$machine->shutdown();
|
||||
'';
|
||||
})
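Review bot: The positive login check `curl -u user:password http://localhost:8080` cannot fail on a rejected login, because curl without `--fail` exits 0 on a 401 just as on a 200, so `succeed` passes even if the bcrypt value in `web.credentials.user` does not correspond to "password". Add `-f` (or `-o /dev/null -w '%{http_code}'` and compare against 200) so the accepted-credentials path is actually asserted: `$machine->succeed("${pkgs.curl}/bin/curl -f -u user:password http://localhost:8080");`. The negative check on the next line matches the body against the regex `"Unauthorised."` (the `.` is a wildcard), which is fragile if the error page wording changes; asserting the status code 401 would make the intent explicit and independent of the body text. Whether the `$2y$12$…` value really is a hash of the string "password" cannot be verified from the diff; a comment stating the plaintext it encodes would help the next maintainer.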
|
|
@ -71,11 +71,13 @@ import ./make-test.nix ({ pkgs, ... }: {
|
|||
|
||||
# Regression test for https://github.com/NixOS/nixpkgs/issues/35268
|
||||
subtest "file system with x-initrd.mount is not unmounted", sub {
|
||||
$machine->succeed('mountpoint -q /test-x-initrd-mount');
|
||||
$machine->shutdown;
|
||||
$machine->waitForUnit('multi-user.target');
|
||||
# If the file system was unmounted during the shutdown the file system
|
||||
# has a last mount time, because the file system wasn't checked.
|
||||
$machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"');
|
||||
system('qemu-img', 'convert', '-O', 'raw',
|
||||
'vm-state-machine/empty2.qcow2', 'x-initrd-mount.raw');
|
||||
my $extinfo = `${pkgs.e2fsprogs}/bin/dumpe2fs x-initrd-mount.raw`;
|
||||
die "File system was not cleanly unmounted: $extinfo"
|
||||
unless $extinfo =~ /^Filesystem state: *clean$/m;
|
||||
};
|
||||
|
||||
subtest "systemd-shutdown works", sub {
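Review bot: The exit status of `system('qemu-img', 'convert', …)` is never checked, so if the conversion fails (qemu-img not on the driver's PATH, or `vm-state-machine/empty2.qcow2` not where the test driver put it) the following `dumpe2fs` runs on a missing `x-initrd-mount.raw`, `$extinfo` is empty and the subtest dies with the misleading message "File system was not cleanly unmounted". Check it explicitly: `system('qemu-img', 'convert', '-O', 'raw', 'vm-state-machine/empty2.qcow2', 'x-initrd-mount.raw') == 0 or die "qemu-img convert failed: $?";`. For the same reason the backtick `dumpe2fs` call should verify `$?` before the regex is applied, and for consistency with that line `qemu-img` could be referenced by an explicit store path rather than relying on PATH. The hard-coded state-directory path is an assumption about the test driver's layout that deserves a one-line comment such as `# empty2.qcow2 is the driver's backing image for /dev/vdb in the machine's state dir`.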
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
import ./make-test.nix ({ pkgs, ...} : {
|
||||
name = "xfce4-14";
|
||||
|
||||
machine =
|
||||
{ pkgs, ... }:
|
||||
|
||||
{ imports = [ ./common/user-account.nix ];
|
||||
|
||||
services.xserver.enable = true;
|
||||
|
||||
services.xserver.displayManager.auto.enable = true;
|
||||
services.xserver.displayManager.auto.user = "alice";
|
||||
|
||||
services.xserver.desktopManager.xfce4-14.enable = true;
|
||||
};
|
||||
|
||||
testScript =
|
||||
''
|
||||
$machine->waitForX;
|
||||
$machine->waitForFile("/home/alice/.Xauthority");
|
||||
$machine->succeed("xauth merge ~alice/.Xauthority");
|
||||
$machine->waitForWindow(qr/xfce4-panel/);
|
||||
$machine->sleep(10);
|
||||
|
||||
# Check that logging in has given the user ownership of devices.
|
||||
$machine->succeed("getfacl /dev/snd/timer | grep -q alice");
|
||||
|
||||
$machine->succeed("su - alice -c 'DISPLAY=:0.0 xfce4-terminal &'");
|
||||
$machine->waitForWindow(qr/Terminal/);
|
||||
$machine->sleep(10);
|
||||
$machine->screenshot("screen");
|
||||
'';
|
||||
})
|
|
@ -1,90 +0,0 @@
|
|||
{ callPackage, boost155, boost165, darwin, libsForQt5, libsForQt59, miniupnpc_2, python3, buildGo110Package }:
|
||||
|
||||
rec {
|
||||
|
||||
aeon = callPackage ./aeon { };
|
||||
|
||||
bitcoin = libsForQt5.callPackage ./bitcoin.nix { miniupnpc = miniupnpc_2; withGui = true; };
|
||||
bitcoind = callPackage ./bitcoin.nix { miniupnpc = miniupnpc_2; withGui = false; };
|
||||
clightning = callPackage ./clightning.nix { };
|
||||
|
||||
bitcoin-abc = libsForQt5.callPackage ./bitcoin-abc.nix { boost = boost165; withGui = true; };
|
||||
bitcoind-abc = callPackage ./bitcoin-abc.nix { boost = boost165; withGui = false; };
|
||||
|
||||
bitcoin-unlimited = libsForQt5.callPackage ./bitcoin-unlimited.nix {
|
||||
inherit (darwin.apple_sdk.frameworks) Foundation ApplicationServices AppKit;
|
||||
withGui = true;
|
||||
};
|
||||
bitcoind-unlimited = callPackage ./bitcoin-unlimited.nix {
|
||||
inherit (darwin.apple_sdk.frameworks) Foundation ApplicationServices AppKit;
|
||||
withGui = false;
|
||||
};
|
||||
|
||||
bitcoin-classic = libsForQt5.callPackage ./bitcoin-classic.nix { boost = boost165; withGui = true; };
|
||||
bitcoind-classic = callPackage ./bitcoin-classic.nix { boost = boost165; withGui = false; };
|
||||
|
||||
btc1 = callPackage ./btc1.nix {
|
||||
inherit (darwin.apple_sdk.frameworks) AppKit;
|
||||
boost = boost165;
|
||||
};
|
||||
btc1d = btc1.override { withGui = false; };
|
||||
|
||||
cryptop = python3.pkgs.callPackage ./cryptop { };
|
||||
|
||||
dashpay = callPackage ./dashpay.nix { };
|
||||
|
||||
dcrd = callPackage ./dcrd.nix { };
|
||||
dcrwallet = callPackage ./dcrwallet.nix { };
|
||||
|
||||
dero = callPackage ./dero.nix { boost = boost165; };
|
||||
|
||||
dogecoin = callPackage ./dogecoin.nix { boost = boost165; withGui = true; };
|
||||
dogecoind = callPackage ./dogecoin.nix { boost = boost165; withGui = false; };
|
||||
|
||||
|
||||
freicoin = callPackage ./freicoin.nix { boost = boost155; };
|
||||
go-ethereum = callPackage ./go-ethereum.nix {
|
||||
inherit (darwin) libobjc;
|
||||
inherit (darwin.apple_sdk.frameworks) IOKit;
|
||||
};
|
||||
go-ethereum-classic = callPackage ./go-ethereum-classic {
|
||||
buildGoPackage = buildGo110Package;
|
||||
};
|
||||
|
||||
litecoin = callPackage ./litecoin.nix {
|
||||
inherit (darwin.apple_sdk.frameworks) AppKit;
|
||||
};
|
||||
litecoind = litecoin.override { withGui = false; };
|
||||
|
||||
lnd = callPackage ./lnd.nix { };
|
||||
|
||||
masari = callPackage ./masari.nix { boost = boost165; };
|
||||
|
||||
mist = callPackage ./mist.nix { };
|
||||
|
||||
namecoin = callPackage ./namecoin.nix { withGui = true; };
|
||||
namecoind = callPackage ./namecoin.nix { withGui = false; };
|
||||
|
||||
pivx = libsForQt59.callPackage ./pivx.nix { withGui = true; };
|
||||
pivxd = callPackage ./pivx.nix { withGui = false; };
|
||||
|
||||
ethabi = callPackage ./ethabi.nix { };
|
||||
|
||||
stellar-core = callPackage ./stellar-core.nix { };
|
||||
|
||||
sumokoin = callPackage ./sumokoin.nix { boost = boost165; };
|
||||
|
||||
wownero = callPackage ./wownero.nix {};
|
||||
|
||||
zcash = callPackage ./zcash {
|
||||
withGui = false;
|
||||
};
|
||||
|
||||
parity = callPackage ./parity { };
|
||||
parity-beta = callPackage ./parity/beta.nix { };
|
||||
parity-ui = callPackage ./parity-ui { };
|
||||
|
||||
polkadot = callPackage ./polkadot { };
|
||||
|
||||
particl-core = callPackage ./particl/particl-core.nix { miniupnpc = miniupnpc_2; };
|
||||
}
|
|
@ -1,33 +1,29 @@
|
|||
{ fetchFromGitHub, stdenv, pythonPackages, gtk3, gobject-introspection, libnotify
|
||||
, gst_all_1, wrapGAppsHook }:
|
||||
{ stdenv, fetchFromGitHub, meson, ninja, pkgconfig, appstream-glib
|
||||
, wrapGAppsHook, pythonPackages, gtk3, gnome3, gobject-introspection
|
||||
, libnotify, libsecret, gst_all_1 }:
|
||||
|
||||
pythonPackages.buildPythonApplication rec {
|
||||
pname = "pithos";
|
||||
version = "1.1.2";
|
||||
version = "1.4.1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = pname;
|
||||
repo = pname;
|
||||
rev = version;
|
||||
sha256 = "0zk9clfawsnwmgjbk7y5d526ksxd1pkh09ln6sb06v4ygaiifcxp";
|
||||
sha256 = "0vaw0rfcdh4bsp9b8la9bs36kw0iwia54y5x060byxhff9av6nj4";
|
||||
};
|
||||
|
||||
# No tests in repo
|
||||
doCheck = false;
|
||||
format = "other";
|
||||
|
||||
postPatch = ''
|
||||
substituteInPlace setup.py --replace "/usr/share" "$out/share"
|
||||
chmod +x meson_post_install.py
|
||||
patchShebangs meson_post_install.py
|
||||
'';
|
||||
|
||||
postInstall = ''
|
||||
mkdir -p $out/share/applications
|
||||
cp -v data/pithos.desktop $out/share/applications
|
||||
'';
|
||||
|
||||
buildInputs = [ wrapGAppsHook ];
|
||||
nativeBuildInputs = [ meson ninja pkgconfig appstream-glib wrapGAppsHook ];
|
||||
|
||||
propagatedBuildInputs =
|
||||
[ gtk3 gobject-introspection libnotify ] ++
|
||||
[ gtk3 gobject-introspection libnotify libsecret gnome3.adwaita-icon-theme ] ++
|
||||
(with gst_all_1; [ gstreamer gst-plugins-base gst-plugins-good gst-plugins-ugly gst-plugins-bad ]) ++
|
||||
(with pythonPackages; [ pygobject3 pylast ]);
|
||||
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
{ stdenv, fetchFromGitHub
|
||||
, wrapQtAppsHook, makeDesktopItem
|
||||
{ mkDerivation, lib, makeDesktopItem, fetchFromGitHub
|
||||
, qtbase, qmake, qtmultimedia, qttools
|
||||
, qtgraphicaleffects, qtdeclarative
|
||||
, qtlocation, qtquickcontrols, qtquickcontrols2
|
||||
|
@ -9,21 +8,9 @@
|
|||
, hidapi
|
||||
}:
|
||||
|
||||
with stdenv.lib;
|
||||
with lib;
|
||||
|
||||
let
|
||||
qmlPath = qmlLib: "${qmlLib}/${qtbase.qtQmlPrefix}";
|
||||
|
||||
qml2ImportPath = concatMapStringsSep ":" qmlPath [
|
||||
qtbase.bin qtmultimedia.bin qtgraphicaleffects
|
||||
qtdeclarative.bin qtlocation.bin
|
||||
qtquickcontrols qtquickcontrols2.bin
|
||||
qtwebchannel.bin qtwebengine.bin qtxmlpatterns
|
||||
];
|
||||
|
||||
in
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
mkDerivation rec {
|
||||
pname = "monero-gui";
|
||||
version = "0.14.1.2";
|
||||
|
||||
|
@ -34,7 +21,7 @@ stdenv.mkDerivation rec {
|
|||
sha256 = "1rm043r6y2mzy8pclnzbjjfxgps8pkfa2b92p66k8y8rdmgq6m1k";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [ qmake pkgconfig wrapQtAppsHook ];
|
||||
nativeBuildInputs = [ qmake pkgconfig ];
|
||||
|
||||
buildInputs = [
|
||||
qtbase qtmultimedia qtgraphicaleffects
|
||||
|
@ -46,9 +33,7 @@ stdenv.mkDerivation rec {
|
|||
cppzmq hidapi
|
||||
];
|
||||
|
||||
patches = [
|
||||
./move-log-file.patch
|
||||
];
|
||||
patches = [ ./move-log-file.patch ];
|
||||
|
||||
postPatch = ''
|
||||
echo '
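Review bot: The `let` block defining `qmlPath` and `qml2ImportPath` is removed together with `wrapQtAppsHook`, but the rest of the derivation (`postInstall` and any wrapper invocation) lies outside these hunks; if anything there still refers to `qml2ImportPath` or relies on the hook's wrapping, the file no longer evaluates or the installed binary loses its QML import path. Worth confirming that the remainder of the file was reverted in step and that the `mkDerivation` now taken from the Qt package set performs the wrapping the dropped hook used to do. A short comment on the `mkDerivation rec {` line, e.g. `# Qt wrapping (plugin/QML paths) is provided by the Qt package set's mkDerivation`, would make that dependency explicit for the next migration.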
|
|
@ -14,9 +14,9 @@ let
|
|||
};
|
||||
betaVersion = stableVersion;
|
||||
latestVersion = { # canary & dev
|
||||
version = "3.6.0.7"; # "Android Studio 3.6 Canary 7"
|
||||
build = "192.5807797";
|
||||
sha256Hash = "1l47miiyd8z7v0hbvda06953pp9ilyrsma83gxqx35ghnc0n7g81";
|
||||
version = "3.6.0.9"; # "Android Studio 3.6 Canary 9"
|
||||
build = "192.5830636";
|
||||
sha256Hash = "0c9zmxf2scsf9pygcbabzngl7cdyjgpir5pggjaj535ni0nsrr7p";
|
||||
};
|
||||
in {
|
||||
# Attributes are named by their corresponding release channels
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
{ stdenv, fetchurl, emacs }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "auto-complete-1.3.1";
|
||||
|
||||
src = fetchurl {
|
||||
url = "http://cx4a.org/pub/auto-complete/${name}.tar.bz2";
|
||||
sha256 = "124qxfp0pcphwlmrasbfrci48brxnrzc38h4wcf2sn20x1mvcrlj";
|
||||
};
|
||||
|
||||
buildInputs = [ emacs ];
|
||||
|
||||
preInstall = ''
|
||||
install -d $out/share/emacs/site-lisp
|
||||
'';
|
||||
|
||||
installFlags = "DIR=$(out)/share/emacs/site-lisp";
|
||||
|
||||
postInstall = ''
|
||||
ln -s javascript-mode $out/share/emacs/site-lisp/ac-dict/js2-mode
|
||||
'';
|
||||
|
||||
meta = {
|
||||
description = "Auto-complete extension for Emacs";
|
||||
homepage = http://cx4a.org/software/auto-complete/;
|
||||
license = stdenv.lib.licenses.gpl3Plus;
|
||||
|
||||
platforms = stdenv.lib.platforms.all;
|
||||
};
|
||||
}
|
|
@ -1,25 +0,0 @@
|
|||
{ stdenv, fetchurl, emacs }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "bbdb-3.1.2";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://download.savannah.gnu.org/releases/bbdb/${name}.tar.gz";
|
||||
sha256 = "1gs16bbpiiy01w9pyg12868r57kx1v3hnw04gmqsmpc40l1hyy05";
|
||||
};
|
||||
|
||||
buildInputs = [ emacs ];
|
||||
|
||||
# Hack to disable documentation as there is no way to tell bbdb to
|
||||
# NOT build pdfs. I really don't want to pull in TexLive here...
|
||||
preConfigure = ''
|
||||
substituteInPlace ./Makefile.in \
|
||||
--replace "SUBDIRS = lisp doc tex" "SUBDIRS = lisp"
|
||||
'';
|
||||
|
||||
meta = {
|
||||
homepage = https://savannah.nongnu.org/projects/bbdb/;
|
||||
description = "The Insidious Big Brother Database (BBDB), a contact management utility for Emacs, version 3";
|
||||
license = "GPL";
|
||||
};
|
||||
}
|