dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Merge master into haskell-updates

Browse Source
This commit is contained in:
github-actions[bot] 2024-11-01 00:18:16 +00:00 committed by GitHub
commit 3a826649ee
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1860 changed files with 75883 additions and 39593 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.git-blame-ignore-revs
View File

@ -40,6 +40,9 @@ d1c1a0c656ccd8bd3b25d3c4287f2d075faf3cf3
# fix indentation in meteor default.nix
a37a6de881ec4c6708e6b88fd16256bbc7f26bbd
# pkgs/stdenv/make-derivation: Reindent
b4cc2a2479a7ab0f6440b2e1319221920ef72699
# treewide: automatically md-convert option descriptions
2e751c0772b9d48ff6923569adfa661b030ab6a2
@ -189,3 +192,14 @@ ce21e97a1f20dee15da85c084f9d1148d84f853b
# percona: apply nixfmt
8d14fa2886fec877690c6d28cfcdba4503dbbcea
# nixos/virtualisation: format image-related files
# Original formatting commit that was reverted
04fadac429ca7d6b92025188652376c230205730
# Revert commit
4cec81a9959ce612b653860dcca53101a36f328a
# Final commit that does the formatting
88b285c01d84de82c0b2b052fd28eaf6709c2d26
# sqlc: format with nixfmt
2bdec131b2bb2c8563f4556d741d34ccb77409e2

2
.github/ISSUE_TEMPLATE.md vendored
View File

@ -8,4 +8,4 @@
## Technical details
Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->

6
.github/ISSUE_TEMPLATE/bug_report.md vendored
View File

@ -33,12 +33,8 @@ If in doubt, check `git blame` for whoever last touched something.
-->
### Metadata
Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
```console
[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
output here
```
<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
---

7
.github/ISSUE_TEMPLATE/build_failure.md vendored
View File

@ -31,12 +31,7 @@ If in doubt, check `git blame` for whoever last touched something.
### Metadata
Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result.
```console
[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
output here
```
<!-- Please insert the output of running `nix-shell -p nix-info --run "nix-info -m"` below this line -->
---

15
.github/labeler.yml vendored
View File

@ -217,9 +217,9 @@
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/nim.section.md
- pkgs/development/compilers/nim/*
- pkgs/development/nim-packages/**/*
- pkgs/top-level/nim-packages.nix
- pkgs/build-support/build-nim-package.nix
- pkgs/by-name/ni/nim*
- pkgs/top-level/nim-overrides.nix
"6.topic: nodejs":
- any:
@ -340,6 +340,15 @@
- pkgs/os-specific/linux/systemd/**/*
- nixos/modules/system/boot/systemd*/**/*
"6.topic: tcl":
- any:
- changed-files:
- any-glob-to-any-file:
- doc/languages-frameworks/tcl.section.md
- pkgs/development/interpreters/tcl/*
- pkgs/development/tcl-modules/**/*
- pkgs/top-level/tcl-packages.nix
"6.topic: TeX":
- any:
- changed-files:

2
.github/workflows/backport.yml vendored
View File

@ -20,7 +20,7 @@ jobs:
if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Create backport PRs

2
.github/workflows/basic-eval.yml vendored
View File

@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest
# we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
with:

2
.github/workflows/check-cherry-picks.yml vendored
View File

@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
filter: blob:none

2
.github/workflows/check-maintainers-sorted.yaml vendored
View File

@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge

2
.github/workflows/check-nix-format.yml vendored
View File

@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
if: "!contains(github.event.pull_request.title, '[skip treewide]')"
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge

2
.github/workflows/check-nixf-tidy.yml vendored
View File

@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
if: "!contains(github.event.pull_request.title, '[skip treewide]')"
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge

4
.github/workflows/check-shell.yml vendored
View File

@ -10,7 +10,7 @@ jobs:
name: shell-check-x86_64-linux
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge
@ -22,7 +22,7 @@ jobs:
name: shell-check-aarch64-darwin
runs-on: macos-latest
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge

41
.github/workflows/codeowners.yml → .github/workflows/codeowners-v2.yml vendored
View File

@ -1,17 +1,32 @@
name: Codeowners
name: Codeowners v2
# This workflow depends on a GitHub App with the following permissions:
# - Repository > Administration: read-only
# - Organization > Members: read-only
# - Repository > Pull Requests: read-write
# The App needs to be installed on this repository
# the OWNER_APP_ID repository variable needs to be set
# the OWNER_APP_PRIVATE_KEY repository secret needs to be set
# This workflow depends on two GitHub Apps with the following permissions:
# - For checking code owners:
# - Permissions:
# - Repository > Administration: read-only
# - Organization > Members: read-only
# - Install App on this repository, setting these variables:
# - OWNER_RO_APP_ID (variable)
# - OWNER_RO_APP_PRIVATE_KEY (secret)
# - For requesting code owners:
# - Permissions:
# - Repository > Administration: read-only
# - Organization > Members: read-only
# - Repository > Pull Requests: read-write
# - Install App on this repository, setting these variables:
# - OWNER_APP_ID (variable)
# - OWNER_APP_PRIVATE_KEY (secret)
#
# This split is done because checking code owners requires handling untrusted PR input,
# while requesting code owners requires PR write access, and those shouldn't be mixed.
on:
pull_request_target:
types: [opened, ready_for_review, synchronize, reopened, edited]
# We don't need any default GitHub token
permissions: {}
env:
OWNERS_FILE: ci/OWNERS
# Don't do anything on draft PRs
@ -35,7 +50,7 @@ jobs:
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
# We later build and run code from the base branch with access to secrets,
# so it's important this is not the PRs code.
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: base
@ -45,10 +60,10 @@ jobs:
- uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
id: app-token
with:
app-id: ${{ vars.OWNER_APP_ID }}
private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
app-id: ${{ vars.OWNER_RO_APP_ID }}
private-key: ${{ secrets.OWNER_RO_APP_PRIVATE_KEY }}
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: refs/pull/${{ github.event.number }}/merge
path: pr
@ -72,7 +87,7 @@ jobs:
# Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
# This is intentional, because we need to request the review of owners as declared in the base branch.
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
id: app-token

8
.github/workflows/editorconfig.yml → .github/workflows/editorconfig-v2.yml vendored
View File

@ -1,6 +1,8 @@
name: "Checking EditorConfig"
name: "Checking EditorConfig v2"
permissions: read-all
permissions:
pull-requests: read
contents: read
on:
# avoids approving first time contributors
@ -25,7 +27,7 @@ jobs:
- name: print list of changed files
run: |
cat "$HOME/changed_files"
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge

7
.github/workflows/manual-nixos.yml → .github/workflows/manual-nixos-v2.yml vendored
View File

@ -1,6 +1,7 @@
name: "Build NixOS manual"
name: "Build NixOS manual v2"
permissions: read-all
permissions:
contents: read
on:
pull_request_target:
@ -15,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge

7
.github/workflows/manual-nixpkgs.yml → .github/workflows/manual-nixpkgs-v2.yml vendored
View File

@ -1,6 +1,7 @@
name: "Build Nixpkgs manual"
name: "Build Nixpkgs manual v2"
permissions: read-all
permissions:
contents: read
on:
pull_request_target:
@ -17,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge

8
.github/workflows/nix-parse.yml → .github/workflows/nix-parse-v2.yml vendored
View File

@ -1,6 +1,8 @@
name: "Check whether nix files are parseable"
name: "Check whether nix files are parseable v2"
permissions: read-all
permissions:
pull-requests: read
contents: read
on:
# avoids approving first time contributors
@ -25,7 +27,7 @@ jobs:
if [[ -s "$HOME/changed_files" ]]; then
echo "CHANGED_FILES=$HOME/changed_files" > "$GITHUB_ENV"
fi
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# pull_request_target checks out the base branch by default
ref: refs/pull/${{ github.event.pull_request.number }}/merge

4
.github/workflows/nixpkgs-vet.yml vendored
View File

@ -27,7 +27,7 @@ jobs:
timeout-minutes: 10
steps:
# This checks out the base branch because of pull_request_target
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: base
sparse-checkout: ci
@ -42,7 +42,7 @@ jobs:
echo "Skipping the rest..."
fi
rm -rf base
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
if: env.mergedSha
with:
# pull_request_target checks out the base branch by default

2
.github/workflows/periodic-merge-24h.yml vendored
View File

@ -41,7 +41,7 @@ jobs:
into: staging-24.05
name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0

2
.github/workflows/periodic-merge-6h.yml vendored
View File

@ -39,7 +39,7 @@ jobs:
into: staging
name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: ${{ matrix.pairs.from }} → ${{ matrix.pairs.into }}
uses: devmasx/merge-branch@854d3ac71ed1e9deb668e0074781b81fdd6e771f # 1.4.0

17
ci/OWNERS
View File

@ -11,13 +11,13 @@
# - There is no need for user/team listed here to have write access.
# - No reviews will be requested for PRs that target the wrong base branch.
#
# Processing of this file is implemented in workflows/codeowners.yml
# Processing of this file is implemented in workflows/codeowners-v2.yml
# CI
/.github/workflows @NixOS/Security @Mic92 @zowoq
/.github/workflows/check-nix-format.yml @infinisil
/.github/workflows/nixpkgs-vet.yml @infinisil @philiptaron
/.github/workflows/codeowners.yml @infinisil
/.github/workflows/codeowners-v2.yml @infinisil
/ci/OWNERS @infinisil
/ci @infinisil @philiptaron @NixOS/Security
@ -173,10 +173,17 @@ nixos/modules/installer/tools/nix-fallback-paths.nix @NixOS/nix-team @raitobeza
/pkgs/development/r-modules @jbedo
# Rust
/pkgs/development/compilers/rust @Mic92 @zowoq @winterqt @figsoda
/pkgs/development/compilers/rust @alyssais @Mic92 @zowoq @winterqt @figsoda
/pkgs/build-support/rust @zowoq @winterqt @figsoda
/doc/languages-frameworks/rust.section.md @zowoq @winterqt @figsoda
# Tcl
/pkgs/development/interpreters/tcl @fgaz
/pkgs/development/libraries/tk @fgaz
/pkgs/top-level/tcl-packages.nix @fgaz
/pkgs/development/tcl-modules @fgaz
/doc/languages-frameworks/tcl.section.md @fgaz
# C compilers
/pkgs/development/compilers/gcc
/pkgs/development/compilers/llvm @alyssais @RossComputerGuy @NixOS/llvm
@ -332,7 +339,9 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
/pkgs/by-name/ne/nemo-* @mkg20001
# nim
/pkgs/development/compilers/nim @ehmry
/doc/languages-frameworks/nim.section.md @ehmry
/pkgs/build-support/build-nim-package.nix @ehmry
/pkgs/top-level/nim-overrides.nix @ehmry
# terraform providers
/pkgs/applications/networking/cluster/terraform-providers @zowoq

2
doc/doc-support/lib-function-docs.nix
View File

@ -74,7 +74,7 @@
}
{
name = "customisation";
description = "Functions to customise (derivation-related) functions, derivatons, or attribute sets";
description = "Functions to customise (derivation-related) functions, derivations, or attribute sets";
}
{
name = "meta";

2
doc/hooks/just.section.md
View File

@ -6,7 +6,7 @@ This setup hook attempts to use [the `just` command runner](https://just.systems
## `buildPhase` {#just-hook-buildPhase}
This phase attempts to invoke `just` with [the default recipe](https://just.systems/man/en/chapter_23.html).
This phase attempts to invoke `just` with [the default recipe](https://just.systems/man/en/the-default-recipe.html).
[]{#just-hook-dontUseJustBuild} This behavior can be disabled by setting `dontUseJustBuild` to `true`.

2
doc/languages-frameworks/cuda.section.md
View File

@ -150,7 +150,7 @@ All new projects should use the CUDA redistributables available in [`cudaPackage
In the scenario you are unable to run the resulting binary: this is arguably the most complicated as it could be any combination of the previous reasons. This type of failure typically occurs when a library attempts to load or open a library it depends on that it does not declare in its `DT_NEEDED` section. As a first step, ensure that dependencies are patched with [`autoAddDriverRunpath`](https://search.nixos.org/packages?channel=unstable&type=packages&query=autoAddDriverRunpath). Failing that, try running the application with [`nixGL`](https://github.com/guibou/nixGL) or a similar wrapper tool. If that works, it likely means that the application is attempting to load a library that is not in the `RPATH` or `RUNPATH` of the binary.
## Running Docker or Podman containers with CUDA support {#running-docker-or-podman-containers-with-cuda-support}
## Running Docker or Podman containers with CUDA support {#cuda-docker-podman}
It is possible to run Docker or Podman containers with CUDA support. The recommended mechanism to perform this task is to use the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/index.html).

1
doc/languages-frameworks/index.md
View File

@ -93,6 +93,7 @@ ruby.section.md
rust.section.md
scheme.section.md
swift.section.md
tcl.section.md
texlive.section.md
titanium.section.md
vim.section.md

54
doc/languages-frameworks/tcl.section.md Normal file
View File

@ -0,0 +1,54 @@
# Tcl {#sec-language-tcl}
## User guide {#sec-language-tcl-user-guide}
Tcl interpreters are available under the `tcl` and `tcl-X_Y` attributes, where `X_Y` is the Tcl version.
Tcl libraries are available in the `tclPackages` attribute set.
They are only guaranteed to work with the default Tcl version, but will probably also work with others thanks to the [stubs mechanism](https://wiki.tcl-lang.org/page/Stubs).
## Packaging guide {#sec-language-tcl-packaging}
Tcl packages are typically built with `tclPackages.mkTclDerivation`.
Tcl dependencies go in `buildInputs`/`nativeBuildInputs`/... like other packages.
For more complex package definitions, such as packages with mixed languages, use `tcl.tclPackageHook`.
Where possible, make sure to enable stubs for maximum compatibility, usually with the `--enable-stubs` configure flag.
Here is a simple package example to be called with `tclPackages.callPackage`.
```
{ lib, fetchzip, mkTclDerivation, openssl }:
mkTclDerivation rec {
pname = "tcltls";
version = "1.7.22";
src = fetchzip {
url = "https://core.tcl-lang.org/tcltls/uv/tcltls-${version}.tar.gz";
hash = "sha256-TOouWcQc3MNyJtaAGUGbaQoaCWVe6g3BPERct/V65vk=";
};
buildInputs = [ openssl ];
configureFlags = [
"--with-ssl-dir=${openssl.dev}"
"--enable-stubs"
];
meta = {
homepage = "https://core.tcl-lang.org/tcltls/index";
description = "OpenSSL / RSA-bsafe Tcl extension";
maintainers = [ lib.maintainers.agbrooks ];
license = lib.licenses.tcltk;
platforms = lib.platforms.unix;
};
}
```
All Tcl libraries are declared in `pkgs/top-level/tcl-packages.nix` and are defined in `pkgs/development/tcl-modules/`.
If possible, prefer the by-name hierarchy in `pkgs/development/tcl-modules/by-name/`.
Its use is documented in `pkgs/development/tcl-modules/by-name/README.md`.
All Tcl applications reside elsewhere.
In case a package is used as both a library and an application (for example `expect`), it should be defined in `tcl-packages.nix`, with an alias elsewhere.

