dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

temporalite: fix merge conflict

Browse Source
This commit is contained in:
Luc Perkins 2022-11-01 12:21:00 -03:00
commit 31854fc954
No known key found for this signature in database
GPG Key ID: 4F102D0C16E232F2
2826 changed files with 115466 additions and 38143 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.github/CODEOWNERS vendored
View File

@ -187,6 +187,7 @@
/nixos/modules/services/networking/babeld.nix @mweinelt
/nixos/modules/services/networking/kea.nix @mweinelt
/nixos/modules/services/networking/knot.nix @mweinelt
/nixos/modules/services/monitoring/prometheus/exporters/kea.nix @mweinelt
/nixos/tests/babeld.nix @mweinelt
/nixos/tests/kea.nix @mweinelt
/nixos/tests/knot.nix @mweinelt

2
.github/workflows/basic-eval.yml vendored
View File

@ -20,7 +20,7 @@ jobs:
steps:
- uses: actions/checkout@v3
- uses: cachix/install-nix-action@v18
- uses: cachix/cachix-action@v11
- uses: cachix/cachix-action@v12
with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci

2
.github/workflows/direct-push.yml vendored
View File

@ -21,7 +21,7 @@ jobs:
id: ismerge
run: |
ISMERGE=$(curl -H 'Accept: application/vnd.github.groot-preview+json' -H "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/${{ env.GITHUB_REPOSITORY }}/commits/${{ env.GITHUB_SHA }}/pulls | jq -r '.[] | select(.merge_commit_sha == "${{ env.GITHUB_SHA }}") | any')
echo "::set-output name=ismerge::$ISMERGE"
echo "ismerge=$ISMERGE" >> $GITHUB_OUTPUT
# github events are eventually consistent, so wait until changes propagate to thier DB
- run: sleep 60
if: steps.ismerge.outputs.ismerge != 'true'

2
.github/workflows/manual-nixos.yml vendored
View File

@ -22,7 +22,7 @@ jobs:
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true
- uses: cachix/cachix-action@v11
- uses: cachix/cachix-action@v12
with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci

2
.github/workflows/manual-nixpkgs.yml vendored
View File

@ -22,7 +22,7 @@ jobs:
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true
- uses: cachix/cachix-action@v11
- uses: cachix/cachix-action@v12
with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci

2
.github/workflows/manual-rendering.yml vendored
View File

@ -22,7 +22,7 @@ jobs:
with:
# explicitly enable sandbox
extra_nix_config: sandbox = true
- uses: cachix/cachix-action@v11
- uses: cachix/cachix-action@v12
with:
# This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
name: nixpkgs-ci

2
.github/workflows/update-terraform-providers.yml vendored
View File

@ -23,7 +23,7 @@ jobs:
- name: setup
id: setup
run: |
echo ::set-output name=title::"terraform-providers: update $(date -u +"%Y-%m-%d")"
echo "title=terraform-providers: update $(date -u +"%Y-%m-%d")" >> $GITHUB_OUTPUT
- name: update terraform-providers
run: |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

2
.mailmap
View File

@ -1 +1,3 @@
Daniel Løvbrøtte Olsen <me@dandellion.xyz> <daniel.olsen99@gmail.com>
R. RyanTM <ryantm-bot@ryantm.com>
Sandro <sandro.jaeckel@gmail.com>

11
doc/build-aux/pandoc-filters/docbook-writer/html-elements.lua Normal file
View File

@ -0,0 +1,11 @@
--[[
Converts some HTML elements commonly used in Markdown to corresponding DocBook elements.
]]
function RawInline(elem)
if elem.format == 'html' and elem.text == '<kbd>' then
return pandoc.RawInline('docbook', '<keycap>')
elseif elem.format == 'html' and elem.text == '</kbd>' then
return pandoc.RawInline('docbook', '</keycap>')
end
end

6
doc/contributing/reviewing-contributions.chapter.md
View File

@ -302,6 +302,12 @@ Container system, boot system and library changes are some examples of the pull
It is possible for community members that have enough knowledge and experience on a special topic to contribute by merging pull requests.
In case the PR is stuck waiting for the original author to apply a trivial
change (a typo, capitalisation change, etc.) and the author allowed the members
to modify the PR, consider applying it yourself. (or commit the existing review
suggestion) You should pay extra attention to make sure the addition doesn't go
against the idea of the original PR and would not be opposed by the author.
<!--
The following paragraphs about how to deal with unactive contributors is just a proposition and should be modified to what the community agrees to be the right policy.

4
doc/contributing/submitting-changes.chapter.md
View File

@ -244,12 +244,16 @@ The `master` branch is the main development branch. It should only see non-break
The `staging` branch is a development branch where mass-rebuilds go. Mass rebuilds are commits that cause rebuilds for many packages, like more than 500 (or perhaps, if it's 'light' packages, 1000). It should only see non-breaking mass-rebuild commits. That means it is not to be used for testing, and changes must have been well tested already. If the branch is already in a broken state, please refrain from adding extra new breakages.
During the process of a releasing a new NixOS version, this branch or the release-critical packages can be restricted to non-breaking changes.
### Staging-next branch {#submitting-changes-staging-next-branch}
The `staging-next` branch is for stabilizing mass-rebuilds submitted to the `staging` branch prior to merging them into `master`. Mass-rebuilds must go via the `staging` branch. It must only see non-breaking commits that are fixing issues blocking it from being merged into the `master` branch.
If the branch is already in a broken state, please refrain from adding extra new breakages. Stabilize it for a few days and then merge into master.
During the process of a releasing a new NixOS version, this branch or the release-critical packages can be restricted to non-breaking changes.
### Stable release branches {#submitting-changes-stable-release-branches}
The same staging workflow applies to stable release branches, but the main branch is called `release-*` instead of `master`.

1
doc/doc-support/lib-function-docs.nix
View File

@ -22,6 +22,7 @@ with pkgs; stdenv.mkDerivation {
docgen lists 'List manipulation functions'
docgen debug 'Debugging functions'
docgen options 'NixOS / nixpkgs option handling'
docgen filesystem 'Filesystem functions'
docgen sources 'Source filtering functions'
'';
}

2
doc/functions/library.xml
View File

@ -26,5 +26,7 @@
<xi:include href="./library/generated/options.xml" />
<xi:include href="./library/generated/filesystem.xml" />
<xi:include href="./library/generated/sources.xml" />
</section>

2
doc/languages-frameworks/lua.section.md
View File

@ -200,7 +200,7 @@ luaposix = buildLuarocksPackage {
The `buildLuarocksPackage` delegates most tasks to luarocks:
* it adds `luarocks` as an unpacker for `src.rock` files (zip files really).
* configurePhase` writes a temporary luarocks configuration file which location
* `configurePhase` writes a temporary luarocks configuration file which location
is exported via the environment variable `LUAROCKS_CONFIG`.
* the `buildPhase` does nothing.
* `installPhase` calls `luarocks make --deps-mode=none --tree $out` to build and

12
doc/languages-frameworks/rust.section.md
View File

@ -319,6 +319,18 @@ The above are just guidelines, and exceptions may be granted on a case-by-case b
However, please check if it's possible to disable a problematic subset of the
test suite and leave a comment explaining your reasoning.
This can be achived with `--skip` in `checkFlags`:
```nix
rustPlatform.buildRustPackage {
/* ... */
checkFlags = [
# reason for disabling test
"--skip=example::tests:example_test"
];
}
```
#### Setting `test-threads` {#setting-test-threads}
`buildRustPackage` will use parallel test threads by default,

8
doc/languages-frameworks/vim.section.md
View File

@ -170,8 +170,8 @@ of precompiled grammars, you can use `nvim-treesitter.withPlugins` function:
start = [
(nvim-treesitter.withPlugins (
plugins: with plugins; [
tree-sitter-nix
tree-sitter-python
nix
python
]
))
];
@ -180,7 +180,7 @@ of precompiled grammars, you can use `nvim-treesitter.withPlugins` function:
})
```
To enable all grammars packaged in nixpkgs, use `(pkgs.vimPlugins.nvim-treesitter.withPlugins (plugins: pkgs.tree-sitter.allGrammars))`.
To enable all grammars packaged in nixpkgs, use `pkgs.vimPlugins.nvim-treesitter.withAllGrammars`.
## Managing plugins with vim-plug {#managing-plugins-with-vim-plug}
@ -203,6 +203,8 @@ Note: this is not possible anymore for Neovim.
Nix expressions for Vim plugins are stored in [pkgs/applications/editors/vim/plugins](https://github.com/NixOS/nixpkgs/tree/master/pkgs/applications/editors/vim/plugins). For the vast majority of plugins, Nix expressions are automatically generated by running [`./update.py`](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/update.py). This creates a [generated.nix](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/generated.nix) file based on the plugins listed in [vim-plugin-names](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/vim-plugin-names). Plugins are listed in alphabetical order in `vim-plugin-names` using the format `[github username]/[repository]@[gitref]`. For example https://github.com/scrooloose/nerdtree becomes `scrooloose/nerdtree`.
After running `./update.py`, if nvim-treesitter received an update, also run [`nvim-treesitter/update.py`](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/update.py) to update the tree sitter grammars for `nvim-treesitter`.
Some plugins require overrides in order to function properly. Overrides are placed in [overrides.nix](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/vim/plugins/overrides.nix). Overrides are most often required when a plugin requires some dependencies, or extra steps are required during the build process. For example `deoplete-fish` requires both `deoplete-nvim` and `vim-fish`, and so the following override was added:
```nix

9
flake.nix
View File

@ -45,6 +45,15 @@
}).nixos.manual.x86_64-linux;
};
# The "legacy" in `legacyPackages` doesn't imply that the packages exposed
# through this attribute are "legacy" packages. Instead, `legacyPackages`
# is used here as a substitute attribute name for `packages`. The problem
# with `packages` is that it makes operations like `nix flake show
# nixpkgs` unusably slow due to the sheer number of packages the Nix CLI
# needs to evaluate. But when the Nix CLI sees a `legacyPackages`
# attribute it displays `omitted` instead of evaluating all packages,
# which keeps `nix flake show` on Nixpkgs reasonably fast, though less
# information rich.
legacyPackages = forAllSystems (system: import ./. { inherit system; });
nixosModules = {

96
lib/ascii-table.nix Normal file
View File

@ -0,0 +1,96 @@
{ " " = 32;
"!" = 33;
"\"" = 34;
"#" = 35;
"$" = 36;
"%" = 37;
"&" = 38;
"'" = 39;
"(" = 40;
")" = 41;
"*" = 42;
"+" = 43;
"," = 44;
"-" = 45;
"." = 46;
"/" = 47;
"0" = 48;
"1" = 49;
"2" = 50;
"3" = 51;
"4" = 52;
"5" = 53;
"6" = 54;
"7" = 55;
"8" = 56;
"9" = 57;
":" = 58;
";" = 59;
"<" = 60;
"=" = 61;
">" = 62;
"?" = 63;
"@" = 64;
"A" = 65;
"B" = 66;
"C" = 67;
"D" = 68;
"E" = 69;
"F" = 70;
"G" = 71;
"H" = 72;
"I" = 73;
"J" = 74;
"K" = 75;
"L" = 76;
"M" = 77;
"N" = 78;
"O" = 79;
"P" = 80;
"Q" = 81;
"R" = 82;
"S" = 83;
"T" = 84;
"U" = 85;
"V" = 86;
"W" = 87;
"X" = 88;
"Y" = 89;
"Z" = 90;
"[" = 91;
"\\" = 92;
"]" = 93;
"^" = 94;
"_" = 95;
"`" = 96;
"a" = 97;
"b" = 98;
"c" = 99;
"d" = 100;
"e" = 101;
"f" = 102;
"g" = 103;
"h" = 104;
"i" = 105;
"j" = 106;
"k" = 107;
"l" = 108;
"m" = 109;
"n" = 110;
"o" = 111;
"p" = 112;
"q" = 113;
"r" = 114;
"s" = 115;
"t" = 116;
"u" = 117;
"v" = 118;
"w" = 119;
"x" = 120;
"y" = 121;
"z" = 122;
"{" = 123;
"|" = 124;
"}" = 125;
"~" = 126;
}

2
lib/default.nix
View File

@ -103,7 +103,7 @@ let
getName getVersion
nameFromURL enableFeature enableFeatureAs withFeature
withFeatureAs fixedWidthString fixedWidthNumber isStorePath
toInt readPathsFromFile fileContents;
toInt toIntBase10 readPathsFromFile fileContents;
inherit (self.stringsWithDeps) textClosureList textClosureMap
noDepEntry fullDepEntry packEntry stringAfter;
inherit (self.customisation) overrideDerivation makeOverridable

31
lib/deprecated.nix
View File

@ -157,7 +157,36 @@ rec {
}
);
closePropagation = list: (uniqList {inputList = (innerClosePropagation [] list);});
closePropagationSlow = list: (uniqList {inputList = (innerClosePropagation [] list);});
# This is an optimisation of lib.closePropagation which avoids the O(n^2) behavior
# Using a list of derivations, it generates the full closure of the propagatedXXXBuildInputs
# The ordering / sorting / comparison is done based on the `outPath`
# attribute of each derivation.
# On some benchmarks, it performs up to 15 times faster than lib.closePropagation.
# See https://github.com/NixOS/nixpkgs/pull/194391 for details.
closePropagationFast = list:
builtins.map (x: x.val) (builtins.genericClosure {
startSet = builtins.map (x: {
key = x.outPath;
val = x;
}) (builtins.filter (x: x != null) list);
operator = item:
if !builtins.isAttrs item.val then
[ ]
else
builtins.concatMap (x:
if x != null then [{
key = x.outPath;
val = x;
}] else
[ ]) ((item.val.propagatedBuildInputs or [ ])
++ (item.val.propagatedNativeBuildInputs or [ ]));
});
closePropagation = if builtins ? genericClosure
then closePropagationFast
else closePropagationSlow;
# calls a function (f attr value ) for each record item. returns a list
mapAttrsFlatten = f: r: map (attr: f attr r.${attr}) (attrNames r);

58
lib/filesystem.nix
View File

@ -1,9 +1,23 @@
# Functions for copying sources to the Nix store.
{ lib }:
{ # haskellPathsInDir : Path -> Map String Path
# A map of all haskell packages defined in the given path,
# identified by having a cabal file with the same name as the
# directory itself.
haskellPathsInDir = root:
let
inherit (lib.strings)
hasPrefix
;
in
{
/*
A map of all haskell packages defined in the given path,
identified by having a cabal file with the same name as the
directory itself.
Type: Path -> Map String Path
*/
haskellPathsInDir =
# The directory within to search
root:
let # Files in the root
root-files = builtins.attrNames (builtins.readDir root);
# Files with their full paths
@ -17,15 +31,18 @@
builtins.pathExists (value + "/${name}.cabal")
) root-files-with-paths;
in builtins.listToAttrs cabal-subdirs;
# locateDominatingFile : RegExp
# -> Path
# -> Nullable { path : Path;
# matches : [ MatchResults ];
# }
# Find the first directory containing a file matching 'pattern'
# upward from a given 'file'.
# Returns 'null' if no directories contain a file matching 'pattern'.
locateDominatingFile = pattern: file:
/*
Find the first directory containing a file matching 'pattern'
upward from a given 'file'.
Returns 'null' if no directories contain a file matching 'pattern'.
Type: RegExp -> Path -> Nullable { path : Path; matches : [ MatchResults ]; }
*/
locateDominatingFile =
# The pattern to search for
pattern:
# The file to start searching upward from
file:
let go = path:
let files = builtins.attrNames (builtins.readDir path);
matches = builtins.filter (match: match != null)
@ -44,10 +61,15 @@
in go (if isDir then file else parent);
# listFilesRecursive: Path -> [ Path ]
#
# Given a directory, return a flattened list of all files within it recursively.
listFilesRecursive = dir: lib.flatten (lib.mapAttrsToList (name: type:
/*
Given a directory, return a flattened list of all files within it recursively.
Type: Path -> [ Path ]
*/
listFilesRecursive =
# The path to recursively list
dir:
lib.flatten (lib.mapAttrsToList (name: type:
if type == "directory" then
lib.filesystem.listFilesRecursive (dir + "/${name}")
else

2
lib/generators.nix
View File

@ -378,7 +378,7 @@ rec {
attr = let attrFilter = name: value: name != "_module" && value != null;
in ind: x: libStr.concatStringsSep "\n" (lib.flatten (lib.mapAttrsToList
(name: value: lib.optional (attrFilter name value) [
(name: value: lib.optionals (attrFilter name value) [
(key "\t${ind}" name)
(expr "\t${ind}" value)
]) x));

16
lib/licenses.nix
View File

@ -78,6 +78,12 @@ in mkLicense lset) ({
url = "https://aomedia.org/license/patent-license/";
};
apsl10 = {
spdxId = "APSL-1.0";
fullName = "Apple Public Source License 1.0";
url = "https://web.archive.org/web/20040701000000*/http://www.opensource.apple.com/apsl/1.0.txt";
};
apsl20 = {
spdxId = "APSL-2.0";
fullName = "Apple Public Source License 2.0";
@ -548,6 +554,16 @@ in mkLicense lset) ({
free = false;
};
lal12 = {
spdxId = "LAL-1.2";
fullName = "Licence Art Libre 1.2";
};
lal13 = {
spdxId = "LAL-1.3";
fullName = "Licence Art Libre 1.3";
};
lgpl2Only = {
spdxId = "LGPL-2.0-only";
fullName = "GNU Library General Public License v2 only";

12
lib/options.nix
View File

@ -322,10 +322,16 @@ rec {
showOption = parts: let
escapeOptionPart = part:
let
escaped = lib.strings.escapeNixString part;
in if escaped == "\"${part}\""
# We assume that these are "special values" and not real configuration data.
# If it is real configuration data, it is rendered incorrectly.
specialIdentifiers = [
"<name>" # attrsOf (submodule {})
"*" # listOf (submodule {})
"<function body>" # functionTo
];
in if builtins.elem part specialIdentifiers
then part
else escaped;
else lib.strings.escapeNixIdentifier part;
in (concatStringsSep ".") (map escapeOptionPart parts);
showFiles = files: concatStringsSep " and " (map (f: "`${f}'") files);

131
lib/strings.nix
View File

@ -185,6 +185,16 @@ rec {
*/
makeBinPath = makeSearchPathOutput "bin" "bin";
/* Normalize path, removing extranous /s
Type: normalizePath :: string -> string
Example:
normalizePath "/a//b///c/"
=> "/a/b/c/"
*/
normalizePath = s: (builtins.foldl' (x: y: if y == "/" && hasSuffix "/" x then x else x+y) "" (stringToCharacters s));
/* Depending on the boolean `cond', return either the given string
or the empty string. Useful to concatenate against a bigger string.
@ -294,6 +304,21 @@ rec {
map f (stringToCharacters s)
);
/* Convert char to ascii value, must be in printable range
Type: charToInt :: string -> int
Example:
charToInt "A"
=> 65
charToInt "("
=> 40
*/
charToInt = let
table = import ./ascii-table.nix;
in c: builtins.getAttr c table;
/* Escape occurrence of the elements of `list` in `string` by
prefixing it with a backslash.
@ -305,6 +330,19 @@ rec {
*/
escape = list: replaceChars list (map (c: "\\${c}") list);
/* Escape occurence of the element of `list` in `string` by
converting to its ASCII value and prefixing it with \\x.
Only works for printable ascii characters.
Type: escapeC = [string] -> string -> string
Example:
escapeC [" "] "foo bar"
=> "foo\\x20bar"
*/
escapeC = list: replaceChars list (map (c: "\\x${ toLower (lib.toHexString (charToInt c))}") list);
/* Quote string to be used safely within the Bourne shell.
Type: escapeShellArg :: string -> string
@ -745,24 +783,105 @@ rec {
else
false;
/* Parse a string as an int.
/* Parse a string as an int. Does not support parsing of integers with preceding zero due to
ambiguity between zero-padded and octal numbers. See toIntBase10.
Type: string -> int
Example:
toInt "1337"
=> 1337
toInt "-4"
=> -4
toInt " 123 "
=> 123
toInt "00024"
=> error: Ambiguity in interpretation of 00024 between octal and zero padded integer.
toInt "3.14"
=> error: floating point JSON numbers are not supported
*/
# Obviously, it is a bit hacky to use fromJSON this way.
toInt = str:
let may_be_int = fromJSON str; in
if isInt may_be_int
then may_be_int
else throw "Could not convert ${str} to int.";
let
# RegEx: Match any leading whitespace, then any digits, and finally match any trailing
# whitespace.
strippedInput = match "[[:space:]]*([[:digit:]]+)[[:space:]]*" str;
# RegEx: Match a leading '0' then one or more digits.
isLeadingZero = match "0[[:digit:]]+" (head strippedInput) == [];
# Attempt to parse input
parsedInput = fromJSON (head strippedInput);
generalError = "toInt: Could not convert ${escapeNixString str} to int.";
octalAmbigError = "toInt: Ambiguity in interpretation of ${escapeNixString str}"
+ " between octal and zero padded integer.";
in
# Error on presence of non digit characters.
if strippedInput == null
then throw generalError
# Error on presence of leading zero/octal ambiguity.
else if isLeadingZero
then throw octalAmbigError
# Error if parse function fails.
else if !isInt parsedInput
then throw generalError
# Return result.
else parsedInput;
/* Parse a string as a base 10 int. This supports parsing of zero-padded integers.
Type: string -> int
Example:
toIntBase10 "1337"
=> 1337
toIntBase10 "-4"
=> -4
toIntBase10 " 123 "
=> 123
toIntBase10 "00024"
=> 24
toIntBase10 "3.14"
=> error: floating point JSON numbers are not supported
*/
toIntBase10 = str:
let
# RegEx: Match any leading whitespace, then match any zero padding, capture any remaining
# digits after that, and finally match any trailing whitespace.
strippedInput = match "[[:space:]]*0*([[:digit:]]+)[[:space:]]*" str;
# RegEx: Match at least one '0'.
isZero = match "0+" (head strippedInput) == [];
# Attempt to parse input
parsedInput = fromJSON (head strippedInput);
generalError = "toIntBase10: Could not convert ${escapeNixString str} to int.";
in
# Error on presence of non digit characters.
if strippedInput == null
then throw generalError
# In the special case zero-padded zero (00000), return early.
else if isZero
then 0
# Error if parse function fails.
else if !isInt parsedInput
then throw generalError
# Return result.
else parsedInput;
/* Read a list of paths from `file`, relative to the `rootPath`.
Lines beginning with `#` are treated as comments and ignored.

