public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:NixOS/nixpkgs

This commit is contained in:
Aristid Breitkreuz 2017-04-07 20:44:40 +02:00
parent d486006e06 a5ee494046
commit be6e9dce32
1262 changed files with 36462 additions and 20613 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.mention-bot
View File

@ -2,7 +2,8 @@
"userBlacklist": [
"civodul",
"jhasse",
"shlevy"
"shlevy",
"bbenoist"
],
"alwaysNotifyForPaths": [
{ "name": "FRidh", "files": ["pkgs/top-level/python-packages.nix", "pkgs/development/interpreters/python/*", "pkgs/development/python-modules/*" ] },

8
.travis.yml
View File

@ -1,8 +1,14 @@
language: nix
sudo: true
# 'sudo: false' == containers that start fast, but only get 4G ram;
# 'sudo: true' == VMs that start slow, but with 8G
# ..as per: https://docs.travis-ci.com/user/ci-environment/#Virtualization-environments
# Nixpkgs PR tests OOM with 4G: https://github.com/NixOS/nixpkgs/issues/24200
matrix:
include:
- os: linux
sudo: false
sudo: required
script:
- ./maintainers/scripts/travis-nox-review-pr.sh nixpkgs-verify nixpkgs-manual nixpkgs-tarball nixpkgs-unstable
- ./maintainers/scripts/travis-nox-review-pr.sh nixos-options nixos-manual

8
README.md
View File

@ -13,12 +13,12 @@ build daemon as so-called channels. To get channel information via git, add
```
For stability and maximum binary package support, it is recommended to maintain
custom changes on top of one of the channels, e.g. `nixos-16.09` for the latest
custom changes on top of one of the channels, e.g. `nixos-17.03` for the latest
release and `nixos-unstable` for the latest successful build of master:
```
% git remote update channels
% git rebase channels/nixos-16.09
% git rebase channels/nixos-17.03
```
For pull-requests, please rebase onto nixpkgs `master`.
@ -32,9 +32,9 @@ For pull-requests, please rebase onto nixpkgs `master`.
* [Manual (NixOS)](https://nixos.org/nixos/manual/)
* [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
* [Continuous package builds for 16.09 release](https://hydra.nixos.org/jobset/nixos/release-16.09)
* [Continuous package builds for 17.03 release](https://hydra.nixos.org/jobset/nixos/release-17.03)
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
* [Tests for 16.09 release](https://hydra.nixos.org/job/nixos/release-16.09/tested#tabs-constituents)
* [Tests for 17.03 release](https://hydra.nixos.org/job/nixos/release-17.03/tested#tabs-constituents)
Communication:

12
default.nix
View File

@ -2,7 +2,17 @@ let requiredVersion = import ./lib/minver.nix; in
if ! builtins ? nixVersion || builtins.compareVersions requiredVersion builtins.nixVersion == 1 then
abort "This version of Nixpkgs requires Nix >= ${requiredVersion}, please upgrade! See https://nixos.org/wiki/How_to_update_when_Nix_is_too_old_to_evaluate_Nixpkgs"
abort ''
This version of Nixpkgs requires Nix >= ${requiredVersion}, please upgrade:
- If you are running NixOS, use `nixos-rebuild' to upgrade your system.
- If you installed Nix using the install script (https://nixos.org/nix/install),
it is safe to upgrade by running it again:
curl https://nixos.org/nix/install | sh
''
else

4
doc/default.nix
View File

@ -68,6 +68,10 @@ pkgs.stdenv.mkDerivation {
inputFile = ../pkgs/development/r-modules/README.md;
outputFile = "languages-frameworks/r.xml";
}
+ toDocbook {
inputFile = ./languages-frameworks/rust.md;
outputFile = "./languages-frameworks/rust.xml";
}
+ toDocbook {
inputFile = ./languages-frameworks/vim.md;
outputFile = "./languages-frameworks/vim.xml";

2
doc/functions.xml
View File

@ -529,7 +529,7 @@
<note>
<para>
If you see errors similar to <literal>getProtocolByName: does not exist (no such protocol name: tcp)</literal>
you may need to add <literal>pkgs.iana_etc</literal> to <varname>contents</varname>.
you may need to add <literal>pkgs.iana-etc</literal> to <varname>contents</varname>.
</para>
</note>

1
doc/languages-frameworks/index.xml
View File

@ -27,6 +27,7 @@ such as Perl or Haskell. These are described in this chapter.</para>
<xi:include href="qt.xml" />
<xi:include href="r.xml" /> <!-- generated from ../../pkgs/development/r-modules/README.md -->
<xi:include href="ruby.xml" />
<xi:include href="rust.xml" />
<xi:include href="texlive.xml" />
<xi:include href="vim.xml" />

34
doc/languages-frameworks/python.md
View File

@ -3,7 +3,7 @@
## User Guide
Several versions of Python are available on Nix as well as a high amount of
packages. The default interpreter is CPython 3.5.
packages. The default interpreter is CPython 2.7.
### Using Python
@ -131,7 +131,7 @@ specify some (optional) [meta information](http://nixos.org/nixpkgs/manual/#chap
The output of the function is a derivation, which is an attribute with the name
`toolz` of the set `pythonPackages`. Actually, sets are created for all interpreter versions,
so `python27Packages`, `python34Packages`, `python35Packages` and `pypyPackages`.
so e.g. `python27Packages`, `python35Packages` and `pypyPackages`.
The above example works when you're directly working on
`pkgs/top-level/python-packages.nix` in the Nixpkgs repository. Often though,
@ -422,8 +422,8 @@ and in this case the `python35` interpreter is automatically used.
### Interpreters
Versions 2.6, 2.7, 3.3, 3.4 and 3.5 of the CPython interpreter are available as respectively
`python26`, `python27`, `python33`, `python34` and `python35`. The PyPy interpreter
Versions 2.7, 3.3, 3.4, 3.5 and 3.6 of the CPython interpreter are available as
respectively `python27`, `python33`, `python34`, `python35` and `python36`. The PyPy interpreter
is available as `pypy`. The aliases `python2` and `python3` correspond to respectively `python27` and
`python35`. The default interpreter, `python`, maps to `python2`.
The Nix expressions for the interpreters can be found in
@ -472,6 +472,7 @@ sets are
* `pkgs.python33Packages`
* `pkgs.python34Packages`
* `pkgs.python35Packages`
* `pkgs.python36Packages`
* `pkgs.pypyPackages`
and the aliases
@ -674,8 +675,8 @@ deterministic bytecode. This has security implications and is relevant for
those using Python in a `nix-shell`.
When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will have timestamp 1.
The `buildPythonPackage` function sets `DETERMINISTIC_BUILD` as well as
[PYTHONHASHSEED](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED).
The `buildPythonPackage` function sets `DETERMINISTIC_BUILD=1` and
[PYTHONHASHSEED=0](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED).
Both are also exported in `nix-shell`.
@ -897,6 +898,27 @@ is executed it will attempt to download the python modules listed in
requirements.txt. However these will be cached locally within the `virtualenv`
folder and not downloaded again.
### How to override a Python package from `configuration.nix`?
If you need to change a package's attribute(s) from `configuration.nix` you could do:
```nix
nixpkgs.config.packageOverrides = superP: {
pythonPackages = superP.pythonPackages.override {
overrides = self: super: {
bepasty-server = super.bepasty-server.overrideAttrs ( oldAttrs: {
src = pkgs.fetchgit {
url = "https://github.com/bepasty/bepasty-server";
sha256 = "9ziqshmsf0rjvdhhca55sm0x8jz76fsf2q4rwh4m6lpcf8wr0nps";
rev = "e2516e8cf4f2afb5185337073607eb9e84a61d2d";
};
});
};
};
};
```
If you are using the `bepasty-server` package somewhere, for example in `systemPackages` or indirectly from `services.bepasty`, then a `nixos-rebuild switch` will rebuild the system but with the `bepasty-server` package using a different `src` attribute. This way one can modify `python` based software/libraries easily. Using `self` and `super` one can also alter dependencies (`buildInputs`) between the old state (`self`) and new state (`super`).
## Contributing

91
doc/languages-frameworks/rust.md Normal file
View File

@ -0,0 +1,91 @@
---
title: Rust
author: Matthias Beyer
date: 2017-03-05
---
# User's Guide to the Rust Infrastructure
To install the rust compiler and cargo put
```
rustStable.rustc
rustStable.cargo
```
into the `environment.systemPackages` or bring them into scope with
`nix-shell -p rustStable.rustc -p rustStable.cargo`.
There are also `rustBeta` and `rustNightly` package sets available.
These are not updated very regulary. For daily builds see
[Using the Rust nightlies overlay](#using-the-rust-nightlies-overlay)
## Packaging Rust applications
Rust applications are packaged by using the `buildRustPackage` helper from `rustPlatform`:
```
with rustPlatform;
buildRustPackage rec {
name = "ripgrep-${version}";
version = "0.4.0";
src = fetchFromGitHub {
owner = "BurntSushi";
repo = "ripgrep";
rev = "${version}";
sha256 = "0y5d1n6hkw85jb3rblcxqas2fp82h3nghssa4xqrhqnz25l799pj";
};
depsSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx";
meta = with stdenv.lib; {
description = "A utility that combines the usability of The Silver Searcher with the raw speed of grep";
homepage = https://github.com/BurntSushi/ripgrep;
license = with licenses; [ unlicense ];
maintainers = [ maintainers.tailhook ];
platforms = platforms.all;
};
}
```
`buildRustPackage` requires a `depsSha256` attribute which is computed over
all crate sources of this package. Currently it is obtained by inserting a
fake checksum into the expression and building the package once. The correct
checksum can be then take from the failed build.
To install crates with nix there is also an experimental project called
[nixcrates](https://github.com/fractalide/nixcrates).
## Using the Rust nightlies overlay
Mozilla provides an overlay for nixpkgs to bring a nightly version of Rust into scope.
This overlay can _also_ be used to install recent unstable or stable versions
of Rust, if desired.
To use this overlay, clone
[nixpkgs-mozilla](https://github.com/mozilla/nixpkgs-mozilla),
and create a symbolic link to the file
[rust-overlay.nix](https://github.com/mozilla/nixpkgs-mozilla/blob/master/rust-overlay.nix)
in the `~/.config/nixpkgs/overlays` directory.
$ git clone https://github.com/mozilla/nixpkgs-mozilla.git
$ mkdir -p ~/.config/nixpkgs/overlays
$ ln -s $(pwd)/nixpkgs-mozilla/rust-overlay.nix ~/.config/nixpkgs/overlays/rust-overlay.nix
The latest version can be installed with the following command:
$ nix-env -Ai nixos.rustChannels.stable.rust
Or using the attribute with nix-shell:
$ nix-shell -p nixos.rustChannels.stable.rust
To install the beta or nightly channel, "stable" should be substituted by
"nightly" or "beta", or
use the function provided by this overlay to pull a version based on a
build date.
The overlay automatically updates itself as it uses the same source as
[rustup](https://www.rustup.rs/).

4
doc/overlays.xml
View File

@ -34,7 +34,7 @@ first one present is considered, and all the rest are ignored:
<listitem>
<para>In the directory <filename>~/.nixpkgs/overlays/</filename>.</para>
<para>In the directory <filename>~/.config/nixpkgs/overlays/</filename>.</para>
</listitem>
</orderedlist>
@ -50,7 +50,7 @@ the same recipe. In the case where overlays are loaded from a directory, they ar
alphabetical order.</para>
<para>To install an overlay using the last option, you can clone the overlay's repository and add
a symbolic link to it in <filename>~/.nixpkgs/overlays/</filename> directory.</para>
a symbolic link to it in <filename>~/.config/nixpkgs/overlays/</filename> directory.</para>
</section>

4
lib/attrsets.nix
View File

@ -1,12 +1,12 @@
# Operations on attribute sets.
with {
let
inherit (builtins) head tail length;
inherit (import ./trivial.nix) or;
inherit (import ./default.nix) fold;
inherit (import ./strings.nix) concatStringsSep;
inherit (import ./lists.nix) concatMap concatLists all deepSeqList;
};
in
rec {
inherit (builtins) attrNames listToAttrs hasAttr isAttrs getAttr;

41
lib/lists.nix
View File

@ -16,17 +16,22 @@ rec {
*/
singleton = x: [x];
/* "Fold" a binary function `op' between successive elements of
`list' with `nul' as the starting value, i.e., `fold op nul [x_1
x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))'. (This is
Haskell's foldr).
/* right fold a binary function `op' between successive elements of
`list' with `nul' as the starting value, i.e.,
`foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))'.
Type:
foldr :: (a -> b -> b) -> b -> [a] -> b
Example:
concat = fold (a: b: a + b) "z"
concat = foldr (a: b: a + b) "z"
concat [ "a" "b" "c" ]
=> "abcz"
# different types
strange = foldr (int: str: toString (int + 1) + str) "a"
strange [ 1 2 3 4 ]
=> "2345a"
*/
fold = op: nul: list:
foldr = op: nul: list:
let
len = length list;
fold' = n:
@ -35,13 +40,25 @@ rec {
else op (elemAt list n) (fold' (n + 1));
in fold' 0;
/* Left fold: `fold op nul [x_1 x_2 ... x_n] == op (... (op (op nul
x_1) x_2) ... x_n)'.
/* `fold' is an alias of `foldr' for historic reasons */
# FIXME(Profpatsch): deprecate?
fold = foldr;
/* left fold, like `foldr', but from the left:
`foldl op nul [x_1 x_2 ... x_n] == op (... (op (op nul x_1) x_2) ... x_n)`.
Type:
foldl :: (b -> a -> b) -> b -> [a] -> b
Example:
lconcat = foldl (a: b: a + b) "z"
lconcat [ "a" "b" "c" ]
=> "zabc"
# different types
lstrange = foldl (str: int: str + toString (int + 1)) ""
strange [ 1 2 3 4 ]
=> "a2345"
*/
foldl = op: nul: list:
let
@ -52,7 +69,7 @@ rec {
else op (foldl' (n - 1)) (elemAt list n);
in foldl' (length list - 1);
/* Strict version of foldl.
/* Strict version of `foldl'.
The difference is that evaluation is forced upon access. Usually used
with small whole results (in contract with lazily-generated list or large
@ -140,7 +157,7 @@ rec {
any isString [ 1 { } ]
=> false
*/
any = builtins.any or (pred: fold (x: y: if pred x then true else y) false);
any = builtins.any or (pred: foldr (x: y: if pred x then true else y) false);
/* Return true iff function `pred' returns true for all elements of
`list'.
@ -151,7 +168,7 @@ rec {
all (x: x < 3) [ 1 2 3 ]
=> false
*/
all = builtins.all or (pred: fold (x: y: if pred x then y else false) true);
all = builtins.all or (pred: foldr (x: y: if pred x then y else false) true);
/* Count how many times function `pred' returns true for the elements
of `list'.