190
doc/stdenv/platform-notes.chapter.md
View File

@ -46,22 +46,198 @@ Some common issues when packaging software for Darwin:
}
```
- Some packages assume xcode is available and use `xcrun` to resolve build tools like `clang`, etc. This causes errors like `xcode-select: error: no developer tools were found at '/Applications/Xcode.app'` while the build doesnt actually depend on xcode.
- Some packages assume Xcode is available and use `xcrun` to resolve build tools like `clang`, etc. The Darwin stdenv includes `xcrun`, and it will return the path to any binary available in a build.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
nativeBuildInputs = [ bison ];
buildCommand = ''
xcrun bison foo.y # produces foo.tab.c
# ...
'';
}
```
The package `xcbuild` can be used to build projects that really depend on Xcode. However, this replacement is not 100% compatible with Xcode and can occasionally cause issues.
Note: Some packages may hardcode an absolute path to `xcrun`, `xcodebuild`, or `xcode-select`. Those paths should be removed or replaced.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
prePatch = ''
substituteInPlace Makefile \
--replace-fail '/usr/bin/xcrun clang' clang
--replace-fail /usr/bin/xcrun xcrun
# or: --replace-fail /usr/bin/xcrun '${lib.getExe' buildPackages.xcbuild "xcrun"}'
'';
}
```
The package `xcbuild` can be used to build projects that really depend on Xcode. However, this replacement is not 100% compatible with Xcode and can occasionally cause issues.
- Multiple SDKs are available for use in nixpkgs. Each platform has a default SDK (10.12.2 for x86_64-darwin and 11.3 for aarch64-darwin), which is available as the `apple-sdk` package.
- x86_64-darwin uses the 10.12 SDK by default, but some software is not compatible with that version of the SDK. In that case,
the 11.0 SDK used by aarch64-darwin is available for use on x86_64-darwin. To use it, reference `apple_sdk_11_0` instead of
`apple_sdk` in your derivation and use `pkgs.darwin.apple_sdk_11_0.callPackage` instead of `pkgs.callPackage`. On Linux, this will
have the same effect as `pkgs.callPackage`, so you can use `pkgs.darwin.apple_sdk_11_0.callPackage` regardless of platform.
The SDK provides the necessary headers and text-based stubs to link common frameworks and libraries (such as libSystem, which is effectively Darwins libc). Projects will sometimes indicate which SDK to use by the Xcode version. As a rule of thumb, subtract one from the Xcode version to get the available SDK in nixpkgs.
The `DEVELOPER_DIR` variable in the build environment has the path to the SDK in the build environment. The `SDKROOT` variable there contains a sysroot with the framework, header, and library paths. You can reference an SDKs sysroot from Nix using the `sdkroot` attribute on the SDK package. Note that it is preferable to use `SDKROOT` because the latter will be resolved to the highest SDK version of any available to your derivation.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
env.PACKAGE_SPECIFIC_SDK_VAR = apple-sdk_10_15.sdkroot;
# or
buildInputs = [ apple-sdk_10_15 ];
postPatch = ''
export PACKAGE_SPECIFIC_SDK_VAR=$SDKROOT
'';
}
```
The following is a list of Xcode versions, the SDK version in nixpkgs, and the attribute to use to add it. Generally, only the last SDK release for a major version is packaged (each _x_ in 10._x_ until 10.15 is considered a major version).
| Xcode version | SDK version | nixpkgs attribute |
|--------------------|---------------------------------------------------|-------------------|
| Varies by platform | 10.12.2 (x86_64-darwin)<br/>11.3 (aarch64-darwin) | `apple-sdk` |
| 8.08.3.3 | 10.12.2 | `apple-sdk_10_12` |
| 9.09.4.1 | 10.13.2 | `apple-sdk_10_13` |
| 10.010.3 | 10.14.6 | `apple-sdk_10_14` |
| 11.011.7 | 10.15.6 | `apple-sdk_10_15` |
| 12.012.5.1 | 11.3 | `apple-sdk_11` |
| 13.013.4.1 | 12.3 | `apple-sdk_12` |
| 14.014.3.1 | 13.3 | `apple-sdk_13` |
| 15.015.4 | 14.4 | `apple-sdk_14` |
| 16.0 | 15.0 | `apple-sdk_15` |
To use a non-default SDK, add it to your build inputs.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
buildInputs = [ apple-sdk_15 ]; # Uses the 15.0 SDK instead of the default SDK for the platform.
}
```
If your derivation has multiple SDKs its inputs (e.g., because they have been propagated by its dependencies), it will use the highest SDK version available.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3"; # Upstream specifies that it needs Xcode 12 to build, so use the 11.3 SDK.
# ...
buildInputs = [ apple-sdk_11 ];
nativeBuildInputs = [ swift ]; # Propagates the 13.3 SDK, so the 13.3 SDK package will be used instead of the 11.3 SDK.
}
```
- When a package indicates a minimum supported version, also called the deployment target, you can set it in your derivation using `darwinMinVersionHook`. If you need to set a minimum version higher than the default SDK, you should also add the corresponding SDK to your `buildInputs`.
The deployment target controls how Darwin handles availability and access to some APIs. In most cases, if a deployment target is newer than the first availability of an API, that API will be linked directly. Otherwise, the API will be weakly linked and checked at runtime.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3"; # Upstream specifies the minimum supported version as 12.5.
buildInputs = [ (darwinMinVersionHook "12.5") ];
}
```
If your derivation has multiple versions of this hook in its inputs (e.g., because it has been propagated by one of your dependencies), it will use the highest deployment target available.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3"; # Upstream specifies the minimum supported version as 10.15.
buildInputs = [ qt6.qtbase (darwinMinVersionHook "10.15") ];
}
# Qt 6 specifies a minimum version of 12.0, so the minimum version resolves to 12.0.
```
- You should rely on the default SDK when possible. If a package specifies a required SDK version, use that version (e.g., libuv requires 11.0, so it should use `apple-sdk_11`). When a package supports multiple SDKs, determine which SDK package to use based on the following rules of thumb:
- If a package supports multiple SDK versions, use the lowest supported SDK version by the package (but no lower than the default SDK). That ensures maximal platform compatibility for the package.
- If a package specifies a range of supported SDK versions _and_ a minimum supported version, assume the package is using availability checks to support the indicated minimum version. Add the highest supported SDK and a `darwinMinVersionHook` set to the minimum version supported by the upstream package.
Warning: Avoid using newer SDKs than an upstream package supports. When a binary is linked on Darwin, the SDK version used to build it is recorded in the binary. Runtime behavior can vary based on the SDK version, which may work fine but can also result in unexpected behavior or crashes when building with an unsupported SDK.
```nix
stdenv.mkDerivation {
name = "foo-1.2.3";
# ...
buildInputs = [ apple-sdk_15 (darwinMinVersionHook "10.15") ]; # Upstream builds with the 15.0 SDK but supports 10.15.
}
```
- Libraries that require a minimum version can propagate an appropriate SDK and `darwinMinVersionHook`. Derivations using that library will automatically use an appropriate SDK and minimum version. Even if the library builds with a newer SDK, it should propagate the minimum supported SDK. Derivations that need a newer SDK can add it to their `buildInputs`.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
buildInputs = [ apple-sdk_15 ]; # Upstream builds with the 15.0 SDK but supports 10.15.
propagatedBuildInputs = [ apple-sdk_10_15 (darwinMinVersionHook "10.15") ];
}
# ...
stdenv.mkDerivation {
name = "bar-1.2.3";
# ...
buildInputs = [ libfoo ]; # Builds with the 10.15 SDK
}
# ...
stdenv.mkDerivation {
name = "baz-1.2.3";
# ...
buildInputs = [ apple-sdk_12 libfoo ]; # Builds with the 12.3 SDK
}
```
- Many SDK libraries and frameworks use text-based stubs to link against system libraries and frameworks, but several are built from source (typically corresponding to the source releases for the latest release of macOS). Several of these are propagated to your package automatically. They can be accessed via the `darwin` package set along with others that are not propagated by default.
- libiconv
- libresolv
- libsbuf
Other common libraries are available in Darwin-specific versions with modifications from Apple. Note that these packages may be made the default on Darwin in the future.
- ICU (compatible with the top-level icu package, but it also provides `libicucore.B.dylib` with an ABI compatible with the Darwin system version)
- libpcap (compatible with the top-level libpcap, but it includes Darwin-specific extensions)
- The legacy SDKs packages are still available in the `darwin` package set under their existing names, but all packages in these SDKs (frameworks, libraries, etc) are stub packages for evaluation compatibility.
In most cases, a derivation can be updated by deleting all of its SDK inputs (frameworks, libraries, etc). If you had to override the SDK, see below for how to do that using the new SDK pattern. If your derivation depends on the layout of the old frameworks or other internal details, you have more work to do.
When a package depended on the location of frameworks, references to those framework packages can usually be replaced with `${apple-sdk.sdkroot}/System` or `$SDKROOT/System`. For example, if you substituted `${darwin.apple_sdk.frameworks.OpenGL}/Library/Frameworks/OpenGL.framework` in your derivation, you should replace it with `${apple-sdk.sdkroot}/System/Library/Frameworks/OpenGL.framework` or `$SDKROOT/System/Library/Frameworks`. The latter is preferred because it supports using the SDK that is resolved when multiple SDKs are propagated (see above).
Note: the new SDK pattern uses the name `apple-sdk` to better align with nixpkgs naming conventions. The old SDK pattern uses `apple_sdk`.
- There are two legacy patterns that are being phased out. These patterns were used in the past to change the SDK version. They have been reimplemented to use the `apple-sdk` packages.
- `pkgs.darwin.apple_sdk_11_0.callPackage` - this pattern was used to provide frameworks from the 11.0 SDK. It now adds the `apple-sdk_11` package to your derivations build inputs.
- `overrideSDK` - this stdenv adapter would try to replace the frameworks used by your derivation and its transitive dependencies. It now adds the `apple-sdk_11` package for `11.0` or the `apple-sdk_12` package for `12.3`. If `darwinMinVersion` is specified, it will add `darwinMinVersionHook` with the specified minimum version. No other SDK versions are supported.
- Darwin supports cross-compilation between Darwin platforms. Cross-compilation from Linux is not currently supported but may be supported in the future. To cross-compile to Darwin, you can set `crossSystem` or use one of the Darwin systems in `pkgsCross`. The `darwinMinVersionHook` and the SDKs support cross-compilation. If you need to specify a different SDK version for a `depsBuildBuild` compiler, add it to your `nativeBuildInputs`.
```nix
stdenv.mkDerivation {
name = "libfoo-1.2.3";
# ...
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [ apple-sdk_12 ];
buildInputs = [ apple-sdk_13 ];
depsTargetTargetPropagated = [ apple-sdk_14 ];
}
# The build-build clang will use the 12.3 SDK while the package build itself will use the 13.3 SDK.
# Derivations that add this package as an input will have the 14.4 SDK propagated to them.
```
The different target SDK and hooks are mangled based on role:
- `DEVELOPER_DIR_FOR_BUILD` and `MACOSX_DEPLOYMENT_TARGET_FOR_BUILD` for the build platform;
- `DEVELOPER_DIR` and `MACOSX_DEPLOYMENT_TARGET` for the host platform; and
- `DEVELOPER_DIR_FOR_TARGET` and `MACOSX_DEPLOYMENT_TARGET_FOR_TARGET` for the build platform.