86
lib/tests/misc.nix
View File

@ -312,6 +312,92 @@ runTests {
expected = true;
};
testNormalizePath = {
expr = strings.normalizePath "//a/b//c////d/";
expected = "/a/b/c/d/";
};
testCharToInt = {
expr = strings.charToInt "A";
expected = 65;
};
testEscapeC = {
expr = strings.escapeC [ " " ] "Hello World";
expected = "Hello\\x20World";
};
testToInt = testAllTrue [
# Naive
(123 == toInt "123")
(0 == toInt "0")
# Whitespace Padding
(123 == toInt " 123")
(123 == toInt "123 ")
(123 == toInt " 123 ")
(123 == toInt " 123 ")
(0 == toInt " 0")
(0 == toInt "0 ")
(0 == toInt " 0 ")
];
testToIntFails = testAllTrue [
( builtins.tryEval (toInt "") == { success = false; value = false; } )
( builtins.tryEval (toInt "123 123") == { success = false; value = false; } )
( builtins.tryEval (toInt "0 123") == { success = false; value = false; } )
( builtins.tryEval (toInt " 0d ") == { success = false; value = false; } )
( builtins.tryEval (toInt " 1d ") == { success = false; value = false; } )
( builtins.tryEval (toInt " d0 ") == { success = false; value = false; } )
( builtins.tryEval (toInt "00") == { success = false; value = false; } )
( builtins.tryEval (toInt "01") == { success = false; value = false; } )
( builtins.tryEval (toInt "002") == { success = false; value = false; } )
( builtins.tryEval (toInt " 002 ") == { success = false; value = false; } )
( builtins.tryEval (toInt " foo ") == { success = false; value = false; } )
( builtins.tryEval (toInt " foo 123 ") == { success = false; value = false; } )
( builtins.tryEval (toInt " foo123 ") == { success = false; value = false; } )
];
testToIntBase10 = testAllTrue [
# Naive
(123 == toIntBase10 "123")
(0 == toIntBase10 "0")
# Whitespace Padding
(123 == toIntBase10 " 123")
(123 == toIntBase10 "123 ")
(123 == toIntBase10 " 123 ")
(123 == toIntBase10 " 123 ")
(0 == toIntBase10 " 0")
(0 == toIntBase10 "0 ")
(0 == toIntBase10 " 0 ")
# Zero Padding
(123 == toIntBase10 "0123")
(123 == toIntBase10 "0000123")
(0 == toIntBase10 "000000")
# Whitespace and Zero Padding
(123 == toIntBase10 " 0123")
(123 == toIntBase10 "0123 ")
(123 == toIntBase10 " 0123 ")
(123 == toIntBase10 " 0000123")
(123 == toIntBase10 "0000123 ")
(123 == toIntBase10 " 0000123 ")
(0 == toIntBase10 " 000000")
(0 == toIntBase10 "000000 ")
(0 == toIntBase10 " 000000 ")
];
testToIntBase10Fails = testAllTrue [
( builtins.tryEval (toIntBase10 "") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 "123 123") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 "0 123") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " 0d ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " 1d ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " d0 ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " foo ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " foo 123 ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " foo 00123 ") == { success = false; value = false; } )
( builtins.tryEval (toIntBase10 " foo00123 ") == { success = false; value = false; } )
];
# LISTS
testFilter = {

6
lib/tests/modules.sh
View File

@ -162,7 +162,7 @@ checkConfigError 'A definition for option .* is not.*string or signed integer co
# Check coerced value with unsound coercion
checkConfigOutput '^12$' config.value ./declare-coerced-value-unsound.nix
checkConfigError 'A definition for option .* is not of type .*. Definition values:\n\s*- In .*: "1000"' config.value ./declare-coerced-value-unsound.nix ./define-value-string-bigint.nix
checkConfigError 'json.exception.parse_error' config.value ./declare-coerced-value-unsound.nix ./define-value-string-arbitrary.nix
checkConfigError 'toInt: Could not convert .* to int' config.value ./declare-coerced-value-unsound.nix ./define-value-string-arbitrary.nix
# Check mkAliasOptionModule.
checkConfigOutput '^true$' config.enable ./alias-with-priority.nix
@ -302,11 +302,11 @@ checkConfigOutput '^"baz"$' config.value.nested.bar.baz ./types-anything/mk-mods
## types.functionTo
checkConfigOutput '^"input is input"$' config.result ./functionTo/trivial.nix
checkConfigOutput '^"a b"$' config.result ./functionTo/merging-list.nix
checkConfigError 'A definition for option .fun.\[function body\]. is not of type .string.. Definition values:\n\s*- In .*wrong-type.nix' config.result ./functionTo/wrong-type.nix
checkConfigError 'A definition for option .fun.<function body>. is not of type .string.. Definition values:\n\s*- In .*wrong-type.nix' config.result ./functionTo/wrong-type.nix
checkConfigOutput '^"b a"$' config.result ./functionTo/list-order.nix
checkConfigOutput '^"a c"$' config.result ./functionTo/merging-attrs.nix
checkConfigOutput '^"a bee"$' config.result ./functionTo/submodule-options.nix
checkConfigOutput '^"fun.\[function body\].a fun.\[function body\].b"$' config.optionsResult ./functionTo/submodule-options.nix
checkConfigOutput '^"fun.<function body>.a fun.<function body>.b"$' config.optionsResult ./functionTo/submodule-options.nix
# moduleType
checkConfigOutput '^"a b"$' config.resultFoo ./declare-variants.nix ./define-variant.nix

4
lib/types.nix
View File

@ -617,8 +617,8 @@ rec {
descriptionClass = "composite";
check = isFunction;
merge = loc: defs:
fnArgs: (mergeDefinitions (loc ++ [ "[function body]" ]) elemType (map (fn: { inherit (fn) file; value = fn.value fnArgs; }) defs)).mergedValue;
getSubOptions = prefix: elemType.getSubOptions (prefix ++ [ "[function body]" ]);
fnArgs: (mergeDefinitions (loc ++ [ "<function body>" ]) elemType (map (fn: { inherit (fn) file; value = fn.value fnArgs; }) defs)).mergedValue;
getSubOptions = prefix: elemType.getSubOptions (prefix ++ [ "<function body>" ]);
getSubModules = elemType.getSubModules;
substSubModules = m: functionTo (elemType.substSubModules m);
functor = (defaultFunctor "functionTo") // { wrapped = elemType; };

150
maintainers/maintainer-list.nix
View File

@ -326,10 +326,10 @@
name = "Maxwell Huang-Hobbs";
};
adjacentresearch = {
email = "nate@adjacentresearch.xyz";
github = "0xperp";
githubId = 96147421;
name = "0xperp";
email = "nate@adjacentresearch.xyz";
github = "0xperp";
githubId = 96147421;
name = "0xperp";
};
adnelson = {
email = "ithinkican@gmail.com";
@ -528,10 +528,10 @@
name = "Aksh Gupta";
};
alapshin = {
email = "alapshin@fastmail.com";
github = "alapshin";
githubId = 321946;
name = "Andrei Lapshin";
email = "alapshin@fastmail.com";
github = "alapshin";
githubId = 321946;
name = "Andrei Lapshin";
};
albakham = {
email = "dev@geber.ga";
@ -1481,6 +1481,12 @@
githubId = 35324;
name = "Badi' Abdul-Wahid";
};
baduhai = {
email = "baduhai@pm.me";
github = "baduhai";
githubId = 31864305;
name = "William";
};
baitinq = {
email = "manuelpalenzuelamerino@gmail.com";
name = "Baitinq";
@ -2465,6 +2471,12 @@
fingerprint = "4EBB 30F1 E89A 541A A7F2 52BE 830A 9728 6309 66F4";
}];
};
christophcharles = {
email = "23055925+christophcharles@users.noreply.github.com";
github = "christophcharles";
githubId = 23055925;
name = "Christoph Charles";
};
christopherpoole = {
email = "mail@christopherpoole.net";
github = "christopherpoole";
@ -5698,6 +5710,12 @@
githubId = 3661115;
name = "Ingo Blechschmidt";
};
icewind1991 = {
name = "Robin Appelman";
email = "robin@icewind.nl";
github = "icewind1991";
githubId = 1283854;
};
icy-thought = {
name = "Icy-Thought";
email = "gilganyx@pm.me";
@ -5754,7 +5772,7 @@
githubId = 40234257;
name = "ilkecan bozdogan";
};
not-my-segfault = {
not-my-segfault = {
email = "michal@tar.black";
matrix = "@michal:tar.black";
github = "not-my-segfault";
@ -5878,6 +5896,12 @@
githubId = 54999;
name = "Ariel Nunez";
};
iopq = {
email = "iop_jr@yahoo.com";
github = "iopq";
githubId = 1817528;
name = "Igor Polyakov";
};
irenes = {
name = "Irene Knapp";
email = "ireneista@gmail.com";
@ -5994,6 +6018,12 @@
github = "j0hax";
githubId = 3802620;
};
j0lol = {
name = "Jo";
email = "me@j0.lol";
github = "j0lol";
githubId = 24716467;
};
j4m3s = {
name = "James Landrein";
email = "github@j4m3s.eu";
@ -6221,6 +6251,12 @@
githubId = 117874;
name = "Jeroen de Haas";
};
jdelStrother = {
email = "me@delstrother.com";
github = "jdelStrother";
githubId = 2377;
name = "Jonathan del Strother";
};
jdreaver = {
email = "johndreaver@gmail.com";
github = "jdreaver";
@ -7363,6 +7399,12 @@
githubId = 2037002;
name = "Konstantinos";
};
kototama = {
email = "kototama@posteo.jp";
github = "kototama";
githubId = 128620;
name = "Kototama";
};
kouyk = {
email = "skykinetic@stevenkou.xyz";
github = "kouyk";
@ -7516,6 +7558,8 @@
};
laalsaas = {
email = "laalsaas@systemli.org";
github = "laalsaas";
githubId = 43275254;
name = "laalsaas";
};
lach = {
@ -8530,6 +8574,12 @@
githubId = 95194;
name = "Mauricio Scheffer";
};
maxhero = {
email = "contact@maxhero.dev";
github = "themaxhero";
githubId = 4708337;
name = "Marcelo A. de L. Santos";
};
max-niederman = {
email = "max@maxniederman.com";
github = "max-niederman";
@ -8791,7 +8841,7 @@
email = "megoettlinger@gmail.com";
github = "mgttlinger";
githubId = 5120487;
name = "Merlin Göttlinger";
name = "Merlin Humml";
};
mguentner = {
email = "code@klandest.in";
@ -9072,6 +9122,15 @@
fingerprint = "E90C BA34 55B3 6236 740C 038F 0D94 8CE1 9CF4 9C5F";
}];
};
mktip = {
email = "mo.issa.ok+nix@gmail.com";
github = "mktip";
githubId = 45905717;
name = "Mohammad Issa";
keys = [{
fingerprint = "64BE BF11 96C3 DD7A 443E 8314 1DC0 82FA DE5B A863";
}];
};
mlieberman85 = {
email = "mlieberman85@gmail.com";
github = "mlieberman85";
@ -9424,6 +9483,12 @@
githubId = 772914;
name = "Mikael Voss";
};
mwolfe = {
email = "corp@m0rg.dev";
github = "m0rg-dev";
githubId = 38578268;
name = "Morgan Wolfe";
};
maxwilson = {
email = "nixpkgs@maxwilson.dev";
github = "mwilsoncoding";
@ -10728,6 +10793,15 @@
fingerprint = "B00F E582 FD3F 0732 EA48 3937 F558 14E4 D687 4375";
}];
};
PlayerNameHere = {
name = "Dixon Sean Low Yan Feng";
email = "dixonseanlow@protonmail.com";
github = "PlayerNameHere";
githubId = 56017218;
keys = [{
fingerprint = "E6F4 BFB4 8DE3 893F 68FC A15F FF5F 4B30 A41B BAC8";
}];
};
plchldr = {
email = "mail@oddco.de";
github = "plchldr";
@ -10740,6 +10814,12 @@
githubId = 358550;
name = "Philip Lykke Carlsen";
};
pleshevskiy = {
email = "dmitriy@pleshevski.ru";
github = "pleshevskiy";
githubId = 7839004;
name = "Dmitriy Pleshevskiy";
};
plumps = {
email = "maks.bronsky@web.de";
github = "plumps";
@ -12144,6 +12224,16 @@
githubId = 3598650;
name = "Fritz Otlinghaus";
};
Scrumplex = {
name = "Sefa Eyeoglu";
email = "contact@scrumplex.net";
matrix = "@Scrumplex:duckhub.io";
github = "Scrumplex";
githubId = 11587657;
keys = [{
fingerprint = "AF1F B107 E188 CB97 9A94 FD7F C104 1129 4912 A422";
}];
};
scubed2 = {
email = "scubed2@gmail.com";
github = "scubed2";
@ -13233,6 +13323,12 @@
githubId = 102685;
name = "Thomas Friese";
};
taylor1791 = {
email = "nixpkgs@tayloreverding.com";
github = "taylor1791";
githubId = 555003;
name = "Taylor Everding";
};
tazjin = {
email = "mail@tazj.in";
github = "tazjin";
@ -13699,12 +13795,6 @@
githubId = 2164118;
name = "Tobias Bora";
};
tohl = {
email = "tom@logand.com";
github = "tohl";
githubId = 12159013;
name = "Tomas Hlavaty";
};
tokudan = {
email = "git@danielfrank.net";
github = "tokudan";
@ -14045,11 +14135,11 @@
name = "Urban Skudnik";
};
usrfriendly = {
name = "Arin Lares";
email = "arinlares@gmail.com";
github = "usrfriendly";
githubId = 2502060;
};
name = "Arin Lares";
email = "arinlares@gmail.com";
github = "usrfriendly";
githubId = 2502060;
};
utdemir = {
email = "me@utdemir.com";
github = "utdemir";
@ -14458,6 +14548,12 @@
fingerprint = "2145 955E 3F5E 0C95 3458 41B5 11F7 BAEA 8567 43FF";
}];
};
wentam = {
name = "Matt Egeler";
email = "wentam42@gmail.com";
github = "wentam";
githubId = 901583;
};
wentasah = {
name = "Michal Sojka";
email = "wsh@2x.cz";
@ -15636,4 +15732,16 @@
github = "quasigod-io";
githubId = 62124625;
};
waelwindows = {
email = "waelwindows9922@gmail.com";
github = "Waelwindows";
githubId = 5228243;
name = "waelwindows";
};
wuyoli = {
name = "wuyoli";
email = "wuyoli@tilde.team";
github = "wuyoli";
githubId = 104238274;
};
}

2
maintainers/scripts/feature-freeze-teams.pl
View File

@ -31,7 +31,7 @@ sub github_team_members {
push @ret, $_->{'login'};
}
} else {
print {*STDERR} "!! Requesting members of GitHub Team '$team_name' failed: $response->status_line";
print {*STDERR} "!! Requesting members of GitHub Team '$team_name' failed: " . $response->status_line;
}
return \@ret;

2
maintainers/scripts/haskell/update-cabal2nix-unstable.sh
View File

@ -14,4 +14,4 @@ commit="$(jq -r .commit.sha <<< "$head_info")"
date="$(date "--date=$(jq -r .commit.commit.committer.date <<< "$head_info")" +%F)"
# generate nix expression from cabal file, replacing the version with the commit date
echo '# This file defines cabal2nix-unstable, used by maintainers/scripts/haskell/regenerate-hackage-packages.sh.' > pkgs/development/haskell-modules/cabal2nix-unstable.nix
cabal2nix "https://github.com/NixOS/cabal2nix/archive/$commit.tar.gz" | sed -e 's/version = ".*"/version = "'"unstable-$date"'"/' >> pkgs/development/haskell-modules/cabal2nix-unstable.nix
cabal2nix --subpath cabal2nix "https://github.com/NixOS/cabal2nix/archive/$commit.tar.gz" | sed -e 's/version = ".*"/version = "'"unstable-$date"'"/' >> pkgs/development/haskell-modules/cabal2nix-unstable.nix

4
maintainers/scripts/luarocks-packages.csv
View File

@ -63,7 +63,7 @@ luaepnf,,,,,,
luaevent,,,,,,
luaexpat,,,,1.4.1-1,,arobyn flosse
luaffi,,,http://luarocks.org/dev,,,
luafilesystem,,,,1.7.0-2,,flosse
luafilesystem,,,,1.8.0-1,,flosse
lualogging,,,,,,
luaossl,,,,,5.1,
luaposix,,,,34.1.1-1,,vyp lblasc
@ -87,7 +87,7 @@ mediator_lua,,,,,,
mpack,,,,,,
moonscript,https://github.com/leafo/moonscript.git,dev-1,,,,arobyn
nvim-client,https://github.com/neovim/lua-client.git,,,,,
nvim-cmp,,,,,,
nvim-cmp,https://github.com/hrsh7th/nvim-cmp,,,,,
penlight,https://github.com/lunarmodules/Penlight.git,,,,,alerque
plenary.nvim,https://github.com/nvim-lua/plenary.nvim.git,,,,5.1,
rapidjson,https://github.com/xpol/lua-rapidjson.git,,,,,