@ -219,7 +236,7 @@ rec {
=> { right = [ 5 3 4 ]; wrong = [ 1 2 ]; }
*/
partition = builtins.partition or (pred:
fold (h: t:
foldr (h: t:
if pred h
then { right = [h] ++ t.right; wrong = t.wrong; }
else { right = t.right; wrong = [h] ++ t.wrong; }

20
lib/maintainers.nix
View File

@ -14,6 +14,7 @@
aboseley = "Adam Boseley <adam.boseley@gmail.com>";
abuibrahim = "Ruslan Babayev <ruslan@babayev.com>";
acowley = "Anthony Cowley <acowley@gmail.com>";
adelbertc = "Adelbert Chang <adelbertc@gmail.com>";
adev = "Adrien Devresse <adev@adev.name>";
Adjective-Object = "Maxwell Huang-Hobbs <mhuan13@gmail.com>";
adnelson = "Allen Nelson <ithinkican@gmail.com>";
@ -24,6 +25,7 @@
aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
afranchuk = "Alex Franchuk <alex.franchuk@gmail.com>";
aherrmann = "Andreas Herrmann <andreash87@gmx.ch>";
ahmedtd = "Taahir Ahmed <ahmed.taahir@gmail.com>";
ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";
akc = "Anders Claesson <akc@akc.is>";
@ -59,7 +61,6 @@
badi = "Badi' Abdul-Wahid <abdulwahidc@gmail.com>";
balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
Baughn = "Svein Ove Aas <sveina@gmail.com>";
bbenoist = "Baptist BENOIST <return_0@live.com>";
bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>";
@ -82,6 +83,7 @@
bzizou = "Bruno Bzeznik <Bruno@bzizou.net>";
c0dehero = "CodeHero <codehero@nerdpol.ch>";
calrama = "Moritz Maxeiner <moritz@ucworks.org>";
calvertvl = "Victor Calvert <calvertvl@gmail.com>";
campadrenalin = "Philip Horger <campadrenalin@gmail.com>";
canndrew = "Andrew Cann <shum@canndrew.org>";
carlsverre = "Carl Sverre <accounts@carlsverre.com>";
@ -134,6 +136,7 @@
dgonyeo = "Derek Gonyeo <derek@gonyeo.com>";
dipinhora = "Dipin Hora <dipinhora+github@gmail.com>";
dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
DmitryTsygankov = "Dmitry Tsygankov <dmitry.tsygankov@gmail.com>";
dmjio = "David Johnson <djohnson.m@gmail.com>";
dochang = "Desmond O. Chang <dochang@gmail.com>";
domenkozar = "Domen Kozar <domen@dev.si>";
@ -141,6 +144,7 @@
dpaetzel = "David Pätzel <david.a.paetzel@gmail.com>";
drets = "Dmytro Rets <dmitryrets@gmail.com>";
drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
dsferruzza = "David Sferruzza <david.sferruzza@gmail.com>";
dtzWill = "Will Dietz <nix@wdtz.org>";
e-user = "Alexander Kahl <nixos@sodosopa.io>";
ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
@ -180,6 +184,7 @@
ftrvxmtrx = "Siarhei Zirukin <ftrvxmtrx@gmail.com>";
funfunctor = "Edward O'Callaghan <eocallaghan@alterapraxis.com>";
fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
fuzzy-id = "Thomas Bach <hacking+nixos@babibo.de>";
fxfactorial = "Edgar Aroutiounian <edgar.factorial@gmail.com>";
gal_bolle = "Florent Becker <florent.becker@ens-lyon.org>";
garbas = "Rok Garbas <rok@garbas.si>";
@ -215,6 +220,7 @@
ivan-tkatchev = "Ivan Tkatchev <tkatchev@gmail.com>";
j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
jansol = "Jan Solanti <jan.solanti@paivola.fi>";
javaguirre = "Javier Aguirre <contacto@javaguirre.net>";
jb55 = "William Casarin <bill@casarin.me>";
jbedo = "Justin Bedő <cu@cua0.org>";
@ -237,6 +243,7 @@
jonafato = "Jon Banafato <jon@jonafato.com>";
jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
jpierre03 = "Jean-Pierre PRUNARET <nix@prunetwork.fr>";
jpotier = "Martin Potier <jpo.contributes.to.nixos@marvid.fr>";
jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
juliendehos = "Julien Dehos <dehos@lisic.univ-littoral.fr>";
jwiegley = "John Wiegley <johnw@newartisans.com>";
@ -314,6 +321,7 @@
michalrus = "Michal Rus <m@michalrus.com>";
michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
mikefaille = "Michaël Faille <michael@faille.io>";
miltador = "Vasiliy Solovey <miltador@yandex.ua>";
mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
mingchuan = "Ming Chuan <ming@culpring.com>";
mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
@ -344,6 +352,7 @@
nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
ndowens = "Nathan Owens <ndowens04@gmail.com>";
neeasade = "Nathan Isom <nathanisom27@gmail.com>";
nequissimus = "Tim Steinbach <tim@nequissimus.com>";
nfjinjing = "Jinjing Wang <nfjinjing@gmail.com>";
nhooyr = "Anmol Sethi <anmol@aubble.com>";
@ -378,6 +387,7 @@
pashev = "Igor Pashev <pashev.igor@gmail.com>";
patternspandemic = "Brad Christensen <patternspandemic@live.com>";
pawelpacana = "Paweł Pacana <pawel.pacana@gmail.com>";
pbogdan = "Piotr Bogdan <ppbogdan@gmail.com>";
periklis = "theopompos@gmail.com";
pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
peterhoeg = "Peter Hoeg <peter@hoeg.com>";
@ -394,6 +404,7 @@
pjones = "Peter Jones <pjones@devalot.com>";
pkmx = "Chih-Mao Chen <pkmx.tw@gmail.com>";
plcplc = "Philip Lykke Carlsen <plcplc@gmail.com>";
plumps = "Maksim Bronsky <maks.bronsky@web.de";
pmahoney = "Patrick Mahoney <pat@polycrystal.org>";
pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
polyrod = "Maurizio Di Pietro <dc1mdp@gmail.com>";
@ -455,6 +466,8 @@
scolobb = "Sergiu Ivanov <sivanov@colimite.fr>";
sepi = "Raffael Mancini <raffael@mancini.lu>";
seppeljordan = "Sebastian Jordan <sebastian.jordan.mail@googlemail.com>";
shanemikel = "Shane Pearlman <shanemikel1@gmail.com>";
shawndellysse = "Shawn Dellysse <sdellysse@gmail.com>";
sheenobu = "Sheena Artrip <sheena.artrip@gmail.com>";
sheganinans = "Aistis Raulinaitis <sheganinans@gmail.com>";
shell = "Shell Turner <cam.turn@gmail.com>";
@ -488,6 +501,7 @@
tailhook = "Paul Colomiets <paul@colomiets.name>";
takikawa = "Asumu Takikawa <asumu@igalia.com>";
taktoa = "Remy Goldschmidt <taktoa@gmail.com>";
taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>";
tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
teh = "Tom Hunger <tehunger@gmail.com>";
telotortium = "Robert Irelan <rirelan@gmail.com>";
@ -510,7 +524,8 @@
tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
twey = "James Twey Kay <twey@twey.co.uk>";
uralbash = "Svintsov Dmitry <root@uralbash.ru>";
urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
utdemir = "Utku Demir <me@utdemir.com>";
#urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>"; inactive since 2012
uwap = "uwap <me@uwap.name>";
vandenoever = "Jos van den Oever <jos@vandenoever.info>";
vanzef = "Ivan Solyankin <vanzef@gmail.com>";
@ -540,6 +555,7 @@
wscott = "Wayne Scott <wsc9tt@gmail.com>";
wyvie = "Elijah Rum <elijahrum@gmail.com>";
xnwdd = "Guillermo NWDD <nwdd+nixos@no.team>";
xvapx = "Marti Serra <marti.serra.coscollano@gmail.com>";
xwvvvvwx = "David Terry <davidterry@posteo.de>";
yarr = "Dmitry V. <savraz@gmail.com>";
yochai = "Yochai <yochai@titat.info>";

6
lib/strings.nix
View File

@ -476,10 +476,8 @@ rec {
readPathsFromFile = rootPath: file:
let
root = toString rootPath;
lines =
builtins.map (lib.removeSuffix "\n")
(lib.splitString "\n" (builtins.readFile file));
removeComments = lib.filter (line: !(lib.hasPrefix "#" line));
lines = lib.splitString "\n" (builtins.readFile file);
removeComments = lib.filter (line: line != "" && !(lib.hasPrefix "#" line));
relativePaths = removeComments lines;
absolutePaths = builtins.map (path: builtins.toPath (root + "/" + path)) relativePaths;
in

35
lib/tests.nix
View File

@ -1,3 +1,6 @@
# to run these tests:
# nix-instantiate --eval --strict nixpkgs/lib/tests.nix
# if the resulting list is empty, all tests passed
let inherit (builtins) add; in
with import ./default.nix;
@ -45,10 +48,34 @@ runTests {
expected = ["b" "c"];
};
testFold = {
expr = fold (builtins.add) 0 (range 0 100);
expected = 5050;
};
testFold =
let
f = op: fold: fold op 0 (range 0 100);
# fold with associative operator
assoc = f builtins.add;
# fold with non-associative operator
nonAssoc = f builtins.sub;
in {
expr = {
assocRight = assoc foldr;
# right fold with assoc operator is same as left fold
assocRightIsLeft = assoc foldr == assoc foldl;
nonAssocRight = nonAssoc foldr;
nonAssocLeft = nonAssoc foldl;
# with non-assoc operator the fold results are not the same
nonAssocRightIsNotLeft = nonAssoc foldl != nonAssoc foldr;
# fold is an alias for foldr
foldIsRight = nonAssoc fold == nonAssoc foldr;
};
expected = {
assocRight = 5050;
assocRightIsLeft = true;
nonAssocRight = 50;
nonAssocLeft = (-5050);
nonAssocRightIsNotLeft = true;
foldIsRight = true;
};
};
testTake = testAllTrue [
([] == (take 0 [ 1 2 3 ]))

33
lib/trivial.nix
View File

@ -1,17 +1,44 @@
rec {
# Identity function.
/* The identity function
For when you need a function that does nothing.
Type: id :: a -> a
*/
id = x: x;
# Constant function.
/* The constant function
Ignores the second argument.
Or: Construct a function that always returns a static value.
Type: const :: a -> b -> a
Example:
let f = const 5; in f 10
=> 5
*/
const = x: y: x;
# Named versions corresponding to some builtin operators.
## Named versions corresponding to some builtin operators.
/* Concat two strings */
concat = x: y: x ++ y;
/* boolean or */
or = x: y: x || y;
/* boolean and */
and = x: y: x && y;
/* Merge two attribute sets shallowly, right side trumps left
Example:
mergeAttrs { a = 1; b = 2; } // { b = 3; c = 4; }
=> { a = 1; b = 3; c = 4; }
*/
mergeAttrs = x: y: x // y;
# Compute the fixed point of the given function `f`, which is usually an
# attribute set that expects its final, non-recursive representation as an
# argument:

2
lib/types.nix
View File

@ -6,7 +6,7 @@ with import ./attrsets.nix;
with import ./options.nix;
with import ./trivial.nix;
with import ./strings.nix;
with {inherit (import ./modules.nix) mergeDefinitions filterOverrides; };
let inherit (import ./modules.nix) mergeDefinitions filterOverrides; in
rec {

4
maintainers/scripts/hydra-eval-failures.py
View File

@ -48,8 +48,8 @@ def get_maintainers(attr_name):
@click.command()
@click.option(
'--jobset',
default="nixos/release-16.09",
help='Hydra project like nixos/release-16.09')
default="nixos/release-17.03",
help='Hydra project like nixos/release-17.03')
def cli(jobset):
"""
Given a Hydra project, inspect latest evaluation

277
maintainers/scripts/nix-diff.sh Executable file
View File

@ -0,0 +1,277 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p coreutils gnugrep gnused
################################################################################
# nix-diff.sh #
################################################################################
# This script "diffs" Nix profile generations. #
# #
# Example: #
################################################################################
# > nix-diff.sh 90 92 #
# + gnumake-4.2.1 #
# + gnumake-4.2.1-doc #
# - htmldoc-1.8.29 #
################################################################################
# The example shows that as of generation 92 and since generation 90, #
# gnumake-4.2.1 and gnumake-4.2.1-doc have been installed, while #
# htmldoc-1.8.29 has been removed. #
# #
# The example above shows the default, minimal output mode of this script. #
# For more features, run `nix-diff.sh -h` for usage instructions. #
################################################################################
usage() {
cat <<EOF
usage: nix-diff.sh [-h | [-p profile | -s] [-q] [-l] [range]]
-h: print this message before exiting
-q: list the derivations installed in the parent generation
-l: diff every available intermediate generation between parent and
child
-p profile: specify the Nix profile to use
* defaults to ~/.nix-profile
-s: use the system profile
* equivalent to: -p /nix/var/nix/profiles/system
profile: * should be something like /nix/var/nix/profiles/default, not a
generation link like /nix/var/nix/profiles/default-2-link
range: the range of generations to diff
* the following patterns are allowed, where A, B, and N are positive
integers, and G is the currently active generation:
A..B => diffs from generation A to generation B
~N => diffs from the Nth newest generation (older than G) to G
A => diffs from generation A to G
* defaults to ~1
EOF
}
usage_tip() {
echo 'run `nix-diff.sh -h` for usage instructions' >&2
exit 1
}
while getopts :hqlp:s opt; do
case $opt in
h)
usage
exit
;;
q)
opt_query=1
;;
l)
opt_log=1
;;
p)
opt_profile=$OPTARG
;;
s)
opt_profile=/nix/var/nix/profiles/system
;;
\?)
echo "error: invalid option -$OPTARG" >&2
usage_tip
;;
esac
done
shift $((OPTIND-1))
if [ -n "$opt_profile" ]; then
if ! [ -L "$opt_profile" ]; then
echo "error: expecting \`$opt_profile\` to be a symbolic link" >&2
usage_tip
fi
else
opt_profile=$(readlink ~/.nix-profile)
if (( $? != 0 )); then
echo 'error: unable to dereference `~/.nix-profile`' >&2
echo 'specify the profile manually with the `-p` flag' >&2
usage_tip
fi
fi
list_gens() {
nix-env -p "$opt_profile" --list-generations \
| sed -r 's:^\s*::' \
| cut -d' ' -f1
}
current_gen() {
nix-env -p "$opt_profile" --list-generations \
| grep -E '\(current\)\s*$' \
| sed -r 's:^\s*::' \
| cut -d' ' -f1
}
neg_gen() {
local i=0 from=$1 n=$2 tmp
for gen in $(list_gens | sort -rn); do
if ((gen < from)); then
tmp=$gen
((i++))
((i == n)) && break
fi
done
if ((i < n)); then
echo -n "error: there aren't $n generation(s) older than" >&2
echo " generation $from" >&2
return 1
fi
echo $tmp
}
match() {
argv=("$@")
for i in $(seq $(($#-1))); do
if grep -E "^${argv[$i]}\$" <(echo "$1") >/dev/null; then
echo $i
return
fi
done
echo 0
}
case $(match "$1" '' '[0-9]+' '[0-9]+\.\.[0-9]+' '~[0-9]+') in
1)
diffTo=$(current_gen)
diffFrom=$(neg_gen $diffTo 1)
(($? == 1)) && usage_tip
;;
2)
diffFrom=$1
diffTo=$(current_gen)
;;
3)
diffFrom=${1%%.*}
diffTo=${1##*.}
;;
4)
diffTo=$(current_gen)
diffFrom=$(neg_gen $diffTo ${1#*~})
(($? == 1)) && usage_tip
;;
0)
echo 'error: invalid invocation' >&2
usage_tip
;;
esac
dirA="${opt_profile}-${diffFrom}-link"
dirB="${opt_profile}-${diffTo}-link"
declare -a temp_files
temp_length() {
echo -n ${#temp_files[@]}
}
temp_make() {
temp_files[$(temp_length)]=$(mktemp)
}
temp_clean() {
rm -f ${temp_files[@]}
}
temp_name() {
echo -n "${temp_files[$(($(temp_length)-1))]}"
}
trap 'temp_clean' EXIT
temp_make
versA=$(temp_name)
refs=$(nix-store -q --references "$dirA")
(( $? != 0 )) && exit 1
echo "$refs" \
| grep -v env-manifest.nix \
| sort \
> "$versA"
print_tag() {
local gen=$1
nix-env -p "$opt_profile" --list-generations \
| grep -E "^\s*${gen}" \
| sed -r 's:^\s*::' \
| sed -r 's:\s*$::'
}
if [ -n "$opt_query" ]; then
print_tag $diffFrom
cat "$versA" \
| sed -r 's:^[^-]+-(.*)$: \1:'
print_line=1
fi
if [ -n "$opt_log" ]; then
gens=$(for gen in $(list_gens); do
((diffFrom < gen && gen < diffTo)) && echo $gen
done)
# Force the $diffTo generation to be included in this list, instead of using
# `gen <= diffTo` in the preceding loop, so we encounter an error upon the
# event of its nonexistence.
gens=$(echo "$gens"
echo $diffTo)
else
gens=$diffTo
fi
temp_make
add=$(temp_name)
temp_make
rem=$(temp_name)
temp_make
out=$(temp_name)
for gen in $gens; do
[ -n "$print_line" ] && echo
temp_make
versB=$(temp_name)
dirB="${opt_profile}-${gen}-link"
refs=$(nix-store -q --references "$dirB")
(( $? != 0 )) && exit 1
echo "$refs" \
| grep -v env-manifest.nix \
| sort \
> "$versB"
in=$(comm -3 -1 "$versA" "$versB")
sed -r 's:^[^-]*-(.*)$:\1+:' <(echo "$in") \
| sort -f \
> "$add"
un=$(comm -3 -2 "$versA" "$versB")
sed -r 's:^[^-]*-(.*)$:\1-:' <(echo "$un") \
| sort -f \
> "$rem"
cat "$rem" "$add" \
| sort -f \
| sed -r 's:(.*)-$:- \1:' \
| sed -r 's:(.*)\+$:\+ \1:' \
| grep -v '^$' \
> "$out"
if [ -n "$opt_query" -o -n "$opt_log" ]; then
lines=$(wc -l "$out" | cut -d' ' -f1)
tag=$(print_tag "$gen")
(( $? != 0 )) && exit 1
if [ $lines -eq 0 ]; then
echo "$tag (no change)"
else
echo "$tag"
fi
cat "$out" \
| sed 's:^: :'
print_line=1
else
echo "diffing from generation $diffFrom to $diffTo"
cat "$out"
fi
versA=$versB
done
exit 0

22
nixos/doc/manual/development/sources.xml
View File

@ -8,7 +8,7 @@
<para>By default, NixOSs <command>nixos-rebuild</command> command
uses the NixOS and Nixpkgs sources provided by the
<literal>nixos-unstable</literal> channel (kept in
<literal>nixos</literal> channel (kept in
<filename>/nix/var/nix/profiles/per-user/root/channels/nixos</filename>).
To modify NixOS, however, you should check out the latest sources from
Git. This is as follows:
@ -27,8 +27,8 @@ a subdirectory of the Nixpkgs repository.) The remote
<literal>channels</literal> refers to a read-only repository that
tracks the Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/>
for more information about channels). Thus, the Git branch
<literal>channels/nixos-14.12</literal> will contain the latest built
and tested version available in the <literal>nixos-14.12</literal>
<literal>channels/nixos-17.03</literal> will contain the latest built
and tested version available in the <literal>nixos-17.03</literal>
channel.</para>
<para>Its often inconvenient to develop directly on the master
@ -39,9 +39,9 @@ branch based on your current NixOS version:
<screen>
$ nixos-version
14.04.273.ea1952b (Baboon)
17.09pre104379.6e0b727 (Hummingbird)
$ git checkout -b local ea1952b
$ git checkout -b local 6e0b727
</screen>
Or, to base your local branch on the latest version available in a
@ -49,17 +49,17 @@ NixOS channel:
<screen>
$ git remote update channels
$ git checkout -b local channels/nixos-14.12
$ git checkout -b local channels/nixos-17.03
</screen>
(Replace <literal>nixos-14.12</literal> with the name of the channel
(Replace <literal>nixos-17.03</literal> with the name of the channel
you want to use.) You can use <command>git merge</command> or
<command>git rebase</command> to keep your local branch in sync with
the channel, e.g.