In static compilation situations, it is possible for the build and host platform to be the same platform but have different SDKs with the same version (one dynamic and one static). cc-wrapper takes care of handling this distinction.
- The current default versions of the deployment target (minimum version) and SDK are indicated by Darwin-specific attributes on the platform. Because of the ways that minimum version and SDK can be changed that are not visible to Nix, they should be treated as lower bounds. If you need to parameterize over a specific version, create a function that takes the version as a parameter instead of relying on these attributes.
- `darwinMinVersion` defaults to 10.12 on x86_64-darwin and 11.0 on aarch64-darwin. It sets the default `MACOSX_DEPLOYMENT_TARGET`.
- `darwinSdkVersion` defaults to 10.12 on x86-64-darwin and 11.0 on aarch64-darwin. Only the major version determines the SDK version, resulting in the 10.12.2 and 11.3 SDKs being used on these platforms respectively.

5
lib/licenses.nix
View File

@ -942,6 +942,11 @@ lib.mapAttrs mkLicense ({
url = "https://license.coscl.org.cn/MulanPSL2";
};
naist-2003 = {
spdxId = "NAIST-2003";
fullName = "Nara Institute of Science and Technology License (2003)";
};
nasa13 = {
spdxId = "NASA-1.3";
fullName = "NASA Open Source Agreement 1.3";

211
maintainers/maintainer-list.nix
View File

@ -414,6 +414,12 @@
githubId = 1174810;
name = "Nikolay Amiantov";
};
abcsds = {
email = "abcsds@gmail.com";
github = "abcsds";
githubId = 2694381;
name = "Alberto Barradas";
};
abdiramen = {
email = "abdirahman.osmanthus@gmail.com";
github = "Abdiramen";
@ -731,6 +737,12 @@
githubId = 79667753;
keys = [ { fingerprint = "B0D7 2955 235F 6AB5 ACFA 1619 8C7F F5BB 1ADE F191"; } ];
};
ailsa-sun = {
name = "Ailsa Sun";
email = "jjshenw@gmail.com";
github = "ailsa-sun";
githubId = 135079815;
};
aimpizza = {
email = "rickomo.us@gmail.com";
name = "Rick Omonsky";
@ -743,6 +755,11 @@
githubId = 37664775;
name = "Yuto Oguchi";
};
airrnot = {
name = "airRnot";
github = "airRnot1106";
githubId = 62370527;
};
airwoodix = {
email = "airwoodix@posteo.me";
github = "airwoodix";
@ -961,6 +978,12 @@
githubId = 173595;
name = "Caleb Maclennan";
};
alex = {
email = "alexander.cinnamon927@passmail.net";
github = "alexanderjkslfj";
githubId = 117545308;
name = "Alex";
};
ALEX11BR = {
email = "alexioanpopa11@gmail.com";
github = "ALEX11BR";
@ -1873,6 +1896,12 @@
githubId = 10285250;
name = "Artur E. Ruuge";
};
arunoruto = {
email = "mirza.arnaut45@gmail.com";
github = "arunoruto";
githubId = 21687187;
name = "Mirza Arnaut";
};
asbachb = {
email = "asbachb-nixpkgs-5c2a@impl.it";
matrix = "@asbachb:matrix.org";
@ -2480,6 +2509,7 @@
};
bbenno = {
email = "nix@bbenno.com";
matrix = "@bbenno:matrix.org";
github = "bbenno";
githubId = 32938211;
name = "Benno Bielmeier";
@ -2527,6 +2557,12 @@
githubId = 34620799;
name = "Jacob Bachmann";
};
bcyran = {
email = "bazyli@cyran.dev";
github = "bcyran";
githubId = 8322846;
name = "Bazyli Cyran";
};
bdd = {
email = "bdd@mindcast.org";
github = "bdd";
@ -2915,6 +2951,12 @@
githubId = 535135;
name = "Brennon Loveless";
};
bloxx12 = {
email = "charlie@charlieroot.dev";
github = "bloxx12";
githubId = 75451918;
name = "Charlie Root";
};
bluescreen303 = {
email = "mathijs@bluescreen303.nl";
github = "bluescreen303";
@ -5401,6 +5443,12 @@
githubId = 4490283;
name = "diadatp";
};
diamond-deluxe = {
email = "carbon_lattice@proton.me";
github = "diamond-deluxe";
githubId = 112557036;
name = "Diamond";
};
DianaOlympos = {
github = "DianaOlympos";
githubId = 15774340;
@ -5826,6 +5874,12 @@
githubId = 1931963;
name = "David Sferruzza";
};
dsluijk = {
name = "Dany Sluijk";
email = "nix@dany.dev";
github = "dsluijk";
githubId = 8537327;
};
dstengele = {
name = "Dennis Stengele";
email = "dennis@stengele.me";
@ -5870,7 +5924,10 @@
github = "jollheef";
githubId = 1749762;
name = "Mikhail Klementev";
keys = [ { fingerprint = "5DD7 C6F6 0630 F08E DAE7 4711 1525 585D 1B43 C62A"; } ];
keys = [
{ fingerprint = "5AC8 C9A1 68C7 9451 1A91 2295 C990 5BA7 2B5E 02BB"; }
{ fingerprint = "5DD7 C6F6 0630 F08E DAE7 4711 1525 585D 1B43 C62A"; }
];
};
dunxen = {
email = "git@dunxen.dev";
@ -6264,6 +6321,12 @@
github = "elliottslaughter";
githubId = 3129;
};
ElliottSullingeFarrall = {
name = "Elliott Sullinge-Farrall";
email = "elliott.chalford@gmail.com";
github = "ElliottSullingeFarrall";
githubId = 108588212;
};
elliottvillars = {
email = "elliottvillars@gmail.com";
github = "elliottvillars";
@ -7166,6 +7229,11 @@
githubId = 183879;
name = "Florian Klink";
};
florensie = {
github = "florensie";
githubId = 13403842;
name = "Florens Pauwels";
};
florentc = {
github = "florentc";
githubId = 1149048;
@ -7408,7 +7476,7 @@
matrix = "@frontear:matrix.org";
github = "Frontear";
githubId = 31909298;
keys = [ { fingerprint = "C170 11B7 C0AA BB3F 7415 022C BCB5 CEFD E222 82F5"; } ];
keys = [ { fingerprint = "6A25 DEBE 41DB 0C15 3AB5 BB34 5290 E18B 8705 1A83"; } ];
};
frontsideair = {
email = "photonia@gmail.com";
@ -8625,6 +8693,12 @@
githubId = 6430643;
name = "Henry Till";
};
hensoko = {
email = "hensoko@pub.solar";
github = "hensoko";
githubId = 13552930;
name = "hensoko";
};
heph2 = {
email = "srht@mrkeebs.eu";
github = "heph2";
@ -9438,6 +9512,13 @@
email = "itepastra@gmail.com";
keys = [ { fingerprint = "E681 4CAF 06AE B076 D55D 3E32 A16C DCBF 1472 541F"; } ];
};
itsvic-dev = {
email = "contact@itsvic.dev";
name = "Victor B.";
github = "itsvic-dev";
githubId = 17727163;
keys = [ { fingerprint = "FBAA B86A 101B 4C5F D4F1 25D2 E93D DAC1 7E5D 6CA1"; } ];
};
ius = {
email = "j.de.gram@gmail.com";
name = "Joerie de Gram";
@ -9500,6 +9581,12 @@
githubId = 1318743;
name = "Ivar";
};
iv-nn = {
name = "iv-nn";
github = "iv-nn";
githubId = 49885246;
keys = [ { fingerprint = "6358 EF87 86E0 EF2F 1628 103F BAB5 F165 1C71 C9C3"; } ];
};
ivyfanchiang = {
email = "dev@ivyfanchiang.ca";
github = "hexadecimalDinosaur";
@ -10494,6 +10581,13 @@
githubId = 168684553;
name = "João Marques";
};
joinemm = {
email = "joonas@rautiola.co";
github = "joinemm";
githubId = 26210439;
name = "Joonas Rautiola";
keys = [ { fingerprint = "87EC DD30 6614 E510 5299 F0D4 090E B48A 4669 AA54"; } ];
};
jojosch = {
name = "Johannes Schleifenbaum";
email = "johannes@js-webcoding.de";
@ -12383,6 +12477,13 @@
githubId = 169170;
name = "Mathias Schreck";
};
loc = {
matrix = "@loc:locrealloc.de";
github = "LoCrealloc";
githubId = 64095253;
name = "LoC";
keys = [ { fingerprint = "DCCE F73B 209A 6024 CAE7 F926 5563 EB4A 8634 4F15"; } ];
};
locallycompact = {
email = "dan.firth@homotopic.tech";
github = "locallycompact";
@ -14809,6 +14910,11 @@
githubId = 96225281;
name = "Mustafa Çalışkan";
};
musjj = {
name = "musjj";
github = "musjj";
githubId = 72612857;
};
mvisonneau = {
name = "Maxime VISONNEAU";
email = "maxime@visonneau.fr";
@ -16354,6 +16460,11 @@
githubId = 33182938;
name = "Pankaj";
};
PapayaJackal = {
github = "PapayaJackal";
githubId = 145766029;
name = "PapayaJackal";
};
paperdigits = {
email = "mica@silentumbrella.com";
github = "paperdigits";
@ -16626,6 +16737,12 @@
githubId = 63069986;
name = "Per Stark";
};
petee = {
name = "Pete Erickson";
email = "pete.perickson@gmail.com";
github = "petee";
githubId = 89916;
};
petercommand = {
email = "petercommand@gmail.com";
github = "petercommand";
@ -17479,6 +17596,12 @@
githubId = 43755002;
name = "Dmitriy P";
};
pta2002 = {
email = "pta2002@pta2002.com";
github = "pta2002";
githubId = 7443916;
name = "Pedro Alves";
};
ptival = {
email = "valentin.robert.42@gmail.com";
github = "Ptival";
@ -17584,6 +17707,12 @@
githubId = 12017109;
name = "Rabindra Dhakal";
};
qbisi = {
name = "qbisicwate";
email = "qbisicwate@gmail.com";
github = "qbisi";
githubId = 84267544;
};
qbit = {
name = "Aaron Bieber";
email = "aaron@bolddaemon.com";
@ -18009,6 +18138,12 @@
name = "Roland Conybeare";
keys = [ { fingerprint = "bw5Cr/4ul1C2UvxopphbZbFI1i5PCSnOmPID7mJ/Ogo"; } ];
};
rc-zb = {
name = "Xiao Haifan";
email = "rc-zb@outlook.com";
github = "rc-zb";
githubId = 161540043;
};
rdnetto = {
email = "rdnetto@gmail.com";
github = "rdnetto";
@ -18154,6 +18289,11 @@
githubId = 3302;
name = "Renzo Carbonara";
};
reputable2772 = {
name = "Reputable2772";
github = "Reputable2772";
githubId = 153411261;
};
rettetdemdativ = {
email = "michael@koeppl.dev";
github = "rettetdemdativ";
@ -19165,6 +19305,12 @@
githubId = 695473;
name = "Sascha Grunert";
};
satoqz = {
email = "mail@satoqz.net";
github = "satoqz";
githubId = 40795431;
name = "satoqz";
};
saturn745 = {
email = "git-commits.rk7uq@aleeas.com";
github = "saturn745";
@ -19721,12 +19867,24 @@
github = "shhht";
githubId = 118352823;
};
shift = {
name = "Vincent Palmer";
email = "shift@someone.section.me";
github = "shift";
githubId = 1653;
};
shikanime = {
name = "William Phetsinorath";
email = "deva.shikanime@protonmail.com";
github = "shikanime";
githubId = 22115108;
};
shiphan = {
email = "timlin940511@gmail.com";
name = "Shiphan";
github = "Shiphan";
githubId = 140245703;
};
shiryel = {
email = "contact@shiryel.com";
name = "Shiryel";
@ -20041,6 +20199,12 @@
githubId = 49844593;
name = "skovati";
};
skyesoss = {
name = "Skye Soss";
matrix = "@skyesoss:matrix.org";
github = "Skyb0rg007";
githubId = 30806179;
};
skykanin = {
github = "skykanin";
githubId = 3789764;
@ -20448,6 +20612,12 @@
github = "srounce";
githubId = 60792;
};
Srylax = {
name = "Srylax";
email = "srylax+nixpkgs@srylax.dev";
github = "Srylax";
githubId = 71783705;
};
sshine = {
email = "simon@simonshine.dk";
github = "sshine";
@ -20521,6 +20691,12 @@
githubId = 94006354;
name = "steamwalker";
};
steeleduncan = {
email = "steeleduncan@hotmail.com";
github = "steeleduncan";
githubId = 866573;
name = "Duncan Steele";
};
steell = {
email = "steve@steellworks.com";
github = "Steell";
@ -21815,6 +21991,12 @@
githubId = 2164118;
name = "Tobias Bora";
};
tobifroe = {
email = "hi@froelich.dev";
github = "tobifroe";
githubId = 40638719;
name = "Tobias Frölich";
};
tobim = {
email = "nix@tobim.fastmail.fm";
github = "tobim";
@ -23043,6 +23225,12 @@
githubId = 24979302;
name = "Vladimír Zahradník";
};
wfdewith = {
name = "Wim de With";
email = "wf@dewith.io";
github = "wfdewith";
githubId = 2306085;
};
wgunderwood = {
email = "wg.underwood13@gmail.com";
github = "WGUNDERWOOD";
@ -23105,6 +23293,13 @@
githubId = 1215623;
keys = [ { fingerprint = "DA03 D6C6 3F58 E796 AD26 E99B 366A 2940 479A 06FC"; } ];
};
wilhelmines = {
email = "mail@aesz.org";
matrix = "@wilhelmines:matrix.org";
name = "Ronja Schwarz";
github = "wilhelmines";
githubId = 71409721;
};
willbush = {
email = "git@willbush.dev";
matrix = "@willbush:matrix.org";
@ -23269,6 +23464,12 @@
githubId = 28888242;
name = "WORLDofPEACE";
};
WoutSwinkels = {
name = "Wout Swinkels";
email = "nixpkgs@woutswinkels.com";
github = "WoutSwinkels";
githubId = 113464111;
};
wozeparrot = {
email = "wozeparrot@gmail.com";
github = "wozeparrot";
@ -24212,12 +24413,6 @@
githubId = 71881325;
name = "Stefan Bordei";
};
zzamboni = {
email = "diego@zzamboni.org";
github = "zzamboni";
githubId = 32876;
name = "Diego Zamboni";
};
zzzsy = {
email = "me@zzzsy.top";
github = "zzzsyyy";

8
nixos/doc/manual/administration/rollback.section.md
View File

@ -12,7 +12,7 @@ system has booted, you can make the selected configuration the default
for subsequent boots:
```ShellSession
# /run/current-system/bin/switch-to-configuration boot
# /run/current-system/bin/apply boot
```
Second, you can switch to the previous configuration in a running
@ -25,11 +25,11 @@ system:
This is equivalent to running:
```ShellSession
# /nix/var/nix/profiles/system-N-link/bin/switch-to-configuration switch
# /nix/var/nix/profiles/system-N-link/bin/apply switch
```
where `N` is the number of the NixOS system configuration. To get a
list of the available configurations, do:
where `N` is the number of the NixOS system configuration to roll back to.
To get a list of the available configurations, run:
```ShellSession
$ ls -l /nix/var/nix/profiles/system-*-link