1 name src ref server version luaversion maintainers
63 luaevent
64 luaexpat 1.4.1-1 arobyn flosse
65 luaffi http://luarocks.org/dev
66 luafilesystem 1.7.0-2 1.8.0-1 flosse
67 lualogging
68 luaossl 5.1
69 luaposix 34.1.1-1 vyp lblasc
87 mpack
88 moonscript https://github.com/leafo/moonscript.git dev-1 arobyn
89 nvim-client https://github.com/neovim/lua-client.git
90 nvim-cmp https://github.com/hrsh7th/nvim-cmp
91 penlight https://github.com/lunarmodules/Penlight.git alerque
92 plenary.nvim https://github.com/nvim-lua/plenary.nvim.git 5.1
93 rapidjson https://github.com/xpol/lua-rapidjson.git

12
maintainers/scripts/update.nix
View File

@ -48,7 +48,17 @@ let
let
result = builtins.tryEval pathContent;
dedupResults = lst: nubOn ({ package, attrPath }: package.updateScript) (lib.concatLists lst);
somewhatUniqueRepresentant =
{ package, attrPath }: {
inherit (package) updateScript;
# Some updaters use the same `updateScript` value for all packages.
# Also compare `meta.description`.
position = package.meta.position or null;
# We cannot always use `meta.position` since it might not be available
# or it might be shared among multiple packages.
};
dedupResults = lst: nubOn somewhatUniqueRepresentant (lib.concatLists lst);
in
if result.success then
let

3
maintainers/team-list.nix
View File

@ -182,6 +182,8 @@ with lib.maintainers; {
members = [
cole-h
grahamc
hoverbear
lheckemann
];
scope = "Group registration for packages maintained by Determinate Systems.";
shortName = "Determinate Systems employees";
@ -673,7 +675,6 @@ with lib.maintainers; {
# Verify additions by approval of an already existing member of the team.
members = [
balsoft
mkaito
];
scope = "Group registration for Serokell employees who collectively maintain packages.";
shortName = "Serokell employees";

2
nixos/doc/manual/administration/declarative-containers.section.md
View File

@ -9,7 +9,7 @@ containers.database =
{ config =
{ config, pkgs, ... }:
{ services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql_10;
services.postgresql.package = pkgs.postgresql_14;
};
};
```

2
nixos/doc/manual/configuration/config-file.section.md
View File

@ -166,7 +166,7 @@ Packages
pkgs.emacs
];
services.postgresql.package = pkgs.postgresql_10;
services.postgresql.package = pkgs.postgresql_14;
```
The latter option definition changes the default PostgreSQL package

8
nixos/doc/manual/configuration/kubernetes.chapter.md
View File

@ -43,14 +43,6 @@ Note: Assigning either role will also default both
and [](#opt-services.kubernetes.easyCerts)
to true. This sets up flannel as CNI and activates automatic PKI bootstrapping.
As of kubernetes 1.10.X it has been deprecated to open non-tls-enabled
ports on kubernetes components. Thus, from NixOS 19.03 all plain HTTP
ports have been disabled by default. While opening insecure ports is
still possible, it is recommended not to bind these to other interfaces
than loopback. To re-enable the insecure port on the apiserver, see options:
[](#opt-services.kubernetes.apiserver.insecurePort) and
[](#opt-services.kubernetes.apiserver.insecureBindAddress)
::: {.note}
As of NixOS 19.03, it is mandatory to configure:
[](#opt-services.kubernetes.masterAddress).

2
nixos/doc/manual/from_md/administration/declarative-containers.section.xml
View File

@ -11,7 +11,7 @@ containers.database =
{ config =
{ config, pkgs, ... }:
{ services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql_10;
services.postgresql.package = pkgs.postgresql_14;
};
};
</programlisting>

2
nixos/doc/manual/from_md/configuration/config-file.section.xml
View File

@ -217,7 +217,7 @@ environment.systemPackages =
pkgs.emacs
];
services.postgresql.package = pkgs.postgresql_10;
services.postgresql.package = pkgs.postgresql_14;
</programlisting>
<para>
The latter option definition changes the default PostgreSQL

11
nixos/doc/manual/from_md/configuration/kubernetes.chapter.xml
View File

@ -47,17 +47,6 @@ services.kubernetes.roles = [ &quot;master&quot; &quot;node&quot; ];
<xref linkend="opt-services.kubernetes.easyCerts" /> to true. This
sets up flannel as CNI and activates automatic PKI bootstrapping.
</para>
<para>
As of kubernetes 1.10.X it has been deprecated to open
non-tls-enabled ports on kubernetes components. Thus, from NixOS
19.03 all plain HTTP ports have been disabled by default. While
opening insecure ports is still possible, it is recommended not to
bind these to other interfaces than loopback. To re-enable the
insecure port on the apiserver, see options:
<xref linkend="opt-services.kubernetes.apiserver.insecurePort" />
and
<xref linkend="opt-services.kubernetes.apiserver.insecureBindAddress" />
</para>
<note>
<para>
As of NixOS 19.03, it is mandatory to configure:

148
nixos/doc/manual/from_md/installation/installing-usb.section.xml
View File

@ -1,35 +1,135 @@
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-booting-from-usb">
<title>Booting from a USB Drive</title>
<title>Booting from a USB flash drive</title>
<para>
For systems without CD drive, the NixOS live CD can be booted from a
USB stick. You can use the <literal>dd</literal> utility to write
the image: <literal>dd if=path-to-image of=/dev/sdX</literal>. Be
careful about specifying the correct drive; you can use the
<literal>lsblk</literal> command to get a list of block devices.
The image has to be written verbatim to the USB flash drive for it
to be bootable on UEFI and BIOS systems. Here are the recommended
tools to do that.
</para>
<note>
<title>On macOS</title>
<section xml:id="sec-booting-from-usb-graphical">
<title>Creating bootable USB flash drive with a graphical
tool</title>
<para>
Etcher is a popular and user-friendly tool. It works on Linux,
Windows and macOS.
</para>
<para>
Download it from
<link xlink:href="https://www.balena.io/etcher/">balena.io</link>,
start the program, select the downloaded NixOS ISO, then select
the USB flash drive and flash it.
</para>
<warning>
<para>
Etcher reports errors and usage statistics by default, which can
be disabled in the settings.
</para>
</warning>
<para>
An alternative is
<link xlink:href="https://bztsrc.gitlab.io/usbimager">USBImager</link>,
which is very simple and does not connect to the internet.
Download the version with write-only (wo) interface for your
system. Start the program, select the image, select the USB flash
drive and click <quote>Write</quote>.
</para>
</section>
<section xml:id="sec-booting-from-usb-linux">
<title>Creating bootable USB flash drive from a Terminal on
Linux</title>
<orderedlist numeration="arabic" spacing="compact">
<listitem>
<para>
Plug in the USB flash drive.
</para>
</listitem>
<listitem>
<para>
Find the corresponding device with <literal>lsblk</literal>.
You can distinguish them by their size.
</para>
</listitem>
<listitem>
<para>
Make sure all partitions on the device are properly unmounted.
Replace <literal>sdX</literal> with your device (e.g.
<literal>sdb</literal>).
</para>
</listitem>
</orderedlist>
<programlisting>
$ diskutil list
[..]
/dev/diskN (external, physical):
#: TYPE NAME SIZE IDENTIFIER
[..]
$ diskutil unmountDisk diskN
Unmount of all volumes on diskN was successful
$ sudo dd if=nix.iso of=/dev/rdiskN bs=1M
sudo umount /dev/sdX*
</programlisting>
<orderedlist numeration="arabic" spacing="compact">
<listitem override="4">
<para>
Then use the <literal>dd</literal> utility to write the image
to the USB flash drive.
</para>
</listitem>
</orderedlist>
<programlisting>
sudo dd if=&lt;path-to-image&gt; of=/dev/sdX bs=4M conv=fsync
</programlisting>
</section>
<section xml:id="sec-booting-from-usb-macos">
<title>Creating bootable USB flash drive from a Terminal on
macOS</title>
<orderedlist numeration="arabic" spacing="compact">
<listitem>
<para>
Plug in the USB flash drive.
</para>
</listitem>
<listitem>
<para>
Find the corresponding device with
<literal>diskutil list</literal>. You can distinguish them by
their size.
</para>
</listitem>
<listitem>
<para>
Make sure all partitions on the device are properly unmounted.
Replace <literal>diskX</literal> with your device (e.g.
<literal>disk1</literal>).
</para>
</listitem>
</orderedlist>
<programlisting>
diskutil unmountDisk diskX
</programlisting>
<orderedlist numeration="arabic" spacing="compact">
<listitem override="4">
<para>
Then use the <literal>dd</literal> utility to write the image
to the USB flash drive.
</para>
</listitem>
</orderedlist>
<programlisting>
sudo dd if=&lt;path-to-image&gt; of=/dev/rdiskX bs=4m
</programlisting>
<para>
Using the 'raw' <literal>rdiskN</literal> device instead of
<literal>diskN</literal> completes in minutes instead of hours.
After <literal>dd</literal> completes, a GUI dialog &quot;The disk
you inserted was not readable by this computer&quot; will pop up,
which can be ignored.
</para>
</note>
<para>
The <literal>dd</literal> utility will write the image verbatim to
the drive, making it the recommended option for both UEFI and
non-UEFI installations.
</para>
<note>
<para>
Using the 'raw' <literal>rdiskX</literal> device instead of
<literal>diskX</literal> with dd completes in minutes instead of
hours.
</para>
</note>
<orderedlist numeration="arabic" spacing="compact">
<listitem override="5">
<para>
Eject the disk when it is finished.
</para>
</listitem>
</orderedlist>
<programlisting>
diskutil eject /dev/diskX
</programlisting>
</section>
</section>

1123
nixos/doc/manual/from_md/installation/installing.chapter.xml
View File

File diff suppressed because it is too large Load Diff

29
nixos/doc/manual/from_md/installation/obtaining.chapter.xml
View File

@ -2,16 +2,15 @@
<title>Obtaining NixOS</title>
<para>
NixOS ISO images can be downloaded from the
<link xlink:href="https://nixos.org/nixos/download.html">NixOS
download page</link>. There are a number of installation options. If
you happen to have an optical drive and a spare CD, burning the
image to CD and booting from that is probably the easiest option.
Most people will need to prepare a USB stick to boot from.
<xref linkend="sec-booting-from-usb" /> describes the preferred
method to prepare a USB stick. A number of alternative methods are
presented in the
<link xlink:href="https://nixos.wiki/wiki/NixOS_Installation_Guide#Making_the_installation_media">NixOS
Wiki</link>.
<link xlink:href="https://nixos.org/download.html#nixos-iso">NixOS
download page</link>. Follow the instructions in
<xref linkend="sec-booting-from-usb" /> to create a bootable USB
flash drive.
</para>
<para>
If you have a very old system that cant boot from USB, you can burn
the image to an empty CD. NixOS might not work very well on such
systems.
</para>
<para>
As an alternative to installing NixOS yourself, you can get a
@ -23,16 +22,16 @@
Using virtual appliances in Open Virtualization Format (OVF)
that can be imported into VirtualBox. These are available from
the
<link xlink:href="https://nixos.org/nixos/download.html">NixOS
<link xlink:href="https://nixos.org/download.html#nixos-virtualbox">NixOS
download page</link>.
</para>
</listitem>
<listitem>
<para>
Using AMIs for Amazons EC2. To find one for your region and
instance type, please refer to the
<link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/ec2-amis.nix">list
of most recent AMIs</link>.
Using AMIs for Amazons EC2. To find one for your region, please
refer to the
<link xlink:href="https://nixos.org/download.html#nixos-amazon">download
page</link>.
</para>
</listitem>
<listitem>

20
nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
View File

@ -1501,18 +1501,18 @@
</listitem>
<listitem>
<para>
MultiMC has been replaced with the fork PolyMC due to upstream
developers being hostile to 3rd party package maintainers.
PolyMC removes all MultiMC branding and is aimed at providing
proper 3rd party packages like the one contained in Nixpkgs.
This change affects the data folder where game instances and
other save and configuration files are stored. Users with
existing installations should rename
MultiMC has been replaced with the fork PrismLauncher due to
upstream developers being hostile to 3rd party package
maintainers. PrismLauncher removes all MultiMC branding and is
aimed at providing proper 3rd party packages like the one
contained in Nixpkgs. This change affects the data folder
where game instances and other save and configuration files
are stored. Users with existing installations should rename
<literal>~/.local/share/multimc</literal> to
<literal>~/.local/share/polymc</literal>. The main config
files path has also moved from
<literal>~/.local/share/PrismLauncher</literal>. The main
config files path has also moved from
<literal>~/.local/share/multimc/multimc.cfg</literal> to
<literal>~/.local/share/polymc/polymc.cfg</literal>.
<literal>~/.local/share/PrismLauncher/prismlauncher.cfg</literal>.
</para>
</listitem>
<listitem>

300
nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
View File

@ -137,6 +137,15 @@
certificates by default.
</para>
</listitem>
<listitem>
<para>
Improved performances of
<literal>lib.closePropagation</literal> which was previously
quadratic. This is used in e.g.
<literal>ghcWithPackages</literal>. Please see backward
incompatibilities notes below.
</para>
</listitem>
<listitem>
<para>
Cinnamon has been updated to 5.4. While at it, the cinnamon
@ -180,6 +189,15 @@
<link xlink:href="options.html#opt-virtualisation.appvm.enable">virtualisation.appvm</link>.
</para>
</listitem>
<listitem>
<para>
[xray] (https://github.com/XTLS/Xray-core), a fully compatible
v2ray-core replacement. Features XTLS, which when enabled on
server and client, brings UDP FullCone NAT to proxy setups.
Available as
<link xlink:href="options.html#opt-services.xray.enable">services.xray</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/mozilla-services/syncstorage-rs">syncstorage-rs</link>,
@ -254,6 +272,13 @@
<link xlink:href="options.html#opt-services.kanata.enable">services.kanata</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/prymitive/karma">karma</link>,
an alert dashboard for Prometheus Alertmanager. Available as
<link xlink:href="options.html#opt-services.karma.enable">services.karma</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://languagetool.org/">languagetool</link>,
@ -275,6 +300,13 @@
<link linkend="opt-services.outline.enable">services.outline</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://ntfy.sh">ntfy.sh</link>, a push
notification service. Available as
<link linkend="opt-services.ntfy-sh.enable">services.ntfy-sh</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://git.sr.ht/~migadu/alps">alps</link>,
@ -289,6 +321,14 @@
<link linkend="opt-services.endlessh-go.enable">services.endlessh-go</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://garagehq.deuxfleurs.fr/">Garage</link>,
a simple object storage server for geodistributed deployments,
alternative to MinIO. Available as
<link linkend="opt-services.garage.enable">services.garage</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://netbird.io">netbird</link>, a zero
@ -334,6 +374,13 @@
<link linkend="opt-services.expressvpn.enable">services.expressvpn</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://troglobit.com/projects/merecat/">merecat</link>,
a small and easy HTTP server based on thttpd. Available as
<link linkend="opt-services.merecat.enable">services.merecat</link>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/L11R/go-autoconfig">go-autoconfig</link>,
@ -396,6 +443,13 @@
<link xlink:href="options.html#opt-services.listmonk.enable">services.listmonk</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://uptime.kuma.pet/">Uptime
Kuma</link>, a fancy self-hosted monitoring tool. Available as
<link linkend="opt-services.uptime-kuma.enable">services.uptime-kuma</link>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.11-incompatibilities">
@ -473,6 +527,16 @@
future Git update without notice.
</para>
</listitem>
<listitem>
<para>
<literal>openssh</literal> was updated to version 9.1,
disabling the generation of DSA keys when using
<literal>ssh-keygen -A</literal> as they are insecure. Also,
<literal>SetEnv</literal> directives in
<literal>ssh_config</literal> and
<literal>sshd_config</literal> are now first-match-wins
</para>
</listitem>
<listitem>
<para>
<literal>bsp-layout</literal> no longer uses the command
@ -529,6 +593,17 @@
this version for the entire lifecycle of the 22.11 release.
</para>
</listitem>
<listitem>
<para>
The ipfs package and module were renamed to kubo. The kubo
module now uses an RFC42-style <literal>settings</literal>
option instead of <literal>extraConfig</literal> and the
<literal>gatewayAddress</literal>,
<literal>apiAddress</literal> and
<literal>swarmAddress</literal> options were renamed. Using
the old names will print a warning but still work.
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.cosign</literal> does not provide the
@ -579,6 +654,12 @@
notes</link>.
</para>
</listitem>
<listitem>
<para>
<literal>lib.closePropagation</literal> now needs that all
gathered sets have an <literal>outPath</literal> attribute.
</para>
</listitem>
<listitem>
<para>
lemmy module option
@ -593,6 +674,35 @@
module removed, due to lack of maintainers.
</para>
</listitem>
<listitem>
<para>
The <literal>nix.checkConfig</literal> option now fully
disables the config check. The new
<literal>nix.checkAllErrors</literal> option behaves like
<literal>nix.checkConfig</literal> previously did.
</para>
</listitem>
<listitem>
<para>
<literal>generateOptparseApplicativeCompletions</literal> and
<literal>generateOptparseApplicativeCompletion</literal> from
<literal>haskell.lib.compose</literal> (and
<literal>haskell.lib</literal>) have been deprecated in favor
of <literal>generateOptparseApplicativeCompletions</literal>
(plural!) as provided by the haskell package sets (so
<literal>haskellPackages.generateOptparseApplicativeCompletions</literal>
etc.). The latter allows for cross-compilation (by
automatically disabling generation of completion in the cross
case). For it to work properly you need to make sure that the
function comes from the same context as the package you are
trying to override, i.e. always use the same package set as
your package is coming from or even better use
<literal>self.generateOptparseApplicativeCompletions</literal>
if you are overriding a haskell package set. The old functions
are retained for backwards compatibility, but yield are
warning.
</para>
</listitem>
<listitem>
<para>
The <literal>services.graphite.api</literal> and
@ -611,6 +721,16 @@
instead.
</para>
</listitem>
<listitem>
<para>
The
<link xlink:href="https://ce-programming.github.io/CEmu">CEmu
TI-84 Plus CE emulator</link> package has been renamed to
<literal>cemu-ti</literal>. The
<link xlink:href="https://cemu.info">Cemu Wii U
emulator</link> is now packaged as <literal>cemu</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>systemd-networkd</literal> v250 deprecated, renamed,
@ -666,6 +786,12 @@
system timezone.
</para>
</listitem>
<listitem>
<para>
The top-level <literal>termonad-with-packages</literal> alias
for <literal>termonad</literal> has been removed.
</para>
</listitem>
<listitem>
<para>
(Neo)Vim can not be configured with
@ -680,6 +806,14 @@
for vim).
</para>
</listitem>
<listitem>
<para>
The <literal>adguardhome</literal> module no longer uses
<literal>host</literal> and <literal>port</literal> options,
use <literal>settings.bind_host</literal> and
<literal>settings.bind_port</literal> instead.
</para>
</listitem>
<listitem>
<para>
The default <literal>kops</literal> version is now 1.25.1 and
@ -692,6 +826,24 @@
due to upstream dropping support.
</para>
</listitem>
<listitem>
<para>
<literal>mysql57</literal> has been removed. Please update to
<literal>mysql80</literal> or <literal>mariadb</literal>. See
the
<link xlink:href="https://mariadb.com/kb/en/upgrading-from-mysql-to-mariadb/">upgrade
guide</link> for more information.
</para>
</listitem>
<listitem>
<para>
Consequently, <literal>cqrlog</literal> and
<literal>amorok</literal> now use <literal>mariadb</literal>
instead of <literal>mysql57</literal> for their embedded
databases. Running <literal>mysql_upgrade</literal> may be
neccesary.
</para>
</listitem>
<listitem>
<para>
<literal>k3s</literal> supports <literal>clusterInit</literal>
@ -707,6 +859,16 @@
<literal>[ &quot;lua54&quot; &quot;luau&quot; ]</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.fetchNextcloudApp</literal> has been rewritten
to circumvent impurities in e.g. tarballs from GitHub and to
make it easier to apply patches. This means that your hashes
are out-of-date and the (previously required) attributes
<literal>name</literal> and <literal>version</literal> are no
longer accepted.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.11-notable-changes">
@ -738,6 +900,18 @@
<literal>hardware.saleae-logic.package</literal>.
</para>
</listitem>
<listitem>
<para>
ZFS module will not allow hibernation by default, this is a
safety measure to prevent data loss cases like the ones
described at
<link xlink:href="https://github.com/openzfs/zfs/issues/260">OpenZFS/260</link>
and
<link xlink:href="https://github.com/openzfs/zfs/issues/12842">OpenZFS/12842</link>.
Use the <literal>boot.zfs.allowHibernation</literal> option to
configure this behaviour.
</para>
</listitem>
<listitem>
<para>
The Redis module now disables RDB persistence when
@ -758,12 +932,84 @@
the mtu on interfaces and tag its packets with an fwmark.
</para>
</listitem>
<listitem>
<para>
The option <literal>overrideStrategy</literal> was added to
the different systemd unit options
(<literal>systemd.services.&lt;name&gt;</literal>,
<literal>systemd.sockets.&lt;name&gt;</literal>, …) to allow
enforcing the creation of a dropin file, rather than the main
unit file, by setting it to <literal>asDropin</literal>. This
is useful in cases where the existence of the main unit file
is not known to Nix at evaluation time, for example when the
main unit file is provided by adding a package to
<literal>systemd.packages</literal>. See the fix proposed in
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/135557#issuecomment-1295392470">NixOSs
systemd abstraction doesnt work with systemd template
units</link> for an example.
</para>
</listitem>
<listitem>
<para>
The <literal>polymc</literal> package has been removed due to
a rogue maintainer. It has been replaced by
<literal>prismlauncher</literal>, a fork by the rest of the
maintainers. For more details, see
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/196624">the
pull request that made this change</link> and
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/196460">this
issue detailing the vulnerability</link>. Users with existing
installations should rename
<literal>~/.local/share/polymc</literal> to
<literal>~/.local/share/PrismLauncher</literal>. The main
config files path has also moved from
<literal>~/.local/share/polymc/polymc.cfg</literal> to
<literal>~/.local/share/PrismLauncher/prismlauncher.cfg</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>bloat</literal> package has been updated from
unstable-2022-03-31 to unstable-2022-10-25, which brings a
breaking change. See
<link xlink:href="https://git.freesoftwareextremist.com/bloat/commit/?id=887ed241d64ba5db3fd3d87194fb5595e5ad7d73">this
upstream commit message</link> for details.
</para>
</listitem>
<listitem>
<para>
The <literal>services.matrix-synapse</literal> systemd unit
has been hardened.
</para>
</listitem>
<listitem>
<para>
The <literal>services.grafana</literal> options were converted
to a
<link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
0042</link> configuration.
</para>
</listitem>
<listitem>
<para>
The <literal>services.grafana.provision.datasources</literal>
and <literal>services.grafana.provision.dashboards</literal>
options were converted to a
<link xlink:href="https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md">RFC
0042</link> configuration. They also now support specifying
the provisioning YAML file with <literal>path</literal>
option.
</para>
</listitem>
<listitem>
<para>
The <literal>services.grafana.provision.alerting</literal>
option was added. It includes suboptions for every
alerting-related objects (with the exception of
<literal>notifiers</literal>), which means its now possible
to configure modern Grafana alerting declaratively.
</para>
</listitem>
<listitem>
<para>
Matrix Synapse now requires entries in the
@ -838,6 +1084,48 @@
re-enabled it.
</para>
</listitem>
<listitem>
<para>
Nextcloud has been updated to version
<emphasis role="strong">25</emphasis>. Additionally the
following things have changed for Nextcloud in NixOS:
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
For Nextcloud <emphasis role="strong">&gt;=24</emphasis>,
the default PHP version is 8.1.
</para>
</listitem>
<listitem>
<para>
Nextcloud <emphasis role="strong">23</emphasis> has been
removed since it will reach its
<link xlink:href="https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/d76576a12a626d53305d480a6065b57cab705d3d">end
of life in December 2022</link>.
</para>
</listitem>
<listitem>
<para>
For <literal>system.stateVersion</literal> being
<emphasis role="strong">&gt;=22.11</emphasis>, Nextcloud
25 will be installed by default. For older versions,
Nextcloud 24 will be installed.
</para>
</listitem>
<listitem>
<para>
Please ensure that you only upgrade on major release at a
time! Nextcloud doesnt support upgrades across multiple
versions, i.e. an upgrade from
<emphasis role="strong">23</emphasis> to
<emphasis role="strong">25</emphasis> is only possible
when upgrading to <emphasis role="strong">24</emphasis>
first.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
Add udev rules for the Teensy family of microcontrollers.
@ -880,6 +1168,18 @@
<literal>services.wordpress.sites.&lt;site&gt;.languages</literal>.
</para>
</listitem>
<listitem>
<para>
The default package for
<literal>services.mullvad-vpn.package</literal> was changed to
<literal>pkgs.mullvad</literal>, allowing cross-platform usage
of Mullvad. <literal>pkgs.mullvad</literal> only contains the
Mullvad CLI tool, so users who rely on the Mullvad GUI will
want to change it back to <literal>pkgs.mullvad-vpn</literal>,
or add <literal>pkgs.mullvad-vpn</literal> to their
environment.
</para>
</listitem>
<listitem>
<para>
There is a new module for the <literal>thunar</literal>