<screen>
$ git remote update channels
$ git merge channels/nixos-14.12
$ git merge channels/nixos-17.03
</screen>
You can use <command>git cherry-pick</command> to copy commits from
@ -87,7 +87,11 @@ $ ln -s <replaceable>/my/sources</replaceable>/nixpkgs ~/.nix-defexpr/nixpkgs
You may want to delete the symlink
<filename>~/.nix-defexpr/channels_root</filename> to prevent roots
NixOS channel from clashing with your own tree.</para>
NixOS channel from clashing with your own tree (this may break the
command-not-found utility though). If you want to go back to the default
state, you may just remove the <filename>~/.nix-defexpr</filename>
directory completely, log out and log in again and it should have been
recreated with a link to the root channels.</para>
<!-- FIXME: not sure what this means.
<para>You should not pass the base directory

3
nixos/doc/manual/installation/installing-uefi.xml
View File

@ -26,7 +26,8 @@ changes:
<literal>vfat</literal> filesystem.</para>
</listitem>
<listitem>
<para>You must set <option>boot.loader.systemd-boot.enable</option> to
<para>Instead of <option>boot.loader.grub.device</option>,
you must set <option>boot.loader.systemd-boot.enable</option> to
<literal>true</literal>. <command>nixos-generate-config</command>
should do this automatically for new configurations when booted in
UEFI mode.</para>

4
nixos/doc/manual/installation/installing-usb.xml
View File

@ -11,7 +11,9 @@ a USB stick. You can use the <command>dd</command> utility to write the image:
<command>dd if=<replaceable>path-to-image</replaceable>
of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the
correct drive; you can use the <command>lsblk</command> command to get a list of
block devices.</para>
block devices. If you're on OS X you can run <command>diskutil list</command>
to see the list of devices; the device you'll use for the USB must be ejected
before writing the image.</para>
<para>The <command>dd</command> utility will write the image verbatim to the drive,
making it the recommended option for both UEFI and non-UEFI installations. For

22
nixos/doc/manual/installation/upgrading.xml
View File

@ -15,12 +15,12 @@ been built. These channels are:
<itemizedlist>
<listitem>
<para><emphasis>Stable channels</emphasis>, such as <literal
xlink:href="https://nixos.org/channels/nixos-14.12">nixos-14.12</literal>.
xlink:href="https://nixos.org/channels/nixos-17.03">nixos-17.03</literal>.
These only get conservative bug fixes and package upgrades. For
instance, a channel update may cause the Linux kernel on your
system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
not from 3.4.<replaceable>x</replaceable> to
3.11.<replaceable>x</replaceable> (a major change that has the
system to be upgraded from 4.9.16 to 4.9.17 (a minor bug fix), but
not from 4.9.<replaceable>x</replaceable> to
4.11.<replaceable>x</replaceable> (a major change that has the
potential to break things). Stable channels are generally
maintained until the next stable branch is created.</para>
<para></para>
@ -34,7 +34,7 @@ been built. These channels are:
</listitem>
<listitem>
<para><emphasis>Small channels</emphasis>, such as <literal
xlink:href="https://nixos.org/channels/nixos-14.12-small">nixos-14.12-small</literal>
xlink:href="https://nixos.org/channels/nixos-17.03-small">nixos-17.03-small</literal>
or <literal
xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These
are identical to the stable and unstable channels described above,
@ -55,8 +55,8 @@ appliances.)</para>
<para>When you first install NixOS, youre automatically subscribed to
the NixOS channel that corresponds to your installation source. For
instance, if you installed from a 14.12 ISO, you will be subscribed to
the <literal>nixos-14.12</literal> channel. To see which NixOS
instance, if you installed from a 17.03 ISO, you will be subscribed to
the <literal>nixos-17.03</literal> channel. To see which NixOS
channel youre subscribed to, run the following as root:
<screen>
@ -71,16 +71,16 @@ To switch to a different NixOS channel, do
</screen>
(Be sure to include the <literal>nixos</literal> parameter at the
end.) For instance, to use the NixOS 14.12 stable channel:
end.) For instance, to use the NixOS 17.03 stable channel:
<screen>
# nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
# nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
</screen>
If you have a server, you may want to use the “small” channel instead:
<screen>
# nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
# nix-channel --add https://nixos.org/channels/nixos-17.03-small nixos
</screen>
And if you want to live on the bleeding edge:
@ -130,7 +130,7 @@ runs, see <command>systemctl list-timers</command>.) You can also
specify a channel explicitly, e.g.
<programlisting>
system.autoUpgrade.channel = https://nixos.org/channels/nixos-15.09;
system.autoUpgrade.channel = https://nixos.org/channels/nixos-17.03;
</programlisting>
</para>

285
nixos/doc/manual/release-notes/rl-1703.xml
View File

@ -4,7 +4,15 @@
version="5.0"
xml:id="sec-release-17.03">
<title>Release 17.03 (“XXX”, 2017/03/??)</title>
<title>Release 17.03 (“Gorilla”, 2017/03/31)</title>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-highlights">
<title>Highlights</title>
<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>
@ -16,19 +24,40 @@ has the following highlights: </para>
manual</link> for more information.</para>
</listitem>
<listitem>
<para>This release is based on Glibc 2.25, GCC 5.4.0 and systemd
232. The default Linux kernel is 4.9 and Nix is at 1.11.8.</para>
</listitem>
<listitem>
<para>The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed</para>
</listitem>
<listitem>
<para>The setuid wrapper functionality now supports setting
capabilities.</para>
</listitem>
<listitem>
<para>X.org server uses branch 1.19. Due to ABI incompatibilities,
<para>X.org server uses branch 1.19. Due to ABI incompatibilities,
<literal>ati_unfree</literal> keeps forcing 1.17
and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
</listitem>
<listitem>
<para>PHP now defaults to PHP 7.1</para>
<para>
Cross compilation has been rewritten. See the nixpkgs manual for
details. The most obvious breaking change is that in derivations there is no
<literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> are now
cross by default, not native.
</para>
</listitem>
<listitem>
<para>The <literal>overridePackages</literal> function has been rewritten
to be replaced by <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
overlays</link></para>
</listitem>
<listitem>
@ -38,16 +67,115 @@ has the following highlights: </para>
manual</link> for more information.</para>
</listitem>
<listitem>
<para>PHP now defaults to PHP 7.1</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-new-services">
<title>New Services</title>
<para>The following new services were added since the last release:</para>
<itemizedlist>
<listitem>
<para></para>
</listitem>
<listitem><para><literal>hardware/ckb.nix</literal></para></listitem>
<listitem><para><literal>hardware/mcelog.nix</literal></para></listitem>
<listitem><para><literal>hardware/usb-wwan.nix</literal></para></listitem>
<listitem><para><literal>hardware/video/capture/mwprocapture.nix</literal></para></listitem>
<listitem><para><literal>programs/adb.nix</literal></para></listitem>
<listitem><para><literal>programs/chromium.nix</literal></para></listitem>
<listitem><para><literal>programs/gphoto2.nix</literal></para></listitem>
<listitem><para><literal>programs/java.nix</literal></para></listitem>
<listitem><para><literal>programs/mtr.nix</literal></para></listitem>
<listitem><para><literal>programs/oblogout.nix</literal></para></listitem>
<listitem><para><literal>programs/vim.nix</literal></para></listitem>
<listitem><para><literal>programs/wireshark.nix</literal></para></listitem>
<listitem><para><literal>security/dhparams.nix</literal></para></listitem>
<listitem><para><literal>services/audio/ympd.nix</literal></para></listitem>
<listitem><para><literal>services/computing/boinc/client.nix</literal></para></listitem>
<listitem><para><literal>services/continuous-integration/buildbot/master.nix</literal></para></listitem>
<listitem><para><literal>services/continuous-integration/buildbot/worker.nix</literal></para></listitem>
<listitem><para><literal>services/continuous-integration/gitlab-runner.nix</literal></para></listitem>
<listitem><para><literal>services/databases/riak-cs.nix</literal></para></listitem>
<listitem><para><literal>services/databases/stanchion.nix</literal></para></listitem>
<listitem><para><literal>services/desktops/gnome3/gnome-terminal-server.nix</literal></para></listitem>
<listitem><para><literal>services/editors/infinoted.nix</literal></para></listitem>
<listitem><para><literal>services/hardware/illum.nix</literal></para></listitem>
<listitem><para><literal>services/hardware/trezord.nix</literal></para></listitem>
<listitem><para><literal>services/logging/journalbeat.nix</literal></para></listitem>
<listitem><para><literal>services/mail/offlineimap.nix</literal></para></listitem>
<listitem><para><literal>services/mail/postgrey.nix</literal></para></listitem>
<listitem><para><literal>services/misc/couchpotato.nix</literal></para></listitem>
<listitem><para><literal>services/misc/docker-registry.nix</literal></para></listitem>
<listitem><para><literal>services/misc/errbot.nix</literal></para></listitem>
<listitem><para><literal>services/misc/geoip-updater.nix</literal></para></listitem>
<listitem><para><literal>services/misc/gogs.nix</literal></para></listitem>
<listitem><para><literal>services/misc/leaps.nix</literal></para></listitem>
<listitem><para><literal>services/misc/nix-optimise.nix</literal></para></listitem>
<listitem><para><literal>services/misc/ssm-agent.nix</literal></para></listitem>
<listitem><para><literal>services/misc/sssd.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/arbtt.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/netdata.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/default.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/alertmanager.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/blackbox-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/json-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/nginx-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/node-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/snmp-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/unifi-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/prometheus/varnish-exporter.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/sysstat.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/telegraf.nix</literal></para></listitem>
<listitem><para><literal>services/monitoring/vnstat.nix</literal></para></listitem>
<listitem><para><literal>services/network-filesystems/cachefilesd.nix</literal></para></listitem>
<listitem><para><literal>services/network-filesystems/glusterfs.nix</literal></para></listitem>
<listitem><para><literal>services/network-filesystems/ipfs.nix</literal></para></listitem>
<listitem><para><literal>services/networking/dante.nix</literal></para></listitem>
<listitem><para><literal>services/networking/dnscrypt-wrapper.nix</literal></para></listitem>
<listitem><para><literal>services/networking/fakeroute.nix</literal></para></listitem>
<listitem><para><literal>services/networking/flannel.nix</literal></para></listitem>
<listitem><para><literal>services/networking/htpdate.nix</literal></para></listitem>
<listitem><para><literal>services/networking/miredo.nix</literal></para></listitem>
<listitem><para><literal>services/networking/nftables.nix</literal></para></listitem>
<listitem><para><literal>services/networking/powerdns.nix</literal></para></listitem>
<listitem><para><literal>services/networking/pdns-recursor.nix</literal></para></listitem>
<listitem><para><literal>services/networking/quagga.nix</literal></para></listitem>
<listitem><para><literal>services/networking/redsocks.nix</literal></para></listitem>
<listitem><para><literal>services/networking/wireguard.nix</literal></para></listitem>
<listitem><para><literal>services/system/cgmanager.nix</literal></para></listitem>
<listitem><para><literal>services/torrent/opentracker.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/atlassian/confluence.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/atlassian/crowd.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/atlassian/jira.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/frab.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/nixbot.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/selfoss.nix</literal></para></listitem>
<listitem><para><literal>services/web-apps/quassel-webserver.nix</literal></para></listitem>
<listitem><para><literal>services/x11/unclutter-xfixes.nix</literal></para></listitem>
<listitem><para><literal>services/x11/urxvtd.nix</literal></para></listitem>
<listitem><para><literal>system/boot/systemd-nspawn.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/ecs-agent.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/lxcfs.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/openstack/keystone.nix</literal></para></listitem>
<listitem><para><literal>virtualisation/openstack/glance.nix</literal></para></listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-incompatibilities">
<title>Backward Incompatibilities</title>
<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>
@ -55,10 +183,8 @@ following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>
Cross compilation has been rewritten. See the nixpkgs manual for
details. The most obvious breaking change is that derivations absent a
<literal>.nativeDrv</literal> or <literal>.crossDrv</literal> are now
cross by default, not native.
Derivations have no <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal>
and are now cross by default, not native.
</para>
</listitem>
@ -95,15 +221,6 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>
The Yama LSM is now enabled by default in the kernel,
which prevents ptracing non-child processes.
This means you will not be able to attach gdb to an existing process,
but will need to start that process from gdb (so it is a child).
</para>
</listitem>
<listitem>
<para>
The <literal>stripHash</literal> bash function in <literal>stdenv</literal>
@ -183,7 +300,7 @@ following incompatible changes:</para>
<para><literal>overridePackages</literal> function no longer exists.
It is replaced by <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
overlays</link>. For example, the following code:
overlays</link>. For example, the following code:
<programlisting>
let
@ -228,7 +345,7 @@ following incompatible changes:</para>
<listitem>
<para>
Iputils no longer provide ping6 and traceroute6. The functionality of
these tools have been integrated into ping and traceroute respectively. To
these tools has been integrated into ping and traceroute respectively. To
enforce an address family the new flags <literal>-4</literal> and
<literal>-6</literal> have been added. One notable incompatibility is that
specifying an interface (for link-local IPv6 for instance) is no longer done
@ -237,10 +354,60 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>
The socket handling of the <literal>services.rmilter</literal> module
has been fixed and refactored. As rmilter doesn't support binding to
more than one socket, the options <literal>bindUnixSockets</literal>
and <literal>bindInetSockets</literal> have been replaced by
<literal>services.rmilter.bindSocket.*</literal>. The default is still
a unix socket in <literal>/run/rmilter/rmilter.sock</literal>. Refer to
the options documentation for more information.
</para>
</listitem>
<listitem>
<para>
The <literal>fetch*</literal> functions no longer support md5,
please use sha256 instead.
</para>
</listitem>
<listitem>
<para>
The dnscrypt-proxy module interface has been streamlined around the
<option>extraArgs</option> option. Where possible, legacy option
declarations are mapped to <option>extraArgs</option> but will emit
warnings. The <option>resolverList</option> has been outright
removed: to use an unlisted resolver, use the
<option>customResolver</option> option.
</para>
</listitem>
<listitem>
<para>
torbrowser now stores local state under
<filename>~/.local/share/tor-browser</filename> by default. Any
browser profile data from the old location,
<filename>~/.torbrowser4</filename>, must be migrated manually.
</para>
</listitem>
<listitem>
<para>
The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03-notable-changes">
<para>Other notable improvements:</para>
<title>Other Notable Changes</title>
<itemizedlist>
@ -261,6 +428,18 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>Python 2.6 interpreter and package set have been removed.</para>
</listitem>
<listitem>
<para>
The Python 2.7 interpreter does not use modules anymore. Instead, all
CPython interpreters now include the whole standard library except for `tkinter`,
which is available in the Python package set.
</para>
</listitem>
<listitem>
<para>
Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
@ -271,7 +450,65 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>
The Python package sets now use a fixed-point combinator and the sets are
available as attributes of the interpreters.
</para>
</listitem>
<listitem>
<para>
The Python function <literal>buildPythonPackage</literal> has been improved and can be
used to build from Setuptools source, Flit source, and precompiled Wheels.
</para>
</listitem>
<listitem>
<para>
When adding new or updating current Python libraries, the expressions should be put
in separate files in <literal>pkgs/development/python-modules</literal> and
called from <literal>python-packages.nix</literal>.
</para>
</listitem>
<listitem>
<para>
The dnscrypt-proxy service supports synchronizing the list of public
resolvers without working DNS resolution. This fixes issues caused by the
resolver list becoming outdated. It also improves the viability of
DNSCrypt only configurations.
</para>
</listitem>
<listitem>
<para>
Containers using bridged networking no longer lose their connection after
changes to the host networking.
</para>
</listitem>
<listitem>
<para>
ZFS supports pool auto scrubbing.
</para>
</listitem>
<listitem>
<para>
The bind DNS utilities (e.g. dig) have been split into their own output and
are now also available in <literal>pkgs.dnsutils</literal> and it is no longer
necessary to pull in all of <literal>bind</literal> to use them.
</para>
</listitem>
<listitem>
<para>
Per-user configuration was moved from <filename>~/.nixpkgs</filename> to
<filename>~/.config/nixpkgs</filename>. The former is still valid for
<filename>config.nix</filename> for backwards compatibility.
</para>
</listitem>
</itemizedlist>
</section>
</section>

18
nixos/doc/manual/release-notes/rl-1709.xml
View File

@ -11,7 +11,11 @@ has the following highlights: </para>
<itemizedlist>
<listitem>
<para></para>
<para>
The user handling now keeps track of deallocated UIDs/GIDs. When a user
or group is revived, this allows it to be allocated the UID/GID it had before.
A consequence is that UIDs and GIDs are no longer reused.
</para>
</listitem>
</itemizedlist>
@ -49,6 +53,18 @@ following incompatible changes:</para>
rest of the system on a stable release.
</para>
</listitem>
<listitem>
<para>
Updated to FreeType 2.7.1, including a new TrueType engine.