4
nixos/doc/manual/configuration/customizing-packages.section.md
View File

@ -33,8 +33,8 @@ Unfortunately, Nixpkgs currently lacks a way to query available package configur
::: {.note}
For example, many packages come with extensions one might add.
Examples include:
- [`passExtensions.pass-otp`](https://search.nixos.org/packages/query=passExtensions.pass-otp)
- [`python310Packages.requests`](https://search.nixos.org/packages/query=python310Packages.requests)
- [`passExtensions.pass-otp`](https://search.nixos.org/packages?query=passExtensions.pass-otp)
- [`python312Packages.requests`](https://search.nixos.org/packages?query=python312Packages.requests)
You can use them like this:
```nix

2
nixos/doc/manual/development/non-switchable-systems.section.md
View File

@ -16,6 +16,6 @@ profile:
The most notable deviation of this profile from a standard NixOS configuration
is that after building it, you cannot switch *to* the configuration anymore.
The profile sets `config.system.switch.enable = false;`, which excludes
`switch-to-configuration`, the central script called by `nixos-rebuild`, from
`apply` and `switch-to-configuration`, the central scripts called by `nixos-rebuild`, from
your system. Removing this script makes the image lighter and slightly more
secure.

4
nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md
View File

@ -5,8 +5,8 @@ This chapter explains some of the internals of this command to make it simpler
for new module developers to configure their units correctly and to make it
easier to understand what is happening and why for curious administrators.
`nixos-rebuild`, like many deployment solutions, calls `switch-to-configuration`
which resides in a NixOS system at `$out/bin/switch-to-configuration`. The
`nixos-rebuild`, like many deployment solutions, calls `apply` (or for NixOS older than 24.11, `switch-to-configuration`)
which resides in a NixOS system at `$out/bin/apply`. The
script is called with the action that is to be performed like `switch`, `test`,
`boot`. There is also the `dry-activate` action which does not really perform
the actions but rather prints what it would do if you called it with `test`.

10
nixos/doc/manual/development/writing-nixos-tests.section.md
View File

@ -71,20 +71,20 @@ nix-build -A nixosTests.hostname
### Testing outside the NixOS project {#sec-call-nixos-test-outside-nixos}
Outside the `nixpkgs` repository, you can instantiate the test by first importing the NixOS library,
Outside the `nixpkgs` repository, you can use the `runNixOSTest` function from
`pkgs.testers`:
```nix
let nixos-lib = import (nixpkgs + "/nixos/lib") { };
let pkgs = import <nixpkgs> {};
in
nixos-lib.runTest {
pkgs.testers.runNixOSTest {
imports = [ ./test.nix ];
hostPkgs = pkgs; # the Nixpkgs package set used outside the VMs
defaults.services.foo.package = mypkg;
}
```
`runTest` returns a derivation that runs the test.
`runNixOSTest` returns a derivation that runs the test.
## Configuring the nodes {#sec-nixos-test-nodes}

2
nixos/doc/manual/installation/installing-from-other-distro.section.md
View File

@ -247,7 +247,7 @@ The first steps to all these are the same:
```ShellSession
$ sudo mv -v /boot /boot.bak &&
sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot
sudo /nix/var/nix/profiles/system/bin/apply boot
```
Cross your fingers, reboot, hopefully you should get a NixOS prompt!

36
nixos/doc/manual/release-notes/rl-2411.section.md
View File

@ -54,6 +54,16 @@
If you experience any issues, please report them.
The original Perl script is deprecated and is planned for removal in the 25.05 release. It will remain accessible until then by setting `system.switch.enableNg` to `false`.
- Built NixOS configurations now have a `$toplevel/bin/apply` script.
Unlike `switch-to-configuration`, it is capable of performing a complete `switch` operation.
If you call `switch-to-configuration` directly, you are recommended to use `apply` instead, and remove your call to `nix-env --profile /nix/var/nix/profiles/system --set $toplevel` or similar.
It will run the switch operation as a systemd unit if available, as `nixos-rebuild switch` would.
Benefits include:
- The `apply` script reduces the roundtrips required when performing a remote deployment with `nixos-rebuild switch --target-host HOST`.
- Developers and power users can now update NixOS in a single call.
- Alternative NixOS deployment methods have feature parity with `nixos-rebuild`, and NixOS can evolve all of its switching logic in one place.
- Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html)
was added through the `boot.initrd.systemd.dmVerity` option.
@ -321,10 +331,23 @@
- The method to safely handle secrets in the `networking.wireless` module has been changed to benefit from a [new feature](https://w1.fi/cgit/hostap/commit/?id=e680a51e94a33591f61edb210926bcb71217a21a) of wpa_supplicant.
The syntax to refer to secrets has changed slightly and the option `networking.wireless.environmentFile` has been replaced by `networking.wireless.secretsFile`; see the description of the latter for how to upgrade.
- NetBox was updated to `>= 4.1.0`.
Have a look at the breaking changes
of the [4.0 release](https://github.com/netbox-community/netbox/releases/tag/v4.0.0)
and the [4.1 release](https://github.com/netbox-community/netbox/releases/tag/v4.1.0),
make the required changes to your database, if needed,
then upgrade by setting `services.netbox.package = pkgs.netbox_4_1;`
in your configuration.
- `services.cgit` now runs as the cgit user by default instead of root.
This change requires granting access to the repositories to this user or
setting the appropriate one through `services.cgit.some-instance.user`.
- `gradle_6` was removed due to being [unsupported upstream as of 10 Feb 2023](https://endoflife.date/gradle).
Additionally, it had numerous security vulnerabilities that were only patched
in later versions, such as [CVE-2021-29429](https://nvd.nist.gov/vuln/detail/CVE-2021-32751),
[CVE-2021-29427](https://nvd.nist.gov/vuln/detail/CVE-2021-29427), [CVE-2021-29428](https://nvd.nist.gov/vuln/detail/CVE-2021-29428), and [CVE-2021-32751](https://nvd.nist.gov/vuln/detail/CVE-2021-32751).
- `nvimpager` was updated to version 0.13.0, which changes the order of user and
nvimpager settings: user commands in `-c` and `--cmd` now override the
respective default settings because they are executed later.
@ -385,6 +408,8 @@
`nodePackages.coc-eslint` and `vimPlugins.coc-eslint` packages offer comparable
features for `eslint`, which replaced `tslint`.
- Tcl packages have been moved into the `tclPackages` scope.
- `teleport` has been upgraded from major version 15 to major version 16.
Refer to upstream [upgrade instructions](https://goteleport.com/docs/management/operations/upgrading/)
and [release notes for v16](https://goteleport.com/docs/changelog/#1600-061324).
@ -553,8 +578,17 @@
- The `services.prometheus.exporters.minio` option has been removed, as it's upstream implementation was broken and unmaintained.
Minio now has built-in [Prometheus metrics exposure](https://min.io/docs/minio/linux/operations/monitoring/collect-minio-metrics-using-prometheus.html), which can be used instead.
- The `services.prometheus.exporters.tor` option has been removed, as its upstream implementation was broken and unmaintained.
- The `services.patroni.raft` option has been removed, as Raft has been [deprecated by upstream since 3.0.0](https://github.com/patroni/patroni/blob/master/docs/releases.rst#version-300)
- The `jd-cli` package was removed due to an inactive upstream and a dependency on the shut down
JCenter JAR repository.
Java decompilers already packaged in Nixpkgs include `bytecode-viewer` (GUI), `cfr` (CLI), and `procyon` (CLI).
- The `jd-gui` package was removed due to an inactive upstream and a dependency on the end-of-life Gradle 6.
Java decompilers already packaged in Nixpkgs include `bytecode-viewer` (GUI), `cfr` (CLI), and `procyon` (CLI).
- `services.roundcube.maxAttachmentSize` will multiply the value set with `1.37` to offset overhead introduced by the base64 encoding applied to attachments.
- The `services.mxisd` module has been removed as both [mxisd](https://github.com/kamax-matrix/mxisd) and [ma1sd](https://github.com/ma1uta/ma1sd) are not maintained any longer.
@ -747,6 +781,8 @@
- The arguments from [](#opt-services.postgresql.initdbArgs) now get shell-escaped.
- Mattermost has been updated from 9.5 to 9.11 ESR. See the [changelog](https://docs.mattermost.com/about/mattermost-v9-changelog.html#release-v9-11-extended-support-release) for more details.
- `cargo-tauri.hook` was introduced to help users build [Tauri](https://tauri.app/) projects. It is meant to be used alongside
`rustPlatform.buildRustPackage` and Node hooks such as `npmConfigHook`, `pnpm.configHook`, and the new `yarnConfig`

2
nixos/lib/testing/nixos-test-base.nix
View File

@ -23,7 +23,7 @@ in
};
}
({ config, ... }: {
# Don't pull in switch-to-configuration by default, except when specialisations or early boot shenanigans are involved.
# Don't pull in apply and switch-to-configuration by default, except when specialisations or early boot shenanigans are involved.
# This is mostly a Hydra optimization, so we don't rebuild all the tests every time switch-to-configuration-ng changes.
key = "no-switch-to-configuration";
system.switch.enable = mkDefault (config.isSpecialisation || config.specialisation != {} || config.virtualisation.installBootLoader);

2
nixos/lib/testing/nodes.nix
View File

@ -13,7 +13,7 @@ let
types
;
inherit (hostPkgs) hostPlatform;
inherit (hostPkgs.stdenv) hostPlatform;
guestSystem =
if hostPlatform.isLinux

230
nixos/maintainers/scripts/ec2/amazon-image.nix
View File

@ -1,24 +1,47 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkOption optionalString types versionAtLeast;
inherit (lib)
mkOption
optionalString
types
versionAtLeast
;
inherit (lib.options) literalExpression;
cfg = config.amazonImage;
amiBootMode = if config.ec2.efi then "uefi" else "legacy-bios";
in {
imports = [ ../../../modules/virtualisation/amazon-image.nix ];
in
{
imports = [
../../../modules/virtualisation/amazon-image.nix
../../../modules/virtualisation/disk-size-option.nix
(lib.mkRenamedOptionModuleWith {
sinceRelease = 2411;
from = [
"amazonImage"
"sizeMB"
];
to = [
"virtualisation"
"diskSize"
];
})
];
# Amazon recommends setting this to the highest possible value for a good EBS
# experience, which prior to 4.15 was 255.
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html#timeout-nvme-ebs-volumes
config.boot.kernelParams =
let timeout =
if versionAtLeast config.boot.kernelPackages.kernel.version "4.15"
then "4294967295"
else "255";
in [ "nvme_core.io_timeout=${timeout}" ];
let
timeout =
if versionAtLeast config.boot.kernelPackages.kernel.version "4.15" then "4294967295" else "255";
in
[ "nvme_core.io_timeout=${timeout}" ];
options.amazonImage = {
name = mkOption {
@ -34,30 +57,32 @@ in {
}
]
'';
default = [];
default = [ ];
description = ''
This option lists files to be copied to fixed locations in the
generated image. Glob patterns work.
'';
};
sizeMB = mkOption {
type = with types; either (enum [ "auto" ]) int;
default = 3072;
example = 8192;
description = "The size in MB of the image";
};
format = mkOption {
type = types.enum [ "raw" "qcow2" "vpc" ];
type = types.enum [
"raw"
"qcow2"
"vpc"
];
default = "vpc";
description = "The image format to output";
};
};
config.system.build.amazonImage = let
configFile = pkgs.writeText "configuration.nix"
''
# Use a priority just below mkOptionDefault (1500) instead of lib.mkDefault
# to avoid breaking existing configs using that.
config.virtualisation.diskSize = lib.mkOverride 1490 (3 * 1024);
config.virtualisation.diskSizeAutoSupported = !config.ec2.zfs.enable;
config.system.build.amazonImage =
let
configFile = pkgs.writeText "configuration.nix" ''
{ modulesPath, ... }: {
imports = [ "''${modulesPath}/virtualisation/amazon-image.nix" ];
${optionalString config.ec2.efi ''
@ -70,91 +95,102 @@ in {
}
'';
zfsBuilder = import ../../../lib/make-multi-disk-zfs-image.nix {
inherit lib config configFile pkgs;
inherit (cfg) contents format name;
zfsBuilder = import ../../../lib/make-multi-disk-zfs-image.nix {
inherit
lib
config
configFile
pkgs
;
inherit (cfg) contents format name;
includeChannel = true;
includeChannel = true;
bootSize = 1000; # 1G is the minimum EBS volume
bootSize = 1000; # 1G is the minimum EBS volume
rootSize = cfg.sizeMB;
rootPoolProperties = {
ashift = 12;
autoexpand = "on";
rootSize = config.virtualisation.diskSize;
rootPoolProperties = {
ashift = 12;
autoexpand = "on";
};
datasets = config.ec2.zfs.datasets;
postVM = ''
extension=''${rootDiskImage##*.}
friendlyName=$out/${cfg.name}
rootDisk="$friendlyName.root.$extension"
bootDisk="$friendlyName.boot.$extension"
mv "$rootDiskImage" "$rootDisk"
mv "$bootDiskImage" "$bootDisk"
mkdir -p $out/nix-support
echo "file ${cfg.format} $bootDisk" >> $out/nix-support/hydra-build-products
echo "file ${cfg.format} $rootDisk" >> $out/nix-support/hydra-build-products
${pkgs.jq}/bin/jq -n \
--arg system_label ${lib.escapeShellArg config.system.nixos.label} \
--arg system ${lib.escapeShellArg pkgs.stdenv.hostPlatform.system} \
--arg root_logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$rootDisk" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
--arg boot_logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$bootDisk" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
--arg boot_mode "${amiBootMode}" \
--arg root "$rootDisk" \
--arg boot "$bootDisk" \
'{}
| .label = $system_label
| .boot_mode = $boot_mode
| .system = $system
| .disks.boot.logical_bytes = $boot_logical_bytes
| .disks.boot.file = $boot
| .disks.root.logical_bytes = $root_logical_bytes
| .disks.root.file = $root
' > $out/nix-support/image-info.json
'';
};
datasets = config.ec2.zfs.datasets;
extBuilder = import ../../../lib/make-disk-image.nix {
inherit
lib
config
configFile
pkgs
;
postVM = ''
extension=''${rootDiskImage##*.}
friendlyName=$out/${cfg.name}
rootDisk="$friendlyName.root.$extension"
bootDisk="$friendlyName.boot.$extension"
mv "$rootDiskImage" "$rootDisk"
mv "$bootDiskImage" "$bootDisk"
inherit (cfg) contents format name;
mkdir -p $out/nix-support
echo "file ${cfg.format} $bootDisk" >> $out/nix-support/hydra-build-products
echo "file ${cfg.format} $rootDisk" >> $out/nix-support/hydra-build-products
fsType = "ext4";
partitionTableType = if config.ec2.efi then "efi" else "legacy+gpt";
${pkgs.jq}/bin/jq -n \
--arg system_label ${lib.escapeShellArg config.system.nixos.label} \
--arg system ${lib.escapeShellArg pkgs.stdenv.hostPlatform.system} \
--arg root_logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$rootDisk" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
--arg boot_logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$bootDisk" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
--arg boot_mode "${amiBootMode}" \
--arg root "$rootDisk" \
--arg boot "$bootDisk" \
'{}
| .label = $system_label
| .boot_mode = $boot_mode
| .system = $system
| .disks.boot.logical_bytes = $boot_logical_bytes
| .disks.boot.file = $boot
| .disks.root.logical_bytes = $root_logical_bytes
| .disks.root.file = $root
' > $out/nix-support/image-info.json
'';
};
inherit (config.virtualisation) diskSize;
extBuilder = import ../../../lib/make-disk-image.nix {
inherit lib config configFile pkgs;
postVM = ''
extension=''${diskImage##*.}
friendlyName=$out/${cfg.name}.$extension
mv "$diskImage" "$friendlyName"
diskImage=$friendlyName
inherit (cfg) contents format name;
mkdir -p $out/nix-support
echo "file ${cfg.format} $diskImage" >> $out/nix-support/hydra-build-products
fsType = "ext4";
partitionTableType = if config.ec2.efi then "efi" else "legacy+gpt";
diskSize = cfg.sizeMB;
postVM = ''
extension=''${diskImage##*.}
friendlyName=$out/${cfg.name}.$extension
mv "$diskImage" "$friendlyName"
diskImage=$friendlyName
mkdir -p $out/nix-support
echo "file ${cfg.format} $diskImage" >> $out/nix-support/hydra-build-products
${pkgs.jq}/bin/jq -n \