91
nixos/doc/manual/installation/installing-usb.section.md
View File

@ -1,31 +1,72 @@
# Booting from a USB Drive {#sec-booting-from-usb}
# Booting from a USB flash drive {#sec-booting-from-usb}
For systems without CD drive, the NixOS live CD can be booted from a USB
stick. You can use the `dd` utility to write the image:
`dd if=path-to-image of=/dev/sdX`. Be careful about specifying the correct
drive; you can use the `lsblk` command to get a list of block devices.
The image has to be written verbatim to the USB flash drive for it to be
bootable on UEFI and BIOS systems. Here are the recommended tools to do that.
::: {.note}
::: {.title}
On macOS
## Creating bootable USB flash drive with a graphical tool {#sec-booting-from-usb-graphical}
Etcher is a popular and user-friendly tool. It works on Linux, Windows and macOS.
Download it from [balena.io](https://www.balena.io/etcher/), start the program,
select the downloaded NixOS ISO, then select the USB flash drive and flash it.
::: {.warning}
Etcher reports errors and usage statistics by default, which can be disabled in
the settings.
:::
```ShellSession
$ diskutil list
[..]
/dev/diskN (external, physical):
#: TYPE NAME SIZE IDENTIFIER
[..]
$ diskutil unmountDisk diskN
Unmount of all volumes on diskN was successful
$ sudo dd if=nix.iso of=/dev/rdiskN bs=1M
```
An alternative is [USBImager](https://bztsrc.gitlab.io/usbimager),
which is very simple and does not connect to the internet. Download the version
with write-only (wo) interface for your system. Start the program,
select the image, select the USB flash drive and click "Write".
Using the \'raw\' `rdiskN` device instead of `diskN` completes in
minutes instead of hours. After `dd` completes, a GUI dialog \"The disk
you inserted was not readable by this computer\" will pop up, which can
be ignored.
:::
## Creating bootable USB flash drive from a Terminal on Linux {#sec-booting-from-usb-linux}
The `dd` utility will write the image verbatim to the drive, making it
the recommended option for both UEFI and non-UEFI installations.
1. Plug in the USB flash drive.
2. Find the corresponding device with `lsblk`. You can distinguish them by
their size.
3. Make sure all partitions on the device are properly unmounted. Replace `sdX`
with your device (e.g. `sdb`).
```ShellSession
sudo umount /dev/sdX*
```
4. Then use the `dd` utility to write the image to the USB flash drive.
```ShellSession
sudo dd if=<path-to-image> of=/dev/sdX bs=4M conv=fsync
```
## Creating bootable USB flash drive from a Terminal on macOS {#sec-booting-from-usb-macos}
1. Plug in the USB flash drive.
2. Find the corresponding device with `diskutil list`. You can distinguish them
by their size.
3. Make sure all partitions on the device are properly unmounted. Replace `diskX`
with your device (e.g. `disk1`).
```ShellSession
diskutil unmountDisk diskX
```
4. Then use the `dd` utility to write the image to the USB flash drive.
```ShellSession
sudo dd if=<path-to-image> of=/dev/rdiskX bs=4m
```
After `dd` completes, a GUI dialog \"The disk
you inserted was not readable by this computer\" will pop up, which can
be ignored.
::: {.note}
Using the \'raw\' `rdiskX` device instead of `diskX` with dd completes in
minutes instead of hours.
:::
5. Eject the disk when it is finished.
```ShellSession
diskutil eject /dev/diskX
```