The new engine replaces the Infinality engine which was the default in
NixOS. The default font rendering settings are now provided by
fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults
are less invasive and provide rendering that is more consistent with
other systems and hopefully with each font designer's intent. Some
system-wide configuration has been removed from the Fontconfig NixOS
module where user Fontconfig settings are available.
</para>
</listitem>
</itemizedlist>

6
nixos/lib/testing.nix
View File

@ -108,16 +108,16 @@ rec {
mkdir -p $out/bin
echo "$testScript" > $out/test-script
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
vms=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
wrapProgram $out/bin/nixos-test-driver \
--add-flags "$vms" \
--add-flags "''${vms[*]}" \
${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
--run "testScript=\"\$(cat $out/test-script)\"" \
--set testScript '$testScript' \
--set VLANS '${toString vlans}'
ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
wrapProgram $out/bin/nixos-run-vms \
--add-flags "$vms" \
--add-flags "''${vms[*]}" \
${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
--set tests 'startAll; joinAll;' \
--set VLANS '${toString vlans}' \

15
nixos/maintainers/scripts/ec2/create-amis.sh
View File

@ -3,21 +3,20 @@
# To start with do: nix-shell -p awscli --run "aws configure"
set -e
set -o pipefail
#set -x
stateDir=${TMPDIR:-/tmp}/ec2-image
echo "keeping state in $stateDir"
mkdir -p $stateDir
version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g)
major=${version:0:5}
echo "NixOS version is $version ($major)"
stateDir=/var/tmp/ec2-image-$version
echo "keeping state in $stateDir"
mkdir -p $stateDir
rm -f ec2-amis.nix
types="hvm pv"
types="hvm"
stores="ebs s3"
regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
@ -206,7 +205,7 @@ for type in $types; do
# Register the AMI.
if [ $type = pv ]; then
kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.04-$arch.gz" | jq -r .Images[0].ImageId)
kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.05-$arch.gz" | jq -r .Images[0].ImageId)
if [ "$kernel" = null ]; then break; fi
echo "using PV-GRUB kernel $kernel"
extraFlags+=" --virtualization-type paravirtual --kernel $kernel"

270
nixos/modules/config/fonts/fontconfig-penultimate.nix Normal file
View File

@ -0,0 +1,270 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.fonts.fontconfig;
fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
# back-supported fontconfig version and package
# version is used for font cache generation
supportVersion = "210";
supportPkg = pkgs."fontconfig_${supportVersion}";
# latest fontconfig version and package
# version is used for configuration folder name, /etc/fonts/VERSION/
# note: format differs from supportVersion and can not be used with makeCacheConf
latestVersion = pkgs.fontconfig.configVersion;
latestPkg = pkgs.fontconfig;
# supported version fonts.conf
supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
# configuration file to read fontconfig cache
# version dependent
# priority 0
cacheConfSupport = makeCacheConf { version = supportVersion; };
cacheConfLatest = makeCacheConf {};
# generate the font cache setting file for a fontconfig version
# use latest when no version is passed
makeCacheConf = { version ? null }:
let
fcPackage = if builtins.isNull version
then "fontconfig"
else "fontconfig_${version}";
makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
cache = makeCache pkgs."${fcPackage}";
cache32 = makeCache pkgs.pkgsi686Linux."${fcPackage}";
in
pkgs.writeText "fc-00-nixos-cache.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Font directories -->
${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
<!-- Pre-generated font caches -->
<cachedir>${cache}</cachedir>
${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
<cachedir>${cache32}</cachedir>
''}
</fontconfig>
'';
# The configuration to be included in /etc/font/
penultimateConf = pkgs.runCommand "font-penultimate-conf" {} ''
support_folder=$out/etc/fonts/conf.d
latest_folder=$out/etc/fonts/${latestVersion}/conf.d
mkdir -p $support_folder
mkdir -p $latest_folder
ln -s ${supportFontsConf} $support_folder/../fonts.conf
ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
$latest_folder/../fonts.conf
# fontconfig-penultimate various configuration files
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$support_folder
ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
$latest_folder
ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
ln -s ${cacheConfLatest} $latest_folder/00-nixos-cache.conf
rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
ln -s ${antialiasConf} $support_folder/10-antialias.conf
ln -s ${antialiasConf} $latest_folder/10-antialias.conf
rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
ln -s ${hintingConf} $support_folder/10-hinting.conf
ln -s ${hintingConf} $latest_folder/10-hinting.conf
${optionalString cfg.useEmbeddedBitmaps ''
rm $support_folder/10-no-embedded-bitmaps.conf
rm $latest_folder/10-no-embedded-bitmaps.conf
''}
rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
ln -s ${subpixelConf} $support_folder/10-subpixel.conf
ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
${optionalString (cfg.dpi != 0) ''
ln -s ${dpiConf} $support_folder/11-dpi.conf
ln -s ${dpiConf} $latest_folder/11-dpi.conf
''}
${optionalString (!cfg.includeUserConf) ''
rm $support_folder/50-user.conf
rm $latest_folder/50-user.conf
''}
# 51-local.conf
rm $latest_folder/51-local.conf
substitute \
${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
$latest_folder/51-local.conf \
--replace local.conf /etc/fonts/${latestVersion}/local.conf
ln -s ${defaultFontsConf} $support_folder/52-default-fonts.conf
ln -s ${defaultFontsConf} $latest_folder/52-default-fonts.conf
${optionalString cfg.allowBitmaps ''
rm $support_folder/53-no-bitmaps.conf
rm $latest_folder/53-no-bitmaps.conf
''}
${optionalString (!cfg.allowType1) ''
ln -s ${rejectType1} $support_folder/53-no-type1.conf
ln -s ${rejectType1} $latest_folder/53-no-type1.conf
''}
'';
hintingConf = pkgs.writeText "fc-10-hinting.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="pattern">
<edit mode="append" name="hinting">
${fcBool cfg.hinting.enable}
</edit>
<edit mode="append" name="autohint">
${fcBool cfg.hinting.autohint}
</edit>
<edit mode="append" name="hintstyle">
<const>hintslight</const>
</edit>
</match>
</fontconfig>
'';
antialiasConf = pkgs.writeText "fc-10-antialias.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="pattern">
<edit mode="append" name="antialias">
${fcBool cfg.antialias}
</edit>
</match>
</fontconfig>
'';
subpixelConf = pkgs.writeText "fc-10-subpixel.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default rendering settings -->
<match target="pattern">
<edit mode="append" name="rgba">
<const>${cfg.subpixel.rgba}</const>
</edit>
<edit mode="append" name="lcdfilter">
<const>lcd${cfg.subpixel.lcdfilter}</const>
</edit>
</match>
</fontconfig>
'';
dpiConf = pkgs.writeText "fc-11-dpi.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<match target="pattern">
<edit name="dpi" mode="assign">
<double>${toString cfg.dpi}</double>
</edit>
</match>
</fontconfig>
'';
defaultFontsConf =
let genDefault = fonts: name:
optionalString (fonts != []) ''
<alias>
<family>${name}</family>
<prefer>
${concatStringsSep ""
(map (font: ''
<family>${font}</family>
'') fonts)}
</prefer>
</alias>
'';
in
pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
<?xml version='1.0'?>
<!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
<fontconfig>
<!-- Default fonts -->
${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
${genDefault cfg.defaultFonts.serif "serif"}
${genDefault cfg.defaultFonts.monospace "monospace"}
</fontconfig>
'';
rejectType1 = pkgs.writeText "fc-53-no-type1.conf" ''
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
<!-- Reject Type 1 fonts -->
<selectfont>
<rejectfont>
<pattern>
<patelt name="fontformat"><string>Type 1</string></patelt>
</pattern>
</rejectfont>
</selectfont>
</fontconfig>
'';
in
{
options = {
fonts = {
fontconfig = {
penultimate = {
enable = mkOption {
type = types.bool;
default = true;
description = ''
Enable fontconfig-penultimate settings to supplement the
NixOS defaults by providing per-font rendering defaults and
metric aliases.
'';
};
};
};
};
};
config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {
fonts.fontconfig.confPackages = [ penultimateConf ];
};
}

12
nixos/modules/config/fonts/fontconfig-ultimate.nix
View File

@ -43,7 +43,7 @@ in
ultimate = {
enable = mkOption {
type = types.bool;
default = true;
default = false;
description = ''
Enable fontconfig-ultimate settings (formerly known as
Infinality). Besides the customizable settings in this NixOS
@ -63,15 +63,6 @@ in
<literal>none</literal> disables the substitutions.
'';
};
preset = mkOption {
type = types.enum ["ultimate1" "ultimate2" "ultimate3" "ultimate4" "ultimate5" "osx" "windowsxp"];
default = "ultimate3";
description = ''
FreeType rendering settings preset. Any of the presets may be
customized by setting environment variables.
'';
};
};
};
};
@ -81,7 +72,6 @@ in
config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {
fonts.fontconfig.confPackages = [ confPkg ];
environment.variables."INFINALITY_FT" = cfg.preset;
};

105
nixos/modules/config/fonts/fontconfig.nix
View File

@ -75,23 +75,23 @@ let cfg = config.fonts.fontconfig;
<fontconfig>
<!-- Default rendering settings -->
<match target="font">
<edit mode="assign" name="hinting">
<match target="pattern">
<edit mode="append" name="hinting">
${fcBool cfg.hinting.enable}
</edit>
<edit mode="assign" name="autohint">
<edit mode="append" name="autohint">
${fcBool cfg.hinting.autohint}
</edit>
<edit mode="assign" name="hintstyle">
<const>hint${cfg.hinting.style}</const>
<edit mode="append" name="hintstyle">
<const>hintslight</const>
</edit>
<edit mode="assign" name="antialias">
<edit mode="append" name="antialias">
${fcBool cfg.antialias}
</edit>
<edit mode="assign" name="rgba">
<edit mode="append" name="rgba">
<const>${cfg.subpixel.rgba}</const>
</edit>
<edit mode="assign" name="lcdfilter">
<edit mode="append" name="lcdfilter">
<const>lcd${cfg.subpixel.lcdfilter}</const>
</edit>
</match>
@ -104,13 +104,6 @@ let cfg = config.fonts.fontconfig;
</match>
''}
<!-- Force autohint always -->
<match target="font">
<edit name="force_autohint" mode="assign">
${fcBool cfg.forceAutohint}
</edit>
</match>
</fontconfig>
'';
@ -174,13 +167,6 @@ let cfg = config.fonts.fontconfig;
</edit>
</match>
<!-- Render some monospace TTF fonts as bitmaps -->
<match target="pattern">
<edit name="bitmap_monospace" mode="assign">
${fcBool cfg.renderMonoTTFAsBitmap}
</edit>
</match>
</fontconfig>
'';
@ -304,7 +290,11 @@ in
antialias = mkOption {
type = types.bool;
default = true;
description = "Enable font antialiasing.";
description = ''
Enable font antialiasing. At high resolution (> 200 DPI),
antialiasing has no visible effect; users of such displays may want
to disable this option.
'';
};
dpi = mkOption {
@ -358,26 +348,21 @@ in
enable = mkOption {
type = types.bool;
default = true;
description = "Enable TrueType hinting.";
description = ''
Enable font hinting. Hinting aligns glyphs to pixel boundaries to
improve rendering sharpness at low resolution. At high resolution
(> 200 dpi) hinting will do nothing (at best); users of such
displays may want to disable this option.
'';
};
autohint = mkOption {
type = types.bool;
default = true;
default = false;
description = ''
Enable the autohinter, which provides hinting for otherwise
un-hinted fonts. The results are usually lower quality than
correctly-hinted fonts.
'';
};
style = mkOption {
type = types.enum ["none" "slight" "medium" "full"];
default = "full";
description = ''
TrueType hinting style, one of <literal>none</literal>,
<literal>slight</literal>, <literal>medium</literal>, or
<literal>full</literal>.
Enable the autohinter in place of the default interpreter.
The results are usually lower quality than correctly-hinted
fonts, but better than unhinted fonts.
'';
};
};
@ -398,7 +383,15 @@ in
default = "rgb";
type = types.enum ["rgb" "bgr" "vrgb" "vbgr" "none"];
description = ''
Subpixel order.
Subpixel order. The overwhelming majority of displays are
<literal>rgb</literal> in their normal orientation. Select
<literal>vrgb</literal> for mounting such a display 90 degrees
clockwise from its normal orientation or <literal>vbgr</literal>
for mounting 90 degrees counter-clockwise. Select
<literal>bgr</literal> in the unlikely event of mounting 180
degrees from the normal orientation. Reverse these directions in
the improbable event that the display's native subpixel order is
<literal>bgr</literal>.
'';
};
@ -406,7 +399,9 @@ in
default = "default";
type = types.enum ["none" "default" "light" "legacy"];
description = ''
FreeType LCD filter.
FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering
has no visible effect; users of such displays may want to select
<literal>none</literal>.
'';
};
@ -444,31 +439,19 @@ in
description = ''Use embedded bitmaps in fonts like Calibri.'';
};
forceAutohint = mkOption {
type = types.bool;
default = false;
description = ''
Force use of the TrueType Autohinter. Useful for debugging or
free-software purists.
'';
};
renderMonoTTFAsBitmap = mkOption {
type = types.bool;
default = false;
description = ''Render some monospace TTF fonts as bitmaps.'';
};
};
};
};
config = mkIf cfg.enable {
fonts.fontconfig.confPackages = [ confPkg ];
environment.systemPackages = [ pkgs.fontconfig ];
environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/";
};
config = mkMerge [
(mkIf cfg.enable {
environment.systemPackages = [ pkgs.fontconfig ];
environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/";
})
(mkIf (cfg.enable && !cfg.penultimate.enable) {
fonts.fontconfig.confPackages = [ confPkg ];
})
];
}

4
nixos/modules/config/networking.nix
View File

@ -178,10 +178,10 @@ in
environment.etc =
{ # /etc/services: TCP/UDP port assignments.
"services".source = pkgs.iana_etc + "/etc/services";
"services".source = pkgs.iana-etc + "/etc/services";
# /etc/protocols: IP protocol numbers.
"protocols".source = pkgs.iana_etc + "/etc/protocols";
"protocols".source = pkgs.iana-etc + "/etc/protocols";
# /etc/rpc: RPC program numbers.
"rpc".source = pkgs.glibc.out + "/etc/rpc";

4
nixos/modules/config/sysctl.nix
View File

@ -64,5 +64,9 @@ in
# Removed under grsecurity.
boot.kernel.sysctl."kernel.kptr_restrict" =
if (config.boot.kernelPackages.kernel.features.grsecurity or false) then null else 1;
# Disable YAMA by default to allow easy debugging.
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
};
}

70
nixos/modules/config/update-users-groups.pl
View File

@ -6,6 +6,21 @@ use JSON;
make_path("/var/lib/nixos", { mode => 0755 });
# Keep track of deleted uids and gids.
my $uidMapFile = "/var/lib/nixos/uid-map";
my $uidMap = -e $uidMapFile ? decode_json(read_file($uidMapFile)) : {};
my $gidMapFile = "/var/lib/nixos/gid-map";
my $gidMap = -e $gidMapFile ? decode_json(read_file($gidMapFile)) : {};
sub updateFile {
my ($path, $contents, $perms) = @_;
write_file("$path.tmp", { binmode => ':utf8', perms => $perms // 0644 }, $contents);
rename("$path.tmp", $path) or die;
}
sub hashPassword {
my ($password) = @_;
my $salt = "";
@ -18,10 +33,10 @@ sub hashPassword {
# Functions for allocating free GIDs/UIDs. FIXME: respect ID ranges in
# /etc/login.defs.
sub allocId {
my ($used, $idMin, $idMax, $up, $getid) = @_;
my ($used, $prevUsed, $idMin, $idMax, $up, $getid) = @_;
my $id = $up ? $idMin : $idMax;
while ($id >= $idMin && $id <= $idMax) {
if (!$used->{$id} && !defined &$getid($id)) {
if (!$used->{$id} && !$prevUsed->{$id} && !defined &$getid($id)) {
$used->{$id} = 1;
return $id;
}
@ -31,23 +46,36 @@ sub allocId {
die "$0: out of free UIDs or GIDs\n";
}
my (%gidsUsed, %uidsUsed);
my (%gidsUsed, %uidsUsed, %gidsPrevUsed, %uidsPrevUsed);
sub allocGid {
return allocId(\%gidsUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
my ($name) = @_;
my $prevGid = $gidMap->{$name};
if (defined $prevGid && !defined $gidsUsed{$prevGid}) {
print STDERR "reviving group '$name' with GID $prevGid\n";
$gidsUsed{$prevGid} = 1;
return $prevGid;
}
return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
}
sub allocUid {
my ($isSystemUser) = @_;
my ($name, $isSystemUser) = @_;
my ($min, $max, $up) = $isSystemUser ? (400, 499, 0) : (1000, 29999, 1);
return allocId(\%uidsUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
my $prevUid = $uidMap->{$name};
if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) {
print STDERR "reviving user '$name' with UID $prevUid\n";
$uidsUsed{$prevUid} = 1;
return $prevUid;
}
return allocId(\%uidsUsed, \%uidsPrevUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
}
# Read the declared users/groups.
my $spec = decode_json(read_file($ARGV[0]));