--arg system_label ${lib.escapeShellArg config.system.nixos.label} \
--arg system ${lib.escapeShellArg pkgs.stdenv.hostPlatform.system} \
--arg logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$diskImage" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
--arg boot_mode "${amiBootMode}" \
--arg file "$diskImage" \
'{}
| .label = $system_label
| .boot_mode = $boot_mode
| .system = $system
| .logical_bytes = $logical_bytes
| .file = $file
| .disks.root.logical_bytes = $logical_bytes
| .disks.root.file = $file
' > $out/nix-support/image-info.json
'';
};
in if config.ec2.zfs.enable then zfsBuilder else extBuilder;
${pkgs.jq}/bin/jq -n \
--arg system_label ${lib.escapeShellArg config.system.nixos.label} \
--arg system ${lib.escapeShellArg pkgs.stdenv.hostPlatform.system} \
--arg logical_bytes "$(${pkgs.qemu_kvm}/bin/qemu-img info --output json "$diskImage" | ${pkgs.jq}/bin/jq '."virtual-size"')" \
--arg boot_mode "${amiBootMode}" \
--arg file "$diskImage" \
'{}
| .label = $system_label
| .boot_mode = $boot_mode
| .system = $system
| .logical_bytes = $logical_bytes
| .file = $file
| .disks.root.logical_bytes = $logical_bytes
| .disks.root.file = $file
' > $out/nix-support/image-info.json
'';
};
in
if config.ec2.zfs.enable then zfsBuilder else extBuilder;
meta.maintainers = with lib.maintainers; [ arianvp ];
}

53
nixos/maintainers/scripts/openstack/openstack-image-zfs.nix
View File

@ -1,6 +1,11 @@
# nix-build '<nixpkgs/nixos>' -A config.system.build.openstackImage --arg configuration "{ imports = [ ./nixos/maintainers/scripts/openstack/openstack-image.nix ]; }"
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkOption types;
copyChannel = true;
@ -10,9 +15,20 @@ in
{
imports = [
../../../modules/virtualisation/openstack-config.nix
../../../modules/virtualisation/disk-size-option.nix
(lib.mkRenamedOptionModuleWith {
sinceRelease = 2411;
from = [
"openstackImage"
"sizeMB"
];
to = [
"virtualisation"
"diskSize"
];
})
] ++ (lib.optional copyChannel ../../../modules/installer/cd-dvd/channel.nix);
options.openstackImage = {
name = mkOption {
type = types.str;
@ -22,18 +38,15 @@ in
ramMB = mkOption {
type = types.int;
default = 1024;
default = (3 * 1024);
description = "RAM allocation for build VM";
};
sizeMB = mkOption {
type = types.int;
default = 8192;
description = "The size in MB of the image";
};
format = mkOption {
type = types.enum [ "raw" "qcow2" ];
type = types.enum [
"raw"
"qcow2"
];
default = "qcow2";
description = "The image format to output";
};
@ -54,24 +67,28 @@ in
};
};
# Use a priority just below mkOptionDefault (1500) instead of lib.mkDefault
# to avoid breaking existing configs using that.
virtualisation.diskSize = lib.mkOverride 1490 (8 * 1024);
virtualisation.diskSizeAutoSupported = false;
system.build.openstackImage = import ../../../lib/make-single-disk-zfs-image.nix {
inherit lib config;
inherit (cfg) contents format name;
pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
configFile = pkgs.writeText "configuration.nix"
''
{ modulesPath, ... }: {
imports = [ "''${modulesPath}/virtualisation/openstack-config.nix" ];
openstack.zfs.enable = true;
}
'';
configFile = pkgs.writeText "configuration.nix" ''
{ modulesPath, ... }: {
imports = [ "''${modulesPath}/virtualisation/openstack-config.nix" ];
openstack.zfs.enable = true;
}
'';
includeChannel = copyChannel;
bootSize = 1000;
memSize = cfg.ramMB;
rootSize = cfg.sizeMB;
rootSize = config.virtualisation.diskSize;
rootPoolProperties = {
ashift = 12;
autoexpand = "on";

9
nixos/modules/config/resolvconf.nix
View File

@ -161,9 +161,12 @@ in
script = ''
${lib.getExe cfg.package} -u
files=(/run/resolvconf ${lib.escapeShellArgs cfg.subscriberFiles})
chgrp -R resolvconf "''${files[@]}"
chmod -R g=u "''${files[@]}"
chgrp resolvconf ${lib.escapeShellArgs cfg.subscriberFiles}
chmod g=u ${lib.escapeShellArgs cfg.subscriberFiles}
${lib.getExe' pkgs.acl "setfacl"} -R \
-m group:resolvconf:rwx \
-m default:group:resolvconf:rwx \
/run/resolvconf
'';
};

25
nixos/modules/config/users-groups.nix
View File

@ -6,6 +6,7 @@ let
attrNames
attrValues
concatMap
concatMapStringsSep
concatStrings
elem
filter
@ -13,6 +14,7 @@ let
flatten
flip
foldr
generators
getAttr
hasAttr
id
@ -944,16 +946,18 @@ in {
warnings =
flip concatMap (attrValues cfg.users) (user: let
unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([
user.hashedPassword
user.hashedPasswordFile
user.password
passwordOptions = [
"hashedPassword"
"hashedPasswordFile"
"password"
] ++ optionals cfg.mutableUsers [
# For immutable users, initialHashedPassword is set to hashedPassword,
# so using these options would always trigger the assertion.
user.initialHashedPassword
user.initialPassword
]));
"initialHashedPassword"
"initialPassword"
];
unambiguousPasswordConfiguration = 1 >= length
(filter (x: x != null) (map (flip getAttr user) passwordOptions));
in optional (!unambiguousPasswordConfiguration) ''
The user '${user.name}' has multiple of the options
`hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`
@ -961,6 +965,13 @@ in {
The options silently discard others by the order of precedence
given above which can lead to surprising results. To resolve this warning,
set at most one of the options above to a non-`null` value.
The values of these options are:
${concatMapStringsSep
"\n"
(value:
"* users.users.\"${user.name}\".${value}: ${generators.toPretty {} user.${value}}")
passwordOptions}
'')
++ filter (x: x != null) (
flip mapAttrsToList cfg.users (_: user:

1
nixos/modules/hardware/hackrf.nix
View File

@ -12,6 +12,7 @@ in
description = ''
Enables hackrf udev rules and ensures 'plugdev' group exists.
This is a prerequisite to using HackRF devices without being root, since HackRF USB descriptors will be owned by plugdev through udev.
Ensure your user is a member of the 'plugdev' group after enabling.
'';
};
};

3
nixos/modules/installer/tools/tools.nix
View File

@ -106,11 +106,12 @@ let
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = with pkgs; [
# firefox
# tree
# ];
# };
# programs.firefox.enable = true;
# List packages installed in system profile. To search, run:
# \$ nix search wget
# environment.systemPackages = with pkgs; [

30
nixos/modules/misc/version.nix
View File

@ -22,21 +22,26 @@ let
{
NAME = "${cfg.distroName}";
ID = "${cfg.distroId}";
ID_LIKE = optionalString (!isNixos) "nixos";
VENDOR_NAME = cfg.vendorName;
VERSION = "${cfg.release} (${cfg.codeName})";
VERSION_CODENAME = toLower cfg.codeName;
VERSION_ID = cfg.release;
BUILD_ID = cfg.version;
PRETTY_NAME = "${cfg.distroName} ${cfg.release} (${cfg.codeName})";
CPE_NAME = "cpe:/o:${cfg.vendorId}:${cfg.distroId}:${cfg.release}";
LOGO = "nix-snowflake";
HOME_URL = optionalString isNixos "https://nixos.org/";
VENDOR_URL = optionalString isNixos "https://nixos.org/";
DOCUMENTATION_URL = optionalString isNixos "https://nixos.org/learn.html";
SUPPORT_URL = optionalString isNixos "https://nixos.org/community.html";
BUG_REPORT_URL = optionalString isNixos "https://github.com/NixOS/nixpkgs/issues";
ANSI_COLOR = optionalString isNixos "1;34";
IMAGE_ID = optionalString (config.system.image.id != null) config.system.image.id;
IMAGE_VERSION = optionalString (config.system.image.version != null) config.system.image.version;
} // lib.optionalAttrs (cfg.variant_id != null) {
VARIANT_ID = cfg.variant_id;
VARIANT = optionalString (cfg.variantName != null) cfg.variantName;
VARIANT_ID = optionalString (cfg.variant_id != null) cfg.variant_id;
DEFAULT_HOSTNAME = config.networking.fqdnOrHostName;
};
initrdReleaseContents = (removeAttrs osReleaseContents [ "BUILD_ID" ]) // {
@ -116,6 +121,27 @@ in
description = "A lower-case string identifying a specific variant or edition of the operating system";
example = "installer";
};
variantName = mkOption {
type = types.nullOr types.str;
default = null;
description = "A string identifying a specific variant or edition of the operating system suitable for presentation to the user";
example = "NixOS Installer Image";
};
vendorId = mkOption {
internal = true;
type = types.str;
default = "nixos";
description = "The id of the operating system vendor";
};
vendorName = mkOption {
internal = true;
type = types.str;
default = "NixOS";
description = "The name of the operating system vendor";
};
};
image = {

2
nixos/modules/module-list.nix
View File

@ -172,6 +172,7 @@
./programs/cpu-energy-meter.nix
./programs/command-not-found/command-not-found.nix
./programs/coolercontrol.nix
./programs/corefreq.nix
./programs/criu.nix
./programs/darling.nix
./programs/dconf.nix
@ -1549,6 +1550,7 @@
./services/web-servers/phpfpm/default.nix
./services/web-servers/pomerium.nix
./services/web-servers/rustus.nix
./services/web-servers/send.nix
./services/web-servers/stargazer.nix
./services/web-servers/static-web-server.nix
./services/web-servers/tomcat.nix

2
nixos/modules/programs/_1password.nix
View File

@ -17,7 +17,7 @@ in
enable = lib.mkEnableOption "the 1Password CLI tool";
package = lib.mkPackageOption pkgs "1Password CLI" {
default = [ "_1password" ];
default = [ "_1password-cli" ];
};
};
};

42
nixos/modules/programs/corefreq.nix Normal file
View File

@ -0,0 +1,42 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.programs.corefreq;
kernelPackages = config.boot.kernelPackages;
in
{
options = {
programs.corefreq = {
enable = lib.mkEnableOption "Whether to enable the corefreq daemon and kernel module";
package = lib.mkOption {
type = lib.types.package;
default = kernelPackages.corefreq;
defaultText = lib.literalExpression "config.boot.kernelPackages.corefreq";
description = ''
The corefreq package to use.
'';
};
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
boot.extraModulePackages = [ cfg.package ];
boot.kernelModules = [ "corefreqk" ];
# Create a systemd service for the corefreq daemon
systemd.services.corefreq = {
description = "CoreFreq daemon";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = lib.getExe' cfg.package "corefreqd";
};
};
};
}

2
nixos/modules/programs/nix-ld.nix
View File

@ -34,7 +34,7 @@ in
environment.pathsToLink = [ "/share/nix-ld" ];
environment.variables = {
environment.sessionVariables = {
NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so";
NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
};

5
nixos/modules/programs/wayland/sway.nix
View File

@ -85,9 +85,10 @@ in
extraPackages = lib.mkOption {
type = with lib.types; listOf package;
default = with pkgs; [ swaylock swayidle foot dmenu wmenu ];
# Packages used in default config
default = with pkgs; [ brightnessctl foot grim pulseaudio swayidle swaylock wmenu ];
defaultText = lib.literalExpression ''
with pkgs; [ swaylock swayidle foot dmenu wmenu ];
with pkgs; [ brightnessctl foot grim pulseaudio swayidle swaylock wmenu ];
'';
example = lib.literalExpression ''
with pkgs; [ i3status i3status-rust termite rofi light ]

19
nixos/modules/programs/wayland/uwsm.nix
View File

@ -108,18 +108,19 @@ in
systemd.packages = [ cfg.package ];
environment.pathsToLink = [ "/share/uwsm" ];
services.graphical-desktop.enable = true;
# UWSM recommends dbus broker for better compatibility
services.dbus.implementation = "broker";
services.displayManager.sessionPackages = lib.mapAttrsToList (
name: value:
mk_uwsm_desktop_entry {
inherit name;
inherit (value) prettyName comment binPath;
}
) cfg.waylandCompositors;
services.displayManager = {
enable = true;
sessionPackages = lib.mapAttrsToList (
name: value:
mk_uwsm_desktop_entry {
inherit name;
inherit (value) prettyName comment binPath;
}
) cfg.waylandCompositors;
};
};
meta.maintainers = with lib.maintainers; [

10
nixos/modules/programs/zsh/oh-my-zsh.nix
View File

@ -87,6 +87,15 @@ in
Without this option it would default to the read-only nix store.
'';
};
preLoaded = lib.mkOption {
type = lib.types.lines;
default = "";
description = ''
Shell commands executed before the `oh-my-zsh` is loaded.
For example, to disable async git prompt write `zstyle ':omz:alpha:lib:git' async-prompt no` (more information https://github.com/ohmyzsh/ohmyzsh?tab=readme-ov-file#async-git-prompt)
'';
};
};
};
@ -120,6 +129,7 @@ in
ZSH_CACHE_DIR=${cfg.cacheDir}
''}
${cfg.preLoaded}
source $ZSH/oh-my-zsh.sh
'';

3
nixos/modules/security/ca.nix
View File

@ -24,7 +24,8 @@ in
internal = true;
};
security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle.
security.pki.useCompatibleBundle = mkEnableOption ''
usage of a compatibility bundle.
Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
which is an OpenSSL specific PEM format.

6
nixos/modules/security/wrappers/default.nix
View File

@ -165,6 +165,10 @@ in
###### interface
options = {
security.enableWrappers = lib.mkEnableOption "SUID/SGID wrappers" // {
default = true;
};
security.wrappers = lib.mkOption {
type = lib.types.attrsOf wrapperType;
default = {};
@ -227,7 +231,7 @@ in
};
###### implementation
config = {
config = lib.mkIf config.security.enableWrappers {
assertions = lib.mapAttrsToList
(name: opts:

2
nixos/modules/services/audio/jack.nix
View File

@ -260,7 +260,7 @@ in {
systemd.services.jack-session = {
description = "JACK session";
script = ''
jack_wait -w
${pkgs.jack-example-tools}/bin/jack_wait -w
${cfg.jackd.session}
${lib.optionalString cfg.loopback.enable cfg.loopback.session}
'';

14
nixos/modules/services/continuous-integration/hydra/default.nix
View File

@ -330,12 +330,12 @@ in
ln -sf ${hydraConf} ${baseDir}/hydra.conf
mkdir -m 0700 -p ${baseDir}/www
mkdir -m 0700 ${baseDir}/www || true
chown hydra-www:hydra ${baseDir}/www
mkdir -m 0700 -p ${baseDir}/queue-runner
mkdir -m 0750 -p ${baseDir}/build-logs
mkdir -m 0750 -p ${baseDir}/runcommand-logs
mkdir -m 0700 ${baseDir}/queue-runner || true
mkdir -m 0750 ${baseDir}/build-logs || true
mkdir -m 0750 ${baseDir}/runcommand-logs || true
chown hydra-queue-runner:hydra \
${baseDir}/queue-runner \
${baseDir}/build-logs \
@ -362,8 +362,8 @@ in
# Move legacy hydra-www roots.
if [ -e /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots ]; then
find /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots/ -type f \
| xargs -r mv -f -t ${cfg.gcRootsDir}/
find /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots/ -type f -print0 \
| xargs -0 -r mv -f -t ${cfg.gcRootsDir}/
rmdir /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots
fi
@ -520,7 +520,7 @@ in
elif [[ $compression == zstd ]]; then
compression="zstd --rm"
fi
find ${baseDir}/build-logs -type f -name "*.drv" -mtime +3 -size +0c | xargs -r "$compression" --force --quiet
find ${baseDir}/build-logs -type f -name "*.drv" -mtime +3 -size +0c -print0 | xargs -0 -r "$compression" --force --quiet
'';
startAt = "Sun 01:45";
serviceConfig.Slice = "system-hydra.slice";

2
nixos/modules/services/hardware/monado.nix
View File

@ -93,6 +93,8 @@ in
environment.systemPackages = [ cfg.package ];
environment.pathsToLink = [ "/share/openxr" ];
hardware.opengl.extraPackages = [ pkgs.monado-vulkan-layers ];
environment.etc."xdg/openxr/1/active_runtime.json" = mkIf cfg.defaultRuntime {
source = "${cfg.package}/share/openxr/1/openxr_monado.json";
};

9
nixos/modules/services/misc/anki-sync-server.md
View File

@ -42,6 +42,15 @@ Here, `passwordFile` is the path to a file containing just the password in
plaintext. Make sure to set permissions to make this file unreadable to any
user besides root.
By default, synced data are stored in */var/lib/anki-sync-server/*ankiuser**.
You can change the directory by using `services.anki-sync-server.baseDirectory`
```nix
{
services.anki-sync-server.baseDirectory = "/home/anki/data";
}
```
By default, the server listen address {option}`services.anki-sync-server.host`
is set to localhost, listening on port
{option}`services.anki-sync-server.port`, and does not open the firewall. This

9
nixos/modules/services/misc/anki-sync-server.nix
View File

@ -59,6 +59,13 @@ in {
description = "Port number anki-sync-server listens to.";
};
baseDirectory = mkOption {
type = types.str;
default = "%S/%N";
description = "Base directory where user(s) synchronized data will be stored.";
};
openFirewall = mkOption {
default = false;
type = types.bool;