166
nixos/doc/manual/installation/installing.chapter.md
View File

@ -1,30 +1,143 @@
# Installing NixOS {#sec-installation}
## Booting the system {#sec-installation-booting}
## Booting from the install medium {#sec-installation-booting}
To begin the installation, you have to boot your computer from the install drive.
1. Plug in the install drive. Then turn on or restart your computer.
2. Open the boot menu by pressing the appropriate key, which is usually shown
on the display on early boot.
Select the USB flash drive (the option usually contains the word "USB").
If you choose the incorrect drive, your computer will likely continue to
boot as normal. In that case restart your computer and pick a
different drive.
::: {.note}
The key to open the boot menu is different across computer brands and even
models. It can be <kbd>F12</kbd>, but also <kbd>F1</kbd>,
<kbd>F9</kbd>, <kbd>F10</kbd>, <kbd>Enter</kbd>, <kbd>Del</kbd>,
<kbd>Esc</kbd> or another function key. If you are unsure and don't see
it on the early boot screen, you can search online for your computers
brand, model followed by "boot from usb".
The computer might not even have that feature, so you have to go into the
BIOS/UEFI settings to change the boot order. Again, search online for
details about your specific computer model.
For Apple computers with Intel processors press and hold the <kbd></kbd>
(Option or Alt) key until you see the boot menu. On Apple silicon press
and hold the power button.
:::
::: {.note}
If your computer supports both BIOS and UEFI boot, choose the UEFI option.
:::
::: {.note}
If you use a CD for the installation, the computer will probably boot from
it automatically. If not, choose the option containing the word "CD" from
the boot menu.
:::
3. Shortly after selecting the appropriate boot drive, you should be
presented with a menu with different installer options. Leave the default
and wait (or press <kbd>Enter</kbd> to speed up).
4. The graphical images will start their corresponding desktop environment
and the graphical installer, which can take some time. The minimal images
will boot to a command line. You have to follow the instructions in
[](#sec-installation-manual) there.
## Graphical Installation {#sec-installation-graphical}
The graphical installer is recommended for desktop users and will guide you
through the installation.
1. In the "Welcome" screen, you can select the language of the Installer and
the installed system.
::: {.tip}
Leaving the language as "American English" will make it easier to search for
error messages in a search engine or to report an issue.
:::
2. Next you should choose your location to have the timezone set correctly.
You can actually click on the map!
::: {.note}
The installer will use an online service to guess your location based on
your public IP address.
:::
3. Then you can select the keyboard layout. The default keyboard model should
work well with most desktop keyboards. If you have a special keyboard or
notebook, your model might be in the list. Select the language you are most
comfortable typing in.
4. On the "Users" screen, you have to type in your display name, login name
and password. You can also enable an option to automatically login to the
desktop.
5. Then you have the option to choose a desktop environment. If you want to
create a custom setup with a window manager, you can select "No desktop".
::: {.tip}
If you don't have a favorite desktop and don't know which one to choose,
you can stick to either GNOME or Plasma. They have a quite different
design, so you should choose whichever you like better.
They are both popular choices and well tested on NixOS.
:::
6. You have the option to allow unfree software in the next screen.
7. The easiest option in the "Partitioning" screen is "Erase disk", which will
delete all data from the selected disk and install the system on it.
Also select "Swap (with Hibernation)" in the dropdown below it.
You have the option to encrypt the whole disk with LUKS.
::: {.note}
At the top left you see if the Installer was booted with BIOS or UEFI. If
you know your system supports UEFI and it shows "BIOS", reboot with the
correct option.
:::
::: {.warning}
Make sure you have selected the correct disk at the top and that no
valuable data is still on the disk! It will be deleted when
formatting the disk.
:::
8. Check the choices you made in the "Summary" and click "Install".
::: {.note}
The installation takes about 15 minutes. The time varies based on the
selected desktop environment, internet connection speed and disk write speed.
:::
9. When the install is complete, remove the USB flash drive and
reboot into your new system!
## Manual Installation {#sec-installation-manual}
NixOS can be installed on BIOS or UEFI systems. The procedure for a UEFI
installation is by and large the same as a BIOS installation. The
differences are mentioned in the steps that follow.
installation is broadly the same as for a BIOS installation. The differences
are mentioned in the following steps.
The installation media can be burned to a CD, or now more commonly,
"burned" to a USB drive (see [](#sec-booting-from-usb)).
The NixOS manual is available by running `nixos-help` in the command line
or from the application menu in the desktop environment.
The installation media contains a basic NixOS installation. When it's
finished booting, it should have detected most of your hardware.
The NixOS manual is available by running `nixos-help`.
To have access to the command line on the graphical images, open
Terminal (GNOME) or Konsole (Plasma) from the application menu.
You are logged-in automatically as `nixos`. The `nixos` user account has
an empty password so you can use `sudo` without a password:
```ShellSession
$ sudo -i
```
If you downloaded the graphical ISO image, you can run `systemctl
start display-manager` to start the desktop environment. If you want
to continue on the terminal, you can use `loadkeys` to switch to your
preferred keyboard layout. (We even provide neo2 via `loadkeys de
neo`!)
You can use `loadkeys` to switch to your preferred keyboard layout.
(We even provide neo2 via `loadkeys de neo`!)
If the text is too small to be legible, try `setfont ter-v32n` to
increase the font size.
@ -33,7 +146,8 @@ To install over a serial port connect with `115200n8` (e.g.
`picocom -b 115200 /dev/ttyUSB0`). When the bootloader lists boot
entries, select the serial console boot entry.
### Networking in the installer {#sec-installation-booting-networking}
### Networking in the installer {#sec-installation-manual-networking}
[]{#sec-installation-booting-networking} <!-- legacy anchor -->
The boot process should have brought up networking (check `ip
a`). Networking is necessary for the installer, since it will
@ -100,7 +214,8 @@ placed by mounting the image on a different machine). Alternatively you
must set a password for either `root` or `nixos` with `passwd` to be
able to login.
## Partitioning and formatting {#sec-installation-partitioning}
### Partitioning and formatting {#sec-installation-manual-partitioning}
[]{#sec-installation-partitioning} <!-- legacy anchor -->
The NixOS installer doesn't do any partitioning or formatting, so you
need to do that yourself.
@ -112,7 +227,8 @@ below use `parted`, but also provides `fdisk`, `gdisk`, `cfdisk`, and
The recommended partition scheme differs depending if the computer uses
*Legacy Boot* or *UEFI*.
### UEFI (GPT) {#sec-installation-partitioning-UEFI}
#### UEFI (GPT) {#sec-installation-manual-partitioning-UEFI}
[]{#sec-installation-partitioning-UEFI} <!-- legacy anchor -->
Here\'s an example partition scheme for UEFI, using `/dev/sda` as the
device.
@ -158,9 +274,10 @@ update /etc/fstab.
```
Once complete, you can follow with
[](#sec-installation-partitioning-formatting).
[](#sec-installation-manual-partitioning-formatting).
### Legacy Boot (MBR) {#sec-installation-partitioning-MBR}
#### Legacy Boot (MBR) {#sec-installation-manual-partitioning-MBR}
[]{#sec-installation-partitioning-MBR} <!-- legacy anchor -->
Here\'s an example partition scheme for Legacy Boot, using `/dev/sda` as
the device.
@ -202,9 +319,10 @@ update /etc/fstab.
:::
Once complete, you can follow with
[](#sec-installation-partitioning-formatting).
[](#sec-installation-manual-partitioning-formatting).
### Formatting {#sec-installation-partitioning-formatting}
#### Formatting {#sec-installation-manual-partitioning-formatting}
[]{#sec-installation-partitioning-formatting} <!-- legacy anchor -->
Use the following commands:
@ -239,7 +357,8 @@ Use the following commands:
- For creating software RAID devices, use `mdadm`.
## Installing {#sec-installation-installing}
### Installing {#sec-installation-manual-installing}
[]{#sec-installation-installing} <!-- legacy anchor -->
1. Mount the target file system on which NixOS should be installed on
`/mnt`, e.g.
@ -410,7 +529,8 @@ Use the following commands:
You may also want to install some software. This will be covered in
[](#sec-package-management).
## Installation summary {#sec-installation-summary}
### Installation summary {#sec-installation-manual-summary}
[]{#sec-installation-summary} <!-- legacy anchor -->
To summarise, [Example: Commands for Installing NixOS on `/dev/sda`](#ex-install-sequence)
shows a typical sequence of commands for installing NixOS on an empty hard

19
nixos/doc/manual/installation/obtaining.chapter.md
View File

@ -1,24 +1,21 @@
# Obtaining NixOS {#sec-obtaining}
NixOS ISO images can be downloaded from the [NixOS download
page](https://nixos.org/nixos/download.html). There are a number of
installation options. If you happen to have an optical drive and a spare
CD, burning the image to CD and booting from that is probably the
easiest option. Most people will need to prepare a USB stick to boot
from. [](#sec-booting-from-usb) describes the preferred method to
prepare a USB stick. A number of alternative methods are presented in
the [NixOS Wiki](https://nixos.wiki/wiki/NixOS_Installation_Guide#Making_the_installation_media).
page](https://nixos.org/download.html#nixos-iso). Follow the instructions in
[](#sec-booting-from-usb) to create a bootable USB flash drive.
If you have a very old system that can't boot from USB, you can burn the image
to an empty CD. NixOS might not work very well on such systems.
As an alternative to installing NixOS yourself, you can get a running
NixOS system through several other means:
- Using virtual appliances in Open Virtualization Format (OVF) that
can be imported into VirtualBox. These are available from the [NixOS
download page](https://nixos.org/nixos/download.html).
download page](https://nixos.org/download.html#nixos-virtualbox).
- Using AMIs for Amazon's EC2. To find one for your region and
instance type, please refer to the [list of most recent
AMIs](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/ec2-amis.nix).
- Using AMIs for Amazon's EC2. To find one for your region, please refer
to the [download page](https://nixos.org/download.html#nixos-amazon).
- Using NixOps, the NixOS-based cloud deployment tool, which allows
you to provision VirtualBox and EC2 NixOS instances from declarative

1
nixos/doc/manual/md-to-db.sh
View File

@ -19,6 +19,7 @@ pandoc_flags=(
"--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/myst-reader/roles.lua"
"--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/link-unix-man-references.lua"
"--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/rst-roles.lua"
"--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/html-elements.lua"
"--lua-filter=$DIR/../../../doc/build-aux/pandoc-filters/docbook-writer/labelless-link-is-xref.lua"
-f "commonmark${pandoc_commonmark_enabled_extensions}+smart"
-t docbook

10
nixos/doc/manual/release-notes/rl-2205.section.md
View File

@ -581,7 +581,15 @@ In addition to numerous new and upgraded packages, this release has the followin
- The `miller` package has been upgraded from 5.10.3 to [6.2.0](https://github.com/johnkerl/miller/releases/tag/v6.2.0). See [What's new in Miller 6](https://miller.readthedocs.io/en/latest/new-in-miller-6).
- MultiMC has been replaced with the fork PolyMC due to upstream developers being hostile to 3rd party package maintainers. PolyMC removes all MultiMC branding and is aimed at providing proper 3rd party packages like the one contained in Nixpkgs. This change affects the data folder where game instances and other save and configuration files are stored. Users with existing installations should rename `~/.local/share/multimc` to `~/.local/share/polymc`. The main config file's path has also moved from `~/.local/share/multimc/multimc.cfg` to `~/.local/share/polymc/polymc.cfg`.
- MultiMC has been replaced with the fork PrismLauncher due to upstream
developers being hostile to 3rd party package maintainers. PrismLauncher
removes all MultiMC branding and is aimed at providing proper 3rd party
packages like the one contained in Nixpkgs. This change affects the data
folder where game instances and other save and configuration files are stored.
Users with existing installations should rename `~/.local/share/multimc` to
`~/.local/share/PrismLauncher`. The main config file's path has also moved
from `~/.local/share/multimc/multimc.cfg` to
`~/.local/share/PrismLauncher/prismlauncher.cfg`.
- `systemd-nspawn@.service` settings have been reverted to the default systemd behaviour. User namespaces are now activated by default. If you want to keep running nspawn containers without user namespaces you need to set `systemd.nspawn.<name>.execConfig.PrivateUsers = false`

81
nixos/doc/manual/release-notes/rl-2211.section.md
View File

@ -55,6 +55,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default.
- Improved performances of `lib.closePropagation` which was previously quadratic. This is used in e.g. `ghcWithPackages`. Please see backward incompatibilities notes below.
- Cinnamon has been updated to 5.4. While at it, the cinnamon module now defaults to
blueman as bluetooth manager and slick-greeter as lightdm greeter to match upstream.
@ -69,6 +71,9 @@ In addition to numerous new and upgraded packages, this release has the followin
## New Services {#sec-release-22.11-new-services}
- [appvm](https://github.com/jollheef/appvm), Nix based app VMs. Available as [virtualisation.appvm](options.html#opt-virtualisation.appvm.enable).
- [xray] (https://github.com/XTLS/Xray-core), a fully compatible v2ray-core replacement. Features XTLS, which when enabled on server and client, brings UDP FullCone NAT to proxy setups. Available as [services.xray](options.html#opt-services.xray.enable).
- [syncstorage-rs](https://github.com/mozilla-services/syncstorage-rs), a self-hostable sync server for Firefox. Available as [services.firefox-syncserver](options.html#opt-services.firefox-syncserver.enable).
- [dragonflydb](https://dragonflydb.io/), a modern replacement for Redis and Memcached. Available as [services.dragonflydb](#opt-services.dragonflydb.enable).
@ -91,6 +96,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [kanata](https://github.com/jtroo/kanata), a tool to improve keyboard comfort and usability with advanced customization.
Available as [services.kanata](options.html#opt-services.kanata.enable).
- [karma](https://github.com/prymitive/karma), an alert dashboard for Prometheus Alertmanager. Available as [services.karma](options.html#opt-services.karma.enable)
- [languagetool](https://languagetool.org/), a multilingual grammar, style, and spell checker.
Available as [services.languagetool](options.html#opt-services.languagetool.enable).
@ -98,10 +105,14 @@ In addition to numerous new and upgraded packages, this release has the followin
- [Outline](https://www.getoutline.com/), a wiki and knowledge base similar to Notion. Available as [services.outline](#opt-services.outline.enable).
- [ntfy.sh](https://ntfy.sh), a push notification service. Available as [services.ntfy-sh](#opt-services.ntfy-sh.enable)
- [alps](https://git.sr.ht/~migadu/alps), a simple and extensible webmail. Available as [services.alps](#opt-services.alps.enable).
- [endlessh-go](https://github.com/shizunge/endlessh-go), an SSH tarpit that exposes Prometheus metrics. Available as [services.endlessh-go](#opt-services.endlessh-go.enable).
- [Garage](https://garagehq.deuxfleurs.fr/), a simple object storage server for geodistributed deployments, alternative to MinIO. Available as [services.garage](#opt-services.garage.enable).
- [netbird](https://netbird.io), a zero configuration VPN.
Available as [services.netbird](options.html#opt-services.netbird.enable).
@ -115,6 +126,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [expressvpn](https://www.expressvpn.com), the CLI client for ExpressVPN. Available as [services.expressvpn](#opt-services.expressvpn.enable).
- [merecat](https://troglobit.com/projects/merecat/), a small and easy HTTP server based on thttpd. Available as [services.merecat](#opt-services.merecat.enable)
- [go-autoconfig](https://github.com/L11R/go-autoconfig), IMAP/SMTP autodiscover server. Available as [services.go-autoconfig](#opt-services.go-autoconfig.enable).
- [tmate-ssh-server](https://github.com/tmate-io/tmate-ssh-server), server side part of [tmate](https://tmate.io/). Available as [services.tmate-ssh-server](#opt-services.tmate-ssh-server.enable).
@ -132,6 +145,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- [Listmonk](https://listmonk.app), a self-hosted newsletter manager. Enable using [services.listmonk](options.html#opt-services.listmonk.enable).
- [Uptime Kuma](https://uptime.kuma.pet/), a fancy self-hosted monitoring tool. Available as [services.uptime-kuma](#opt-services.uptime-kuma.enable).
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
@ -158,6 +173,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `fetchgit` fetcher now uses [cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalscone_mode_handling) by default for sparse checkouts. [Non-cone mode](https://www.git-scm.com/docs/git-sparse-checkout/2.37.0#_internalsnon_cone_problems) can be enabled by passing `nonConeMode = true`, but note that non-cone mode is deprecated and this option may be removed alongside a future Git update without notice.
- `openssh` was updated to version 9.1, disabling the generation of DSA keys when using `ssh-keygen -A` as they are insecure. Also, `SetEnv` directives in `ssh_config` and `sshd_config` are now first-match-wins
- `bsp-layout` no longer uses the command `cycle` to switch to other window layouts, as it got replaced by the commands `previous` and `next`.
- The Barco ClickShare driver/client package `pkgs.clickshare-csc1` and the option `programs.clickshare-csc1.enable` have been removed,
@ -178,6 +195,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- PHP 7.4 is no longer supported due to upstream not supporting this
version for the entire lifecycle of the 22.11 release.
- The ipfs package and module were renamed to kubo. The kubo module now uses an RFC42-style `settings` option instead of `extraConfig` and the `gatewayAddress`, `apiAddress` and `swarmAddress` options were renamed. Using the old names will print a warning but still work.
- `pkgs.cosign` does not provide the `cosigned` binary anymore. The `sget` binary has been moved into its own package.
- Emacs now uses the Lucid toolkit by default instead of GTK because of stability and compatibility issues.
@ -191,11 +210,24 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- `teleport` has been upgraded to major version 10. Please see upstream [upgrade instructions](https://goteleport.com/docs/ver/10.0/management/operations/upgrading/) and [release notes](https://goteleport.com/docs/ver/10.0/changelog/#1000).
- `lib.closePropagation` now needs that all gathered sets have an `outPath` attribute.
- lemmy module option `services.lemmy.settings.database.createLocally`
moved to `services.lemmy.database.createLocally`.
- virtlyst package and `services.virtlyst` module removed, due to lack of maintainers.
- The `nix.checkConfig` option now fully disables the config check. The new `nix.checkAllErrors` option behaves like `nix.checkConfig` previously did.
- `generateOptparseApplicativeCompletions` and `generateOptparseApplicativeCompletion` from `haskell.lib.compose`
(and `haskell.lib`) have been deprecated in favor of `generateOptparseApplicativeCompletions` (plural!) as
provided by the haskell package sets (so `haskellPackages.generateOptparseApplicativeCompletions` etc.).
The latter allows for cross-compilation (by automatically disabling generation of completion in the cross case).
For it to work properly you need to make sure that the function comes from the same context as the package
you are trying to override, i.e. always use the same package set as your package is coming from or even
better use `self.generateOptparseApplicativeCompletions` if you are overriding a haskell package set.
The old functions are retained for backwards compatibility, but yield are warning.
- The `services.graphite.api` and `services.graphite.beacon` NixOS options, and
the `python3.pkgs.graphite_api`, `python3.pkgs.graphite_beacon` and
`python3.pkgs.influxgraph` packages, have been removed due to lack of upstream
@ -203,6 +235,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `aws` package has been removed due to being abandoned by the upstream. It is recommended to use `awscli` or `awscli2` instead.
- The [CEmu TI-84 Plus CE emulator](https://ce-programming.github.io/CEmu) package has been renamed to `cemu-ti`. The [Cemu Wii U emulator](https://cemu.info) is now packaged as `cemu`.
- `systemd-networkd` v250 deprecated, renamed, and moved some sections and settings which leads to the following breaking module changes:
* `systemd.network.networks.<name>.dhcpV6PrefixDelegationConfig` is renamed to `systemd.network.networks.<name>.dhcpPrefixDelegationConfig`.
@ -213,18 +247,29 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The `paperless` module now defaults `PAPERLESS_TIME_ZONE` to your configured system timezone.
- The top-level `termonad-with-packages` alias for `termonad` has been removed.
- (Neo)Vim can not be configured with `configure.pathogen` anymore to reduce maintainance burden.
Use `configure.packages` instead.
- Neovim can not be configured with plug anymore (still works for vim).
- The `adguardhome` module no longer uses `host` and `port` options, use `settings.bind_host` and `settings.bind_port` instead.
- The default `kops` version is now 1.25.1 and support for 1.22 and older has been dropped.
- `k3s` no longer supports docker as runtime due to upstream dropping support.
- `mysql57` has been removed. Please update to `mysql80` or `mariadb`. See the [upgrade guide](https://mariadb.com/kb/en/upgrading-from-mysql-to-mariadb/) for more information.
- Consequently, `cqrlog` and `amorok` now use `mariadb` instead of `mysql57` for their embedded databases. Running `mysql_upgrade` may be neccesary.