# Don't allocate UIDs/GIDs that are already in use.
# Don't allocate UIDs/GIDs that are manually assigned.
foreach my $g (@{$spec->{groups}}) {
$gidsUsed{$g->{gid}} = 1 if defined $g->{gid};
}
@ -56,6 +84,11 @@ foreach my $u (@{$spec->{users}}) {
$uidsUsed{$u->{uid}} = 1 if defined $u->{uid};
}
# Likewise for previously used but deleted UIDs/GIDs.
$uidsPrevUsed{$_} = 1 foreach values %{$uidMap};
$gidsPrevUsed{$_} = 1 foreach values %{$gidMap};
# Read the current /etc/group.
sub parseGroup {
chomp;
@ -114,16 +147,18 @@ foreach my $g (@{$spec->{groups}}) {
}
}
} else {
$g->{gid} = allocGid if !defined $g->{gid};
$g->{gid} = allocGid($name) if !defined $g->{gid};
$g->{password} = "x";
}
$g->{members} = join ",", sort(keys(%members));
$groupsOut{$name} = $g;
$gidMap->{$name} = $g->{gid};
}
# Update the persistent list of declarative groups.
write_file($declGroupsFile, { binmode => ':utf8' }, join(" ", sort(keys %groupsOut)));
updateFile($declGroupsFile, join(" ", sort(keys %groupsOut)));
# Merge in the existing /etc/group.
foreach my $name (keys %groupsCur) {
@ -140,8 +175,8 @@ foreach my $name (keys %groupsCur) {
# Rewrite /etc/group. FIXME: acquire lock.
my @lines = map { join(":", $_->{name}, $_->{password}, $_->{gid}, $_->{members}) . "\n" }
(sort { $a->{gid} <=> $b->{gid} } values(%groupsOut));
write_file("/etc/group.tmp", { binmode => ':utf8' }, @lines);
rename("/etc/group.tmp", "/etc/group") or die;
updateFile($gidMapFile, encode_json($gidMap));
updateFile("/etc/group", \@lines);
system("nscd --invalidate group");
# Generate a new /etc/passwd containing the declared users.
@ -167,7 +202,7 @@ foreach my $u (@{$spec->{users}}) {
$u->{uid} = $existing->{uid};
}
} else {
$u->{uid} = allocUid($u->{isSystemUser}) if !defined $u->{uid};
$u->{uid} = allocUid($name, $u->{isSystemUser}) if !defined $u->{uid};
if (defined $u->{initialPassword}) {
$u->{hashedPassword} = hashPassword($u->{initialPassword});
@ -195,10 +230,12 @@ foreach my $u (@{$spec->{users}}) {
$u->{fakePassword} = $existing->{fakePassword} // "x";
$usersOut{$name} = $u;
$uidMap->{$name} = $u->{uid};
}
# Update the persistent list of declarative users.
write_file($declUsersFile, { binmode => ':utf8' }, join(" ", sort(keys %usersOut)));
updateFile($declUsersFile, join(" ", sort(keys %usersOut)));
# Merge in the existing /etc/passwd.
foreach my $name (keys %usersCur) {
@ -214,8 +251,8 @@ foreach my $name (keys %usersCur) {
# Rewrite /etc/passwd. FIXME: acquire lock.
@lines = map { join(":", $_->{name}, $_->{fakePassword}, $_->{uid}, $_->{gid}, $_->{description}, $_->{home}, $_->{shell}) . "\n" }
(sort { $a->{uid} <=> $b->{uid} } (values %usersOut));
write_file("/etc/passwd.tmp", { binmode => ':utf8' }, @lines);
rename("/etc/passwd.tmp", "/etc/passwd") or die;
updateFile($uidMapFile, encode_json($uidMap));
updateFile("/etc/passwd", \@lines);
system("nscd --invalidate passwd");
@ -242,5 +279,4 @@ foreach my $u (values %usersOut) {
push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::::") . "\n";
}
write_file("/etc/shadow.tmp", { binmode => ':utf8', perms => 0600 }, @shadowNew);
rename("/etc/shadow.tmp", "/etc/shadow") or die;
updateFile("/etc/shadow", \@shadowNew, 0600);

1
nixos/modules/hardware/all-firmware.nix
View File

@ -26,6 +26,7 @@ with lib;
firmwareLinuxNonfree
intel2200BGFirmware
rtl8723bs-firmware
rtl8192su-firmware
];
};

13
nixos/modules/installer/cd-dvd/channel.nix
View File

@ -6,6 +6,16 @@
with lib;
let
# Do not include these things:
# - The '.git' directory
# - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
# - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
filterFn = path: type: let basename = baseNameOf (toString path); in
if type == "directory" then basename != ".git"
else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
nixpkgs = builtins.filterSource filterFn pkgs.path;
# We need a copy of the Nix expressions for Nixpkgs and NixOS on the
# CD. These are installed into the "nixos" channel of the root
@ -15,12 +25,11 @@ let
{ }
''
mkdir -p $out
cp -prd ${pkgs.path} $out/nixos
cp -prd ${nixpkgs} $out/nixos
chmod -R u+w $out/nixos
if [ ! -e $out/nixos/nixpkgs ]; then
ln -s . $out/nixos/nixpkgs
fi
rm -rf $out/nixos/.git
echo -n ${config.system.nixosVersionSuffix} > $out/nixos/.version-suffix
'';

2
nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
View File

@ -28,7 +28,7 @@ in
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=tty0"];
boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=ttySAC2,115200n8" "console=tty0"];
# FIXME: this probably should be in installation-device.nix
users.extraUsers.root.initialHashedPassword = "";

2
nixos/modules/installer/tools/auto-upgrade.nix
View File

@ -48,7 +48,7 @@ let cfg = config.system.autoUpgrade; in
description = ''
Specification (in the format described by
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>) of the time at
<manvolnum>7</manvolnum></citerefentry>) of the time at
which the update will occur.
'';
};

6
nixos/modules/installer/tools/nix-fallback-paths.nix
View File

@ -1,5 +1,5 @@
{
x86_64-linux = "/nix/store/4ssykr786d0wp7y6m4xd4qwqs4nrry1z-nix-1.11.7";
i686-linux = "/nix/store/61ggxx2072y2g877m01asy0lsn7xpn06-nix-1.11.7";
x86_64-darwin = "/nix/store/pxf5ri5kdbfqkhd10sw4lpj8sn385ks5-nix-1.11.7";
x86_64-linux = "/nix/store/j6q3pb75q1sbk0xsa5x6a629ph98ycdl-nix-1.11.8";
i686-linux = "/nix/store/4m6ps568l988bbr1p2k3w9raq3rblppi-nix-1.11.8";
x86_64-darwin = "/nix/store/cc5q944yn3j2hrs8k0kxx9r2mk9mni8a-nix-1.11.8";
}

9
nixos/modules/module-list.nix
View File

@ -1,8 +1,9 @@
[
./config/debug-info.nix
./config/fonts/corefonts.nix
./config/fonts/fontconfig-ultimate.nix
./config/fonts/fontconfig.nix
./config/fonts/fontconfig-penultimate.nix
./config/fonts/fontconfig-ultimate.nix
./config/fonts/fontdir.nix
./config/fonts/fonts.nix
./config/fonts/ghostscript.nix
@ -137,7 +138,6 @@
./services/backup/mysql-backup.nix
./services/backup/postgresql-backup.nix
./services/backup/rsnapshot.nix
./services/backup/sitecopy-backup.nix
./services/backup/tarsnap.nix
./services/backup/znapzend.nix
./services/cluster/fleet.nix
@ -274,6 +274,7 @@
./services/misc/gpsd.nix
#./services/misc/ihaskell.nix
./services/misc/irkerd.nix
./services/misc/jackett.nix
./services/misc/leaps.nix
./services/misc/mantisbt.nix
./services/misc/mathics.nix
@ -294,6 +295,7 @@
./services/misc/parsoid.nix
./services/misc/phd.nix
./services/misc/plex.nix
./services/misc/radarr.nix
./services/misc/redmine.nix
./services/misc/rippled.nix
./services/misc/ripple-rest.nix
@ -453,7 +455,7 @@
./services/networking/prayer.nix
./services/networking/privoxy.nix
./services/networking/prosody.nix
./services/networking/quagga.nix
# ./services/networking/quagga.nix
./services/networking/quassel.nix
./services/networking/racoon.nix
./services/networking/radicale.nix
@ -527,6 +529,7 @@
./services/system/cgmanager.nix
./services/system/cloud-init.nix
./services/system/dbus.nix
./services/system/earlyoom.nix
./services/system/kerberos.nix
./services/system/nscd.nix
./services/system/uptimed.nix

2
nixos/modules/programs/venus.nix
View File

@ -45,7 +45,7 @@ in
description = ''
Specification (in the format described by
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>) of the time at
<manvolnum>7</manvolnum></citerefentry>) of the time at
which the Venus will collect feeds.
'';
};

11
nixos/modules/rename.nix
View File

@ -35,6 +35,9 @@ with lib;
(mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
(mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
(mkRemovedOptionModule [ "services" "rmilter" "bindInetSockets" ] "Use services.rmilter.bindSocket.* instead")
(mkRemovedOptionModule [ "services" "rmilter" "bindUnixSockets" ] "Use services.rmilter.bindSocket.* instead")
# Old Grub-related options.
(mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
(mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])
@ -138,9 +141,6 @@ with lib;
# Unity3D
(mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
# fontconfig-ultimate
(mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "rendering" ] [ "fonts" "fontconfig" "ultimate" "preset" ])
# murmur
(mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ])
@ -199,5 +199,10 @@ with lib;
"See the 16.09 release notes for more information.")
(mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
(mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
(mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "")
(mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ]
"Set the option `services.xserver.displayManager.sddm.package' instead.")
(mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "")
(mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "")
];
}

4
nixos/modules/security/acme.nix
View File

@ -110,7 +110,7 @@ in
description = ''
Systemd calendar expression when to check for renewal. See
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>.
<manvolnum>7</manvolnum></citerefentry>.
'';
};
@ -178,7 +178,7 @@ in
path = [ pkgs.simp_le ];
preStart = ''
mkdir -p '${cfg.directory}'
chown '${data.user}:${data.group}' '${cfg.directory}'
chown -R '${data.user}:${data.group}' '${cfg.directory}'
if [ ! -d '${cpath}' ]; then
mkdir '${cpath}'
fi

2
nixos/modules/security/polkit.nix
View File

@ -64,7 +64,7 @@ in
systemd.packages = [ pkgs.polkit.out ];
systemd.services.polkit.restartTriggers = [ config.system.path ];
systemd.services.polkit.unitConfig.X-StopIfChanged = false;
systemd.services.polkit.stopIfChanged = false;
# The polkit daemon reads action/rule files
environment.pathsToLink = [ "/share/polkit-1" ];

14
nixos/modules/security/wrappers/default.nix
View File

@ -179,21 +179,31 @@ in
# Remove the old /var/setuid-wrappers path from the system...
#
# TODO: this is only necessary for ugprades 16.09 => 17.x;
# TODO: this is only necessary for upgrades 16.09 => 17.x;
# this conditional removal block needs to be removed after
# the release.
if [ -d /var/setuid-wrappers ]; then
rm -rf /var/setuid-wrappers
ln -s /run/wrappers/bin /var/setuid-wrappers
fi
# Remove the old /run/setuid-wrappers-dir path from the
# system as well...
#
# TODO: this is only necessary for ugprades 16.09 => 17.x;
# TODO: this is only necessary for upgrades 16.09 => 17.x;
# this conditional removal block needs to be removed after
# the release.
if [ -d /run/setuid-wrapper-dirs ]; then
rm -rf /run/setuid-wrapper-dirs
ln -s /run/wrappers/bin /run/setuid-wrapper-dirs
fi
# TODO: this is only necessary for upgrades 16.09 => 17.x;
# this conditional removal block needs to be removed after
# the release.
if readlink -f /run/booted-system | grep nixos-17 > /dev/null; then
rm -rf /run/setuid-wrapper-dirs
rm -rf /var/setuid-wrappers
fi
# We want to place the tmpdirs for the wrappers to the parent dir.

106
nixos/modules/services/backup/sitecopy-backup.nix
View File

@ -1,106 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (pkgs) sitecopy;
stateDir = "/var/spool/sitecopy";
sitecopyCron = backup : ''
${if backup ? period then backup.period else config.services.sitecopy.period} root ${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${backup.name}.conf --update ${backup.name} >> /var/log/sitecopy.log 2>&1
'';
in
{
options = {
services.sitecopy = {
enable = mkOption {
default = false;
description = ''
Whether to enable <command>sitecopy</command> backups of specified
directories.
'';
};
period = mkOption {
default = "15 04 * * *";
description = ''
This option defines (in the format used by <command>cron</command>)
when the <command>sitecopy</command> backups are to be run.
The default is to update at 04:15 (at night) every day.
'';
};
backups = mkOption {
example = [
{ name = "test";
local = "/tmp/backup";
remote = "/staff-groups/ewi/st/strategoxt/backup/test";
server = "webdata.tudelft.nl";
protocol = "webdav";
https = true ;
symlinks = "maintain" ;
}
];
default = [];
description = ''
List of attribute sets describing the backups.
Username/password are extracted from
<filename>${stateDir}/sitecopy.secrets</filename> at activation
time. The secrets file lines should have the following structure:
<screen>
server username password
</screen>
'';
};
};
};
config = mkIf config.services.sitecopy.enable {
environment.systemPackages = [ sitecopy ];
services.cron.systemCronJobs = map sitecopyCron config.services.sitecopy.backups;
system.activationScripts.sitecopyBackup = stringAfter [ "stdio" "users" ]
''
mkdir -m 0700 -p ${stateDir}
chown root ${stateDir}
touch ${stateDir}/sitecopy.secrets
chown root ${stateDir}/sitecopy.secrets
${lib.concatStrings (map ( b: ''
unset secrets
unset secret
secrets=`grep '^${b.server}' ${stateDir}/sitecopy.secrets | head -1`
secret=($secrets)
cat > ${stateDir}/${b.name}.conf << EOF
site ${b.name}
server ${b.server}
protocol ${b.protocol}
username ''${secret[1]}
password ''${secret[2]}
local ${b.local}
remote ${b.remote}
symlinks ${b.symlinks}
${if b.https then "http secure" else ""}
EOF
chmod 0600 ${stateDir}/${b.name}.conf
if ! test -e ${stateDir}/${b.name} ; then
echo " * Initializing sitecopy '${b.name}'"
${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${b.name}.conf --initialize ${b.name}
else
echo " * Sitecopy '${b.name}' already initialized"
fi
'' ) config.services.sitecopy.backups
)}
'';
};
}

13
nixos/modules/services/continuous-integration/gitlab-runner.nix
View File

@ -20,6 +20,14 @@ in
description = "The working directory used";
};
package = mkOption {
description = "Gitlab Runner package to use";
default = pkgs.gitlab-runner;
defaultText = "pkgs.gitlab-runner";
type = types.package;
example = literalExample "pkgs.gitlab-runner_1_11";
};
};
config = mkIf cfg.enable {
@ -29,7 +37,7 @@ in
requires = [ "docker.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''${pkgs.gitlab-runner.bin}/bin/gitlab-runner run \
ExecStart = ''${cfg.package.bin}/bin/gitlab-runner run \
--working-directory ${cfg.workDir} \
--config ${configFile} \
--service gitlab-runner \
@ -38,6 +46,9 @@ in
};
};
# Make the gitlab-runner command availabe so users can query the runner
environment.systemPackages = [ cfg.package ];
users.extraUsers.gitlab-runner = {
group = "gitlab-runner";
extraGroups = [ "docker" ];

5
nixos/modules/services/databases/neo4j.nix
View File

@ -27,9 +27,7 @@ let
''}
dbms.shell.enabled=true
${cfg.extraServerConfig}
'';
wrapperConfig = pkgs.writeText "neo4j-wrapper.conf" ''
# Default JVM parameters from neo4j.conf
dbms.jvm.additional=-XX:+UseG1GC
dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
@ -135,12 +133,11 @@ in {
preStart = ''
mkdir -m 0700 -p ${cfg.dataDir}/{data/graph.db,conf,logs}
ln -fs ${serverConfig} ${cfg.dataDir}/conf/neo4j.conf
ln -fs ${wrapperConfig} ${cfg.dataDir}/conf/neo4j-wrapper.conf
if [ "$(id -u)" = 0 ]; then chown -R neo4j ${cfg.dataDir}; fi
'';
};
environment.systemPackages = [ pkgs.neo4j ];
environment.systemPackages = [ cfg.package ];
users.extraUsers = singleton {
name = "neo4j";

5
nixos/modules/services/editors/emacs.xml
View File

@ -79,10 +79,11 @@
</listitem>
</varlistentry>
<varlistentry>
<term><varname>emacs24Macport</varname></term>
<term><varname>emacsMacport</varname></term>
<term><varname>emacs25Macport</varname></term>
<listitem>
<para>
Emacs 24 with the "Mac port" patches, providing a more
Emacs 25 with the "Mac port" patches, providing a more
native look and feel under OS X.
</para>
</listitem>

29
nixos/modules/services/hardware/bluetooth.nix
View File

@ -14,12 +14,26 @@ in
options = {
hardware.bluetooth.enable = mkEnableOption "support for Bluetooth.";
hardware.bluetooth = {
enable = mkEnableOption "support for Bluetooth.";
hardware.bluetooth.powerOnBoot = mkOption {
type = types.bool;
default = true;
description = "Whether to power up the default Bluetooth controller on boot.";
powerOnBoot = mkOption {
type = types.bool;
default = true;
description = "Whether to power up the default Bluetooth controller on boot.";
};
extraConfig = mkOption {
type = types.lines;
default = "";
example = ''
[General]
ControllerMode = bredr
'';
description = ''
Set additional configuration for system-wide bluetooth (/etc/bluetooth/main.conf).