@ -114,7 +121,7 @@ in {
wantedBy = ["multi-user.target"];
path = [cfg.package];
environment = {
SYNC_BASE = "%S/%N";
SYNC_BASE = cfg.baseDirectory;
SYNC_HOST = specEscape cfg.address;
SYNC_PORT = toString cfg.port;
};

2
nixos/modules/services/misc/bazarr.nix
View File

@ -54,6 +54,8 @@ in
--no-update True
'';
Restart = "on-failure";
KillSignal = "SIGINT";
SuccessExitStatus = "0 156";
};
};

21
nixos/modules/services/misc/calibre-server.nix
View File

@ -12,7 +12,7 @@ let
"--port" = cfg.port;
"--auth-mode" = cfg.auth.mode;
"--userdb" = cfg.auth.userDb;
}) ++ [(lib.optionalString (cfg.auth.enable == true) "--enable-auth")])
}) ++ [ (lib.optionalString (cfg.auth.enable == true) "--enable-auth") ] ++ cfg.extraFlags)
);
in
@ -42,6 +42,15 @@ in
'';
};
extraFlags = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
Extra flags to pass to the calibre-server command.
See the [calibre-server documentation](${generatedDocumentationLink}) for details.
'';
};
user = lib.mkOption {
type = lib.types.str;
default = "calibre-server";
@ -73,6 +82,13 @@ in
'';
};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = false;
description =
"Open ports in the firewall for the Calibre Server web interface.";
};
auth = {
enable = lib.mkOption {
type = lib.types.bool;
@ -137,6 +153,9 @@ in
};
};
networking.firewall =
lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
};
meta.maintainers = with lib.maintainers; [ gaelreyrol ];

4
nixos/modules/services/misc/disnix.nix
View File

@ -40,7 +40,7 @@ in
###### implementation
config = lib.mkIf cfg.enable {
dysnomia.enable = true;
services.dysnomia.enable = true;
environment.systemPackages = [ pkgs.disnix ] ++ lib.optional cfg.useWebServiceInterface pkgs.DisnixWebService;
environment.variables.PATH = lib.optionals cfg.enableProfilePath (map (profileName: "/nix/var/nix/profiles/disnix/${profileName}/bin" ) cfg.profiles);
@ -74,7 +74,7 @@ in
restartIfChanged = false;
path = [ config.nix.package cfg.package config.dysnomia.package "/run/current-system/sw" ];
path = [ config.nix.package cfg.package config.services.dysnomia.package "/run/current-system/sw" ];
environment = {
HOME = "/root";

14
nixos/modules/services/misc/dysnomia.nix
View File

@ -1,6 +1,6 @@
{pkgs, lib, config, ...}:
let
cfg = config.dysnomia;
cfg = config.services.dysnomia;
printProperties = properties:
lib.concatMapStrings (propertyName:
@ -79,7 +79,7 @@ let
in
{
options = {
dysnomia = {
services.dysnomia = {
enable = lib.mkOption {
type = lib.types.bool;
@ -142,6 +142,10 @@ in
};
};
imports = [
(lib.mkRenamedOptionModule ["dysnomia"] ["services" "dysnomia"])
];
config = lib.mkIf cfg.enable {
environment.etc = {
@ -164,7 +168,7 @@ in
environment.systemPackages = [ cfg.package ];
dysnomia.package = pkgs.dysnomia.override (origArgs: dysnomiaFlags // lib.optionalAttrs (cfg.enableLegacyModules) {
services.dysnomia.package = pkgs.dysnomia.override (origArgs: dysnomiaFlags // lib.optionalAttrs (cfg.enableLegacyModules) {
enableLegacy = builtins.trace ''
WARNING: Dysnomia has been configured to use the legacy 'process' and 'wrapper'
modules for compatibility reasons! If you rely on these modules, consider
@ -181,7 +185,7 @@ in
'' true;
});
dysnomia.properties = {
services.dysnomia.properties = {
hostname = config.networking.hostName;
inherit (pkgs.stdenv.hostPlatform) system;
@ -208,7 +212,7 @@ in
++ lib.optional (dysnomiaFlags.enableSubversionRepository) "subversion-repository";
};
dysnomia.containers = lib.recursiveUpdate ({
services.dysnomia.containers = lib.recursiveUpdate ({
process = {};
wrapper = {};
}

1
nixos/modules/services/misc/klipper.nix
View File

@ -113,6 +113,7 @@ in
'';
serial = lib.mkOption {
type = lib.types.nullOr path;
default = null;
description = "Path to serial port this printer is connected to. Leave `null` to derive it from `service.klipper.settings`.";
};
configFile = lib.mkOption {

7
nixos/modules/services/misc/octoprint.nix
View File

@ -5,10 +5,9 @@ let
baseConfig = {
plugins.curalegacy.cura_engine = "${pkgs.curaengine_stable}/bin/CuraEngine";
server.host = cfg.host;
server.port = cfg.port;
webcam.ffmpeg = "${pkgs.ffmpeg.bin}/bin/ffmpeg";
};
} // lib.optionalAttrs (cfg.host != null) {server.host = cfg.host;};
fullConfig = lib.recursiveUpdate cfg.extraConfig baseConfig;
@ -29,8 +28,8 @@ in
enable = lib.mkEnableOption "OctoPrint, web interface for 3D printers";
host = lib.mkOption {
type = lib.types.str;
default = "0.0.0.0";
type = lib.types.nullOr lib.types.str;
default = null;
description = ''
Host to bind OctoPrint to.
'';

8
nixos/modules/services/misc/paperless.nix
View File

@ -290,11 +290,12 @@ in
''
+ optionalString (cfg.passwordFile != null) ''
export PAPERLESS_ADMIN_USER="''${PAPERLESS_ADMIN_USER:-admin}"
export PAPERLESS_ADMIN_PASSWORD=$(cat $CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD)
PAPERLESS_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/PAPERLESS_ADMIN_PASSWORD")
export PAPERLESS_ADMIN_PASSWORD
superuserState="$PAPERLESS_ADMIN_USER:$PAPERLESS_ADMIN_PASSWORD"
superuserStateFile="${cfg.dataDir}/superuser-state"
if [[ $(cat "$superuserStateFile" 2>/dev/null) != $superuserState ]]; then
if [[ $(cat "$superuserStateFile" 2>/dev/null) != "$superuserState" ]]; then
${cfg.package}/bin/paperless-ngx manage_superuser
echo "$superuserState" > "$superuserStateFile"
fi
@ -353,7 +354,8 @@ in
tr -dc A-Za-z0-9 < /dev/urandom | head -c64 | ${pkgs.moreutils}/bin/sponge '${secretKeyFile}'
)
fi
export PAPERLESS_SECRET_KEY=$(cat '${secretKeyFile}')
PAPERLESS_SECRET_KEY="$(cat '${secretKeyFile}')"
export PAPERLESS_SECRET_KEY
if [[ ! $PAPERLESS_SECRET_KEY ]]; then
echo "PAPERLESS_SECRET_KEY is empty, refusing to start."
exit 1

9
nixos/modules/services/monitoring/nezha-agent.nix
View File

@ -92,6 +92,14 @@ in
Address to the dashboard
'';
};
extraFlags = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "--gpu" ];
description = ''
Extra command-line flags passed to nezha-agent.
'';
};
};
};
@ -125,6 +133,7 @@ in
++ lib.optional cfg.gpu "--gpu"
++ lib.optional cfg.temperature "--temperature"
++ lib.optional cfg.useIPv6CountryCode "--use-ipv6-countrycode"
++ cfg.extraFlags
);
wantedBy = [ "multi-user.target" ];
};

23
nixos/modules/services/monitoring/prometheus/default.nix
View File

@ -201,6 +201,26 @@ let
};
};
promTypes.sigv4 = types.submodule {
options = {
region = mkOpt types.str ''
The AWS region.
'';
access_key = mkOpt types.str ''
The Access Key ID.
'';
secret_key = mkOpt types.str ''
The Secret Access Key.
'';
profile = mkOpt types.str ''
The named AWS profile used to authenticate.
'';
role_arn = mkOpt types.str ''
The AWS role ARN.
'';
};
};
promTypes.tls_config = types.submodule {
options = {
ca_file = mkOpt types.str ''
@ -1464,6 +1484,9 @@ let
Sets the `Authorization` header on every remote write request with the bearer token
read from the configured file. It is mutually exclusive with `bearer_token`.
'';
sigv4 = mkOpt promTypes.sigv4 ''
Configures AWS Signature Version 4 settings.
'';
tls_config = mkOpt promTypes.tls_config ''
Configures the remote write request's TLS settings.
'';

4
nixos/modules/services/monitoring/prometheus/exporters.nix
View File

@ -88,7 +88,6 @@ let
"statsd"
"surfboard"
"systemd"
"tor"
"unbound"
"unifi"
"unpoller"
@ -299,6 +298,9 @@ in
The Minio exporter has been removed, as it was broken and unmaintained.
See the 24.11 release notes for more information.
'')
(lib.mkRemovedOptionModule [ "tor" ] ''
The Tor exporter has been removed, as it was broken and unmaintained.
'')
];
};
description = "Prometheus exporter configuration";

43
nixos/modules/services/monitoring/prometheus/exporters/tor.nix
View File

@ -1,43 +0,0 @@
{ config, lib, pkgs, options, ... }:
let
cfg = config.services.prometheus.exporters.tor;
inherit (lib) mkOption types concatStringsSep;
in
{
port = 9130;
extraOpts = {
torControlAddress = mkOption {
type = types.str;
default = "127.0.0.1";
description = ''
Tor control IP address or hostname.
'';
};
torControlPort = mkOption {
type = types.port;
default = 9051;
description = ''
Tor control port.
'';
};
};
serviceOpts = {
serviceConfig = {
ExecStart = ''
${pkgs.prometheus-tor-exporter}/bin/prometheus-tor-exporter \
-b ${cfg.listenAddress} \
-p ${toString cfg.port} \
-a ${cfg.torControlAddress} \
-c ${toString cfg.torControlPort} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
};
# CPython requires a process to either have $HOME defined or run as a UID
# defined in /etc/passwd. The latter is false with DynamicUser, so define a
# dummy $HOME. https://bugs.python.org/issue10496
environment = { HOME = "/var/empty"; };
};
}

85
nixos/modules/services/monitoring/rustdesk-server.nix
View File

@ -3,6 +3,12 @@ let
TCPPorts = [21115 21116 21117 21118 21119];
UDPPorts = [21116];
in {
imports = [
(lib.mkRemovedOptionModule [ "services" "rustdesk-server" "relayIP" ] "This option has been replaced by services.rustdesk-server.signal.relayHosts")
(lib.mkRenamedOptionModule [ "services" "rustdesk-server" "extraRelayArgs" ] [ "services" "rustdesk-server" "relay" "extraArgs" ])
(lib.mkRenamedOptionModule [ "services" "rustdesk-server" "extraSignalArgs" ] [ "services" "rustdesk-server" "signal" "extraArgs" ])
];
options.services.rustdesk-server = with lib; with types; {
enable = mkEnableOption "RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices";
@ -18,30 +24,53 @@ in {
'';
};
relayIP = mkOption {
type = str;
description = ''
The public facing IP of the RustDesk relay.
'';
signal = {
enable = mkOption {
type = bool;
default = true;
description = ''
Whether to enable the RustDesk signal server.
'';
};
relayHosts = mkOption {
type = listOf str;
default = [];
# reference: https://rustdesk.com/docs/en/self-host/rustdesk-server-pro/relay/
description = ''
The relay server IP addresses or DNS names of the RustDesk relay.
'';
};
extraArgs = mkOption {
type = listOf str;
default = [];
example = [ "-k" "_" ];
description = ''
A list of extra command line arguments to pass to the `hbbs` process.
'';
};
};
extraSignalArgs = mkOption {
type = listOf str;
default = [];
example = [ "-k" "_" ];
description = ''
A list of extra command line arguments to pass to the `hbbs` process.
'';
relay = {
enable = mkOption {
type = bool;
default = true;
description = ''
Whether to enable the RustDesk relay server.
'';
};
extraArgs = mkOption {
type = listOf str;
default = [];
example = [ "-k" "_" ];
description = ''
A list of extra command line arguments to pass to the `hbbr` process.
'';
};
};
extraRelayArgs = mkOption {
type = listOf str;
default = [];
example = [ "-k" "_" ];
description = ''
A list of extra command line arguments to pass to the `hbbr` process.
'';
};
};
config = let
@ -96,13 +125,17 @@ in {
wantedBy = [ "multi-user.target" ];
};
systemd.services.rustdesk-signal = lib.mkMerge [ serviceDefaults {
serviceConfig.ExecStart = "${cfg.package}/bin/hbbs -r ${cfg.relayIP} ${lib.escapeShellArgs cfg.extraSignalArgs}";
} ];
systemd.services.rustdesk-signal =
let
relayArg = builtins.concatStringsSep ":" cfg.signal.relayHosts;
in
lib.mkIf cfg.signal.enable (lib.mkMerge [ serviceDefaults {
serviceConfig.ExecStart = "${cfg.package}/bin/hbbs --relay-servers ${relayArg} ${lib.escapeShellArgs cfg.signal.extraArgs}";
} ]);
systemd.services.rustdesk-relay = lib.mkMerge [ serviceDefaults {
serviceConfig.ExecStart = "${cfg.package}/bin/hbbr ${lib.escapeShellArgs cfg.extraRelayArgs}";
} ];
systemd.services.rustdesk-relay = lib.mkIf cfg.relay.enable (lib.mkMerge [ serviceDefaults {
serviceConfig.ExecStart = "${cfg.package}/bin/hbbr ${lib.escapeShellArgs cfg.relay.extraArgs}";
} ]);
};
meta.maintainers = with lib.maintainers; [ ppom ];

41
nixos/modules/services/networking/avahi-daemon.nix
View File

@ -317,6 +317,47 @@ in
Type = "dbus";
ExecStart = "${cfg.package}/sbin/avahi-daemon --syslog -f ${avahiDaemonConf}";
ConfigurationDirectory = "avahi/services";
# Hardening
CapabilityBoundingSet = [
# https://github.com/avahi/avahi/blob/v0.9-rc1/avahi-daemon/caps.c#L38
"CAP_SYS_CHROOT"
"CAP_SETUID"
"CAP_SETGID"
];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = false;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown setgroups setresuid"
];
UMask = "0077";
};
};

141
nixos/modules/services/networking/coturn.nix
View File

@ -1,41 +1,41 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, utils, ... }:
let
cfg = config.services.coturn;
pidfile = "/run/turnserver/turnserver.pid";
configFile = pkgs.writeText "turnserver.conf" ''
listening-port=${toString cfg.listening-port}
tls-listening-port=${toString cfg.tls-listening-port}
alt-listening-port=${toString cfg.alt-listening-port}
alt-tls-listening-port=${toString cfg.alt-tls-listening-port}
${lib.concatStringsSep "\n" (map (x: "listening-ip=${x}") cfg.listening-ips)}
${lib.concatStringsSep "\n" (map (x: "relay-ip=${x}") cfg.relay-ips)}
min-port=${toString cfg.min-port}
max-port=${toString cfg.max-port}
${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
${lib.optionalString cfg.no-auth "no-auth"}
${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")}
${lib.optionalString (cfg.static-auth-secret-file != null) ("static-auth-secret=#static-auth-secret#")}
realm=${cfg.realm}
${lib.optionalString cfg.no-udp "no-udp"}
${lib.optionalString cfg.no-tcp "no-tcp"}
${lib.optionalString cfg.no-tls "no-tls"}
${lib.optionalString cfg.no-dtls "no-dtls"}
${lib.optionalString cfg.no-udp-relay "no-udp-relay"}
${lib.optionalString cfg.no-tcp-relay "no-tcp-relay"}
${lib.optionalString (cfg.cert != null) "cert=${cfg.cert}"}
${lib.optionalString (cfg.pkey != null) "pkey=${cfg.pkey}"}
${lib.optionalString (cfg.dh-file != null) ("dh-file=${cfg.dh-file}")}
no-stdout-log
syslog
pidfile=${pidfile}
${lib.optionalString cfg.secure-stun "secure-stun"}
${lib.optionalString cfg.no-cli "no-cli"}
cli-ip=${cfg.cli-ip}
cli-port=${toString cfg.cli-port}
${lib.optionalString (cfg.cli-password != null) ("cli-password=${cfg.cli-password}")}
${cfg.extraConfig}
'';
listening-port=${toString cfg.listening-port}
tls-listening-port=${toString cfg.tls-listening-port}
alt-listening-port=${toString cfg.alt-listening-port}
alt-tls-listening-port=${toString cfg.alt-tls-listening-port}
${lib.concatStringsSep "\n" (map (x: "listening-ip=${x}") cfg.listening-ips)}
${lib.concatStringsSep "\n" (map (x: "relay-ip=${x}") cfg.relay-ips)}
min-port=${toString cfg.min-port}
max-port=${toString cfg.max-port}
${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
${lib.optionalString cfg.no-auth "no-auth"}
${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
${lib.optionalString (cfg.static-auth-secret != null) "static-auth-secret=${cfg.static-auth-secret}"}
${lib.optionalString (cfg.static-auth-secret-file != null) "static-auth-secret=#static-auth-secret#"}
realm=${cfg.realm}
${lib.optionalString cfg.no-udp "no-udp"}
${lib.optionalString cfg.no-tcp "no-tcp"}
${lib.optionalString cfg.no-tls "no-tls"}
${lib.optionalString cfg.no-dtls "no-dtls"}
${lib.optionalString cfg.no-udp-relay "no-udp-relay"}
${lib.optionalString cfg.no-tcp-relay "no-tcp-relay"}
${lib.optionalString (cfg.cert != null) "cert=${cfg.cert}"}
${lib.optionalString (cfg.pkey != null) "pkey=${cfg.pkey}"}
${lib.optionalString (cfg.dh-file != null) "dh-file=${cfg.dh-file}"}
no-stdout-log
syslog
pidfile=${pidfile}
${lib.optionalString cfg.secure-stun "secure-stun"}
${lib.optionalString cfg.no-cli "no-cli"}
cli-ip=${cfg.cli-ip}
cli-port=${toString cfg.cli-port}
${lib.optionalString (cfg.cli-password != null) "cli-password=${cfg.cli-password}"}
${cfg.extraConfig}
'';
in {
options = {
services.coturn = {
@ -301,7 +301,7 @@ in {
};
};
config = lib.mkIf cfg.enable (lib.mkMerge ([
config = lib.mkIf cfg.enable (lib.mkMerge [
{ assertions = [
{ assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ;
message = "static-auth-secret and static-auth-secret-file cannot be set at the same time";
@ -341,25 +341,66 @@ in {
'' }
chmod 640 ${runConfig}
'';
serviceConfig = {
serviceConfig = rec {
Type = "simple";
ExecStart = "${pkgs.coturn}/bin/turnserver -c ${runConfig}";
RuntimeDirectory = "turnserver";
ExecStart = utils.escapeSystemdExecArgs [