- `k3s` supports `clusterInit` option, and it is enabled by default, for servers.
- `stylua` no longer accepts `lua52Support` and `luauSupport` overrides, use `features` instead, which defaults to `[ "lua54" "luau" ]`.
- `pkgs.fetchNextcloudApp` has been rewritten to circumvent impurities in e.g. tarballs from GitHub and to make it easier to
apply patches. This means that your hashes are out-of-date and the (previously required) attributes `name` and `version`
are no longer accepted.
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
## Other Notable Changes {#sec-release-22.11-notable-changes}
@ -235,14 +280,38 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- A new module was added for the Saleae Logic device family, providing the options `hardware.saleae-logic.enable` and `hardware.saleae-logic.package`.
- ZFS module will not allow hibernation by default, this is a safety measure to prevent data loss cases like the ones described at [OpenZFS/260](https://github.com/openzfs/zfs/issues/260) and [OpenZFS/12842](https://github.com/openzfs/zfs/issues/12842). Use the `boot.zfs.allowHibernation` option to configure this behaviour.
- The Redis module now disables RDB persistence when `services.redis.servers.<name>.save = []` instead of using the Redis default.
- Neo4j was updated from version 3 to version 4. See this [migration guide](https://neo4j.com/docs/upgrade-migration-guide/current/) on how to migrate your Neo4j instance.
- The `networking.wireguard` module now can set the mtu on interfaces and tag its packets with an fwmark.
- The option `overrideStrategy` was added to the different systemd unit options (`systemd.services.<name>`, `systemd.sockets.<name>`, …) to allow enforcing the creation of a dropin file, rather than the main unit file, by setting it to `asDropin`.
This is useful in cases where the existence of the main unit file is not known to Nix at evaluation time, for example when the main unit file is provided by adding a package to `systemd.packages`.
See the fix proposed in [NixOS's systemd abstraction doesn't work with systemd template units](https://github.com/NixOS/nixpkgs/issues/135557#issuecomment-1295392470) for an example.
- The `polymc` package has been removed due to a rogue maintainer. It has been
replaced by `prismlauncher`, a fork by the rest of the maintainers. For more
details, see [the pull request that made this
change](https://github.com/NixOS/nixpkgs/pull/196624) and [this issue
detailing the vulnerability](https://github.com/NixOS/nixpkgs/issues/196460).
Users with existing installations should rename `~/.local/share/polymc` to
`~/.local/share/PrismLauncher`. The main config file's path has also moved
from `~/.local/share/polymc/polymc.cfg` to
`~/.local/share/PrismLauncher/prismlauncher.cfg`.
- The `bloat` package has been updated from unstable-2022-03-31 to unstable-2022-10-25, which brings a breaking change. See [this upstream commit message](https://git.freesoftwareextremist.com/bloat/commit/?id=887ed241d64ba5db3fd3d87194fb5595e5ad7d73) for details.
- The `services.matrix-synapse` systemd unit has been hardened.
- The `services.grafana` options were converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.
- The `services.grafana.provision.datasources` and `services.grafana.provision.dashboards` options were converted to a [RFC 0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration. They also now support specifying the provisioning YAML file with `path` option.
- The `services.grafana.provision.alerting` option was added. It includes suboptions for every alerting-related objects (with the exception of `notifiers`), which means it's now possible to configure modern Grafana alerting declaratively.
- Matrix Synapse now requires entries in the `state_group_edges` table to be unique, in order to prevent accidentally introducing duplicate information (for example, because a database backup was restored multiple times). If your Synapse database already has duplicate rows in this table, this could fail with an error and require manual remediation.
- The `diamond` package has been update from 0.8.36 to 2.0.15. See the [upstream release notes](https://github.com/bbuchfink/diamond/releases) for more details.
@ -261,6 +330,16 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The udisks2 service, available at `services.udisks2.enable`, is now disabled by default. It will automatically be enabled through services and desktop environments as needed.
This also means that polkit will now actually be disabled by default. The default for `security.polkit.enable` was already flipped in the previous release, but udisks2 being enabled by default re-enabled it.
- Nextcloud has been updated to version **25**. Additionally the following things have changed
for Nextcloud in NixOS:
- For Nextcloud **>=24**, the default PHP version is 8.1.
- Nextcloud **23** has been removed since it will reach its [end of life in December 2022](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/d76576a12a626d53305d480a6065b57cab705d3d).
- For `system.stateVersion` being **>=22.11**, Nextcloud 25 will be installed by default. For older versions,
Nextcloud 24 will be installed.
- Please ensure that you only upgrade on major release at a time! Nextcloud doesn't support
upgrades across multiple versions, i.e. an upgrade from **23** to **25** is only possible
when upgrading to **24** first.
- Add udev rules for the Teensy family of microcontrollers.
- systemd-oomd is enabled by default. Depending on which systemd units have
@ -278,6 +357,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
- The Wordpress module got support for installing language packs through `services.wordpress.sites.<site>.languages`.
- The default package for `services.mullvad-vpn.package` was changed to `pkgs.mullvad`, allowing cross-platform usage of Mullvad. `pkgs.mullvad` only contains the Mullvad CLI tool, so users who rely on the Mullvad GUI will want to change it back to `pkgs.mullvad-vpn`, or add `pkgs.mullvad-vpn` to their environment.
- There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed.
- There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service.

8
nixos/lib/make-options-doc/default.nix
View File

@ -122,10 +122,14 @@ in rec {
optionsJSON = pkgs.runCommand "options.json"
{ meta.description = "List of NixOS options in JSON format";
buildInputs = [
nativeBuildInputs = [
pkgs.brotli
(let
self = (pkgs.python3Minimal.override {
# python3Minimal can't be overridden with packages on Darwin, due to a missing framework.
# Instead of modifying stdenv, we take the easy way out, since most people on Darwin will
# just be hacking on the Nixpkgs manual (which also uses make-options-doc).
python = if pkgs.stdenv.isDarwin then pkgs.python3 else pkgs.python3Minimal;
self = (python.override {
inherit self;
includeSiteCustomize = true;
});

4
nixos/lib/make-options-doc/options-to-docbook.xsl
View File

@ -40,8 +40,8 @@
concat($optionIdPrefix,
translate(
attr[@name = 'name']/string/@value,
'*&lt; >[]:',
'_______'
'*&lt; >[]:&quot;',
'________'
))" />
<varlistentry>
<term xlink:href="#{$id}">

41
nixos/lib/systemd-lib.nix
View File

@ -187,11 +187,14 @@ in rec {
done
done
# Symlink all units defined by systemd.units. If these are also
# provided by systemd or systemd.packages, then add them as
# Symlink units defined by systemd.units where override strategy
# shall be automatically detected. If these are also provided by
# systemd or systemd.packages, then add them as
# <unit-name>.d/overrides.conf, which makes them extend the
# upstream unit.
for i in ${toString (mapAttrsToList (n: v: v.unit) units)}; do
for i in ${toString (mapAttrsToList
(n: v: v.unit)
(lib.filterAttrs (n: v: (attrByPath [ "overrideStrategy" ] "asDropinIfExists" v) == "asDropinIfExists") units))}; do
fn=$(basename $i/*)
if [ -e $out/$fn ]; then
if [ "$(readlink -f $i/$fn)" = /dev/null ]; then
@ -210,11 +213,21 @@ in rec {
fi
done
# Symlink units defined by systemd.units which shall be
# treated as drop-in file.
for i in ${toString (mapAttrsToList
(n: v: v.unit)
(lib.filterAttrs (n: v: v ? overrideStrategy && v.overrideStrategy == "asDropin") units))}; do
fn=$(basename $i/*)
mkdir -p $out/$fn.d
ln -s $i/$fn $out/$fn.d/overrides.conf
done
# Create service aliases from aliases option.
${concatStrings (mapAttrsToList (name: unit:
concatMapStrings (name2: ''
ln -sfn '${name}' $out/'${name2}'
'') unit.aliases) units)}
'') (unit.aliases or [])) units)}
# Create .wants and .requires symlinks from the wantedBy and
# requiredBy options.
@ -222,13 +235,13 @@ in rec {
concatMapStrings (name2: ''
mkdir -p $out/'${name2}.wants'
ln -sfn '../${name}' $out/'${name2}.wants'/
'') unit.wantedBy) units)}
'') (unit.wantedBy or [])) units)}
${concatStrings (mapAttrsToList (name: unit:
concatMapStrings (name2: ''
mkdir -p $out/'${name2}.requires'
ln -sfn '../${name}' $out/'${name2}.requires'/
'') unit.requiredBy) units)}
'') (unit.requiredBy or [])) units)}
${optionalString (type == "system") ''
# Stupid misc. symlinks.
@ -340,7 +353,7 @@ in rec {
'';
targetToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable;
{ inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text =
''
[Unit]
@ -349,7 +362,7 @@ in rec {
};
serviceToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable;
{ inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def +
''
[Service]
@ -371,7 +384,7 @@ in rec {
};
socketToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable;
{ inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def +
''
[Socket]
@ -382,7 +395,7 @@ in rec {
};
timerToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable;
{ inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def +
''
[Timer]
@ -391,7 +404,7 @@ in rec {
};
pathToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable;
{ inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def +
''
[Path]
@ -400,7 +413,7 @@ in rec {
};
mountToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable;
{ inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def +
''
[Mount]
@ -409,7 +422,7 @@ in rec {
};
automountToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable;
{ inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def +
''
[Automount]
@ -418,7 +431,7 @@ in rec {
};
sliceToUnit = name: def:
{ inherit (def) aliases wantedBy requiredBy enable;
{ inherit (def) aliases wantedBy requiredBy enable overrideStrategy;
text = commonUnitText def +
''
[Slice]

16
nixos/lib/systemd-unit-options.nix
View File

@ -48,6 +48,22 @@ in rec {
'';
};
overrideStrategy = mkOption {
default = "asDropinIfExists";
type = types.enum [ "asDropinIfExists" "asDropin" ];
description = lib.mdDoc ''
Defines how unit configuration is provided for systemd:
`asDropinIfExists` creates a unit file when no unit file is provided by the package
otherwise a drop-in file name `overrides.conf`.
`asDropin` creates a drop-in file named `overrides.conf`.
Mainly needed to define instances for systemd template units (e.g. `systemd-nspawn@mycontainer.service`).
See also systemd.unit(1).
'';
};
requiredBy = mkOption {
default = [];
type = types.listOf unitNameType;

10
nixos/lib/testing-python.nix
View File

@ -29,7 +29,9 @@ rec {
};
};
# Make a full-blown test
# Make a full-blown test (legacy)
# For an official public interface to the tests, see
# https://nixos.org/manual/nixos/unstable/index.html#sec-calling-nixos-tests
makeTest =
{ machine ? null
, nodes ? {}
@ -48,7 +50,8 @@ rec {
else builtins.unsafeGetAttrPos "testScript" t)
, extraPythonPackages ? (_ : [])
, interactive ? {}
} @ t:
} @ t: let
testConfig =
(evalTest {
imports = [
{ _file = "makeTest parameters"; config = t; }
@ -60,6 +63,9 @@ rec {
}
];
}).config;
in
testConfig.test # For nix-build
// testConfig; # For all-tests.nix
simpleTest = as: (makeTest as).test;

2
nixos/lib/testing/nodes.nix
View File

@ -101,7 +101,7 @@ in
nodesCompat =
mapAttrs
(name: config: config // {
config = lib.warn
config = lib.warnIf (lib.isInOldestRelease 2211)
"Module argument `nodes.${name}.config` is deprecated. Use `nodes.${name}` instead."
config;
})

18
nixos/lib/utils.nix
View File

@ -39,11 +39,19 @@ rec {
|| hasPrefix a'.mountPoint b'.mountPoint
|| any (hasPrefix a'.mountPoint) b'.depends;
# Escape a path according to the systemd rules, e.g. /dev/xyzzy
# becomes dev-xyzzy. FIXME: slow.
escapeSystemdPath = s:
replaceChars ["/" "-" " "] ["-" "\\x2d" "\\x20"]
(removePrefix "/" s);
# Escape a path according to the systemd rules. FIXME: slow
# The rules are described in systemd.unit(5) as follows:
# The escaping algorithm operates as follows: given a string, any "/" character is replaced by "-", and all other characters which are not ASCII alphanumerics, ":", "_" or "." are replaced by C-style "\x2d" escapes. In addition, "." is replaced with such a C-style escape when it would appear as the first character in the escaped string.
# When the input qualifies as absolute file system path, this algorithm is extended slightly: the path to the root directory "/" is encoded as single dash "-". In addition, any leading, trailing or duplicate "/" characters are removed from the string before transformation. Example: /foo//bar/baz/ becomes "foo-bar-baz".
escapeSystemdPath = s: let
replacePrefix = p: r: s: (if (hasPrefix p s) then r + (removePrefix p s) else s);
trim = s: removeSuffix "/" (removePrefix "/" s);
normalizedPath = strings.normalizePath s;
in
replaceChars ["/"] ["-"]
(replacePrefix "." (strings.escapeC ["."] ".")
(strings.escapeC (stringToCharacters " !\"#$%&'()*+,;<=>=@[\\]^`{|}~-")
(if normalizedPath == "/" then normalizedPath else trim normalizedPath)));
# Quotes an argument for use in Exec* service lines.
# systemd accepts "-quoted strings with escape sequences, toJSON produces

4
nixos/modules/config/update-users-groups.pl
View File

@ -186,7 +186,7 @@ foreach my $name (keys %groupsCur) {
# Rewrite /etc/group. FIXME: acquire lock.
my @lines = map { join(":", $_->{name}, $_->{password}, $_->{gid}, $_->{members}) . "\n" }
(sort { $a->{gid} <=> $b->{gid} } values(%groupsOut));
updateFile($gidMapFile, to_json($gidMap));
updateFile($gidMapFile, to_json($gidMap, {canonical => 1}));
updateFile("/etc/group", \@lines);
nscdInvalidate("group");
@ -272,7 +272,7 @@ foreach my $name (keys %usersCur) {
# Rewrite /etc/passwd. FIXME: acquire lock.
@lines = map { join(":", $_->{name}, $_->{fakePassword}, $_->{uid}, $_->{gid}, $_->{description}, $_->{home}, $_->{shell}) . "\n" }
(sort { $a->{uid} <=> $b->{uid} } (values %usersOut));
updateFile($uidMapFile, to_json($uidMap));
updateFile($uidMapFile, to_json($uidMap, {canonical => 1}));
updateFile("/etc/passwd", \@lines);
nscdInvalidate("passwd");

2
nixos/modules/config/users-groups.nix
View File

@ -697,7 +697,7 @@ in {
value = "[a-zA-Z0-9/+.-]+";
options = "${id}(=${value})?(,${id}=${value})*";
scheme = "${id}(${sep}${options})?";
content = "${base64}${sep}${base64}";
content = "${base64}${sep}${base64}(${sep}${base64})?";
mcf = "^${sep}${scheme}${sep}${content}$";
in
if (allowsLogin user.hashedPassword

2
nixos/modules/hardware/video/nvidia.nix
View File

@ -261,7 +261,7 @@ in
in optional primeEnabled {
name = igpuDriver;
display = offloadCfg.enable;
modules = optional (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ];
modules = optionals (igpuDriver == "amdgpu") [ pkgs.xorg.xf86videoamdgpu ];
deviceSection = ''
BusID "${igpuBusId}"
${optionalString (syncCfg.enable && igpuDriver != "amdgpu") ''Option "AccelMethod" "none"''}

2
nixos/modules/installer/cd-dvd/iso-image.nix
View File

@ -421,7 +421,7 @@ let
echo "Usage size: $usage_size"
echo "Image size: $image_size"
truncate --size=$image_size "$out"
faketime "2000-01-01 00:00:00" mkfs.vfat -i 12345678 -n EFIBOOT "$out"
mkfs.vfat --invariant -i 12345678 -n EFIBOOT "$out"
# Force a fixed order in mcopy for better determinism, and avoid file globbing
for d in $(find EFI -type d | sort); do

15
nixos/modules/installer/sd-card/sd-image.nix
View File

@ -224,14 +224,25 @@ in
# Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img
eval $(partx $img -o START,SECTORS --nr 1 --pairs)
truncate -s $((SECTORS * 512)) firmware_part.img
faketime "1970-01-01 00:00:00" mkfs.vfat -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img
mkfs.vfat --invariant -i ${config.sdImage.firmwarePartitionID} -n ${config.sdImage.firmwarePartitionName} firmware_part.img
# Populate the files intended for /boot/firmware
mkdir firmware
${config.sdImage.populateFirmwareCommands}
find firmware -exec touch --date=2000-01-01 {} +
# Copy the populated /boot/firmware into the SD image
(cd firmware; mcopy -psvm -i ../firmware_part.img ./* ::)
cd firmware
# Force a fixed order in mcopy for better determinism, and avoid file globbing
for d in $(find . -type d -mindepth 1 | sort); do
faketime "2000-01-01 00:00:00" mmd -i ../firmware_part.img "::/$d"
done
for f in $(find . -type f | sort); do
mcopy -pvm -i ../firmware_part.img "$f" "::/$f"
done
cd ..
# Verify the FAT partition before copying it.
fsck.vfat -vn firmware_part.img
dd conv=notrunc if=firmware_part.img of=$img seek=$START count=$SECTORS

8
nixos/modules/misc/documentation.nix
View File

@ -56,6 +56,7 @@ let
)
pkgSet;
in scrubbedEval.options;
baseOptionsJSON =
let
filter =
@ -67,9 +68,9 @@ let
);
in
pkgs.runCommand "lazy-options.json" {
libPath = filter "${toString pkgs.path}/lib";
pkgsLibPath = filter "${toString pkgs.path}/pkgs/pkgs-lib";
nixosPath = filter "${toString pkgs.path}/nixos";
libPath = filter (pkgs.path + "/lib");
pkgsLibPath = filter (pkgs.path + "/pkgs/pkgs-lib");
nixosPath = filter (pkgs.path + "/nixos");
modules = map (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy;
} ''
export NIX_STORE_DIR=$TMPDIR/store
@ -99,6 +100,7 @@ let
exit 1
} >&2
'';
inherit (cfg.nixos.options) warningsAreErrors allowDocBook;
};

9
nixos/modules/misc/nixpkgs.nix
View File

@ -55,6 +55,11 @@ let
check = builtins.isAttrs;
};
# Whether `pkgs` was constructed by this module - not if nixpkgs.pkgs or
# _module.args.pkgs is set. However, determining whether _module.args.pkgs
# is defined elsewhere does not seem feasible.
constructedByMe = !opt.pkgs.isDefined;
hasBuildPlatform = opt.buildPlatform.highestPrio < (mkOptionDefault {}).priority;
hasHostPlatform = opt.hostPlatform.isDefined;
hasPlatform = hasHostPlatform || hasBuildPlatform;
@ -353,12 +358,12 @@ in
else "nixpkgs.localSystem";
pkgsSystem = finalPkgs.stdenv.targetPlatform.system;
in {
assertion = !hasPlatform -> nixosExpectedSystem == pkgsSystem;
assertion = constructedByMe -> !hasPlatform -> nixosExpectedSystem == pkgsSystem;
message = "The NixOS nixpkgs.pkgs option was set to a Nixpkgs invocation that compiles to target system ${pkgsSystem} but NixOS was configured for system ${nixosExpectedSystem} via NixOS option ${nixosOption}. The NixOS system settings must match the Nixpkgs target system.";
}
)
{
assertion = hasPlatform -> legacyOptionsDefined == [];
assertion = constructedByMe -> hasPlatform -> legacyOptionsDefined == [];
message = ''
Your system configures nixpkgs with the platform parameter${optionalString hasBuildPlatform "s"}:
${hostPlatformLine

6
nixos/modules/misc/nixpkgs/test.nix
View File

@ -59,5 +59,11 @@ lib.recurseIntoAttrs {
For a future proof system configuration, we recommend to remove
the legacy definitions.
''];
assert getErrors {
nixpkgs.localSystem = pkgs.stdenv.hostPlatform;
nixpkgs.hostPlatform = pkgs.stdenv.hostPlatform;
nixpkgs.pkgs = pkgs;
} == [];
pkgs.emptyFile;
}

11
nixos/modules/module-list.nix
View File

@ -347,6 +347,7 @@
./services/continuous-integration/hercules-ci-agent/default.nix
./services/continuous-integration/hydra/default.nix
./services/continuous-integration/github-runner.nix
./services/continuous-integration/github-runners.nix
./services/continuous-integration/gitlab-runner.nix
./services/continuous-integration/gocd-agent/default.nix
./services/continuous-integration/gocd-server/default.nix
@ -612,6 +613,7 @@
./services/misc/nix-optimise.nix
./services/misc/nix-ssh-serve.nix
./services/misc/novacomd.nix
./services/misc/ntfy-sh.nix
./services/misc/nzbget.nix
./services/misc/nzbhydra2.nix
./services/misc/octoprint.nix
@ -684,6 +686,7 @@
./services/monitoring/heapster.nix
./services/monitoring/incron.nix
./services/monitoring/kapacitor.nix
./services/monitoring/karma.nix
./services/monitoring/kthxbye.nix
./services/monitoring/loki.nix
./services/monitoring/longview.nix
@ -714,6 +717,8 @@
./services/monitoring/unifi-poller.nix
./services/monitoring/ups.nix
./services/monitoring/uptime.nix
./services/monitoring/vmagent.nix
./services/monitoring/uptime-kuma.nix
./services/monitoring/vnstat.nix
./services/monitoring/zabbix-agent.nix
./services/monitoring/zabbix-proxy.nix
@ -974,6 +979,7 @@
./services/video/rtsp-simple-server.nix
./services/networking/uptermd.nix
./services/networking/v2ray.nix
./services/networking/vdirsyncer.nix
./services/networking/vsftpd.nix
./services/networking/wasabibackend.nix
./services/networking/websockify.nix
@ -985,6 +991,7 @@
./services/networking/xinetd.nix
./services/networking/xl2tpd.nix
./services/networking/x2goserver.nix
./services/networking/xray.nix
./services/networking/xrdp.nix
./services/networking/yggdrasil.nix
./services/networking/zerobin.nix
@ -1069,6 +1076,7 @@
./services/web-apps/calibre-web.nix
./services/web-apps/code-server.nix
./services/web-apps/baget.nix
./services/web-apps/changedetection-io.nix
./services/web-apps/convos.nix
./services/web-apps/dex.nix
./services/web-apps/discourse.nix
@ -1140,6 +1148,7 @@
./services/web-servers/caddy/default.nix
./services/web-servers/darkhttpd.nix
./services/web-servers/fcgiwrap.nix
./services/web-servers/garage.nix
./services/web-servers/hitch/default.nix
./services/web-servers/hydron.nix
./services/web-servers/jboss/default.nix
@ -1147,6 +1156,7 @@
./services/web-servers/lighttpd/collectd.nix
./services/web-servers/lighttpd/default.nix
./services/web-servers/lighttpd/gitweb.nix
./services/web-servers/merecat.nix
./services/web-servers/mighttpd2.nix
./services/web-servers/minio.nix
./services/web-servers/molly-brown.nix
@ -1247,6 +1257,7 @@
./system/boot/systemd/user.nix
./system/boot/timesyncd.nix
./system/boot/tmp.nix
./system/boot/uvesafb.nix
./system/etc/etc-activation.nix
./tasks/auto-upgrade.nix
./tasks/bcache.nix

5
nixos/modules/profiles/minimal.nix
View File

@ -13,4 +13,9 @@ with lib;
documentation.nixos.enable = mkDefault false;
programs.command-not-found.enable = mkDefault false;
xdg.autostart.enable = mkDefault false;
xdg.icons.enable = mkDefault false;
xdg.mime.enable = mkDefault false;
xdg.sounds.enable = mkDefault false;
}

14
nixos/modules/programs/neovim.nix
View File

@ -11,7 +11,19 @@ let
in {
options.programs.neovim = {
enable = mkEnableOption (lib.mdDoc "Neovim");
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = lib.mdDoc ''
Whether to enable Neovim.
When enabled through this option, Neovim is wrapped to use a