'';
};
};
};
@ -30,6 +44,11 @@ in
environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ];
environment.etc = singleton {
source = pkgs.writeText "main.conf" cfg.extraConfig;
target = "bluetooth/main.conf";
};
services.udev.packages = [ bluez-bluetooth ];
services.dbus.packages = [ bluez-bluetooth ];
systemd.packages = [ bluez-bluetooth ];

6
nixos/modules/services/hardware/udev.nix
View File

@ -35,6 +35,7 @@ let
udevRules = pkgs.runCommand "udev-rules"
{ preferLocalBuild = true;
allowSubstitutes = false;
packages = unique (map toString cfg.packages);
}
''
mkdir -p $out
@ -45,7 +46,7 @@ let
echo 'ENV{PATH}="${udevPath}/bin:${udevPath}/sbin"' > $out/00-path.rules
# Add the udev rules from other packages.
for i in ${toString cfg.packages}; do
for i in $packages; do
echo "Adding rules for package $i"
for j in $i/{etc,lib}/udev/rules.d/*; do
echo "Copying $j to $out/$(basename $j)"
@ -132,10 +133,11 @@ let
hwdbBin = pkgs.runCommand "hwdb.bin"
{ preferLocalBuild = true;
allowSubstitutes = false;
packages = unique (map toString ([udev] ++ cfg.packages));
}
''
mkdir -p etc/udev/hwdb.d
for i in ${toString ([udev] ++ cfg.packages)}; do
for i in $packages; do
echo "Adding hwdb files for package $i"
for j in $i/{etc,lib}/udev/hwdb.d/*; do
ln -s $j etc/udev/hwdb.d/$(basename $j)

2
nixos/modules/services/logging/awstats.nix
View File

@ -38,7 +38,7 @@ in
Specification of the time at which awstats will get updated.
(in the format described by <citerefentry>
<refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>)
<manvolnum>7</manvolnum></citerefentry>)
'';
};

197
nixos/modules/services/mail/rmilter.nix
View File

@ -5,35 +5,38 @@ with lib;
let
rspamdCfg = config.services.rspamd;
postfixCfg = config.services.postfix;
cfg = config.services.rmilter;
inetSockets = map (sock: let s = stringSplit ":" sock; in "inet:${last s}:${head s}") cfg.bindInetSockets;
unixSockets = map (sock: "unix:${sock}") cfg.bindUnixSockets;
inetSocket = addr: port: "inet:[${toString port}@${addr}]";
unixSocket = sock: "unix:${sock}";
allSockets = unixSockets ++ inetSockets;
systemdSocket = if cfg.bindSocket.type == "unix" then cfg.bindSocket.path
else "${cfg.bindSocket.address}:${toString cfg.bindSocket.port}";
rmilterSocket = if cfg.bindSocket.type == "unix" then unixSocket cfg.bindSocket.path
else inetSocket cfg.bindSocket.address cfg.bindSocket.port;
rmilterConf = ''
pidfile = /run/rmilter/rmilter.pid;
bind_socket = ${if cfg.socketActivation then "fd:3" else concatStringsSep ", " allSockets};
tempdir = /tmp;
pidfile = /run/rmilter/rmilter.pid;
bind_socket = ${if cfg.socketActivation then "fd:3" else rmilterSocket};
tempdir = /tmp;
'' + (with cfg.rspamd; if enable then ''
spamd {
servers = ${concatStringsSep ", " servers};
connect_timeout = 1s;
results_timeout = 20s;
error_time = 10;
dead_time = 300;
maxerrors = 10;
reject_message = "${rejectMessage}";
${optionalString (length whitelist != 0) "whitelist = ${concatStringsSep ", " whitelist};"}
spamd {
servers = ${concatStringsSep ", " servers};
connect_timeout = 1s;
results_timeout = 20s;
error_time = 10;
dead_time = 300;
maxerrors = 10;
reject_message = "${rejectMessage}";
${optionalString (length whitelist != 0) "whitelist = ${concatStringsSep ", " whitelist};"}
# rspamd_metric - metric for using with rspamd
# Default: "default"
rspamd_metric = "default";
${extraConfig}
};
'' else "") + cfg.extraConfig;
# rspamd_metric - metric for using with rspamd
# Default: "default"
rspamd_metric = "default";
${extraConfig}
};
'' else "") + cfg.extraConfig;
rmilterConfigFile = pkgs.writeText "rmilter.conf" rmilterConf;
@ -48,11 +51,13 @@ in
services.rmilter = {
enable = mkOption {
type = types.bool;
default = cfg.rspamd.enable;
description = "Whether to run the rmilter daemon.";
};
debug = mkOption {
type = types.bool;
default = false;
description = "Whether to run the rmilter daemon in debug mode.";
};
@ -73,25 +78,37 @@ in
'';
};
bindUnixSockets = mkOption {
type = types.listOf types.str;
default = ["/run/rmilter/rmilter.sock"];
bindSocket.type = mkOption {
type = types.enum [ "unix" "inet" ];
default = "unix";
description = ''
Unix domain sockets to listen for MTA requests.
'';
example = ''
[ "/run/rmilter.sock"]
What kind of socket rmilter should listen on. Either "unix"
for an Unix domain socket or "inet" for a TCP socket.
'';
};
bindInetSockets = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Inet addresses to listen (in format accepted by systemd.socket)
bindSocket.path = mkOption {
type = types.str;
default = "/run/rmilter/rmilter.sock";
description = ''
Path to Unix domain socket to listen on.
'';
example = ''
["127.0.0.1:11990"]
};
bindSocket.address = mkOption {
type = types.str;
default = "::1";
example = "0.0.0.0";
description = ''
Inet address to listen on.
'';
};
bindSocket.port = mkOption {
type = types.int;
default = 11990;
description = ''
Inet port to listen on.
'';
};
@ -100,14 +117,16 @@ in
default = true;
description = ''
Enable systemd socket activation for rmilter.
(disabling socket activation not recommended
when unix socket used, and follow to wrong
permissions on unix domain socket.)
Disabling socket activation is not recommended when a Unix
domain socket is used and could lead to incorrect
permissions.
'';
};
rspamd = {
enable = mkOption {
type = types.bool;
default = rspamdCfg.enable;
description = "Whether to use rspamd to filter mails";
};
@ -157,13 +176,9 @@ in
type = types.str;
description = "Addon to postfix configuration";
default = ''
smtpd_milters = ${head allSockets}
# or for TCP socket
# # smtpd_milters = inet:localhost:9900
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
# skip mail without checks if milter will die
milter_default_action = accept
smtpd_milters = ${rmilterSocket}
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
'';
};
};
@ -175,52 +190,60 @@ milter_default_action = accept
###### implementation
config = mkIf cfg.enable {
config = mkMerge [
users.extraUsers = singleton {
name = cfg.user;
description = "rspamd daemon";
uid = config.ids.uids.rmilter;
group = cfg.group;
};
(mkIf cfg.enable {
users.extraGroups = singleton {
name = cfg.group;
gid = config.ids.gids.rmilter;
};
systemd.services.rmilter = {
description = "Rmilter Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = true;
Restart = "always";
RuntimeDirectory = "rmilter";
RuntimeDirectoryMode = "0755";
users.extraUsers = singleton {
name = cfg.user;
description = "rmilter daemon";
uid = config.ids.uids.rmilter;
group = cfg.group;
};
};
systemd.sockets.rmilter = mkIf cfg.socketActivation {
description = "Rmilter service socket";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = cfg.bindUnixSockets ++ cfg.bindInetSockets;
SocketUser = cfg.user;
SocketGroup = cfg.group;
SocketMode = "0666";
users.extraGroups = singleton {
name = cfg.group;
gid = config.ids.gids.rmilter;
};
};
services.postfix.extraConfig = optionalString cfg.postfix.enable cfg.postfix.configFragment;
users.users.postfix.extraGroups = [ cfg.group ];
};
systemd.services.rmilter = {
description = "Rmilter Service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = true;
Restart = "always";
RuntimeDirectory = "rmilter";
RuntimeDirectoryMode = "0750";
};
};
systemd.sockets.rmilter = mkIf cfg.socketActivation {
description = "Rmilter service socket";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = systemdSocket;
SocketUser = cfg.user;
SocketGroup = cfg.group;
SocketMode = "0660";
};
};
})
(mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {
users.extraUsers.${cfg.user}.extraGroups = [ rspamdCfg.group ];
})
(mkIf (cfg.enable && cfg.postfix.enable) {
services.postfix.extraConfig = cfg.postfix.configFragment;
users.extraUsers.${postfixCfg.user}.extraGroups = [ cfg.group ];
})
];
}

5
nixos/modules/services/mail/rspamd.nix
View File

@ -53,8 +53,11 @@ in
bindSocket = mkOption {
type = types.listOf types.str;
default = [
"/run/rspamd/rspamd.sock mode=0666 owner=${cfg.user}"
"/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
];
defaultText = ''[
"/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
]'';
description = ''
List of sockets to listen, in format acceptable by rspamd
'';

1
nixos/modules/services/misc/gitlab.nix
View File

@ -481,6 +481,7 @@ in {
mkdir -p ${cfg.statePath}/repositories
mkdir -p ${gitlabConfig.production.shared.path}/artifacts
mkdir -p ${gitlabConfig.production.shared.path}/lfs-objects
mkdir -p ${gitlabConfig.production.shared.path}/pages
mkdir -p ${cfg.statePath}/log
mkdir -p ${cfg.statePath}/shell
mkdir -p ${cfg.statePath}/tmp/pids

44
nixos/modules/services/misc/jackett.nix Normal file
View File

@ -0,0 +1,44 @@
{ config, pkgs, lib, mono, ... }:
with lib;
let
cfg = config.services.jackett;
in
{
options = {
services.jackett = {
enable = mkEnableOption "Jackett";
};
};
config = mkIf cfg.enable {
systemd.services.jackett = {
description = "Jackett";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
test -d /var/lib/jackett/ || {
echo "Creating jackett data directory in /var/lib/jackett/"
mkdir -p /var/lib/jackett/
}
chown -R jackett /var/lib/jackett/
chmod 0700 /var/lib/jackett/
'';
serviceConfig = {
Type = "simple";
User = "jackett";
Group = "nogroup";
PermissionsStartOnly = "true";
ExecStart = "${pkgs.jackett}/bin/Jackett";
Restart = "on-failure";
};
};
users.extraUsers.jackett = {
home = "/var/lib/jackett";
};
};
}

15
nixos/modules/services/misc/nix-daemon.nix
View File

@ -8,7 +8,7 @@ let
nix = cfg.package.out;
isNix112 = versionAtLeast (getVersion nix) "1.12pre4997";
isNix112 = versionAtLeast (getVersion nix) "1.12pre";
makeNixBuildUser = nr:
{ name = "nixbld${toString nr}";
@ -46,6 +46,7 @@ let
binary-caches = ${toString cfg.binaryCaches}
trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys}
auto-optimise-store = ${if cfg.autoOptimiseStore then "true" else "false"}
${optionalString cfg.requireSignedBinaryCaches ''
signed-binary-caches = *
''}
@ -86,6 +87,18 @@ in
'';
};
autoOptimiseStore = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
If set to true, Nix automatically detects files in the store that have
identical contents, and replaces them with hard links to a single copy.
This saves disk space. If set to false (the default), you can still run
nix-store --optimise to get rid of duplicate files.
'';
};
buildCores = mkOption {
type = types.int;
default = 1;

2
nixos/modules/services/misc/nix-gc.nix
View File

@ -26,7 +26,7 @@ in
description = ''
Specification (in the format described by
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>) of the time at
<manvolnum>7</manvolnum></citerefentry>) of the time at
which the garbage collector will run.
'';
};

2
nixos/modules/services/misc/nix-optimise.nix
View File

@ -26,7 +26,7 @@ in
description = ''
Specification (in the format described by
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>) of the time at
<manvolnum>7</manvolnum></citerefentry>) of the time at
which the optimiser will run.
'';
};

2
nixos/modules/services/misc/octoprint.nix
View File

@ -117,7 +117,7 @@ in
'';
serviceConfig = {
ExecStart = "${pkgs.octoprint}/bin/octoprint -b ${cfg.stateDir}";
ExecStart = "${pkgs.octoprint}/bin/octoprint serve -b ${cfg.stateDir}";
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = true;

44
nixos/modules/services/misc/radarr.nix Normal file
View File

@ -0,0 +1,44 @@
{ config, pkgs, lib, mono, ... }:
with lib;
let
cfg = config.services.radarr;
in
{
options = {
services.radarr = {
enable = mkEnableOption "Radarr";
};
};
config = mkIf cfg.enable {
systemd.services.radarr = {
description = "Radarr";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
test -d /var/lib/radarr/ || {
echo "Creating radarr data directory in /var/lib/radarr/"
mkdir -p /var/lib/radarr/
}
chown -R radarr /var/lib/radarr/
chmod 0700 /var/lib/radarr/
'';
serviceConfig = {
Type = "simple";
User = "radarr";
Group = "nogroup";
PermissionsStartOnly = "true";
ExecStart = "${pkgs.radarr}/bin/Radarr";
Restart = "on-failure";
};
};
users.extraUsers.radarr = {
home = "/var/lib/radarr";
};
};
}

20
nixos/modules/services/monitoring/munin.nix
View File

@ -193,14 +193,26 @@ in
}) (mkIf cronCfg.enable {
services.cron.systemCronJobs = [
"*/5 * * * * munin ${pkgs.munin}/bin/munin-cron --config ${muninConf}"
];
systemd.timers.munin-cron = {
description = "batch Munin master programs";
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "*:0/5";
};
systemd.services.munin-cron = {
description = "batch Munin master programs";
unitConfig.Documentation = "man:munin-cron(8)";
serviceConfig = {
Type = "oneshot";
User = "munin";
ExecStart = "${pkgs.munin}/bin/munin-cron --config ${muninConf}";
};
};
system.activationScripts.munin-cron = stringAfter [ "users" "groups" ] ''
mkdir -p /var/{run,log,www,lib}/munin
chown -R munin:munin /var/{run,log,www,lib}/munin
'';
})];
}

1
nixos/modules/services/network-filesystems/openafs-client/default.nix
View File

@ -76,6 +76,7 @@ in
description = "AFS client";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = { RemainAfterExit = true; };
preStart = ''
mkdir -p -m 0755 /afs

10
nixos/modules/services/networking/avahi-daemon.nix
View File

@ -21,6 +21,7 @@ let
use-ipv6=${if ipv6 then "yes" else "no"}
${optionalString (interfaces!=null) "allow-interfaces=${concatStringsSep "," interfaces}"}
${optionalString (domainName!=null) "domain-name=${domainName}"}
allow-point-to-point=${if allowPointToPoint then "yes" else "no"}
[wide-area]
enable-wide-area=${if wideArea then "yes" else "no"}
@ -98,6 +99,15 @@ in
'';
};
allowPointToPoint = mkOption {
default = false;
description= ''
Whether to use POINTTOPOINT interfaces. Might make mDNS unreliable due to usually large
latencies with such links and opens a potential security hole by allowing mDNS access from Internet
connections. Use with care and YMMV!
'';
};
wideArea = mkOption {
default = true;
description = ''Whether to enable wide-area service discovery.'';

2
nixos/modules/services/networking/dnscrypt-proxy.nix
View File

@ -220,6 +220,8 @@ in
${getLib pkgs.attr}/lib/libattr.so.* mr, # */
${resolverList} r,
/run/systemd/notify rw,
}
'');
})

11
nixos/modules/services/networking/nftables.nix
View File

@ -17,6 +17,17 @@ in
This conflicts with the standard networking firewall, so make sure to
disable it before using nftables.
Note that if you have Docker enabled you will not be able to use
nftables without intervention. Docker uses iptables internally to
setup NAT for containers. This module disables the ip_tables kernel
module, however Docker automatically loads the module. Please see [1]
for more information.
There are other programs that use iptables internally too, such as
libvirt.