(lib.getExe' pkgs.coturn "turnserver")
"-c"
runConfig
];
User = "turnserver";
Group = "turnserver";
AmbientCapabilities =
lib.mkIf (
cfg.listening-port < 1024 ||
cfg.alt-listening-port < 1024 ||
cfg.tls-listening-port < 1024 ||
cfg.alt-tls-listening-port < 1024 ||
cfg.min-port < 1024
) "cap_net_bind_service";
RuntimeDirectory = [
"coturn"
"turnserver"
];
RuntimeDirectoryMode = "0700";
Restart = "on-abort";
# Hardening
AmbientCapabilities = if
cfg.listening-port < 1024 ||
cfg.alt-listening-port < 1024 ||
cfg.tls-listening-port < 1024 ||
cfg.alt-tls-listening-port < 1024 ||
cfg.min-port < 1024
then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
CapabilityBoundingSet = AmbientCapabilities;
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
] ++ lib.optionals (cfg.listening-ips == [ ]) [
# only used for interface discovery when no listening ips are configured
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
UMask = "0077";
};
};
systemd.tmpfiles.rules = [
"d /run/coturn 0700 turnserver turnserver - -"
];
}]));
}]);
}

2
nixos/modules/services/networking/dhcpcd.nix
View File

@ -249,7 +249,7 @@ in
ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind";
Restart = "always";
AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];
ReadWritePaths = [ "/proc/sys/net/ipv6" ]
ReadWritePaths = [ "/proc/sys/net/ipv4" "/proc/sys/net/ipv6" ]
++ lib.optionals useResolvConf ([ "/run/resolvconf" ] ++ config.networking.resolvconf.subscriberFiles);
DeviceAllow = "";
LockPersonality = true;

2
nixos/modules/services/networking/fastnetmon-advanced.nix
View File

@ -160,6 +160,8 @@ in {
}
});
'';
# dbus/polkit with DynamicUser is broken with the default implementation
services.dbus.implementation = "broker";
# We don't use the existing gobgp NixOS module and package, because the gobgp
# version might not be compatible with fastnetmon. Also, the service name

50
nixos/modules/services/networking/murmur.nix
View File

@ -6,7 +6,7 @@ let
cfg = config.services.murmur;
forking = cfg.logFile != null;
configFile = pkgs.writeText "murmurd.ini" ''
database=/var/lib/murmur/murmur.sqlite
database=${cfg.stateDir}/murmur.sqlite
dbDriver=QSQLITE
autobanAttempts=${toString cfg.autobanAttempts}
@ -69,6 +69,32 @@ in
'';
};
user = mkOption {
type = types.str;
default = "murmur";
description = ''
The name of an existing user to use to run the service.
If not specified, the default user will be created.
'';
};
group = mkOption {
type = types.str;
default = "murmur";
description = ''
The name of an existing group to use to run the service.
If not specified, the default group will be created.
'';
};
stateDir = mkOption {
type = types.path;
default = "/var/lib/murmur";
description = ''
Directory to store data for the server.
'';
};
autobanAttempts = mkOption {
type = types.int;
default = 10;
@ -257,7 +283,7 @@ in
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/var/lib/murmur/murmurd.env";
example = literalExpression ''"''${config.services.murmur.stateDir}/murmurd.env"'';
description = ''
Environment file as defined in {manpage}`systemd.exec(5)`.
@ -289,14 +315,14 @@ in
};
config = mkIf cfg.enable {
users.users.murmur = {
users.users.murmur = mkIf (cfg.user == "murmur") {
description = "Murmur Service user";
home = "/var/lib/murmur";
home = cfg.stateDir;
createHome = true;
uid = config.ids.uids.murmur;
group = "murmur";
group = cfg.group;
};
users.groups.murmur = {
users.groups.murmur = mkIf (cfg.group == "murmur") {
gid = config.ids.gids.murmur;
};
@ -324,8 +350,8 @@ in
Restart = "always";
RuntimeDirectory = "murmur";
RuntimeDirectoryMode = "0700";
User = "murmur";
Group = "murmur";
User = cfg.user;
Group = cfg.group;
# service hardening
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
@ -362,7 +388,7 @@ in
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="murmur">
<policy user="${cfg.user}">
<allow own="net.sourceforge.mumble.murmur"/>
</policy>
@ -387,9 +413,9 @@ in
r ${config.environment.etc."os-release".source},
r ${config.environment.etc."lsb-release".source},
owner rwk /var/lib/murmur/murmur.sqlite,
owner rw /var/lib/murmur/murmur.sqlite-journal,
owner r /var/lib/murmur/,
owner rwk ${cfg.stateDir}/murmur.sqlite,
owner rw ${cfg.stateDir}/murmur.sqlite-journal,
owner r ${cfg.stateDir}/,
r /run/murmur/murmurd.pid,
r /run/murmur/murmurd.ini,
r ${configFile},

5
nixos/modules/services/networking/pptpd.nix
View File

@ -101,15 +101,12 @@ with lib;
secrets="/etc/ppp-pptpd/chap-secrets"
[ -f "$secrets" ] || cat > "$secrets" << EOF
[ -f "$secrets" ] || install -m 600 -o root -g root /dev/stdin "$secrets" << EOF
# From: pptpd-1.4.0/samples/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
#username pptpd password *
EOF
chown root:root "$secrets"
chmod 600 "$secrets"
'';
serviceConfig = {

4
nixos/modules/services/networking/radicale.nix
View File

@ -52,7 +52,7 @@ in {
default = { };
description = ''
Configuration for Radicale. See
<https://radicale.org/3.0.html#documentation/configuration>.
<https://radicale.org/v3.html#configuration>.
This option is mutually exclusive with {option}`config`.
'';
example = literalExpression ''
@ -74,7 +74,7 @@ in {
type = format.type;
description = ''
Configuration for Radicale's rights file. See
<https://radicale.org/3.0.html#documentation/authentication-and-rights>.
<https://radicale.org/v3.html#authentication-and-rights>.
This option only works in conjunction with {option}`settings`.
Setting this will also set {option}`settings.rights.type` and
{option}`settings.rights.file` to appropriate values.

2
nixos/modules/services/networking/soju.nix
View File

@ -12,7 +12,7 @@ let
tlsCfg = optionalString (cfg.tlsCertificate != null)
"tls ${cfg.tlsCertificate} ${cfg.tlsCertificateKey}";
logCfg = optionalString cfg.enableMessageLogging
"log fs ${stateDir}/logs";
"message-store fs ${stateDir}/logs";
configFile = pkgs.writeText "soju.conf" ''
${listenCfg}

8
nixos/modules/services/networking/tailscale.nix
View File

@ -29,6 +29,12 @@ in {
description = "Username or user ID of the user allowed to to fetch Tailscale TLS certificates for the node.";
};
disableTaildrop = mkOption {
default = false;
type = types.bool;
description = "Whether to disable the Taildrop feature for sending files between nodes.";
};
package = lib.mkPackageOption pkgs "tailscale" {};
openFirewall = mkOption {
@ -129,6 +135,8 @@ in {
''"FLAGS=--tun ${lib.escapeShellArg cfg.interfaceName} ${lib.concatStringsSep " " cfg.extraDaemonFlags}"''
] ++ (lib.optionals (cfg.permitCertUid != null) [
"TS_PERMIT_CERT_UID=${cfg.permitCertUid}"
]) ++ (lib.optionals (cfg.disableTaildrop) [
"TS_DISABLE_TAILDROP=true"
]);
# Restart tailscaled with a single `systemctl restart` at the
# end of activation, rather than a `stop` followed by a later

21
nixos/modules/services/networking/xl2tpd.nix
View File

@ -104,31 +104,18 @@ with lib;
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p -m 700 /etc/xl2tpd
install -m 700 -d /etc/xl2tpd/ppp
pushd /etc/xl2tpd > /dev/null
mkdir -p -m 700 ppp
[ -f ppp/chap-secrets ] || cat > ppp/chap-secrets << EOF
[ -f /etc/xl2tpd/ppp/chap-secrets ] || install -m 600 -o root -g root /dev/stdin /etc/xl2tpd/ppp/chap-secrets <<EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
#username xl2tpd password *
EOF
chown root:root ppp/chap-secrets
chmod 600 ppp/chap-secrets
# The documentation says this file should be present but doesn't explain why and things work even if not there:
[ -f l2tp-secrets ] || (echo -n "* * "; ${pkgs.apg}/bin/apg -n 1 -m 32 -x 32 -a 1 -M LCN) > l2tp-secrets
chown root:root l2tp-secrets
chmod 600 l2tp-secrets
[ -f /etc/xl2tpd/l2tp-secrets ] || install -m 600 -o root -g root <(echo -n "* * "; ${pkgs.apg}/bin/apg -n 1 -m 32 -x 32 -a 1 -M LCN) /etc/xl2tpd/l2tp-secrets
popd > /dev/null
mkdir -p /run/xl2tpd
chown root:root /run/xl2tpd
chmod 700 /run/xl2tpd
install -m 701 -o root -g root -d /run/xl2tpd
'';
serviceConfig = {

2
nixos/modules/services/security/oauth2-proxy.nix
View File

@ -62,7 +62,7 @@ let
} // lib.optionalAttrs (cfg.passBasicAuth) {
basic-auth-password = cfg.basicAuthPassword;
} // lib.optionalAttrs (cfg.htpasswd.file != null) {
display-htpasswd-file = cfg.htpasswd.displayForm;
display-htpasswd-form = cfg.htpasswd.displayForm;
} // lib.optionalAttrs tls.enable {
tls-cert-file = tls.certificate;
tls-key-file = tls.key;

1
nixos/modules/services/video/frigate.nix
View File

@ -523,6 +523,7 @@ in
intel-gpu-tools
];
serviceConfig = {
ExecStartPre = "-rm /var/cache/frigate/*.mp4";
ExecStart = "${cfg.package.python.interpreter} -m frigate";
Restart = "on-failure";

5
nixos/modules/services/wayland/hypridle.nix
View File

@ -20,6 +20,11 @@ in
systemd = {
packages = [ cfg.package ];
user.services.hypridle.wantedBy = [ "graphical-session.target" ];
user.services.hypridle.path = [
config.programs.hyprland.package
config.programs.hyprlock.package
pkgs.procps
];
};
};

44
nixos/modules/services/web-apps/immich.nix
View File

@ -6,6 +6,7 @@
}:
let
cfg = config.services.immich;
format = pkgs.formats.json { };
isPostgresUnixSocket = lib.hasPrefix "/" cfg.database.host;
isRedisUnixSocket = lib.hasPrefix "/" cfg.redis.host;
@ -110,6 +111,37 @@ in
description = "The group immich should run as.";
};
settings = mkOption {
default = null;
description = ''
Configuration for Immich.
See <https://immich.app/docs/install/config-file/> or navigate to
<https://your-immich-domain/admin/system-settings> for
options and defaults.
Setting it to `null` allows configuring Immich in the web interface.
'';
type = types.nullOr (
types.submodule {
freeformType = format.type;
options = {
newVersionCheck.enabled = mkOption {
type = types.bool;
default = false;
description = ''
Check for new versions.
This feature relies on periodic communication with github.com.
'';
};
server.externalDomain = mkOption {
type = types.str;
default = "";
description = "Domain for publicly shared links, including `http(s)://`.";
};
};
}
);
};
machine-learning = {
enable =
mkEnableOption "immich's machine-learning functionality to detect faces and search for objects"
@ -258,10 +290,13 @@ in
postgresEnv
// redisEnv
// {
HOST = cfg.host;
IMMICH_HOST = cfg.host;
IMMICH_PORT = toString cfg.port;
IMMICH_MEDIA_LOCATION = cfg.mediaLocation;
IMMICH_MACHINE_LEARNING_URL = "http://localhost:3003";
}
// lib.optionalAttrs (cfg.settings != null) {
IMMICH_CONFIG_FILE = "${format.generate "immich.json" cfg.settings}";
};
services.immich.machine-learning.environment = {
@ -272,6 +307,11 @@ in
IMMICH_PORT = "3003";
};
systemd.slices.system-immich = {
description = "Immich (self-hosted photo and video backup solution) slice";
documentation = [ "https://immich.app/docs" ];
};
systemd.services.immich-server = {
description = "Immich backend server (Self-hosted photo and video backup solution)";
after = [ "network.target" ];
@ -281,6 +321,7 @@ in
serviceConfig = commonServiceConfig // {
ExecStart = lib.getExe cfg.package;
EnvironmentFile = mkIf (cfg.secretsFile != null) cfg.secretsFile;
Slice = "system-immich.slice";
StateDirectory = "immich";
SyslogIdentifier = "immich";
RuntimeDirectory = "immich";
@ -300,6 +341,7 @@ in
inherit (cfg.machine-learning) environment;
serviceConfig = commonServiceConfig // {
ExecStart = lib.getExe (cfg.package.machine-learning.override { immich = cfg.package; });
Slice = "system-immich.slice";
CacheDirectory = "immich";
User = cfg.user;
Group = cfg.group;

21
nixos/modules/services/web-apps/netbox.nix
View File

@ -75,21 +75,17 @@ in {
package = lib.mkOption {
type = lib.types.package;
default =
if lib.versionAtLeast config.system.stateVersion "24.05"
if lib.versionAtLeast config.system.stateVersion "24.11"
then pkgs.netbox_4_1
else if lib.versionAtLeast config.system.stateVersion "24.05"
then pkgs.netbox_3_7
else if lib.versionAtLeast config.system.stateVersion "23.11"
then pkgs.netbox_3_6
else if lib.versionAtLeast config.system.stateVersion "23.05"
then pkgs.netbox_3_5
else pkgs.netbox_3_3;
else pkgs.netbox_3_6;
defaultText = lib.literalExpression ''
if lib.versionAtLeast config.system.stateVersion "24.05"
if lib.versionAtLeast config.system.stateVersion "24.11"
then pkgs.netbox_4_1
else if lib.versionAtLeast config.system.stateVersion "24.05"
then pkgs.netbox_3_7
else if lib.versionAtLeast config.system.stateVersion "23.11"
then pkgs.netbox_3_6
else if lib.versionAtLeast config.system.stateVersion "23.05"
then pkgs.netbox_3_5
else pkgs.netbox_3_3;
else pkgs.netbox_3_6;
'';
description = ''
NetBox package to use.
@ -328,6 +324,7 @@ in {
--pythonpath ${pkg}/opt/netbox/netbox
'';
PrivateTmp = true;
TimeoutStartSec = lib.mkDefault "5min";
};
};

3
nixos/modules/services/web-apps/peertube.nix
View File

@ -432,7 +432,6 @@ in {
path = with pkgs; [ nodejs_18 yarn ffmpeg-headless openssl ];
script = ''
#!/bin/sh
umask 077
cat > /var/lib/peertube/config/local.yaml <<EOF
${lib.optionalString (cfg.secrets.secretsFile != null) ''
@ -457,7 +456,7 @@ in {
ln -sf ${cfg.package}/config/default.yaml /var/lib/peertube/config/default.yaml
ln -sf ${cfg.package}/client/dist -T /var/lib/peertube/www/client
ln -sf ${cfg.settings.storage.client_overrides} -T /var/lib/peertube/www/client-overrides
node dist/server
exec node dist/server
'';
serviceConfig = {
Type = "simple";

16
nixos/modules/services/web-apps/sftpgo.nix
View File

@ -35,13 +35,21 @@ in
};
dataDir = mkOption {
type = types.str;
type = types.path;
default = "/var/lib/sftpgo";
description = ''
The directory where SFTPGo stores its data files.
'';
};
extraReadWriteDirs = mkOption {
type = types.listOf types.path;
default = [];
description = ''
Extra directories where SFTPGo is allowed to write to.
'';
};
user = mkOption {
type = types.str;
default = defaultUser;
@ -63,7 +71,7 @@ in
type = with types; nullOr path;
description = ''
Path to a json file containing users and folders to load (or update) on startup.
Check the [documentation](https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md)
Check the [documentation](https://sftpgo.github.io/latest/config-file/)
for the `--loaddata-from` command line argument for more info.
'';
};
@ -72,7 +80,7 @@ in
default = {};
description = ''
The primary sftpgo configuration. See the
[configuration reference](https://github.com/drakkan/sftpgo/blob/main/docs/full-configuration.md)
[configuration reference](https://sftpgo.github.io/latest/config-file/)
for possible values.
'';
type = with types; submodule {
@ -324,7 +332,7 @@ in
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.dataDir;
ReadWritePaths = [ cfg.dataDir ];
ReadWritePaths = [ cfg.dataDir ] ++ cfg.extraReadWriteDirs;
LimitNOFILE = 8192; # taken from upstream
KillMode = "mixed";
ExecStart = "${cfg.package}/bin/sftpgo serve ${utils.escapeSystemdExecArgs cfg.extraArgs}";

2
nixos/modules/services/web-servers/nginx/default.nix
View File

@ -1374,7 +1374,7 @@ in
];
services.logrotate.settings.nginx = mapAttrs (_: mkDefault) {
files = "/var/log/nginx/*.log";
files = [ "/var/log/nginx/*.log" ];
frequency = "weekly";
su = "${cfg.user} ${cfg.group}";
rotate = 26;

228
nixos/modules/services/web-servers/send.nix Normal file
View File

@ -0,0 +1,228 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkOption types;
cfg = config.services.send;
in
{
options = {
services.send = {
enable = lib.mkEnableOption "Send, a file sharing web sevice for ffsend.";
package = lib.mkPackageOption pkgs "send" { };
environment = mkOption {
type =
with types;
attrsOf (
nullOr (oneOf [
bool
int
str
(listOf int)
])
);
description = ''
All the available config options and their defaults can be found here: https://github.com/timvisee/send/blob/master/server/config.js,
some descriptions can found here: https://github.com/timvisee/send/blob/master/docs/docker.md#environment-variables
Values under {option}`services.send.environment` will override the predefined values in the Send service.
- Time/duration should be in seconds
- Filesize values should be in bytes
'';
example = {
DEFAULT_DOWNLOADS = 1;
DETECT_BASE_URL = true;
EXPIRE_TIMES_SECONDS = [
300
3600
86400
604800
];
};
};
dataDir = lib.mkOption {
type = types.path;
readOnly = true;
default = "/var/lib/send";