configuration managed by this module. The configuration file in the
user's home directory at {file}`~/.config/nvim/init.vim` is no longer
loaded by default.
'';
};
defaultEditor = mkOption {
type = types.bool;

2
nixos/modules/programs/tsm-client.nix
View File

@ -223,7 +223,7 @@ let
description = lib.mdDoc ''
The TSM client derivation to be
added to the system environment.
It will called with `.override`
It will be used with `.override`
to add paths to the client system-options file.
'';
};

2
nixos/modules/programs/zsh/zsh.nix
View File

@ -184,7 +184,7 @@ in
# Tell zsh how to find installed completions.
for p in ''${(z)NIX_PROFILES}; do
fpath+=($p/share/zsh/site-functions $p/share/zsh/$ZSH_VERSION/functions $p/share/zsh/vendor-completions)
fpath=($p/share/zsh/site-functions $p/share/zsh/$ZSH_VERSION/functions $p/share/zsh/vendor-completions $fpath)
done
# Setup custom shell init stuff.

12
nixos/modules/security/acme/default.nix
View File

@ -26,8 +26,8 @@ let
Type = "oneshot";
User = user;
Group = mkDefault "acme";
UMask = 0022;
StateDirectoryMode = 750;
UMask = "0022";
StateDirectoryMode = "750";
ProtectSystem = "strict";
ReadWritePaths = [
"/var/lib/acme"
@ -62,9 +62,9 @@ let
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service"
"@system-service @resources"
# 2. and deny unreasonable ones
"~@privileged @resources"
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
@ -85,7 +85,7 @@ let
serviceConfig = commonServiceConfig // {
StateDirectory = "acme/.minica";
BindPaths = "/var/lib/acme/.minica:/tmp/ca";
UMask = 0077;
UMask = "0077";
};
# Working directory will be /tmp
@ -243,7 +243,7 @@ let
serviceConfig = commonServiceConfig // {
Group = data.group;
UMask = 0027;
UMask = "0027";
StateDirectory = "acme/${cert}";

8
nixos/modules/security/polkit.nix
View File

@ -14,6 +14,8 @@ in
security.polkit.enable = mkEnableOption (lib.mdDoc "polkit");
security.polkit.debug = mkEnableOption (lib.mdDoc "debug logs from polkit. This is required in order to see log messages from rule definitions.");
security.polkit.extraConfig = mkOption {
type = types.lines;
default = "";
@ -21,6 +23,7 @@ in
''
/* Log authorization checks. */
polkit.addRule(function(action, subject) {
// Make sure to set { security.polkit.debug = true; } in configuration.nix
polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
});
@ -58,6 +61,11 @@ in
systemd.packages = [ pkgs.polkit.out ];
systemd.services.polkit.serviceConfig.ExecStart = [
""
"${pkgs.polkit.out}/lib/polkit-1/polkitd ${optionalString (!cfg.debug) "--no-debug"}"
];
systemd.services.polkit.restartTriggers = [ config.system.path ];
systemd.services.polkit.stopIfChanged = false;

2
nixos/modules/services/audio/navidrome.nix
View File

@ -62,7 +62,7 @@ in {
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
SystemCallFilter = [ "@system-service" "~@privileged" ];
RestrictRealtime = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;

104
nixos/modules/services/backup/btrbk.nix
View File

@ -1,72 +1,74 @@
{ config, pkgs, lib, ... }:
let
inherit (lib)
concatLists
concatMap
concatMapStringsSep
concatStringsSep
filterAttrs
flatten
isAttrs
isString
literalExpression
mapAttrs'
mapAttrsToList
mkIf
mkOption
optionalString
partition
typeOf
sort
types
;
# The priority of an option or section.
# The configurations format are order-sensitive. Pairs are added as children of
# the last sections if possible, otherwise, they start a new section.
# We sort them in topological order:
# 1. Leaf pairs.
# 2. Sections that may contain (1).
# 3. Sections that may contain (1) or (2).
# 4. Etc.
prioOf = { name, value }:
if !isAttrs value then 0 # Leaf options.
else {
target = 1; # Contains: options.
subvolume = 2; # Contains: options, target.
volume = 3; # Contains: options, target, subvolume.
}.${name} or (throw "Unknow section '${name}'");
genConfig' = set: concatStringsSep "\n" (genConfig set);
genConfig = set:
let
pairs = mapAttrsToList (name: value: { inherit name value; }) set;
sortedPairs = sort (a: b: prioOf a < prioOf b) pairs;
in
concatMap genPair sortedPairs;
genSection = sec: secName: value:
[ "${sec} ${secName}" ] ++ map (x: " " + x) (genConfig value);
genPair = { name, value }:
if !isAttrs value
then [ "${name} ${value}" ]
else concatLists (mapAttrsToList (genSection name) value);
addDefaults = settings: { backend = "btrfs-progs-sudo"; } // settings;
mkConfigFile = name: settings: pkgs.writeTextFile {
name = "btrbk-${name}.conf";
text = genConfig' (addDefaults settings);
checkPhase = ''
set +e
${pkgs.btrbk}/bin/btrbk -c $out dryrun
# According to btrbk(1), exit status 2 means parse error
# for CLI options or the config file.
if [[ $? == 2 ]]; then
echo "Btrbk configuration is invalid:"
cat $out
exit 1
fi
set -e
'';
};
cfg = config.services.btrbk;
sshEnabled = cfg.sshAccess != [ ];
serviceEnabled = cfg.instances != { };
attr2Lines = attr:
let
pairs = mapAttrsToList (name: value: { inherit name value; }) attr;
isSubsection = value:
if isAttrs value then true
else if isString value then false
else throw "invalid type in btrbk config ${typeOf value}";
sortedPairs = partition (x: isSubsection x.value) pairs;
in
flatten (
# non subsections go first
(
map (pair: [ "${pair.name} ${pair.value}" ]) sortedPairs.wrong
)
++ # subsections go last
(
map
(
pair:
mapAttrsToList
(
childname: value:
[ "${pair.name} ${childname}" ] ++ (map (x: " " + x) (attr2Lines value))
)
pair.value
)
sortedPairs.right
)
)
;
addDefaults = settings: { backend = "btrfs-progs-sudo"; } // settings;
mkConfigFile = settings: concatStringsSep "\n" (attr2Lines (addDefaults settings));
mkTestedConfigFile = name: settings:
let
configFile = pkgs.writeText "btrbk-${name}.conf" (mkConfigFile settings);
in
pkgs.runCommand "btrbk-${name}-tested.conf" { } ''
mkdir foo
cp ${configFile} $out
if (set +o pipefail; ${pkgs.btrbk}/bin/btrbk -c $out ls foo 2>&1 | grep $out);
then
echo btrbk configuration is invalid
cat $out
exit 1
fi;
'';
in
{
meta.maintainers = with lib.maintainers; [ oxalica ];
@ -196,7 +198,7 @@ in
(
name: instance: {
name = "btrbk/${name}.conf";
value.source = mkTestedConfigFile name instance.settings;
value.source = mkConfigFile name instance.settings;
}
)
cfg.instances;

17
nixos/modules/services/cluster/kubernetes/apiserver.nix
View File

@ -18,7 +18,8 @@ in
imports = [
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ])
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"])
(mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "port" ] ["services" "kubernetes" "apiserver" "insecurePort"])
(mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "insecureBindAddress" ] "")
(mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "insecurePort" ] "")
(mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "")
(mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ])
(mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ])
@ -164,18 +165,6 @@ in
type = listOf str;
};
insecureBindAddress = mkOption {
description = lib.mdDoc "The IP address on which to serve the --insecure-port.";
default = "127.0.0.1";
type = str;
};
insecurePort = mkOption {
description = lib.mdDoc "Kubernetes apiserver insecure listening port. (0 = disabled)";
default = 0;
type = int;
};
kubeletClientCaFile = mkOption {
description = lib.mdDoc "Path to a cert file for connecting to kubelet.";
default = top.caFile;
@ -376,8 +365,6 @@ in
"--proxy-client-cert-file=${cfg.proxyClientCertFile}"} \
${optionalString (cfg.proxyClientKeyFile != null)
"--proxy-client-key-file=${cfg.proxyClientKeyFile}"} \
--insecure-bind-address=${cfg.insecureBindAddress} \
--insecure-port=${toString cfg.insecurePort} \
${optionalString (cfg.runtimeConfig != "")
"--runtime-config=${cfg.runtimeConfig}"} \
--secure-port=${toString cfg.securePort} \

9
nixos/modules/services/cluster/kubernetes/controller-manager.nix
View File

@ -10,7 +10,7 @@ in
{
imports = [
(mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"])
(mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "port" ] ["services" "kubernetes" "controllerManager" "insecurePort"])
(mkRemovedOptionModule [ "services" "kubernetes" "controllerManager" "insecurePort" ] "")
];
###### interface
@ -50,12 +50,6 @@ in
type = listOf str;
};
insecurePort = mkOption {
description = lib.mdDoc "Kubernetes controller manager insecure listening port.";
default = 0;
type = int;
};
kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes controller manager";
leaderElect = mkOption {
@ -133,7 +127,6 @@ in
--leader-elect=${boolToString cfg.leaderElect} \
${optionalString (cfg.rootCaFile!=null)
"--root-ca-file=${cfg.rootCaFile}"} \
--port=${toString cfg.insecurePort} \
--secure-port=${toString cfg.securePort} \
${optionalString (cfg.serviceAccountKeyFile!=null)
"--service-account-private-key-file=${cfg.serviceAccountKeyFile}"} \

1
nixos/modules/services/cluster/kubernetes/flannel.nix
View File

@ -26,7 +26,6 @@ in
};
services.kubernetes.kubelet = {
networkPlugin = mkDefault "cni";
cni.config = mkDefault [{
name = "mynet";
type = "flannel";

10
nixos/modules/services/cluster/kubernetes/kubelet.nix
View File

@ -62,6 +62,7 @@ in
(mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "applyManifests" ] "")
(mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "cadvisorPort" ] "")
(mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "allowPrivileged" ] "")
(mkRemovedOptionModule [ "services" "kubernetes" "kubelet" "networkPlugin" ] "")
];
###### interface
@ -189,12 +190,6 @@ in
default = {};
};
networkPlugin = mkOption {
description = lib.mdDoc "Network plugin to use by Kubernetes.";
type = nullOr (enum ["cni" "kubenet"]);
default = "kubenet";
};
nodeIp = mkOption {
description = lib.mdDoc "IP address of the node. If set, kubelet will use this IP address for the node.";
default = null;
@ -315,7 +310,6 @@ in
"--cluster-dns=${cfg.clusterDns}"} \
${optionalString (cfg.clusterDomain != "")
"--cluster-domain=${cfg.clusterDomain}"} \
--cni-conf-dir=${cniConfig} \
${optionalString (cfg.featureGates != [])
"--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
--hairpin-mode=hairpin-veth \
@ -323,8 +317,6 @@ in
--healthz-port=${toString cfg.healthz.port} \
--hostname-override=${cfg.hostname} \
--kubeconfig=${kubeconfig} \
${optionalString (cfg.networkPlugin != null)
"--network-plugin=${cfg.networkPlugin}"} \
${optionalString (cfg.nodeIp != null)
"--node-ip=${cfg.nodeIp}"} \
--pod-infra-container-image=pause \

2
nixos/modules/services/cluster/kubernetes/pki.nix
View File

@ -266,7 +266,7 @@ in
in
''
export KUBECONFIG=${clusterAdminKubeconfig}
${kubernetes}/bin/kubectl apply -f ${concatStringsSep " \\\n -f " files}
${top.package}/bin/kubectl apply -f ${concatStringsSep " \\\n -f " files}
'';
})]);

401
nixos/modules/services/continuous-integration/github-runner.nix
View File

@ -1,396 +1,23 @@
{ config, pkgs, lib, ... }:
{ config
, pkgs
, lib
, ...
}@args:
with lib;
let
cfg = config.services.github-runner;
svcName = "github-runner";
systemdDir = "${svcName}/${cfg.name}";
# %t: Runtime directory root (usually /run); see systemd.unit(5)
runtimeDir = "%t/${systemdDir}";
# %S: State directory root (usually /var/lib); see systemd.unit(5)
stateDir = "%S/${systemdDir}";
# %L: Log directory root (usually /var/log); see systemd.unit(5)
logsDir = "%L/${systemdDir}";
# Name of file stored in service state directory
currentConfigTokenFilename = ".current-token";
in
{
options.services.github-runner = {
enable = mkOption {
default = false;
example = true;
description = lib.mdDoc ''
Whether to enable GitHub Actions runner.
Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here:
[About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners).
'';
type = lib.types.bool;
};
url = mkOption {
type = types.str;
description = lib.mdDoc ''
Repository to add the runner to.
Changing this option triggers a new runner registration.
IMPORTANT: If your token is org-wide (not per repository), you need to
provide a github org link, not a single repository, so do it like this
`https://github.com/nixos`, not like this
`https://github.com/nixos/nixpkgs`.
Otherwise, you are going to get a `404 NotFound`
from `POST https://api.github.com/actions/runner-registration`
in the configure script.
'';
example = "https://github.com/nixos/nixpkgs";
};
tokenFile = mkOption {
type = types.path;
description = lib.mdDoc ''
The full path to a file which contains either a runner registration token or a
personal access token (PAT).
The file should contain exactly one line with the token without any newline.
If a registration token is given, it can be used to re-register a runner of the same
name but is time-limited. If the file contains a PAT, the service creates a new
registration token on startup as needed. Make sure the PAT has a scope of
`admin:org` for organization-wide registrations or a scope of
`repo` for a single repository.
Changing this option or the file's content triggers a new runner registration.
'';
example = "/run/secrets/github-runner/nixos.token";
};
name = mkOption {
# Same pattern as for `networking.hostName`
type = types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$";
description = lib.mdDoc ''
Name of the runner to configure. Defaults to the hostname.
Changing this option triggers a new runner registration.
'';
example = "nixos";
default = config.networking.hostName;
defaultText = literalExpression "config.networking.hostName";
};
runnerGroup = mkOption {
type = types.nullOr types.str;
description = lib.mdDoc ''
Name of the runner group to add this runner to (defaults to the default runner group).
Changing this option triggers a new runner registration.
'';
default = null;
};
extraLabels = mkOption {
type = types.listOf types.str;
description = lib.mdDoc ''
Extra labels in addition to the default (`["self-hosted", "Linux", "X64"]`).
Changing this option triggers a new runner registration.
'';
example = literalExpression ''[ "nixos" ]'';
default = [ ];
};
replace = mkOption {
type = types.bool;
description = lib.mdDoc ''
Replace any existing runner with the same name.
Without this flag, registering a new runner with the same name fails.
'';
default = false;
};
extraPackages = mkOption {
type = types.listOf types.package;
description = lib.mdDoc ''
Extra packages to add to `PATH` of the service to make them available to workflows.
'';
default = [ ];
};
package = mkOption {
type = types.package;
description = lib.mdDoc ''
Which github-runner derivation to use.
'';
default = pkgs.github-runner;
defaultText = literalExpression "pkgs.github-runner";
};
ephemeral = mkOption {
type = types.bool;
description = lib.mdDoc ''
If enabled, causes the following behavior:
- Passes the `--ephemeral` flag to the runner configuration script
- De-registers and stops the runner with GitHub after it has processed one job
- On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option)
- Restarts the service after its successful exit
- On start, wipes the state directory and configures a new runner
You should only enable this option if `tokenFile` points to a file which contains a
personal access token (PAT). If you're using the option with a registration token, restarting the
service will fail as soon as the registration token expired.
'';
default = false;
};
};
options.services.github-runner = import ./github-runner/options.nix (args // {
# Users don't need to specify options.services.github-runner.name; it will default
# to the hostname.
includeNameDefault = true;
});
config = mkIf cfg.enable {
warnings = optionals (isStorePath cfg.tokenFile) [
''
`services.github-runner.tokenFile` points to the Nix store and, therefore, is world-readable.
Consider using a path outside of the Nix store to keep the token private.
''
];
systemd.services.${svcName} = {
description = "GitHub Actions runner";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
environment = {
HOME = runtimeDir;
RUNNER_ROOT = stateDir;
};
path = (with pkgs; [
bash
coreutils
git
gnutar
gzip
]) ++ [
config.nix.package
] ++ cfg.extraPackages;
serviceConfig = rec {
ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
# Does the following, sequentially:
# - If the module configuration or the token has changed, purge the state directory,
# and create the current and the new token file with the contents of the configured
# token. While both files have the same content, only the later is accessible by
# the service user.
# - Configure the runner using the new token file. When finished, delete it.
# - Set up the directory structure by creating the necessary symlinks.
ExecStartPre =
let
# Wrapper script which expects the full path of the state, runtime and logs
# directory as arguments. Overrides the respective systemd variables to provide
# unambiguous directory names. This becomes relevant, for example, if the
# caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory=
# to contain more than one directory. This causes systemd to set the respective
# environment variables with the path of all of the given directories, separated
# by a colon.
writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" ''
set -euo pipefail
STATE_DIRECTORY="$1"
RUNTIME_DIRECTORY="$2"
LOGS_DIRECTORY="$3"
${lines}
'';
runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" ] cfg;
newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
newConfigTokenPath= "$STATE_DIRECTORY/.new-token";
currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";
runnerCredFiles = [
".credentials"
".credentials_rsaparams"
".runner"
];
unconfigureRunner = writeScript "unconfigure" ''
copy_tokens() {
# Copy the configured token file to the state dir and allow the service user to read the file
install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
# Also copy current file to allow for a diff on the next start
install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
}
clean_state() {
find "$STATE_DIRECTORY/" -mindepth 1 -delete
copy_tokens
}
diff_config() {
changed=0
# Check for module config changes
[[ -f "${currentConfigPath}" ]] \
&& ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \
|| changed=1
# Also check the content of the token file
[[ -f "${currentConfigTokenPath}" ]] \
&& ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
|| changed=1
# If the config has changed, remove old state and copy tokens
if [[ "$changed" -eq 1 ]]; then
echo "Config has changed, removing old runner state."
echo "The old runner will still appear in the GitHub Actions UI." \
"You have to remove it manually."
clean_state
fi
}
if [[ "${optionalString cfg.ephemeral "1"}" ]]; then
# In ephemeral mode, we always want to start with a clean state
clean_state
elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
# There are state files from a previous run; diff them to decide if we need a new registration
diff_config
else
# The state directory is entirely empty which indicates a first start
copy_tokens
fi
'';
configureRunner = writeScript "configure" ''
if [[ -e "${newConfigTokenPath}" ]]; then
echo "Configuring GitHub Actions Runner"
args=(
--unattended
--disableupdate
--work "$RUNTIME_DIRECTORY"
--url ${escapeShellArg cfg.url}
--labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
--name ${escapeShellArg cfg.name}
${optionalString cfg.replace "--replace"}
${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
${optionalString cfg.ephemeral "--ephemeral"}
)
# If the token file contains a PAT (i.e., it starts with "ghp_"), we have to use the --pat option,
# if it is not a PAT, we assume it contains a registration token and use the --token option
token=$(<"${newConfigTokenPath}")
if [[ "$token" =~ ^ghp_* ]]; then
args+=(--pat "$token")
else
args+=(--token "$token")
fi
${cfg.package}/bin/config.sh "''${args[@]}"
# Move the automatically created _diag dir to the logs dir
mkdir -p "$STATE_DIRECTORY/_diag"
cp -r "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/"
rm -rf "$STATE_DIRECTORY/_diag/"
# Cleanup token from config
rm "${newConfigTokenPath}"
# Symlink to new config
ln -s '${newConfigPath}' "${currentConfigPath}"
fi
'';
setupRuntimeDir = writeScript "setup-runtime-dirs" ''
# Link _diag dir
ln -s "$LOGS_DIRECTORY" "$RUNTIME_DIRECTORY/_diag"
# Link the runner credentials to the runtime dir
ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$RUNTIME_DIRECTORY/"
'';
in
map (x: "${x} ${escapeShellArgs [ stateDir runtimeDir logsDir ]}") [
"+${unconfigureRunner}" # runs as root
configureRunner
setupRuntimeDir
];
# If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
# to trigger a fresh registration.
Restart = if cfg.ephemeral then "on-success" else "no";
# Contains _diag
LogsDirectory = [ systemdDir ];
# Default RUNNER_ROOT which contains ephemeral Runner data
RuntimeDirectory = [ systemdDir ];
# Home of persistent runner data, e.g., credentials
StateDirectory = [ systemdDir ];
StateDirectoryMode = "0700";
WorkingDirectory = runtimeDir;
InaccessiblePaths = [
# Token file path given in the configuration, if visible to the service
"-${cfg.tokenFile}"
# Token file in the state directory
"${stateDir}/${currentConfigTokenFilename}"
];
# By default, use a dynamically allocated user
DynamicUser = true;
KillSignal = "SIGINT";
# Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing:
# systemd-analyze security github-runner
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0066";
ProtectProc = "invisible";
SystemCallFilter = [
"~@clock"
"~@cpu-emulation"
"~@module"
"~@mount"
"~@obsolete"
"~@raw-io"
"~@reboot"
"~capset"
"~setdomainname"
"~sethostname"
];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
# Needs network access
PrivateNetwork = false;
# Cannot be true due to Node
MemoryDenyWriteExecute = false;
# The more restrictive "pid" option makes `nix` commands in CI emit
# "GC Warning: Couldn't read /proc/stat"
# You may want to set this to "pid" if not using `nix` commands
ProcSubset = "all";
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
# ASLR (address space layout randomization) which requires the
# `personality` syscall
# You may want to set this to `true` if not using coverage tooling on
# compiled code
LockPersonality = false;
};
};
services.github-runners.${cfg.name} = cfg;
};
}

173
nixos/modules/services/continuous-integration/github-runner/options.nix Normal file
View File

@ -0,0 +1,173 @@
{ config
, lib
, pkgs
, includeNameDefault
, ...
}:
with lib;
{
enable = mkOption {
default = false;
example = true;
description = lib.mdDoc ''
Whether to enable GitHub Actions runner.
Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here:
[About self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners).
'';
type = lib.types.bool;
};
url = mkOption {
type = types.str;
description = lib.mdDoc ''
Repository to add the runner to.
Changing this option triggers a new runner registration.
IMPORTANT: If your token is org-wide (not per repository), you need to
provide a github org link, not a single repository, so do it like this
`https://github.com/nixos`, not like this
`https://github.com/nixos/nixpkgs`.
