Merge branch 'master' into staging-next

Jan Tojnar 2020-03-24 01:51:13 +01:00
commit cbd504c0ae
No known key found for this signature in database
GPG Key ID: 7FAB2A15F7A607A4
909 changed files with 32849 additions and 16087 deletions


@ -235,5 +235,5 @@ package manager uses. To update the expressions run the `generate.sh` script
that is stored in the `pkgs/development/mobile/androidenv/` sub directory:
```bash
sh ./generate.sh
./generate.sh
```


@ -60,9 +60,9 @@ Nix depends on this file, so if it missing you can use `cargoPatches` to apply
it in the `patchPhase`. Consider sending a PR upstream with a note to the
maintainer describing why it's important to include in the application.
Unless `legacyCargoFetcher` is set to `true`, the fetcher will also verify that
the `Cargo.lock` file is in sync with the `src` attribute, and will compress the
vendor directory into a tar.gz archive.
The fetcher will verify that the `Cargo.lock` file is in sync with the `src`
attribute, and fail the build if not. It will also will compress the vendor
directory into a tar.gz archive.
### Building a crate for a different target


@ -93,7 +93,11 @@ rec {
res set._definedNames
else
res;
result = { inherit options config; };
result = {
inherit options;
config = removeAttrs config [ "_module" ];
inherit (config) _module;
};
in result;
# collectModules :: (modulesPath: String) -> (modules: [ Module ]) -> (args: Attrs) -> [ Module ]
@ -410,10 +414,9 @@ rec {
# Type-check the remaining definitions, and merge them. Or throw if no definitions.
mergedValue =
if isDefined then
foldl' (res: def:
if type.check def.value then res
else throw "The option value `${showOption loc}' in `${def.file}' is not of type `${type.description}'."
) (type.merge loc defsFinal) defsFinal
if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
else let firstInvalid = findFirst (def: ! type.check def.value) null defsFinal;
in throw "The option value `${showOption loc}' in `${firstInvalid.file}' is not of type `${type.description}'."
else
# (nixos-option detects this specific error message and gives it special
# handling. If changed here, please change it there too.)


@ -159,7 +159,7 @@ rec {
let ss = opt.type.getSubOptions opt.loc;
in if ss != {} then optionAttrSetToDocList' opt.loc ss else [];
in
[ docOption ] ++ subOptions) (collect isOption options);
[ docOption ] ++ optionals docOption.visible subOptions) (collect isOption options);
/* This function recursively removes all derivation attributes from


@ -26,7 +26,13 @@ let
"riscv32-linux" "riscv64-linux"
"aarch64-none" "avr-none" "arm-none" "i686-none" "x86_64-none" "powerpc-none" "msp430-none" "riscv64-none" "riscv32-none" "vc4-none"
"arm-none" "armv6l-none" "aarch64-none"
"avr-none"
"i686-none" "x86_64-none"
"powerpc-none"
"msp430-none"
"riscv64-none" "riscv32-none"
"vc4-none"
"js-ghcjs"
];


@ -185,6 +185,14 @@ checkConfigError 'The option .* defined in .* does not exist' config.enable ./di
# Check that imports can depend on derivations
checkConfigOutput "true" config.enable ./import-from-store.nix
# Check that configs can be conditional on option existence
checkConfigOutput true config.enable ./define-option-dependently.nix ./declare-enable.nix ./declare-int-positive-value.nix
checkConfigOutput 360 config.value ./define-option-dependently.nix ./declare-enable.nix ./declare-int-positive-value.nix
checkConfigOutput 7 config.value ./define-option-dependently.nix ./declare-int-positive-value.nix
checkConfigOutput true config.set.enable ./define-option-dependently-nested.nix ./declare-enable-nested.nix ./declare-int-positive-value-nested.nix
checkConfigOutput 360 config.set.value ./define-option-dependently-nested.nix ./declare-enable-nested.nix ./declare-int-positive-value-nested.nix
checkConfigOutput 7 config.set.value ./define-option-dependently-nested.nix ./declare-int-positive-value-nested.nix
# Check attrsOf and lazyAttrsOf. Only lazyAttrsOf should be lazy, and only
# attrsOf should work with conditional definitions
# In addition, lazyAttrsOf should honor an options emptyValue
@ -194,6 +202,11 @@ checkConfigOutput "true" config.conditionalWorks ./declare-attrsOf.nix ./attrsOf
checkConfigOutput "false" config.conditionalWorks ./declare-lazyAttrsOf.nix ./attrsOf-conditional-check.nix
checkConfigOutput "empty" config.value.foo ./declare-lazyAttrsOf.nix ./attrsOf-conditional-check.nix
# Even with multiple assignments, a type error should be thrown if any of them aren't valid
checkConfigError 'The option value .* in .* is not of type .*' \
config.value ./declare-int-unsigned-value.nix ./define-value-list.nix ./define-value-int-positive.nix
cat <<EOF
====== module tests ======
$pass Pass


@ -0,0 +1,14 @@
{ lib, ... }:
{
options.set = {
enable = lib.mkOption {
default = false;
example = true;
type = lib.types.bool;
description = ''
Some descriptive text
'';
};
};
}


@ -0,0 +1,9 @@
{ lib, ... }:
{
options.set = {
value = lib.mkOption {
type = lib.types.ints.positive;
};
};
}


@ -0,0 +1,16 @@
{ lib, options, ... }:
# Some modules may be distributed separately and need to adapt to other modules
# that are distributed and versioned separately.
{
# Always defined, but the value depends on the presence of an option.
config.set = {
value = if options ? set.enable then 360 else 7;
}
# Only define if possible.
// lib.optionalAttrs (options ? set.enable) {
enable = true;
};
}


@ -0,0 +1,16 @@
{ lib, options, ... }:
# Some modules may be distributed separately and need to adapt to other modules
# that are distributed and versioned separately.
{
# Always defined, but the value depends on the presence of an option.
config = {
value = if options ? enable then 360 else 7;
}
# Only define if possible.
// lib.optionalAttrs (options ? enable) {
enable = true;
};
}


@ -14,7 +14,7 @@ let
in with lib.systems.doubles; lib.runTests {
testall = mseteq all (linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos ++ wasi ++ windows ++ embedded ++ js);
testarm = mseteq arm [ "armv5tel-linux" "armv6l-linux" "armv7a-linux" "armv7l-linux" "arm-none" "armv7a-darwin" ];
testarm = mseteq arm [ "armv5tel-linux" "armv6l-linux" "armv6l-none" "armv7a-linux" "armv7l-linux" "arm-none" "armv7a-darwin" ];
testi686 = mseteq i686 [ "i686-linux" "i686-freebsd" "i686-netbsd" "i686-openbsd" "i686-cygwin" "i686-windows" "i686-none" "i686-darwin" ];
testmips = mseteq mips [ "mipsel-linux" ];
testx86_64 = mseteq x86_64 [ "x86_64-linux" "x86_64-darwin" "x86_64-freebsd" "x86_64-openbsd" "x86_64-netbsd" "x86_64-cygwin" "x86_64-solaris" "x86_64-windows" "x86_64-none" ];


@ -711,6 +711,12 @@
githubId = 55833;
name = "Troels Henriksen";
};
atkinschang = {
email = "atkinschang+nixpkgs@gmail.com";
github = "AtkinsChang";
githubId = 5193600;
name = "Atkins Chang";
};
atnnn = {
email = "etienne@atnnn.com";
github = "atnnn";
@ -1919,6 +1925,12 @@
githubId = 126339;
name = "Domen Kozar";
};
dominikh = {
email = "dominik@honnef.co";
github = "dominikh";
githubId = 39825;
name = "Dominik Honnef";
};
doronbehar = {
email = "me@doronbehar.com";
github = "doronbehar";
@ -2748,6 +2760,12 @@
githubId = 3217744;
name = "Peter Ferenczy";
};
gila = {
email = "jeffry.molanus@gmail.com";
github = "gila";
githubId = 15957973;
name = "Jeffry Molanus";
};
gilligan = {
email = "tobias.pflug@gmail.com";
github = "gilligan";
@ -3713,6 +3731,16 @@
githubId = 66669;
name = "Jeff Zellner";
};
kaction = {
name = "Dmitry Bogatov";
email = "KAction@disroot.org";
github = "kaction";
githubId = 44864956;
key = [{
longkeyid = "ed25519/0x749FD4DFA2E94236";
fingerprint = "3F87 0A7C A7B4 3731 2F13 6083 749F D4DF A2E9 4236";
}];
};
kaiha = {
email = "kai.harries@gmail.com";
github = "kaiha";
@ -3746,6 +3774,12 @@
github = "kampfschlaefer";
name = "Arnold Krille";
};
karantan = {
name = "Gasper Vozel";
email = "karantan@gmail.com";
github = "karantan";
githubId = 7062631;
};
karolchmist = {
email = "info+nix@chmist.com";
name = "karolchmist";
@ -3914,6 +3948,11 @@
githubId = 13721712;
name = "Konrad Langenberg";
};
kolbycrouch = {
email = "kjc.devel@gmail.com";
github = "kolbycrouch";
name = "Kolby Crouch";
};
konimex = {
email = "herdiansyah@netc.eu";
github = "konimex";
@ -4132,6 +4171,12 @@
github = "leonardoce";
name = "Leonardo Cecchi";
};
leshainc = {
email = "leshainc@fomalhaut.me";
github = "LeshaInc";
githubId = 42153076;
name = "Alexey Nikashkin";
};
lethalman = {
email = "lucabru@src.gnome.org";
github = "lethalman";
@ -4144,6 +4189,16 @@
githubId = 3425311;
name = "Antoine Eiche";
};
lexuge = {
name = "Harry Ying";
email = "lexugeyky@outlook.com";
github = "LEXUGE";
githubId = 13804737;
keys = [{
longkeyid = "rsa4096/0xAE53B4C2E58EDD45";
fingerprint = "7FE2 113A A08B 695A C8B8 DDE6 AE53 B4C2 E58E DD45";
}];
};
lheckemann = {
email = "git@sphalerite.org";
github = "lheckemann";
@ -4587,6 +4642,12 @@
githubId = 1269099;
name = "Marius Bakke";
};
mbaillie = {
email = "martin@baillie.email";
github = "martinbaillie";
githubId = 613740;
name = "Martin Baillie";
};
mbbx6spp = {
email = "me@susanpotter.net";
github = "mbbx6spp";
@ -4791,6 +4852,12 @@
githubId = 3958340;
name = "Eshin Kunishima";
};
mikesperber = {
email = "sperber@deinprogramm.de";
github = "mikesperber";
githubId = 1387206;
name = "Mike Sperber";
};
mildlyincompetent = {
email = "nix@kch.dev";
github = "mildlyincompetent";
@ -6169,6 +6236,12 @@
githubId = 2507744;
name = "Roland Koebler";
};
rkrzr = {
email = "ops+nixpkgs@channable.com";
github = "rkrzr";
githubId = 82817;
name = "Robert Kreuzer";
};
rlupton20 = {
email = "richard.lupton@gmail.com";
github = "rlupton20";
@ -7245,6 +7318,12 @@
githubId = 8547242;
name = "Stefan Rohrbacher";
};
"thelegy" = {
email = "mail+nixos@0jb.de";
github = "thelegy";
githubId = 3105057;
name = "Jan Beinke";
};
thesola10 = {
email = "thesola10@bobile.fr";
github = "thesola10";
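Review bot: The `kaction` entry spells the attribute `key = [{ … }];`, whereas the `lexuge` entry added in the same file uses `keys = [{ … }];`. One of the two is presumably not what the maintainer-list schema reads, so that PGP fingerprint would be ignored by anything consuming it. Make `kaction` use `keys = [{` to match. `kolbycrouch` is also added without a `githubId`, unlike the other new entries, and the quotes around `"thelegy"` are unnecessary.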


@ -6,6 +6,7 @@ use warnings;
use CPAN::Meta();
use CPANPLUS::Backend();
use Module::CoreList;
use Getopt::Long::Descriptive qw( describe_options );
use JSON::PP qw( encode_json );
use Log::Log4perl qw(:easy);
@ -164,7 +165,7 @@ Readonly::Hash my %LICENSE_MAP => (
# License not provided in metadata.
unknown => {
licenses => [qw( unknown )],
licenses => [],
amb => 1
}
);
@ -278,14 +279,8 @@ sub get_deps {
foreach my $n ( $deps->required_modules ) {
next if $n eq "perl";
# Figure out whether the module is a core module by attempting
# to `use` the module in a pure Perl interpreter and checking
# whether it succeeded. Note, $^X is a magic variable holding
# the path to the running Perl interpreter.
if ( system("env -i $^X -M$n -e1 >/dev/null 2>&1") == 0 ) {
DEBUG("skipping Perl-builtin module $n");
next;
}
my @core = Module::CoreList->find_modules(qr/^$n$/);
next if (@core);
my $pkg = module_to_pkg( $cb, $n );
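Review bot: `Module::CoreList->find_modules(qr/^$n$/)` is called without a Perl version list, and in that form Module::CoreList searches every release it knows about, so a module that was later dropped from core would still be skipped here and silently left out of the generated dependencies. The module name (presumably taken from distribution metadata) is also interpolated into the pattern unquoted. Checking against the running interpreter avoids both: `next if Module::CoreList::is_core($n);`, or at least `qr/^\Q$n\E$/` with `$]` passed as the version. The `DEBUG("skipping Perl-builtin module $n")` line went away with the old shell-based check and is worth keeping next to the new one. The body of get_deps continues outside the hunk.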


@ -21,4 +21,13 @@ with lib.maintainers; {
members = [ jtojnar worldofpeace ];
scope = "Maintain Freedesktop.org packages for graphical desktop.";
};
gnome = {
members = [
hedning
jtojnar
worldofpeace
];
scope = "Maintain GNOME desktop environment and platform.";
};
}


@ -21,7 +21,6 @@
<xi:include href="xfce.xml" />
<xi:include href="networking.xml" />
<xi:include href="linux-kernel.xml" />
<xi:include href="matrix.xml" />
<xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />
<xi:include href="profiles.xml" />
<xi:include href="kubernetes.xml" />


@ -196,10 +196,10 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
</listitem>
<listitem>
<para>
There is now only one Xfce package-set and module. This means attributes, <literal>xfce4-14</literal>
<literal>xfce4-12</literal>, and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
packages. And in future NixOS releases will be the latest released version of Xfce available at the
time during the releases development (if viable).
There is now only one Xfce package-set and module. This means that attributes <literal>xfce4-14</literal>
and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
packages. And in the future NixOS releases will be the latest released version of Xfce available at the
time of the release's development (if viable).
</para>
</listitem>
<listitem>
@ -235,7 +235,7 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
<listitem>
<para>
The <literal>buildRustCrate</literal> infrastructure now produces <literal>lib</literal> outputs in addition to the <literal>out</literal> output.
This has led to drastically reduced closed sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
</para>
</listitem>
<listitem>
@ -641,6 +641,13 @@ auth required pam_succeed_if.so uid >= 1000 quiet
The previous behavior can be restored by setting <literal>config.riot-web.conf = { disable_guests = false; piwik = true; }</literal>.
</para>
</listitem>
<listitem>
<para>
Stand-alone usage of <literal>Upower</literal> now requires
<option>services.upower.enable</option> instead of just installing into
<xref linkend="opt-environment.systemPackages"/>.
</para>
</listitem>
</itemizedlist>
</section>
@ -712,6 +719,63 @@ auth required pam_succeed_if.so uid >= 1000 quiet
For further reference, please read <link xlink:href="https://github.com/NixOS/nixpkgs/pull/68953">#68953</link> or the corresponding <link xlink:href="https://discourse.nixos.org/t/predictable-network-interface-names-in-initrd/4055">discourse thread</link>.
</para>
</listitem>
<listitem>
<para>
The <package>matrix-synapse</package>-package has been updated to
<link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.11.1">v1.11.1</link>.
Due to <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.10.0rc1">stricter requirements</link>
for database configuration when using <package>postgresql</package>, the automated database setup
of the module has been removed to avoid any further edge-cases.
</para>
<para>
<package>matrix-synapse</package> expects <literal>postgresql</literal>-databases to have the options
<literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> set to
<link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link> which basically
instructs <literal>postgresql</literal> to ignore any locale-based preferences.
</para>
<para>
Depending on your setup, you need to incorporate one of the following changes in your setup to
upgrade to 20.03:
<itemizedlist>
<listitem><para>If you use <literal>sqlite3</literal> you don't need to do anything.</para></listitem>
<listitem><para>If you use <literal>postgresql</literal> on a different server, you don't need
to change anything as well since this module was never designed to configure remote databases.
</para></listitem>
<listitem><para>If you use <literal>postgresql</literal> and configured your synapse initially on
<literal>19.09</literal> or older, you simply need to enable <package>postgresql</package>-support
explicitly:
<programlisting>{ ... }: {
services.matrix-synapse = {
<link linkend="opt-services.matrix-synapse.enable">enable</link> = true;
/* and all the other config you've defined here */
};
<link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true;
}</programlisting>
</para></listitem>
<listitem><para>If you deploy a fresh <package>matrix-synapse</package>, you need to configure
the database yourself (e.g. by using the
<link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link>
option). An example for this can be found in the
<link linkend="module-services-matrix">documentation of the Matrix module</link>.
</para></listitem>
<listitem><para>If you initially deployed your <package>matrix-synapse</package> on
<literal>nixos-unstable</literal> <emphasis>after</emphasis> the <literal>19.09</literal>-release,
your database is misconfigured due to a regression in NixOS. For now, <package>matrix-synapse</package> will
startup with a warning, but it's recommended to reconfigure the database to set the values
<literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> to
<link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link>.
</para></listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
The <link linkend="opt-systemd.network.links">systemd.network.links</link> option is now respected
even when <link linkend="opt-systemd.network.enable">systemd-networkd</link> is disabled.
This mirrors the behaviour of systemd - It's udev that parses <literal>.link</literal> files,
not <command>systemd-networkd</command>.
</para>
</listitem>
</itemizedlist>
</section>
</section>


@ -28,6 +28,15 @@
PHP now defaults to PHP 7.4, updated from 7.3.
</para>
</listitem>
<listitem>
<para>
Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have
been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal>
in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should
make use of these new options instead.
</para>
</listitem>
</itemizedlist>
</section>
@ -77,6 +86,28 @@
}</programlisting>
</para>
</listitem>
<listitem>
<para>
The <link linkend="opt-services.supybot.enable">supybot</link> module now uses <literal>/var/lib/supybot</literal>
as its default <link linkend="opt-services.supybot.stateDir">stateDir</link> path if <literal>stateVersion</literal>
is 20.09 or higher. It also enables number of
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd sandboxing options</link>
which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in
<option>systemd.services.supybot.serviceConfig</option>.
</para>
</listitem>
<listitem>
<para>
The <literal>security.duosec.skey</literal> option, which stored a secret in the
nix store, has been replaced by a new
<link linkend="opt-security.duosec.secretKeyFile">security.duosec.secretKeyFile</link>
option for better security.
</para>
<para>
<literal>security.duosec.ikey</literal> has been renamed to
<link linkend="opt-security.duosec.integrationKey">security.duosec.integrationKey</link>.
</para>
</listitem>
</itemizedlist>
</section>


@ -61,7 +61,7 @@ in rec {
args = extraArgs;
specialArgs =
{ modulesPath = builtins.toString ../modules; } // specialArgs;
}) config options;
}) config options _module;
# These are the extra arguments passed to every module. In
# particular, Nixpkgs is passed through the "pkgs" argument.
@ -69,5 +69,5 @@ in rec {
inherit baseModules extraModules modules;
};
inherit (config._module.args) pkgs;
inherit (_module.args) pkgs;
}


@ -8,10 +8,15 @@ in {
imports = [ ../../../modules/virtualisation/amazon-image.nix ];
# Required to provide good EBS experience,
# Amazon recomments setting this to the highest possible value for a good EBS
# experience, which prior to 4.15 was 255.
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html#timeout-nvme-ebs-volumes
# TODO change value to 4294967295 when kernel is updated to 4.15 or later
config.boot.kernelParams = [ "nvme_core.io_timeout=255" ];
config.boot.kernelParams =
let timeout =
if pkgs.lib.versionAtLeast config.boot.kernelPackages.kernel.version "4.15"
then "4294967295"
else "255";
in [ "nvme_core.io_timeout=${timeout}" ];
options.amazonImage = {
name = mkOption {


@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
with lib;
{
options.hardware.wooting.enable =
mkEnableOption "Enable support for Wooting keyboards";
config = mkIf config.hardware.wooting.enable {
environment.systemPackages = [ pkgs.wootility ];
services.udev.packages = [ pkgs.wooting-udev-rules ];
};
}
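Review bot: `mkEnableOption` already prefixes its argument with "Whether to enable", so `mkEnableOption "Enable support for Wooting keyboards"` renders as "Whether to enable Enable support for Wooting keyboards" in the manual. `mkEnableOption "support for Wooting keyboards"` reads correctly. The new module also declares no `meta.maintainers`.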


@ -42,7 +42,10 @@ let
inherit (config.system.nixos-generate-config) configuration;
};
nixos-option = pkgs.callPackage ./nixos-option { };
nixos-option =
if lib.versionAtLeast (lib.getVersion pkgs.nix) "2.4pre"
then null
else pkgs.callPackage ./nixos-option { };
nixos-version = makeProg {
name = "nixos-version";
@ -184,10 +187,9 @@ in
nixos-install
nixos-rebuild
nixos-generate-config
nixos-option
nixos-version
nixos-enter
];
] ++ lib.optional (nixos-option != null) nixos-option;
system.build = {
inherit nixos-install nixos-generate-config nixos-option nixos-rebuild nixos-enter;
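Review bot: `nixos-option` can now be `null`, but the `system.build` set at the end of the second hunk still does `inherit … nixos-option …`, so `system.build.nixos-option` becomes `null` when Nix is 2.4pre or later while only the `environment.systemPackages` list is guarded. Anything that builds or references `config.system.build.nixos-option` would then hit a confusing error far from its cause. Either omit the attribute in that case, e.g. `// lib.optionalAttrs (nixos-option != null) { inherit nixos-option; }`, or make the binding throw a descriptive message. The `if lib.versionAtLeast …` binding would also benefit from a comment stating why the tool is disabled for newer Nix, since the hunk gives no reason.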


@ -17,6 +17,7 @@ let
inherit pkgs config;
version = config.system.nixos.release;
revision = "release-${version}";
extraSources = cfg.nixos.extraModuleSources;
options =
let
scrubbedEval = evalModules {
@ -163,6 +164,19 @@ in
'';
};
nixos.extraModuleSources = mkOption {
type = types.listOf (types.either types.path types.str);
default = [ ];
description = ''
Which extra NixOS module paths the generated NixOS's documentation should strip
from options.
'';
example = literalExample ''
# e.g. with options from modules in ''${pkgs.customModules}/nix:
[ pkgs.customModules ]
'';
};
};
};


@ -236,8 +236,8 @@ in
let
nixosExpectedSystem =
if config.nixpkgs.crossSystem != null
then config.nixpkgs.crossSystem.system
else config.nixpkgs.localSystem.system;
then config.nixpkgs.crossSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.crossSystem.config))
else config.nixpkgs.localSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.localSystem.config));
nixosOption =
if config.nixpkgs.crossSystem != null
then "nixpkgs.crossSystem"


@ -64,6 +64,7 @@
./hardware/tuxedo-keyboard.nix
./hardware/usb-wwan.nix
./hardware/onlykey.nix
./hardware/wooting.nix
./hardware/video/amdgpu.nix
./hardware/video/amdgpu-pro.nix
./hardware/video/ati.nix
@ -200,6 +201,7 @@
./security/wrappers/default.nix
./security/sudo.nix
./security/systemd-confinement.nix
./security/tpm2.nix
./services/admin/oxidized.nix
./services/admin/salt/master.nix
./services/admin/salt/minion.nix
@ -247,9 +249,10 @@
./services/cluster/kubernetes/proxy.nix
./services/cluster/kubernetes/scheduler.nix
./services/computing/boinc/client.nix
./services/computing/torque/server.nix
./services/computing/torque/mom.nix
./services/computing/foldingathome/client.nix
./services/computing/slurm/slurm.nix
./services/computing/torque/mom.nix
./services/computing/torque/server.nix
./services/continuous-integration/buildbot/master.nix
./services/continuous-integration/buildbot/worker.nix
./services/continuous-integration/buildkite-agents.nix
@ -432,7 +435,6 @@
./services/misc/ethminer.nix
./services/misc/exhibitor.nix
./services/misc/felix.nix
./services/misc/folding-at-home.nix
./services/misc/freeswitch.nix
./services/misc/fstrim.nix
./services/misc/gammu-smsd.nix
@ -709,6 +711,7 @@
./services/networking/shorewall6.nix
./services/networking/shout.nix
./services/networking/sniproxy.nix
./services/networking/smartdns.nix
./services/networking/smokeping.nix
./services/networking/softether.nix
./services/networking/spacecookie.nix
@ -726,6 +729,7 @@
./services/networking/syncthing.nix
./services/networking/syncthing-relay.nix
./services/networking/syncplay.nix
./services/networking/tailscale.nix
./services/networking/tcpcrypt.nix
./services/networking/teamspeak3.nix
./services/networking/tedicross.nix


@ -14,8 +14,16 @@ in
{
imports = [
(mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ])
(mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "directDelivery" ] [ "services" "ssmtp" "enable" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "hostName" ] [ "services" "ssmtp" "hostName" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "domain" ] [ "services" "ssmtp" "domain" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "root" ] [ "services" "ssmtp" "root" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "useTLS" ] [ "services" "ssmtp" "useTLS" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "useSTARTTLS" ] [ "services" "ssmtp" "useSTARTTLS" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "authUser" ] [ "services" "ssmtp" "authUser" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "authPass" ] [ "services" "ssmtp" "authPass" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "authPassFile" ] [ "services" "ssmtp" "authPassFile" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "setSendmail" ] [ "services" "ssmtp" "setSendmail" ])
];
options = {


@ -9,8 +9,7 @@ let
configFilePam = ''
[duo]
ikey=${cfg.ikey}
skey=${cfg.skey}
ikey=${cfg.integrationKey}
host=${cfg.host}
${optionalString (cfg.groups != "") ("groups="+cfg.groups)}
failmode=${cfg.failmode}
@ -24,26 +23,12 @@ let
motd=${boolToStr cfg.motd}
accept_env_factor=${boolToStr cfg.acceptEnvFactor}
'';
loginCfgFile = optionalAttrs cfg.ssh.enable {
"duo/login_duo.conf" =
{ source = pkgs.writeText "login_duo.conf" configFileLogin;
mode = "0600";
user = "sshd";
};
};
pamCfgFile = optional cfg.pam.enable {
"duo/pam_duo.conf" =
{ source = pkgs.writeText "pam_duo.conf" configFilePam;
mode = "0600";
user = "sshd";
};
};
in
{
imports = [
(mkRenamedOptionModule [ "security" "duosec" "group" ] [ "security" "duosec" "groups" ])
(mkRenamedOptionModule [ "security" "duosec" "ikey" ] [ "security" "duosec" "integrationKey" ])
(mkRemovedOptionModule [ "security" "duosec" "skey" ] "The insecure security.duosec.skey option has been replaced by a new security.duosec.secretKeyFile option. Use this new option to store a secure copy of your key instead.")
];
options = {
@ -60,14 +45,18 @@ in
description = "If enabled, protect logins with Duo Security using PAM support.";
};
ikey = mkOption {
integrationKey = mkOption {
type = types.str;
description = "Integration key.";
};
skey = mkOption {
type = types.str;
description = "Secret key.";
secretKeyFile = mkOption {
type = types.path;
default = null;
description = ''
A file containing your secret key. The security of your Duo application is tied to the security of your secret key.
'';
example = "/run/keys/duo-skey";
};
host = mkOption {
@ -195,21 +184,52 @@ in
};
config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
environment.systemPackages = [ pkgs.duo-unix ];
environment.systemPackages = [ pkgs.duo-unix ];
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
environment.etc = loginCfgFile // pamCfgFile;
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
/* If PAM *and* SSH are enabled, then don't do anything special.
If PAM isn't used, set the default SSH-only options. */
services.openssh.extraConfig = mkIf (cfg.ssh.enable || cfg.pam.enable) (
if cfg.pam.enable then "UseDNS no" else ''
# Duo Security configuration
ForceCommand ${config.security.wrapperDir}/login_duo
PermitTunnel no
${optionalString (!cfg.allowTcpForwarding) ''
AllowTcpForwarding no
''}
'');
system.activationScripts = {
login_duo = mkIf cfg.ssh.enable ''
if test -f "${cfg.secretKeyFile}"; then
mkdir -m 0755 -p /etc/duo
umask 0077
conf="$(mktemp)"
{
cat ${pkgs.writeText "login_duo.conf" configFileLogin}
printf 'skey = %s\n' "$(cat ${cfg.secretKeyFile})"
} >"$conf"
chown sshd "$conf"
mv -fT "$conf" /etc/duo/login_duo.conf
fi
'';
pam_duo = mkIf cfg.pam.enable ''
if test -f "${cfg.secretKeyFile}"; then
mkdir -m 0755 -p /etc/duo
umask 0077
conf="$(mktemp)"
{
cat ${pkgs.writeText "login_duo.conf" configFilePam}
printf 'skey = %s\n' "$(cat ${cfg.secretKeyFile})"
} >"$conf"
mv -fT "$conf" /etc/duo/pam_duo.conf
fi
'';
};
/* If PAM *and* SSH are enabled, then don't do anything special.
If PAM isn't used, set the default SSH-only options. */
services.openssh.extraConfig = mkIf (cfg.ssh.enable || cfg.pam.enable) (
if cfg.pam.enable then "UseDNS no" else ''
# Duo Security configuration
ForceCommand ${config.security.wrapperDir}/login_duo
PermitTunnel no
${optionalString (!cfg.allowTcpForwarding) ''
AllowTcpForwarding no
''}
'');
};
}
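Review bot: `secretKeyFile` is declared as `types.path` with `default = null`, and both parts undercut the point of moving the secret out of the store. `types.path` accepts a Nix path literal, and the `"${cfg.secretKeyFile}"` interpolation in the activation scripts would then copy the key file into the world-readable store; `null` is not a valid `types.path` value, so an unset option fails with a type error instead of a clear message. I would use `type = types.str;` with no default and state in the description that the value must be a path string outside the store. Separately, `test -f` makes both scripts skip silently when the file is absent, leaving any older `/etc/duo/*.conf` in place, and `umask 0077` is never restored, so it presumably leaks into later activation snippets. Running the block in a subshell `( umask 0077; … )` and printing a warning in an `else` branch would cover both; the `pam_duo` script also reuses the store name `"login_duo.conf"` for the PAM config.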


@ -59,10 +59,8 @@ in
exec ${package}/bin/google_authorized_keys "$@"
'';
};
services.openssh.extraConfig = ''
AuthorizedKeysCommand /etc/ssh/authorized_keys_command_google_oslogin %u
AuthorizedKeysCommandUser nobody
'';
services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command_google_oslogin %u";
services.openssh.authorizedKeysCommandUser = "nobody";
};
}


@ -0,0 +1,185 @@
{ lib, pkgs, config, ... }:
let
cfg = config.security.tpm2;
# This snippet is taken from tpm2-tss/dist/tpm-udev.rules, but modified to allow custom user/groups
# The idea is that the tssUser is allowed to acess the TPM and kernel TPM resource manager, while
# the tssGroup is only allowed to access the kernel resource manager
# Therefore, if either of the two are null, the respective part isn't generated
udevRules = tssUser: tssGroup: ''
${lib.optionalString (tssUser != null) ''KERNEL=="tpm[0-9]*", MODE="0660", OWNER="${tssUser}"''}
${lib.optionalString (tssUser != null || tssGroup != null)
''KERNEL=="tpmrm[0-9]*", MODE="0660"''
+ lib.optionalString (tssUser != null) '', OWNER="${tssUser}"''
+ lib.optionalString (tssGroup != null) '', GROUP="${tssGroup}"''
}
'';
in {
options.security.tpm2 = {
enable = lib.mkEnableOption "Trusted Platform Module 2 support";
tssUser = lib.mkOption {
description = ''
Name of the tpm device-owner and service user, set if applyUdevRules is
set.
'';
type = lib.types.nullOr lib.types.str;
default = if cfg.abrmd.enable then "tss" else "root";
defaultText = ''"tss" when using the userspace resource manager,'' +
''"root" otherwise'';
};
tssGroup = lib.mkOption {
description = ''
Group of the tpm kernel resource manager (tpmrm) device-group, set if
applyUdevRules is set.
'';
type = lib.types.nullOr lib.types.str;
default = "tss";
};
applyUdevRules = lib.mkOption {
description = ''
Whether to make the /dev/tpm[0-9] devices accessible by the tssUser, or
the /dev/tpmrm[0-9] by tssGroup respectively
'';
type = lib.types.bool;
default = true;
};
abrmd = {
enable = lib.mkEnableOption ''
Trusted Platform 2 userspace resource manager daemon
'';
package = lib.mkOption {
description = "tpm2-abrmd package to use";
type = lib.types.package;
default = pkgs.tpm2-abrmd;
defaultText = "pkgs.tpm2-abrmd";
};
};
pkcs11 = {
enable = lib.mkEnableOption ''
TPM2 PKCS#11 tool and shared library in system path
(<literal>/run/current-system/sw/lib/libtpm2_pkcs11.so</literal>)
'';
package = lib.mkOption {
description = "tpm2-pkcs11 package to use";
type = lib.types.package;
default = pkgs.tpm2-pkcs11;
defaultText = "pkgs.tpm2-pkcs11";
};
};
tctiEnvironment = {
enable = lib.mkOption {
description = ''
Set common TCTI environment variables to the specified value.
The variables are
<itemizedlist>
<listitem>
<para>
<literal>TPM2TOOLS_TCTI</literal>
</para>
</listitem>
<listitem>
<para>
<literal>TPM2_PKCS11_TCTI</literal>
</para>
</listitem>
</itemizedlist>
'';
type = lib.types.bool;
default = false;
};
interface = lib.mkOption {
description = ''
The name of the TPM command transmission interface (TCTI) library to
use.
'';
type = lib.types.enum [ "tabrmd" "device" ];
default = "device";
};
deviceConf = lib.mkOption {
description = ''
Configuration part of the device TCTI, e.g. the path to the TPM device.
Applies if interface is set to "device".
The format is specified in the
<link xlink:href="https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md#tcti-options">
tpm2-tools repository</link>.
'';
type = lib.types.str;
default = "/dev/tpmrm0";
};
tabrmdConf = lib.mkOption {
description = ''
Configuration part of the tabrmd TCTI, like the D-Bus bus name.
Applies if interface is set to "tabrmd".
The format is specified in the
<link xlink:href="https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md#tcti-options">
tpm2-tools repository</link>.
'';
type = lib.types.str;
default = "bus_name=com.intel.tss2.Tabrmd";
};
};
};
config = lib.mkIf cfg.enable (lib.mkMerge [
{
# PKCS11 tools and library
environment.systemPackages = lib.mkIf cfg.pkcs11.enable [
(lib.getBin cfg.pkcs11.package)
(lib.getLib cfg.pkcs11.package)
];
services.udev.extraRules = lib.mkIf cfg.applyUdevRules
(udevRules cfg.tssUser cfg.tssGroup);
# Create the tss user and group only if the default value is used
users.users.${cfg.tssUser} = lib.mkIf (cfg.tssUser == "tss") {
isSystemUser = true;
};
users.groups.${cfg.tssGroup} = lib.mkIf (cfg.tssGroup == "tss") {};
environment.variables = lib.mkIf cfg.tctiEnvironment.enable (
lib.attrsets.genAttrs [
"TPM2TOOLS_TCTI"
"TPM2_PKCS11_TCTI"
] (_: ''${cfg.tctiEnvironment.interface}:${
if cfg.tctiEnvironment.interface == "tabrmd" then
cfg.tctiEnvironment.tabrmdConf
else
cfg.tctiEnvironment.deviceConf
}'')
);
}
(lib.mkIf cfg.abrmd.enable {
systemd.services."tpm2-abrmd" = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "dbus";
Restart = "always";
RestartSec = 30;
BusName = "com.intel.tss2.Tabrmd";
StandardOutput = "syslog";
ExecStart = "${cfg.abrmd.package}/bin/tpm2-abrmd";
User = "tss";
Group = "nogroup";
};
};
services.dbus.packages = lib.singleton cfg.abrmd.package;
})
]);
meta.maintainers = with lib.maintainers; [ lschuermann ];
}


@ -0,0 +1,81 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.foldingathome;
args =
["--team" "${toString cfg.team}"]
++ lib.optionals (cfg.user != null) ["--user" cfg.user]
++ cfg.extraArgs
;
in
{
imports = [
(mkRenamedOptionModule [ "services" "foldingAtHome" ] [ "services" "foldingathome" ])
(mkRenamedOptionModule [ "services" "foldingathome" "nickname" ] [ "services" "foldingathome" "user" ])
(mkRemovedOptionModule [ "services" "foldingathome" "config" ] ''
Use <literal>services.foldingathome.extraArgs instead<literal>
'')
];
options.services.foldingathome = {
enable = mkEnableOption "Enable the Folding@home client";
package = mkOption {
type = types.package;
default = pkgs.fahclient;
defaultText = "pkgs.fahclient";
description = ''
Which Folding@home client to use.
'';
};
user = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The user associated with the reported computation results. This will
be used in the ranking statistics.
'';
};
team = mkOption {
type = types.int;
default = 236565;
description = ''
The team ID associated with the reported computation results. This
will be used in the ranking statistics.
By default, use the NixOS folding@home team ID is being used.
'';
};
extraArgs = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Extra startup options for the FAHClient. Run
<literal>FAHClient --help</literal> to find all the available options.
'';
};
};
config = mkIf cfg.enable {
systemd.services.foldingathome = {
description = "Folding@home client";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = ''
exec ${cfg.package}/bin/FAHClient ${lib.escapeShellArgs args}
'';
serviceConfig = {
DynamicUser = true;
StateDirectory = "foldingathome";
WorkingDirectory = "%S/foldingathome";
};
};
};
meta = {
maintainers = with lib.maintainers; [ zimbatm ];
};
}
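Review bot: The removal message for `services.foldingathome.config` has broken markup: the second tag is another opening `<literal>` and the word "instead" sits inside it, so the hint shown to users is malformed. `Use <literal>services.foldingathome.extraArgs</literal> instead.` reads correctly. `mkEnableOption "Enable the Folding@home client"` also produces a doubled "enable" in the generated description, because mkEnableOption already prepends "Whether to enable"; `mkEnableOption "the Folding@home client"` avoids it. The last sentence of the `team` description ("use the NixOS folding@home team ID is being used") needs the same kind of wording fix.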


@ -10,16 +10,8 @@ let
isMariaDB = lib.getName mysql == lib.getName pkgs.mariadb;
isMysqlAtLeast57 =
(lib.getName mysql == lib.getName pkgs.mysql57)
&& (builtins.compareVersions mysql.version "5.7" >= 0);
mysqldOptions =
"--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}";
# For MySQL 5.7+, --insecure creates the root user without password
# (earlier versions and MariaDB do this by default).
installOptions =
"${mysqldOptions} ${lib.optionalString isMysqlAtLeast57 "--insecure"}";
settingsFile = pkgs.writeText "my.cnf" (
generators.toINI { listsAsDuplicateKeys = true; } cfg.settings +
@ -366,9 +358,14 @@ in
pkgs.nettools
];
preStart = ''
preStart = if isMariaDB then ''
if ! test -e ${cfg.dataDir}/mysql; then
${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${installOptions}
${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${mysqldOptions}
touch /tmp/mysql_init
fi
'' else ''
if ! test -e ${cfg.dataDir}/mysql; then
${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} --initialize-insecure
touch /tmp/mysql_init
fi
'';
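Review bot: The non-MariaDB branch of `preStart` initialises the data directory with `--initialize-insecure`, but the comment explaining the consequence was deleted together with `installOptions` in the first hunk. A comment above the `mysqld` call would keep it visible, for example `# --initialize-insecure creates the root account without a password (mysql_install_db does the same for MariaDB)`. The `/tmp/mysql_init` marker is a fixed name in a shared directory. Unless the unit sets `PrivateTmp`, which is not visible in this hunk, a path under the service's own state or runtime directory would be safer against interference from other local users.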


@ -1,67 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
stateDir = "/var/lib/foldingathome";
cfg = config.services.foldingAtHome;
fahUser = "foldingathome";
in {
###### interface
options = {
services.foldingAtHome = {
enable = mkOption {
default = false;
description = ''
Whether to enable the Folding@Home to use idle CPU time.
'';
};
nickname = mkOption {
default = "Anonymous";
description = ''
A unique handle for statistics.
'';
};
config = mkOption {
default = "";
description = ''
Extra configuration. Contents will be added verbatim to the
configuration file.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
users.users.${fahUser} =
{ uid = config.ids.uids.foldingathome;
description = "Folding@Home user";
home = stateDir;
};
systemd.services.foldingathome = {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -m 0755 -p ${stateDir}
chown ${fahUser} ${stateDir}
cp -f ${pkgs.writeText "client.cfg" cfg.config} ${stateDir}/client.cfg
'';
script = "${pkgs.su}/bin/su -s ${pkgs.runtimeShell} ${fahUser} -c 'cd ${stateDir}; ${pkgs.foldingathome}/bin/fah6'";
};
services.foldingAtHome.config = ''
[settings]
username=${cfg.nickname}
'';
};
}


@ -111,6 +111,9 @@ app_service_config_files: ${builtins.toJSON cfg.app_service_config_files}
${cfg.extraConfig}
'';
hasLocalPostgresDB = let args = cfg.database_args; in
usePostgresql && (!(args ? host) || (elem args.host [ "localhost" "127.0.0.1" "::1" ]));
in {
options = {
services.matrix-synapse = {
@ -354,13 +357,6 @@ in {
The database engine name. Can be sqlite or psycopg2.
'';
};
create_local_database = mkOption {
type = types.bool;
default = true;
description = ''
Whether to create a local database automatically.
'';
};
database_name = mkOption {
type = types.str;
default = "matrix-synapse";
@ -657,6 +653,25 @@ in {
};
config = mkIf cfg.enable {
assertions = [
{ assertion = hasLocalPostgresDB -> config.services.postgresql.enable;
message = ''
Cannot deploy matrix-synapse with a configuration for a local postgresql database
and a missing postgresql service. Since 20.03 it's mandatory to manually configure the
database (please read the thread in https://github.com/NixOS/nixpkgs/pull/80447 for
further reference).
If you
- try to deploy a fresh synapse, you need to configure the database yourself. An example
for this can be found in <nixpkgs/nixos/tests/matrix-synapse.nix>
- update your existing matrix-synapse instance, you simply need to add `services.postgresql.enable = true`
to your configuration.
For further information about this update, please read the release-notes of 20.03 carefully.
'';
}
];
users.users.matrix-synapse = {
group = "matrix-synapse";
home = cfg.dataDir;
@ -669,18 +684,9 @@ in {
gid = config.ids.gids.matrix-synapse;
};
services.postgresql = mkIf (usePostgresql && cfg.create_local_database) {
enable = mkDefault true;
ensureDatabases = [ cfg.database_name ];
ensureUsers = [{
name = cfg.database_user;
ensurePermissions = { "DATABASE \"${cfg.database_name}\"" = "ALL PRIVILEGES"; };
}];
};
systemd.services.matrix-synapse = {
description = "Synapse Matrix homeserver";
after = [ "network.target" ] ++ lib.optional config.services.postgresql.enable "postgresql.service" ;
after = [ "network.target" ] ++ optional hasLocalPostgresDB "postgresql.service";
wantedBy = [ "multi-user.target" ];
preStart = ''
${cfg.package}/bin/homeserver \
@ -709,6 +715,12 @@ in {
The `trusted_third_party_id_servers` option as been removed in `matrix-synapse` v1.4.0
as the behavior is now obsolete.
'')
(mkRemovedOptionModule [ "services" "matrix-synapse" "create_local_database" ] ''
Database configuration must be done manually. An exemplary setup is demonstrated in
<nixpkgs/nixos/tests/matrix-synapse.nix>
'')
];
meta.doc = ./matrix-synapse.xml;
}
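Review bot: `hasLocalPostgresDB` treats only a missing `host` or the three loopback literals as local, so a `database_args.host` that names a Unix socket directory (libpq accepts a path beginning with `/`) is classified as remote. In that case the new assertion stays silent when `services.postgresql.enable` is off, and the `after = ... postgresql.service` ordering in the later hunk is dropped. Adding a path test covers it: `usePostgresql && (!(args ? host) || hasPrefix "/" args.host || elem args.host [ "localhost" "127.0.0.1" "::1" ])`. A one-line comment above the binding saying what counts as "local" would also help.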


@ -40,26 +40,35 @@ let
in join config.networking.hostName config.networking.domain;
in {
networking = {
hostName = "myhostname";
domain = "example.org";
<link linkend="opt-networking.hostName">hostName</link> = "myhostname";
<link linkend="opt-networking.domain">domain</link> = "example.org";
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
<link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
<link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true;
<link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link> = ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.nginx = {
enable = true;
<link linkend="opt-services.nginx.enable">enable</link> = true;
# only recommendedProxySettings and recommendedGzipSettings are strictly required,
# but the rest make sense as well
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
<link linkend="opt-services.nginx.recommendedTlsSettings">recommendedTlsSettings</link> = true;
<link linkend="opt-services.nginx.recommendedOptimisation">recommendedOptimisation</link> = true;
<link linkend="opt-services.nginx.recommendedGzipSettings">recommendedGzipSettings</link> = true;
<link linkend="opt-services.nginx.recommendedProxySettings">recommendedProxySettings</link> = true;
virtualHosts = {
<link linkend="opt-services.nginx.virtualHosts">virtualHosts</link> = {
# This host section can be placed on a different host than the rest,
# i.e. to delegate from the host being accessible as ${config.networking.domain}
# to another host actually running the Matrix homeserver.
"${config.networking.domain}" = {
locations."= /.well-known/matrix/server".extraConfig =
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/server".extraConfig</link> =
let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
@ -68,7 +77,7 @@ in {
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/client".extraConfig</link> =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
@ -84,34 +93,37 @@ in {
# Reverse proxy for Matrix client-server and server-server communication
${fqdn} = {
enableACME = true;
forceSSL = true;
<link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
<link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
# Or do a redirect instead of the 404, or whatever is appropriate for you.
# But do not put a Matrix Web client here! See the Riot Web section below.
locations."/".extraConfig = ''
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."/".extraConfig</link> = ''
return 404;
'';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {
proxyPass = "http://[::1]:8008"; # without a trailing /
<link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.proxyPass">proxyPass</link> = "http://[::1]:8008"; # without a trailing /
};
};
};
};
services.matrix-synapse = {
enable = true;
server_name = config.networking.domain;
listeners = [
<link linkend="opt-services.matrix-synapse.enable">enable</link> = true;
<link linkend="opt-services.matrix-synapse.server_name">server_name</link> = config.networking.domain;
<link linkend="opt-services.matrix-synapse.listeners">listeners</link> = [
{
port = 8008;
bind_address = "::1";
type = "http";
tls = false;
x_forwarded = true;
resources = [
{ names = [ "client" "federation" ]; compress = false; }
<link linkend="opt-services.matrix-synapse.listeners._.port">port</link> = 8008;
<link linkend="opt-services.matrix-synapse.listeners._.bind_address">bind_address</link> = "::1";
<link linkend="opt-services.matrix-synapse.listeners._.type">type</link> = "http";
<link linkend="opt-services.matrix-synapse.listeners._.tls">tls</link> = false;
<link linkend="opt-services.matrix-synapse.listeners._.x_forwarded">x_forwarded</link> = true;
<link linkend="opt-services.matrix-synapse.listeners._.resources">resources</link> = [
{
<link linkend="opt-services.matrix-synapse.listeners._.resources._.names">names</link> = [ "client" "federation" ];
<link linkend="opt-services.matrix-synapse.listeners._.resources._.compress">compress</link> = false;
}
];
}
];
@ -135,10 +147,10 @@ in {
<para>
If you want to run a server with public registration by anybody, you can
then enable <option>services.matrix-synapse.enable_registration =
true;</option>. Otherwise, or you can generate a registration secret with
then enable <literal><link linkend="opt-services.matrix-synapse.enable_registration">services.matrix-synapse.enable_registration</link> =
true;</literal>. Otherwise, or you can generate a registration secret with
<command>pwgen -s 64 1</command> and set it with
<option>services.matrix-synapse.registration_shared_secret</option>. To
<option><link linkend="opt-services.matrix-synapse.registration_shared_secret">services.matrix-synapse.registration_shared_secret</link></option>. To
create a new user or admin, run the following after you have set the secret
and have rebuilt NixOS:
<screen>
@ -154,8 +166,8 @@ Success!
<literal>@your-username:example.org</literal>. Note that the registration
secret ends up in the nix store and therefore is world-readable by any user
on your machine, so it makes sense to only temporarily activate the
<option>registration_shared_secret</option> option until a better solution
for NixOS is in place.
<link linkend="opt-services.matrix-synapse.registration_shared_secret">registration_shared_secret</link>
option until a better solution for NixOS is in place.
</para>
</section>
<section xml:id="module-services-matrix-riot-web">
@ -177,15 +189,24 @@ Success!
Matrix Now!</link> for a list of existing clients and their supported
featureset.
<programlisting>
services.nginx.virtualHosts."riot.${fqdn}" = {
enableACME = true;
forceSSL = true;
serverAliases = [
"riot.${config.networking.domain}"
];
{
services.nginx.virtualHosts."riot.${fqdn}" = {
<link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
<link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
<link linkend="opt-services.nginx.virtualHosts._name_.serverAliases">serverAliases</link> = [
"riot.${config.networking.domain}"
];
root = pkgs.riot-web;
};
<link linkend="opt-services.nginx.virtualHosts._name_.root">root</link> = pkgs.riot-web.override {
conf = {
default_server_config."m.homeserver" = {
"base_url" = "${config.networking.domain}";
"server_name" = "${fqdn}";
};
};
};
};
}
</programlisting>
</para>


@ -88,9 +88,7 @@ in {
exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@"
'';
};
services.openssh.extraConfig = ''
AuthorizedKeysCommand /etc/ssh/authorized_keys_command
AuthorizedKeysCommandUser nobody
'';
services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
services.openssh.authorizedKeysCommandUser = "nobody";
})];
}
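Review bot: `authorizedKeysCommandUser` is still `"nobody"`, an account other services on the host may also run as, whereas the sshd_config documentation recommends a dedicated user with no other role for the authorized-keys command. A dedicated system user, e.g. `services.openssh.authorizedKeysCommandUser = "<dedicated-user>";` (placeholder name) with a matching `users.users` entry, would keep the SSSD lookup helper isolated. Both assignments are also plain definitions now. A configuration that sets its own `services.openssh.authorizedKeysCommand` will therefore likely hit a conflicting-definition error where the old `extraConfig` lines simply merged, and wrapping both values in `mkDefault` would avoid that. The enclosing `mkIf` block starts outside this hunk.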


@ -39,8 +39,6 @@ let
GRAPHITE_URL = cfg.seyren.graphiteUrl;
} // cfg.seyren.extraConfig;
pagerConfig = pkgs.writeText "alarms.yaml" cfg.pager.alerts;
configDir = pkgs.buildEnv {
name = "graphite-config";
paths = lists.filter (el: el != null) [
@ -61,12 +59,10 @@ let
carbonEnv = {
PYTHONPATH = let
cenv = pkgs.python.buildEnv.override {
extraLibs = [ pkgs.python27Packages.carbon ];
cenv = pkgs.python3.buildEnv.override {
extraLibs = [ pkgs.python3Packages.carbon ];
};
cenvPack = "${cenv}/${pkgs.python.sitePackages}";
# opt/graphite/lib contains twisted.plugins.carbon-cache
in "${cenvPack}/opt/graphite/lib:${cenvPack}";
in "${cenv}/${pkgs.python3.sitePackages}";
GRAPHITE_ROOT = dataDir;
GRAPHITE_CONF_DIR = configDir;
GRAPHITE_STORAGE_DIR = dataDir;
@ -74,6 +70,10 @@ let
in {
imports = [
(mkRemovedOptionModule ["services" "graphite" "pager"] "")
];
###### interface
options.services.graphite = {
@ -132,7 +132,7 @@ in {
finders = mkOption {
description = "List of finder plugins to load.";
default = [];
example = literalExample "[ pkgs.python27Packages.influxgraph ]";
example = literalExample "[ pkgs.python3Packages.influxgraph ]";
type = types.listOf types.package;
};
@ -159,8 +159,8 @@ in {
package = mkOption {
description = "Package to use for graphite api.";
default = pkgs.python27Packages.graphite_api;
defaultText = "pkgs.python27Packages.graphite_api";
default = pkgs.python3Packages.graphite_api;
defaultText = "pkgs.python3Packages.graphite_api";
type = types.package;
};
@ -344,49 +344,6 @@ in {
};
};
pager = {
enable = mkOption {
description = ''
Whether to enable graphite-pager service. For more information visit
<link xlink:href="https://github.com/seatgeek/graphite-pager"/>
'';
default = false;
type = types.bool;
};
redisUrl = mkOption {
description = "Redis connection string.";
default = "redis://localhost:${toString config.services.redis.port}/";
type = types.str;
};
graphiteUrl = mkOption {
description = "URL to your graphite service.";
default = "http://${cfg.web.listenAddress}:${toString cfg.web.port}";
type = types.str;
};
alerts = mkOption {
description = "Alerts configuration for graphite-pager.";
default = ''
alerts:
- target: constantLine(100)
warning: 90
critical: 200
name: Test
'';
example = ''
pushbullet_key: pushbullet_api_key
alerts:
- target: stats.seatgeek.app.deal_quality.venue_info_cache.hit
warning: .5
critical: 1
name: Deal quality venue cache hits
'';
type = types.lines;
};
};
beacon = {
enable = mkEnableOption "graphite beacon";
@ -409,7 +366,7 @@ in {
environment = carbonEnv;
serviceConfig = {
RuntimeDirectory = name;
ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}";
ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}";
User = "graphite";
Group = "graphite";
PermissionsStartOnly = true;
@ -431,7 +388,7 @@ in {
environment = carbonEnv;
serviceConfig = {
RuntimeDirectory = name;
ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}";
ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}";
User = "graphite";
Group = "graphite";
PIDFile="/run/${name}/${name}.pid";
@ -447,7 +404,7 @@ in {
environment = carbonEnv;
serviceConfig = {
RuntimeDirectory = name;
ExecStart = "${pkgs.pythonPackages.twisted}/bin/twistd ${carbonOpts name}";
ExecStart = "${pkgs.python3Packages.twisted}/bin/twistd ${carbonOpts name}";
User = "graphite";
Group = "graphite";
PIDFile="/run/${name}/${name}.pid";
@ -457,19 +414,11 @@ in {
(mkIf (cfg.carbon.enableCache || cfg.carbon.enableAggregator || cfg.carbon.enableRelay) {
environment.systemPackages = [
pkgs.pythonPackages.carbon
pkgs.python3Packages.carbon
];
})
(mkIf cfg.web.enable (let
python27' = pkgs.python27.override {
packageOverrides = self: super: {
django = self.django_1_8;
django_tagging = self.django_tagging_0_4_3;
};
};
pythonPackages = python27'.pkgs;
in {
(mkIf cfg.web.enable ({
systemd.services.graphiteWeb = {
description = "Graphite Web Interface";
wantedBy = [ "multi-user.target" ];
@ -477,28 +426,27 @@ in {
path = [ pkgs.perl ];
environment = {
PYTHONPATH = let
penv = pkgs.python.buildEnv.override {
penv = pkgs.python3.buildEnv.override {
extraLibs = [
pythonPackages.graphite-web
pythonPackages.pysqlite
pkgs.python3Packages.graphite-web
];
};
penvPack = "${penv}/${pkgs.python.sitePackages}";
penvPack = "${penv}/${pkgs.python3.sitePackages}";
in concatStringsSep ":" [
"${graphiteLocalSettingsDir}"
"${penvPack}/opt/graphite/webapp"
"${penvPack}"
# explicitly adding pycairo in path because it cannot be imported via buildEnv
"${pkgs.pythonPackages.pycairo}/${pkgs.python.sitePackages}"
"${pkgs.python3Packages.pycairo}/${pkgs.python3.sitePackages}"
];
DJANGO_SETTINGS_MODULE = "graphite.settings";
GRAPHITE_SETTINGS_MODULE = "graphite_local_settings";
GRAPHITE_CONF_DIR = configDir;
GRAPHITE_STORAGE_DIR = dataDir;
LD_LIBRARY_PATH = "${pkgs.cairo.out}/lib";
};
serviceConfig = {
ExecStart = ''
${pkgs.python27Packages.waitress-django}/bin/waitress-serve-django \
${pkgs.python3Packages.waitress-django}/bin/waitress-serve-django \
--host=${cfg.web.listenAddress} --port=${toString cfg.web.port}
'';
User = "graphite";
@ -510,7 +458,7 @@ in {
mkdir -p ${dataDir}/{whisper/,log/webapp/}
chmod 0700 ${dataDir}/{whisper/,log/webapp/}
${pkgs.pythonPackages.django_1_8}/bin/django-admin.py migrate --noinput
${pkgs.python3Packages.django}/bin/django-admin.py migrate --noinput
chown -R graphite:graphite ${dataDir}
@ -518,16 +466,16 @@ in {
fi
# Only collect static files when graphite_web changes.
if ! [ "${dataDir}/current_graphite_web" -ef "${pythonPackages.graphite-web}" ]; then
if ! [ "${dataDir}/current_graphite_web" -ef "${pkgs.python3Packages.graphite-web}" ]; then
mkdir -p ${staticDir}
${pkgs.pythonPackages.django_1_8}/bin/django-admin.py collectstatic --noinput --clear
${pkgs.python3Packages.django}/bin/django-admin.py collectstatic --noinput --clear
chown -R graphite:graphite ${staticDir}
ln -sfT "${pythonPackages.graphite-web}" "${dataDir}/current_graphite_web"
ln -sfT "${pkgs.python3Packages.graphite-web}" "${dataDir}/current_graphite_web"
fi
'';
};
environment.systemPackages = [ pythonPackages.graphite-web ];
environment.systemPackages = [ pkgs.python3Packages.graphite-web ];
}))
(mkIf cfg.api.enable {
@ -537,16 +485,16 @@ in {
after = [ "network.target" ];
environment = {
PYTHONPATH = let
aenv = pkgs.python.buildEnv.override {
extraLibs = [ cfg.api.package pkgs.cairo pkgs.pythonPackages.cffi ] ++ cfg.api.finders;
aenv = pkgs.python3.buildEnv.override {
extraLibs = [ cfg.api.package pkgs.cairo pkgs.python3Packages.cffi ] ++ cfg.api.finders;
};
in "${aenv}/${pkgs.python.sitePackages}";
in "${aenv}/${pkgs.python3.sitePackages}";
GRAPHITE_API_CONFIG = graphiteApiConfig;
LD_LIBRARY_PATH = "${pkgs.cairo.out}/lib";
};
serviceConfig = {
ExecStart = ''
${pkgs.python27Packages.waitress}/bin/waitress-serve \
${pkgs.python3Packages.waitress}/bin/waitress-serve \
--host=${cfg.api.listenAddress} --port=${toString cfg.api.port} \
graphite_api.app:app
'';
@ -591,34 +539,13 @@ in {
services.mongodb.enable = mkDefault true;
})
(mkIf cfg.pager.enable {
systemd.services.graphitePager = {
description = "Graphite Pager Alerting Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "redis.service" ];
environment = {
REDIS_URL = cfg.pager.redisUrl;
GRAPHITE_URL = cfg.pager.graphiteUrl;
};
serviceConfig = {
ExecStart = "${pkgs.pythonPackages.graphitepager}/bin/graphite-pager --config ${pagerConfig}";
User = "graphite";
Group = "graphite";
};
};
services.redis.enable = mkDefault true;
environment.systemPackages = [ pkgs.pythonPackages.graphitepager ];
})
(mkIf cfg.beacon.enable {
systemd.services.graphite-beacon = {
description = "Grpahite Beacon Alerting Daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.pythonPackages.graphite_beacon}/bin/graphite-beacon \
${pkgs.python3Packages.graphite_beacon}/bin/graphite-beacon \
--config=${pkgs.writeText "graphite-beacon.json" (builtins.toJSON cfg.beacon.config)}
'';
User = "graphite";
@ -630,7 +557,7 @@ in {
(mkIf (
cfg.carbon.enableCache || cfg.carbon.enableAggregator || cfg.carbon.enableRelay ||
cfg.web.enable || cfg.api.enable ||
cfg.seyren.enable || cfg.pager.enable || cfg.beacon.enable
cfg.seyren.enable || cfg.beacon.enable
) {
users.users.graphite = {
uid = config.ids.uids.graphite;
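Review bot: `mkRemovedOptionModule ["services" "graphite" "pager"] ""` passes an empty explanation, so anyone who still sets `services.graphite.pager.*` is told the option no longer exists with no reason and no pointer to a replacement. The message should say why the service was dropped and what to use instead, for example `(mkRemovedOptionModule ["services" "graphite" "pager"] "graphite-pager has been removed; consider services.graphite.beacon or services.graphite.seyren for alerting.")`. The actual reason for the removal is not stated on this page, so the wording needs confirming. The `cfg.pager.enable` term dropped from the final `mkIf` in the last hunk matches this removal.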


@ -9,10 +9,12 @@ let
mkdir -p $out/libexec/netdata/plugins.d
ln -s /run/wrappers/bin/apps.plugin $out/libexec/netdata/plugins.d/apps.plugin
ln -s /run/wrappers/bin/freeipmi.plugin $out/libexec/netdata/plugins.d/freeipmi.plugin
ln -s /run/wrappers/bin/perf.plugin $out/libexec/netdata/plugins.d/perf.plugin
ln -s /run/wrappers/bin/slabinfo.plugin $out/libexec/netdata/plugins.d/slabinfo.plugin
'';
plugins = [
"${pkgs.netdata}/libexec/netdata/plugins.d"
"${cfg.package}/libexec/netdata/plugins.d"
"${wrappedPlugins}/libexec/netdata/plugins.d"
] ++ cfg.extraPluginPaths;
@ -35,6 +37,13 @@ in {
services.netdata = {
enable = mkEnableOption "netdata";
package = mkOption {
type = types.package;
default = pkgs.netdata;
defaultText = "pkgs.netdata";
description = "Netdata package to use.";
};
user = mkOption {
type = types.str;
default = "netdata";
@ -141,8 +150,8 @@ in {
path = (with pkgs; [ curl gawk which ]) ++ lib.optional cfg.python.enable
(pkgs.python3.withPackages cfg.python.extraPackages);
serviceConfig = {
Environment="PYTHONPATH=${pkgs.netdata}/libexec/netdata/python.d/python_modules";
ExecStart = "${pkgs.netdata}/bin/netdata -P /run/netdata/netdata.pid -D -c ${configFile}";
Environment="PYTHONPATH=${cfg.package}/libexec/netdata/python.d/python_modules";
ExecStart = "${cfg.package}/bin/netdata -P /run/netdata/netdata.pid -D -c ${configFile}";
ExecReload = "${pkgs.utillinux}/bin/kill -s HUP -s USR1 -s USR2 $MAINPID";
TimeoutStopSec = 60;
# User and group
@ -159,7 +168,7 @@ in {
systemd.enableCgroupAccounting = true;
security.wrappers."apps.plugin" = {
source = "${pkgs.netdata}/libexec/netdata/plugins.d/apps.plugin.org";
source = "${cfg.package}/libexec/netdata/plugins.d/apps.plugin.org";
capabilities = "cap_dac_read_search,cap_sys_ptrace+ep";
owner = cfg.user;
group = cfg.group;
@ -167,13 +176,29 @@ in {
};
security.wrappers."freeipmi.plugin" = {
source = "${pkgs.netdata}/libexec/netdata/plugins.d/freeipmi.plugin.org";
source = "${cfg.package}/libexec/netdata/plugins.d/freeipmi.plugin.org";
capabilities = "cap_dac_override,cap_fowner+ep";
owner = cfg.user;
group = cfg.group;
permissions = "u+rx,g+rx,o-rwx";
};
security.wrappers."perf.plugin" = {
source = "${cfg.package}/libexec/netdata/plugins.d/perf.plugin.org";
capabilities = "cap_sys_admin+ep";
owner = cfg.user;
group = cfg.group;
permissions = "u+rx,g+rx,o-rx";
};
security.wrappers."slabinfo.plugin" = {
source = "${cfg.package}/libexec/netdata/plugins.d/slabinfo.plugin.org";
capabilities = "cap_dac_override+ep";
owner = cfg.user;
group = cfg.group;
permissions = "u+rx,g+rx,o-rx";
};
security.pam.loginLimits = [
{ domain = "netdata"; type = "soft"; item = "nofile"; value = "10000"; }
{ domain = "netdata"; type = "hard"; item = "nofile"; value = "30000"; }
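Review bot: The two new wrappers use `permissions = "u+rx,g+rx,o-rx"`, whereas the existing `freeipmi.plugin` wrapper in the same section uses `o-rwx`. For binaries that carry `cap_sys_admin+ep` and `cap_dac_override+ep`, the stricter and consistent `permissions = "u+rx,g+rx,o-rwx";` is the safer choice. `cap_sys_admin` on `perf.plugin` is a very broad grant, and the wrapper is created whenever netdata is enabled. A comment stating why the capability is needed, or an option that gates the wrapper, would limit exposure on hosts that do not use the perf collector. Because `source` now comes from `cfg.package`, an overridden package that does not ship `perf.plugin.org` or `slabinfo.plugin.org` would presumably break wrapper creation, which is worth checking.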


@ -546,9 +546,13 @@ in
options nf_conntrack nf_conntrack_helper=1
'';
assertions = [ { assertion = cfg.checkReversePath -> kernelHasRPFilter;
message = "This kernel does not support rpfilter"; }
];
assertions = [
# This is approximately "checkReversePath -> kernelHasRPFilter",
# but the checkReversePath option can include non-boolean
# values.
{ assertion = cfg.checkReversePath == false || kernelHasRPFilter;
message = "This kernel does not support rpfilter"; }
];
systemd.services.firewall = {
description = "Firewall";


@ -9,6 +9,8 @@ let
iodinedUser = "iodined";
/* is this path made unreadable by ProtectHome = true ? */
isProtected = x: hasPrefix "/root" x || hasPrefix "/home" x;
in
{
imports = [
@ -35,45 +37,48 @@ in
corresponding attribute name.
'';
example = literalExample ''
{
foo = {
server = "tunnel.mdomain.com";
relay = "8.8.8.8";
extraConfig = "-v";
{
foo = {
server = "tunnel.mdomain.com";
relay = "8.8.8.8";
extraConfig = "-v";
}
}
}
'';
type = types.attrsOf (types.submodule (
{
options = {
server = mkOption {
type = types.str;
default = "";
description = "Domain or Subdomain of server running iodined";
example = "tunnel.mydomain.com";
};
type = types.attrsOf (
types.submodule (
{
options = {
server = mkOption {
type = types.str;
default = "";
description = "Hostname of server running iodined";
example = "tunnel.mydomain.com";
};
relay = mkOption {
type = types.str;
default = "";
description = "DNS server to use as a intermediate relay to the iodined server";
example = "8.8.8.8";
};
relay = mkOption {
type = types.str;
default = "";
description = "DNS server to use as an intermediate relay to the iodined server";
example = "8.8.8.8";
};
extraConfig = mkOption {
type = types.str;
default = "";
description = "Additional command line parameters";
example = "-l 192.168.1.10 -p 23";
};
extraConfig = mkOption {
type = types.str;
default = "";
description = "Additional command line parameters";
example = "-l 192.168.1.10 -p 23";
};
passwordFile = mkOption {
type = types.str;
default = "";
description = "File that contains password";
};
};
}));
passwordFile = mkOption {
type = types.str;
default = "";
description = "Path to a file containing the password.";
};
};
}
)
);
};
server = {
@ -121,31 +126,67 @@ in
boot.kernelModules = [ "tun" ];
systemd.services =
let
createIodineClientService = name: cfg:
{
description = "iodine client - ${name}";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "exec ${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "< \"${cfg.passwordFile}\""} ${cfg.relay} ${cfg.server}";
serviceConfig = {
RestartSec = "30s";
Restart = "always";
let
createIodineClientService = name: cfg:
{
description = "iodine client - ${name}";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "exec ${pkgs.iodine}/bin/iodine -f -u ${iodinedUser} ${cfg.extraConfig} ${optionalString (cfg.passwordFile != "") "< \"${builtins.toString cfg.passwordFile}\""} ${cfg.relay} ${cfg.server}";
serviceConfig = {
RestartSec = "30s";
Restart = "always";
# hardening :
# Filesystem access
ProtectSystem = "strict";
ProtectHome = if isProtected cfg.passwordFile then "read-only" else "true" ;
PrivateTmp = true;
ReadWritePaths = "/dev/net/tun";
PrivateDevices = false;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
# Caps
NoNewPrivileges = true;
# Misc.
LockPersonality = true;
RestrictRealtime = true;
PrivateMounts = true;
MemoryDenyWriteExecute = true;
};
};
in
listToAttrs (
mapAttrsToList
(name: value: nameValuePair "iodine-${name}" (createIodineClientService name value))
cfg.clients
) // {
iodined = mkIf (cfg.server.enable) {
description = "iodine, ip over dns server daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${builtins.toString cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}";
serviceConfig = {
# Filesystem access
ProtectSystem = "strict";
ProtectHome = if isProtected cfg.server.passwordFile then "read-only" else "true" ;
PrivateTmp = true;
ReadWritePaths = "/dev/net/tun";
PrivateDevices = false;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
# Caps
NoNewPrivileges = true;
# Misc.
LockPersonality = true;
RestrictRealtime = true;
PrivateMounts = true;
MemoryDenyWriteExecute = true;
};
};
};
};
in
listToAttrs (
mapAttrsToList
(name: value: nameValuePair "iodine-${name}" (createIodineClientService name value))
cfg.clients
) // {
iodined = mkIf (cfg.server.enable) {
description = "iodine, ip over dns server daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}";
};
};
users.users.${iodinedUser} = {
uid = config.ids.uids.iodined;
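Review bot: `isProtected` matches only `/root` and `/home`, but systemd's `ProtectHome=` also covers `/run/user`. A `passwordFile` under `/run/user` therefore gets `ProtectHome = "true"`, and the redirect in `script` can no longer read it. `isProtected = x: any (p: hasPrefix p x) [ "/root" "/home" "/run/user" ];` covers all three, and the question in the comment above it can then become a statement of what the helper checks. Separately, both rewritten `script` lines still splice the password path into the shell line inside hand-written double quotes. `"< ${escapeShellArg cfg.passwordFile}"`, and the same for `cfg.server.passwordFile`, stays correct when the path contains quotes or `$`.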


@ -244,7 +244,7 @@ in
group = "rslsync";
};
users.groups = [ { name = "rslsync"; } ];
users.groups.rslsync = {};
systemd.services.resilio = with pkgs; {
description = "Resilio Sync Service";


@ -0,0 +1,61 @@
{ lib, pkgs, config, ... }:
with lib;
let
inherit (lib.types) attrsOf coercedTo listOf oneOf str int bool;
cfg = config.services.smartdns;
confFile = pkgs.writeText "smartdns.conf" (with generators;
toKeyValue {
mkKeyValue = mkKeyValueDefault {
mkValueString = v:
if isBool v then
if v then "yes" else "no"
else
mkValueStringDefault { } v;
} " ";
listsAsDuplicateKeys =
true; # Allowing duplications because we need to deal with multiple entries with the same key.
} cfg.settings);
in {
options.services.smartdns = {
enable = mkEnableOption "SmartDNS DNS server";
bindPort = mkOption {
type = types.port;
default = 53;
description = "DNS listening port number.";
};
settings = mkOption {
type =
let atom = oneOf [ str int bool ];
in attrsOf (coercedTo atom toList (listOf atom));
example = literalExample ''
{
bind = ":5353 -no-rule -group example";
cache-size = 4096;
server-tls = [ "8.8.8.8:853" "1.1.1.1:853" ];
server-https = "https://cloudflare-dns.com/dns-query -exclude-default-group";
prefetch-domain = true;
speed-check-mode = "ping,tcp:80";
};
'';
description = ''
A set that will be generated into configuration file, see the <link xlink:href="https://github.com/pymumu/smartdns/blob/master/ReadMe_en.md#configuration-parameter">SmartDNS README</link> for details of configuration parameters.
You could override the options here like <option>services.smartdns.bindPort</option> by writing <literal>settings.bind = ":5353 -no-rule -group example";</literal>.
'';
};
};
config = lib.mkIf cfg.enable {
services.smartdns.settings.bind = mkDefault ":${toString cfg.bindPort}";
systemd.packages = [ pkgs.smartdns ];
systemd.services.smartdns.wantedBy = [ "multi-user.target" ];
environment.etc."smartdns/smartdns.conf".source = confFile;
environment.etc."default/smartdns".source =
"${pkgs.smartdns}/etc/default/smartdns";
};
}
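Review bot: The default written by `services.smartdns.settings.bind = mkDefault ":${toString cfg.bindPort}";` has no address part, so the resolver presumably listens on every interface, and the `bindPort` description does not say so. I would extend that description, for example `DNS listening port number. The default bind has no address and is not limited to loopback; set settings.bind to restrict it.` The generated `smartdns.conf` is built with `pkgs.writeText`, so it lands in the world-readable Nix store; a sentence in the `settings` description should say that credentials do not belong there.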


@ -17,7 +17,7 @@ let
${cfg.extraConfig}
EOL
ssh-keygen -f mock-hostkey -N ""
ssh-keygen -q -f mock-hostkey -N ""
sshd -t -f $out -h mock-hostkey
'';
@ -238,6 +238,26 @@ in
description = "Files from which authorized keys are read.";
};
authorizedKeysCommand = mkOption {
type = types.str;
default = "none";
description = ''
Specifies a program to be used to look up the user's public
keys. The program must be owned by root, not writable by group
or others and specified by an absolute path.
'';
};
authorizedKeysCommandUser = mkOption {
type = types.str;
default = "nobody";
description = ''
Specifies the user under whose account the AuthorizedKeysCommand
is run. It is recommended to use a dedicated user that has no
other role on the host than running authorized keys commands.
'';
};
kexAlgorithms = mkOption {
type = types.listOf types.str;
default = [
@ -485,6 +505,10 @@ in
PrintMotd no # handled by pam_motd
AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
${optionalString (cfg.authorizedKeysCommand != "none") ''
AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
''}
${flip concatMapStrings cfg.hostKeys (k: ''
HostKey ${k.path}
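Review bot: `authorizedKeysCommandUser` defaults to `"nobody"` while its own description recommends a dedicated user with no other role on the host; `nobody` is commonly shared by unrelated services, so the default works against the advice the option gives. Because the two directives are only emitted when `cfg.authorizedKeysCommand != "none"`, the cheapest fix is to add to the description: `The default, nobody, is shared with other services; create a dedicated system user when enabling authorizedKeysCommand.` The sshd_config string these lines are spliced into starts and ends outside the hunk.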


@ -205,6 +205,7 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "notify";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
ExecStart = "${pkgs.stubby}/bin/stubby -C ${confFile} ${optionalString cfg.debugLogging "-l"}";
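Review bot: The added `AmbientCapabilities = "CAP_NET_BIND_SERVICE";` has no comment saying why the unit needs it; presumably the daemon runs as an unprivileged user and must bind a privileged port, but the user setting is outside this hunk. A one-line comment such as `# lets the unprivileged daemon bind a privileged port; the bounding set below limits it to this one capability` would stop a later cleanup from dropping either line. `serviceConfig` continues past the end of the hunk.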


@ -39,8 +39,6 @@ let
bindsTo = deps;
after = deps;
before = [ "network.target" ];
# Receive restart event after resume
partOf = [ "post-resume.target" ];
path = [ pkgs.coreutils ];


@ -3,32 +3,35 @@
with lib;
let
cfg = config.services.supybot;
isStateDirHome = hasPrefix "/home/" cfg.stateDir;
isStateDirVar = cfg.stateDir == "/var/lib/supybot";
pyEnv = pkgs.python3.withPackages (p: [ p.limnoria ] ++ (cfg.extraPackages p));
in
{
options = {
services.supybot = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable Supybot, an IRC bot";
description = "Enable Supybot, an IRC bot (also known as Limnoria).";
};
stateDir = mkOption {
# Setting this to /var/lib/supybot caused useradd to fail
default = "/home/supybot";
type = types.path;
default = if versionAtLeast config.system.stateVersion "20.09"
then "/var/lib/supybot"
else "/home/supybot";
defaultText = "/var/lib/supybot";
description = "The root directory, logs and plugins are stored here";
};
configFile = mkOption {
type = types.path;
description = ''
Path to a supybot config file. This can be generated by
Path to initial supybot config file. This can be generated by
running supybot-wizard.
Note: all paths should include the full path to the stateDir
@ -36,21 +39,54 @@ in
'';
};
plugins = mkOption {
type = types.attrsOf types.path;
default = {};
description = ''
Attribute set of additional plugins that will be symlinked to the
<filename>plugin</filename> subdirectory.
Please note that you still need to add the plugins to the config
file (or with <literal>!load</literal>) using their attribute name.
'';
example = literalExample ''
let
plugins = pkgs.fetchzip {
url = "https://github.com/ProgVal/Supybot-plugins/archive/57c2450c.zip";
sha256 = "077snf84ibnva3sbpzdfpfma6hcdw7dflwnhg6pw7mgnf0nd84qd";
};
in
{
Wikipedia = "''${plugins}/Wikipedia";
Decide = ./supy-decide;
}
'';
};
extraPackages = mkOption {
default = p: [];
description = ''
Extra Python packages available to supybot plugins. The
value must be a function which receives the attrset defined
in <varname>python3Packages</varname> as the sole argument.
'';
example = literalExample ''p: [ p.lxml p.requests ]'';
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.pythonPackages.limnoria ];
environment.systemPackages = [ pkgs.python3Packages.limnoria ];
users.users.supybot = {
uid = config.ids.uids.supybot;
group = "supybot";
description = "Supybot IRC bot user";
home = cfg.stateDir;
createHome = true;
isSystemUser = true;
};
users.groups.supybot = {
@ -59,19 +95,16 @@ in
systemd.services.supybot = {
description = "Supybot, an IRC bot";
documentation = [ "https://limnoria.readthedocs.io/" ];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.pythonPackages.limnoria ];
preStart = ''
cd ${cfg.stateDir}
mkdir -p backup conf data plugins logs/plugins tmp web
ln -sf ${cfg.configFile} supybot.cfg
# This needs to be created afresh every time
rm -f supybot.cfg.bak
rm -f '${cfg.stateDir}/supybot.cfg.bak'
'';
serviceConfig = {
ExecStart = "${pkgs.pythonPackages.limnoria}/bin/supybot ${cfg.stateDir}/supybot.cfg";
ExecStart = "${pyEnv}/bin/supybot ${cfg.stateDir}/supybot.cfg";
PIDFile = "/run/supybot.pid";
User = "supybot";
Group = "supybot";
@ -79,8 +112,50 @@ in
Restart = "on-abort";
StartLimitInterval = "5m";
StartLimitBurst = "1";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
RestrictNamespaces = true;
RestrictRealtime = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RemoveIPC = true;
ProtectHostname = true;
CapabilityBoundingSet = "";
ProtectSystem = "full";
}
// optionalAttrs isStateDirVar {
StateDirectory = "supybot";
ProtectSystem = "strict";
}
// optionalAttrs (!isStateDirHome) {
ProtectHome = true;
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 supybot supybot - -"
"d '${cfg.stateDir}/backup' 0750 supybot supybot - -"
"d '${cfg.stateDir}/conf' 0750 supybot supybot - -"
"d '${cfg.stateDir}/data' 0750 supybot supybot - -"
"d '${cfg.stateDir}/plugins' 0750 supybot supybot - -"
"d '${cfg.stateDir}/logs' 0750 supybot supybot - -"
"d '${cfg.stateDir}/logs/plugins' 0750 supybot supybot - -"
"d '${cfg.stateDir}/tmp' 0750 supybot supybot - -"
"d '${cfg.stateDir}/web' 0750 supybot supybot - -"
"L '${cfg.stateDir}/supybot.cfg' - - - - ${cfg.configFile}"
]
++ (flip mapAttrsToList cfg.plugins (name: dest:
"L+ '${cfg.stateDir}/plugins/${name}' - - - - ${dest}"
));
};
}
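Review bot: `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];` in the new `serviceConfig` leaves out `AF_UNIX`, so any code in the bot or its plugins that opens a unix socket (nscd lookups, syslog) will get an error from socket(). Whether Limnoria depends on that is not visible here, so this should be tested or widened to `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];`. Separately, `configFile` is a `types.path`, and a path literal is copied into the world-readable Nix store, which undoes the `0700` mode the tmpfiles rules put on `stateDir` if the config holds network or owner passwords. The option description should say to pass a string path outside the store in that case.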


@ -0,0 +1,46 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.services.tailscale;
in {
meta.maintainers = with maintainers; [ danderson mbaillie ];
options.services.tailscale = {
enable = mkEnableOption "Tailscale client daemon";
port = mkOption {
type = types.port;
default = 41641;
description = "The port to listen on for tunnel traffic (0=autoselect).";
};
};
config = mkIf cfg.enable {
systemd.services.tailscale = {
description = "Tailscale client daemon";
after = [ "network-pre.target" ];
wants = [ "network-pre.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig = {
StartLimitIntervalSec = 0;
StartLimitBurst = 0;
};
serviceConfig = {
ExecStart =
"${pkgs.tailscale}/bin/tailscaled --port ${toString cfg.port}";
RuntimeDirectory = "tailscale";
RuntimeDirectoryMode = 755;
StateDirectory = "tailscale";
StateDirectoryMode = 700;
Restart = "on-failure";
};
};
};
}
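Review bot: `systemd.services.tailscale.serviceConfig` sets no `User` and none of the sandboxing options that the iodine and supybot units in this same commit receive, so `tailscaled` runs as root with the full capability set. The daemon presumably needs to create a tunnel device and change routes, which rules out some options, but `ProtectHome`, `LockPersonality`, `RestrictRealtime` or a bounded `CapabilityBoundingSet` are worth trying, and a comment should say why any of them cannot be used. `RuntimeDirectoryMode = 755;` and `StateDirectoryMode = 700;` are Nix integers that happen to render as the digits systemd reads as octal; writing them as strings (`"0755"`, `"0700"`) makes that intent explicit.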


@ -69,13 +69,14 @@ in
environment.systemPackages = [ cfg.package ];
# Prevent systemd from potentially changing the MAC address
environment.etc."systemd/network/50-zerotier.link".text = ''
[Match]
OriginalName=zt*
[Link]
AutoNegotiation=false
MACAddressPolicy=none
'';
systemd.network.links."50-zerotier" = {
matchConfig = {
OriginalName = "zt*";
};
linkConfig = {
AutoNegotiation = false;
MACAddressPolicy = "none";
};
};
};
}


@ -216,6 +216,10 @@ in
config = mkIf cfg.enable {
warnings = mkIf (config.networking.firewall.enable == false && config.networking.nftables.enable == false) [
"fail2ban can not be used without a firewall"
];
environment.systemPackages = [ cfg.package ];
environment.etc = {
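Review bot: The new warning text `fail2ban can not be used without a firewall` does not name the options it tests, so an admin who sees it has to read the module to learn what to change. I would write `"fail2ban is enabled but neither networking.firewall nor networking.nftables is; bans will not be enforced by a packet filter"`, and express the condition as `!config.networking.firewall.enable && !config.networking.nftables.enable` instead of comparing with `== false`. The `config` block continues outside the hunk.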


@ -20,7 +20,7 @@ in
services.xserver.desktopManager.session = [{
name = "kodi";
start = ''
${pkgs.kodi}/bin/kodi --lircdev /run/lirc/lircd --standalone &
LIRC_SOCKET_PATH=/run/lirc/lircd ${pkgs.kodi}/bin/kodi --standalone &
waitPID=$!
'';
}];


@ -44,35 +44,35 @@ in
config = mkIf cfg.enable {
services.xserver.desktopManager.session = singleton {
name = "mate";
bgSupport = true;
start = ''
export XDG_MENU_PREFIX=mate-
services.xserver.displayManager.sessionPackages = [
pkgs.mate.mate-session-manager
];
# Let caja find extensions
export CAJA_EXTENSION_DIRS=$CAJA_EXTENSION_DIRS''${CAJA_EXTENSION_DIRS:+:}${config.system.path}/lib/caja/extensions-2.0
services.xserver.displayManager.sessionCommands = ''
if test "$XDG_CURRENT_DESKTOP" = "MATE"; then
export XDG_MENU_PREFIX=mate-
# Let caja extensions find gsettings schemas
${concatMapStrings (p: ''
# Let caja find extensions
export CAJA_EXTENSION_DIRS=$CAJA_EXTENSION_DIRS''${CAJA_EXTENSION_DIRS:+:}${config.system.path}/lib/caja/extensions-2.0
# Let caja extensions find gsettings schemas
${concatMapStrings (p: ''
if [ -d "${p}/lib/caja/extensions-2.0" ]; then
${addToXDGDirs p}
${addToXDGDirs p}
fi
'')
config.environment.systemPackages
}
'') config.environment.systemPackages}
# Let mate-panel find applets
export MATE_PANEL_APPLETS_DIR=$MATE_PANEL_APPLETS_DIR''${MATE_PANEL_APPLETS_DIR:+:}${config.system.path}/share/mate-panel/applets
export MATE_PANEL_EXTRA_MODULES=$MATE_PANEL_EXTRA_MODULES''${MATE_PANEL_EXTRA_MODULES:+:}${config.system.path}/lib/mate-panel/applets
# Add mate-control-center paths to some XDG variables because its schemas are needed by mate-settings-daemon, and mate-settings-daemon is a dependency for mate-control-center (that is, they are mutually recursive)
${addToXDGDirs pkgs.mate.mate-control-center}
fi
'';
# Add mate-control-center paths to some XDG variables because its schemas are needed by mate-settings-daemon, and mate-settings-daemon is a dependency for mate-control-center (that is, they are mutually recursive)
${addToXDGDirs pkgs.mate.mate-control-center}
# Let mate-panel find applets
environment.sessionVariables."MATE_PANEL_APPLETS_DIR" = "${config.system.path}/share/mate-panel/applets";
environment.sessionVariables."MATE_PANEL_EXTRA_MODULES" = "${config.system.path}/lib/mate-panel/applets";
${pkgs.mate.mate-session-manager}/bin/mate-session ${optionalString cfg.debug "--debug"} &
waitPID=$!
'';
};
# Debugging
environment.sessionVariables.MATE_SESSION_DEBUG = mkIf cfg.debug "1";
environment.systemPackages =
pkgs.mate.basePackages ++


@ -75,7 +75,7 @@ let
echo -n "$configurationName" > $out/configuration-name
echo -n "systemd ${toString config.systemd.package.interfaceVersion}" > $out/init-interface-version
echo -n "$nixosLabel" > $out/nixos-version
echo -n "${pkgs.stdenv.hostPlatform.system}" > $out/system
echo -n "${config.boot.kernelPackages.stdenv.hostPlatform.system}" > $out/system
mkdir $out/fine-tune
childCount=0


@ -192,139 +192,144 @@ in
###### implementation
config = mkIf (!config.boot.isContainer) {
config = mkMerge
[ (mkIf config.boot.initrd.enable {
boot.initrd.availableKernelModules =
[ # Note: most of these (especially the SATA/PATA modules)
# shouldn't be included by default since nixos-generate-config
# detects them, but I'm keeping them for now for backwards
# compatibility.
system.build = { inherit kernel; };
# Some SATA/PATA stuff.
"ahci"
"sata_nv"
"sata_via"
"sata_sis"
"sata_uli"
"ata_piix"
"pata_marvell"
system.modulesTree = [ kernel ] ++ config.boot.extraModulePackages;
# Standard SCSI stuff.
"sd_mod"
"sr_mod"
# Implement consoleLogLevel both in early boot and using sysctl
# (so you don't need to reboot to have changes take effect).
boot.kernelParams =
[ "loglevel=${toString config.boot.consoleLogLevel}" ] ++
optionals config.boot.vesa [ "vga=0x317" "nomodeset" ];
# SD cards and internal eMMC drives.
"mmc_block"
boot.kernel.sysctl."kernel.printk" = mkDefault config.boot.consoleLogLevel;
# Support USB keyboards, in case the boot fails and we only have
# a USB keyboard, or for LUKS passphrase prompt.
"uhci_hcd"
"ehci_hcd"
"ehci_pci"
"ohci_hcd"
"ohci_pci"
"xhci_hcd"
"xhci_pci"
"usbhid"
"hid_generic" "hid_lenovo" "hid_apple" "hid_roccat"
"hid_logitech_hidpp" "hid_logitech_dj"
boot.kernelModules = [ "loop" "atkbd" ];
] ++ optionals (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [
# Misc. x86 keyboard stuff.
"pcips2" "atkbd" "i8042"
boot.initrd.availableKernelModules =
[ # Note: most of these (especially the SATA/PATA modules)
# shouldn't be included by default since nixos-generate-config
# detects them, but I'm keeping them for now for backwards
# compatibility.
# x86 RTC needed by the stage 2 init script.
"rtc_cmos"
];
# Some SATA/PATA stuff.
"ahci"
"sata_nv"
"sata_via"
"sata_sis"
"sata_uli"
"ata_piix"
"pata_marvell"
boot.initrd.kernelModules =
[ # For LVM.
"dm_mod"
];
})
# Standard SCSI stuff.
"sd_mod"
"sr_mod"
(mkIf (!config.boot.isContainer) {
system.build = { inherit kernel; };
# SD cards and internal eMMC drives.
"mmc_block"
system.modulesTree = [ kernel ] ++ config.boot.extraModulePackages;
# Support USB keyboards, in case the boot fails and we only have
# a USB keyboard, or for LUKS passphrase prompt.
"uhci_hcd"
"ehci_hcd"
"ehci_pci"
"ohci_hcd"
"ohci_pci"
"xhci_hcd"
"xhci_pci"
"usbhid"
"hid_generic" "hid_lenovo" "hid_apple" "hid_roccat"
"hid_logitech_hidpp" "hid_logitech_dj"
# Implement consoleLogLevel both in early boot and using sysctl
# (so you don't need to reboot to have changes take effect).
boot.kernelParams =
[ "loglevel=${toString config.boot.consoleLogLevel}" ] ++
optionals config.boot.vesa [ "vga=0x317" "nomodeset" ];
] ++ optionals (pkgs.stdenv.isi686 || pkgs.stdenv.isx86_64) [
# Misc. x86 keyboard stuff.
"pcips2" "atkbd" "i8042"
boot.kernel.sysctl."kernel.printk" = mkDefault config.boot.consoleLogLevel;
# x86 RTC needed by the stage 2 init script.
"rtc_cmos"
];
boot.kernelModules = [ "loop" "atkbd" ];
boot.initrd.kernelModules =
[ # For LVM.
"dm_mod"
];
# The Linux kernel >= 2.6.27 provides firmware.
hardware.firmware = [ kernel ];
# The Linux kernel >= 2.6.27 provides firmware.
hardware.firmware = [ kernel ];
# Create /etc/modules-load.d/nixos.conf, which is read by
# systemd-modules-load.service to load required kernel modules.
environment.etc =
{ "modules-load.d/nixos.conf".source = kernelModulesConf;
};
systemd.services.systemd-modules-load =
{ wantedBy = [ "multi-user.target" ];
restartTriggers = [ kernelModulesConf ];
serviceConfig =
{ # Ignore failed module loads. Typically some of the
# modules in boot.kernelModules are "nice to have but
# not required" (e.g. acpi-cpufreq), so we don't want to
# barf on those.
SuccessExitStatus = "0 1";
# Create /etc/modules-load.d/nixos.conf, which is read by
# systemd-modules-load.service to load required kernel modules.
environment.etc =
{ "modules-load.d/nixos.conf".source = kernelModulesConf;
};
};
lib.kernelConfig = {
isYes = option: {
assertion = config: config.isYes option;
message = "CONFIG_${option} is not yes!";
configLine = "CONFIG_${option}=y";
};
systemd.services.systemd-modules-load =
{ wantedBy = [ "multi-user.target" ];
restartTriggers = [ kernelModulesConf ];
serviceConfig =
{ # Ignore failed module loads. Typically some of the
# modules in boot.kernelModules are "nice to have but
# not required" (e.g. acpi-cpufreq), so we don't want to
# barf on those.
SuccessExitStatus = "0 1";
};
};
isNo = option: {
assertion = config: config.isNo option;
message = "CONFIG_${option} is not no!";
configLine = "CONFIG_${option}=n";
};
lib.kernelConfig = {
isYes = option: {
assertion = config: config.isYes option;
message = "CONFIG_${option} is not yes!";
configLine = "CONFIG_${option}=y";
};
isModule = option: {
assertion = config: config.isModule option;
message = "CONFIG_${option} is not built as a module!";
configLine = "CONFIG_${option}=m";
};
isNo = option: {
assertion = config: config.isNo option;
message = "CONFIG_${option} is not no!";
configLine = "CONFIG_${option}=n";
};
### Usually you will just want to use these two
# True if yes or module
isEnabled = option: {
assertion = config: config.isEnabled option;
message = "CONFIG_${option} is not enabled!";
configLine = "CONFIG_${option}=y";
};
isModule = option: {
assertion = config: config.isModule option;
message = "CONFIG_${option} is not built as a module!";
configLine = "CONFIG_${option}=m";
};
# True if no or omitted
isDisabled = option: {
assertion = config: config.isDisabled option;
message = "CONFIG_${option} is not disabled!";
configLine = "CONFIG_${option}=n";
};
};
### Usually you will just want to use these two
# True if yes or module
isEnabled = option: {
assertion = config: config.isEnabled option;
message = "CONFIG_${option} is not enabled!";
configLine = "CONFIG_${option}=y";
};
# The config options that all modules can depend upon
system.requiredKernelConfig = with config.lib.kernelConfig; [
# !!! Should this really be needed?
(isYes "MODULES")
(isYes "BINFMT_ELF")
] ++ (optional (randstructSeed != "") (isYes "GCC_PLUGIN_RANDSTRUCT"));
# True if no or omitted
isDisabled = option: {
assertion = config: config.isDisabled option;
message = "CONFIG_${option} is not disabled!";
configLine = "CONFIG_${option}=n";
};
};
# nixpkgs kernels are assumed to have all required features
assertions = if config.boot.kernelPackages.kernel ? features then [] else
let cfg = config.boot.kernelPackages.kernel.config; in map (attrs:
{ assertion = attrs.assertion cfg; inherit (attrs) message; }
) config.system.requiredKernelConfig;
# The config options that all modules can depend upon
system.requiredKernelConfig = with config.lib.kernelConfig;
[
# !!! Should this really be needed?
(isYes "MODULES")
(isYes "BINFMT_ELF")
] ++ (optional (randstructSeed != "") (isYes "GCC_PLUGIN_RANDSTRUCT"));
};
# nixpkgs kernels are assumed to have all required features
assertions = if config.boot.kernelPackages.kernel ? features then [] else
let cfg = config.boot.kernelPackages.kernel.config; in map (attrs:
{ assertion = attrs.assertion cfg; inherit (attrs) message; }
) config.system.requiredKernelConfig;
})
];
}


@ -355,6 +355,14 @@ let
};
linkOptions = commonNetworkOptions // {
# overwrite enable option from above
enable = mkOption {
default = true;
type = types.bool;
description = ''
Whether to enable this .link unit. It's handled by udev no matter if <command>systemd-networkd</command> is enabled or not
'';
};
linkConfig = mkOption {
default = {};
@ -1045,44 +1053,49 @@ in
};
config = mkIf config.systemd.network.enable {
config = mkMerge [
# .link units are honored by udev, no matter if systemd-networkd is enabled or not.
{
systemd.network.units = mapAttrs' (n: v: nameValuePair "${n}.link" (linkToUnit n v)) cfg.links;
environment.etc = unitFiles;
}
users.users.systemd-network.group = "systemd-network";
(mkIf config.systemd.network.enable {
systemd.additionalUpstreamSystemUnits = [
"systemd-networkd.service" "systemd-networkd-wait-online.service"
];
users.users.systemd-network.group = "systemd-network";
systemd.network.units = mapAttrs' (n: v: nameValuePair "${n}.link" (linkToUnit n v)) cfg.links
// mapAttrs' (n: v: nameValuePair "${n}.netdev" (netdevToUnit n v)) cfg.netdevs
// mapAttrs' (n: v: nameValuePair "${n}.network" (networkToUnit n v)) cfg.networks;
systemd.additionalUpstreamSystemUnits = [
"systemd-networkd.service" "systemd-networkd-wait-online.service"
];
environment.etc = unitFiles;
systemd.network.units = mapAttrs' (n: v: nameValuePair "${n}.netdev" (netdevToUnit n v)) cfg.netdevs
// mapAttrs' (n: v: nameValuePair "${n}.network" (networkToUnit n v)) cfg.networks;
systemd.services.systemd-networkd = {
wantedBy = [ "multi-user.target" ];
restartTriggers = attrNames unitFiles;
# prevent race condition with interface renaming (#39069)
requires = [ "systemd-udev-settle.service" ];
after = [ "systemd-udev-settle.service" ];
};
systemd.services.systemd-networkd-wait-online = {
wantedBy = [ "network-online.target" ];
};
systemd.services."systemd-network-wait-online@" = {
description = "Wait for Network Interface %I to be Configured";
conflicts = [ "shutdown.target" ];
requisite = [ "systemd-networkd.service" ];
after = [ "systemd-networkd.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online -i %I";
systemd.services.systemd-networkd = {
wantedBy = [ "multi-user.target" ];
restartTriggers = attrNames unitFiles;
# prevent race condition with interface renaming (#39069)
requires = [ "systemd-udev-settle.service" ];
after = [ "systemd-udev-settle.service" ];
};
};
services.resolved.enable = mkDefault true;
};
systemd.services.systemd-networkd-wait-online = {
wantedBy = [ "network-online.target" ];
};
systemd.services."systemd-network-wait-online@" = {
description = "Wait for Network Interface %I to be Configured";
conflicts = [ "shutdown.target" ];
requisite = [ "systemd-networkd.service" ];
after = [ "systemd-networkd.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online -i %I";
};
};
services.resolved.enable = mkDefault true;
})
];
}


@ -390,6 +390,17 @@ in
'';
};
boot.initrd.enable = mkOption {
type = types.bool;
default = !config.boot.isContainer;
defaultText = "!config.boot.isContainer";
description = ''
Whether to enable the NixOS initial RAM disk (initrd). This may be
needed to perform some initialisation tasks (like mounting
network/encrypted file systems) before continuing the boot process.
'';
};
boot.initrd.prepend = mkOption {
default = [ ];
type = types.listOf types.str;
@ -555,7 +566,7 @@ in
};
config = mkIf (!config.boot.isContainer) {
config = mkIf config.boot.initrd.enable {
assertions = [
{ assertion = any (fs: fs.mountPoint == "/") fileSystems;
message = "The fileSystems option does not specify your root file system.";


@ -135,6 +135,7 @@ in
initrd-network-ssh = handleTest ./initrd-network-ssh {};
initrdNetwork = handleTest ./initrd-network.nix {};
installer = handleTest ./installer.nix {};
iodine = handleTest ./iodine.nix {};
ipv6 = handleTest ./ipv6.nix {};
jackett = handleTest ./jackett.nix {};
jellyfin = handleTest ./jellyfin.nix {};

50
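--- a/nixos/tests/fenics.nix
+++ b/nixos/tests/fenics.nix
@@ -0,0 +1,50 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+let
+fenicsScript = pkgs.writeScript "poisson.py" ''
+#!/usr/bin/env python
+from dolfin import *
+mesh = UnitSquareMesh(4, 4)
+V = FunctionSpace(mesh, "Lagrange", 1)
+def boundary(x):
+return x[0] < DOLFIN_EPS or x[0] > 1.0 - DOLFIN_EPS
+u0 = Constant(0.0)
+bc = DirichletBC(V, u0, boundary)
+u = TrialFunction(V)
+v = TestFunction(V)
+f = Expression("10*exp(-(pow(x[0] - 0.5, 2) + pow(x[1] - 0.5, 2)) / 0.02)", degree=2)
+g = Expression("sin(5*x[0])", degree=2)
+a = inner(grad(u), grad(v))*dx
+L = f*v*dx + g*v*ds
+u = Function(V)
+solve(a == L, u, bc)
+print(u)
+'';
+in
+{
+name = "fenics";
+meta = {
+maintainers = with pkgs.stdenv.lib.maintainers; [ knedlsepp ];
+};
+nodes = {
+fenicsnode = { pkgs, ... }: {
+environment.systemPackages = with pkgs; [
+gcc
+(python3.withPackages (ps: with ps; [ fenics ]))
+];
+virtualisation.memorySize = 512;
+};
+};
+testScript =
+{ nodes, ... }:
+''
+start_all()
+node1.succeed("${fenicsScript}")
+'';
+})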
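Review bot: `testScript` calls `node1.succeed("${fenicsScript}")`, but the only machine declared under `nodes` is `fenicsnode`. The other tests in this commit address machines by their node name (`one.wait_for_unit`, `server.wait_for_unit`), so `node1` is presumably undefined in the Python driver and the test would stop before the solver runs. The line should read `fenicsnode.succeed("${fenicsScript}")`. The `{ nodes, ... }:` argument of `testScript` is unused and can be dropped.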


@ -12,15 +12,19 @@ import ./make-test-python.nix ({ pkgs, ... } :
virtualisation.memorySize = 1024;
time.timeZone = "UTC";
services.graphite = {
web.enable = true;
web = {
enable = true;
extraConfig = ''
SECRET_KEY = "abcd";
'';
};
api = {
enable = true;
port = 8082;
finders = [ pkgs.python27Packages.influxgraph ];
finders = [ pkgs.python3Packages.influxgraph ];
};
carbon.enableCache = true;
seyren.enable = true;
pager.enable = true;
seyren.enable = false; # Implicitely requires openssl-1.0.2u which is marked insecure
beacon.enable = true;
};
};
@ -31,16 +35,16 @@ import ./make-test-python.nix ({ pkgs, ... } :
one.wait_for_unit("default.target")
one.wait_for_unit("graphiteWeb.service")
one.wait_for_unit("graphiteApi.service")
one.wait_for_unit("graphitePager.service")
one.wait_for_unit("graphite-beacon.service")
one.wait_for_unit("carbonCache.service")
one.wait_for_unit("seyren.service")
# The services above are of type "simple". systemd considers them active immediately
# even if they're still in preStart (which takes quite long for graphiteWeb).
# Wait for ports to open so we're sure the services are up and listening.
one.wait_for_open_port(8080)
one.wait_for_open_port(2003)
one.succeed('echo "foo 1 `date +%s`" | nc -N localhost 2003')
one.wait_until_succeeds("curl 'http://localhost:8080/metrics/find/?query=foo&format=treejson' --silent | grep foo >&2")
one.wait_until_succeeds(
"curl 'http://localhost:8080/metrics/find/?query=foo&format=treejson' --silent | grep foo >&2"
)
'';
})
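Review bot: `SECRET_KEY = "abcd";` in `web.extraConfig` is a four-character key written into the Nix store, which is fine for a throwaway VM but easy to copy into a real configuration. A comment beside it would prevent that: `# test-only value; a deployment needs a long random key supplied from outside the Nix store`. The comment on the `seyren.enable = false;` line explains why that service is off, so the same habit applies here.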

63
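--- a/nixos/tests/iodine.nix
+++ b/nixos/tests/iodine.nix
@@ -0,0 +1,63 @@
+import ./make-test-python.nix (
+{ pkgs, ... }: let
+domain = "whatever.example.com";
+in
+{
+name = "iodine";
+nodes = {
+server =
+{ ... }:
+{
+networking.firewall = {
+allowedUDPPorts = [ 53 ];
+trustedInterfaces = [ "dns0" ];
+};
+boot.kernel.sysctl = {
+"net.ipv4.ip_forward" = 1;
+"net.ipv6.ip_forward" = 1;
+};
+services.iodine.server = {
+enable = true;
+ip = "10.53.53.1/24";
+passwordFile = "${builtins.toFile "password" "foo"}";
+inherit domain;
+};
+# test resource: accessible only via tunnel
+services.openssh = {
+enable = true;
+openFirewall = false;
+};
+};
+client =
+{ ... }: {
+services.iodine.clients.testClient = {
+# test that ProtectHome is "read-only"
+passwordFile = "/root/pw";
+relay = "server";
+server = domain;
+};
+systemd.tmpfiles.rules = [
+"f /root/pw 0666 root root - foo"
+];
+environment.systemPackages = [
+pkgs.nagiosPluginsOfficial
+];
+};
+};
+testScript = ''
+start_all()
+server.wait_for_unit("sshd")
+server.wait_for_unit("iodined")
+client.wait_for_unit("iodine-testClient")
+client.succeed("check_ssh -H 10.53.53.1")
+'';
+}
+)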
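Review bot: The client's tmpfiles rule `"f /root/pw 0666 root root - foo"` creates the tunnel password file world-readable and world-writable. The test only needs the service to read it, so `"f /root/pw 0600 root root - foo"` checks the same `ProtectHome` behaviour without modelling a bad permission. That assumes the unit opens the file before dropping privileges, as the `< passwordFile` redirect in the module's `script` suggests. On the server, `"net.ipv6.ip_forward" = 1;` does not look like an existing sysctl key (IPv6 forwarding is `net.ipv6.conf.all.forwarding`), and the test only uses IPv4 addresses, so that line can probably go.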


@ -35,12 +35,31 @@ in {
nodes = {
# Since 0.33.0, matrix-synapse doesn't allow underscores in server names
serverpostgres = args: {
serverpostgres = { pkgs, ... }: {
services.matrix-synapse = {
enable = true;
database_type = "psycopg2";
tls_certificate_path = "${cert}";
tls_private_key_path = "${key}";
database_args = {
password = "synapse";
};
};
services.postgresql = {
enable = true;
# The database name and user are configured by the following options:
# - services.matrix-synapse.database_name
# - services.matrix-synapse.database_user
#
# The values used here represent the default values of the module.
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
};


@ -22,6 +22,27 @@ import ./make-test-python.nix ({ pkgs, ...} : {
services.mysql.package = pkgs.mysql57;
};
mysql80 =
{ pkgs, ... }:
{
# prevent oom:
# Kernel panic - not syncing: Out of memory: compulsory panic_on_oom is enabled
virtualisation.memorySize = 1024;
services.mysql.enable = true;
services.mysql.initialDatabases = [
{ name = "testdb"; schema = ./testdb.sql; }
{ name = "empty_testdb"; }
];
# note that using pkgs.writeText here is generally not a good idea,
# as it will store the password in world-readable /nix/store ;)
services.mysql.initialScript = pkgs.writeText "mysql-init.sql" ''
CREATE USER 'passworduser'@'localhost' IDENTIFIED BY 'password123';
'';
services.mysql.package = pkgs.mysql80;
};
mariadb =
{ pkgs, ... }:
@ -61,6 +82,12 @@ import ./make-test-python.nix ({ pkgs, ...} : {
# ';' acts as no-op, just check whether login succeeds with the user created from the initialScript
mysql.succeed("echo ';' | mysql -u passworduser --password=password123")
mysql80.wait_for_unit("mysql")
mysql80.succeed("echo 'use empty_testdb;' | mysql -u root")
mysql80.succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4")
# ';' acts as no-op, just check whether login succeeds with the user created from the initialScript
mysql80.succeed("echo ';' | mysql -u passworduser --password=password123")
mariadb.wait_for_unit("mysql")
mariadb.succeed(
"echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser"

View File

@ -655,6 +655,31 @@ let
), "The IPv6 routing table has not been properly cleaned:\n{}".format(ipv6Residue)
'';
};
# even with disabled networkd, systemd.network.links should work
# (as it's handled by udev, not networkd)
link = {
name = "Link";
nodes.client = { pkgs, ... }: {
virtualisation.vlans = [ 1 ];
networking = {
useNetworkd = networkd;
useDHCP = false;
};
systemd.network.links."50-foo" = {
matchConfig = {
Name = "foo";
Driver = "dummy";
};
linkConfig.MTUBytes = "1442";
};
};
testScript = ''
print(client.succeed("ip l add name foo type dummy"))
print(client.succeed("stat /etc/systemd/network/50-foo.link"))
client.succeed("udevadm settle")
assert "mtu 1442" in client.succeed("ip l show dummy0")
'';
};
};
in mapAttrs (const (attrs: makeTest (attrs // {
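Review bot: The `link` test creates an interface named `foo` but asserts `"mtu 1442" in client.succeed("ip l show dummy0")`, so it does not check the interface that `matchConfig.Name = "foo"` appears to target. If I read systemd.link correctly, the [Match] key for interface names in .link files is `OriginalName`, so `Name` may be ignored and the unit would then match every `dummy` device, which would explain why `dummy0` passes. I would use `OriginalName = "foo";` and assert on `ip l show foo`. The enclosing attribute set starts before the hunk.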


@ -1,8 +1,8 @@
{ stdenv, fetchgit, alsaLib, aubio, boost, cairomm, curl, doxygen
, fftwSinglePrec, flac, glibc, glibmm, graphviz, gtkmm2, libjack2
, libgnomecanvas, libgnomecanvasmm, liblo, libmad, libogg, librdf
, libgnomecanvas, libgnomecanvasmm, liblo, libmad, libogg
, librdf_raptor, librdf_rasqal, libsamplerate, libsigcxx, libsndfile
, libusb, libuuid, libxml2, libxslt, lilv, lv2, makeWrapper
, libusb, libuuid, libxml2, libxslt, lilv, lrdf, lv2, makeWrapper
, perl, pkgconfig, python2, rubberband, serd, sord, sratom
, taglib, vampSDK, dbus, fftw, pango, suil, libarchive
, wafHook }:
@ -34,8 +34,8 @@ stdenv.mkDerivation rec {
buildInputs =
[ alsaLib aubio boost cairomm curl doxygen dbus fftw fftwSinglePrec flac
glibmm graphviz gtkmm2 libjack2 libgnomecanvas libgnomecanvasmm liblo
libmad libogg librdf librdf_raptor librdf_rasqal libsamplerate
libsigcxx libsndfile libusb libuuid libxml2 libxslt lilv lv2
libmad libogg librdf_raptor librdf_rasqal libsamplerate
libsigcxx libsndfile libusb libuuid libxml2 libxslt lilv lrdf lv2
makeWrapper pango perl pkgconfig python2 rubberband serd sord
sratom suil taglib vampSDK libarchive
];


@ -0,0 +1,37 @@
{ stdenv, fetchurl, sndio, libbsd }:
stdenv.mkDerivation rec {
pname = "aucatctl";
version = "0.1";
src = fetchurl {
url = "http://www.sndio.org/${pname}-${version}.tar.gz";
sha256 = "524f2fae47db785234f166551520d9605b9a27551ca438bd807e3509ce246cf0";
};
buildInputs = [ sndio ]
++ stdenv.lib.optional (!stdenv.isDarwin && !stdenv.targetPlatform.isBSD)
libbsd;
outputs = [ "out" "man" ];
preBuild = ''
makeFlagsArray+=("PREFIX=$out")
'' + stdenv.lib.optionalString
(!stdenv.isDarwin && !stdenv.targetPlatform.isBSD) ''
makeFlagsArray+=(LDADD="-lsndio -lbsd")
# Fix warning about implicit declaration of function 'strlcpy'
substituteInPlace aucatctl.c \
--replace '#include <string.h>' '#include <bsd/string.h>'
'';
meta = with stdenv.lib; {
description =
"The aucatctl utility sends MIDI messages to control sndiod and/or aucat volumes";
homepage = "http://www.sndio.org";
license = licenses.isc;
maintainers = with maintainers; [ sna ];
platforms = platforms.unix;
};
}
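Review bot: The source tarball is fetched over plain HTTP (`url = "http://www.sndio.org/${pname}-${version}.tar.gz"`). The fixed `sha256` makes a tampered download fail the build, but anyone who refreshes the hash from a fresh download on the next update is trusting an unauthenticated transport. If upstream serves the same path over TLS (not verifiable from this page), prefer `https://` for both `url` and `homepage`. The same applies to the `fetchurl` calls in the cmt and mup sections of this commit.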


@ -1,15 +1,23 @@
{ stdenv
, mkDerivation
, a2jmidid
, coreutils
, lib
, libjack2
, fetchpatch
, fetchzip
, jack_capture
, pkgconfig
, pulseaudioFull
, qtbase
, makeWrapper
, python3Packages
, mkDerivation
, python3
}:
#ladish missing, claudia can't work.
#pulseaudio needs fixes (patchShebangs .pa ...)
#desktop needs icons and exec fixing.
mkDerivation rec {
mkDerivation rec {
version = "0.9.1";
pname = "cadence";
@ -26,12 +34,26 @@
})
];
postPatch = ''
libjackso=$(realpath ${lib.makeLibraryPath [libjack2]}/libjack.so.0);
substituteInPlace ./src/jacklib.py --replace libjack.so.0 $libjackso
substituteInPlace ./src/cadence.py --replace "/usr/bin/pulseaudio" \
"${lib.makeBinPath[pulseaudioFull]}/pulseaudio"
substituteInPlace ./c++/jackbridge/JackBridge.cpp --replace libjack.so.0 $libjackso
'';
nativeBuildInputs = [
pkgconfig
];
buildInputs = [
qtbase
jack_capture
pulseaudioFull
((python3.withPackages (ps: with ps; [
pyqt5
dbus-python
])))
];
makeFlags = [
@ -39,10 +61,6 @@
"SYSCONFDIR=${placeholder "out"}/etc"
];
propagatedBuildInputs = with python3Packages; [
pyqt5_with_qtwebkit
];
dontWrapQtApps = true;
# Replace with our own wrappers. They need to be changed manually since it wouldn't work otherwise.
@ -65,10 +83,11 @@
};
in lib.mapAttrsToList (script: source: ''
rm -f ${script}
makeWrapper ${python3Packages.python.interpreter} ${script} \
--set PYTHONPATH "$PYTHONPATH:${outRef}/share/cadence" \
''${qtWrapperArgs[@]} \
--add-flags "-O ${source}"
makeQtWrapper ${source} ${script} \
--prefix PATH : "${lib.makeBinPath [
jack_capture # cadence-render
pulseaudioFull # cadence, cadence-session-start
]}"
'') scriptAndSource;
meta = {


@ -125,7 +125,7 @@ let
mkdir -p $out/share
for dir in applications icons kde4; do
ln -s "$free/share/$dir" "$out/share/$dir"
ln -s "${free}/share/$dir" "$out/share/$dir"
done
'';
enableParallelBuilding = true;


@ -0,0 +1,33 @@
{ stdenv
, fetchurl
, ladspaH
}:
stdenv.mkDerivation rec {
name = "cmt";
version = "1.17";
src = fetchurl {
url = "http://www.ladspa.org/download/${name}_${version}.tgz";
sha256 = "07xd0xmwpa0j12813jpf87fr9hwzihii5l35mp8ady7xxfmxfmpb";
};
buildInputs = [ ladspaH ];
preBuild = ''
cd src
'';
installFlags = [ "INSTALL_PLUGINS_DIR=${placeholder "out"}/lib/ladspa" ];
preInstall = ''
mkdir -p $out/lib/ladspa
'';
meta = with stdenv.lib; {
description = "Computer Music Toolkit";
homepage = "https://www.ladspa.org/cmt";
license = licenses.gpl2;
platforms = platforms.linux;
maintainers = with maintainers; [ sjfloat ];
};
}
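Review bot: `name = "cmt";` next to a separate `version` leaves the derivation name without the version, so the store path does not say which release was built. The other new packages in this commit use `pname`, and the same works here: `pname = "cmt";` with `url = "http://www.ladspa.org/download/${pname}_${version}.tgz";`.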


@ -0,0 +1,30 @@
{ stdenv
, fetchFromGitHub
, cmake
, alsaLib
, SDL2
}:
stdenv.mkDerivation rec {
pname = "ft2-clone";
version = "1.09";
src = fetchFromGitHub {
owner = "8bitbubsy";
repo = "ft2-clone";
rev = "v${version}";
sha256 = "18my7fywaf66rq8phsly8lglxzpglran8rj27fvwgpni8098ic7d";
};
nativeBuildInputs = [ cmake ];
buildInputs = [ SDL2 ] ++ stdenv.lib.optional stdenv.isLinux alsaLib;
meta = with stdenv.lib; {
description = "A highly accurate clone of the classic Fasttracker II software for MS-DOS";
homepage = "https://16-bits.org/ft2.php";
license = licenses.bsd3;
maintainers = with maintainers; [ fgaz ];
platforms = platforms.all;
};
}


@ -1,7 +1,7 @@
{ stdenv, fetchurl, gettext, intltool, pkgconfig, python2
, avahi, bluez, boost, eigen, fftw, glib, glib-networking
, glibmm, gsettings-desktop-schemas, gtkmm2, libjack2
, ladspaH, libav, librdf, libsndfile, lilv, lv2, serd, sord, sratom
, ladspaH, libav, libsndfile, lilv, lrdf, lv2, serd, sord, sratom
, wrapGAppsHook, zita-convolver, zita-resampler, curl, wafHook
, optimizationSupport ? false # Enable support for native CPU extensions
}:
@ -23,8 +23,8 @@ stdenv.mkDerivation rec {
buildInputs = [
avahi bluez boost eigen fftw glib glibmm glib-networking.out
gsettings-desktop-schemas gtkmm2 libjack2 ladspaH libav librdf
libsndfile lilv lv2 serd sord sratom zita-convolver
gsettings-desktop-schemas gtkmm2 libjack2 ladspaH libav
libsndfile lilv lrdf lv2 serd sord sratom zita-convolver
zita-resampler curl
];


@ -1,5 +1,6 @@
{ stdenv, fetchurl, alsaLib, boost, cmake, glib, lash, libjack2, libarchive
, liblrdf, libsndfile, pkgconfig, qt4 }:
{ stdenv, fetchurl, pkgconfig, cmake
, alsaLib, boost, glib, lash, libjack2, libarchive, libsndfile, lrdf, qt4
}:
stdenv.mkDerivation rec {
version = "0.9.7";
@ -10,9 +11,9 @@ stdenv.mkDerivation rec {
sha256 = "1dy2jfkdw0nchars4xi4isrz66fqn53a9qk13bqza7lhmsg3s3qy";
};
nativeBuildInputs = [ pkgconfig ];
nativeBuildInputs = [ pkgconfig cmake ];
buildInputs = [
alsaLib boost cmake glib lash libjack2 libarchive liblrdf libsndfile qt4
alsaLib boost glib lash libjack2 libarchive libsndfile lrdf qt4
];
meta = with stdenv.lib; {


@ -1,4 +1,4 @@
{ stdenv, fetchurl, pkgconfig, libjack2, ladspaH, gtk2, alsaLib, libxml2, librdf }:
{ stdenv, fetchurl, pkgconfig, libjack2, ladspaH, gtk2, alsaLib, libxml2, lrdf }:
stdenv.mkDerivation rec {
name = "jack-rack-1.4.7";
src = fetchurl {
@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
sha256 = "1lmibx9gicagcpcisacj6qhq6i08lkl5x8szysjqvbgpxl9qg045";
};
nativeBuildInputs = [ pkgconfig ];
buildInputs = [ libjack2 ladspaH gtk2 alsaLib libxml2 librdf ];
buildInputs = [ libjack2 ladspaH gtk2 alsaLib libxml2 lrdf ];
NIX_LDFLAGS = "-ldl -lm -lpthread";
meta = {


@ -2,11 +2,11 @@
python3Packages.buildPythonApplication rec {
pname = "Mopidy-Iris";
version = "3.45.1";
version = "3.46.0";
src = python3Packages.fetchPypi {
inherit pname version;
sha256 = "02jmylz76wlwxlv8drndprb7r9l8kqqgjkp17mjx5ngnl545pc2w";
sha256 = "0c7b6zbcj4bq5qsxvhjwqclrl1k2hs3wb50pfjbw7gs7m3gm2b7d";
};
propagatedBuildInputs = [

View File

@ -0,0 +1,24 @@
{ stdenv, python3Packages, mopidy }:
python3Packages.buildPythonApplication rec {
pname = "Mopidy-MPD";
version = "3.0.0";
src = python3Packages.fetchPypi {
inherit pname version;
sha256 = "0prjli4352521igcsfcgmk97jmzgbfy4ik8hnli37wgvv252wiac";
};
propagatedBuildInputs = [mopidy];
# no tests implemented
doCheck = false;
pythonImportsCheck = [ "mopidy_mpd" ];
meta = with stdenv.lib; {
homepage = "https://github.com/mopidy/mopidy-mpd";
description = "Mopidy extension for controlling playback from MPD clients";
license = licenses.asl20;
maintainers = [ maintainers.tomahna ];
};
}


@ -0,0 +1,41 @@
{ stdenv, fetchurl, autoreconfHook, bison, flex, ghostscript, groff, netpbm
, fltk, libXinerama, libXpm, libjpeg
}:
stdenv.mkDerivation rec {
pname = "mup";
version = "6.7";
src = fetchurl {
url = "http://www.arkkra.com/ftp/pub/unix/mup${builtins.replaceStrings ["."] [""] version}src.tar.gz";
sha256 = "1y1qknhib1isdjsbv833w3nxzyfljkfgp1gmjwly60l55q60frpk";
};
nativeBuildInputs = [ autoreconfHook bison flex ghostscript groff netpbm ];
buildInputs = [ fltk libXinerama libXpm libjpeg ];
patches = [ ./ghostscript-permit-file-write.patch ];
postPatch = ''
for f in Makefile.am doc/Makefile.am doc/htmldocs/Makefile.am src/mupmate/Preferences.C; do
substituteInPlace $f --replace doc/packages doc
done
substituteInPlace src/mupprnt/mupprnt --replace 'mup ' $out/bin/mup' '
substituteInPlace src/mupdisp/genfile.c --replace '"mup"' '"'$out/bin/mup'"'
substituteInPlace src/mupmate/Preferences.C \
--replace '"mup"' '"'$out/bin/mup'"' \
--replace '"gv"' '"xdg-open"' \
--replace /usr/share/doc $out/share/doc
'';
enableParallelBuilding = false; # Undeclared dependencies + https://stackoverflow.com/a/19822767/1687334 for prolog.ps.
meta = with stdenv.lib; {
homepage = http://www.arkkra.com/;
description = "Music typesetting program (ASCII to PostScript and MIDI)";
license = licenses.bsd3;
maintainers = with maintainers; [ orivej ];
platforms = platforms.linux;
};
}


@ -0,0 +1,5 @@
--- a/src/mup/Makefile.am
+++ b/src/mup/Makefile.am
@@ -39 +39 @@ fontdata.c: prolog.ps ../../tools/mup/getfontinfo.ps ../../LICENSE
- $(GS) -sDEVICE=nullpage -sOutputFile=/dev/null -dQUIET - < ../../tools/mup/getfontinfo.ps | $(SED) -e "/Warning:/d" >> fontdata.c
+ $(GS) -sDEVICE=nullpage -sOutputFile=/dev/null -dQUIET --permit-file-write=charnames:fontinit - < ../../tools/mup/getfontinfo.ps | $(SED) -e "/Warning:/d" >> fontdata.c
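Review bot: The patch has no description saying why Ghostscript's file-access restriction is relaxed for the `fontdata.c` rule. `--permit-file-write=charnames:fontinit` limits the exception to two file names, which looks narrowly scoped, but the next maintainer cannot tell from the patch whether both names are still needed. A short header above the `---` line would record it, for example `Ghostscript's default SAFER mode blocks the files getfontinfo.ps writes; permit only charnames and fontinit.` That is presumably the reason, but it should be confirmed against `getfontinfo.ps`.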


@ -1,25 +1,33 @@
{ stdenv
, fetchFromGitHub
, libjack2
, wrapQtAppsHook
, qtsvg
, qttools
, cmake
, libsndfile
, libsamplerate
, ladspaH
, fluidsynth
, alsaLib
, rtaudio
, lash
, dssi
, liblo
, pkgconfig
{ stdenv, fetchFromGitHub, cmake, pkgconfig, qttools, wrapQtAppsHook
, alsaLib, dssi, fluidsynth, ladspaH, lash, libinstpatch, libjack2, liblo
, libsamplerate, libsndfile, lilv, lrdf, lv2, qtsvg, rtaudio, rubberband, sord
}:
stdenv.mkDerivation {
stdenv.mkDerivation rec {
pname = "muse-sequencer";
version = "3.1pre1";
version = "3.1.0";
src = fetchFromGitHub {
owner = "muse-sequencer";
repo = "muse";
rev = "muse_${builtins.replaceStrings ["."] ["_"] version}";
sha256 = "08k25652w88xf2i79lw305x1phpk7idrww9jkqwcs8q6wzgmz8aq";
};
sourceRoot = "source/muse3";
prePatch = ''
chmod u+w $NIX_BUILD_TOP
'';
patches = [ ./fix-parallel-building.patch ];
nativeBuildInputs = [ cmake pkgconfig qttools wrapQtAppsHook ];
buildInputs = [
alsaLib dssi fluidsynth ladspaH lash libinstpatch libjack2 liblo
libsamplerate libsndfile lilv lrdf lv2 qtsvg rtaudio rubberband sord
];
meta = with stdenv.lib; {
homepage = "https://www.muse-sequencer.org/";
@ -32,38 +40,7 @@ stdenv.mkDerivation {
MusE aims to be a complete multitrack virtual studio for Linux,
it is published under the GNU General Public License.
'';
license = stdenv.lib.licenses.gpl2;
license = licenses.gpl2Plus;
maintainers = with maintainers; [ orivej ];
};
src =
fetchFromGitHub {
owner = "muse-sequencer";
repo = "muse";
rev = "2167ae053c16a633d8377acdb1debaac10932838";
sha256 = "0rsdx8lvcbz5bapnjvypw8h8bq587s9z8cf2znqrk6ah38s6fsrf";
};
nativeBuildInputs = [
pkgconfig
wrapQtAppsHook
qttools
cmake
];
buildInputs = [
libjack2
qtsvg
libsndfile
libsamplerate
ladspaH
fluidsynth
alsaLib
rtaudio
lash
dssi
liblo
];
sourceRoot = "source/muse3";
}
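Review bot: The new `prePatch` makes the whole build directory writable with `chmod u+w $NIX_BUILD_TOP` and gives no reason for it. It is not clear from this section which step writes outside `sourceRoot = "source/muse3"`, so a later cleanup cannot tell whether the line is still needed. Add a one-line comment naming the step that needs it, and quote the variable: `chmod u+w "$NIX_BUILD_TOP"`.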


@ -0,0 +1,78 @@
To confirm these dependencies, run in a fresh build tree:
ninja muse/components/CMakeFiles/components.dir/confmport.o
In file included from ../muse/components/confmport.cpp:48:
../muse/mplugins/midifilterimpl.h:28:10: fatal error:
ui_midifilter.h: No such file or directory
ninja muse/waveedit/CMakeFiles/waveedit.dir/wavecanvas.o
In file included from ../muse/waveedit/wavecanvas.cpp:72:
../muse/components/copy_on_write.h:26:10: fatal error:
ui_copy_on_write_base.h: No such file or directory
ninja muse/instruments/CMakeFiles/instruments.dir/editinstrument.o
In file included from ../muse/instruments/editinstrument.cpp:58:
../muse/components/editevent.h:26:10: fatal error:
ui_editnotedialogbase.h: No such file or directory
ninja muse/liste/CMakeFiles/liste.dir/listedit.o
In file included from ../muse/liste/listedit.cpp:37:
../muse/components/editevent.h:26:10: fatal error:
ui_editnotedialogbase.h: No such file or directory
ninja muse/mixer/CMakeFiles/mixer.dir/rack.o
In file included from ../muse/mixer/rack.cpp:49:
../muse/components/plugindialog.h:4:10: fatal error:
ui_plugindialogbase.h: No such file or directory
--- a/muse/components/CMakeLists.txt
+++ b/muse/components/CMakeLists.txt
@@ -343,4 +343,5 @@ set_target_properties( components
target_link_libraries ( components
${QT_LIBRARIES}
+ mplugins
widgets
xml_module
--- a/muse/waveedit/CMakeLists.txt
+++ b/muse/waveedit/CMakeLists.txt
@@ -79,4 +79,5 @@ set_target_properties( waveedit
target_link_libraries( waveedit
${QT_LIBRARIES}
+ components
widgets
)
--- a/muse/instruments/CMakeLists.txt
+++ b/muse/instruments/CMakeLists.txt
@@ -78,4 +78,5 @@ set_target_properties( instruments
target_link_libraries ( instruments
${QT_LIBRARIES}
+ components
icons
widgets
--- a/muse/liste/CMakeLists.txt
+++ b/muse/liste/CMakeLists.txt
@@ -65,4 +65,5 @@ set_target_properties( liste
target_link_libraries ( liste
${QT_LIBRARIES}
+ components
awl
widgets
--- a/muse/mixer/CMakeLists.txt
+++ b/muse/mixer/CMakeLists.txt
@@ -87,4 +87,5 @@ set_target_properties ( mixer
target_link_libraries ( mixer
${QT_LIBRARIES}
+ components
widgets
)


@ -6,11 +6,11 @@
mkDerivation rec {
pname = "musescore";
version = "3.2.3";
version = "3.4.2";
src = fetchzip {
url = "https://github.com/musescore/MuseScore/releases/download/v${version}/MuseScore-${version}.zip";
sha256 = "17mr0c8whw6vz86lp1j36rams4h8virc4z68fld0q3rpq6g05szs";
sha256 = "1laskvp40dncs12brkgvk7wl0qrvzy52rn7nf3b67ps1vmd130gp";
stripRoot = false;
};


@ -1,12 +1,9 @@
--- a/mscore/CMakeLists.txt
+++ b/mscore/CMakeLists.txt
@@ -660,22 +660,6 @@ if (MINGW)
else (MINGW)
if ( NOT MSVC )
-## install qwebengine core
--- a/main/CMakeLists.txt
+++ b/main/CMakeLists.txt
@@ -220,16 +219,0 @@ else (MINGW)
- ## install qwebengine core
- if (NOT APPLE AND USE_WEBENGINE)
- install(FILES
- install(PROGRAMS
- ${QT_INSTALL_LIBEXECS}/QtWebEngineProcess
- DESTINATION bin
- )
@ -20,6 +17,3 @@
- )
- endif(NOT APPLE AND USE_WEBENGINE)
-
target_link_libraries(mscore
${ALSA_LIB}
${QT_LIBRARIES}


@ -68,7 +68,6 @@ in stdenv.mkDerivation rec {
wrapProgram $out/bin/netease-cloud-music \
--prefix LD_LIBRARY_PATH : "${runtimeLibs}" \
--set QT_AUTO_SCREEN_SCALE_FACTOR 1 \
--set QCEF_INSTALL_PATH "${deepin.qcef}/lib/qcef"
'';


@ -1,5 +1,5 @@
{ stdenv, fetchFromGitHub, pkgconfig, python2, cairo, libjpeg, ntk, libjack2
, libsndfile, ladspaH, liblrdf, liblo, libsigcxx, wafHook
, libsndfile, ladspaH, liblo, libsigcxx, lrdf, wafHook
}:
stdenv.mkDerivation {
@ -14,7 +14,7 @@ stdenv.mkDerivation {
nativeBuildInputs = [ pkgconfig wafHook ];
buildInputs = [ python2 cairo libjpeg ntk libjack2 libsndfile
ladspaH liblrdf liblo libsigcxx
ladspaH liblo libsigcxx lrdf
];
meta = {


@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "parlatype";
version = "1.6.2";
version = "2.0";
src = fetchFromGitHub {
owner = "gkarsay";
repo = pname;
rev = "v${version}";
sha256 = "157423f40l8nd5da6y0qjmg4l3125zailp98w2hda3mxxn1j5ix3";
sha256 = "026i19vkdq35rldbjp1wglamr22a1330iv736mmgbd8fs7vz22nx";
};
nativeBuildInputs = [
@ -61,7 +61,7 @@ stdenv.mkDerivation rec {
It plays audio sources to transcribe them in your favourite text application.
Its intended to be useful for journalists, students, scientists and whoever needs to transcribe audio files.
'';
homepage = https://gkarsay.github.io/parlatype/;
homepage = "https://gkarsay.github.io/parlatype/";
license = licenses.gpl3Plus;
maintainers = [ maintainers.melchips ];
platforms = platforms.linux;


@ -0,0 +1,30 @@
{ stdenv
, fetchFromGitHub
, cmake
, alsaLib
, SDL2
}:
stdenv.mkDerivation rec {
pname = "pt2-clone";
version = "1.06";
src = fetchFromGitHub {
owner = "8bitbubsy";
repo = "pt2-clone";
rev = "v${version}";
sha256 = "00zifwiprd3i60z4pf4471jxbc33vh9p30ib0lnzwpgjz5pnxqnr";
};
nativeBuildInputs = [ cmake ];
buildInputs = [ SDL2 ] ++ stdenv.lib.optional stdenv.isLinux alsaLib;
meta = with stdenv.lib; {
description = "A highly accurate clone of the classic ProTracker 2.3D software for Amiga";
homepage = "https://16-bits.org/pt2.php";
license = licenses.bsd3;
maintainers = with maintainers; [ fgaz ];
platforms = platforms.all;
};
}


@ -1,6 +1,6 @@
{ stdenv, fetchurl, cmake, makedepend, perl, pkgconfig, qttools, wrapQtAppsHook
, dssi, fftwSinglePrec, ladspaH, ladspaPlugins, libjack2, alsaLib
, liblo, liblrdf, libsamplerate, libsndfile, lirc ? null, qtbase }:
, liblo, libsamplerate, libsndfile, lirc ? null, lrdf, qtbase }:
stdenv.mkDerivation (rec {
version = "19.12";
@ -25,10 +25,10 @@ stdenv.mkDerivation (rec {
ladspaPlugins
libjack2
liblo
liblrdf
libsamplerate
libsndfile
lirc
lrdf
qtbase
alsaLib
];


@ -1,6 +1,6 @@
{ stdenv, fetchurl, alsaLib, boost, bzip2, fftw, fftwFloat, libfishsound
, libid3tag, liblo, liblrdf, libmad, liboggz, libpulseaudio, libsamplerate
, libsndfile, opusfile, portaudio, rubberband, serd, sord, vampSDK, capnproto
, libid3tag, liblo, libmad, liboggz, libpulseaudio, libsamplerate
, libsndfile, lrdf, opusfile, portaudio, rubberband, serd, sord, vampSDK, capnproto
, wrapQtAppsHook, pkgconfig
}:
@ -14,8 +14,8 @@ stdenv.mkDerivation rec {
};
buildInputs =
[ alsaLib boost bzip2 fftw fftwFloat libfishsound libid3tag liblo liblrdf
libmad liboggz libpulseaudio libsamplerate libsndfile opusfile pkgconfig
[ alsaLib boost bzip2 fftw fftwFloat libfishsound libid3tag liblo
libmad liboggz libpulseaudio libsamplerate libsndfile lrdf opusfile
portaudio rubberband serd sord capnproto
];


@ -1,7 +1,7 @@
# TODO add plugins having various licenses, see http://www.vamp-plugins.org/download.html
{ stdenv, fetchurl, alsaLib, bzip2, fftw, libjack2, libX11, liblo
, libmad, libogg, librdf, librdf_raptor, librdf_rasqal, libsamplerate
, libmad, libogg, lrdf, librdf_raptor, librdf_rasqal, libsamplerate
, libsndfile, pkgconfig, libpulseaudio, qtbase, qtsvg, redland
, rubberband, serd, sord, vampSDK, fftwFloat
, capnproto, liboggz, libfishsound, libid3tag, opusfile
@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
};
buildInputs =
[ libsndfile qtbase qtsvg fftw fftwFloat bzip2 librdf rubberband
[ libsndfile qtbase qtsvg fftw fftwFloat bzip2 lrdf rubberband
libsamplerate vampSDK alsaLib librdf_raptor librdf_rasqal redland
serd
sord


@ -0,0 +1,51 @@
{ stdenv
, fetchurl
, pkg-config
, autoconf
, gtk2
, alsaLib
, SDL
, jack2
, goocanvas # graphical envelope editing
}:
stdenv.mkDerivation rec {
pname = "soundtracker";
version = "1.0.0.1";
src = fetchurl {
# Past releases get moved to the "old releases" directory.
# Only the latest release (currently a prerelease) is at the top level.
url = "mirror://sourceforge/soundtracker/old%20releases/soundtracker-${version}.tar.bz2";
sha256 = "1ggliswz5ngmlnrnyhv3x1arh5w77an0ww9p53cddp9aas5q11jm";
};
nativeBuildInputs = [
pkg-config
autoconf
];
buildInputs = [
gtk2
SDL
jack2
goocanvas
] ++ stdenv.lib.optional stdenv.isLinux alsaLib;
meta = with stdenv.lib; {
description = "A music tracking tool similar in design to the DOS program FastTracker and the Amiga legend ProTracker";
longDescription = ''
SoundTracker is a pattern-oriented music editor (similar to the DOS
program 'FastTracker'). Samples are lined up on tracks and patterns
which are then arranged to a song. Supported module formats are XM and
MOD; the player code is the one from OpenCP. A basic sample recorder
and editor is also included.
'';
homepage = "http://www.soundtracker.org/";
downloadPage = "https://sourceforge.net/projects/soundtracker/files/";
license = licenses.gpl2Plus;
maintainers = with maintainers; [ fgaz ];
platforms = platforms.all;
# gdk/gdkx.h not found
broken = stdenv.isDarwin;
};
}


@ -2,16 +2,16 @@
rustPlatform.buildRustPackage rec {
pname = "spotify-tui";
version = "0.16.0";
version = "0.17.0";
src = fetchFromGitHub {
owner = "Rigellute";
repo = "spotify-tui";
rev = "v${version}";
sha256 = "0fmj25zjg12v0kyanic343lrdhxkh290v88qiz6ac47g8bdy3c83";
sha256 = "1jx2qyshqg84l3fm682h8262da0hy68qjjg3dm2i53dxqxrm5ji9";
};
cargoSha256 = "1n8aacy0hapjm10hmgqm07rb5c0ngmzr1s116pspsl7cdszza6xi";
cargoSha256 = "12qwp59gshc9d6nz0s3w03zc8sxqri12vrav94vi54fqagiikinm";
nativeBuildInputs = [ pkgconfig ] ++ stdenv.lib.optionals stdenv.isLinux [ python3 ];
buildInputs = [ openssl ]


@ -3,8 +3,8 @@
let
debPatch = fetchzip {
url = "mirror://debian/pool/main/v/vorbis-tools/vorbis-tools_1.4.0-6.debian.tar.xz";
sha256 = "1xmmpdvxyr84lazlg23c6ck5ic97ga2rkiqabb1d98ix2zdzyqz5";
url = "mirror://debian/pool/main/v/vorbis-tools/vorbis-tools_1.4.0-11.debian.tar.xz";
sha256 = "0kvmd5nslyqplkdb7pnmqj47ir3y5lmaxd12wmrnqh679a8jhcyi";
};
in
stdenv.mkDerivation {


@ -1,17 +1,17 @@
{ stdenv, buildGoModule, fetchFromGitHub, libobjc, IOKit }:
{ stdenv, buildGoModule, fetchFromGitHub, libobjc, IOKit, CoreServices }:
buildGoModule rec {
pname = "go-ethereum";
version = "1.9.10";
version = "1.9.11";
src = fetchFromGitHub {
owner = "ethereum";
repo = pname;
rev = "v${version}";
sha256 = "0pm8gfr4g7rbax6vzxv6lklpx83mxghah7fyvpk3jqvm1mq299ln";
sha256 = "0xhkdxn5ajzi05252is5whqank81xy94jp1l5z2a44rajv8rh9vs";
};
modSha256 = "0zar9nvx2nk6kyijp8df3y2rzxvg0mccj6b3skhzf8y9c27hvrsg";
modSha256 = "0jcj0knkhyndndyv1j9xhgbg5psagvyd27ailna3x9ikjlb8f7gg";
subPackages = [
"cmd/abigen"
@ -30,6 +30,8 @@ buildGoModule rec {
"cmd/wnode"
];
buildInputs = stdenv.lib.optionals stdenv.isDarwin [ CoreServices ];
# Fix for usb-related segmentation faults on darwin
propagatedBuildInputs =
stdenv.lib.optionals stdenv.isDarwin [ libobjc IOKit ];


@ -1,4 +1,4 @@
{ buildGoModule, fetchFromGitHub, lib }:
{ buildGoModule, fetchFromGitHub, stdenv, Security }:
buildGoModule rec {
pname = "lnd";
@ -13,10 +13,12 @@ buildGoModule rec {
modSha256 = "1pvcvpiz6ck8xkgpypchrq9kgkik0jxd7f3jhihbgldsh4zaqiaq";
meta = with lib; {
buildInputs = stdenv.lib.optionals stdenv.isDarwin [ Security ];
meta = with stdenv.lib; {
description = "Lightning Network Daemon";
homepage = "https://github.com/lightningnetwork/lnd";
license = lib.licenses.mit;
license = licenses.mit;
maintainers = with maintainers; [ cypherpunk2140 ];
};
}


@ -1,36 +1,35 @@
{ stdenv, wrapQtAppsHook, makeDesktopItem, fetchFromGitHub
, qtbase, qmake, qtmultimedia, qttools
, qtgraphicaleffects, qtdeclarative
, qtlocation, qtquickcontrols, qtquickcontrols2
, qtwebchannel, qtwebengine, qtx11extras, qtxmlpatterns
{ stdenv, wrapQtAppsHook, makeDesktopItem
, fetchFromGitHub, qmake, qttools, pkgconfig
, qtbase, qtdeclarative, qtgraphicaleffects
, qtmultimedia, qtxmlpatterns
, qtquickcontrols, qtquickcontrols2
, monero, unbound, readline, boost, libunwind
, libsodium, pcsclite, zeromq, cppzmq, pkgconfig
, hidapi, randomx
, libsodium, pcsclite, zeromq, cppzmq
, hidapi, libusb, protobuf, randomx
}:
with stdenv.lib;
stdenv.mkDerivation rec {
pname = "monero-gui";
version = "0.15.0.1";
version = "0.15.0.4";
src = fetchFromGitHub {
owner = "monero-project";
repo = "monero-gui";
rev = "v${version}";
sha256 = "08j8kkncdn57xql0bhmlzjpjkdfhqbpda1p07r797q8qi0nl4w8n";
sha256 = "12m5fgnxkr11q2arx1m5ccpxqm5ljcvm6l547dwqn297zs5jim4z";
};
nativeBuildInputs = [ qmake pkgconfig wrapQtAppsHook ];
buildInputs = [
qtbase qtmultimedia qtgraphicaleffects
qtdeclarative qtlocation
qtquickcontrols qtquickcontrols2
qtwebchannel qtwebengine qtx11extras
qtxmlpatterns monero unbound readline
qtbase qtdeclarative qtgraphicaleffects
qtmultimedia qtquickcontrols qtquickcontrols2
qtxmlpatterns
monero unbound readline
boost libunwind libsodium pcsclite zeromq
cppzmq hidapi randomx
cppzmq hidapi libusb protobuf randomx
];
NIX_CFLAGS_COMPILE = [ "-Wno-error=format-security" ];
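Review bot: `NIX_CFLAGS_COMPILE = [ "-Wno-error=format-security" ];` is carried across the version bump with no comment on why the format-security check must be demoted. For a wallet application it is worth recording which source file trips the check, or dropping the flag if 0.15.0.4 builds without it; neither can be determined from this page. A comment such as `# <source file> passes a non-literal format string; remove once fixed upstream` would make the exception reviewable. The derivation body continues outside this hunk.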


@ -1,15 +1,14 @@
diff --git a/main.cpp b/main.cpp
index a51568d..5a9f683 100644
--- a/main.cpp
+++ b/main.cpp
@@ -152,7 +152,9 @@ int main(int argc, char *argv[])
diff --git a/src/main/main.cpp b/src/main/main.cpp
index c5210e5f..45794d72 100644
--- a/src/main/main.cpp
+++ b/src/main/main.cpp
@@ -220,6 +220,9 @@ int main(int argc, char *argv[])
QCommandLineOption logPathOption(QStringList() << "l" << "log-file",
QCoreApplication::translate("main", "Log to specified file"),
QCoreApplication::translate("main", "file"));
-
+ logPathOption.setDefaultValue(
+ QStandardPaths::writableLocation(QStandardPaths::CacheLocation)
+ + "/monero-wallet-gui.log");
parser.addOption(logPathOption);
parser.addHelpOption();
parser.process(app);
QCommandLineOption testQmlOption("test-qml");
testQmlOption.setFlags(QCommandLineOption::HiddenFromHelp);


@ -2,7 +2,7 @@
, cmake, pkgconfig
, boost, miniupnpc, openssl, unbound, cppzmq
, zeromq, pcsclite, readline, libsodium, hidapi
, python3Packages, randomx, rapidjson
, pythonProtobuf, randomx, rapidjson, libusb
, CoreData, IOKit, PCSC
}:
@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
boost miniupnpc openssl unbound
cppzmq zeromq pcsclite readline
libsodium hidapi randomx rapidjson
python3Packages.protobuf
pythonProtobuf libusb
] ++ stdenv.lib.optionals stdenv.isDarwin [ IOKit CoreData PCSC ];
cmakeFlags = [


@ -0,0 +1,35 @@
{ stdenv, fetchFromGitHub, buildGoPackage, git, which }:
buildGoPackage rec {
pname = "quorum";
version = "2.5.0";
goPackagePath = "github.com/jpmorganchase/quorum";
src = fetchFromGitHub {
owner = "jpmorganchase";
repo = pname;
rev = "v${version}";
sha256 = "0xfdaqp9bj5dkw12gy19lxj73zh7w80j051xclsvnd41sfah86ll";
};
buildInputs = [ git which ];
buildPhase = ''
cd "go/src/$goPackagePath"
make geth bootnode swarm
'';
installPhase = ''
mkdir -pv $bin/bin
cp -v build/bin/geth build/bin/bootnode build/bin/swarm $bin/bin
'';
meta = with stdenv.lib; {
description = "A permissioned implementation of Ethereum supporting data privacy";
homepage = "https://www.goquorum.com/";
license = licenses.lgpl3;
maintainers = with maintainers; [ mmahut ];
platforms = subtractLists ["aarch64-linux"] platforms.linux;
};
}
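Review bot: `buildInputs = [ git which ];` lists what look like tools that only run on the build machine. They are presumably invoked by the `make geth bootnode swarm` step in `buildPhase`, so they belong in `nativeBuildInputs = [ git which ];`. That keeps them out of the host dependency set and keeps the expression correct when cross-compiling.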


@ -7,15 +7,19 @@ with stdenv.lib;
stdenv.mkDerivation rec {
pname = "zcash";
version = "2.1.0-1";
version = "2.1.1-1";
src = fetchFromGitHub {
owner = "zcash";
repo = "zcash";
rev = "v${version}";
sha256 = "05bnn4lxrrcv1ha3jdfrgwg4ar576161n3j9d4gpc14ww3zgf9vz";
sha256 = "1g5zlfzfp31my8w8nlg5fncpr2y95iv9fm04x57sjb93rgmjdh5n";
};
patchPhase = ''
sed -i"" 's,-fvisibility=hidden,,g' src/Makefile.am
'';
nativeBuildInputs = [ autoreconfHook pkgconfig ];
buildInputs = [ gtest gmock gmp openssl wget db62 boost17x zlib
protobuf libevent libsodium librustzcash ]
@ -23,17 +27,15 @@ stdenv.mkDerivation rec {
configureFlags = [ "--with-boost-libdir=${boost17x.out}/lib" ];
patchPhase = ''
sed -i"" 's,-fvisibility=hidden,,g' src/Makefile.am
'';
postInstall = ''
cp zcutil/fetch-params.sh $out/bin/zcash-fetch-params
'';
enableParallelBuilding = true;
meta = {
description = "Peer-to-peer, anonymous electronic cash system";
homepage = https://z.cash/;
homepage = "https://z.cash/";
maintainers = with maintainers; [ rht tkerber ];
license = licenses.mit;
platforms = platforms.linux;
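Review bot: The relocated `patchPhase = '' sed -i"" 's,-fvisibility=hidden,,g' src/Makefile.am '';` still overrides the whole patch phase, so any `patches` attribute added later would be silently skipped. Expressing it as `postPatch = '' sed -i 's,-fvisibility=hidden,,g' src/Makefile.am '';` keeps the same edit and lets the default phase run. A one-line comment on why hidden symbol visibility is stripped would also help, since the reason is not visible in this section.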


@ -1,20 +1,17 @@
{ stdenv, fetchFromGitHub, rustPlatform }:
rustPlatform.buildRustPackage rec {
pname = "librustzcash-unstable";
version = "2018-10-27";
pname = "librustzcash";
version = "0.1.0";
src = fetchFromGitHub {
owner = "zcash";
repo = "librustzcash";
rev = "06da3b9ac8f278e5d4ae13088cf0a4c03d2c13f5";
sha256 = "0md0pp3k97iv7kfjpfkg14pjanhrql4vafa8ggbxpkajv1j4xldv";
rev = version;
sha256 = "0d28k29sgzrg9clynz29kpw50kbkp0a4dfdayqhmpjmsh05y6261";
};
# Delete this on next update; see #79975 for details
legacyCargoFetcher = true;
cargoSha256 = "166v8cxlpfslbs5gljbh7wp0lxqakayw47ikxm9r9a39n7j36mq1";
cargoSha256 = "1wzyrcmcbrna6rjzw19c4lq30didzk4w6fs6wmvxp0xfg4qqdlax";
installPhase = ''
mkdir -p $out/lib
@ -23,11 +20,12 @@ rustPlatform.buildRustPackage rec {
cp librustzcash/include/librustzcash.h $out/include/
'';
# The tests do pass, but they take an extremely long time to run.
doCheck = false;
meta = with stdenv.lib; {
description = "Rust-language assets for Zcash";
homepage = https://github.com/zcash/librustzcash;
homepage = "https://github.com/zcash/librustzcash";
maintainers = with maintainers; [ rht tkerber ];
license = with licenses; [ mit asl20 ];
platforms = platforms.unix;


@ -13,14 +13,14 @@ let
sha256Hash = "1mwzk18224bl8hbw9cdxwzgj5cfain4y70q64cpj4p0snffxqm77";
};
betaVersion = {
version = "4.0.0.10"; # "Android Studio 4.0 Beta 1"
build = "193.6220182";
sha256Hash = "0ibp54wcss4ihm454hbavv1bhar6cd4alp5b0z248ryjr5w9mixf";
version = "4.0.0.12"; # "Android Studio 4.0 Beta 3"
build = "193.6296804";
sha256Hash = "072rvh20xkn7izh6f2r2bspy06jrvcibj2hc12hz76m8cwzf4v0m";
};
latestVersion = { # canary & dev
version = "4.1.0.2"; # "Android Studio 4.1 Canary 2"
build = "193.6264773";
sha256Hash = "0m09q4jp653i9jlqsjplx3d64xkdm27c35781yz6h5rw0a1sq6kz";
version = "4.1.0.3"; # "Android Studio 4.1 Canary 3"
build = "193.6297379";
sha256Hash = "0sb8ll9bkkdglq18wvy5hikimhjbpfadjdygx9cd8q545h8dy137";
};
in {
# Attributes are named by their corresponding release channels


@ -13,10 +13,10 @@ assert stdenv ? glibc;
let
platform_major = "4";
platform_minor = "14";
year = "2019";
month = "12";
timestamp = "201912100610";
platform_minor = "15";
year = "2020";
month = "03";
timestamp = "${year}${month}050155";
in rec {
buildEclipse = import ./build-eclipse.nix {
@ -32,8 +32,8 @@ in rec {
description = "Eclipse IDE for C/C++ Developers";
src =
fetchurl {
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-cpp-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
sha512 = "28h8z45j7zlcbvvabzsniwqls1lns21isx69y6l207a869rknp9vzg6506q6zalj9b49j8c7ynkn379xgbzp07i6zw3dzk3pqp2rgam";
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-cpp-${year}-${month}-R-incubation-linux-gtk-x86_64.tar.gz";
sha512 = "2wy4a3p347fajr9zsfz1zlvz6jpy3vficdry27m5fs0azfmxmy2cfns5hh18sin4xqq3jvqppfqxh41rzcpcmiq12zhc6cz42brqgxw";
};
};
@ -45,7 +45,7 @@ in rec {
src =
fetchurl {
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-modeling-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
sha512 = "1g1zsz3c2kx4vs1mjpcisbk81lk4hsr1z2fw46lih825c53vwf59snp8d97c8yw2i25y0ml48nc1nskib6qnif8m2h6rpah7kgmi8ay";
sha512 = "0qccsclay9000sqrymm8hkg70a4jcvd70vymw1kkxsklcs7dnrhch55an98gbzf9r0jgd1ap62a4hyxlnm6hdqqniwcgdza0i4nwwgj";
};
};
@ -57,7 +57,7 @@ in rec {
src =
fetchurl {
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops${platform_major}/R-${platform_major}.${platform_minor}-${timestamp}/eclipse-platform-${platform_major}.${platform_minor}-linux-gtk-x86_64.tar.gz";
sha512 = "05nsldw937l1g9fj964njivgkf2ipk1rh1jg5w8svdhpp3v1pp3iinfm2mz9kk8namwfkx8krsvsxcgvqyzgrkhf42wqh53vqrjf70h";
sha512 = "01rv5x7qqm0a2p30828z2snms3nb2kjx9si63sr5rdkdgr3vbh6xq8n8fn757dqazmpz9zskmwxxmbxnwycfllhgb8msb77pcy3fpg7";
};
};
@ -87,7 +87,7 @@ in rec {
src =
fetchurl {
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops${platform_major}/R-${platform_major}.${platform_minor}-${timestamp}/eclipse-SDK-${platform_major}.${platform_minor}-linux-gtk-x86_64.tar.gz";
sha512 = "0dcbxzjqc27v1faz16yxqcm6zrbna4kkd32xy7paadiwn125y6ijx8zvda4kc7bih6v5b9ch2i0z5ndra1lcjcc88z6cklh0vngjkh1";
sha512 = "33ra8qslwz73240xzjvr751lpl94drlcf425a7kxngq1qla2cda7gxr71bxlr9fm2hrqq0h097ihmg0ix9hv2dmwnc76gp4hwwrlk41";
};
};
@ -99,7 +99,7 @@ in rec {
src =
fetchurl {
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/technology/epp/downloads/release/${year}-${month}/R/eclipse-java-${year}-${month}-R-linux-gtk-x86_64.tar.gz";
sha512 = "21lhgv3z23mn8q0gffgxlfwhyxb348zjnzv716zsys7h7kj5vigl45q9mz0qrl11524rxx7jwi901jjd4l258w9kp7wzlq0d5n1r39m";
sha512 = "0ffa1q19z31j8i552mp9zg4v0p4iv002cvlzh49ia8hi0hgk75pbkp6vxlr75jz0as03n71f0ww8xbflji31qgwfmy6rs1rzqihfff9";
};
};


@ -254,12 +254,12 @@ rec {
cdt = buildEclipseUpdateSite rec {
name = "cdt-${version}";
version = "9.10.0";
version = "9.11.0";
src = fetchzip {
stripRoot = false;
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/tools/cdt/releases/9.10/${name}/${name}.zip";
sha256 = "11nbrcvgbg9l3cmp3v3y8y0vldzcf6qlpp185a6dzabdcij6gz5m";
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/tools/cdt/releases/9.11/${name}/${name}.zip";
sha256 = "1730w6rbv649nzfalfd10p2ph0z9rbrrcflga0n1dpmg181xh9lk";
};
meta = with stdenv.lib; {
@ -474,12 +474,12 @@ rec {
jdt = buildEclipseUpdateSite rec {
name = "jdt-${version}";
version = "4.14";
version = "4.15";
src = fetchzip {
stripRoot = false;
url = https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-4.14-201912100610/org.eclipse.jdt-4.14.zip;
sha256 = "1c2a23qviv58xljpq3yb37ra8cqw7jh52hmzqlg1nij2sdxb6hm5";
url = "https://www.eclipse.org/downloads/download.php?r=1&nf=1&file=/eclipse/downloads/drops4/R-${version}-202003050155/org.eclipse.jdt-${version}.zip";
sha256 = "1dm4qgfb6rm7w0dk8br071c7wy0ybp7zrwvr3i02c2bxzy2psz7q";
};
meta = with stdenv.lib; {


@ -1070,10 +1070,10 @@
elpaBuild {
pname = "elisp-benchmarks";
ename = "elisp-benchmarks";
version = "1.2";
version = "1.3";
src = fetchurl {
url = "https://elpa.gnu.org/packages/elisp-benchmarks-1.2.tar";
sha256 = "0grm4qw3aaf3hzrfg0vdgb5q67haappbc77qjgsy4jip85z7njmj";
url = "https://elpa.gnu.org/packages/elisp-benchmarks-1.3.tar";
sha256 = "05a891mwbz50q3a44irbf2w4wlp5dm2yxwcvxqrckvpjm1amndmf";
};
packageRequires = [];
meta = {
@ -3365,6 +3365,21 @@
license = lib.licenses.free;
};
}) {};
vcard = callPackage ({ elpaBuild, emacs, fetchurl, lib }:
elpaBuild {
pname = "vcard";
ename = "vcard";
version = "0.1";
src = fetchurl {
url = "https://elpa.gnu.org/packages/vcard-0.1.tar";
sha256 = "1awcm2s292r2nkyz5bwjaga46jsh5rn92469wrg1ag843mlyxbd0";
};
packageRequires = [ emacs ];
meta = {
homepage = "https://elpa.gnu.org/packages/vcard.html";
license = lib.licenses.free;
};
}) {};
vcl-mode = callPackage ({ elpaBuild, fetchurl, lib }:
elpaBuild {
pname = "vcl-mode";