[1]: https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273
'';
};
networking.nftables.ruleset = mkOption {

15
nixos/modules/services/networking/searx.nix
View File

@ -18,17 +18,12 @@ in
services.searx = {
enable = mkOption {
type = types.bool;
default = false;
description = "
Whether to enable the Searx server. See https://github.com/asciimoo/searx
";
};
enable = mkEnableOption
"the searx server. See https://github.com/asciimoo/searx";
configFile = mkOption {
type = types.path;
default = "";
type = types.nullOr types.path;
default = null;
description = "
The path of the Searx server configuration file. If no file
is specified, a default file is used (default config file has
@ -72,7 +67,7 @@ in
User = "searx";
ExecStart = "${cfg.package}/bin/searx-run";
};
} // (optionalAttrs (configFile != "") {
} // (optionalAttrs (configFile != null) {
environment.SEARX_SETTINGS_PATH = configFile;
});

45
nixos/modules/services/networking/ssh/sshd.nix
View File

@ -240,7 +240,7 @@ in
systemd =
let
sshd-service =
service =
{ description = "SSH Daemon";
wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target";
@ -251,8 +251,20 @@ in
environment.LD_LIBRARY_PATH = nssModulesPath;
wants = [ "sshd-keygen.service" ];
after = [ "sshd-keygen.service" ];
preStart =
''
# Make sure we don't write to stdout, since in case of
# socket activation, it goes to the remote side (#19589).
exec >&2
mkdir -m 0755 -p /etc/ssh
${flip concatMapStrings cfg.hostKeys (k: ''
if ! [ -f "${k.path}" ]; then
ssh-keygen -t "${k.type}" ${if k ? bits then "-b ${toString k.bits}" else ""} -f "${k.path}" -N ""
fi
'')}
'';
serviceConfig =
{ ExecStart =
@ -262,31 +274,12 @@ in
KillMode = "process";
} // (if cfg.startWhenNeeded then {
StandardInput = "socket";
StandardError = "journal";
} else {
Restart = "always";
Type = "simple";
});
};
sshd-keygen-service =
{ description = "SSH Host Key Generation";
path = [ cfgc.package ];
script =
''
mkdir -m 0755 -p /etc/ssh
${flip concatMapStrings cfg.hostKeys (k: ''
if ! [ -f "${k.path}" ]; then
ssh-keygen -t "${k.type}" ${if k ? bits then "-b ${toString k.bits}" else ""} -f "${k.path}" -N ""
fi
'')}
'';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
};
};
in
if cfg.startWhenNeeded then {
@ -298,13 +291,11 @@ in
socketConfig.Accept = true;
};
services.sshd-keygen = sshd-keygen-service;
services."sshd@" = sshd-service;
services."sshd@" = service;
} else {
services.sshd-keygen = sshd-keygen-service;
services.sshd = sshd-service;
services.sshd = service;
};

3
nixos/modules/services/networking/vsftpd.nix
View File

@ -37,6 +37,9 @@ let
(yesNoOption "anonymousUser" "anonymous_enable" false ''
Whether to enable the anonymous FTP user.
'')
(yesNoOption "anonymousUserNoPassword" "no_anon_password" false ''
Whether to disable the password for the anonymous FTP user.
'')
(yesNoOption "localUsers" "local_enable" false ''
Whether to enable FTP for local users.
'')

1
nixos/modules/services/security/tor.nix
View File

@ -140,6 +140,7 @@ in
};
privoxy.enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether to enable and configure the system Privoxy to use Tor's

96
nixos/modules/services/system/earlyoom.nix Normal file
View File

@ -0,0 +1,96 @@
{ config, lib, pkgs, ... }:
with lib;
let
ecfg = config.services.earlyoom;
in
{
options = {
services.earlyoom = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable early out of memory killing.
'';
};
freeMemThreshold = mkOption {
type = types.int;
default = 10;
description = ''
Minimum of availabe memory (in percent).
If the free memory falls below this threshold and the analog is true for
<option>services.earlyoom.freeSwapThreshold</option>
the killing begins.
'';
};
freeSwapThreshold = mkOption {
type = types.int;
default = 10;
description = ''
Minimum of availabe swap space (in percent).
If the available swap space falls below this threshold and the analog
is true for <option>services.earlyoom.freeMemThreshold</option>
the killing begins.
'';
};
useKernelOOMKiller= mkOption {
type = types.bool;
default = false;
description = ''
Use kernel OOM killer instead of own user-space implementation.
'';
};
ignoreOOMScoreAdjust = mkOption {
type = types.bool;
default = false;
description = ''
Ignore oom_score_adjust values of processes.
User-space implementation only.
'';
};
enableDebugInfo = mkOption {
type = types.bool;
default = false;
description = ''
Enable debugging messages.
'';
};
};
};
config = mkIf ecfg.enable {
assertions = [
{ assertion = ecfg.freeMemThreshold > 0 && ecfg.freeMemThreshold <= 100;
message = "Needs to be a positive percentage"; }
{ assertion = ecfg.freeSwapThreshold > 0 && ecfg.freeSwapThreshold <= 100;
message = "Needs to be a positive percentage"; }
{ assertion = !ecfg.useKernelOOMKiller || !ecfg.ignoreOOMScoreAdjust;
message = "Both options in conjunction do not make sense"; }
];
systemd.services.earlyoom = {
description = "Early OOM Daemon for Linux";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
StandardOutput = "null";
StandardError = "syslog";
ExecStart = ''
${pkgs.earlyoom}/bin/earlyoom \
-m ${toString ecfg.freeMemThreshold} \
-s ${toString ecfg.freeSwapThreshold} \
${optionalString ecfg.useKernelOOMKiller "-k"} \
${optionalString ecfg.ignoreOOMScoreAdjust "-i"} \
${optionalString ecfg.enableDebugInfo "-d"}
'';
};
};
};
}

31
nixos/modules/services/web-servers/apache-httpd/wordpress.nix
View File

@ -9,7 +9,7 @@ let
<?php
define('DB_NAME', '${config.dbName}');
define('DB_USER', '${config.dbUser}');
define('DB_PASSWORD', '${config.dbPassword}');
define('DB_PASSWORD', file_get_contents('${config.dbPasswordFile}'));
define('DB_HOST', '${config.dbHost}');
define('DB_CHARSET', 'utf8');
$table_prefix = '${config.tablePrefix}';
@ -137,9 +137,34 @@ in
};
dbPassword = mkOption {
default = "wordpress";
description = "The mysql password to the respective dbUser.";
description = ''
The mysql password to the respective dbUser.
Warning: this password is stored in the world-readable Nix store. It's
recommended to use the $dbPasswordFile option since that gives you control over
the security of the password. $dbPasswordFile also takes precedence over $dbPassword.
'';
example = "wordpress";
};
dbPasswordFile = mkOption {
type = types.str;
default = toString (pkgs.writeTextFile {
name = "wordpress-dbpassword";
text = config.dbPassword;
});
example = "/run/keys/wordpress-dbpassword";
description = ''
Path to a file that contains the mysql password to the respective dbUser.
The file should be readable by the user: config.services.httpd.user.
$dbPasswordFile takes precedence over the $dbPassword option.
This defaults to a file in the world-readable Nix store that contains the value
of the $dbPassword option. It's recommended to override this with a path not in
the Nix store. Tip: use nixops key management:
<link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'/>
'';
};
tablePrefix = mkOption {
default = "wp_";
description = ''
@ -251,7 +276,7 @@ in
sleep 1
done
${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'
${pkgs.mysql}/bin/mysql -e 'GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "${config.dbPassword}";'
${pkgs.mysql}/bin/mysql -e "GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY \"$(cat ${config.dbPasswordFile})\";"
else
echo "Good, no need to do anything database related."
fi

36
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -87,6 +87,8 @@ let
server_tokens ${if cfg.serverTokens then "on" else "off"};
${cfg.commonHttpConfig}
${vhosts}
${optionalString cfg.statusPage ''
@ -183,6 +185,7 @@ let
${optionalString (config.index != null) "index ${config.index};"}
${optionalString (config.tryFiles != null) "try_files ${config.tryFiles};"}
${optionalString (config.root != null) "root ${config.root};"}
${optionalString (config.alias != null) "alias ${config.alias};"}
${config.extraConfig}
}
'') locations);
@ -244,11 +247,13 @@ in
};
package = mkOption {
default = pkgs.nginx;
defaultText = "pkgs.nginx";
default = pkgs.nginxStable;
defaultText = "pkgs.nginxStable";
type = types.package;
description = "
Nginx package to use.
Nginx package to use. This defaults to the stable version. Note
that the nginx team recommends to use the mainline version which
available in nixpkgs as <literal>nginxMainline</literal>.
";
};
@ -275,6 +280,24 @@ in
'';
};
commonHttpConfig = mkOption {
type = types.lines;
default = "";
example = ''
resolver 127.0.0.1 valid=5s;
log_format myformat '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
'';
description = ''
With nginx you must provide common http context definitions before
they are used, e.g. log_format, resolver, etc. inside of server
or location contexts. Use this attribute to set these definitions
at the appropriate location.
'';
};
httpConfig = mkOption {
type = types.lines;
default = "";
@ -381,6 +404,13 @@ in
config = mkIf cfg.enable {
# TODO: test user supplied config file pases syntax test
assertions = let hostOrAliasIsNull = l: l.root == null || l.alias == null; in [
{
assertion = all (host: all hostOrAliasIsNull (attrValues host.locations)) (attrValues virtualHosts);
message = "Only one of nginx root or alias can be specified on a location.";
}
];
systemd.services.nginx = {
description = "Nginx Web Server";
after = [ "network.target" ];

9
nixos/modules/services/web-servers/nginx/location-options.nix
View File

@ -45,6 +45,15 @@ with lib;
'';
};
alias = mkOption {
type = types.nullOr types.path;
default = null;
example = "/your/alias/directory";
description = ''
Alias directory for requests.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";

1
nixos/modules/services/web-servers/phpfpm/default.nix
View File

@ -147,7 +147,6 @@ in {
cfgFile = fpmCfgFile pool poolConfig;
in {
Slice = "phpfpm.slice";
PrivateTmp = true;
PrivateDevices = true;
ProtectSystem = "full";
ProtectHome = true;

2
nixos/modules/services/x11/desktop-managers/enlightenment.nix
View File

@ -64,7 +64,7 @@ in
security.wrappers.e_freqset.source = "${e.enlightenment.out}/bin/e_freqset";
environment.etc = singleton
{ source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
{ source = xcfg.xkbDir;
target = "X11/xkb";
};

4
nixos/modules/services/x11/desktop-managers/lumina.nix
View File

@ -32,8 +32,8 @@ in
environment.systemPackages = [
pkgs.fluxbox
pkgs.qt5.kwindowsystem
pkgs.qt5.oxygen-icons5
pkgs.libsForQt5.kwindowsystem
pkgs.kdeFrameworks.oxygen-icons5
pkgs.lumina
pkgs.numlockx
pkgs.qt5.qtsvg

13
nixos/modules/services/x11/desktop-managers/plasma5.nix
View File

@ -176,7 +176,7 @@ in
environment.pathsToLink = [ "/share" ];
environment.etc = singleton {
source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
source = xcfg.xkbDir;
target = "X11/xkb";
};
@ -208,11 +208,7 @@ in
services.xserver.displayManager.sddm = {
theme = "breeze";
themes = [
pkgs.extra-cmake-modules # for the setup-hook
plasma5.plasma-workspace
pkgs.breeze-icons
];
package = pkgs.sddmPlasma5;
};
security.pam.services.kde = { allowNullPassword = true; };
@ -225,11 +221,6 @@ in
security.pam.services.sddm.enableKwallet = true;
security.pam.services.slim.enableKwallet = true;
# use kimpanel as the default IBus panel
i18n.inputMethod.ibus.panel =
lib.mkDefault
"${plasma5.plasma-desktop}/lib/libexec/kimpanel-ibus-panel";
})
];

2
nixos/modules/services/x11/display-managers/default.nix
View File

@ -24,7 +24,7 @@ let
Xft.lcdfilter: lcd${fontconfig.subpixel.lcdfilter}
Xft.hinting: ${if fontconfig.hinting.enable then "1" else "0"}
Xft.autohint: ${if fontconfig.hinting.autohint then "1" else "0"}
Xft.hintstyle: hint${fontconfig.hinting.style}
Xft.hintstyle: hintslight
'';
# file provided by services.xserver.displayManager.session.script

10
nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix
View File

@ -45,6 +45,7 @@ let
theme-name = ${cfg.theme.name}
icon-theme-name = ${cfg.iconTheme.name}
background = ${ldmcfg.background}
${cfg.extraConfig}
'';
in
@ -103,6 +104,15 @@ in
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra configuration that should be put in the lightdm-gtk-greeter.conf
configuration file.
'';
};
};
};

11
nixos/modules/services/x11/display-managers/sddm.nix
View File

@ -9,7 +9,7 @@ let
cfg = dmcfg.sddm;
xEnv = config.systemd.services."display-manager".environment;
sddm = pkgs.sddm.override { inherit (cfg) themes; };
sddm = cfg.package;
xserverWrapper = pkgs.writeScript "xserver-wrapper" ''
#!/bin/sh
@ -105,11 +105,12 @@ in
'';
};
themes = mkOption {
type = types.listOf types.package;
default = [];
package = mkOption {
type = types.package;
default = pkgs.sddm;
description = ''
Extra packages providing themes.
The SDDM package to install.
The default package can be overridden to provide extra themes.
'';
};

37
nixos/modules/services/x11/window-managers/2bwm.nix Normal file
View File

@ -0,0 +1,37 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.xserver.windowManager."2bwm";
in
{
###### interface
options = {
services.xserver.windowManager."2bwm".enable = mkEnableOption "2bwm";
};
###### implementation
config = mkIf cfg.enable {
services.xserver.windowManager.session = singleton
{ name = "2bwm";
start =
''
${pkgs."2bwm"}/bin/2bwm &
waitPID=$!
'';
};
environment.systemPackages = [ pkgs."2bwm" ];
};
}

2
nixos/modules/services/x11/window-managers/default.nix
View File

@ -8,12 +8,14 @@ in
{
imports = [
./2bwm.nix
./afterstep.nix
./bspwm.nix
./compiz.nix
./dwm.nix
./exwm.nix
./fluxbox.nix
./fvwm.nix
./herbstluftwm.nix
./i3.nix
./jwm.nix

41
nixos/modules/services/x11/window-managers/fvwm.nix Normal file
View File

@ -0,0 +1,41 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.xserver.windowManager.fvwm;
fvwm = pkgs.fvwm.override { gestures = cfg.gestures; };
in
{
###### interface
options = {
services.xserver.windowManager.fvwm = {
enable = mkEnableOption "Fvwm window manager";
gestures = mkOption {
default = false;
type = types.bool;
description = "Whether or not to enable libstroke for gesture support";
};
};
};
###### implementation
config = mkIf cfg.enable {
services.xserver.windowManager.session = singleton
{ name = "fvwm";
start =
''
${fvwm}/bin/fvwm &
waitPID=$!
'';
};
environment.systemPackages = [ fvwm ];
};
}

2
nixos/modules/system/activation/top-level.nix
View File

@ -53,6 +53,8 @@ let
ln -s ${config.system.build.initialRamdisk}/initrd $out/initrd
ln -s ${config.system.build.initialRamdiskSecretAppender}/bin/append-initrd-secrets $out
ln -s ${config.hardware.firmware}/lib/firmware $out/firmware
''}

33
nixos/modules/system/boot/initrd-ssh.nix
View File

@ -44,9 +44,10 @@ in
description = ''
RSA SSH private key file in the Dropbear format.
WARNING: This key is contained insecurely in the global Nix store. Do NOT
use your regular SSH host private keys for this purpose or you'll expose
them to regular users!
WARNING: Unless your bootloader supports initrd secrets, this key is
contained insecurely in the global Nix store. Do NOT use your regular
SSH host private keys for this purpose or you'll expose them to
regular users!
'';
};
@ -56,9 +57,10 @@ in
description = ''
DSS SSH private key file in the Dropbear format.
WARNING: This key is contained insecurely in the global Nix store. Do NOT
use your regular SSH host private keys for this purpose or you'll expose
them to regular users!
WARNING: Unless your bootloader supports initrd secrets, this key is
contained insecurely in the global Nix store. Do NOT use your regular
SSH host private keys for this purpose or you'll expose them to
regular users!
'';
};
@ -68,9 +70,10 @@ in
description = ''
ECDSA SSH private key file in the Dropbear format.
WARNING: This key is contained insecurely in the global Nix store. Do NOT
use your regular SSH host private keys for this purpose or you'll expose
them to regular users!
WARNING: Unless your bootloader supports initrd secrets, this key is
contained insecurely in the global Nix store. Do NOT use your regular
SSH host private keys for this purpose or you'll expose them to
regular users!