description = ''
Directory for uploaded files.
Due to limitations in {option}`systemd.services.send.serviceConfig.DynamicUser`, this item is read only.
'';
};
baseUrl = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Base URL for the Send service.
Leave it blank to automatically detect the base url.
'';
};
host = lib.mkOption {
type = types.str;
default = "127.0.0.1";
description = "The hostname or IP address for Send to bind to.";
};
port = lib.mkOption {
type = types.port;
default = 1443;
description = "Port the Send service listens on.";
};
openFirewall = lib.mkOption {
type = types.bool;
default = false;
description = "Whether to open firewall ports for send";
};
redis = {
createLocally = lib.mkOption {
type = types.bool;
default = true;
description = "Whether to create a local redis automatically.";
};
name = lib.mkOption {
type = types.str;
default = "send";
description = ''
Name of the redis server.
Only used if {option}`services.send.redis.createLocally` is set to true.
'';
};
host = lib.mkOption {
type = types.str;
default = "localhost";
description = "Redis server address.";
};
port = lib.mkOption {
type = types.port;
default = 6379;
description = "Port of the redis server.";
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/agenix/send-redis-password";
description = ''
The path to the file containing the Redis password.
If {option}`services.send.redis.createLocally` is set to true,
the content of this file will be used as the password for the locally created Redis instance.
Leave it blank if no password is required.
'';
};
};
};
};
config = lib.mkIf cfg.enable {
services.send.environment.DETECT_BASE_URL = cfg.baseUrl == null;
assertions = [
{
assertion = cfg.redis.createLocally -> cfg.redis.host == "localhost";
message = "the redis host must be localhost if services.send.redis.createLocally is set to true";
}
];
networking.firewall.allowedTCPPorts = lib.optional cfg.openFirewall cfg.port;
services.redis = lib.optionalAttrs cfg.redis.createLocally {
servers."${cfg.redis.name}" = {
enable = true;
bind = "localhost";
port = cfg.redis.port;
};
};
systemd.services.send = {
serviceConfig = {
Type = "simple";
Restart = "always";
StateDirectory = "send";
WorkingDirectory = cfg.dataDir;
ReadWritePaths = cfg.dataDir;
LoadCredential = lib.optionalString (
cfg.redis.passwordFile != null
) "redis-password:${cfg.redis.passwordFile}";
# Hardening
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
AmbientCapabilities = lib.optionalString (cfg.port < 1024) "cap_net_bind_service";
DynamicUser = true;
CapabilityBoundingSet = "";
NoNewPrivileges = true;
RemoveIPC = true;
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
};
environment =
{
IP_ADDRESS = cfg.host;
PORT = toString cfg.port;
BASE_URL = if (cfg.baseUrl == null) then "http://${cfg.host}:${toString cfg.port}" else cfg.baseUrl;
FILE_DIR = cfg.dataDir + "/uploads";
REDIS_HOST = cfg.redis.host;
REDIS_PORT = toString cfg.redis.port;
}
// (lib.mapAttrs (
name: value:
if lib.isList value then
"[" + lib.concatStringsSep ", " (map (x: toString x) value) + "]"
else if lib.isBool value then
lib.boolToString value
else
toString value
) cfg.environment);
after =
[
"network.target"
]
++ lib.optionals cfg.redis.createLocally [
"redis-${cfg.redis.name}.service"
];
description = "Send web service";
wantedBy = [ "multi-user.target" ];
script = ''
${lib.optionalString (cfg.redis.passwordFile != null) ''
export REDIS_PASSWORD="$(cat $CREDENTIALS_DIRECTORY/redis-password)"
''}
${lib.getExe cfg.package}
'';
};
};
meta.maintainers = with lib.maintainers; [ moraxyc ];
}

163
nixos/modules/system/activation/apply/apply.sh Normal file
View File

@ -0,0 +1,163 @@
#!@bash@
# This is the NixOS apply script, typically located at
#
# ${config.system.build.toplevel}/bin/apply
#
# This script is responsible for managing the profile link and calling the
# appropriate scripts for its subcommands, such as switch, boot, and test.
set -euo pipefail
toplevel=@toplevel@
subcommand=
installBootloader=
specialisation=
profile=/nix/var/nix/profiles/system
log() {
echo "$@" >&2
}
die() {
log "NixOS apply error: $*"
exit 1
}
usage() {
log "NixOS apply invocation error: $*"
cat >&2 <<EOF
Usage: apply [switch|boot|test|dry-activate] [OPTIONS]
Subcommands:
switch make the configuration the boot default and activate it
boot make the configuration the boot default
test activate the configuration, but don\'t make it the boot default
dry-activate show what would be done if this configuration were activated
Options:
--install-bootloader install the bootloader
--profile PROFILE use PROFILE as the target profile (if applicable)
--specialisation NAME use the specialisation NAME
EOF
}
parse_args() {
while [[ $# -gt 0 ]]; do
case "$1" in
switch|boot|test|dry-activate)
subcommand="$1"
;;
--install-bootloader)
installBootloader=1
;;
--profile)
if [[ $# -lt 2 ]]; then
die "missing argument for --profile"
fi
profile="$2"
shift
;;
# --rollback is not an `apply` responsibility, and it should be
# implemented by the caller of `apply` instead.
--specialisation)
if [[ $# -lt 2 ]]; then
die "missing argument for --specialisation"
fi
specialisation="$2"
shift
;;
*)
if [[ -n "$subcommand" ]]; then
die "unexpected argument or flag: $1"
else
die "unexpected subcommand or flag: $1"
fi
;;
esac
shift
done
if [ -z "$subcommand" ]; then
die "no subcommand specified"
fi
}
main() {
local cmd activity
case "$subcommand" in
boot|switch)
nix-env -p "$profile" --set "$toplevel"
;;
esac
# Using systemd-run here to protect against PTY failures/network
# disconnections during rebuild.
# See: https://github.com/NixOS/nixpkgs/issues/39118
cmd=(
"systemd-run"
"-E" "LOCALE_ARCHIVE" # Will be set to new value early in switch-to-configuration script, but interpreter starts out with old value
"-E" "NIXOS_INSTALL_BOOTLOADER=$installBootloader"
"--collect"
"--no-ask-password"
"--pipe"
"--quiet"
"--same-dir"
"--service-type=exec"
"--unit=nixos-rebuild-switch-to-configuration"
"--wait"
)
# Check if we have a working systemd-run. In chroot environments we may have
# a non-working systemd, so we fallback to not using systemd-run.
if ! "${cmd[@]}" true; then
log "Skipping systemd-run to switch configuration since it is not working in target host."
cmd=(
"env"
"-i"
"LOCALE_ARCHIVE=${LOCALE_ARCHIVE:-}"
"NIXOS_INSTALL_BOOTLOADER=$installBootloader"
)
fi
if [[ -z "$specialisation" ]]; then
cmd+=("$toplevel/bin/switch-to-configuration")
else
cmd+=("$toplevel/specialisation/$specialisation/bin/switch-to-configuration")
if ! [[ -f "${cmd[-1]}" ]]; then
log "error: specialisation not found: $specialisation"
exit 1
fi
fi
if ! "${cmd[@]}" "$subcommand"; then
case "$subcommand" in
switch)
activity="switching to the new configuration"
;;
boot)
activity="switching the boot entry to the new configuration"
;;
test)
activity="switching to the new configuration (in test mode)"
;;
dry-activate)
activity="switching to the new configuration (in dry-activate mode)"
;;
*) # Should never happen
activity="running $subcommand"
;;
esac
log "warning: error(s) occurred while $activity"
exit 1
fi
}
if ! type test_run_tests &>/dev/null; then
# We're not loaded into the test.sh, so we run main.
parse_args "$@"
main
fi

51
nixos/modules/system/activation/apply/checks.nix Normal file
View File

@ -0,0 +1,51 @@
# Run:
# nix-build -A nixosTests.apply
#
# These are not all tests. See also nixosTests.
{
lib,
stdenvNoCC,
testers,
...
}:
let
fileset = lib.fileset.unions [
./test.sh
./apply.sh
];
in
{
unitTests = stdenvNoCC.mkDerivation {
name = "nixos-apply-unit-tests";
src = lib.fileset.toSource {
root = ./.;
inherit fileset;
};
dontBuild = true;
checkPhase = ''
./test.sh
'';
installPhase = ''
touch $out
'';
};
shellcheck =
(testers.shellcheck {
src = lib.fileset.toSource {
# This makes the error messages include the full path
root = ../../../../..;
inherit fileset;
};
}).overrideAttrs
{
postUnpack = ''
for f in $(find . -type f); do
substituteInPlace $f --replace @bash@ /usr/bin/bash
done
'';
};
}

176
nixos/modules/system/activation/apply/test.sh Executable file
View File

@ -0,0 +1,176 @@
#!/usr/bin/env bash
# shellcheck disable=SC2317 disable=SC2031
# False positives:
# SC2317: Unreachable code: TEST_*
# SC2031: <variable> was modified in a subshell. That change might be lost.
# We have a lot of that, and that's expected.
# This is a unit test script for the NixOS apply script.
# It can be run quickly with the following command:
#
# ./test.sh
#
# Alternatively, run the following to run all tests and checks
#
# TODO
#
set -euo pipefail
# set -x
apply="${BASH_SOURCE[0]%/*}/apply.sh"
# source_apply() {
run_parse_args() {
bash -c "source $apply;"' parse_args "$@"' -- "$@"
}
TEST_parse_args_none() {
if errout="$(run_parse_args 2>&1)"; then
test_fail "apply without arguments should fail"
elif [[ $? -ne 1 ]]; then
test_fail "apply without arguments should exit with code 1"
fi
grep -F "no subcommand specified" <<<"$errout" >/dev/null
}
TEST_parse_args_switch() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args switch;
[[ $subcommand == switch ]]
[[ $specialisation == "" ]]
[[ $profile == "" ]]
)
}
TEST_parse_args_boot() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args boot;
[[ $subcommand == boot ]]
[[ $specialisation == "" ]]
[[ $profile == "" ]]
)
}
TEST_parse_args_test() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args test;
[[ $subcommand == test ]]
[[ $specialisation == "" ]]
[[ $profile == "" ]]
)
}
TEST_parse_args_dry_activate() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args dry-activate;
[[ $subcommand == dry-activate ]]
[[ $specialisation == "" ]]
[[ $profile == "" ]]
)
}
TEST_parse_args_unknown() {
if errout="$(run_parse_args foo 2>&1)"; then
test_fail "apply with unknown subcommand should fail"
fi
grep -F "unexpected argument or flag: foo" <<<"$errout" >/dev/null
}
TEST_parse_args_switch_specialisation_no_arg() {
if errout="$(run_parse_args switch --specialisation 2>&1)"; then
test_fail "apply with --specialisation without argument should fail"
fi
grep -F "missing argument for --specialisation" <<<"$errout" >/dev/null
}
TEST_parse_args_switch_specialisation() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args switch --specialisation low-power;
[[ $subcommand == switch ]]
[[ $specialisation == low-power ]]
[[ $profile == "" ]]
)
}
TEST_parse_args_switch_profile() {
(
# shellcheck source=nixos/modules/system/activation/apply/apply.sh
source "$apply";
parse_args switch --profile /nix/var/nix/profiles/system;
[[ $subcommand == switch ]]
[[ $specialisation == "" ]]
[[ $profile == /nix/var/nix/profiles/system ]]
)
}
# Support code
test_fail() {
echo "TEST FAILURE: $*" >&2
exit 1
}
test_print_trace() {
local frame=${1:0}
local caller
# shellcheck disable=SC2207 disable=SC2086
while caller=( $(caller $frame) ); do
echo " in ${caller[1]} at ${caller[2]}:${caller[0]}"
frame=$((frame+1));
done
}
test_on_err() {
echo "ERROR running: ${BASH_COMMAND}" >&2
test_print_trace 1 >&2
}
test_init() {
trap 'test_on_err' ERR
}
test_find() {
declare -F | grep -o 'TEST_.*' | sort
}
test_run_tests() {
local status=0
for test in $(test_find); do
set +e
(
set -eEuo pipefail
trap 'test_on_err' ERR
$test
)
r=$?
set -e
if [[ $r == 0 ]]; then
echo "ok: $test"
else
echo "TEST FAIL: $test"; status=1;
fi
done
if [[ $status == 0 ]]; then
echo "All good"
else
echo
echo "TEST SUITE FAILED"
fi
exit $status
}
# Main
test_init
test_run_tests

2
nixos/modules/system/activation/specialisation.nix
View File

@ -42,7 +42,7 @@ in
(e.g. `fewJobsManyCores`) at runtime, run:
```
sudo /run/current-system/specialisation/fewJobsManyCores/bin/switch-to-configuration test
sudo /run/current-system/specialisation/fewJobsManyCores/bin/apply test
```
'';
type = types.attrsOf (types.submodule (

7
nixos/modules/system/activation/switch-to-configuration.pl
View File

@ -80,12 +80,9 @@ if ("@localeArchive@" ne "") {
if (!defined($action) || ($action ne "switch" && $action ne "boot" && $action ne "test" && $action ne "dry-activate")) {
print STDERR <<"EOF";
error: Unknown action $action
Usage: $0 [switch|boot|test|dry-activate]
switch: make the configuration the boot default and activate now
boot: make the configuration the boot default
test: activate the configuration, but don\'t make it the boot default
dry-activate: show what would be done if this configuration were activated
Consider calling `apply` instead of `switch-to-configuration`.
EOF
exit(1);
}

27
nixos/modules/system/activation/switchable-system.nix
View File

@ -40,7 +40,30 @@ in
};
};
options.system.apply.enable = lib.mkOption {
type = lib.types.bool;
default = config.system.switch.enable;
internal = true;
description = ''
Whether to include the `bin/apply` script.
Disabling puts `nixos-rebuild` in a legacy mode that won't be maintained
and removes cheap and useful functionality. It's also slower over ssh.
This should only be used for testing the `nixos-rebuild` command, to
pretend that the configuration is an old NixOS.
'';
};
config = lib.mkMerge [
(lib.mkIf config.system.apply.enable {
system.activatableSystemBuilderCommands = ''
mkdir -p $out/bin
substitute ${./apply/apply.sh} $out/bin/apply \
--subst-var-by bash ${lib.getExe pkgs.bash} \
--subst-var-by toplevel ''${!toplevelVar}
chmod +x $out/bin/apply
'';
})
(lib.mkIf (config.system.switch.enable && !config.system.switch.enableNg) {
warnings = [
''
@ -54,7 +77,7 @@ in
];
system.activatableSystemBuilderCommands = ''
mkdir $out/bin
mkdir -p $out/bin
substitute ${./switch-to-configuration.pl} $out/bin/switch-to-configuration \
--subst-var out \
--subst-var-by toplevel ''${!toplevelVar} \
@ -86,7 +109,7 @@ in
(
source ${pkgs.buildPackages.makeWrapper}/nix-support/setup-hook
mkdir $out/bin
mkdir -p $out/bin
ln -sf ${lib.getExe pkgs.switch-to-configuration-ng} $out/bin/switch-to-configuration
wrapProgram $out/bin/switch-to-configuration \
--set OUT $out \

4
nixos/modules/system/activation/top-level.nix
View File

@ -49,8 +49,8 @@ let
# Putting it all together. This builds a store path containing
# symlinks to the various parts of the built configuration (the
# kernel, systemd units, init scripts, etc.) as well as a script
# `switch-to-configuration' that activates the configuration and
# makes it bootable. See `activatable-system.nix`.
# `bin/apply` that activates the configuration and
# makes it bootable. See `activatable-system.nix` and `switchable-system.nix`.
baseSystem = pkgs.stdenvNoCC.mkDerivation ({
name = "nixos-system-${config.system.name}-${config.system.nixos.label}";
preferLocalBuild = true;

4
nixos/modules/system/boot/stage-1.nix
View File

@ -405,7 +405,7 @@ let
${lib.optionalString (config.boot.initrd.secrets == {})
"exit 0"}
export PATH=${pkgs.coreutils}/bin:${pkgs.libarchive}/bin:${pkgs.gzip}/bin:${pkgs.findutils}/bin
export PATH=${pkgs.coreutils}/bin:${pkgs.cpio}/bin:${pkgs.gzip}/bin:${pkgs.findutils}/bin
function cleanup {
if [ -n "$tmp" -a -d "$tmp" ]; then
@ -426,7 +426,7 @@ let
}
# mindepth 1 so that we don't change the mode of /
(cd "$tmp" && find . -mindepth 1 | xargs touch -amt 197001010000 && find . -mindepth 1 -print0 | sort -z | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @-) | \
(cd "$tmp" && find . -mindepth 1 | xargs touch -amt 197001010000 && find . -mindepth 1 -print0 | sort -z | cpio --quiet -o -H newc -R +0:+0 --reproducible --null) | \
${compressorExe} ${lib.escapeShellArgs initialRamdisk.compressorArgs} >> "$1"
'';

1
nixos/modules/system/boot/systemd.nix
View File

@ -160,6 +160,7 @@ let
# Misc.
"systemd-sysctl.service"
"systemd-machine-id-commit.service"
] ++ optionals cfg.package.withTimedated [
"dbus-org.freedesktop.timedate1.service"
"systemd-timedated.service"

10
nixos/modules/system/boot/unl0kr.nix
View File

@ -30,11 +30,11 @@ in
example = lib.literalExpression ''
{
general.animations = true;
theme = {
default = "pmos-dark";
alternate = "pmos-light";
};
general.animations = true;
theme = {
default = "pmos-dark";
alternate = "pmos-light";
};
}
'';
default = { };

Some files were not shown because too many files have changed in this diff Show More