Merge remote-tracking branch 'channels/nixos-unstable' into rust-analyzer

This commit is contained in:
oxalica 2020-04-08 14:22:56 +08:00
commit e33256ef24
No known key found for this signature in database
GPG Key ID: CED392DE0C483D00
2773 changed files with 79776 additions and 42335 deletions

.github/CODEOWNERS (vendored): 5 changed lines

@ -82,8 +82,8 @@
/pkgs/development/r-modules @peti
# Ruby
/pkgs/development/interpreters/ruby @alyssais @zimbatm
/pkgs/development/ruby-modules @alyssais @zimbatm
/pkgs/development/interpreters/ruby @alyssais
/pkgs/development/ruby-modules @alyssais
# Rust
/pkgs/development/compilers/rust @Mic92 @LnL7
@ -178,6 +178,7 @@
/nixos/tests/prometheus-exporters.nix @WilliButz
# PHP
/doc/languages-frameworks/php.section.md @etu
/pkgs/development/interpreters/php @etu
/pkgs/top-level/php-packages.nix @etu
/pkgs/build-support/build-pecl.nix @etu

.gitignore (vendored): 1 changed line

@ -11,6 +11,7 @@ result-*
.version-suffix
.DS_Store
.mypy_cache
/pkgs/development/libraries/qt-5/*/tmp/
/pkgs/desktops/kde-5/*/tmp/


@ -186,7 +186,7 @@ with import <nixpkgs> {};
androidenv.emulateApp {
name = "emulate-MyAndroidApp";
platformVersion = "28";
abiVersion = "x86_64"; # armeabi-v7a, mips, x86
abiVersion = "x86"; # armeabi-v7a, mips, x86_64
systemImageType = "google_apis_playstore";
}
```
@ -235,5 +235,5 @@ package manager uses. To update the expressions run the `generate.sh` script
that is stored in the `pkgs/development/mobile/androidenv/` sub directory:
```bash
sh ./generate.sh
./generate.sh
```
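Review bot: dropping the `sh` prefix in this hunk (`./generate.sh` instead of `sh ./generate.sh`) makes the documented command depend on the script having its executable bit set and a valid shebang; confirm that `pkgs/development/mobile/androidenv/generate.sh` is executable in the tree, otherwise readers following the docs get "permission denied" and the old form should stay.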


@ -233,7 +233,7 @@ mkDerivation {
</term>
<listitem>
<para>
You can rely on applications depending on the library set the necessary environment variables but that it often easy to miss. Instead we recommend to patch the paths in the source code whenever possible. Here are some examples:
You can rely on applications depending on the library setting the necessary environment variables but that is often easy to miss. Instead we recommend to patch the paths in the source code whenever possible. Here are some examples:
<itemizedlist>
<listitem xml:id="ssec-gnome-common-issues-unwrappable-package-gnome-shell-ext">
<para>


@ -369,7 +369,7 @@ automatically select the right version of GHC and other build tools to build,
test and execute apps in an existing project downloaded from somewhere on the
Internet. Pass the `--nix` flag to any `stack` command to do so, e.g.
```shell
git clone --recursive https://github.com/yesodweb/wai
git clone --recurse-submodules https://github.com/yesodweb/wai.git
cd wai
stack --nix build
```


@ -0,0 +1,112 @@
# PHP
## User Guide
### Using PHP
#### Overview
Several versions of PHP are available on Nix, each of which having a
wide variety of extensions and libraries available.
The attribute `php` refers to the version of PHP considered most
stable and thoroughly tested in nixpkgs for any given release of
NixOS. Note that while this version of PHP may not be the latest major
release from upstream, any version of PHP supported in nixpkgs may be
utilized by specifying the desired attribute by version, such as
`php74`.
Only versions of PHP that are supported by upstream for the entirety
of a given NixOS release will be included in that release of
NixOS. See [PHP Supported
Versions](https://www.php.net/supported-versions.php).
Interactive tools built on PHP are put in `php.packages`; composer is
for example available at `php.packages.composer`.
Most extensions that come with PHP, as well as some popular
third-party ones, are available in `php.extensions`; for example, the
opcache extension shipped with PHP is available at
`php.extensions.opcache` and the third-party ImageMagick extension at
`php.extensions.imagick`.
The different versions of PHP that nixpkgs provides is located under
attributes named based on major and minor version number; e.g.,
`php74` is PHP 7.4 with commonly used extensions installed,
`php74base` is the same PHP runtime without extensions.
#### Installing PHP with packages
A PHP package with specific extensions enabled can be built using
`php.withExtensions`. This is a function which accepts an anonymous
function as its only argument; the function should take one argument,
the set of all extensions, and return a list of wanted extensions. For
example, a PHP package with the opcache and ImageMagick extensions
enabled:
```nix
php.withExtensions (e: with e; [ imagick opcache ])
```
Note that this will give you a package with _only_ opcache and
ImageMagick, none of the other extensions which are enabled by default
in the `php` package will be available.
To enable building on a previous PHP package, the currently enabled
extensions are made available in its `enabledExtensions`
attribute. For example, to generate a package with all default
extensions enabled, except opcache, but with ImageMagick:
```nix
php.withExtensions (e:
(lib.filter (e: e != php.extensions.opcache) php.enabledExtensions)
++ [ e.imagick ])
```
If you want a PHP build with extra configuration in the `php.ini`
file, you can use `php.buildEnv`. This function takes two named and
optional parameters: `extensions` and `extraConfig`. `extensions`
takes an extension specification equivalent to that of
`php.withExtensions`, `extraConfig` a string of additional `php.ini`
configuration parameters. For example, a PHP package with the opcache
and ImageMagick extensions enabled, and `memory_limit` set to `256M`:
```nix
php.buildEnv {
extensions = e: with e; [ imagick opcache ];
extraConfig = "memory_limit=256M";
}
```
##### Example setup for `phpfpm`
You can use the previous examples in a `phpfpm` pool called `foo` as
follows:
```nix
let
myPhp = php.withExtensions (e: with e; [ imagick opcache ]);
in {
services.phpfpm.pools."foo".phpPackage = myPhp;
};
```
```nix
let
myPhp = php.buildEnv {
extensions = e: with e; [ imagick opcache ];
extraConfig = "memory_limit=256M";
};
in {
services.phpfpm.pools."foo".phpPackage = myPhp;
};
```
##### Example usage with `nix-shell`
This brings up a temporary environment that contains a PHP interpreter
with the extensions `imagick` and `opcache` enabled.
```sh
nix-shell -p 'php.buildEnv { extensions = e: with e; [ imagick opcache ]; }'
```
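Review bot: both `phpfpm` examples end with `};` after the closing brace of the `let ... in { ... }` expression, which is a parse error if the snippet is pasted as a module file; drop the trailing semicolon. In the second `withExtensions` example the inner lambda `e:` handed to `lib.filter` shadows the outer `e`, and `lib` is never brought into scope in the snippet; renaming the inner parameter (for example `ext:`) and stating where `lib` comes from would make the example easier to copy correctly.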


@ -53,14 +53,16 @@ all crate sources of this package. Currently it is obtained by inserting a
fake checksum into the expression and building the package once. The correct
checksum can be then take from the failed build.
When the `Cargo.lock`, provided by upstream, is not in sync with the
`Cargo.toml`, it is possible to use `cargoPatches` to update it. All patches
added in `cargoPatches` will also be prepended to the patches in `patches` at
build-time.
Per the instructions in the [Cargo Book](https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html)
best practices guide, Rust applications should always commit the `Cargo.lock`
file in git to ensure a reproducible build. However, a few packages do not, and
Nix depends on this file, so if it missing you can use `cargoPatches` to apply
it in the `patchPhase`. Consider sending a PR upstream with a note to the
maintainer describing why it's important to include in the application.
Unless `legacyCargoFetcher` is set to `true`, the fetcher will also verify that
the `Cargo.lock` file is in sync with the `src` attribute, and will compress the
vendor directory into a tar.gz archive.
The fetcher will verify that the `Cargo.lock` file is in sync with the `src`
attribute, and fail the build if not. It will also will compress the vendor
directory into a tar.gz archive.
### Building a crate for a different target
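Review bot: the added sentence reads "It will also will compress the vendor directory", one `will` too many. The rewrite also silently drops `legacyCargoFetcher` from the docs; if the attribute is still accepted, say that it is deprecated or ignored instead of removing every mention, and while touching this paragraph the pre-existing "if it missing" in the unchanged context could become "if it is missing".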


@ -261,12 +261,7 @@ deoplete-fish = super.deoplete-fish.overrideAttrs(old: {
Sometimes plugins require an override that must be changed when the plugin is updated. This can cause issues when Vim plugins are auto-updated but the associated override isn't updated. For these plugins, the override should be written so that it specifies all information required to install the plugin, and running `./update.py` doesn't change the derivation for the plugin. Manually updating the override is required to update these types of plugins. An example of such a plugin is `LanguageClient-neovim`.
To add a new plugin:
1. run `./update.py` and create a commit named "vimPlugins: Update",
2. add the new plugin to [vim-plugin-names](/pkgs/misc/vim-plugins/vim-plugin-names) and add overrides if required to [overrides.nix](/pkgs/misc/vim-plugins/overrides.nix),
3. run `./update.py` again and create a commit named "vimPlugins.[name]: init at [version]" (where `name` and `version` can be found in [generated.nix](/pkgs/misc/vim-plugins/generated.nix)), and
4. create a pull request.
To add a new plugin, run `./update.py --add "[owner]/[name]"`. **NOTE**: This script automatically commits to your git repository. Be sure to check out a fresh branch before running.
## Important repositories
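Review bot: the replacement one-liner `./update.py --add "[owner]/[name]"` removes the step that told contributors to add an override to overrides.nix when the plugin needs one, yet the paragraph directly above still explains why such overrides exist; keep a sentence on adding the override (and re-running `./update.py`) for plugins that require it, and since the NOTE says the script commits on its own, say what the contributor should do with that generated commit.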


@ -37,7 +37,7 @@ security updates. More up to date packages and modules are available via the
Both `nixos-unstable` and `nixpkgs` follow the `master` branch of the Nixpkgs
repository, although both do lag the `master` branch by generally
[a couple of days](https://howoldis.herokuapp.com/). Updates to a channel are
[a couple of days](https://status.nixos.org/). Updates to a channel are
distributed as soon as all tests for that channel pass, e.g.
[this table](https://hydra.nixos.org/job/nixpkgs/trunk/unstable#tabs-constituents)
shows the status of tests for the `nixpkgs` channel.


@ -25,7 +25,7 @@
import ./nixos/lib/eval-config.nix (args // {
modules = modules ++
[ { system.nixos.versionSuffix =
".${lib.substring 0 8 self.lastModified}.${self.shortRev or "dirty"}";
".${lib.substring 0 8 (self.lastModifiedDate or self.lastModified)}.${self.shortRev or "dirty"}";
system.nixos.revision = lib.mkIf (self ? rev) self.rev;
}
];
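Review bot: `self.lastModifiedDate or self.lastModified` tries two differently named attributes without saying why; add a short comment stating that `lastModifiedDate` is the preferred attribute and `lastModified` is kept only as a fallback for older flake support, so whoever cleans this up later knows when the fallback can be removed.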


@ -4,7 +4,7 @@
let
inherit (builtins) head tail length;
inherit (lib.trivial) and;
inherit (lib.strings) concatStringsSep;
inherit (lib.strings) concatStringsSep sanitizeDerivationName;
inherit (lib.lists) fold concatMap concatLists;
in
@ -310,7 +310,7 @@ rec {
path' = builtins.storePath path;
res =
{ type = "derivation";
name = builtins.unsafeDiscardStringContext (builtins.substring 33 (-1) (baseNameOf path'));
name = sanitizeDerivationName (builtins.substring 33 (-1) (baseNameOf path'));
outPath = path';
outputs = [ "out" ];
out = res;


@ -131,7 +131,12 @@ rec {
origArgs = auto // args;
pkgs = f origArgs;
mkAttrOverridable = name: _: makeOverridable (newArgs: (f newArgs).${name}) origArgs;
in lib.mapAttrs mkAttrOverridable pkgs;
in
if lib.isDerivation pkgs then throw
("function `callPackages` was called on a *single* derivation "
+ ''"${pkgs.name or "<unknown-name>"}";''
+ " did you mean to use `callPackage` instead?")
else lib.mapAttrs mkAttrOverridable pkgs;
/* Add attributes to each output of a derivation without changing


@ -24,6 +24,7 @@ let
# packaging
customisation = callLibs ./customisation.nix;
maintainers = import ../maintainers/maintainer-list.nix;
teams = callLibs ../maintainers/team-list.nix;
meta = callLibs ./meta.nix;
sources = callLibs ./sources.nix;
versions = callLibs ./versions.nix;
@ -55,6 +56,9 @@ let
# back-compat aliases
platforms = systems.doubles;
# linux kernel configuration
kernel = callLibs ./kernel.nix;
inherit (builtins) add addErrorContext attrNames concatLists
deepSeq elem elemAt filter genericClosure genList getAttr
hasAttr head isAttrs isBool isInt isList isString length


@ -76,10 +76,14 @@ rec {
* mkKeyValue is the same as in toINI.
*/
toKeyValue = {
mkKeyValue ? mkKeyValueDefault {} "="
}: attrs:
mkKeyValue ? mkKeyValueDefault {} "=",
listsAsDuplicateKeys ? false
}:
let mkLine = k: v: mkKeyValue k v + "\n";
in libStr.concatStrings (libAttr.mapAttrsToList mkLine attrs);
mkLines = if listsAsDuplicateKeys
then k: v: map (mkLine k) (if lib.isList v then v else [v])
else k: v: [ (mkLine k v) ];
in attrs: libStr.concatStrings (lib.concatLists (libAttr.mapAttrsToList mkLines attrs));
/* Generate an INI-style config file from an
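Review bot: the doc comment that ends with `* mkKeyValue is the same as in toINI.` is not updated for the new `listsAsDuplicateKeys` parameter of `toKeyValue`; add a line describing it, as the toINI hunk below at least does with its inline `# allow lists as values for duplicate keys` comment. The default `false` branch still hands list values to `mkKeyValue` unchanged, so existing callers keep their behaviour, which is worth stating in that comment too.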
@ -106,7 +110,9 @@ rec {
# apply transformations (e.g. escapes) to section names
mkSectionName ? (name: libStr.escape [ "[" "]" ] name),
# format a setting line from key and value
mkKeyValue ? mkKeyValueDefault {} "="
mkKeyValue ? mkKeyValueDefault {} "=",
# allow lists as values for duplicate keys
listsAsDuplicateKeys ? false
}: attrsOfAttrs:
let
# map function to string for each key val
@ -115,11 +121,64 @@ rec {
(libAttr.mapAttrsToList mapFn attrs);
mkSection = sectName: sectValues: ''
[${mkSectionName sectName}]
'' + toKeyValue { inherit mkKeyValue; } sectValues;
'' + toKeyValue { inherit mkKeyValue listsAsDuplicateKeys; } sectValues;
in
# map input to ini sections
mapAttrsToStringsSep "\n" mkSection attrsOfAttrs;
/* Generate a git-config file from an attrset.
*
* It has two major differences from the regular INI format:
*
* 1. values are indented with tabs
* 2. sections can have sub-sections
*
* generators.toGitINI {
* url."ssh://git@github.com/".insteadOf = "https://github.com";
* user.name = "edolstra";
* }
*
*> [url "ssh://git@github.com/"]
*> insteadOf = https://github.com/
*>
*> [user]
*> name = edolstra
*/
toGitINI = attrs:
with builtins;
let
mkSectionName = name:
let
containsQuote = libStr.hasInfix ''"'' name;
sections = libStr.splitString "." name;
section = head sections;
subsections = tail sections;
subsection = concatStringsSep "." subsections;
in if containsQuote || subsections == [ ] then
name
else
''${section} "${subsection}"'';
# generation for multiple ini values
mkKeyValue = k: v:
let mkKeyValue = mkKeyValueDefault { } " = " k;
in concatStringsSep "\n" (map (kv: "\t" + mkKeyValue kv) (lib.toList v));
# converts { a.b.c = 5; } to { "a.b".c = 5; } for toINI
gitFlattenAttrs = let
recurse = path: value:
if isAttrs value then
lib.mapAttrsToList (name: value: recurse ([ name ] ++ path) value) value
else if length path > 1 then {
${concatStringsSep "." (lib.reverseList (tail path))}.${head path} = value;
} else {
${head path} = value;
};
in attrs: lib.foldl lib.recursiveUpdate { } (lib.flatten (recurse [ ] attrs));
toINI_ = toINI { inherit mkKeyValue mkSectionName; };
in
toINI_ (gitFlattenAttrs attrs);
/* Generates JSON from an arbitrary (non-function) value.
* For more information see the documentation of the builtin.
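Review bot: the example in the `toGitINI` doc comment is inconsistent with itself: the input sets `insteadOf = "https://github.com"` but the expected output shows `insteadOf = https://github.com/` with a trailing slash. Also, `gitFlattenAttrs` returns a top-level `{ ${head path} = value; }` for a one-component path, which `toINI` (expecting an attrset of sections) then fails on with an unhelpful type error; either document that only `section.key` and `section.sub.key` shapes are supported or throw a clear error for scalar top-level values.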


@ -1,12 +1,7 @@
{ lib, version }:
{ lib }:
with lib;
{
# Common patterns/legacy
whenAtLeast = ver: mkIf (versionAtLeast version ver);
whenOlder = ver: mkIf (versionOlder version ver);
# range is (inclusive, exclusive)
whenBetween = verLow: verHigh: mkIf (versionAtLeast version verLow && versionOlder version verHigh);
# Keeping these around in case we decide to change this horrible implementation :)
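Review bot: the unchanged `# Common patterns/legacy` comment now heads nothing, since the three `when*` helpers beneath it move into `whenHelpers` in the next hunk; drop it. Every caller of the old top-level `whenAtLeast`, `whenOlder` and `whenBetween` must switch to `(whenHelpers version).whenAtLeast` and friends, and the removal of the `version` argument only works because of the `kernel = callLibs ./kernel.nix;` wiring added in the hunk above; a line about that in the commit message would help reviewers.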
@ -18,4 +13,14 @@ with lib;
module = { tristate = "m"; };
freeform = x: { freeform = x; };
/*
Common patterns/legacy used in common-config/hardened-config.nix
*/
whenHelpers = version: {
whenAtLeast = ver: mkIf (versionAtLeast version ver);
whenOlder = ver: mkIf (versionOlder version ver);
# range is (inclusive, exclusive)
whenBetween = verLow: verHigh: mkIf (versionAtLeast version verLow && versionOlder version verHigh);
};
}


@ -649,6 +649,13 @@ lib.mapAttrs (n: v: v // { shortName = n; }) {
url = http://metadata.ftp-master.debian.org/changelogs/main/d/debianutils/debianutils_4.8.1_copyright;
};
sspl = {
shortName = "SSPL";
fullName = "Server Side Public License";
url = https://www.mongodb.com/licensing/server-side-public-license;
free = false;
};
tcltk = spdx {
spdxId = "TCL";
fullName = "TCL/TK License";
@ -675,6 +682,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) {
# channel and NixOS images.
};
unicode-dfs-2016 = spdx {
spdxId = "Unicode-DFS-2016";
fullName = "Unicode License Agreement - Data Files and Software (2016)";
};
unlicense = spdx {
spdxId = "Unlicense";
fullName = "The Unlicense";


@ -93,7 +93,11 @@ rec {
res set._definedNames
else
res;
result = { inherit options config; };
result = {
inherit options;
config = removeAttrs config [ "_module" ];
inherit (config) _module;
};
in result;
# collectModules :: (modulesPath: String) -> (modules: [ Module ]) -> (args: Attrs) -> [ Module ]
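Review bot: moving `_module` out of `config` and into a top-level attribute of `result` changes the shape of the evaluation result: anything that read `config._module` (for example to inspect module arguments) must now use `result._module`, and none of the module tests in this commit exercise that path; add a test asserting that `config` no longer contains `_module` and that `_module` is still reachable at the top level.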
@ -389,7 +393,7 @@ rec {
let
# Process mkMerge and mkIf properties.
defs' = concatMap (m:
map (value: { inherit (m) file; inherit value; }) (dischargeProperties m.value)
map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
) defs;
# Process mkOverride properties.
@ -410,10 +414,9 @@ rec {
# Type-check the remaining definitions, and merge them. Or throw if no definitions.
mergedValue =
if isDefined then
foldl' (res: def:
if type.check def.value then res
else throw "The option value `${showOption loc}' in `${def.file}' is not of type `${type.description}'."
) (type.merge loc defsFinal) defsFinal
if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
else let firstInvalid = findFirst (def: ! type.check def.value) null defsFinal;
in throw "The option value `${showOption loc}' in `${firstInvalid.file}' is not of type `${type.description}'."
else
# (nixos-option detects this specific error message and gives it special
# handling. If changed here, please change it there too.)


@ -159,7 +159,7 @@ rec {
let ss = opt.type.getSubOptions opt.loc;
in if ss != {} then optionAttrSetToDocList' opt.loc ss else [];
in
[ docOption ] ++ subOptions) (collect isOption options);
[ docOption ] ++ optionals docOption.visible subOptions) (collect isOption options);
/* This function recursively removes all derivation attributes from


@ -63,17 +63,14 @@ rec {
# https://nixos.org/nix/manual/#builtin-filterSource
#
# name: Optional name to use as part of the store path.
# This defaults `src.name` or otherwise `baseNameOf src`.
# We recommend setting `name` whenever `src` is syntactically `./.`.
# Otherwise, you depend on `./.`'s name in the parent directory,
# which can cause inconsistent names, defeating caching.
# This defaults to `src.name` or otherwise `"source"`.
#
cleanSourceWith = { filter ? _path: _type: true, src, name ? null }:
let
isFiltered = src ? _isLibCleanSourceWith;
origSrc = if isFiltered then src.origSrc else src;
filter' = if isFiltered then name: type: filter name type && src.filter name type else filter;
name' = if name != null then name else if isFiltered then src.name else baseNameOf src;
name' = if name != null then name else if isFiltered then src.name else "source";
in {
inherit origSrc;
filter = filter';
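Review bot: changing the default `name'` from `baseNameOf src` to `"source"` alters the store path of every derivation that relied on the old default, so this is a mass rebuild and a visible change for anyone matching on the source name; it should be called out in the commit message, and the comment block above should keep one sentence on why a fixed name was chosen (the removed lines gave the `./.` reasoning, the new ones give none).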


@ -678,4 +678,36 @@ rec {
=> "1.0"
*/
fileContents = file: removeSuffix "\n" (builtins.readFile file);
/* Creates a valid derivation name from a potentially invalid one.
Type: sanitizeDerivationName :: String -> String
Example:
sanitizeDerivationName "../hello.bar # foo"
=> "-hello.bar-foo"
sanitizeDerivationName ""
=> "unknown"
sanitizeDerivationName pkgs.hello
=> "-nix-store-2g75chlbpxlrqn15zlby2dfh8hr9qwbk-hello-2.10"
*/
sanitizeDerivationName = string: lib.pipe string [
# Get rid of string context. This is safe under the assumption that the
# resulting string is only used as a derivation name
builtins.unsafeDiscardStringContext
# Strip all leading "."
(x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0)
# Split out all invalid characters
# https://github.com/NixOS/nix/blob/2.3.2/src/libstore/store-api.cc#L85-L112
# https://github.com/NixOS/nix/blob/2242be83c61788b9c0736a92bb0b5c7bbfc40803/nix-rust/src/store/path.rs#L100-L125
(builtins.split "[^[:alnum:]+._?=-]+")
# Replace invalid character ranges with a "-"
(concatMapStrings (s: if lib.isList s then "-" else s))
# Limit to 211 characters (minus 4 chars for ".drv")
(x: substring (lib.max (stringLength x - 207) 0) (-1) x)
# If the result is empty, replace it with "unknown"
(x: if stringLength x == 0 then "unknown" else x)
];
}
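Review bot: the leading-dot strip runs before the 207-character truncation, so a long name whose character at the cut point is a `.` comes out starting with `.`, which the linked Nix store-name check rejects; move the `\\.*(.*)` match after the `substring` step (or apply it a second time there). Two smaller points: truncation keeps the tail of the string, so long names that differ only in a prefix collapse to the same derivation name, and the `sanitizeDerivationName pkgs.hello` example in the doc comment yields `-nix-store-...`, which is valid but probably not what a caller wants; suggest documenting that callers pass `pkgs.hello.name` instead.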


@ -65,6 +65,7 @@ rec {
freebsd = "FreeBSD";
openbsd = "OpenBSD";
wasi = "Wasi";
genode = "Genode";
}.${final.parsed.kernel.name} or null;
# uname -p


@ -26,9 +26,17 @@ let
"riscv32-linux" "riscv64-linux"
"aarch64-none" "avr-none" "arm-none" "i686-none" "x86_64-none" "powerpc-none" "msp430-none" "riscv64-none" "riscv32-none" "vc4-none"
"arm-none" "armv6l-none" "aarch64-none"
"avr-none"
"i686-none" "x86_64-none"
"powerpc-none"
"msp430-none"
"riscv64-none" "riscv32-none"
"vc4-none"
"js-ghcjs"
"aarch64-genode" "x86_64-genode"
];
allParsed = map parse.mkSystemFromString all;
@ -62,6 +70,7 @@ in {
unix = filterDoubles predicates.isUnix;
wasi = filterDoubles predicates.isWasi;
windows = filterDoubles predicates.isWindows;
genode = filterDoubles predicates.isGenode;
embedded = filterDoubles predicates.isNone;


@ -47,6 +47,7 @@ rec {
isMinGW = { kernel = kernels.windows; abi = abis.gnu; };
isWasi = { kernel = kernels.wasi; };
isGhcjs = { kernel = kernels.ghcjs; };
isGenode = { kernel = kernels.genode; };
isNone = { kernel = kernels.none; };
isAndroid = [ { abi = abis.android; } { abi = abis.androideabi; } ];


@ -279,6 +279,7 @@ rec {
wasi = { execFormat = wasm; families = { }; };
windows = { execFormat = pe; families = { }; };
ghcjs = { execFormat = unknown; families = { }; };
genode = { execFormat = elf; families = { }; };
} // { # aliases
# 'darwin' is the kernel for all of them. We choose macOS by default.
darwin = kernels.macos;
@ -395,6 +396,8 @@ rec {
then { cpu = elemAt l 0; vendor = "unknown"; kernel = elemAt l 1; abi = elemAt l 2; }
else if (elemAt l 2 == "ghcjs")
then { cpu = elemAt l 0; vendor = "unknown"; kernel = elemAt l 2; }
else if hasPrefix "genode" (elemAt l 2)
then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = elemAt l 2; }
else throw "Target specification with 3 components is ambiguous";
"4" = { cpu = elemAt l 0; vendor = elemAt l 1; kernel = elemAt l 2; abi = elemAt l 3; };
}.${toString (length l)}


@ -3,6 +3,23 @@
# if the resulting list is empty, all tests passed
with import ../default.nix;
let
testSanitizeDerivationName = { name, expected }:
let
drv = derivation {
name = strings.sanitizeDerivationName name;
builder = "x";
system = "x";
};
in {
# Evaluate the derivation so an invalid name would be caught
expr = builtins.seq drv.drvPath drv.name;
inherit expected;
};
in
runTests {
@ -348,6 +365,18 @@ runTests {
'';
};
testToINIDuplicateKeys = {
expr = generators.toINI { listsAsDuplicateKeys = true; } { foo.bar = true; baz.qux = [ 1 false ]; };
expected = ''
[baz]
qux=1
qux=false
[foo]
bar=true
'';
};
testToINIDefaultEscapes = {
expr = generators.toINI {} {
"no [ and ] allowed unescaped" = {
@ -478,4 +507,29 @@ runTests {
expected = "'-X' 'PUT' '--data' '{\"id\":0}' '--retry' '3' '--url' 'https://example.com/foo' '--url' 'https://example.com/bar' '--verbose'";
};
testSanitizeDerivationNameLeadingDots = testSanitizeDerivationName {
name = "..foo";
expected = "foo";
};
testSanitizeDerivationNameAscii = testSanitizeDerivationName {
name = " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";
expected = "-+--.-0123456789-=-?-ABCDEFGHIJKLMNOPQRSTUVWXYZ-_-abcdefghijklmnopqrstuvwxyz-";
};
testSanitizeDerivationNameTooLong = testSanitizeDerivationName {
name = "This string is loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong";
expected = "loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooong";
};
testSanitizeDerivationNameTooLongWithInvalid = testSanitizeDerivationName {
name = "Hello there aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa &&&&&&&&";
expected = "there-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-";
};
testSanitizeDerivationNameEmpty = testSanitizeDerivationName {
name = "";
expected = "unknown";
};
}
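Review bot: the new `testSanitizeDerivationName*` cases cover leading dots, the printable ASCII range, over-long input and the empty string, but none has the 207-character cut land on a `.` after the leading dots have already been stripped; add such a name (a long prefix, then `.` at the cut point) so the `builtins.seq drv.drvPath` in the helper would catch a result that still starts with a dot.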


@ -185,6 +185,14 @@ checkConfigError 'The option .* defined in .* does not exist' config.enable ./di
# Check that imports can depend on derivations
checkConfigOutput "true" config.enable ./import-from-store.nix
# Check that configs can be conditional on option existence
checkConfigOutput true config.enable ./define-option-dependently.nix ./declare-enable.nix ./declare-int-positive-value.nix
checkConfigOutput 360 config.value ./define-option-dependently.nix ./declare-enable.nix ./declare-int-positive-value.nix
checkConfigOutput 7 config.value ./define-option-dependently.nix ./declare-int-positive-value.nix
checkConfigOutput true config.set.enable ./define-option-dependently-nested.nix ./declare-enable-nested.nix ./declare-int-positive-value-nested.nix
checkConfigOutput 360 config.set.value ./define-option-dependently-nested.nix ./declare-enable-nested.nix ./declare-int-positive-value-nested.nix
checkConfigOutput 7 config.set.value ./define-option-dependently-nested.nix ./declare-int-positive-value-nested.nix
# Check attrsOf and lazyAttrsOf. Only lazyAttrsOf should be lazy, and only
# attrsOf should work with conditional definitions
# In addition, lazyAttrsOf should honor an options emptyValue
@ -194,6 +202,11 @@ checkConfigOutput "true" config.conditionalWorks ./declare-attrsOf.nix ./attrsOf
checkConfigOutput "false" config.conditionalWorks ./declare-lazyAttrsOf.nix ./attrsOf-conditional-check.nix
checkConfigOutput "empty" config.value.foo ./declare-lazyAttrsOf.nix ./attrsOf-conditional-check.nix
# Even with multiple assignments, a type error should be thrown if any of them aren't valid
checkConfigError 'The option value .* in .* is not of type .*' \
config.value ./declare-int-unsigned-value.nix ./define-value-list.nix ./define-value-int-positive.nix
cat <<EOF
====== module tests ======
$pass Pass


@ -0,0 +1,14 @@
{ lib, ... }:
{
options.set = {
enable = lib.mkOption {
default = false;
example = true;
type = lib.types.bool;
description = ''
Some descriptive text
'';
};
};
}


@ -0,0 +1,9 @@
{ lib, ... }:
{
options.set = {
value = lib.mkOption {
type = lib.types.ints.positive;
};
};
}


@ -0,0 +1,16 @@
{ lib, options, ... }:
# Some modules may be distributed separately and need to adapt to other modules
# that are distributed and versioned separately.
{
# Always defined, but the value depends on the presence of an option.
config.set = {
value = if options ? set.enable then 360 else 7;
}
# Only define if possible.
// lib.optionalAttrs (options ? set.enable) {
enable = true;
};
}


@ -0,0 +1,16 @@
{ lib, options, ... }:
# Some modules may be distributed separately and need to adapt to other modules
# that are distributed and versioned separately.
{
# Always defined, but the value depends on the presence of an option.
config = {
value = if options ? enable then 360 else 7;
}
# Only define if possible.
// lib.optionalAttrs (options ? enable) {
enable = true;
};
}


@ -12,16 +12,17 @@ let
expected = lib.sort lib.lessThan y;
};
in with lib.systems.doubles; lib.runTests {
testall = mseteq all (linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos ++ wasi ++ windows ++ embedded ++ js);
testall = mseteq all (linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos ++ wasi ++ windows ++ embedded ++ js ++ genode);
testarm = mseteq arm [ "armv5tel-linux" "armv6l-linux" "armv7a-linux" "armv7l-linux" "arm-none" "armv7a-darwin" ];
testarm = mseteq arm [ "armv5tel-linux" "armv6l-linux" "armv6l-none" "armv7a-linux" "armv7l-linux" "arm-none" "armv7a-darwin" ];
testi686 = mseteq i686 [ "i686-linux" "i686-freebsd" "i686-netbsd" "i686-openbsd" "i686-cygwin" "i686-windows" "i686-none" "i686-darwin" ];
testmips = mseteq mips [ "mipsel-linux" ];
testx86_64 = mseteq x86_64 [ "x86_64-linux" "x86_64-darwin" "x86_64-freebsd" "x86_64-openbsd" "x86_64-netbsd" "x86_64-cygwin" "x86_64-solaris" "x86_64-windows" "x86_64-none" ];
testx86_64 = mseteq x86_64 [ "x86_64-linux" "x86_64-darwin" "x86_64-freebsd" "x86_64-genode" "x86_64-openbsd" "x86_64-netbsd" "x86_64-cygwin" "x86_64-solaris" "x86_64-windows" "x86_64-none" ];
testcygwin = mseteq cygwin [ "i686-cygwin" "x86_64-cygwin" ];
testdarwin = mseteq darwin [ "x86_64-darwin" "i686-darwin" "aarch64-darwin" "armv7a-darwin" ];
testfreebsd = mseteq freebsd [ "i686-freebsd" "x86_64-freebsd" ];
testgenode = mseteq genode [ "aarch64-genode" "x86_64-genode" ];
testgnu = mseteq gnu (linux /* ++ kfreebsd ++ ... */);
testillumos = mseteq illumos [ "x86_64-solaris" ];
testlinux = mseteq linux [ "aarch64-linux" "armv5tel-linux" "armv6l-linux" "armv7a-linux" "armv7l-linux" "i686-linux" "mipsel-linux" "riscv32-linux" "riscv64-linux" "x86_64-linux" "powerpc64le-linux" ];


@ -1,5 +1,5 @@
/* List of NixOS maintainers.
```nix
handle = {
# Required
name = "Your name";
@ -13,6 +13,7 @@
fingerprint = "AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333";
}];
};
```
where
@ -38,7 +39,7 @@
Please keep the list alphabetically sorted.
See `./scripts/check-maintainer-github-handles.sh` for an example on how to work with this data.
*/
*/
{
"0x4A6F" = {
email = "0x4A6F@shackspace.de";
@ -301,6 +302,12 @@
githubId = 786394;
name = "Alexander Krupenkin ";
};
albakham = {
email = "dev@geber.ga";
github = "albakham";
githubId = 43479487;
name = "Titouan Biteau";
};
alexarice = {
email = "alexrice999@hotmail.co.uk";
github = "alexarice";
@ -411,10 +418,15 @@
githubId = 20530052;
name = "Andrew Miloradovsky";
};
aminb = {
email = "amin@aminb.org";
github = "aminb";
notbandali = {
name = "Amin Bandali";
email = "bandali@gnu.org";
github = "notbandali";
githubId = 1254858;
keys = [{
longkeyid = "rsa4096/0xA21A020248816103";
fingerprint = "BE62 7373 8E61 6D6D 1B3A 08E8 A21A 0202 4881 6103";
}];
};
aminechikhaoui = {
email = "amine.chikhaoui91@gmail.com";
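Review bot: renaming the attribute `aminb` to `notbandali` breaks every `meta.maintainers` list in the tree that still references `maintainers.aminb`; either keep `aminb` as an alias of the same entry or make sure every reference is updated in the same change, and say which in the commit message.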
@ -644,6 +656,12 @@
githubId = 10285250;
name = "Artur E. Ruuge";
};
asbachb = {
email = "asbachb-nixpkgs-5c2a@impl.it";
github = "asbachb";
githubId = 1482768;
name = "Benjamin Asbach";
};
ashalkhakov = {
email = "artyom.shalkhakov@gmail.com";
github = "ashalkhakov";
@ -710,6 +728,12 @@
githubId = 55833;
name = "Troels Henriksen";
};
atkinschang = {
email = "atkinschang+nixpkgs@gmail.com";
github = "AtkinsChang";
githubId = 5193600;
name = "Atkins Chang";
};
atnnn = {
email = "etienne@atnnn.com";
github = "atnnn";
@ -957,6 +981,12 @@
githubId = 2071583;
name = "Benjamin Hipple";
};
bhougland = {
email = "benjamin.hougland@gmail.com";
github = "bhougland18";
githubId = 28444296;
name = "Benjamin Hougland";
};
binarin = {
email = "binarin@binarin.ru";
github = "binarin";
@ -1250,6 +1280,20 @@
githubId = 5949913;
name = "Carlos Fernandez Sanz";
};
cge = {
email = "cevans@evanslabs.org";
github = "cgevans";
githubId = 2054509;
name = "Constantine Evans";
keys = [
{ longkeyid = "rsa4096/0xB67DB1D20A93A9F9";
fingerprint = "32B1 6EE7 DBA5 16DE 526E 4C5A B67D B1D2 0A93 A9F9";
}
{ longkeyid = "rsa4096/0x1A1D58B86AE2AABD";
fingerprint = "669C 1D24 5A87 DB34 6BE4 3216 1A1D 58B8 6AE2 AABD";
}
];
};
chaduffy = {
email = "charles@dyfis.net";
github = "charles-dyfis-net";
@ -1572,10 +1616,12 @@
githubId = 2217136;
name = "Ștefan D. Mihăilă";
keys = [
{ longkeyid = "rsa4096/6E68A39BF16A3ECB";
{
longkeyid = "rsa4096/6E68A39BF16A3ECB";
fingerprint = "CBC9 C7CC 51F0 4A61 3901 C723 6E68 A39B F16A 3ECB";
}
{ longkeyid = "rsa4096/6220AD7846220A52";
{
longkeyid = "rsa4096/6220AD7846220A52";
fingerprint = "7EAB 1447 5BBA 7DDE 7092 7276 6220 AD78 4622 0A52";
}
];
@ -1792,7 +1838,7 @@
name = "Didier J. Devroye";
};
devhell = {
email = "\"^\"@regexmail.net";
email = ''"^"@regexmail.net'';
github = "devhell";
githubId = 896182;
name = "devhell";
@ -1916,6 +1962,12 @@
githubId = 126339;
name = "Domen Kozar";
};
dominikh = {
email = "dominik@honnef.co";
github = "dominikh";
githubId = 39825;
name = "Dominik Honnef";
};
doronbehar = {
email = "me@doronbehar.com";
github = "doronbehar";
@ -1958,7 +2010,7 @@
drewrisinger = {
email = "drisinger+nixpkgs@gmail.com";
github = "drewrisinger";
gitHubId = 10198051;
githubId = 10198051;
name = "Drew Risinger";
};
dsferruzza = {
@ -2131,7 +2183,7 @@
};
ehmry = {
email = "ehmry@posteo.net";
github= "ehmry";
github = "ehmry";
githubId = 537775;
name = "Emery Hemingway";
};
@ -2352,6 +2404,12 @@
fingerprint = "67FE 98F2 8C44 CF22 1828 E12F D57E FA62 5C9A 925F";
}];
};
euank = {
email = "euank-nixpkg@euank.com";
github = "euank";
githubId = 2147649;
name = "Euan Kemp";
};
evanjs = {
email = "evanjsx@gmail.com";
github = "evanjs";
@ -2745,6 +2803,12 @@
githubId = 3217744;
name = "Peter Ferenczy";
};
gila = {
email = "jeffry.molanus@gmail.com";
github = "gila";
githubId = 15957973;
name = "Jeffry Molanus";
};
gilligan = {
email = "tobias.pflug@gmail.com";
github = "gilligan";
@ -2787,6 +2851,12 @@
githubId = 12064730;
name = "Alex Ivanov";
};
gnxlxnxx = {
email = "gnxlxnxx@web.de";
github = "gnxlxnxx";
githubId = 25820499;
name = "Roman Kretschmer";
};
goibhniu = {
email = "cillian.deroiste@gmail.com";
github = "cillianderoiste";
@ -3096,6 +3166,12 @@
githubId = 4401220;
name = "Michael Eden";
};
illiusdope = {
email = "mat@marini.ca";
github = "illiusdope";
githubId = 61913481;
name = "Mat Marini";
};
ilya-fedin = {
email = "fedin-ilja2010@ya.ru";
github = "ilya-fedin";
@ -3177,6 +3253,12 @@
fingerprint = "7311 2700 AB4F 4CDF C68C F6A5 79C3 C47D C652 EA54";
}];
};
ivar = {
email = "ivar.scholten@protonmail.com";
github = "IvarWithoutBones";
githubId = 41924494;
Name = "Ivar";
};
ivegotasthma = {
email = "ivegotasthma@protonmail.com";
github = "ivegotasthma";
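Review bot: `Name = "Ivar";` in the new `ivar` entry capitalises the attribute while every other entry in this file uses lowercase `name`; Nix accepts any attribute name without complaint, so the entry would simply carry no `name` for anything that reads this list. Change it to `name = "Ivar";`.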
@ -3590,6 +3672,12 @@
github = "jorsn";
githubId = 4646725;
};
joshuafern = {
name = "Joshua Fern";
email = "joshuafern@protonmail.com";
github = "JoshuaFern";
githubId = 4300747;
};
jpas = {
name = "Jarrod Pas";
email = "jarrod@jarrodpas.com";
@ -3698,6 +3786,16 @@
githubId = 66669;
name = "Jeff Zellner";
};
kaction = {
name = "Dmitry Bogatov";
email = "KAction@disroot.org";
github = "kaction";
githubId = 44864956;
key = [{
longkeyid = "ed25519/0x749FD4DFA2E94236";
fingerprint = "3F87 0A7C A7B4 3731 2F13 6083 749F D4DF A2E9 4236";
}];
};
kaiha = {
email = "kai.harries@gmail.com";
github = "kaiha";
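Review bot: `key = [{` in the new `kaction` entry should be `keys = [{`, the attribute name used by every other entry with a PGP key in this file (see `cge`, `lexuge`, `minijackson` in this same patch); under the singular name the fingerprint is never found by anything that reads `keys`.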
@ -3731,6 +3829,12 @@
github = "kampfschlaefer";
name = "Arnold Krille";
};
karantan = {
name = "Gasper Vozel";
email = "karantan@gmail.com";
github = "karantan";
githubId = 7062631;
};
karolchmist = {
email = "info+nix@chmist.com";
name = "karolchmist";
@ -3899,6 +4003,11 @@
githubId = 13721712;
name = "Konrad Langenberg";
};
kolbycrouch = {
email = "kjc.devel@gmail.com";
github = "kolbycrouch";
name = "Kolby Crouch";
};
konimex = {
email = "herdiansyah@netc.eu";
github = "konimex";
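Review bot: the new `kolbycrouch` entry has `github` but no `githubId`. The other entries added in this patch carry both; the numeric id is what stays stable when a GitHub handle is renamed, so please add `githubId = <id>;` here.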
@ -4117,6 +4226,12 @@
github = "leonardoce";
name = "Leonardo Cecchi";
};
leshainc = {
email = "leshainc@fomalhaut.me";
github = "LeshaInc";
githubId = 42153076;
name = "Alexey Nikashkin";
};
lethalman = {
email = "lucabru@src.gnome.org";
github = "lethalman";
@ -4129,6 +4244,16 @@
githubId = 3425311;
name = "Antoine Eiche";
};
lexuge = {
name = "Harry Ying";
email = "lexugeyky@outlook.com";
github = "LEXUGE";
githubId = 13804737;
keys = [{
longkeyid = "rsa4096/0xAE53B4C2E58EDD45";
fingerprint = "7FE2 113A A08B 695A C8B8 DDE6 AE53 B4C2 E58E DD45";
}];
};
lheckemann = {
email = "git@sphalerite.org";
github = "lheckemann";
@ -4303,6 +4428,12 @@
github = "ltavard";
name = "Laure Tavard";
};
luc65r = {
email = "lucas@ransan.tk";
github = "luc65r";
githubId = 59375051;
name = "Lucas Ransan";
};
lucus16 = {
email = "lars.jellema@gmail.com";
github = "Lucus16";
@ -4532,6 +4663,12 @@
githubId = 1711539;
name = "matklad";
};
matt-snider = {
email = "matt.snider@protonmail.com";
github = "matt-snider";
githubId = 11810057;
name = "Matt Snider";
};
matthewbauer = {
email = "mjbauer95@gmail.com";
github = "matthewbauer";
@ -4566,6 +4703,12 @@
githubId = 1269099;
name = "Marius Bakke";
};
mbaillie = {
email = "martin@baillie.email";
github = "martinbaillie";
githubId = 613740;
name = "Martin Baillie";
};
mbbx6spp = {
email = "me@susanpotter.net";
github = "mbbx6spp";
@ -4770,12 +4913,24 @@
githubId = 3958340;
name = "Eshin Kunishima";
};
mikesperber = {
email = "sperber@deinprogramm.de";
github = "mikesperber";
githubId = 1387206;
name = "Mike Sperber";
};
mildlyincompetent = {
email = "nix@kch.dev";
github = "mildlyincompetent";
githubId = 19479662;
name = "Kajetan Champlewski";
};
millerjason = {
email = "mailings-github@millerjason.com";
github = "millerjason";
githubId = 7610974;
name = "Jason Miller";
};
miltador = {
email = "miltador@yandex.ua";
name = "Vasiliy Solovey";
@ -4789,7 +4944,12 @@
minijackson = {
email = "minijackson@riseup.net";
github = "minijackson";
githubId = 1200507;
name = "Rémi Nicole";
keys = [{
longkeyid = "rsa2048/0xFEA888C9F5D64F62";
fingerprint = "3196 83D3 9A1B 4DE1 3DC2 51FD FEA8 88C9 F5D6 4F62";
}];
};
mirdhyn = {
email = "mirdhyn@gmail.com";
@ -4872,11 +5032,11 @@
mmilata = {
email = "martin@martinmilata.cz";
github = "mmilata";
gitHubId = 85857;
githubId = 85857;
name = "Martin Milata";
};
mmlb = {
email = "me.mmlb@mmlb.me";
email = "manny@peekaboo.mmlb.icu";
github = "mmlb";
name = "Manuel Mendez";
};
@ -5502,6 +5662,12 @@
githubId = 11016164;
name = "Fedor Pakhomov";
};
paluh = {
email = "paluho@gmail.com";
github = "paluh";
githubId = 190249;
name = "Tomasz Rybarczyk";
};
pamplemousse = {
email = "xav.maso@gmail.com";
github = "Pamplemousse";
@ -5775,11 +5941,10 @@
github = "pradyuman";
githubId = 9904569;
name = "Pradyuman Vig";
keys = [
{ longkeyid = "rsa4096/4F74D5361C4CA31E";
keys = [{
longkeyid = "rsa4096/4F74D5361C4CA31E";
fingerprint = "240B 57DE 4271 2480 7CE3 EAC8 4F74 D536 1C4C A31E";
}
];
}];
};
prikhi = {
email = "pavan.rikhi@gmail.com";
@ -5793,10 +5958,12 @@
githubId = 7537109;
name = "Michael Weiss";
keys = [
{ longkeyid = "ed25519/0x130826A6C2A389FD"; # Git only
{
longkeyid = "ed25519/0x130826A6C2A389FD"; # Git only
fingerprint = "86A7 4A55 07D0 58D1 322E 37FD 1308 26A6 C2A3 89FD";
}
{ longkeyid = "rsa3072/0xBCA9943DD1DF4C04"; # Email, etc.
{
longkeyid = "rsa3072/0xBCA9943DD1DF4C04"; # Email, etc.
fingerprint = "AF85 991C C950 49A2 4205 1933 BCA9 943D D1DF 4C04";
}
];
@ -5881,6 +6048,12 @@
githubId = 37715;
name = "Brian McKenna";
};
puzzlewolf = {
email = "nixos@nora.pink";
github = "puzzlewolf";
githubId = 23097564;
name = "Nora Widdecke";
};
pxc = {
email = "patrick.callahan@latitudeengineering.com";
name = "Patrick Callahan";
@ -5891,6 +6064,12 @@
githubId = 4579165;
name = "Danny Bautista";
};
peelz = {
email = "peelz.dev+nixpkgs@gmail.com";
github = "louistakepillz";
githubId = 920910;
name = "peelz";
};
q3k = {
email = "q3k@q3k.org";
github = "q3k";
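Review bot: the new `peelz` entry is inserted between the `Danny Bautista` entry and `q3k`, but the file is kept alphabetically sorted and `peelz` sorts before `pxc`; move it up to its sorted position so later additions and conflict resolution stay predictable.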
@ -5919,6 +6098,11 @@
fingerprint = "7573 56D7 79BB B888 773E 415E 736C CDF9 EF51 BD97";
}];
};
raboof = {
email = "arnout@bzzt.net";
github = "raboof";
name = "Arnout Engelen";
};
rafaelgg = {
email = "rafael.garcia.gallego@gmail.com";
github = "rafaelgg";
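Review bot: the new `raboof` entry lacks `githubId`, unlike the surrounding entries; add the numeric id so the entry survives a handle rename.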
@ -6145,6 +6329,12 @@
githubId = 2507744;
name = "Roland Koebler";
};
rkrzr = {
email = "ops+nixpkgs@channable.com";
github = "rkrzr";
githubId = 82817;
name = "Robert Kreuzer";
};
rlupton20 = {
email = "richard.lupton@gmail.com";
github = "rlupton20";
@ -6156,12 +6346,10 @@
github = "rnhmjoj";
githubId = 2817565;
name = "Michele Guerini Rocco";
keys =
[
{ longkeyid = "ed25519/0xBFBAF4C975F76450";
keys = [{
longkeyid = "ed25519/0xBFBAF4C975F76450";
fingerprint = "92B2 904F D293 C94D C4C9 3E6B BFBA F4C9 75F7 6450";
}
];
}];
};
rob = {
email = "rob.vermaas@gmail.com";
@ -6605,6 +6793,11 @@
github = "shmish111";
name = "David Smith";
};
shnarazk = {
email = "shujinarazaki@protonmail.com";
github = "shnarazk";
name = "Narazaki Shuji";
};
shou = {
email = "x+g@shou.io";
github = "Shou";
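Review bot: the new `shnarazk` entry lacks `githubId`, unlike the surrounding entries; add the numeric id so the entry survives a handle rename.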
@ -6681,6 +6874,12 @@
githubId = 848812;
name = "Stephan Jau";
};
sjfloat = {
email = "steve+nixpkgs@jonescape.com";
github = "sjfloat";
githubId = 216167;
name = "Steve Jones";
};
sjmackenzie = {
email = "setori88@gmail.com";
github = "sjmackenzie";
@ -7176,6 +7375,12 @@
githubId = 378734;
name = "TG Θ";
};
th0rgal = {
email = "thomas.marchand@tuta.io";
github = "Th0rgal";
githubId = 41830259;
name = "Thomas Marchand";
};
thall = {
email = "niclas.thall@gmail.com";
github = "thall";
@ -7217,6 +7422,12 @@
githubId = 8547242;
name = "Stefan Rohrbacher";
};
"thelegy" = {
email = "mail+nixos@0jb.de";
github = "thelegy";
githubId = 3105057;
name = "Jan Beinke";
};
thesola10 = {
email = "thesola10@bobile.fr";
github = "thesola10";
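Review bot: `"thelegy" = {` quotes an attribute name that needs no quoting; no other entry in this file is written that way, so drop the quotes and use `thelegy = {` for consistency.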
@ -7239,6 +7450,12 @@
githubId = 844343;
name = "Thiago K. Okada";
};
thmzlt = {
email = "git@thomazleite.com";
github = "thmzlt";
githubId = 7709;
name = "Thomaz Leite";
};
ThomasMader = {
email = "thomas.mader@gmail.com";
github = "ThomasMader";
@ -7314,10 +7531,10 @@
github = "tkerber";
githubId = 5722198;
name = "Thomas Kerber";
keys = [ {
keys = [{
longkeyid = "rsa4096/0x8489B911F9ED617B";
fingerprint = "556A 403F B0A2 D423 F656 3424 8489 B911 F9ED 617B";
} ];
}];
};
tmplt = {
email = "tmplt@dragons.rocks";
@ -7597,7 +7814,8 @@
};
vcunat = {
name = "Vladimír Čunát";
email = "v@cunat.cz"; # vcunat@gmail.com predominated in commits before 2019/03
# vcunat@gmail.com predominated in commits before 2019/03
email = "v@cunat.cz";
github = "vcunat";
githubId = 1785925;
keys = [{
@ -7849,6 +8067,12 @@
githubId = 13489144;
name = "Calle Rosenquist";
};
xe = {
email = "me@christine.website";
github = "Xe";
githubId = 529003;
name = "Christine Dodrill";
};
xeji = {
email = "xeji@cat3.de";
github = "xeji";
@ -8177,6 +8401,10 @@
githubId = 474343;
name = "Xavier Zwirtz";
};
ymeister = {
name = "Yuri Meister";
email = "47071325+ymeister@users.noreply.github.com";
github = "ymeister";
githubId = 47071325;
};
}

View File

@ -6,6 +6,7 @@ use warnings;
use CPAN::Meta();
use CPANPLUS::Backend();
use Module::CoreList;
use Getopt::Long::Descriptive qw( describe_options );
use JSON::PP qw( encode_json );
use Log::Log4perl qw(:easy);
@ -164,7 +165,7 @@ Readonly::Hash my %LICENSE_MAP => (
# License not provided in metadata.
unknown => {
licenses => [qw( unknown )],
licenses => [],
amb => 1
}
);
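Review bot: changing the `unknown` entry from `licenses => [qw( unknown )]` to `licenses => []` means a module with no license metadata is emitted with no license at all instead of being tagged `unknown`. Make sure the code that renders `licenses` copes with an empty list (ideally omitting the `license` attribute rather than writing `license = [ ];`), and that `amb => 1` alone is enough to flag these modules for manual review, since a missing license is easier to overlook than an explicit `unknown`.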
@ -278,14 +279,8 @@ sub get_deps {
foreach my $n ( $deps->required_modules ) {
next if $n eq "perl";
# Figure out whether the module is a core module by attempting
# to `use` the module in a pure Perl interpreter and checking
# whether it succeeded. Note, $^X is a magic variable holding
# the path to the running Perl interpreter.
if ( system("env -i $^X -M$n -e1 >/dev/null 2>&1") == 0 ) {
DEBUG("skipping Perl-builtin module $n");
next;
}
my @core = Module::CoreList->find_modules(qr/^$n$/);
next if (@core);
my $pkg = module_to_pkg( $cb, $n );
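Review bot: `Module::CoreList->find_modules(qr/^$n$/)` is called without a Perl version, so it searches every release `Module::CoreList` knows about; a module that was core in some old Perl but has since been removed from core would still be treated as built in and dropped from the dependency list. Use `Module::CoreList->is_core($n)` (which defaults to the running interpreter's `$]`), or pass `$]` as the version argument, and quote the interpolated name with `\Q$n\E` since it lands inside a regex. Replacing the old `system("env -i $^X -M$n -e1 ...")` call is a welcome side effect: it no longer passes a module name taken from CPAN metadata through a shell.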

33
maintainers/team-list.nix Normal file
View File

@ -0,0 +1,33 @@
/* List of maintainer teams.
name = {
# Required
members = [ maintainer1 maintainer2 ];
scope = "Maintain foo packages.";
};
where
- `members` is the list of maintainers belonging to the group,
- `scope` describes the scope of the group.
More fields may be added in the future.
Please keep the list alphabetically sorted.
*/
{ lib }:
with lib.maintainers; {
freedesktop = {
members = [ jtojnar worldofpeace ];
scope = "Maintain Freedesktop.org packages for graphical desktop.";
};
gnome = {
members = [
hedning
jtojnar
worldofpeace
];
scope = "Maintain GNOME desktop environment and platform.";
};
}

View File

@ -21,7 +21,6 @@
<xi:include href="xfce.xml" />
<xi:include href="networking.xml" />
<xi:include href="linux-kernel.xml" />
<xi:include href="matrix.xml" />
<xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />
<xi:include href="profiles.xml" />
<xi:include href="kubernetes.xml" />
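Review bot: dropping the `matrix.xml` include removes the page that declared the `module-services-matrix` id, and the 20.03 release notes in this same patch still link to `linkend="module-services-matrix"`. Confirm that the id is now emitted through the generated `modules.xml` include (or another file), otherwise the manual build will fail on a dangling xref.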

View File

@ -24,8 +24,7 @@
</para>
<para>
The NixOS manual is available on virtual console 8 (press Alt+F8 to access)
or by running <command>nixos-help</command>.
The NixOS manual is available by running <command>nixos-help</command>.
</para>
<para>

View File

@ -196,10 +196,10 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
</listitem>
<listitem>
<para>
There is now only one Xfce package-set and module. This means attributes, <literal>xfce4-14</literal>
<literal>xfce4-12</literal>, and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
packages. And in future NixOS releases will be the latest released version of Xfce available at the
time during the releases development (if viable).
There is now only one Xfce package-set and module. This means that attributes <literal>xfce4-14</literal>
and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
packages. And in the future NixOS releases will be the latest released version of Xfce available at the
time of the release's development (if viable).
</para>
</listitem>
<listitem>
@ -235,7 +235,7 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
<listitem>
<para>
The <literal>buildRustCrate</literal> infrastructure now produces <literal>lib</literal> outputs in addition to the <literal>out</literal> output.
This has led to drastically reduced closed sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
</para>
</listitem>
<listitem>
@ -641,6 +641,128 @@ auth required pam_succeed_if.so uid >= 1000 quiet
The previous behavior can be restored by setting <literal>config.riot-web.conf = { disable_guests = false; piwik = true; }</literal>.
</para>
</listitem>
<listitem>
<para>
Stand-alone usage of <literal>Upower</literal> now requires
<option>services.upower.enable</option> instead of just installing into
<xref linkend="opt-environment.systemPackages"/>.
</para>
</listitem>
<listitem>
<para>
<package>nextcloud</package> has been updated to <literal>v18.0.2</literal>. This means
that users from NixOS 19.09 can't upgrade directly since you can only move one version
forward and 19.09 uses <literal>v16.0.8</literal>.
</para>
<para>
To provide a safe upgrade-path and to circumvent similar issues in the future, the following
measures were taken:
<itemizedlist>
<listitem>
<para>
The <package>pkgs.nextcloud</package>-attribute has been removed and replaced with
versioned attributes (currently <package>pkgs.nextcloud17</package> and
<package>pkgs.nextcloud18</package>). With this change major-releases can be backported
without breaking stuff and to make upgrade-paths easier.
</para>
</listitem>
<listitem>
<para>
Existing setups will be detected using
<link linkend="opt-system.stateVersion">system.stateVersion</link>: by default,
<package>nextcloud17</package> will be used, but will raise a warning which notes
that after that deploy it's recommended to update to the latest stable version
(<package>nextcloud18</package>) by declaring the newly introduced setting
<link linkend="opt-services.nextcloud.package">services.nextcloud.package</link>.
</para>
</listitem>
<listitem>
<para>
Users with an overlay (e.g. to use <package>nextcloud</package> at version
<literal>v18</literal> on <literal>19.09</literal>) will get an evaluation error
by default. This is done to ensure that our
<link linkend="opt-services.nextcloud.package">package</link>-option doesn't select an
older version by accident. It's recommended to use <package>pkgs.nextcloud18</package>
or to set <link linkend="opt-services.nextcloud.package">package</link> to
<package>pkgs.nextcloud</package> explicitly.
</para>
</listitem>
</itemizedlist>
</para>
<warning>
<para>
Please note that if you're comming from <literal>19.03</literal> or older, you have
to manually upgrade to <literal>19.09</literal> first to upgrade your server
to Nextcloud v16.
</para>
</warning>
</listitem>
<listitem>
<para>
<package>Hydra</package> has gained a massive performance improvement due to
<link xlink:href="https://github.com/NixOS/hydra/pull/710">some database schema
changes</link> by adding several IDs and better indexing. However, it's necessary
to upgrade Hydra in multiple steps:
<itemizedlist>
<listitem>
<para>
At first, an older version of Hydra needs to be deployed which adds those
(nullable) columns. When having set <link linkend="opt-system.stateVersion">stateVersion
</link> to a value older than <literal>20.03</literal>, this package will be selected
by default from the module when upgrading. Otherwise, the package can be deployed using
the following config:
<programlisting>{ pkgs, ... }: {
<link linkend="opt-services.hydra.package">services.hydra.package</link> = pkgs.hydra-migration;
}</programlisting>
</para>
</listitem>
<listitem>
<para>
Automatically fill the newly added ID columns on the server by running the following
command:
<screen>
<prompt>$ </prompt>hydra-backfill-ids
</screen>
<warning>
<para>Please note that this process can take a while depending on your database-size!</para>
</warning>
</para>
</listitem>
<listitem>
<para>
Deploy a newer version of Hydra to activate the DB optimizations. You can choose from
either <package>hydra-unstable</package> (latest <literal>master</literal> compiled
against <package>nixUnstable</package>) and <package>hydra-flakes</package> (latest
version with flake-support).
<warning>
<para>
If your <link linkend="opt-system.stateVersion">stateVersion</link> is set to
<literal>20.03</literal> or greater, <package>hydra-unstable</package> will be used
automatically! This will break your setup if you didn't run the migration.
</para>
</warning>
Please note that Hydra is currently not available with <package>nixStable</package>
as this doesn't compile anymore.
</para>
</listitem>
</itemizedlist>
<warning>
<para>
<package>pkgs.hydra</package> has been removed to ensure a graceful database-migration
using the dedicated package-attributes. If you still have <package>pkgs.hydra</package>
defined in e.g. an overlay, an assertion error will be thrown. To circumvent this,
you need to set <xref linkend="opt-services.hydra.package" /> to <package>pkgs.hydra</package>
explicitly and make sure you know what you're doing!
</para>
</warning>
</para>
</listitem>
<listitem>
<para>
The TokuDB storage engine will be disabled in <package>mariadb</package> 10.5. It is recommended to switch
to RocksDB. See also <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link>.
</para>
</listitem>
</itemizedlist>
</section>
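Review bot: in the Nextcloud warning, "if you're comming from 19.03" should read "coming"; in the Hydra list, "You can choose from either hydra-unstable ... and hydra-flakes" should use "or". Everything else in this hunk reads fine.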
@ -712,6 +834,77 @@ auth required pam_succeed_if.so uid >= 1000 quiet
For further reference, please read <link xlink:href="https://github.com/NixOS/nixpkgs/pull/68953">#68953</link> or the corresponding <link xlink:href="https://discourse.nixos.org/t/predictable-network-interface-names-in-initrd/4055">discourse thread</link>.
</para>
</listitem>
<listitem>
<para>
The <package>matrix-synapse</package>-package has been updated to
<link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.11.1">v1.11.1</link>.
Due to <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.10.0rc1">stricter requirements</link>
for database configuration when using <package>postgresql</package>, the automated database setup
of the module has been removed to avoid any further edge-cases.
</para>
<para>
<package>matrix-synapse</package> expects <literal>postgresql</literal>-databases to have the options
<literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> set to
<link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link> which basically
instructs <literal>postgresql</literal> to ignore any locale-based preferences.
</para>
<para>
Depending on your setup, you need to incorporate one of the following changes in your setup to
upgrade to 20.03:
<itemizedlist>
<listitem><para>If you use <literal>sqlite3</literal> you don't need to do anything.</para></listitem>
<listitem><para>If you use <literal>postgresql</literal> on a different server, you don't need
to change anything as well since this module was never designed to configure remote databases.
</para></listitem>
<listitem><para>If you use <literal>postgresql</literal> and configured your synapse initially on
<literal>19.09</literal> or older, you simply need to enable <package>postgresql</package>-support
explicitly:
<programlisting>{ ... }: {
services.matrix-synapse = {
<link linkend="opt-services.matrix-synapse.enable">enable</link> = true;
/* and all the other config you've defined here */
};
<link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true;
}</programlisting>
</para></listitem>
<listitem><para>If you deploy a fresh <package>matrix-synapse</package>, you need to configure
the database yourself (e.g. by using the
<link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link>
option). An example for this can be found in the
<link linkend="module-services-matrix">documentation of the Matrix module</link>.
</para></listitem>
<listitem><para>If you initially deployed your <package>matrix-synapse</package> on
<literal>nixos-unstable</literal> <emphasis>after</emphasis> the <literal>19.09</literal>-release,
your database is misconfigured due to a regression in NixOS. For now, <package>matrix-synapse</package> will
startup with a warning, but it's recommended to reconfigure the database to set the values
<literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> to
<link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link>.
</para></listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
The <link linkend="opt-systemd.network.links">systemd.network.links</link> option is now respected
even when <link linkend="opt-systemd.network.enable">systemd-networkd</link> is disabled.
This mirrors the behaviour of systemd - It's udev that parses <literal>.link</literal> files,
not <command>systemd-networkd</command>.
</para>
</listitem>
<listitem>
<para>
<package>mongodb</package> has been updated to version <literal>3.4.24</literal>.
<warning>
<para>
Please note that <package>mongodb</package> has been relicensed under their own
<link xlink:href="https://www.mongodb.com/licensing/server-side-public-license/faq"><literal>
sspl</literal></link>-license. Since it's not entirely free and not OSI-approved,
it's listed as non-free. This means that Hydra doesn't provide prebuilt
<package>mongodb</package>-packages and needs to be built locally.
</para>
</warning>
</para>
</listitem>
</itemizedlist>
</section>
</section>
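Review bot: two wording fixes in the matrix-synapse item: "you don't need to change anything as well" should be "either", and "will startup with a warning" should be "will start up with a warning". The item correctly spells out that the `LC_COLLATE`/`LC_CTYPE` = `'C'` requirement only affects databases this module configured locally; worth keeping that distinction, since a remote database the module never touched needs no change.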

View File

@ -23,6 +23,23 @@
Support is planned until the end of April 2021, handing over to 21.03.
</para>
</listitem>
<listitem>
<para>GNOME desktop environment was upgraded to 3.36, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.36/">release notes</link>.</para>
</listitem>
<listitem>
<para>
PHP now defaults to PHP 7.4, updated from 7.3.
</para>
</listitem>
<listitem>
<para>
Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have
been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal>
in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should
make use of these new options instead.
</para>
</listitem>
</itemizedlist>
</section>
@ -72,6 +89,112 @@
}</programlisting>
</para>
</listitem>
<listitem>
<para>
The <link linkend="opt-services.supybot.enable">supybot</link> module now uses <literal>/var/lib/supybot</literal>
as its default <link linkend="opt-services.supybot.stateDir">stateDir</link> path if <literal>stateVersion</literal>
is 20.09 or higher. It also enables number of
<link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd sandboxing options</link>
which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in
<option>systemd.services.supybot.serviceConfig</option>.
</para>
</listitem>
<listitem>
<para>
The <literal>security.duosec.skey</literal> option, which stored a secret in the
nix store, has been replaced by a new
<link linkend="opt-security.duosec.secretKeyFile">security.duosec.secretKeyFile</link>
option for better security.
</para>
<para>
<literal>security.duosec.ikey</literal> has been renamed to
<link linkend="opt-security.duosec.integrationKey">security.duosec.integrationKey</link>.
</para>
</listitem>
<listitem>
<para>
The initrd SSH support now uses OpenSSH rather than Dropbear to
allow the use of Ed25519 keys and other OpenSSH-specific
functionality. Host keys must now be in the OpenSSH format, and at
least one pre-generated key must be specified.
</para>
<para>
If you used the <option>boot.initrd.network.ssh.host*Key</option>
options, you'll get an error explaining how to convert your host
keys and migrate to the new
<option>boot.initrd.network.ssh.hostKeys</option> option.
Otherwise, if you don't have any host keys set, you'll need to
generate some; see the <option>hostKeys</option> option
documentation for instructions.
</para>
</listitem>
<listitem>
<para>
Since this release there's an easy way to customize your PHP install to get a much smaller
base PHP with only wanted extensions enabled. See the following snippet installing a smaller PHP
with the extensions <literal>imagick</literal>, <literal>opcache</literal> and
<literal>pdo_mysql</literal> loaded:
<programlisting>
environment.systemPackages = [
(pkgs.php.buildEnv { extensions = pp: with pp; [
imagick
opcache
pdo_mysql
]; })
];</programlisting>
The default <literal>php</literal> attribute hasn't lost any extensions -
the <literal>opcache</literal> extension was added there.
All upstream PHP extensions are available under <package><![CDATA[php.extensions.<name?>]]></package>.
</para>
<para>
The updated <literal>php</literal> attribute is now easily customizable to your liking
by using extensions instead of writing config files or changing configure flags.
Therefore we have removed the following configure flags:
<itemizedlist>
<title>PHP <literal>config</literal> flags that we don't read anymore:</title>
<listitem><para><literal>config.php.argon2</literal></para></listitem>
<listitem><para><literal>config.php.bcmath</literal></para></listitem>
<listitem><para><literal>config.php.bz2</literal></para></listitem>
<listitem><para><literal>config.php.calendar</literal></para></listitem>
<listitem><para><literal>config.php.curl</literal></para></listitem>
<listitem><para><literal>config.php.exif</literal></para></listitem>
<listitem><para><literal>config.php.ftp</literal></para></listitem>
<listitem><para><literal>config.php.gd</literal></para></listitem>
<listitem><para><literal>config.php.gettext</literal></para></listitem>
<listitem><para><literal>config.php.gmp</literal></para></listitem>
<listitem><para><literal>config.php.imap</literal></para></listitem>
<listitem><para><literal>config.php.intl</literal></para></listitem>
<listitem><para><literal>config.php.ldap</literal></para></listitem>
<listitem><para><literal>config.php.libxml2</literal></para></listitem>
<listitem><para><literal>config.php.libzip</literal></para></listitem>
<listitem><para><literal>config.php.mbstring</literal></para></listitem>
<listitem><para><literal>config.php.mysqli</literal></para></listitem>
<listitem><para><literal>config.php.mysqlnd</literal></para></listitem>
<listitem><para><literal>config.php.openssl</literal></para></listitem>
<listitem><para><literal>config.php.pcntl</literal></para></listitem>
<listitem><para><literal>config.php.pdo_mysql</literal></para></listitem>
<listitem><para><literal>config.php.pdo_odbc</literal></para></listitem>
<listitem><para><literal>config.php.pdo_pgsql</literal></para></listitem>
<listitem><para><literal>config.php.phpdbg</literal></para></listitem>
<listitem><para><literal>config.php.postgresql</literal></para></listitem>
<listitem><para><literal>config.php.readline</literal></para></listitem>
<listitem><para><literal>config.php.soap</literal></para></listitem>
<listitem><para><literal>config.php.sockets</literal></para></listitem>
<listitem><para><literal>config.php.sodium</literal></para></listitem>
<listitem><para><literal>config.php.sqlite</literal></para></listitem>
<listitem><para><literal>config.php.tidy</literal></para></listitem>
<listitem><para><literal>config.php.xmlrpc</literal></para></listitem>
<listitem><para><literal>config.php.xsl</literal></para></listitem>
<listitem><para><literal>config.php.zip</literal></para></listitem>
<listitem><para><literal>config.php.zlib</literal></para></listitem>
</itemizedlist>
</para>
</listitem>
</itemizedlist>
</section>
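Review bot: in the supybot item, "It also enables number of systemd sandboxing options" is missing an article ("a number of"). In the PHP item, the `?` in `php.extensions.<name?>` looks like a stray character; if it is meant to mark an optional part, spell that out, otherwise use `php.extensions.<name>`. The duosec change (moving the secret out of the Nix store into `secretKeyFile`) is the right call, since anything in the store is world-readable.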

View File

@ -41,6 +41,12 @@ let
# default to the argument. That way this new default could propagate all
# they way through, but has the last priority behind everything else.
nixpkgs.system = lib.mkDefault system;
# Stash the value of the `system` argument. When using `nesting.children`
# we want to have the same default value behavior (immediately above)
# without any interference from the user's configuration.
nixpkgs.initialSystem = system;
_module.args.pkgs = lib.mkIf (pkgs_ != null) (lib.mkForce pkgs_);
};
};
@ -55,7 +61,7 @@ in rec {
args = extraArgs;
specialArgs =
{ modulesPath = builtins.toString ../modules; } // specialArgs;
}) config options;
}) config options _module;
# These are the extra arguments passed to every module. In
# particular, Nixpkgs is passed through the "pkgs" argument.
@ -63,5 +69,5 @@ in rec {
inherit baseModules extraModules modules;
};
inherit (config._module.args) pkgs;
inherit (_module.args) pkgs;
}

View File

@ -86,7 +86,7 @@ let
optionsList = lib.sort optionLess optionsListDesc;
# Convert the list of options into an XML file.
optionsXML = pkgs.writeText "options.xml" (builtins.toXML optionsList);
optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList);
optionsNix = builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList);
@ -133,6 +133,7 @@ in {
optionsJSON = pkgs.runCommand "options.json"
{ meta.description = "List of NixOS options in JSON format";
buildInputs = [ pkgs.brotli ];
}
''
# Export list of options in different format.
@ -141,8 +142,11 @@ in {
cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix))} $dst/options.json
brotli -9 < $dst/options.json > $dst/options.json.br
mkdir -p $out/nix-support
echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
echo "file json-br $dst/options.json.br" >> $out/nix-support/hydra-build-products
''; # */
optionsDocBook = pkgs.runCommand "options-docbook.xml" {} ''

View File

@ -6,6 +6,7 @@ from xml.sax.saxutils import XMLGenerator
import _thread
import atexit
import base64
import codecs
import os
import pathlib
import ptpython.repl
@ -101,10 +102,12 @@ def make_command(args: list) -> str:
def create_vlan(vlan_nr: str) -> Tuple[str, str, "subprocess.Popen[bytes]", Any]:
global log
log.log("starting VDE switch for network {}".format(vlan_nr))
vde_socket = os.path.abspath("./vde{}.ctl".format(vlan_nr))
vde_socket = tempfile.mkdtemp(
prefix="nixos-test-vde-", suffix="-vde{}.ctl".format(vlan_nr)
)
pty_master, pty_slave = pty.openpty()
vde_process = subprocess.Popen(
["vde_switch", "-s", vde_socket, "--dirmode", "0777"],
["vde_switch", "-s", vde_socket, "--dirmode", "0700"],
bufsize=1,
stdin=pty_slave,
stdout=subprocess.PIPE,
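Review bot: the new `tempfile.mkdtemp(...)` call needs `import tempfile`, which is not among the imports touched in this patch; confirm it is already present in the module. `mkdtemp` also does not clean up after itself, so register the directory for removal (e.g. `atexit.register(shutil.rmtree, vde_socket, ignore_errors=True)`, `atexit` is already imported) or every test run leaves a `nixos-test-vde-*` directory behind. Tightening `--dirmode` from `0777` to `0700` is correct: it matches the mode `mkdtemp` gives the parent and stops other local users from attaching to the VDE control socket.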
@ -115,6 +118,7 @@ def create_vlan(vlan_nr: str) -> Tuple[str, str, "subprocess.Popen[bytes]", Any]
fd.write("version\n")
# TODO: perl version checks if this can be read from
# an if not, dies. we could hang here forever. Fix it.
assert vde_process.stdout is not None
vde_process.stdout.readline()
if not os.path.exists(os.path.join(vde_socket, "ctl")):
raise Exception("cannot start vde_switch")
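Review bot: the added `assert vde_process.stdout is not None` only narrows the type for mypy; the hang described in the TODO directly above (a `readline()` that never returns if `vde_switch` prints nothing) is unchanged. A bounded read, for example `select.select([vde_process.stdout], [], [], timeout)` before `readline()`, or a `vde_process.poll()` check that raises when the switch has already exited, would turn a silent forever-hang into a clear failure.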
@ -139,7 +143,7 @@ def retry(fn: Callable) -> None:
class Logger:
def __init__(self) -> None:
self.logfile = os.environ.get("LOGFILE", "/dev/null")
self.logfile_handle = open(self.logfile, "wb")
self.logfile_handle = codecs.open(self.logfile, "wb")
self.xml = XMLGenerator(self.logfile_handle, encoding="utf-8")
self.queue: "Queue[Dict[str, str]]" = Queue(1000)
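Review bot: `codecs.open(self.logfile, "wb")` with no `encoding=` argument returns the result of `builtins.open(filename, mode)` unchanged (that is exactly what `codecs.open` does when `encoding is None`), so this line is behaviourally identical to the `open(self.logfile, "wb")` it replaces and the new `import codecs` buys nothing. If the intent was a text-aware handle for `XMLGenerator`, pass `encoding="utf-8"` here (`codecs.open` adds the `b` itself in that case); otherwise revert to plain `open`.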
@ -739,6 +743,7 @@ class Machine:
self.shell, _ = self.shell_socket.accept()
def process_serial_output() -> None:
assert self.process.stdout is not None
for _line in self.process.stdout:
# Ignore undecodable bytes that may occur in boot menus
line = _line.decode(errors="ignore").replace("\r", "").rstrip()
@ -936,7 +941,7 @@ if __name__ == "__main__":
machine.process.kill()
for _, _, process, _ in vde_sockets:
process.kill()
process.terminate()
log.close()
tic = time.time()
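Review bot: `process.terminate()` (SIGTERM) is preferable to `kill()` here because it gives `vde_switch` the chance to remove its control socket, but nothing waits for the process afterwards. Add `process.wait(timeout=...)` with a fallback to `process.kill()` so the driver neither leaves zombie switches behind nor blocks forever on a switch that ignores SIGTERM.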

View File

@ -175,13 +175,13 @@ in rec {
nodeNames = builtins.attrNames nodes;
invalidNodeNames = lib.filter
(node: builtins.match "^[A-z_][A-z0-9_]+$" node == null) nodeNames;
(node: builtins.match "^[A-z_]([A-z0-9_]+)?$" node == null) nodeNames;
in
if lib.length invalidNodeNames > 0 then
throw ''
Cannot create machines out of (${lib.concatStringsSep ", " invalidNodeNames})!
All machines are referenced as perl variables in the testing framework which will break the
All machines are referenced as python variables in the testing framework which will break the
script when special characters are used.
Please stick to alphanumeric chars and underscores as separation.
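Review bot: the character class `[A-z]` is not "letters": in ASCII the range from `A` (0x41) to `z` (0x7a) also contains `[`, `\`, `]`, `^`, `_` and the backtick, so node names such as `web^1` or `db\1` pass this check and are then interpolated as identifiers into the generated Python script. Use `^[A-Za-z_][A-Za-z0-9_]*$`, which also removes the need for the `(...)?` wrapper that was added to allow one-character names and makes the check match the "alphanumeric chars and underscores" the error message promises.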

View File

@ -14,7 +14,7 @@ rec {
# becomes dev-xyzzy. FIXME: slow.
escapeSystemdPath = s:
replaceChars ["/" "-" " "] ["-" "\\x2d" "\\x20"]
(if hasPrefix "/" s then substring 1 (stringLength s) s else s);
(removePrefix "/" s);
# Returns a system path for a given shell package
toShellPath = shell:

View File

@ -0,0 +1 @@
azure

View File

@ -0,0 +1,42 @@
# azure
## Demo
Here's a demo of this being used: https://asciinema.org/a/euXb9dIeUybE3VkstLWLbvhmp
## Usage
This is meant to be an example image that you can copy into your own
project and modify to your own needs. Notice that the example image
includes a built-in test user account, which by default uses your
`~/.ssh/id_ed25519.pub` as an `authorized_key`.
Build and upload the image
```shell
$ ./upload-image.sh ./examples/basic/image.nix
...
+ attr=azbasic
+ nix-build ./examples/basic/image.nix --out-link azure
/nix/store/qdpzknpskzw30vba92mb24xzll1dqsmd-azure-image
...
95.5 %, 0 Done, 0 Failed, 1 Pending, 0 Skipped, 1 Total, 2-sec Throughput (Mb/s): 932.9565
...
/subscriptions/aff271ee-e9be-4441-b9bb-42f5af4cbaeb/resourceGroups/nixos-images/providers/Microsoft.Compute/images/azure-image-todo-makethisbetter
```
Take the output, boot an Azure VM:
```
img="/subscriptions/.../..." # use output from last command
./boot-vm.sh "${img}"
...
=> booted
```
## Future Work
1. If the user specifies a hard-coded user, then the agent could be removed.
Probably has security benefits; definitely has closure-size benefits.
(It's likely the VM will need to be booted with a special flag. See:
https://github.com/Azure/azure-cli/issues/12775 for details.)
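Review bot: the captured output of `upload-image.sh` shows a real-looking subscription id (`/subscriptions/aff271ee-...`) and an image named `azure-image-todo-makethisbetter`, while the "boot an Azure VM" snippet right below already redacts to `/subscriptions/.../...`. Redact the first one the same way so the author's subscription id does not ship in the repository, and rename the example image to `nixos-image`, which is what `img_name="nixos-image"` in `upload-image.sh` actually produces.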

View File

@ -0,0 +1,36 @@
#!/usr/bin/env bash
set -euo pipefail
set -x
image="${1}"
location="westus2"
group="nixos-test-vm"
vm_size="Standard_D2s_v3"; os_size=42;
# ensure group
az group create --location "westus2" --name "${group}"
group_id="$(az group show --name "${group}" -o tsv --query "[id]")"
# (optional) identity
if ! az identity show -n "${group}-identity" -g "${group}" &>/dev/stderr; then
az identity create --name "${group}-identity" --resource-group "${group}"
fi
# (optional) role assignment, to the resource group, bad but not really great alternatives
identity_id="$(az identity show --name "${group}-identity" --resource-group "${group}" -o tsv --query "[id]")"
principal_id="$(az identity show --name "${group}-identity" --resource-group "${group}" -o tsv --query "[principalId]")"
until az role assignment create --assignee "${principal_id}" --role "Owner" --scope "${group_id}"; do sleep 1; done
# boot vm
az vm create \
--name "${group}-vm" \
--resource-group "${group}" \
--assign-identity "${identity_id}" \
--size "${vm_size}" \
--os-disk-size-gb "${os_size}" \
--image "${image}" \
--admin-username "${USER}" \
--location "westus2" \
--storage-sku "Premium_LRS" \
--ssh-key-values "$(ssh-add -L)"
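Review bot: the VM's managed identity is granted `Owner` on the whole resource group (`az role assignment create --assignee "${principal_id}" --role "Owner" --scope "${group_id}"`), and the comment above it concedes this is bad: `Owner` includes `Microsoft.Authorization/*/write`, so any process running on the test VM can assign itself further roles. For an image boot smoke test the identity needs no role at all; if one is required, use `Reader` or a custom role scoped to what the test touches. Minor: `location="westus2"` is defined but both `--location "westus2"` literals bypass it, and `vm_size="Standard_D2s_v3"; os_size=42;` should be two lines like the other assignments.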

View File

@ -0,0 +1,7 @@
export group="${AZURE_RESOURCE_GROUP:-"azure"}"
export location="${AZURE_LOCATION:-"westus2"}"
img_file=$(echo azure/*.vhd)
img_name="$(basename "${img_file}")"
img_name="${img_name%".vhd"}"
export img_name="${img_name//[._]/-}"
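Review bot: `img_file=$(echo azure/*.vhd)` leaves the literal string `azure/*.vhd` in `img_file` when no VHD has been built and a space-separated list when more than one exists, so the derived `img_name` silently becomes `*` or a concatenation of names. Prefer `shopt -s nullglob; files=(azure/*.vhd)` followed by a check that exactly one file matched before deriving `img_name`.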

View File

@ -0,0 +1,10 @@
let
pkgs = (import <nixpkgs> {});
machine = import "${pkgs.path}/nixos/lib/eval-config.nix" {
system = "x86_64-linux";
modules = [
({config, ...}: { imports = [ ./system.nix ]; })
];
};
in
machine.config.system.build.azureImage

View File

@ -0,0 +1,34 @@
{ pkgs, modulesPath, ... }:
let username = "azurenixosuser";
in
{
imports = [
"${modulesPath}/virtualisation/azure-common.nix"
"${modulesPath}/virtualisation/azure-image.nix"
];
## NOTE: This is just an example of how to hard-code a user.
## The normal Azure agent IS included and DOES provision a user based
## on the information passed at VM creation time.
users.users."${username}" = {
isNormalUser = true;
home = "/home/${username}";
description = "Azure NixOS Test User";
openssh.authorizedKeys.keys = [ (builtins.readFile ~/.ssh/id_ed25519.pub) ];
};
nix.trustedUsers = [ username ];
virtualisation.azureImage.diskSize = 2500;
system.stateVersion = "20.03";
boot.kernelPackages = pkgs.linuxPackages_latest;
# test user doesn't have a password
services.openssh.passwordAuthentication = false;
security.sudo.wheelNeedsPassword = false;
environment.systemPackages = with pkgs; [
git file htop wget curl
];
}
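Review bot: `security.sudo.wheelNeedsPassword = false` has no effect on the only user this file creates, because `users.users."${username}"` is never added to `wheel` (`isNormalUser = true` does not do that); either add `extraGroups = [ "wheel" ];` to the user or drop the sudo line. Worth stating in the `## NOTE` comment as well: `nix.trustedUsers = [ username ]` makes the account effectively root-equivalent through the Nix daemon, and `builtins.readFile ~/.ssh/id_ed25519.pub` makes evaluation fail for anyone without that exact file, which is acceptable for an example but should be said explicitly.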

View File

@ -0,0 +1,13 @@
with (import ../../../../default.nix {});
stdenv.mkDerivation {
name = "nixcfg-azure-devenv";
nativeBuildInputs = [
azure-cli
bash
cacert
azure-storage-azcopy
];
AZURE_CONFIG_DIR="/tmp/azure-cli/.azure";
}
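Review bot: `AZURE_CONFIG_DIR="/tmp/azure-cli/.azure"` points the Azure CLI's login and token cache at a fixed, predictable path under the shared `/tmp`: on a multi-user machine another local user can pre-create `/tmp/azure-cli` before you run `az login`, and the cached credentials persist there for as long as `/tmp` does rather than being tied to your account. Use a per-user location (for example a directory under `$HOME`) or simply leave the CLI's default `~/.azure`, and document why a separate config dir is wanted at all.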

View File

@ -0,0 +1,58 @@
#!/usr/bin/env bash
set -euo pipefail
set -x
image_nix="${1:-"./examples/basic/image.nix"}"
nix-build "${image_nix}" --out-link "azure"
group="nixos-images"
location="westus2"
img_name="nixos-image"
img_file="$(readlink -f ./azure/disk.vhd)"
if ! az group show -n "${group}" &>/dev/null; then
az group create --name "${group}" --location "${location}"
fi
# note: the disk access token song/dance is tedious
# but allows us to upload direct to a disk image
# thereby avoid storage accounts (and naming them) entirely!
if ! az disk show -g "${group}" -n "${img_name}" &>/dev/null; then
bytes="$(stat -c %s ${img_file})"
size="30"
az disk create \
--resource-group "${group}" \
--name "${img_name}" \
--for-upload true --upload-size-bytes "${bytes}"
timeout=$(( 60 * 60 )) # disk access token timeout
sasurl="$(\
az disk grant-access \
--access-level Write \
--resource-group "${group}" \
--name "${img_name}" \
--duration-in-seconds ${timeout} \
| jq -r '.accessSas'
)"
azcopy copy "${img_file}" "${sasurl}" \
--blob-type PageBlob
az disk revoke-access \
--resource-group "${group}" \
--name "${img_name}"
fi
if ! az image show -g "${group}" -n "${img_name}" &>/dev/null; then
diskid="$(az disk show -g "${group}" -n "${img_name}" -o json | jq -r .id)"
az image create \
--resource-group "${group}" \
--name "${img_name}" \
--source "${diskid}" \
--os-type "linux" >/dev/null
fi
imageid="$(az image show -g "${group}" -n "${img_name}" -o json | jq -r .id)"
echo "${imageid}"
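Review bot: with `set -e`, a failing `azcopy copy` exits the script before `az disk revoke-access` runs, leaving a write-capable SAS URL valid for the full `timeout` of 3600 s; register `trap 'az disk revoke-access --resource-group "${group}" --name "${img_name}"' EXIT` right after the `grant-access` call (or handle the `azcopy` failure explicitly and revoke before exiting). `set -x` also prints that SAS URL to the terminal and to any CI log when the `azcopy copy "${img_file}" "${sasurl}"` line runs; wrap the grant/copy/revoke block in `set +x` ... `set -x` or drop tracing. Minor: `size="30"` is unused, and `stat -c %s ${img_file}` should quote the variable.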

View File

@ -8,10 +8,15 @@ in {
imports = [ ../../../modules/virtualisation/amazon-image.nix ];
# Required to provide good EBS experience,
# Amazon recomments setting this to the highest possible value for a good EBS
# experience, which prior to 4.15 was 255.
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html#timeout-nvme-ebs-volumes
# TODO change value to 4294967295 when kernel is updated to 4.15 or later
config.boot.kernelParams = [ "nvme_core.io_timeout=255" ];
config.boot.kernelParams =
let timeout =
if pkgs.lib.versionAtLeast config.boot.kernelPackages.kernel.version "4.15"
then "4294967295"
else "255";
in [ "nvme_core.io_timeout=${timeout}" ];
options.amazonImage = {
name = mkOption {

View File

@ -18,7 +18,7 @@ state_dir=$HOME/amis/ec2-images
home_region=eu-west-1
bucket=nixos-amis
regions=(eu-west-1 eu-west-2 eu-west-3 eu-central-1
regions=(eu-west-1 eu-west-2 eu-west-3 eu-central-1 eu-north-1
us-east-1 us-east-2 us-west-1 us-west-2
ca-central-1
ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2

View File

@ -77,7 +77,7 @@ with lib;
if [ -w "$themedir" ]; then
rm -f "$themedir"/icon-theme.cache
${pkgs.gtk3.out}/bin/gtk-update-icon-cache --ignore-theme-index "$themedir"
${pkgs.buildPackages.gtk3.out}/bin/gtk-update-icon-cache --ignore-theme-index "$themedir"
fi
done
'';

View File

@ -35,12 +35,22 @@ in
'';
};
networking.hostFiles = lib.mkOption {
type = types.listOf types.path;
defaultText = lib.literalExample "Hosts from `networking.hosts` and `networking.extraHosts`";
example = lib.literalExample ''[ "''${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]'';
description = ''
Files that should be concatenated together to form <filename>/etc/hosts</filename>.
'';
};
networking.extraHosts = lib.mkOption {
type = types.lines;
default = "";
example = "192.168.0.1 lanlocalhost";
description = ''
Additional verbatim entries to be appended to <filename>/etc/hosts</filename>.
For adding hosts from derivation results, use <option>networking.hostFiles</option> instead.
'';
};
@ -159,6 +169,15 @@ in
"::1" = [ "localhost" ];
};
networking.hostFiles = let
stringHosts =
let
oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip} + "\n";
allToString = set: concatMapStrings (oneToString set) (attrNames set);
in pkgs.writeText "string-hosts" (allToString (filterAttrs (_: v: v != []) cfg.hosts));
extraHosts = pkgs.writeText "extra-hosts" cfg.extraHosts;
in mkBefore [ stringHosts extraHosts ];
environment.etc =
{ # /etc/services: TCP/UDP port assignments.
services.source = pkgs.iana-etc + "/etc/services";
@ -167,12 +186,8 @@ in
protocols.source = pkgs.iana-etc + "/etc/protocols";
# /etc/hosts: Hostname-to-IP mappings.
hosts.text = let
oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip};
allToString = set: concatMapStringsSep "\n" (oneToString set) (attrNames set);
in ''
${allToString (filterAttrs (_: v: v != []) cfg.hosts)}
${cfg.extraHosts}
hosts.source = pkgs.runCommandNoCC "hosts" {} ''
cat ${escapeShellArgs cfg.hostFiles} > $out
'';
# /etc/host.conf: resolver configuration file
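Review bot: `cat ${escapeShellArgs cfg.hostFiles} > $out` relies on every listed file ending in a newline. A user-supplied blocklist whose last line lacks a terminator gets glued to the first line of the next file, which for `/etc/hosts` silently changes which name resolves to which address. This also affects the module's own `extra-hosts` file: `types.lines` does not append a trailing newline to a single definition and `pkgs.writeText` adds none either, so `networking.extraHosts = "192.168.0.1 lanlocalhost"` (the option's own example) followed by a `hostFiles` entry produces `192.168.0.1 lanlocalhost0.0.0.0 ...`. Normalise each input (`for f in ...; do cat "$f"; echo; done`) or at least state the requirement in the `networking.hostFiles` description.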

View File

@ -16,6 +16,10 @@ in
{
meta = {
maintainers = teams.gnome.members;
};
options = {
programs.bash.vteIntegration = mkOption {

View File

@ -2,6 +2,10 @@
with lib;
{
meta = {
maintainers = teams.freedesktop.members;
};
options = {
xdg.autostart.enable = mkOption {
type = types.bool;

View File

@ -2,6 +2,10 @@
with lib;
{
meta = {
maintainers = teams.freedesktop.members;
};
options = {
xdg.icons.enable = mkOption {
type = types.bool;

View File

@ -2,6 +2,10 @@
with lib;
{
meta = {
maintainers = teams.freedesktop.members;
};
options = {
xdg.menus.enable = mkOption {
type = types.bool;

View File

@ -2,6 +2,10 @@
with lib;
{
meta = {
maintainers = teams.freedesktop.members;
};
options = {
xdg.mime.enable = mkOption {
type = types.bool;

View File

@ -7,6 +7,10 @@ with lib;
(mkRenamedOptionModule [ "services" "flatpak" "extraPortals" ] [ "xdg" "portal" "extraPortals" ])
];
meta = {
maintainers = teams.freedesktop.members;
};
options.xdg.portal = {
enable =
mkEnableOption "<link xlink:href='https://github.com/flatpak/xdg-desktop-portal'>xdg desktop integration</link>"//{

View File

@ -2,6 +2,10 @@
with lib;
{
meta = {
maintainers = teams.freedesktop.members;
};
options = {
xdg.sounds.enable = mkOption {
type = types.bool;

View File

@ -8,7 +8,12 @@ with lib;
options = {
hardware.sensor.iio = {
enable = mkOption {
description = "Enable this option to support IIO sensors.";
description = ''
Enable this option to support IIO sensors.
IIO sensors are used for orientation and ambient light
sensors on some mobile devices.
'';
type = types.bool;
default = false;
};

View File

@ -0,0 +1,19 @@
{ config, pkgs, lib, ... }:
let
cfg = config.hardware.uinput;
in {
options.hardware.uinput = {
enable = lib.mkEnableOption "uinput support";
};
config = lib.mkIf cfg.enable {
boot.kernelModules = [ "uinput" ];
users.groups.uinput = {};
services.udev.extraRules = ''
SUBSYSTEM=="misc", KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput"
'';
};
}
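Review bot: the udev rule (`MODE="0660", GROUP="uinput"`) is the right shape, but the module says nothing about what membership in `uinput` grants: a process in that group can create virtual input devices and inject keystrokes and pointer events into every session on the machine, which is equivalent to sitting at the keyboard. Put that in the option description (a `lib.mkOption` with a full `description`, or a longer `mkEnableOption` string) so administrators add only the intended service accounts to the group.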

View File

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
with lib;
{
options.hardware.wooting.enable =
mkEnableOption "Enable support for Wooting keyboards";
config = mkIf config.hardware.wooting.enable {
environment.systemPackages = [ pkgs.wootility ];
services.udev.packages = [ pkgs.wooting-udev-rules ];
};
}
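Review bot: `mkEnableOption` prefixes its argument with "Whether to enable ", so this description renders as "Whether to enable Enable support for Wooting keyboards."; pass `"support for Wooting keyboards"` instead. The new `hardware/uinput.nix` in the same change uses the helper correctly (`mkEnableOption "uinput support"`).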

View File

@ -75,5 +75,9 @@ in
QT_IM_MODULE = "ibus";
XMODIFIERS = "@im=ibus";
};
xdg.portal.extraPortals = mkIf config.xdg.portal.enable [
ibusPackage
];
};
}

View File

@ -42,7 +42,10 @@ let
inherit (config.system.nixos-generate-config) configuration;
};
nixos-option = pkgs.callPackage ./nixos-option { };
nixos-option =
if lib.versionAtLeast (lib.getVersion pkgs.nix) "2.4pre"
then null
else pkgs.callPackage ./nixos-option { };
nixos-version = makeProg {
name = "nixos-version";
@ -184,10 +187,9 @@ in
nixos-install
nixos-rebuild
nixos-generate-config
nixos-option
nixos-version
nixos-enter
];
] ++ lib.optional (nixos-option != null) nixos-option;
system.build = {
inherit nixos-install nixos-generate-config nixos-option nixos-rebuild nixos-enter;
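Review bot: when `nixos-option` evaluates to `null`, the unchanged `system.build = { inherit ... nixos-option ... }` still sets `system.build.nixos-option = null`, so `nix-build -A config.system.build.nixos-option` and any module that reads the attribute gets `null` where a derivation was previously guaranteed. Filter it out of `system.build` the same way the `++ lib.optional (nixos-option != null) nixos-option` does for `systemPackages`, and add a comment explaining why the `2.4pre` version cut-off exists so it can be removed again later.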

View File

@ -17,6 +17,7 @@ let
inherit pkgs config;
version = config.system.nixos.release;
revision = "release-${version}";
extraSources = cfg.nixos.extraModuleSources;
options =
let
scrubbedEval = evalModules {
@ -163,6 +164,19 @@ in
'';
};
nixos.extraModuleSources = mkOption {
type = types.listOf (types.either types.path types.str);
default = [ ];
description = ''
Which extra NixOS module paths the generated NixOS's documentation should strip
from options.
'';
example = literalExample ''
# e.g. with options from modules in ''${pkgs.customModules}/nix:
[ pkgs.customModules ]
'';
};
};
};
@ -204,9 +218,7 @@ in
++ optionals config.services.xserver.enable [ desktopItem pkgs.nixos-icons ]);
services.mingetty.helpLine = mkIf cfg.doc.enable (
"\nRun `nixos-help` "
+ optionalString config.services.nixosManual.showManual "or press <Alt-F${toString config.services.nixosManual.ttyNumber}> "
+ "for the NixOS manual."
"\nRun 'nixos-help' for the NixOS manual."
);
})

View File

@ -133,7 +133,7 @@ in
tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
firebird = 95;
#keys = 96; # unused
#haproxy = 97; # DynamicUser as of 2019-11-08
#haproxy = 97; # dynamically allocated as of 2020-03-11
mongodb = 98;
openldap = 99;
#users = 100; # unused
@ -448,7 +448,7 @@ in
#tcpcryptd = 93; # unused
firebird = 95;
keys = 96;
#haproxy = 97; # DynamicUser as of 2019-11-08
#haproxy = 97; # dynamically allocated as of 2020-03-11
#mongodb = 98; # unused
openldap = 99;
munin = 102;

View File

@ -216,6 +216,14 @@ in
Ignored when <code>nixpkgs.pkgs</code> is set.
'';
};
initialSystem = mkOption {
type = types.str;
internal = true;
description = ''
Preserved value of <literal>system</literal> passed to <literal>eval-config.nix</literal>.
'';
};
};
config = {
@ -228,8 +236,8 @@ in
let
nixosExpectedSystem =
if config.nixpkgs.crossSystem != null
then config.nixpkgs.crossSystem.system
else config.nixpkgs.localSystem.system;
then config.nixpkgs.crossSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.crossSystem.config))
else config.nixpkgs.localSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.localSystem.config));
nixosOption =
if config.nixpkgs.crossSystem != null
then "nixpkgs.crossSystem"
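Review bot: the two `... .system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString ... .config))` fallbacks are identical apart from `crossSystem`/`localSystem`; factor them into a small helper in the enclosing `let` (e.g. `systemOf = s: s.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString s.config))`) so the derivation of the expected system lives in one place and the lines stay readable.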

View File

@ -64,6 +64,8 @@
./hardware/tuxedo-keyboard.nix
./hardware/usb-wwan.nix
./hardware/onlykey.nix
./hardware/wooting.nix
./hardware/uinput.nix
./hardware/video/amdgpu.nix
./hardware/video/amdgpu-pro.nix
./hardware/video/ati.nix
@ -200,6 +202,7 @@
./security/wrappers/default.nix
./security/sudo.nix
./security/systemd-confinement.nix
./security/tpm2.nix
./services/admin/oxidized.nix
./services/admin/salt/master.nix
./services/admin/salt/minion.nix
@ -247,9 +250,10 @@
./services/cluster/kubernetes/proxy.nix
./services/cluster/kubernetes/scheduler.nix
./services/computing/boinc/client.nix
./services/computing/torque/server.nix
./services/computing/torque/mom.nix
./services/computing/foldingathome/client.nix
./services/computing/slurm/slurm.nix
./services/computing/torque/mom.nix
./services/computing/torque/server.nix
./services/continuous-integration/buildbot/master.nix
./services/continuous-integration/buildbot/worker.nix
./services/continuous-integration/buildkite-agents.nix
@ -291,12 +295,12 @@
./services/desktops/deepin/deepin.nix
./services/desktops/dleyna-renderer.nix
./services/desktops/dleyna-server.nix
./services/desktops/pantheon/contractor.nix
./services/desktops/pantheon/files.nix
./services/desktops/flatpak.nix
./services/desktops/geoclue2.nix
./services/desktops/gsignond.nix
./services/desktops/gvfs.nix
./services/desktops/malcontent.nix
./services/desktops/pipewire.nix
./services/desktops/gnome3/at-spi2-core.nix
./services/desktops/gnome3/chrome-gnome-shell.nix
@ -364,6 +368,7 @@
./services/hardware/thermald.nix
./services/hardware/undervolt.nix
./services/hardware/vdr.nix
./services/hardware/xow.nix
./services/logging/SystemdJournal2Gelf.nix
./services/logging/awstats.nix
./services/logging/fluentd.nix
@ -405,6 +410,7 @@
./services/mail/sympa.nix
./services/mail/nullmailer.nix
./services/misc/airsonic.nix
./services/misc/ankisyncd.nix
./services/misc/apache-kafka.nix
./services/misc/autofs.nix
./services/misc/autorandr.nix
@ -430,7 +436,6 @@
./services/misc/ethminer.nix
./services/misc/exhibitor.nix
./services/misc/felix.nix
./services/misc/folding-at-home.nix
./services/misc/freeswitch.nix
./services/misc/fstrim.nix
./services/misc/gammu-smsd.nix
@ -465,7 +470,6 @@
./services/misc/nix-daemon.nix
./services/misc/nix-gc.nix
./services/misc/nix-optimise.nix
./services/misc/nixos-manual.nix
./services/misc/nix-ssh-serve.nix
./services/misc/novacomd.nix
./services/misc/nzbget.nix
@ -481,7 +485,6 @@
./services/misc/redmine.nix
./services/misc/rippled.nix
./services/misc/ripple-data-api.nix
./services/misc/rogue.nix
./services/misc/serviio.nix
./services/misc/safeeyes.nix
./services/misc/sickbeard.nix
@ -640,6 +643,7 @@
./services/networking/lldpd.nix
./services/networking/logmein-hamachi.nix
./services/networking/mailpile.nix
./services/networking/magic-wormhole-mailbox-server.nix
./services/networking/matterbridge.nix
./services/networking/mjpg-streamer.nix
./services/networking/minidlna.nix
@ -650,6 +654,7 @@
./services/networking/miredo.nix
./services/networking/mstpd.nix
./services/networking/mtprotoproxy.nix
./services/networking/mullvad-vpn.nix
./services/networking/murmur.nix
./services/networking/mxisd.nix
./services/networking/namecoind.nix
@ -678,6 +683,7 @@
./services/networking/ostinato.nix
./services/networking/owamp.nix
./services/networking/pdnsd.nix
./services/networking/pixiecore.nix
./services/networking/polipo.nix
./services/networking/powerdns.nix
./services/networking/pdns-recursor.nix
@ -688,6 +694,7 @@
./services/networking/prosody.nix
./services/networking/quagga.nix
./services/networking/quassel.nix
./services/networking/quorum.nix
./services/networking/quicktun.nix
./services/networking/racoon.nix
./services/networking/radicale.nix
@ -707,6 +714,7 @@
./services/networking/shorewall6.nix
./services/networking/shout.nix
./services/networking/sniproxy.nix
./services/networking/smartdns.nix
./services/networking/smokeping.nix
./services/networking/softether.nix
./services/networking/spacecookie.nix
@ -724,6 +732,7 @@
./services/networking/syncthing.nix
./services/networking/syncthing-relay.nix
./services/networking/syncplay.nix
./services/networking/tailscale.nix
./services/networking/tcpcrypt.nix
./services/networking/teamspeak3.nix
./services/networking/tedicross.nix
@ -817,6 +826,7 @@
./services/web-apps/documize.nix
./services/web-apps/dokuwiki.nix
./services/web-apps/frab.nix
./services/web-apps/gerrit.nix
./services/web-apps/gotify-server.nix
./services/web-apps/grocy.nix
./services/web-apps/icingaweb2/icingaweb2.nix

View File

@ -14,6 +14,9 @@ with lib;
nix.allowedUsers = mkDefault [ "@users" ];
environment.memoryAllocator.provider = mkDefault "scudo";
environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
security.hideProcessInformation = mkDefault true;
security.lockKernelModules = mkDefault true;
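Review bot: `environment.variables` only reaches shell sessions (it is written to `/etc/set-environment`, which the login shells source); systemd services start with a clean environment and therefore run scudo with `ZeroContents` off, which is precisely where an allocator hardening profile matters most. Set `SCUDO_OPTIONS` for units too, e.g. via `systemd.globalEnvironment`, or note in the profile that the setting is session-only.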

View File

@ -26,10 +26,6 @@ with lib;
# Show the manual.
documentation.nixos.enable = mkForce true;
services.nixosManual.showManual = true;
# Let the user play Rogue on TTY 8 during the installation.
#services.rogue.enable = true;
# Use less privileged nixos user
users.users.nixos = {

View File

@ -5,28 +5,34 @@ with lib;
let
cfg = config.programs.firejail;
wrappedBins = pkgs.stdenv.mkDerivation {
name = "firejail-wrapped-binaries";
nativeBuildInputs = with pkgs; [ makeWrapper ];
buildCommand = ''
wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"
{ preferLocalBuild = true;
allowSubstitutes = false;
}
''
mkdir -p $out/bin
${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: ''
cat <<_EOF >$out/bin/${command}
#!${pkgs.stdenv.shell} -e
/run/wrappers/bin/firejail ${binary} "\$@"
#! ${pkgs.runtimeShell} -e
exec /run/wrappers/bin/firejail ${binary} "\$@"
_EOF
chmod 0755 $out/bin/${command}
'') cfg.wrappedBinaries)}
'';
};
in {
options.programs.firejail = {
enable = mkEnableOption "firejail";
wrappedBinaries = mkOption {
type = types.attrs;
type = types.attrsOf types.path;
default = {};
example = literalExample ''
{
firefox = "''${lib.getBin pkgs.firefox}/bin/firefox";
mpv = "''${lib.getBin pkgs.mpv}/bin/mpv";
}
'';
description = ''
Wrap the binaries in firejail and place them in the global path.
</para>
@ -41,7 +47,7 @@ in {
config = mkIf cfg.enable {
security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";
environment.systemPackages = [ wrappedBins ];
environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];
};
meta.maintainers = with maintainers; [ peterhoeg ];
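Review bot: `[ pkgs.firejail ] ++ [ wrappedBins ]` is simply `[ pkgs.firejail wrappedBins ]`. Adding `pkgs.firejail` to `systemPackages` also puts the non-setuid `firejail` binary on `PATH` behind `/run/wrappers/bin`; that is harmless today because `/run/wrappers/bin` is searched first, but a short comment stating that the package is there for its profiles and man pages, while sandboxing still depends on the `security.wrappers.firejail` entry, would keep someone from later assuming the package alone suffices. The `exec` and `${pkgs.runtimeShell}` changes in the generated wrappers are correct.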

View File

@ -6,6 +6,10 @@ let
cfg = config.programs.geary;
in {
meta = {
maintainers = teams.gnome.members;
};
options = {
programs.geary.enable = mkEnableOption "Geary, a Mail client for GNOME 3";
};

View File

@ -6,6 +6,10 @@ with lib;
{
meta = {
maintainers = teams.gnome.members;
};
# Added 2019-08-09
imports = [
(mkRenamedOptionModule

View File

@ -6,6 +6,10 @@ with lib;
{
meta = {
maintainers = teams.gnome.members;
};
# Added 2019-08-09
imports = [
(mkRenamedOptionModule

View File

@ -12,6 +12,10 @@ in
{
meta = {
maintainers = teams.gnome.members;
};
# Added 2019-08-19
imports = [
(mkRenamedOptionModule
@ -20,9 +24,7 @@ in
];
options = {
programs.gnome-terminal.enable = mkEnableOption "GNOME Terminal";
};
config = mkIf cfg.enable {

View File

@ -1,6 +1,10 @@
{ config, lib, pkgs, ... }:
{
meta = {
maintainers = lib.teams.freedesktop.members;
};
options.programs.nm-applet.enable = lib.mkEnableOption "nm-applet";
config = lib.mkIf config.programs.nm-applet.enable {

View File

@ -14,8 +14,16 @@ in
{
imports = [
(mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ])
(mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "directDelivery" ] [ "services" "ssmtp" "enable" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "hostName" ] [ "services" "ssmtp" "hostName" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "domain" ] [ "services" "ssmtp" "domain" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "root" ] [ "services" "ssmtp" "root" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "useTLS" ] [ "services" "ssmtp" "useTLS" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "useSTARTTLS" ] [ "services" "ssmtp" "useSTARTTLS" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "authUser" ] [ "services" "ssmtp" "authUser" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "authPass" ] [ "services" "ssmtp" "authPass" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "authPassFile" ] [ "services" "ssmtp" "authPassFile" ])
(mkRenamedOptionModule [ "networking" "defaultMailServer" "setSendmail" ] [ "services" "ssmtp" "setSendmail" ])
];
options = {

View File

@ -21,12 +21,12 @@ with lib;
(mkRemovedOptionModule [ "services" "firefox" "syncserver" "group" ] "")
(mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.")
(mkRemovedOptionModule [ "environment.blcr.enable" ] "The BLCR module has been removed")
(mkRemovedOptionModule [ "services.beegfsEnable" ] "The BeeGFS module has been removed")
(mkRemovedOptionModule [ "services.beegfs" ] "The BeeGFS module has been removed")
(mkRemovedOptionModule [ "services.osquery" ] "The osquery module has been removed")
(mkRemovedOptionModule [ "services.fourStore" ] "The fourStore module has been removed")
(mkRemovedOptionModule [ "services.fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
(mkRemovedOptionModule [ "environment" "blcr" "enable" ] "The BLCR module has been removed")
(mkRemovedOptionModule [ "services" "beegfsEnable" ] "The BeeGFS module has been removed")
(mkRemovedOptionModule [ "services" "beegfs" ] "The BeeGFS module has been removed")
(mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")
(mkRemovedOptionModule [ "services" "fourStore" ] "The fourStore module has been removed")
(mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
(mkRemovedOptionModule [ "programs" "way-cooler" ] ("way-cooler is abandoned by its author: " +
"https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html"))
(mkRemovedOptionModule [ "services" "xserver" "multitouch" ] ''

View File

@ -302,7 +302,7 @@ in
lpath = "acme/${cert}";
apath = "/var/lib/${lpath}";
spath = "/var/lib/acme/.lego";
rights = if data.allowKeysForGroup then "750" else "700";
fileMode = if data.allowKeysForGroup then "640" else "600";
globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
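Review bot: `rights` is replaced by `fileMode` for the `*.pem` files, but the directory mode now appears as an inline duplicate of the same conditional further down (`StateDirectoryMode = if data.allowKeysForGroup then "750" else "700"`); define a `dirMode` next to `fileMode` in this `let` so the two cannot drift apart. Using `640`/`600` for the files is right for `key.pem` and `full.pem`, which contain the private key; it also applies to the public `cert.pem`/`chain.pem`/`fullchain.pem`, which is stricter than needed but not wrong.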
@ -318,7 +318,7 @@ in
description = "Renew ACME Certificate for ${cert}";
after = [ "network.target" "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
wantedBy = mkIf (!config.boot.isContainer) [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
# With RemainAfterExit the service is considered active even
@ -331,7 +331,7 @@ in
Group = data.group;
PrivateTmp = true;
StateDirectory = "acme/.lego ${lpath}";
StateDirectoryMode = rights;
StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
WorkingDirectory = spath;
# Only try loading the credentialsFile if the dns challenge is enabled
EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null;
@ -354,10 +354,11 @@ in
cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
ln -sf fullchain.pem cert.pem
cat key.pem fullchain.pem > full.pem
chmod ${rights} *.pem
chown '${data.user}:${data.group}' *.pem
fi
chmod ${fileMode} *.pem
chown '${data.user}:${data.group}' *.pem
${data.postRun}
'';
in
@ -399,7 +400,7 @@ in
# Give key acme permissions
chown '${data.user}:${data.group}' "${apath}/"{key,fullchain,full}.pem
chmod ${rights} "${apath}/"{key,fullchain,full}.pem
chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem
'';
serviceConfig = {
Type = "oneshot";

View File

@ -9,8 +9,7 @@ let
configFilePam = ''
[duo]
ikey=${cfg.ikey}
skey=${cfg.skey}
ikey=${cfg.integrationKey}
host=${cfg.host}
${optionalString (cfg.groups != "") ("groups="+cfg.groups)}
failmode=${cfg.failmode}
@ -24,26 +23,12 @@ let
motd=${boolToStr cfg.motd}
accept_env_factor=${boolToStr cfg.acceptEnvFactor}
'';
loginCfgFile = optionalAttrs cfg.ssh.enable {
"duo/login_duo.conf" =
{ source = pkgs.writeText "login_duo.conf" configFileLogin;
mode = "0600";
user = "sshd";
};
};
pamCfgFile = optional cfg.pam.enable {
"duo/pam_duo.conf" =
{ source = pkgs.writeText "pam_duo.conf" configFilePam;
mode = "0600";
user = "sshd";
};
};
in
{
imports = [
(mkRenamedOptionModule [ "security" "duosec" "group" ] [ "security" "duosec" "groups" ])
(mkRenamedOptionModule [ "security" "duosec" "ikey" ] [ "security" "duosec" "integrationKey" ])
(mkRemovedOptionModule [ "security" "duosec" "skey" ] "The insecure security.duosec.skey option has been replaced by a new security.duosec.secretKeyFile option. Use this new option to store a secure copy of your key instead.")
];
options = {
@ -60,14 +45,18 @@ in
description = "If enabled, protect logins with Duo Security using PAM support.";
};
ikey = mkOption {
integrationKey = mkOption {
type = types.str;
description = "Integration key.";
};
skey = mkOption {
type = types.str;
description = "Secret key.";
secretKeyFile = mkOption {
type = types.path;
default = null;
description = ''
A file containing your secret key. The security of your Duo application is tied to the security of your secret key.
'';
example = "/run/keys/duo-skey";
};
host = mkOption {
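Review bot: `secretKeyFile` is declared as `types.path` with `default = null`, but `null` is not a valid `types.path` value, so a configuration that enables duosec without setting the option fails with a "not of type `path`" error rather than a clear message that the key file is required (and the activation scripts would otherwise interpolate the literal `null` into `test -f "..."`). Either drop the default, making the option mandatory, which matches the removal of `skey`, or use `types.nullOr types.path` together with an assertion when `ssh.enable` or `pam.enable` is set.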
@ -198,7 +187,38 @@ in
environment.systemPackages = [ pkgs.duo-unix ];
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
environment.etc = loginCfgFile // pamCfgFile;
system.activationScripts = {
login_duo = mkIf cfg.ssh.enable ''
if test -f "${cfg.secretKeyFile}"; then
mkdir -m 0755 -p /etc/duo
umask 0077
conf="$(mktemp)"
{
cat ${pkgs.writeText "login_duo.conf" configFileLogin}
printf 'skey = %s\n' "$(cat ${cfg.secretKeyFile})"
} >"$conf"
chown sshd "$conf"
mv -fT "$conf" /etc/duo/login_duo.conf
fi
'';
pam_duo = mkIf cfg.pam.enable ''
if test -f "${cfg.secretKeyFile}"; then
mkdir -m 0755 -p /etc/duo
umask 0077
conf="$(mktemp)"
{
cat ${pkgs.writeText "login_duo.conf" configFilePam}
printf 'skey = %s\n' "$(cat ${cfg.secretKeyFile})"
} >"$conf"
mv -fT "$conf" /etc/duo/pam_duo.conf
fi
'';
};
/* If PAM *and* SSH are enabled, then don't do anything special.
If PAM isn't used, set the default SSH-only options. */
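Review bot: the `pam_duo` branch builds its file with `pkgs.writeText "login_duo.conf" configFilePam`; the name should be `pam_duo.conf` (cosmetic, but confusing when the store path appears in logs). More important, both branches silently do nothing when `secretKeyFile` is missing at activation time, leaving `/etc/duo/*.conf` absent or stale, so a typo in the path only shows up as a failed login; print a warning to stderr in an `else` branch. Moving the secret out of the world-readable Nix store into a root-only file written via `mktemp` under `umask 0077` and atomically renamed is the right design. Two details worth confirming: the old config used `skey=${...}` without spaces while the new `printf 'skey = %s\n'` adds them (check Duo's INI parser accepts both), and only `login_duo.conf` gets `chown sshd` while `pam_duo.conf` stays root-owned, which is fine since PAM runs as root but deserves a comment.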

View File

@ -59,10 +59,8 @@ in
exec ${package}/bin/google_authorized_keys "$@"
'';
};
services.openssh.extraConfig = ''
AuthorizedKeysCommand /etc/ssh/authorized_keys_command_google_oslogin %u
AuthorizedKeysCommandUser nobody
'';
services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command_google_oslogin %u";
services.openssh.authorizedKeysCommandUser = "nobody";
};
}

View File

@ -0,0 +1,185 @@
{ lib, pkgs, config, ... }:
let
cfg = config.security.tpm2;
# This snippet is taken from tpm2-tss/dist/tpm-udev.rules, but modified to allow custom user/groups
# The idea is that the tssUser is allowed to acess the TPM and kernel TPM resource manager, while
# the tssGroup is only allowed to access the kernel resource manager
# Therefore, if either of the two are null, the respective part isn't generated
udevRules = tssUser: tssGroup: ''
${lib.optionalString (tssUser != null) ''KERNEL=="tpm[0-9]*", MODE="0660", OWNER="${tssUser}"''}
${lib.optionalString (tssUser != null || tssGroup != null)
''KERNEL=="tpmrm[0-9]*", MODE="0660"''
+ lib.optionalString (tssUser != null) '', OWNER="${tssUser}"''
+ lib.optionalString (tssGroup != null) '', GROUP="${tssGroup}"''
}
'';
in {
options.security.tpm2 = {
enable = lib.mkEnableOption "Trusted Platform Module 2 support";
tssUser = lib.mkOption {
description = ''
Name of the tpm device-owner and service user, set if applyUdevRules is
set.
'';
type = lib.types.nullOr lib.types.str;
default = if cfg.abrmd.enable then "tss" else "root";
defaultText = ''"tss" when using the userspace resource manager,'' +
''"root" otherwise'';
};
tssGroup = lib.mkOption {
description = ''
Group of the tpm kernel resource manager (tpmrm) device-group, set if
applyUdevRules is set.
'';
type = lib.types.nullOr lib.types.str;
default = "tss";
};
applyUdevRules = lib.mkOption {
description = ''
Whether to make the /dev/tpm[0-9] devices accessible by the tssUser, or
the /dev/tpmrm[0-9] by tssGroup respectively
'';
type = lib.types.bool;
default = true;
};
abrmd = {
enable = lib.mkEnableOption ''
Trusted Platform 2 userspace resource manager daemon
'';
package = lib.mkOption {
description = "tpm2-abrmd package to use";
type = lib.types.package;
default = pkgs.tpm2-abrmd;
defaultText = "pkgs.tpm2-abrmd";
};
};
pkcs11 = {
enable = lib.mkEnableOption ''
TPM2 PKCS#11 tool and shared library in system path
(<literal>/run/current-system/sw/lib/libtpm2_pkcs11.so</literal>)
'';
package = lib.mkOption {
description = "tpm2-pkcs11 package to use";
type = lib.types.package;
default = pkgs.tpm2-pkcs11;
defaultText = "pkgs.tpm2-pkcs11";
};
};
tctiEnvironment = {
enable = lib.mkOption {
description = ''
Set common TCTI environment variables to the specified value.
The variables are
<itemizedlist>
<listitem>
<para>
<literal>TPM2TOOLS_TCTI</literal>
</para>
</listitem>
<listitem>
<para>
<literal>TPM2_PKCS11_TCTI</literal>
</para>
</listitem>
</itemizedlist>
'';
type = lib.types.bool;
default = false;
};
interface = lib.mkOption {
description = ''
The name of the TPM command transmission interface (TCTI) library to
use.
'';
type = lib.types.enum [ "tabrmd" "device" ];
default = "device";
};
deviceConf = lib.mkOption {
description = ''
Configuration part of the device TCTI, e.g. the path to the TPM device.
Applies if interface is set to "device".
The format is specified in the
<link xlink:href="https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md#tcti-options">
tpm2-tools repository</link>.
'';
type = lib.types.str;
default = "/dev/tpmrm0";
};
tabrmdConf = lib.mkOption {
description = ''
Configuration part of the tabrmd TCTI, like the D-Bus bus name.
Applies if interface is set to "tabrmd".
The format is specified in the
<link xlink:href="https://github.com/tpm2-software/tpm2-tools/blob/master/man/common/tcti.md#tcti-options">
tpm2-tools repository</link>.
'';
type = lib.types.str;
default = "bus_name=com.intel.tss2.Tabrmd";
};
};
};
config = lib.mkIf cfg.enable (lib.mkMerge [
{
# PKCS11 tools and library
environment.systemPackages = lib.mkIf cfg.pkcs11.enable [
(lib.getBin cfg.pkcs11.package)
(lib.getLib cfg.pkcs11.package)
];
services.udev.extraRules = lib.mkIf cfg.applyUdevRules
(udevRules cfg.tssUser cfg.tssGroup);
# Create the tss user and group only if the default value is used
users.users.${cfg.tssUser} = lib.mkIf (cfg.tssUser == "tss") {
isSystemUser = true;
};
users.groups.${cfg.tssGroup} = lib.mkIf (cfg.tssGroup == "tss") {};
environment.variables = lib.mkIf cfg.tctiEnvironment.enable (
lib.attrsets.genAttrs [
"TPM2TOOLS_TCTI"
"TPM2_PKCS11_TCTI"
] (_: ''${cfg.tctiEnvironment.interface}:${
if cfg.tctiEnvironment.interface == "tabrmd" then
cfg.tctiEnvironment.tabrmdConf
else
cfg.tctiEnvironment.deviceConf
}'')
);
}
(lib.mkIf cfg.abrmd.enable {
systemd.services."tpm2-abrmd" = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "dbus";
Restart = "always";
RestartSec = 30;
BusName = "com.intel.tss2.Tabrmd";
StandardOutput = "syslog";
ExecStart = "${cfg.abrmd.package}/bin/tpm2-abrmd";
User = "tss";
Group = "nogroup";
};
};
services.dbus.packages = lib.singleton cfg.abrmd.package;
})
]);
meta.maintainers = with lib.maintainers; [ lschuermann ];
}
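Review bot: the tpm2-abrmd unit hardcodes `User = "tss";` and `Group = "nogroup";` while the udev rules grant device access to `cfg.tssUser` / `cfg.tssGroup`; if a user overrides tssUser, the daemon runs as an account the module does not create (`users.users.tss` is only defined when tssUser == "tss") and without access to /dev/tpmrm0. Use `User = cfg.tssUser;` and `Group = cfg.tssGroup;` and assert that both are non-null when `abrmd.enable` is set. Smaller points in the same file: `StandardOutput = "syslog"` is deprecated in favour of the journal default, the abrmd enable description reads "Trusted Platform 2 userspace resource manager daemon" (missing "Module"), and "acess" in the udev comment is a typo.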

View File

@ -63,9 +63,11 @@ in {
javaProperties = mkOption {
type = types.attrs;
default = { };
example = {
example = literalExample ''
{
"java.net.preferIPv4Stack" = "true";
};
}
'';
apply = attrs: {
"activemq.base" = "${cfg.baseDir}";
"activemq.data" = "${cfg.baseDir}/data";

View File

@ -189,6 +189,7 @@ let
in {
meta.maintainers = with maintainers; [ dotlambda ];
meta.doc = ./borgbackup.xml;
###### interface
@ -197,10 +198,11 @@ in {
Deduplicating backups using BorgBackup.
Adding a job will cause a borg-job-NAME wrapper to be added
to your system path, so that you can perform maintenance easily.
See also the chapter about BorgBackup in the NixOS manual.
'';
default = { };
example = literalExample ''
{
{ # for a local backup
rootBackup = {
paths = "/";
exclude = [ "/nix" ];
@ -213,6 +215,23 @@ in {
startAt = "weekly";
};
}
{ # Root backing each day up to a remote backup server. We assume that you have
# * created a password less key: ssh-keygen -N "" -t ed25519 -f /path/to/ssh_key
# best practices are: use -t ed25519, /path/to = /run/keys
# * the passphrase is in the file /run/keys/borgbackup_passphrase
# * you have initialized the repository manually
paths = [ "/etc" "/home" ];
exclude = [ "/nix" "'**/.cache'" ];
doInit = false;
repo = "user3@arep.repo.borgbase.com:repo";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /path/to/passphrase";
};
environment = { BORG_RSH = "ssh -i /path/to/ssh_key"; };
compression = "auto,lzma";
startAt = "daily";
};
'';
type = types.attrsOf (types.submodule (let globalConfig = config; in
{ name, config, ... }: {
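Review bot: the second example block is not a valid value for this option: unlike the first one (`{ rootBackup = { ... }; }`) it is a bare set of job settings with no job name, so copying it into `services.borgbackup.jobs` fails to evaluate; wrap it as `{ remoteBackup = { ... }; }`. The comments also say the passphrase lives in /run/keys/borgbackup_passphrase while `passCommand = "cat /path/to/passphrase";` reads a different file; pick one. The inner single quotes in `"'**/.cache'"` look like a shell-quoting leftover and will be part of the pattern if the module escapes its arguments; verify they are intended before documenting them.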
@ -268,6 +287,8 @@ in {
<manvolnum>7</manvolnum></citerefentry>.
If you do not want the backup to start
automatically, use <literal>[ ]</literal>.
It will generate a systemd service borgbackup-job-NAME.
You may trigger it manually via systemctl restart borgbackup-job-NAME.
'';
};
@ -303,6 +324,10 @@ in {
you to specify a <option>passCommand</option>
or a <option>passphrase</option>.
'';
example = ''
encryption.mode = "repokey-blake2" ;
encryption.passphrase = "mySecretPassphrase" ;
'';
};
encryption.passCommand = mkOption {
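Review bot: this example puts `encryption.passphrase = "mySecretPassphrase" ;` in the configuration, which lands in the world-readable Nix store, exactly what the option description two lines above warns about. Show `encryption.passCommand = "cat /run/keys/borgbackup_passphrase";` instead, and drop the stray spaces before the semicolons.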
@ -538,6 +563,7 @@ in {
description = ''
Serve BorgBackup repositories to given public SSH keys,
restricting their access to the repository only.
See also the chapter about BorgBackup in the NixOS manual.
Also, clients do not need to specify the absolute path when accessing the repository,
i.e. <literal>user@machine:.</literal> is enough. (Note colon and dot.)
'';

View File

@ -0,0 +1,227 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="module-borgbase">
<title>BorgBackup</title>
<para>
<emphasis>Source:</emphasis>
<filename>modules/services/backup/borgbackup.nix</filename>
</para>
<para>
<emphasis>Upstream documentation:</emphasis>
<link xlink:href="https://borgbackup.readthedocs.io/"/>
</para>
<para>
<link xlink:href="https://www.borgbackup.org/">BorgBackup</link> (short: Borg)
is a deduplicating backup program. Optionally, it supports compression and
authenticated encryption.
</para>
<para>
The main goal of Borg is to provide an efficient and secure way to backup
data. The data deduplication technique used makes Borg suitable for daily
backups since only changes are stored. The authenticated encryption technique
makes it suitable for backups to not fully trusted targets.
</para>
<section xml:id="module-services-backup-borgbackup-configuring">
<title>Configuring</title>
<para>
A complete list of options for the Borgbase module may be found
<link linkend="opt-services.borgbackup.jobs">here</link>.
</para>
</section>
<section xml:id="opt-services-backup-borgbackup-local-directory">
<title>Basic usage for a local backup</title>
<para>
A very basic configuration for backing up to a locally accessible directory
is:
<programlisting>
{
opt.services.borgbackup.jobs = {
{ rootBackup = {
paths = "/";
exclude = [ "/nix" "/path/to/local/repo" ];
repo = "/path/to/local/repo";
doInit = true;
encryption = {
mode = "repokey";
passphrase = "secret";
};
compression = "auto,lzma";
startAt = "weekly";
};
}
};
}</programlisting>
</para>
<warning>
<para>
If you do not want the passphrase to be stored in the world-readable
Nix store, use passCommand. You find an example below.
</para>
</warning>
</section>
<section xml:id="opt-services-backup-create-server">
<title>Create a borg backup server</title>
<para>You should use a different SSH key for each repository you write to,
because the specified keys are restricted to running borg serve and can only
access this single repository. You need the output of the generate pub file.
</para>
<para>
<programlisting>
# sudo ssh-keygen -N '' -t ed25519 -f /run/keys/id_ed25519_my_borg_repo
# cat /run/keys/id_ed25519_my_borg_repo
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID78zmOyA+5uPG4Ot0hfAy+sLDPU1L4AiIoRYEIVbbQ/ root@nixos</programlisting>
</para>
<para>
Add the following snippet to your NixOS configuration:
<programlisting>
{
services.borgbackup.repos = {
my_borg_repo = {
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID78zmOyA+5uPG4Ot0hfAy+sLDPU1L4AiIoRYEIVbbQ/ root@nixos"
] ;
path = "/var/lib/my_borg_repo" ;
};
};
}</programlisting>
</para>
</section>
<section xml:id="opt-services-backup-borgbackup-remote-server">
<title>Backup to the borg repository server</title>
<para>The following NixOS snippet creates an hourly backup to the service
(on the host nixos) as created in the section above. We assume
that you have stored a secret passphrasse in the file
<code>/run/keys/borgbackup_passphrase</code>, which should be only
accessible by root
</para>
<para>
<programlisting>
{
services.borgbackup.jobs = {
backupToLocalServer = {
paths = [ "/etc/nixos" ];
doInit = true;
repo = "borg@nixos:." ;
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/keys/borgbackup_passphrase";
};
environment = { BORG_RSH = "ssh -i /run/keys/id_ed25519_my_borg_repo"; };
compression = "auto,lzma";
startAt = "hourly";
};
};
};</programlisting>
</para>
<para>The following few commands (run as root) let you test your backup.
<programlisting>
> nixos-rebuild switch
...restarting the following units: polkit.service
> systemctl restart borgbackup-job-backupToLocalServer
> sleep 10
> systemctl restart borgbackup-job-backupToLocalServer
> export BORG_PASSPHRASE=topSecrect
> borg list --rsh='ssh -i /run/keys/id_ed25519_my_borg_repo' borg@nixos:.
nixos-backupToLocalServer-2020-03-30T21:46:17 Mon, 2020-03-30 21:46:19 [84feb97710954931ca384182f5f3cb90665f35cef214760abd7350fb064786ac]
nixos-backupToLocalServer-2020-03-30T21:46:30 Mon, 2020-03-30 21:46:32 [e77321694ecd160ca2228611747c6ad1be177d6e0d894538898de7a2621b6e68]</programlisting>
</para>
</section>
<section xml:id="opt-services-backup-borgbackup-borgbase">
<title>Backup to a hosting service</title>
<para>
Several companies offer <link
xlink:href="https://www.borgbackup.org/support/commercial.html">(paid)
hosting services</link> for Borg repositories.
</para>
<para>
To backup your home directory to borgbase you have to:
</para>
<itemizedlist>
<listitem>
<para>
Generate a SSH key without a password, to access the remote server. E.g.
</para>
<para>
<programlisting>sudo ssh-keygen -N '' -t ed25519 -f /run/keys/id_ed25519_borgbase</programlisting>
</para>
</listitem>
<listitem>
<para>
Create the repository on the server by following the instructions for your
hosting server.
</para>
</listitem>
<listitem>
<para>
Initialize the repository on the server. Eg.
<programlisting>
sudo borg init --encryption=repokey-blake2 \
-rsh "ssh -i /run/keys/id_ed25519_borgbase" \
zzz2aaaaa@zzz2aaaaa.repo.borgbase.com:repo</programlisting>
</para>
</listitem>
<listitem>
<para>Add it to your NixOS configuration, e.g.
<programlisting>
{
services.borgbackup.jobs = {
my_Remote_Backup = {
paths = [ "/" ];
exclude = [ "/nix" "'**/.cache'" ];
repo = "zzz2aaaaa@zzz2aaaaa.repo.borgbase.com:repo";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/keys/borgbackup_passphrase";
};
BORG_RSH = "ssh -i /run/keys/id_ed25519_borgbase";
compression = "auto,lzma";
startAt = "daily";
};
};
}}</programlisting>
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="opt-services-backup-borgbackup-vorta">
<title>Vorta backup client for the desktop</title>
<para>
Vorta is a backup client for macOS and Linux desktops. It integrates the
mighty BorgBackup with your desktop environment to protect your data from
disk failure, ransomware and theft.
</para>
<para>
It is available as a flatpak package. To enable it you must set the
following two configuration items.
</para>
<para>
<programlisting>
services.flatpak.enable = true ;
# next line is needed to avoid the Error
# Error deploying: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown:
services.accounts-daemon.enable = true;
</programlisting>
</para>
<para>As a normal user you must first install, then run vorta using the
following commands:
<programlisting>
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak install flathub com.borgbase.Vorta
flatpak run --branch=stable --arch=x86_64 --command=vorta com.borgbase.Vorta
</programlisting>
After running <code>flatpak install</code> you can start Vorta also via
the KDE application menu.
</para>
<para>
Details about using Vorta can be found under <link
xlink:href="https://vorta.borgbase.com/usage">https://vorta.borgbase.com
</link>.
</para>
</section>
</chapter>
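Review bot: the key-generation snippet prints the private key: `cat /run/keys/id_ed25519_my_borg_repo` should be `cat /run/keys/id_ed25519_my_borg_repo.pub`, since it is the public half that goes into `authorizedKeys`, and a manual that shows readers catting a private key invites pasting it into a config. Several of the Nix snippets also do not evaluate: the local example has `opt.services.borgbackup.jobs = { { rootBackup = ...` (stray `opt.` prefix and an extra brace level), the borgbase example ends with `}}` and places `BORG_RSH = ...` at the job level instead of inside `environment = { ... }`, and the `borg init` call uses `-rsh` where the option is `--rsh`. Minor: `export BORG_PASSPHRASE=topSecrect` contradicts the passphrase file the job reads, "passphrasse" and "Borgbase module" (should be "BorgBackup module") are typos, and the test sequence (restart, sleep 10, restart) deserves one sentence saying it is meant to produce the two archives shown by `borg list`.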

View File

@ -138,7 +138,11 @@ in {
};
}));
default = {};
example."pool/test".target = "root@target:pool/test";
example = literalExample ''
{
"pool/test".target = "root@target:pool/test";
}
'';
description = "Syncoid commands to run.";
};
};

View File

@ -7,33 +7,41 @@ with lib;
options.services.hadoop = {
coreSite = mkOption {
default = {};
example = {
example = literalExample ''
{
"fs.defaultFS" = "hdfs://localhost";
};
}
'';
description = "Hadoop core-site.xml definition";
};
hdfsSite = mkOption {
default = {};
example = {
example = literalExample ''
{
"dfs.nameservices" = "namenode1";
};
}
'';
description = "Hadoop hdfs-site.xml definition";
};
mapredSite = mkOption {
default = {};
example = {
example = literalExample ''
{
"mapreduce.map.cpu.vcores" = "1";
};
}
'';
description = "Hadoop mapred-site.xml definition";
};
yarnSite = mkOption {
default = {};
example = {
example = literalExample ''
{
"yarn.resourcemanager.ha.id" = "resourcemanager1";
};
}
'';
description = "Hadoop yarn-site.xml definition";
};

View File

@ -0,0 +1,81 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.foldingathome;
args =
["--team" "${toString cfg.team}"]
++ lib.optionals (cfg.user != null) ["--user" cfg.user]
++ cfg.extraArgs
;
in
{
imports = [
(mkRenamedOptionModule [ "services" "foldingAtHome" ] [ "services" "foldingathome" ])
(mkRenamedOptionModule [ "services" "foldingathome" "nickname" ] [ "services" "foldingathome" "user" ])
(mkRemovedOptionModule [ "services" "foldingathome" "config" ] ''
Use <literal>services.foldingathome.extraArgs instead<literal>
'')
];
options.services.foldingathome = {
enable = mkEnableOption "Enable the Folding@home client";
package = mkOption {
type = types.package;
default = pkgs.fahclient;
defaultText = "pkgs.fahclient";
description = ''
Which Folding@home client to use.
'';
};
user = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
The user associated with the reported computation results. This will
be used in the ranking statistics.
'';
};
team = mkOption {
type = types.int;
default = 236565;
description = ''
The team ID associated with the reported computation results. This
will be used in the ranking statistics.
By default, use the NixOS folding@home team ID is being used.
'';
};
extraArgs = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Extra startup options for the FAHClient. Run
<literal>FAHClient --help</literal> to find all the available options.
'';
};
};
config = mkIf cfg.enable {
systemd.services.foldingathome = {
description = "Folding@home client";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = ''
exec ${cfg.package}/bin/FAHClient ${lib.escapeShellArgs args}
'';
serviceConfig = {
DynamicUser = true;
StateDirectory = "foldingathome";
WorkingDirectory = "%S/foldingathome";
};
};
};
meta = {
maintainers = with lib.maintainers; [ zimbatm ];
};
}
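Review bot: the mkRemovedOptionModule message has an unclosed tag, `<literal>services.foldingathome.extraArgs instead<literal>` should end with `</literal>`. `enable = mkEnableOption "Enable the Folding@home client"` renders as "Whether to enable Enable the Folding@home client." because mkEnableOption prepends "Whether to enable"; use `mkEnableOption "the Folding@home client"`. The team description "By default, use the NixOS folding@home team ID is being used." needs rewording, e.g. "By default the NixOS Folding@home team ID is used."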

View File

@ -208,8 +208,12 @@ in
description = "Buildkite agent user";
extraGroups = [ "keys" ];
isSystemUser = true;
group = "buildkite-agent-${name}";
};
});
config.users.groups = mapAgents (name: cfg: {
"buildkite-agent-${name}" = {};
});
config.systemd.services = mapAgents (name: cfg: {
"buildkite-agent-${name}" =

View File

@ -120,10 +120,16 @@ in
++ optional hasDocker "docker.service";
requires = optional hasDocker "docker.service";
wantedBy = [ "multi-user.target" ];
reloadIfChanged = true;
restartTriggers = [
config.environment.etc."gitlab-runner/config.toml".source
];
serviceConfig = {
StateDirectory = "gitlab-runner";
ExecReload= "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ExecStart = ''${cfg.package.bin}/bin/gitlab-runner run \
--working-directory ${cfg.workDir} \
--config ${configFile} \
--config /etc/gitlab-runner/config.toml \
--service gitlab-runner \
--user gitlab-runner \
'';
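Review bot: `reloadIfChanged = true` makes switch-to-configuration reload rather than restart the unit whenever the unit changes, including when `cfg.package` changes, so an upgraded gitlab-runner binary keeps running as the old version until someone restarts the service by hand. If the goal is only to survive config.toml edits, keep the `restartTriggers` entry for the config and drop `reloadIfChanged`, or document the caveat in the module. Nit: `ExecReload= "..."` has inconsistent spacing around `=`.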
@ -138,6 +144,9 @@ in
# Make the gitlab-runner command availabe so users can query the runner
environment.systemPackages = [ cfg.package ];
# Make sure the config can be reloaded on change
environment.etc."gitlab-runner/config.toml".source = configFile;
users.users.gitlab-runner = {
group = "gitlab-runner";
extraGroups = optional hasDocker "docker";

View File

@ -37,6 +37,8 @@ let
haveLocalDB = cfg.dbi == localDB;
inherit (config.system) stateVersion;
in
{
@ -63,8 +65,7 @@ in
};
package = mkOption {
type = types.path;
default = pkgs.hydra;
type = types.package;
defaultText = "pkgs.hydra";
description = "The Hydra package.";
};
@ -194,6 +195,34 @@ in
config = mkIf cfg.enable {
warnings = optional (cfg.package.migration or false) ''
You're currently deploying an older version of Hydra which is needed to
make some required database changes[1]. As soon as this is done, it's recommended
to run `hydra-backfill-ids` and set `services.hydra.package` to either `pkgs.hydra-unstable`
or `pkgs.hydra-flakes` after that.
[1] https://github.com/NixOS/hydra/pull/711
'';
services.hydra.package = with pkgs;
mkDefault (
if pkgs ? hydra
then throw ''
The Hydra package doesn't exist anymore in `nixpkgs`! It probably exists
due to an overlay. To upgrade Hydra, you need to take two steps as some
bigger changes in the database schema were implemented recently[1]. You first
need to deploy `pkgs.hydra-migration`, run `hydra-backfill-ids` on the server
and then deploy either `pkgs.hydra-unstable` or `pkgs.hydra-flakes`.
If you want to use `pkgs.hydra` from your overlay, please set `services.hydra.package`
explicitly to `pkgs.hydra` and make sure you know what you're doing.
[1] https://github.com/NixOS/hydra/pull/711
''
else if versionOlder stateVersion "20.03" then hydra-migration
else hydra-unstable
);
users.groups.hydra = {
gid = config.ids.gids.hydra;
};

View File

@ -10,16 +10,13 @@ let
isMariaDB = lib.getName mysql == lib.getName pkgs.mariadb;
isMysqlAtLeast57 =
(lib.getName mysql == lib.getName pkgs.mysql57)
&& (builtins.compareVersions mysql.version "5.7" >= 0);
mysqldOptions =
"--user=${cfg.user} --datadir=${cfg.dataDir} --basedir=${mysql}";
# For MySQL 5.7+, --insecure creates the root user without password
# (earlier versions and MariaDB do this by default).
installOptions =
"${mysqldOptions} ${lib.optionalString isMysqlAtLeast57 "--insecure"}";
settingsFile = pkgs.writeText "my.cnf" (
generators.toINI { listsAsDuplicateKeys = true; } cfg.settings +
optionalString (cfg.extraOptions != null) "[mysqld]\n${cfg.extraOptions}"
);
in
@ -76,9 +73,64 @@ in
description = "Location where MySQL stores its table files";
};
configFile = mkOption {
type = types.path;
default = settingsFile;
defaultText = "settingsFile";
description = ''
Override the configuration file used by MySQL. By default,
NixOS generates one automatically from <option>services.mysql.settings</option>.
'';
example = literalExample ''
pkgs.writeText "my.cnf" '''
[mysqld]
datadir = /var/lib/mysql
bind-address = 127.0.0.1
port = 3336
plugin-load-add = auth_socket.so
!includedir /etc/mysql/conf.d/
''';
'';
};
settings = mkOption {
type = with types; attrsOf (attrsOf (oneOf [ bool int str (listOf str) ]));
default = {};
description = ''
MySQL configuration. Refer to
<link xlink:href="https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html"/>,
<link xlink:href="https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html"/>,
and <link xlink:href="https://mariadb.com/kb/en/server-system-variables/"/>
for details on supported values.
<note>
<para>
MySQL configuration options such as <literal>--quick</literal> should be treated as
boolean options and provided values such as <literal>true</literal>, <literal>false</literal>,
<literal>1</literal>, or <literal>0</literal>. See the provided example below.
</para>
</note>
'';
example = literalExample ''
{
mysqld = {
key_buffer_size = "6G";
table_cache = 1600;
log-error = "/var/log/mysql_err.log";
plugin-load-add = [ "server_audit" "ed25519=auth_ed25519" ];
};
mysqldump = {
quick = true;
max_allowed_packet = "16M";
};
}
'';
};
extraOptions = mkOption {
type = types.lines;
default = "";
type = with types; nullOr lines;
default = null;
example = ''
key_buffer_size = 6G
table_cache = 1600
@ -252,10 +304,27 @@ in
config = mkIf config.services.mysql.enable {
warnings = optional (cfg.extraOptions != null) "services.mysql.`extraOptions` is deprecated, please use services.mysql.`settings`.";
services.mysql.dataDir =
mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/mysql"
else "/var/mysql");
services.mysql.settings.mysqld = mkMerge [
{
datadir = cfg.dataDir;
bind-address = mkIf (cfg.bind != null) cfg.bind;
port = cfg.port;
plugin-load-add = optional (cfg.ensureUsers != []) "auth_socket.so";
}
(mkIf (cfg.replication.role == "master" || cfg.replication.role == "slave") {
log-bin = "mysql-bin-${toString cfg.replication.serverId}";
log-bin-index = "mysql-bin-${toString cfg.replication.serverId}.index";
relay-log = "mysql-relay-bin";
server-id = cfg.replication.serverId;
})
];
users.users.mysql = {
description = "MySQL server user";
group = "mysql";
@ -266,25 +335,7 @@ in
environment.systemPackages = [mysql];
environment.etc."my.cnf".text =
''
[mysqld]
port = ${toString cfg.port}
datadir = ${cfg.dataDir}
${optionalString (cfg.bind != null) "bind-address = ${cfg.bind}" }
${optionalString (cfg.replication.role == "master" || cfg.replication.role == "slave")
''
log-bin=mysql-bin-${toString cfg.replication.serverId}
log-bin-index=mysql-bin-${toString cfg.replication.serverId}.index
relay-log=mysql-relay-bin
server-id = ${toString cfg.replication.serverId}
''}
${optionalString (cfg.ensureUsers != [])
''
plugin-load-add = auth_socket.so
''}
${cfg.extraOptions}
'';
environment.etc."my.cnf".source = cfg.configFile;
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 ${cfg.user} mysql -"
@ -297,7 +348,7 @@ in
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."my.cnf".source ];
restartTriggers = [ cfg.configFile ];
unitConfig.RequiresMountsFor = "${cfg.dataDir}";
@ -307,9 +358,14 @@ in
pkgs.nettools
];
preStart = ''
preStart = if isMariaDB then ''
if ! test -e ${cfg.dataDir}/mysql; then
${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${installOptions}
${mysql}/bin/mysql_install_db --defaults-file=/etc/my.cnf ${mysqldOptions}
touch /tmp/mysql_init
fi
'' else ''
if ! test -e ${cfg.dataDir}/mysql; then
${mysql}/bin/mysqld --defaults-file=/etc/my.cnf ${mysqldOptions} --initialize-insecure
touch /tmp/mysql_init
fi
'';
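Review bot: the comment removed in the first hunk ("--insecure creates the root user without password") belongs here next to `--initialize-insecure`, since that flag is the security-relevant choice in this file: the initial root account is created with an empty password, and readers of preStart should see that stated. The `isMysqlAtLeast57` guard was also dropped with no replacement, and `--initialize-insecure` only exists on MySQL 5.7 and later, so either add an assertion on `mysql.version` or note that nixpkgs no longer packages an older MySQL.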

View File

@ -7,12 +7,10 @@
<!-- FIXME: render nicely -->
<!-- FIXME: source can be added automatically -->
<para>
<emphasis>Source:</emphasis>
<filename>modules/services/databases/postgresql.nix</filename>
<emphasis>Source:</emphasis> <filename>modules/services/databases/postgresql.nix</filename>
</para>
<para>
<emphasis>Upstream documentation:</emphasis>
<link xlink:href="http://www.postgresql.org/docs/"/>
<emphasis>Upstream documentation:</emphasis> <link xlink:href="http://www.postgresql.org/docs/"/>
</para>
<!-- FIXME: more stuff, like maintainer? -->
<para>
@ -23,18 +21,12 @@
<title>Configuring</title>
<para>
To enable PostgreSQL, add the following to your
<filename>configuration.nix</filename>:
To enable PostgreSQL, add the following to your <filename>configuration.nix</filename>:
<programlisting>
<xref linkend="opt-services.postgresql.enable"/> = true;
<xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_11;
</programlisting>
Note that you are required to specify the desired version of PostgreSQL
(e.g. <literal>pkgs.postgresql_11</literal>). Since upgrading your
PostgreSQL version requires a database dump and reload (see below), NixOS
cannot provide a default value for
<xref linkend="opt-services.postgresql.package"/> such as the most recent
release of PostgreSQL.
Note that you are required to specify the desired version of PostgreSQL (e.g. <literal>pkgs.postgresql_11</literal>). Since upgrading your PostgreSQL version requires a database dump and reload (see below), NixOS cannot provide a default value for <xref linkend="opt-services.postgresql.package"/> such as the most recent release of PostgreSQL.
</para>
<!--
@ -51,9 +43,7 @@ Type "help" for help.
-->
<para>
By default, PostgreSQL stores its databases in
<filename>/var/lib/postgresql/$psqlSchema</filename>. You can override this using
<xref linkend="opt-services.postgresql.dataDir"/>, e.g.
By default, PostgreSQL stores its databases in <filename>/var/lib/postgresql/$psqlSchema</filename>. You can override this using <xref linkend="opt-services.postgresql.dataDir"/>, e.g.
<programlisting>
<xref linkend="opt-services.postgresql.dataDir"/> = "/data/postgresql";
</programlisting>
@ -63,25 +53,83 @@ Type "help" for help.
<title>Upgrading</title>
<para>
FIXME: document dump/upgrade/load cycle.
Major PostgreSQL upgrade requires PostgreSQL downtime and a few imperative steps to be called. To simplify this process, use the following NixOS module:
<programlisting>
containers.temp-pg.config.services.postgresql = {
enable = true;
package = pkgs.postgresql_12;
## set a custom new dataDir
# dataDir = "/some/data/dir";
};
environment.systemPackages =
let newpg = config.containers.temp-pg.config.services.postgresql;
in [
(pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -x
export OLDDATA="${config.services.postgresql.dataDir}"
export NEWDATA="${newpg.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
export NEWBIN="${newpg.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
systemctl stop postgresql # old one
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
'')
];
</programlisting>
</para>
<para>
The upgrade process is:
</para>
<orderedlist>
<listitem>
<para>
Rebuild nixos configuration with the configuration above added to your <filename>configuration.nix</filename>. Alternatively, add that into separate file and reference it in <literal>imports</literal> list.
</para>
</listitem>
<listitem>
<para>
Login as root (<literal>sudo su -</literal>)
</para>
</listitem>
<listitem>
<para>
Run <literal>upgrade-pg-cluster</literal>. It will stop old postgresql, initialize new one and migrate old one to new one. You may supply arguments like <literal>--jobs 4</literal> and <literal>--link</literal> to speedup migration process. See <link xlink:href="https://www.postgresql.org/docs/current/pgupgrade.html" /> for details.
</para>
</listitem>
<listitem>
<para>
Change postgresql package in NixOS configuration to the one you were upgrading to, and change <literal>dataDir</literal> to the one you have migrated to. Rebuild NixOS. This should start new postgres using upgraded data directory.
</para>
</listitem>
<listitem>
<para>
After upgrade you may want to <literal>ANALYZE</literal> new db.
</para>
</listitem>
</orderedlist>
</section>
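Review bot: the `upgrade-pg-cluster` script runs with `set -x` but not `set -e`, so if `initdb` fails (for example because `$NEWDATA` is already populated) it still stops the running server and launches `pg_upgrade`; start it with `set -euo pipefail`. It also depends on `sudo` even though the text says to run it as root (`su postgres -c` avoids the dependency), and the new cluster's `initdb` should be given the same locale and encoding as the old one, otherwise `pg_upgrade` refuses to proceed. The prose should say that `containers.temp-pg` is only used to evaluate the new package and dataDir and is never started.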
<section xml:id="module-services-postgres-options">
<title>Options</title>
<para>
A complete list of options for the PostgreSQL module may be found
<link linkend="opt-services.postgresql.enable">here</link>.
A complete list of options for the PostgreSQL module may be found <link linkend="opt-services.postgresql.enable">here</link>.
</para>
</section>
<section xml:id="module-services-postgres-plugins">
<title>Plugins</title>
<para>
Plugins collection for each PostgreSQL version can be accessed with
<literal>.pkgs</literal>. For example, for
<literal>pkgs.postgresql_11</literal> package, its plugin collection is
accessed by <literal>pkgs.postgresql_11.pkgs</literal>:
Plugins collection for each PostgreSQL version can be accessed with <literal>.pkgs</literal>. For example, for <literal>pkgs.postgresql_11</literal> package, its plugin collection is accessed by <literal>pkgs.postgresql_11.pkgs</literal>:
<screen>
<prompt>$ </prompt>nix repl '&lt;nixpkgs&gt;'
@ -98,6 +146,7 @@ postgresql_11.pkgs.pg_partman postgresql_11.pkgs.pgroonga
...
</screen>
</para>
<para>
To add plugins via NixOS configuration, set <literal>services.postgresql.extraPlugins</literal>:
<programlisting>
@ -108,10 +157,9 @@ postgresql_11.pkgs.pg_partman postgresql_11.pkgs.pgroonga
];
</programlisting>
</para>
<para>
You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using
function <literal>.withPackages</literal>. For example, creating a custom
PostgreSQL package in an overlay can look like:
You can build custom PostgreSQL-with-plugins (to be used outside of NixOS) using function <literal>.withPackages</literal>. For example, creating a custom PostgreSQL package in an overlay can look like:
<programlisting>
self: super: {
postgresql_custom = self.postgresql_11.withPackages (ps: [
@ -121,6 +169,7 @@ self: super: {
}
</programlisting>
</para>
<para>
Here's a recipe on how to override a particular plugin through an overlay:
<programlisting>

View File

@ -6,6 +6,10 @@ with lib;
{
meta = {
maintainers = teams.freedesktop.members;
};
###### interface
options = {

View File

@ -5,6 +5,10 @@
with lib;
{
meta = {
maintainers = with maintainers; [ worldofpeace ];
};
###### interface
options = {

View File

@ -6,6 +6,10 @@ with lib;
{
meta = {
maintainers = teams.gnome.members;
};
###### interface
options = {

View File

@ -4,6 +4,10 @@
with lib;
{
meta = {
maintainers = teams.gnome.members;
};
###### interface
options = {
services.gnome3.chrome-gnome-shell.enable = mkEnableOption ''

Some files were not shown because too many files have changed in this diff Show More