'';
};
@ -97,10 +100,6 @@ in
boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear
cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib
${optionalString (cfg.hostRSAKey != null) "install -D ${cfg.hostRSAKey} $out/etc/dropbear/dropbear_rsa_host_key"}
${optionalString (cfg.hostDSSKey != null) "install -D ${cfg.hostDSSKey} $out/etc/dropbear/dropbear_dss_host_key"}
${optionalString (cfg.hostECDSAKey != null) "install -D ${cfg.hostECDSAKey} $out/etc/dropbear/dropbear_ecdsa_host_key"}
'';
boot.initrd.extraUtilsCommandsTest = ''
@ -116,9 +115,6 @@ in
touch /var/log/lastlog
mkdir -p /etc/dropbear
${optionalString (cfg.hostRSAKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key"}
${optionalString (cfg.hostDSSKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_dss_host_key /etc/dropbear/dropbear_dss_host_key"}
${optionalString (cfg.hostECDSAKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_ecdsa_host_key /etc/dropbear/dropbear_ecdsa_host_key"}
mkdir -p /root/.ssh
${concatStrings (map (key: ''
@ -128,6 +124,11 @@ in
dropbear -s -j -k -E -m -p ${toString cfg.port}
'';
boot.initrd.secrets =
(optionalAttrs (cfg.hostRSAKey != null) { "/etc/dropbear/dropbear_rsa_host_key" = cfg.hostRSAKey; }) //
(optionalAttrs (cfg.hostDSSKey != null) { "/etc/dropbear/dropbear_dss_host_key" = cfg.hostDSSKey; }) //
(optionalAttrs (cfg.hostECDSAKey != null) { "/etc/dropbear/dropbear_ecdsa_host_key" = cfg.hostECDSAKey; });
};
}

62
nixos/modules/system/boot/loader/grub/install-grub.pl
View File

@ -443,9 +443,40 @@ my $confFile = $grubVersion == 1 ? "$bootPath/grub/menu.lst" : "$bootPath/grub/g
my $tmpFile = $confFile . ".tmp";
writeFile($tmpFile, $conf);
# check whether to install GRUB EFI or not
sub getEfiTarget {
if ($grubVersion == 1) {
return "no"
} elsif (($grub ne "") && ($grubEfi ne "")) {
# EFI can only be installed when target is set;
# A target is also required then for non-EFI grub
if (($grubTarget eq "") || ($grubTargetEfi eq "")) { die }
else { return "both" }
} elsif (($grub ne "") && ($grubEfi eq "")) {
# TODO: It would be safer to disallow non-EFI grub installation if no taget is given.
# If no target is given, then grub auto-detects the target which can lead to errors.
# E.g. it seems as if grub would auto-detect a EFI target based on the availability
# of a EFI partition.
# However, it seems as auto-detection is currently relied on for non-x86_64 and non-i386
# architectures in NixOS. That would have to be fixed in the nixos modules first.
return "no"
} elsif (($grub eq "") && ($grubEfi ne "")) {
# EFI can only be installed when target is set;
if ($grubTargetEfi eq "") { die }
else {return "only" }
} else {
# prevent an installation if neither grub nor grubEfi is given
return "neither"
}
}
my $efiTarget = getEfiTarget();
# Append entries detected by os-prober
if (get("useOSProber") eq "true") {
system(get("shell"), "-c", "pkgdatadir=$grub/share/grub $grub/etc/grub.d/30_os-prober >> $tmpFile");
my $targetpackage = ($efiTarget eq "no") ? $grub : $grubEfi;
system(get("shell"), "-c", "pkgdatadir=$targetpackage/share/grub $targetpackage/etc/grub.d/30_os-prober >> $tmpFile");
}
# Atomically switch to the new config
@ -498,36 +529,7 @@ sub getDeviceTargets {
}
return @devices;
}
# check whether to install GRUB EFI or not
sub getEfiTarget {
if ($grubVersion == 1) {
return "no"
} elsif (($grub ne "") && ($grubEfi ne "")) {
# EFI can only be installed when target is set;
# A target is also required then for non-EFI grub
if (($grubTarget eq "") || ($grubTargetEfi eq "")) { die }
else { return "both" }
} elsif (($grub ne "") && ($grubEfi eq "")) {
# TODO: It would be safer to disallow non-EFI grub installation if no taget is given.
# If no target is given, then grub auto-detects the target which can lead to errors.
# E.g. it seems as if grub would auto-detect a EFI target based on the availability
# of a EFI partition.
# However, it seems as auto-detection is currently relied on for non-x86_64 and non-i386
# architectures in NixOS. That would have to be fixed in the nixos modules first.
return "no"
} elsif (($grub eq "") && ($grubEfi ne "")) {
# EFI can only be installed when target is set;
if ($grubTargetEfi eq "") { die }
else {return "only" }
} else {
# prevent an installation if neither grub nor grubEfi is given
return "neither"
}
}
my @deviceTargets = getDeviceTargets();
my $efiTarget = getEfiTarget();
my $prevGrubState = readGrubState();
my @prevDeviceTargets = split/,/, $prevGrubState->devices;

10
nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
View File

@ -32,8 +32,11 @@ def write_loader_conf(generation):
f.write("editor 0");
os.rename("@efiSysMountPoint@/loader/loader.conf.tmp", "@efiSysMountPoint@/loader/loader.conf")
def profile_path(generation, name):
return os.readlink("%s/%s" % (system_dir(generation), name))
def copy_from_profile(generation, name, dry_run=False):
store_file_path = os.readlink("%s/%s" % (system_dir(generation), name))
store_file_path = profile_path(generation, name)
suffix = os.path.basename(store_file_path)
store_dir = os.path.basename(os.path.dirname(store_file_path))
efi_file_path = "/efi/nixos/%s-%s.efi" % (store_dir, suffix)
@ -44,6 +47,11 @@ def copy_from_profile(generation, name, dry_run=False):
def write_entry(generation, machine_id):
kernel = copy_from_profile(generation, "kernel")
initrd = copy_from_profile(generation, "initrd")
try:
append_initrd_secrets = profile_path(generation, "append-initrd-secrets")
subprocess.check_call([append_initrd_secrets, "@efiSysMountPoint@%s" % (initrd)])
except FileNotFoundError:
pass
entry_file = "@efiSysMountPoint@/loader/entries/nixos-generation-%d.conf" % (generation)
generation_dir = os.readlink(system_dir(generation))
tmp_path = "%s.tmp" % (entry_file)

2
nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
View File

@ -65,6 +65,8 @@ in {
boot.loader.grub.enable = mkDefault false;
boot.loader.supportsInitrdSecrets = true;
system = {
build.installBootLoader = gummibootBuilder;

51
nixos/modules/system/boot/luksroot.nix
View File

@ -6,29 +6,38 @@ let
luks = config.boot.initrd.luks;
openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
# Wait for luksRoot to appear, e.g. if on a usb drive.
# XXX: copied and adapted from stage-1-init.sh - should be
# available as a function.
if ! test -e ${device}; then
echo -n "waiting 10 seconds for device ${device} to appear..."
for try in $(seq 10); do
sleep 1
if test -e ${device}; then break; fi
echo -n .
done
echo "ok"
fi
# Wait for a target (e.g. device, keyFile, header, ...) to appear.
wait_target() {
local name="$1"
local target="$2"
if [ ! -e $target ]; then
echo -n "Waiting 10 seconds for $name $target to appear"
local success=false;
for try in $(seq 10); do
echo -n "."
sleep 1
if [ -e $target ]; then success=true break; fi
done
if [ $success = true ]; then
echo " - success";
else
echo " - failure";
fi
fi
}
# Wait for luksRoot (and optionally keyFile and/or header) to appear, e.g.
# if on a USB drive.
wait_target "device" ${device}
${optionalString (keyFile != null) ''
if ! test -e ${keyFile}; then
echo -n "waiting 10 seconds for key file ${keyFile} to appear..."
for try in $(seq 10); do
sleep 1
if test -e ${keyFile}; then break; fi
echo -n .
done
echo "ok"
fi
wait_target "key file" ${keyFile}
''}
${optionalString (header != null) ''
wait_target "header" ${header}
''}
open_normally() {

8
nixos/modules/system/boot/stage-1-init.sh
View File

@ -8,6 +8,14 @@ export LD_LIBRARY_PATH=@extraUtils@/lib
export PATH=@extraUtils@/bin
ln -s @extraUtils@/bin /bin
# Copy the secrets to their needed location
if [ -d "@extraUtils@/secrets" ]; then
for secret in $(cd "@extraUtils@/secrets"; find . -type f); do
mkdir -p $(dirname "/$secret")
ln -s "@extraUtils@/secrets/$secret" "$secret"
done
fi
# Stop LVM complaining about fd3
export LVM_SUPPRESS_FD_WARNINGS=true

93
nixos/modules/system/boot/stage-1.nix
View File

@ -82,6 +82,17 @@ let
copy_bin_and_libs ${pkgs.e2fsprogs}/sbin/resize2fs
''}
# Copy secrets if needed.
${optionalString (!config.boot.loader.supportsInitrdSecrets)
(concatStringsSep "\n" (mapAttrsToList (dest: source:
let source' = if source == null then dest else source; in
''
mkdir -p $(dirname "$out/secrets/${dest}")
cp -a ${source'} "$out/secrets/${dest}"
''
) config.boot.initrd.secrets))
}
${config.boot.initrd.extraUtilsCommands}
# Copy ld manually since it isn't detected correctly
@ -242,6 +253,52 @@ let
];
};
# Script to add secret files to the initrd at bootloader update time
initialRamdiskSecretAppender =
pkgs.writeScriptBin "append-initrd-secrets"
''
#!${pkgs.bash}/bin/bash -e
function usage {
echo "USAGE: $0 INITRD_FILE" >&2
echo "Appends this configuration's secrets to INITRD_FILE" >&2
}
if [ $# -ne 1 ]; then
usage
exit 1
fi
if [ "$1"x = "--helpx" ]; then
usage
exit 0
fi
${lib.optionalString (config.boot.initrd.secrets == {})
"exit 0"}
export PATH=${pkgs.coreutils}/bin:${pkgs.cpio}/bin:${pkgs.gzip}/bin:${pkgs.findutils}/bin
function cleanup {
if [ -n "$tmp" -a -d "$tmp" ]; then
rm -fR "$tmp"
fi
}
trap cleanup EXIT
tmp=$(mktemp -d initrd-secrets.XXXXXXXXXX)
${lib.concatStringsSep "\n" (mapAttrsToList (dest: source:
let source' = if source == null then dest else toString source; in
''
mkdir -p $(dirname "$tmp/${dest}")
cp -a ${source'} "$tmp/${dest}"
''
) config.boot.initrd.secrets)
}
(cd "$tmp" && find . | cpio -H newc -o) | gzip >>"$1"
'';
in
{
@ -370,6 +427,25 @@ in
example = "xz";
};
boot.initrd.secrets = mkOption
{ internal = true;
default = {};
type = types.attrsOf (types.nullOr types.path);
description =
''
Secrets to append to the initrd. The attribute name is the
path the secret should have inside the initrd, the value
is the path it should be copied from (or null for the same
path inside and out).
'';
example = literalExample
''
{ "/etc/dropbear/dropbear_rsa_host_key" =
./secret-dropbear-key;
}
'';
};
boot.initrd.supportedFilesystems = mkOption {
default = [ ];
example = [ "btrfs" ];
@ -377,6 +453,18 @@ in
description = "Names of supported filesystem types in the initial ramdisk.";
};
boot.loader.supportsInitrdSecrets = mkOption
{ internal = true;
default = false;
type = types.bool;
description =
''
Whether the bootloader setup runs append-initrd-secrets.
If not, any needed secrets must be copied into the initrd
and thus added to the store.
'';
};
fileSystems = mkOption {
options.neededForBoot = mkOption {
default = false;
@ -404,9 +492,8 @@ in
}
];
system.build.bootStage1 = bootStage1;
system.build.initialRamdisk = initialRamdisk;
system.build.extraUtils = extraUtils;
system.build =
{ inherit bootStage1 initialRamdisk initialRamdiskSecretAppender extraUtils; };
system.requiredKernelConfig = with config.lib.kernelConfig; [
(isYes "TMPFS")

6
nixos/modules/system/boot/systemd-unit-options.nix
View File

@ -328,7 +328,7 @@ in rec {
Automatically start this unit at the given date/time, which
must be in the format described in
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>. This is equivalent
<manvolnum>7</manvolnum></citerefentry>. This is equivalent
to adding a corresponding timer unit with
<option>OnCalendar</option> set to the value given here.
'';
@ -375,9 +375,9 @@ in rec {
Each attribute in this set specifies an option in the
<literal>[Timer]</literal> section of the unit. See
<citerefentry><refentrytitle>systemd.timer</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> and
<manvolnum>7</manvolnum></citerefentry> and
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
<manvolnum>7</manvolnum></citerefentry> for details.
'';
};

3
nixos/modules/system/boot/systemd.nix
View File

@ -829,7 +829,8 @@ in
# Some overrides to upstream units.
systemd.services."systemd-backlight@".restartIfChanged = false;
systemd.services."systemd-rfkill@".restartIfChanged = false;
systemd.services."systemd-fsck@".restartIfChanged = false;
systemd.services."systemd-fsck@".path = [ config.system.path ];
systemd.services."user@".restartIfChanged = false;
systemd.services.systemd-journal-flush.restartIfChanged = false;
systemd.services.systemd-random-seed.restartIfChanged = false;

2
nixos/modules/tasks/filesystems.nix
View File

@ -221,7 +221,7 @@ in
environment.etc.fstab.text =
let
fsToSkipCheck = [ "none" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" ];
fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" ];
skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck;
in ''
# This is a generated file. Do not edit!

2
nixos/modules/tasks/filesystems/zfs.nix
View File

@ -234,7 +234,7 @@ in
description = ''
Systemd calendar expression when to scrub ZFS pools. See
<citerefentry><refentrytitle>systemd.time</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>.
<manvolnum>7</manvolnum></citerefentry>.
'';
};

56
nixos/modules/tasks/network-interfaces-scripted.nix
View File

@ -159,35 +159,42 @@ let
after = [ "network-pre.target" ] ++ (deviceDependency i.name);
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
# Restart rather than stop+start this unit to prevent the
# network from dying during switch-to-configuration.
stopIfChanged = false;
path = [ pkgs.iproute ];
script =
''
# FIXME: shouldn't this be done in network-link?
echo "bringing up interface..."
ip link set "${i.name}" up
restart_network_interfaces=false
state="/run/nixos/network/addresses/${i.name}"
mkdir -p $(dirname "$state")
'' + flip concatMapStrings (ips) (ip:
let
address = "${ip.address}/${toString ip.prefixLength}";
in
''
echo "checking ip ${address}..."
echo "${address}" >> $state
if out=$(ip addr add "${address}" dev "${i.name}" 2>&1); then
echo "added ip ${address}..."
echo "added ip ${address}"
elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then
echo "failed to add ${address}"
exit 1
fi
'');
preStop = flip concatMapStrings (ips) (ip:
let
address = "${ip.address}/${toString ip.prefixLength}";
in
''
echo -n "deleting ${address}..."
ip addr del "${address}" dev "${i.name}" >/dev/null 2>&1 || echo -n " Failed"
echo ""
'');
preStop = ''
state="/run/nixos/network/addresses/${i.name}"
while read address; do
echo -n "deleting $address..."
ip addr del "$address" dev "${i.name}" >/dev/null 2>&1 || echo -n " Failed"
echo ""
done < "$state"
rm -f "$state"
'';
};
createTunDevice = i: nameValuePair "${i.name}-netdev"
@ -239,6 +246,10 @@ let
ip link set "${i}" master "${n}"
ip link set "${i}" up
'')}
# Save list of enslaved interfaces
echo "${flip concatMapStrings v.interfaces (i: ''
${i}
'')}" > /run/${n}.interfaces
# Enable stp on the interface
${optionalString v.rstp ''
@ -250,7 +261,28 @@ let
postStop = ''
ip link set "${n}" down || true
ip link del "${n}" || true
rm -f /run/${n}.interfaces
'';
reload = ''
# Un-enslave child interfaces (old list of interfaces)
for interface in `cat /run/${n}.interfaces`; do
ip link set "$interface" nomaster up
done
# Enslave child interfaces (new list of interfaces)
${flip concatMapStrings v.interfaces (i: ''
ip link set "${i}" master "${n}"
ip link set "${i}" up
'')}
# Save list of enslaved interfaces
echo "${flip concatMapStrings v.interfaces (i: ''
${i}
'')}" > /run/${n}.interfaces
# (Un-)set stp on the bridge
echo ${if v.rstp then "2" else "0"} > /sys/class/net/${n}/bridge/stp_state
'';
reloadIfChanged = true;
});
createVswitchDevice = n: v: nameValuePair "${n}-netdev"

19
nixos/modules/tasks/network-interfaces-systemd.nix
View File

@ -59,15 +59,16 @@ in
systemd.network =
let
domains = cfg.search ++ (optional (cfg.domain != null) cfg.domain);
genericNetwork = override: {
DHCP = override (dhcpStr cfg.useDHCP);
} // optionalAttrs (cfg.defaultGateway != null) {
gateway = override [ cfg.defaultGateway.address ];
} // optionalAttrs (cfg.defaultGateway6 != null) {
gateway = override [ cfg.defaultGateway6.address ];
} // optionalAttrs (domains != [ ]) {
domains = override domains;
};
genericNetwork = override:
let gateway = optional (cfg.defaultGateway != null) cfg.defaultGateway.address
++ optional (cfg.defaultGateway6 != null) cfg.defaultGateway6.address;
in {
DHCP = override (dhcpStr cfg.useDHCP);
} // optionalAttrs (gateway != [ ]) {
gateway = override gateway;
} // optionalAttrs (domains != [ ]) {
domains = override domains;
};
in mkMerge [ {
enable = true;
networks."99-main" = genericNetwork mkDefault;

6
nixos/modules/virtualisation/amazon-image.nix
View File

@ -15,6 +15,12 @@ let cfg = config.ec2; in
config = {
assertions = [
{ assertion = cfg.hvm;
message = "Paravirtualized EC2 instances are no longer supported.";
}
];
virtualisation.growPartition = cfg.hvm;
fileSystems."/" = {

4
nixos/modules/virtualisation/amazon-options.nix
View File

@ -3,7 +3,7 @@
options = {
ec2 = {
hvm = lib.mkOption {
default = false;
default = lib.versionAtLeast config.system.stateVersion "17.03";
internal = true;
description = ''
Whether the EC2 instance is a HVM instance.
@ -11,6 +11,4 @@
};
};
};
config = {};
}

12
nixos/modules/virtualisation/docker.nix
View File

@ -126,7 +126,17 @@ in
path = [ pkgs.kmod ] ++ (optional (cfg.storageDriver == "zfs") pkgs.zfs);
};
systemd.sockets.docker.socketConfig.ListenStream = cfg.listenOptions;
systemd.sockets.docker = {
description = "Docker Socket for the API";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = cfg.listenOptions;
SocketMode = "0660";
SocketUser = "root";
SocketGroup = "docker";
};
};
}
]);

Some files were not shown because too many files have changed in this diff Show More