Otherwise, you are going to get a `404 NotFound`
from `POST https://api.github.com/actions/runner-registration`
in the configure script.
'';
example = "https://github.com/nixos/nixpkgs";
};
tokenFile = mkOption {
type = types.path;
description = lib.mdDoc ''
The full path to a file which contains either a runner registration token or a
(fine-grained) personal access token (PAT).
The file should contain exactly one line with the token without any newline.
If a registration token is given, it can be used to re-register a runner of the same
name but is time-limited. If the file contains a PAT, the service creates a new
registration token on startup as needed. Make sure the PAT has a scope of
`admin:org` for organization-wide registrations or a scope of
`repo` for a single repository. Fine-grained PATs need read and write permission
to the "Adminstration" resources.
Changing this option or the file's content triggers a new runner registration.
'';
example = "/run/secrets/github-runner/nixos.token";
};
name = let
# Same pattern as for `networking.hostName`
baseType = types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$";
in mkOption {
type = if includeNameDefault then baseType else types.nullOr baseType;
description = lib.mdDoc ''
Name of the runner to configure. Defaults to the hostname.
Changing this option triggers a new runner registration.
'';
example = "nixos";
} // (if includeNameDefault then {
default = config.networking.hostName;
defaultText = literalExpression "config.networking.hostName";
} else {
default = null;
});
runnerGroup = mkOption {
type = types.nullOr types.str;
description = lib.mdDoc ''
Name of the runner group to add this runner to (defaults to the default runner group).
Changing this option triggers a new runner registration.
'';
default = null;
};
extraLabels = mkOption {
type = types.listOf types.str;
description = lib.mdDoc ''
Extra labels in addition to the default (`["self-hosted", "Linux", "X64"]`).
Changing this option triggers a new runner registration.
'';
example = literalExpression ''[ "nixos" ]'';
default = [ ];
};
replace = mkOption {
type = types.bool;
description = lib.mdDoc ''
Replace any existing runner with the same name.
Without this flag, registering a new runner with the same name fails.
'';
default = false;
};
extraPackages = mkOption {
type = types.listOf types.package;
description = lib.mdDoc ''
Extra packages to add to `PATH` of the service to make them available to workflows.
'';
default = [ ];
};
extraEnvironment = mkOption {
type = types.attrs;
description = lib.mdDoc ''
Extra environment variables to set for the runner, as an attrset.
'';
example = {
GIT_CONFIG = "/path/to/git/config";
};
default = {};
};
serviceOverrides = mkOption {
type = types.attrs;
description = lib.mdDoc ''
Overrides for the systemd service. Can be used to adjust the sandboxing options.
'';
example = {
ProtectHome = false;
};
default = {};
};
package = mkOption {
type = types.package;
description = lib.mdDoc ''
Which github-runner derivation to use.
'';
default = pkgs.github-runner;
defaultText = literalExpression "pkgs.github-runner";
};
ephemeral = mkOption {
type = types.bool;
description = lib.mdDoc ''
If enabled, causes the following behavior:
- Passes the `--ephemeral` flag to the runner configuration script
- De-registers and stops the runner with GitHub after it has processed one job
- On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option)
- Restarts the service after its successful exit
- On start, wipes the state directory and configures a new runner
You should only enable this option if `tokenFile` points to a file which contains a
personal access token (PAT). If you're using the option with a registration token, restarting the
service will fail as soon as the registration token expired.
'';
default = false;
};
user = mkOption {
type = types.nullOr types.str;
description = lib.mdDoc ''
User under which to run the service. If null, will use a systemd dynamic user.
'';
default = null;
defaultText = literalExpression "username";
};
}

254
nixos/modules/services/continuous-integration/github-runner/service.nix Normal file
View File

@ -0,0 +1,254 @@
{ config
, lib
, pkgs
, cfg ? config.services.github-runner
, svcName
, systemdDir ? "${svcName}/${cfg.name}"
# %t: Runtime directory root (usually /run); see systemd.unit(5)
, runtimeDir ? "%t/${systemdDir}"
# %S: State directory root (usually /var/lib); see systemd.unit(5)
, stateDir ? "%S/${systemdDir}"
# %L: Log directory root (usually /var/log); see systemd.unit(5)
, logsDir ? "%L/${systemdDir}"
# Name of file stored in service state directory
, currentConfigTokenFilename ? ".current-token"
, ...
}:
with lib;
{
description = "GitHub Actions runner";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
environment = {
HOME = runtimeDir;
RUNNER_ROOT = stateDir;
} // cfg.extraEnvironment;
path = (with pkgs; [
bash
coreutils
git
gnutar
gzip
]) ++ [
config.nix.package
] ++ cfg.extraPackages;
serviceConfig = rec {
ExecStart = "${cfg.package}/bin/Runner.Listener run --startuptype service";
# Does the following, sequentially:
# - If the module configuration or the token has changed, purge the state directory,
# and create the current and the new token file with the contents of the configured
# token. While both files have the same content, only the later is accessible by
# the service user.
# - Configure the runner using the new token file. When finished, delete it.
# - Set up the directory structure by creating the necessary symlinks.
ExecStartPre =
let
# Wrapper script which expects the full path of the state, runtime and logs
# directory as arguments. Overrides the respective systemd variables to provide
# unambiguous directory names. This becomes relevant, for example, if the
# caller overrides any of the StateDirectory=, RuntimeDirectory= or LogDirectory=
# to contain more than one directory. This causes systemd to set the respective
# environment variables with the path of all of the given directories, separated
# by a colon.
writeScript = name: lines: pkgs.writeShellScript "${svcName}-${name}.sh" ''
set -euo pipefail
STATE_DIRECTORY="$1"
RUNTIME_DIRECTORY="$2"
LOGS_DIRECTORY="$3"
${lines}
'';
runnerRegistrationConfig = getAttrs [ "name" "tokenFile" "url" "runnerGroup" "extraLabels" "ephemeral" ] cfg;
newConfigPath = builtins.toFile "${svcName}-config.json" (builtins.toJSON runnerRegistrationConfig);
currentConfigPath = "$STATE_DIRECTORY/.nixos-current-config.json";
newConfigTokenPath= "$STATE_DIRECTORY/.new-token";
currentConfigTokenPath = "$STATE_DIRECTORY/${currentConfigTokenFilename}";
runnerCredFiles = [
".credentials"
".credentials_rsaparams"
".runner"
];
unconfigureRunner = writeScript "unconfigure" ''
copy_tokens() {
# Copy the configured token file to the state dir and allow the service user to read the file
install --mode=666 ${escapeShellArg cfg.tokenFile} "${newConfigTokenPath}"
# Also copy current file to allow for a diff on the next start
install --mode=600 ${escapeShellArg cfg.tokenFile} "${currentConfigTokenPath}"
}
clean_state() {
find "$STATE_DIRECTORY/" -mindepth 1 -delete
copy_tokens
}
diff_config() {
changed=0
# Check for module config changes
[[ -f "${currentConfigPath}" ]] \
&& ${pkgs.diffutils}/bin/diff -q '${newConfigPath}' "${currentConfigPath}" >/dev/null 2>&1 \
|| changed=1
# Also check the content of the token file
[[ -f "${currentConfigTokenPath}" ]] \
&& ${pkgs.diffutils}/bin/diff -q "${currentConfigTokenPath}" ${escapeShellArg cfg.tokenFile} >/dev/null 2>&1 \
|| changed=1
# If the config has changed, remove old state and copy tokens
if [[ "$changed" -eq 1 ]]; then
echo "Config has changed, removing old runner state."
echo "The old runner will still appear in the GitHub Actions UI." \
"You have to remove it manually."
clean_state
fi
}
if [[ "${optionalString cfg.ephemeral "1"}" ]]; then
# In ephemeral mode, we always want to start with a clean state
clean_state
elif [[ "$(ls -A "$STATE_DIRECTORY")" ]]; then
# There are state files from a previous run; diff them to decide if we need a new registration
diff_config
else
# The state directory is entirely empty which indicates a first start
copy_tokens
fi '';
configureRunner = writeScript "configure" ''
if [[ -e "${newConfigTokenPath}" ]]; then
echo "Configuring GitHub Actions Runner"
args=(
--unattended
--disableupdate
--work "$RUNTIME_DIRECTORY"
--url ${escapeShellArg cfg.url}
--labels ${escapeShellArg (concatStringsSep "," cfg.extraLabels)}
--name ${escapeShellArg cfg.name}
${optionalString cfg.replace "--replace"}
${optionalString (cfg.runnerGroup != null) "--runnergroup ${escapeShellArg cfg.runnerGroup}"}
${optionalString cfg.ephemeral "--ephemeral"}
)
# If the token file contains a PAT (i.e., it starts with "ghp_" or "github_pat_"), we have to use the --pat option,
# if it is not a PAT, we assume it contains a registration token and use the --token option
token=$(<"${newConfigTokenPath}")
if [[ "$token" =~ ^ghp_* ]] || [[ "$token" =~ ^github_pat_* ]]; then
args+=(--pat "$token")
else
args+=(--token "$token")
fi
${cfg.package}/bin/config.sh "''${args[@]}"
# Move the automatically created _diag dir to the logs dir
mkdir -p "$STATE_DIRECTORY/_diag"
cp -r "$STATE_DIRECTORY/_diag/." "$LOGS_DIRECTORY/"
rm -rf "$STATE_DIRECTORY/_diag/"
# Cleanup token from config
rm "${newConfigTokenPath}"
# Symlink to new config
ln -s '${newConfigPath}' "${currentConfigPath}"
fi
'';
setupRuntimeDir = writeScript "setup-runtime-dirs" ''
# Link _diag dir
ln -s "$LOGS_DIRECTORY" "$RUNTIME_DIRECTORY/_diag"
# Link the runner credentials to the runtime dir
ln -s "$STATE_DIRECTORY"/{${lib.concatStringsSep "," runnerCredFiles}} "$RUNTIME_DIRECTORY/"
'';
in
map (x: "${x} ${escapeShellArgs [ stateDir runtimeDir logsDir ]}") [
"+${unconfigureRunner}" # runs as root
configureRunner
setupRuntimeDir
];
# If running in ephemeral mode, restart the service on-exit (i.e., successful de-registration of the runner)
# to trigger a fresh registration.
Restart = if cfg.ephemeral then "on-success" else "no";
# Contains _diag
LogsDirectory = [ systemdDir ];
# Default RUNNER_ROOT which contains ephemeral Runner data
RuntimeDirectory = [ systemdDir ];
# Home of persistent runner data, e.g., credentials
StateDirectory = [ systemdDir ];
StateDirectoryMode = "0700";
WorkingDirectory = runtimeDir;
InaccessiblePaths = [
# Token file path given in the configuration, if visible to the service
"-${cfg.tokenFile}"
# Token file in the state directory
"${stateDir}/${currentConfigTokenFilename}"
];
KillSignal = "SIGINT";
# Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing:
# systemd-analyze security github-runner
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0066";
ProtectProc = "invisible";
SystemCallFilter = [
"~@clock"
"~@cpu-emulation"
"~@module"
"~@mount"
"~@obsolete"
"~@raw-io"
"~@reboot"
"~capset"
"~setdomainname"
"~sethostname"
];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
# Needs network access
PrivateNetwork = false;
# Cannot be true due to Node
MemoryDenyWriteExecute = false;
# The more restrictive "pid" option makes `nix` commands in CI emit
# "GC Warning: Couldn't read /proc/stat"
# You may want to set this to "pid" if not using `nix` commands
ProcSubset = "all";
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
# ASLR (address space layout randomization) which requires the
# `personality` syscall
# You may want to set this to `true` if not using coverage tooling on
# compiled code
LockPersonality = false;
# Note that this has some interactions with the User setting; so you may
# want to consult the systemd docs if using both.
DynamicUser = true;
} // (
lib.optionalAttrs (cfg.user != null) { User = cfg.user; }
) // cfg.serviceOverrides;
}

56
nixos/modules/services/continuous-integration/github-runners.nix Normal file
View File

@ -0,0 +1,56 @@
{ config
, pkgs
, lib
, ...
}@args:
with lib;
let
cfg = config.services.github-runners;
in
{
options.services.github-runners = mkOption {
default = {};
type = with types; attrsOf (submodule { options = import ./github-runner/options.nix (args // {
# services.github-runners.${name}.name doesn't have a default; it falls back to ${name} below.
includeNameDefault = false;
}); });
example = {
runner1 = {
enable = true;
url = "https://github.com/owner/repo";
name = "runner1";
tokenFile = "/secrets/token1";
};
runner2 = {
enable = true;
url = "https://github.com/owner/repo";
name = "runner2";
tokenFile = "/secrets/token2";
};
};
description = lib.mdDoc ''
Multiple GitHub Runners.
'';
};
config = {
systemd.services = flip mapAttrs' cfg (n: v:
let
svcName = "github-runner-${n}";
in
nameValuePair svcName
(import ./github-runner/service.nix (args // {
inherit svcName;
cfg = v // {
name = if v.name != null then v.name else n;
};
systemdDir = "github-runner/${n}";
}))
);
};
}

6
nixos/modules/services/continuous-integration/gocd-server/default.nix
View File

@ -106,6 +106,8 @@ in {
"-Dcruise.config.file=${cfg.workDir}/conf/cruise-config.xml"
"-Dcruise.server.port=${toString cfg.port}"
"-Dcruise.server.ssl.port=${toString cfg.sslPort}"
"--add-opens=java.base/java.lang=ALL-UNNAMED"
"--add-opens=java.base/java.util=ALL-UNNAMED"
];
defaultText = literalExpression ''
[
@ -119,6 +121,8 @@ in {
"-Dcruise.config.file=''${config.${opt.workDir}}/conf/cruise-config.xml"
"-Dcruise.server.port=''${toString config.${opt.port}}"
"-Dcruise.server.ssl.port=''${toString config.${opt.sslPort}}"
"--add-opens=java.base/java.lang=ALL-UNNAMED"
"--add-opens=java.base/java.util=ALL-UNNAMED"
]
'';
@ -199,7 +203,7 @@ in {
${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
${pkgs.jre}/bin/java -server ${concatStringsSep " " cfg.startupOptions} \
${concatStringsSep " " cfg.extraOptions} \
-jar ${pkgs.gocd-server}/go-server/go.jar
-jar ${pkgs.gocd-server}/go-server/lib/go.jar
'';
serviceConfig = {

6
nixos/modules/services/continuous-integration/jenkins/default.nix
View File

@ -87,8 +87,8 @@ in {
};
packages = mkOption {
default = [ pkgs.stdenv pkgs.git pkgs.jdk11 config.programs.ssh.package pkgs.nix ];
defaultText = literalExpression "[ pkgs.stdenv pkgs.git pkgs.jdk11 config.programs.ssh.package pkgs.nix ]";
default = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ];
defaultText = literalExpression "[ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ]";
type = types.listOf types.package;
description = lib.mdDoc ''
Packages to add to PATH for the jenkins process.
@ -228,7 +228,7 @@ in {
# For reference: https://wiki.jenkins.io/display/JENKINS/JenkinsLinuxStartupScript
script = ''
${pkgs.jdk11}/bin/java ${concatStringsSep " " cfg.extraJavaOptions} -jar ${cfg.package}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \
${pkgs.jdk17}/bin/java ${concatStringsSep " " cfg.extraJavaOptions} -jar ${cfg.package}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \
--httpPort=${toString cfg.port} \
--prefix=${cfg.prefix} \
-Djava.awt.headless=true \

5
nixos/modules/services/continuous-integration/jenkins/job-builder.nix
View File

@ -30,7 +30,7 @@ in {
};
accessUser = mkOption {
default = "";
default = "admin";
type = types.str;
description = lib.mdDoc ''
User id in Jenkins used to reload config.
@ -48,7 +48,8 @@ in {
};
accessTokenFile = mkOption {
default = "";
default = "${config.services.jenkins.home}/secrets/initialAdminPassword";
defaultText = literalExpression ''"''${config.services.jenkins.home}/secrets/initialAdminPassword"'';
type = types.str;
example = "/run/keys/jenkins-job-builder-access-token";
description = lib.mdDoc ''

33
nixos/modules/services/databases/postgresql.xml
View File

@ -72,16 +72,20 @@ Type "help" for help.
{ config, pkgs, ... }:
{
<xref linkend="opt-environment.systemPackages" /> = [
(pkgs.writeScriptBin "upgrade-pg-cluster" ''
(let
# XXX specify the postgresql package you'd like to upgrade to.
# Do not forget to list the extensions you need.
newPostgres = pkgs.postgresql_13.withPackages (pp: [
# pp.plv8
]);
in pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
# XXX replace `&lt;new version&gt;` with the psqlSchema here
export NEWDATA="/var/lib/postgresql/&lt;new version&gt;"
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
# XXX specify the postgresql package you'd like to upgrade to
export NEWBIN="${pkgs.postgresql_13}/bin"
export NEWBIN="${newPostgres}/bin"
export OLDDATA="${config.<xref linkend="opt-services.postgresql.dataDir"/>}"
export OLDBIN="${config.<xref linkend="opt-services.postgresql.package"/>}/bin"
@ -127,12 +131,25 @@ Type "help" for help.
</listitem>
<listitem>
<para>
After the upgrade it's advisable to analyze the new cluster (as <literal>su -l postgres</literal> in the
<xref linkend="opt-services.postgresql.dataDir" />, in this example <filename>/var/lib/postgresql/13</filename>):
After the upgrade it's advisable to analyze the new cluster.
</para>
<itemizedlist>
<listitem>
<para>
For PostgreSQL ≥ 14, use the <literal>vacuumdb</literal> command printed by the upgrades script.
</para>
</listitem>
<listitem>
<para>
For PostgreSQL &lt; 14, run (as <literal>su -l postgres</literal> in the <xref linkend="opt-services.postgresql.dataDir" />, in this example <filename>/var/lib/postgresql/13</filename>):
<programlisting>
<prompt>$ </prompt>./analyze_new_cluster.sh
</programlisting>
<warning><para>The next step removes the old state-directory!</para></warning>
</para>
</listitem>
</itemizedlist>
<para>
<warning><para>The next step removes the old state-directory!</para></warning>
<programlisting>
<prompt>$ </prompt>./delete_old_cluster.sh
</programlisting>

28
nixos/modules/services/desktops/pipewire/daemon/filter-chain.conf.json Normal file
View File

@ -0,0 +1,28 @@
{
"context.properties": {
"log.level": 0
},
"context.spa-libs": {
"audio.convert.*": "audioconvert/libspa-audioconvert",
"support.*": "support/libspa-support"
},
"context.modules": [
{
"name": "libpipewire-module-rt",
"args": {},
"flags": [
"ifexists",
"nofail"
]
},
{
"name": "libpipewire-module-protocol-native"
},
{
"name": "libpipewire-module-client-node"
},
{
"name": "libpipewire-module-adapter"
}
]
}

38
nixos/modules/services/desktops/pipewire/daemon/pipewire-avb.conf.json Normal file
View File

@ -0,0 +1,38 @@
{
"context.properties": {},
"context.spa-libs": {
"audio.convert.*": "audioconvert/libspa-audioconvert",
"support.*": "support/libspa-support"
},
"context.modules": [
{
"name": "libpipewire-module-rt",
"args": {
"nice.level": -11
},
"flags": [
"ifexists",
"nofail"
]
},
{
"name": "libpipewire-module-protocol-native"
},
{
"name": "libpipewire-module-client-node"
},
{
"name": "libpipewire-module-adapter"
},
{
"name": "libpipewire-module-avb",
"args": {}
}
],
"context.exec": [],
"stream.properties": {},
"avb.properties": {
"ifname": "enp3s0",
"vm.overrides": {}
}
}

3
nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix
View File

@ -33,7 +33,8 @@ in
stdenv.mkDerivation {
name = "brscan4-etc-files-0.4.3-3";
pname = "brscan4-etc-files";
version = "0.4.3-3";
src = "${brscan4}/opt/brother/scanner/brscan4";
nativeBuildInputs = [ brscan4 ];

6
nixos/modules/services/hardware/udev.nix
View File

@ -192,7 +192,6 @@ in
###### interface
options = {
boot.hardwareScan = mkOption {
type = types.bool;
default = true;
@ -205,6 +204,9 @@ in
};
services.udev = {
enable = mkEnableOption (lib.mdDoc "udev") // {
default = true;
};
packages = mkOption {
type = types.listOf types.path;
@ -345,7 +347,7 @@ in
###### implementation
config = mkIf (!config.boot.isContainer) {
config = mkIf cfg.enable {
services.udev.extraRules = nixosRules;

2
nixos/modules/services/logging/journalwatch.nix
View File

@ -239,7 +239,7 @@ in {
Type = "oneshot";
# requires a relative directory name to create beneath /var/lib
StateDirectory = user;
StateDirectoryMode = 0750;
StateDirectoryMode = "0750";
ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail";
# lowest CPU and IO priority, but both still in best-effort class to prevent starvation
Nice=19;

2
nixos/modules/services/mail/listmonk.nix
View File

@ -202,7 +202,7 @@ in {
NoNewPrivileges = true;
CapabilityBoundingSet = "";
SystemCallArchitecture = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "@resources" ];
SystemCallFilter = [ "@system-service" "~@privileged" ];
ProtectDevices = true;
ProtectControlGroups = true;
ProtectKernelTunables = true;

2
nixos/modules/services/matrix/appservice-discord.nix
View File

@ -137,7 +137,7 @@ in {
PrivateTmp = true;
WorkingDirectory = appDir;
StateDirectory = baseNameOf dataDir;
UMask = 0027;
UMask = "0027";
EnvironmentFile = cfg.environmentFile;
ExecStart = ''

1
nixos/modules/services/matrix/mautrix-facebook.nix
View File

@ -25,6 +25,7 @@ in {
default = {
homeserver = {
address = "http://localhost:8008";
software = "standard";
};
appservice = rec {

8
nixos/modules/services/matrix/mautrix-telegram.nix
View File

@ -19,6 +19,10 @@ in {
apply = recursiveUpdate default;
inherit (settingsFormat) type;
default = {
homeserver = {
software = "standard";
};
appservice = rec {
database = "sqlite:///${dataDir}/mautrix-telegram.db";
database_opts = {};
@ -81,7 +85,7 @@ in {
description = lib.mdDoc ''
{file}`config.yaml` configuration as a Nix attribute set.
Configuration options should match those described in
[example-config.yaml](https://github.com/tulir/mautrix-telegram/blob/master/example-config.yaml).
[example-config.yaml](https://github.com/mautrix/telegram/blob/master/mautrix_telegram/example-config.yaml).
Secret tokens should be specified using {option}`environmentFile`
instead of this world-readable attribute set.
@ -162,7 +166,7 @@ in {
PrivateTmp = true;
WorkingDirectory = pkgs.mautrix-telegram; # necessary for the database migration scripts to be found
StateDirectory = baseNameOf dataDir;
UMask = 0027;
UMask = "0027";
EnvironmentFile = cfg.environmentFile;
ExecStart = ''

2
nixos/modules/services/misc/ethminer.nix
View File

@ -85,7 +85,7 @@ in
config = mkIf cfg.enable {
systemd.services.ethminer = {
path = optional (cfg.toolkit == "cuda") [ pkgs.cudaPackages.cudatoolkit ];
path = optionals (cfg.toolkit == "cuda") [ pkgs.cudaPackages.cudatoolkit ];
description = "ethminer ethereum mining service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];

4
nixos/modules/services/misc/geoipupdate.nix
View File

@ -183,7 +183,7 @@ in
DynamicUser = true;
ReadWritePaths = cfg.settings.DatabaseDirectory;
RuntimeDirectory = "geoipupdate";
RuntimeDirectoryMode = 0700;
RuntimeDirectoryMode = "0700";
CapabilityBoundingSet = "";
PrivateDevices = true;
PrivateMounts = true;
@ -197,7 +197,7 @@ in
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
SystemCallFilter = [ "@system-service" "~@privileged" ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictRealtime = true;
RestrictNamespaces = true;

2
nixos/modules/services/misc/gitea.nix
View File

@ -592,7 +592,7 @@ in
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
};
environment = {

Some files were not shown because too many files have changed in this diff Show More